From eee9b6f846f15f2c6dfd8d06cfc7111e1aac766b Mon Sep 17 00:00:00 2001 
From: brad Date: Mon, 25 Aug 2014 07:08:32 +0000 Subject: [PATCH] Start removing unused documentation and the server and related binaries source code. --- usr.sbin/bind/bin/check/Makefile.in | 98 - usr.sbin/bind/bin/check/check-tool.c | 543 - usr.sbin/bind/bin/check/check-tool.h | 54 - usr.sbin/bind/bin/check/named-checkconf.8 | 89 - usr.sbin/bind/bin/check/named-checkconf.c | 488 - .../bind/bin/check/named-checkconf.docbook | 161 - usr.sbin/bind/bin/check/named-checkconf.html | 92 - usr.sbin/bind/bin/check/named-checkzone.8 | 269 - usr.sbin/bind/bin/check/named-checkzone.c | 429 - .../bind/bin/check/named-checkzone.docbook | 443 - usr.sbin/bind/bin/check/named-checkzone.html | 256 - usr.sbin/bind/bin/dnssec/Makefile.in | 83 - usr.sbin/bind/bin/dnssec/dnssec-keygen.8 | 200 - usr.sbin/bind/bin/dnssec/dnssec-keygen.c | 512 - .../bind/bin/dnssec/dnssec-keygen.docbook | 359 - usr.sbin/bind/bin/dnssec/dnssec-keygen.html | 232 - usr.sbin/bind/bin/dnssec/dnssec-signzone.8 | 272 - usr.sbin/bind/bin/dnssec/dnssec-signzone.c | 2334 --- .../bind/bin/dnssec/dnssec-signzone.docbook | 476 - usr.sbin/bind/bin/dnssec/dnssec-signzone.html | 285 - usr.sbin/bind/bin/dnssec/dnssectool.c | 313 - usr.sbin/bind/bin/dnssec/dnssectool.h | 76 - usr.sbin/bind/bin/named/Makefile.in | 145 - usr.sbin/bind/bin/named/builtin.c | 307 - usr.sbin/bind/bin/named/client.c | 2635 ---- usr.sbin/bind/bin/named/config.c | 797 - usr.sbin/bind/bin/named/control.c | 186 - usr.sbin/bind/bin/named/controlconf.c | 1461 -- .../bind/bin/named/include/named/builtin.h | 31 - .../bind/bin/named/include/named/client.h | 361 - .../bind/bin/named/include/named/config.h | 79 - .../bind/bin/named/include/named/control.h | 93 - .../bind/bin/named/include/named/globals.h | 122 - .../bin/named/include/named/interfacemgr.h | 176 - .../bind/bin/named/include/named/listenlist.h | 105 - usr.sbin/bind/bin/named/include/named/log.h | 98 - .../bind/bin/named/include/named/logconf.h | 34 - .../bind/bin/named/include/named/lwaddr.h 
| 36 - .../bind/bin/named/include/named/lwdclient.h | 234 - .../bind/bin/named/include/named/lwresd.h | 121 - .../bind/bin/named/include/named/lwsearch.h | 112 - usr.sbin/bind/bin/named/include/named/main.h | 34 - .../bind/bin/named/include/named/notify.h | 55 - .../bin/named/include/named/ns_smf_globals.h | 44 - usr.sbin/bind/bin/named/include/named/query.h | 87 - .../bind/bin/named/include/named/server.h | 230 - .../bind/bin/named/include/named/sortlist.h | 87 - .../bind/bin/named/include/named/tkeyconf.h | 53 - .../bind/bin/named/include/named/tsigconf.h | 49 - usr.sbin/bind/bin/named/include/named/types.h | 43 - .../bind/bin/named/include/named/update.h | 50 - .../bind/bin/named/include/named/xfrout.h | 39 - .../bind/bin/named/include/named/zoneconf.h | 63 - usr.sbin/bind/bin/named/interfacemgr.c | 978 -- usr.sbin/bind/bin/named/listenlist.c | 138 - usr.sbin/bind/bin/named/log.c | 235 - usr.sbin/bind/bin/named/logconf.c | 299 - usr.sbin/bind/bin/named/lwaddr.c | 94 - usr.sbin/bind/bin/named/lwdclient.c | 467 - usr.sbin/bind/bin/named/lwderror.c | 80 - usr.sbin/bind/bin/named/lwdgabn.c | 657 - usr.sbin/bind/bin/named/lwdgnba.c | 272 - usr.sbin/bind/bin/named/lwdgrbn.c | 513 - usr.sbin/bind/bin/named/lwdnoop.c | 88 - usr.sbin/bind/bin/named/lwresd.8 | 223 - usr.sbin/bind/bin/named/lwresd.c | 870 -- usr.sbin/bind/bin/named/lwresd.docbook | 372 - usr.sbin/bind/bin/named/lwresd.html | 225 - usr.sbin/bind/bin/named/lwsearch.c | 206 - usr.sbin/bind/bin/named/main.c | 940 -- usr.sbin/bind/bin/named/named.8 | 141 - usr.sbin/bind/bin/named/named.conf.5 | 520 - usr.sbin/bind/bin/named/named.conf.docbook | 599 - usr.sbin/bind/bin/named/named.conf.html | 554 - usr.sbin/bind/bin/named/named.docbook | 435 - usr.sbin/bind/bin/named/named.html | 255 - usr.sbin/bind/bin/named/notify.c | 163 - usr.sbin/bind/bin/named/query.c | 4600 ------ usr.sbin/bind/bin/named/server.c | 4900 ------ usr.sbin/bind/bin/named/sortlist.c | 166 - usr.sbin/bind/bin/named/tkeyconf.c | 120 - 
usr.sbin/bind/bin/named/tsigconf.c | 181 - usr.sbin/bind/bin/named/unix/Makefile.in | 36 - .../bind/bin/named/unix/include/named/os.h | 72 - usr.sbin/bind/bin/named/unix/os.c | 719 - usr.sbin/bind/bin/named/update.c | 3030 ---- usr.sbin/bind/bin/named/xfrout.c | 1810 --- usr.sbin/bind/bin/named/zoneconf.c | 913 -- usr.sbin/bind/bin/nsupdate/Makefile.in | 83 - usr.sbin/bind/bin/nsupdate/nsupdate.8 | 348 - usr.sbin/bind/bin/nsupdate/nsupdate.c | 2176 --- usr.sbin/bind/bin/nsupdate/nsupdate.docbook | 657 - usr.sbin/bind/bin/nsupdate/nsupdate.html | 500 - usr.sbin/bind/bin/rndc/Makefile.in | 104 - usr.sbin/bind/bin/rndc/include/rndc/os.h | 46 - usr.sbin/bind/bin/rndc/rndc-confgen.8 | 211 - usr.sbin/bind/bin/rndc/rndc-confgen.c | 335 - usr.sbin/bind/bin/rndc/rndc-confgen.docbook | 286 - usr.sbin/bind/bin/rndc/rndc-confgen.html | 188 - usr.sbin/bind/bin/rndc/rndc.8 | 88 - usr.sbin/bind/bin/rndc/rndc.c | 852 -- usr.sbin/bind/bin/rndc/rndc.conf | 47 - usr.sbin/bind/bin/rndc/rndc.conf.5 | 214 - usr.sbin/bind/bin/rndc/rndc.conf.docbook | 252 - usr.sbin/bind/bin/rndc/rndc.conf.html | 217 - usr.sbin/bind/bin/rndc/rndc.docbook | 253 - usr.sbin/bind/bin/rndc/rndc.html | 164 - usr.sbin/bind/bin/rndc/unix/Makefile.in | 36 - usr.sbin/bind/bin/rndc/unix/os.c | 70 - usr.sbin/bind/bin/rndc/util.c | 57 - usr.sbin/bind/bin/rndc/util.h | 51 - .../bin/tests/system/masterformat/clean.sh | 22 - .../tests/system/masterformat/ns1/compile.sh | 17 - .../tests/system/masterformat/ns1/example.db | 54 - .../tests/system/masterformat/ns1/named.conf | 36 - .../tests/system/masterformat/ns2/named.conf | 35 - .../bin/tests/system/masterformat/setup.sh | 20 - .../bin/tests/system/masterformat/tests.sh | 80 - .../bind/bin/tests/system/rrsetorder/clean.sh | 22 - .../system/rrsetorder/dig.out.cyclic.good1 | 4 - .../system/rrsetorder/dig.out.cyclic.good2 | 4 - .../system/rrsetorder/dig.out.cyclic.good3 | 4 - .../system/rrsetorder/dig.out.cyclic.good4 | 4 - .../system/rrsetorder/dig.out.fixed.good | 4 - 
.../system/rrsetorder/dig.out.random.good1 | 4 - .../system/rrsetorder/dig.out.random.good10 | 4 - .../system/rrsetorder/dig.out.random.good11 | 4 - .../system/rrsetorder/dig.out.random.good12 | 4 - .../system/rrsetorder/dig.out.random.good13 | 4 - .../system/rrsetorder/dig.out.random.good14 | 4 - .../system/rrsetorder/dig.out.random.good15 | 4 - .../system/rrsetorder/dig.out.random.good16 | 4 - .../system/rrsetorder/dig.out.random.good17 | 4 - .../system/rrsetorder/dig.out.random.good18 | 4 - .../system/rrsetorder/dig.out.random.good19 | 4 - .../system/rrsetorder/dig.out.random.good2 | 4 - .../system/rrsetorder/dig.out.random.good20 | 4 - .../system/rrsetorder/dig.out.random.good21 | 4 - .../system/rrsetorder/dig.out.random.good22 | 4 - .../system/rrsetorder/dig.out.random.good23 | 4 - .../system/rrsetorder/dig.out.random.good24 | 4 - .../system/rrsetorder/dig.out.random.good3 | 4 - .../system/rrsetorder/dig.out.random.good4 | 4 - .../system/rrsetorder/dig.out.random.good5 | 4 - .../system/rrsetorder/dig.out.random.good6 | 4 - .../system/rrsetorder/dig.out.random.good7 | 4 - .../system/rrsetorder/dig.out.random.good8 | 4 - .../system/rrsetorder/dig.out.random.good9 | 4 - .../tests/system/rrsetorder/ns1/named.conf | 43 - .../bin/tests/system/rrsetorder/ns1/root.db | 40 - .../tests/system/rrsetorder/ns2/named.conf | 45 - .../tests/system/rrsetorder/ns3/named.conf | 45 - .../bind/bin/tests/system/rrsetorder/tests.sh | 329 - usr.sbin/bind/bin/tests/system/tsig/clean.sh | 23 - .../bind/bin/tests/system/tsig/ns1/example.db | 151 - .../bind/bin/tests/system/tsig/ns1/named.conf | 96 - usr.sbin/bind/bin/tests/system/tsig/tests.sh | 218 - .../bind/bin/tests/system/zonechecks/a.db | 19 - .../bind/bin/tests/system/zonechecks/aaaa.db | 19 - .../bind/bin/tests/system/zonechecks/clean.sh | 19 - .../bind/bin/tests/system/zonechecks/cname.db | 19 - .../bind/bin/tests/system/zonechecks/dname.db | 19 - .../bin/tests/system/zonechecks/noaddress.db | 19 - 
.../bin/tests/system/zonechecks/nxdomain.db | 19 - .../bind/bin/tests/system/zonechecks/tests.sh | 164 - usr.sbin/bind/doc/Makefile.in | 29 - usr.sbin/bind/doc/arm/Bv9ARM-book.xml | 12353 ---------------- usr.sbin/bind/doc/arm/Bv9ARM.ch01.html | 560 - usr.sbin/bind/doc/arm/Bv9ARM.ch02.html | 158 - usr.sbin/bind/doc/arm/Bv9ARM.ch03.html | 808 - usr.sbin/bind/doc/arm/Bv9ARM.ch04.html | 1028 -- usr.sbin/bind/doc/arm/Bv9ARM.ch05.html | 143 - usr.sbin/bind/doc/arm/Bv9ARM.ch06.html | 7122 --------- usr.sbin/bind/doc/arm/Bv9ARM.ch07.html | 253 - usr.sbin/bind/doc/arm/Bv9ARM.ch08.html | 139 - usr.sbin/bind/doc/arm/Bv9ARM.ch09.html | 630 - usr.sbin/bind/doc/arm/Bv9ARM.ch10.html | 102 - usr.sbin/bind/doc/arm/Bv9ARM.html | 262 - usr.sbin/bind/doc/arm/Bv9ARM.pdf | 8964 ----------- usr.sbin/bind/doc/arm/Makefile.in | 67 - usr.sbin/bind/doc/arm/README-SGML | 329 - usr.sbin/bind/doc/arm/isc-logo.eps | 12253 --------------- usr.sbin/bind/doc/arm/isc-logo.pdf | Bin 21981 -> 0 bytes usr.sbin/bind/doc/arm/latex-fixup.pl | 49 - usr.sbin/bind/doc/arm/man.dig.html | 665 - usr.sbin/bind/doc/arm/man.dnssec-keygen.html | 269 - .../bind/doc/arm/man.dnssec-signzone.html | 323 - usr.sbin/bind/doc/arm/man.host.html | 249 - .../bind/doc/arm/man.named-checkconf.html | 130 - .../bind/doc/arm/man.named-checkzone.html | 294 - usr.sbin/bind/doc/arm/man.named.html | 293 - usr.sbin/bind/doc/arm/man.rndc-confgen.html | 222 - usr.sbin/bind/doc/arm/man.rndc.conf.html | 255 - usr.sbin/bind/doc/arm/man.rndc.html | 202 - usr.sbin/bind/doc/misc/Makefile.in | 47 - usr.sbin/bind/doc/misc/dnssec | 84 - usr.sbin/bind/doc/misc/format-options.pl | 36 - usr.sbin/bind/doc/misc/ipv6 | 113 - usr.sbin/bind/doc/misc/migration | 257 - usr.sbin/bind/doc/misc/migration-4to9 | 57 - usr.sbin/bind/doc/misc/options | 481 - usr.sbin/bind/doc/misc/rfc-compliance | 62 - usr.sbin/bind/doc/misc/roadmap | 47 - usr.sbin/bind/doc/misc/sdb | 169 - usr.sbin/bind/doc/xsl/Makefile.in | 28 - usr.sbin/bind/doc/xsl/copyright.xsl | 75 - 
.../bind/doc/xsl/isc-docbook-chunk.xsl.in | 65 - usr.sbin/bind/doc/xsl/isc-docbook-html.xsl.in | 58 - .../doc/xsl/isc-docbook-latex-mappings.xml | 37 - .../bind/doc/xsl/isc-docbook-latex.xsl.in | 166 - usr.sbin/bind/doc/xsl/isc-docbook-text.xsl | 50 - usr.sbin/bind/doc/xsl/isc-manpage.xsl.in | 145 - usr.sbin/bind/doc/xsl/pre-latex.xsl | 55 - 213 files changed, 101009 deletions(-) delete mode 100644 usr.sbin/bind/bin/check/Makefile.in delete mode 100644 usr.sbin/bind/bin/check/check-tool.c delete mode 100644 usr.sbin/bind/bin/check/check-tool.h delete mode 100644 usr.sbin/bind/bin/check/named-checkconf.8 delete mode 100644 usr.sbin/bind/bin/check/named-checkconf.c delete mode 100644 usr.sbin/bind/bin/check/named-checkconf.docbook delete mode 100644 usr.sbin/bind/bin/check/named-checkconf.html delete mode 100644 usr.sbin/bind/bin/check/named-checkzone.8 delete mode 100644 usr.sbin/bind/bin/check/named-checkzone.c delete mode 100644 usr.sbin/bind/bin/check/named-checkzone.docbook delete mode 100644 usr.sbin/bind/bin/check/named-checkzone.html delete mode 100644 usr.sbin/bind/bin/dnssec/Makefile.in delete mode 100644 usr.sbin/bind/bin/dnssec/dnssec-keygen.8 delete mode 100644 usr.sbin/bind/bin/dnssec/dnssec-keygen.c delete mode 100644 usr.sbin/bind/bin/dnssec/dnssec-keygen.docbook delete mode 100644 usr.sbin/bind/bin/dnssec/dnssec-keygen.html delete mode 100644 usr.sbin/bind/bin/dnssec/dnssec-signzone.8 delete mode 100644 usr.sbin/bind/bin/dnssec/dnssec-signzone.c delete mode 100644 usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook delete mode 100644 usr.sbin/bind/bin/dnssec/dnssec-signzone.html delete mode 100644 usr.sbin/bind/bin/dnssec/dnssectool.c delete mode 100644 usr.sbin/bind/bin/dnssec/dnssectool.h delete mode 100644 usr.sbin/bind/bin/named/Makefile.in delete mode 100644 usr.sbin/bind/bin/named/builtin.c delete mode 100644 usr.sbin/bind/bin/named/client.c delete mode 100644 usr.sbin/bind/bin/named/config.c delete mode 100644 usr.sbin/bind/bin/named/control.c 
delete mode 100644 usr.sbin/bind/bin/named/controlconf.c delete mode 100644 usr.sbin/bind/bin/named/include/named/builtin.h delete mode 100644 usr.sbin/bind/bin/named/include/named/client.h delete mode 100644 usr.sbin/bind/bin/named/include/named/config.h delete mode 100644 usr.sbin/bind/bin/named/include/named/control.h delete mode 100644 usr.sbin/bind/bin/named/include/named/globals.h delete mode 100644 usr.sbin/bind/bin/named/include/named/interfacemgr.h delete mode 100644 usr.sbin/bind/bin/named/include/named/listenlist.h delete mode 100644 usr.sbin/bind/bin/named/include/named/log.h delete mode 100644 usr.sbin/bind/bin/named/include/named/logconf.h delete mode 100644 usr.sbin/bind/bin/named/include/named/lwaddr.h delete mode 100644 usr.sbin/bind/bin/named/include/named/lwdclient.h delete mode 100644 usr.sbin/bind/bin/named/include/named/lwresd.h delete mode 100644 usr.sbin/bind/bin/named/include/named/lwsearch.h delete mode 100644 usr.sbin/bind/bin/named/include/named/main.h delete mode 100644 usr.sbin/bind/bin/named/include/named/notify.h delete mode 100644 usr.sbin/bind/bin/named/include/named/ns_smf_globals.h delete mode 100644 usr.sbin/bind/bin/named/include/named/query.h delete mode 100644 usr.sbin/bind/bin/named/include/named/server.h delete mode 100644 usr.sbin/bind/bin/named/include/named/sortlist.h delete mode 100644 usr.sbin/bind/bin/named/include/named/tkeyconf.h delete mode 100644 usr.sbin/bind/bin/named/include/named/tsigconf.h delete mode 100644 usr.sbin/bind/bin/named/include/named/types.h delete mode 100644 usr.sbin/bind/bin/named/include/named/update.h delete mode 100644 usr.sbin/bind/bin/named/include/named/xfrout.h delete mode 100644 usr.sbin/bind/bin/named/include/named/zoneconf.h delete mode 100644 usr.sbin/bind/bin/named/interfacemgr.c delete mode 100644 usr.sbin/bind/bin/named/listenlist.c delete mode 100644 usr.sbin/bind/bin/named/log.c delete mode 100644 usr.sbin/bind/bin/named/logconf.c delete mode 100644 
usr.sbin/bind/bin/named/lwaddr.c delete mode 100644 usr.sbin/bind/bin/named/lwdclient.c delete mode 100644 usr.sbin/bind/bin/named/lwderror.c delete mode 100644 usr.sbin/bind/bin/named/lwdgabn.c delete mode 100644 usr.sbin/bind/bin/named/lwdgnba.c delete mode 100644 usr.sbin/bind/bin/named/lwdgrbn.c delete mode 100644 usr.sbin/bind/bin/named/lwdnoop.c delete mode 100644 usr.sbin/bind/bin/named/lwresd.8 delete mode 100644 usr.sbin/bind/bin/named/lwresd.c delete mode 100644 usr.sbin/bind/bin/named/lwresd.docbook delete mode 100644 usr.sbin/bind/bin/named/lwresd.html delete mode 100644 usr.sbin/bind/bin/named/lwsearch.c delete mode 100644 usr.sbin/bind/bin/named/main.c delete mode 100644 usr.sbin/bind/bin/named/named.8 delete mode 100644 usr.sbin/bind/bin/named/named.conf.5 delete mode 100644 usr.sbin/bind/bin/named/named.conf.docbook delete mode 100644 usr.sbin/bind/bin/named/named.conf.html delete mode 100644 usr.sbin/bind/bin/named/named.docbook delete mode 100644 usr.sbin/bind/bin/named/named.html delete mode 100644 usr.sbin/bind/bin/named/notify.c delete mode 100644 usr.sbin/bind/bin/named/query.c delete mode 100644 usr.sbin/bind/bin/named/server.c delete mode 100644 usr.sbin/bind/bin/named/sortlist.c delete mode 100644 usr.sbin/bind/bin/named/tkeyconf.c delete mode 100644 usr.sbin/bind/bin/named/tsigconf.c delete mode 100644 usr.sbin/bind/bin/named/unix/Makefile.in delete mode 100644 usr.sbin/bind/bin/named/unix/include/named/os.h delete mode 100644 usr.sbin/bind/bin/named/unix/os.c delete mode 100644 usr.sbin/bind/bin/named/update.c delete mode 100644 usr.sbin/bind/bin/named/xfrout.c delete mode 100644 usr.sbin/bind/bin/named/zoneconf.c delete mode 100644 usr.sbin/bind/bin/nsupdate/Makefile.in delete mode 100644 usr.sbin/bind/bin/nsupdate/nsupdate.8 delete mode 100644 usr.sbin/bind/bin/nsupdate/nsupdate.c delete mode 100644 usr.sbin/bind/bin/nsupdate/nsupdate.docbook delete mode 100644 usr.sbin/bind/bin/nsupdate/nsupdate.html delete mode 100644 
usr.sbin/bind/bin/rndc/Makefile.in delete mode 100644 usr.sbin/bind/bin/rndc/include/rndc/os.h delete mode 100644 usr.sbin/bind/bin/rndc/rndc-confgen.8 delete mode 100644 usr.sbin/bind/bin/rndc/rndc-confgen.c delete mode 100644 usr.sbin/bind/bin/rndc/rndc-confgen.docbook delete mode 100644 usr.sbin/bind/bin/rndc/rndc-confgen.html delete mode 100644 usr.sbin/bind/bin/rndc/rndc.8 delete mode 100644 usr.sbin/bind/bin/rndc/rndc.c delete mode 100644 usr.sbin/bind/bin/rndc/rndc.conf delete mode 100644 usr.sbin/bind/bin/rndc/rndc.conf.5 delete mode 100644 usr.sbin/bind/bin/rndc/rndc.conf.docbook delete mode 100644 usr.sbin/bind/bin/rndc/rndc.conf.html delete mode 100644 usr.sbin/bind/bin/rndc/rndc.docbook delete mode 100644 usr.sbin/bind/bin/rndc/rndc.html delete mode 100644 usr.sbin/bind/bin/rndc/unix/Makefile.in delete mode 100644 usr.sbin/bind/bin/rndc/unix/os.c delete mode 100644 usr.sbin/bind/bin/rndc/util.c delete mode 100644 usr.sbin/bind/bin/rndc/util.h delete mode 100644 usr.sbin/bind/bin/tests/system/masterformat/clean.sh delete mode 100644 usr.sbin/bind/bin/tests/system/masterformat/ns1/compile.sh delete mode 100644 usr.sbin/bind/bin/tests/system/masterformat/ns1/example.db delete mode 100644 usr.sbin/bind/bin/tests/system/masterformat/ns1/named.conf delete mode 100644 usr.sbin/bind/bin/tests/system/masterformat/ns2/named.conf delete mode 100644 usr.sbin/bind/bin/tests/system/masterformat/setup.sh delete mode 100644 usr.sbin/bind/bin/tests/system/masterformat/tests.sh delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/clean.sh delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good1 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good2 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good3 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good4 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.fixed.good delete mode 100644 
usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good1 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good10 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good11 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good12 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good13 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good14 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good15 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good16 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good17 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good18 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good19 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good2 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good20 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good21 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good22 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good23 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good24 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good3 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good4 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good5 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good6 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good7 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good8 delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good9 delete mode 100644 
usr.sbin/bind/bin/tests/system/rrsetorder/ns1/named.conf delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/ns1/root.db delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/ns2/named.conf delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/ns3/named.conf delete mode 100644 usr.sbin/bind/bin/tests/system/rrsetorder/tests.sh delete mode 100644 usr.sbin/bind/bin/tests/system/tsig/clean.sh delete mode 100644 usr.sbin/bind/bin/tests/system/tsig/ns1/example.db delete mode 100644 usr.sbin/bind/bin/tests/system/tsig/ns1/named.conf delete mode 100644 usr.sbin/bind/bin/tests/system/tsig/tests.sh delete mode 100644 usr.sbin/bind/bin/tests/system/zonechecks/a.db delete mode 100644 usr.sbin/bind/bin/tests/system/zonechecks/aaaa.db delete mode 100644 usr.sbin/bind/bin/tests/system/zonechecks/clean.sh delete mode 100644 usr.sbin/bind/bin/tests/system/zonechecks/cname.db delete mode 100644 usr.sbin/bind/bin/tests/system/zonechecks/dname.db delete mode 100644 usr.sbin/bind/bin/tests/system/zonechecks/noaddress.db delete mode 100644 usr.sbin/bind/bin/tests/system/zonechecks/nxdomain.db delete mode 100644 usr.sbin/bind/bin/tests/system/zonechecks/tests.sh delete mode 100644 usr.sbin/bind/doc/Makefile.in delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM-book.xml delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.ch01.html delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.ch02.html delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.ch03.html delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.ch04.html delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.ch05.html delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.ch06.html delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.ch07.html delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.ch08.html delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.ch09.html delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.ch10.html delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.html delete mode 100644 usr.sbin/bind/doc/arm/Bv9ARM.pdf delete mode 100644 
usr.sbin/bind/doc/arm/Makefile.in delete mode 100644 usr.sbin/bind/doc/arm/README-SGML delete mode 100644 usr.sbin/bind/doc/arm/isc-logo.eps delete mode 100644 usr.sbin/bind/doc/arm/isc-logo.pdf delete mode 100644 usr.sbin/bind/doc/arm/latex-fixup.pl delete mode 100644 usr.sbin/bind/doc/arm/man.dig.html delete mode 100644 usr.sbin/bind/doc/arm/man.dnssec-keygen.html delete mode 100644 usr.sbin/bind/doc/arm/man.dnssec-signzone.html delete mode 100644 usr.sbin/bind/doc/arm/man.host.html delete mode 100644 usr.sbin/bind/doc/arm/man.named-checkconf.html delete mode 100644 usr.sbin/bind/doc/arm/man.named-checkzone.html delete mode 100644 usr.sbin/bind/doc/arm/man.named.html delete mode 100644 usr.sbin/bind/doc/arm/man.rndc-confgen.html delete mode 100644 usr.sbin/bind/doc/arm/man.rndc.conf.html delete mode 100644 usr.sbin/bind/doc/arm/man.rndc.html delete mode 100644 usr.sbin/bind/doc/misc/Makefile.in delete mode 100644 usr.sbin/bind/doc/misc/dnssec delete mode 100644 usr.sbin/bind/doc/misc/format-options.pl delete mode 100644 usr.sbin/bind/doc/misc/ipv6 delete mode 100644 usr.sbin/bind/doc/misc/migration delete mode 100644 usr.sbin/bind/doc/misc/migration-4to9 delete mode 100644 usr.sbin/bind/doc/misc/options delete mode 100644 usr.sbin/bind/doc/misc/rfc-compliance delete mode 100644 usr.sbin/bind/doc/misc/roadmap delete mode 100644 usr.sbin/bind/doc/misc/sdb delete mode 100644 usr.sbin/bind/doc/xsl/Makefile.in delete mode 100644 usr.sbin/bind/doc/xsl/copyright.xsl delete mode 100644 usr.sbin/bind/doc/xsl/isc-docbook-chunk.xsl.in delete mode 100644 usr.sbin/bind/doc/xsl/isc-docbook-html.xsl.in delete mode 100644 usr.sbin/bind/doc/xsl/isc-docbook-latex-mappings.xml delete mode 100644 usr.sbin/bind/doc/xsl/isc-docbook-latex.xsl.in delete mode 100644 usr.sbin/bind/doc/xsl/isc-docbook-text.xsl delete mode 100644 usr.sbin/bind/doc/xsl/isc-manpage.xsl.in delete mode 100644 usr.sbin/bind/doc/xsl/pre-latex.xsl 
diff --git a/usr.sbin/bind/bin/check/Makefile.in b/usr.sbin/bind/bin/check/Makefile.in
deleted file mode 100644
index 1f682891b47..00000000000
--- a/usr.sbin/bind/bin/check/Makefile.in
+++ /dev/null
@@ -1,98 +0,0 @@ -# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2000-2003 Internet Software Consortium. -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: Makefile.in,v 1.24.18.6 2006/06/09 00:54:08 marka Exp $ - -srcdir = @srcdir@ -VPATH = @srcdir@ -top_srcdir = @top_srcdir@ - -@BIND9_VERSION@ - -@BIND9_MAKE_INCLUDES@ - -CINCLUDES = ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \ - ${ISC_INCLUDES} - -CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -CWARNINGS = - -DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ -BIND9LIBS = ../../lib/bind9/libbind9.@A@ - -DNSDEPLIBS = ../../lib/dns/libdns.@A@ -ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ -ISCDEPLIBS = ../../lib/isc/libisc.@A@ -BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ - -LIBS = @LIBS@ - -SUBDIRS = - -# Alphabetically -TARGETS = named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ - -# Alphabetically -SRCS = named-checkconf.c named-checkzone.c check-tool.c - -MANPAGES = named-checkconf.8 named-checkzone.8 - -HTMLPAGES = named-checkconf.html named-checkzone.html - -MANOBJS = ${MANPAGES} ${HTMLPAGES} - -@BIND9_MAKE_RULES@ - -named-checkconf.@O@: named-checkconf.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ - 
-DVERSION=\"${VERSION}\" \ - -c ${srcdir}/named-checkconf.c - -named-checkzone.@O@: named-checkzone.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ - -DVERSION=\"${VERSION}\" \ - -c ${srcdir}/named-checkzone.c - -named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \ - ${ISCCFGDEPLIBS} ${BIND9DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - named-checkconf.@O@ check-tool.@O@ ${BIND9LIBS} ${ISCCFGLIBS} \ - ${DNSLIBS} ${ISCLIBS} ${LIBS} - -named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - named-checkzone.@O@ check-tool.@O@ ${ISCCFGLIBS} ${DNSLIBS} \ - ${ISCLIBS} ${LIBS} - -doc man:: ${MANOBJS} - -docclean manclean maintainer-clean:: - rm -f ${MANOBJS} - -installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - -install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir} - (cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@) - for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done - (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) - -clean distclean:: - rm -f ${TARGETS} r1.htm diff --git a/usr.sbin/bind/bin/check/check-tool.c b/usr.sbin/bind/bin/check/check-tool.c deleted file mode 100644 index 7613b76b095..00000000000 --- a/usr.sbin/bind/bin/check/check-tool.c +++ /dev/null 
@@ -1,543 +0,0 @@ -/* - * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: check-tool.c,v 1.10.18.18 2007/09/13 05:04:01 each Exp $ */ - -/*! \file */ - -#include - -#include - -#include "check-tool.h" -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#ifdef HAVE_ADDRINFO -#ifdef HAVE_GETADDRINFO -#ifdef HAVE_GAISTRERROR -#define USE_GETADDRINFO -#endif -#endif -#endif - -#define CHECK(r) \ - do { \ - result = (r); \ - if (result != ISC_R_SUCCESS) \ - goto cleanup; \ - } while (0) - -static const char *dbtype[] = { "rbt" }; - -int debug = 0; -isc_boolean_t nomerge = ISC_TRUE; -isc_boolean_t docheckmx = ISC_TRUE; -isc_boolean_t dochecksrv = ISC_TRUE; -isc_boolean_t docheckns = ISC_TRUE; -unsigned int zone_options = DNS_ZONEOPT_CHECKNS | - DNS_ZONEOPT_CHECKMX | - DNS_ZONEOPT_MANYERRORS | - DNS_ZONEOPT_CHECKNAMES | - DNS_ZONEOPT_CHECKINTEGRITY | - DNS_ZONEOPT_CHECKWILDCARD | - DNS_ZONEOPT_WARNMXCNAME | - DNS_ZONEOPT_WARNSRVCNAME; - -/* - * This needs to match the list in bin/named/log.c. 
- */ -static isc_logcategory_t categories[] = { - { "", 0 }, - { "client", 0 }, - { "network", 0 }, - { "update", 0 }, - { "queries", 0 }, - { "unmatched", 0 }, - { "update-security", 0 }, - { NULL, 0 } -}; - -static isc_boolean_t -checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner, - dns_rdataset_t *a, dns_rdataset_t *aaaa) -{ -#ifdef USE_GETADDRINFO - dns_rdataset_t *rdataset; - dns_rdata_t rdata = DNS_RDATA_INIT; - struct addrinfo hints, *ai, *cur; - char namebuf[DNS_NAME_FORMATSIZE + 1]; - char ownerbuf[DNS_NAME_FORMATSIZE]; - char addrbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")]; - isc_boolean_t answer = ISC_TRUE; - isc_boolean_t match; - const char *type; - void *ptr = NULL; - int result; - - REQUIRE(a == NULL || !dns_rdataset_isassociated(a) || - a->type == dns_rdatatype_a); - REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) || - aaaa->type == dns_rdatatype_aaaa); - memset(&hints, 0, sizeof(hints)); - hints.ai_flags = AI_CANONNAME; - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - dns_name_format(name, namebuf, sizeof(namebuf) - 1); - /* - * Turn off search. - */ - if (dns_name_countlabels(name) > 1U) - strlcat(namebuf, ".", sizeof(namebuf)); - dns_name_format(owner, ownerbuf, sizeof(ownerbuf)); - - result = getaddrinfo(namebuf, NULL, &hints, &ai); - dns_name_format(name, namebuf, sizeof(namebuf) - 1); - switch (result) { - case 0: - /* - * Work around broken getaddrinfo() implementations that - * fail to set ai_canonname on first entry. 
- */ - cur = ai; - while (cur != NULL && cur->ai_canonname == NULL && - cur->ai_next != NULL) - cur = cur->ai_next; - if (cur != NULL && cur->ai_canonname != NULL && - strcasecmp(ai->ai_canonname, namebuf) != 0) { - dns_zone_log(zone, ISC_LOG_ERROR, - "%s/NS '%s' (out of zone) " - "is a CNAME (illegal)", - ownerbuf, namebuf); - /* XXX950 make fatal for 9.5.0 */ - /* answer = ISC_FALSE; */ - } - break; - case EAI_NONAME: -#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) - case EAI_NODATA: -#endif - dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' (out of zone) " - "has no addresses records (A or AAAA)", - ownerbuf, namebuf); - /* XXX950 make fatal for 9.5.0 */ - return (ISC_TRUE); - - default: - dns_zone_log(zone, ISC_LOG_WARNING, - "getaddrinfo(%s) failed: %s", - namebuf, gai_strerror(result)); - return (ISC_TRUE); - } - if (a == NULL || aaaa == NULL) - return (answer); - /* - * Check that all glue records really exist. - */ - if (!dns_rdataset_isassociated(a)) - goto checkaaaa; - result = dns_rdataset_first(a); - while (result == ISC_R_SUCCESS) { - dns_rdataset_current(a, &rdata); - match = ISC_FALSE; - for (cur = ai; cur != NULL; cur = cur->ai_next) { - if (cur->ai_family != AF_INET) - continue; - ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr; - if (memcmp(ptr, rdata.data, rdata.length) == 0) { - match = ISC_TRUE; - break; - } - } - if (!match) { - dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' " - "extra GLUE A record (%s)", - ownerbuf, namebuf, - inet_ntop(AF_INET, rdata.data, - addrbuf, sizeof(addrbuf))); - /* XXX950 make fatal for 9.5.0 */ - /* answer = ISC_FALSE; */ - } - dns_rdata_reset(&rdata); - result = dns_rdataset_next(a); - } - - checkaaaa: - if (!dns_rdataset_isassociated(aaaa)) - goto checkmissing; - result = dns_rdataset_first(aaaa); - while (result == ISC_R_SUCCESS) { - dns_rdataset_current(aaaa, &rdata); - match = ISC_FALSE; - for (cur = ai; cur != NULL; cur = cur->ai_next) { - if (cur->ai_family != AF_INET6) - continue; - ptr = 
&((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr; - if (memcmp(ptr, rdata.data, rdata.length) == 0) { - match = ISC_TRUE; - break; - } - } - if (!match) { - dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' " - "extra GLUE AAAA record (%s)", - ownerbuf, namebuf, - inet_ntop(AF_INET6, rdata.data, - addrbuf, sizeof(addrbuf))); - /* XXX950 make fatal for 9.5.0. */ - /* answer = ISC_FALSE; */ - } - dns_rdata_reset(&rdata); - result = dns_rdataset_next(aaaa); - } - - checkmissing: - /* - * Check that all addresses appear in the glue. - */ - for (cur = ai; cur != NULL; cur = cur->ai_next) { - switch (cur->ai_family) { - case AF_INET: - rdataset = a; - ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr; - type = "A"; - break; - case AF_INET6: - rdataset = aaaa; - ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr; - type = "AAAA"; - break; - default: - continue; - } - match = ISC_FALSE; - if (dns_rdataset_isassociated(rdataset)) - result = dns_rdataset_first(rdataset); - else - result = ISC_R_FAILURE; - while (result == ISC_R_SUCCESS && !match) { - dns_rdataset_current(rdataset, &rdata); - if (memcmp(ptr, rdata.data, rdata.length) == 0) - match = ISC_TRUE; - dns_rdata_reset(&rdata); - result = dns_rdataset_next(rdataset); - } - if (!match) { - dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' " - "missing GLUE %s record (%s)", - ownerbuf, namebuf, type, - inet_ntop(cur->ai_family, ptr, - addrbuf, sizeof(addrbuf))); - /* XXX950 make fatal for 9.5.0. 
*/ - /* answer = ISC_FALSE; */ - } - } - freeaddrinfo(ai); - return (answer); -#else - return (ISC_TRUE); -#endif -} - -static isc_boolean_t -checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) { -#ifdef USE_GETADDRINFO - struct addrinfo hints, *ai, *cur; - char namebuf[DNS_NAME_FORMATSIZE + 1]; - char ownerbuf[DNS_NAME_FORMATSIZE]; - int result; - int level = ISC_LOG_ERROR; - isc_boolean_t answer = ISC_TRUE; - - memset(&hints, 0, sizeof(hints)); - hints.ai_flags = AI_CANONNAME; - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - dns_name_format(name, namebuf, sizeof(namebuf) - 1); - /* - * Turn off search. - */ - if (dns_name_countlabels(name) > 1U) - strlcat(namebuf, ".", sizeof(namebuf)); - dns_name_format(owner, ownerbuf, sizeof(ownerbuf)); - - result = getaddrinfo(namebuf, NULL, &hints, &ai); - dns_name_format(name, namebuf, sizeof(namebuf) - 1); - switch (result) { - case 0: - /* - * Work around broken getaddrinfo() implementations that - * fail to set ai_canonname on first entry. - */ - cur = ai; - while (cur != NULL && cur->ai_canonname == NULL && - cur->ai_next != NULL) - cur = cur->ai_next; - if (cur != NULL && cur->ai_canonname != NULL && - strcasecmp(cur->ai_canonname, namebuf) != 0) { - if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0) - level = ISC_LOG_WARNING; - if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) { - dns_zone_log(zone, ISC_LOG_WARNING, - "%s/MX '%s' (out of zone) " - "is a CNAME (illegal)", - ownerbuf, namebuf); - if (level == ISC_LOG_ERROR) - answer = ISC_FALSE; - } - } - freeaddrinfo(ai); - return (answer); - - case EAI_NONAME: -#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) - case EAI_NODATA: -#endif - dns_zone_log(zone, ISC_LOG_ERROR, "%s/MX '%s' (out of zone) " - "has no addresses records (A or AAAA)", - ownerbuf, namebuf); - /* XXX950 make fatal for 9.5.0. 
*/ - return (ISC_TRUE); - - default: - dns_zone_log(zone, ISC_LOG_WARNING, - "getaddrinfo(%s) failed: %s", - namebuf, gai_strerror(result)); - return (ISC_TRUE); - } -#else - return (ISC_TRUE); -#endif -} - -static isc_boolean_t -checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) { -#ifdef USE_GETADDRINFO - struct addrinfo hints, *ai, *cur; - char namebuf[DNS_NAME_FORMATSIZE + 1]; - char ownerbuf[DNS_NAME_FORMATSIZE]; - int result; - int level = ISC_LOG_ERROR; - isc_boolean_t answer = ISC_TRUE; - - memset(&hints, 0, sizeof(hints)); - hints.ai_flags = AI_CANONNAME; - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - - dns_name_format(name, namebuf, sizeof(namebuf) - 1); - /* - * Turn off search. - */ - if (dns_name_countlabels(name) > 1U) - strlcat(namebuf, ".", sizeof(namebuf)); - dns_name_format(owner, ownerbuf, sizeof(ownerbuf)); - - result = getaddrinfo(namebuf, NULL, &hints, &ai); - dns_name_format(name, namebuf, sizeof(namebuf) - 1); - switch (result) { - case 0: - /* - * Work around broken getaddrinfo() implementations that - * fail to set ai_canonname on first entry. - */ - cur = ai; - while (cur != NULL && cur->ai_canonname == NULL && - cur->ai_next != NULL) - cur = cur->ai_next; - if (cur != NULL && cur->ai_canonname != NULL && - strcasecmp(cur->ai_canonname, namebuf) != 0) { - if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0) - level = ISC_LOG_WARNING; - if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) { - dns_zone_log(zone, level, - "%s/SRV '%s' (out of zone) " - "is a CNAME (illegal)", - ownerbuf, namebuf); - if (level == ISC_LOG_ERROR) - answer = ISC_FALSE; - } - } - freeaddrinfo(ai); - return (answer); - - case EAI_NONAME: -#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME) - case EAI_NODATA: -#endif - dns_zone_log(zone, ISC_LOG_ERROR, "%s/SRV '%s' (out of zone) " - "has no addresses records (A or AAAA)", - ownerbuf, namebuf); - /* XXX950 make fatal for 9.5.0. 
*/ - return (ISC_TRUE); - - default: - dns_zone_log(zone, ISC_LOG_WARNING, - "getaddrinfo(%s) failed: %s", - namebuf, gai_strerror(result)); - return (ISC_TRUE); - } -#else - return (ISC_TRUE); -#endif -} - -isc_result_t -setup_logging(isc_mem_t *mctx, isc_log_t **logp) { - isc_logdestination_t destination; - isc_logconfig_t *logconfig = NULL; - isc_log_t *log = NULL; - - RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS); - isc_log_registercategories(log, categories); - isc_log_setcontext(log); - dns_log_init(log); - dns_log_setcontext(log); - cfg_log_init(log); - - destination.file.stream = stdout; - destination.file.name = NULL; - destination.file.versions = ISC_LOG_ROLLNEVER; - destination.file.maximum_size = 0; - RUNTIME_CHECK(isc_log_createchannel(logconfig, "stderr", - ISC_LOG_TOFILEDESC, - ISC_LOG_DYNAMIC, - &destination, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr", - NULL, NULL) == ISC_R_SUCCESS); - - *logp = log; - return (ISC_R_SUCCESS); -} - -/*% load the zone */ -isc_result_t -load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, - dns_masterformat_t fileformat, const char *classname, - dns_zone_t **zonep) -{ - isc_result_t result; - dns_rdataclass_t rdclass; - isc_textregion_t region; - isc_buffer_t buffer; - dns_fixedname_t fixorigin; - dns_name_t *origin; - dns_zone_t *zone = NULL; - - REQUIRE(zonep == NULL || *zonep == NULL); - - if (debug) - fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n", - zonename, filename, classname); - - CHECK(dns_zone_create(&zone, mctx)); - - dns_zone_settype(zone, dns_zone_master); - - isc_buffer_init(&buffer, zonename, strlen(zonename)); - isc_buffer_add(&buffer, strlen(zonename)); - dns_fixedname_init(&fixorigin); - origin = dns_fixedname_name(&fixorigin); - CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, - ISC_FALSE, NULL)); - CHECK(dns_zone_setorigin(zone, origin)); - CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) 
dbtype)); - CHECK(dns_zone_setfile2(zone, filename, fileformat)); - - DE_CONST(classname, region.base); - region.length = strlen(classname); - CHECK(dns_rdataclass_fromtext(&rdclass, ®ion)); - - dns_zone_setclass(zone, rdclass); - dns_zone_setoption(zone, zone_options, ISC_TRUE); - dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge); - if (docheckmx) - dns_zone_setcheckmx(zone, checkmx); - if (docheckns) - dns_zone_setcheckns(zone, checkns); - if (dochecksrv) - dns_zone_setchecksrv(zone, checksrv); - - CHECK(dns_zone_load(zone)); - if (zonep != NULL) { - *zonep = zone; - zone = NULL; - } - - cleanup: - if (zone != NULL) - dns_zone_detach(&zone); - return (result); -} - -/*% dump the zone */ -isc_result_t -dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, - dns_masterformat_t fileformat, const dns_master_style_t *style) -{ - isc_result_t result; - FILE *output = stdout; - - if (debug) { - if (filename != NULL) - fprintf(stderr, "dumping \"%s\" to \"%s\"\n", - zonename, filename); - else - fprintf(stderr, "dumping \"%s\"\n", zonename); - } - - if (filename != NULL) { - result = isc_stdio_open(filename, "w+", &output); - - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "could not open output " - "file \"%s\" for writing\n", filename); - return (ISC_R_FAILURE); - } - } - - result = dns_zone_dumptostream2(zone, output, fileformat, style); - - if (filename != NULL) - (void)isc_stdio_close(output); - - return (result); -} diff --git a/usr.sbin/bind/bin/check/check-tool.h b/usr.sbin/bind/bin/check/check-tool.h deleted file mode 100644 index bdd2280ed9d..00000000000 --- a/usr.sbin/bind/bin/check/check-tool.h +++ /dev/null 
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: check-tool.h,v 1.7.18.4 2005/06/20 01:19:25 marka Exp $ */
-
-#ifndef CHECK_TOOL_H
-#define CHECK_TOOL_H
-
-/*! \file */
-
-#include
-#include
-
-#include
-#include
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp);
-
-isc_result_t
-load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
- dns_masterformat_t fileformat, const char *classname,
- dns_zone_t **zonep);
-
-isc_result_t
-dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
- dns_masterformat_t fileformat, const dns_master_style_t *style);
-
-extern int debug;
-extern isc_boolean_t nomerge;
-extern isc_boolean_t docheckmx;
-extern isc_boolean_t docheckns;
-extern isc_boolean_t dochecksrv;
-extern unsigned int zone_options;
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/usr.sbin/bind/bin/check/named-checkconf.8 b/usr.sbin/bind/bin/check/named-checkconf.8
deleted file mode 100644
index a04fd23eab2..00000000000
--- a/usr.sbin/bind/bin/check/named-checkconf.8
+++ /dev/null
@@ -1,89 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $ISC: named-checkconf.8,v 1.16.18.13 2007/06/20 02:26:58 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" Title: named\-checkconf
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.71.1
-.\" Date: June 14, 2000
-.\" Manual: BIND9
-.\" Source: BIND9
-.\"
-.TH "NAMED\-CHECKCONF" "8" "June 14, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named\-checkconf \- named configuration file syntax checking tool
-.SH "SYNOPSIS"
-.HP 16
-\fBnamed\-checkconf\fR [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-z\fR]
-.SH "DESCRIPTION"
-.PP
-\fBnamed\-checkconf\fR
-checks the syntax, but not the semantics, of a named configuration file.
-.SH "OPTIONS"
-.PP
-\-t \fIdirectory\fR
-.RS 4
-Chroot to
-\fIdirectory\fR
-so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.RE
-.PP
-\-v
-.RS 4
-Print the version of the
-\fBnamed\-checkconf\fR
-program and exit.
-.RE
-.PP
-\-z
-.RS 4
-Perform a test load of all master zones found in
-\fInamed.conf\fR.
-.RE
-.PP
-\-j
-.RS 4
-When loading a zonefile read the journal if it exists.
-.RE
-.PP
-filename
-.RS 4
-The name of the configuration file to be checked. If not specified, it defaults to
-\fI/etc/named.conf\fR.
-.RE
-.SH "RETURN VALUES"
-.PP
-\fBnamed\-checkconf\fR
-returns an exit status of 1 if errors were detected and 0 otherwise.
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBnamed\-checkzone\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2002 Internet Software Consortium.
-.br
diff --git a/usr.sbin/bind/bin/check/named-checkconf.c b/usr.sbin/bind/bin/check/named-checkconf.c
deleted file mode 100644
index ab8fbcbccfe..00000000000
--- a/usr.sbin/bind/bin/check/named-checkconf.c
+++ /dev/null
@@ -1,488 +0,0 @@ -/* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: named-checkconf.c,v 1.28.18.14 2006/02/28 03:10:47 marka Exp $ */ - -/*! \file */ - -#include - -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include - -#include -#include -#include -#include -#include - -#include "check-tool.h" - -isc_log_t *logc = NULL; - -#define CHECK(r)\ - do { \ - result = (r); \ - if (result != ISC_R_SUCCESS) \ - goto cleanup; \ - } while (0) - -/*% usage */ -static void -usage(void) { - fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] " - "[named.conf]\n"); - exit(1); -} - -/*% directory callback */ -static isc_result_t -directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) { - isc_result_t result; - const char *directory; - - REQUIRE(strcasecmp("directory", clausename) == 0); - - UNUSED(arg); - UNUSED(clausename); - - /* - * Change directory. 
- */ - directory = cfg_obj_asstring(obj); - result = isc_dir_chdir(directory); - if (result != ISC_R_SUCCESS) { - cfg_obj_log(obj, logc, ISC_LOG_ERROR, - "change directory to '%s' failed: %s\n", - directory, isc_result_totext(result)); - return (result); - } - - return (ISC_R_SUCCESS); -} - -static isc_boolean_t -get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) { - int i; - for (i = 0;; i++) { - if (maps[i] == NULL) - return (ISC_FALSE); - if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) - return (ISC_TRUE); - } -} - -static isc_boolean_t -get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) { - const cfg_listelt_t *element; - const cfg_obj_t *checknames; - const cfg_obj_t *type; - const cfg_obj_t *value; - isc_result_t result; - int i; - - for (i = 0;; i++) { - if (maps[i] == NULL) - return (ISC_FALSE); - checknames = NULL; - result = cfg_map_get(maps[i], "check-names", &checknames); - if (result != ISC_R_SUCCESS) - continue; - if (checknames != NULL && !cfg_obj_islist(checknames)) { - *obj = checknames; - return (ISC_TRUE); - } - for (element = cfg_list_first(checknames); - element != NULL; - element = cfg_list_next(element)) { - value = cfg_listelt_value(element); - type = cfg_tuple_get(value, "type"); - if (strcasecmp(cfg_obj_asstring(type), "master") != 0) - continue; - *obj = cfg_tuple_get(value, "mode"); - return (ISC_TRUE); - } - } -} - -static isc_result_t -config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) { - int i; - - for (i = 0;; i++) { - if (maps[i] == NULL) - return (ISC_R_NOTFOUND); - if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) - return (ISC_R_SUCCESS); - } -} - -/*% configure the zone */ -static isc_result_t -configure_zone(const char *vclass, const char *view, - const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, - const cfg_obj_t *config, isc_mem_t *mctx) -{ - int i = 0; - isc_result_t result; - const char *zclass; - const char *zname; - const char *zfile; - const 
cfg_obj_t *maps[4]; - const cfg_obj_t *zoptions = NULL; - const cfg_obj_t *classobj = NULL; - const cfg_obj_t *typeobj = NULL; - const cfg_obj_t *fileobj = NULL; - const cfg_obj_t *dbobj = NULL; - const cfg_obj_t *obj = NULL; - const cfg_obj_t *fmtobj = NULL; - dns_masterformat_t masterformat; - - zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS; - - zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); - classobj = cfg_tuple_get(zconfig, "class"); - if (!cfg_obj_isstring(classobj)) - zclass = vclass; - else - zclass = cfg_obj_asstring(classobj); - - zoptions = cfg_tuple_get(zconfig, "options"); - maps[i++] = zoptions; - if (vconfig != NULL) - maps[i++] = cfg_tuple_get(vconfig, "options"); - if (config != NULL) { - cfg_map_get(config, "options", &obj); - if (obj != NULL) - maps[i++] = obj; - } - maps[i++] = NULL; - - cfg_map_get(zoptions, "type", &typeobj); - if (typeobj == NULL) - return (ISC_R_FAILURE); - if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0) - return (ISC_R_SUCCESS); - cfg_map_get(zoptions, "database", &dbobj); - if (dbobj != NULL) - return (ISC_R_SUCCESS); - cfg_map_get(zoptions, "file", &fileobj); - if (fileobj == NULL) - return (ISC_R_FAILURE); - zfile = cfg_obj_asstring(fileobj); - - obj = NULL; - if (get_maps(maps, "check-mx", &obj)) { - if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { - zone_options |= DNS_ZONEOPT_CHECKMX; - zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL; - } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { - zone_options |= DNS_ZONEOPT_CHECKMX; - zone_options |= DNS_ZONEOPT_CHECKMXFAIL; - } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { - zone_options &= ~DNS_ZONEOPT_CHECKMX; - zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL; - } else - INSIST(0); - } else { - zone_options |= DNS_ZONEOPT_CHECKMX; - zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL; - } - - obj = NULL; - if (get_maps(maps, "check-integrity", &obj)) { - if (cfg_obj_asboolean(obj)) - zone_options |= DNS_ZONEOPT_CHECKINTEGRITY; - else 
- zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY; - } - - obj = NULL; - if (get_maps(maps, "check-mx-cname", &obj)) { - if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { - zone_options |= DNS_ZONEOPT_WARNMXCNAME; - zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME; - } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { - zone_options &= ~DNS_ZONEOPT_WARNMXCNAME; - zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME; - } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { - zone_options |= DNS_ZONEOPT_WARNMXCNAME; - zone_options |= DNS_ZONEOPT_IGNOREMXCNAME; - } else - INSIST(0); - } else { - zone_options |= DNS_ZONEOPT_WARNMXCNAME; - zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME; - } - - obj = NULL; - if (get_maps(maps, "check-srv-cname", &obj)) { - if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { - zone_options |= DNS_ZONEOPT_WARNSRVCNAME; - zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME; - } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { - zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME; - zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME; - } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { - zone_options |= DNS_ZONEOPT_WARNSRVCNAME; - zone_options |= DNS_ZONEOPT_IGNORESRVCNAME; - } else - INSIST(0); - } else { - zone_options |= DNS_ZONEOPT_WARNSRVCNAME; - zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME; - } - - obj = NULL; - if (get_maps(maps, "check-sibling", &obj)) { - if (cfg_obj_asboolean(obj)) - zone_options |= DNS_ZONEOPT_CHECKSIBLING; - else - zone_options &= ~DNS_ZONEOPT_CHECKSIBLING; - } - - obj = NULL; - if (get_checknames(maps, &obj)) { - if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { - zone_options |= DNS_ZONEOPT_CHECKNAMES; - zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL; - } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { - zone_options |= DNS_ZONEOPT_CHECKNAMES; - zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL; - } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { - zone_options &= ~DNS_ZONEOPT_CHECKNAMES; - 
zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL; - } else - INSIST(0); - } else { - zone_options |= DNS_ZONEOPT_CHECKNAMES; - zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL; - } - - masterformat = dns_masterformat_text; - fmtobj = NULL; - result = config_get(maps, "masterfile-format", &fmtobj); - if (result == ISC_R_SUCCESS) { - const char *masterformatstr = cfg_obj_asstring(fmtobj); - if (strcasecmp(masterformatstr, "text") == 0) - masterformat = dns_masterformat_text; - else if (strcasecmp(masterformatstr, "raw") == 0) - masterformat = dns_masterformat_raw; - else - INSIST(0); - } - - result = load_zone(mctx, zname, zfile, masterformat, zclass, NULL); - if (result != ISC_R_SUCCESS) - fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass, - dns_result_totext(result)); - return(result); -} - -/*% configure a view */ -static isc_result_t -configure_view(const char *vclass, const char *view, const cfg_obj_t *config, - const cfg_obj_t *vconfig, isc_mem_t *mctx) -{ - const cfg_listelt_t *element; - const cfg_obj_t *voptions; - const cfg_obj_t *zonelist; - isc_result_t result = ISC_R_SUCCESS; - isc_result_t tresult; - - voptions = NULL; - if (vconfig != NULL) - voptions = cfg_tuple_get(vconfig, "options"); - - zonelist = NULL; - if (voptions != NULL) - (void)cfg_map_get(voptions, "zone", &zonelist); - else - (void)cfg_map_get(config, "zone", &zonelist); - - for (element = cfg_list_first(zonelist); - element != NULL; - element = cfg_list_next(element)) - { - const cfg_obj_t *zconfig = cfg_listelt_value(element); - tresult = configure_zone(vclass, view, zconfig, vconfig, - config, mctx); - if (tresult != ISC_R_SUCCESS) - result = tresult; - } - return (result); -} - - -/*% load zones from the configuration */ -static isc_result_t -load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) { - const cfg_listelt_t *element; - const cfg_obj_t *classobj; - const cfg_obj_t *views; - const cfg_obj_t *vconfig; - const char *vclass; - isc_result_t result = ISC_R_SUCCESS; - 
isc_result_t tresult; - - views = NULL; - - (void)cfg_map_get(config, "view", &views); - for (element = cfg_list_first(views); - element != NULL; - element = cfg_list_next(element)) - { - const char *vname; - - vclass = "IN"; - vconfig = cfg_listelt_value(element); - if (vconfig != NULL) { - classobj = cfg_tuple_get(vconfig, "class"); - if (cfg_obj_isstring(classobj)) - vclass = cfg_obj_asstring(classobj); - } - vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name")); - tresult = configure_view(vclass, vname, config, vconfig, mctx); - if (tresult != ISC_R_SUCCESS) - result = tresult; - } - - if (views == NULL) { - tresult = configure_view("IN", "_default", config, NULL, mctx); - if (tresult != ISC_R_SUCCESS) - result = tresult; - } - return (result); -} - -/*% The main processing routine */ -int -main(int argc, char **argv) { - int c; - cfg_parser_t *parser = NULL; - cfg_obj_t *config = NULL; - const char *conffile = NULL; - isc_mem_t *mctx = NULL; - isc_result_t result; - int exit_status = 0; - isc_entropy_t *ectx = NULL; - isc_boolean_t load_zones = ISC_FALSE; - - while ((c = isc_commandline_parse(argc, argv, "djt:vz")) != EOF) { - switch (c) { - case 'd': - debug++; - break; - - case 'j': - nomerge = ISC_FALSE; - break; - - case 't': - result = isc_dir_chroot(isc_commandline_argument); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "isc_dir_chroot: %s\n", - isc_result_totext(result)); - exit(1); - } - result = isc_dir_chdir("/"); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "isc_dir_chdir: %s\n", - isc_result_totext(result)); - exit(1); - } - break; - - case 'v': - printf(VERSION "\n"); - exit(0); - - case 'z': - load_zones = ISC_TRUE; - docheckmx = ISC_FALSE; - docheckns = ISC_FALSE; - dochecksrv = ISC_FALSE; - break; - - default: - usage(); - } - } - - if (argv[isc_commandline_index] != NULL) - conffile = argv[isc_commandline_index]; - if (conffile == NULL || conffile[0] == '\0') - conffile = NAMED_CONFFILE; - - RUNTIME_CHECK(isc_mem_create(0, 0, 
&mctx) == ISC_R_SUCCESS); - - RUNTIME_CHECK(setup_logging(mctx, &logc) == ISC_R_SUCCESS); - - RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS); - RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE) - == ISC_R_SUCCESS); - - dns_result_register(); - - RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS); - - cfg_parser_setcallback(parser, directory_callback, NULL); - - if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) != - ISC_R_SUCCESS) - exit(1); - - result = bind9_check_namedconf(config, logc, mctx); - if (result != ISC_R_SUCCESS) - exit_status = 1; - - if (result == ISC_R_SUCCESS && load_zones) { - result = load_zones_fromconfig(config, mctx); - if (result != ISC_R_SUCCESS) - exit_status = 1; - } - - cfg_obj_destroy(parser, &config); - - cfg_parser_destroy(&parser); - - dns_name_destroy(); - - isc_log_destroy(&logc); - - isc_hash_destroy(); - isc_entropy_detach(&ectx); - - isc_mem_destroy(&mctx); - - return (exit_status); -} diff --git a/usr.sbin/bind/bin/check/named-checkconf.docbook b/usr.sbin/bind/bin/check/named-checkconf.docbook deleted file mode 100644 index cecc43c0da1..00000000000 --- a/usr.sbin/bind/bin/check/named-checkconf.docbook +++ /dev/null 
@@ -1,161 +0,0 @@ -]> - - - - - - June 14, 2000 - - - - named-checkconf - 8 - BIND9 - - - - - 2004 - 2005 - 2007 - Internet Systems Consortium, Inc. ("ISC") - - - 2000 - 2001 - 2002 - Internet Software Consortium. - - - - - named-checkconf - named configuration file syntax checking tool - - - - - named-checkconf - - - - filename - - - - - - DESCRIPTION - named-checkconf - checks the syntax, but not the semantics, of a named - configuration file. - - - - - OPTIONS - - - - -t directory - - - Chroot to directory so that - include - directives in the configuration file are processed as if - run by a similarly chrooted named. - - - - - - -v - - - Print the version of the named-checkconf - program and exit. - - - - - - -z - - - Perform a test load of all master zones found in - named.conf. - - - - - - -j - - - When loading a zonefile read the journal if it exists. - - - - - - filename - - - The name of the configuration file to be checked. If not - specified, it defaults to /etc/named.conf. - - - - - - - - - - RETURN VALUES - named-checkconf - returns an exit status of 1 if - errors were detected and 0 otherwise. - - - - - SEE ALSO - - named8 - , - - named-checkzone8 - , - BIND 9 Administrator Reference Manual. - - - - - AUTHOR - Internet Systems Consortium - - - - diff --git a/usr.sbin/bind/bin/check/named-checkconf.html b/usr.sbin/bind/bin/check/named-checkconf.html deleted file mode 100644 index 3fa347a5156..00000000000 --- a/usr.sbin/bind/bin/check/named-checkconf.html +++ /dev/null @@ -1,92 +0,0 @@ - - - - - -named-checkconf - - -
-
-
-

Name

-

named-checkconf — named configuration file syntax checking tool

-
-
-

Synopsis

-

named-checkconf [-v] [-j] [-t directory] {filename} [-z]

-
-
-

DESCRIPTION

-

named-checkconf - checks the syntax, but not the semantics, of a named - configuration file. -

-
-
-

OPTIONS

-
-
-t directory
-

- Chroot to directory so that - include - directives in the configuration file are processed as if - run by a similarly chrooted named. -

-
-v
-

- Print the version of the named-checkconf - program and exit. -

-
-z
-

- Perform a test load of all master zones found in - named.conf. -

-
-j
-

- When loading a zonefile read the journal if it exists. -

-
filename
-

- The name of the configuration file to be checked. If not - specified, it defaults to /etc/named.conf. -

-
-
-
-

RETURN VALUES

-

named-checkconf - returns an exit status of 1 if - errors were detected and 0 otherwise. -

-
-
-

SEE ALSO

-

named(8), - named-checkzone(8), - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
- diff --git a/usr.sbin/bind/bin/check/named-checkzone.8 b/usr.sbin/bind/bin/check/named-checkzone.8 deleted file mode 100644 index e550e8d7ef8..00000000000 --- a/usr.sbin/bind/bin/check/named-checkzone.8 +++ /dev/null 
@@ -1,269 +0,0 @@
-.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $ISC: named-checkzone.8,v 1.18.18.23 2007/06/20 02:26:58 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" Title: named\-checkzone
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.71.1
-.\" Date: June 13, 2000
-.\" Manual: BIND9
-.\" Source: BIND9
-.\"
-.TH "NAMED\-CHECKZONE" "8" "June 13, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
-.SH "SYNOPSIS"
-.HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
-.HP 18
-\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
-.SH "DESCRIPTION"
-.PP
-\fBnamed\-checkzone\fR
-checks the syntax and integrity of a zone file. It performs the same checks as
-\fBnamed\fR
-does when loading a zone. This makes
-\fBnamed\-checkzone\fR
-useful for checking zone files before configuring them into a name server.
-.PP
-\fBnamed\-compilezone\fR
-is similar to
-\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
-\fBnamed\fR. When manually specified otherwise, the check levels must at least be as strict as those specified in the
-\fBnamed\fR
-configuration file.
-.SH "OPTIONS"
-.PP
-\-d
-.RS 4
-Enable debugging.
-.RE
-.PP
-\-q
-.RS 4
-Quiet mode \- exit code only.
-.RE
-.PP
-\-v
-.RS 4
-Print the version of the
-\fBnamed\-checkzone\fR
-program and exit.
-.RE
-.PP
-\-j
-.RS 4
-When loading the zone file read the journal if it exists.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specify the class of the zone. If not specified "IN" is assumed.
-.RE
-.PP
-\-i \fImode\fR
-.RS 4
-Perform post\-load zone integrity checks. Possible modes are
-\fB"full"\fR
-(default),
-\fB"full\-sibling"\fR,
-\fB"local"\fR,
-\fB"local\-sibling"\fR
-and
-\fB"none"\fR.
-.sp
-Mode
-\fB"full"\fR
-checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). 
Mode
-\fB"local"\fR
-only checks MX records which refer to in\-zone hostnames.
-.sp
-Mode
-\fB"full"\fR
-checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
-\fB"local"\fR
-only checks SRV records which refer to in\-zone hostnames.
-.sp
-Mode
-\fB"full"\fR
-checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode
-\fB"local"\fR
-only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.
-.sp
-Mode
-\fB"full\-sibling"\fR
-and
-\fB"local\-sibling"\fR
-disable sibling glue checks but are otherwise the same as
-\fB"full"\fR
-and
-\fB"local"\fR
-respectively.
-.sp
-Mode
-\fB"none"\fR
-disables the checks.
-.RE
-.PP
-\-f \fIformat\fR
-.RS 4
-Specify the format of the zone file. Possible formats are
-\fB"text"\fR
-(default) and
-\fB"raw"\fR.
-.RE
-.PP
-\-F \fIformat\fR
-.RS 4
-Specify the format of the output file specified. Possible formats are
-\fB"text"\fR
-(default) and
-\fB"raw"\fR. For
-\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents.
-.RE
-.PP
-\-k \fImode\fR
-.RS 4
-Perform
-\fB"check\-names"\fR
-checks with the specified failure mode. Possible modes are
-\fB"fail"\fR
-(default for
-\fBnamed\-compilezone\fR),
-\fB"warn"\fR
-(default for
-\fBnamed\-checkzone\fR) and
-\fB"ignore"\fR.
-.RE
-.PP
-\-m \fImode\fR
-.RS 4
-Specify whether MX records should be checked to see if they are addresses. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR.
-.RE
-.PP
-\-M \fImode\fR
-.RS 4
-Check if a MX record refers to a CNAME. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR.
-.RE
-.PP
-\-n \fImode\fR
-.RS 4
-Specify whether NS records should be checked to see if they are addresses. 
Possible modes are
-\fB"fail"\fR
-(default for
-\fBnamed\-compilezone\fR),
-\fB"warn"\fR
-(default for
-\fBnamed\-checkzone\fR) and
-\fB"ignore"\fR.
-.RE
-.PP
-\-o \fIfilename\fR
-.RS 4
-Write zone output to
-\fIfilename\fR. This is mandatory for
-\fBnamed\-compilezone\fR.
-.RE
-.PP
-\-s \fIstyle\fR
-.RS 4
-Specify the style of the dumped zone file. Possible styles are
-\fB"full"\fR
-(default) and
-\fB"relative"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand. For
-\fBnamed\-checkzone\fR
-this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text.
-.RE
-.PP
-\-S \fImode\fR
-.RS 4
-Check if a SRV record refers to a CNAME. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR.
-.RE
-.PP
-\-t \fIdirectory\fR
-.RS 4
-Chroot to
-\fIdirectory\fR
-so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.RE
-.PP
-\-w \fIdirectory\fR
-.RS 4
-chdir to
-\fIdirectory\fR
-so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in
-\fInamed.conf\fR.
-.RE
-.PP
-\-D
-.RS 4
-Dump zone file in canonical format. This is always enabled for
-\fBnamed\-compilezone\fR.
-.RE
-.PP
-\-W \fImode\fR
-.RS 4
-Specify whether to check for non\-terminal wildcards. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR.
-.RE
-.PP
-zonename
-.RS 4
-The domain name of the zone being checked.
-.RE
-.PP
-filename
-.RS 4
-The name of the zone file.
-.RE
-.SH "RETURN VALUES"
-.PP
-\fBnamed\-checkzone\fR
-returns an exit status of 1 if errors were detected and 0 otherwise.
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBnamed\-checkconf\fR(8),
-RFC 1035,
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2002 Internet Software Consortium.
-.br
diff --git a/usr.sbin/bind/bin/check/named-checkzone.c b/usr.sbin/bind/bin/check/named-checkzone.c
deleted file mode 100644
index 8f205a7ef39..00000000000
--- a/usr.sbin/bind/bin/check/named-checkzone.c
+++ /dev/null
@@ -1,429 +0,0 @@
-/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: named-checkzone.c,v 1.29.18.19 2007/08/28 07:19:55 tbox Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "check-tool.h"
-
-static int quiet = 0;
-static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
-dns_zone_t *zone = NULL;
-dns_zonetype_t zonetype = dns_zone_master;
-static int dumpzone = 0;
-static const char *output_filename;
-static char *prog_name = NULL;
-static const dns_master_style_t *outputstyle = NULL;
-static enum { progmode_check, progmode_compile } progmode;
-
-#define ERRRET(result, function) \
- do { \
- if (result != ISC_R_SUCCESS) { \
- if (!quiet) \
- fprintf(stderr, "%s() returned %s\n", \
- function, dns_result_totext(result)); \
- return (result); \
- } \
- } while (0)
-
-static void
-usage(void) {
- fprintf(stderr,
- "usage: %s [-djqvD] [-c class] [-o output] "
- "[-f inputformat] [-F outputformat] "
- "[-t 
directory] [-w directory] [-k (ignore|warn|fail)] "
- "[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
- "[-i (full|local|none)] [-M (ignore|warn|fail)] "
- "[-S (ignore|warn|fail)] [-W (ignore|warn)] "
- "zonename filename\n", prog_name);
- exit(1);
-}
-
-static void
-destroy(void) {
- if (zone != NULL)
- dns_zone_detach(&zone);
- dns_name_destroy();
-}
-
-/*% main processing routine */
-int
-main(int argc, char **argv) {
- int c;
- char *origin = NULL;
- char *filename = NULL;
- isc_log_t *lctx = NULL;
- isc_result_t result;
- char classname_in[] = "IN";
- char *classname = classname_in;
- const char *workdir = NULL;
- const char *inputformatstr = NULL;
- const char *outputformatstr = NULL;
- dns_masterformat_t inputformat = dns_masterformat_text;
- dns_masterformat_t outputformat = dns_masterformat_text;
-
- outputstyle = &dns_master_style_full;
-
- prog_name = strrchr(argv[0], '/');
- if (prog_name == NULL)
- prog_name = strrchr(argv[0], '\\');
- if (prog_name != NULL)
- prog_name++;
- else
- prog_name = argv[0];
- /*
- * Libtool doesn't preserve the program name prior to final
- * installation. Remove the libtool prefix ("lt-").
- */
- if (strncmp(prog_name, "lt-", 3) == 0)
- prog_name += 3;
- if (strcmp(prog_name, "named-checkzone") == 0)
- progmode = progmode_check;
- else if (strcmp(prog_name, "named-compilezone") == 0)
- progmode = progmode_compile;
- else
- INSIST(0);
-
- /* Compilation specific defaults */
- if (progmode == progmode_compile) {
- zone_options |= (DNS_ZONEOPT_CHECKNS |
- DNS_ZONEOPT_FATALNS |
- DNS_ZONEOPT_CHECKNAMES |
- DNS_ZONEOPT_CHECKNAMESFAIL |
- DNS_ZONEOPT_CHECKWILDCARD);
- }
-
-#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
-
- while ((c = isc_commandline_parse(argc, argv,
- "c:df:i:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
- != EOF) {
- switch (c) {
- case 'c':
- classname = isc_commandline_argument;
- break;
-
- case 'd':
- debug++;
- break;
-
- case 'i':
- if (ARGCMP("full")) {
- zone_options |= DNS_ZONEOPT_CHECKINTEGRITY |
- DNS_ZONEOPT_CHECKSIBLING;
- docheckmx = ISC_TRUE;
- docheckns = ISC_TRUE;
- dochecksrv = ISC_TRUE;
- } else if (ARGCMP("full-sibling")) {
- zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
- zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
- docheckmx = ISC_TRUE;
- docheckns = ISC_TRUE;
- dochecksrv = ISC_TRUE;
- } else if (ARGCMP("local")) {
- zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
- zone_options |= DNS_ZONEOPT_CHECKSIBLING;
- docheckmx = ISC_FALSE;
- docheckns = ISC_FALSE;
- dochecksrv = ISC_FALSE;
- } else if (ARGCMP("local-sibling")) {
- zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
- zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
- docheckmx = ISC_FALSE;
- docheckns = ISC_FALSE;
- dochecksrv = ISC_FALSE;
- } else if (ARGCMP("none")) {
- zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
- zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
- docheckmx = ISC_FALSE;
- docheckns = ISC_FALSE;
- dochecksrv = ISC_FALSE;
- } else {
- fprintf(stderr, "invalid argument to -i: %s\n",
- isc_commandline_argument);
- exit(1);
- }
- break;
-
- case 'f':
- inputformatstr = isc_commandline_argument;
- break;
-
- case 'F':
- outputformatstr = isc_commandline_argument;
- 
break;
-
- case 'j':
- nomerge = ISC_FALSE;
- break;
-
- case 'k':
- if (ARGCMP("warn")) {
- zone_options |= DNS_ZONEOPT_CHECKNAMES;
- zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
- } else if (ARGCMP("fail")) {
- zone_options |= DNS_ZONEOPT_CHECKNAMES |
- DNS_ZONEOPT_CHECKNAMESFAIL;
- } else if (ARGCMP("ignore")) {
- zone_options &= ~(DNS_ZONEOPT_CHECKNAMES |
- DNS_ZONEOPT_CHECKNAMESFAIL);
- } else {
- fprintf(stderr, "invalid argument to -k: %s\n",
- isc_commandline_argument);
- exit(1);
- }
- break;
-
- case 'n':
- if (ARGCMP("ignore")) {
- zone_options &= ~(DNS_ZONEOPT_CHECKNS|
- DNS_ZONEOPT_FATALNS);
- } else if (ARGCMP("warn")) {
- zone_options |= DNS_ZONEOPT_CHECKNS;
- zone_options &= ~DNS_ZONEOPT_FATALNS;
- } else if (ARGCMP("fail")) {
- zone_options |= DNS_ZONEOPT_CHECKNS|
- DNS_ZONEOPT_FATALNS;
- } else {
- fprintf(stderr, "invalid argument to -n: %s\n",
- isc_commandline_argument);
- exit(1);
- }
- break;
-
- case 'm':
- if (ARGCMP("warn")) {
- zone_options |= DNS_ZONEOPT_CHECKMX;
- zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
- } else if (ARGCMP("fail")) {
- zone_options |= DNS_ZONEOPT_CHECKMX |
- DNS_ZONEOPT_CHECKMXFAIL;
- } else if (ARGCMP("ignore")) {
- zone_options &= ~(DNS_ZONEOPT_CHECKMX |
- DNS_ZONEOPT_CHECKMXFAIL);
- } else {
- fprintf(stderr, "invalid argument to -m: %s\n",
- isc_commandline_argument);
- exit(1);
- }
- break;
-
- case 'q':
- quiet++;
- break;
-
- case 't':
- result = isc_dir_chroot(isc_commandline_argument);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chroot: %s: %s\n",
- isc_commandline_argument,
- isc_result_totext(result));
- exit(1);
- }
- result = isc_dir_chdir("/");
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chdir: %s\n",
- isc_result_totext(result));
- exit(1);
- }
- break;
-
- case 's':
- if (ARGCMP("full"))
- outputstyle = &dns_master_style_full;
- else if (ARGCMP("relative")) {
- outputstyle = &dns_master_style_default;
- } else {
- fprintf(stderr,
- "unknown or unsupported style: %s\n",
- 
isc_commandline_argument);
- exit(1);
- }
- break;
-
- case 'o':
- output_filename = isc_commandline_argument;
- break;
-
- case 'v':
- printf(VERSION "\n");
- exit(0);
-
- case 'w':
- workdir = isc_commandline_argument;
- break;
-
- case 'D':
- dumpzone++;
- break;
-
- case 'M':
- if (ARGCMP("fail")) {
- zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
- zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
- } else if (ARGCMP("warn")) {
- zone_options |= DNS_ZONEOPT_WARNMXCNAME;
- zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
- } else if (ARGCMP("ignore")) {
- zone_options |= DNS_ZONEOPT_WARNMXCNAME;
- zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
- } else {
- fprintf(stderr, "invalid argument to -M: %s\n",
- isc_commandline_argument);
- exit(1);
- }
- break;
-
- case 'S':
- if (ARGCMP("fail")) {
- zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
- zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
- } else if (ARGCMP("warn")) {
- zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
- zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
- } else if (ARGCMP("ignore")) {
- zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
- zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
- } else {
- fprintf(stderr, "invalid argument to -S: %s\n",
- isc_commandline_argument);
- exit(1);
- }
- break;
-
- case 'W':
- if (ARGCMP("warn"))
- zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
- else if (ARGCMP("ignore"))
- zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
- break;
-
- default:
- usage();
- }
- }
-
- if (progmode == progmode_compile) {
- dumpzone = 1; /* always dump */
- if (output_filename == NULL) {
- fprintf(stderr,
- "output file required, but not specified\n");
- usage();
- }
- }
-
- if (workdir != NULL) {
- result = isc_dir_chdir(workdir);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chdir: %s: %s\n",
- workdir, isc_result_totext(result));
- exit(1);
- }
- }
-
- if (inputformatstr != NULL) {
- if (strcasecmp(inputformatstr, "text") == 0)
- inputformat = dns_masterformat_text;
- else if (strcasecmp(inputformatstr, "raw") == 0)
- 
inputformat = dns_masterformat_raw;
- else {
- fprintf(stderr, "unknown file format: %s\n",
- inputformatstr);
- exit(1);
- }
- }
-
- if (outputformatstr != NULL) {
- if (strcasecmp(outputformatstr, "text") == 0)
- outputformat = dns_masterformat_text;
- else if (strcasecmp(outputformatstr, "raw") == 0)
- outputformat = dns_masterformat_raw;
- else {
- fprintf(stderr, "unknown file format: %s\n",
- outputformatstr);
- exit(1);
- }
- }
-
- if (isc_commandline_index + 2 > argc)
- usage();
-
- RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
- if (!quiet)
- RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS);
- RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
- RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
- == ISC_R_SUCCESS);
-
- dns_result_register();
-
- origin = argv[isc_commandline_index++];
- filename = argv[isc_commandline_index++];
- result = load_zone(mctx, origin, filename, inputformat, classname,
- &zone);
-
- if (result == ISC_R_SUCCESS && dumpzone) {
- if (!quiet && progmode == progmode_compile) {
- fprintf(stdout, "dump zone to %s...", output_filename);
- fflush(stdout);
- }
- result = dump_zone(origin, zone, output_filename,
- outputformat, outputstyle);
- if (!quiet && progmode == progmode_compile)
- fprintf(stdout, "done\n");
- }
-
- if (!quiet && result == ISC_R_SUCCESS)
- fprintf(stdout, "OK\n");
- destroy();
- if (lctx != NULL)
- isc_log_destroy(&lctx);
- isc_hash_destroy();
- isc_entropy_detach(&ectx);
- isc_mem_destroy(&mctx);
- return ((result == ISC_R_SUCCESS) ? 0 : 1);
-}
diff --git a/usr.sbin/bind/bin/check/named-checkzone.docbook b/usr.sbin/bind/bin/check/named-checkzone.docbook
deleted file mode 100644
index 477582cc896..00000000000
--- a/usr.sbin/bind/bin/check/named-checkzone.docbook
+++ /dev/null
@@ -1,443 +0,0 @@ -]> - - - - - - June 13, 2000 - - - - named-checkzone - 8 - BIND9 - - - - - 2004 - 2005 - 2006 - 2007 - Internet Systems Consortium, Inc. ("ISC") - - - 2000 - 2001 - 2002 - Internet Software Consortium. - - - - - named-checkzone - named-compilezone - zone file validity checking or converting tool - - - - - named-checkzone - - - - - - - - - - - - - - - - - - - - zonename - filename - - - named-compilezone - - - - - - - - - - - - - - - - - - - zonename - filename - - - - - DESCRIPTION - named-checkzone - checks the syntax and integrity of a zone file. It performs the - same checks as named does when loading a - zone. This makes named-checkzone useful for - checking zone files before configuring them into a name server. - - - named-compilezone is similar to - named-checkzone, but it always dumps the - zone contents to a specified file in a specified format. - Additionally, it applies stricter check levels by default, - since the dump output will be used as an actual zone file - loaded by named. - When manually specified otherwise, the check levels must at - least be as strict as those specified in the - named configuration file. - - - - - OPTIONS - - - - -d - - - Enable debugging. - - - - - - -q - - - Quiet mode - exit code only. - - - - - - -v - - - Print the version of the named-checkzone - program and exit. - - - - - - -j - - - When loading the zone file read the journal if it exists. - - - - - - -c class - - - Specify the class of the zone. If not specified "IN" is assumed. - - - - - - -i mode - - - Perform post-load zone integrity checks. Possible modes are - "full" (default), - "full-sibling", - "local", - "local-sibling" and - "none". - - - Mode "full" checks that MX records - refer to A or AAAA record (both in-zone and out-of-zone - hostnames). Mode "local" only - checks MX records which refer to in-zone hostnames. - - - Mode "full" checks that SRV records - refer to A or AAAA record (both in-zone and out-of-zone - hostnames). 
Mode "local" only - checks SRV records which refer to in-zone hostnames. - - - Mode "full" checks that delegation NS - records refer to A or AAAA record (both in-zone and out-of-zone - hostnames). It also checks that glue address records - in the zone match those advertised by the child. - Mode "local" only checks NS records which - refer to in-zone hostnames or that some required glue exists, - that is when the nameserver is in a child zone. - - - Mode "full-sibling" and - "local-sibling" disable sibling glue - checks but are otherwise the same as "full" - and "local" respectively. - - - Mode "none" disables the checks. - - - - - - -f format - - - Specify the format of the zone file. - Possible formats are "text" (default) - and "raw". - - - - - - -F format - - - Specify the format of the output file specified. - Possible formats are "text" (default) - and "raw". - For named-checkzone, - this does not cause any effects unless it dumps the zone - contents. - - - - - - -k mode - - - Perform "check-names" checks with the - specified failure mode. - Possible modes are "fail" - (default for named-compilezone), - "warn" - (default for named-checkzone) and - "ignore". - - - - - - -m mode - - - Specify whether MX records should be checked to see if they - are addresses. Possible modes are "fail", - "warn" (default) and - "ignore". - - - - - - -M mode - - - Check if a MX record refers to a CNAME. - Possible modes are "fail", - "warn" (default) and - "ignore". - - - - - - -n mode - - - Specify whether NS records should be checked to see if they - are addresses. - Possible modes are "fail" - (default for named-compilezone), - "warn" - (default for named-checkzone) and - "ignore". - - - - - - -o filename - - - Write zone output to filename. - This is mandatory for named-compilezone. - - - - - - -s style - - - Specify the style of the dumped zone file. - Possible styles are "full" (default) - and "relative". 
- The full format is most suitable for processing - automatically by a separate script. - On the other hand, the relative format is more - human-readable and is thus suitable for editing by hand. - For named-checkzone - this does not cause any effects unless it dumps the zone - contents. - It also does not have any meaning if the output format - is not text. - - - - - - -S mode - - - Check if a SRV record refers to a CNAME. - Possible modes are "fail", - "warn" (default) and - "ignore". - - - - - - -t directory - - - Chroot to directory so that - include - directives in the configuration file are processed as if - run by a similarly chrooted named. - - - - - - -w directory - - - chdir to directory so that - relative - filenames in master file $INCLUDE directives work. This - is similar to the directory clause in - named.conf. - - - - - - -D - - - Dump zone file in canonical format. - This is always enabled for named-compilezone. - - - - - - -W mode - - - Specify whether to check for non-terminal wildcards. - Non-terminal wildcards are almost always the result of a - failure to understand the wildcard matching algorithm (RFC 1034). - Possible modes are "warn" (default) - and - "ignore". - - - - - - zonename - - - The domain name of the zone being checked. - - - - - - filename - - - The name of the zone file. - - - - - - - - - - RETURN VALUES - named-checkzone - returns an exit status of 1 if - errors were detected and 0 otherwise. - - - - - SEE ALSO - - named8 - , - - named-checkconf8 - , - RFC 1035, - BIND 9 Administrator Reference Manual. - - - - - AUTHOR - Internet Systems Consortium - - - - diff --git a/usr.sbin/bind/bin/check/named-checkzone.html b/usr.sbin/bind/bin/check/named-checkzone.html deleted file mode 100644 index 726fcad7005..00000000000 --- a/usr.sbin/bind/bin/check/named-checkzone.html +++ /dev/null @@ -1,256 +0,0 @@ - - - - - -named-checkzone - - -
-
-
-

Name

-

named-checkzone, named-compilezone — zone file validity checking or converting tool

-
-
-

Synopsis

-

named-checkzone [-d] [-j] [-q] [-v] [-c class] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-M mode] [-n mode] [-o filename] [-s style] [-S mode] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

-

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

-
-
-

DESCRIPTION

-

named-checkzone - checks the syntax and integrity of a zone file. It performs the - same checks as named does when loading a - zone. This makes named-checkzone useful for - checking zone files before configuring them into a name server. -

-

- named-compilezone is similar to - named-checkzone, but it always dumps the - zone contents to a specified file in a specified format. - Additionally, it applies stricter check levels by default, - since the dump output will be used as an actual zone file - loaded by named. - When manually specified otherwise, the check levels must at - least be as strict as those specified in the - named configuration file. -

-
-
-

OPTIONS

-
-
-d
-

- Enable debugging. -

-
-q
-

- Quiet mode - exit code only. -

-
-v
-

- Print the version of the named-checkzone - program and exit. -

-
-j
-

- When loading the zone file read the journal if it exists. -

-
-c class
-

- Specify the class of the zone. If not specified "IN" is assumed. -

-
-i mode
-
-

- Perform post-load zone integrity checks. Possible modes are - "full" (default), - "full-sibling", - "local", - "local-sibling" and - "none". -

-

- Mode "full" checks that MX records - refer to A or AAAA record (both in-zone and out-of-zone - hostnames). Mode "local" only - checks MX records which refer to in-zone hostnames. -

-

- Mode "full" checks that SRV records - refer to A or AAAA record (both in-zone and out-of-zone - hostnames). Mode "local" only - checks SRV records which refer to in-zone hostnames. -

-

- Mode "full" checks that delegation NS - records refer to A or AAAA record (both in-zone and out-of-zone - hostnames). It also checks that glue address records - in the zone match those advertised by the child. - Mode "local" only checks NS records which - refer to in-zone hostnames or that some required glue exists, - that is when the nameserver is in a child zone. -

-

- Mode "full-sibling" and - "local-sibling" disable sibling glue - checks but are otherwise the same as "full" - and "local" respectively. -

-

- Mode "none" disables the checks. -

-
-
-f format
-

- Specify the format of the zone file. - Possible formats are "text" (default) - and "raw". -

-
-F format
-

- Specify the format of the output file specified. - Possible formats are "text" (default) - and "raw". - For named-checkzone, - this does not cause any effects unless it dumps the zone - contents. -

-
-k mode
-

- Perform "check-names" checks with the - specified failure mode. - Possible modes are "fail" - (default for named-compilezone), - "warn" - (default for named-checkzone) and - "ignore". -

-
-m mode
-

- Specify whether MX records should be checked to see if they - are addresses. Possible modes are "fail", - "warn" (default) and - "ignore". -

-
-M mode
-

- Check if a MX record refers to a CNAME. - Possible modes are "fail", - "warn" (default) and - "ignore". -

-
-n mode
-

- Specify whether NS records should be checked to see if they - are addresses. - Possible modes are "fail" - (default for named-compilezone), - "warn" - (default for named-checkzone) and - "ignore". -

-
-o filename
-

- Write zone output to filename. - This is mandatory for named-compilezone. -

-
-s style
-

- Specify the style of the dumped zone file. - Possible styles are "full" (default) - and "relative". - The full format is most suitable for processing - automatically by a separate script. - On the other hand, the relative format is more - human-readable and is thus suitable for editing by hand. - For named-checkzone - this does not cause any effects unless it dumps the zone - contents. - It also does not have any meaning if the output format - is not text. -

-
-S mode
-

- Check if a SRV record refers to a CNAME. - Possible modes are "fail", - "warn" (default) and - "ignore". -

-
-t directory
-

- Chroot to directory so that - include - directives in the configuration file are processed as if - run by a similarly chrooted named. -

-
-w directory
-

- chdir to directory so that - relative - filenames in master file $INCLUDE directives work. This - is similar to the directory clause in - named.conf. -

-
-D
-

- Dump zone file in canonical format. - This is always enabled for named-compilezone. -

-
-W mode
-

- Specify whether to check for non-terminal wildcards. - Non-terminal wildcards are almost always the result of a - failure to understand the wildcard matching algorithm (RFC 1034). - Possible modes are "warn" (default) - and - "ignore". -

-
zonename
-

- The domain name of the zone being checked. -

-
filename
-

- The name of the zone file. -

-
-
-
-

RETURN VALUES

-

named-checkzone - returns an exit status of 1 if - errors were detected and 0 otherwise. -

-
-
-

SEE ALSO

-

named(8), - named-checkconf(8), - RFC 1035, - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
-
diff --git a/usr.sbin/bind/bin/dnssec/Makefile.in b/usr.sbin/bind/bin/dnssec/Makefile.in
deleted file mode 100644
index b30c2cb3684..00000000000
--- a/usr.sbin/bind/bin/dnssec/Makefile.in
+++ /dev/null
@@ -1,83 +0,0 @@ -# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2000-2002 Internet Software Consortium. -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: Makefile.in,v 1.26.18.4 2005/05/02 00:26:11 marka Exp $ - -srcdir = @srcdir@ -VPATH = @srcdir@ -top_srcdir = @top_srcdir@ - -@BIND9_VERSION@ - -@BIND9_MAKE_INCLUDES@ - -CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} - -CDEFINES = -DVERSION=\"${VERSION}\" -CWARNINGS = - -DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../lib/isc/libisc.@A@ - -DNSDEPLIBS = ../../lib/dns/libdns.@A@ -ISCDEPLIBS = ../../lib/isc/libisc.@A@ - -DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} - -LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ - -# Alphabetically -TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ - -OBJS = dnssectool.@O@ - -SRCS = dnssec-keygen.c dnssec-signzone.c dnssectool.c - -MANPAGES = dnssec-keygen.8 dnssec-signzone.8 - -HTMLPAGES = dnssec-keygen.html dnssec-signzone.html - -MANOBJS = ${MANPAGES} ${HTMLPAGES} - -@BIND9_MAKE_RULES@ - -dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dnssec-keygen.@O@ ${OBJS} ${LIBS} - -dnssec-signzone.@O@: dnssec-signzone.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ - -c 
${srcdir}/dnssec-signzone.c - -dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dnssec-signzone.@O@ ${OBJS} ${LIBS} - -doc man:: ${MANOBJS} - -docclean manclean maintainer-clean:: - rm -f ${MANOBJS} - -installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - -install:: ${TARGETS} installdirs - for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done - for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done - -clean distclean:: - rm -f ${TARGETS} - diff --git a/usr.sbin/bind/bin/dnssec/dnssec-keygen.8 b/usr.sbin/bind/bin/dnssec/dnssec-keygen.8 deleted file mode 100644 index 8454dec982b..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-keygen.8 +++ /dev/null 
@@ -1,200 +0,0 @@ -.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -.\" PERFORMANCE OF THIS SOFTWARE. -.\" -.\" $ISC: dnssec-keygen.8,v 1.23.18.14 2007/05/09 03:33:12 marka Exp $ -.\" -.hy 0 -.ad l -.\" Title: dnssec\-keygen -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: June 30, 2000 -.\" Manual: BIND9 -.\" Source: BIND9 -.\" -.TH "DNSSEC\-KEYGEN" "8" "June 30, 2000" "BIND9" "BIND9" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -dnssec\-keygen \- DNSSEC key generation tool -.SH "SYNOPSIS" -.HP 14 -\fBdnssec\-keygen\fR {\-a\ \fIalgorithm\fR} {\-b\ \fIkeysize\fR} {\-n\ \fInametype\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-k\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name} -.SH "DESCRIPTION" -.PP -\fBdnssec\-keygen\fR -generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. 
-.SH "OPTIONS" -.PP -\-a \fIalgorithm\fR -.RS 4 -Selects the cryptographic algorithm. The value of -\fBalgorithm\fR -must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive. -.sp -Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory. -.sp -Note 2: HMAC\-MD5 and DH automatically set the \-k flag. -.RE -.PP -\-b \fIkeysize\fR -.RS 4 -Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits. -.RE -.PP -\-n \fInametype\fR -.RS 4 -Specifies the owner type of the key. The value of -\fBnametype\fR -must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. -.RE -.PP -\-c \fIclass\fR -.RS 4 -Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. -.RE -.PP -\-e -.RS 4 -If generating an RSAMD5/RSASHA1 key, use a large exponent. -.RE -.PP -\-f \fIflag\fR -.RS 4 -Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY. -.RE -.PP -\-g \fIgenerator\fR -.RS 4 -If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2. -.RE -.PP -\-h -.RS 4 -Prints a short summary of the options and arguments to -\fBdnssec\-keygen\fR. -.RE -.PP -\-k -.RS 4 -Generate KEY records rather than DNSKEY records. -.RE -.PP -\-p \fIprotocol\fR -.RS 4 -Sets the protocol value for the generated key. 
The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors. -.RE -.PP -\-r \fIrandomdev\fR -.RS 4 -Specifies the source of randomness. If the operating system does not provide a -\fI/dev/random\fR -or equivalent device, the default source of randomness is keyboard input. -\fIrandomdev\fR -specifies the name of a character device or file containing random data to be used instead of the default. The special value -\fIkeyboard\fR -indicates that keyboard input should be used. -.RE -.PP -\-s \fIstrength\fR -.RS 4 -Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC. -.RE -.PP -\-t \fItype\fR -.RS 4 -Indicates the use of the key. -\fBtype\fR -must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data. -.RE -.PP -\-v \fIlevel\fR -.RS 4 -Sets the debugging level. -.RE -.SH "GENERATED KEYS" -.PP -When -\fBdnssec\-keygen\fR -completes successfully, it prints a string of the form -\fIKnnnn.+aaa+iiiii\fR -to the standard output. This is an identification string for the key it has generated. -.TP 4 -\(bu -\fInnnn\fR -is the key name. -.TP 4 -\(bu -\fIaaa\fR -is the numeric representation of the algorithm. -.TP 4 -\(bu -\fIiiiii\fR -is the key identifier (or footprint). -.PP -\fBdnssec\-keygen\fR -creates two files, with names based on the printed string. -\fIKnnnn.+aaa+iiiii.key\fR -contains the public key, and -\fIKnnnn.+aaa+iiiii.private\fR -contains the private key. -.PP -The -\fI.key\fR -file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement). -.PP -The -\fI.private\fR -file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission. 
-.PP -Both -\fI.key\fR -and -\fI.private\fR -files are generated for symmetric encryption algorithms such as HMAC\-MD5, even though the public and private key are equivalent. -.SH "EXAMPLE" -.PP -To generate a 768\-bit DSA key for the domain -\fBexample.com\fR, the following command would be issued: -.PP -\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example.com\fR -.PP -The command would print a string of the form: -.PP -\fBKexample.com.+003+26160\fR -.PP -In this example, -\fBdnssec\-keygen\fR -creates the files -\fIKexample.com.+003+26160.key\fR -and -\fIKexample.com.+003+26160.private\fR. -.SH "SEE ALSO" -.PP -\fBdnssec\-signzone\fR(8), -BIND 9 Administrator Reference Manual, -RFC 2535, -RFC 2845, -RFC 2539. -.SH "AUTHOR" -.PP -Internet Systems Consortium -.SH "COPYRIGHT" -Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") -.br -Copyright \(co 2000\-2003 Internet Software Consortium. -.br diff --git a/usr.sbin/bind/bin/dnssec/dnssec-keygen.c b/usr.sbin/bind/bin/dnssec/dnssec-keygen.c deleted file mode 100644 index fcecdad9b18..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-keygen.c +++ /dev/null 
@@ -1,512 +0,0 @@ -/* - * Portions Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 1999-2003 Internet Software Consortium. - * Portions Copyright (C) 1995-2000 by Network Associates, Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: dnssec-keygen.c,v 1.66.18.10 2007/08/28 07:19:55 tbox Exp $ */ - -/*! \file */ - -#include - -#include - -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -#include - -#include "dnssectool.h" - -#define MAX_RSA 4096 /* should be long enough... 
*/ - -const char *program = "dnssec-keygen"; -int verbose; - -static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |" - " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | " - " HMAC-SHA384 | HMAC-SHA512"; - -static isc_boolean_t -dsa_size_ok(int size) { - return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0)); -} - -static void -usage(void) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, " %s -a alg -b bits -n type [options] name\n\n", - program); - fprintf(stderr, "Version: %s\n", VERSION); - fprintf(stderr, "Required options:\n"); - fprintf(stderr, " -a algorithm: %s\n", algs); - fprintf(stderr, " -b key size, in bits:\n"); - fprintf(stderr, " RSAMD5:\t\t[512..%d]\n", MAX_RSA); - fprintf(stderr, " RSASHA1:\t\t[512..%d]\n", MAX_RSA); - fprintf(stderr, " DH:\t\t[128..4096]\n"); - fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n"); - fprintf(stderr, " HMAC-MD5:\t[1..512]\n"); - fprintf(stderr, " HMAC-SHA1:\t[1..160]\n"); - fprintf(stderr, " HMAC-SHA224:\t[1..224]\n"); - fprintf(stderr, " HMAC-SHA256:\t[1..256]\n"); - fprintf(stderr, " HMAC-SHA384:\t[1..384]\n"); - fprintf(stderr, " HMAC-SHA512:\t[1..512]\n"); - fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n"); - fprintf(stderr, " name: owner of the key\n"); - fprintf(stderr, "Other options:\n"); - fprintf(stderr, " -c (default: IN)\n"); - fprintf(stderr, " -d (0 => max, default)\n"); - fprintf(stderr, " -e use large exponent (RSAMD5/RSASHA1 only)\n"); - fprintf(stderr, " -f keyflag: KSK\n"); - fprintf(stderr, " -g use specified generator " - "(DH only)\n"); - fprintf(stderr, " -t : " - "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF " - "(default: AUTHCONF)\n"); - fprintf(stderr, " -p : " - "default: 3 [dnssec]\n"); - fprintf(stderr, " -s strength value this key signs DNS " - "records with (default: 0)\n"); - fprintf(stderr, " -r : a file containing random data\n"); - fprintf(stderr, " -v \n"); - fprintf(stderr, " -k : generate a TYPE=KEY key\n"); - fprintf(stderr, 
"Output:\n"); - fprintf(stderr, " K++.key, " - "K++.private\n"); - - exit (-1); -} - -int -main(int argc, char **argv) { - char *algname = NULL, *nametype = NULL, *type = NULL; - char *classname = NULL; - char *endp; - dst_key_t *key = NULL, *oldkey; - dns_fixedname_t fname; - dns_name_t *name; - isc_uint16_t flags = 0, ksk = 0; - dns_secalg_t alg; - isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE; - isc_mem_t *mctx = NULL; - int ch, rsa_exp = 0, generator = 0, param = 0; - int protocol = -1, size = -1, signatory = 0; - isc_result_t ret; - isc_textregion_t r; - char filename[255]; - isc_buffer_t buf; - isc_log_t *log = NULL; - isc_entropy_t *ectx = NULL; - dns_rdataclass_t rdclass; - int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC; - int dbits = 0; - - if (argc == 1) - usage(); - - RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); - - dns_result_register(); - - while ((ch = isc_commandline_parse(argc, argv, - "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1) - { - switch (ch) { - case 'a': - algname = isc_commandline_argument; - break; - case 'b': - size = strtol(isc_commandline_argument, &endp, 10); - if (*endp != '\0' || size < 0) - fatal("-b requires a non-negative number"); - break; - case 'c': - classname = isc_commandline_argument; - break; - case 'd': - dbits = strtol(isc_commandline_argument, &endp, 10); - if (*endp != '\0' || dbits < 0) - fatal("-d requires a non-negative number"); - break; - case 'e': - rsa_exp = 1; - break; - case 'f': - if (strcasecmp(isc_commandline_argument, "KSK") == 0) - ksk = DNS_KEYFLAG_KSK; - else - fatal("unknown flag '%s'", - isc_commandline_argument); - break; - case 'g': - generator = strtol(isc_commandline_argument, - &endp, 10); - if (*endp != '\0' || generator <= 0) - fatal("-g requires a positive number"); - break; - case 'k': - options |= DST_TYPE_KEY; - break; - case 'n': - nametype = isc_commandline_argument; - break; - case 't': - type = isc_commandline_argument; - break; - case 'p': - protocol = 
strtol(isc_commandline_argument, &endp, 10); - if (*endp != '\0' || protocol < 0 || protocol > 255) - fatal("-p must be followed by a number " - "[0..255]"); - break; - case 's': - signatory = strtol(isc_commandline_argument, - &endp, 10); - if (*endp != '\0' || signatory < 0 || signatory > 15) - fatal("-s must be followed by a number " - "[0..15]"); - break; - case 'r': - setup_entropy(mctx, isc_commandline_argument, &ectx); - break; - case 'v': - endp = NULL; - verbose = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0') - fatal("-v must be followed by a number"); - break; - - case 'h': - usage(); - default: - fprintf(stderr, "%s: invalid argument -%c\n", - program, ch); - usage(); - } - } - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - ret = dst_lib_init(mctx, ectx, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); - if (ret != ISC_R_SUCCESS) - fatal("could not initialize dst"); - - setup_logging(verbose, mctx, &log); - - if (argc < isc_commandline_index + 1) - fatal("the key name was not specified"); - if (argc > isc_commandline_index + 1) - fatal("extraneous arguments"); - - if (algname == NULL) - fatal("no algorithm was specified"); - if (strcasecmp(algname, "RSA") == 0) { - fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n" - "If you still wish to use RSA (RSAMD5) please " - "specify \"-a RSAMD5\"\n"); - return (1); - } else if (strcasecmp(algname, "HMAC-MD5") == 0) { - options |= DST_TYPE_KEY; - alg = DST_ALG_HMACMD5; - } else if (strcasecmp(algname, "HMAC-SHA1") == 0) { - options |= DST_TYPE_KEY; - alg = DST_ALG_HMACSHA1; - } else if (strcasecmp(algname, "HMAC-SHA224") == 0) { - options |= DST_TYPE_KEY; - alg = DST_ALG_HMACSHA224; - } else if (strcasecmp(algname, "HMAC-SHA256") == 0) { - options |= DST_TYPE_KEY; - alg = DST_ALG_HMACSHA256; - } else if (strcasecmp(algname, "HMAC-SHA384") == 0) { - options |= DST_TYPE_KEY; - alg = DST_ALG_HMACSHA384; - } else if (strcasecmp(algname, "HMAC-SHA512") == 0) { - options |= 
DST_TYPE_KEY; - alg = DST_ALG_HMACSHA512; - } else { - r.base = algname; - r.length = strlen(algname); - ret = dns_secalg_fromtext(&alg, &r); - if (ret != ISC_R_SUCCESS) - fatal("unknown algorithm %s", algname); - if (alg == DST_ALG_DH) - options |= DST_TYPE_KEY; - } - - if (type != NULL && (options & DST_TYPE_KEY) != 0) { - if (strcasecmp(type, "NOAUTH") == 0) - flags |= DNS_KEYTYPE_NOAUTH; - else if (strcasecmp(type, "NOCONF") == 0) - flags |= DNS_KEYTYPE_NOCONF; - else if (strcasecmp(type, "NOAUTHCONF") == 0) { - flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF); - if (size < 0) - size = 0; - } - else if (strcasecmp(type, "AUTHCONF") == 0) - /* nothing */; - else - fatal("invalid type %s", type); - } - - if (size < 0) - fatal("key size not specified (-b option)"); - - switch (alg) { - case DNS_KEYALG_RSAMD5: - case DNS_KEYALG_RSASHA1: - if (size != 0 && (size < 512 || size > MAX_RSA)) - fatal("RSA key size %d out of range", size); - break; - case DNS_KEYALG_DH: - if (size != 0 && (size < 128 || size > 4096)) - fatal("DH key size %d out of range", size); - break; - case DNS_KEYALG_DSA: - if (size != 0 && !dsa_size_ok(size)) - fatal("invalid DSS key size: %d", size); - break; - case DST_ALG_HMACMD5: - if (size < 1 || size > 512) - fatal("HMAC-MD5 key size %d out of range", size); - if (dbits != 0 && (dbits < 80 || dbits > 128)) - fatal("HMAC-MD5 digest bits %d out of range", dbits); - if ((dbits % 8) != 0) - fatal("HMAC-MD5 digest bits %d not divisible by 8", - dbits); - break; - case DST_ALG_HMACSHA1: - if (size < 1 || size > 160) - fatal("HMAC-SHA1 key size %d out of range", size); - if (dbits != 0 && (dbits < 80 || dbits > 160)) - fatal("HMAC-SHA1 digest bits %d out of range", dbits); - if ((dbits % 8) != 0) - fatal("HMAC-SHA1 digest bits %d not divisible by 8", - dbits); - break; - case DST_ALG_HMACSHA224: - if (size < 1 || size > 224) - fatal("HMAC-SHA224 key size %d out of range", size); - if (dbits != 0 && (dbits < 112 || dbits > 224)) - fatal("HMAC-SHA224 
digest bits %d out of range", dbits); - if ((dbits % 8) != 0) - fatal("HMAC-SHA224 digest bits %d not divisible by 8", - dbits); - break; - case DST_ALG_HMACSHA256: - if (size < 1 || size > 256) - fatal("HMAC-SHA256 key size %d out of range", size); - if (dbits != 0 && (dbits < 128 || dbits > 256)) - fatal("HMAC-SHA256 digest bits %d out of range", dbits); - if ((dbits % 8) != 0) - fatal("HMAC-SHA256 digest bits %d not divisible by 8", - dbits); - break; - case DST_ALG_HMACSHA384: - if (size < 1 || size > 384) - fatal("HMAC-384 key size %d out of range", size); - if (dbits != 0 && (dbits < 192 || dbits > 384)) - fatal("HMAC-SHA384 digest bits %d out of range", dbits); - if ((dbits % 8) != 0) - fatal("HMAC-SHA384 digest bits %d not divisible by 8", - dbits); - break; - case DST_ALG_HMACSHA512: - if (size < 1 || size > 512) - fatal("HMAC-SHA512 key size %d out of range", size); - if (dbits != 0 && (dbits < 256 || dbits > 512)) - fatal("HMAC-SHA512 digest bits %d out of range", dbits); - if ((dbits % 8) != 0) - fatal("HMAC-SHA512 digest bits %d not divisible by 8", - dbits); - break; - } - - if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1) && - rsa_exp != 0) - fatal("specified RSA exponent for a non-RSA key"); - - if (alg != DNS_KEYALG_DH && generator != 0) - fatal("specified DH generator for a non-DH key"); - - if (nametype == NULL) - fatal("no nametype specified"); - if (strcasecmp(nametype, "zone") == 0) - flags |= DNS_KEYOWNER_ZONE; - else if ((options & DST_TYPE_KEY) != 0) { /* KEY */ - if (strcasecmp(nametype, "host") == 0 || - strcasecmp(nametype, "entity") == 0) - flags |= DNS_KEYOWNER_ENTITY; - else if (strcasecmp(nametype, "user") == 0) - flags |= DNS_KEYOWNER_USER; - else - fatal("invalid KEY nametype %s", nametype); - } else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */ - fatal("invalid DNSKEY nametype %s", nametype); - - rdclass = strtoclass(classname); - - if ((options & DST_TYPE_KEY) != 0) /* KEY */ - flags |= signatory; - else if 
((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */ - flags |= ksk; - - if (protocol == -1) - protocol = DNS_KEYPROTO_DNSSEC; - else if ((options & DST_TYPE_KEY) == 0 && - protocol != DNS_KEYPROTO_DNSSEC) - fatal("invalid DNSKEY protocol: %d", protocol); - - if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) { - if (size > 0) - fatal("specified null key with non-zero size"); - if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0) - fatal("specified null key with signing authority"); - } - - if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE && - (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5 || - alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || - alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 || - alg == DST_ALG_HMACSHA512)) - fatal("a key with algorithm '%s' cannot be a zone key", - algname); - - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); - isc_buffer_init(&buf, argv[isc_commandline_index], - strlen(argv[isc_commandline_index])); - isc_buffer_add(&buf, strlen(argv[isc_commandline_index])); - ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL); - if (ret != ISC_R_SUCCESS) - fatal("invalid key name %s: %s", argv[isc_commandline_index], - isc_result_totext(ret)); - - switch(alg) { - case DNS_KEYALG_RSAMD5: - case DNS_KEYALG_RSASHA1: - param = rsa_exp; - break; - case DNS_KEYALG_DH: - param = generator; - break; - case DNS_KEYALG_DSA: - case DST_ALG_HMACMD5: - case DST_ALG_HMACSHA1: - case DST_ALG_HMACSHA224: - case DST_ALG_HMACSHA256: - case DST_ALG_HMACSHA384: - case DST_ALG_HMACSHA512: - param = 0; - break; - } - - if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) - null_key = ISC_TRUE; - - isc_buffer_init(&buf, filename, sizeof(filename) - 1); - - do { - conflict = ISC_FALSE; - oldkey = NULL; - - /* generate the key */ - ret = dst_key_generate(name, alg, size, param, flags, protocol, - rdclass, mctx, &key); - isc_entropy_stopcallbacksources(ectx); - - if (ret != ISC_R_SUCCESS) { - char 
namestr[DNS_NAME_FORMATSIZE]; - char algstr[ALG_FORMATSIZE]; - dns_name_format(name, namestr, sizeof(namestr)); - alg_format(alg, algstr, sizeof(algstr)); - fatal("failed to generate key %s/%s: %s\n", - namestr, algstr, isc_result_totext(ret)); - exit(-1); - } - - dst_key_setbits(key, dbits); - - /* - * Try to read a key with the same name, alg and id from disk. - * If there is one we must continue generating a new one - * unless we were asked to generate a null key, in which - * case we return failure. - */ - ret = dst_key_fromfile(name, dst_key_id(key), alg, - DST_TYPE_PRIVATE, NULL, mctx, &oldkey); - /* do not overwrite an existing key */ - if (ret == ISC_R_SUCCESS) { - dst_key_free(&oldkey); - conflict = ISC_TRUE; - if (null_key) - break; - } - if (conflict == ISC_TRUE) { - if (verbose > 0) { - isc_buffer_clear(&buf); - ret = dst_key_buildfilename(key, 0, NULL, &buf); - fprintf(stderr, - "%s: %s already exists, " - "generating a new key\n", - program, filename); - } - dst_key_free(&key); - } - - } while (conflict == ISC_TRUE); - - if (conflict) - fatal("cannot generate a null key when a key with id 0 " - "already exists"); - - ret = dst_key_tofile(key, options, NULL); - if (ret != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof(keystr)); - fatal("failed to write key %s: %s\n", keystr, - isc_result_totext(ret)); - } - - isc_buffer_clear(&buf); - ret = dst_key_buildfilename(key, 0, NULL, &buf); - printf("%s\n", filename); - dst_key_free(&key); - - cleanup_logging(&log); - cleanup_entropy(&ectx); - dst_lib_destroy(); - dns_name_destroy(); - if (verbose > 10) - isc_mem_stats(mctx, stdout); - isc_mem_destroy(&mctx); - - return (0); -} diff --git a/usr.sbin/bind/bin/dnssec/dnssec-keygen.docbook b/usr.sbin/bind/bin/dnssec/dnssec-keygen.docbook deleted file mode 100644 index fcfdca2704f..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-keygen.docbook +++ /dev/null 
@@ -1,359 +0,0 @@ -]> - - - - - - June 30, 2000 - - - - dnssec-keygen - 8 - BIND9 - - - - dnssec-keygen - DNSSEC key generation tool - - - - - 2004 - 2005 - 2007 - Internet Systems Consortium, Inc. ("ISC") - - - 2000 - 2001 - 2002 - 2003 - Internet Software Consortium. - - - - - - dnssec-keygen - -a algorithm - -b keysize - -n nametype - - - - - - - - - - - - name - - - - - DESCRIPTION - dnssec-keygen - generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 - and RFC 4034. It can also generate keys for use with - TSIG (Transaction Signatures), as defined in RFC 2845. - - - - - OPTIONS - - - - -a algorithm - - - Selects the cryptographic algorithm. The value of - must be one of RSAMD5 (RSA) or RSASHA1, - DSA, DH (Diffie Hellman), or HMAC-MD5. These values - are case insensitive. - - - Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, - and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. - - - Note 2: HMAC-MD5 and DH automatically set the -k flag. - - - - - - -b keysize - - - Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be - between - 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC-MD5 keys must be - between 1 and 512 bits. - - - - - - -n nametype - - - Specifies the owner type of the key. The value of - must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are - case insensitive. - - - - - - -c class - - - Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. - - - - - - -e - - - If generating an RSAMD5/RSASHA1 key, use a large exponent. - - - - - - -f flag - - - Set the specified flag in the flag field of the KEY/DNSKEY record. 
- The only recognized flag is KSK (Key Signing Key) DNSKEY. - - - - - - -g generator - - - If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. - - - - - - -h - - - Prints a short summary of the options and arguments to - dnssec-keygen. - - - - - - -k - - - Generate KEY records rather than DNSKEY records. - - - - - - -p protocol - - - Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. - - - - - - -r randomdev - - - Specifies the source of randomness. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. - - - - - - -s strength - - - Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. - - - - - - -t type - - - Indicates the use of the key. must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. - - - - - - -v level - - - Sets the debugging level. - - - - - - - - - GENERATED KEYS - - When dnssec-keygen completes - successfully, - it prints a string of the form Knnnn.+aaa+iiiii - to the standard output. This is an identification string for - the key it has generated. - - - - nnnn is the key name. - - - - aaa is the numeric representation - of the - algorithm. - - - - iiiii is the key identifier (or - footprint). - - - - dnssec-keygen - creates two files, with names based - on the printed string. 
Knnnn.+aaa+iiiii.key - contains the public key, and - Knnnn.+aaa+iiiii.private contains the - private - key. - - - The .key file contains a DNS KEY record - that - can be inserted into a zone file (directly or with a $INCLUDE - statement). - - - The .private file contains - algorithm-specific - fields. For obvious security reasons, this file does not have - general read permission. - - - Both .key and .private - files are generated for symmetric encryption algorithms such as - HMAC-MD5, even though the public and private key are equivalent. - - - - - EXAMPLE - - To generate a 768-bit DSA key for the domain - example.com, the following command would be - issued: - - dnssec-keygen -a DSA -b 768 -n ZONE example.com - - - The command would print a string of the form: - - Kexample.com.+003+26160 - - - In this example, dnssec-keygen creates - the files Kexample.com.+003+26160.key - and - Kexample.com.+003+26160.private. - - - - - SEE ALSO - - dnssec-signzone8 - , - BIND 9 Administrator Reference Manual, - RFC 2535, - RFC 2845, - RFC 2539. - - - - - AUTHOR - Internet Systems Consortium - - - - diff --git a/usr.sbin/bind/bin/dnssec/dnssec-keygen.html b/usr.sbin/bind/bin/dnssec/dnssec-keygen.html deleted file mode 100644 index f2f59340103..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-keygen.html +++ /dev/null @@ -1,232 +0,0 @@ - - - - - -dnssec-keygen - - -
-
-
-

Name

-

dnssec-keygen — DNSSEC key generation tool

-
-
-

Synopsis

-

dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

-
-
-

DESCRIPTION

-

dnssec-keygen - generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 - and RFC 4034. It can also generate keys for use with - TSIG (Transaction Signatures), as defined in RFC 2845. -

-
-
-

OPTIONS

-
-
-a algorithm
-
-

- Selects the cryptographic algorithm. The value of - algorithm must be one of RSAMD5 (RSA) or RSASHA1, - DSA, DH (Diffie Hellman), or HMAC-MD5. These values - are case insensitive. -

-

- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, - and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. -

-

- Note 2: HMAC-MD5 and DH automatically set the -k flag. -

-
-
-b keysize
-

- Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be - between - 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC-MD5 keys must be - between 1 and 512 bits. -

-
-n nametype
-

- Specifies the owner type of the key. The value of - nametype must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are - case insensitive. -

-
-c class
-

- Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. -

-
-e
-

- If generating an RSAMD5/RSASHA1 key, use a large exponent. -

-
-f flag
-

- Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flag is KSK (Key Signing Key) DNSKEY. -

-
-g generator
-

- If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. -

-
-h
-

- Prints a short summary of the options and arguments to - dnssec-keygen. -

-
-k
-

- Generate KEY records rather than DNSKEY records. -

-
-p protocol
-

- Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. -

-
-r randomdev
-

- Specifies the source of randomness. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. -

-
-s strength
-

- Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. -

-
-t type
-

- Indicates the use of the key. type must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. -

-
-v level
-

- Sets the debugging level. -

-
-
-
-

GENERATED KEYS

-

- When dnssec-keygen completes - successfully, - it prints a string of the form Knnnn.+aaa+iiiii - to the standard output. This is an identification string for - the key it has generated. -

-
    -
  • nnnn is the key name. -

  • -
  • aaa is the numeric representation - of the - algorithm. -

  • -
  • iiiii is the key identifier (or - footprint). -

  • -
-

dnssec-keygen - creates two files, with names based - on the printed string. Knnnn.+aaa+iiiii.key - contains the public key, and - Knnnn.+aaa+iiiii.private contains the - private - key. -

-

- The .key file contains a DNS KEY record - that - can be inserted into a zone file (directly or with a $INCLUDE - statement). -

-

- The .private file contains - algorithm-specific - fields. For obvious security reasons, this file does not have - general read permission. -

-

- Both .key and .private - files are generated for symmetric encryption algorithms such as - HMAC-MD5, even though the public and private key are equivalent. -

-
-
-

EXAMPLE

-

- To generate a 768-bit DSA key for the domain - example.com, the following command would be - issued: -

-

dnssec-keygen -a DSA -b 768 -n ZONE example.com -

-

- The command would print a string of the form: -

-

Kexample.com.+003+26160 -

-

- In this example, dnssec-keygen creates - the files Kexample.com.+003+26160.key - and - Kexample.com.+003+26160.private. -

-
-
-

SEE ALSO

-

dnssec-signzone(8), - BIND 9 Administrator Reference Manual, - RFC 2535, - RFC 2845, - RFC 2539. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
-
diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.8 b/usr.sbin/bind/bin/dnssec/dnssec-signzone.8
deleted file mode 100644
index 461e00e542a..00000000000
--- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.8
+++ /dev/null
@@ -1,272 +0,0 @@
-.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $ISC: dnssec-signzone.8,v 1.28.18.17 2007/05/09 03:33:12 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" Title: dnssec\-signzone
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.71.1
-.\" Date: June 30, 2000
-.\" Manual: BIND9
-.\" Source: BIND9
-.\"
-.TH "DNSSEC\-SIGNZONE" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-signzone \- DNSSEC zone signing tool
-.SH "SYNOPSIS"
-.HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR]
[\fB\-z\fR] {zonefile} [key...]
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-signzone\fR
-signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
-\fIkeyset\fR
-file for each child zone.
-.SH "OPTIONS"
-.PP
-\-a
-.RS 4
-Verify all generated signatures.
-.RE
-.PP
-\-c \fIclass\fR
-.RS 4
-Specifies the DNS class of the zone.
-.RE
-.PP
-\-k \fIkey\fR
-.RS 4
-Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
-.RE
-.PP
-\-l \fIdomain\fR
-.RS 4
-Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
-.RE
-.PP
-\-d \fIdirectory\fR
-.RS 4
-Look for
-\fIkeyset\fR
-files in
-\fBdirectory\fR
-as the directory
-.RE
-.PP
-\-g
-.RS 4
-Generate DS records for child zones from keyset files. Existing DS records will be removed.
-.RE
-.PP
-\-s \fIstart\-time\fR
-.RS 4
-Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
-\fBstart\-time\fR
-is specified, the current time minus 1 hour (to allow for clock skew) is used.
-.RE
-.PP
-\-e \fIend\-time\fR
-.RS 4
-Specify the date and time when the generated RRSIG records expire. As with
-\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
-\fBend\-time\fR
-is specified, 30 days from the start time is used as a default.
-.RE
-.PP
-\-f \fIoutput\-file\fR
-.RS 4
-The name of the output file containing the signed zone. The default is to append
-\fI.signed\fR
-to the input filename.
-.RE
-.PP
-\-h
-.RS 4
-Prints a short summary of the options and arguments to
-\fBdnssec\-signzone\fR.
-.RE
-.PP
-\-i \fIinterval\fR
-.RS 4
-When a previously\-signed zone is passed as input, records may be resigned. The
-\fBinterval\fR
-option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
-.sp
-The default cycle interval is one quarter of the difference between the signature end and start times. So if neither
-\fBend\-time\fR
-or
-\fBstart\-time\fR
-are specified,
-\fBdnssec\-signzone\fR
-generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
-.RE
-.PP
-\-I \fIinput\-format\fR
-.RS 4
-The format of the input zone file. Possible formats are
-\fB"text"\fR
-(default) and
-\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
-.RE
-.PP
-\-j \fIjitter\fR
-.RS 4
-When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The
-\fBjitter\fR
-option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
-.sp
-Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.
-.RE
-.PP
-\-n \fIncpus\fR
-.RS 4
-Specifies the number of threads to use. By default, one thread is started for each detected CPU.
-.RE
-.PP
-\-N \fIsoa\-serial\-format\fR
-.RS 4
-The SOA serial number format of the signed zone. Possible formats are
-\fB"keep"\fR
-(default),
-\fB"increment"\fR
-and
-\fB"unixtime"\fR.
-.RS 4
-.PP
-\fB"keep"\fR
-.RS 4
-Do not modify the SOA serial number.
-.RE
-.PP
-\fB"increment"\fR
-.RS 4
-Increment the SOA serial number using RFC 1982 arithmetics.
-.RE
-.PP
-\fB"unixtime"\fR
-.RS 4
-Set the SOA serial number to the number of seconds since epoch.
-.RE
-.RE
-.RE
-.PP
-\-o \fIorigin\fR
-.RS 4
-The zone origin. If not specified, the name of the zone file is assumed to be the origin.
-.RE
-.PP
-\-O \fIoutput\-format\fR
-.RS 4
-The format of the output file containing the signed zone. Possible formats are
-\fB"text"\fR
-(default) and
-\fB"raw"\fR.
-.RE
-.PP
-\-p
-.RS 4
-Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.RE
-.PP
-\-r \fIrandomdev\fR
-.RS 4
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.RE
-.PP
-\-t
-.RS 4
-Print statistics at completion.
-.RE
-.PP
-\-v \fIlevel\fR
-.RS 4
-Sets the debugging level.
-.RE
-.PP
-\-z
-.RS 4
-Ignore KSK flag on key when determining what to sign.
-.RE
-.PP
-zonefile
-.RS 4
-The file containing the zone to be signed.
-.RE
-.PP
-key
-.RS 4
-Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.
-.RE
-.SH "EXAMPLE"
-.PP
-The following command signs the
-\fBexample.com\fR
-zone with the DSA key generated by
-\fBdnssec\-keygen\fR
-(Kexample.com.+003+17247). The zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
-\fIkeyset\fR
-files, in the current directory, so that DS records can be generated from them (\fB\-g\fR).
-.sp
-.RS 4
-.nf
-% dnssec\-signzone \-g \-o example.com db.example.com \\
-Kexample.com.+003+17247
-db.example.com.signed
-%
-.fi
-.RE
-.PP
-In the above example,
-\fBdnssec\-signzone\fR
-creates the file
-\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a
-\fInamed.conf\fR
-file.
-.PP
-This example re\-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.
-.sp
-.RS 4
-.nf
-% cp db.example.com.signed db.example.com
-% dnssec\-signzone \-o example.com db.example.com
-db.example.com.signed
-%
-.fi
-.RE
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-keygen\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 2535.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2003 Internet Software Consortium.
-.br
diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.c b/usr.sbin/bind/bin/dnssec/dnssec-signzone.c
deleted file mode 100644
index 8d6be7ecfa3..00000000000
--- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.c
+++ /dev/null
@@ -1,2334 +0,0 @@
-/*
- * Portions Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: dnssec-signzone.c,v 1.177.18.24 2007/08/28 07:20:00 tbox Exp $ */
-
-/*!
\file */ - -#include - -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include "dnssectool.h" - -const char *program = "dnssec-signzone"; -int verbose; - -#define BUFSIZE 2048 -#define MAXDSKEYS 8 - -typedef struct signer_key_struct signer_key_t; - -struct signer_key_struct { - dst_key_t *key; - isc_boolean_t issigningkey; - isc_boolean_t isdsk; - isc_boolean_t isksk; - unsigned int position; - ISC_LINK(signer_key_t) link; -}; - -#define SIGNER_EVENTCLASS ISC_EVENTCLASS(0x4453) -#define SIGNER_EVENT_WRITE (SIGNER_EVENTCLASS + 0) -#define SIGNER_EVENT_WORK (SIGNER_EVENTCLASS + 1) - -#define SOA_SERIAL_KEEP 0 -#define SOA_SERIAL_INCREMENT 1 -#define SOA_SERIAL_UNIXTIME 2 - -typedef struct signer_event sevent_t; -struct signer_event { - ISC_EVENT_COMMON(sevent_t); - dns_fixedname_t *fname; - dns_dbnode_t *node; -}; - -static ISC_LIST(signer_key_t) keylist; -static unsigned int keycount = 0; -static isc_stdtime_t starttime = 0, endtime = 0, now; -static int cycle = -1; -static int jitter = 0; -static isc_boolean_t tryverify = ISC_FALSE; -static isc_boolean_t printstats = ISC_FALSE; -static isc_mem_t *mctx = NULL; -static isc_entropy_t *ectx = NULL; -static dns_ttl_t zonettl; -static FILE *fp; -static char *tempfile = NULL; -static const dns_master_style_t *masterstyle; -static dns_masterformat_t inputformat = dns_masterformat_text; -static dns_masterformat_t outputformat = dns_masterformat_text; -static unsigned int nsigned = 0, nretained = 0, ndropped = 0; -static unsigned int nverified = 0, nverifyfailed = 0; -static const char *directory; -static isc_mutex_t namelock, statslock; -static isc_taskmgr_t *taskmgr = 
NULL; -static dns_db_t *gdb; /* The database */ -static dns_dbversion_t *gversion; /* The database version */ -static dns_dbiterator_t *gdbiter; /* The database iterator */ -static dns_rdataclass_t gclass; /* The class */ -static dns_name_t *gorigin; /* The database origin */ -static isc_task_t *master = NULL; -static unsigned int ntasks = 0; -static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE; -static unsigned int assigned = 0, completed = 0; -static isc_boolean_t nokeys = ISC_FALSE; -static isc_boolean_t removefile = ISC_FALSE; -static isc_boolean_t generateds = ISC_FALSE; -static isc_boolean_t ignoreksk = ISC_FALSE; -static dns_name_t *dlv = NULL; -static dns_fixedname_t dlv_fixed; -static dns_master_style_t *dsstyle = NULL; -static unsigned int serialformat = SOA_SERIAL_KEEP; - -#define INCSTAT(counter) \ - if (printstats) { \ - LOCK(&statslock); \ - counter++; \ - UNLOCK(&statslock); \ - } - -static void -sign(isc_task_t *task, isc_event_t *event); - - -static inline void -set_bit(unsigned char *array, unsigned int index, unsigned int bit) { - unsigned int shift, mask; - - shift = 7 - (index % 8); - mask = 1 << shift; - - if (bit != 0) - array[index / 8] |= mask; - else - array[index / 8] &= (~mask & 0xFF); -} - -static void -dumpnode(dns_name_t *name, dns_dbnode_t *node) { - isc_result_t result; - - if (outputformat != dns_masterformat_text) - return; - result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name, - masterstyle, fp); - check_result(result, "dns_master_dumpnodetostream"); -} - -static signer_key_t * -newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) { - signer_key_t *key; - - key = isc_mem_get(mctx, sizeof(signer_key_t)); - if (key == NULL) - fatal("out of memory"); - key->key = dstkey; - if ((dst_key_flags(dstkey) & DNS_KEYFLAG_KSK) != 0) { - key->issigningkey = signwithkey; - key->isksk = ISC_TRUE; - key->isdsk = ISC_FALSE; - } else { - key->issigningkey = signwithkey; - key->isksk = ISC_FALSE; - key->isdsk 
= ISC_TRUE; - } - key->position = keycount++; - ISC_LINK_INIT(key, link); - return (key); -} - -static void -signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata, - dst_key_t *key, isc_buffer_t *b) -{ - isc_result_t result; - isc_stdtime_t jendtime; - - jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime; - result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime, - mctx, b, rdata); - isc_entropy_stopcallbacksources(ectx); - if (result != ISC_R_SUCCESS) { - char keystr[KEY_FORMATSIZE]; - key_format(key, keystr, sizeof(keystr)); - fatal("dnskey '%s' failed to sign data: %s", - keystr, isc_result_totext(result)); - } - INCSTAT(nsigned); - - if (tryverify) { - result = dns_dnssec_verify(name, rdataset, key, - ISC_TRUE, mctx, rdata); - if (result == ISC_R_SUCCESS) { - vbprintf(3, "\tsignature verified\n"); - INCSTAT(nverified); - } else { - vbprintf(3, "\tsignature failed to verify\n"); - INCSTAT(nverifyfailed); - } - } -} - -static inline isc_boolean_t -issigningkey(signer_key_t *key) { - return (key->issigningkey); -} - -static inline isc_boolean_t -iszonekey(signer_key_t *key) { - return (ISC_TF(dns_name_equal(dst_key_name(key->key), gorigin) && - dst_key_iszonekey(key->key))); -} - -/*% - * Finds the key that generated a RRSIG, if possible. First look at the keys - * that we've loaded already, and then see if there's a key on disk. 
- */ -static signer_key_t * -keythatsigned(dns_rdata_rrsig_t *rrsig) { - isc_result_t result; - dst_key_t *pubkey = NULL, *privkey = NULL; - signer_key_t *key; - - key = ISC_LIST_HEAD(keylist); - while (key != NULL) { - if (rrsig->keyid == dst_key_id(key->key) && - rrsig->algorithm == dst_key_alg(key->key) && - dns_name_equal(&rrsig->signer, dst_key_name(key->key))) - return key; - key = ISC_LIST_NEXT(key, link); - } - - result = dst_key_fromfile(&rrsig->signer, rrsig->keyid, - rrsig->algorithm, DST_TYPE_PUBLIC, - NULL, mctx, &pubkey); - if (result != ISC_R_SUCCESS) - return (NULL); - - result = dst_key_fromfile(&rrsig->signer, rrsig->keyid, - rrsig->algorithm, - DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, - NULL, mctx, &privkey); - if (result == ISC_R_SUCCESS) { - dst_key_free(&pubkey); - key = newkeystruct(privkey, ISC_FALSE); - } else - key = newkeystruct(pubkey, ISC_FALSE); - ISC_LIST_APPEND(keylist, key, link); - return (key); -} - -/*% - * Check to see if we expect to find a key at this name. If we see a RRSIG - * and can't find the signing key that we expect to find, we drop the rrsig. - * I'm not sure if this is completely correct, but it seems to work. 
- */ -static isc_boolean_t -expecttofindkey(dns_name_t *name) { - unsigned int options = DNS_DBFIND_NOWILD; - dns_fixedname_t fname; - isc_result_t result; - char namestr[DNS_NAME_FORMATSIZE]; - - dns_fixedname_init(&fname); - result = dns_db_find(gdb, name, gversion, dns_rdatatype_dnskey, options, - 0, NULL, dns_fixedname_name(&fname), NULL, NULL); - switch (result) { - case ISC_R_SUCCESS: - case DNS_R_NXDOMAIN: - case DNS_R_NXRRSET: - return (ISC_TRUE); - case DNS_R_DELEGATION: - case DNS_R_CNAME: - case DNS_R_DNAME: - return (ISC_FALSE); - } - dns_name_format(name, namestr, sizeof(namestr)); - fatal("failure looking for '%s DNSKEY' in database: %s", - namestr, isc_result_totext(result)); - return (ISC_FALSE); /* removes a warning */ -} - -static inline isc_boolean_t -setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key, - dns_rdata_t *rrsig) -{ - isc_result_t result; - result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, rrsig); - if (result == ISC_R_SUCCESS) { - INCSTAT(nverified); - return (ISC_TRUE); - } else { - INCSTAT(nverifyfailed); - return (ISC_FALSE); - } -} - -/*% - * Signs a set. Goes through contortions to decide if each RRSIG should - * be dropped or retained, and then determines if any new SIGs need to - * be generated. 
- */ -static void -signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, - dns_rdataset_t *set) -{ - dns_rdataset_t sigset; - dns_rdata_t sigrdata = DNS_RDATA_INIT; - dns_rdata_rrsig_t rrsig; - signer_key_t *key; - isc_result_t result; - isc_boolean_t nosigs = ISC_FALSE; - isc_boolean_t *wassignedby, *nowsignedby; - int arraysize; - dns_difftuple_t *tuple; - dns_ttl_t ttl; - int i; - char namestr[DNS_NAME_FORMATSIZE]; - char typestr[TYPE_FORMATSIZE]; - char sigstr[SIG_FORMATSIZE]; - - dns_name_format(name, namestr, sizeof(namestr)); - type_format(set->type, typestr, sizeof(typestr)); - - ttl = ISC_MIN(set->ttl, endtime - starttime); - - dns_rdataset_init(&sigset); - result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_rrsig, - set->type, 0, &sigset, NULL); - if (result == ISC_R_NOTFOUND) { - result = ISC_R_SUCCESS; - nosigs = ISC_TRUE; - } - if (result != ISC_R_SUCCESS) - fatal("failed while looking for '%s RRSIG %s': %s", - namestr, typestr, isc_result_totext(result)); - - vbprintf(1, "%s/%s:\n", namestr, typestr); - - arraysize = keycount; - if (!nosigs) - arraysize += dns_rdataset_count(&sigset); - wassignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t)); - nowsignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t)); - if (wassignedby == NULL || nowsignedby == NULL) - fatal("out of memory"); - - for (i = 0; i < arraysize; i++) - wassignedby[i] = nowsignedby[i] = ISC_FALSE; - - if (nosigs) - result = ISC_R_NOMORE; - else - result = dns_rdataset_first(&sigset); - - while (result == ISC_R_SUCCESS) { - isc_boolean_t expired, future; - isc_boolean_t keep = ISC_FALSE, resign = ISC_FALSE; - - dns_rdataset_current(&sigset, &sigrdata); - - result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL); - check_result(result, "dns_rdata_tostruct"); - - future = isc_serial_lt(now, rrsig.timesigned); - - key = keythatsigned(&rrsig); - sig_format(&rrsig, sigstr, sizeof(sigstr)); - if (key != NULL && issigningkey(key)) - expired = 
isc_serial_gt(now + cycle, rrsig.timeexpire); - else - expired = isc_serial_gt(now, rrsig.timeexpire); - - if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) { - /* rrsig is dropped and not replaced */ - vbprintf(2, "\trrsig by %s dropped - " - "invalid validity period\n", - sigstr); - } else if (key == NULL && !future && - expecttofindkey(&rrsig.signer)) - { - /* rrsig is dropped and not replaced */ - vbprintf(2, "\trrsig by %s dropped - " - "private dnskey not found\n", - sigstr); - } else if (key == NULL || future) { - vbprintf(2, "\trrsig by %s %s - dnskey not found\n", - expired ? "retained" : "dropped", sigstr); - if (!expired) - keep = ISC_TRUE; - } else if (issigningkey(key)) { - if (!expired && setverifies(name, set, key, &sigrdata)) - { - vbprintf(2, "\trrsig by %s retained\n", sigstr); - keep = ISC_TRUE; - wassignedby[key->position] = ISC_TRUE; - nowsignedby[key->position] = ISC_TRUE; - } else { - vbprintf(2, "\trrsig by %s dropped - %s\n", - sigstr, - expired ? "expired" : - "failed to verify"); - wassignedby[key->position] = ISC_TRUE; - resign = ISC_TRUE; - } - } else if (iszonekey(key)) { - if (!expired && setverifies(name, set, key, &sigrdata)) - { - vbprintf(2, "\trrsig by %s retained\n", sigstr); - keep = ISC_TRUE; - wassignedby[key->position] = ISC_TRUE; - nowsignedby[key->position] = ISC_TRUE; - } else { - vbprintf(2, "\trrsig by %s dropped - %s\n", - sigstr, - expired ? 
"expired" : - "failed to verify"); - wassignedby[key->position] = ISC_TRUE; - } - } else if (!expired) { - vbprintf(2, "\trrsig by %s retained\n", sigstr); - keep = ISC_TRUE; - } else { - vbprintf(2, "\trrsig by %s expired\n", sigstr); - } - - if (keep) { - nowsignedby[key->position] = ISC_TRUE; - INCSTAT(nretained); - if (sigset.ttl != ttl) { - vbprintf(2, "\tfixing ttl %s\n", sigstr); - tuple = NULL; - result = dns_difftuple_create(mctx, - DNS_DIFFOP_DEL, - name, sigset.ttl, - &sigrdata, - &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(del, &tuple); - result = dns_difftuple_create(mctx, - DNS_DIFFOP_ADD, - name, ttl, - &sigrdata, - &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(add, &tuple); - } - } else { - tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, - name, sigset.ttl, - &sigrdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(del, &tuple); - INCSTAT(ndropped); - } - - if (resign) { - isc_buffer_t b; - dns_rdata_t trdata = DNS_RDATA_INIT; - unsigned char array[BUFSIZE]; - char keystr[KEY_FORMATSIZE]; - - INSIST(!keep); - - key_format(key->key, keystr, sizeof(keystr)); - vbprintf(1, "\tresigning with dnskey %s\n", keystr); - isc_buffer_init(&b, array, sizeof(array)); - signwithkey(name, set, &trdata, key->key, &b); - nowsignedby[key->position] = ISC_TRUE; - tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - name, ttl, &trdata, - &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(add, &tuple); - } - - dns_rdata_reset(&sigrdata); - dns_rdata_freestruct(&rrsig); - result = dns_rdataset_next(&sigset); - } - if (result == ISC_R_NOMORE) - result = ISC_R_SUCCESS; - - check_result(result, "dns_rdataset_first/next"); - if (dns_rdataset_isassociated(&sigset)) - dns_rdataset_disassociate(&sigset); - - for (key = ISC_LIST_HEAD(keylist); - key != NULL; - key = ISC_LIST_NEXT(key, link)) - { - isc_buffer_t b; - dns_rdata_t 
trdata; - unsigned char array[BUFSIZE]; - char keystr[KEY_FORMATSIZE]; - - if (nowsignedby[key->position]) - continue; - - if (!key->issigningkey) - continue; - if (!(ignoreksk || key->isdsk || - (key->isksk && - set->type == dns_rdatatype_dnskey && - dns_name_equal(name, gorigin)))) - continue; - - key_format(key->key, keystr, sizeof(keystr)); - vbprintf(1, "\tsigning with dnskey %s\n", keystr); - dns_rdata_init(&trdata); - isc_buffer_init(&b, array, sizeof(array)); - signwithkey(name, set, &trdata, key->key, &b); - tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, - ttl, &trdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(add, &tuple); - } - - isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t)); - isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t)); -} - -static void -opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass, - dns_db_t **dbp) -{ - char filename[256]; - isc_buffer_t b; - isc_result_t result; - - isc_buffer_init(&b, filename, sizeof(filename)); - if (directory != NULL) { - isc_buffer_putstr(&b, directory); - if (directory[strlen(directory) - 1] != '/') - isc_buffer_putstr(&b, "/"); - } - isc_buffer_putstr(&b, prefix); - result = dns_name_tofilenametext(name, ISC_FALSE, &b); - check_result(result, "dns_name_tofilenametext()"); - if (isc_buffer_availablelength(&b) == 0) { - char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, sizeof(namestr)); - fatal("name '%s' is too long", namestr); - } - isc_buffer_putuint8(&b, 0); - - result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone, - rdclass, 0, NULL, dbp); - check_result(result, "dns_db_create()"); - - result = dns_db_load(*dbp, filename); - if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) - dns_db_detach(dbp); -} - -/*% - * Loads the key set for a child zone, if there is one, and builds DS records. 
- */ -static isc_result_t -loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) { - dns_db_t *db = NULL; - dns_dbversion_t *ver = NULL; - dns_dbnode_t *node = NULL; - isc_result_t result; - dns_rdataset_t keyset; - dns_rdata_t key, ds; - unsigned char dsbuf[DNS_DS_BUFFERSIZE]; - dns_diff_t diff; - dns_difftuple_t *tuple = NULL; - - opendb("keyset-", name, gclass, &db); - if (db == NULL) - return (ISC_R_NOTFOUND); - - result = dns_db_findnode(db, name, ISC_FALSE, &node); - if (result != ISC_R_SUCCESS) { - dns_db_detach(&db); - return (DNS_R_BADDB); - } - dns_rdataset_init(&keyset); - result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0, - &keyset, NULL); - if (result != ISC_R_SUCCESS) { - dns_db_detachnode(db, &node); - dns_db_detach(&db); - return (result); - } - - vbprintf(2, "found DNSKEY records\n"); - - result = dns_db_newversion(db, &ver); - check_result(result, "dns_db_newversion"); - - dns_diff_init(mctx, &diff); - - for (result = dns_rdataset_first(&keyset); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(&keyset)) - { - dns_rdata_init(&key); - dns_rdata_init(&ds); - dns_rdataset_current(&keyset, &key); - result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA1, - dsbuf, &ds); - check_result(result, "dns_ds_buildrdata"); - - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, - ttl, &ds, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - - dns_rdata_reset(&ds); - result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256, - dsbuf, &ds); - check_result(result, "dns_ds_buildrdata"); - - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, - ttl, &ds, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - } - result = dns_diff_apply(&diff, db, ver); - check_result(result, "dns_diff_apply"); - dns_diff_clear(&diff); - - dns_db_closeversion(db, &ver, ISC_TRUE); - - result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0, 0, 
- dsset, NULL); - check_result(result, "dns_db_findrdataset"); - - dns_rdataset_disassociate(&keyset); - dns_db_detachnode(db, &node); - dns_db_detach(&db); - return (result); -} - -static isc_boolean_t -nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type, - unsigned int val) -{ - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_nsec_t nsec; - unsigned int newlen; - unsigned char bitmap[8192 + 512]; - unsigned char nsecdata[8192 + 512 + DNS_NAME_MAXWIRE]; - isc_boolean_t answer = ISC_FALSE; - unsigned int i, len, window; - int octet; - - result = dns_rdataset_first(rdataset); - check_result(result, "dns_rdataset_first()"); - dns_rdataset_current(rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &nsec, NULL); - check_result(result, "dns_rdata_tostruct"); - - INSIST(nsec.len <= sizeof(bitmap)); - - newlen = 0; - - memset(bitmap, 0, sizeof(bitmap)); - for (i = 0; i < nsec.len; i += len) { - INSIST(i + 2 <= nsec.len); - window = nsec.typebits[i]; - len = nsec.typebits[i+1]; - i += 2; - INSIST(len > 0 && len <= 32); - INSIST(i + len <= nsec.len); - memmove(&bitmap[window * 32 + 512], &nsec.typebits[i], len); - } - set_bit(bitmap + 512, type, val); - for (window = 0; window < 256; window++) { - for (octet = 31; octet >= 0; octet--) - if (bitmap[window * 32 + 512 + octet] != 0) - break; - if (octet < 0) - continue; - bitmap[newlen] = window; - bitmap[newlen + 1] = octet + 1; - newlen += 2; - /* - * Overlapping move. 
- */ - memmove(&bitmap[newlen], &bitmap[window * 32 + 512], octet + 1); - newlen += octet + 1; - } - if (newlen != nsec.len || - memcmp(nsec.typebits, bitmap, newlen) != 0) { - dns_rdata_t newrdata = DNS_RDATA_INIT; - isc_buffer_t b; - dns_diff_t diff; - dns_difftuple_t *tuple = NULL; - - dns_diff_init(mctx, &diff); - result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name, - rdataset->ttl, &rdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - - nsec.typebits = bitmap; - nsec.len = newlen; - isc_buffer_init(&b, nsecdata, sizeof(nsecdata)); - result = dns_rdata_fromstruct(&newrdata, rdata.rdclass, - dns_rdatatype_nsec, &nsec, - &b); - check_result(result, "dns_rdata_fromstruct"); - - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - name, rdataset->ttl, - &newrdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - result = dns_diff_apply(&diff, gdb, gversion); - check_result(result, "dns_difftuple_apply"); - dns_diff_clear(&diff); - answer = ISC_TRUE; - } - dns_rdata_freestruct(&nsec); - return (answer); -} - -static isc_boolean_t -delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) { - dns_rdataset_t nsset; - isc_result_t result; - - if (dns_name_equal(name, gorigin)) - return (ISC_FALSE); - - dns_rdataset_init(&nsset); - result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ns, - 0, 0, &nsset, NULL); - if (dns_rdataset_isassociated(&nsset)) { - if (ttlp != NULL) - *ttlp = nsset.ttl; - dns_rdataset_disassociate(&nsset); - } - - return (ISC_TF(result == ISC_R_SUCCESS)); -} - -/*% - * Signs all records at a name. This mostly just signs each set individually, - * but also adds the RRSIG bit to any NSECs generated earlier, deals with - * parent/child KEY signatures, and handles other exceptional cases. 
- */ -static void -signname(dns_dbnode_t *node, dns_name_t *name) { - isc_result_t result; - dns_rdataset_t rdataset; - dns_rdatasetiter_t *rdsiter; - isc_boolean_t isdelegation = ISC_FALSE; - isc_boolean_t hasds = ISC_FALSE; - isc_boolean_t changed = ISC_FALSE; - dns_diff_t del, add; - char namestr[DNS_NAME_FORMATSIZE]; - isc_uint32_t nsttl = 0; - - dns_name_format(name, namestr, sizeof(namestr)); - - /* - * Determine if this is a delegation point. - */ - if (delegation(name, node, &nsttl)) - isdelegation = ISC_TRUE; - - /* - * If this is a delegation point, look for a DS set. - */ - if (isdelegation) { - dns_rdataset_t dsset; - dns_rdataset_t sigdsset; - - dns_rdataset_init(&dsset); - dns_rdataset_init(&sigdsset); - result = dns_db_findrdataset(gdb, node, gversion, - dns_rdatatype_ds, - 0, 0, &dsset, &sigdsset); - if (result == ISC_R_SUCCESS) { - dns_rdataset_disassociate(&dsset); - if (generateds) { - result = dns_db_deleterdataset(gdb, node, - gversion, - dns_rdatatype_ds, - 0); - check_result(result, "dns_db_deleterdataset"); - } else - hasds = ISC_TRUE; - } - if (generateds) { - result = loadds(name, nsttl, &dsset); - if (result == ISC_R_SUCCESS) { - result = dns_db_addrdataset(gdb, node, - gversion, 0, - &dsset, 0, NULL); - check_result(result, "dns_db_addrdataset"); - hasds = ISC_TRUE; - dns_rdataset_disassociate(&dsset); - if (dns_rdataset_isassociated(&sigdsset)) - dns_rdataset_disassociate(&sigdsset); - } else if (dns_rdataset_isassociated(&sigdsset)) { - result = dns_db_deleterdataset(gdb, node, - gversion, - dns_rdatatype_rrsig, - dns_rdatatype_ds); - check_result(result, "dns_db_deleterdataset"); - dns_rdataset_disassociate(&sigdsset); - } - } else if (dns_rdataset_isassociated(&sigdsset)) - dns_rdataset_disassociate(&sigdsset); - } - - /* - * Make sure that NSEC bits are appropriately set. 
- */ - dns_rdataset_init(&rdataset); - RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion, - dns_rdatatype_nsec, 0, 0, &rdataset, - NULL) == ISC_R_SUCCESS); - if (!nokeys) - changed = nsec_setbit(name, &rdataset, dns_rdatatype_rrsig, 1); - if (changed) { - dns_rdataset_disassociate(&rdataset); - RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion, - dns_rdatatype_nsec, 0, 0, - &rdataset, - NULL) == ISC_R_SUCCESS); - } - if (hasds) - (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 1); - else - (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 0); - dns_rdataset_disassociate(&rdataset); - - /* - * Now iterate through the rdatasets. - */ - dns_diff_init(mctx, &del); - dns_diff_init(mctx, &add); - rdsiter = NULL; - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); - check_result(result, "dns_db_allrdatasets()"); - result = dns_rdatasetiter_first(rdsiter); - while (result == ISC_R_SUCCESS) { - dns_rdatasetiter_current(rdsiter, &rdataset); - - /* If this is a RRSIG set, skip it. */ - if (rdataset.type == dns_rdatatype_rrsig) - goto skip; - - /* - * If this name is a delegation point, skip all records - * except NSEC and DS sets. Otherwise check that there - * isn't a DS record. 
- */ - if (isdelegation) { - if (rdataset.type != dns_rdatatype_nsec && - rdataset.type != dns_rdatatype_ds) - goto skip; - } else if (rdataset.type == dns_rdatatype_ds) { - char namebuf[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namebuf, sizeof(namebuf)); - fatal("'%s': found DS RRset without NS RRset\n", - namebuf); - } - - signset(&del, &add, node, name, &rdataset); - - skip: - dns_rdataset_disassociate(&rdataset); - result = dns_rdatasetiter_next(rdsiter); - } - if (result != ISC_R_NOMORE) - fatal("rdataset iteration for name '%s' failed: %s", - namestr, isc_result_totext(result)); - - dns_rdatasetiter_destroy(&rdsiter); - - result = dns_diff_applysilently(&del, gdb, gversion); - if (result != ISC_R_SUCCESS) - fatal("failed to delete SIGs at node '%s': %s", - namestr, isc_result_totext(result)); - - result = dns_diff_applysilently(&add, gdb, gversion); - if (result != ISC_R_SUCCESS) - fatal("failed to add SIGs at node '%s': %s", - namestr, isc_result_totext(result)); - - dns_diff_clear(&del); - dns_diff_clear(&add); -} - -static inline isc_boolean_t -active_node(dns_dbnode_t *node) { - dns_rdatasetiter_t *rdsiter = NULL; - dns_rdatasetiter_t *rdsiter2 = NULL; - isc_boolean_t active = ISC_FALSE; - isc_result_t result; - dns_rdataset_t rdataset; - dns_rdatatype_t type; - dns_rdatatype_t covers; - isc_boolean_t found; - - dns_rdataset_init(&rdataset); - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); - check_result(result, "dns_db_allrdatasets()"); - result = dns_rdatasetiter_first(rdsiter); - while (result == ISC_R_SUCCESS) { - dns_rdatasetiter_current(rdsiter, &rdataset); - if (rdataset.type != dns_rdatatype_nsec && - rdataset.type != dns_rdatatype_rrsig) - active = ISC_TRUE; - dns_rdataset_disassociate(&rdataset); - if (!active) - result = dns_rdatasetiter_next(rdsiter); - else - result = ISC_R_NOMORE; - } - if (result != ISC_R_NOMORE) - fatal("rdataset iteration failed: %s", - isc_result_totext(result)); - - if (!active) { - /*% - * The node 
is empty of everything but NSEC / RRSIG records. - */ - for (result = dns_rdatasetiter_first(rdsiter); - result == ISC_R_SUCCESS; - result = dns_rdatasetiter_next(rdsiter)) { - dns_rdatasetiter_current(rdsiter, &rdataset); - result = dns_db_deleterdataset(gdb, node, gversion, - rdataset.type, - rdataset.covers); - check_result(result, "dns_db_deleterdataset()"); - dns_rdataset_disassociate(&rdataset); - } - if (result != ISC_R_NOMORE) - fatal("rdataset iteration failed: %s", - isc_result_totext(result)); - } else { - /* - * Delete RRSIGs for types that no longer exist. - */ - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter2); - check_result(result, "dns_db_allrdatasets()"); - for (result = dns_rdatasetiter_first(rdsiter); - result == ISC_R_SUCCESS; - result = dns_rdatasetiter_next(rdsiter)) { - dns_rdatasetiter_current(rdsiter, &rdataset); - type = rdataset.type; - covers = rdataset.covers; - dns_rdataset_disassociate(&rdataset); - if (type != dns_rdatatype_rrsig) - continue; - found = ISC_FALSE; - for (result = dns_rdatasetiter_first(rdsiter2); - !found && result == ISC_R_SUCCESS; - result = dns_rdatasetiter_next(rdsiter2)) { - dns_rdatasetiter_current(rdsiter2, &rdataset); - if (rdataset.type == covers) - found = ISC_TRUE; - dns_rdataset_disassociate(&rdataset); - } - if (!found) { - if (result != ISC_R_NOMORE) - fatal("rdataset iteration failed: %s", - isc_result_totext(result)); - result = dns_db_deleterdataset(gdb, node, - gversion, type, - covers); - check_result(result, - "dns_db_deleterdataset(rrsig)"); - } else if (result != ISC_R_NOMORE && - result != ISC_R_SUCCESS) - fatal("rdataset iteration failed: %s", - isc_result_totext(result)); - } - if (result != ISC_R_NOMORE) - fatal("rdataset iteration failed: %s", - isc_result_totext(result)); - dns_rdatasetiter_destroy(&rdsiter2); - } - dns_rdatasetiter_destroy(&rdsiter); - - return (active); -} - -/*% - * Extracts the TTL from the SOA. 
- */ -static dns_ttl_t -soattl(void) { - dns_rdataset_t soaset; - dns_fixedname_t fname; - dns_name_t *name; - isc_result_t result; - dns_ttl_t ttl; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_soa_t soa; - - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); - dns_rdataset_init(&soaset); - result = dns_db_find(gdb, gorigin, gversion, dns_rdatatype_soa, - 0, 0, NULL, name, &soaset, NULL); - if (result != ISC_R_SUCCESS) - fatal("failed to find an SOA at the zone apex: %s", - isc_result_totext(result)); - - result = dns_rdataset_first(&soaset); - check_result(result, "dns_rdataset_first"); - dns_rdataset_current(&soaset, &rdata); - result = dns_rdata_tostruct(&rdata, &soa, NULL); - check_result(result, "dns_rdata_tostruct"); - ttl = soa.minimum; - dns_rdataset_disassociate(&soaset); - return (ttl); -} - -/*% - * Increment (or set if nonzero) the SOA serial - */ -static isc_result_t -setsoaserial(isc_uint32_t serial) { - isc_result_t result; - dns_dbnode_t *node = NULL; - dns_rdataset_t rdataset; - dns_rdata_t rdata = DNS_RDATA_INIT; - isc_uint32_t old_serial, new_serial; - - result = dns_db_getoriginnode(gdb, &node); - if (result != ISC_R_SUCCESS) - return result; - - dns_rdataset_init(&rdataset); - - result = dns_db_findrdataset(gdb, node, gversion, - dns_rdatatype_soa, 0, - 0, &rdataset, NULL); - if (result != ISC_R_SUCCESS) - goto cleanup; - - result = dns_rdataset_first(&rdataset); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - - dns_rdataset_current(&rdataset, &rdata); - - old_serial = dns_soa_getserial(&rdata); - - if (serial) { - /* Set SOA serial to the value provided. */ - new_serial = serial; - } else { - /* Increment SOA serial using RFC 1982 arithmetics */ - new_serial = (old_serial + 1) & 0xFFFFFFFF; - if (new_serial == 0) - new_serial = 1; - } - - /* If the new serial is not likely to cause a zone transfer - * (a/ixfr) from servers having the old serial, warn the user. 
- * - * RFC1982 section 7 defines the maximum increment to be - * (2^(32-1))-1. Using u_int32_t arithmetic, we can do a single - * comparison. (5 - 6 == (2^32)-1, not negative-one) - */ - if (new_serial == old_serial || - (new_serial - old_serial) > 0x7fffffffU) - fprintf(stderr, "%s: warning: Serial number not advanced, " - "zone may not transfer\n", program); - - dns_soa_setserial(new_serial, &rdata); - - result = dns_db_deleterdataset(gdb, node, gversion, - dns_rdatatype_soa, 0); - check_result(result, "dns_db_deleterdataset"); - if (result != ISC_R_SUCCESS) - goto cleanup; - - result = dns_db_addrdataset(gdb, node, gversion, - 0, &rdataset, 0, NULL); - check_result(result, "dns_db_addrdataset"); - if (result != ISC_R_SUCCESS) - goto cleanup; - -cleanup: - dns_rdataset_disassociate(&rdataset); - if (node != NULL) - dns_db_detachnode(gdb, &node); - dns_rdata_reset(&rdata); - - return (result); -} - -/*% - * Delete any RRSIG records at a node. - */ -static void -cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) { - dns_rdatasetiter_t *rdsiter = NULL; - dns_rdataset_t set; - isc_result_t result, dresult; - - if (outputformat != dns_masterformat_text) - return; - - dns_rdataset_init(&set); - result = dns_db_allrdatasets(db, node, version, 0, &rdsiter); - check_result(result, "dns_db_allrdatasets"); - result = dns_rdatasetiter_first(rdsiter); - while (result == ISC_R_SUCCESS) { - isc_boolean_t destroy = ISC_FALSE; - dns_rdatatype_t covers = 0; - dns_rdatasetiter_current(rdsiter, &set); - if (set.type == dns_rdatatype_rrsig) { - covers = set.covers; - destroy = ISC_TRUE; - } - dns_rdataset_disassociate(&set); - result = dns_rdatasetiter_next(rdsiter); - if (destroy) { - dresult = dns_db_deleterdataset(db, node, version, - dns_rdatatype_rrsig, - covers); - check_result(dresult, "dns_db_deleterdataset"); - } - } - if (result != ISC_R_NOMORE) - fatal("rdataset iteration failed: %s", - isc_result_totext(result)); - dns_rdatasetiter_destroy(&rdsiter); 
-}
-
-/*%
- * Set up the iterator and global state before starting the tasks.
- */
-static void
-presign(void) {
- isc_result_t result;
-
- gdbiter = NULL;
- result = dns_db_createiterator(gdb, ISC_FALSE, &gdbiter);
- check_result(result, "dns_db_createiterator()");
-
- result = dns_dbiterator_first(gdbiter);
- check_result(result, "dns_dbiterator_first()");
-}
-
-/*%
- * Clean up the iterator and global state after the tasks complete.
- */
-static void
-postsign(void) {
- dns_dbiterator_destroy(&gdbiter);
-}
-
-/*%
- * Sign the apex of the zone.
- */
-static void
-signapex(void) {
- dns_dbnode_t *node = NULL;
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_result_t result;
-
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- result = dns_dbiterator_current(gdbiter, &node, name);
- check_result(result, "dns_dbiterator_current()");
- signname(node, name);
- dumpnode(name, node);
- cleannode(gdb, gversion, node);
- dns_db_detachnode(gdb, &node);
- result = dns_dbiterator_next(gdbiter);
- if (result == ISC_R_NOMORE)
- finished = ISC_TRUE;
- else if (result != ISC_R_SUCCESS)
- fatal("failure iterating database: %s",
- isc_result_totext(result));
-}
-
-/*%
- * Assigns a node to a worker thread. This is protected by the master task's
- * lock.
- */ -static void -assignwork(isc_task_t *task, isc_task_t *worker) { - dns_fixedname_t *fname; - dns_name_t *name; - dns_dbnode_t *node; - sevent_t *sevent; - dns_rdataset_t nsec; - isc_boolean_t found; - isc_result_t result; - - if (shuttingdown) - return; - - if (finished) { - if (assigned == completed) { - isc_task_detach(&task); - isc_app_shutdown(); - } - return; - } - - fname = isc_mem_get(mctx, sizeof(dns_fixedname_t)); - if (fname == NULL) - fatal("out of memory"); - dns_fixedname_init(fname); - name = dns_fixedname_name(fname); - node = NULL; - found = ISC_FALSE; - LOCK(&namelock); - while (!found) { - result = dns_dbiterator_current(gdbiter, &node, name); - if (result != ISC_R_SUCCESS) - fatal("failure iterating database: %s", - isc_result_totext(result)); - dns_rdataset_init(&nsec); - result = dns_db_findrdataset(gdb, node, gversion, - dns_rdatatype_nsec, 0, 0, - &nsec, NULL); - if (result == ISC_R_SUCCESS) - found = ISC_TRUE; - else - dumpnode(name, node); - if (dns_rdataset_isassociated(&nsec)) - dns_rdataset_disassociate(&nsec); - if (!found) - dns_db_detachnode(gdb, &node); - - result = dns_dbiterator_next(gdbiter); - if (result == ISC_R_NOMORE) { - finished = ISC_TRUE; - break; - } else if (result != ISC_R_SUCCESS) - fatal("failure iterating database: %s", - isc_result_totext(result)); - } - UNLOCK(&namelock); - if (!found) { - if (assigned == completed) { - isc_task_detach(&task); - isc_app_shutdown(); - } - isc_mem_put(mctx, fname, sizeof(dns_fixedname_t)); - return; - } - sevent = (sevent_t *) - isc_event_allocate(mctx, task, SIGNER_EVENT_WORK, - sign, NULL, sizeof(sevent_t)); - if (sevent == NULL) - fatal("failed to allocate event\n"); - - sevent->node = node; - sevent->fname = fname; - isc_task_send(worker, ISC_EVENT_PTR(&sevent)); - assigned++; -} - -/*% - * Start a worker task - */ -static void -startworker(isc_task_t *task, isc_event_t *event) { - isc_task_t *worker; - - worker = (isc_task_t *)event->ev_arg; - assignwork(task, worker); - 
isc_event_free(&event); -} - -/*% - * Write a node to the output file, and restart the worker task. - */ -static void -writenode(isc_task_t *task, isc_event_t *event) { - isc_task_t *worker; - sevent_t *sevent = (sevent_t *)event; - - completed++; - worker = (isc_task_t *)event->ev_sender; - dumpnode(dns_fixedname_name(sevent->fname), sevent->node); - cleannode(gdb, gversion, sevent->node); - dns_db_detachnode(gdb, &sevent->node); - isc_mem_put(mctx, sevent->fname, sizeof(dns_fixedname_t)); - assignwork(task, worker); - isc_event_free(&event); -} - -/*% - * Sign a database node. - */ -static void -sign(isc_task_t *task, isc_event_t *event) { - dns_fixedname_t *fname; - dns_dbnode_t *node; - sevent_t *sevent, *wevent; - - sevent = (sevent_t *)event; - node = sevent->node; - fname = sevent->fname; - isc_event_free(&event); - - signname(node, dns_fixedname_name(fname)); - wevent = (sevent_t *) - isc_event_allocate(mctx, task, SIGNER_EVENT_WRITE, - writenode, NULL, sizeof(sevent_t)); - if (wevent == NULL) - fatal("failed to allocate event\n"); - wevent->node = node; - wevent->fname = fname; - isc_task_send(master, ISC_EVENT_PTR(&wevent)); -} - -/*% - * Generate NSEC records for the zone. 
- */ -static void -nsecify(void) { - dns_dbiterator_t *dbiter = NULL; - dns_dbnode_t *node = NULL, *nextnode = NULL; - dns_fixedname_t fname, fnextname, fzonecut; - dns_name_t *name, *nextname, *zonecut; - isc_boolean_t done = ISC_FALSE; - isc_result_t result; - - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); - dns_fixedname_init(&fnextname); - nextname = dns_fixedname_name(&fnextname); - dns_fixedname_init(&fzonecut); - zonecut = NULL; - - result = dns_db_createiterator(gdb, ISC_FALSE, &dbiter); - check_result(result, "dns_db_createiterator()"); - - result = dns_dbiterator_first(dbiter); - check_result(result, "dns_dbiterator_first()"); - - while (!done) { - dns_dbiterator_current(dbiter, &node, name); - if (delegation(name, node, NULL)) { - zonecut = dns_fixedname_name(&fzonecut); - dns_name_copy(name, zonecut, NULL); - } - result = dns_dbiterator_next(dbiter); - nextnode = NULL; - while (result == ISC_R_SUCCESS) { - isc_boolean_t active = ISC_FALSE; - result = dns_dbiterator_current(dbiter, &nextnode, - nextname); - if (result != ISC_R_SUCCESS) - break; - active = active_node(nextnode); - if (!active) { - dns_db_detachnode(gdb, &nextnode); - result = dns_dbiterator_next(dbiter); - continue; - } - if (!dns_name_issubdomain(nextname, gorigin) || - (zonecut != NULL && - dns_name_issubdomain(nextname, zonecut))) - { - dns_db_detachnode(gdb, &nextnode); - result = dns_dbiterator_next(dbiter); - continue; - } - dns_db_detachnode(gdb, &nextnode); - break; - } - if (result == ISC_R_NOMORE) { - dns_name_clone(gorigin, nextname); - done = ISC_TRUE; - } else if (result != ISC_R_SUCCESS) - fatal("iterating through the database failed: %s", - isc_result_totext(result)); - result = dns_nsec_build(gdb, gversion, node, nextname, - zonettl); - check_result(result, "dns_nsec_build()"); - dns_db_detachnode(gdb, &node); - } - - dns_dbiterator_destroy(&dbiter); -} - -/*% - * Load the zone file from disk - */ -static void -loadzone(char *file, char *origin, 
dns_rdataclass_t rdclass, dns_db_t **db) { - isc_buffer_t b; - int len; - dns_fixedname_t fname; - dns_name_t *name; - isc_result_t result; - - len = strlen(origin); - isc_buffer_init(&b, origin, len); - isc_buffer_add(&b, len); - - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); - result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL); - if (result != ISC_R_SUCCESS) - fatal("failed converting name '%s' to dns format: %s", - origin, isc_result_totext(result)); - - result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, - rdclass, 0, NULL, db); - check_result(result, "dns_db_create()"); - - result = dns_db_load2(*db, file, inputformat); - if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) - fatal("failed loading zone from '%s': %s", - file, isc_result_totext(result)); -} - -/*% - * Finds all public zone keys in the zone, and attempts to load the - * private keys from disk. - */ -static void -loadzonekeys(dns_db_t *db) { - dns_dbnode_t *node; - dns_dbversion_t *currentversion; - isc_result_t result; - dst_key_t *keys[20]; - unsigned int nkeys, i; - - currentversion = NULL; - dns_db_currentversion(db, ¤tversion); - - node = NULL; - result = dns_db_findnode(db, gorigin, ISC_FALSE, &node); - if (result != ISC_R_SUCCESS) - fatal("failed to find the zone's origin: %s", - isc_result_totext(result)); - - result = dns_dnssec_findzonekeys(db, currentversion, node, gorigin, - mctx, 20, keys, &nkeys); - if (result == ISC_R_NOTFOUND) - result = ISC_R_SUCCESS; - if (result != ISC_R_SUCCESS) - fatal("failed to find the zone keys: %s", - isc_result_totext(result)); - - for (i = 0; i < nkeys; i++) { - signer_key_t *key; - - key = newkeystruct(keys[i], dst_key_isprivate(keys[i])); - ISC_LIST_APPEND(keylist, key, link); - } - dns_db_detachnode(db, &node); - dns_db_closeversion(db, ¤tversion, ISC_FALSE); -} - -/*% - * Finds all public zone keys in the zone. 
- */ -static void -loadzonepubkeys(dns_db_t *db) { - dns_dbversion_t *currentversion = NULL; - dns_dbnode_t *node = NULL; - dns_rdataset_t rdataset; - dns_rdata_t rdata = DNS_RDATA_INIT; - dst_key_t *pubkey; - signer_key_t *key; - isc_result_t result; - - dns_db_currentversion(db, ¤tversion); - - result = dns_db_findnode(db, gorigin, ISC_FALSE, &node); - if (result != ISC_R_SUCCESS) - fatal("failed to find the zone's origin: %s", - isc_result_totext(result)); - - dns_rdataset_init(&rdataset); - result = dns_db_findrdataset(db, node, currentversion, - dns_rdatatype_dnskey, 0, 0, &rdataset, NULL); - if (result != ISC_R_SUCCESS) - fatal("failed to find keys at the zone apex: %s", - isc_result_totext(result)); - result = dns_rdataset_first(&rdataset); - check_result(result, "dns_rdataset_first"); - while (result == ISC_R_SUCCESS) { - pubkey = NULL; - dns_rdata_reset(&rdata); - dns_rdataset_current(&rdataset, &rdata); - result = dns_dnssec_keyfromrdata(gorigin, &rdata, mctx, - &pubkey); - if (result != ISC_R_SUCCESS) - goto next; - if (!dst_key_iszonekey(pubkey)) { - dst_key_free(&pubkey); - goto next; - } - - key = newkeystruct(pubkey, ISC_FALSE); - ISC_LIST_APPEND(keylist, key, link); - next: - result = dns_rdataset_next(&rdataset); - } - dns_rdataset_disassociate(&rdataset); - dns_db_detachnode(db, &node); - dns_db_closeversion(db, ¤tversion, ISC_FALSE); -} - -static void -warnifallksk(dns_db_t *db) { - dns_dbversion_t *currentversion = NULL; - dns_dbnode_t *node = NULL; - dns_rdataset_t rdataset; - dns_rdata_t rdata = DNS_RDATA_INIT; - isc_result_t result; - dns_rdata_key_t key; - isc_boolean_t have_non_ksk = ISC_FALSE; - - dns_db_currentversion(db, ¤tversion); - - result = dns_db_findnode(db, gorigin, ISC_FALSE, &node); - if (result != ISC_R_SUCCESS) - fatal("failed to find the zone's origin: %s", - isc_result_totext(result)); - - dns_rdataset_init(&rdataset); - result = dns_db_findrdataset(db, node, currentversion, - dns_rdatatype_dnskey, 0, 0, &rdataset, NULL); - 
if (result != ISC_R_SUCCESS) - fatal("failed to find keys at the zone apex: %s", - isc_result_totext(result)); - result = dns_rdataset_first(&rdataset); - check_result(result, "dns_rdataset_first"); - while (result == ISC_R_SUCCESS) { - dns_rdata_reset(&rdata); - dns_rdataset_current(&rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &key, NULL); - check_result(result, "dns_rdata_tostruct"); - if ((key.flags & DNS_KEYFLAG_KSK) == 0) { - have_non_ksk = ISC_TRUE; - result = ISC_R_NOMORE; - } else - result = dns_rdataset_next(&rdataset); - } - dns_rdataset_disassociate(&rdataset); - dns_db_detachnode(db, &node); - dns_db_closeversion(db, ¤tversion, ISC_FALSE); - if (!have_non_ksk && !ignoreksk) - fprintf(stderr, "%s: warning: No non-KSK dnskey found. " - "Supply non-KSK dnskey or use '-z'.\n", - program); -} - -static void -writeset(const char *prefix, dns_rdatatype_t type) { - char *filename; - char namestr[DNS_NAME_FORMATSIZE]; - dns_db_t *db = NULL; - dns_dbversion_t *version = NULL; - dns_diff_t diff; - dns_difftuple_t *tuple = NULL; - dns_fixedname_t fixed; - dns_name_t *name; - dns_rdata_t rdata, ds; - isc_boolean_t have_ksk = ISC_FALSE; - isc_boolean_t have_non_ksk = ISC_FALSE; - isc_buffer_t b; - isc_buffer_t namebuf; - isc_region_t r; - isc_result_t result; - signer_key_t *key; - unsigned char dsbuf[DNS_DS_BUFFERSIZE]; - unsigned char keybuf[DST_KEY_MAXSIZE]; - unsigned int filenamelen; - const dns_master_style_t *style = - (type == dns_rdatatype_dnskey) ? 
masterstyle : dsstyle; - - isc_buffer_init(&namebuf, namestr, sizeof(namestr)); - result = dns_name_tofilenametext(gorigin, ISC_FALSE, &namebuf); - check_result(result, "dns_name_tofilenametext"); - isc_buffer_putuint8(&namebuf, 0); - filenamelen = strlen(prefix) + strlen(namestr); - if (directory != NULL) - filenamelen += strlen(directory) + 1; - filename = isc_mem_get(mctx, filenamelen + 1); - if (filename == NULL) - fatal("out of memory"); - if (directory != NULL) - snprintf(filename, filenamelen + 1, "%s/", directory); - else - filename[0] = 0; - strlcat(filename, prefix, filenamelen + 1); - strlcat(filename, namestr, filenamelen + 1); - - dns_diff_init(mctx, &diff); - - for (key = ISC_LIST_HEAD(keylist); - key != NULL; - key = ISC_LIST_NEXT(key, link)) - if (!key->isksk) { - have_non_ksk = ISC_TRUE; - break; - } - - for (key = ISC_LIST_HEAD(keylist); - key != NULL; - key = ISC_LIST_NEXT(key, link)) - if (key->isksk) { - have_ksk = ISC_TRUE; - break; - } - - if (type == dns_rdatatype_dlv) { - dns_name_t tname; - unsigned int labels; - - dns_name_init(&tname, NULL); - dns_fixedname_init(&fixed); - name = dns_fixedname_name(&fixed); - labels = dns_name_countlabels(gorigin); - dns_name_getlabelsequence(gorigin, 0, labels - 1, &tname); - result = dns_name_concatenate(&tname, dlv, name, NULL); - check_result(result, "dns_name_concatenate"); - } else - name = gorigin; - - for (key = ISC_LIST_HEAD(keylist); - key != NULL; - key = ISC_LIST_NEXT(key, link)) - { - if (have_ksk && have_non_ksk && !key->isksk) - continue; - dns_rdata_init(&rdata); - dns_rdata_init(&ds); - isc_buffer_init(&b, keybuf, sizeof(keybuf)); - result = dst_key_todns(key->key, &b); - check_result(result, "dst_key_todns"); - isc_buffer_usedregion(&b, &r); - dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r); - if (type != dns_rdatatype_dnskey) { - result = dns_ds_buildrdata(gorigin, &rdata, - DNS_DSDIGEST_SHA1, - dsbuf, &ds); - check_result(result, "dns_ds_buildrdata"); - if (type == 
dns_rdatatype_dlv) - ds.type = dns_rdatatype_dlv; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - name, 0, &ds, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - - dns_rdata_reset(&ds); - result = dns_ds_buildrdata(gorigin, &rdata, - DNS_DSDIGEST_SHA256, - dsbuf, &ds); - check_result(result, "dns_ds_buildrdata"); - if (type == dns_rdatatype_dlv) - ds.type = dns_rdatatype_dlv; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - name, 0, &ds, &tuple); - - } else - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - gorigin, zonettl, - &rdata, &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(&diff, &tuple); - } - - result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone, - gclass, 0, NULL, &db); - check_result(result, "dns_db_create"); - - result = dns_db_newversion(db, &version); - check_result(result, "dns_db_newversion"); - - result = dns_diff_apply(&diff, db, version); - check_result(result, "dns_diff_apply"); - dns_diff_clear(&diff); - - result = dns_master_dump(mctx, db, version, style, filename); - check_result(result, "dns_master_dump"); - - isc_mem_put(mctx, filename, filenamelen + 1); - - dns_db_closeversion(db, &version, ISC_FALSE); - dns_db_detach(&db); -} - -static void -print_time(FILE *fp) { - time_t currenttime; - - if (outputformat != dns_masterformat_text) - return; - - currenttime = time(NULL); - fprintf(fp, "; File written on %s", ctime(¤ttime)); -} - -static void -print_version(FILE *fp) { - if (outputformat != dns_masterformat_text) - return; - - fprintf(fp, "; dnssec_signzone version " VERSION "\n"); -} - -static void -usage(void) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, "\t%s [options] zonefile [keys]\n", program); - - fprintf(stderr, "\n"); - - fprintf(stderr, "Version: %s\n", VERSION); - - fprintf(stderr, "Options: (default value in parenthesis) \n"); - fprintf(stderr, "\t-c class (IN)\n"); - fprintf(stderr, "\t-d directory\n"); - 
fprintf(stderr, "\t\tdirectory to find keyset files (.)\n"); - fprintf(stderr, "\t-g:\t"); - fprintf(stderr, "generate DS records from keyset files\n"); - fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n"); - fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n"); - fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); - fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now " - "(now + 30 days)\n"); - fprintf(stderr, "\t-i interval:\n"); - fprintf(stderr, "\t\tcycle interval - resign " - "if < interval from end ( (end-start)/4 )\n"); - fprintf(stderr, "\t-j jitter:\n"); - fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n"); - fprintf(stderr, "\t-v debuglevel (0)\n"); - fprintf(stderr, "\t-o origin:\n"); - fprintf(stderr, "\t\tzone origin (name of zonefile)\n"); - fprintf(stderr, "\t-f outfile:\n"); - fprintf(stderr, "\t\tfile the signed zone is written in " - "(zonefile + .signed)\n"); - fprintf(stderr, "\t-I format:\n"); - fprintf(stderr, "\t\tfile format of input zonefile (text)\n"); - fprintf(stderr, "\t-O format:\n"); - fprintf(stderr, "\t\tfile format of signed zone file (text)\n"); - fprintf(stderr, "\t-N format:\n"); - fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n"); - fprintf(stderr, "\t-r randomdev:\n"); - fprintf(stderr, "\t\ta file containing random data\n"); - fprintf(stderr, "\t-a:\t"); - fprintf(stderr, "verify generated signatures\n"); - fprintf(stderr, "\t-p:\t"); - fprintf(stderr, "use pseudorandom data (faster but less secure)\n"); - fprintf(stderr, "\t-t:\t"); - fprintf(stderr, "print statistics\n"); - fprintf(stderr, "\t-n ncpus (number of cpus present)\n"); - fprintf(stderr, "\t-k key_signing_key\n"); - fprintf(stderr, "\t-l lookasidezone\n"); - fprintf(stderr, "\t-z:\t"); - fprintf(stderr, "ignore KSK flag in DNSKEYs"); - - fprintf(stderr, "\n"); - - fprintf(stderr, "Signing Keys: "); - fprintf(stderr, "(default: all zone keys that have private 
keys)\n"); - fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n"); - exit(0); -} - -static void -removetempfile(void) { - if (removefile) - isc_file_remove(tempfile); -} - -static void -print_stats(isc_time_t *timer_start, isc_time_t *timer_finish) { - isc_uint64_t runtime_us; /* Runtime in microseconds */ - isc_uint64_t runtime_ms; /* Runtime in milliseconds */ - isc_uint64_t sig_ms; /* Signatures per millisecond */ - - runtime_us = isc_time_microdiff(timer_finish, timer_start); - - printf("Signatures generated: %10d\n", nsigned); - printf("Signatures retained: %10d\n", nretained); - printf("Signatures dropped: %10d\n", ndropped); - printf("Signatures successfully verified: %10d\n", nverified); - printf("Signatures unsuccessfully verified: %10d\n", nverifyfailed); - runtime_ms = runtime_us / 1000; - printf("Runtime in seconds: %7u.%03u\n", - (unsigned int) (runtime_ms / 1000), - (unsigned int) (runtime_ms % 1000)); - if (runtime_us > 0) { - sig_ms = ((isc_uint64_t)nsigned * 1000000000) / runtime_us; - printf("Signatures per second: %7u.%03u\n", - (unsigned int) sig_ms / 1000, - (unsigned int) sig_ms % 1000); - } -} - -int -main(int argc, char *argv[]) { - int i, ch; - char *startstr = NULL, *endstr = NULL, *classname = NULL; - char *origin = NULL, *file = NULL, *output = NULL; - char *inputformatstr = NULL, *outputformatstr = NULL; - char *serialformatstr = NULL; - char *dskeyfile[MAXDSKEYS]; - int ndskeys = 0; - char *endp; - isc_time_t timer_start, timer_finish; - signer_key_t *key; - isc_result_t result; - isc_log_t *log = NULL; - isc_boolean_t pseudorandom = ISC_FALSE; - unsigned int eflags; - isc_boolean_t free_output = ISC_FALSE; - int tempfilelen; - dns_rdataclass_t rdclass; - isc_task_t **tasks = NULL; - isc_buffer_t b; - int len; - - masterstyle = &dns_master_style_explicitttl; - - check_result(isc_app_start(), "isc_app_start"); - - result = isc_mem_create(0, 0, &mctx); - if (result != ISC_R_SUCCESS) - fatal("out of memory"); - - dns_result_register(); - - 
while ((ch = isc_commandline_parse(argc, argv, - "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z")) - != -1) { - switch (ch) { - case 'a': - tryverify = ISC_TRUE; - break; - - case 'c': - classname = isc_commandline_argument; - break; - - case 'd': - directory = isc_commandline_argument; - break; - - case 'e': - endstr = isc_commandline_argument; - break; - - case 'f': - output = isc_commandline_argument; - break; - - case 'g': - generateds = ISC_TRUE; - break; - - case 'h': - default: - usage(); - break; - - case 'i': - endp = NULL; - cycle = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0' || cycle < 0) - fatal("cycle period must be numeric and " - "positive"); - break; - - case 'I': - inputformatstr = isc_commandline_argument; - break; - - case 'j': - endp = NULL; - jitter = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0' || jitter < 0) - fatal("jitter must be numeric and positive"); - break; - - case 'l': - dns_fixedname_init(&dlv_fixed); - len = strlen(isc_commandline_argument); - isc_buffer_init(&b, isc_commandline_argument, len); - isc_buffer_add(&b, len); - - dns_fixedname_init(&dlv_fixed); - dlv = dns_fixedname_name(&dlv_fixed); - result = dns_name_fromtext(dlv, &b, dns_rootname, - ISC_FALSE, NULL); - check_result(result, "dns_name_fromtext(dlv)"); - break; - - case 'k': - if (ndskeys == MAXDSKEYS) - fatal("too many key-signing keys specified"); - dskeyfile[ndskeys++] = isc_commandline_argument; - break; - - case 'n': - endp = NULL; - ntasks = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0' || ntasks > ISC_INT32_MAX) - fatal("number of cpus must be numeric"); - break; - - case 'N': - serialformatstr = isc_commandline_argument; - break; - - case 'o': - origin = isc_commandline_argument; - break; - - case 'O': - outputformatstr = isc_commandline_argument; - break; - - case 'p': - pseudorandom = ISC_TRUE; - break; - - case 'r': - setup_entropy(mctx, isc_commandline_argument, &ectx); - break; - - case 's': - startstr = 
isc_commandline_argument; - break; - - case 'S': - /* This is intentionally undocumented */ - /* -S: simple output style */ - masterstyle = &dns_master_style_simple; - break; - - case 't': - printstats = ISC_TRUE; - break; - - case 'v': - endp = NULL; - verbose = strtol(isc_commandline_argument, &endp, 0); - if (*endp != '\0') - fatal("verbose level must be numeric"); - break; - - case 'z': - ignoreksk = ISC_TRUE; - break; - } - } - - if (ectx == NULL) - setup_entropy(mctx, NULL, &ectx); - eflags = ISC_ENTROPY_BLOCKING; - if (!pseudorandom) - eflags |= ISC_ENTROPY_GOODONLY; - - result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); - if (result != ISC_R_SUCCESS) - fatal("could not create hash context"); - - result = dst_lib_init(mctx, ectx, eflags); - if (result != ISC_R_SUCCESS) - fatal("could not initialize dst"); - - isc_stdtime_get(&now); - - if (startstr != NULL) - starttime = strtotime(startstr, now, now); - else - starttime = now - 3600; /* Allow for some clock skew. */ - - if (endstr != NULL) - endtime = strtotime(endstr, now, starttime); - else - endtime = starttime + (30 * 24 * 60 * 60); - - if (cycle == -1) - cycle = (endtime - starttime) / 4; - - if (ntasks == 0) - ntasks = isc_os_ncpus(); - vbprintf(4, "using %d cpus\n", ntasks); - - rdclass = strtoclass(classname); - - setup_logging(verbose, mctx, &log); - - argc -= isc_commandline_index; - argv += isc_commandline_index; - - if (argc < 1) - usage(); - - file = argv[0]; - - argc -= 1; - argv += 1; - - if (origin == NULL) - origin = file; - - if (output == NULL) { - size_t len; - free_output = ISC_TRUE; - len = strlen(file) + strlen(".signed"); - output = isc_mem_allocate(mctx, len + 1); - if (output == NULL) - fatal("out of memory"); - snprintf(output, len + 1, "%s.signed", file); - } - - if (inputformatstr != NULL) { - if (strcasecmp(inputformatstr, "text") == 0) - inputformat = dns_masterformat_text; - else if (strcasecmp(inputformatstr, "raw") == 0) - inputformat = dns_masterformat_raw; - else - 
fatal("unknown file format: %s\n", inputformatstr); - } - - if (outputformatstr != NULL) { - if (strcasecmp(outputformatstr, "text") == 0) - outputformat = dns_masterformat_text; - else if (strcasecmp(outputformatstr, "raw") == 0) - outputformat = dns_masterformat_raw; - else - fatal("unknown file format: %s\n", outputformatstr); - } - - if (serialformatstr != NULL) { - if (strcasecmp(serialformatstr, "keep") == 0) - serialformat = SOA_SERIAL_KEEP; - else if (strcasecmp(serialformatstr, "increment") == 0 || - strcasecmp(serialformatstr, "incr") == 0) - serialformat = SOA_SERIAL_INCREMENT; - else if (strcasecmp(serialformatstr, "unixtime") == 0) - serialformat = SOA_SERIAL_UNIXTIME; - else - fatal("unknown soa serial format: %s\n", serialformatstr); - } - - result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL, - 0, 24, 0, 0, 0, 8, mctx); - check_result(result, "dns_master_stylecreate"); - - - gdb = NULL; - TIME_NOW(&timer_start); - loadzone(file, origin, rdclass, &gdb); - gorigin = dns_db_origin(gdb); - gclass = dns_db_class(gdb); - zonettl = soattl(); - - ISC_LIST_INIT(keylist); - - if (argc == 0) { - loadzonekeys(gdb); - } else { - for (i = 0; i < argc; i++) { - dst_key_t *newkey = NULL; - - result = dst_key_fromnamedfile(argv[i], - DST_TYPE_PUBLIC | - DST_TYPE_PRIVATE, - mctx, &newkey); - if (result != ISC_R_SUCCESS) - fatal("cannot load dnskey %s: %s", argv[i], - isc_result_totext(result)); - - key = ISC_LIST_HEAD(keylist); - while (key != NULL) { - dst_key_t *dkey = key->key; - if (dst_key_id(dkey) == dst_key_id(newkey) && - dst_key_alg(dkey) == dst_key_alg(newkey) && - dns_name_equal(dst_key_name(dkey), - dst_key_name(newkey))) - { - if (!dst_key_isprivate(dkey)) - fatal("cannot sign zone with " - "non-private dnskey %s", - argv[i]); - break; - } - key = ISC_LIST_NEXT(key, link); - } - if (key == NULL) { - key = newkeystruct(newkey, ISC_TRUE); - ISC_LIST_APPEND(keylist, key, link); - } else - dst_key_free(&newkey); - } - - loadzonepubkeys(gdb); - } - 
- for (i = 0; i < ndskeys; i++) { - dst_key_t *newkey = NULL; - - result = dst_key_fromnamedfile(dskeyfile[i], - DST_TYPE_PUBLIC | - DST_TYPE_PRIVATE, - mctx, &newkey); - if (result != ISC_R_SUCCESS) - fatal("cannot load dnskey %s: %s", dskeyfile[i], - isc_result_totext(result)); - - key = ISC_LIST_HEAD(keylist); - while (key != NULL) { - dst_key_t *dkey = key->key; - if (dst_key_id(dkey) == dst_key_id(newkey) && - dst_key_alg(dkey) == dst_key_alg(newkey) && - dns_name_equal(dst_key_name(dkey), - dst_key_name(newkey))) - { - /* Override key flags. */ - key->issigningkey = ISC_TRUE; - key->isksk = ISC_TRUE; - key->isdsk = ISC_FALSE; - dst_key_free(&dkey); - key->key = newkey; - break; - } - key = ISC_LIST_NEXT(key, link); - } - if (key == NULL) { - /* Override dnskey flags. */ - key = newkeystruct(newkey, ISC_TRUE); - key->isksk = ISC_TRUE; - key->isdsk = ISC_FALSE; - ISC_LIST_APPEND(keylist, key, link); - } - } - - if (ISC_LIST_EMPTY(keylist)) { - fprintf(stderr, "%s: warning: No keys specified or found\n", - program); - nokeys = ISC_TRUE; - } - - warnifallksk(gdb); - - gversion = NULL; - result = dns_db_newversion(gdb, &gversion); - check_result(result, "dns_db_newversion()"); - - switch (serialformat) { - case SOA_SERIAL_INCREMENT: - setsoaserial(0); - break; - case SOA_SERIAL_UNIXTIME: - setsoaserial(now); - break; - case SOA_SERIAL_KEEP: - default: - /* do nothing */ - break; - } - - nsecify(); - - if (!nokeys) { - writeset("keyset-", dns_rdatatype_dnskey); - writeset("dsset-", dns_rdatatype_ds); - if (dlv != NULL) { - writeset("dlvset-", dns_rdatatype_dlv); - } - } - - tempfilelen = strlen(output) + 20; - tempfile = isc_mem_get(mctx, tempfilelen); - if (tempfile == NULL) - fatal("out of memory"); - - result = isc_file_mktemplate(output, tempfile, tempfilelen); - check_result(result, "isc_file_mktemplate"); - - fp = NULL; - result = isc_file_openunique(tempfile, &fp); - if (result != ISC_R_SUCCESS) - fatal("failed to open temporary output file: %s", - 
isc_result_totext(result)); - removefile = ISC_TRUE; - setfatalcallback(&removetempfile); - - print_time(fp); - print_version(fp); - - result = isc_taskmgr_create(mctx, ntasks, 0, &taskmgr); - if (result != ISC_R_SUCCESS) - fatal("failed to create task manager: %s", - isc_result_totext(result)); - - master = NULL; - result = isc_task_create(taskmgr, 0, &master); - if (result != ISC_R_SUCCESS) - fatal("failed to create task: %s", isc_result_totext(result)); - - tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *)); - if (tasks == NULL) - fatal("out of memory"); - for (i = 0; i < (int)ntasks; i++) { - tasks[i] = NULL; - result = isc_task_create(taskmgr, 0, &tasks[i]); - if (result != ISC_R_SUCCESS) - fatal("failed to create task: %s", - isc_result_totext(result)); - } - - RUNTIME_CHECK(isc_mutex_init(&namelock) == ISC_R_SUCCESS); - if (printstats) - RUNTIME_CHECK(isc_mutex_init(&statslock) == ISC_R_SUCCESS); - - presign(); - signapex(); - if (!finished) { - /* - * There is more work to do. Spread it out over multiple - * processors if possible. 
- */ - for (i = 0; i < (int)ntasks; i++) { - result = isc_app_onrun(mctx, master, startworker, - tasks[i]); - if (result != ISC_R_SUCCESS) - fatal("failed to start task: %s", - isc_result_totext(result)); - } - (void)isc_app_run(); - if (!finished) - fatal("process aborted by user"); - } else - isc_task_detach(&master); - shuttingdown = ISC_TRUE; - for (i = 0; i < (int)ntasks; i++) - isc_task_detach(&tasks[i]); - isc_taskmgr_destroy(&taskmgr); - isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *)); - postsign(); - - if (outputformat != dns_masterformat_text) { - result = dns_master_dumptostream2(mctx, gdb, gversion, - masterstyle, outputformat, - fp); - check_result(result, "dns_master_dumptostream2"); - } - - result = isc_stdio_close(fp); - check_result(result, "isc_stdio_close"); - removefile = ISC_FALSE; - - result = isc_file_rename(tempfile, output); - if (result != ISC_R_SUCCESS) - fatal("failed to rename temp file to %s: %s\n", - output, isc_result_totext(result)); - - DESTROYLOCK(&namelock); - if (printstats) - DESTROYLOCK(&statslock); - - printf("%s\n", output); - - dns_db_closeversion(gdb, &gversion, ISC_FALSE); - dns_db_detach(&gdb); - - while (!ISC_LIST_EMPTY(keylist)) { - key = ISC_LIST_HEAD(keylist); - ISC_LIST_UNLINK(keylist, key, link); - dst_key_free(&key->key); - isc_mem_put(mctx, key, sizeof(signer_key_t)); - } - - isc_mem_put(mctx, tempfile, tempfilelen); - - if (free_output) - isc_mem_free(mctx, output); - - dns_master_styledestroy(&dsstyle, mctx); - - cleanup_logging(&log); - dst_lib_destroy(); - isc_hash_destroy(); - cleanup_entropy(&ectx); - dns_name_destroy(); - if (verbose > 10) - isc_mem_stats(mctx, stdout); - isc_mem_destroy(&mctx); - - (void) isc_app_finish(); - - if (printstats) { - TIME_NOW(&timer_finish); - print_stats(&timer_start, &timer_finish); - } - - return (0); -} 
diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook b/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook
deleted file mode 100644
index 733df998843..00000000000
--- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.docbook
+++ /dev/null
@@ -1,476 +0,0 @@ -]> - - - - - - June 30, 2000 - - - - dnssec-signzone - 8 - BIND9 - - - - dnssec-signzone - DNSSEC zone signing tool - - - - - 2004 - 2005 - 2006 - 2007 - Internet Systems Consortium, Inc. ("ISC") - - - 2000 - 2001 - 2002 - 2003 - Internet Software Consortium. - - - - - - dnssec-signzone - - - - - - - - - - - - - - - - - - - - - - zonefile - key - - - - - DESCRIPTION - dnssec-signzone - signs a zone. It generates - NSEC and RRSIG records and produces a signed version of the - zone. The security status of delegations from the signed zone - (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - keyset file for each child zone. - - - - - OPTIONS - - - - -a - - - Verify all generated signatures. - - - - - - -c class - - - Specifies the DNS class of the zone. - - - - - - -k key - - - Treat specified key as a key signing key ignoring any - key flags. This option may be specified multiple times. - - - - - - -l domain - - - Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. - - - - - - -d directory - - - Look for keyset files in - as the directory - - - - - - -g - - - Generate DS records for child zones from keyset files. - Existing DS records will be removed. - - - - - - -s start-time - - - Specify the date and time when the generated RRSIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no is specified, the current - time minus 1 hour (to allow for clock skew) is used. - - - - - - -e end-time - - - Specify the date and time when the generated RRSIG records - expire. As with , an absolute - time is indicated in YYYYMMDDHHMMSS notation. 
A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no is - specified, 30 days from the start time is used as a default. - - - - - - -f output-file - - - The name of the output file containing the signed zone. The - default is to append .signed to - the - input filename. - - - - - - -h - - - Prints a short summary of the options and arguments to - dnssec-signzone. - - - - - - -i interval - - - When a previously-signed zone is passed as input, records - may be resigned. The option - specifies the cycle interval as an offset from the current - time (in seconds). If a RRSIG record expires after the - cycle interval, it is retained. Otherwise, it is considered - to be expiring soon, and it will be replaced. - - - The default cycle interval is one quarter of the difference - between the signature end and start times. So if neither - or - are specified, dnssec-signzone - generates - signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing RRSIG records - are due to expire in less than 7.5 days, they would be - replaced. - - - - - - -I input-format - - - The format of the input zone file. - Possible formats are "text" (default) - and "raw". - This option is primarily intended to be used for dynamic - signed zones so that the dumped zone file in a non-text - format containing updates can be signed directly. - The use of this option does not make much sense for - non-dynamic zones. - - - - - - -j jitter - - - When signing a zone with a fixed signature lifetime, all - RRSIG records issued at the time of signing expires - simultaneously. If the zone is incrementally signed, i.e. - a previously-signed zone is passed as input to the signer, - all expired signatures have to be regenerated at about the - same time. 
The option specifies a - jitter window that will be used to randomize the signature - expire time, thus spreading incremental signature - regeneration over time. - - - Signature lifetime jitter also to some extent benefits - validators and servers by spreading out cache expiration, - i.e. if large numbers of RRSIGs don't expire at the same time - from all caches there will be less congestion than if all - validators need to refetch at mostly the same time. - - - - - - -n ncpus - - - Specifies the number of threads to use. By default, one - thread is started for each detected CPU. - - - - - - -N soa-serial-format - - - The SOA serial number format of the signed zone. - Possible formats are "keep" (default), - "increment" and - "unixtime". - - - - - "keep" - - Do not modify the SOA serial number. - - - - - "increment" - - Increment the SOA serial number using RFC 1982 - arithmetics. - - - - - "unixtime" - - Set the SOA serial number to the number of seconds - since epoch. - - - - - - - - - -o origin - - - The zone origin. If not specified, the name of the zone file - is assumed to be the origin. - - - - - - -O output-format - - - The format of the output file containing the signed zone. - Possible formats are "text" (default) - and "raw". - - - - - - -p - - - Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. - - - - - - -r randomdev - - - Specifies the source of randomness. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. - - - - - - -t - - - Print statistics at completion. - - - - - - -v level - - - Sets the debugging level. 
- - - - - - -z - - - Ignore KSK flag on key when determining what to sign. - - - - - - zonefile - - - The file containing the zone to be signed. - - - - - - key - - - Specify which keys should be used to sign the zone. If - no keys are specified, then the zone will be examined - for DNSKEY records at the zone apex. If these are found and - there are matching private keys, in the current directory, - then these will be used for signing. - - - - - - - - - EXAMPLE - - The following command signs the example.com - zone with the DSA key generated by dnssec-keygen - (Kexample.com.+003+17247). The zone's keys must be in the master - file (db.example.com). This invocation looks - for keyset files, in the current directory, - so that DS records can be generated from them (-g). - -% dnssec-signzone -g -o example.com db.example.com \ -Kexample.com.+003+17247 -db.example.com.signed -% - - In the above example, dnssec-signzone creates - the file db.example.com.signed. This - file should be referenced in a zone statement in a - named.conf file. - - - This example re-signs a previously signed zone with default parameters. - The private keys are assumed to be in the current directory. - -% cp db.example.com.signed db.example.com -% dnssec-signzone -o example.com db.example.com -db.example.com.signed -% - - - - SEE ALSO - - dnssec-keygen8 - , - BIND 9 Administrator Reference Manual, - RFC 2535. - - - - - AUTHOR - Internet Systems Consortium - - - - diff --git a/usr.sbin/bind/bin/dnssec/dnssec-signzone.html b/usr.sbin/bind/bin/dnssec/dnssec-signzone.html deleted file mode 100644 index 0009b2b13cc..00000000000 --- a/usr.sbin/bind/bin/dnssec/dnssec-signzone.html +++ /dev/null @@ -1,285 +0,0 @@ - - - - - -dnssec-signzone - - -
-
-
-

Name

-

dnssec-signzone — DNSSEC zone signing tool

-
-
-

Synopsis

-

dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

-
-
-

DESCRIPTION

-

dnssec-signzone - signs a zone. It generates - NSEC and RRSIG records and produces a signed version of the - zone. The security status of delegations from the signed zone - (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - keyset file for each child zone. -

-
-
-

OPTIONS

-
-
-a
-

- Verify all generated signatures. -

-
-c class
-

- Specifies the DNS class of the zone. -

-
-k key
-

- Treat specified key as a key signing key ignoring any - key flags. This option may be specified multiple times. -

-
-l domain
-

- Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. -

-
-d directory
-

- Look for keyset files in - directory as the directory -

-
-g
-

- Generate DS records for child zones from keyset files. - Existing DS records will be removed. -

-
-s start-time
-

- Specify the date and time when the generated RRSIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no start-time is specified, the current - time minus 1 hour (to allow for clock skew) is used. -

-
-e end-time
-

- Specify the date and time when the generated RRSIG records - expire. As with start-time, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no end-time is - specified, 30 days from the start time is used as a default. -

-
-f output-file
-

- The name of the output file containing the signed zone. The - default is to append .signed to - the - input filename. -

-
-h
-

- Prints a short summary of the options and arguments to - dnssec-signzone. -

-
-i interval
-
-

- When a previously-signed zone is passed as input, records - may be resigned. The interval option - specifies the cycle interval as an offset from the current - time (in seconds). If a RRSIG record expires after the - cycle interval, it is retained. Otherwise, it is considered - to be expiring soon, and it will be replaced. -

-

- The default cycle interval is one quarter of the difference - between the signature end and start times. So if neither - end-time or start-time - are specified, dnssec-signzone - generates - signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing RRSIG records - are due to expire in less than 7.5 days, they would be - replaced. -

-
-
-I input-format
-

- The format of the input zone file. - Possible formats are "text" (default) - and "raw". - This option is primarily intended to be used for dynamic - signed zones so that the dumped zone file in a non-text - format containing updates can be signed directly. - The use of this option does not make much sense for - non-dynamic zones. -

-
-j jitter
-
-

- When signing a zone with a fixed signature lifetime, all - RRSIG records issued at the time of signing expires - simultaneously. If the zone is incrementally signed, i.e. - a previously-signed zone is passed as input to the signer, - all expired signatures have to be regenerated at about the - same time. The jitter option specifies a - jitter window that will be used to randomize the signature - expire time, thus spreading incremental signature - regeneration over time. -

-

- Signature lifetime jitter also to some extent benefits - validators and servers by spreading out cache expiration, - i.e. if large numbers of RRSIGs don't expire at the same time - from all caches there will be less congestion than if all - validators need to refetch at mostly the same time. -

-
-
-n ncpus
-

- Specifies the number of threads to use. By default, one - thread is started for each detected CPU. -

-
-N soa-serial-format
-
-

- The SOA serial number format of the signed zone. - Possible formats are "keep" (default), - "increment" and - "unixtime". -

-
-
"keep"
-

Do not modify the SOA serial number.

-
"increment"
-

Increment the SOA serial number using RFC 1982 - arithmetics.

-
"unixtime"
-

Set the SOA serial number to the number of seconds - since epoch.

-
-
-
-o origin
-

- The zone origin. If not specified, the name of the zone file - is assumed to be the origin. -

-
-O output-format
-

- The format of the output file containing the signed zone. - Possible formats are "text" (default) - and "raw". -

-
-p
-

- Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. -

-
-r randomdev
-

- Specifies the source of randomness. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. -

-
-t
-

- Print statistics at completion. -

-
-v level
-

- Sets the debugging level. -

-
-z
-

- Ignore KSK flag on key when determining what to sign. -

-
zonefile
-

- The file containing the zone to be signed. -

-
key
-

- Specify which keys should be used to sign the zone. If - no keys are specified, then the zone will be examined - for DNSKEY records at the zone apex. If these are found and - there are matching private keys, in the current directory, - then these will be used for signing. -

-
-
-
-

EXAMPLE

-

- The following command signs the example.com - zone with the DSA key generated by dnssec-keygen - (Kexample.com.+003+17247). The zone's keys must be in the master - file (db.example.com). This invocation looks - for keyset files, in the current directory, - so that DS records can be generated from them (-g). -

-
% dnssec-signzone -g -o example.com db.example.com \
-Kexample.com.+003+17247
-db.example.com.signed
-%
-

- In the above example, dnssec-signzone creates - the file db.example.com.signed. This - file should be referenced in a zone statement in a - named.conf file. -

-

- This example re-signs a previously signed zone with default parameters. - The private keys are assumed to be in the current directory. -

-
% cp db.example.com.signed db.example.com
-% dnssec-signzone -o example.com db.example.com
-db.example.com.signed
-%
-
-
-

SEE ALSO

-

dnssec-keygen(8), - BIND 9 Administrator Reference Manual, - RFC 2535. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
-
diff --git a/usr.sbin/bind/bin/dnssec/dnssectool.c b/usr.sbin/bind/bin/dnssec/dnssectool.c
deleted file mode 100644
index 59c108c9140..00000000000
--- a/usr.sbin/bind/bin/dnssec/dnssectool.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: dnssectool.c,v 1.40.18.3 2005/07/01 03:55:28 marka Exp $ */
-
-/*! \file */
-
-/*%
- * DNSSEC Support Routines.
- */
-
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "dnssectool.h"
-
-extern int verbose;
-extern const char *program;
-
-typedef struct entropysource entropysource_t;
-
-struct entropysource {
- isc_entropysource_t *source;
- isc_mem_t *mctx;
- ISC_LINK(entropysource_t) link;
-};
-
-static ISC_LIST(entropysource_t) sources;
-static fatalcallback_t *fatalcallback = NULL;
-
-void
-fatal(const char *format, ...) {
- va_list args;
-
- fprintf(stderr, "%s: ", program);
- va_start(args, format);
- vfprintf(stderr, format, args);
- va_end(args);
- fprintf(stderr, "\n");
- if (fatalcallback != NULL)
- (*fatalcallback)();
- exit(1);
-}
-
-void
-setfatalcallback(fatalcallback_t *callback) {
- fatalcallback = callback;
-}
-
-void
-check_result(isc_result_t result, const char *message) {
- if (result != ISC_R_SUCCESS)
- fatal("%s: %s", message, isc_result_totext(result));
-}
-
-void
-vbprintf(int level, const char *fmt, ...) {
- va_list ap;
- if (level > verbose)
- return;
- va_start(ap, fmt);
- fprintf(stderr, "%s: ", program);
- vfprintf(stderr, fmt, ap);
- va_end(ap);
-}
-
-void
-type_format(const dns_rdatatype_t type, char *cp, unsigned int size) {
- isc_buffer_t b;
- isc_region_t r;
- isc_result_t result;
-
- isc_buffer_init(&b, cp, size - 1);
- result = dns_rdatatype_totext(type, &b);
- check_result(result, "dns_rdatatype_totext()");
- isc_buffer_usedregion(&b, &r);
- r.base[r.length] = 0;
-}
-
-void
-alg_format(const dns_secalg_t alg, char *cp, unsigned int size) {
- isc_buffer_t b;
- isc_region_t r;
- isc_result_t result;
-
- isc_buffer_init(&b, cp, size - 1);
- result = dns_secalg_totext(alg, &b);
- check_result(result, "dns_secalg_totext()");
- isc_buffer_usedregion(&b, &r);
- r.base[r.length] = 0;
-}
-
-void
-sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
- char namestr[DNS_NAME_FORMATSIZE];
- char algstr[DNS_NAME_FORMATSIZE];
-
- dns_name_format(&sig->signer, namestr, sizeof(namestr));
- alg_format(sig->algorithm, algstr, sizeof(algstr));
- snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
-}
-
-void
-key_format(const dst_key_t *key, char *cp, unsigned int size) {
- char namestr[DNS_NAME_FORMATSIZE];
- char algstr[DNS_NAME_FORMATSIZE];
-
- dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
- alg_format((dns_secalg_t) dst_key_alg(key), algstr, sizeof(algstr));
- snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
-}
-
-void
-setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
- isc_result_t result;
- isc_logdestination_t destination;
- isc_logconfig_t *logconfig = NULL;
- isc_log_t *log = NULL;
- int level;
-
- if (verbose < 0)
- verbose = 0;
- switch (verbose) {
- case 0:
- /*
- * We want to see warnings about things like out-of-zone
- * data in the master file even when not verbose.
- */
- level = ISC_LOG_WARNING;
- break;
- case 1:
- level = ISC_LOG_INFO;
- break;
- default:
- level = ISC_LOG_DEBUG(verbose - 2 + 1);
- break;
- }
-
- RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
- isc_log_setcontext(log);
- dns_log_init(log);
- dns_log_setcontext(log);
-
- RUNTIME_CHECK(isc_log_settag(logconfig, program) == ISC_R_SUCCESS);
-
- /*
- * Set up a channel similar to default_stderr except:
- * - the logging level is passed in
- * - the program name and logging level are printed
- * - no time stamp is printed
- */
- destination.file.stream = stderr;
- destination.file.name = NULL;
- destination.file.versions = ISC_LOG_ROLLNEVER;
- destination.file.maximum_size = 0;
- result = isc_log_createchannel(logconfig, "stderr",
- ISC_LOG_TOFILEDESC,
- level,
- &destination,
- ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL);
- check_result(result, "isc_log_createchannel()");
-
- RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
- NULL, NULL) == ISC_R_SUCCESS);
-
- *logp = log;
-}
-
-void
-cleanup_logging(isc_log_t **logp) {
- isc_log_t *log;
-
- REQUIRE(logp != NULL);
-
- log = *logp;
- if (log == NULL)
- return;
- isc_log_destroy(&log);
- isc_log_setcontext(NULL);
- dns_log_setcontext(NULL);
- logp = NULL;
-}
-
-void
-setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
- isc_result_t result;
- isc_entropysource_t *source = NULL;
- entropysource_t *elt;
- int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE;
-
- REQUIRE(ectx != NULL);
-
- if (*ectx == NULL) {
- result = isc_entropy_create(mctx, ectx);
- if (result != ISC_R_SUCCESS)
- fatal("could not create entropy object");
- ISC_LIST_INIT(sources);
- }
-
- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
- usekeyboard = ISC_ENTROPY_KEYBOARDYES;
- randomfile = NULL;
- }
-
- result = isc_entropy_usebestsource(*ectx, &source, randomfile,
- usekeyboard);
-
- if (result != ISC_R_SUCCESS)
- fatal("could not initialize entropy source: %s",
- isc_result_totext(result));
-
- if (source != NULL) {
- elt = isc_mem_get(mctx, sizeof(*elt));
- if (elt == NULL)
- fatal("out of memory");
- elt->source = source;
- elt->mctx = mctx;
- ISC_LINK_INIT(elt, link);
- ISC_LIST_APPEND(sources, elt, link);
- }
-}
-
-void
-cleanup_entropy(isc_entropy_t **ectx) {
- entropysource_t *source;
- while (!ISC_LIST_EMPTY(sources)) {
- source = ISC_LIST_HEAD(sources);
- ISC_LIST_UNLINK(sources, source, link);
- isc_entropy_destroysource(&source->source);
- isc_mem_put(source->mctx, source, sizeof(*source));
- }
- isc_entropy_detach(ectx);
-}
-
-isc_stdtime_t
-strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
- isc_int64_t val, offset;
- isc_result_t result;
- char *endp;
-
- if (str[0] == '+') {
- offset = strtol(str + 1, &endp, 0);
- if (*endp != '\0')
- fatal("time value %s is invalid", str);
- val = base + offset;
- } else if (strncmp(str, "now+", 4) == 0) {
- offset = strtol(str + 4, &endp, 0);
- if (*endp != '\0')
- fatal("time value %s is invalid", str);
- val = now + offset;
- } else if (strlen(str) == 8U) {
- char timestr[15];
- snprintf(timestr, sizeof(timestr), "%s000000", str);
- result = dns_time64_fromtext(timestr, &val);
- if (result != ISC_R_SUCCESS)
- fatal("time value %s is invalid", str);
- } else {
- result = dns_time64_fromtext(str, &val);
- if (result != ISC_R_SUCCESS)
- fatal("time value %s is invalid", str);
- }
-
- return ((isc_stdtime_t) val);
-}
-
-dns_rdataclass_t
-strtoclass(const char *str) {
- isc_textregion_t r;
- dns_rdataclass_t rdclass;
- isc_result_t ret;
-
- if (str == NULL)
- return dns_rdataclass_in;
- DE_CONST(str, r.base);
- r.length = strlen(str);
- ret = dns_rdataclass_fromtext(&rdclass, &r);
- if (ret != ISC_R_SUCCESS)
- fatal("unknown class %s", str);
- return (rdclass);
-}
diff --git a/usr.sbin/bind/bin/dnssec/dnssectool.h b/usr.sbin/bind/bin/dnssec/dnssectool.h
deleted file mode 100644
index 80ca37898b4..00000000000
--- a/usr.sbin/bind/bin/dnssec/dnssectool.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: dnssectool.h,v 1.18 2004/03/05 04:57:41 marka Exp $ */
-
-#ifndef DNSSECTOOL_H
-#define DNSSECTOOL_H 1
-
-#include
-#include
-#include
-#include
-
-typedef void (fatalcallback_t)(void);
-
-void
-fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-setfatalcallback(fatalcallback_t *callback);
-
-void
-check_result(isc_result_t result, const char *message);
-
-void
-vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
-
-void
-type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
-#define TYPE_FORMATSIZE 10
-
-void
-alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
-#define ALG_FORMATSIZE 10
-
-void
-sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
-#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
-
-void
-key_format(const dst_key_t *key, char *cp, unsigned int size);
-#define KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
-
-void
-setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp);
-
-void
-cleanup_logging(isc_log_t **logp);
-
-void
-setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx);
-
-void
-cleanup_entropy(isc_entropy_t **ectx);
-
-isc_stdtime_t
-strtotime(const char *str, isc_int64_t now, isc_int64_t base);
-
-dns_rdataclass_t
-strtoclass(const char *str);
-
-#endif /* DNSSEC_DNSSECTOOL_H */
diff --git a/usr.sbin/bind/bin/named/Makefile.in b/usr.sbin/bind/bin/named/Makefile.in
deleted file mode 100644
index 49e1b7f8ac1..00000000000
--- a/usr.sbin/bind/bin/named/Makefile.in
+++ /dev/null
@@ -1,145 +0,0 @@ -# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 1998-2002 Internet Software Consortium. -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: Makefile.in,v 1.80.18.7 2005/09/05 00:18:10 marka Exp $ - -srcdir = @srcdir@ -VPATH = @srcdir@ -top_srcdir = @top_srcdir@ - -@BIND9_VERSION@ - -@BIND9_MAKE_INCLUDES@ - -# -# Add database drivers here. 
-# -DBDRIVER_OBJS = -DBDRIVER_SRCS = -DBDRIVER_INCLUDES = -DBDRIVER_LIBS = - -DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers - -DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@ -DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@ -DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ -DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ - -CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \ - ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ - ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ - ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} - -CDEFINES = @USE_DLZ@ - -CWARNINGS = - -DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ -ISCCCLIBS = ../../lib/isccc/libisccc.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ -LWRESLIBS = ../../lib/lwres/liblwres.@A@ -BIND9LIBS = ../../lib/bind9/libbind9.@A@ - -DNSDEPLIBS = ../../lib/dns/libdns.@A@ -ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ -ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ -ISCDEPLIBS = ../../lib/isc/libisc.@A@ -LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ -BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ - -DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ - ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS} - -LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ - ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ - -SUBDIRS = unix - -TARGETS = named@EXEEXT@ lwresd@EXEEXT@ - -OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ - controlconf.@O@ interfacemgr.@O@ \ - listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \ - query.@O@ server.@O@ sortlist.@O@ \ - tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ - zoneconf.@O@ \ - lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ - lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ - ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} - -UOBJS = unix/os.@O@ - -SRCS = builtin.c client.c config.c control.c \ - controlconf.c interfacemgr.c \ - listenlist.c log.c logconf.c main.c notify.c \ - query.c server.c sortlist.c \ - tkeyconf.c tsigconf.c 
update.c xfrout.c \ - zoneconf.c \ - lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ - lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ - ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} - -MANPAGES = named.8 lwresd.8 named.conf.5 - -HTMLPAGES = named.html lwresd.html named.conf.html - -MANOBJS = ${MANPAGES} ${HTMLPAGES} - -@BIND9_MAKE_RULES@ - -main.@O@: main.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ - -DVERSION=\"${VERSION}\" \ - -DNS_LOCALSTATEDIR=\"${localstatedir}\" \ - -DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c - -config.@O@: config.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ - -DVERSION=\"${VERSION}\" \ - -DNS_LOCALSTATEDIR=\"${localstatedir}\" \ - -c ${srcdir}/config.c - -named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - ${OBJS} ${UOBJS} ${LIBS} - -lwresd@EXEEXT@: named@EXEEXT@ - rm -f lwresd@EXEEXT@ - @LN@ named@EXEEXT@ lwresd@EXEEXT@ - -doc man:: ${MANOBJS} - -docclean manclean maintainer-clean:: - rm -f ${MANOBJS} - -clean distclean maintainer-clean:: - rm -f ${TARGETS} ${OBJS} - -installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - -install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} - (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) - ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 - ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 - ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 - -@DLZ_DRIVER_RULES@ diff --git a/usr.sbin/bind/bin/named/builtin.c b/usr.sbin/bind/bin/named/builtin.c deleted file mode 100644 index accc6d6bf3a..00000000000 --- a/usr.sbin/bind/bin/named/builtin.c +++ /dev/null 
@@ -1,307 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: builtin.c,v 1.5.18.5 2005/08/23 04:12:38 marka Exp $ */
-
-/*! \file
- * \brief
- * The built-in "version", "hostname", "id", "authors" and "empty" databases.
- */
-
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-typedef struct builtin builtin_t;
-
-static isc_result_t do_version_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_empty_lookup(dns_sdblookup_t *lookup);
-
-/*
- * We can't use function pointers as the db_data directly
- * because ANSI C does not guarantee that function pointers
- * can safely be cast to void pointers and back.
- */
-
-struct builtin {
- isc_result_t (*do_lookup)(dns_sdblookup_t *lookup);
- char *server;
- char *contact;
-};
-
-static builtin_t version_builtin = { do_version_lookup, NULL, NULL };
-static builtin_t hostname_builtin = { do_hostname_lookup, NULL, NULL };
-static builtin_t authors_builtin = { do_authors_lookup, NULL, NULL };
-static builtin_t id_builtin = { do_id_lookup, NULL, NULL };
-static builtin_t empty_builtin = { do_empty_lookup, NULL, NULL };
-
-static dns_sdbimplementation_t *builtin_impl;
-
-static isc_result_t
-builtin_lookup(const char *zone, const char *name, void *dbdata,
- dns_sdblookup_t *lookup)
-{
- builtin_t *b = (builtin_t *) dbdata;
-
- UNUSED(zone);
-
- if (strcmp(name, "@") == 0)
- return (b->do_lookup(lookup));
- else
- return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-put_txt(dns_sdblookup_t *lookup, const char *text) {
- unsigned char buf[256];
- unsigned int len = strlen(text);
- if (len > 255)
- len = 255; /* Silently truncate */
- buf[0] = len;
- memcpy(&buf[1], text, len);
- return (dns_sdb_putrdata(lookup, dns_rdatatype_txt, 0, buf, len + 1));
-}
-
-static isc_result_t
-do_version_lookup(dns_sdblookup_t *lookup) {
- if (ns_g_server->version_set) {
- if (ns_g_server->version == NULL)
- return (ISC_R_SUCCESS);
- else
- return (put_txt(lookup, ns_g_server->version));
- } else {
- return (put_txt(lookup, ns_g_version));
- }
-}
-
-static isc_result_t
-do_hostname_lookup(dns_sdblookup_t *lookup) {
- if (ns_g_server->hostname_set) {
- if (ns_g_server->hostname == NULL)
- return (ISC_R_SUCCESS);
- else
- return (put_txt(lookup, ns_g_server->hostname));
- } else {
- char buf[256];
- isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
- if (result != ISC_R_SUCCESS)
- return (result);
- return (put_txt(lookup, buf));
- }
-}
-
-static isc_result_t
-do_authors_lookup(dns_sdblookup_t *lookup) {
- isc_result_t result;
- const char **p;
- static const char *authors[] = {
- "Mark Andrews",
- "James Brister",
- "Ben Cottrell",
- "Michael Graff",
- "Andreas Gustafsson",
- "Bob Halley",
- "David Lawrence",
- "Danny Mayer",
- "Damien Neil",
- "Matt Nelson",
- "Michael Sawyer",
- "Brian Wellington",
- NULL
- };
-
- /*
- * If a version string is specified, disable the authors.bind zone.
- */
- if (ns_g_server->version_set)
- return (ISC_R_SUCCESS);
-
- for (p = authors; *p != NULL; p++) {
- result = put_txt(lookup, *p);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-do_id_lookup(dns_sdblookup_t *lookup) {
-
- if (ns_g_server->server_usehostname) {
- char buf[256];
- isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
- if (result != ISC_R_SUCCESS)
- return (result);
- return (put_txt(lookup, buf));
- }
-
- if (ns_g_server->server_id == NULL)
- return (ISC_R_SUCCESS);
- else
- return (put_txt(lookup, ns_g_server->server_id));
-}
-
-static isc_result_t
-do_empty_lookup(dns_sdblookup_t *lookup) {
-
- UNUSED(lookup);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
- isc_result_t result;
- const char *contact = "hostmaster";
- const char *server = "@";
- builtin_t *b = (builtin_t *) dbdata;
-
- UNUSED(zone);
- UNUSED(dbdata);
-
- if (b == &empty_builtin) {
- server = ".";
- contact = ".";
- } else {
- if (b->server != NULL)
- server = b->server;
- if (b->contact != NULL)
- contact = b->contact;
- }
-
- result = dns_sdb_putsoa(lookup, server, contact, 0);
- if (result != ISC_R_SUCCESS)
- return (ISC_R_FAILURE);
-
- result = dns_sdb_putrr(lookup, "ns", 0, server);
- if (result != ISC_R_SUCCESS)
- return (ISC_R_FAILURE);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-builtin_create(const char *zone, int argc, char **argv,
- void *driverdata, void **dbdata)
-{
- REQUIRE(argc >= 1);
-
- UNUSED(zone);
- UNUSED(driverdata);
-
- if (strcmp(argv[0], "empty") == 0) {
- if (argc != 3)
- return (DNS_R_SYNTAX);
- } else if (argc != 1)
- return (DNS_R_SYNTAX);
-
- if (strcmp(argv[0], "version") == 0)
- *dbdata = &version_builtin;
- else if (strcmp(argv[0], "hostname") == 0)
- *dbdata = &hostname_builtin;
- else if (strcmp(argv[0], "authors") == 0)
- *dbdata = &authors_builtin;
- else if (strcmp(argv[0], "id") == 0)
- *dbdata = &id_builtin;
- else if (strcmp(argv[0], "empty") == 0) {
- builtin_t *empty;
- char *server;
- char *contact;
- /*
- * We don't want built-in zones to fail. Fallback to
- * the static configuration if memory allocation fails.
- */
- empty = isc_mem_get(ns_g_mctx, sizeof(*empty));
- server = isc_mem_strdup(ns_g_mctx, argv[1]);
- contact = isc_mem_strdup(ns_g_mctx, argv[2]);
- if (empty == NULL || server == NULL || contact == NULL) {
- *dbdata = &empty_builtin;
- if (server != NULL)
- isc_mem_free(ns_g_mctx, server);
- if (contact != NULL)
- isc_mem_free(ns_g_mctx, contact);
- if (empty != NULL)
- isc_mem_put(ns_g_mctx, empty, sizeof (*empty));
- } else {
- memcpy(empty, &empty_builtin, sizeof (empty_builtin));
- empty->server = server;
- empty->contact = contact;
- *dbdata = empty;
- }
- } else
- return (ISC_R_NOTIMPLEMENTED);
- return (ISC_R_SUCCESS);
-}
-
-static void
-builtin_destroy(const char *zone, void *driverdata, void **dbdata) {
- builtin_t *b = (builtin_t *) *dbdata;
-
- UNUSED(zone);
- UNUSED(driverdata);
-
- /*
- * Don't free the static versions.
- */
- if (*dbdata == &version_builtin || *dbdata == &hostname_builtin ||
- *dbdata == &authors_builtin || *dbdata == &id_builtin ||
- *dbdata == &empty_builtin)
- return;
-
- isc_mem_free(ns_g_mctx, b->server);
- isc_mem_free(ns_g_mctx, b->contact);
- isc_mem_put(ns_g_mctx, b, sizeof (*b));
-}
-
-static dns_sdbmethods_t builtin_methods = {
- builtin_lookup,
- builtin_authority,
- NULL, /* allnodes */
- builtin_create,
- builtin_destroy
-};
-
-isc_result_t
-ns_builtin_init(void) {
- RUNTIME_CHECK(dns_sdb_register("_builtin", &builtin_methods, NULL,
- DNS_SDBFLAG_RELATIVEOWNER |
- DNS_SDBFLAG_RELATIVERDATA,
- ns_g_mctx, &builtin_impl)
- == ISC_R_SUCCESS);
- return (ISC_R_SUCCESS);
-}
-
-void
-ns_builtin_deinit(void) {
- dns_sdb_unregister(&builtin_impl);
-}
diff --git a/usr.sbin/bind/bin/named/client.c b/usr.sbin/bind/bin/named/client.c
deleted file mode 100644
index fea48e5acef..00000000000
--- a/usr.sbin/bind/bin/named/client.c
+++ /dev/null
@@ -1,2635 +0,0 @@
-/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: client.c,v 1.219.18.28.10.2 2008/07/23 07:28:54 tbox Exp $ */
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-
-/***
- *** Client
- ***/
-
-/*! \file
- * Client Routines
- *
- * Important note!
- *
- * All client state changes, other than that from idle to listening, occur
- * as a result of events. This guarantees serialization and avoids the
- * need for locking.
- *
- * If a routine is ever created that allows someone other than the client's
- * task to change the client, then the client will have to be locked.
- */
-
-#define NS_CLIENT_TRACE
-#ifdef NS_CLIENT_TRACE
-#define CTRACE(m) ns_client_log(client, \
- NS_LOGCATEGORY_CLIENT, \
- NS_LOGMODULE_CLIENT, \
- ISC_LOG_DEBUG(3), \
- "%s", (m))
-#define MTRACE(m) isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_GENERAL, \
- NS_LOGMODULE_CLIENT, \
- ISC_LOG_DEBUG(3), \
- "clientmgr @%p: %s", manager, (m))
-#else
-#define CTRACE(m) ((void)(m))
-#define MTRACE(m) ((void)(m))
-#endif
-
-#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
-
-#define TCP_BUFFER_SIZE (65535 + 2)
-#define SEND_BUFFER_SIZE 4096
-#define RECV_BUFFER_SIZE 4096
-
-#ifdef ISC_PLATFORM_USETHREADS
-#define NMCTXS 100
-/*%<
- * Number of 'mctx pools' for clients. (Should this be configurable?)
- * When enabling threads, we use a pool of memory contexts shared by
- * client objects, since concurrent access to a shared context would cause
- * heavy contentions. The above constant is expected to be enough for
- * completely avoiding contentions among threads for an authoritative-only
- * server.
- */
-#else
-#define NMCTXS 0
-/*%<
- * If named with built without thread, simply share manager's context. Using
- * a separate context in this case would simply waste memory.
- */
-#endif
-
-/*% nameserver client manager structure */
-struct ns_clientmgr {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t * mctx;
- isc_taskmgr_t * taskmgr;
- isc_timermgr_t * timermgr;
- isc_mutex_t lock;
- /* Locked by lock. */
- isc_boolean_t exiting;
- client_list_t active; /*%< Active clients */
- client_list_t recursing; /*%< Recursing clients */
- client_list_t inactive; /*%< To be recycled */
-#if NMCTXS > 0
- /*%< mctx pool for clients. */
- unsigned int nextmctx;
- isc_mem_t * mctxpool[NMCTXS];
-#endif
-};
-
-#define MANAGER_MAGIC ISC_MAGIC('N', 'S', 'C', 'm')
-#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, MANAGER_MAGIC)
-
-/*!
- * Client object states.
Ordering is significant: higher-numbered
- * states are generally "more active", meaning that the client can
- * have more dynamically allocated data, outstanding events, etc.
- * In the list below, any such properties listed for state N
- * also apply to any state > N.
- *
- * To force the client into a less active state, set client->newstate
- * to that state and call exit_check(). This will cause any
- * activities defined for higher-numbered states to be aborted.
- */
-
-#define NS_CLIENTSTATE_FREED 0
-/*%<
- * The client object no longer exists.
- */
-
-#define NS_CLIENTSTATE_INACTIVE 1
-/*%<
- * The client object exists and has a task and timer.
- * Its "query" struct and sendbuf are initialized.
- * It is on the client manager's list of inactive clients.
- * It has a message and OPT, both in the reset state.
- */
-
-#define NS_CLIENTSTATE_READY 2
-/*%<
- * The client object is either a TCP or a UDP one, and
- * it is associated with a network interface. It is on the
- * client manager's list of active clients.
- *
- * If it is a TCP client object, it has a TCP listener socket
- * and an outstanding TCP listen request.
- *
- * If it is a UDP client object, it has a UDP listener socket
- * and an outstanding UDP receive request.
- */
-
-#define NS_CLIENTSTATE_READING 3
-/*%<
- * The client object is a TCP client object that has received
- * a connection. It has a tcpsocket, tcpmsg, TCP quota, and an
- * outstanding TCP read request. This state is not used for
- * UDP client objects.
- */
-
-#define NS_CLIENTSTATE_WORKING 4
-/*%<
- * The client object has received a request and is working
- * on it. It has a view, and it may have any of a non-reset OPT,
- * recursion quota, and an outstanding write request.
- */
-
-#define NS_CLIENTSTATE_MAX 9
-/*%<
- * Sentinel value used to indicate "no state". When client->newstate
- * has this value, we are not attempting to exit the current state.
- * Must be greater than any valid state.
- */
-
-/*
- * Enable ns_client_dropport() by default.
- */
-#ifndef NS_CLIENT_DROPPORT
-#define NS_CLIENT_DROPPORT 1
-#endif
-
-unsigned int ns_client_requests;
-
-static void client_read(ns_client_t *client);
-static void client_accept(ns_client_t *client);
-static void client_udprecv(ns_client_t *client);
-static void clientmgr_destroy(ns_clientmgr_t *manager);
-static isc_boolean_t exit_check(ns_client_t *client);
-static void ns_client_endrequest(ns_client_t *client);
-static void ns_client_checkactive(ns_client_t *client);
-static void client_start(isc_task_t *task, isc_event_t *event);
-static void client_request(isc_task_t *task, isc_event_t *event);
-static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
-
-void
-ns_client_recursing(ns_client_t *client) {
- REQUIRE(NS_CLIENT_VALID(client));
-
- LOCK(&client->manager->lock);
- ISC_LIST_UNLINK(*client->list, client, link);
- ISC_LIST_APPEND(client->manager->recursing, client, link);
- client->list = &client->manager->recursing;
- UNLOCK(&client->manager->lock);
-}
-
-void
-ns_client_killoldestquery(ns_client_t *client) {
- ns_client_t *oldest;
- REQUIRE(NS_CLIENT_VALID(client));
-
- LOCK(&client->manager->lock);
- oldest = ISC_LIST_HEAD(client->manager->recursing);
- if (oldest != NULL) {
- ns_query_cancel(oldest);
- ISC_LIST_UNLINK(*oldest->list, oldest, link);
- ISC_LIST_APPEND(client->manager->active, oldest, link);
- oldest->list = &client->manager->active;
- }
- UNLOCK(&client->manager->lock);
-}
-
-void
-ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
- isc_result_t result;
- isc_interval_t interval;
-
- isc_interval_set(&interval, seconds, 0);
- result = isc_timer_reset(client->timer, isc_timertype_once, NULL,
- &interval, ISC_FALSE);
- client->timerset = ISC_TRUE;
- if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
- "setting timeout: %s",
- isc_result_totext(result));
- /* Continue anyway.
*/
- }
-}
-
-/*%
- * Check for a deactivation or shutdown request and take appropriate
- * action. Returns ISC_TRUE if either is in progress; in this case
- * the caller must no longer use the client object as it may have been
- * freed.
- */
-static isc_boolean_t
-exit_check(ns_client_t *client) {
- ns_clientmgr_t *locked_manager = NULL;
- ns_clientmgr_t *destroy_manager = NULL;
-
- REQUIRE(NS_CLIENT_VALID(client));
-
- if (client->state <= client->newstate)
- return (ISC_FALSE); /* Business as usual. */
-
- INSIST(client->newstate < NS_CLIENTSTATE_WORKING);
-
- /*
- * We need to detach from the view early when shutting down
- * the server to break the following vicious circle:
- *
- * - The resolver will not shut down until the view refcount is zero
- * - The view refcount does not go to zero until all clients detach
- * - The client does not detach from the view until references is zero
- * - references does not go to zero until the resolver has shut down
- *
- * Keep the view attached until any outstanding updates complete.
- */
- if (client->nupdates == 0 &&
- client->newstate == NS_CLIENTSTATE_FREED && client->view != NULL)
- dns_view_detach(&client->view);
-
- if (client->state == NS_CLIENTSTATE_WORKING) {
- INSIST(client->newstate <= NS_CLIENTSTATE_READING);
- /*
- * Let the update processing complete.
- */
- if (client->nupdates > 0)
- return (ISC_TRUE);
- /*
- * We are trying to abort request processing.
- */
- if (client->nsends > 0) {
- isc_socket_t *socket;
- if (TCP_CLIENT(client))
- socket = client->tcpsocket;
- else
- socket = client->udpsocket;
- isc_socket_cancel(socket, client->task,
- ISC_SOCKCANCEL_SEND);
- }
-
- if (! (client->nsends == 0 && client->nrecvs == 0 &&
- client->references == 0))
- {
- /*
- * Still waiting for I/O cancel completion.
- * or lingering references.
- */
- return (ISC_TRUE);
- }
- /*
- * I/O cancel is complete. Burn down all state
- * related to the current request.
Ensure that
- * the client is on the active list and not the
- * recursing list.
- */
- LOCK(&client->manager->lock);
- if (client->list == &client->manager->recursing) {
- ISC_LIST_UNLINK(*client->list, client, link);
- ISC_LIST_APPEND(client->manager->active, client, link);
- client->list = &client->manager->active;
- }
- UNLOCK(&client->manager->lock);
- ns_client_endrequest(client);
-
- client->state = NS_CLIENTSTATE_READING;
- INSIST(client->recursionquota == NULL);
- if (NS_CLIENTSTATE_READING == client->newstate) {
- client_read(client);
- client->newstate = NS_CLIENTSTATE_MAX;
- return (ISC_TRUE); /* We're done. */
- }
- }
-
- if (client->state == NS_CLIENTSTATE_READING) {
- /*
- * We are trying to abort the current TCP connection,
- * if any.
- */
- INSIST(client->recursionquota == NULL);
- INSIST(client->newstate <= NS_CLIENTSTATE_READY);
- if (client->nreads > 0)
- dns_tcpmsg_cancelread(&client->tcpmsg);
- if (! client->nreads == 0) {
- /* Still waiting for read cancel completion. */
- return (ISC_TRUE);
- }
-
- if (client->tcpmsg_valid) {
- dns_tcpmsg_invalidate(&client->tcpmsg);
- client->tcpmsg_valid = ISC_FALSE;
- }
- if (client->tcpsocket != NULL) {
- CTRACE("closetcp");
- isc_socket_detach(&client->tcpsocket);
- }
-
- if (client->tcpquota != NULL)
- isc_quota_detach(&client->tcpquota);
-
- if (client->timerset) {
- (void)isc_timer_reset(client->timer,
- isc_timertype_inactive,
- NULL, NULL, ISC_TRUE);
- client->timerset = ISC_FALSE;
- }
-
- client->peeraddr_valid = ISC_FALSE;
-
- client->state = NS_CLIENTSTATE_READY;
- INSIST(client->recursionquota == NULL);
-
- /*
- * Now the client is ready to accept a new TCP connection
- * or UDP request, but we may have enough clients doing
- * that already. Check whether this client needs to remain
- * active and force it to go inactive if not.
- */
- ns_client_checkactive(client);
-
- if (NS_CLIENTSTATE_READY == client->newstate) {
- if (TCP_CLIENT(client)) {
- client_accept(client);
- } else
- client_udprecv(client);
- client->newstate = NS_CLIENTSTATE_MAX;
- return (ISC_TRUE);
- }
- }
-
- if (client->state == NS_CLIENTSTATE_READY) {
- INSIST(client->newstate <= NS_CLIENTSTATE_INACTIVE);
- /*
- * We are trying to enter the inactive state.
- */
- if (client->naccepts > 0)
- isc_socket_cancel(client->tcplistener, client->task,
- ISC_SOCKCANCEL_ACCEPT);
-
- if (! (client->naccepts == 0)) {
- /* Still waiting for accept cancel completion. */
- return (ISC_TRUE);
- }
- /* Accept cancel is complete. */
-
- if (client->nrecvs > 0)
- isc_socket_cancel(client->udpsocket, client->task,
- ISC_SOCKCANCEL_RECV);
- if (! (client->nrecvs == 0)) {
- /* Still waiting for recv cancel completion. */
- return (ISC_TRUE);
- }
- /* Recv cancel is complete. */
-
- if (client->nctls > 0) {
- /* Still waiting for control event to be delivered */
- return (ISC_TRUE);
- }
-
- /* Deactivate the client. */
- if (client->interface)
- ns_interface_detach(&client->interface);
-
- INSIST(client->naccepts == 0);
- INSIST(client->recursionquota == NULL);
- if (client->tcplistener != NULL)
- isc_socket_detach(&client->tcplistener);
-
- if (client->udpsocket != NULL)
- isc_socket_detach(&client->udpsocket);
-
- if (client->dispatch != NULL)
- dns_dispatch_detach(&client->dispatch);
-
- client->attributes = 0;
- client->mortal = ISC_FALSE;
-
- LOCK(&client->manager->lock);
- /*
- * Put the client on the inactive list. If we are aiming for
- * the "freed" state, it will be removed from the inactive
- * list shortly, and we need to keep the manager locked until
- * that has been done, lest the manager decide to reactivate
- * the dying client inbetween.
- */
- locked_manager = client->manager;
- ISC_LIST_UNLINK(*client->list, client, link);
- ISC_LIST_APPEND(client->manager->inactive, client, link);
- client->list = &client->manager->inactive;
- client->state = NS_CLIENTSTATE_INACTIVE;
- INSIST(client->recursionquota == NULL);
-
- if (client->state == client->newstate) {
- client->newstate = NS_CLIENTSTATE_MAX;
- goto unlock;
- }
- }
-
- if (client->state == NS_CLIENTSTATE_INACTIVE) {
- INSIST(client->newstate == NS_CLIENTSTATE_FREED);
- /*
- * We are trying to free the client.
- *
- * When "shuttingdown" is true, either the task has received
- * its shutdown event or no shutdown event has ever been
- * set up. Thus, we have no outstanding shutdown
- * event at this point.
- */
- REQUIRE(client->state == NS_CLIENTSTATE_INACTIVE);
-
- INSIST(client->recursionquota == NULL);
-
- ns_query_free(client);
- isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE);
- isc_event_free((isc_event_t **)&client->sendevent);
- isc_event_free((isc_event_t **)&client->recvevent);
- isc_timer_detach(&client->timer);
-
- if (client->tcpbuf != NULL)
- isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
- if (client->opt != NULL) {
- INSIST(dns_rdataset_isassociated(client->opt));
- dns_rdataset_disassociate(client->opt);
- dns_message_puttemprdataset(client->message, &client->opt);
- }
- dns_message_destroy(&client->message);
- if (client->manager != NULL) {
- ns_clientmgr_t *manager = client->manager;
- if (locked_manager == NULL) {
- LOCK(&manager->lock);
- locked_manager = manager;
- }
- ISC_LIST_UNLINK(*client->list, client, link);
- client->list = NULL;
- if (manager->exiting &&
- ISC_LIST_EMPTY(manager->active) &&
- ISC_LIST_EMPTY(manager->inactive) &&
- ISC_LIST_EMPTY(manager->recursing))
- destroy_manager = manager;
- }
- /*
- * Detaching the task must be done after unlinking from
- * the manager's lists because the manager accesses
- * client->task.
- */
- if (client->task != NULL)
- isc_task_detach(&client->task);
-
- CTRACE("free");
- client->magic = 0;
- isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
-
- goto unlock;
- }
-
- unlock:
- if (locked_manager != NULL) {
- UNLOCK(&locked_manager->lock);
- locked_manager = NULL;
- }
-
- /*
- * Only now is it safe to destroy the client manager (if needed),
- * because we have accessed its lock for the last time.
- */
- if (destroy_manager != NULL)
- clientmgr_destroy(destroy_manager);
-
- return (ISC_TRUE);
-}
-
-/*%
- * The client's task has received the client's control event
- * as part of the startup process.
- */
-static void
-client_start(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client = (ns_client_t *) event->ev_arg;
-
- INSIST(task == client->task);
-
- UNUSED(task);
-
- INSIST(client->nctls == 1);
- client->nctls--;
-
- if (exit_check(client))
- return;
-
- if (TCP_CLIENT(client)) {
- client_accept(client);
- } else {
- client_udprecv(client);
- }
-}
-
-
-/*%
- * The client's task has received a shutdown event.
- */
-static void
-client_shutdown(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client;
-
- REQUIRE(event != NULL);
- REQUIRE(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
- client = event->ev_arg;
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(task == client->task);
-
- UNUSED(task);
-
- CTRACE("shutdown");
-
- isc_event_free(&event);
-
- if (client->shutdown != NULL) {
- (client->shutdown)(client->shutdown_arg, ISC_R_SHUTTINGDOWN);
- client->shutdown = NULL;
- client->shutdown_arg = NULL;
- }
-
- client->newstate = NS_CLIENTSTATE_FREED;
- (void)exit_check(client);
-}
-
-static void
-ns_client_endrequest(ns_client_t *client) {
- INSIST(client->naccepts == 0);
- INSIST(client->nreads == 0);
- INSIST(client->nsends == 0);
- INSIST(client->nrecvs == 0);
- INSIST(client->nupdates == 0);
- INSIST(client->state == NS_CLIENTSTATE_WORKING);
-
- CTRACE("endrequest");
-
- if (client->next != NULL) {
- (client->next)(client);
- client->next = NULL;
- }
-
- if (client->view != NULL)
- dns_view_detach(&client->view);
- if (client->opt != NULL) {
- INSIST(dns_rdataset_isassociated(client->opt));
- dns_rdataset_disassociate(client->opt);
- dns_message_puttemprdataset(client->message, &client->opt);
- }
-
- client->udpsize = 512;
- client->extflags = 0;
- client->ednsversion = -1;
- dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE);
-
- if (client->recursionquota != NULL)
- isc_quota_detach(&client->recursionquota);
-
- /*
- * Clear all client attributes that are specific to
- * the request; that's all except the TCP flag.
- */
- client->attributes &= NS_CLIENTATTR_TCP;
-}
-
-static void
-ns_client_checkactive(ns_client_t *client) {
- if (client->mortal) {
- /*
- * This client object should normally go inactive
- * at this point, but if we have fewer active client
- * objects than desired due to earlier quota exhaustion,
- * keep it active to make up for the shortage.
- */
- isc_boolean_t need_another_client = ISC_FALSE;
- if (TCP_CLIENT(client)) {
- LOCK(&client->interface->lock);
- if (client->interface->ntcpcurrent <
- client->interface->ntcptarget)
- need_another_client = ISC_TRUE;
- UNLOCK(&client->interface->lock);
- } else {
- /*
- * The UDP client quota is enforced by making
- * requests fail rather than by not listening
- * for new ones. Therefore, there is always a
- * full set of UDP clients listening.
- */
- }
- if (! need_another_client) {
- /*
- * We don't need this client object. Recycle it.
- */
- if (client->newstate >= NS_CLIENTSTATE_INACTIVE)
- client->newstate = NS_CLIENTSTATE_INACTIVE;
- }
- }
-}
-
-void
-ns_client_next(ns_client_t *client, isc_result_t result) {
- int newstate;
-
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(client->state == NS_CLIENTSTATE_WORKING ||
- client->state == NS_CLIENTSTATE_READING);
-
- CTRACE("next");
-
- if (result != ISC_R_SUCCESS)
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "request failed: %s", isc_result_totext(result));
-
- /*
- * An error processing a TCP request may have left
- * the connection out of sync. To be safe, we always
- * sever the connection when result != ISC_R_SUCCESS.
- */
- if (result == ISC_R_SUCCESS && TCP_CLIENT(client))
- newstate = NS_CLIENTSTATE_READING;
- else
- newstate = NS_CLIENTSTATE_READY;
-
- if (client->newstate > newstate)
- client->newstate = newstate;
- (void)exit_check(client);
-}
-
-
-static void
-client_senddone(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client;
- isc_socketevent_t *sevent = (isc_socketevent_t *) event;
-
- REQUIRE(sevent != NULL);
- REQUIRE(sevent->ev_type == ISC_SOCKEVENT_SENDDONE);
- client = sevent->ev_arg;
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(task == client->task);
- REQUIRE(sevent == client->sendevent);
-
- UNUSED(task);
-
- CTRACE("senddone");
-
- if (sevent->result != ISC_R_SUCCESS)
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "error sending response: %s",
- isc_result_totext(sevent->result));
-
- INSIST(client->nsends > 0);
- client->nsends--;
-
- if (client->tcpbuf != NULL) {
- INSIST(TCP_CLIENT(client));
- isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
- client->tcpbuf = NULL;
- }
-
- if (exit_check(client))
- return;
-
- ns_client_next(client, ISC_R_SUCCESS);
-}
-
-/*%
- * We only want to fail with ISC_R_NOSPACE when called from
- * ns_client_sendraw() and not when called from ns_client_send(),
- * tcpbuffer is NULL when called from ns_client_sendraw() and
- * length != 0. tcpbuffer != NULL when called from ns_client_send()
- * and length == 0.
- */
-
-static isc_result_t
-client_allocsendbuf(ns_client_t *client, isc_buffer_t *buffer,
- isc_buffer_t *tcpbuffer, isc_uint32_t length,
- unsigned char *sendbuf, unsigned char **datap)
-{
- unsigned char *data;
- isc_uint32_t bufsize;
- isc_result_t result;
-
- INSIST(datap != NULL);
- INSIST((tcpbuffer == NULL && length != 0) ||
- (tcpbuffer != NULL && length == 0));
-
- if (TCP_CLIENT(client)) {
- INSIST(client->tcpbuf == NULL);
- if (length + 2 > TCP_BUFFER_SIZE) {
- result = ISC_R_NOSPACE;
- goto done;
- }
- client->tcpbuf = isc_mem_get(client->mctx, TCP_BUFFER_SIZE);
- if (client->tcpbuf == NULL) {
- result = ISC_R_NOMEMORY;
- goto done;
- }
- data = client->tcpbuf;
- if (tcpbuffer != NULL) {
- isc_buffer_init(tcpbuffer, data, TCP_BUFFER_SIZE);
- isc_buffer_init(buffer, data + 2, TCP_BUFFER_SIZE - 2);
- } else {
- isc_buffer_init(buffer, data, TCP_BUFFER_SIZE);
- INSIST(length <= 0xffff);
- isc_buffer_putuint16(buffer, (isc_uint16_t)length);
- }
- } else {
- data = sendbuf;
- if (client->udpsize < SEND_BUFFER_SIZE)
- bufsize = client->udpsize;
- else
- bufsize = SEND_BUFFER_SIZE;
- if (length > bufsize) {
- result = ISC_R_NOSPACE;
- goto done;
- }
- isc_buffer_init(buffer, data, bufsize);
- }
- *datap = data;
- result = ISC_R_SUCCESS;
-
- done:
- return (result);
-}
-
-static isc_result_t
-client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) {
- struct in6_pktinfo *pktinfo;
- isc_result_t result;
- isc_region_t r;
- isc_sockaddr_t *address;
- isc_socket_t *socket;
- isc_netaddr_t netaddr;
- int match;
- unsigned int sockflags = ISC_SOCKFLAG_IMMEDIATE;
-
- if (TCP_CLIENT(client)) {
- socket = client->tcpsocket;
- address = NULL;
- } else {
- socket = client->udpsocket;
- address = &client->peeraddr;
-
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
- if (ns_g_server->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL,
- ns_g_server->blackholeacl,
- &ns_g_server->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- return
(DNS_R_BLACKHOLED);
- sockflags |= ISC_SOCKFLAG_NORETRY;
- }
-
- if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0 &&
- (client->attributes & NS_CLIENTATTR_MULTICAST) == 0)
- pktinfo = &client->pktinfo;
- else
- pktinfo = NULL;
-
- isc_buffer_usedregion(buffer, &r);
-
- CTRACE("sendto");
-
- result = isc_socket_sendto2(socket, &r, client->task,
- address, pktinfo,
- client->sendevent, sockflags);
- if (result == ISC_R_SUCCESS || result == ISC_R_INPROGRESS) {
- client->nsends++;
- if (result == ISC_R_SUCCESS)
- client_senddone(client->task,
- (isc_event_t *)client->sendevent);
- result = ISC_R_SUCCESS;
- }
- return (result);
-}
-
-void
-ns_client_sendraw(ns_client_t *client, dns_message_t *message) {
- isc_result_t result;
- unsigned char *data;
- isc_buffer_t buffer;
- isc_region_t r;
- isc_region_t *mr;
- unsigned char sendbuf[SEND_BUFFER_SIZE];
-
- REQUIRE(NS_CLIENT_VALID(client));
-
- CTRACE("sendraw");
-
- mr = dns_message_getrawmessage(message);
- if (mr == NULL) {
- result = ISC_R_UNEXPECTEDEND;
- goto done;
- }
-
- result = client_allocsendbuf(client, &buffer, NULL, mr->length,
- sendbuf, &data);
- if (result != ISC_R_SUCCESS)
- goto done;
-
- /*
- * Copy message to buffer and fixup id.
- */
- isc_buffer_availableregion(&buffer, &r);
- result = isc_buffer_copyregion(&buffer, mr);
- if (result != ISC_R_SUCCESS)
- goto done;
- r.base[0] = (client->message->id >> 8) & 0xff;
- r.base[1] = client->message->id & 0xff;
-
- result = client_sendpkg(client, &buffer);
- if (result == ISC_R_SUCCESS)
- return;
-
- done:
- if (client->tcpbuf != NULL) {
- isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
- client->tcpbuf = NULL;
- }
- ns_client_next(client, result);
-}
-
-void
-ns_client_send(ns_client_t *client) {
- isc_result_t result;
- unsigned char *data;
- isc_buffer_t buffer;
- isc_buffer_t tcpbuffer;
- isc_region_t r;
- dns_compress_t cctx;
- isc_boolean_t cleanup_cctx = ISC_FALSE;
- unsigned char sendbuf[SEND_BUFFER_SIZE];
- unsigned int dnssec_opts;
- unsigned int preferred_glue;
-
- REQUIRE(NS_CLIENT_VALID(client));
-
- CTRACE("send");
-
- if ((client->attributes & NS_CLIENTATTR_RA) != 0)
- client->message->flags |= DNS_MESSAGEFLAG_RA;
-
- if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)
- dnssec_opts = 0;
- else
- dnssec_opts = DNS_MESSAGERENDER_OMITDNSSEC;
-
- preferred_glue = 0;
- if (client->view != NULL) {
- if (client->view->preferred_glue == dns_rdatatype_a)
- preferred_glue = DNS_MESSAGERENDER_PREFER_A;
- else if (client->view->preferred_glue == dns_rdatatype_aaaa)
- preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
- }
-
- /*
- * XXXRTH The following doesn't deal with TCP buffer resizing.
- */
- result = client_allocsendbuf(client, &buffer, &tcpbuffer, 0,
- sendbuf, &data);
- if (result != ISC_R_SUCCESS)
- goto done;
-
- result = dns_compress_init(&cctx, -1, client->mctx);
- if (result != ISC_R_SUCCESS)
- goto done;
- cleanup_cctx = ISC_TRUE;
-
- result = dns_message_renderbegin(client->message, &cctx, &buffer);
- if (result != ISC_R_SUCCESS)
- goto done;
- if (client->opt != NULL) {
- result = dns_message_setopt(client->message, client->opt);
- /*
- * XXXRTH dns_message_setopt() should probably do this...
- */
- client->opt = NULL;
- if (result != ISC_R_SUCCESS)
- goto done;
- }
- result = dns_message_rendersection(client->message,
- DNS_SECTION_QUESTION, 0);
- if (result == ISC_R_NOSPACE) {
- client->message->flags |= DNS_MESSAGEFLAG_TC;
- goto renderend;
- }
- if (result != ISC_R_SUCCESS)
- goto done;
- result = dns_message_rendersection(client->message,
- DNS_SECTION_ANSWER,
- DNS_MESSAGERENDER_PARTIAL |
- dnssec_opts);
- if (result == ISC_R_NOSPACE) {
- client->message->flags |= DNS_MESSAGEFLAG_TC;
- goto renderend;
- }
- if (result != ISC_R_SUCCESS)
- goto done;
- result = dns_message_rendersection(client->message,
- DNS_SECTION_AUTHORITY,
- DNS_MESSAGERENDER_PARTIAL |
- dnssec_opts);
- if (result == ISC_R_NOSPACE) {
- client->message->flags |= DNS_MESSAGEFLAG_TC;
- goto renderend;
- }
- if (result != ISC_R_SUCCESS)
- goto done;
- result = dns_message_rendersection(client->message,
- DNS_SECTION_ADDITIONAL,
- preferred_glue | dnssec_opts);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
- goto done;
- renderend:
- result = dns_message_renderend(client->message);
-
- if (result != ISC_R_SUCCESS)
- goto done;
-
- if (cleanup_cctx) {
- dns_compress_invalidate(&cctx);
- cleanup_cctx = ISC_FALSE;
- }
-
- if (TCP_CLIENT(client)) {
- isc_buffer_usedregion(&buffer, &r);
- isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t) r.length);
- isc_buffer_add(&tcpbuffer, r.length);
- result = client_sendpkg(client, &tcpbuffer);
- } else
- result = client_sendpkg(client, &buffer);
- if (result == ISC_R_SUCCESS)
- return;
-
- done:
- if (client->tcpbuf != NULL) {
- isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
- client->tcpbuf = NULL;
- }
-
- if (cleanup_cctx)
- dns_compress_invalidate(&cctx);
-
- ns_client_next(client, result);
-}
-
-#if NS_CLIENT_DROPPORT
-#define DROPPORT_NO 0
-#define DROPPORT_REQUEST 1
-#define DROPPORT_RESPONSE 2
-/*%
- * ns_client_dropport determines if certain requests / responses
- * should be dropped based on the port number.
- *
- * Returns:
- * \li 0: Don't drop.
- * \li 1: Drop request.
- * \li 2: Drop (error) response.
- */
-static int
-ns_client_dropport(in_port_t port) {
- switch (port) {
- case 7: /* echo */
- case 13: /* daytime */
- case 19: /* chargen */
- case 37: /* time */
- return (DROPPORT_REQUEST);
- case 464: /* kpasswd */
- return (DROPPORT_RESPONSE);
- }
- return (DROPPORT_NO);
-}
-#endif
-
-void
-ns_client_error(ns_client_t *client, isc_result_t result) {
- dns_rcode_t rcode;
- dns_message_t *message;
-
- REQUIRE(NS_CLIENT_VALID(client));
-
- CTRACE("error");
-
- message = client->message;
- rcode = dns_result_torcode(result);
-
-#if NS_CLIENT_DROPPORT
- /*
- * Don't send FORMERR to ports on the drop port list.
- */
- if (rcode == dns_rcode_formerr &&
- ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) !=
- DROPPORT_NO) {
- char buf[64];
- isc_buffer_t b;
-
- isc_buffer_init(&b, buf, sizeof(buf) - 1);
- if (dns_rcode_totext(rcode, &b) != ISC_R_SUCCESS)
- isc_buffer_putstr(&b, "UNKNOWN RCODE");
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
- "dropped error (%.*s) response: suspicious port",
- (int)isc_buffer_usedlength(&b), buf);
- ns_client_next(client, ISC_R_SUCCESS);
- return;
- }
-#endif
-
- /*
- * Message may be an in-progress reply that we had trouble
- * with, in which case QR will be set. We need to clear QR before
- * calling dns_message_reply() to avoid triggering an assertion.
- */
- message->flags &= ~DNS_MESSAGEFLAG_QR;
- /*
- * AA and AD shouldn't be set.
- */
- message->flags &= ~(DNS_MESSAGEFLAG_AA | DNS_MESSAGEFLAG_AD);
- result = dns_message_reply(message, ISC_TRUE);
- if (result != ISC_R_SUCCESS) {
- /*
- * It could be that we've got a query with a good header,
- * but a bad question section, so we try again with
- * want_question_section set to ISC_FALSE.
- */
- result = dns_message_reply(message, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- ns_client_next(client, result);
- return;
- }
- }
- message->rcode = rcode;
-
- /*
- * FORMERR loop avoidance: If we sent a FORMERR message
- * with the same ID to the same client less than two
- * seconds ago, assume that we are in an infinite error
- * packet dialog with a server for some protocol whose
- * error responses look enough like DNS queries to
- * elicit a FORMERR response. Drop a packet to break
- * the loop.
- */
- if (rcode == dns_rcode_formerr) {
- if (isc_sockaddr_equal(&client->peeraddr,
- &client->formerrcache.addr) &&
- message->id == client->formerrcache.id &&
- client->requesttime - client->formerrcache.time < 2) {
- /* Drop packet. */
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
- "possible error packet loop, "
- "FORMERR dropped");
- ns_client_next(client, result);
- return;
- }
- client->formerrcache.addr = client->peeraddr;
- client->formerrcache.time = client->requesttime;
- client->formerrcache.id = message->id;
- }
- ns_client_send(client);
-}
-
-static inline isc_result_t
-client_addopt(ns_client_t *client) {
- dns_rdataset_t *rdataset;
- dns_rdatalist_t *rdatalist;
- dns_rdata_t *rdata;
- isc_result_t result;
- dns_view_t *view;
- dns_resolver_t *resolver;
- isc_uint16_t udpsize;
-
- REQUIRE(client->opt == NULL); /* XXXRTH free old. */
-
- rdatalist = NULL;
- result = dns_message_gettemprdatalist(client->message, &rdatalist);
- if (result != ISC_R_SUCCESS)
- return (result);
- rdata = NULL;
- result = dns_message_gettemprdata(client->message, &rdata);
- if (result != ISC_R_SUCCESS)
- return (result);
- rdataset = NULL;
- result = dns_message_gettemprdataset(client->message, &rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_init(rdataset);
-
- rdatalist->type = dns_rdatatype_opt;
- rdatalist->covers = 0;
-
- /*
- * Set the maximum UDP buffer size.
- */
- view = client->view;
- resolver = (view != NULL) ? view->resolver : NULL;
- if (resolver != NULL)
- udpsize = dns_resolver_getudpsize(resolver);
- else
- udpsize = ns_g_udpsize;
- rdatalist->rdclass = udpsize;
-
- /*
- * Set EXTENDED-RCODE, VERSION and Z to 0.
- */
- rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE);
-
- /*
- * No EDNS options in the default case.
- */
- rdata->data = NULL;
- rdata->length = 0;
- rdata->rdclass = rdatalist->rdclass;
- rdata->type = rdatalist->type;
- rdata->flags = 0;
-
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
- == ISC_R_SUCCESS);
-
- client->opt = rdataset;
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_boolean_t
-allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
- int match;
- isc_result_t result;
-
- if (acl == NULL)
- return (ISC_TRUE);
- result = dns_acl_match(addr, signer, acl, &ns_g_server->aclenv,
- &match, NULL);
- if (result == ISC_R_SUCCESS && match > 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-/*
- * Callback to see if a non-recursive query coming from 'srcaddr' to
- * 'destaddr', with optional key 'mykey' for class 'rdclass' would be
- * delivered to 'myview'.
- *
- * We run this unlocked as both the view list and the interface list
- * are updated when the approprite task has exclusivity.
- */
-isc_boolean_t
-ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *dstaddr,
- dns_rdataclass_t rdclass, void *arg)
-{
- dns_view_t *view;
- dns_tsigkey_t *key = NULL;
- dns_name_t *tsig = NULL;
- isc_netaddr_t netsrc;
- isc_netaddr_t netdst;
-
- UNUSED(arg);
-
- if (!ns_interfacemgr_listeningon(ns_g_server->interfacemgr, dstaddr))
- return (ISC_FALSE);
-
- isc_netaddr_fromsockaddr(&netsrc, srcaddr);
- isc_netaddr_fromsockaddr(&netdst, dstaddr);
-
- for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link)) {
-
- if (view->matchrecursiveonly)
- continue;
-
- if (rdclass != view->rdclass)
- continue;
-
- if (mykey != NULL) {
- isc_boolean_t match;
- isc_result_t result;
-
- tsig = &mykey->name;
- result = dns_view_gettsig(view, tsig, &key);
- if (result != ISC_R_SUCCESS)
- continue;
- match = dst_key_compare(mykey->key, key->key);
- dns_tsigkey_detach(&key);
- if (!match)
- continue;
- }
-
- if (allowed(&netsrc, tsig, view->matchclients) &&
- allowed(&netdst, tsig, view->matchdestinations))
- break;
- }
- return (ISC_TF(view == myview));
-}
-
-/*
- * Handle an incoming request event from the socket (UDP case)
- * or tcpmsg (TCP case).
- */
-static void
-client_request(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client;
- isc_socketevent_t *sevent;
- isc_result_t result;
- isc_result_t sigresult = ISC_R_SUCCESS;
- isc_buffer_t *buffer;
- isc_buffer_t tbuffer;
- dns_view_t *view;
- dns_rdataset_t *opt;
- isc_boolean_t ra; /* Recursion available. */
- isc_netaddr_t netaddr;
- isc_netaddr_t destaddr;
- int match;
- dns_messageid_t id;
- unsigned int flags;
- isc_boolean_t notimp;
-
- REQUIRE(event != NULL);
- client = event->ev_arg;
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(task == client->task);
-
- INSIST(client->recursionquota == NULL);
-
- INSIST(client->state ==
- TCP_CLIENT(client) ?
- NS_CLIENTSTATE_READING :
- NS_CLIENTSTATE_READY);
-
- ns_client_requests++;
-
- if (event->ev_type == ISC_SOCKEVENT_RECVDONE) {
- INSIST(!TCP_CLIENT(client));
- sevent = (isc_socketevent_t *)event;
- REQUIRE(sevent == client->recvevent);
- isc_buffer_init(&tbuffer, sevent->region.base, sevent->n);
- isc_buffer_add(&tbuffer, sevent->n);
- buffer = &tbuffer;
- result = sevent->result;
- if (result == ISC_R_SUCCESS) {
- client->peeraddr = sevent->address;
- client->peeraddr_valid = ISC_TRUE;
- }
- if ((sevent->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0) {
- client->attributes |= NS_CLIENTATTR_PKTINFO;
- client->pktinfo = sevent->pktinfo;
- }
- if ((sevent->attributes & ISC_SOCKEVENTATTR_MULTICAST) != 0)
- client->attributes |= NS_CLIENTATTR_MULTICAST;
- client->nrecvs--;
- } else {
- INSIST(TCP_CLIENT(client));
- REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
- REQUIRE(event->ev_sender == &client->tcpmsg);
- buffer = &client->tcpmsg.buffer;
- result = client->tcpmsg.result;
- INSIST(client->nreads == 1);
- /*
- * client->peeraddr was set when the connection was accepted.
- */
- client->nreads--;
- }
-
- if (exit_check(client))
- goto cleanup;
- client->state = client->newstate = NS_CLIENTSTATE_WORKING;
-
- isc_task_getcurrenttime(task, &client->requesttime);
- client->now = client->requesttime;
-
- if (result != ISC_R_SUCCESS) {
- if (TCP_CLIENT(client)) {
- ns_client_next(client, result);
- } else {
- if (result != ISC_R_CANCELED)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT,
- ISC_LOG_ERROR,
- "UDP client handler shutting "
- "down due to fatal receive "
- "error: %s",
- isc_result_totext(result));
- isc_task_shutdown(client->task);
- }
- goto cleanup;
- }
-
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
-#if NS_CLIENT_DROPPORT
- if (ns_client_dropport(isc_sockaddr_getport(&client->peeraddr)) ==
- DROPPORT_REQUEST) {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
- "dropped request: suspicious port");
- ns_client_next(client, ISC_R_SUCCESS);
- goto cleanup;
- }
-#endif
-
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "%s request",
- TCP_CLIENT(client) ? "TCP" : "UDP");
-
- /*
- * Check the blackhole ACL for UDP only, since TCP is done in
- * client_newconn.
- */
- if (!TCP_CLIENT(client)) {
-
- if (ns_g_server->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL, ns_g_server->blackholeacl,
- &ns_g_server->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
- "blackholed UDP datagram");
- ns_client_next(client, ISC_R_SUCCESS);
- goto cleanup;
- }
- }
-
- /*
- * Silently drop multicast requests for the present.
- * XXXMPA look at when/if mDNS spec stabilizes.
- */
- if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
- "dropping multicast request");
- ns_client_next(client, DNS_R_REFUSED);
- goto cleanup;
- }
-
- result = dns_message_peekheader(buffer, &id, &flags);
- if (result != ISC_R_SUCCESS) {
- /*
- * There isn't enough header to determine whether
- * this was a request or a response. Drop it.
- */
- ns_client_next(client, result);
- goto cleanup;
- }
-
- /*
- * The client object handles requests, not responses.
- * If this is a UDP response, forward it to the dispatcher.
- * If it's a TCP response, discard it here.
- */
- if ((flags & DNS_MESSAGEFLAG_QR) != 0) {
- if (TCP_CLIENT(client)) {
- CTRACE("unexpected response");
- ns_client_next(client, DNS_R_FORMERR);
- goto cleanup;
- } else {
- dns_dispatch_importrecv(client->dispatch, event);
- ns_client_next(client, ISC_R_SUCCESS);
- goto cleanup;
- }
- }
-
- /*
- * It's a request. Parse it.
- */
- result = dns_message_parse(client->message, buffer, 0);
- if (result != ISC_R_SUCCESS) {
- /*
- * Parsing the request failed. Send a response
- * (typically FORMERR or SERVFAIL).
- */
- ns_client_error(client, result);
- goto cleanup;
- }
-
- switch (client->message->opcode) {
- case dns_opcode_query:
- case dns_opcode_update:
- case dns_opcode_notify:
- notimp = ISC_FALSE;
- break;
- case dns_opcode_iquery:
- default:
- notimp = ISC_TRUE;
- break;
- }
-
- client->message->rcode = dns_rcode_noerror;
-
- /* RFC1123 section 6.1.3.2 */
- if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0)
- client->message->flags &= ~DNS_MESSAGEFLAG_RD;
-
- /*
- * Deal with EDNS.
- */
- opt = dns_message_getopt(client->message);
- if (opt != NULL) {
- /*
- * Set the client's UDP buffer size.
- */
- client->udpsize = opt->rdclass;
-
- /*
- * If the requested UDP buffer size is less than 512,
- * ignore it and use 512.
- */
- if (client->udpsize < 512)
- client->udpsize = 512;
-
- /*
- * Get the flags out of the OPT record.
- */
- client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF);
-
- /*
- * Do we understand this version of EDNS?
- *
- * XXXRTH need library support for this!
- */
- client->ednsversion = (opt->ttl & 0x00FF0000) >> 16;
- if (client->ednsversion > 0) {
- result = client_addopt(client);
- if (result == ISC_R_SUCCESS)
- result = DNS_R_BADVERS;
- ns_client_error(client, result);
- goto cleanup;
- }
- /*
- * Create an OPT for our reply.
- */
- result = client_addopt(client);
- if (result != ISC_R_SUCCESS) {
- ns_client_error(client, result);
- goto cleanup;
- }
- }
-
- if (client->message->rdclass == 0) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
- "message class could not be determined");
- ns_client_dumpmessage(client,
- "message class could not be determined");
- ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_FORMERR);
- goto cleanup;
- }
-
- /*
- * Determine the destination address. If the receiving interface is
- * bound to a specific address, we simply use it regardless of the
- * address family. All IPv4 queries should fall into this case.
- * Otherwise, if this is a TCP query, get the address from the
- * receiving socket (this needs a system call and can be heavy).
- * For IPv6 UDP queries, we get this from the pktinfo structure (if
- * supported).
- * If all the attempts fail (this can happen due to memory shortage,
- * etc), we regard this as an error for safety.
- */
- if ((client->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0)
- isc_netaddr_fromsockaddr(&destaddr, &client->interface->addr);
- else {
- result = ISC_R_FAILURE;
-
- if (TCP_CLIENT(client)) {
- isc_sockaddr_t destsockaddr;
-
- result = isc_socket_getsockname(client->tcpsocket,
- &destsockaddr);
- if (result == ISC_R_SUCCESS)
- isc_netaddr_fromsockaddr(&destaddr,
- &destsockaddr);
- }
- if (result != ISC_R_SUCCESS &&
- client->interface->addr.type.sa.sa_family == AF_INET6 &&
- (client->attributes & NS_CLIENTATTR_PKTINFO) != 0) {
- isc_uint32_t zone = 0;
-
- /*
- * XXXJT technically, we should convert the receiving
- * interface ID to a proper scope zone ID. However,
- * due to the fact there is no standard API for this,
- * we only handle link-local addresses and use the
- * interface index as link ID. Despite the assumption,
- * it should cover most typical cases.
- */
- if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))
- zone = (isc_uint32_t)client->pktinfo.ipi6_ifindex;
-
- isc_netaddr_fromin6(&destaddr,
- &client->pktinfo.ipi6_addr);
- isc_netaddr_setzone(&destaddr, zone);
- result = ISC_R_SUCCESS;
- }
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "failed to get request's "
- "destination: %s",
- isc_result_totext(result));
- ns_client_next(client, ISC_R_SUCCESS);
- goto cleanup;
- }
- }
-
- /*
- * Find a view that matches the client's source address.
- */
- for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link)) {
- if (client->message->rdclass == view->rdclass ||
- client->message->rdclass == dns_rdataclass_any)
- {
- dns_name_t *tsig = NULL;
- sigresult = dns_message_rechecksig(client->message,
- view);
- if (sigresult == ISC_R_SUCCESS)
- tsig = client->message->tsigname;
-
- if (allowed(&netaddr, tsig, view->matchclients) &&
- allowed(&destaddr, tsig, view->matchdestinations) &&
- !((client->message->flags & DNS_MESSAGEFLAG_RD)
- == 0 && view->matchrecursiveonly))
- {
- dns_view_attach(view, &client->view);
- break;
- }
- }
- }
-
- if (view == NULL) {
- char classname[DNS_RDATACLASS_FORMATSIZE];
-
- /*
- * Do a dummy TSIG verification attempt so that the
- * response will have a TSIG if the query did, as
- * required by RFC2845.
- */
- isc_buffer_t b;
- isc_region_t *r;
-
- dns_message_resetsig(client->message);
-
- r = dns_message_getrawmessage(client->message);
- isc_buffer_init(&b, r->base, r->length);
- isc_buffer_add(&b, r->length);
- (void)dns_tsig_verify(&b, client->message, NULL, NULL);
-
- dns_rdataclass_format(client->message->rdclass, classname,
- sizeof(classname));
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
- "no matching view in class '%s'", classname);
- ns_client_dumpmessage(client, "no matching view in class");
- ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_REFUSED);
- goto cleanup;
- }
-
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(5),
- "using view '%s'", view->name);
-
- /*
- * Check for a signature. We log bad signatures regardless of
- * whether they ultimately cause the request to be rejected or
- * not. We do not log the lack of a signature unless we are
- * debugging.
- */
- client->signer = NULL;
- dns_name_init(&client->signername, NULL);
- result = dns_message_signer(client->message, &client->signername);
- if (result == ISC_R_SUCCESS) {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "request has valid signature");
- client->signer = &client->signername;
- } else if (result == ISC_R_NOTFOUND) {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "request is not signed");
- } else if (result == DNS_R_NOIDENTITY) {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "request is signed by a nonauthoritative key");
- } else {
- char tsigrcode[64];
- isc_buffer_t b;
- dns_name_t *name = NULL;
- dns_rcode_t status;
- isc_result_t tresult;
-
- /* There is a signature, but it is bad. */
- if (dns_message_gettsig(client->message, &name) != NULL) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(name, namebuf, sizeof(namebuf));
- status = client->message->tsigstatus;
- isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
- tresult = dns_tsigrcode_totext(status, &b);
- INSIST(tresult == ISC_R_SUCCESS);
- tsigrcode[isc_buffer_usedlength(&b)] = '\0';
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
- "request has invalid signature: "
- "TSIG %s: %s (%s)", namebuf,
- isc_result_totext(result), tsigrcode);
- } else {
- status = client->message->sig0status;
- isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
- tresult = dns_tsigrcode_totext(status, &b);
- INSIST(tresult == ISC_R_SUCCESS);
- tsigrcode[isc_buffer_usedlength(&b)] = '\0';
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
- "request has invalid signature: %s (%s)",
- isc_result_totext(result), tsigrcode);
- }
- /*
- * Accept update messages signed by unknown keys so that
- * update forwarding works transparently through slaves
- * that don't have all the same keys
as the master.
- */
- if (!(client->message->tsigstatus == dns_tsigerror_badkey &&
- client->message->opcode == dns_opcode_update)) {
- ns_client_error(client, sigresult);
- goto cleanup;
- }
- }
-
- /*
- * Decide whether recursive service is available to this client.
- * We do this here rather than in the query code so that we can
- * set the RA bit correctly on all kinds of responses, not just
- * responses to ordinary queries. Note if you can't query the
- * cache there is no point in setting RA.
- */
- ra = ISC_FALSE;
- if (client->view->resolver != NULL &&
- client->view->recursion == ISC_TRUE &&
- ns_client_checkaclsilent(client, client->view->recursionacl,
- ISC_TRUE) == ISC_R_SUCCESS &&
- ns_client_checkaclsilent(client, client->view->queryacl,
- ISC_TRUE) == ISC_R_SUCCESS)
- ra = ISC_TRUE;
-
- if (ra == ISC_TRUE)
- client->attributes |= NS_CLIENTATTR_RA;
-
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
- ISC_LOG_DEBUG(3), ra ? "recursion available" :
- "recursion not available");
-
- /*
- * Adjust maximum UDP response size for this client.
- */
- if (client->udpsize > 512) {
- dns_peer_t *peer = NULL;
- isc_uint16_t udpsize = view->maxudp;
- (void) dns_peerlist_peerbyaddr(view->peers, &netaddr, &peer);
- if (peer != NULL)
- dns_peer_getmaxudp(peer, &udpsize);
- if (client->udpsize > udpsize)
- client->udpsize = udpsize;
- }
-
- /*
- * Dispatch the request.
- */
- switch (client->message->opcode) {
- case dns_opcode_query:
- CTRACE("query");
- ns_query_start(client);
- break;
- case dns_opcode_update:
- CTRACE("update");
- ns_client_settimeout(client, 60);
- ns_update_start(client, sigresult);
- break;
- case dns_opcode_notify:
- CTRACE("notify");
- ns_client_settimeout(client, 60);
- ns_notify_start(client);
- break;
- case dns_opcode_iquery:
- CTRACE("iquery");
- ns_client_error(client, DNS_R_NOTIMP);
- break;
- default:
- CTRACE("unknown opcode");
- ns_client_error(client, DNS_R_NOTIMP);
- }
-
- cleanup:
- return;
-}
-
-static void
-client_timeout(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client;
-
- REQUIRE(event != NULL);
- REQUIRE(event->ev_type == ISC_TIMEREVENT_LIFE ||
- event->ev_type == ISC_TIMEREVENT_IDLE);
- client = event->ev_arg;
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(task == client->task);
- REQUIRE(client->timer != NULL);
-
- UNUSED(task);
-
- CTRACE("timeout");
-
- isc_event_free(&event);
-
- if (client->shutdown != NULL) {
- (client->shutdown)(client->shutdown_arg, ISC_R_TIMEDOUT);
- client->shutdown = NULL;
- client->shutdown_arg = NULL;
- }
-
- if (client->newstate > NS_CLIENTSTATE_READY)
- client->newstate = NS_CLIENTSTATE_READY;
- (void)exit_check(client);
-}
-
-static isc_result_t
-get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
- isc_mem_t *clientmctx;
-#if NMCTXS > 0
- isc_result_t result;
-#endif
-
- /*
- * Caller must be holding the manager lock.
- */
-#if NMCTXS > 0
- INSIST(manager->nextmctx < NMCTXS);
- clientmctx = manager->mctxpool[manager->nextmctx];
- if (clientmctx == NULL) {
- result = isc_mem_create(0, 0, &clientmctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- manager->mctxpool[manager->nextmctx] = clientmctx;
- manager->nextmctx++;
- if (manager->nextmctx == NMCTXS)
- manager->nextmctx = 0;
- }
-#else
- clientmctx = manager->mctx;
-#endif
-
- isc_mem_attach(clientmctx, mctxp);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- ns_client_t *client;
- isc_result_t result;
- isc_mem_t *mctx = NULL;
-
- /*
- * Caller must be holding the manager lock.
- *
- * Note: creating a client does not add the client to the
- * manager's client list or set the client's manager pointer.
- * The caller is responsible for that.
- */
-
- REQUIRE(clientp != NULL && *clientp == NULL);
-
- result = get_clientmctx(manager, &mctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- client = isc_mem_get(mctx, sizeof(*client));
- if (client == NULL) {
- isc_mem_detach(&mctx);
- return (ISC_R_NOMEMORY);
- }
- client->mctx = mctx;
-
- client->task = NULL;
- result = isc_task_create(manager->taskmgr, 0, &client->task);
- if (result != ISC_R_SUCCESS)
- goto cleanup_client;
- isc_task_setname(client->task, "client", client);
-
- client->timer = NULL;
- result = isc_timer_create(manager->timermgr, isc_timertype_inactive,
- NULL, NULL, client->task, client_timeout,
- client, &client->timer);
- if (result != ISC_R_SUCCESS)
- goto cleanup_task;
- client->timerset = ISC_FALSE;
-
- client->message = NULL;
- result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE,
- &client->message);
- if (result != ISC_R_SUCCESS)
- goto cleanup_timer;
-
- /* XXXRTH Hardwired constants */
-
- client->sendevent = (isc_socketevent_t *)
- isc_event_allocate(client->mctx, client,
- ISC_SOCKEVENT_SENDDONE,
- client_senddone, client,
- sizeof(isc_socketevent_t));
- if (client->sendevent == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_message;
- }
-
- client->recvbuf = isc_mem_get(client->mctx, RECV_BUFFER_SIZE);
- if (client->recvbuf == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_sendevent;
- }
-
- client->recvevent = (isc_socketevent_t *)
- isc_event_allocate(client->mctx, client,
- ISC_SOCKEVENT_RECVDONE,
- client_request, client,
- sizeof(isc_socketevent_t));
- if (client->recvevent == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_recvbuf;
- }
-
- client->magic = NS_CLIENT_MAGIC;
- client->manager = NULL;
- client->state = NS_CLIENTSTATE_INACTIVE;
- client->newstate = NS_CLIENTSTATE_MAX;
- client->naccepts = 0;
- client->nreads = 0;
- client->nsends = 0;
- client->nrecvs = 0;
- client->nupdates = 0;
- client->nctls = 0;
- client->references = 0;
- client->attributes = 0;
- client->view = NULL;
- client->dispatch = NULL;
- client->udpsocket = NULL;
- client->tcplistener = NULL;
- client->tcpsocket = NULL;
- client->tcpmsg_valid = ISC_FALSE;
- client->tcpbuf = NULL;
- client->opt = NULL;
- client->udpsize = 512;
- client->extflags = 0;
- client->ednsversion = -1;
- client->next = NULL;
- client->shutdown = NULL;
- client->shutdown_arg = NULL;
- dns_name_init(&client->signername, NULL);
- client->mortal = ISC_FALSE;
- client->tcpquota = NULL;
- client->recursionquota = NULL;
- client->interface = NULL;
- client->peeraddr_valid = ISC_FALSE;
- ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
- NS_EVENT_CLIENTCONTROL, client_start, client, client,
- NULL, NULL);
- /*
- * Initialize FORMERR cache to sentinel value that will not match
- * any actual FORMERR response.
- */
- isc_sockaddr_any(&client->formerrcache.addr);
- client->formerrcache.time = 0;
- client->formerrcache.id = 0;
- ISC_LINK_INIT(client, link);
- client->list = NULL;
-
- /*
- * We call the init routines for the various kinds of client here,
- * after we have created an otherwise valid client, because some
- * of them call routines that REQUIRE(NS_CLIENT_VALID(client)).
- */
- result = ns_query_init(client);
- if (result != ISC_R_SUCCESS)
- goto cleanup_recvevent;
-
- result = isc_task_onshutdown(client->task, client_shutdown, client);
- if (result != ISC_R_SUCCESS)
- goto cleanup_query;
-
- CTRACE("create");
-
- *clientp = client;
-
- return (ISC_R_SUCCESS);
-
- cleanup_query:
- ns_query_free(client);
-
- cleanup_recvevent:
- isc_event_free((isc_event_t **)&client->recvevent);
-
- cleanup_recvbuf:
- isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE);
-
- cleanup_sendevent:
- isc_event_free((isc_event_t **)&client->sendevent);
-
- client->magic = 0;
-
- cleanup_message:
- dns_message_destroy(&client->message);
-
- cleanup_timer:
- isc_timer_detach(&client->timer);
-
- cleanup_task:
- isc_task_detach(&client->task);
-
- cleanup_client:
- isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
-
- return (result);
-}
-
-static void
-client_read(ns_client_t *client) {
- isc_result_t result;
-
- CTRACE("read");
-
- result = dns_tcpmsg_readmessage(&client->tcpmsg, client->task,
- client_request, client);
- if (result != ISC_R_SUCCESS)
- goto fail;
-
- /*
- * Set a timeout to limit the amount of time we will wait
- * for a request on this TCP connection.
- */
- ns_client_settimeout(client, 30);
-
- client->state = client->newstate = NS_CLIENTSTATE_READING;
- INSIST(client->nreads == 0);
- INSIST(client->recursionquota == NULL);
- client->nreads++;
-
- return;
- fail:
- ns_client_next(client, result);
-}
-
-static void
-client_newconn(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client = event->ev_arg;
- isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- isc_result_t result;
-
- REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(client->task == task);
-
- UNUSED(task);
-
- INSIST(client->state == NS_CLIENTSTATE_READY);
-
- INSIST(client->naccepts == 1);
- client->naccepts--;
-
- LOCK(&client->interface->lock);
- INSIST(client->interface->ntcpcurrent > 0);
- client->interface->ntcpcurrent--;
- UNLOCK(&client->interface->lock);
-
- /*
- * We must take ownership of the new socket before the exit
- * check to make sure it gets destroyed if we decide to exit.
- */
- if (nevent->result == ISC_R_SUCCESS) {
- client->tcpsocket = nevent->newsocket;
- client->state = NS_CLIENTSTATE_READING;
- INSIST(client->recursionquota == NULL);
-
- (void)isc_socket_getpeername(client->tcpsocket,
- &client->peeraddr);
- client->peeraddr_valid = ISC_TRUE;
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "new TCP connection");
- } else {
- /*
- * XXXRTH What should we do? We're trying to accept but
- * it didn't work. If we just give up, then TCP
- * service may eventually stop.
- *
- * For now, we just go idle.
- *
- * Going idle is probably the right thing if the
- * I/O was canceled.
- */
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "accept failed: %s",
- isc_result_totext(nevent->result));
- }
-
- if (exit_check(client))
- goto freeevent;
-
- if (nevent->result == ISC_R_SUCCESS) {
- int match;
- isc_netaddr_t netaddr;
-
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
- if (ns_g_server->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL,
- ns_g_server->blackholeacl,
- &ns_g_server->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
- "blackholed connection attempt");
- client->newstate = NS_CLIENTSTATE_READY;
- (void)exit_check(client);
- goto freeevent;
- }
-
- INSIST(client->tcpmsg_valid == ISC_FALSE);
- dns_tcpmsg_init(client->mctx, client->tcpsocket,
- &client->tcpmsg);
- client->tcpmsg_valid = ISC_TRUE;
-
- /*
- * Let a new client take our place immediately, before
- * we wait for a request packet. If we don't,
- * telnetting to port 53 (once per CPU) will
- * deny service to legititmate TCP clients.
- */
- result = isc_quota_attach(&ns_g_server->tcpquota,
- &client->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients: %s",
- isc_result_totext(result));
- }
-
- client_read(client);
- }
-
- freeevent:
- isc_event_free(&event);
-}
-
-static void
-client_accept(ns_client_t *client) {
- isc_result_t result;
-
- CTRACE("accept");
-
- result = isc_socket_accept(client->tcplistener, client->task,
- client_newconn, client);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_accept() failed: %s",
- isc_result_totext(result));
- /*
- * XXXRTH What should we do? We're trying to accept but
- * it didn't work. If we just give up, then TCP
- * service may eventually stop.
- *
- * For now, we just go idle.
- */
- return;
- }
- INSIST(client->naccepts == 0);
- client->naccepts++;
- LOCK(&client->interface->lock);
- client->interface->ntcpcurrent++;
- UNLOCK(&client->interface->lock);
-}
-
-static void
-client_udprecv(ns_client_t *client) {
- isc_result_t result;
- isc_region_t r;
-
- CTRACE("udprecv");
-
- r.base = client->recvbuf;
- r.length = RECV_BUFFER_SIZE;
- result = isc_socket_recv2(client->udpsocket, &r, 1,
- client->task, client->recvevent, 0);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_recv2() failed: %s",
- isc_result_totext(result));
- /*
- * This cannot happen in the current implementation, since
- * isc_socket_recv2() cannot fail if flags == 0.
- *
- * If this does fail, we just go idle.
- */
- return;
- }
- INSIST(client->nrecvs == 0);
- client->nrecvs++;
-}
-
-void
-ns_client_attach(ns_client_t *source, ns_client_t **targetp) {
- REQUIRE(NS_CLIENT_VALID(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- source->references++;
- ns_client_log(source, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
- "ns_client_attach: ref = %d", source->references);
- *targetp = source;
-}
-
-void
-ns_client_detach(ns_client_t **clientp) {
- ns_client_t *client = *clientp;
-
- client->references--;
- INSIST(client->references >= 0);
- *clientp = NULL;
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
- "ns_client_detach: ref = %d", client->references);
- (void)exit_check(client);
-}
-
-isc_boolean_t
-ns_client_shuttingdown(ns_client_t *client) {
- return (ISC_TF(client->newstate == NS_CLIENTSTATE_FREED));
-}
-
-isc_result_t
-ns_client_replace(ns_client_t *client) {
- isc_result_t result;
-
- CTRACE("replace");
-
- result = ns_clientmgr_createclients(client->manager,
- 1, client->interface,
- (TCP_CLIENT(client) ?
- ISC_TRUE : ISC_FALSE));
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * The responsibility for listening for new requests is hereby
- * transferred to the new client. Therefore, the old client
- * should refrain from listening for any more requests.
- */
- client->mortal = ISC_TRUE;
-
- return (ISC_R_SUCCESS);
-}
-
-/***
- *** Client Manager
- ***/
-
-static void
-clientmgr_destroy(ns_clientmgr_t *manager) {
-#if NMCTXS > 0
- int i;
-#endif
-
- REQUIRE(ISC_LIST_EMPTY(manager->active));
- REQUIRE(ISC_LIST_EMPTY(manager->inactive));
- REQUIRE(ISC_LIST_EMPTY(manager->recursing));
-
- MTRACE("clientmgr_destroy");
-
-#if NMCTXS > 0
- for (i = 0; i < NMCTXS; i++) {
- if (manager->mctxpool[i] != NULL)
- isc_mem_detach(&manager->mctxpool[i]);
- }
-#endif
-
- DESTROYLOCK(&manager->lock);
- manager->magic = 0;
- isc_mem_put(manager->mctx, manager, sizeof(*manager));
-}
-
-isc_result_t
-ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
- isc_timermgr_t *timermgr, ns_clientmgr_t **managerp)
-{
- ns_clientmgr_t *manager;
- isc_result_t result;
-#if NMCTXS > 0
- int i;
-#endif
-
- manager = isc_mem_get(mctx, sizeof(*manager));
- if (manager == NULL)
- return (ISC_R_NOMEMORY);
-
- result = isc_mutex_init(&manager->lock);
- if (result != ISC_R_SUCCESS)
- goto cleanup_manager;
-
- manager->mctx = mctx;
- manager->taskmgr = taskmgr;
- manager->timermgr = timermgr;
- manager->exiting = ISC_FALSE;
- ISC_LIST_INIT(manager->active);
- ISC_LIST_INIT(manager->inactive);
- ISC_LIST_INIT(manager->recursing);
-#if NMCTXS > 0
- manager->nextmctx = 0;
- for (i = 0; i < NMCTXS; i++)
- manager->mctxpool[i] = NULL; /* will be created on-demand */
-#endif
- manager->magic = MANAGER_MAGIC;
-
- MTRACE("create");
-
- *managerp = manager;
-
- return (ISC_R_SUCCESS);
-
- cleanup_manager:
- isc_mem_put(manager->mctx, manager, sizeof(*manager));
-
- return (result);
-}
-
-void
-ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
- ns_clientmgr_t *manager;
- ns_client_t *client;
-
isc_boolean_t need_destroy = ISC_FALSE;
-
- REQUIRE(managerp != NULL);
- manager = *managerp;
- REQUIRE(VALID_MANAGER(manager));
-
- MTRACE("destroy");
-
- LOCK(&manager->lock);
-
- manager->exiting = ISC_TRUE;
-
- for (client = ISC_LIST_HEAD(manager->recursing);
- client != NULL;
- client = ISC_LIST_NEXT(client, link))
- isc_task_shutdown(client->task);
-
- for (client = ISC_LIST_HEAD(manager->active);
- client != NULL;
- client = ISC_LIST_NEXT(client, link))
- isc_task_shutdown(client->task);
-
- for (client = ISC_LIST_HEAD(manager->inactive);
- client != NULL;
- client = ISC_LIST_NEXT(client, link))
- isc_task_shutdown(client->task);
-
- if (ISC_LIST_EMPTY(manager->active) &&
- ISC_LIST_EMPTY(manager->inactive) &&
- ISC_LIST_EMPTY(manager->recursing))
- need_destroy = ISC_TRUE;
-
- UNLOCK(&manager->lock);
-
- if (need_destroy)
- clientmgr_destroy(manager);
-
- *managerp = NULL;
-}
-
-isc_result_t
-ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
- ns_interface_t *ifp, isc_boolean_t tcp)
-{
- isc_result_t result = ISC_R_SUCCESS;
- unsigned int i;
- ns_client_t *client;
-
- REQUIRE(VALID_MANAGER(manager));
- REQUIRE(n > 0);
-
- MTRACE("createclients");
-
- /*
- * We MUST lock the manager lock for the entire client creation
- * process. If we didn't do this, then a client could get a
- * shutdown event and disappear out from under us.
- */
-
- LOCK(&manager->lock);
-
- for (i = 0; i < n; i++) {
- isc_event_t *ev;
- /*
- * Allocate a client. First try to get a recycled one;
- * if that fails, make a new one.
- */
- client = ISC_LIST_HEAD(manager->inactive);
- if (client != NULL) {
- MTRACE("recycle");
- ISC_LIST_UNLINK(manager->inactive, client, link);
- client->list = NULL;
- } else {
- MTRACE("create new");
- result = client_create(manager, &client);
- if (result != ISC_R_SUCCESS)
- break;
- }
-
- ns_interface_attach(ifp, &client->interface);
- client->state = NS_CLIENTSTATE_READY;
- INSIST(client->recursionquota == NULL);
-
- if (tcp) {
- client->attributes |= NS_CLIENTATTR_TCP;
- isc_socket_attach(ifp->tcpsocket,
- &client->tcplistener);
- } else {
- isc_socket_t *sock;
-
- dns_dispatch_attach(ifp->udpdispatch,
- &client->dispatch);
- sock = dns_dispatch_getsocket(client->dispatch);
- isc_socket_attach(sock, &client->udpsocket);
- }
- client->manager = manager;
- ISC_LIST_APPEND(manager->active, client, link);
- client->list = &manager->active;
-
- INSIST(client->nctls == 0);
- client->nctls++;
- ev = &client->ctlevent;
- isc_task_send(client->task, &ev);
- }
- if (i != 0) {
- /*
- * We managed to create at least one client, so we
- * declare victory.
- */
- result = ISC_R_SUCCESS;
- }
-
- UNLOCK(&manager->lock);
-
- return (result);
-}
-
-isc_sockaddr_t *
-ns_client_getsockaddr(ns_client_t *client) {
- return (&client->peeraddr);
-}
-
-isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
- isc_boolean_t default_allow)
-{
- isc_result_t result;
- int match;
- isc_netaddr_t netaddr;
-
- if (acl == NULL) {
- if (default_allow)
- goto allow;
- else
- goto deny;
- }
-
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
- result = dns_acl_match(&netaddr, client->signer, acl,
- &ns_g_server->aclenv,
- &match, NULL);
- if (result != ISC_R_SUCCESS)
- goto deny; /* Internal error, already logged. */
- if (match > 0)
- goto allow;
- goto deny; /* Negative match or no match.
*/ - - allow: - return (ISC_R_SUCCESS); - - deny: - return (DNS_R_REFUSED); -} - -isc_result_t -ns_client_checkacl(ns_client_t *client, - const char *opname, dns_acl_t *acl, - isc_boolean_t default_allow, int log_level) -{ - isc_result_t result = - ns_client_checkaclsilent(client, acl, default_allow); - - if (result == ISC_R_SUCCESS) - ns_client_log(client, DNS_LOGCATEGORY_SECURITY, - NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), - "%s approved", opname); - else - ns_client_log(client, DNS_LOGCATEGORY_SECURITY, - NS_LOGMODULE_CLIENT, - log_level, "%s denied", opname); - return (result); -} - -static void -ns_client_name(ns_client_t *client, char *peerbuf, size_t len) { - if (client->peeraddr_valid) - isc_sockaddr_format(&client->peeraddr, peerbuf, len); - else - snprintf(peerbuf, len, "@%p", client); -} - -void -ns_client_logv(ns_client_t *client, isc_logcategory_t *category, - isc_logmodule_t *module, int level, const char *fmt, va_list ap) -{ - char msgbuf[2048]; - char peerbuf[ISC_SOCKADDR_FORMATSIZE]; - const char *name = ""; - const char *sep = ""; - - vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap); - ns_client_name(client, peerbuf, sizeof(peerbuf)); - if (client->view != NULL && strcmp(client->view->name, "_bind") != 0 && - strcmp(client->view->name, "_default") != 0) { - name = client->view->name; - sep = ": view "; - } - - isc_log_write(ns_g_lctx, category, module, level, - "client %s%s%s: %s", peerbuf, sep, name, msgbuf); -} - -void -ns_client_log(ns_client_t *client, isc_logcategory_t *category, - isc_logmodule_t *module, int level, const char *fmt, ...) -{ - va_list ap; - - if (! 
isc_log_wouldlog(ns_g_lctx, level))
- return;
-
- va_start(ap, fmt);
- ns_client_logv(client, category, module, level, fmt, ap);
- va_end(ap);
-}
-
-void
-ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
- dns_rdataclass_t rdclass, char *buf, size_t len)
-{
- char namebuf[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- char classbuf[DNS_RDATACLASS_FORMATSIZE];
-
- dns_name_format(name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(type, typebuf, sizeof(typebuf));
- dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
- (void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf,
- classbuf);
-}
-
-static void
-ns_client_dumpmessage(ns_client_t *client, const char *reason) {
- isc_buffer_t buffer;
- char *buf = NULL;
- int len = 1024;
- isc_result_t result;
-
- /*
- * Note that these are multiline debug messages. We want a newline
- * to appear in the log after each message.
- */
-
- do {
- buf = isc_mem_get(client->mctx, len);
- if (buf == NULL)
- break;
- isc_buffer_init(&buffer, buf, len);
- result = dns_message_totext(client->message,
- &dns_master_style_debug,
- 0, &buffer);
- if (result == ISC_R_NOSPACE) {
- isc_mem_put(client->mctx, buf, len);
- len += 1024;
- } else if (result == ISC_R_SUCCESS)
- ns_client_log(client, NS_LOGCATEGORY_UNMATCHED,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
- "%s\n%.*s", reason,
- (int)isc_buffer_usedlength(&buffer),
- buf);
- } while (result == ISC_R_NOSPACE);
-
- if (buf != NULL)
- isc_mem_put(client->mctx, buf, len);
-}
-
-void
-ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
- ns_client_t *client;
- char namebuf[DNS_NAME_FORMATSIZE];
- char peerbuf[ISC_SOCKADDR_FORMATSIZE];
- const char *name;
- const char *sep;
-
- REQUIRE(VALID_MANAGER(manager));
-
- LOCK(&manager->lock);
- client = ISC_LIST_HEAD(manager->recursing);
- while (client != NULL) {
- ns_client_name(client, peerbuf, sizeof(peerbuf));
- if (client->view != NULL &&
- strcmp(client->view->name, "_bind") != 0 &&
- strcmp(client->view->name, "_default") != 0) {
- name = client->view->name;
- sep = ": view ";
- } else {
- name = "";
- sep = "";
- }
- dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
- fprintf(f, "; client %s%s%s: '%s' requesttime %d\n",
- peerbuf, sep, name, namebuf, client->requesttime);
- client = ISC_LIST_NEXT(client, link);
- }
- UNLOCK(&manager->lock);
-}
-
-void
-ns_client_qnamereplace(ns_client_t *client, dns_name_t *name) {
-
- if (client->manager != NULL)
- LOCK(&client->manager->lock);
- if (client->query.restarts > 0) {
- /*
- * client->query.qname was dynamically allocated.
- */
- dns_message_puttempname(client->message,
- &client->query.qname);
- }
- client->query.qname = name;
- if (client->manager != NULL)
- UNLOCK(&client->manager->lock);
-}
diff --git a/usr.sbin/bind/bin/named/config.c b/usr.sbin/bind/bin/named/config.c
deleted file mode 100644
index 28f5e74ce34..00000000000
--- a/usr.sbin/bind/bin/named/config.c
+++ /dev/null
@@ -1,797 +0,0 @@
-/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: config.c,v 1.47.18.32.10.3 2008/07/23 23:48:17 tbox Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-
-/*% default configuration */
-static char defaultconf[] = "\
-options {\n\
-# blackhole {none;};\n"
-#ifndef WIN32
-" coresize default;\n\
- datasize default;\n\
- files unlimited;\n\
- stacksize default;\n"
-#endif
-" deallocate-on-exit true;\n\
-# directory \n\
- dump-file \"tmp/named_dump.db\";\n\
- fake-iquery no;\n\
- has-old-clients false;\n\
- heartbeat-interval 60;\n\
- host-statistics no;\n\
- interface-interval 60;\n\
- listen-on {any;};\n\
- listen-on-v6 {any;};\n\
- match-mapped-addresses no;\n\
- memstatistics-file \"tmp/named.memstats\";\n\
- multiple-cnames no;\n\
-# named-xfer ;\n\
-# pid-file \"" NS_LOCALSTATEDIR "/named.pid\"; /* or /lwresd.pid */\n\
- port 53;\n\
- recursing-file \"tmp/named.recursing\";\n\
-"
-#ifdef PATH_RANDOMDEV
-"\
- random-device \"" PATH_RANDOMDEV "\";\n\
-" -#endif -"\ - recursive-clients 1000;\n\ - rrset-order {type NS order random; order cyclic; };\n\ - serial-queries 20;\n\ - serial-query-rate 20;\n\ - server-id none;\n\ - statistics-file \"tmp/named.stats\";\n\ - statistics-interval 60;\n\ - tcp-clients 100;\n\ - tcp-listen-queue 3;\n\ -# tkey-dhkey \n\ -# tkey-gssapi-credential \n\ -# tkey-domain \n\ - transfers-per-ns 2;\n\ - transfers-in 10;\n\ - transfers-out 10;\n\ - treat-cr-as-space true;\n\ - use-id-pool true;\n\ - use-ixfr true;\n\ - edns-udp-size 4096;\n\ - max-udp-size 4096;\n\ - reserved-sockets 512;\n\ -\n\ - /* view */\n\ - allow-notify {none;};\n\ - allow-update-forwarding {none;};\n\ - allow-query-cache { localnets; localhost; };\n\ - allow-recursion { localnets; localhost; };\n\ -# allow-v6-synthesis ;\n\ -# sortlist \n\ -# topology \n\ - auth-nxdomain false;\n\ - minimal-responses false;\n\ - recursion true;\n\ - provide-ixfr true;\n\ - request-ixfr true;\n\ - fetch-glue no;\n\ - rfc2308-type1 no;\n\ - additional-from-auth true;\n\ - additional-from-cache true;\n\ - query-source address *;\n\ - query-source-v6 address *;\n\ - notify-source *;\n\ - notify-source-v6 *;\n\ - cleaning-interval 60;\n\ - min-roots 2;\n\ - lame-ttl 600;\n\ - max-ncache-ttl 10800; /* 3 hours */\n\ - max-cache-ttl 604800; /* 1 week */\n\ - transfer-format many-answers;\n\ - max-cache-size 0;\n\ - check-names master fail;\n\ - check-names slave warn;\n\ - check-names response ignore;\n\ - check-mx warn;\n\ - acache-enable no;\n\ - acache-cleaning-interval 60;\n\ - max-acache-size 0;\n\ - dnssec-enable yes;\n\ - dnssec-validation no; /* Make yes for 9.5. 
*/ \n\ - dnssec-accept-expired no;\n\ - clients-per-query 10;\n\ - max-clients-per-query 100;\n\ - zero-no-soa-ttl-cache no;\n\ -" - -" /* zone */\n\ - allow-query {any;};\n\ - allow-transfer {any;};\n\ - notify yes;\n\ -# also-notify \n\ - notify-delay 5;\n\ - dialup no;\n\ -# forward \n\ -# forwarders \n\ - maintain-ixfr-base no;\n\ -# max-ixfr-log-size \n\ - transfer-source *;\n\ - transfer-source-v6 *;\n\ - alt-transfer-source *;\n\ - alt-transfer-source-v6 *;\n\ - max-transfer-time-in 120;\n\ - max-transfer-time-out 120;\n\ - max-transfer-idle-in 60;\n\ - max-transfer-idle-out 60;\n\ - max-retry-time 1209600; /* 2 weeks */\n\ - min-retry-time 500;\n\ - max-refresh-time 2419200; /* 4 weeks */\n\ - min-refresh-time 300;\n\ - multi-master no;\n\ - sig-validity-interval 30; /* days */\n\ - zone-statistics false;\n\ - max-journal-size unlimited;\n\ - ixfr-from-differences false;\n\ - check-wildcard yes;\n\ - check-sibling yes;\n\ - check-integrity yes;\n\ - check-mx-cname warn;\n\ - check-srv-cname warn;\n\ - zero-no-soa-ttl yes;\n\ - update-check-ksk yes;\n\ -};\n\ -" - -"#\n\ -# Zones in the \"_bind\" view are NOT counted in the count of zones.\n\ -#\n\ -view \"_bind\" chaos {\n\ - recursion no;\n\ - notify no;\n\ -\n\ - zone \"version.bind\" chaos {\n\ - type master;\n\ - database \"_builtin version\";\n\ - };\n\ -\n\ - zone \"hostname.bind\" chaos {\n\ - type master;\n\ - database \"_builtin hostname\";\n\ - };\n\ -\n\ - zone \"authors.bind\" chaos {\n\ - type master;\n\ - database \"_builtin authors\";\n\ - };\n\ - zone \"id.server\" chaos {\n\ - type master;\n\ - database \"_builtin id\";\n\ - };\n\ -};\n\ -"; - -isc_result_t -ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) { - isc_buffer_t b; - - isc_buffer_init(&b, defaultconf, sizeof(defaultconf) - 1); - isc_buffer_add(&b, sizeof(defaultconf) - 1); - return (cfg_parse_buffer(parser, &b, &cfg_type_namedconf, conf)); -} - -isc_result_t -ns_config_get(const cfg_obj_t **maps, const char *name, 
const cfg_obj_t **obj) { - int i; - - for (i = 0;; i++) { - if (maps[i] == NULL) - return (ISC_R_NOTFOUND); - if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS) - return (ISC_R_SUCCESS); - } -} - -isc_result_t -ns_checknames_get(const cfg_obj_t **maps, const char *which, - const cfg_obj_t **obj) -{ - const cfg_listelt_t *element; - const cfg_obj_t *checknames; - const cfg_obj_t *type; - const cfg_obj_t *value; - int i; - - for (i = 0;; i++) { - if (maps[i] == NULL) - return (ISC_R_NOTFOUND); - checknames = NULL; - if (cfg_map_get(maps[i], "check-names", &checknames) == ISC_R_SUCCESS) { - /* - * Zone map entry is not a list. - */ - if (checknames != NULL && !cfg_obj_islist(checknames)) { - *obj = checknames; - return (ISC_R_SUCCESS); - } - for (element = cfg_list_first(checknames); - element != NULL; - element = cfg_list_next(element)) { - value = cfg_listelt_value(element); - type = cfg_tuple_get(value, "type"); - if (strcasecmp(cfg_obj_asstring(type), which) == 0) { - *obj = cfg_tuple_get(value, "mode"); - return (ISC_R_SUCCESS); - } - } - - } - } -} - -int -ns_config_listcount(const cfg_obj_t *list) { - const cfg_listelt_t *e; - int i = 0; - - for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e)) - i++; - - return (i); -} - -isc_result_t -ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass, - dns_rdataclass_t *classp) { - isc_textregion_t r; - isc_result_t result; - - if (!cfg_obj_isstring(classobj)) { - *classp = defclass; - return (ISC_R_SUCCESS); - } - DE_CONST(cfg_obj_asstring(classobj), r.base); - r.length = strlen(r.base); - result = dns_rdataclass_fromtext(classp, &r); - if (result != ISC_R_SUCCESS) - cfg_obj_log(classobj, ns_g_lctx, ISC_LOG_ERROR, - "unknown class '%s'", r.base); - return (result); -} - -isc_result_t -ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype, - dns_rdatatype_t *typep) { - isc_textregion_t r; - isc_result_t result; - - if (!cfg_obj_isstring(typeobj)) { - *typep = deftype; - return 
(ISC_R_SUCCESS); - } - DE_CONST(cfg_obj_asstring(typeobj), r.base); - r.length = strlen(r.base); - result = dns_rdatatype_fromtext(typep, &r); - if (result != ISC_R_SUCCESS) - cfg_obj_log(typeobj, ns_g_lctx, ISC_LOG_ERROR, - "unknown type '%s'", r.base); - return (result); -} - -dns_zonetype_t -ns_config_getzonetype(const cfg_obj_t *zonetypeobj) { - dns_zonetype_t ztype = dns_zone_none; - const char *str; - - str = cfg_obj_asstring(zonetypeobj); - if (strcasecmp(str, "master") == 0) - ztype = dns_zone_master; - else if (strcasecmp(str, "slave") == 0) - ztype = dns_zone_slave; - else if (strcasecmp(str, "stub") == 0) - ztype = dns_zone_stub; - else - INSIST(0); - return (ztype); -} - -isc_result_t -ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list, - in_port_t defport, isc_mem_t *mctx, - isc_sockaddr_t **addrsp, isc_uint32_t *countp) -{ - int count, i = 0; - const cfg_obj_t *addrlist; - const cfg_obj_t *portobj; - const cfg_listelt_t *element; - isc_sockaddr_t *addrs; - in_port_t port; - isc_result_t result; - - INSIST(addrsp != NULL && *addrsp == NULL); - INSIST(countp != NULL); - - addrlist = cfg_tuple_get(list, "addresses"); - count = ns_config_listcount(addrlist); - - portobj = cfg_tuple_get(list, "port"); - if (cfg_obj_isuint32(portobj)) { - isc_uint32_t val = cfg_obj_asuint32(portobj); - if (val > ISC_UINT16_MAX) { - cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR, - "port '%u' out of range", val); - return (ISC_R_RANGE); - } - port = (in_port_t) val; - } else if (defport != 0) - port = defport; - else { - result = ns_config_getport(config, &port); - if (result != ISC_R_SUCCESS) - return (result); - } - - addrs = isc_mem_get(mctx, count * sizeof(isc_sockaddr_t)); - if (addrs == NULL) - return (ISC_R_NOMEMORY); - - for (element = cfg_list_first(addrlist); - element != NULL; - element = cfg_list_next(element), i++) - { - INSIST(i < count); - addrs[i] = *cfg_obj_assockaddr(cfg_listelt_value(element)); - if (isc_sockaddr_getport(&addrs[i]) == 0) - 
isc_sockaddr_setport(&addrs[i], port); - } - INSIST(i == count); - - *addrsp = addrs; - *countp = count; - - return (ISC_R_SUCCESS); -} - -void -ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp, - isc_uint32_t count) -{ - INSIST(addrsp != NULL && *addrsp != NULL); - - isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t)); - *addrsp = NULL; -} - -static isc_result_t -get_masters_def(const cfg_obj_t *cctx, const char *name, - const cfg_obj_t **ret) -{ - isc_result_t result; - const cfg_obj_t *masters = NULL; - const cfg_listelt_t *elt; - - result = cfg_map_get(cctx, "masters", &masters); - if (result != ISC_R_SUCCESS) - return (result); - for (elt = cfg_list_first(masters); - elt != NULL; - elt = cfg_list_next(elt)) { - const cfg_obj_t *list; - const char *listname; - - list = cfg_listelt_value(elt); - listname = cfg_obj_asstring(cfg_tuple_get(list, "name")); - - if (strcasecmp(listname, name) == 0) { - *ret = list; - return (ISC_R_SUCCESS); - } - } - return (ISC_R_NOTFOUND); -} - -isc_result_t -ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, - isc_mem_t *mctx, isc_sockaddr_t **addrsp, - dns_name_t ***keysp, isc_uint32_t *countp) -{ - isc_uint32_t addrcount = 0, keycount = 0, i = 0; - isc_uint32_t listcount = 0, l = 0, j; - isc_uint32_t stackcount = 0, pushed = 0; - isc_result_t result; - const cfg_listelt_t *element; - const cfg_obj_t *addrlist; - const cfg_obj_t *portobj; - in_port_t port; - dns_fixedname_t fname; - isc_sockaddr_t *addrs = NULL; - dns_name_t **keys = NULL; - struct { const char *name; } *lists = NULL; - struct { - const cfg_listelt_t *element; - in_port_t port; - } *stack = NULL; - - REQUIRE(addrsp != NULL && *addrsp == NULL); - REQUIRE(keysp != NULL && *keysp == NULL); - REQUIRE(countp != NULL); - - newlist: - addrlist = cfg_tuple_get(list, "addresses"); - portobj = cfg_tuple_get(list, "port"); - if (cfg_obj_isuint32(portobj)) { - isc_uint32_t val = cfg_obj_asuint32(portobj); - if (val > ISC_UINT16_MAX) { 
- cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR, - "port '%u' out of range", val); - result = ISC_R_RANGE; - goto cleanup; - } - port = (in_port_t) val; - } else { - result = ns_config_getport(config, &port); - if (result != ISC_R_SUCCESS) - goto cleanup; - } - - result = ISC_R_NOMEMORY; - - element = cfg_list_first(addrlist); - resume: - for ( ; - element != NULL; - element = cfg_list_next(element)) - { - const cfg_obj_t *addr; - const cfg_obj_t *key; - const char *keystr; - isc_buffer_t b; - - addr = cfg_tuple_get(cfg_listelt_value(element), - "masterselement"); - key = cfg_tuple_get(cfg_listelt_value(element), "key"); - - if (!cfg_obj_issockaddr(addr)) { - const char *listname = cfg_obj_asstring(addr); - isc_result_t tresult; - - /* Grow lists? */ - if (listcount == l) { - void * new; - isc_uint32_t newlen = listcount + 16; - size_t newsize, oldsize; - - newsize = newlen * sizeof(*lists); - oldsize = listcount * sizeof(*lists); - new = isc_mem_get(mctx, newsize); - if (new == NULL) - goto cleanup; - if (listcount != 0) { - memcpy(new, lists, oldsize); - isc_mem_put(mctx, lists, oldsize); - } - lists = new; - listcount = newlen; - } - /* Seen? */ - for (j = 0; j < l; j++) - if (strcasecmp(lists[j].name, listname) == 0) - break; - if (j < l) - continue; - tresult = get_masters_def(config, listname, &list); - if (tresult == ISC_R_NOTFOUND) { - cfg_obj_log(addr, ns_g_lctx, ISC_LOG_ERROR, - "masters \"%s\" not found", listname); - - result = tresult; - goto cleanup; - } - if (tresult != ISC_R_SUCCESS) - goto cleanup; - lists[l++].name = listname; - /* Grow stack? 
*/ - if (stackcount == pushed) { - void * new; - isc_uint32_t newlen = stackcount + 16; - size_t newsize, oldsize; - - newsize = newlen * sizeof(*stack); - oldsize = stackcount * sizeof(*stack); - new = isc_mem_get(mctx, newsize); - if (new == NULL) - goto cleanup; - if (stackcount != 0) { - memcpy(new, stack, oldsize); - isc_mem_put(mctx, stack, oldsize); - } - stack = new; - stackcount = newlen; - } - /* - * We want to resume processing this list on the - * next element. - */ - stack[pushed].element = cfg_list_next(element); - stack[pushed].port = port; - pushed++; - goto newlist; - } - - if (i == addrcount) { - void * new; - isc_uint32_t newlen = addrcount + 16; - size_t newsize, oldsize; - - newsize = newlen * sizeof(isc_sockaddr_t); - oldsize = addrcount * sizeof(isc_sockaddr_t); - new = isc_mem_get(mctx, newsize); - if (new == NULL) - goto cleanup; - if (addrcount != 0) { - memcpy(new, addrs, oldsize); - isc_mem_put(mctx, addrs, oldsize); - } - addrs = new; - addrcount = newlen; - - newsize = newlen * sizeof(dns_name_t *); - oldsize = keycount * sizeof(dns_name_t *); - new = isc_mem_get(mctx, newsize); - if (new == NULL) - goto cleanup; - if (keycount != 0) { - memcpy(new, keys, oldsize); - isc_mem_put(mctx, keys, oldsize); - } - keys = new; - keycount = newlen; - } - - addrs[i] = *cfg_obj_assockaddr(addr); - if (isc_sockaddr_getport(&addrs[i]) == 0) - isc_sockaddr_setport(&addrs[i], port); - keys[i] = NULL; - if (!cfg_obj_isstring(key)) { - i++; - continue; - } - keys[i] = isc_mem_get(mctx, sizeof(dns_name_t)); - if (keys[i] == NULL) - goto cleanup; - dns_name_init(keys[i], NULL); - - keystr = cfg_obj_asstring(key); - isc_buffer_init(&b, keystr, strlen(keystr)); - isc_buffer_add(&b, strlen(keystr)); - dns_fixedname_init(&fname); - result = dns_name_fromtext(dns_fixedname_name(&fname), &b, - dns_rootname, ISC_FALSE, NULL); - if (result != ISC_R_SUCCESS) - goto cleanup; - result = dns_name_dup(dns_fixedname_name(&fname), mctx, - keys[i]); - if (result != 
ISC_R_SUCCESS) - goto cleanup; - i++; - } - if (pushed != 0) { - pushed--; - element = stack[pushed].element; - port = stack[pushed].port; - goto resume; - } - if (i < addrcount) { - void * new; - size_t newsize, oldsize; - - newsize = i * sizeof(isc_sockaddr_t); - oldsize = addrcount * sizeof(isc_sockaddr_t); - if (i != 0) { - new = isc_mem_get(mctx, newsize); - if (new == NULL) - goto cleanup; - memcpy(new, addrs, newsize); - } else - new = NULL; - isc_mem_put(mctx, addrs, oldsize); - addrs = new; - addrcount = i; - - newsize = i * sizeof(dns_name_t *); - oldsize = keycount * sizeof(dns_name_t *); - if (i != 0) { - new = isc_mem_get(mctx, newsize); - if (new == NULL) - goto cleanup; - memcpy(new, keys, newsize); - } else - new = NULL; - isc_mem_put(mctx, keys, oldsize); - keys = new; - keycount = i; - } - - if (lists != NULL) - isc_mem_put(mctx, lists, listcount * sizeof(*lists)); - if (stack != NULL) - isc_mem_put(mctx, stack, stackcount * sizeof(*stack)); - - INSIST(keycount == addrcount); - - *addrsp = addrs; - *keysp = keys; - *countp = addrcount; - - return (ISC_R_SUCCESS); - - cleanup: - if (addrs != NULL) - isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t)); - if (keys != NULL) { - for (j = 0; j <= i; j++) { - if (keys[j] == NULL) - continue; - if (dns_name_dynamic(keys[j])) - dns_name_free(keys[j], mctx); - isc_mem_put(mctx, keys[j], sizeof(dns_name_t)); - } - isc_mem_put(mctx, keys, keycount * sizeof(dns_name_t *)); - } - if (lists != NULL) - isc_mem_put(mctx, lists, listcount * sizeof(*lists)); - if (stack != NULL) - isc_mem_put(mctx, stack, stackcount * sizeof(*stack)); - return (result); -} - -void -ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp, - dns_name_t ***keysp, isc_uint32_t count) -{ - unsigned int i; - dns_name_t **keys = *keysp; - - INSIST(addrsp != NULL && *addrsp != NULL); - - isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t)); - for (i = 0; i < count; i++) { - if (keys[i] == NULL) - continue; - if 
(dns_name_dynamic(keys[i])) - dns_name_free(keys[i], mctx); - isc_mem_put(mctx, keys[i], sizeof(dns_name_t)); - } - isc_mem_put(mctx, *keysp, count * sizeof(dns_name_t *)); - *addrsp = NULL; - *keysp = NULL; -} - -isc_result_t -ns_config_getport(const cfg_obj_t *config, in_port_t *portp) { - const cfg_obj_t *maps[3]; - const cfg_obj_t *options = NULL; - const cfg_obj_t *portobj = NULL; - isc_result_t result; - int i; - - (void)cfg_map_get(config, "options", &options); - i = 0; - if (options != NULL) - maps[i++] = options; - maps[i++] = ns_g_defaults; - maps[i] = NULL; - - result = ns_config_get(maps, "port", &portobj); - INSIST(result == ISC_R_SUCCESS); - if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) { - cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR, - "port '%u' out of range", - cfg_obj_asuint32(portobj)); - return (ISC_R_RANGE); - } - *portp = (in_port_t)cfg_obj_asuint32(portobj); - return (ISC_R_SUCCESS); -} - -struct keyalgorithms { - const char *str; - enum { hmacnone, hmacmd5, hmacsha1, hmacsha224, - hmacsha256, hmacsha384, hmacsha512 } hmac; - isc_uint16_t size; -} algorithms[] = { - { "hmac-md5", hmacmd5, 128 }, - { "hmac-md5.sig-alg.reg.int", hmacmd5, 0 }, - { "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 }, - { "hmac-sha1", hmacsha1, 160 }, - { "hmac-sha224", hmacsha224, 224 }, - { "hmac-sha256", hmacsha256, 256 }, - { "hmac-sha384", hmacsha384, 384 }, - { "hmac-sha512", hmacsha512, 512 }, - { NULL, hmacnone, 0 } -}; - -isc_result_t -ns_config_getkeyalgorithm(const char *str, dns_name_t **name, - isc_uint16_t *digestbits) -{ - int i; - size_t len = 0; - isc_uint16_t bits; - isc_result_t result; - - for (i = 0; algorithms[i].str != NULL; i++) { - len = strlen(algorithms[i].str); - if (strncasecmp(algorithms[i].str, str, len) == 0 && - (str[len] == '\0' || - (algorithms[i].size != 0 && str[len] == '-'))) - break; - } - if (algorithms[i].str == NULL) - return (ISC_R_NOTFOUND); - if (str[len] == '-') { - result = isc_parse_uint16(&bits, str + len + 1, 10); - if 
(result != ISC_R_SUCCESS)
- return (result);
- if (bits > algorithms[i].size)
- return (ISC_R_RANGE);
- } else if (algorithms[i].size == 0)
- bits = 128;
- else
- bits = algorithms[i].size;
-
- if (name != NULL) {
- switch (algorithms[i].hmac) {
- case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
- case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
- case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
- case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
- case hmacsha384: *name = dns_tsig_hmacsha384_name; break;
- case hmacsha512: *name = dns_tsig_hmacsha512_name; break;
- default:
- INSIST(0);
- }
- }
- if (digestbits != NULL)
- *digestbits = bits;
- return (ISC_R_SUCCESS);
-}
diff --git a/usr.sbin/bind/bin/named/control.c b/usr.sbin/bind/bin/named/control.c
deleted file mode 100644
index 45d0c324771..00000000000
--- a/usr.sbin/bind/bin/named/control.c
+++ /dev/null
@@ -1,186 +0,0 @@
-/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: control.c,v 1.20.10.10 2007/09/13 23:46:26 tbox Exp $ */
-
-/*! \file */
-
-#include
-
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#ifdef HAVE_LIBSCF
-#include
-#endif
-
-static isc_boolean_t
-command_compare(const char *text, const char *command) {
- unsigned int commandlen = strlen(command);
- if (strncasecmp(text, command, commandlen) == 0 &&
- (text[commandlen] == '\0' ||
- text[commandlen] == ' ' ||
- text[commandlen] == '\t'))
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-/*%
- * This function is called to process the incoming command
- * when a control channel message is received.
- */
-isc_result_t
-ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
- isccc_sexpr_t *data;
- char *command;
- isc_result_t result;
-#ifdef HAVE_LIBSCF
- ns_smf_want_disable = 0;
-#endif
-
- data = isccc_alist_lookup(message, "_data");
- if (data == NULL) {
- /*
- * No data section.
- */
- return (ISC_R_FAILURE);
- }
-
- result = isccc_cc_lookupstring(data, "type", &command);
- if (result != ISC_R_SUCCESS) {
- /*
- * We have no idea what this is.
- */
- return (result);
- }
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(1),
- "received control channel command '%s'",
- command);
-
- /*
- * Compare the 'command' parameter against all known control commands.
- */
- if (command_compare(command, NS_COMMAND_RELOAD)) {
- result = ns_server_reloadcommand(ns_g_server, command, text);
- } else if (command_compare(command, NS_COMMAND_RECONFIG)) {
- result = ns_server_reconfigcommand(ns_g_server, command);
- } else if (command_compare(command, NS_COMMAND_REFRESH)) {
- result = ns_server_refreshcommand(ns_g_server, command, text);
- } else if (command_compare(command, NS_COMMAND_RETRANSFER)) {
- result = ns_server_retransfercommand(ns_g_server, command);
- } else if (command_compare(command, NS_COMMAND_HALT)) {
-#ifdef HAVE_LIBSCF
- /*
- * If we are managed by smf(5), AND in chroot, then
- * we cannot connect to the smf repository, so just
- * return with an appropriate message back to rndc.
- */
- if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
- result = ns_smf_add_message(text);
- return (result);
- }
- /*
- * If we are managed by smf(5) but not in chroot,
- * try to disable ourselves the smf way.
- */
- if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
- ns_smf_want_disable = 1;
- /*
- * If ns_smf_got_instance = 0, ns_smf_chroot
- * is not relevant and we fall through to
- * isc_app_shutdown below.
- */
-#endif
- ns_server_flushonshutdown(ns_g_server, ISC_FALSE);
- ns_os_shutdownmsg(command, text);
- isc_app_shutdown();
- result = ISC_R_SUCCESS;
- } else if (command_compare(command, NS_COMMAND_STOP)) {
-#ifdef HAVE_LIBSCF
- if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
- result = ns_smf_add_message(text);
- return (result);
- }
- if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
- ns_smf_want_disable = 1;
-#endif
- ns_server_flushonshutdown(ns_g_server, ISC_TRUE);
- ns_os_shutdownmsg(command, text);
- isc_app_shutdown();
- result = ISC_R_SUCCESS;
- } else if (command_compare(command, NS_COMMAND_DUMPSTATS)) {
- result = ns_server_dumpstats(ns_g_server);
- } else if (command_compare(command, NS_COMMAND_QUERYLOG)) {
- result = ns_server_togglequerylog(ns_g_server);
- } else if (command_compare(command, NS_COMMAND_DUMPDB)) {
- ns_server_dumpdb(ns_g_server, command);
- result = ISC_R_SUCCESS;
- } else if (command_compare(command, NS_COMMAND_TRACE)) {
- result = ns_server_setdebuglevel(ns_g_server, command);
- } else if (command_compare(command, NS_COMMAND_NOTRACE)) {
- ns_g_debuglevel = 0;
- isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
- result = ISC_R_SUCCESS;
- } else if (command_compare(command, NS_COMMAND_FLUSH)) {
- result = ns_server_flushcache(ns_g_server, command);
- } else if (command_compare(command, NS_COMMAND_FLUSHNAME)) {
- result = ns_server_flushname(ns_g_server, command);
- } else if (command_compare(command, NS_COMMAND_STATUS)) {
- result = ns_server_status(ns_g_server, text);
- } else if (command_compare(command, NS_COMMAND_FREEZE)) {
- result = ns_server_freeze(ns_g_server, ISC_TRUE, command);
- } else if (command_compare(command, NS_COMMAND_UNFREEZE) ||
- command_compare(command, NS_COMMAND_THAW)) {
- result = ns_server_freeze(ns_g_server, ISC_FALSE, command);
- } else if (command_compare(command, NS_COMMAND_RECURSING)) {
- result = ns_server_dumprecursing(ns_g_server);
- } else if (command_compare(command, NS_COMMAND_TIMERPOKE)) {
- result = ISC_R_SUCCESS;
- isc_timermgr_poke(ns_g_timermgr);
- } else if (command_compare(command, NS_COMMAND_NULL)) {
- result = ISC_R_SUCCESS;
- } else if (command_compare(command, NS_COMMAND_NOTIFY)) {
- result = ns_server_notifycommand(ns_g_server, command, text);
- } else if (command_compare(command, NS_COMMAND_VALIDATION)) {
- result = ns_server_validation(ns_g_server, command);
- } else {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
- "unknown control channel command '%s'",
- command);
- result = DNS_R_UNKNOWNCOMMAND;
- }
-
- return (result);
-}
diff --git a/usr.sbin/bind/bin/named/controlconf.c b/usr.sbin/bind/bin/named/controlconf.c
deleted file mode 100644
index 4001a8b19da..00000000000
--- a/usr.sbin/bind/bin/named/controlconf.c
+++ /dev/null
@@ -1,1461 +0,0 @@
-/*
- * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: controlconf.c,v 1.40.18.10.40.3 2008/07/23 23:16:43 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-
-/*
- * Note: Listeners and connections are not locked. All event handlers are
- * executed by the server task, and all callers of exported routines must
- * be running under the server task.
- */
-
-typedef struct controlkey controlkey_t;
-typedef ISC_LIST(controlkey_t) controlkeylist_t;
-
-typedef struct controlconnection controlconnection_t;
-typedef ISC_LIST(controlconnection_t) controlconnectionlist_t;
-
-typedef struct controllistener controllistener_t;
-typedef ISC_LIST(controllistener_t) controllistenerlist_t;
-
-struct controlkey {
- char * keyname;
- isc_region_t secret;
- ISC_LINK(controlkey_t) link;
-};
-
-struct controlconnection {
- isc_socket_t * sock;
- isccc_ccmsg_t ccmsg;
- isc_boolean_t ccmsg_valid;
- isc_boolean_t sending;
- isc_timer_t * timer;
- unsigned char buffer[2048];
- controllistener_t * listener;
- isc_uint32_t nonce;
- ISC_LINK(controlconnection_t) link;
-};
-
-struct controllistener {
- ns_controls_t * controls;
- isc_mem_t * mctx;
- isc_task_t * task;
- isc_sockaddr_t address;
- isc_socket_t * sock;
- dns_acl_t * acl;
- isc_boolean_t listening;
- isc_boolean_t exiting;
- controlkeylist_t keys;
- controlconnectionlist_t connections;
- isc_sockettype_t type;
- isc_uint32_t perm;
- isc_uint32_t owner;
- isc_uint32_t group;
- ISC_LINK(controllistener_t) link;
-};
-
-struct ns_controls {
- ns_server_t *server;
- controllistenerlist_t listeners;
- isc_boolean_t shuttingdown;
- isccc_symtab_t *symtab;
-};
-
-static void control_newconn(isc_task_t *task, isc_event_t *event);
-static void control_recvmessage(isc_task_t *task, isc_event_t *event);
-
-#define CLOCKSKEW 300
-
-static void
-free_controlkey(controlkey_t *key, isc_mem_t *mctx) {
- if (key->keyname != NULL)
- isc_mem_free(mctx, key->keyname);
- if (key->secret.base != NULL)
- isc_mem_put(mctx, key->secret.base, key->secret.length);
- isc_mem_put(mctx, key, sizeof(*key));
-}
-
-static void
-free_controlkeylist(controlkeylist_t *keylist, isc_mem_t *mctx) {
- while (!ISC_LIST_EMPTY(*keylist)) {
- controlkey_t *key = ISC_LIST_HEAD(*keylist);
- ISC_LIST_UNLINK(*keylist, key, link);
- free_controlkey(key, mctx);
- }
-}
-
-static void
-free_listener(controllistener_t
*listener) {
- INSIST(listener->exiting);
- INSIST(!listener->listening);
- INSIST(ISC_LIST_EMPTY(listener->connections));
-
- if (listener->sock != NULL)
- isc_socket_detach(&listener->sock);
-
- free_controlkeylist(&listener->keys, listener->mctx);
-
- if (listener->acl != NULL)
- dns_acl_detach(&listener->acl);
-
- isc_mem_put(listener->mctx, listener, sizeof(*listener));
-}
-
-static void
-maybe_free_listener(controllistener_t *listener) {
- if (listener->exiting &&
- !listener->listening &&
- ISC_LIST_EMPTY(listener->connections))
- free_listener(listener);
-}
-
-static void
-maybe_free_connection(controlconnection_t *conn) {
- controllistener_t *listener = conn->listener;
-
- if (conn->timer != NULL)
- isc_timer_detach(&conn->timer);
-
- if (conn->ccmsg_valid) {
- isccc_ccmsg_cancelread(&conn->ccmsg);
- return;
- }
-
- if (conn->sending) {
- isc_socket_cancel(conn->sock, listener->task,
- ISC_SOCKCANCEL_SEND);
- return;
- }
-
- ISC_LIST_UNLINK(listener->connections, conn, link);
- isc_mem_put(listener->mctx, conn, sizeof(*conn));
-}
-
-static void
-shutdown_listener(controllistener_t *listener) {
- controlconnection_t *conn;
- controlconnection_t *next;
-
- if (!listener->exiting) {
- char socktext[ISC_SOCKADDR_FORMATSIZE];
-
- ISC_LIST_UNLINK(listener->controls->listeners, listener, link);
-
- isc_sockaddr_format(&listener->address, socktext,
- sizeof(socktext));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
- "stopping command channel on %s", socktext);
- if (listener->type == isc_sockettype_unix)
- isc_socket_cleanunix(&listener->address, ISC_TRUE);
- listener->exiting = ISC_TRUE;
- }
-
- for (conn = ISC_LIST_HEAD(listener->connections);
- conn != NULL;
- conn = next)
- {
- next = ISC_LIST_NEXT(conn, link);
- maybe_free_connection(conn);
- }
-
- if (listener->listening)
- isc_socket_cancel(listener->sock, listener->task,
- ISC_SOCKCANCEL_ACCEPT);
-
- maybe_free_listener(listener);
-}
-
-static isc_boolean_t
-address_ok(isc_sockaddr_t *sockaddr, dns_acl_t *acl) {
- isc_netaddr_t netaddr;
- isc_result_t result;
- int match;
-
- isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-
- result = dns_acl_match(&netaddr, NULL, acl,
- &ns_g_server->aclenv, &match, NULL);
-
- if (result != ISC_R_SUCCESS || match <= 0)
- return (ISC_FALSE);
- else
- return (ISC_TRUE);
-}
-
-static isc_result_t
-control_accept(controllistener_t *listener) {
- isc_result_t result;
- result = isc_socket_accept(listener->sock,
- listener->task,
- control_newconn, listener);
- if (result != ISC_R_SUCCESS)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_accept() failed: %s",
- isc_result_totext(result));
- else
- listener->listening = ISC_TRUE;
- return (result);
-}
-
-static isc_result_t
-control_listen(controllistener_t *listener) {
- isc_result_t result;
-
- result = isc_socket_listen(listener->sock, 0);
- if (result != ISC_R_SUCCESS)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_listen() failed: %s",
- isc_result_totext(result));
- return (result);
-}
-
-static void
-control_next(controllistener_t *listener) {
- (void)control_accept(listener);
-}
-
-static void
-control_senddone(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sevent = (isc_socketevent_t *) event;
- controlconnection_t *conn = event->ev_arg;
- controllistener_t *listener = conn->listener;
- isc_socket_t *sock = (isc_socket_t *)sevent->ev_sender;
- isc_result_t result;
-
- REQUIRE(conn->sending);
-
- UNUSED(task);
-
- conn->sending = ISC_FALSE;
-
- if (sevent->result != ISC_R_SUCCESS &&
- sevent->result != ISC_R_CANCELED)
- {
- char socktext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_t peeraddr;
-
- (void)isc_socket_getpeername(sock, &peeraddr);
- isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
- "error sending command response to %s: %s",
- socktext, isc_result_totext(sevent->result));
- }
-
isc_event_free(&event);
-
- result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
- control_recvmessage, conn);
- if (result != ISC_R_SUCCESS) {
- isc_socket_detach(&conn->sock);
- maybe_free_connection(conn);
- maybe_free_listener(listener);
- }
-}
-
-static inline void
-log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
- char socktext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_t peeraddr;
-
- (void)isc_socket_getpeername(ccmsg->sock, &peeraddr);
- isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_ERROR,
- "invalid command from %s: %s",
- socktext, isc_result_totext(result));
-}
-
-static void
-control_recvmessage(isc_task_t *task, isc_event_t *event) {
- controlconnection_t *conn;
- controllistener_t *listener;
- controlkey_t *key;
- isccc_sexpr_t *request = NULL;
- isccc_sexpr_t *response = NULL;
- isccc_region_t ccregion;
- isccc_region_t secret;
- isc_stdtime_t now;
- isc_buffer_t b;
- isc_region_t r;
- isc_uint32_t len;
- isc_buffer_t text;
- char textarray[1024];
- isc_result_t result;
- isc_result_t eresult;
- isccc_sexpr_t *_ctrl;
- isccc_time_t sent;
- isccc_time_t exp;
- isc_uint32_t nonce;
-
- REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
-
- conn = event->ev_arg;
- listener = conn->listener;
- secret.rstart = NULL;
-
- /* Is the server shutting down?
*/
- if (listener->controls->shuttingdown)
- goto cleanup;
-
- if (conn->ccmsg.result != ISC_R_SUCCESS) {
- if (conn->ccmsg.result != ISC_R_CANCELED &&
- conn->ccmsg.result != ISC_R_EOF)
- log_invalid(&conn->ccmsg, conn->ccmsg.result);
- goto cleanup;
- }
-
- request = NULL;
-
- for (key = ISC_LIST_HEAD(listener->keys);
- key != NULL;
- key = ISC_LIST_NEXT(key, link))
- {
- ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer);
- ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer);
- if (secret.rstart != NULL)
- isc_mem_put(listener->mctx, secret.rstart,
- REGION_SIZE(secret));
- secret.rstart = isc_mem_get(listener->mctx, key->secret.length);
- if (secret.rstart == NULL)
- goto cleanup;
- memcpy(secret.rstart, key->secret.base, key->secret.length);
- secret.rend = secret.rstart + key->secret.length;
- result = isccc_cc_fromwire(&ccregion, &request, &secret);
- if (result == ISC_R_SUCCESS)
- break;
- else if (result == ISCCC_R_BADAUTH) {
- /*
- * For some reason, request is non-NULL when
- * isccc_cc_fromwire returns ISCCC_R_BADAUTH.
- */
- if (request != NULL)
- isccc_sexpr_free(&request);
- } else {
- log_invalid(&conn->ccmsg, result);
- goto cleanup;
- }
- }
-
- if (key == NULL) {
- log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
- goto cleanup;
- }
-
- /* We shouldn't be getting a reply. */
- if (isccc_cc_isreply(request)) {
- log_invalid(&conn->ccmsg, ISC_R_FAILURE);
- goto cleanup;
- }
-
- isc_stdtime_get(&now);
-
- /*
- * Limit exposure to replay attacks.
- */
- _ctrl = isccc_alist_lookup(request, "_ctrl");
- if (_ctrl == NULL) {
- log_invalid(&conn->ccmsg, ISC_R_FAILURE);
- goto cleanup;
- }
-
- if (isccc_cc_lookupuint32(_ctrl, "_tim", &sent) == ISC_R_SUCCESS) {
- if ((sent + CLOCKSKEW) < now || (sent - CLOCKSKEW) > now) {
- log_invalid(&conn->ccmsg, ISCCC_R_CLOCKSKEW);
- goto cleanup;
- }
- } else {
- log_invalid(&conn->ccmsg, ISC_R_FAILURE);
- goto cleanup;
- }
-
- /*
- * Expire messages that are too old.
- */
- if (isccc_cc_lookupuint32(_ctrl, "_exp", &exp) == ISC_R_SUCCESS &&
- now > exp) {
- log_invalid(&conn->ccmsg, ISCCC_R_EXPIRED);
- goto cleanup;
- }
-
- /*
- * Duplicate suppression (required for UDP).
- */
- isccc_cc_cleansymtab(listener->controls->symtab, now);
- result = isccc_cc_checkdup(listener->controls->symtab, request, now);
- if (result != ISC_R_SUCCESS) {
- if (result == ISC_R_EXISTS)
- result = ISCCC_R_DUPLICATE;
- log_invalid(&conn->ccmsg, result);
- goto cleanup;
- }
-
- if (conn->nonce != 0 &&
- (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS ||
- conn->nonce != nonce)) {
- log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
- goto cleanup;
- }
-
- /*
- * Establish nonce.
- */
- while (conn->nonce == 0)
- isc_random_get(&conn->nonce);
-
- isc_buffer_init(&text, textarray, sizeof(textarray));
- eresult = ns_control_docommand(request, &text);
-
- result = isccc_cc_createresponse(request, now, now + 60, &response);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- if (eresult != ISC_R_SUCCESS) {
- isccc_sexpr_t *data;
-
- data = isccc_alist_lookup(response, "_data");
- if (data != NULL) {
- const char *estr = isc_result_totext(eresult);
- if (isccc_cc_definestring(data, "err", estr) == NULL)
- goto cleanup;
- }
- }
-
- if (isc_buffer_usedlength(&text) > 0) {
- isccc_sexpr_t *data;
-
- data = isccc_alist_lookup(response, "_data");
- if (data != NULL) {
- char *str = (char *)isc_buffer_base(&text);
- if (isccc_cc_definestring(data, "text", str) == NULL)
- goto cleanup;
- }
- }
-
- _ctrl = isccc_alist_lookup(response, "_ctrl");
- if (_ctrl == NULL ||
- isccc_cc_defineuint32(_ctrl, "_nonce", conn->nonce) == NULL)
- goto cleanup;
-
- ccregion.rstart = conn->buffer + 4;
- ccregion.rend = conn->buffer + sizeof(conn->buffer);
- result = isccc_cc_towire(response, &ccregion, &secret);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- isc_buffer_init(&b, conn->buffer, 4);
- len = sizeof(conn->buffer) - REGION_SIZE(ccregion);
- isc_buffer_putuint32(&b,
len - 4);
- r.base = conn->buffer;
- r.length = len;
-
- result = isc_socket_send(conn->sock, &r, task, control_senddone, conn);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- conn->sending = ISC_TRUE;
-
- if (secret.rstart != NULL)
- isc_mem_put(listener->mctx, secret.rstart,
- REGION_SIZE(secret));
- if (request != NULL)
- isccc_sexpr_free(&request);
- if (response != NULL)
- isccc_sexpr_free(&response);
- return;
-
- cleanup:
- if (secret.rstart != NULL)
- isc_mem_put(listener->mctx, secret.rstart,
- REGION_SIZE(secret));
- isc_socket_detach(&conn->sock);
- isccc_ccmsg_invalidate(&conn->ccmsg);
- conn->ccmsg_valid = ISC_FALSE;
- maybe_free_connection(conn);
- maybe_free_listener(listener);
- if (request != NULL)
- isccc_sexpr_free(&request);
- if (response != NULL)
- isccc_sexpr_free(&response);
-}
-
-static void
-control_timeout(isc_task_t *task, isc_event_t *event) {
- controlconnection_t *conn = event->ev_arg;
-
- UNUSED(task);
-
- isc_timer_detach(&conn->timer);
- maybe_free_connection(conn);
-
- isc_event_free(&event);
-}
-
-static isc_result_t
-newconnection(controllistener_t *listener, isc_socket_t *sock) {
- controlconnection_t *conn;
- isc_interval_t interval;
- isc_result_t result;
-
- conn = isc_mem_get(listener->mctx, sizeof(*conn));
- if (conn == NULL)
- return (ISC_R_NOMEMORY);
-
- conn->sock = sock;
- isccc_ccmsg_init(listener->mctx, sock, &conn->ccmsg);
- conn->ccmsg_valid = ISC_TRUE;
- conn->sending = ISC_FALSE;
- conn->timer = NULL;
- isc_interval_set(&interval, 60, 0);
- result = isc_timer_create(ns_g_timermgr, isc_timertype_once,
- NULL, &interval, listener->task,
- control_timeout, conn, &conn->timer);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- conn->listener = listener;
- conn->nonce = 0;
- ISC_LINK_INIT(conn, link);
-
- result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
- control_recvmessage, conn);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- isccc_ccmsg_setmaxsize(&conn->ccmsg, 2048);
-
-
ISC_LIST_APPEND(listener->connections, conn, link);
- return (ISC_R_SUCCESS);
-
- cleanup:
- isccc_ccmsg_invalidate(&conn->ccmsg);
- if (conn->timer != NULL)
- isc_timer_detach(&conn->timer);
- isc_mem_put(listener->mctx, conn, sizeof(*conn));
- return (result);
-}
-
-static void
-control_newconn(isc_task_t *task, isc_event_t *event) {
- isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- controllistener_t *listener = event->ev_arg;
- isc_socket_t *sock;
- isc_sockaddr_t peeraddr;
- isc_result_t result;
-
- UNUSED(task);
-
- listener->listening = ISC_FALSE;
-
- if (nevent->result != ISC_R_SUCCESS) {
- if (nevent->result == ISC_R_CANCELED) {
- shutdown_listener(listener);
- goto cleanup;
- }
- goto restart;
- }
-
- sock = nevent->newsocket;
- (void)isc_socket_getpeername(sock, &peeraddr);
- if (listener->type == isc_sockettype_tcp &&
- !address_ok(&peeraddr, listener->acl)) {
- char socktext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
- "rejected command channel message from %s",
- socktext);
- isc_socket_detach(&sock);
- goto restart;
- }
-
- result = newconnection(listener, sock);
- if (result != ISC_R_SUCCESS) {
- char socktext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
- "dropped command channel from %s: %s",
- socktext, isc_result_totext(result));
- isc_socket_detach(&sock);
- goto restart;
- }
-
- restart:
- control_next(listener);
- cleanup:
- isc_event_free(&event);
-}
-
-static void
-controls_shutdown(ns_controls_t *controls) {
- controllistener_t *listener;
- controllistener_t *next;
-
- for (listener = ISC_LIST_HEAD(controls->listeners);
- listener != NULL;
- listener = next)
- {
- /*
- * This is asynchronous. As listeners shut down, they will
- * call their callbacks.
- */
- next = ISC_LIST_NEXT(listener, link);
- shutdown_listener(listener);
- }
-}
-
-void
-ns_controls_shutdown(ns_controls_t *controls) {
- controls_shutdown(controls);
- controls->shuttingdown = ISC_TRUE;
-}
-
-static isc_result_t
-cfgkeylist_find(const cfg_obj_t *keylist, const char *keyname,
- const cfg_obj_t **objp)
-{
- const cfg_listelt_t *element;
- const char *str;
- const cfg_obj_t *obj;
-
- for (element = cfg_list_first(keylist);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- str = cfg_obj_asstring(cfg_map_getname(obj));
- if (strcasecmp(str, keyname) == 0)
- break;
- }
- if (element == NULL)
- return (ISC_R_NOTFOUND);
- obj = cfg_listelt_value(element);
- *objp = obj;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
- controlkeylist_t *keyids)
-{
- const cfg_listelt_t *element;
- char *newstr = NULL;
- const char *str;
- const cfg_obj_t *obj;
- controlkey_t *key;
-
- for (element = cfg_list_first(keylist);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- str = cfg_obj_asstring(obj);
- newstr = isc_mem_strdup(mctx, str);
- if (newstr == NULL)
- goto cleanup;
- key = isc_mem_get(mctx, sizeof(*key));
- if (key == NULL)
- goto cleanup;
- key->keyname = newstr;
- key->secret.base = NULL;
- key->secret.length = 0;
- ISC_LINK_INIT(key, link);
- ISC_LIST_APPEND(*keyids, key, link);
- newstr = NULL;
- }
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (newstr != NULL)
- isc_mem_free(mctx, newstr);
- free_controlkeylist(keyids, mctx);
- return (ISC_R_NOMEMORY);
-}
-
-static void
-register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
- controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext)
-{
- controlkey_t *keyid, *next;
- const cfg_obj_t *keydef;
- char secret[1024];
- isc_buffer_t b;
- isc_result_t result;
-
- /*
- * Find the keys corresponding to the keyids used by this
listener.
- */
- for (keyid = ISC_LIST_HEAD(*keyids); keyid != NULL; keyid = next) {
- next = ISC_LIST_NEXT(keyid, link);
-
- result = cfgkeylist_find(keylist, keyid->keyname, &keydef);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't find key '%s' for use with "
- "command channel %s",
- keyid->keyname, socktext);
- ISC_LIST_UNLINK(*keyids, keyid, link);
- free_controlkey(keyid, mctx);
- } else {
- const cfg_obj_t *algobj = NULL;
- const cfg_obj_t *secretobj = NULL;
- const char *algstr = NULL;
- const char *secretstr = NULL;
-
- (void)cfg_map_get(keydef, "algorithm", &algobj);
- (void)cfg_map_get(keydef, "secret", &secretobj);
- INSIST(algobj != NULL && secretobj != NULL);
-
- algstr = cfg_obj_asstring(algobj);
- secretstr = cfg_obj_asstring(secretobj);
-
- if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
- ISC_R_SUCCESS)
- {
- cfg_obj_log(control, ns_g_lctx,
- ISC_LOG_WARNING,
- "unsupported algorithm '%s' in "
- "key '%s' for use with command "
- "channel %s",
- algstr, keyid->keyname, socktext);
- ISC_LIST_UNLINK(*keyids, keyid, link);
- free_controlkey(keyid, mctx);
- continue;
- }
-
- isc_buffer_init(&b, secret, sizeof(secret));
- result = isc_base64_decodestring(secretstr, &b);
-
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
- "secret for key '%s' on "
- "command channel %s: %s",
- keyid->keyname, socktext,
- isc_result_totext(result));
- ISC_LIST_UNLINK(*keyids, keyid, link);
- free_controlkey(keyid, mctx);
- continue;
- }
-
- keyid->secret.length = isc_buffer_usedlength(&b);
- keyid->secret.base = isc_mem_get(mctx,
- keyid->secret.length);
- if (keyid->secret.base == NULL) {
- cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't register key '%s': "
- "out of memory", keyid->keyname);
- ISC_LIST_UNLINK(*keyids, keyid, link);
- free_controlkey(keyid, mctx);
- break;
- }
- memcpy(keyid->secret.base, isc_buffer_base(&b),
- keyid->secret.length);
- }
- }
-}
-
-#define CHECK(x) \
- do { \
- result = (x); \
- if (result != ISC_R_SUCCESS) \
- goto cleanup; \
- } while (0)
-
-static isc_result_t
-get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
- isc_result_t result;
- cfg_parser_t *pctx = NULL;
- cfg_obj_t *config = NULL;
- const cfg_obj_t *key = NULL;
- const cfg_obj_t *algobj = NULL;
- const cfg_obj_t *secretobj = NULL;
- const char *algstr = NULL;
- const char *secretstr = NULL;
- controlkey_t *keyid = NULL;
- char secret[1024];
- isc_buffer_t b;
-
- CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx));
- CHECK(cfg_parse_file(pctx, ns_g_keyfile, &cfg_type_rndckey, &config));
- CHECK(cfg_map_get(config, "key", &key));
-
- keyid = isc_mem_get(mctx, sizeof(*keyid));
- if (keyid == NULL)
- CHECK(ISC_R_NOMEMORY);
- keyid->keyname = isc_mem_strdup(mctx,
- cfg_obj_asstring(cfg_map_getname(key)));
- keyid->secret.base = NULL;
- keyid->secret.length = 0;
- ISC_LINK_INIT(keyid, link);
- if (keyid->keyname == NULL)
- CHECK(ISC_R_NOMEMORY);
-
- CHECK(bind9_check_key(key, ns_g_lctx));
-
- (void)cfg_map_get(key, "algorithm", &algobj);
- (void)cfg_map_get(key, "secret", &secretobj);
- INSIST(algobj != NULL && secretobj != NULL);
-
- algstr = cfg_obj_asstring(algobj);
- secretstr = cfg_obj_asstring(secretobj);
-
- if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
- cfg_obj_log(key, ns_g_lctx,
- ISC_LOG_WARNING,
- "unsupported algorithm '%s' in "
- "key '%s' for use with command "
- "channel",
- algstr, keyid->keyname);
- goto cleanup;
- }
-
- isc_buffer_init(&b, secret, sizeof(secret));
- result = isc_base64_decodestring(secretstr, &b);
-
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
- "secret for key '%s' on command channel: %s",
- keyid->keyname, isc_result_totext(result));
- CHECK(result);
- }
-
- keyid->secret.length = isc_buffer_usedlength(&b);
- keyid->secret.base = isc_mem_get(mctx,
- keyid->secret.length);
- if (keyid->secret.base == NULL) {
- cfg_obj_log(key, ns_g_lctx,
ISC_LOG_WARNING,
- "couldn't register key '%s': "
- "out of memory", keyid->keyname);
- CHECK(ISC_R_NOMEMORY);
- }
- memcpy(keyid->secret.base, isc_buffer_base(&b),
- keyid->secret.length);
- ISC_LIST_APPEND(*keyids, keyid, link);
- keyid = NULL;
- result = ISC_R_SUCCESS;
-
- cleanup:
- if (keyid != NULL)
- free_controlkey(keyid, mctx);
- if (config != NULL)
- cfg_obj_destroy(pctx, &config);
- if (pctx != NULL)
- cfg_parser_destroy(&pctx);
- return (result);
-}
-
-/*
- * Ensures that both '*global_keylistp' and '*control_keylistp' are
- * valid or both are NULL.
- */
-static void
-get_key_info(const cfg_obj_t *config, const cfg_obj_t *control,
- const cfg_obj_t **global_keylistp,
- const cfg_obj_t **control_keylistp)
-{
- isc_result_t result;
- const cfg_obj_t *control_keylist = NULL;
- const cfg_obj_t *global_keylist = NULL;
-
- REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
- REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
-
- control_keylist = cfg_tuple_get(control, "keys");
-
- if (!cfg_obj_isvoid(control_keylist) &&
- cfg_list_first(control_keylist) != NULL) {
- result = cfg_map_get(config, "key", &global_keylist);
-
- if (result == ISC_R_SUCCESS) {
- *global_keylistp = global_keylist;
- *control_keylistp = control_keylist;
- }
- }
-}
-
-static void
-update_listener(ns_controls_t *cp, controllistener_t **listenerp,
- const cfg_obj_t *control, const cfg_obj_t *config,
- isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
- const char *socktext, isc_sockettype_t type)
-{
- controllistener_t *listener;
- const cfg_obj_t *allow;
- const cfg_obj_t *global_keylist = NULL;
- const cfg_obj_t *control_keylist = NULL;
- dns_acl_t *new_acl = NULL;
- controlkeylist_t keys;
- isc_result_t result = ISC_R_SUCCESS;
-
- for (listener = ISC_LIST_HEAD(cp->listeners);
- listener != NULL;
- listener = ISC_LIST_NEXT(listener, link))
- if (isc_sockaddr_equal(addr, &listener->address))
- break;
-
- if (listener == NULL) {
- *listenerp = NULL;
- return;
- }
-
- /*
- * There is already a listener for this sockaddr.
- * Update the access list and key information.
- *
- * First try to deal with the key situation. There are a few
- * possibilities:
- * (a) It had an explicit keylist and still has an explicit keylist.
- * (b) It had an automagic key and now has an explicit keylist.
- * (c) It had an explicit keylist and now needs an automagic key.
- * (d) It has an automagic key and still needs the automagic key.
- *
- * (c) and (d) are the annoying ones. The caller needs to know
- * that it should use the automagic configuration for key information
- * in place of the named.conf configuration.
- *
- * XXXDCL There is one other hazard that has not been dealt with,
- * the problem that if a key change is being caused by a control
- * channel reload, then the response will be with the new key
- * and not able to be decrypted by the client.
- */
- if (control != NULL)
- get_key_info(config, control, &global_keylist,
- &control_keylist);
-
- if (control_keylist != NULL) {
- INSIST(global_keylist != NULL);
-
- ISC_LIST_INIT(keys);
- result = controlkeylist_fromcfg(control_keylist,
- listener->mctx, &keys);
- if (result == ISC_R_SUCCESS) {
- free_controlkeylist(&listener->keys, listener->mctx);
- listener->keys = keys;
- register_keys(control, global_keylist, &listener->keys,
- listener->mctx, socktext);
- }
- } else {
- free_controlkeylist(&listener->keys, listener->mctx);
- result = get_rndckey(listener->mctx, &listener->keys);
- }
-
- if (result != ISC_R_SUCCESS && global_keylist != NULL) {
- /*
- * This message might be a little misleading since the
- * "new keys" might in fact be identical to the old ones,
- * but tracking whether they are identical just for the
- * sake of avoiding this message would be too much trouble.
- */
- if (control != NULL)
- cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't install new keys for "
- "command channel %s: %s",
- socktext, isc_result_totext(result));
- else
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
- "couldn't install new keys for "
- "command channel %s: %s",
- socktext, isc_result_totext(result));
- }
-
- /*
- * Now, keep the old access list unless a new one can be made.
- */
- if (control != NULL && type == isc_sockettype_tcp) {
- allow = cfg_tuple_get(control, "allow");
- result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
- aclconfctx, listener->mctx,
- &new_acl);
- } else {
- result = dns_acl_any(listener->mctx, &new_acl);
- }
-
- if (result == ISC_R_SUCCESS) {
- dns_acl_detach(&listener->acl);
- dns_acl_attach(new_acl, &listener->acl);
- dns_acl_detach(&new_acl);
- /* XXXDCL say the old acl is still used? */
- } else if (control != NULL)
- cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't install new acl for "
- "command channel %s: %s",
- socktext, isc_result_totext(result));
- else
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
- "couldn't install new acl for "
- "command channel %s: %s",
- socktext, isc_result_totext(result));
-
- if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
- isc_uint32_t perm, owner, group;
- perm = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
- owner = cfg_obj_asuint32(cfg_tuple_get(control, "owner"));
- group = cfg_obj_asuint32(cfg_tuple_get(control, "group"));
- result = ISC_R_SUCCESS;
- if (listener->perm != perm || listener->owner != owner ||
- listener->group != group)
- result = isc_socket_permunix(&listener->address, perm,
- owner, group);
- if (result == ISC_R_SUCCESS) {
- listener->perm = perm;
- listener->owner = owner;
- listener->group = group;
- } else if (control != NULL)
- cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't update ownership/permission
for "
- "command channel %s", socktext);
- }
-
- *listenerp = listener;
-}
-
-static void
-add_listener(ns_controls_t *cp, controllistener_t **listenerp,
- const cfg_obj_t *control, const cfg_obj_t *config,
- isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
- const char *socktext, isc_sockettype_t type)
-{
- isc_mem_t *mctx = cp->server->mctx;
- controllistener_t *listener;
- const cfg_obj_t *allow;
- const cfg_obj_t *global_keylist = NULL;
- const cfg_obj_t *control_keylist = NULL;
- dns_acl_t *new_acl = NULL;
- isc_result_t result = ISC_R_SUCCESS;
-
- listener = isc_mem_get(mctx, sizeof(*listener));
- if (listener == NULL)
- result = ISC_R_NOMEMORY;
-
- if (result == ISC_R_SUCCESS) {
- listener->controls = cp;
- listener->mctx = mctx;
- listener->task = cp->server->task;
- listener->address = *addr;
- listener->sock = NULL;
- listener->listening = ISC_FALSE;
- listener->exiting = ISC_FALSE;
- listener->acl = NULL;
- listener->type = type;
- listener->perm = 0;
- listener->owner = 0;
- listener->group = 0;
- ISC_LINK_INIT(listener, link);
- ISC_LIST_INIT(listener->keys);
- ISC_LIST_INIT(listener->connections);
-
- /*
- * Make the acl.
- */
- if (control != NULL && type == isc_sockettype_tcp) {
- allow = cfg_tuple_get(control, "allow");
- result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
- aclconfctx, mctx, &new_acl);
- } else {
- result = dns_acl_any(mctx, &new_acl);
- }
- }
-
- if (result == ISC_R_SUCCESS) {
- dns_acl_attach(new_acl, &listener->acl);
- dns_acl_detach(&new_acl);
-
- if (config != NULL)
- get_key_info(config, control, &global_keylist,
- &control_keylist);
-
- if (control_keylist != NULL) {
- result = controlkeylist_fromcfg(control_keylist,
- listener->mctx,
- &listener->keys);
- if (result == ISC_R_SUCCESS)
- register_keys(control, global_keylist,
- &listener->keys,
- listener->mctx, socktext);
- } else
- result = get_rndckey(mctx, &listener->keys);
-
- if (result != ISC_R_SUCCESS && control != NULL)
- cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't install keys for "
- "command channel %s: %s",
- socktext, isc_result_totext(result));
- }
-
- if (result == ISC_R_SUCCESS) {
- int pf = isc_sockaddr_pf(&listener->address);
- if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
-#ifdef ISC_PLATFORM_HAVESYSUNH
- (pf == AF_UNIX && isc_net_probeunix() != ISC_R_SUCCESS) ||
-#endif
- (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
- result = ISC_R_FAMILYNOSUPPORT;
- }
-
- if (result == ISC_R_SUCCESS && type == isc_sockettype_unix)
- isc_socket_cleanunix(&listener->address, ISC_FALSE);
-
- if (result == ISC_R_SUCCESS)
- result = isc_socket_create(ns_g_socketmgr,
- isc_sockaddr_pf(&listener->address),
- type, &listener->sock);
-
- if (result == ISC_R_SUCCESS)
- result = isc_socket_bind(listener->sock, &listener->address,
- ISC_SOCKET_REUSEADDRESS);
-
- if (result == ISC_R_SUCCESS && type == isc_sockettype_unix) {
- listener->perm = cfg_obj_asuint32(cfg_tuple_get(control,
- "perm"));
- listener->owner = cfg_obj_asuint32(cfg_tuple_get(control,
- "owner"));
- listener->group = cfg_obj_asuint32(cfg_tuple_get(control,
- "group"));
- result =
isc_socket_permunix(&listener->address, listener->perm,
- listener->owner, listener->group);
- }
- if (result == ISC_R_SUCCESS)
- result = control_listen(listener);
-
- if (result == ISC_R_SUCCESS)
- result = control_accept(listener);
-
- if (result == ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
- "command channel listening on %s", socktext);
- *listenerp = listener;
-
- } else {
- if (listener != NULL) {
- listener->exiting = ISC_TRUE;
- free_listener(listener);
- }
-
- if (control != NULL)
- cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't add command channel %s: %s",
- socktext, isc_result_totext(result));
- else
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
- "couldn't add command channel %s: %s",
- socktext, isc_result_totext(result));
-
- *listenerp = NULL;
- }
-
- /* XXXDCL return error results? fail hard? */
-}
-
-isc_result_t
-ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config,
- cfg_aclconfctx_t *aclconfctx)
-{
- controllistener_t *listener;
- controllistenerlist_t new_listeners;
- const cfg_obj_t *controlslist = NULL;
- const cfg_listelt_t *element, *element2;
- char socktext[ISC_SOCKADDR_FORMATSIZE];
-
- ISC_LIST_INIT(new_listeners);
-
- /*
- * Get the list of named.conf 'controls' statements.
- */
- (void)cfg_map_get(config, "controls", &controlslist);
-
- /*
- * Run through the new control channel list, noting sockets that
- * are already being listened on and moving them to the new list.
- *
- * Identifying duplicate addr/port combinations is left to either
- * the underlying config code, or to the bind attempt getting an
- * address-in-use error.
- */ - if (controlslist != NULL) { - for (element = cfg_list_first(controlslist); - element != NULL; - element = cfg_list_next(element)) { - const cfg_obj_t *controls; - const cfg_obj_t *inetcontrols = NULL; - - controls = cfg_listelt_value(element); - (void)cfg_map_get(controls, "inet", &inetcontrols); - if (inetcontrols == NULL) - continue; - - for (element2 = cfg_list_first(inetcontrols); - element2 != NULL; - element2 = cfg_list_next(element2)) { - const cfg_obj_t *control; - const cfg_obj_t *obj; - isc_sockaddr_t addr; - - /* - * The parser handles BIND 8 configuration file - * syntax, so it allows unix phrases as well - * inet phrases with no keys{} clause. - */ - control = cfg_listelt_value(element2); - - obj = cfg_tuple_get(control, "address"); - addr = *cfg_obj_assockaddr(obj); - if (isc_sockaddr_getport(&addr) == 0) - isc_sockaddr_setport(&addr, - NS_CONTROL_PORT); - - isc_sockaddr_format(&addr, socktext, - sizeof(socktext)); - - isc_log_write(ns_g_lctx, - NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_CONTROL, - ISC_LOG_DEBUG(9), - "processing control channel %s", - socktext); - - update_listener(cp, &listener, control, config, - &addr, aclconfctx, socktext, - isc_sockettype_tcp); - - if (listener != NULL) - /* - * Remove the listener from the old - * list, so it won't be shut down. - */ - ISC_LIST_UNLINK(cp->listeners, - listener, link); - else - /* - * This is a new listener. 
- */ - add_listener(cp, &listener, control, - config, &addr, aclconfctx, - socktext, - isc_sockettype_tcp); - - if (listener != NULL) - ISC_LIST_APPEND(new_listeners, - listener, link); - } - } - for (element = cfg_list_first(controlslist); - element != NULL; - element = cfg_list_next(element)) { - const cfg_obj_t *controls; - const cfg_obj_t *unixcontrols = NULL; - - controls = cfg_listelt_value(element); - (void)cfg_map_get(controls, "unix", &unixcontrols); - if (unixcontrols == NULL) - continue; - - for (element2 = cfg_list_first(unixcontrols); - element2 != NULL; - element2 = cfg_list_next(element2)) { - const cfg_obj_t *control; - const cfg_obj_t *path; - isc_sockaddr_t addr; - isc_result_t result; - - /* - * The parser handles BIND 8 configuration file - * syntax, so it allows unix phrases as well - * inet phrases with no keys{} clause. - */ - control = cfg_listelt_value(element2); - - path = cfg_tuple_get(control, "path"); - result = isc_sockaddr_frompath(&addr, - cfg_obj_asstring(path)); - if (result != ISC_R_SUCCESS) { - isc_log_write(ns_g_lctx, - NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_CONTROL, - ISC_LOG_DEBUG(9), - "control channel '%s': %s", - cfg_obj_asstring(path), - isc_result_totext(result)); - continue; - } - - isc_log_write(ns_g_lctx, - NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_CONTROL, - ISC_LOG_DEBUG(9), - "processing control channel '%s'", - cfg_obj_asstring(path)); - - update_listener(cp, &listener, control, config, - &addr, aclconfctx, - cfg_obj_asstring(path), - isc_sockettype_unix); - - if (listener != NULL) - /* - * Remove the listener from the old - * list, so it won't be shut down. - */ - ISC_LIST_UNLINK(cp->listeners, - listener, link); - else - /* - * This is a new listener. 
- */ - add_listener(cp, &listener, control, - config, &addr, aclconfctx, - cfg_obj_asstring(path), - isc_sockettype_unix); - - if (listener != NULL) - ISC_LIST_APPEND(new_listeners, - listener, link); - } - } - } else { - int i; - - for (i = 0; i < 2; i++) { - isc_sockaddr_t addr; - - if (i == 0) { - struct in_addr localhost; - - if (isc_net_probeipv4() != ISC_R_SUCCESS) - continue; - localhost.s_addr = htonl(INADDR_LOOPBACK); - isc_sockaddr_fromin(&addr, &localhost, 0); - } else { - if (isc_net_probeipv6() != ISC_R_SUCCESS) - continue; - isc_sockaddr_fromin6(&addr, - &in6addr_loopback, 0); - } - isc_sockaddr_setport(&addr, NS_CONTROL_PORT); - - isc_sockaddr_format(&addr, socktext, sizeof(socktext)); - - update_listener(cp, &listener, NULL, NULL, - &addr, NULL, socktext, - isc_sockettype_tcp); - - if (listener != NULL) - /* - * Remove the listener from the old - * list, so it won't be shut down. - */ - ISC_LIST_UNLINK(cp->listeners, - listener, link); - else - /* - * This is a new listener. - */ - add_listener(cp, &listener, NULL, NULL, - &addr, NULL, socktext, - isc_sockettype_tcp); - - if (listener != NULL) - ISC_LIST_APPEND(new_listeners, - listener, link); - } - } - - /* - * ns_control_shutdown() will stop whatever is on the global - * listeners list, which currently only has whatever sockaddrs - * were in the previous configuration (if any) that do not - * remain in the current configuration. - */ - controls_shutdown(cp); - - /* - * Put all of the valid listeners on the listeners list. - * Anything already on listeners in the process of shutting - * down will be taken care of by listen_done(). 
- */
- ISC_LIST_APPENDLIST(cp->listeners, new_listeners, link);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp) {
- isc_mem_t *mctx = server->mctx;
- isc_result_t result;
- ns_controls_t *controls = isc_mem_get(mctx, sizeof(*controls));
-
- if (controls == NULL)
- return (ISC_R_NOMEMORY);
- controls->server = server;
- ISC_LIST_INIT(controls->listeners);
- controls->shuttingdown = ISC_FALSE;
- controls->symtab = NULL;
- result = isccc_cc_createsymtab(&controls->symtab);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(server->mctx, controls, sizeof(*controls));
- return (result);
- }
- *ctrlsp = controls;
- return (ISC_R_SUCCESS);
-}
-
-void
-ns_controls_destroy(ns_controls_t **ctrlsp) {
- ns_controls_t *controls = *ctrlsp;
-
- REQUIRE(ISC_LIST_EMPTY(controls->listeners));
-
- isccc_symtab_destroy(&controls->symtab);
- isc_mem_put(controls->server->mctx, controls, sizeof(*controls));
- *ctrlsp = NULL;
-}
diff --git a/usr.sbin/bind/bin/named/include/named/builtin.h b/usr.sbin/bind/bin/named/include/named/builtin.h
deleted file mode 100644
index bece03f1f58..00000000000
--- a/usr.sbin/bind/bin/named/include/named/builtin.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: builtin.h,v 1.2.18.2 2005/04/29 00:15:34 marka Exp $ */
-
-#ifndef NAMED_BUILTIN_H
-#define NAMED_BUILTIN_H 1
-
-/*! \file */
-
-#include
-
-isc_result_t ns_builtin_init(void);
-
-void ns_builtin_deinit(void);
-
-#endif /* NAMED_BUILTIN_H */
diff --git a/usr.sbin/bind/bin/named/include/named/client.h b/usr.sbin/bind/bin/named/include/named/client.h
deleted file mode 100644
index f7fe916e032..00000000000
--- a/usr.sbin/bind/bin/named/include/named/client.h
+++ /dev/null
@@ -1,361 +0,0 @@ -/* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: client.h,v 1.69.18.9 2006/06/06 00:11:41 marka Exp $ */ - -#ifndef NAMED_CLIENT_H -#define NAMED_CLIENT_H 1 - -/***** - ***** Module Info - *****/ - -/*! \file - * \brief - * This module defines two objects, ns_client_t and ns_clientmgr_t. - * - * An ns_client_t object handles incoming DNS requests from clients - * on a given network interface. - * - * Each ns_client_t object can handle only one TCP connection or UDP - * request at a time. Therefore, several ns_client_t objects are - * typically created to serve each network interface, e.g., one - * for handling TCP requests and a few (one per CPU) for handling - * UDP requests. - * - * Incoming requests are classified as queries, zone transfer - * requests, update requests, notify requests, etc, and handed off - * to the appropriate request handler. 
When the request has been - * fully handled (which can be much later), the ns_client_t must be - * notified of this by calling one of the following functions - * exactly once in the context of its task: - * \code - * ns_client_send() (sending a non-error response) - * ns_client_sendraw() (sending a raw response) - * ns_client_error() (sending an error response) - * ns_client_next() (sending no response) - *\endcode - * This will release any resources used by the request and - * and allow the ns_client_t to listen for the next request. - * - * A ns_clientmgr_t manages a number of ns_client_t objects. - * New ns_client_t objects are created by calling - * ns_clientmgr_createclients(). They are destroyed by - * destroying their manager. - */ - -/*** - *** Imports - ***/ - -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -#include -#include - -/*** - *** Types - ***/ - -typedef ISC_LIST(ns_client_t) client_list_t; - -/*% nameserver client structure */ -struct ns_client { - unsigned int magic; - isc_mem_t * mctx; - ns_clientmgr_t * manager; - int state; - int newstate; - int naccepts; - int nreads; - int nsends; - int nrecvs; - int nupdates; - int nctls; - int references; - unsigned int attributes; - isc_task_t * task; - dns_view_t * view; - dns_dispatch_t * dispatch; - isc_socket_t * udpsocket; - isc_socket_t * tcplistener; - isc_socket_t * tcpsocket; - unsigned char * tcpbuf; - dns_tcpmsg_t tcpmsg; - isc_boolean_t tcpmsg_valid; - isc_timer_t * timer; - isc_boolean_t timerset; - dns_message_t * message; - isc_socketevent_t * sendevent; - isc_socketevent_t * recvevent; - unsigned char * recvbuf; - dns_rdataset_t * opt; - isc_uint16_t udpsize; - isc_uint16_t extflags; - isc_int16_t ednsversion; /* -1 noedns */ - void (*next)(ns_client_t *); - void (*shutdown)(void *arg, isc_result_t result); - void *shutdown_arg; - ns_query_t query; - isc_stdtime_t requesttime; - isc_stdtime_t now; - dns_name_t signername; /*%< 
[T]SIG key name */ - dns_name_t * signer; /*%< NULL if not valid sig */ - isc_boolean_t mortal; /*%< Die after handling request */ - isc_quota_t *tcpquota; - isc_quota_t *recursionquota; - ns_interface_t *interface; - isc_sockaddr_t peeraddr; - isc_boolean_t peeraddr_valid; - struct in6_pktinfo pktinfo; - isc_event_t ctlevent; - /*% - * Information about recent FORMERR response(s), for - * FORMERR loop avoidance. This is separate for each - * client object rather than global only to avoid - * the need for locking. - */ - struct { - isc_sockaddr_t addr; - isc_stdtime_t time; - dns_messageid_t id; - } formerrcache; - ISC_LINK(ns_client_t) link; - /*% - * The list 'link' is part of, or NULL if not on any list. - */ - client_list_t *list; -}; - -#define NS_CLIENT_MAGIC ISC_MAGIC('N','S','C','c') -#define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC) - -#define NS_CLIENTATTR_TCP 0x01 -#define NS_CLIENTATTR_RA 0x02 /*%< Client gets recusive service */ -#define NS_CLIENTATTR_PKTINFO 0x04 /*%< pktinfo is valid */ -#define NS_CLIENTATTR_MULTICAST 0x08 /*%< recv'd from multicast */ -#define NS_CLIENTATTR_WANTDNSSEC 0x10 /*%< include dnssec records */ - -extern unsigned int ns_client_requests; - -/*** - *** Functions - ***/ - -/*% - * Note! These ns_client_ routines MUST be called ONLY from the client's - * task in order to ensure synchronization. - */ - -void -ns_client_send(ns_client_t *client); -/*% - * Finish processing the current client request and - * send client->message as a response. - * \brief - * Note! These ns_client_ routines MUST be called ONLY from the client's - * task in order to ensure synchronization. - */ - -void -ns_client_sendraw(ns_client_t *client, dns_message_t *msg); -/*% - * Finish processing the current client request and - * send msg as a response using client->message->id for the id. 
- */ - -void -ns_client_error(ns_client_t *client, isc_result_t result); -/*% - * Finish processing the current client request and return - * an error response to the client. The error response - * will have an RCODE determined by 'result'. - */ - -void -ns_client_next(ns_client_t *client, isc_result_t result); -/*% - * Finish processing the current client request, - * return no response to the client. - */ - -isc_boolean_t -ns_client_shuttingdown(ns_client_t *client); -/*% - * Return ISC_TRUE iff the client is currently shutting down. - */ - -void -ns_client_attach(ns_client_t *source, ns_client_t **target); -/*% - * Attach '*targetp' to 'source'. - */ - -void -ns_client_detach(ns_client_t **clientp); -/*% - * Detach '*clientp' from its client. - */ - -isc_result_t -ns_client_replace(ns_client_t *client); -/*% - * Try to replace the current client with a new one, so that the - * current one can go off and do some lengthy work without - * leaving the dispatch/socket without service. - */ - -void -ns_client_settimeout(ns_client_t *client, unsigned int seconds); -/*% - * Set a timer in the client to go off in the specified amount of time. - */ - -isc_result_t -ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, - isc_timermgr_t *timermgr, ns_clientmgr_t **managerp); -/*% - * Create a client manager. - */ - -void -ns_clientmgr_destroy(ns_clientmgr_t **managerp); -/*% - * Destroy a client manager and all ns_client_t objects - * managed by it. - */ - -isc_result_t -ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n, - ns_interface_t *ifp, isc_boolean_t tcp); -/*% - * Create up to 'n' clients listening on interface 'ifp'. - * If 'tcp' is ISC_TRUE, the clients will listen for TCP connections, - * otherwise for UDP requests. - */ - -isc_sockaddr_t * -ns_client_getsockaddr(ns_client_t *client); -/*% - * Get the socket address of the client whose request is - * currently being processed. 
- */ - -isc_result_t -ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl, - isc_boolean_t default_allow); - -/*% - * Convenience function for client request ACL checking. - * - * Check the current client request against 'acl'. If 'acl' - * is NULL, allow the request iff 'default_allow' is ISC_TRUE. - * - * Notes: - *\li This is appropriate for checking allow-update, - * allow-query, allow-transfer, etc. It is not appropriate - * for checking the blackhole list because we treat positive - * matches as "allow" and negative matches as "deny"; in - * the case of the blackhole list this would be backwards. - * - * Requires: - *\li 'client' points to a valid client. - *\li 'acl' points to a valid ACL, or is NULL. - * - * Returns: - *\li ISC_R_SUCCESS if the request should be allowed - * \li ISC_R_REFUSED if the request should be denied - *\li No other return values are possible. - */ - -isc_result_t -ns_client_checkacl(ns_client_t *client, - const char *opname, dns_acl_t *acl, - isc_boolean_t default_allow, - int log_level); -/*% - * Like ns_client_checkacl, but also logs the outcome of the - * check at log level 'log_level' if denied, and at debug 3 - * if approved. Log messages will refer to the request as - * an 'opname' request. - * - * Requires: - *\li Those of ns_client_checkaclsilent(), and: - * - *\li 'opname' points to a null-terminated string. - */ - -void -ns_client_log(ns_client_t *client, isc_logcategory_t *category, - isc_logmodule_t *module, int level, - const char *fmt, ...) 
ISC_FORMAT_PRINTF(5, 6); - -void -ns_client_logv(ns_client_t *client, isc_logcategory_t *category, - isc_logmodule_t *module, int level, const char *fmt, va_list ap) ISC_FORMAT_PRINTF(5, 0); - -void -ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type, - dns_rdataclass_t rdclass, char *buf, size_t len); - -#define NS_CLIENT_ACLMSGSIZE(x) \ - (DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + \ - DNS_RDATACLASS_FORMATSIZE + sizeof(x) + sizeof("'/'")) - -void -ns_client_recursing(ns_client_t *client); -/*% - * Add client to end of th recursing list. - */ - -void -ns_client_killoldestquery(ns_client_t *client); -/*% - * Kill the oldest recursive query (recursing list head). - */ - -void -ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager); -/*% - * Dump the outstanding recursive queries to 'f'. - */ - -void -ns_client_qnamereplace(ns_client_t *client, dns_name_t *name); -/*% - * Replace the qname. - */ - -isc_boolean_t -ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey, - isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr, - dns_rdataclass_t rdclass, void *arg); -/*% - * Isself callback. - */ - -#endif /* NAMED_CLIENT_H */ diff --git a/usr.sbin/bind/bin/named/include/named/config.h b/usr.sbin/bind/bin/named/include/named/config.h deleted file mode 100644 index eb988c93ae7..00000000000 --- a/usr.sbin/bind/bin/named/include/named/config.h +++ /dev/null 
@@ -1,79 +0,0 @@ -/* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001, 2002 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: config.h,v 1.6.18.6 2006/02/28 03:10:47 marka Exp $ */ - -#ifndef NAMED_CONFIG_H -#define NAMED_CONFIG_H 1 - -/*! 
\file */ - -#include - -#include -#include - -isc_result_t -ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf); - -isc_result_t -ns_config_get(const cfg_obj_t **maps, const char* name, const cfg_obj_t **obj); - -isc_result_t -ns_checknames_get(const cfg_obj_t **maps, const char* name, - const cfg_obj_t **obj); - -int -ns_config_listcount(const cfg_obj_t *list); - -isc_result_t -ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass, - dns_rdataclass_t *classp); - -isc_result_t -ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype, - dns_rdatatype_t *typep); - -dns_zonetype_t -ns_config_getzonetype(const cfg_obj_t *zonetypeobj); - -isc_result_t -ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list, - in_port_t defport, isc_mem_t *mctx, - isc_sockaddr_t **addrsp, isc_uint32_t *countp); - -void -ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp, - isc_uint32_t count); - -isc_result_t -ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list, - isc_mem_t *mctx, isc_sockaddr_t **addrsp, - dns_name_t ***keys, isc_uint32_t *countp); - -void -ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp, - dns_name_t ***keys, isc_uint32_t count); - -isc_result_t -ns_config_getport(const cfg_obj_t *config, in_port_t *portp); - -isc_result_t -ns_config_getkeyalgorithm(const char *str, dns_name_t **name, - isc_uint16_t *digestbits); - -#endif /* NAMED_CONFIG_H */ diff --git a/usr.sbin/bind/bin/named/include/named/control.h b/usr.sbin/bind/bin/named/include/named/control.h deleted file mode 100644 index 9f155941d07..00000000000 --- a/usr.sbin/bind/bin/named/include/named/control.h +++ /dev/null 
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: control.h,v 1.14.18.8 2006/03/09 23:46:20 marka Exp $ */
-
-#ifndef NAMED_CONTROL_H
-#define NAMED_CONTROL_H 1
-
-/*! \file
- * \brief
- * The name server command channel.
- */
-
-#include
-
-#include
-
-#include
-
-#define NS_CONTROL_PORT 953
-
-#define NS_COMMAND_STOP "stop"
-#define NS_COMMAND_HALT "halt"
-#define NS_COMMAND_RELOAD "reload"
-#define NS_COMMAND_RECONFIG "reconfig"
-#define NS_COMMAND_REFRESH "refresh"
-#define NS_COMMAND_RETRANSFER "retransfer"
-#define NS_COMMAND_DUMPSTATS "stats"
-#define NS_COMMAND_QUERYLOG "querylog"
-#define NS_COMMAND_DUMPDB "dumpdb"
-#define NS_COMMAND_TRACE "trace"
-#define NS_COMMAND_NOTRACE "notrace"
-#define NS_COMMAND_FLUSH "flush"
-#define NS_COMMAND_FLUSHNAME "flushname"
-#define NS_COMMAND_STATUS "status"
-#define NS_COMMAND_FREEZE "freeze"
-#define NS_COMMAND_UNFREEZE "unfreeze"
-#define NS_COMMAND_THAW "thaw"
-#define NS_COMMAND_TIMERPOKE "timerpoke"
-#define NS_COMMAND_RECURSING "recursing"
-#define NS_COMMAND_NULL "null"
-#define NS_COMMAND_NOTIFY "notify"
-#define NS_COMMAND_VALIDATION "validation"
-
-isc_result_t
-ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
-/*%<
- * Create an initial, empty set of command channels for 'server'.
- */
-
-void
-ns_controls_destroy(ns_controls_t **ctrlsp);
-/*%<
- * Destroy a set of command channels.
- *
- * Requires:
- * Shutdown of the channels has completed.
- */
-
-isc_result_t
-ns_controls_configure(ns_controls_t *controls, const cfg_obj_t *config,
- cfg_aclconfctx_t *aclconfctx);
-/*%<
- * Configure zero or more command channels into 'controls'
- * as defined in the configuration parse tree 'config'.
- * The channels will evaluate ACLs in the context of
- * 'aclconfctx'.
- */
-
-void
-ns_controls_shutdown(ns_controls_t *controls);
-/*%<
- * Initiate shutdown of all the command channels in 'controls'.
- */
-
-isc_result_t
-ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text);
-
-#endif /* NAMED_CONTROL_H */
diff --git a/usr.sbin/bind/bin/named/include/named/globals.h b/usr.sbin/bind/bin/named/include/named/globals.h
deleted file mode 100644
index 937536b3f1a..00000000000
--- a/usr.sbin/bind/bin/named/include/named/globals.h
+++ /dev/null
@@ -1,122 +0,0 @@ -/* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: globals.h,v 1.64.18.4 2006/03/02 00:37:21 marka Exp $ */ - -#ifndef NAMED_GLOBALS_H -#define NAMED_GLOBALS_H 1 - -/*! \file */ - -#include -#include -#include - -#include - -#include - -#include - -#undef EXTERN -#undef INIT -#ifdef NS_MAIN -#define EXTERN -#define INIT(v) = (v) -#else -#define EXTERN extern -#define INIT(v) -#endif - -EXTERN isc_mem_t * ns_g_mctx INIT(NULL); -EXTERN unsigned int ns_g_cpus INIT(0); -EXTERN isc_taskmgr_t * ns_g_taskmgr INIT(NULL); -EXTERN dns_dispatchmgr_t * ns_g_dispatchmgr INIT(NULL); -EXTERN isc_entropy_t * ns_g_entropy INIT(NULL); -EXTERN isc_entropy_t * ns_g_fallbackentropy INIT(NULL); - -/* - * XXXRTH We're going to want multiple timer managers eventually. One - * for really short timers, another for client timers, and one - * for zone timers. 
- */ -EXTERN isc_timermgr_t * ns_g_timermgr INIT(NULL); -EXTERN isc_socketmgr_t * ns_g_socketmgr INIT(NULL); -EXTERN cfg_parser_t * ns_g_parser INIT(NULL); -EXTERN const char * ns_g_version INIT(VERSION); -EXTERN in_port_t ns_g_port INIT(0); -EXTERN in_port_t lwresd_g_listenport INIT(0); - -EXTERN ns_server_t * ns_g_server INIT(NULL); - -EXTERN isc_boolean_t ns_g_lwresdonly INIT(ISC_FALSE); - -/* - * Logging. - */ -EXTERN isc_log_t * ns_g_lctx INIT(NULL); -EXTERN isc_logcategory_t * ns_g_categories INIT(NULL); -EXTERN isc_logmodule_t * ns_g_modules INIT(NULL); -EXTERN unsigned int ns_g_debuglevel INIT(0); - -/* - * Current configuration information. - */ -EXTERN cfg_obj_t * ns_g_config INIT(NULL); -EXTERN const cfg_obj_t * ns_g_defaults INIT(NULL); -EXTERN const char * ns_g_conffile INIT(NS_SYSCONFDIR - "/named.conf"); -EXTERN const char * ns_g_keyfile INIT(NS_SYSCONFDIR - "/rndc.key"); -EXTERN const char * lwresd_g_conffile INIT(NS_SYSCONFDIR - "/lwresd.conf"); -EXTERN const char * lwresd_g_resolvconffile INIT("/etc" - "/resolv.conf"); -EXTERN isc_boolean_t ns_g_conffileset INIT(ISC_FALSE); -EXTERN isc_boolean_t lwresd_g_useresolvconf INIT(ISC_FALSE); -EXTERN isc_uint16_t ns_g_udpsize INIT(4096); - -/* - * Initial resource limits. - */ -EXTERN isc_resourcevalue_t ns_g_initstacksize INIT(0); -EXTERN isc_resourcevalue_t ns_g_initdatasize INIT(0); -EXTERN isc_resourcevalue_t ns_g_initcoresize INIT(0); -EXTERN isc_resourcevalue_t ns_g_initopenfiles INIT(0); - -/* - * Misc. 
- */ -EXTERN isc_boolean_t ns_g_coreok INIT(ISC_TRUE); -EXTERN const char * ns_g_chrootdir INIT(NULL); -EXTERN isc_boolean_t ns_g_foreground INIT(ISC_FALSE); -EXTERN isc_boolean_t ns_g_logstderr INIT(ISC_FALSE); - -EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR - "/run/named.pid"); -EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR - "/run/lwresd.pid"); -EXTERN const char * ns_g_pidfile INIT(NS_LOCALSTATEDIR - "/run/named.pid"); -EXTERN const char * ns_g_username INIT("named"); - -EXTERN int ns_g_listen INIT(3); - -#undef EXTERN -#undef INIT - -#endif /* NAMED_GLOBALS_H */ diff --git a/usr.sbin/bind/bin/named/include/named/interfacemgr.h b/usr.sbin/bind/bin/named/include/named/interfacemgr.h deleted file mode 100644 index b2eb91c1e15..00000000000 --- a/usr.sbin/bind/bin/named/include/named/interfacemgr.h +++ /dev/null 
@@ -1,176 +0,0 @@ -/* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: interfacemgr.h,v 1.26.18.4 2005/04/27 05:00:35 sra Exp $ */ - -#ifndef NAMED_INTERFACEMGR_H -#define NAMED_INTERFACEMGR_H 1 - -/***** - ***** Module Info - *****/ - -/*! \file - * \brief - * The interface manager monitors the operating system's list - * of network interfaces, creating and destroying listeners - * as needed. - * - * Reliability: - *\li No impact expected. - * - * Resources: - * - * Security: - * \li The server will only be able to bind to the DNS port on - * newly discovered interfaces if it is running as root. - * - * Standards: - *\li The API for scanning varies greatly among operating systems. - * This module attempts to hide the differences. - */ - -/*** - *** Imports - ***/ - -#include -#include -#include - -#include - -#include -#include - -/*** - *** Types - ***/ - -#define IFACE_MAGIC ISC_MAGIC('I',':','-',')') -#define NS_INTERFACE_VALID(t) ISC_MAGIC_VALID(t, IFACE_MAGIC) - -#define NS_INTERFACEFLAG_ANYADDR 0x01U /*%< bound to "any" address */ - -/*% The nameserver interface structure */ -struct ns_interface { - unsigned int magic; /*%< Magic number. 
*/ - ns_interfacemgr_t * mgr; /*%< Interface manager. */ - isc_mutex_t lock; - int references; /*%< Locked */ - unsigned int generation; /*%< Generation number. */ - isc_sockaddr_t addr; /*%< Address and port. */ - unsigned int flags; /*%< Interface characteristics */ - char name[32]; /*%< Null terminated. */ - dns_dispatch_t * udpdispatch; /*%< UDP dispatcher. */ - isc_socket_t * tcpsocket; /*%< TCP socket. */ - int ntcptarget; /*%< Desired number of concurrent - TCP accepts */ - int ntcpcurrent; /*%< Current ditto, locked */ - ns_clientmgr_t * clientmgr; /*%< Client manager. */ - ISC_LINK(ns_interface_t) link; -}; - -/*** - *** Functions - ***/ - -isc_result_t -ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, - isc_socketmgr_t *socketmgr, - dns_dispatchmgr_t *dispatchmgr, - ns_interfacemgr_t **mgrp); -/*% - * Create a new interface manager. - * - * Initially, the new manager will not listen on any interfaces. - * Call ns_interfacemgr_setlistenon() and/or ns_interfacemgr_setlistenon6() - * to set nonempty listen-on lists. - */ - -void -ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target); - -void -ns_interfacemgr_detach(ns_interfacemgr_t **targetp); - -void -ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr); - -void -ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose); -/*% - * Scan the operatings system's list of network interfaces - * and create listeners when new interfaces are discovered. - * Shut down the sockets for interfaces that go away. - * - * This should be called once on server startup and then - * periodically according to the 'interface-interval' option - * in named.conf. - */ - -void -ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list, - isc_boolean_t verbose); -/*% - * Similar to ns_interfacemgr_scan(), but this function also tries to see the - * need for an explicit listen-on when a list element in 'list' is going to - * override an already-listening a wildcard interface. 
- * - * This function does not update localhost and localnets ACLs. - * - * This should be called once on server startup, after configuring views and - * zones. - */ - -void -ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value); -/*% - * Set the IPv4 "listen-on" list of 'mgr' to 'value'. - * The previous IPv4 listen-on list is freed. - */ - -void -ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value); -/*% - * Set the IPv6 "listen-on" list of 'mgr' to 'value'. - * The previous IPv6 listen-on list is freed. - */ - -dns_aclenv_t * -ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr); - -void -ns_interface_attach(ns_interface_t *source, ns_interface_t **target); - -void -ns_interface_detach(ns_interface_t **targetp); - -void -ns_interface_shutdown(ns_interface_t *ifp); -/*% - * Stop listening for queries on interface 'ifp'. - * May safely be called multiple times. - */ - -void -ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr); - -isc_boolean_t -ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr); - -#endif /* NAMED_INTERFACEMGR_H */ diff --git a/usr.sbin/bind/bin/named/include/named/listenlist.h b/usr.sbin/bind/bin/named/include/named/listenlist.h deleted file mode 100644 index 40d81cdd774..00000000000 --- a/usr.sbin/bind/bin/named/include/named/listenlist.h +++ /dev/null 
@@ -1,105 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: listenlist.h,v 1.11.18.2 2005/04/29 00:15:34 marka Exp $ */
-
-#ifndef NAMED_LISTENLIST_H
-#define NAMED_LISTENLIST_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * "Listen lists", as in the "listen-on" configuration statement.
- */
-
-/***
- *** Imports
- ***/
-#include
-
-#include
-
-/***
- *** Types
- ***/
-
-typedef struct ns_listenelt ns_listenelt_t;
-typedef struct ns_listenlist ns_listenlist_t;
-
-struct ns_listenelt {
- isc_mem_t * mctx;
- in_port_t port;
- dns_acl_t * acl;
- ISC_LINK(ns_listenelt_t) link;
-};
-
-struct ns_listenlist {
- isc_mem_t * mctx;
- int refcount;
- ISC_LIST(ns_listenelt_t) elts;
-};
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
- dns_acl_t *acl, ns_listenelt_t **target);
-/*%
- * Create a listen-on list element.
- */
-
-void
-ns_listenelt_destroy(ns_listenelt_t *elt);
-/*%
- * Destroy a listen-on list element.
- */
-
-isc_result_t
-ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target);
-/*%
- * Create a new, empty listen-on list.
- */
-
-void
-ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target);
-/*%
- * Attach '*target' to '*source'.
- */
-
-void
-ns_listenlist_detach(ns_listenlist_t **listp);
-/*%
- * Detach 'listp'.
- */
-
-isc_result_t
-ns_listenlist_default(isc_mem_t *mctx, in_port_t port,
- isc_boolean_t enabled, ns_listenlist_t **target);
-/*%
- * Create a listen-on list with default contents, matching
- * all addresses with port 'port' (if 'enabled' is ISC_TRUE),
- * or no addresses (if 'enabled' is ISC_FALSE).
- */
-
-#endif /* NAMED_LISTENLIST_H */
-
-
diff --git a/usr.sbin/bind/bin/named/include/named/log.h b/usr.sbin/bind/bin/named/include/named/log.h
deleted file mode 100644
index 4794e77a618..00000000000
--- a/usr.sbin/bind/bin/named/include/named/log.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: log.h,v 1.21.18.2 2005/04/29 00:15:35 marka Exp $ */
-
-#ifndef NAMED_LOG_H
-#define NAMED_LOG_H 1
-
-/*! \file */
-
-#include
-#include
-
-#include
-
-#include /* Required for ns_g_(categories|modules). */
-
-/* Unused slot 0. */
-#define NS_LOGCATEGORY_CLIENT (&ns_g_categories[1])
-#define NS_LOGCATEGORY_NETWORK (&ns_g_categories[2])
-#define NS_LOGCATEGORY_UPDATE (&ns_g_categories[3])
-#define NS_LOGCATEGORY_QUERIES (&ns_g_categories[4])
-#define NS_LOGCATEGORY_UNMATCHED (&ns_g_categories[5])
-#define NS_LOGCATEGORY_UPDATE_SECURITY (&ns_g_categories[6])
-
-/*
- * Backwards compatibility.
- */
-#define NS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
-
-#define NS_LOGMODULE_MAIN (&ns_g_modules[0])
-#define NS_LOGMODULE_CLIENT (&ns_g_modules[1])
-#define NS_LOGMODULE_SERVER (&ns_g_modules[2])
-#define NS_LOGMODULE_QUERY (&ns_g_modules[3])
-#define NS_LOGMODULE_INTERFACEMGR (&ns_g_modules[4])
-#define NS_LOGMODULE_UPDATE (&ns_g_modules[5])
-#define NS_LOGMODULE_XFER_IN (&ns_g_modules[6])
-#define NS_LOGMODULE_XFER_OUT (&ns_g_modules[7])
-#define NS_LOGMODULE_NOTIFY (&ns_g_modules[8])
-#define NS_LOGMODULE_CONTROL (&ns_g_modules[9])
-#define NS_LOGMODULE_LWRESD (&ns_g_modules[10])
-
-isc_result_t
-ns_log_init(isc_boolean_t safe);
-/*%
- * Initialize the logging system and set up an initial default
- * logging default configuration that will be used until the
- * config file has been read.
- *
- * If 'safe' is true, use a default configuration that refrains
- * from opening files. This is to avoid creating log files
- * as root.
- */
-
-isc_result_t
-ns_log_setdefaultchannels(isc_logconfig_t *lcfg);
-/*%
- * Set up logging channels according to the named defaults, which
- * may differ from the logging library defaults. Currently,
- * this just means setting up default_debug.
- */
-
-isc_result_t
-ns_log_setsafechannels(isc_logconfig_t *lcfg);
-/*%
- * Like ns_log_setdefaultchannels(), but omits any logging to files.
- */
-
-isc_result_t
-ns_log_setdefaultcategory(isc_logconfig_t *lcfg);
-/*%
- * Set up "category default" to go to the right places.
- */
-
-isc_result_t
-ns_log_setunmatchedcategory(isc_logconfig_t *lcfg);
-/*%
- * Set up "category unmatched" to go to the right places.
- */
-
-void
-ns_log_shutdown(void);
-
-#endif /* NAMED_LOG_H */
diff --git a/usr.sbin/bind/bin/named/include/named/logconf.h b/usr.sbin/bind/bin/named/include/named/logconf.h
deleted file mode 100644
index d360909ef15..00000000000
--- a/usr.sbin/bind/bin/named/include/named/logconf.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: logconf.h,v 1.11.18.4 2006/03/02 00:37:21 marka Exp $ */
-
-#ifndef NAMED_LOGCONF_H
-#define NAMED_LOGCONF_H 1
-
-/*! \file */
-
-#include
-
-isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt);
-/*%<
- * Set up the logging configuration in '*logconf' according to
- * the named.conf data in 'logstmt'.
- */
-
-#endif /* NAMED_LOGCONF_H */
diff --git a/usr.sbin/bind/bin/named/include/named/lwaddr.h b/usr.sbin/bind/bin/named/include/named/lwaddr.h
deleted file mode 100644
index 2cf573a267b..00000000000
--- a/usr.sbin/bind/bin/named/include/named/lwaddr.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: lwaddr.h,v 1.4.18.2 2005/04/29 00:15:35 marka Exp $ */
-
-/*! \file */
-
-#include
-#include
-
-isc_result_t
-lwaddr_netaddr_fromlwresaddr(isc_netaddr_t *na, lwres_addr_t *la);
-
-isc_result_t
-lwaddr_sockaddr_fromlwresaddr(isc_sockaddr_t *sa, lwres_addr_t *la,
- in_port_t port);
-
-isc_result_t
-lwaddr_lwresaddr_fromnetaddr(lwres_addr_t *la, isc_netaddr_t *na);
-
-isc_result_t
-lwaddr_lwresaddr_fromsockaddr(lwres_addr_t *la, isc_sockaddr_t *sa);
diff --git a/usr.sbin/bind/bin/named/include/named/lwdclient.h b/usr.sbin/bind/bin/named/include/named/lwdclient.h
deleted file mode 100644
index 96563733845..00000000000
--- a/usr.sbin/bind/bin/named/include/named/lwdclient.h
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: lwdclient.h,v 1.14.18.2 2005/04/29 00:15:36 marka Exp $ */
-
-#ifndef NAMED_LWDCLIENT_H
-#define NAMED_LWDCLIENT_H 1
-
-/*! \file */
-
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-
-#include
-
-#include
-
-#define LWRD_EVENTCLASS ISC_EVENTCLASS(4242)
-
-#define LWRD_SHUTDOWN (LWRD_EVENTCLASS + 0x0001)
-
-/*% Lighweight Resolver Daemon Client */
-struct ns_lwdclient {
- isc_sockaddr_t address; /*%< where to reply */
- struct in6_pktinfo pktinfo;
- isc_boolean_t pktinfo_valid;
- ns_lwdclientmgr_t *clientmgr; /*%< our parent */
- ISC_LINK(ns_lwdclient_t) link;
- unsigned int state;
- void *arg; /*%< packet processing state */
-
- /*
- * Received data info.
- */
- unsigned char buffer[LWRES_RECVLENGTH]; /*%< receive buffer */
- isc_uint32_t recvlength; /*%< length recv'd */
- lwres_lwpacket_t pkt;
-
- /*%
- * Send data state. If sendbuf != buffer (that is, the send buffer
- * isn't our receive buffer) it will be freed to the lwres_context_t.
- */
- unsigned char *sendbuf;
- isc_uint32_t sendlength;
- isc_buffer_t recv_buffer;
-
- /*%
- * gabn (get address by name) state info.
- */
- dns_adbfind_t *find;
- dns_adbfind_t *v4find;
- dns_adbfind_t *v6find;
- unsigned int find_wanted; /*%< Addresses we want */
- dns_fixedname_t query_name;
- dns_fixedname_t target_name;
- ns_lwsearchctx_t searchctx;
- lwres_gabnresponse_t gabn;
-
- /*%
- * gnba (get name by address) state info.
- */
- lwres_gnbaresponse_t gnba;
- dns_byaddr_t *byaddr;
- unsigned int options;
- isc_netaddr_t na;
-
- /*%
- * grbn (get rrset by name) state info.
- *
- * Note: this also uses target_name and searchctx.
- */
- lwres_grbnresponse_t grbn;
- dns_lookup_t *lookup;
- dns_rdatatype_t rdtype;
-
- /*%
- * Alias and address info. This is copied up to the gabn/gnba
- * structures eventually.
- *
- * XXXMLG We can keep all of this in a client since we only service
- * three packet types right now. If we started handling more,
- * we'd need to use "arg" above and allocate/destroy things.
- */
- char *aliases[LWRES_MAX_ALIASES];
- isc_uint16_t aliaslen[LWRES_MAX_ALIASES];
- lwres_addr_t addrs[LWRES_MAX_ADDRS];
-};
-
-/*%
- * Client states.
- *
- * _IDLE The client is not doing anything at all.
- *
- * _RECV The client is waiting for data after issuing a socket recv().
- *
- * _RECVDONE Data has been received, and is being processed.
- *
- * _FINDWAIT An adb (or other) request was made that cannot be satisfied
- * immediately. An event will wake the client up.
- *
- * _SEND All data for a response has completed, and a reply was
- * sent via a socket send() call.
- *
- * Badly formatted state table:
- *
- * IDLE -> RECV when client has a recv() queued.
- *
- * RECV -> RECVDONE when recvdone event received.
- *
- * RECVDONE -> SEND if the data for a reply is at hand.
- * RECVDONE -> FINDWAIT if more searching is needed, and events will
- * eventually wake us up again.
- *
- * FINDWAIT -> SEND when enough data was received to reply.
- *
- * SEND -> IDLE when a senddone event was received.
- *
- * At any time -> IDLE on error. Sometimes this will be -> SEND
- * instead, if enough data is on hand to reply with a meaningful
- * error.
- *
- * Packets which are badly formatted may or may not get error returns.
- */
-#define NS_LWDCLIENT_STATEIDLE 1
-#define NS_LWDCLIENT_STATERECV 2
-#define NS_LWDCLIENT_STATERECVDONE 3
-#define NS_LWDCLIENT_STATEFINDWAIT 4
-#define NS_LWDCLIENT_STATESEND 5
-#define NS_LWDCLIENT_STATESENDDONE 6
-
-#define NS_LWDCLIENT_ISIDLE(c) \
- ((c)->state == NS_LWDCLIENT_STATEIDLE)
-#define NS_LWDCLIENT_ISRECV(c) \
- ((c)->state == NS_LWDCLIENT_STATERECV)
-#define NS_LWDCLIENT_ISRECVDONE(c) \
- ((c)->state == NS_LWDCLIENT_STATERECVDONE)
-#define NS_LWDCLIENT_ISFINDWAIT(c) \
- ((c)->state == NS_LWDCLIENT_STATEFINDWAIT)
-#define NS_LWDCLIENT_ISSEND(c) \
- ((c)->state == NS_LWDCLIENT_STATESEND)
-
-/*%
- * Overall magic test that means we're not idle.
- */
-#define NS_LWDCLIENT_ISRUNNING(c) (!NS_LWDCLIENT_ISIDLE(c))
-
-#define NS_LWDCLIENT_SETIDLE(c) \
- ((c)->state = NS_LWDCLIENT_STATEIDLE)
-#define NS_LWDCLIENT_SETRECV(c) \
- ((c)->state = NS_LWDCLIENT_STATERECV)
-#define NS_LWDCLIENT_SETRECVDONE(c) \
- ((c)->state = NS_LWDCLIENT_STATERECVDONE)
-#define NS_LWDCLIENT_SETFINDWAIT(c) \
- ((c)->state = NS_LWDCLIENT_STATEFINDWAIT)
-#define NS_LWDCLIENT_SETSEND(c) \
- ((c)->state = NS_LWDCLIENT_STATESEND)
-#define NS_LWDCLIENT_SETSENDDONE(c) \
- ((c)->state = NS_LWDCLIENT_STATESENDDONE)
-
-/*% lightweight daemon client manager */
-struct ns_lwdclientmgr {
- ns_lwreslistener_t *listener;
- isc_mem_t *mctx;
- isc_socket_t *sock; /*%< socket to use */
- dns_view_t *view;
- lwres_context_t *lwctx; /*%< lightweight proto context */
- isc_task_t *task; /*%< owning task */
- unsigned int flags;
- ISC_LINK(ns_lwdclientmgr_t) link;
- ISC_LIST(ns_lwdclient_t) idle; /*%< idle client slots */
- ISC_LIST(ns_lwdclient_t) running; /*%< running clients */
-};
-
-#define NS_LWDCLIENTMGR_FLAGRECVPENDING 0x00000001
-#define NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN 0x00000002
-
-isc_result_t
-ns_lwdclientmgr_create(ns_lwreslistener_t *, unsigned int, isc_taskmgr_t *);
-
-void
-ns_lwdclient_initialize(ns_lwdclient_t *, ns_lwdclientmgr_t *);
-
-isc_result_t
-ns_lwdclient_startrecv(ns_lwdclientmgr_t *);
-
-void
-ns_lwdclient_stateidle(ns_lwdclient_t *);
-
-void
-ns_lwdclient_recv(isc_task_t *, isc_event_t *);
-
-void
-ns_lwdclient_shutdown(isc_task_t *, isc_event_t *);
-
-void
-ns_lwdclient_send(isc_task_t *, isc_event_t *);
-
-isc_result_t
-ns_lwdclient_sendreply(ns_lwdclient_t *client, isc_region_t *r);
-
-/*
- * Processing functions of various types.
- */
-void ns_lwdclient_processgabn(ns_lwdclient_t *, lwres_buffer_t *);
-void ns_lwdclient_processgnba(ns_lwdclient_t *, lwres_buffer_t *);
-void ns_lwdclient_processgrbn(ns_lwdclient_t *, lwres_buffer_t *);
-void ns_lwdclient_processnoop(ns_lwdclient_t *, lwres_buffer_t *);
-
-void ns_lwdclient_errorpktsend(ns_lwdclient_t *, isc_uint32_t);
-
-void ns_lwdclient_log(int level, const char *format, ...)
- ISC_FORMAT_PRINTF(2, 3);
-
-#endif /* NAMED_LWDCLIENT_H */
diff --git a/usr.sbin/bind/bin/named/include/named/lwresd.h b/usr.sbin/bind/bin/named/include/named/lwresd.h
deleted file mode 100644
index a6b5861e143..00000000000
--- a/usr.sbin/bind/bin/named/include/named/lwresd.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: lwresd.h,v 1.13.18.4 2006/03/02 00:37:21 marka Exp $ */
-
-#ifndef NAMED_LWRESD_H
-#define NAMED_LWRESD_H 1
-
-/*! \file */
-
-#include
-#include
-
-#include
-
-#include
-
-struct ns_lwresd {
- unsigned int magic;
-
- isc_mutex_t lock;
- dns_view_t *view;
- ns_lwsearchlist_t *search;
- unsigned int ndots;
- isc_mem_t *mctx;
- isc_boolean_t shutting_down;
- unsigned int refs;
-};
-
-struct ns_lwreslistener {
- unsigned int magic;
-
- isc_mutex_t lock;
- isc_mem_t *mctx;
- isc_sockaddr_t address;
- ns_lwresd_t *manager;
- isc_socket_t *sock;
- unsigned int refs;
- ISC_LIST(ns_lwdclientmgr_t) cmgrs;
- ISC_LINK(ns_lwreslistener_t) link;
-};
-
-/*%
- * Configure lwresd.
- */
-isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config);
-
-isc_result_t
-ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
- cfg_obj_t **configp);
-
-/*%
- * Trigger shutdown.
- */
-void
-ns_lwresd_shutdown(void);
-
-/*
- * Manager functions
- */
-/*% create manager */
-isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
- ns_lwresd_t **lwresdp);
-
-/*% attach to manager */
-void
-ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp);
-
-/*% detach from manager */
-void
-ns_lwdmanager_detach(ns_lwresd_t **lwresdp);
-
-/*
- * Listener functions
- */
-/*% attach to listener */
-void
-ns_lwreslistener_attach(ns_lwreslistener_t *source,
- ns_lwreslistener_t **targetp);
-
-/*% detach from lister */
-void
-ns_lwreslistener_detach(ns_lwreslistener_t **listenerp);
-
-/*% link client manager */
-void
-ns_lwreslistener_unlinkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm);
-
-/*% unlink client manager */
-void
-ns_lwreslistener_linkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm);
-
-
-
-
-/*
- * INTERNAL FUNCTIONS.
- */
-void *
-ns__lwresd_memalloc(void *arg, size_t size);
-
-void
-ns__lwresd_memfree(void *arg, void *mem, size_t size);
-
-#endif /* NAMED_LWRESD_H */
diff --git a/usr.sbin/bind/bin/named/include/named/lwsearch.h b/usr.sbin/bind/bin/named/include/named/lwsearch.h
deleted file mode 100644
index e4efcc3c088..00000000000
--- a/usr.sbin/bind/bin/named/include/named/lwsearch.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: lwsearch.h,v 1.5.18.2 2005/04/29 00:15:36 marka Exp $ */
-
-#ifndef NAMED_LWSEARCH_H
-#define NAMED_LWSEARCH_H 1
-
-#include
-#include
-#include
-
-#include
-
-#include
-
-/*! \file
- * \brief
- * Lightweight resolver search list types and routines.
- *
- * An ns_lwsearchlist_t holds a list of search path elements.
- *
- * An ns_lwsearchctx stores the state of search list during a lookup
- * operation.
- */
-
-/*% An ns_lwsearchlist_t holds a list of search path elements. */
-struct ns_lwsearchlist {
- unsigned int magic;
-
- isc_mutex_t lock;
- isc_mem_t *mctx;
- unsigned int refs;
- dns_namelist_t names;
-};
-/*% An ns_lwsearchctx stores the state of search list during a lookup operation. */
-struct ns_lwsearchctx {
- dns_name_t *relname;
- dns_name_t *searchname;
- unsigned int ndots;
- ns_lwsearchlist_t *list;
- isc_boolean_t doneexact;
- isc_boolean_t exactfirst;
-};
-
-isc_result_t
-ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp);
-/*%<
- * Create an empty search list object.
- */
-
-void
-ns_lwsearchlist_attach(ns_lwsearchlist_t *source, ns_lwsearchlist_t **target);
-/*%<
- * Attach to a search list object.
- */
-
-void
-ns_lwsearchlist_detach(ns_lwsearchlist_t **listp);
-/*%<
- * Detach from a search list object.
- */
-
-isc_result_t
-ns_lwsearchlist_append(ns_lwsearchlist_t *list, dns_name_t *name);
-/*%<
- * Append an element to a search list. This creates a copy of the name.
- */
-
-void
-ns_lwsearchctx_init(ns_lwsearchctx_t *sctx, ns_lwsearchlist_t *list,
- dns_name_t *name, unsigned int ndots);
-/*%<
- * Creates a search list context structure.
- */
-
-void
-ns_lwsearchctx_first(ns_lwsearchctx_t *sctx);
-/*%<
- * Moves the search list context iterator to the first element, which
- * is usually the exact name.
- */
-
-isc_result_t
-ns_lwsearchctx_next(ns_lwsearchctx_t *sctx);
-/*%<
- * Moves the search list context iterator to the next element.
- */
-
-isc_result_t
-ns_lwsearchctx_current(ns_lwsearchctx_t *sctx, dns_name_t *absname);
-/*%<
- * Obtains the current name to be looked up. This involves either
- * concatenating the name with a search path element, making an
- * exact name absolute, or doing nothing.
- */
-
-#endif /* NAMED_LWSEARCH_H */
diff --git a/usr.sbin/bind/bin/named/include/named/main.h b/usr.sbin/bind/bin/named/include/named/main.h
deleted file mode 100644
index 194b0bc16cd..00000000000
--- a/usr.sbin/bind/bin/named/include/named/main.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: main.h,v 1.11.18.2 2005/04/29 00:15:37 marka Exp $ */
-
-#ifndef NAMED_MAIN_H
-#define NAMED_MAIN_H 1
-
-/*! \file */
-
-void
-ns_main_earlyfatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-ns_main_earlywarning(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-ns_main_setmemstats(const char *);
-
-#endif /* NAMED_MAIN_H */
diff --git a/usr.sbin/bind/bin/named/include/named/notify.h b/usr.sbin/bind/bin/named/include/named/notify.h
deleted file mode 100644
index b2a875068db..00000000000
--- a/usr.sbin/bind/bin/named/include/named/notify.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: notify.h,v 1.10.18.2 2005/04/29 00:15:37 marka Exp $ */
-
-#ifndef NAMED_NOTIFY_H
-#define NAMED_NOTIFY_H 1
-
-#include
-#include
-
-/***
- *** Module Info
- ***/
-
-/*! \file
- * \brief
- * RFC1996
- * A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
- */
-
-/***
- *** Functions.
- ***/
-
-void
-ns_notify_start(ns_client_t *client);
-
-/*%<
- * Examines the incoming message to determine apporiate zone.
- * Returns FORMERR if there is not exactly one question.
- * Returns REFUSED if we do not serve the listed zone.
- * Pass the message to the zone module for processing
- * and returns the return status.
- *
- * Requires
- *\li client to be valid.
- */
-
-#endif /* NAMED_NOTIFY_H */
-
diff --git a/usr.sbin/bind/bin/named/include/named/ns_smf_globals.h b/usr.sbin/bind/bin/named/include/named/ns_smf_globals.h
deleted file mode 100644
index 430692eacbd..00000000000
--- a/usr.sbin/bind/bin/named/include/named/ns_smf_globals.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: ns_smf_globals.h,v 1.2.2.4 2005/05/13 01:32:46 marka Exp $ */
-
-#ifndef NS_SMF_GLOBALS_H
-#define NS_SMF_GLOBALS_H 1
-
-#include
-
-#undef EXTERN
-#undef INIT
-#ifdef NS_MAIN
-#define EXTERN
-#define INIT(v) = (v)
-#else
-#define EXTERN extern
-#define INIT(v)
-#endif
-
-EXTERN unsigned int ns_smf_got_instance INIT(0);
-EXTERN unsigned int ns_smf_chroot INIT(0);
-EXTERN unsigned int ns_smf_want_disable INIT(0);
-
-isc_result_t ns_smf_add_message(isc_buffer_t *text);
-isc_result_t ns_smf_get_instance(char **name, int debug, isc_mem_t *mctx);
-
-#undef EXTERN
-#undef INIT
-
-#endif /* NS_SMF_GLOBALS_H */
diff --git a/usr.sbin/bind/bin/named/include/named/query.h b/usr.sbin/bind/bin/named/include/named/query.h
deleted file mode 100644
index aada16b0ded..00000000000
--- a/usr.sbin/bind/bin/named/include/named/query.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: query.h,v 1.36.18.2 2005/04/29 00:15:37 marka Exp $ */
-
-#ifndef NAMED_QUERY_H
-#define NAMED_QUERY_H 1
-
-/*! \file */
-
-#include
-#include
-#include
-
-#include
-
-#include
-
-/*% nameserver database version structure */
-typedef struct ns_dbversion {
- dns_db_t *db;
- dns_dbversion_t *version;
- isc_boolean_t queryok;
- ISC_LINK(struct ns_dbversion) link;
-} ns_dbversion_t;
-
-/*% nameserver query structure */
-struct ns_query {
- unsigned int attributes;
- unsigned int restarts;
- isc_boolean_t timerset;
- dns_name_t * qname;
- dns_name_t * origqname;
- unsigned int dboptions;
- unsigned int fetchoptions;
- dns_db_t * gluedb;
- dns_db_t * authdb;
- dns_zone_t * authzone;
- isc_boolean_t authdbset;
- isc_boolean_t isreferral;
- isc_mutex_t fetchlock;
- dns_fetch_t * fetch;
- isc_bufferlist_t namebufs;
- ISC_LIST(ns_dbversion_t) activeversions;
- ISC_LIST(ns_dbversion_t) freeversions;
-};
-
-#define NS_QUERYATTR_RECURSIONOK 0x0001
-#define NS_QUERYATTR_CACHEOK 0x0002
-#define NS_QUERYATTR_PARTIALANSWER 0x0004
-#define NS_QUERYATTR_NAMEBUFUSED 0x0008
-#define NS_QUERYATTR_RECURSING 0x0010
-#define NS_QUERYATTR_CACHEGLUEOK 0x0020
-#define NS_QUERYATTR_QUERYOKVALID 0x0040
-#define NS_QUERYATTR_QUERYOK 0x0080
-#define NS_QUERYATTR_WANTRECURSION 0x0100
-#define NS_QUERYATTR_SECURE 0x0200
-#define NS_QUERYATTR_NOAUTHORITY 0x0400
-#define NS_QUERYATTR_NOADDITIONAL 0x0800
-
-isc_result_t
-ns_query_init(ns_client_t *client);
-
-void
-ns_query_free(ns_client_t *client);
-
-void
-ns_query_start(ns_client_t *client);
-
-void
-ns_query_cancel(ns_client_t *client);
-
-#endif /* NAMED_QUERY_H */
diff --git a/usr.sbin/bind/bin/named/include/named/server.h b/usr.sbin/bind/bin/named/include/named/server.h
deleted file mode 100644
index 0a83d45adab..00000000000
--- a/usr.sbin/bind/bin/named/include/named/server.h
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: server.h,v 1.73.18.8 2006/03/09 23:46:20 marka Exp $ */
-
-#ifndef NAMED_SERVER_H
-#define NAMED_SERVER_H 1
-
-/*! \file */
-
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-
-#include
-
-#define NS_EVENTCLASS ISC_EVENTCLASS(0x4E43)
-#define NS_EVENT_RELOAD (NS_EVENTCLASS + 0)
-#define NS_EVENT_CLIENTCONTROL (NS_EVENTCLASS + 1)
-
-/*%
- * Name server state. Better here than in lots of separate global variables.
- */
-struct ns_server {
- unsigned int magic;
- isc_mem_t * mctx;
-
- isc_task_t * task;
-
- /* Configurable data. */
- isc_quota_t xfroutquota;
- isc_quota_t tcpquota;
- isc_quota_t recursionquota;
- dns_acl_t *blackholeacl;
- char * statsfile; /*%< Statistics file name */
- char * dumpfile; /*%< Dump file name */
- char * recfile; /*%< Recursive file name */
- isc_boolean_t version_set; /*%< User has set version */
- char * version; /*%< User-specified version */
- isc_boolean_t hostname_set; /*%< User has set hostname */
- char * hostname; /*%< User-specified hostname */
- /*% Use hostname for server id */
- isc_boolean_t server_usehostname;
- char * server_id; /*%< User-specified server id */
-
- /*%
- * Current ACL environment. This defines the
- * current values of the localhost and localnets
- * ACLs.
- */
- dns_aclenv_t aclenv;
-
- /* Server data structures. */
- dns_loadmgr_t * loadmgr;
- dns_zonemgr_t * zonemgr;
- dns_viewlist_t viewlist;
- ns_interfacemgr_t * interfacemgr;
- dns_db_t * in_roothints;
- dns_tkeyctx_t * tkeyctx;
-
- isc_timer_t * interface_timer;
- isc_timer_t * heartbeat_timer;
- isc_timer_t * pps_timer;
-
- isc_uint32_t interface_interval;
- isc_uint32_t heartbeat_interval;
-
- isc_mutex_t reload_event_lock;
- isc_event_t * reload_event;
-
- isc_boolean_t flushonshutdown;
- isc_boolean_t log_queries; /*%< For BIND 8 compatibility */
-
- isc_uint64_t * querystats; /*%< Query statistics counters */
-
- ns_controls_t * controls; /*%< Control channels */
- unsigned int dispatchgen;
- ns_dispatchlist_t dispatches;
-
- dns_acache_t *acache;
-};
-
-#define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R')
-#define NS_SERVER_VALID(s) ISC_MAGIC_VALID(s, NS_SERVER_MAGIC)
-
-void
-ns_server_create(isc_mem_t *mctx, ns_server_t **serverp);
-/*%<
- * Create a server object with default settings.
- * This function either succeeds or causes the program to exit
- * with a fatal error.
- */
-
-void
-ns_server_destroy(ns_server_t **serverp);
-/*%<
- * Destroy a server object, freeing its memory.
- */
-
-void
-ns_server_reloadwanted(ns_server_t *server);
-/*%<
- * Inform a server that a reload is wanted. This function
- * may be called asynchronously, from outside the server's task.
- * If a reload is already scheduled or in progress, the call
- * is ignored.
- */
-
-void
-ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush);
-/*%<
- * Inform the server that the zones should be flushed to disk on shutdown.
- */
-
-isc_result_t
-ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text);
-/*%<
- * Act on a "reload" command from the command channel.
- */
-
-isc_result_t
-ns_server_reconfigcommand(ns_server_t *server, char *args);
-/*%<
- * Act on a "reconfig" command from the command channel.
- */
-
-isc_result_t
-ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text);
-/*%<
- * Act on a "notify" command from the command channel.
- */
-
-isc_result_t
-ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text);
-/*%<
- * Act on a "refresh" command from the command channel.
- */
-
-isc_result_t
-ns_server_retransfercommand(ns_server_t *server, char *args);
-/*%<
- * Act on a "retransfer" command from the command channel.
- */
-
-isc_result_t
-ns_server_togglequerylog(ns_server_t *server);
-/*%<
- * Toggle logging of queries, as in BIND 8.
- */
-
-/*%
- * Dump the current statistics to the statistics file.
- */
-isc_result_t
-ns_server_dumpstats(ns_server_t *server);
-
-/*%
- * Dump the current cache to the dump file.
- */
-isc_result_t
-ns_server_dumpdb(ns_server_t *server, char *args);
-
-/*%
- * Change or increment the server debug level.
- */
-isc_result_t
-ns_server_setdebuglevel(ns_server_t *server, char *args);
-
-/*%
- * Flush the server's cache(s)
- */
-isc_result_t
-ns_server_flushcache(ns_server_t *server, char *args);
-
-/*%
- * Flush a particular name from the server's cache(s)
- */
-isc_result_t
-ns_server_flushname(ns_server_t *server, char *args);
-
-/*%
- * Report the server's status.
- */
-isc_result_t
-ns_server_status(ns_server_t *server, isc_buffer_t *text);
-
-/*%
- * Enable or disable updates for a zone.
- */
-isc_result_t
-ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args);
-
-/*%
- * Dump the current recursive queries.
- */
-isc_result_t
-ns_server_dumprecursing(ns_server_t *server);
-
-/*%
- * Maintain a list of dispatches that require reserved ports.
- */
-void
-ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
-
-/*%
- * Enable or disable dnssec validation.
- */
-isc_result_t
-ns_server_validation(ns_server_t *server, char *args);
-
-#endif /* NAMED_SERVER_H */
diff --git a/usr.sbin/bind/bin/named/include/named/sortlist.h b/usr.sbin/bind/bin/named/include/named/sortlist.h
deleted file mode 100644
index e49f89514d0..00000000000
--- a/usr.sbin/bind/bin/named/include/named/sortlist.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: sortlist.h,v 1.5.18.4 2006/03/02 00:37:21 marka Exp $ */
-
-#ifndef NAMED_SORTLIST_H
-#define NAMED_SORTLIST_H 1
-
-/*! \file */
-
-#include
-
-#include
-
-/*%
- * Type for callback functions that rank addresses.
- */
-typedef int
-(*dns_addressorderfunc_t)(const isc_netaddr_t *address, const void *arg);
-
-/*%
- * Return value type for setup_sortlist.
- */
-typedef enum {
- NS_SORTLISTTYPE_NONE,
- NS_SORTLISTTYPE_1ELEMENT,
- NS_SORTLISTTYPE_2ELEMENT
-} ns_sortlisttype_t;
-
-ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
- const void **argp);
-/*%<
- * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
- *
- * If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and
- * make '*argp' point to the matching subelement.
- *
- * If a 2-element sortlist item applies, return NS_SORTLISTTYPE_2ELEMENT and
- * make '*argp' point to ACL that forms the second element.
- *
- * If no sortlist item applies, return NS_SORTLISTTYPE_NONE and set '*argp'
- * to NULL.
- */
-
-int
-ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg);
-/*%<
- * Find the sort order of 'addr' in 'arg', the matching element
- * of a 1-element top-level sortlist statement.
- */
-
-int
-ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
-/*%<
- * Find the sort order of 'addr' in 'arg', a topology-like
- * ACL forming the second element in a 2-element top-level
- * sortlist statement.
- */
-
-void
-ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
- dns_addressorderfunc_t *orderp,
- const void **argp);
-/*%<
- * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
- * If a sortlist statement applies, return in '*orderp' a pointer to a function
- * for ranking network addresses based on that sortlist statement, and in
- * '*argp' an argument to pass to said function. If no sortlist statement
- * applies, set '*orderp' and '*argp' to NULL.
- */
-
-#endif /* NAMED_SORTLIST_H */
diff --git a/usr.sbin/bind/bin/named/include/named/tkeyconf.h b/usr.sbin/bind/bin/named/include/named/tkeyconf.h
deleted file mode 100644
index 45cb0af28bb..00000000000
--- a/usr.sbin/bind/bin/named/include/named/tkeyconf.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: tkeyconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */
-
-#ifndef NS_TKEYCONF_H
-#define NS_TKEYCONF_H 1
-
-/*! \file */
-
-#include
-#include
-
-#include
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
- isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
-/*%<
- * Create a TKEY context and configure it, including the default DH key
- * and default domain, according to 'options'.
- *
- * Requires:
- *\li 'cfg' is a valid configuration options object.
- *\li 'mctx' is not NULL
- *\li 'ectx' is not NULL
- *\li 'tctx' is not NULL
- *\li '*tctx' is NULL
- *
- * Returns:
- *\li ISC_R_SUCCESS
- *\li ISC_R_NOMEMORY
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* NS_TKEYCONF_H */
diff --git a/usr.sbin/bind/bin/named/include/named/tsigconf.h b/usr.sbin/bind/bin/named/include/named/tsigconf.h
deleted file mode 100644
index 6c845f9ecfe..00000000000
--- a/usr.sbin/bind/bin/named/include/named/tsigconf.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: tsigconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */
-
-#ifndef NS_TSIGCONF_H
-#define NS_TSIGCONF_H 1
-
-/*! \file */
-
-#include
-#include
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
- isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
-/*%<
- * Create a TSIG key ring and configure it according to the 'key'
- * statements in the global and view configuration objects.
- *
- * Requires:
- * \li 'config' is not NULL.
- * \li 'mctx' is not NULL
- * \li 'ring' is not NULL, and '*ring' is NULL
- *
- * Returns:
- * \li ISC_R_SUCCESS
- * \li ISC_R_NOMEMORY
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* NS_TSIGCONF_H */
diff --git a/usr.sbin/bind/bin/named/include/named/types.h b/usr.sbin/bind/bin/named/include/named/types.h
deleted file mode 100644
index 61971c78faf..00000000000
--- a/usr.sbin/bind/bin/named/include/named/types.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: types.h,v 1.21.18.2 2005/04/29 00:15:38 marka Exp $ */
-
-#ifndef NAMED_TYPES_H
-#define NAMED_TYPES_H 1
-
-/*! \file */
-
-#include
-
-typedef struct ns_client ns_client_t;
-typedef struct ns_clientmgr ns_clientmgr_t;
-typedef struct ns_query ns_query_t;
-typedef struct ns_server ns_server_t;
-typedef struct ns_interface ns_interface_t;
-typedef struct ns_interfacemgr ns_interfacemgr_t;
-typedef struct ns_lwresd ns_lwresd_t;
-typedef struct ns_lwreslistener ns_lwreslistener_t;
-typedef struct ns_lwdclient ns_lwdclient_t;
-typedef struct ns_lwdclientmgr ns_lwdclientmgr_t;
-typedef struct ns_lwsearchlist ns_lwsearchlist_t;
-typedef struct ns_lwsearchctx ns_lwsearchctx_t;
-typedef struct ns_controls ns_controls_t;
-typedef struct ns_dispatch ns_dispatch_t;
-typedef ISC_LIST(ns_dispatch_t) ns_dispatchlist_t;
-
-#endif /* NAMED_TYPES_H */
diff --git a/usr.sbin/bind/bin/named/include/named/update.h b/usr.sbin/bind/bin/named/include/named/update.h
deleted file mode 100644
index 430e5c45e35..00000000000
--- a/usr.sbin/bind/bin/named/include/named/update.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: update.h,v 1.9.18.2 2005/04/29 00:15:39 marka Exp $ */
-
-#ifndef NAMED_UPDATE_H
-#define NAMED_UPDATE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * RFC2136 Dynamic Update
- */
-
-/***
- *** Imports
- ***/
-
-#include
-#include
-
-/***
- *** Types.
- ***/
-
-/***
- *** Functions
- ***/
-
-void
-ns_update_start(ns_client_t *client, isc_result_t sigresult);
-
-#endif /* NAMED_UPDATE_H */
diff --git a/usr.sbin/bind/bin/named/include/named/xfrout.h b/usr.sbin/bind/bin/named/include/named/xfrout.h
deleted file mode 100644
index d8d32843849..00000000000
--- a/usr.sbin/bind/bin/named/include/named/xfrout.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: xfrout.h,v 1.8.18.2 2005/04/29 00:15:39 marka Exp $ */
-
-#ifndef NAMED_XFROUT_H
-#define NAMED_XFROUT_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*! \file
- * \brief
- * Outgoing zone transfers (AXFR + IXFR).
- */
-
-/***
- *** Functions
- ***/
-
-void
-ns_xfr_start(ns_client_t *client, dns_rdatatype_t xfrtype);
-
-#endif /* NAMED_XFROUT_H */
diff --git a/usr.sbin/bind/bin/named/include/named/zoneconf.h b/usr.sbin/bind/bin/named/include/named/zoneconf.h
deleted file mode 100644
index fd23243e8dc..00000000000
--- a/usr.sbin/bind/bin/named/include/named/zoneconf.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: zoneconf.h,v 1.19.18.5 2006/03/02 00:37:21 marka Exp $ */
-
-#ifndef NS_ZONECONF_H
-#define NS_ZONECONF_H 1
-
-/*! \file */
-
-#include
-#include
-
-#include
-#include
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
- const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
- dns_zone_t *zone);
-/*%<
- * Configure or reconfigure a zone according to the named.conf
- * data in 'cctx' and 'czone'.
- *
- * The zone origin is not configured, it is assumed to have been set
- * at zone creation time.
- *
- * Require:
- * \li 'lctx' to be initialized or NULL.
- * \li 'cctx' to be initialized or NULL.
- * \li 'ac' to point to an initialized ns_aclconfctx_t.
- * \li 'czone' to be initialized.
- * \li 'zone' to be initialized.
- */
-
-isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
-/*%<
- * If 'zone' can be safely reconfigured according to the configuration
- * data in 'zconfig', return ISC_TRUE. If the configuration data is so
- * different from the current zone state that the zone needs to be destroyed
- * and recreated, return ISC_FALSE.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* NS_ZONECONF_H */
diff --git a/usr.sbin/bind/bin/named/interfacemgr.c b/usr.sbin/bind/bin/named/interfacemgr.c
deleted file mode 100644
index 46699cbcfc5..00000000000
--- a/usr.sbin/bind/bin/named/interfacemgr.c
+++ /dev/null
@@ -1,978 +0,0 @@ -/* - * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: interfacemgr.c,v 1.76.18.8.44.3 2008/07/23 23:16:43 marka Exp $ */ - -/*! \file */ - -#include - -#include -#include -#include -#include - -#include -#include - -#include -#include -#include - -#define IFMGR_MAGIC ISC_MAGIC('I', 'F', 'M', 'G') -#define NS_INTERFACEMGR_VALID(t) ISC_MAGIC_VALID(t, IFMGR_MAGIC) - -#define IFMGR_COMMON_LOGARGS \ - ns_g_lctx, NS_LOGCATEGORY_NETWORK, NS_LOGMODULE_INTERFACEMGR - -/*% nameserver interface manager structure */ -struct ns_interfacemgr { - unsigned int magic; /*%< Magic number. */ - int references; - isc_mutex_t lock; - isc_mem_t * mctx; /*%< Memory context. */ - isc_taskmgr_t * taskmgr; /*%< Task manager. */ - isc_socketmgr_t * socketmgr; /*%< Socket manager. */ - dns_dispatchmgr_t * dispatchmgr; - unsigned int generation; /*%< Current generation no. */ - ns_listenlist_t * listenon4; - ns_listenlist_t * listenon6; - dns_aclenv_t aclenv; /*%< Localhost/localnets ACLs */ - ISC_LIST(ns_interface_t) interfaces; /*%< List of interfaces. 
*/ - ISC_LIST(isc_sockaddr_t) listenon; -}; - -static void -purge_old_interfaces(ns_interfacemgr_t *mgr); - -static void -clearlistenon(ns_interfacemgr_t *mgr); - -isc_result_t -ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, - isc_socketmgr_t *socketmgr, - dns_dispatchmgr_t *dispatchmgr, - ns_interfacemgr_t **mgrp) -{ - isc_result_t result; - ns_interfacemgr_t *mgr; - - REQUIRE(mctx != NULL); - REQUIRE(mgrp != NULL); - REQUIRE(*mgrp == NULL); - - mgr = isc_mem_get(mctx, sizeof(*mgr)); - if (mgr == NULL) - return (ISC_R_NOMEMORY); - - result = isc_mutex_init(&mgr->lock); - if (result != ISC_R_SUCCESS) - goto cleanup_mem; - - mgr->mctx = mctx; - mgr->taskmgr = taskmgr; - mgr->socketmgr = socketmgr; - mgr->dispatchmgr = dispatchmgr; - mgr->generation = 1; - mgr->listenon4 = NULL; - mgr->listenon6 = NULL; - - ISC_LIST_INIT(mgr->interfaces); - ISC_LIST_INIT(mgr->listenon); - - /* - * The listen-on lists are initially empty. - */ - result = ns_listenlist_create(mctx, &mgr->listenon4); - if (result != ISC_R_SUCCESS) - goto cleanup_mem; - ns_listenlist_attach(mgr->listenon4, &mgr->listenon6); - - result = dns_aclenv_init(mctx, &mgr->aclenv); - if (result != ISC_R_SUCCESS) - goto cleanup_listenon; - - mgr->references = 1; - mgr->magic = IFMGR_MAGIC; - *mgrp = mgr; - return (ISC_R_SUCCESS); - - cleanup_listenon: - ns_listenlist_detach(&mgr->listenon4); - ns_listenlist_detach(&mgr->listenon6); - cleanup_mem: - isc_mem_put(mctx, mgr, sizeof(*mgr)); - return (result); -} - -static void -ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) { - REQUIRE(NS_INTERFACEMGR_VALID(mgr)); - dns_aclenv_destroy(&mgr->aclenv); - ns_listenlist_detach(&mgr->listenon4); - ns_listenlist_detach(&mgr->listenon6); - clearlistenon(mgr); - DESTROYLOCK(&mgr->lock); - mgr->magic = 0; - isc_mem_put(mgr->mctx, mgr, sizeof(*mgr)); -} - -dns_aclenv_t * -ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr) { - return (&mgr->aclenv); -} - -void -ns_interfacemgr_attach(ns_interfacemgr_t *source, 
ns_interfacemgr_t **target) { - REQUIRE(NS_INTERFACEMGR_VALID(source)); - LOCK(&source->lock); - INSIST(source->references > 0); - source->references++; - UNLOCK(&source->lock); - *target = source; -} - -void -ns_interfacemgr_detach(ns_interfacemgr_t **targetp) { - isc_result_t need_destroy = ISC_FALSE; - ns_interfacemgr_t *target = *targetp; - REQUIRE(target != NULL); - REQUIRE(NS_INTERFACEMGR_VALID(target)); - LOCK(&target->lock); - REQUIRE(target->references > 0); - target->references--; - if (target->references == 0) - need_destroy = ISC_TRUE; - UNLOCK(&target->lock); - if (need_destroy) - ns_interfacemgr_destroy(target); - *targetp = NULL; -} - -void -ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) { - REQUIRE(NS_INTERFACEMGR_VALID(mgr)); - - /*% - * Shut down and detach all interfaces. - * By incrementing the generation count, we make purge_old_interfaces() - * consider all interfaces "old". - */ - mgr->generation++; - purge_old_interfaces(mgr); -} - - -static isc_result_t -ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, - const char *name, ns_interface_t **ifpret) -{ - ns_interface_t *ifp; - isc_result_t result; - - REQUIRE(NS_INTERFACEMGR_VALID(mgr)); - ifp = isc_mem_get(mgr->mctx, sizeof(*ifp)); - if (ifp == NULL) - return (ISC_R_NOMEMORY); - ifp->mgr = NULL; - ifp->generation = mgr->generation; - ifp->addr = *addr; - ifp->flags = 0; - strlcpy(ifp->name, name, sizeof(ifp->name)); - ifp->clientmgr = NULL; - - result = isc_mutex_init(&ifp->lock); - if (result != ISC_R_SUCCESS) - goto lock_create_failure; - - result = ns_clientmgr_create(mgr->mctx, mgr->taskmgr, - ns_g_timermgr, - &ifp->clientmgr); - if (result != ISC_R_SUCCESS) { - isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, - "ns_clientmgr_create() failed: %s", - isc_result_totext(result)); - goto clientmgr_create_failure; - } - - ifp->udpdispatch = NULL; - - ifp->tcpsocket = NULL; - /* - * Create a single TCP client object. 
It will replace itself - * with a new one as soon as it gets a connection, so the actual - * connections will be handled in parallel even though there is - * only one client initially. - */ - ifp->ntcptarget = 1; - ifp->ntcpcurrent = 0; - - ISC_LINK_INIT(ifp, link); - - ns_interfacemgr_attach(mgr, &ifp->mgr); - ISC_LIST_APPEND(mgr->interfaces, ifp, link); - - ifp->references = 1; - ifp->magic = IFACE_MAGIC; - *ifpret = ifp; - - return (ISC_R_SUCCESS); - - clientmgr_create_failure: - DESTROYLOCK(&ifp->lock); - lock_create_failure: - ifp->magic = 0; - isc_mem_put(mgr->mctx, ifp, sizeof(*ifp)); - - return (ISC_R_UNEXPECTED); -} - -static isc_result_t -ns_interface_listenudp(ns_interface_t *ifp) { - isc_result_t result; - unsigned int attrs; - unsigned int attrmask; - - attrs = 0; - attrs |= DNS_DISPATCHATTR_UDP; - if (isc_sockaddr_pf(&ifp->addr) == AF_INET) - attrs |= DNS_DISPATCHATTR_IPV4; - else - attrs |= DNS_DISPATCHATTR_IPV6; - attrs |= DNS_DISPATCHATTR_NOLISTEN; - attrmask = 0; - attrmask |= DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP; - attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; - result = dns_dispatch_getudp(ifp->mgr->dispatchmgr, ns_g_socketmgr, - ns_g_taskmgr, &ifp->addr, - 4096, 1000, 32768, 8219, 8237, - attrs, attrmask, &ifp->udpdispatch); - if (result != ISC_R_SUCCESS) { - isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, - "could not listen on UDP socket: %s", - isc_result_totext(result)); - goto udp_dispatch_failure; - } - - result = ns_clientmgr_createclients(ifp->clientmgr, ns_g_cpus, - ifp, ISC_FALSE); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "UDP ns_clientmgr_createclients(): %s", - isc_result_totext(result)); - goto addtodispatch_failure; - } - return (ISC_R_SUCCESS); - - addtodispatch_failure: - dns_dispatch_changeattributes(ifp->udpdispatch, 0, - DNS_DISPATCHATTR_NOLISTEN); - dns_dispatch_detach(&ifp->udpdispatch); - udp_dispatch_failure: - return (result); -} - -static isc_result_t 
-ns_interface_accepttcp(ns_interface_t *ifp) { - isc_result_t result; - - /* - * Open a TCP socket. - */ - result = isc_socket_create(ifp->mgr->socketmgr, - isc_sockaddr_pf(&ifp->addr), - isc_sockettype_tcp, - &ifp->tcpsocket); - if (result != ISC_R_SUCCESS) { - isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, - "creating TCP socket: %s", - isc_result_totext(result)); - goto tcp_socket_failure; - } -#ifndef ISC_ALLOW_MAPPED - isc_socket_ipv6only(ifp->tcpsocket, ISC_TRUE); -#endif - result = isc_socket_bind(ifp->tcpsocket, &ifp->addr, - ISC_SOCKET_REUSEADDRESS); - if (result != ISC_R_SUCCESS) { - isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, - "binding TCP socket: %s", - isc_result_totext(result)); - goto tcp_bind_failure; - } - result = isc_socket_listen(ifp->tcpsocket, ns_g_listen); - if (result != ISC_R_SUCCESS) { - isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, - "listening on TCP socket: %s", - isc_result_totext(result)); - goto tcp_listen_failure; - } - - /* - * If/when there a multiple filters listen to the - * result. 
- */ - (void)isc_socket_filter(ifp->tcpsocket, "dataready"); - - result = ns_clientmgr_createclients(ifp->clientmgr, - ifp->ntcptarget, ifp, - ISC_TRUE); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "TCP ns_clientmgr_createclients(): %s", - isc_result_totext(result)); - goto accepttcp_failure; - } - return (ISC_R_SUCCESS); - - accepttcp_failure: - tcp_listen_failure: - tcp_bind_failure: - isc_socket_detach(&ifp->tcpsocket); - tcp_socket_failure: - return (ISC_R_SUCCESS); -} - -static isc_result_t -ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, - const char *name, ns_interface_t **ifpret, - isc_boolean_t accept_tcp) -{ - isc_result_t result; - ns_interface_t *ifp = NULL; - REQUIRE(ifpret != NULL && *ifpret == NULL); - - result = ns_interface_create(mgr, addr, name, &ifp); - if (result != ISC_R_SUCCESS) - return (result); - - result = ns_interface_listenudp(ifp); - if (result != ISC_R_SUCCESS) - goto cleanup_interface; - - if (accept_tcp == ISC_TRUE) { - result = ns_interface_accepttcp(ifp); - if (result != ISC_R_SUCCESS) { - /* - * XXXRTH We don't currently have a way to easily stop - * dispatch service, so we currently return - * ISC_R_SUCCESS (the UDP stuff will work even if TCP - * creation failed). This will be fixed later. 
- */ - result = ISC_R_SUCCESS; - } - } - *ifpret = ifp; - return (ISC_R_SUCCESS); - - cleanup_interface: - ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link); - ns_interface_detach(&ifp); - return (result); -} - -void -ns_interface_shutdown(ns_interface_t *ifp) { - if (ifp->clientmgr != NULL) - ns_clientmgr_destroy(&ifp->clientmgr); -} - -static void -ns_interface_destroy(ns_interface_t *ifp) { - isc_mem_t *mctx = ifp->mgr->mctx; - REQUIRE(NS_INTERFACE_VALID(ifp)); - - ns_interface_shutdown(ifp); - - if (ifp->udpdispatch != NULL) { - dns_dispatch_changeattributes(ifp->udpdispatch, 0, - DNS_DISPATCHATTR_NOLISTEN); - dns_dispatch_detach(&ifp->udpdispatch); - } - if (ifp->tcpsocket != NULL) - isc_socket_detach(&ifp->tcpsocket); - - DESTROYLOCK(&ifp->lock); - - ns_interfacemgr_detach(&ifp->mgr); - - ifp->magic = 0; - isc_mem_put(mctx, ifp, sizeof(*ifp)); -} - -void -ns_interface_attach(ns_interface_t *source, ns_interface_t **target) { - REQUIRE(NS_INTERFACE_VALID(source)); - LOCK(&source->lock); - INSIST(source->references > 0); - source->references++; - UNLOCK(&source->lock); - *target = source; -} - -void -ns_interface_detach(ns_interface_t **targetp) { - isc_result_t need_destroy = ISC_FALSE; - ns_interface_t *target = *targetp; - REQUIRE(target != NULL); - REQUIRE(NS_INTERFACE_VALID(target)); - LOCK(&target->lock); - REQUIRE(target->references > 0); - target->references--; - if (target->references == 0) - need_destroy = ISC_TRUE; - UNLOCK(&target->lock); - if (need_destroy) - ns_interface_destroy(target); - *targetp = NULL; -} - -/*% - * Search the interface list for an interface whose address and port - * both match those of 'addr'. Return a pointer to it, or NULL if not found. 
- */ -static ns_interface_t * -find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) { - ns_interface_t *ifp; - for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL; - ifp = ISC_LIST_NEXT(ifp, link)) { - if (isc_sockaddr_equal(&ifp->addr, addr)) - break; - } - return (ifp); -} - -/*% - * Remove any interfaces whose generation number is not the current one. - */ -static void -purge_old_interfaces(ns_interfacemgr_t *mgr) { - ns_interface_t *ifp, *next; - for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL; ifp = next) { - INSIST(NS_INTERFACE_VALID(ifp)); - next = ISC_LIST_NEXT(ifp, link); - if (ifp->generation != mgr->generation) { - char sabuf[256]; - ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link); - isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf)); - isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_INFO, - "no longer listening on %s", sabuf); - ns_interface_shutdown(ifp); - ns_interface_detach(&ifp); - } - } -} - -static isc_result_t -clearacl(isc_mem_t *mctx, dns_acl_t **aclp) { - dns_acl_t *newacl = NULL; - isc_result_t result; - result = dns_acl_create(mctx, 10, &newacl); - if (result != ISC_R_SUCCESS) - return (result); - dns_acl_detach(aclp); - dns_acl_attach(newacl, aclp); - dns_acl_detach(&newacl); - return (ISC_R_SUCCESS); -} - -static isc_boolean_t -listenon_is_ip6_any(ns_listenelt_t *elt) { - if (elt->acl->length != 1) - return (ISC_FALSE); - if (elt->acl->elements[0].negative == ISC_FALSE && - elt->acl->elements[0].type == dns_aclelementtype_any) - return (ISC_TRUE); /* listen-on-v6 { any; } */ - return (ISC_FALSE); /* All others */ -} - -static isc_result_t -setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) { - isc_result_t result; - dns_aclelement_t elt; - unsigned int family; - unsigned int prefixlen; - - family = interface->address.family; - - elt.type = dns_aclelementtype_ipprefix; - elt.negative = ISC_FALSE; - elt.u.ip_prefix.address = interface->address; - elt.u.ip_prefix.prefixlen = (family == AF_INET) ? 
32 : 128; - result = dns_acl_appendelement(mgr->aclenv.localhost, &elt); - if (result != ISC_R_SUCCESS) - return (result); - - result = isc_netaddr_masktoprefixlen(&interface->netmask, - &prefixlen); - - /* Non contigious netmasks not allowed by IPv6 arch. */ - if (result != ISC_R_SUCCESS && family == AF_INET6) - return (result); - - if (result != ISC_R_SUCCESS) { - isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_WARNING, - "omitting IPv4 interface %s from " - "localnets ACL: %s", - interface->name, - isc_result_totext(result)); - } else { - elt.u.ip_prefix.prefixlen = prefixlen; - if (dns_acl_elementmatch(mgr->aclenv.localnets, &elt, - NULL) == ISC_R_NOTFOUND) { - result = dns_acl_appendelement(mgr->aclenv.localnets, - &elt); - if (result != ISC_R_SUCCESS) - return (result); - } - } - - return (ISC_R_SUCCESS); -} - -static void -setup_listenon(ns_interfacemgr_t *mgr, isc_interface_t *interface, - in_port_t port) -{ - isc_sockaddr_t *addr; - isc_sockaddr_t *old; - - addr = isc_mem_get(mgr->mctx, sizeof(*addr)); - if (addr == NULL) - return; - - isc_sockaddr_fromnetaddr(addr, &interface->address, port); - - for (old = ISC_LIST_HEAD(mgr->listenon); - old != NULL; - old = ISC_LIST_NEXT(old, link)) - if (isc_sockaddr_equal(addr, old)) - break; - - if (old != NULL) - isc_mem_put(mgr->mctx, addr, sizeof(*addr)); - else - ISC_LIST_APPEND(mgr->listenon, addr, link); -} - -static void -clearlistenon(ns_interfacemgr_t *mgr) { - isc_sockaddr_t *old; - - old = ISC_LIST_HEAD(mgr->listenon); - while (old != NULL) { - ISC_LIST_UNLINK(mgr->listenon, old, link); - isc_mem_put(mgr->mctx, old, sizeof(*old)); - old = ISC_LIST_HEAD(mgr->listenon); - } -} - -static isc_result_t -do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, - isc_boolean_t verbose) -{ - isc_interfaceiter_t *iter = NULL; - isc_boolean_t scan_ipv4 = ISC_FALSE; - isc_boolean_t scan_ipv6 = ISC_FALSE; - isc_boolean_t adjusting = ISC_FALSE; - isc_boolean_t ipv6only = ISC_TRUE; - isc_boolean_t ipv6pktinfo = 
ISC_TRUE; - isc_result_t result; - isc_netaddr_t zero_address, zero_address6; - ns_listenelt_t *le; - isc_sockaddr_t listen_addr; - ns_interface_t *ifp; - isc_boolean_t log_explicit = ISC_FALSE; - isc_boolean_t dolistenon; - - if (ext_listen != NULL) - adjusting = ISC_TRUE; - - if (isc_net_probeipv6() == ISC_R_SUCCESS) - scan_ipv6 = ISC_TRUE; -#ifdef WANT_IPV6 - else - isc_log_write(IFMGR_COMMON_LOGARGS, - verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1), - "no IPv6 interfaces found"); -#endif - - if (isc_net_probeipv4() == ISC_R_SUCCESS) - scan_ipv4 = ISC_TRUE; - else - isc_log_write(IFMGR_COMMON_LOGARGS, - verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1), - "no IPv4 interfaces found"); - - /* - * A special, but typical case; listen-on-v6 { any; }. - * When we can make the socket IPv6-only, open a single wildcard - * socket for IPv6 communication. Otherwise, make separate socket - * for each IPv6 address in order to avoid accepting IPv4 packets - * as the form of mapped addresses unintentionally unless explicitly - * allowed. 
- */ -#ifndef ISC_ALLOW_MAPPED - if (scan_ipv6 == ISC_TRUE && - isc_net_probe_ipv6only() != ISC_R_SUCCESS) { - ipv6only = ISC_FALSE; - log_explicit = ISC_TRUE; - } -#endif - if (scan_ipv6 == ISC_TRUE && - isc_net_probe_ipv6pktinfo() != ISC_R_SUCCESS) { - ipv6pktinfo = ISC_FALSE; - log_explicit = ISC_TRUE; - } - if (scan_ipv6 == ISC_TRUE && ipv6only && ipv6pktinfo) { - for (le = ISC_LIST_HEAD(mgr->listenon6->elts); - le != NULL; - le = ISC_LIST_NEXT(le, link)) { - struct in6_addr in6a; - - if (!listenon_is_ip6_any(le)) - continue; - - in6a = in6addr_any; - isc_sockaddr_fromin6(&listen_addr, &in6a, le->port); - - ifp = find_matching_interface(mgr, &listen_addr); - if (ifp != NULL) { - ifp->generation = mgr->generation; - } else { - isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_INFO, - "listening on IPv6 " - "interfaces, port %u", - le->port); - result = ns_interface_setup(mgr, &listen_addr, - "", &ifp, - ISC_TRUE); - if (result == ISC_R_SUCCESS) - ifp->flags |= NS_INTERFACEFLAG_ANYADDR; - else - isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_ERROR, - "listening on all IPv6 " - "interfaces failed"); - /* Continue. 
*/ - } - } - } - - isc_netaddr_any(&zero_address); - isc_netaddr_any6(&zero_address6); - - result = isc_interfaceiter_create(mgr->mctx, &iter); - if (result != ISC_R_SUCCESS) - return (result); - - if (adjusting == ISC_FALSE) { - result = clearacl(mgr->mctx, &mgr->aclenv.localhost); - if (result != ISC_R_SUCCESS) - goto cleanup_iter; - result = clearacl(mgr->mctx, &mgr->aclenv.localnets); - if (result != ISC_R_SUCCESS) - goto cleanup_iter; - clearlistenon(mgr); - } - - for (result = isc_interfaceiter_first(iter); - result == ISC_R_SUCCESS; - result = isc_interfaceiter_next(iter)) - { - isc_interface_t interface; - ns_listenlist_t *ll; - unsigned int family; - - result = isc_interfaceiter_current(iter, &interface); - if (result != ISC_R_SUCCESS) - break; - - family = interface.address.family; - if (family != AF_INET && family != AF_INET6) - continue; - if (scan_ipv4 == ISC_FALSE && family == AF_INET) - continue; - if (scan_ipv6 == ISC_FALSE && family == AF_INET6) - continue; - - /* - * Test for the address being nonzero rather than testing - * INTERFACE_F_UP, because on some systems the latter - * follows the media state and we could end up ignoring - * the interface for an entire rescan interval due to - * a temporary media glitch at rescan time. - */ - if (family == AF_INET && - isc_netaddr_equal(&interface.address, &zero_address)) { - continue; - } - if (family == AF_INET6 && - isc_netaddr_equal(&interface.address, &zero_address6)) { - continue; - } - - if (adjusting == ISC_FALSE) { - result = setup_locals(mgr, &interface); - if (result != ISC_R_SUCCESS) - goto ignore_interface; - } - - ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6; - dolistenon = ISC_TRUE; - for (le = ISC_LIST_HEAD(ll->elts); - le != NULL; - le = ISC_LIST_NEXT(le, link)) - { - int match; - isc_boolean_t ipv6_wildcard = ISC_FALSE; - isc_netaddr_t listen_netaddr; - isc_sockaddr_t listen_sockaddr; - - /* - * Construct a socket address for this IP/port - * combination. 
- */ - if (family == AF_INET) { - isc_netaddr_fromin(&listen_netaddr, - &interface.address.type.in); - } else { - isc_netaddr_fromin6(&listen_netaddr, - &interface.address.type.in6); - isc_netaddr_setzone(&listen_netaddr, - interface.address.zone); - } - isc_sockaddr_fromnetaddr(&listen_sockaddr, - &listen_netaddr, - le->port); - - /* - * See if the address matches the listen-on statement; - * if not, ignore the interface. - */ - (void)dns_acl_match(&listen_netaddr, NULL, le->acl, - &mgr->aclenv, &match, NULL); - if (match <= 0) - continue; - - if (adjusting == ISC_FALSE && dolistenon == ISC_TRUE) { - setup_listenon(mgr, &interface, le->port); - dolistenon = ISC_FALSE; - } - - /* - * The case of "any" IPv6 address will require - * special considerations later, so remember it. - */ - if (family == AF_INET6 && ipv6only && ipv6pktinfo && - listenon_is_ip6_any(le)) - ipv6_wildcard = ISC_TRUE; - - /* - * When adjusting interfaces with extra a listening - * list, see if the address matches the extra list. - * If it does, and is also covered by a wildcard - * interface, we need to listen on the address - * explicitly. - */ - if (adjusting == ISC_TRUE) { - ns_listenelt_t *ele; - - match = 0; - for (ele = ISC_LIST_HEAD(ext_listen->elts); - ele != NULL; - ele = ISC_LIST_NEXT(ele, link)) { - (void)dns_acl_match(&listen_netaddr, - NULL, ele->acl, - NULL, &match, NULL); - if (match > 0 && ele->port == le->port) - break; - else - match = 0; - } - if (ipv6_wildcard == ISC_TRUE && match == 0) - continue; - } - - ifp = find_matching_interface(mgr, &listen_sockaddr); - if (ifp != NULL) { - ifp->generation = mgr->generation; - } else { - char sabuf[ISC_SOCKADDR_FORMATSIZE]; - - if (adjusting == ISC_FALSE && - ipv6_wildcard == ISC_TRUE) - continue; - - if (log_explicit && family == AF_INET6 && - !adjusting && listenon_is_ip6_any(le)) { - isc_log_write(IFMGR_COMMON_LOGARGS, - verbose ? 
ISC_LOG_INFO : - ISC_LOG_DEBUG(1), - "IPv6 socket API is " - "incomplete; explicitly " - "binding to each IPv6 " - "address separately"); - log_explicit = ISC_FALSE; - } - isc_sockaddr_format(&listen_sockaddr, - sabuf, sizeof(sabuf)); - isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_INFO, - "%s" - "listening on %s interface " - "%s, %s", - (adjusting == ISC_TRUE) ? - "additionally " : "", - (family == AF_INET) ? - "IPv4" : "IPv6", - interface.name, sabuf); - - result = ns_interface_setup(mgr, - &listen_sockaddr, - interface.name, - &ifp, - (adjusting == ISC_TRUE) ? - ISC_FALSE : - ISC_TRUE); - - if (result != ISC_R_SUCCESS) { - isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_ERROR, - "creating %s interface " - "%s failed; interface " - "ignored", - (family == AF_INET) ? - "IPv4" : "IPv6", - interface.name); - } - /* Continue. */ - } - - } - continue; - - ignore_interface: - isc_log_write(IFMGR_COMMON_LOGARGS, - ISC_LOG_ERROR, - "ignoring %s interface %s: %s", - (family == AF_INET) ? "IPv4" : "IPv6", - interface.name, isc_result_totext(result)); - continue; - } - if (result != ISC_R_NOMORE) - UNEXPECTED_ERROR(__FILE__, __LINE__, - "interface iteration failed: %s", - isc_result_totext(result)); - else - result = ISC_R_SUCCESS; - cleanup_iter: - isc_interfaceiter_destroy(&iter); - return (result); -} - -static void -ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, - isc_boolean_t verbose) -{ - isc_boolean_t purge = ISC_TRUE; - - REQUIRE(NS_INTERFACEMGR_VALID(mgr)); - - mgr->generation++; /* Increment the generation count. */ - - if (do_scan(mgr, ext_listen, verbose) != ISC_R_SUCCESS) - purge = ISC_FALSE; - - /* - * Now go through the interface list and delete anything that - * does not have the current generation number. This is - * how we catch interfaces that go away or change their - * addresses. 
- */ - if (purge) - purge_old_interfaces(mgr); - - /* - * Warn if we are not listening on any interface, unless - * we're in lwresd-only mode, in which case that is to - * be expected. - */ - if (ext_listen == NULL && - ISC_LIST_EMPTY(mgr->interfaces) && ! ns_g_lwresdonly) { - isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING, - "not listening on any interfaces"); - } -} - -void -ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose) { - ns_interfacemgr_scan0(mgr, NULL, verbose); -} - -void -ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list, - isc_boolean_t verbose) -{ - ns_interfacemgr_scan0(mgr, list, verbose); -} - -void -ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value) { - LOCK(&mgr->lock); - ns_listenlist_detach(&mgr->listenon4); - ns_listenlist_attach(value, &mgr->listenon4); - UNLOCK(&mgr->lock); -} - -void -ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value) { - LOCK(&mgr->lock); - ns_listenlist_detach(&mgr->listenon6); - ns_listenlist_attach(value, &mgr->listenon6); - UNLOCK(&mgr->lock); -} - -void -ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr) { - ns_interface_t *interface; - - LOCK(&mgr->lock); - interface = ISC_LIST_HEAD(mgr->interfaces); - while (interface != NULL) { - if (interface->clientmgr != NULL) - ns_client_dumprecursing(f, interface->clientmgr); - interface = ISC_LIST_NEXT(interface, link); - } - UNLOCK(&mgr->lock); -} - -isc_boolean_t -ns_interfacemgr_listeningon(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) { - isc_sockaddr_t *old; - - old = ISC_LIST_HEAD(mgr->listenon); - for (old = ISC_LIST_HEAD(mgr->listenon); - old != NULL; - old = ISC_LIST_NEXT(old, link)) - if (isc_sockaddr_equal(old, addr)) - return (ISC_TRUE); - return (ISC_FALSE); -} diff --git a/usr.sbin/bind/bin/named/listenlist.c b/usr.sbin/bind/bin/named/listenlist.c deleted file mode 100644 index 68c2e0e8d8b..00000000000 --- a/usr.sbin/bind/bin/named/listenlist.c +++ /dev/null 
@@ -1,138 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: listenlist.c,v 1.10.18.2 2005/04/29 00:15:22 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-#include
-
-#include
-
-#include
-
-static void
-destroy(ns_listenlist_t *list);
-
-isc_result_t
-ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
- dns_acl_t *acl, ns_listenelt_t **target)
-{
- ns_listenelt_t *elt = NULL;
- REQUIRE(target != NULL && *target == NULL);
- elt = isc_mem_get(mctx, sizeof(*elt));
- if (elt == NULL)
- return (ISC_R_NOMEMORY);
- elt->mctx = mctx;
- ISC_LINK_INIT(elt, link);
- elt->port = port;
- elt->acl = acl;
- *target = elt;
- return (ISC_R_SUCCESS);
-}
-
-void
-ns_listenelt_destroy(ns_listenelt_t *elt) {
- if (elt->acl != NULL)
- dns_acl_detach(&elt->acl);
- isc_mem_put(elt->mctx, elt, sizeof(*elt));
-}
-
-isc_result_t
-ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target) {
- ns_listenlist_t *list = NULL;
- REQUIRE(target != NULL && *target == NULL);
- list = isc_mem_get(mctx, sizeof(*list));
- if (list == NULL)
- return (ISC_R_NOMEMORY);
- list->mctx = mctx;
- list->refcount = 1;
- ISC_LIST_INIT(list->elts);
- *target = list;
- return (ISC_R_SUCCESS);
-}
-
-static void
-destroy(ns_listenlist_t *list) {
- ns_listenelt_t *elt, *next;
- for (elt = ISC_LIST_HEAD(list->elts);
- elt != NULL;
- elt = next)
- {
- next = ISC_LIST_NEXT(elt, link);
- ns_listenelt_destroy(elt);
- }
- isc_mem_put(list->mctx, list, sizeof(*list));
-}
-
-void
-ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target) {
- INSIST(source->refcount > 0);
- source->refcount++;
- *target = source;
-}
-
-void
-ns_listenlist_detach(ns_listenlist_t **listp) {
- ns_listenlist_t *list = *listp;
- INSIST(list->refcount > 0);
- list->refcount--;
- if (list->refcount == 0)
- destroy(list);
- *listp = NULL;
-}
-
-isc_result_t
-ns_listenlist_default(isc_mem_t *mctx, in_port_t port,
- isc_boolean_t enabled, ns_listenlist_t **target)
-{
- isc_result_t result;
- dns_acl_t *acl = NULL;
- ns_listenelt_t *elt = NULL;
- ns_listenlist_t *list = NULL;
-
- REQUIRE(target != NULL && *target == NULL);
- if (enabled)
- result = dns_acl_any(mctx, &acl);
- else
- result = dns_acl_none(mctx, &acl);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = ns_listenelt_create(mctx, port, acl, &elt);
- if (result != ISC_R_SUCCESS)
- goto cleanup_acl;
-
- result = ns_listenlist_create(mctx, &list);
- if (result != ISC_R_SUCCESS)
- goto cleanup_listenelt;
-
- ISC_LIST_APPEND(list->elts, elt, link);
-
- *target = list;
- return (ISC_R_SUCCESS);
-
- cleanup_listenelt:
- ns_listenelt_destroy(elt);
- cleanup_acl:
- dns_acl_detach(&acl);
- cleanup:
- return (result);
-}
diff --git a/usr.sbin/bind/bin/named/log.c b/usr.sbin/bind/bin/named/log.c
deleted file mode 100644
index d6a2bf8ed38..00000000000
--- a/usr.sbin/bind/bin/named/log.c
+++ /dev/null
@@ -1,235 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: log.c,v 1.37.18.6 2006/06/09 00:54:08 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-
-#include
-
-#include
-
-#ifndef ISC_FACILITY
-#define ISC_FACILITY LOG_DAEMON
-#endif
-
-/*%
- * When adding a new category, be sure to add the appropriate
- * #define to and to update the list in
- * bin/check/check-tool.c.
- */
-static isc_logcategory_t categories[] = {
- { "", 0 },
- { "client", 0 },
- { "network", 0 },
- { "update", 0 },
- { "queries", 0 },
- { "unmatched", 0 },
- { "update-security", 0 },
- { NULL, 0 }
-};
-
-/*%
- * When adding a new module, be sure to add the appropriate
- * #define to .
- */
-static isc_logmodule_t modules[] = {
- { "main", 0 },
- { "client", 0 },
- { "server", 0 },
- { "query", 0 },
- { "interfacemgr", 0 },
- { "update", 0 },
- { "xfer-in", 0 },
- { "xfer-out", 0 },
- { "notify", 0 },
- { "control", 0 },
- { "lwresd", 0 },
- { NULL, 0 }
-};
-
-isc_result_t
-ns_log_init(isc_boolean_t safe) {
- isc_result_t result;
- isc_logconfig_t *lcfg = NULL;
-
- ns_g_categories = categories;
- ns_g_modules = modules;
-
- /*
- * Setup a logging context.
- */
- result = isc_log_create(ns_g_mctx, &ns_g_lctx, &lcfg);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * named-checktool.c:setup_logging() needs to be kept in sync.
- */
- isc_log_registercategories(ns_g_lctx, ns_g_categories);
- isc_log_registermodules(ns_g_lctx, ns_g_modules);
- isc_log_setcontext(ns_g_lctx);
- dns_log_init(ns_g_lctx);
- dns_log_setcontext(ns_g_lctx);
- cfg_log_init(ns_g_lctx);
-
- if (safe)
- result = ns_log_setsafechannels(lcfg);
- else
- result = ns_log_setdefaultchannels(lcfg);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = ns_log_setdefaultcategory(lcfg);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- return (ISC_R_SUCCESS);
-
- cleanup:
- isc_log_destroy(&ns_g_lctx);
- isc_log_setcontext(NULL);
- dns_log_setcontext(NULL);
-
- return (result);
-}
-
-isc_result_t
-ns_log_setdefaultchannels(isc_logconfig_t *lcfg) {
- isc_result_t result;
- isc_logdestination_t destination;
-
- /*
- * By default, the logging library makes "default_debug" log to
- * stderr. In BIND, we want to override this and log to named.run
- * instead, unless the the -g option was given.
- */
- if (! ns_g_logstderr) {
- destination.file.stream = NULL;
- destination.file.name = "named.run";
- destination.file.versions = ISC_LOG_ROLLNEVER;
- destination.file.maximum_size = 0;
- result = isc_log_createchannel(lcfg, "default_debug",
- ISC_LOG_TOFILE,
- ISC_LOG_DYNAMIC,
- &destination,
- ISC_LOG_PRINTTIME|
- ISC_LOG_DEBUGONLY);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
-
-#if ISC_FACILITY != LOG_DAEMON
- destination.facility = ISC_FACILITY;
- result = isc_log_createchannel(lcfg, "default_syslog",
- ISC_LOG_TOSYSLOG, ISC_LOG_INFO,
- &destination, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-#endif
-
- /*
- * Set the initial debug level.
- */
- isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- return (result);
-}
-
-isc_result_t
-ns_log_setsafechannels(isc_logconfig_t *lcfg) {
- isc_result_t result;
-#if ISC_FACILITY != LOG_DAEMON
- isc_logdestination_t destination;
-#endif
-
- if (! ns_g_logstderr) {
- result = isc_log_createchannel(lcfg, "default_debug",
- ISC_LOG_TONULL,
- ISC_LOG_DYNAMIC,
- NULL, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- /*
- * Setting the debug level to zero should get the output
- * discarded a bit faster.
- */
- isc_log_setdebuglevel(ns_g_lctx, 0);
- } else {
- isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
- }
-
-#if ISC_FACILITY != LOG_DAEMON
- destination.facility = ISC_FACILITY;
- result = isc_log_createchannel(lcfg, "default_syslog",
- ISC_LOG_TOSYSLOG, ISC_LOG_INFO,
- &destination, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-#endif
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- return (result);
-}
-
-isc_result_t
-ns_log_setdefaultcategory(isc_logconfig_t *lcfg) {
- isc_result_t result;
-
- if (! ns_g_logstderr) {
- result = isc_log_usechannel(lcfg, "default_syslog",
- ISC_LOGCATEGORY_DEFAULT, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
-
- result = isc_log_usechannel(lcfg, "default_debug",
- ISC_LOGCATEGORY_DEFAULT, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- return (result);
-}
-
-isc_result_t
-ns_log_setunmatchedcategory(isc_logconfig_t *lcfg) {
- isc_result_t result;
-
- result = isc_log_usechannel(lcfg, "null",
- NS_LOGCATEGORY_UNMATCHED, NULL);
- return (result);
-}
-
-void
-ns_log_shutdown(void) {
- isc_log_destroy(&ns_g_lctx);
- isc_log_setcontext(NULL);
- dns_log_setcontext(NULL);
-}
diff --git a/usr.sbin/bind/bin/named/logconf.c b/usr.sbin/bind/bin/named/logconf.c
deleted file mode 100644
index 572edda5087..00000000000
--- a/usr.sbin/bind/bin/named/logconf.c
+++ /dev/null
@@ -1,299 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: logconf.c,v 1.35.18.5 2006/03/02 00:37:21 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-
-#include
-#include
-
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto cleanup; \
- } while (0)
-
-/*%
- * Set up a logging category according to the named.conf data
- * in 'ccat' and add it to 'lctx'.
- */
-static isc_result_t
-category_fromconf(const cfg_obj_t *ccat, isc_logconfig_t *lctx) {
- isc_result_t result;
- const char *catname;
- isc_logcategory_t *category;
- isc_logmodule_t *module;
- const cfg_obj_t *destinations = NULL;
- const cfg_listelt_t *element = NULL;
-
- catname = cfg_obj_asstring(cfg_tuple_get(ccat, "name"));
- category = isc_log_categorybyname(ns_g_lctx, catname);
- if (category == NULL) {
- cfg_obj_log(ccat, ns_g_lctx, ISC_LOG_ERROR,
- "unknown logging category '%s' ignored",
- catname);
- /*
- * Allow further processing by returning success.
- */
- return (ISC_R_SUCCESS);
- }
-
- module = NULL;
-
- destinations = cfg_tuple_get(ccat, "destinations");
- for (element = cfg_list_first(destinations);
- element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *channel = cfg_listelt_value(element);
- const char *channelname = cfg_obj_asstring(channel);
-
- result = isc_log_usechannel(lctx, channelname, category,
- module);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, CFG_LOGCATEGORY_CONFIG,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "logging channel '%s': %s", channelname,
- isc_result_totext(result));
- return (result);
- }
- }
- return (ISC_R_SUCCESS);
-}
-
-/*%
- * Set up a logging channel according to the named.conf data
- * in 'cchan' and add it to 'lctx'.
- */
-static isc_result_t
-channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) {
- isc_result_t result;
- isc_logdestination_t dest;
- unsigned int type;
- unsigned int flags = 0;
- int level;
- const char *channelname;
- const cfg_obj_t *fileobj = NULL;
- const cfg_obj_t *syslogobj = NULL;
- const cfg_obj_t *nullobj = NULL;
- const cfg_obj_t *stderrobj = NULL;
- const cfg_obj_t *severity = NULL;
- int i;
-
- channelname = cfg_obj_asstring(cfg_map_getname(channel));
-
- (void)cfg_map_get(channel, "file", &fileobj);
- (void)cfg_map_get(channel, "syslog", &syslogobj);
- (void)cfg_map_get(channel, "null", &nullobj);
- (void)cfg_map_get(channel, "stderr", &stderrobj);
-
- i = 0;
- if (fileobj != NULL)
- i++;
- if (syslogobj != NULL)
- i++;
- if (nullobj != NULL)
- i++;
- if (stderrobj != NULL)
- i++;
-
- if (i != 1) {
- cfg_obj_log(channel, ns_g_lctx, ISC_LOG_ERROR,
- "channel '%s': exactly one of file, syslog, "
- "null, and stderr must be present", channelname);
- return (ISC_R_FAILURE);
- }
-
- type = ISC_LOG_TONULL;
-
- if (fileobj != NULL) {
- const cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
- const cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
- const cfg_obj_t *versionsobj =
- cfg_tuple_get(fileobj, "versions");
- isc_int32_t versions = ISC_LOG_ROLLNEVER;
- isc_offset_t size = 0;
-
- type = ISC_LOG_TOFILE;
-
- if (versionsobj != NULL && cfg_obj_isuint32(versionsobj))
- versions = cfg_obj_asuint32(versionsobj);
- if (versionsobj != NULL && cfg_obj_isstring(versionsobj) &&
- strcasecmp(cfg_obj_asstring(versionsobj), "unlimited") == 0)
- versions = ISC_LOG_ROLLINFINITE;
- if (sizeobj != NULL &&
- cfg_obj_isuint64(sizeobj) &&
- cfg_obj_asuint64(sizeobj) < ISC_OFFSET_MAXIMUM)
- size = (isc_offset_t)cfg_obj_asuint64(sizeobj);
- dest.file.stream = NULL;
- dest.file.name = cfg_obj_asstring(pathobj);
- dest.file.versions = versions;
- dest.file.maximum_size = size;
- } else if (syslogobj != NULL) {
- int facility = LOG_DAEMON;
-
- type = ISC_LOG_TOSYSLOG;
-
- if (cfg_obj_isstring(syslogobj)) {
- const char *facilitystr = cfg_obj_asstring(syslogobj);
- (void)isc_syslog_facilityfromstring(facilitystr,
- &facility);
- }
- dest.facility = facility;
- } else if (stderrobj != NULL) {
- type = ISC_LOG_TOFILEDESC;
- dest.file.stream = stderr;
- dest.file.name = NULL;
- dest.file.versions = ISC_LOG_ROLLNEVER;
- dest.file.maximum_size = 0;
- }
-
- /*
- * Munge flags.
- */
- {
- const cfg_obj_t *printcat = NULL;
- const cfg_obj_t *printsev = NULL;
- const cfg_obj_t *printtime = NULL;
-
- (void)cfg_map_get(channel, "print-category", &printcat);
- (void)cfg_map_get(channel, "print-severity", &printsev);
- (void)cfg_map_get(channel, "print-time", &printtime);
-
- if (printcat != NULL && cfg_obj_asboolean(printcat))
- flags |= ISC_LOG_PRINTCATEGORY;
- if (printtime != NULL && cfg_obj_asboolean(printtime))
- flags |= ISC_LOG_PRINTTIME;
- if (printsev != NULL && cfg_obj_asboolean(printsev))
- flags |= ISC_LOG_PRINTLEVEL;
- }
-
- level = ISC_LOG_INFO;
- if (cfg_map_get(channel, "severity", &severity) == ISC_R_SUCCESS) {
- if (cfg_obj_isstring(severity)) {
- const char *str = cfg_obj_asstring(severity);
- if (strcasecmp(str, "critical") == 0)
- level = ISC_LOG_CRITICAL;
- else if (strcasecmp(str, "error") == 0)
- level = ISC_LOG_ERROR;
- else if (strcasecmp(str, "warning") == 0)
- level = ISC_LOG_WARNING;
- else if (strcasecmp(str, "notice") == 0)
- level = ISC_LOG_NOTICE;
- else if (strcasecmp(str, "info") == 0)
- level = ISC_LOG_INFO;
- else if (strcasecmp(str, "dynamic") == 0)
- level = ISC_LOG_DYNAMIC;
- } else
- /* debug */
- level = cfg_obj_asuint32(severity);
- }
-
- result = isc_log_createchannel(lctx, channelname,
- type, level, &dest, flags);
-
- if (result == ISC_R_SUCCESS && type == ISC_LOG_TOFILE) {
- FILE *fp;
-
- /*
- * Test that the file can be opened, since isc_log_open()
- * can't effectively report failures when called in
- * isc_log_doit().
- */
- result = isc_stdio_open(dest.file.name, "a", &fp);
- if (result != ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, CFG_LOGCATEGORY_CONFIG,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "logging channel '%s' file '%s': %s",
- channelname, dest.file.name,
- isc_result_totext(result));
- else
- (void)isc_stdio_close(fp);
-
- /*
- * Allow named to continue by returning success.
- */
- result = ISC_R_SUCCESS;
- }
-
- return (result);
-}
-
-isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, const cfg_obj_t *logstmt) {
- isc_result_t result;
- const cfg_obj_t *channels = NULL;
- const cfg_obj_t *categories = NULL;
- const cfg_listelt_t *element;
- isc_boolean_t default_set = ISC_FALSE;
- isc_boolean_t unmatched_set = ISC_FALSE;
- const cfg_obj_t *catname;
-
- CHECK(ns_log_setdefaultchannels(logconf));
-
- (void)cfg_map_get(logstmt, "channel", &channels);
- for (element = cfg_list_first(channels);
- element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *channel = cfg_listelt_value(element);
- CHECK(channel_fromconf(channel, logconf));
- }
-
- (void)cfg_map_get(logstmt, "category", &categories);
- for (element = cfg_list_first(categories);
- element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *category = cfg_listelt_value(element);
- CHECK(category_fromconf(category, logconf));
- if (!default_set) {
- catname = cfg_tuple_get(category, "name");
- if (strcmp(cfg_obj_asstring(catname), "default") == 0)
- default_set = ISC_TRUE;
- }
- if (!unmatched_set) {
- catname = cfg_tuple_get(category, "name");
- if (strcmp(cfg_obj_asstring(catname), "unmatched") == 0)
- unmatched_set = ISC_TRUE;
- }
- }
-
- if (!default_set)
- CHECK(ns_log_setdefaultcategory(logconf));
-
- if (!unmatched_set)
- CHECK(ns_log_setunmatchedcategory(logconf));
-
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (logconf != NULL)
- isc_logconfig_destroy(&logconf);
- return (result);
-}
diff --git a/usr.sbin/bind/bin/named/lwaddr.c b/usr.sbin/bind/bin/named/lwaddr.c
deleted file mode 100644
index cb8445b5e14..00000000000
--- a/usr.sbin/bind/bin/named/lwaddr.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: lwaddr.c,v 1.4.18.2 2005/04/29 00:15:23 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-
-#include
-#include
-#include
-
-#include
-
-#include
-
-/*%
- * Convert addresses from lwres to isc format.
- */
-isc_result_t
-lwaddr_netaddr_fromlwresaddr(isc_netaddr_t *na, lwres_addr_t *la) {
- if (la->family != LWRES_ADDRTYPE_V4 && la->family != LWRES_ADDRTYPE_V6)
- return (ISC_R_FAMILYNOSUPPORT);
-
- if (la->family == LWRES_ADDRTYPE_V4) {
- struct in_addr ina;
- memcpy(&ina.s_addr, la->address, 4);
- isc_netaddr_fromin(na, &ina);
- } else {
- struct in6_addr ina6;
- memcpy(&ina6.s6_addr, la->address, 16);
- isc_netaddr_fromin6(na, &ina6);
- }
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-lwaddr_sockaddr_fromlwresaddr(isc_sockaddr_t *sa, lwres_addr_t *la,
- in_port_t port)
-{
- isc_netaddr_t na;
- isc_result_t result;
-
- result = lwaddr_netaddr_fromlwresaddr(&na, la);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_sockaddr_fromnetaddr(sa, &na, port);
- return (ISC_R_SUCCESS);
-}
-
-/*%
- * Convert addresses from isc to lwres format.
- */
-
-isc_result_t
-lwaddr_lwresaddr_fromnetaddr(lwres_addr_t *la, isc_netaddr_t *na) {
- if (na->family != AF_INET && na->family != AF_INET6)
- return (ISC_R_FAMILYNOSUPPORT);
-
- if (na->family == AF_INET) {
- la->family = LWRES_ADDRTYPE_V4;
- la->length = 4;
- memcpy(la->address, &na->type.in, 4);
- } else {
- la->family = LWRES_ADDRTYPE_V6;
- la->length = 16;
- memcpy(la->address, &na->type.in, 16);
- }
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-lwaddr_lwresaddr_fromsockaddr(lwres_addr_t *la, isc_sockaddr_t *sa) {
- isc_netaddr_t na;
- isc_netaddr_fromsockaddr(&na, sa);
- return (lwaddr_lwresaddr_fromnetaddr(la, &na));
-}
diff --git a/usr.sbin/bind/bin/named/lwdclient.c b/usr.sbin/bind/bin/named/lwdclient.c
deleted file mode 100644
index 0ccf5420aa4..00000000000
--- a/usr.sbin/bind/bin/named/lwdclient.c
+++ /dev/null
@@ -1,467 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: lwdclient.c,v 1.17.18.2 2005/04/29 00:15:23 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-#define SHUTTINGDOWN(cm) ((cm->flags & NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN) != 0)
-
-static void
-lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev);
-
-void
-ns_lwdclient_log(int level, const char *format, ...) {
- va_list args;
-
- va_start(args, format);
- isc_log_vwrite(dns_lctx,
- DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
- ISC_LOG_DEBUG(level), format, args);
- va_end(args);
-}
-
-isc_result_t
-ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
- isc_taskmgr_t *taskmgr)
-{
- ns_lwresd_t *lwresd = listener->manager;
- ns_lwdclientmgr_t *cm;
- ns_lwdclient_t *client;
- unsigned int i;
- isc_result_t result = ISC_R_FAILURE;
-
- cm = isc_mem_get(lwresd->mctx, sizeof(ns_lwdclientmgr_t));
- if (cm == NULL)
- return (ISC_R_NOMEMORY);
-
- cm->listener = NULL;
- ns_lwreslistener_attach(listener, &cm->listener);
- cm->mctx = lwresd->mctx;
- cm->sock = NULL;
- isc_socket_attach(listener->sock, &cm->sock);
- cm->view = lwresd->view;
- cm->lwctx = NULL;
- cm->task = NULL;
- cm->flags = 0;
- ISC_LINK_INIT(cm, link);
- ISC_LIST_INIT(cm->idle);
- ISC_LIST_INIT(cm->running);
-
- if (lwres_context_create(&cm->lwctx, cm->mctx,
- ns__lwresd_memalloc, ns__lwresd_memfree,
- LWRES_CONTEXT_SERVERMODE)
- != ISC_R_SUCCESS)
- goto errout;
-
- for (i = 0; i < nclients; i++) {
- client = isc_mem_get(lwresd->mctx, sizeof(ns_lwdclient_t));
- if (client != NULL) {
- ns_lwdclient_log(50, "created client %p, manager %p",
- client, cm);
- ns_lwdclient_initialize(client, cm);
- }
- }
-
- /*
- * If we could create no clients, clean up and return.
- */
- if (ISC_LIST_EMPTY(cm->idle))
- goto errout;
-
- result = isc_task_create(taskmgr, 0, &cm->task);
- if (result != ISC_R_SUCCESS)
- goto errout;
-
- /*
- * This MUST be last, since there is no way to cancel an onshutdown...
- */
- result = isc_task_onshutdown(cm->task, lwdclientmgr_shutdown_callback,
- cm);
- if (result != ISC_R_SUCCESS)
- goto errout;
-
- ns_lwreslistener_linkcm(listener, cm);
-
- return (ISC_R_SUCCESS);
-
- errout:
- client = ISC_LIST_HEAD(cm->idle);
- while (client != NULL) {
- ISC_LIST_UNLINK(cm->idle, client, link);
- isc_mem_put(lwresd->mctx, client, sizeof(*client));
- client = ISC_LIST_HEAD(cm->idle);
- }
-
- if (cm->task != NULL)
- isc_task_detach(&cm->task);
-
- if (cm->lwctx != NULL)
- lwres_context_destroy(&cm->lwctx);
-
- isc_mem_put(lwresd->mctx, cm, sizeof(*cm));
- return (result);
-}
-
-static void
-lwdclientmgr_destroy(ns_lwdclientmgr_t *cm) {
- ns_lwdclient_t *client;
- ns_lwreslistener_t *listener;
-
- if (!SHUTTINGDOWN(cm))
- return;
-
- /*
- * run through the idle list and free the clients there. Idle
- * clients do not have a recv running nor do they have any finds
- * or similar running.
- */
- client = ISC_LIST_HEAD(cm->idle);
- while (client != NULL) {
- ns_lwdclient_log(50, "destroying client %p, manager %p",
- client, cm);
- ISC_LIST_UNLINK(cm->idle, client, link);
- isc_mem_put(cm->mctx, client, sizeof(*client));
- client = ISC_LIST_HEAD(cm->idle);
- }
-
- if (!ISC_LIST_EMPTY(cm->running))
- return;
-
- lwres_context_destroy(&cm->lwctx);
- cm->view = NULL;
- isc_socket_detach(&cm->sock);
- isc_task_detach(&cm->task);
-
- listener = cm->listener;
- ns_lwreslistener_unlinkcm(listener, cm);
- ns_lwdclient_log(50, "destroying manager %p", cm);
- isc_mem_put(cm->mctx, cm, sizeof(*cm));
- ns_lwreslistener_detach(&listener);
-}
-
-static void
-process_request(ns_lwdclient_t *client) {
- lwres_buffer_t b;
- isc_result_t result;
-
- lwres_buffer_init(&b, client->buffer, client->recvlength);
- lwres_buffer_add(&b, client->recvlength);
-
- result = lwres_lwpacket_parseheader(&b, &client->pkt);
- if (result != ISC_R_SUCCESS) {
- ns_lwdclient_log(50, "invalid packet header received");
- goto restart;
- }
-
- ns_lwdclient_log(50, "opcode %08x", client->pkt.opcode);
-
- switch (client->pkt.opcode) {
- case LWRES_OPCODE_GETADDRSBYNAME:
- ns_lwdclient_processgabn(client, &b);
- return;
- case LWRES_OPCODE_GETNAMEBYADDR:
- ns_lwdclient_processgnba(client, &b);
- return;
- case LWRES_OPCODE_GETRDATABYNAME:
- ns_lwdclient_processgrbn(client, &b);
- return;
- case LWRES_OPCODE_NOOP:
- ns_lwdclient_processnoop(client, &b);
- return;
- default:
- ns_lwdclient_log(50, "unknown opcode %08x", client->pkt.opcode);
- goto restart;
- }
-
- /*
- * Drop the packet.
- */
- restart:
- ns_lwdclient_log(50, "restarting client %p...", client);
- ns_lwdclient_stateidle(client);
-}
-
-void
-ns_lwdclient_recv(isc_task_t *task, isc_event_t *ev) {
- isc_result_t result;
- ns_lwdclient_t *client = ev->ev_arg;
- ns_lwdclientmgr_t *cm = client->clientmgr;
- isc_socketevent_t *dev = (isc_socketevent_t *)ev;
-
- INSIST(dev->region.base == client->buffer);
- INSIST(NS_LWDCLIENT_ISRECV(client));
-
- NS_LWDCLIENT_SETRECVDONE(client);
-
- INSIST((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0);
- cm->flags &= ~NS_LWDCLIENTMGR_FLAGRECVPENDING;
-
- ns_lwdclient_log(50,
- "event received: task %p, length %u, result %u (%s)",
- task, dev->n, dev->result,
- isc_result_totext(dev->result));
-
- if (dev->result != ISC_R_SUCCESS) {
- isc_event_free(&ev);
- dev = NULL;
-
- /*
- * Go idle.
- */
- ns_lwdclient_stateidle(client);
-
- return;
- }
-
- client->recvlength = dev->n;
- client->address = dev->address;
- if ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0) {
- client->pktinfo = dev->pktinfo;
- client->pktinfo_valid = ISC_TRUE;
- } else
- client->pktinfo_valid = ISC_FALSE;
- isc_event_free(&ev);
- dev = NULL;
-
- result = ns_lwdclient_startrecv(cm);
- if (result != ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
- "could not start lwres "
- "client handler: %s",
- isc_result_totext(result));
-
- process_request(client);
-}
-
-/*
- * This function will start a new recv() on a socket for this client manager.
- */
-isc_result_t
-ns_lwdclient_startrecv(ns_lwdclientmgr_t *cm) {
- ns_lwdclient_t *client;
- isc_result_t result;
- isc_region_t r;
-
- if (SHUTTINGDOWN(cm)) {
- lwdclientmgr_destroy(cm);
- return (ISC_R_SUCCESS);
- }
-
- /*
- * If a recv is already running, don't bother.
- */
- if ((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0)
- return (ISC_R_SUCCESS);
-
- /*
- * If we have no idle slots, just return success.
- */
- client = ISC_LIST_HEAD(cm->idle);
- if (client == NULL)
- return (ISC_R_SUCCESS);
- INSIST(NS_LWDCLIENT_ISIDLE(client));
-
- /*
- * Issue the recv. If it fails, return that it did.
- */
- r.base = client->buffer;
- r.length = LWRES_RECVLENGTH;
- result = isc_socket_recv(cm->sock, &r, 0, cm->task, ns_lwdclient_recv,
- client);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Set the flag to say we've issued a recv() call.
- */
- cm->flags |= NS_LWDCLIENTMGR_FLAGRECVPENDING;
-
- /*
- * Remove the client from the idle list, and put it on the running
- * list.
- */
- NS_LWDCLIENT_SETRECV(client);
- ISC_LIST_UNLINK(cm->idle, client, link);
- ISC_LIST_APPEND(cm->running, client, link);
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev) {
- ns_lwdclientmgr_t *cm = ev->ev_arg;
- ns_lwdclient_t *client;
-
- REQUIRE(!SHUTTINGDOWN(cm));
-
- ns_lwdclient_log(50, "got shutdown event, task %p, lwdclientmgr %p",
- task, cm);
-
- /*
- * run through the idle list and free the clients there. Idle
- * clients do not have a recv running nor do they have any finds
- * or similar running.
- */
- client = ISC_LIST_HEAD(cm->idle);
- while (client != NULL) {
- ns_lwdclient_log(50, "destroying client %p, manager %p",
- client, cm);
- ISC_LIST_UNLINK(cm->idle, client, link);
- isc_mem_put(cm->mctx, client, sizeof(*client));
- client = ISC_LIST_HEAD(cm->idle);
- }
-
- /*
- * Cancel any pending I/O.
- */
- isc_socket_cancel(cm->sock, task, ISC_SOCKCANCEL_ALL);
-
- /*
- * Run through the running client list and kill off any finds
- * in progress.
- */
- client = ISC_LIST_HEAD(cm->running);
- while (client != NULL) {
- if (client->find != client->v4find
- && client->find != client->v6find)
- dns_adb_cancelfind(client->find);
- if (client->v4find != NULL)
- dns_adb_cancelfind(client->v4find);
- if (client->v6find != NULL)
- dns_adb_cancelfind(client->v6find);
- client = ISC_LIST_NEXT(client, link);
- }
-
- cm->flags |= NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN;
-
- isc_event_free(&ev);
-}
-
-/*
- * Do all the crap needed to move a client from the run queue to the idle
- * queue.
- */
-void
-ns_lwdclient_stateidle(ns_lwdclient_t *client) {
- ns_lwdclientmgr_t *cm;
- isc_result_t result;
-
- cm = client->clientmgr;
-
- INSIST(client->sendbuf == NULL);
- INSIST(client->sendlength == 0);
- INSIST(client->arg == NULL);
- INSIST(client->v4find == NULL);
- INSIST(client->v6find == NULL);
-
- ISC_LIST_UNLINK(cm->running, client, link);
- ISC_LIST_PREPEND(cm->idle, client, link);
-
- NS_LWDCLIENT_SETIDLE(client);
-
- result = ns_lwdclient_startrecv(cm);
- if (result != ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
- "could not start lwres "
- "client handler: %s",
- isc_result_totext(result));
-}
-
-void
-ns_lwdclient_send(isc_task_t *task, isc_event_t *ev) {
- ns_lwdclient_t *client = ev->ev_arg;
- ns_lwdclientmgr_t *cm = client->clientmgr;
- isc_socketevent_t *dev = (isc_socketevent_t *)ev;
-
- UNUSED(task);
- UNUSED(dev);
-
- INSIST(NS_LWDCLIENT_ISSEND(client));
- INSIST(client->sendbuf == dev->region.base);
-
- ns_lwdclient_log(50, "task %p for client %p got send-done event",
- task, client);
-
- if (client->sendbuf != client->buffer)
- lwres_context_freemem(cm->lwctx, client->sendbuf,
- client->sendlength);
- client->sendbuf = NULL;
- client->sendlength = 0;
-
- ns_lwdclient_stateidle(client);
-
- isc_event_free(&ev);
-}
-
-isc_result_t
-ns_lwdclient_sendreply(ns_lwdclient_t *client, isc_region_t *r) {
- struct in6_pktinfo *pktinfo;
- ns_lwdclientmgr_t *cm = client->clientmgr;
-
- if (client->pktinfo_valid)
- pktinfo = &client->pktinfo;
- else
- pktinfo = NULL;
- return (isc_socket_sendto(cm->sock, r, cm->task, ns_lwdclient_send,
- client, &client->address, pktinfo));
-}
-
-void
-ns_lwdclient_initialize(ns_lwdclient_t *client, ns_lwdclientmgr_t *cmgr) {
- client->clientmgr = cmgr;
- ISC_LINK_INIT(client, link);
- NS_LWDCLIENT_SETIDLE(client);
- client->arg = NULL;
-
- client->recvlength = 0;
-
- client->sendbuf = NULL;
- client->sendlength = 0;
-
- client->find = NULL;
- client->v4find = NULL;
- client->v6find = NULL;
- client->find_wanted = 0;
-
- client->options = 0;
- client->byaddr = NULL;
-
- client->lookup = NULL;
-
- client->pktinfo_valid = ISC_FALSE;
-
- ISC_LIST_APPEND(cmgr->idle, client, link);
-}
diff --git a/usr.sbin/bind/bin/named/lwderror.c b/usr.sbin/bind/bin/named/lwderror.c
deleted file mode 100644
index 922e81f0e98..00000000000
--- a/usr.sbin/bind/bin/named/lwderror.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: lwderror.c,v 1.8.18.2 2005/04/29 00:15:24 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-#include
-
-#include
-#include
-
-/*%
- * Generate an error packet for the client, schedule a send, and put us in
- * the SEND state.
- *
- * The client->pkt structure will be modified to form an error return.
- * The receiver needs to verify that it is in fact an error, and do the
- * right thing with it. The opcode will be unchanged. The result needs
- * to be set before calling this function.
- *
- * The only change this code makes is to set the receive buffer size to the
- * size we use, set the reply bit, and recompute any security information.
- */
-void
-ns_lwdclient_errorpktsend(ns_lwdclient_t *client, isc_uint32_t _result) {
- isc_result_t result;
- int lwres;
- isc_region_t r;
- lwres_buffer_t b;
-
- REQUIRE(NS_LWDCLIENT_ISRUNNING(client));
-
- /*
- * Since we are only sending the packet header, we can safely toss
- * the receive buffer. This means we won't need to allocate space
- * for sending an error reply. This is a Good Thing.
- */
- client->pkt.length = LWRES_LWPACKET_LENGTH;
- client->pkt.pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
- client->pkt.recvlength = LWRES_RECVLENGTH;
- client->pkt.authtype = 0; /* XXXMLG */
- client->pkt.authlength = 0;
- client->pkt.result = _result;
-
- lwres_buffer_init(&b, client->buffer, LWRES_RECVLENGTH);
- lwres = lwres_lwpacket_renderheader(&b, &client->pkt);
- if (lwres != LWRES_R_SUCCESS) {
- ns_lwdclient_stateidle(client);
- return;
- }
-
- r.base = client->buffer;
- r.length = b.used;
- client->sendbuf = client->buffer;
- result = ns_lwdclient_sendreply(client, &r);
- if (result != ISC_R_SUCCESS) {
- ns_lwdclient_stateidle(client);
- return;
- }
-
- NS_LWDCLIENT_SETSEND(client);
-}
diff --git a/usr.sbin/bind/bin/named/lwdgabn.c b/usr.sbin/bind/bin/named/lwdgabn.c
deleted file mode 100644
index b8f0f84df2d..00000000000
--- a/usr.sbin/bind/bin/named/lwdgabn.c
+++ /dev/null
@@ -1,657 +0,0 @@ -/* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: lwdgabn.c,v 1.15.18.5 2006/03/02 00:37:21 marka Exp $ */ - -/*! \file */ - -#include - -#include - -#include -#include -#include -#include /* Required for HP/UX (and others?) */ -#include - -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -#define NEED_V4(c) ((((c)->find_wanted & LWRES_ADDRTYPE_V4) != 0) \ - && ((c)->v4find == NULL)) -#define NEED_V6(c) ((((c)->find_wanted & LWRES_ADDRTYPE_V6) != 0) \ - && ((c)->v6find == NULL)) - -static isc_result_t start_find(ns_lwdclient_t *); -static void restart_find(ns_lwdclient_t *); -static void init_gabn(ns_lwdclient_t *); - -/*% - * Destroy any finds. This can be used to "start over from scratch" and - * should only be called when events are _not_ being generated by the finds. 
- */ -static void -cleanup_gabn(ns_lwdclient_t *client) { - ns_lwdclient_log(50, "cleaning up client %p", client); - - if (client->v6find != NULL) { - if (client->v6find == client->v4find) - client->v6find = NULL; - else - dns_adb_destroyfind(&client->v6find); - } - if (client->v4find != NULL) - dns_adb_destroyfind(&client->v4find); -} - -static void -setup_addresses(ns_lwdclient_t *client, dns_adbfind_t *find, unsigned int at) { - dns_adbaddrinfo_t *ai; - lwres_addr_t *addr; - int af; - const struct sockaddr *sa; - isc_result_t result; - - if (at == DNS_ADBFIND_INET) - af = AF_INET; - else - af = AF_INET6; - - ai = ISC_LIST_HEAD(find->list); - while (ai != NULL && client->gabn.naddrs < LWRES_MAX_ADDRS) { - sa = &ai->sockaddr.type.sa; - if (sa->sa_family != af) - goto next; - - addr = &client->addrs[client->gabn.naddrs]; - - result = lwaddr_lwresaddr_fromsockaddr(addr, &ai->sockaddr); - if (result != ISC_R_SUCCESS) - goto next; - - ns_lwdclient_log(50, "adding address %p, family %d, length %d", - addr->address, addr->family, addr->length); - - client->gabn.naddrs++; - REQUIRE(!LWRES_LINK_LINKED(addr, link)); - LWRES_LIST_APPEND(client->gabn.addrs, addr, link); - - next: - ai = ISC_LIST_NEXT(ai, publink); - } -} - -typedef struct { - isc_netaddr_t address; - int rank; -} rankedaddress; - -static int -addr_compare(const void *av, const void *bv) { - const rankedaddress *a = (const rankedaddress *) av; - const rankedaddress *b = (const rankedaddress *) bv; - return (a->rank - b->rank); -} - -static void -sort_addresses(ns_lwdclient_t *client) { - unsigned int naddrs; - rankedaddress *addrs; - isc_netaddr_t remote; - dns_addressorderfunc_t order; - const void *arg; - ns_lwresd_t *lwresd = client->clientmgr->listener->manager; - unsigned int i; - isc_result_t result; - - naddrs = client->gabn.naddrs; - - if (naddrs <= 1 || lwresd->view->sortlist == NULL) - return; - - addrs = isc_mem_get(lwresd->mctx, sizeof(rankedaddress) * naddrs); - if (addrs == NULL) - return; - - 
isc_netaddr_fromsockaddr(&remote, &client->address); - ns_sortlist_byaddrsetup(lwresd->view->sortlist, - &remote, &order, &arg); - if (order == NULL) { - isc_mem_put(lwresd->mctx, addrs, - sizeof(rankedaddress) * naddrs); - return; - } - for (i = 0; i < naddrs; i++) { - result = lwaddr_netaddr_fromlwresaddr(&addrs[i].address, - &client->addrs[i]); - INSIST(result == ISC_R_SUCCESS); - addrs[i].rank = (*order)(&addrs[i].address, arg); - } - qsort(addrs, naddrs, sizeof(rankedaddress), addr_compare); - for (i = 0; i < naddrs; i++) { - result = lwaddr_lwresaddr_fromnetaddr(&client->addrs[i], - &addrs[i].address); - INSIST(result == ISC_R_SUCCESS); - } - - isc_mem_put(lwresd->mctx, addrs, sizeof(rankedaddress) * naddrs); -} - -static void -generate_reply(ns_lwdclient_t *client) { - isc_result_t result; - int lwres; - isc_region_t r; - lwres_buffer_t lwb; - ns_lwdclientmgr_t *cm; - - cm = client->clientmgr; - lwb.base = NULL; - - ns_lwdclient_log(50, "generating gabn reply for client %p", client); - - /* - * We must make certain the client->find is not still active. - * If it is either the v4 or v6 answer, just set it to NULL and - * let the cleanup code destroy it. Otherwise, destroy it now. - */ - if (client->find == client->v4find || client->find == client->v6find) - client->find = NULL; - else - if (client->find != NULL) - dns_adb_destroyfind(&client->find); - - /* - * perhaps there are some here? - */ - if (NEED_V6(client) && client->v4find != NULL) - client->v6find = client->v4find; - - /* - * Run through the finds we have and wire them up to the gabn - * structure. - */ - LWRES_LIST_INIT(client->gabn.addrs); - if (client->v4find != NULL) - setup_addresses(client, client->v4find, DNS_ADBFIND_INET); - if (client->v6find != NULL) - setup_addresses(client, client->v6find, DNS_ADBFIND_INET6); - - /* - * If there are no addresses, try the next element in the search - * path, if there are any more. Otherwise, fall through into - * the error handling code below. 
- */ - if (client->gabn.naddrs == 0) { - do { - result = ns_lwsearchctx_next(&client->searchctx); - if (result == ISC_R_SUCCESS) { - cleanup_gabn(client); - result = start_find(client); - if (result == ISC_R_SUCCESS) - return; - } - } while (result == ISC_R_SUCCESS); - } - - /* - * Render the packet. - */ - client->pkt.recvlength = LWRES_RECVLENGTH; - client->pkt.authtype = 0; /* XXXMLG */ - client->pkt.authlength = 0; - - /* - * If there are no addresses, return failure. - */ - if (client->gabn.naddrs != 0) - client->pkt.result = LWRES_R_SUCCESS; - else - client->pkt.result = LWRES_R_NOTFOUND; - - sort_addresses(client); - - lwres = lwres_gabnresponse_render(cm->lwctx, &client->gabn, - &client->pkt, &lwb); - if (lwres != LWRES_R_SUCCESS) - goto out; - - r.base = lwb.base; - r.length = lwb.used; - client->sendbuf = r.base; - client->sendlength = r.length; - result = ns_lwdclient_sendreply(client, &r); - if (result != ISC_R_SUCCESS) - goto out; - - NS_LWDCLIENT_SETSEND(client); - - /* - * All done! - */ - cleanup_gabn(client); - - return; - - out: - cleanup_gabn(client); - - if (lwb.base != NULL) - lwres_context_freemem(client->clientmgr->lwctx, - lwb.base, lwb.length); - - ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); -} - -/* - * Take the current real name, move it to an alias slot (if any are - * open) then put this new name in as the real name for the target. - * - * Return success if it can be rendered, otherwise failure. Note that - * not having enough alias slots open is NOT a failure. - */ -static isc_result_t -add_alias(ns_lwdclient_t *client) { - isc_buffer_t b; - isc_result_t result; - isc_uint16_t naliases; - - b = client->recv_buffer; - - /* - * Render the new name to the buffer. - */ - result = dns_name_totext(dns_fixedname_name(&client->target_name), - ISC_TRUE, &client->recv_buffer); - if (result != ISC_R_SUCCESS) - return (result); - - /* - * Are there any open slots? 
- */ - naliases = client->gabn.naliases; - if (naliases < LWRES_MAX_ALIASES) { - client->gabn.aliases[naliases] = client->gabn.realname; - client->gabn.aliaslen[naliases] = client->gabn.realnamelen; - client->gabn.naliases++; - } - - /* - * Save this name away as the current real name. - */ - client->gabn.realname = (char *)(b.base) + b.used; - client->gabn.realnamelen = client->recv_buffer.used - b.used; - - return (ISC_R_SUCCESS); -} - -static isc_result_t -store_realname(ns_lwdclient_t *client) { - isc_buffer_t b; - isc_result_t result; - dns_name_t *tname; - - b = client->recv_buffer; - - tname = dns_fixedname_name(&client->target_name); - result = ns_lwsearchctx_current(&client->searchctx, tname); - if (result != ISC_R_SUCCESS) - return (result); - - /* - * Render the new name to the buffer. - */ - result = dns_name_totext(tname, ISC_TRUE, &client->recv_buffer); - if (result != ISC_R_SUCCESS) - return (result); - - /* - * Save this name away as the current real name. - */ - client->gabn.realname = (char *) b.base + b.used; - client->gabn.realnamelen = client->recv_buffer.used - b.used; - - return (ISC_R_SUCCESS); -} - -static void -process_gabn_finddone(isc_task_t *task, isc_event_t *ev) { - ns_lwdclient_t *client = ev->ev_arg; - isc_eventtype_t evtype; - isc_boolean_t claimed; - - ns_lwdclient_log(50, "find done for task %p, client %p", task, client); - - evtype = ev->ev_type; - isc_event_free(&ev); - - /* - * No more info to be had? If so, we have all the good stuff - * right now, so we can render things. - */ - claimed = ISC_FALSE; - if (evtype == DNS_EVENT_ADBNOMOREADDRESSES) { - if (NEED_V4(client)) { - client->v4find = client->find; - claimed = ISC_TRUE; - } - if (NEED_V6(client)) { - client->v6find = client->find; - claimed = ISC_TRUE; - } - if (client->find != NULL) { - if (claimed) - client->find = NULL; - else - dns_adb_destroyfind(&client->find); - - } - generate_reply(client); - return; - } - - /* - * We probably don't need this find anymore. 
We're either going to - * reissue it, or an error occurred. Either way, we're done with - * it. - */ - if ((client->find != client->v4find) - && (client->find != client->v6find)) { - dns_adb_destroyfind(&client->find); - } else { - client->find = NULL; - } - - /* - * We have some new information we can gather. Run off and fetch - * it. - */ - if (evtype == DNS_EVENT_ADBMOREADDRESSES) { - restart_find(client); - return; - } - - /* - * An error or other strangeness happened. Drop this query. - */ - cleanup_gabn(client); - ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); -} - -static void -restart_find(ns_lwdclient_t *client) { - unsigned int options; - isc_result_t result; - isc_boolean_t claimed; - - ns_lwdclient_log(50, "starting find for client %p", client); - - /* - * Issue a find for the name contained in the request. We won't - * set the bit that says "anything is good enough" -- we want it - * all. - */ - options = 0; - options |= DNS_ADBFIND_WANTEVENT; - options |= DNS_ADBFIND_RETURNLAME; - - /* - * Set the bits up here to mark that we want this address family - * and that we do not currently have a find pending. We will - * set that bit again below if it turns out we will get an event. - */ - if (NEED_V4(client)) - options |= DNS_ADBFIND_INET; - if (NEED_V6(client)) - options |= DNS_ADBFIND_INET6; - - find_again: - INSIST(client->find == NULL); - result = dns_adb_createfind(client->clientmgr->view->adb, - client->clientmgr->task, - process_gabn_finddone, client, - dns_fixedname_name(&client->target_name), - dns_rootname, 0, options, 0, - dns_fixedname_name(&client->target_name), - client->clientmgr->view->dstport, - &client->find); - - /* - * Did we get an alias? If so, save it and re-issue the query. 
- */ - if (result == DNS_R_ALIAS) { - ns_lwdclient_log(50, "found alias, restarting query"); - dns_adb_destroyfind(&client->find); - cleanup_gabn(client); - result = add_alias(client); - if (result != ISC_R_SUCCESS) { - ns_lwdclient_log(50, - "out of buffer space adding alias"); - ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); - return; - } - goto find_again; - } - - ns_lwdclient_log(50, "find returned %d (%s)", result, - isc_result_totext(result)); - - /* - * Did we get an error? - */ - if (result != ISC_R_SUCCESS) { - if (client->find != NULL) - dns_adb_destroyfind(&client->find); - cleanup_gabn(client); - ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); - return; - } - - claimed = ISC_FALSE; - - /* - * Did we get our answer to V4 addresses? - */ - if (NEED_V4(client) - && ((client->find->query_pending & DNS_ADBFIND_INET) == 0)) { - ns_lwdclient_log(50, "client %p ipv4 satisfied by find %p", - client, client->find); - claimed = ISC_TRUE; - client->v4find = client->find; - } - - /* - * Did we get our answer to V6 addresses? - */ - if (NEED_V6(client) - && ((client->find->query_pending & DNS_ADBFIND_INET6) == 0)) { - ns_lwdclient_log(50, "client %p ipv6 satisfied by find %p", - client, client->find); - claimed = ISC_TRUE; - client->v6find = client->find; - } - - /* - * If we're going to get an event, set our internal pending flag - * and return. When we get an event back we'll do the right - * thing, basically by calling this function again, perhaps with a - * new target name. - * - * If we have both v4 and v6, and we are still getting an event, - * we have a programming error, so die hard. 
- */ - if ((client->find->options & DNS_ADBFIND_WANTEVENT) != 0) { - ns_lwdclient_log(50, "event will be sent"); - INSIST(client->v4find == NULL || client->v6find == NULL); - return; - } - ns_lwdclient_log(50, "no event will be sent"); - if (claimed) - client->find = NULL; - else - dns_adb_destroyfind(&client->find); - - /* - * We seem to have everything we asked for, or at least we are - * able to respond with things we've learned. - */ - - generate_reply(client); -} - -static isc_result_t -start_find(ns_lwdclient_t *client) { - isc_result_t result; - - /* - * Initialize the real name and alias arrays in the reply we're - * going to build up. - */ - init_gabn(client); - - result = store_realname(client); - if (result != ISC_R_SUCCESS) - return (result); - restart_find(client); - return (ISC_R_SUCCESS); - -} - -static void -init_gabn(ns_lwdclient_t *client) { - int i; - - /* - * Initialize the real name and alias arrays in the reply we're - * going to build up. - */ - for (i = 0; i < LWRES_MAX_ALIASES; i++) { - client->aliases[i] = NULL; - client->aliaslen[i] = 0; - } - for (i = 0; i < LWRES_MAX_ADDRS; i++) { - client->addrs[i].family = 0; - client->addrs[i].length = 0; - memset(client->addrs[i].address, 0, LWRES_ADDR_MAXLEN); - LWRES_LINK_INIT(&client->addrs[i], link); - } - - client->gabn.naliases = 0; - client->gabn.naddrs = 0; - client->gabn.realname = NULL; - client->gabn.aliases = client->aliases; - client->gabn.realnamelen = 0; - client->gabn.aliaslen = client->aliaslen; - LWRES_LIST_INIT(client->gabn.addrs); - client->gabn.base = NULL; - client->gabn.baselen = 0; - - /* - * Set up the internal buffer to point to the receive region. 
- */ - isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH); -} - -/* - * When we are called, we can be assured that: - * - * client->sockaddr contains the address we need to reply to, - * - * client->pkt contains the packet header data, - * - * the packet "checks out" overall -- any MD5 hashes or crypto - * bits have been verified, - * - * "b" points to the remaining data after the packet header - * was parsed off. - * - * We are in a the RECVDONE state. - * - * From this state we will enter the SEND state if we happen to have - * everything we need or we need to return an error packet, or to the - * FINDWAIT state if we need to look things up. - */ -void -ns_lwdclient_processgabn(ns_lwdclient_t *client, lwres_buffer_t *b) { - isc_result_t result; - lwres_gabnrequest_t *req; - ns_lwdclientmgr_t *cm; - isc_buffer_t namebuf; - - REQUIRE(NS_LWDCLIENT_ISRECVDONE(client)); - - cm = client->clientmgr; - req = NULL; - - result = lwres_gabnrequest_parse(client->clientmgr->lwctx, - b, &client->pkt, &req); - if (result != LWRES_R_SUCCESS) - goto out; - if (req->name == NULL) - goto out; - - isc_buffer_init(&namebuf, req->name, req->namelen); - isc_buffer_add(&namebuf, req->namelen); - - dns_fixedname_init(&client->target_name); - dns_fixedname_init(&client->query_name); - result = dns_name_fromtext(dns_fixedname_name(&client->query_name), - &namebuf, NULL, ISC_FALSE, NULL); - if (result != ISC_R_SUCCESS) - goto out; - ns_lwsearchctx_init(&client->searchctx, - cm->listener->manager->search, - dns_fixedname_name(&client->query_name), - cm->listener->manager->ndots); - ns_lwsearchctx_first(&client->searchctx); - - client->find_wanted = req->addrtypes; - ns_lwdclient_log(50, "client %p looking for addrtypes %08x", - client, client->find_wanted); - - /* - * We no longer need to keep this around. - */ - lwres_gabnrequest_free(client->clientmgr->lwctx, &req); - - /* - * Start the find. 
- */ - result = start_find(client); - if (result != ISC_R_SUCCESS) - goto out; - - return; - - /* - * We're screwed. Return an error packet to our caller. - */ - out: - if (req != NULL) - lwres_gabnrequest_free(client->clientmgr->lwctx, &req); - - ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); -} diff --git a/usr.sbin/bind/bin/named/lwdgnba.c b/usr.sbin/bind/bin/named/lwdgnba.c deleted file mode 100644 index a19485209d5..00000000000 --- a/usr.sbin/bind/bin/named/lwdgnba.c +++ /dev/null 
@@ -1,272 +0,0 @@ -/* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: lwdgnba.c,v 1.16.18.2 2005/04/29 00:15:24 marka Exp $ */ - -/*! \file */ - -#include - -#include -#include /* Required for HP/UX (and others?) 
*/ -#include - -#include -#include -#include - -#include -#include - -static void start_byaddr(ns_lwdclient_t *); - -static void -byaddr_done(isc_task_t *task, isc_event_t *event) { - ns_lwdclient_t *client; - ns_lwdclientmgr_t *cm; - dns_byaddrevent_t *bevent; - int lwres; - lwres_buffer_t lwb; - dns_name_t *name; - isc_result_t result; - lwres_result_t lwresult; - isc_region_t r; - isc_buffer_t b; - lwres_gnbaresponse_t *gnba; - isc_uint16_t naliases; - - UNUSED(task); - - lwb.base = NULL; - client = event->ev_arg; - cm = client->clientmgr; - INSIST(client->byaddr == (dns_byaddr_t *)event->ev_sender); - - bevent = (dns_byaddrevent_t *)event; - gnba = &client->gnba; - - ns_lwdclient_log(50, "byaddr event result = %s", - isc_result_totext(bevent->result)); - - result = bevent->result; - if (result != ISC_R_SUCCESS) { - dns_byaddr_destroy(&client->byaddr); - isc_event_free(&event); - bevent = NULL; - - if (client->na.family != AF_INET6 || - (client->options & DNS_BYADDROPT_IPV6INT) != 0) { - if (result == DNS_R_NCACHENXDOMAIN || - result == DNS_R_NCACHENXRRSET || - result == DNS_R_NXDOMAIN || - result == DNS_R_NXRRSET) - lwresult = LWRES_R_NOTFOUND; - else - lwresult = LWRES_R_FAILURE; - ns_lwdclient_errorpktsend(client, lwresult); - return; - } - - /* - * Fall back to ip6.int reverse if the default ip6.arpa - * fails. 
- */ - client->options |= DNS_BYADDROPT_IPV6INT; - - start_byaddr(client); - return; - } - - for (name = ISC_LIST_HEAD(bevent->names); - name != NULL; - name = ISC_LIST_NEXT(name, link)) - { - b = client->recv_buffer; - - result = dns_name_totext(name, ISC_TRUE, &client->recv_buffer); - if (result != ISC_R_SUCCESS) - goto out; - ns_lwdclient_log(50, "found name '%.*s'", - (int)(client->recv_buffer.used - b.used), - (char *)(b.base) + b.used); - if (gnba->realname == NULL) { - gnba->realname = (char *)(b.base) + b.used; - gnba->realnamelen = client->recv_buffer.used - b.used; - } else { - naliases = gnba->naliases; - if (naliases >= LWRES_MAX_ALIASES) - break; - gnba->aliases[naliases] = (char *)(b.base) + b.used; - gnba->aliaslen[naliases] = - client->recv_buffer.used - b.used; - gnba->naliases++; - } - } - - dns_byaddr_destroy(&client->byaddr); - isc_event_free(&event); - - /* - * Render the packet. - */ - client->pkt.recvlength = LWRES_RECVLENGTH; - client->pkt.authtype = 0; /* XXXMLG */ - client->pkt.authlength = 0; - client->pkt.result = LWRES_R_SUCCESS; - - lwres = lwres_gnbaresponse_render(cm->lwctx, - gnba, &client->pkt, &lwb); - if (lwres != LWRES_R_SUCCESS) - goto out; - - r.base = lwb.base; - r.length = lwb.used; - client->sendbuf = r.base; - client->sendlength = r.length; - result = ns_lwdclient_sendreply(client, &r); - if (result != ISC_R_SUCCESS) - goto out; - - NS_LWDCLIENT_SETSEND(client); - - return; - - out: - if (client->byaddr != NULL) - dns_byaddr_destroy(&client->byaddr); - if (lwb.base != NULL) - lwres_context_freemem(cm->lwctx, - lwb.base, lwb.length); - - if (event != NULL) - isc_event_free(&event); -} - -static void -start_byaddr(ns_lwdclient_t *client) { - isc_result_t result; - ns_lwdclientmgr_t *cm; - - cm = client->clientmgr; - - INSIST(client->byaddr == NULL); - - result = dns_byaddr_create(cm->mctx, &client->na, cm->view, - client->options, cm->task, byaddr_done, - client, &client->byaddr); - if (result != ISC_R_SUCCESS) { - 
ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); - return; - } -} - -static void -init_gnba(ns_lwdclient_t *client) { - int i; - - /* - * Initialize the real name and alias arrays in the reply we're - * going to build up. - */ - for (i = 0; i < LWRES_MAX_ALIASES; i++) { - client->aliases[i] = NULL; - client->aliaslen[i] = 0; - } - for (i = 0; i < LWRES_MAX_ADDRS; i++) { - client->addrs[i].family = 0; - client->addrs[i].length = 0; - memset(client->addrs[i].address, 0, LWRES_ADDR_MAXLEN); - LWRES_LINK_INIT(&client->addrs[i], link); - } - - client->gnba.naliases = 0; - client->gnba.realname = NULL; - client->gnba.aliases = client->aliases; - client->gnba.realnamelen = 0; - client->gnba.aliaslen = client->aliaslen; - client->gnba.base = NULL; - client->gnba.baselen = 0; - isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH); -} - -void -ns_lwdclient_processgnba(ns_lwdclient_t *client, lwres_buffer_t *b) { - lwres_gnbarequest_t *req; - isc_result_t result; - isc_sockaddr_t sa; - ns_lwdclientmgr_t *cm; - - REQUIRE(NS_LWDCLIENT_ISRECVDONE(client)); - INSIST(client->byaddr == NULL); - - cm = client->clientmgr; - req = NULL; - - result = lwres_gnbarequest_parse(cm->lwctx, - b, &client->pkt, &req); - if (result != LWRES_R_SUCCESS) - goto out; - if (req->addr.address == NULL) - goto out; - - client->options = 0; - if (req->addr.family == LWRES_ADDRTYPE_V4) { - client->na.family = AF_INET; - if (req->addr.length != 4) - goto out; - memcpy(&client->na.type.in, req->addr.address, 4); - } else if (req->addr.family == LWRES_ADDRTYPE_V6) { - client->na.family = AF_INET6; - if (req->addr.length != 16) - goto out; - memcpy(&client->na.type.in6, req->addr.address, 16); - } else { - goto out; - } - isc_sockaddr_fromnetaddr(&sa, &client->na, 53); - - ns_lwdclient_log(50, "client %p looking for addrtype %08x", - client, req->addr.family); - - /* - * We no longer need to keep this around. 
- */ - lwres_gnbarequest_free(cm->lwctx, &req); - - /* - * Initialize the real name and alias arrays in the reply we're - * going to build up. - */ - init_gnba(client); - client->options = 0; - - /* - * Start the find. - */ - start_byaddr(client); - - return; - - /* - * We're screwed. Return an error packet to our caller. - */ - out: - if (req != NULL) - lwres_gnbarequest_free(cm->lwctx, &req); - - ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); -} diff --git a/usr.sbin/bind/bin/named/lwdgrbn.c b/usr.sbin/bind/bin/named/lwdgrbn.c deleted file mode 100644 index 8b2d266dbc2..00000000000 --- a/usr.sbin/bind/bin/named/lwdgrbn.c +++ /dev/null 
@@ -1,513 +0,0 @@ -/* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: lwdgrbn.c,v 1.13.18.5 2006/12/07 23:57:58 marka Exp $ */ - -/*! \file */ - -#include - -#include -#include -#include /* Required for HP/UX (and others?) 
*/ -#include - -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -static void start_lookup(ns_lwdclient_t *); - -static isc_result_t -fill_array(int *pos, dns_rdataset_t *rdataset, - int size, unsigned char **rdatas, lwres_uint16_t *rdatalen) -{ - dns_rdata_t rdata; - isc_result_t result; - isc_region_t r; - - UNUSED(size); - - dns_rdata_init(&rdata); - for (result = dns_rdataset_first(rdataset); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(rdataset)) - { - INSIST(*pos < size); - dns_rdataset_current(rdataset, &rdata); - dns_rdata_toregion(&rdata, &r); - rdatas[*pos] = r.base; - rdatalen[*pos] = r.length; - dns_rdata_reset(&rdata); - (*pos)++; - } - if (result == ISC_R_NOMORE) - result = ISC_R_SUCCESS; - return (result); -} - -static isc_result_t -iterate_node(lwres_grbnresponse_t *grbn, dns_db_t *db, dns_dbnode_t *node, - isc_mem_t *mctx) -{ - int used = 0, count; - int size = 8, oldsize = 0; - unsigned char **rdatas = NULL, **oldrdatas = NULL, **newrdatas = NULL; - lwres_uint16_t *lens = NULL, *oldlens = NULL, *newlens = NULL; - dns_rdatasetiter_t *iter = NULL; - dns_rdataset_t set; - dns_ttl_t ttl = ISC_INT32_MAX; - lwres_uint32_t flags = LWRDATA_VALIDATED; - isc_result_t result = ISC_R_NOMEMORY; - - result = dns_db_allrdatasets(db, node, NULL, 0, &iter); - if (result != ISC_R_SUCCESS) - goto out; - - rdatas = isc_mem_get(mctx, size * sizeof(*rdatas)); - if (rdatas == NULL) - goto out; - lens = isc_mem_get(mctx, size * sizeof(*lens)); - if (lens == NULL) - goto out; - - for (result = dns_rdatasetiter_first(iter); - result == ISC_R_SUCCESS; - result = dns_rdatasetiter_next(iter)) - { - result = ISC_R_NOMEMORY; - dns_rdataset_init(&set); - dns_rdatasetiter_current(iter, &set); - - if (set.type != dns_rdatatype_rrsig) { - dns_rdataset_disassociate(&set); - continue; - } - - count = dns_rdataset_count(&set); - if (used + count > size) { - /* copy & reallocate */ - oldsize = size; - oldrdatas 
= rdatas; - oldlens = lens; - rdatas = NULL; - lens = NULL; - - size *= 2; - - rdatas = isc_mem_get(mctx, size * sizeof(*rdatas)); - if (rdatas == NULL) - goto out; - lens = isc_mem_get(mctx, size * sizeof(*lens)); - if (lens == NULL) - goto out; - memcpy(rdatas, oldrdatas, used * sizeof(*rdatas)); - memcpy(lens, oldlens, used * sizeof(*lens)); - isc_mem_put(mctx, oldrdatas, - oldsize * sizeof(*oldrdatas)); - isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens)); - oldrdatas = NULL; - oldlens = NULL; - } - if (set.ttl < ttl) - ttl = set.ttl; - if (set.trust != dns_trust_secure) - flags &= (~LWRDATA_VALIDATED); - result = fill_array(&used, &set, size, rdatas, lens); - dns_rdataset_disassociate(&set); - if (result != ISC_R_SUCCESS) - goto out; - } - if (result == ISC_R_NOMORE) - result = ISC_R_SUCCESS; - if (result != ISC_R_SUCCESS) - goto out; - dns_rdatasetiter_destroy(&iter); - - /* - * If necessary, shrink and copy the arrays. - */ - if (size != used) { - result = ISC_R_NOMEMORY; - newrdatas = isc_mem_get(mctx, used * sizeof(*rdatas)); - if (newrdatas == NULL) - goto out; - newlens = isc_mem_get(mctx, used * sizeof(*lens)); - if (newlens == NULL) - goto out; - memcpy(newrdatas, rdatas, used * sizeof(*rdatas)); - memcpy(newlens, lens, used * sizeof(*lens)); - isc_mem_put(mctx, rdatas, size * sizeof(*rdatas)); - isc_mem_put(mctx, lens, size * sizeof(*lens)); - grbn->rdatas = newrdatas; - grbn->rdatalen = newlens; - } else { - grbn->rdatas = rdatas; - grbn->rdatalen = lens; - } - grbn->nrdatas = used; - grbn->ttl = ttl; - grbn->flags = flags; - return (ISC_R_SUCCESS); - - out: - dns_rdatasetiter_destroy(&iter); - if (rdatas != NULL) - isc_mem_put(mctx, rdatas, size * sizeof(*rdatas)); - if (lens != NULL) - isc_mem_put(mctx, lens, size * sizeof(*lens)); - if (oldrdatas != NULL) - isc_mem_put(mctx, oldrdatas, oldsize * sizeof(*oldrdatas)); - if (oldlens != NULL) - isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens)); - if (newrdatas != NULL) - isc_mem_put(mctx, 
newrdatas, used * sizeof(*oldrdatas)); - return (result); -} - -static void -lookup_done(isc_task_t *task, isc_event_t *event) { - ns_lwdclient_t *client; - ns_lwdclientmgr_t *cm; - dns_lookupevent_t *levent; - lwres_buffer_t lwb; - dns_name_t *name; - dns_rdataset_t *rdataset; - dns_rdataset_t *sigrdataset; - isc_result_t result; - lwres_result_t lwresult; - isc_region_t r; - isc_buffer_t b; - lwres_grbnresponse_t *grbn; - int i; - - UNUSED(task); - - lwb.base = NULL; - client = event->ev_arg; - cm = client->clientmgr; - INSIST(client->lookup == (dns_lookup_t *)event->ev_sender); - - levent = (dns_lookupevent_t *)event; - grbn = &client->grbn; - - ns_lwdclient_log(50, "lookup event result = %s", - isc_result_totext(levent->result)); - - result = levent->result; - if (result != ISC_R_SUCCESS) { - dns_lookup_destroy(&client->lookup); - isc_event_free(&event); - levent = NULL; - - switch (result) { - case DNS_R_NXDOMAIN: - case DNS_R_NCACHENXDOMAIN: - result = ns_lwsearchctx_next(&client->searchctx); - if (result != ISC_R_SUCCESS) - lwresult = LWRES_R_NOTFOUND; - else { - start_lookup(client); - return; - } - break; - case DNS_R_NXRRSET: - case DNS_R_NCACHENXRRSET: - lwresult = LWRES_R_TYPENOTFOUND; - break; - default: - lwresult = LWRES_R_FAILURE; - } - ns_lwdclient_errorpktsend(client, lwresult); - return; - } - - name = levent->name; - b = client->recv_buffer; - - grbn->flags = 0; - - grbn->nrdatas = 0; - grbn->rdatas = NULL; - grbn->rdatalen = NULL; - - grbn->nsigs = 0; - grbn->sigs = NULL; - grbn->siglen = NULL; - - result = dns_name_totext(name, ISC_TRUE, &client->recv_buffer); - if (result != ISC_R_SUCCESS) - goto out; - grbn->realname = (char *)isc_buffer_used(&b); - grbn->realnamelen = isc_buffer_usedlength(&client->recv_buffer) - - isc_buffer_usedlength(&b); - ns_lwdclient_log(50, "found name '%.*s'", grbn->realnamelen, - grbn->realname); - - grbn->rdclass = cm->view->rdclass; - grbn->rdtype = client->rdtype; - - rdataset = levent->rdataset; - if (rdataset 
!= NULL) { - /* The normal case */ - grbn->nrdatas = dns_rdataset_count(rdataset); - grbn->rdatas = isc_mem_get(cm->mctx, grbn->nrdatas * - sizeof(unsigned char *)); - if (grbn->rdatas == NULL) - goto out; - grbn->rdatalen = isc_mem_get(cm->mctx, grbn->nrdatas * - sizeof(lwres_uint16_t)); - if (grbn->rdatalen == NULL) - goto out; - - i = 0; - result = fill_array(&i, rdataset, grbn->nrdatas, grbn->rdatas, - grbn->rdatalen); - if (result != ISC_R_SUCCESS) - goto out; - INSIST(i == grbn->nrdatas); - grbn->ttl = rdataset->ttl; - if (rdataset->trust == dns_trust_secure) - grbn->flags |= LWRDATA_VALIDATED; - } else { - /* The SIG query case */ - result = iterate_node(grbn, levent->db, levent->node, - cm->mctx); - if (result != ISC_R_SUCCESS) - goto out; - } - ns_lwdclient_log(50, "filled in %d rdata%s", grbn->nrdatas, - (grbn->nrdatas == 1) ? "" : "s"); - - sigrdataset = levent->sigrdataset; - if (sigrdataset != NULL) { - grbn->nsigs = dns_rdataset_count(sigrdataset); - grbn->sigs = isc_mem_get(cm->mctx, grbn->nsigs * - sizeof(unsigned char *)); - if (grbn->sigs == NULL) - goto out; - grbn->siglen = isc_mem_get(cm->mctx, grbn->nsigs * - sizeof(lwres_uint16_t)); - if (grbn->siglen == NULL) - goto out; - - i = 0; - result = fill_array(&i, sigrdataset, grbn->nsigs, grbn->sigs, - grbn->siglen); - if (result != ISC_R_SUCCESS) - goto out; - INSIST(i == grbn->nsigs); - ns_lwdclient_log(50, "filled in %d signature%s", grbn->nsigs, - (grbn->nsigs == 1) ? "" : "s"); - } - - dns_lookup_destroy(&client->lookup); - isc_event_free(&event); - - /* - * Render the packet. 
- */ - client->pkt.recvlength = LWRES_RECVLENGTH; - client->pkt.authtype = 0; /* XXXMLG */ - client->pkt.authlength = 0; - client->pkt.result = LWRES_R_SUCCESS; - - lwresult = lwres_grbnresponse_render(cm->lwctx, - grbn, &client->pkt, &lwb); - if (lwresult != LWRES_R_SUCCESS) - goto out; - - isc_mem_put(cm->mctx, grbn->rdatas, - grbn->nrdatas * sizeof(unsigned char *)); - isc_mem_put(cm->mctx, grbn->rdatalen, - grbn->nrdatas * sizeof(lwres_uint16_t)); - - if (grbn->sigs != NULL) - isc_mem_put(cm->mctx, grbn->sigs, - grbn->nsigs * sizeof(unsigned char *)); - if (grbn->siglen != NULL) - isc_mem_put(cm->mctx, grbn->siglen, - grbn->nsigs * sizeof(lwres_uint16_t)); - - r.base = lwb.base; - r.length = lwb.used; - client->sendbuf = r.base; - client->sendlength = r.length; - result = ns_lwdclient_sendreply(client, &r); - if (result != ISC_R_SUCCESS) - goto out2; - - NS_LWDCLIENT_SETSEND(client); - - return; - - out: - if (grbn->rdatas != NULL) - isc_mem_put(cm->mctx, grbn->rdatas, - grbn->nrdatas * sizeof(unsigned char *)); - if (grbn->rdatalen != NULL) - isc_mem_put(cm->mctx, grbn->rdatalen, - grbn->nrdatas * sizeof(lwres_uint16_t)); - - if (grbn->sigs != NULL) - isc_mem_put(cm->mctx, grbn->sigs, - grbn->nsigs * sizeof(unsigned char *)); - if (grbn->siglen != NULL) - isc_mem_put(cm->mctx, grbn->siglen, - grbn->nsigs * sizeof(lwres_uint16_t)); - out2: - if (client->lookup != NULL) - dns_lookup_destroy(&client->lookup); - if (lwb.base != NULL) - lwres_context_freemem(cm->lwctx, lwb.base, lwb.length); - - if (event != NULL) - isc_event_free(&event); - - ns_lwdclient_log(50, "error constructing getrrsetbyname response"); - ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); -} - -static void -start_lookup(ns_lwdclient_t *client) { - isc_result_t result; - ns_lwdclientmgr_t *cm; - dns_fixedname_t absname; - - cm = client->clientmgr; - - INSIST(client->lookup == NULL); - - dns_fixedname_init(&absname); - result = ns_lwsearchctx_current(&client->searchctx, - 
dns_fixedname_name(&absname)); - /* - * This will return failure if relative name + suffix is too long. - * In this case, just go on to the next entry in the search path. - */ - if (result != ISC_R_SUCCESS) - start_lookup(client); - - result = dns_lookup_create(cm->mctx, - dns_fixedname_name(&absname), - client->rdtype, cm->view, - client->options, cm->task, lookup_done, - client, &client->lookup); - if (result != ISC_R_SUCCESS) { - ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); - return; - } -} - -static void -init_grbn(ns_lwdclient_t *client) { - client->grbn.rdclass = 0; - client->grbn.rdtype = 0; - client->grbn.ttl = 0; - client->grbn.nrdatas = 0; - client->grbn.realname = NULL; - client->grbn.realnamelen = 0; - client->grbn.rdatas = 0; - client->grbn.rdatalen = 0; - client->grbn.base = NULL; - client->grbn.baselen = 0; - isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH); -} - -void -ns_lwdclient_processgrbn(ns_lwdclient_t *client, lwres_buffer_t *b) { - lwres_grbnrequest_t *req; - isc_result_t result; - ns_lwdclientmgr_t *cm; - isc_buffer_t namebuf; - - REQUIRE(NS_LWDCLIENT_ISRECVDONE(client)); - INSIST(client->byaddr == NULL); - - cm = client->clientmgr; - req = NULL; - - result = lwres_grbnrequest_parse(cm->lwctx, - b, &client->pkt, &req); - if (result != LWRES_R_SUCCESS) - goto out; - if (req->name == NULL) - goto out; - - client->options = 0; - if (req->rdclass != cm->view->rdclass) - goto out; - - if (req->rdclass == dns_rdataclass_any || - req->rdtype == dns_rdatatype_any) - goto out; - - client->rdtype = req->rdtype; - - isc_buffer_init(&namebuf, req->name, req->namelen); - isc_buffer_add(&namebuf, req->namelen); - - dns_fixedname_init(&client->query_name); - result = dns_name_fromtext(dns_fixedname_name(&client->query_name), - &namebuf, NULL, ISC_FALSE, NULL); - if (result != ISC_R_SUCCESS) - goto out; - ns_lwsearchctx_init(&client->searchctx, - cm->listener->manager->search, - dns_fixedname_name(&client->query_name), - 
cm->listener->manager->ndots);
- ns_lwsearchctx_first(&client->searchctx);
-
- ns_lwdclient_log(50, "client %p looking for type %d",
- client, client->rdtype);
-
- /*
- * We no longer need to keep this around.
- */
- lwres_grbnrequest_free(cm->lwctx, &req);
-
- /*
- * Initialize the real name and alias arrays in the reply we're
- * going to build up.
- */
- init_grbn(client);
-
- /*
- * Start the find.
- */
- start_lookup(client);
-
- return;
-
- /*
- * We're screwed. Return an error packet to our caller.
- */
- out:
- if (req != NULL)
- lwres_grbnrequest_free(cm->lwctx, &req);
-
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
diff --git a/usr.sbin/bind/bin/named/lwdnoop.c b/usr.sbin/bind/bin/named/lwdnoop.c
deleted file mode 100644
index ca37ac76bb0..00000000000
--- a/usr.sbin/bind/bin/named/lwdnoop.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: lwdnoop.c,v 1.7.18.2 2005/04/29 00:15:25 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-#include
-
-#include
-#include
-
-void
-ns_lwdclient_processnoop(ns_lwdclient_t *client, lwres_buffer_t *b) {
- lwres_nooprequest_t *req;
- lwres_noopresponse_t resp;
- isc_result_t result;
- lwres_result_t lwres;
- isc_region_t r;
- lwres_buffer_t lwb;
-
- REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
- INSIST(client->byaddr == NULL);
-
- req = NULL;
-
- result = lwres_nooprequest_parse(client->clientmgr->lwctx,
- b, &client->pkt, &req);
- if (result != LWRES_R_SUCCESS)
- goto out;
-
- client->pkt.recvlength = LWRES_RECVLENGTH;
- client->pkt.authtype = 0; /* XXXMLG */
- client->pkt.authlength = 0;
- client->pkt.result = LWRES_R_SUCCESS;
-
- resp.datalength = req->datalength;
- resp.data = req->data;
-
- lwres = lwres_noopresponse_render(client->clientmgr->lwctx, &resp,
- &client->pkt, &lwb);
- if (lwres != LWRES_R_SUCCESS)
- goto out;
-
- r.base = lwb.base;
- r.length = lwb.used;
- client->sendbuf = r.base;
- client->sendlength = r.length;
- result = ns_lwdclient_sendreply(client, &r);
- if (result != ISC_R_SUCCESS)
- goto out;
-
- /*
- * We can now destroy request.
- */
- lwres_nooprequest_free(client->clientmgr->lwctx, &req);
-
- NS_LWDCLIENT_SETSEND(client);
-
- return;
-
- out:
- if (req != NULL)
- lwres_nooprequest_free(client->clientmgr->lwctx, &req);
-
- if (lwb.base != NULL)
- lwres_context_freemem(client->clientmgr->lwctx,
- lwb.base, lwb.length);
-
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
diff --git a/usr.sbin/bind/bin/named/lwresd.8 b/usr.sbin/bind/bin/named/lwresd.8
deleted file mode 100644
index 8a7d6eb6b97..00000000000
--- a/usr.sbin/bind/bin/named/lwresd.8
+++ /dev/null
@@ -1,223 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $ISC: lwresd.8,v 1.15.18.12 2007/05/16 06:11:27 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" Title: lwresd
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.71.1
-.\" Date: June 30, 2000
-.\" Manual: BIND9
-.\" Source: BIND9
-.\"
-.TH "LWRESD" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwresd \- lightweight resolver daemon
-.SH "SYNOPSIS"
-.HP 7
-\fBlwresd\fR [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-C\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-i\ \fR\fB\fIpid\-file\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-P\ \fR\fB\fIport\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-4\fR] [\fB\-6\fR]
-.SH "DESCRIPTION"
-.PP
-\fBlwresd\fR
-is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver library. It is essentially a stripped\-down, caching\-only name server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol.
-.PP
-\fBlwresd\fR
-listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This means that
-\fBlwresd\fR
-can only be used by processes running on the local machine. By default UDP port number 921 is used for lightweight resolver requests and responses.
-.PP
-Incoming lightweight resolver requests are decoded by the server which then resolves them using the DNS protocol. When the DNS lookup completes,
-\fBlwresd\fR
-encodes the answers in the lightweight resolver format and returns them to the client that made the request.
-.PP
-If
-\fI/etc/resolv.conf\fR
-contains any
-\fBnameserver\fR
-entries,
-\fBlwresd\fR
-sends recursive DNS queries to those servers. This is similar to the use of forwarders in a caching name server. If no
-\fBnameserver\fR
-entries are present, or if forwarding fails,
-\fBlwresd\fR
-resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints.
-.SH "OPTIONS"
-.PP
-\-4
-.RS 4
-Use IPv4 only even if the host machine is capable of IPv6.
-\fB\-4\fR
-and
-\fB\-6\fR
-are mutually exclusive.
-.RE
-.PP
-\-6
-.RS 4
-Use IPv6 only even if the host machine is capable of IPv4.
-\fB\-4\fR
-and
-\fB\-6\fR
-are mutually exclusive.
-.RE
-.PP
-\-c \fIconfig\-file\fR
-.RS 4
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
-\fI/etc/lwresd.conf\fR.
-\-c
-can not be used with
-\-C.
-.RE
-.PP
-\-C \fIconfig\-file\fR
-.RS 4
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
-\fI/etc/resolv.conf\fR.
-\-C
-can not be used with
-\-c.
-.RE
-.PP
-\-d \fIdebug\-level\fR
-.RS 4
-Set the daemon's debug level to
-\fIdebug\-level\fR. Debugging traces from
-\fBlwresd\fR
-become more verbose as the debug level increases.
-.RE
-.PP
-\-f
-.RS 4
-Run the server in the foreground (i.e. do not daemonize).
-.RE
-.PP
-\-g
-.RS 4
-Run the server in the foreground and force all logging to
-\fIstderr\fR.
-.RE
-.PP
-\-i \fIpid\-file\fR
-.RS 4
-Use
-\fIpid\-file\fR
-as the PID file instead of the default,
-\fI/var/run/lwresd.pid\fR.
-.RE
-.PP
-\-m \fIflag\fR
-.RS 4
-Turn on memory usage debugging flags. Possible flags are
-\fIusage\fR,
-\fItrace\fR,
-\fIrecord\fR,
-\fIsize\fR, and
-\fImctx\fR. These correspond to the ISC_MEM_DEBUGXXXX flags described in
-\fI\fR.
-.RE
-.PP
-\-n \fI#cpus\fR
-.RS 4
-Create
-\fI#cpus\fR
-worker threads to take advantage of multiple CPUs. If not specified,
-\fBlwresd\fR
-will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.RE
-.PP
-\-P \fIport\fR
-.RS 4
-Listen for lightweight resolver queries on port
-\fIport\fR. If not specified, the default is port 921.
-.RE
-.PP
-\-p \fIport\fR
-.RS 4
-Send DNS lookups to port
-\fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number.
-.RE
-.PP
-\-s
-.RS 4
-Write memory usage statistics to
-\fIstdout\fR
-on exit.
-.RS
-.B "Note:"
-This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
-.RE
-.RE
-.PP
-\-t \fIdirectory\fR
-.RS 4
-Chroot to
-\fIdirectory\fR
-after processing the command line arguments, but before reading the configuration file.
-.RS
-.B "Warning:"
-This option should be used in conjunction with the
-\fB\-u\fR
-option, as chrooting a process running as root doesn't enhance security on most systems; the way
-\fBchroot(2)\fR
-is defined allows a process with root privileges to escape a chroot jail.
-.RE
-.RE
-.PP
-\-u \fIuser\fR
-.RS 4
-Setuid to
-\fIuser\fR
-after completing privileged operations, such as creating sockets that listen on privileged ports.
-.RE
-.PP
-\-v
-.RS 4
-Report the version number and exit.
-.RE
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
-.RS 4
-The default configuration file.
-.RE
-.PP
-\fI/var/run/lwresd.pid\fR
-.RS 4
-The default process\-id file.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBlwres\fR(3),
-\fBresolver\fR(5).
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/usr.sbin/bind/bin/named/lwresd.c b/usr.sbin/bind/bin/named/lwresd.c
deleted file mode 100644
index 6f991030802..00000000000
--- a/usr.sbin/bind/bin/named/lwresd.c
+++ /dev/null
@@ -1,870 +0,0 @@ -/* - * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: lwresd.c,v 1.46.18.7.52.3 2008/07/23 23:16:43 marka Exp $ */ - -/*! \file - * \brief - * Main program for the Lightweight Resolver Daemon. - * - * To paraphrase the old saying about X11, "It's not a lightweight deamon - * for resolvers, it's a deamon for lightweight resolvers". - */ - -#include - -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -#define LWRESD_MAGIC ISC_MAGIC('L', 'W', 'R', 'D') -#define VALID_LWRESD(l) ISC_MAGIC_VALID(l, LWRESD_MAGIC) - -#define LWRESLISTENER_MAGIC ISC_MAGIC('L', 'W', 'R', 'L') -#define VALID_LWRESLISTENER(l) ISC_MAGIC_VALID(l, LWRESLISTENER_MAGIC) - -/*! - * The total number of clients we can handle will be NTASKS * NRECVS. 
- */ -#define NTASKS 2 /*%< tasks to create to handle lwres queries */ -#define NRECVS 2 /*%< max clients per task */ - -typedef ISC_LIST(ns_lwreslistener_t) ns_lwreslistenerlist_t; - -static ns_lwreslistenerlist_t listeners; -static isc_mutex_t listeners_lock; -static isc_once_t once = ISC_ONCE_INIT; - - -static void -initialize_mutex(void) { - RUNTIME_CHECK(isc_mutex_init(&listeners_lock) == ISC_R_SUCCESS); -} - - -/*% - * Wrappers around our memory management stuff, for the lwres functions. - */ -void * -ns__lwresd_memalloc(void *arg, size_t size) { - return (isc_mem_get(arg, size)); -} - -void -ns__lwresd_memfree(void *arg, void *mem, size_t size) { - isc_mem_put(arg, mem, size); -} - - -#define CHECK(op) \ - do { result = (op); \ - if (result != ISC_R_SUCCESS) goto cleanup; \ - } while (0) - -static isc_result_t -buffer_putstr(isc_buffer_t *b, const char *s) { - unsigned int len = strlen(s); - if (isc_buffer_availablelength(b) <= len) - return (ISC_R_NOSPACE); - isc_buffer_putmem(b, (const unsigned char *)s, len); - return (ISC_R_SUCCESS); -} - -/* - * Convert a resolv.conf file into a config structure. 
- */ -isc_result_t -ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx, - cfg_obj_t **configp) -{ - char text[4096]; - char str[16]; - isc_buffer_t b; - lwres_context_t *lwctx = NULL; - lwres_conf_t *lwc = NULL; - isc_sockaddr_t sa; - isc_netaddr_t na; - int i; - isc_result_t result; - lwres_result_t lwresult; - - lwctx = NULL; - lwresult = lwres_context_create(&lwctx, mctx, ns__lwresd_memalloc, - ns__lwresd_memfree, - LWRES_CONTEXT_SERVERMODE); - if (lwresult != LWRES_R_SUCCESS) { - result = ISC_R_NOMEMORY; - goto cleanup; - } - - lwresult = lwres_conf_parse(lwctx, lwresd_g_resolvconffile); - if (lwresult != LWRES_R_SUCCESS) { - result = DNS_R_SYNTAX; - goto cleanup; - } - - lwc = lwres_conf_get(lwctx); - INSIST(lwc != NULL); - - isc_buffer_init(&b, text, sizeof(text)); - - CHECK(buffer_putstr(&b, "options {\n")); - - /* - * Build the list of forwarders. - */ - if (lwc->nsnext > 0) { - CHECK(buffer_putstr(&b, "\tforwarders {\n")); - - for (i = 0; i < lwc->nsnext; i++) { - CHECK(lwaddr_sockaddr_fromlwresaddr( - &sa, - &lwc->nameservers[i], - ns_g_port)); - isc_netaddr_fromsockaddr(&na, &sa); - CHECK(buffer_putstr(&b, "\t\t")); - CHECK(isc_netaddr_totext(&na, &b)); - CHECK(buffer_putstr(&b, ";\n")); - } - CHECK(buffer_putstr(&b, "\t};\n")); - } - - /* - * Build the sortlist - */ - if (lwc->sortlistnxt > 0) { - CHECK(buffer_putstr(&b, "\tsortlist {\n")); - CHECK(buffer_putstr(&b, "\t\t{\n")); - CHECK(buffer_putstr(&b, "\t\t\tany;\n")); - CHECK(buffer_putstr(&b, "\t\t\t{\n")); - for (i = 0; i < lwc->sortlistnxt; i++) { - lwres_addr_t *lwaddr = &lwc->sortlist[i].addr; - lwres_addr_t *lwmask = &lwc->sortlist[i].mask; - unsigned int mask; - - CHECK(lwaddr_sockaddr_fromlwresaddr(&sa, lwmask, 0)); - isc_netaddr_fromsockaddr(&na, &sa); - result = isc_netaddr_masktoprefixlen(&na, &mask); - if (result != ISC_R_SUCCESS) { - char addrtext[ISC_NETADDR_FORMATSIZE]; - isc_netaddr_format(&na, addrtext, - sizeof(addrtext)); - isc_log_write(ns_g_lctx, - 
NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, - ISC_LOG_ERROR, - "processing sortlist: '%s' is " - "not a valid netmask", - addrtext); - goto cleanup; - } - - CHECK(lwaddr_sockaddr_fromlwresaddr(&sa, lwaddr, 0)); - isc_netaddr_fromsockaddr(&na, &sa); - - CHECK(buffer_putstr(&b, "\t\t\t\t")); - CHECK(isc_netaddr_totext(&na, &b)); - snprintf(str, sizeof(str), "%u", mask); - CHECK(buffer_putstr(&b, "/")); - CHECK(buffer_putstr(&b, str)); - CHECK(buffer_putstr(&b, ";\n")); - } - CHECK(buffer_putstr(&b, "\t\t\t};\n")); - CHECK(buffer_putstr(&b, "\t\t};\n")); - CHECK(buffer_putstr(&b, "\t};\n")); - } - - CHECK(buffer_putstr(&b, "};\n\n")); - - CHECK(buffer_putstr(&b, "lwres {\n")); - - /* - * Build the search path - */ - if (lwc->searchnxt > 0) { - if (lwc->searchnxt > 0) { - CHECK(buffer_putstr(&b, "\tsearch {\n")); - for (i = 0; i < lwc->searchnxt; i++) { - CHECK(buffer_putstr(&b, "\t\t\"")); - CHECK(buffer_putstr(&b, lwc->search[i])); - CHECK(buffer_putstr(&b, "\";\n")); - } - CHECK(buffer_putstr(&b, "\t};\n")); - } - } - - /* - * Build the ndots line - */ - if (lwc->ndots != 1) { - CHECK(buffer_putstr(&b, "\tndots ")); - snprintf(str, sizeof(str), "%u", lwc->ndots); - CHECK(buffer_putstr(&b, str)); - CHECK(buffer_putstr(&b, ";\n")); - } - - /* - * Build the listen-on line - */ - if (lwc->lwnext > 0) { - CHECK(buffer_putstr(&b, "\tlisten-on {\n")); - - for (i = 0; i < lwc->lwnext; i++) { - CHECK(lwaddr_sockaddr_fromlwresaddr(&sa, - &lwc->lwservers[i], - 0)); - isc_netaddr_fromsockaddr(&na, &sa); - CHECK(buffer_putstr(&b, "\t\t")); - CHECK(isc_netaddr_totext(&na, &b)); - CHECK(buffer_putstr(&b, ";\n")); - } - CHECK(buffer_putstr(&b, "\t};\n")); - } - - CHECK(buffer_putstr(&b, "};\n")); - -#if 0 - printf("%.*s\n", - (int)isc_buffer_usedlength(&b), - (char *)isc_buffer_base(&b)); -#endif - - lwres_conf_clear(lwctx); - lwres_context_destroy(&lwctx); - - return (cfg_parse_buffer(pctx, &b, &cfg_type_namedconf, configp)); - - cleanup: - - if (lwctx != NULL) { - 
lwres_conf_clear(lwctx); - lwres_context_destroy(&lwctx); - } - - return (result); -} - - -/* - * Handle lwresd manager objects - */ -isc_result_t -ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres, - ns_lwresd_t **lwresdp) -{ - ns_lwresd_t *lwresd; - const char *vname; - dns_rdataclass_t vclass; - const cfg_obj_t *obj, *viewobj, *searchobj; - const cfg_listelt_t *element; - isc_result_t result; - - INSIST(lwresdp != NULL && *lwresdp == NULL); - - lwresd = isc_mem_get(mctx, sizeof(ns_lwresd_t)); - if (lwresd == NULL) - return (ISC_R_NOMEMORY); - - lwresd->mctx = NULL; - isc_mem_attach(mctx, &lwresd->mctx); - lwresd->view = NULL; - lwresd->search = NULL; - lwresd->refs = 1; - - obj = NULL; - (void)cfg_map_get(lwres, "ndots", &obj); - if (obj != NULL) - lwresd->ndots = cfg_obj_asuint32(obj); - else - lwresd->ndots = 1; - - RUNTIME_CHECK(isc_mutex_init(&lwresd->lock) == ISC_R_SUCCESS); - - lwresd->shutting_down = ISC_FALSE; - - viewobj = NULL; - (void)cfg_map_get(lwres, "view", &viewobj); - if (viewobj != NULL) { - vname = cfg_obj_asstring(cfg_tuple_get(viewobj, "name")); - obj = cfg_tuple_get(viewobj, "class"); - result = ns_config_getclass(obj, dns_rdataclass_in, &vclass); - if (result != ISC_R_SUCCESS) - goto fail; - } else { - vname = "_default"; - vclass = dns_rdataclass_in; - } - - result = dns_viewlist_find(&ns_g_server->viewlist, vname, vclass, - &lwresd->view); - if (result != ISC_R_SUCCESS) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, ISC_LOG_WARNING, - "couldn't find view %s", vname); - goto fail; - } - - searchobj = NULL; - (void)cfg_map_get(lwres, "search", &searchobj); - if (searchobj != NULL) { - lwresd->search = NULL; - result = ns_lwsearchlist_create(lwresd->mctx, - &lwresd->search); - if (result != ISC_R_SUCCESS) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, ISC_LOG_WARNING, - "couldn't create searchlist"); - goto fail; - } - for (element = cfg_list_first(searchobj); - element != 
NULL; - element = cfg_list_next(element)) - { - const cfg_obj_t *search; - const char *searchstr; - isc_buffer_t namebuf; - dns_fixedname_t fname; - dns_name_t *name; - - search = cfg_listelt_value(element); - searchstr = cfg_obj_asstring(search); - - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); - isc_buffer_init(&namebuf, searchstr, - strlen(searchstr)); - isc_buffer_add(&namebuf, strlen(searchstr)); - result = dns_name_fromtext(name, &namebuf, - dns_rootname, ISC_FALSE, - NULL); - if (result != ISC_R_SUCCESS) { - isc_log_write(ns_g_lctx, - NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, - ISC_LOG_WARNING, - "invalid name %s in searchlist", - searchstr); - continue; - } - - result = ns_lwsearchlist_append(lwresd->search, name); - if (result != ISC_R_SUCCESS) { - isc_log_write(ns_g_lctx, - NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, - ISC_LOG_WARNING, - "couldn't update searchlist"); - goto fail; - } - } - } - - lwresd->magic = LWRESD_MAGIC; - - *lwresdp = lwresd; - return (ISC_R_SUCCESS); - - fail: - if (lwresd->view != NULL) - dns_view_detach(&lwresd->view); - if (lwresd->search != NULL) - ns_lwsearchlist_detach(&lwresd->search); - if (lwresd->mctx != NULL) - isc_mem_detach(&lwresd->mctx); - isc_mem_put(mctx, lwresd, sizeof(ns_lwresd_t)); - return (result); -} - -void -ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp) { - INSIST(VALID_LWRESD(source)); - INSIST(targetp != NULL && *targetp == NULL); - - LOCK(&source->lock); - source->refs++; - UNLOCK(&source->lock); - - *targetp = source; -} - -void -ns_lwdmanager_detach(ns_lwresd_t **lwresdp) { - ns_lwresd_t *lwresd; - isc_mem_t *mctx; - isc_boolean_t done = ISC_FALSE; - - INSIST(lwresdp != NULL && *lwresdp != NULL); - INSIST(VALID_LWRESD(*lwresdp)); - - lwresd = *lwresdp; - *lwresdp = NULL; - - LOCK(&lwresd->lock); - INSIST(lwresd->refs > 0); - lwresd->refs--; - if (lwresd->refs == 0) - done = ISC_TRUE; - UNLOCK(&lwresd->lock); - - if (!done) - return; - - 
dns_view_detach(&lwresd->view); - if (lwresd->search != NULL) - ns_lwsearchlist_detach(&lwresd->search); - mctx = lwresd->mctx; - lwresd->magic = 0; - isc_mem_put(mctx, lwresd, sizeof(*lwresd)); - isc_mem_detach(&mctx); -} - - -/* - * Handle listener objects - */ -void -ns_lwreslistener_attach(ns_lwreslistener_t *source, - ns_lwreslistener_t **targetp) -{ - INSIST(VALID_LWRESLISTENER(source)); - INSIST(targetp != NULL && *targetp == NULL); - - LOCK(&source->lock); - source->refs++; - UNLOCK(&source->lock); - - *targetp = source; -} - -void -ns_lwreslistener_detach(ns_lwreslistener_t **listenerp) { - ns_lwreslistener_t *listener; - isc_mem_t *mctx; - isc_boolean_t done = ISC_FALSE; - - INSIST(listenerp != NULL && *listenerp != NULL); - INSIST(VALID_LWRESLISTENER(*listenerp)); - - listener = *listenerp; - - LOCK(&listener->lock); - INSIST(listener->refs > 0); - listener->refs--; - if (listener->refs == 0) - done = ISC_TRUE; - UNLOCK(&listener->lock); - - if (!done) - return; - - if (listener->manager != NULL) - ns_lwdmanager_detach(&listener->manager); - - if (listener->sock != NULL) - isc_socket_detach(&listener->sock); - - listener->magic = 0; - mctx = listener->mctx; - isc_mem_put(mctx, listener, sizeof(*listener)); - isc_mem_detach(&mctx); - listenerp = NULL; -} - -static isc_result_t -listener_create(isc_mem_t *mctx, ns_lwresd_t *lwresd, - ns_lwreslistener_t **listenerp) -{ - ns_lwreslistener_t *listener; - isc_result_t result; - - REQUIRE(listenerp != NULL && *listenerp == NULL); - - listener = isc_mem_get(mctx, sizeof(ns_lwreslistener_t)); - if (listener == NULL) - return (ISC_R_NOMEMORY); - - result = isc_mutex_init(&listener->lock); - if (result != ISC_R_SUCCESS) { - isc_mem_put(mctx, listener, sizeof(ns_lwreslistener_t)); - return (result); - } - - listener->magic = LWRESLISTENER_MAGIC; - listener->refs = 1; - - listener->sock = NULL; - - listener->manager = NULL; - ns_lwdmanager_attach(lwresd, &listener->manager); - - listener->mctx = NULL; - 
isc_mem_attach(mctx, &listener->mctx); - - ISC_LINK_INIT(listener, link); - ISC_LIST_INIT(listener->cmgrs); - - *listenerp = listener; - return (ISC_R_SUCCESS); -} - -static isc_result_t -listener_bind(ns_lwreslistener_t *listener, isc_sockaddr_t *address) { - isc_socket_t *sock = NULL; - isc_result_t result = ISC_R_SUCCESS; - int pf; - - pf = isc_sockaddr_pf(address); - if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) || - (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS)) - return (ISC_R_FAMILYNOSUPPORT); - - listener->address = *address; - - if (isc_sockaddr_getport(&listener->address) == 0) { - in_port_t port; - port = lwresd_g_listenport; - if (port == 0) - port = LWRES_UDP_PORT; - isc_sockaddr_setport(&listener->address, port); - } - - sock = NULL; - result = isc_socket_create(ns_g_socketmgr, pf, - isc_sockettype_udp, &sock); - if (result != ISC_R_SUCCESS) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, ISC_LOG_WARNING, - "failed to create lwres socket: %s", - isc_result_totext(result)); - return (result); - } - - result = isc_socket_bind(sock, &listener->address, - ISC_SOCKET_REUSEADDRESS); - if (result != ISC_R_SUCCESS) { - char socktext[ISC_SOCKADDR_FORMATSIZE]; - isc_sockaddr_format(&listener->address, socktext, - sizeof(socktext)); - isc_socket_detach(&sock); - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, ISC_LOG_WARNING, - "failed to add lwres socket: %s: %s", - socktext, isc_result_totext(result)); - return (result); - } - listener->sock = sock; - return (ISC_R_SUCCESS); -} - -static void -listener_copysock(ns_lwreslistener_t *oldlistener, - ns_lwreslistener_t *newlistener) -{ - newlistener->address = oldlistener->address; - isc_socket_attach(oldlistener->sock, &newlistener->sock); -} - -static isc_result_t -listener_startclients(ns_lwreslistener_t *listener) { - ns_lwdclientmgr_t *cm; - unsigned int i; - isc_result_t result; - - /* - * Create the client managers. 
- */ - result = ISC_R_SUCCESS; - for (i = 0; i < NTASKS && result == ISC_R_SUCCESS; i++) - result = ns_lwdclientmgr_create(listener, NRECVS, - ns_g_taskmgr); - - /* - * Ensure that we have created at least one. - */ - if (ISC_LIST_EMPTY(listener->cmgrs)) - return (result); - - /* - * Walk the list of clients and start each one up. - */ - LOCK(&listener->lock); - cm = ISC_LIST_HEAD(listener->cmgrs); - while (cm != NULL) { - result = ns_lwdclient_startrecv(cm); - if (result != ISC_R_SUCCESS) - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, ISC_LOG_ERROR, - "could not start lwres " - "client handler: %s", - isc_result_totext(result)); - cm = ISC_LIST_NEXT(cm, link); - } - UNLOCK(&listener->lock); - - return (ISC_R_SUCCESS); -} - -static void -listener_shutdown(ns_lwreslistener_t *listener) { - ns_lwdclientmgr_t *cm; - - cm = ISC_LIST_HEAD(listener->cmgrs); - while (cm != NULL) { - isc_task_shutdown(cm->task); - cm = ISC_LIST_NEXT(cm, link); - } -} - -static isc_result_t -find_listener(isc_sockaddr_t *address, ns_lwreslistener_t **listenerp) { - ns_lwreslistener_t *listener; - - INSIST(listenerp != NULL && *listenerp == NULL); - - for (listener = ISC_LIST_HEAD(listeners); - listener != NULL; - listener = ISC_LIST_NEXT(listener, link)) - { - if (!isc_sockaddr_equal(address, &listener->address)) - continue; - *listenerp = listener; - return (ISC_R_SUCCESS); - } - return (ISC_R_NOTFOUND); -} - -void -ns_lwreslistener_unlinkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm) -{ - REQUIRE(VALID_LWRESLISTENER(listener)); - - LOCK(&listener->lock); - ISC_LIST_UNLINK(listener->cmgrs, cm, link); - UNLOCK(&listener->lock); -} - -void -ns_lwreslistener_linkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm) { - REQUIRE(VALID_LWRESLISTENER(listener)); - - /* - * This does no locking, since it's called early enough that locking - * isn't needed. 
- */ - ISC_LIST_APPEND(listener->cmgrs, cm, link); -} - -static isc_result_t -configure_listener(isc_sockaddr_t *address, ns_lwresd_t *lwresd, - isc_mem_t *mctx, ns_lwreslistenerlist_t *newlisteners) -{ - ns_lwreslistener_t *listener, *oldlistener = NULL; - char socktext[ISC_SOCKADDR_FORMATSIZE]; - isc_result_t result; - - (void)find_listener(address, &oldlistener); - listener = NULL; - result = listener_create(mctx, lwresd, &listener); - if (result != ISC_R_SUCCESS) { - isc_sockaddr_format(address, socktext, sizeof(socktext)); - isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, ISC_LOG_WARNING, - "lwres failed to configure %s: %s", - socktext, isc_result_totext(result)); - return (result); - } - - /* - * If there's already a listener, don't rebind the socket. - */ - if (oldlistener == NULL) { - result = listener_bind(listener, address); - if (result != ISC_R_SUCCESS) { - ns_lwreslistener_detach(&listener); - return (ISC_R_SUCCESS); - } - } else - listener_copysock(oldlistener, listener); - - result = listener_startclients(listener); - if (result != ISC_R_SUCCESS) { - isc_sockaddr_format(address, socktext, sizeof(socktext)); - isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, ISC_LOG_WARNING, - "lwres: failed to start %s: %s", socktext, - isc_result_totext(result)); - ns_lwreslistener_detach(&listener); - return (ISC_R_SUCCESS); - } - - if (oldlistener != NULL) { - /* - * Remove the old listener from the old list and shut it down. 
- */ - ISC_LIST_UNLINK(listeners, oldlistener, link); - listener_shutdown(oldlistener); - ns_lwreslistener_detach(&oldlistener); - } else { - isc_sockaddr_format(address, socktext, sizeof(socktext)); - isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, ISC_LOG_NOTICE, - "lwres listening on %s", socktext); - } - - ISC_LIST_APPEND(*newlisteners, listener, link); - return (result); -} - -isc_result_t -ns_lwresd_configure(isc_mem_t *mctx, const cfg_obj_t *config) { - const cfg_obj_t *lwreslist = NULL; - const cfg_obj_t *lwres = NULL; - const cfg_obj_t *listenerslist = NULL; - const cfg_listelt_t *element = NULL; - ns_lwreslistener_t *listener; - ns_lwreslistenerlist_t newlisteners; - isc_result_t result; - char socktext[ISC_SOCKADDR_FORMATSIZE]; - isc_sockaddr_t *addrs = NULL; - ns_lwresd_t *lwresd = NULL; - isc_uint32_t count = 0; - - REQUIRE(mctx != NULL); - REQUIRE(config != NULL); - - RUNTIME_CHECK(isc_once_do(&once, initialize_mutex) == ISC_R_SUCCESS); - - ISC_LIST_INIT(newlisteners); - - result = cfg_map_get(config, "lwres", &lwreslist); - if (result != ISC_R_SUCCESS) - return (ISC_R_SUCCESS); - - LOCK(&listeners_lock); - /* - * Run through the new lwres address list, noting sockets that - * are already being listened on and moving them to the new list. - * - * Identifying duplicates addr/port combinations is left to either - * the underlying config code, or to the bind attempt getting an - * address-in-use error. 
- */ - for (element = cfg_list_first(lwreslist); - element != NULL; - element = cfg_list_next(element)) - { - in_port_t port; - - lwres = cfg_listelt_value(element); - CHECK(ns_lwdmanager_create(mctx, lwres, &lwresd)); - - port = lwresd_g_listenport; - if (port == 0) - port = LWRES_UDP_PORT; - - listenerslist = NULL; - (void)cfg_map_get(lwres, "listen-on", &listenerslist); - if (listenerslist == NULL) { - struct in_addr localhost; - isc_sockaddr_t address; - - localhost.s_addr = htonl(INADDR_LOOPBACK); - isc_sockaddr_fromin(&address, &localhost, port); - CHECK(configure_listener(&address, lwresd, mctx, - &newlisteners)); - } else { - isc_uint32_t i; - - CHECK(ns_config_getiplist(config, listenerslist, - port, mctx, &addrs, &count)); - for (i = 0; i < count; i++) - CHECK(configure_listener(&addrs[i], lwresd, - mctx, &newlisteners)); - ns_config_putiplist(mctx, &addrs, count); - } - ns_lwdmanager_detach(&lwresd); - } - - /* - * Shutdown everything on the listeners list, and remove them from - * the list. Then put all of the new listeners on it. 
- */ - - while (!ISC_LIST_EMPTY(listeners)) { - listener = ISC_LIST_HEAD(listeners); - ISC_LIST_UNLINK(listeners, listener, link); - - isc_sockaddr_format(&listener->address, - socktext, sizeof(socktext)); - - listener_shutdown(listener); - ns_lwreslistener_detach(&listener); - - isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL, - NS_LOGMODULE_LWRESD, ISC_LOG_NOTICE, - "lwres no longer listening on %s", socktext); - } - - cleanup: - ISC_LIST_APPENDLIST(listeners, newlisteners, link); - - if (addrs != NULL) - ns_config_putiplist(mctx, &addrs, count); - - if (lwresd != NULL) - ns_lwdmanager_detach(&lwresd); - - UNLOCK(&listeners_lock); - - return (result); -} - -void -ns_lwresd_shutdown(void) { - ns_lwreslistener_t *listener; - - RUNTIME_CHECK(isc_once_do(&once, initialize_mutex) == ISC_R_SUCCESS); - - while (!ISC_LIST_EMPTY(listeners)) { - listener = ISC_LIST_HEAD(listeners); - ISC_LIST_UNLINK(listeners, listener, link); - ns_lwreslistener_detach(&listener); - } -} diff --git a/usr.sbin/bind/bin/named/lwresd.docbook b/usr.sbin/bind/bin/named/lwresd.docbook deleted file mode 100644 index 368648b495e..00000000000 --- a/usr.sbin/bind/bin/named/lwresd.docbook +++ /dev/null 
@@ -1,372 +0,0 @@ -]> - - - - - - June 30, 2000 - - - - lwresd - 8 - BIND9 - - - - lwresd - lightweight resolver daemon - - - - - 2004 - 2005 - 2007 - Internet Systems Consortium, Inc. ("ISC") - - - 2000 - 2001 - Internet Software Consortium. - - - - - - lwresd - - - - - - - - - - - - - - - - - - - - - DESCRIPTION - - lwresd - is the daemon providing name lookup - services to clients that use the BIND 9 lightweight resolver - library. It is essentially a stripped-down, caching-only name - server that answers queries using the BIND 9 lightweight - resolver protocol rather than the DNS protocol. - - - lwresd - listens for resolver queries on a - UDP port on the IPv4 loopback interface, 127.0.0.1. This - means that lwresd can only be used by - processes running on the local machine. By default UDP port - number 921 is used for lightweight resolver requests and - responses. - - - Incoming lightweight resolver requests are decoded by the - server which then resolves them using the DNS protocol. When - the DNS lookup completes, lwresd encodes - the answers in the lightweight resolver format and returns - them to the client that made the request. - - - If /etc/resolv.conf contains any - entries, lwresd - sends recursive DNS queries to those servers. This is similar - to the use of forwarders in a caching name server. If no - entries are present, or if - forwarding fails, lwresd resolves the - queries autonomously starting at the root name servers, using - a built-in list of root server hints. - - - - - OPTIONS - - - - - -4 - - - Use IPv4 only even if the host machine is capable of IPv6. - and are mutually - exclusive. - - - - - - -6 - - - Use IPv6 only even if the host machine is capable of IPv4. - and are mutually - exclusive. - - - - - - - -c config-file - - - Use config-file as the - configuration file instead of the default, - /etc/lwresd.conf. - - -c can not be used with -C. 
- - - - - - -C config-file - - - Use config-file as the - configuration file instead of the default, - /etc/resolv.conf. - -C can not be used with -c. - - - - - - -d debug-level - - - Set the daemon's debug level to debug-level. - Debugging traces from lwresd become - more verbose as the debug level increases. - - - - - - -f - - - Run the server in the foreground (i.e. do not daemonize). - - - - - - -g - - - Run the server in the foreground and force all logging - to stderr. - - - - - - -i pid-file - - - Use pid-file as the - PID file instead of the default, - /var/run/lwresd.pid. - - - - - - -m flag - - - Turn on memory usage debugging flags. Possible flags are - usage, - trace, - record, - size, and - mctx. - These correspond to the ISC_MEM_DEBUGXXXX flags described in - <isc/mem.h>. - - - - - - -n #cpus - - - Create #cpus worker threads - to take advantage of multiple CPUs. If not specified, - lwresd will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. - - - - - - -P port - - - Listen for lightweight resolver queries on port - port. If - not specified, the default is port 921. - - - - - - -p port - - - Send DNS lookups to port port. If not - specified, the default is port 53. This provides a - way of testing the lightweight resolver daemon with a - name server that listens for queries on a non-standard - port number. - - - - - - -s - - - Write memory usage statistics to stdout - on exit. - - - - This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. - - - - - - - -t directory - - Chroot - to directory after - processing the command line arguments, but before - reading the configuration file. 
- - - - This option should be used in conjunction with the - option, as chrooting a process - running as root doesn't enhance security on most - systems; the way chroot(2) is - defined allows a process with root privileges to - escape a chroot jail. - - - - - - - -u user - - Setuid - to user after completing - privileged operations, such as creating sockets that - listen on privileged ports. - - - - - - -v - - - Report the version number and exit. - - - - - - - - - - FILES - - - - - /etc/resolv.conf - - - The default configuration file. - - - - - - /var/run/lwresd.pid - - - The default process-id file. - - - - - - - - - - SEE ALSO - - named8 - , - - lwres3 - , - - resolver5 - . - - - - - AUTHOR - Internet Systems Consortium - - - - diff --git a/usr.sbin/bind/bin/named/lwresd.html b/usr.sbin/bind/bin/named/lwresd.html deleted file mode 100644 index db38e914211..00000000000 --- a/usr.sbin/bind/bin/named/lwresd.html +++ /dev/null @@ -1,225 +0,0 @@ - - - - - -lwresd - - -
-
-
-

Name

-

lwresd — lightweight resolver daemon

-
-
-

Synopsis

-

lwresd [-c config-file] [-C config-file] [-d debug-level] [-f] [-g] [-i pid-file] [-m flag] [-n #cpus] [-P port] [-p port] [-s] [-t directory] [-u user] [-v] [-4] [-6]

-
-
-

DESCRIPTION

-

lwresd - is the daemon providing name lookup - services to clients that use the BIND 9 lightweight resolver - library. It is essentially a stripped-down, caching-only name - server that answers queries using the BIND 9 lightweight - resolver protocol rather than the DNS protocol. -

-

lwresd - listens for resolver queries on a - UDP port on the IPv4 loopback interface, 127.0.0.1. This - means that lwresd can only be used by - processes running on the local machine. By default UDP port - number 921 is used for lightweight resolver requests and - responses. -

-

- Incoming lightweight resolver requests are decoded by the - server which then resolves them using the DNS protocol. When - the DNS lookup completes, lwresd encodes - the answers in the lightweight resolver format and returns - them to the client that made the request. -

-

- If /etc/resolv.conf contains any - nameserver entries, lwresd - sends recursive DNS queries to those servers. This is similar - to the use of forwarders in a caching name server. If no - nameserver entries are present, or if - forwarding fails, lwresd resolves the - queries autonomously starting at the root name servers, using - a built-in list of root server hints. -

-
-
-

OPTIONS

-
-
-4
-

- Use IPv4 only even if the host machine is capable of IPv6. - -4 and -6 are mutually - exclusive. -

-
-6
-

- Use IPv6 only even if the host machine is capable of IPv4. - -4 and -6 are mutually - exclusive. -

-
-c config-file
-

- Use config-file as the - configuration file instead of the default, - /etc/lwresd.conf. - - <term>-c</term> can not be used with <term>-C</term>. -

-
-C config-file
-

- Use config-file as the - configuration file instead of the default, - /etc/resolv.conf. - <term>-C</term> can not be used with <term>-c</term>. -

-
-d debug-level
-

- Set the daemon's debug level to debug-level. - Debugging traces from lwresd become - more verbose as the debug level increases. -

-
-f
-

- Run the server in the foreground (i.e. do not daemonize). -

-
-g
-

- Run the server in the foreground and force all logging - to stderr. -

-
-i pid-file
-

- Use pid-file as the - PID file instead of the default, - /var/run/lwresd.pid. -

-
-m flag
-

- Turn on memory usage debugging flags. Possible flags are - usage, - trace, - record, - size, and - mctx. - These correspond to the ISC_MEM_DEBUGXXXX flags described in - <isc/mem.h>. -

-
-n #cpus
-

- Create #cpus worker threads - to take advantage of multiple CPUs. If not specified, - lwresd will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. -

-
-P port
-

- Listen for lightweight resolver queries on port - port. If - not specified, the default is port 921. -

-
-p port
-

- Send DNS lookups to port port. If not - specified, the default is port 53. This provides a - way of testing the lightweight resolver daemon with a - name server that listens for queries on a non-standard - port number. -

-
-s
-
-

- Write memory usage statistics to stdout - on exit. -

-
-

Note

-

- This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. -

-
-
-
-t directory
-
-

Chroot - to directory after - processing the command line arguments, but before - reading the configuration file. -

-
-

Warning

-

- This option should be used in conjunction with the - -u option, as chrooting a process - running as root doesn't enhance security on most - systems; the way chroot(2) is - defined allows a process with root privileges to - escape a chroot jail. -

-
-
-
-u user
-

Setuid - to user after completing - privileged operations, such as creating sockets that - listen on privileged ports. -

-
-v
-

- Report the version number and exit. -

-
-
-
-

FILES

-
-
/etc/resolv.conf
-

- The default configuration file. -

-
/var/run/lwresd.pid
-

- The default process-id file. -

-
-
-
-

SEE ALSO

-

named(8), - lwres(3), - resolver(5). -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
- diff --git a/usr.sbin/bind/bin/named/lwsearch.c b/usr.sbin/bind/bin/named/lwsearch.c deleted file mode 100644 index 5d82a2a33db..00000000000 --- a/usr.sbin/bind/bin/named/lwsearch.c +++ /dev/null 
@@ -1,206 +0,0 @@ -/* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: lwsearch.c,v 1.8.18.3 2005/07/12 01:22:17 marka Exp $ */ - -/*! \file */ - -#include - -#include -#include -#include -#include -#include -#include - -#include -#include - -#include -#include - -#define LWSEARCHLIST_MAGIC ISC_MAGIC('L', 'W', 'S', 'L') -#define VALID_LWSEARCHLIST(l) ISC_MAGIC_VALID(l, LWSEARCHLIST_MAGIC) - -isc_result_t -ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp) { - ns_lwsearchlist_t *list; - isc_result_t result; - - REQUIRE(mctx != NULL); - REQUIRE(listp != NULL && *listp == NULL); - - list = isc_mem_get(mctx, sizeof(ns_lwsearchlist_t)); - if (list == NULL) - return (ISC_R_NOMEMORY); - - result = isc_mutex_init(&list->lock); - if (result != ISC_R_SUCCESS) { - isc_mem_put(mctx, list, sizeof(ns_lwsearchlist_t)); - return (result); - } - list->mctx = NULL; - isc_mem_attach(mctx, &list->mctx); - list->refs = 1; - ISC_LIST_INIT(list->names); - list->magic = LWSEARCHLIST_MAGIC; - - *listp = list; - return (ISC_R_SUCCESS); -} - -void -ns_lwsearchlist_attach(ns_lwsearchlist_t *source, ns_lwsearchlist_t **target) { - REQUIRE(VALID_LWSEARCHLIST(source)); - 
REQUIRE(target != NULL && *target == NULL);
-
- LOCK(&source->lock);
- INSIST(source->refs > 0);
- source->refs++;
- INSIST(source->refs != 0);
- UNLOCK(&source->lock);
-
- *target = source;
-}
-
-void
-ns_lwsearchlist_detach(ns_lwsearchlist_t **listp) {
- ns_lwsearchlist_t *list;
- isc_mem_t *mctx;
-
- REQUIRE(listp != NULL);
- list = *listp;
- REQUIRE(VALID_LWSEARCHLIST(list));
-
- LOCK(&list->lock);
- INSIST(list->refs > 0);
- list->refs--;
- UNLOCK(&list->lock);
-
- *listp = NULL;
- if (list->refs != 0)
- return;
-
- mctx = list->mctx;
- while (!ISC_LIST_EMPTY(list->names)) {
- dns_name_t *name = ISC_LIST_HEAD(list->names);
- ISC_LIST_UNLINK(list->names, name, link);
- dns_name_free(name, list->mctx);
- isc_mem_put(list->mctx, name, sizeof(dns_name_t));
- }
- list->magic = 0;
- isc_mem_put(mctx, list, sizeof(ns_lwsearchlist_t));
- isc_mem_detach(&mctx);
-}
-
-isc_result_t
-ns_lwsearchlist_append(ns_lwsearchlist_t *list, dns_name_t *name) {
- dns_name_t *newname;
- isc_result_t result;
-
- REQUIRE(VALID_LWSEARCHLIST(list));
- REQUIRE(name != NULL);
-
- newname = isc_mem_get(list->mctx, sizeof(dns_name_t));
- if (newname == NULL)
- return (ISC_R_NOMEMORY);
- dns_name_init(newname, NULL);
- result = dns_name_dup(name, list->mctx, newname);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(list->mctx, newname, sizeof(dns_name_t));
- return (result);
- }
- ISC_LINK_INIT(newname, link);
- ISC_LIST_APPEND(list->names, newname, link);
- return (ISC_R_SUCCESS);
-}
-
-void
-ns_lwsearchctx_init(ns_lwsearchctx_t *sctx, ns_lwsearchlist_t *list,
- dns_name_t *name, unsigned int ndots)
-{
- INSIST(sctx != NULL);
- sctx->relname = name;
- sctx->searchname = NULL;
- sctx->doneexact = ISC_FALSE;
- sctx->exactfirst = ISC_FALSE;
- sctx->ndots = ndots;
- if (dns_name_isabsolute(name) || list == NULL) {
- sctx->list = NULL;
- return;
- }
- sctx->list = list;
- sctx->searchname = ISC_LIST_HEAD(sctx->list->names);
- if (dns_name_countlabels(name) > ndots)
- sctx->exactfirst = ISC_TRUE;
-}
-
-void
-ns_lwsearchctx_first(ns_lwsearchctx_t *sctx) {
- REQUIRE(sctx != NULL);
- UNUSED(sctx);
-}
-
-isc_result_t
-ns_lwsearchctx_next(ns_lwsearchctx_t *sctx) {
- REQUIRE(sctx != NULL);
-
- if (sctx->list == NULL)
- return (ISC_R_NOMORE);
-
- if (sctx->searchname == NULL) {
- INSIST (!sctx->exactfirst || sctx->doneexact);
- if (sctx->exactfirst || sctx->doneexact)
- return (ISC_R_NOMORE);
- sctx->doneexact = ISC_TRUE;
- } else {
- if (sctx->exactfirst && !sctx->doneexact)
- sctx->doneexact = ISC_TRUE;
- else {
- sctx->searchname = ISC_LIST_NEXT(sctx->searchname,
- link);
- if (sctx->searchname == NULL && sctx->doneexact)
- return (ISC_R_NOMORE);
- }
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_lwsearchctx_current(ns_lwsearchctx_t *sctx, dns_name_t *absname) {
- dns_name_t *tname;
- isc_boolean_t useexact = ISC_FALSE;
-
- REQUIRE(sctx != NULL);
-
- if (sctx->list == NULL ||
- sctx->searchname == NULL ||
- (sctx->exactfirst && !sctx->doneexact))
- useexact = ISC_TRUE;
-
- if (useexact) {
- if (dns_name_isabsolute(sctx->relname))
- tname = NULL;
- else
- tname = dns_rootname;
- } else
- tname = sctx->searchname;
-
- return (dns_name_concatenate(sctx->relname, tname, absname, NULL));
-}
diff --git a/usr.sbin/bind/bin/named/main.c b/usr.sbin/bind/bin/named/main.c
deleted file mode 100644
index 9e89cd4d32d..00000000000
--- a/usr.sbin/bind/bin/named/main.c
+++ /dev/null
@@ -1,940 +0,0 @@ -/* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: main.c,v 1.136.18.17 2006/11/10 18:51:14 marka Exp $ */ - -/*! \file */ - -#include - -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include -#include -#include -#include - -#include - -/* - * Defining NS_MAIN provides storage declarations (rather than extern) - * for variables in named/globals.h. - */ -#define NS_MAIN 1 - -#include -#include -#include /* Explicit, though named/log.h includes it. */ -#include -#include -#include -#include -#include -#include -#ifdef HAVE_LIBSCF -#include -#endif - -/* - * Include header files for database drivers here. - */ -/* #include "xxdb.h" */ - -/* - * Include DLZ drivers if appropriate. - */ -#ifdef DLZ -#include -#endif - -static isc_boolean_t want_stats = ISC_FALSE; -static char program_name[ISC_DIR_NAMEMAX] = "named"; -static char absolute_conffile[ISC_DIR_PATHMAX]; -static char saved_command_line[512]; -static char version[512]; - -void -ns_main_earlywarning(const char *format, ...) 
{ - va_list args; - - va_start(args, format); - if (ns_g_lctx != NULL) { - isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_WARNING, - format, args); - } else { - fprintf(stderr, "%s: ", program_name); - vfprintf(stderr, format, args); - fprintf(stderr, "\n"); - fflush(stderr); - } - va_end(args); -} - -void -ns_main_earlyfatal(const char *format, ...) { - va_list args; - - va_start(args, format); - if (ns_g_lctx != NULL) { - isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL, - format, args); - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL, - "exiting (due to early fatal error)"); - } else { - fprintf(stderr, "%s: ", program_name); - vfprintf(stderr, format, args); - fprintf(stderr, "\n"); - fflush(stderr); - } - va_end(args); - - exit(1); -} - -static void -assertion_failed(const char *file, int line, isc_assertiontype_t type, - const char *cond) -{ - /* - * Handle assertion failures. - */ - - if (ns_g_lctx != NULL) { - /* - * Reset the assetion callback in case it is the log - * routines causing the assertion. - */ - isc_assertion_setcallback(NULL); - - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL, - "%s:%d: %s(%s) failed", file, line, - isc_assertion_typetotext(type), cond); - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL, - "exiting (due to assertion failure)"); - } else { - fprintf(stderr, "%s:%d: %s(%s) failed\n", - file, line, isc_assertion_typetotext(type), cond); - fflush(stderr); - } - - if (ns_g_coreok) - abort(); - exit(1); -} - -static void -library_fatal_error(const char *file, int line, const char *format, - va_list args) ISC_FORMAT_PRINTF(3, 0); - -static void -library_fatal_error(const char *file, int line, const char *format, - va_list args) -{ - /* - * Handle isc_error_fatal() calls from our libraries. 
- */ - - if (ns_g_lctx != NULL) { - /* - * Reset the error callback in case it is the log - * routines causing the assertion. - */ - isc_error_setfatal(NULL); - - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL, - "%s:%d: fatal error:", file, line); - isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL, - format, args); - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL, - "exiting (due to fatal error in library)"); - } else { - fprintf(stderr, "%s:%d: fatal error: ", file, line); - vfprintf(stderr, format, args); - fprintf(stderr, "\n"); - fflush(stderr); - } - - if (ns_g_coreok) - abort(); - exit(1); -} - -static void -library_unexpected_error(const char *file, int line, const char *format, - va_list args) ISC_FORMAT_PRINTF(3, 0); - -static void -library_unexpected_error(const char *file, int line, const char *format, - va_list args) -{ - /* - * Handle isc_error_unexpected() calls from our libraries. 
- */ - - if (ns_g_lctx != NULL) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_ERROR, - "%s:%d: unexpected error:", file, line); - isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_MAIN, ISC_LOG_ERROR, - format, args); - } else { - fprintf(stderr, "%s:%d: fatal error: ", file, line); - vfprintf(stderr, format, args); - fprintf(stderr, "\n"); - fflush(stderr); - } -} - -static void -lwresd_usage(void) { - fprintf(stderr, - "usage: lwresd [-4|-6] [-c conffile | -C resolvconffile] " - "[-d debuglevel]\n" - " [-f|-g] [-n number_of_cpus] [-p port] " - "[-P listen-port] [-s]\n" - " [-t chrootdir] [-u username] [-i pidfile]\n" - " [-m {usage|trace|record|size|mctx}]\n"); -} - -static void -usage(void) { - if (ns_g_lwresdonly) { - lwresd_usage(); - return; - } - fprintf(stderr, - "usage: named [-4|-6] [-c conffile] [-d debuglevel] " - "[-f|-g] [-n number_of_cpus]\n" - " [-p port] [-s] [-t chrootdir] [-u username] [-i pidfile]\n" - " [-m {usage|trace|record|size|mctx}]\n"); -} - -static void -save_command_line(int argc, char *argv[]) { - int i; - char *src; - char *dst; - char *eob; - const char truncated[] = "..."; - isc_boolean_t quoted = ISC_FALSE; - - dst = saved_command_line; - eob = saved_command_line + sizeof(saved_command_line); - - for (i = 1; i < argc && dst < eob; i++) { - *dst++ = ' '; - - src = argv[i]; - while (*src != '\0' && dst < eob) { - /* - * This won't perfectly produce a shell-independent - * pastable command line in all circumstances, but - * comes close, and for practical purposes will - * nearly always be fine. - */ - if (quoted || isalnum(*src & 0xff) || - *src == '-' || *src == '_' || - *src == '.' 
|| *src == '/') { - *dst++ = *src++; - quoted = ISC_FALSE; - } else { - *dst++ = '\\'; - quoted = ISC_TRUE; - } - } - } - - INSIST(sizeof(saved_command_line) >= sizeof(truncated)); - - if (dst == eob) - strlcpy(eob - sizeof(truncated), truncated, sizeof(truncated)); - else - *dst = '\0'; -} - -static int -parse_int(char *arg, const char *desc) { - char *endp; - int tmp; - long int ltmp; - - ltmp = strtol(arg, &endp, 10); - tmp = (int) ltmp; - if (*endp != '\0') - ns_main_earlyfatal("%s '%s' must be numeric", desc, arg); - if (tmp < 0 || tmp != ltmp) - ns_main_earlyfatal("%s '%s' out of range", desc, arg); - return (tmp); -} - -static struct flag_def { - const char *name; - unsigned int value; -} mem_debug_flags[] = { - { "trace", ISC_MEM_DEBUGTRACE }, - { "record", ISC_MEM_DEBUGRECORD }, - { "usage", ISC_MEM_DEBUGUSAGE }, - { "size", ISC_MEM_DEBUGSIZE }, - { "mctx", ISC_MEM_DEBUGCTX }, - { NULL, 0 } -}; - -static void -set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) { - for (;;) { - const struct flag_def *def; - const char *end = strchr(arg, ','); - int arglen; - if (end == NULL) - end = arg + strlen(arg); - arglen = end - arg; - for (def = defs; def->name != NULL; def++) { - if (arglen == (int)strlen(def->name) && - memcmp(arg, def->name, arglen) == 0) { - *ret |= def->value; - goto found; - } - } - ns_main_earlyfatal("unrecognized flag '%.*s'", arglen, arg); - found: - if (*end == '\0') - break; - arg = end + 1; - } -} - -static void -parse_command_line(int argc, char *argv[]) { - int ch; - int port; - isc_boolean_t disable6 = ISC_FALSE; - isc_boolean_t disable4 = ISC_FALSE; - - save_command_line(argc, argv); - - isc_commandline_errprint = ISC_FALSE; - while ((ch = isc_commandline_parse(argc, argv, - "46c:C:d:fgi:lm:n:N:p:P:st:u:vx:")) != -1) { - switch (ch) { - case '4': - if (disable4) - ns_main_earlyfatal("cannot specify -4 and -6"); - if (isc_net_probeipv4() != ISC_R_SUCCESS) - ns_main_earlyfatal("IPv4 not supported by OS"); - 
isc_net_disableipv6(); - disable6 = ISC_TRUE; - break; - case '6': - if (disable6) - ns_main_earlyfatal("cannot specify -4 and -6"); - if (isc_net_probeipv6() != ISC_R_SUCCESS) - ns_main_earlyfatal("IPv6 not supported by OS"); - isc_net_disableipv4(); - disable4 = ISC_TRUE; - break; - case 'c': - ns_g_conffile = isc_commandline_argument; - lwresd_g_conffile = isc_commandline_argument; - if (lwresd_g_useresolvconf) - ns_main_earlyfatal("cannot specify -c and -C"); - ns_g_conffileset = ISC_TRUE; - break; - case 'C': - lwresd_g_resolvconffile = isc_commandline_argument; - if (ns_g_conffileset) - ns_main_earlyfatal("cannot specify -c and -C"); - lwresd_g_useresolvconf = ISC_TRUE; - break; - case 'd': - ns_g_debuglevel = parse_int(isc_commandline_argument, - "debug level"); - break; - case 'f': - ns_g_foreground = ISC_TRUE; - break; - case 'g': - ns_g_foreground = ISC_TRUE; - ns_g_logstderr = ISC_TRUE; - break; - case 'i': - ns_g_pidfile = isc_commandline_argument; - break; - case 'l': - ns_g_lwresdonly = ISC_TRUE; - break; - case 'm': - set_flags(isc_commandline_argument, mem_debug_flags, - &isc_mem_debugging); - break; - case 'N': /* Deprecated. */ - case 'n': - ns_g_cpus = parse_int(isc_commandline_argument, - "number of cpus"); - if (ns_g_cpus == 0) - ns_g_cpus = 1; - break; - case 'p': - port = parse_int(isc_commandline_argument, "port"); - if (port < 1 || port > 65535) - ns_main_earlyfatal("port '%s' out of range", - isc_commandline_argument); - ns_g_port = port; - break; - /* XXXBEW Should -P be removed? */ - case 'P': - port = parse_int(isc_commandline_argument, "port"); - if (port < 1 || port > 65535) - ns_main_earlyfatal("port '%s' out of range", - isc_commandline_argument); - lwresd_g_listenport = port; - break; - case 's': - /* XXXRTH temporary syntax */ - want_stats = ISC_TRUE; - break; - case 't': - /* XXXJAB should we make a copy? 
*/ - ns_g_chrootdir = isc_commandline_argument; - break; - case 'u': - ns_g_username = isc_commandline_argument; - break; - case 'v': - printf("BIND %s\n", ns_g_version); - exit(0); - case '?': - usage(); - ns_main_earlyfatal("unknown option '-%c'", - isc_commandline_option); - default: - ns_main_earlyfatal("parsing options returned %d", ch); - } - } - - argc -= isc_commandline_index; - argv += isc_commandline_index; - - if (argc > 0) { - usage(); - ns_main_earlyfatal("extra command line arguments"); - } -} - -static isc_result_t -create_managers(void) { - isc_result_t result; -#ifdef ISC_PLATFORM_USETHREADS - unsigned int cpus_detected; -#endif - -#ifdef ISC_PLATFORM_USETHREADS - cpus_detected = isc_os_ncpus(); - if (ns_g_cpus == 0) - ns_g_cpus = cpus_detected; - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, - ISC_LOG_INFO, "found %u CPU%s, using %u worker thread%s", - cpus_detected, cpus_detected == 1 ? "" : "s", - ns_g_cpus, ns_g_cpus == 1 ? "" : "s"); -#else - ns_g_cpus = 1; -#endif - result = isc_taskmgr_create(ns_g_mctx, ns_g_cpus, 0, &ns_g_taskmgr); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_taskmgr_create() failed: %s", - isc_result_totext(result)); - return (ISC_R_UNEXPECTED); - } - - result = isc_timermgr_create(ns_g_mctx, &ns_g_timermgr); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_timermgr_create() failed: %s", - isc_result_totext(result)); - return (ISC_R_UNEXPECTED); - } - - result = isc_socketmgr_create(ns_g_mctx, &ns_g_socketmgr); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_socketmgr_create() failed: %s", - isc_result_totext(result)); - return (ISC_R_UNEXPECTED); - } - - result = isc_entropy_create(ns_g_mctx, &ns_g_entropy); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_entropy_create() failed: %s", - isc_result_totext(result)); - return (ISC_R_UNEXPECTED); - } - - result = 
isc_hash_create(ns_g_mctx, ns_g_entropy, DNS_NAME_MAXWIRE); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_hash_create() failed: %s", - isc_result_totext(result)); - return (ISC_R_UNEXPECTED); - } - - return (ISC_R_SUCCESS); -} - -static void -destroy_managers(void) { - ns_lwresd_shutdown(); - - isc_entropy_detach(&ns_g_entropy); - if (ns_g_fallbackentropy != NULL) - isc_entropy_detach(&ns_g_fallbackentropy); - - /* - * isc_taskmgr_destroy() will block until all tasks have exited, - */ - isc_taskmgr_destroy(&ns_g_taskmgr); - isc_timermgr_destroy(&ns_g_timermgr); - isc_socketmgr_destroy(&ns_g_socketmgr); - - /* - * isc_hash_destroy() cannot be called as long as a resolver may be - * running. Calling this after isc_taskmgr_destroy() ensures the - * call is safe. - */ - isc_hash_destroy(); -} - -static void -setup(void) { - isc_result_t result; -#ifdef HAVE_LIBSCF - char *instance = NULL; -#endif - - /* - * Write pidfile before chroot if specified on the command line - */ - if (ns_g_pidfile != NULL) - ns_os_preopenpidfile(ns_g_pidfile); - - /* - * Get the user and group information before changing the root - * directory, so the administrator does not need to keep a copy - * of the user and group databases in the chroot'ed environment. - */ - ns_os_inituserinfo(ns_g_username); - - /* - * Initialize time conversion information - */ - ns_os_tzset(); - - ns_os_opendevnull(); - -#ifdef HAVE_LIBSCF - /* Check if named is under smf control, before chroot. */ - result = ns_smf_get_instance(&instance, 0, ns_g_mctx); - /* We don't care about instance, just check if we got one. */ - if (result == ISC_R_SUCCESS) - ns_smf_got_instance = 1; - else - ns_smf_got_instance = 0; - if (instance != NULL) - isc_mem_free(ns_g_mctx, instance); -#endif /* HAVE_LIBSCF */ - -#ifdef PATH_RANDOMDEV - /* - * Initialize system's random device as fallback entropy source - * if running chroot'ed. 
- */ - if (1) { /* Always chroot due to privsep */ - result = isc_entropy_create(ns_g_mctx, &ns_g_fallbackentropy); - if (result != ISC_R_SUCCESS) - ns_main_earlyfatal("isc_entropy_create() failed: %s", - isc_result_totext(result)); - - result = isc_entropy_createfilesource(ns_g_fallbackentropy, - PATH_RANDOMDEV); - if (result != ISC_R_SUCCESS) { - ns_main_earlywarning("could not open pre-chroot " - "entropy source %s: %s", - PATH_RANDOMDEV, - isc_result_totext(result)); - isc_entropy_detach(&ns_g_fallbackentropy); - } - } -#endif - -#if 0 /* Not used due to privsep */ - ns_os_chroot(ns_g_chrootdir); -#endif - - /* - * For operating systems which have a capability mechanism, now - * is the time to switch to minimal privs and change our user id. - * On traditional UNIX systems, this call will be a no-op, and we - * will change the user ID after reading the config file the first - * time. (We need to read the config file to know which possibly - * privileged ports to bind() to.) - */ - ns_os_minprivs(); - - result = ns_log_init(ISC_TF(ns_g_username != NULL)); - if (result != ISC_R_SUCCESS) - ns_main_earlyfatal("ns_log_init() failed: %s", - isc_result_totext(result)); - - /* - * Now is the time to daemonize (if we're not running in the - * foreground). We waited until now because we wanted to get - * a valid logging context setup. We cannot daemonize any later, - * because calling create_managers() will create threads, which - * would be lost after fork(). - */ - if (!ns_g_foreground) - ns_os_daemonize(); - - /* - * Privilege separation - */ - isc_priv_init(ns_g_logstderr); - isc_drop_privs(ns_g_username, ns_g_chrootdir); - isc_socket_privsep(1); - - /* process is now unprivileged and inside a chroot */ - - /* - * We call isc_app_start() here as some versions of FreeBSD's fork() - * destroys all the signal handling it sets up. 
- */ - result = isc_app_start(); - if (result != ISC_R_SUCCESS) - ns_main_earlyfatal("isc_app_start() failed: %s", - isc_result_totext(result)); - - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, - ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version, - saved_command_line); - - /* - * Get the initial resource limits. - */ - (void)isc_resource_getlimit(isc_resource_stacksize, - &ns_g_initstacksize); - (void)isc_resource_getlimit(isc_resource_datasize, - &ns_g_initdatasize); - (void)isc_resource_getlimit(isc_resource_coresize, - &ns_g_initcoresize); - (void)isc_resource_getlimit(isc_resource_openfiles, - &ns_g_initopenfiles); - - /* - * If the named configuration filename is relative, prepend the current - * directory's name before possibly changing to another directory. - */ - if (! isc_file_isabsolute(ns_g_conffile)) { - result = isc_file_absolutepath(ns_g_conffile, - absolute_conffile, - sizeof(absolute_conffile)); - if (result != ISC_R_SUCCESS) - ns_main_earlyfatal("could not construct absolute path of " - "configuration file: %s", - isc_result_totext(result)); - ns_g_conffile = absolute_conffile; - } - - result = create_managers(); - if (result != ISC_R_SUCCESS) - ns_main_earlyfatal("create_managers() failed: %s", - isc_result_totext(result)); - - ns_builtin_init(); - - /* - * Add calls to register sdb drivers here. - */ - /* xxdb_init(); */ - -#ifdef DLZ - /* - * Registyer any DLZ drivers. - */ - result = dlz_drivers_init(); - if (result != ISC_R_SUCCESS) - ns_main_earlyfatal("dlz_drivers_init() failed: %s", - isc_result_totext(result)); -#endif - - ns_server_create(ns_g_mctx, &ns_g_server); -} - -static void -cleanup(void) { - destroy_managers(); - - ns_server_destroy(&ns_g_server); - - ns_builtin_deinit(); - - /* - * Add calls to unregister sdb drivers here. - */ - /* xxdb_clear(); */ - -#ifdef DLZ - /* - * Unregister any DLZ drivers. 
- */
- dlz_drivers_clear();
-#endif
-
- dns_name_destroy();
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
- ISC_LOG_NOTICE, "exiting");
- ns_log_shutdown();
-}
-
-static char *memstats = NULL;
-
-void
-ns_main_setmemstats(const char *filename) {
- /*
- * Caller has to ensure locking.
- */
-
- if (memstats != NULL) {
- free(memstats);
- memstats = NULL;
- }
- if (filename == NULL)
- return;
- memstats = malloc(strlen(filename) + 1);
- if (memstats)
- strlcpy(memstats, filename, strlen(filename) + 1);
-}
-
-#ifdef HAVE_LIBSCF
-/*
- * Get FMRI for the named process.
- */
-isc_result_t
-ns_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) {
- scf_handle_t *h = NULL;
- int namelen;
- char *instance;
-
- REQUIRE(ins_name != NULL && *ins_name == NULL);
-
- if ((h = scf_handle_create(SCF_VERSION)) == NULL) {
- if (debug)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "scf_handle_create() failed: %s",
- scf_strerror(scf_error()));
- return (ISC_R_FAILURE);
- }
-
- if (scf_handle_bind(h) == -1) {
- if (debug)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "scf_handle_bind() failed: %s",
- scf_strerror(scf_error()));
- scf_handle_destroy(h);
- return (ISC_R_FAILURE);
- }
-
- if ((namelen = scf_myname(h, NULL, 0)) == -1) {
- if (debug)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "scf_myname() failed: %s",
- scf_strerror(scf_error()));
- scf_handle_destroy(h);
- return (ISC_R_FAILURE);
- }
-
- if ((instance = isc_mem_allocate(mctx, namelen + 1)) == NULL) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "ns_smf_get_instance memory "
- "allocation failed: %s",
- isc_result_totext(ISC_R_NOMEMORY));
- scf_handle_destroy(h);
- return (ISC_R_FAILURE);
- }
-
- if (scf_myname(h, instance, namelen + 1) == -1) {
- if (debug)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "scf_myname() failed: %s",
- scf_strerror(scf_error()));
- scf_handle_destroy(h);
- isc_mem_free(mctx, instance);
- return (ISC_R_FAILURE);
- }
-
- scf_handle_destroy(h);
- *ins_name = instance;
- return (ISC_R_SUCCESS);
-}
-#endif /* HAVE_LIBSCF */
-
-int
-main(int argc, char *argv[]) {
- isc_result_t result;
-#ifdef HAVE_LIBSCF
- char *instance = NULL;
-#endif
-
- /*
- * Record version in core image.
- * strings named.core | grep "named version:"
- */
- strlcat(version,
- "named version: BIND " VERSION,
- sizeof(version));
- result = isc_file_progname(*argv, program_name, sizeof(program_name));
- if (result != ISC_R_SUCCESS)
- ns_main_earlyfatal("program name too long");
-
- if (strcmp(program_name, "lwresd") == 0)
- ns_g_lwresdonly = ISC_TRUE;
-
- isc_assertion_setcallback(assertion_failed);
- isc_error_setfatal(library_fatal_error);
- isc_error_setunexpected(library_unexpected_error);
-
- ns_os_init(program_name);
-
- dns_result_register();
- dst_result_register();
- isccc_result_register();
-
- parse_command_line(argc, argv);
-
- /*
- * Warn about common configuration error.
- */
- if (ns_g_chrootdir != NULL) {
- int len = strlen(ns_g_chrootdir);
- if (strncmp(ns_g_chrootdir, ns_g_conffile, len) == 0 &&
- (ns_g_conffile[len] == '/' || ns_g_conffile[len] == '\\'))
- ns_main_earlywarning("config filename (-c %s) contains "
- "chroot path (-t %s)",
- ns_g_conffile, ns_g_chrootdir);
- }
-
- result = isc_mem_create(0, 0, &ns_g_mctx);
- if (result != ISC_R_SUCCESS)
- ns_main_earlyfatal("isc_mem_create() failed: %s",
- isc_result_totext(result));
-
- setup();
-
- /*
- * Start things running and then wait for a shutdown request
- * or reload.
- */
- do {
- result = isc_app_run();
-
- if (result == ISC_R_RELOAD) {
- ns_server_reloadwanted(ns_g_server);
- } else if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_run(): %s",
- isc_result_totext(result));
- /*
- * Force exit.
- */
- result = ISC_R_SUCCESS;
- }
- } while (result != ISC_R_SUCCESS);
-
-#ifdef HAVE_LIBSCF
- if (ns_smf_want_disable == 1) {
- result = ns_smf_get_instance(&instance, 1, ns_g_mctx);
- if (result == ISC_R_SUCCESS && instance != NULL) {
- if (smf_disable_instance(instance, 0) != 0)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "smf_disable_instance() "
- "failed for %s : %s",
- instance,
- scf_strerror(scf_error()));
- }
- if (instance != NULL)
- isc_mem_free(ns_g_mctx, instance);
- }
-#endif /* HAVE_LIBSCF */
-
- cleanup();
-
- if (want_stats) {
- isc_mem_stats(ns_g_mctx, stdout);
- isc_mutex_stats(stdout);
- }
- if (memstats != NULL) {
- FILE *fp = NULL;
- result = isc_stdio_open(memstats, "w", &fp);
- if (result == ISC_R_SUCCESS) {
- isc_mem_stats(ns_g_mctx, fp);
- isc_mutex_stats(fp);
- isc_stdio_close(fp);
- }
- }
- isc_mem_destroy(&ns_g_mctx);
- isc_mem_checkdestroyed(stderr);
-
- ns_main_setmemstats(NULL);
-
- isc_app_finish();
-
- ns_os_closedevnull();
-
- ns_os_shutdown();
-
- return (0);
-}
diff --git a/usr.sbin/bind/bin/named/named.8 b/usr.sbin/bind/bin/named/named.8
deleted file mode 100644
index 695de70fbc6..00000000000
--- a/usr.sbin/bind/bin/named/named.8
+++ /dev/null
@@ -1,141 +0,0 @@ -.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -.\" PERFORMANCE OF THIS SOFTWARE. -.\" -.\" $Id: named.8,v 1.10 2008/02/24 10:15:17 mbalmer Exp $ -.\" -.hy 0 -.ad l -.\"Generated by db2man.xsl. Don't modify this, modify the source. -.de Sh \" Subsection -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Ip \" List item -.br -.ie \\n(.$>=3 .ne \\$3 -.el .ne 3 -.IP "\\$1" \\$2 -.. -.TH "NAMED" 8 "June 30, 2000" "" "" -.SH NAME -named \- Internet domain name server -.SH "SYNOPSIS" -.HP 6 -\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fIconfig\-file\fR\fR] [\fB\-d\ \fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-i\ \fIpid\-file\fR\fR] [\fB\-m\ \fIflag\fR\fR] [\fB\-n\ \fI#cpus\fR\fR] [\fB\-p\ \fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fIdirectory\fR\fR] [\fB\-u\ \fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fIcache\-file\fR\fR] -.SH "DESCRIPTION" -.PP -\fBnamed\fR is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC\&. For more information on the DNS, see RFCs 1033, 1034, and 1035\&. 
-.PP -When invoked without arguments, \fBnamed\fR will fork into two processes for privilege separation, \fBchroot(2)\fR to \fB/var/named\fR, read the default configuration file \fI/var/named/etc/named\&.conf\fR, read any initial data, and listen for queries\&. The privileged process will communicate with the child and \fBbind(2)\fR to privileged ports on its behalf\&. See CAVEATS section below\&. -.SH "OPTIONS" -.TP -\-4 -Use IPv4 only even if the host machine is capable of IPv6\&. \fB\-4\fR and \fB\-6\fR are mutually exclusive\&. -.TP -\-6 -Use IPv6 only even if the host machine is capable of IPv4\&. \fB\-4\fR and \fB\-6\fR are mutually exclusive\&. -.TP -\-c \fIconfig\-file\fR -Use \fIconfig\-file\fR as the configuration file instead of the default, \fI/etc/named\&.conf\fR\&. To ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible \fBdirectory\fR option in the configuration file, \fIconfig\-file\fR should be an absolute pathname\&. -.TP -\-d \fIdebug\-level\fR -Set the daemon's debug level to \fIdebug\-level\fR\&. Debugging traces from \fBnamed\fR become more verbose as the debug level increases\&. -.TP -\-f -Run the server in the foreground (i\&.e\&. do not daemonize)\&. -.TP -\-g -Run the server in the foreground and force all logging to \fIstderr\fR\&. -.TP -\-m \fIflag\fR -Turn on memory usage debugging flags\&. Possible flags are \fIusage\fR, \fItrace\fR, \fIrecord\fR, \fIsize\fR, and \fImctx\fR\&. These correspond to the ISC_MEM_DEBUGXXXX flags described in \fI\fR\&. -.TP -\-i \fIpid\-file\fR -Specifies the file that contains the process ID of \fBnamed\fR\&. The default is \fI/var/run/named\&.pid\fR\&. -.TP -\-n \fI#cpus\fR -Create \fI#cpus\fR worker threads to take advantage of multiple CPUs\&. If not specified, \fBnamed\fR will try to determine the number of CPUs present and create one thread per CPU\&. 
If it is unable to determine the number of CPUs, a single worker thread will be created\&. -.TP -\-p \fIport\fR -Listen for queries on port \fIport\fR\&. If not specified, the default is port 53\&. -.TP -\-s -Write memory usage statistics to \fIstdout\fR on exit\&. -.RS -.B "Note:" -This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release\&. -.RE -.TP -\-t \fIdirectory\fR -Chroot to \fIdirectory\fR after processing the command line arguments, but before reading the configuration file\&. -.RS -.B "Warning:" -This option should be used in conjunction with the \fB\-u\fR option, as chrooting a process running as root doesn't enhance security on most systems; the way \fBchroot(2)\fR is defined allows a process with root privileges to escape a chroot jail\&. -.RE -.TP -\-u \fIuser\fR -Setuid to \fIuser\fR after completing privileged operations, such as creating sockets that listen on privileged ports\&. -.RS -.B "Note:" -On Linux, \fBnamed\fR uses the kernel's capability mechanism to drop all root privileges except the ability to \fBbind(2)\fR to a privileged port and set process resource limits\&. Unfortunately, this means that the \fB\-u\fR option only works when \fBnamed\fR is run on kernel 2\&.2\&.18 or later, or kernel 2\&.3\&.99\-pre3 or later, since previous kernels did not allow privileges to be retained after \fBsetuid(2)\fR\&. -.RE -.TP -\-v -Report the version number and exit\&. -.TP -\-x \fIcache\-file\fR -Load data from \fIcache\-file\fR into the cache of the default view\&. -.RS -.B "Warning:" -This option must not be used\&. It is only of interest to BIND 9 developers and may be removed or changed in a future release\&. -.RE -.SH "SIGNALS" -.PP -In routine operation, signals should not be used to control the nameserver; \fBrndc\fR should be used instead\&. -.TP -SIGHUP -Force a reload of the server\&. -.TP -SIGINT, SIGTERM -Shut down the server\&. 
-.PP -The result of sending any other signals to the server is undefined\&. -.SH "CONFIGURATION" -.PP -The \fBnamed\fR configuration file is too complex to describe in detail here\&. A complete description is provided in the BIND 9 Administrator Reference Manual\&. -.SH "CAVEATS" -.PP - \fBnamed\fR runs privilege separated for binding the privileged ports after an interface or address change\&. The privileged process will only allow \fBnamed\fR to \fBbind(2)\fR to default ports\&. Make sure you use unprivileged (>1024) ports if you change any of the default ports in \fBnamed\fR's configuration or on the command\-line\&. -.SH "FILES" -.TP -\fI/etc/named\&.conf\fR -The default configuration file\&. -.TP -\fI/var/run/named\&.pid\fR -The default process\-id file\&. -.SH "SEE ALSO" -.PP -RFC 1033, RFC 1034, RFC 1035, \fBnamed\-checkconf\fR(8), \fBnamed\-checkzone\fR(8), \fBrndc\fR(8), \fBlwresd\fR(8), \fBnamed\&.conf\fR(5), BIND 9 Administrator Reference Manual\&. -.SH "AUTHOR" -.PP -Internet Systems Consortium diff --git a/usr.sbin/bind/bin/named/named.conf.5 b/usr.sbin/bind/bin/named/named.conf.5 deleted file mode 100644 index 2147ceea32b..00000000000 --- a/usr.sbin/bind/bin/named/named.conf.5 +++ /dev/null 
@@ -1,520 +0,0 @@ -.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -.\" PERFORMANCE OF THIS SOFTWARE. -.\" -.\" $ISC: named.conf.5,v 1.1.2.26 2007/08/19 23:26:13 marka Exp $ -.\" -.hy 0 -.ad l -.\" Title: \fInamed.conf\fR -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: Aug 13, 2004 -.\" Manual: BIND9 -.\" Source: BIND9 -.\" -.TH "\fINAMED.CONF\fR" "5" "Aug 13, 2004" "BIND9" "BIND9" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -named.conf \- configuration file for named -.SH "SYNOPSIS" -.HP 11 -\fBnamed.conf\fR -.SH "DESCRIPTION" -.PP -\fInamed.conf\fR -is the configuration file for -\fBnamed\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported: -.PP -C style: /* */ -.PP -C++ style: // to end of line -.PP -Unix style: # to end of line -.SH "ACL" -.sp -.RS 4 -.nf -acl \fIstring\fR { \fIaddress_match_element\fR; ... 
}; -.fi -.RE -.SH "KEY" -.sp -.RS 4 -.nf -key \fIdomain_name\fR { - algorithm \fIstring\fR; - secret \fIstring\fR; -}; -.fi -.RE -.SH "MASTERS" -.sp -.RS 4 -.nf -masters \fIstring\fR [ port \fIinteger\fR ] { - ( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] | - \fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; ... -}; -.fi -.RE -.SH "SERVER" -.sp -.RS 4 -.nf -server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) { - bogus \fIboolean\fR; - edns \fIboolean\fR; - edns\-udp\-size \fIinteger\fR; - max\-udp\-size \fIinteger\fR; - provide\-ixfr \fIboolean\fR; - request\-ixfr \fIboolean\fR; - keys \fIserver_key\fR; - transfers \fIinteger\fR; - transfer\-format ( many\-answers | one\-answer ); - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - support\-ixfr \fIboolean\fR; // obsolete -}; -.fi -.RE -.SH "TRUSTED\-KEYS" -.sp -.RS 4 -.nf -trusted\-keys { - \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... -}; -.fi -.RE -.SH "CONTROLS" -.sp -.RS 4 -.nf -controls { - inet ( \fIipv4_address\fR | \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ] - allow { \fIaddress_match_element\fR; ... } - [ keys { \fIstring\fR; ... } ]; - unix \fIunsupported\fR; // not implemented -}; -.fi -.RE -.SH "LOGGING" -.sp -.RS 4 -.nf -logging { - channel \fIstring\fR { - file \fIlog_file\fR; - syslog \fIoptional_facility\fR; - null; - stderr; - severity \fIlog_severity\fR; - print\-time \fIboolean\fR; - print\-severity \fIboolean\fR; - print\-category \fIboolean\fR; - }; - category \fIstring\fR { \fIstring\fR; ... }; -}; -.fi -.RE -.SH "LWRES" -.sp -.RS 4 -.nf -lwres { - listen\-on [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ... - }; - view \fIstring\fR \fIoptional_class\fR; - search { \fIstring\fR; ... 
}; - ndots \fIinteger\fR; -}; -.fi -.RE -.SH "OPTIONS" -.sp -.RS 4 -.nf -options { - avoid\-v4\-udp\-ports { \fIport\fR; ... }; - avoid\-v6\-udp\-ports { \fIport\fR; ... }; - blackhole { \fIaddress_match_element\fR; ... }; - coresize \fIsize\fR; - datasize \fIsize\fR; - directory \fIquoted_string\fR; - dump\-file \fIquoted_string\fR; - files \fIsize\fR; - heartbeat\-interval \fIinteger\fR; - host\-statistics \fIboolean\fR; // not implemented - host\-statistics\-max \fInumber\fR; // not implemented - hostname ( \fIquoted_string\fR | none ); - interface\-interval \fIinteger\fR; - listen\-on [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... }; - listen\-on\-v6 [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... }; - match\-mapped\-addresses \fIboolean\fR; - memstatistics\-file \fIquoted_string\fR; - pid\-file ( \fIquoted_string\fR | none ); - port \fIinteger\fR; - querylog \fIboolean\fR; - recursing\-file \fIquoted_string\fR; - random\-device \fIquoted_string\fR; - recursive\-clients \fIinteger\fR; - serial\-query\-rate \fIinteger\fR; - server\-id ( \fIquoted_string\fR | none |; - stacksize \fIsize\fR; - statistics\-file \fIquoted_string\fR; - statistics\-interval \fIinteger\fR; // not yet implemented - tcp\-clients \fIinteger\fR; - tcp\-listen\-queue \fIinteger\fR; - tkey\-dhkey \fIquoted_string\fR \fIinteger\fR; - tkey\-gssapi\-credential \fIquoted_string\fR; - tkey\-domain \fIquoted_string\fR; - transfers\-per\-ns \fIinteger\fR; - transfers\-in \fIinteger\fR; - transfers\-out \fIinteger\fR; - use\-ixfr \fIboolean\fR; - version ( \fIquoted_string\fR | none ); - allow\-recursion { \fIaddress_match_element\fR; ... }; - sortlist { \fIaddress_match_element\fR; ... }; - topology { \fIaddress_match_element\fR; ... 
}; // not implemented - auth\-nxdomain \fIboolean\fR; // default changed - minimal\-responses \fIboolean\fR; - recursion \fIboolean\fR; - rrset\-order { - [ class \fIstring\fR ] [ type \fIstring\fR ] - [ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ... - }; - provide\-ixfr \fIboolean\fR; - request\-ixfr \fIboolean\fR; - rfc2308\-type1 \fIboolean\fR; // not yet implemented - additional\-from\-auth \fIboolean\fR; - additional\-from\-cache \fIboolean\fR; - query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - cleaning\-interval \fIinteger\fR; - min\-roots \fIinteger\fR; // not implemented - lame\-ttl \fIinteger\fR; - max\-ncache\-ttl \fIinteger\fR; - max\-cache\-ttl \fIinteger\fR; - transfer\-format ( many\-answers | one\-answer ); - max\-cache\-size \fIsize_no_default\fR; - max\-acache\-size \fIsize_no_default\fR; - clients\-per\-query \fInumber\fR; - max\-clients\-per\-query \fInumber\fR; - check\-names ( master | slave | response ) - ( fail | warn | ignore ); - check\-mx ( fail | warn | ignore ); - check\-integrity \fIboolean\fR; - check\-mx\-cname ( fail | warn | ignore ); - check\-srv\-cname ( fail | warn | ignore ); - cache\-file \fIquoted_string\fR; // test option - suppress\-initial\-notify \fIboolean\fR; // not yet implemented - preferred\-glue \fIstring\fR; - dual\-stack\-servers [ port \fIinteger\fR ] { - ( \fIquoted_string\fR [port \fIinteger\fR] | - \fIipv4_address\fR [port \fIinteger\fR] | - \fIipv6_address\fR [port \fIinteger\fR] ); ... - }; - edns\-udp\-size \fIinteger\fR; - max\-udp\-size \fIinteger\fR; - root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ]; - disable\-algorithms \fIstring\fR { \fIstring\fR; ... 
}; - dnssec\-enable \fIboolean\fR; - dnssec\-validation \fIboolean\fR; - dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR; - dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; - dnssec\-accept\-expired \fIboolean\fR; - empty\-server \fIstring\fR; - empty\-contact \fIstring\fR; - empty\-zones\-enable \fIboolean\fR; - disable\-empty\-zone \fIstring\fR; - dialup \fIdialuptype\fR; - ixfr\-from\-differences \fIixfrdiff\fR; - allow\-query { \fIaddress_match_element\fR; ... }; - allow\-query\-cache { \fIaddress_match_element\fR; ... }; - allow\-transfer { \fIaddress_match_element\fR; ... }; - allow\-update { \fIaddress_match_element\fR; ... }; - allow\-update\-forwarding { \fIaddress_match_element\fR; ... }; - update\-check\-ksk \fIboolean\fR; - masterfile\-format ( text | raw ); - notify \fInotifytype\fR; - notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-delay \fIseconds\fR; - also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) - [ port \fIinteger\fR ]; ... }; - allow\-notify { \fIaddress_match_element\fR; ... }; - forward ( first | only ); - forwarders [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ... 
- }; - max\-journal\-size \fIsize_no_default\fR; - max\-transfer\-time\-in \fIinteger\fR; - max\-transfer\-time\-out \fIinteger\fR; - max\-transfer\-idle\-in \fIinteger\fR; - max\-transfer\-idle\-out \fIinteger\fR; - max\-retry\-time \fIinteger\fR; - min\-retry\-time \fIinteger\fR; - max\-refresh\-time \fIinteger\fR; - min\-refresh\-time \fIinteger\fR; - multi\-master \fIboolean\fR; - sig\-validity\-interval \fIinteger\fR; - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - use\-alt\-transfer\-source \fIboolean\fR; - zone\-statistics \fIboolean\fR; - key\-directory \fIquoted_string\fR; - zero\-no\-soa\-ttl \fIboolean\fR; - zero\-no\-soa\-ttl\-cache \fIboolean\fR; - allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete - deallocate\-on\-exit \fIboolean\fR; // obsolete - fake\-iquery \fIboolean\fR; // obsolete - fetch\-glue \fIboolean\fR; // obsolete - has\-old\-clients \fIboolean\fR; // obsolete - maintain\-ixfr\-base \fIboolean\fR; // obsolete - max\-ixfr\-log\-size \fIsize\fR; // obsolete - multiple\-cnames \fIboolean\fR; // obsolete - named\-xfer \fIquoted_string\fR; // obsolete - serial\-queries \fIinteger\fR; // obsolete - treat\-cr\-as\-space \fIboolean\fR; // obsolete - use\-id\-pool \fIboolean\fR; // obsolete -}; -.fi -.RE -.SH "VIEW" -.sp -.RS 4 -.nf -view \fIstring\fR \fIoptional_class\fR { - match\-clients { \fIaddress_match_element\fR; ... }; - match\-destinations { \fIaddress_match_element\fR; ... }; - match\-recursive\-only \fIboolean\fR; - key \fIstring\fR { - algorithm \fIstring\fR; - secret \fIstring\fR; - }; - zone \fIstring\fR \fIoptional_class\fR { - ... 
- }; - server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen]\fR ) { - ... - }; - trusted\-keys { - \fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; ... - }; - allow\-recursion { \fIaddress_match_element\fR; ... }; - sortlist { \fIaddress_match_element\fR; ... }; - topology { \fIaddress_match_element\fR; ... }; // not implemented - auth\-nxdomain \fIboolean\fR; // default changed - minimal\-responses \fIboolean\fR; - recursion \fIboolean\fR; - rrset\-order { - [ class \fIstring\fR ] [ type \fIstring\fR ] - [ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ... - }; - provide\-ixfr \fIboolean\fR; - request\-ixfr \fIboolean\fR; - rfc2308\-type1 \fIboolean\fR; // not yet implemented - additional\-from\-auth \fIboolean\fR; - additional\-from\-cache \fIboolean\fR; - query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ]; - cleaning\-interval \fIinteger\fR; - min\-roots \fIinteger\fR; // not implemented - lame\-ttl \fIinteger\fR; - max\-ncache\-ttl \fIinteger\fR; - max\-cache\-ttl \fIinteger\fR; - transfer\-format ( many\-answers | one\-answer ); - max\-cache\-size \fIsize_no_default\fR; - max\-acache\-size \fIsize_no_default\fR; - clients\-per\-query \fInumber\fR; - max\-clients\-per\-query \fInumber\fR; - check\-names ( master | slave | response ) - ( fail | warn | ignore ); - check\-mx ( fail | warn | ignore ); - check\-integrity \fIboolean\fR; - check\-mx\-cname ( fail | warn | ignore ); - check\-srv\-cname ( fail | warn | ignore ); - cache\-file \fIquoted_string\fR; // test option - suppress\-initial\-notify \fIboolean\fR; // not yet implemented - preferred\-glue \fIstring\fR; - dual\-stack\-servers [ port \fIinteger\fR ] { - ( \fIquoted_string\fR [port \fIinteger\fR] | - \fIipv4_address\fR [port \fIinteger\fR] | - 
\fIipv6_address\fR [port \fIinteger\fR] ); ... - }; - edns\-udp\-size \fIinteger\fR; - max\-udp\-size \fIinteger\fR; - root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ]; - disable\-algorithms \fIstring\fR { \fIstring\fR; ... }; - dnssec\-enable \fIboolean\fR; - dnssec\-validation \fIboolean\fR; - dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR; - dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR; - dnssec\-accept\-expired \fIboolean\fR; - empty\-server \fIstring\fR; - empty\-contact \fIstring\fR; - empty\-zones\-enable \fIboolean\fR; - disable\-empty\-zone \fIstring\fR; - dialup \fIdialuptype\fR; - ixfr\-from\-differences \fIixfrdiff\fR; - allow\-query { \fIaddress_match_element\fR; ... }; - allow\-query\-cache { \fIaddress_match_element\fR; ... }; - allow\-transfer { \fIaddress_match_element\fR; ... }; - allow\-update { \fIaddress_match_element\fR; ... }; - allow\-update\-forwarding { \fIaddress_match_element\fR; ... }; - update\-check\-ksk \fIboolean\fR; - masterfile\-format ( text | raw ); - notify \fInotifytype\fR; - notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-delay \fIseconds\fR; - also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) - [ port \fIinteger\fR ]; ... }; - allow\-notify { \fIaddress_match_element\fR; ... }; - forward ( first | only ); - forwarders [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ... 
- }; - max\-journal\-size \fIsize_no_default\fR; - max\-transfer\-time\-in \fIinteger\fR; - max\-transfer\-time\-out \fIinteger\fR; - max\-transfer\-idle\-in \fIinteger\fR; - max\-transfer\-idle\-out \fIinteger\fR; - max\-retry\-time \fIinteger\fR; - min\-retry\-time \fIinteger\fR; - max\-refresh\-time \fIinteger\fR; - min\-refresh\-time \fIinteger\fR; - multi\-master \fIboolean\fR; - sig\-validity\-interval \fIinteger\fR; - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - use\-alt\-transfer\-source \fIboolean\fR; - zone\-statistics \fIboolean\fR; - key\-directory \fIquoted_string\fR; - zero\-no\-soa\-ttl \fIboolean\fR; - zero\-no\-soa\-ttl\-cache \fIboolean\fR; - allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete - fetch\-glue \fIboolean\fR; // obsolete - maintain\-ixfr\-base \fIboolean\fR; // obsolete - max\-ixfr\-log\-size \fIsize\fR; // obsolete -}; -.fi -.RE -.SH "ZONE" -.sp -.RS 4 -.nf -zone \fIstring\fR \fIoptional_class\fR { - type ( master | slave | stub | hint | - forward | delegation\-only ); - file \fIquoted_string\fR; - masters [ port \fIinteger\fR ] { - ( \fImasters\fR | - \fIipv4_address\fR [port \fIinteger\fR] | - \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; ... - }; - database \fIstring\fR; - delegation\-only \fIboolean\fR; - check\-names ( fail | warn | ignore ); - check\-mx ( fail | warn | ignore ); - check\-integrity \fIboolean\fR; - check\-mx\-cname ( fail | warn | ignore ); - check\-srv\-cname ( fail | warn | ignore ); - dialup \fIdialuptype\fR; - ixfr\-from\-differences \fIboolean\fR; - journal \fIquoted_string\fR; - zero\-no\-soa\-ttl \fIboolean\fR; - allow\-query { \fIaddress_match_element\fR; ... 
}; - allow\-transfer { \fIaddress_match_element\fR; ... }; - allow\-update { \fIaddress_match_element\fR; ... }; - allow\-update\-forwarding { \fIaddress_match_element\fR; ... }; - update\-policy { - ( grant | deny ) \fIstring\fR - ( name | subdomain | wildcard | self ) \fIstring\fR - \fIrrtypelist\fR; ... - }; - update\-check\-ksk \fIboolean\fR; - masterfile\-format ( text | raw ); - notify \fInotifytype\fR; - notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ]; - notify\-delay \fIseconds\fR; - also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR ) - [ port \fIinteger\fR ]; ... }; - allow\-notify { \fIaddress_match_element\fR; ... }; - forward ( first | only ); - forwarders [ port \fIinteger\fR ] { - ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ... - }; - max\-journal\-size \fIsize_no_default\fR; - max\-transfer\-time\-in \fIinteger\fR; - max\-transfer\-time\-out \fIinteger\fR; - max\-transfer\-idle\-in \fIinteger\fR; - max\-transfer\-idle\-out \fIinteger\fR; - max\-retry\-time \fIinteger\fR; - min\-retry\-time \fIinteger\fR; - max\-refresh\-time \fIinteger\fR; - min\-refresh\-time \fIinteger\fR; - multi\-master \fIboolean\fR; - sig\-validity\-interval \fIinteger\fR; - transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source ( \fIipv4_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * ) - [ port ( \fIinteger\fR | * ) ]; - use\-alt\-transfer\-source \fIboolean\fR; - zone\-statistics \fIboolean\fR; - key\-directory \fIquoted_string\fR; - ixfr\-base \fIquoted_string\fR; // obsolete - ixfr\-tmp\-file \fIquoted_string\fR; // obsolete - maintain\-ixfr\-base \fIboolean\fR; // obsolete - max\-ixfr\-log\-size \fIsize\fR; // obsolete - pubkey 
\fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete -}; -.fi -.RE -.SH "FILES" -.PP -\fI/etc/named.conf\fR -.SH "SEE ALSO" -.PP -\fBnamed\fR(8), -\fBnamed\-checkconf\fR(8), -\fBrndc\fR(8), -BIND 9 Administrator Reference Manual. -.SH "COPYRIGHT" -Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") -.br diff --git a/usr.sbin/bind/bin/named/named.conf.docbook b/usr.sbin/bind/bin/named/named.conf.docbook deleted file mode 100644 index 924c67018c1..00000000000 --- a/usr.sbin/bind/bin/named/named.conf.docbook +++ /dev/null 
@@ -1,599 +0,0 @@ -]> - - - - - - Aug 13, 2004 - - - - named.conf - 5 - BIND9 - - - - named.conf - configuration file for named - - - - - 2004 - 2005 - 2006 - 2007 - 2008 - Internet Systems Consortium, Inc. ("ISC") - - - - - - named.conf - - - - - DESCRIPTION - named.conf is the configuration file - for - named. Statements are enclosed - in braces and terminated with a semi-colon. Clauses in - the statements are also semi-colon terminated. The usual - comment styles are supported: - - - C style: /* */ - - - C++ style: // to end of line - - - Unix style: # to end of line - - - - - ACL - -acl string { address_match_element; ... }; - - - - - - KEY - -key domain_name { - algorithm string; - secret string; -}; - - - - - MASTERS - -masters string port integer { - ( masters | ipv4_address port integer | - ipv6_address port integer ) key string ; ... -}; - - - - - SERVER - -server ( ipv4_address/prefixlen | ipv6_address/prefixlen ) { - bogus boolean; - edns boolean; - edns-udp-size integer; - max-udp-size integer; - provide-ixfr boolean; - request-ixfr boolean; - keys server_key; - transfers integer; - transfer-format ( many-answers | one-answer ); - transfer-source ( ipv4_address | * ) - port ( integer | * ) ; - transfer-source-v6 ( ipv6_address | * ) - port ( integer | * ) ; - - support-ixfr boolean; // obsolete -}; - - - - - TRUSTED-KEYS - -trusted-keys { - domain_name flags protocol algorithm key; ... -}; - - - - - CONTROLS - -controls { - inet ( ipv4_address | ipv6_address | * ) - port ( integer | * ) - allow { address_match_element; ... } - keys { string; ... } ; - unix unsupported; // not implemented -}; - - - - - LOGGING - -logging { - channel string { - file log_file; - syslog optional_facility; - null; - stderr; - severity log_severity; - print-time boolean; - print-severity boolean; - print-category boolean; - }; - category string { string; ... }; -}; - - - - - LWRES - -lwres { - listen-on port integer { - ( ipv4_address | ipv6_address ) port integer ; ... 
- }; - view string optional_class; - search { string; ... }; - ndots integer; -}; - - - - - OPTIONS - -options { - avoid-v4-udp-ports { port; ... }; - avoid-v6-udp-ports { port; ... }; - blackhole { address_match_element; ... }; - coresize size; - datasize size; - directory quoted_string; - dump-file quoted_string; - files size; - heartbeat-interval integer; - host-statistics boolean; // not implemented - host-statistics-max number; // not implemented - hostname ( quoted_string | none ); - interface-interval integer; - listen-on port integer { address_match_element; ... }; - listen-on-v6 port integer { address_match_element; ... }; - match-mapped-addresses boolean; - memstatistics-file quoted_string; - pid-file ( quoted_string | none ); - port integer; - querylog boolean; - recursing-file quoted_string; - reserved-sockets integer; - random-device quoted_string; - recursive-clients integer; - serial-query-rate integer; - server-id ( quoted_string | none |; - stacksize size; - statistics-file quoted_string; - statistics-interval integer; // not yet implemented - tcp-clients integer; - tcp-listen-queue integer; - tkey-dhkey quoted_string integer; - tkey-gssapi-credential quoted_string; - tkey-domain quoted_string; - transfers-per-ns integer; - transfers-in integer; - transfers-out integer; - use-ixfr boolean; - version ( quoted_string | none ); - allow-recursion { address_match_element; ... }; - sortlist { address_match_element; ... }; - topology { address_match_element; ... }; // not implemented - auth-nxdomain boolean; // default changed - minimal-responses boolean; - recursion boolean; - rrset-order { - class string type string - name quoted_string string string; ... 
- }; - provide-ixfr boolean; - request-ixfr boolean; - rfc2308-type1 boolean; // not yet implemented - additional-from-auth boolean; - additional-from-cache boolean; - query-source ( ( ipv4_address | * ) | address ( ipv4_address | * ) ) port ( integer | * ) ; - query-source-v6 ( ( ipv6_address | * ) | address ( ipv6_address | * ) ) port ( integer | * ) ; - cleaning-interval integer; - min-roots integer; // not implemented - lame-ttl integer; - max-ncache-ttl integer; - max-cache-ttl integer; - transfer-format ( many-answers | one-answer ); - max-cache-size size_no_default; - max-acache-size size_no_default; - clients-per-query number; - max-clients-per-query number; - check-names ( master | slave | response ) - ( fail | warn | ignore ); - check-mx ( fail | warn | ignore ); - check-integrity boolean; - check-mx-cname ( fail | warn | ignore ); - check-srv-cname ( fail | warn | ignore ); - cache-file quoted_string; // test option - suppress-initial-notify boolean; // not yet implemented - preferred-glue string; - dual-stack-servers port integer { - ( quoted_string port integer | - ipv4_address port integer | - ipv6_address port integer ); ... - }; - edns-udp-size integer; - max-udp-size integer; - root-delegation-only exclude { quoted_string; ... } ; - disable-algorithms string { string; ... }; - dnssec-enable boolean; - dnssec-validation boolean; - dnssec-lookaside string trust-anchor string; - dnssec-must-be-secure string boolean; - dnssec-accept-expired boolean; - - empty-server string; - empty-contact string; - empty-zones-enable boolean; - disable-empty-zone string; - - dialup dialuptype; - ixfr-from-differences ixfrdiff; - - allow-query { address_match_element; ... }; - allow-query-cache { address_match_element; ... }; - allow-transfer { address_match_element; ... }; - allow-update { address_match_element; ... }; - allow-update-forwarding { address_match_element; ... 
}; - update-check-ksk boolean; - - masterfile-format ( text | raw ); - notify notifytype; - notify-source ( ipv4_address | * ) port ( integer | * ) ; - notify-source-v6 ( ipv6_address | * ) port ( integer | * ) ; - notify-delay seconds; - also-notify port integer { ( ipv4_address | ipv6_address ) - port integer ; ... }; - allow-notify { address_match_element; ... }; - - forward ( first | only ); - forwarders port integer { - ( ipv4_address | ipv6_address ) port integer ; ... - }; - - max-journal-size size_no_default; - max-transfer-time-in integer; - max-transfer-time-out integer; - max-transfer-idle-in integer; - max-transfer-idle-out integer; - max-retry-time integer; - min-retry-time integer; - max-refresh-time integer; - min-refresh-time integer; - multi-master boolean; - sig-validity-interval integer; - - transfer-source ( ipv4_address | * ) - port ( integer | * ) ; - transfer-source-v6 ( ipv6_address | * ) - port ( integer | * ) ; - - alt-transfer-source ( ipv4_address | * ) - port ( integer | * ) ; - alt-transfer-source-v6 ( ipv6_address | * ) - port ( integer | * ) ; - use-alt-transfer-source boolean; - - zone-statistics boolean; - key-directory quoted_string; - zero-no-soa-ttl boolean; - zero-no-soa-ttl-cache boolean; - - allow-v6-synthesis { address_match_element; ... }; // obsolete - deallocate-on-exit boolean; // obsolete - fake-iquery boolean; // obsolete - fetch-glue boolean; // obsolete - has-old-clients boolean; // obsolete - maintain-ixfr-base boolean; // obsolete - max-ixfr-log-size size; // obsolete - multiple-cnames boolean; // obsolete - named-xfer quoted_string; // obsolete - serial-queries integer; // obsolete - treat-cr-as-space boolean; // obsolete - use-id-pool boolean; // obsolete -}; - - - - - VIEW - -view string optional_class { - match-clients { address_match_element; ... }; - match-destinations { address_match_element; ... 
}; - match-recursive-only boolean; - - key string { - algorithm string; - secret string; - }; - - zone string optional_class { - ... - }; - - server ( ipv4_address/prefixlen | ipv6_address/prefixlen ) { - ... - }; - - trusted-keys { - string integer integer integer quoted_string; ... - }; - - allow-recursion { address_match_element; ... }; - sortlist { address_match_element; ... }; - topology { address_match_element; ... }; // not implemented - auth-nxdomain boolean; // default changed - minimal-responses boolean; - recursion boolean; - rrset-order { - class string type string - name quoted_string string string; ... - }; - provide-ixfr boolean; - request-ixfr boolean; - rfc2308-type1 boolean; // not yet implemented - additional-from-auth boolean; - additional-from-cache boolean; - query-source ( ( ipv4_address | * ) | address ( ipv4_address | * ) ) port ( integer | * ) ; - query-source-v6 ( ( ipv6_address | * ) | address ( ipv6_address | * ) ) port ( integer | * ) ; - cleaning-interval integer; - min-roots integer; // not implemented - lame-ttl integer; - max-ncache-ttl integer; - max-cache-ttl integer; - transfer-format ( many-answers | one-answer ); - max-cache-size size_no_default; - max-acache-size size_no_default; - clients-per-query number; - max-clients-per-query number; - check-names ( master | slave | response ) - ( fail | warn | ignore ); - check-mx ( fail | warn | ignore ); - check-integrity boolean; - check-mx-cname ( fail | warn | ignore ); - check-srv-cname ( fail | warn | ignore ); - cache-file quoted_string; // test option - suppress-initial-notify boolean; // not yet implemented - preferred-glue string; - dual-stack-servers port integer { - ( quoted_string port integer | - ipv4_address port integer | - ipv6_address port integer ); ... - }; - edns-udp-size integer; - max-udp-size integer; - root-delegation-only exclude { quoted_string; ... } ; - disable-algorithms string { string; ... 
}; - dnssec-enable boolean; - dnssec-validation boolean; - dnssec-lookaside string trust-anchor string; - dnssec-must-be-secure string boolean; - dnssec-accept-expired boolean; - - empty-server string; - empty-contact string; - empty-zones-enable boolean; - disable-empty-zone string; - - dialup dialuptype; - ixfr-from-differences ixfrdiff; - - allow-query { address_match_element; ... }; - allow-query-cache { address_match_element; ... }; - allow-transfer { address_match_element; ... }; - allow-update { address_match_element; ... }; - allow-update-forwarding { address_match_element; ... }; - update-check-ksk boolean; - - masterfile-format ( text | raw ); - notify notifytype; - notify-source ( ipv4_address | * ) port ( integer | * ) ; - notify-source-v6 ( ipv6_address | * ) port ( integer | * ) ; - notify-delay seconds; - also-notify port integer { ( ipv4_address | ipv6_address ) - port integer ; ... }; - allow-notify { address_match_element; ... }; - - forward ( first | only ); - forwarders port integer { - ( ipv4_address | ipv6_address ) port integer ; ... - }; - - max-journal-size size_no_default; - max-transfer-time-in integer; - max-transfer-time-out integer; - max-transfer-idle-in integer; - max-transfer-idle-out integer; - max-retry-time integer; - min-retry-time integer; - max-refresh-time integer; - min-refresh-time integer; - multi-master boolean; - sig-validity-interval integer; - - transfer-source ( ipv4_address | * ) - port ( integer | * ) ; - transfer-source-v6 ( ipv6_address | * ) - port ( integer | * ) ; - - alt-transfer-source ( ipv4_address | * ) - port ( integer | * ) ; - alt-transfer-source-v6 ( ipv6_address | * ) - port ( integer | * ) ; - use-alt-transfer-source boolean; - - zone-statistics boolean; - key-directory quoted_string; - zero-no-soa-ttl boolean; - zero-no-soa-ttl-cache boolean; - - allow-v6-synthesis { address_match_element; ... 
}; // obsolete - fetch-glue boolean; // obsolete - maintain-ixfr-base boolean; // obsolete - max-ixfr-log-size size; // obsolete -}; - - - - - ZONE - -zone string optional_class { - type ( master | slave | stub | hint | - forward | delegation-only ); - file quoted_string; - - masters port integer { - ( masters | - ipv4_address port integer | - ipv6_address port integer ) key string ; ... - }; - - database string; - delegation-only boolean; - check-names ( fail | warn | ignore ); - check-mx ( fail | warn | ignore ); - check-integrity boolean; - check-mx-cname ( fail | warn | ignore ); - check-srv-cname ( fail | warn | ignore ); - dialup dialuptype; - ixfr-from-differences boolean; - journal quoted_string; - zero-no-soa-ttl boolean; - - allow-query { address_match_element; ... }; - allow-transfer { address_match_element; ... }; - allow-update { address_match_element; ... }; - allow-update-forwarding { address_match_element; ... }; - update-policy { - ( grant | deny ) string - ( name | subdomain | wildcard | self ) string - rrtypelist; ... - }; - update-check-ksk boolean; - - masterfile-format ( text | raw ); - notify notifytype; - notify-source ( ipv4_address | * ) port ( integer | * ) ; - notify-source-v6 ( ipv6_address | * ) port ( integer | * ) ; - notify-delay seconds; - also-notify port integer { ( ipv4_address | ipv6_address ) - port integer ; ... }; - allow-notify { address_match_element; ... }; - - forward ( first | only ); - forwarders port integer { - ( ipv4_address | ipv6_address ) port integer ; ... 
- }; - - max-journal-size size_no_default; - max-transfer-time-in integer; - max-transfer-time-out integer; - max-transfer-idle-in integer; - max-transfer-idle-out integer; - max-retry-time integer; - min-retry-time integer; - max-refresh-time integer; - min-refresh-time integer; - multi-master boolean; - sig-validity-interval integer; - - transfer-source ( ipv4_address | * ) - port ( integer | * ) ; - transfer-source-v6 ( ipv6_address | * ) - port ( integer | * ) ; - - alt-transfer-source ( ipv4_address | * ) - port ( integer | * ) ; - alt-transfer-source-v6 ( ipv6_address | * ) - port ( integer | * ) ; - use-alt-transfer-source boolean; - - zone-statistics boolean; - key-directory quoted_string; - - ixfr-base quoted_string; // obsolete - ixfr-tmp-file quoted_string; // obsolete - maintain-ixfr-base boolean; // obsolete - max-ixfr-log-size size; // obsolete - pubkey integer integer integer quoted_string; // obsolete -}; - - - - - FILES - /etc/named.conf - - - - - SEE ALSO - - named8 - , - - named-checkconf8 - , - - rndc8 - , - BIND 9 Administrator Reference Manual. - - - - diff --git a/usr.sbin/bind/bin/named/named.conf.html b/usr.sbin/bind/bin/named/named.conf.html deleted file mode 100644 index ff0cf5c51d4..00000000000 --- a/usr.sbin/bind/bin/named/named.conf.html +++ /dev/null @@ -1,554 +0,0 @@ - - - - - -named.conf - - -
-
-
-

Name

-

named.conf — configuration file for named

-
-
-

Synopsis

-

named.conf

-
-
-

DESCRIPTION

-

named.conf is the configuration file - for - named. Statements are enclosed - in braces and terminated with a semi-colon. Clauses in - the statements are also semi-colon terminated. The usual - comment styles are supported: -

-

- C style: /* */ -

-

- C++ style: // to end of line -

-

- Unix style: # to end of line -

-
-
-

ACL

-


-acl string { address_match_element; ... };
-
-

-
-
-

KEY

-


-key domain_name {
- algorithm string;
- secret string;
-};
-

-
-
-

MASTERS

-


-masters string [ port integer ] {
- ( masters | ipv4_address [port integer] |
- ipv6_address [port integer] ) [ key string ]; ...
-};
-

-
-
-

SERVER

-


-server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
- bogus boolean;
- edns boolean;
- edns-udp-size integer;
- max-udp-size integer;
- provide-ixfr boolean;
- request-ixfr boolean;
- keys server_key;
- transfers integer;
- transfer-format ( many-answers | one-answer );
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- support-ixfr boolean; // obsolete
-};
-

-
-
-

TRUSTED-KEYS

-


-trusted-keys {
- domain_name flags protocol algorithm key; ... 
-};
-

-
-
-

CONTROLS

-


-controls {
- inet ( ipv4_address | ipv6_address | * )
- [ port ( integer | * ) ]
- allow { address_match_element; ... }
- [ keys { string; ... } ];
- unix unsupported; // not implemented
-};
-

-
-
-

LOGGING

-


-logging {
- channel string {
- file log_file;
- syslog optional_facility;
- null;
- stderr;
- severity log_severity;
- print-time boolean;
- print-severity boolean;
- print-category boolean;
- };
- category string { string; ... };
-};
-

-
-
-

LWRES

-


-lwres {
- listen-on [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
- view string optional_class;
- search { string; ... };
- ndots integer;
-};
-

-
-
-

OPTIONS

-


-options {
- avoid-v4-udp-ports { port; ... };
- avoid-v6-udp-ports { port; ... };
- blackhole { address_match_element; ... };
- coresize size;
- datasize size;
- directory quoted_string;
- dump-file quoted_string;
- files size;
- heartbeat-interval integer;
- host-statistics boolean; // not implemented
- host-statistics-max number; // not implemented
- hostname ( quoted_string | none );
- interface-interval integer;
- listen-on [ port integer ] { address_match_element; ... };
- listen-on-v6 [ port integer ] { address_match_element; ... };
- match-mapped-addresses boolean;
- memstatistics-file quoted_string;
- pid-file ( quoted_string | none );
- port integer;
- querylog boolean;
- recursing-file quoted_string;
- random-device quoted_string;
- recursive-clients integer;
- serial-query-rate integer;
- server-id ( quoted_string | none |;
- stacksize size;
- statistics-file quoted_string;
- statistics-interval integer; // not yet implemented
- tcp-clients integer;
- tcp-listen-queue integer;
- tkey-dhkey quoted_string integer;
- tkey-gssapi-credential quoted_string;
- tkey-domain quoted_string;
- transfers-per-ns integer;
- transfers-in integer;
- transfers-out integer;
- use-ixfr boolean;
- version ( quoted_string | none );
- allow-recursion { address_match_element; ... };
- sortlist { address_match_element; ... };
- topology { address_match_element; ... }; // not implemented
- auth-nxdomain boolean; // default changed
- minimal-responses boolean;
- recursion boolean;
- rrset-order {
- [ class string ] [ type string ]
- [ name quoted_string string string; ...
- };
- provide-ixfr boolean;
- request-ixfr boolean;
- rfc2308-type1 boolean; // not yet implemented
- additional-from-auth boolean;
- additional-from-cache boolean;
- query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];
- query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];
- cleaning-interval integer;
- min-roots integer; // not implemented
- lame-ttl integer;
- max-ncache-ttl integer;
- max-cache-ttl integer;
- transfer-format ( many-answers | one-answer );
- max-cache-size size_no_default;
- max-acache-size size_no_default;
- clients-per-query number;
- max-clients-per-query number;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file quoted_string; // test option
- suppress-initial-notify boolean; // not yet implemented
- preferred-glue string;
- dual-stack-servers [ port integer ] {
- ( quoted_string [port integer] |
- ipv4_address [port integer] |
- ipv6_address [port integer] ); ...
- };
- edns-udp-size integer;
- max-udp-size integer;
- root-delegation-only [ exclude { quoted_string; ... } ];
- disable-algorithms string { string; ... };
- dnssec-enable boolean;
- dnssec-validation boolean;
- dnssec-lookaside string trust-anchor string;
- dnssec-must-be-secure string boolean;
- dnssec-accept-expired boolean;
-
- empty-server string;
- empty-contact string;
- empty-zones-enable boolean;
- disable-empty-zone string;
-
- dialup dialuptype;
- ixfr-from-differences ixfrdiff;
-
- allow-query { address_match_element; ... };
- allow-query-cache { address_match_element; ... };
- allow-transfer { address_match_element; ... };
- allow-update { address_match_element; ... };
- allow-update-forwarding { address_match_element; ... };
- update-check-ksk boolean;
-
- masterfile-format ( text | raw );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ... };
- allow-notify { address_match_element; ... };
-
- forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
-
- max-journal-size size_no_default;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
- max-transfer-idle-in integer;
- max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
- min-refresh-time integer;
- multi-master boolean;
- sig-validity-interval integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
- key-directory quoted_string;
- zero-no-soa-ttl boolean;
- zero-no-soa-ttl-cache boolean;
-
- allow-v6-synthesis { address_match_element; ... }; // obsolete
- deallocate-on-exit boolean; // obsolete
- fake-iquery boolean; // obsolete
- fetch-glue boolean; // obsolete
- has-old-clients boolean; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
- multiple-cnames boolean; // obsolete
- named-xfer quoted_string; // obsolete
- serial-queries integer; // obsolete
- treat-cr-as-space boolean; // obsolete
- use-id-pool boolean; // obsolete
-};
-

-
-
-

VIEW

-


-view string optional_class {
- match-clients { address_match_element; ... };
- match-destinations { address_match_element; ... };
- match-recursive-only boolean;
-
- key string {
- algorithm string;
- secret string;
- };
-
- zone string optional_class {
- ...
- };
-
- server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
- ...
- };
-
- trusted-keys {
- string integer integer integer quoted_string; ...
- };
-
- allow-recursion { address_match_element; ... };
- sortlist { address_match_element; ... };
- topology { address_match_element; ... }; // not implemented
- auth-nxdomain boolean; // default changed
- minimal-responses boolean;
- recursion boolean;
- rrset-order {
- [ class string ] [ type string ]
- [ name quoted_string string string; ...
- };
- provide-ixfr boolean;
- request-ixfr boolean;
- rfc2308-type1 boolean; // not yet implemented
- additional-from-auth boolean;
- additional-from-cache boolean;
- query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];
- query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];
- cleaning-interval integer;
- min-roots integer; // not implemented
- lame-ttl integer;
- max-ncache-ttl integer;
- max-cache-ttl integer;
- transfer-format ( many-answers | one-answer );
- max-cache-size size_no_default;
- max-acache-size size_no_default;
- clients-per-query number;
- max-clients-per-query number;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- cache-file quoted_string; // test option
- suppress-initial-notify boolean; // not yet implemented
- preferred-glue string;
- dual-stack-servers [ port integer ] {
- ( quoted_string [port integer] |
- ipv4_address [port integer] |
- ipv6_address [port integer] ); ...
- };
- edns-udp-size integer;
- max-udp-size integer;
- root-delegation-only [ exclude { quoted_string; ... } ];
- disable-algorithms string { string; ... };
- dnssec-enable boolean;
- dnssec-validation boolean;
- dnssec-lookaside string trust-anchor string;
- dnssec-must-be-secure string boolean;
- dnssec-accept-expired boolean;
-
- empty-server string;
- empty-contact string;
- empty-zones-enable boolean;
- disable-empty-zone string;
-
- dialup dialuptype;
- ixfr-from-differences ixfrdiff;
-
- allow-query { address_match_element; ... };
- allow-query-cache { address_match_element; ... };
- allow-transfer { address_match_element; ... };
- allow-update { address_match_element; ... };
- allow-update-forwarding { address_match_element; ... };
- update-check-ksk boolean;
-
- masterfile-format ( text | raw );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ... };
- allow-notify { address_match_element; ... };
-
- forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
-
- max-journal-size size_no_default;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
- max-transfer-idle-in integer;
- max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
- min-refresh-time integer;
- multi-master boolean;
- sig-validity-interval integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
- key-directory quoted_string;
- zero-no-soa-ttl boolean;
- zero-no-soa-ttl-cache boolean;
-
- allow-v6-synthesis { address_match_element; ... }; // obsolete
- fetch-glue boolean; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
-};
-

-
-
-

ZONE

-


-zone string optional_class {
- type ( master | slave | stub | hint |
- forward | delegation-only );
- file quoted_string;
-
- masters [ port integer ] {
- ( masters |
- ipv4_address [port integer] |
- ipv6_address [ port integer ] ) [ key string ]; ...
- };
-
- database string;
- delegation-only boolean;
- check-names ( fail | warn | ignore );
- check-mx ( fail | warn | ignore );
- check-integrity boolean;
- check-mx-cname ( fail | warn | ignore );
- check-srv-cname ( fail | warn | ignore );
- dialup dialuptype;
- ixfr-from-differences boolean;
- journal quoted_string;
- zero-no-soa-ttl boolean;
-
- allow-query { address_match_element; ... };
- allow-transfer { address_match_element; ... };
- allow-update { address_match_element; ... };
- allow-update-forwarding { address_match_element; ... };
- update-policy {
- ( grant | deny ) string
- ( name | subdomain | wildcard | self ) string
- rrtypelist; ...
- };
- update-check-ksk boolean;
-
- masterfile-format ( text | raw );
- notify notifytype;
- notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
- notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
- notify-delay seconds;
- also-notify [ port integer ] { ( ipv4_address | ipv6_address )
- [ port integer ]; ... };
- allow-notify { address_match_element; ... };
-
- forward ( first | only );
- forwarders [ port integer ] {
- ( ipv4_address | ipv6_address ) [ port integer ]; ...
- };
-
- max-journal-size size_no_default;
- max-transfer-time-in integer;
- max-transfer-time-out integer;
- max-transfer-idle-in integer;
- max-transfer-idle-out integer;
- max-retry-time integer;
- min-retry-time integer;
- max-refresh-time integer;
- min-refresh-time integer;
- multi-master boolean;
- sig-validity-interval integer;
-
- transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
-
- alt-transfer-source ( ipv4_address | * )
- [ port ( integer | * ) ];
- alt-transfer-source-v6 ( ipv6_address | * )
- [ port ( integer | * ) ];
- use-alt-transfer-source boolean;
-
- zone-statistics boolean;
- key-directory quoted_string;
-
- ixfr-base quoted_string; // obsolete
- ixfr-tmp-file quoted_string; // obsolete
- maintain-ixfr-base boolean; // obsolete
- max-ixfr-log-size size; // obsolete
- pubkey integer integer integer quoted_string; // obsolete
-};
-

-
-
-

FILES

-

/etc/named.conf -

-
-
-

SEE ALSO

-

named(8), - named-checkconf(8), - rndc(8), - BIND 9 Administrator Reference Manual. -

-
-
-
diff --git a/usr.sbin/bind/bin/named/named.docbook b/usr.sbin/bind/bin/named/named.docbook
deleted file mode 100644
index 6f9ed270e5c..00000000000
--- a/usr.sbin/bind/bin/named/named.docbook
+++ /dev/null
@@ -1,435 +0,0 @@ -]> - - - - - - June 30, 2000 - - - - named - 8 - BIND9 - - - - named - Internet domain name server - - - - - 2004 - 2005 - 2006 - 2007 - Internet Systems Consortium, Inc. ("ISC") - - - 2000 - 2001 - 2003 - Internet Software Consortium. - - - - - - named - - - - - - - - - - - - - - - - - - - - DESCRIPTION - named - is a Domain Name System (DNS) server, - part of the BIND 9 distribution from ISC. For more - information on the DNS, see RFCs 1033, 1034, and 1035. - - - When invoked without arguments, named - will fork into two processes for privilege separation, - chroot(2) to , - read the default configuration file - /var/named/etc/named.conf, - read any initial data, and listen for queries. The - privileged process will communicate with the child and - bind(2) to privileged - ports on its behalf. See CAVEATS section below. - - - - - OPTIONS - - - - -4 - - - Use IPv4 only even if the host machine is capable of IPv6. - and are mutually - exclusive. - - - - - - -6 - - - Use IPv6 only even if the host machine is capable of IPv4. - and are mutually - exclusive. - - - - - -c config-file - - - Use config-file as the - configuration file instead of the default, - /etc/named.conf. To - ensure that reloading the configuration file continues - to work after the server has changed its working - directory due to to a possible - option in the configuration - file, config-file should be - an absolute pathname. - - - - - - -d debug-level - - - Set the daemon's debug level to debug-level. - Debugging traces from named become - more verbose as the debug level increases. - - - - - - -f - - - Run the server in the foreground (i.e. do not daemonize). - - - - - - -g - - - Run the server in the foreground and force all logging - to stderr. - - - - - - -m flag - - - Turn on memory usage debugging flags. Possible flags are - usage, - trace, - record, - size, and - mctx. - These correspond to the ISC_MEM_DEBUGXXXX flags described in - <isc/mem.h>. 
- - - - - - -i pid-file - - - Specifies the file that contains the process ID of - named. The default is - /var/run/named.pid. - - - - - - -n #cpus - - - Create #cpus worker threads - to take advantage of multiple CPUs. If not specified, - named will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. - - - - - - -p port - - - Listen for queries on port port. If not - specified, the default is port 53. - - - - - - -s - - - Write memory usage statistics to stdout on exit. - - - - This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. - - - - - - - -t directory - - Chroot - to directory after - processing the command line arguments, but before - reading the configuration file. - - - - This option should be used in conjunction with the - option, as chrooting a process - running as root doesn't enhance security on most - systems; the way chroot(2) is - defined allows a process with root privileges to - escape a chroot jail. - - - - - - - -u user - - Setuid - to user after completing - privileged operations, such as creating sockets that - listen on privileged ports. - - - - On Linux, named uses the kernel's - capability mechanism to drop all root privileges - except the ability to bind(2) to - a - privileged port and set process resource limits. - Unfortunately, this means that the - option only works when named is - run - on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or - later, since previous kernels did not allow privileges - to be retained after setuid(2). - - - - - - - -v - - - Report the version number and exit. - - - - - - -x cache-file - - - Load data from cache-file into the - cache of the default view. - - - - This option must not be used. It is only of interest - to BIND 9 developers and may be removed or changed in a - future release. 
- - - - - - - - - - - SIGNALS - - In routine operation, signals should not be used to control - the nameserver; rndc should be used - instead. - - - - - - SIGHUP - - - Force a reload of the server. - - - - - - SIGINT, SIGTERM - - - Shut down the server. - - - - - - - - The result of sending any other signals to the server is undefined. - - - - - - CONFIGURATION - - The named configuration file is too complex - to describe in detail here. A complete description is provided - in the - BIND 9 Administrator Reference Manual. - - - - - CAVEATS - - named runs privilege separated for binding - the privileged ports after an interface or address - change. The privileged process will only allow - named to bind(2) to - default ports. Make sure you use unprivileged (>1024) ports if - you change any of the default ports in named's - configuration or on the command-line. - - - - - FILES - - - - - /etc/named.conf - - - The default configuration file. - - - - - - /var/run/named.pid - - - The default process-id file. - - - - - - - - - - SEE ALSO - RFC 1033, - RFC 1034, - RFC 1035, - - named-checkconf - 8 - , - - named-checkzone - 8 - , - - rndc - 8 - , - - lwresd - 8 - , - - named.conf - 5 - , - BIND 9 Administrator Reference Manual. - - - - - AUTHOR - Internet Systems Consortium - - - - diff --git a/usr.sbin/bind/bin/named/named.html b/usr.sbin/bind/bin/named/named.html deleted file mode 100644 index 5967257a100..00000000000 --- a/usr.sbin/bind/bin/named/named.html +++ /dev/null @@ -1,255 +0,0 @@ - - - - - -named - - -
-
-
-

Name

-

named — Internet domain name server

-
-
-

Synopsis

-

named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

-
-
-

DESCRIPTION

-

named - is a Domain Name System (DNS) server, - part of the BIND 9 distribution from ISC. For more - information on the DNS, see RFCs 1033, 1034, and 1035. -

-

- When invoked without arguments, named - will - read the default configuration file - /etc/named.conf, read any initial - data, and listen for queries. -

-
-
-

OPTIONS

-
-
-4
-

- Use IPv4 only even if the host machine is capable of IPv6. - -4 and -6 are mutually - exclusive. -

-
-6
-

- Use IPv6 only even if the host machine is capable of IPv4. - -4 and -6 are mutually - exclusive. -

-
-c config-file
-

- Use config-file as the - configuration file instead of the default, - /etc/named.conf. To - ensure that reloading the configuration file continues - to work after the server has changed its working - directory due to to a possible - directory option in the configuration - file, config-file should be - an absolute pathname. -

-
-d debug-level
-

- Set the daemon's debug level to debug-level. - Debugging traces from named become - more verbose as the debug level increases. -

-
-f
-

- Run the server in the foreground (i.e. do not daemonize). -

-
-g
-

- Run the server in the foreground and force all logging - to stderr. -

-
-m flag
-

- Turn on memory usage debugging flags. Possible flags are - usage, - trace, - record, - size, and - mctx. - These correspond to the ISC_MEM_DEBUGXXXX flags described in - <isc/mem.h>. -

-
-n #cpus
-

- Create #cpus worker threads - to take advantage of multiple CPUs. If not specified, - named will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. -

-
-p port
-

- Listen for queries on port port. If not - specified, the default is port 53. -

-
-s
-
-

- Write memory usage statistics to stdout on exit. -

-
-

Note

-

- This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. -

-
-
-
-t directory
-
-

Chroot - to directory after - processing the command line arguments, but before - reading the configuration file. -

-
-

Warning

-

- This option should be used in conjunction with the - -u option, as chrooting a process - running as root doesn't enhance security on most - systems; the way chroot(2) is - defined allows a process with root privileges to - escape a chroot jail. -

-
-
-
-u user
-
-

Setuid - to user after completing - privileged operations, such as creating sockets that - listen on privileged ports. -

-
-

Note

-

- On Linux, named uses the kernel's - capability mechanism to drop all root privileges - except the ability to bind(2) to - a - privileged port and set process resource limits. - Unfortunately, this means that the -u - option only works when named is - run - on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or - later, since previous kernels did not allow privileges - to be retained after setuid(2). -

-
-
-
-v
-

- Report the version number and exit. -

-
-x cache-file
-
-

- Load data from cache-file into the - cache of the default view. -

-
-

Warning

-

- This option must not be used. It is only of interest - to BIND 9 developers and may be removed or changed in a - future release. -

-
-
-
-
-
-

SIGNALS

-

- In routine operation, signals should not be used to control - the nameserver; rndc should be used - instead. -

-
-
SIGHUP
-

- Force a reload of the server. -

-
SIGINT, SIGTERM
-

- Shut down the server. -

-
-

- The result of sending any other signals to the server is undefined. -

-
-
-

CONFIGURATION

-

- The named configuration file is too complex - to describe in detail here. A complete description is provided - in the - BIND 9 Administrator Reference Manual. -

-
-
-

FILES

-
-
/etc/named.conf
-

- The default configuration file. -

-
/var/run/named.pid
-

- The default process-id file. -

-
-
-
-

SEE ALSO

-

RFC 1033, - RFC 1034, - RFC 1035, - named-checkconf(8), - named-checkzone(8), - rndc(8), - lwresd(8), - named.conf(5), - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
-
diff --git a/usr.sbin/bind/bin/named/notify.c b/usr.sbin/bind/bin/named/notify.c
deleted file mode 100644
index e20d3dc0c78..00000000000
--- a/usr.sbin/bind/bin/named/notify.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: notify.c,v 1.30.18.3 2005/04/29 00:15:26 marka Exp $ */
-
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-
-/*! \file
- * \brief
- * This module implements notify as in RFC1996.
- */
-
-static void
-notify_log(ns_client_t *client, int level, const char *fmt, ...) {
- va_list ap;
-
- va_start(ap, fmt);
- ns_client_logv(client, DNS_LOGCATEGORY_NOTIFY, NS_LOGMODULE_NOTIFY,
- level, fmt, ap);
- va_end(ap);
-}
-
-static void
-respond(ns_client_t *client, isc_result_t result) {
- dns_rcode_t rcode;
- dns_message_t *message;
- isc_result_t msg_result;
-
- message = client->message;
- rcode = dns_result_torcode(result);
-
- msg_result = dns_message_reply(message, ISC_TRUE);
- if (msg_result != ISC_R_SUCCESS)
- msg_result = dns_message_reply(message, ISC_FALSE);
- if (msg_result != ISC_R_SUCCESS) {
- ns_client_next(client, msg_result);
- return;
- }
- message->rcode = rcode;
- if (rcode == dns_rcode_noerror)
- message->flags |= DNS_MESSAGEFLAG_AA;
- else
- message->flags &= ~DNS_MESSAGEFLAG_AA;
- ns_client_send(client);
-}
-
-void
-ns_notify_start(ns_client_t *client) {
- dns_message_t *request = client->message;
- isc_result_t result;
- dns_name_t *zonename;
- dns_rdataset_t *zone_rdataset;
- dns_zone_t *zone = NULL;
- char namebuf[DNS_NAME_FORMATSIZE];
- char tsigbuf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
- dns_name_t *tsigname;
-
- /*
- * Interpret the question section.
- */
- result = dns_message_firstname(request, DNS_SECTION_QUESTION);
- if (result != ISC_R_SUCCESS) {
- notify_log(client, ISC_LOG_NOTICE,
- "notify question section empty");
- goto formerr;
- }
-
- /*
- * The question section must contain exactly one question.
- */
- zonename = NULL;
- dns_message_currentname(request, DNS_SECTION_QUESTION, &zonename);
- zone_rdataset = ISC_LIST_HEAD(zonename->list);
- if (ISC_LIST_NEXT(zone_rdataset, link) != NULL) {
- notify_log(client, ISC_LOG_NOTICE,
- "notify question section contains multiple RRs");
- goto formerr;
- }
-
- /* The zone section must have exactly one name. */
- result = dns_message_nextname(request, DNS_SECTION_ZONE);
- if (result != ISC_R_NOMORE) {
- notify_log(client, ISC_LOG_NOTICE,
- "notify question section contains multiple RRs");
- goto formerr;
- }
-
- /* The one rdataset must be an SOA. */
- if (zone_rdataset->type != dns_rdatatype_soa) {
- notify_log(client, ISC_LOG_NOTICE,
- "notify question section contains no SOA");
- goto formerr;
- }
-
- tsigname = NULL;
- if (dns_message_gettsig(request, &tsigname) != NULL) {
- dns_name_format(tsigname, namebuf, sizeof(namebuf));
- snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'", namebuf);
- } else
- tsigbuf[0] = '\0';
- dns_name_format(zonename, namebuf, sizeof(namebuf));
- result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
- &zone);
- if (result != ISC_R_SUCCESS)
- goto notauth;
-
- switch (dns_zone_gettype(zone)) {
- case dns_zone_master:
- case dns_zone_slave:
- case dns_zone_stub: /* Allow dialup passive to work. */
- notify_log(client, ISC_LOG_INFO,
- "received notify for zone '%s'%s", namebuf, tsigbuf);
- respond(client, dns_zone_notifyreceive(zone,
- ns_client_getsockaddr(client), request));
- break;
- default:
- goto notauth;
- }
- dns_zone_detach(&zone);
- return;
-
- notauth:
- notify_log(client, ISC_LOG_NOTICE,
- "received notify for zone '%s'%s: not authoritative",
- namebuf, tsigbuf);
- result = DNS_R_NOTAUTH;
- goto failure;
-
- formerr:
- result = DNS_R_FORMERR;
-
- failure:
- if (zone != NULL)
- dns_zone_detach(&zone);
- respond(client, result);
-}
diff --git a/usr.sbin/bind/bin/named/query.c b/usr.sbin/bind/bin/named/query.c
deleted file mode 100644
index b7d9ddf5945..00000000000
--- a/usr.sbin/bind/bin/named/query.c
+++ /dev/null
@@ -1,4600 +0,0 @@
-/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: query.c,v 1.257.18.40 2007/09/26 03:08:14 each Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-#ifdef DLZ
-#include
-#endif
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-
-/*% Partial answer? */
-#define PARTIALANSWER(c) (((c)->query.attributes & \
- NS_QUERYATTR_PARTIALANSWER) != 0)
-/*% Use Cache? */
-#define USECACHE(c) (((c)->query.attributes & \
- NS_QUERYATTR_CACHEOK) != 0)
-/*% Recursion OK? */
-#define RECURSIONOK(c) (((c)->query.attributes & \
- NS_QUERYATTR_RECURSIONOK) != 0)
-/*% Recursing? */
-#define RECURSING(c) (((c)->query.attributes & \
- NS_QUERYATTR_RECURSING) != 0)
-/*% Cache glue ok? */
-#define CACHEGLUEOK(c) (((c)->query.attributes & \
- NS_QUERYATTR_CACHEGLUEOK) != 0)
-/*% Want Recursion? */
-#define WANTRECURSION(c) (((c)->query.attributes & \
- NS_QUERYATTR_WANTRECURSION) != 0)
-/*% Want DNSSEC? */
-#define WANTDNSSEC(c) (((c)->attributes & \
- NS_CLIENTATTR_WANTDNSSEC) != 0)
-/*% No authority? */
-#define NOAUTHORITY(c) (((c)->query.attributes & \
- NS_QUERYATTR_NOAUTHORITY) != 0)
-/*% No additional? */
-#define NOADDITIONAL(c) (((c)->query.attributes & \
- NS_QUERYATTR_NOADDITIONAL) != 0)
-/*% Secure? */
-#define SECURE(c) (((c)->query.attributes & \
- NS_QUERYATTR_SECURE) != 0)
-
-#if 0
-#define CTRACE(m) isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_CLIENT, \
- NS_LOGMODULE_QUERY, \
- ISC_LOG_DEBUG(3), \
- "client %p: %s", client, (m))
-#define QTRACE(m) isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_GENERAL, \
- NS_LOGMODULE_QUERY, \
- ISC_LOG_DEBUG(3), \
- "query %p: %s", query, (m))
-#else
-#define CTRACE(m) ((void)m)
-#define QTRACE(m) ((void)m)
-#endif
-
-#define DNS_GETDB_NOEXACT 0x01U
-#define DNS_GETDB_NOLOG 0x02U
-#define DNS_GETDB_PARTIAL 0x04U
-
-typedef struct client_additionalctx {
- ns_client_t *client;
- dns_rdataset_t *rdataset;
-} client_additionalctx_t;
-
-static void
-query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
-
-static isc_boolean_t
-validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-
-/*%
- * Increment query statistics counters.
- */
-static inline void
-inc_stats(ns_client_t *client, dns_statscounter_t counter) {
- dns_zone_t *zone = client->query.authzone;
-
- REQUIRE(counter < DNS_STATS_NCOUNTERS);
-
- ns_g_server->querystats[counter]++;
-
- if (zone != NULL) {
- isc_uint64_t *zonestats = dns_zone_getstatscounters(zone);
- if (zonestats != NULL)
- zonestats[counter]++;
- }
-}
-
-static void
-query_send(ns_client_t *client) {
- dns_statscounter_t counter;
- if (client->message->rcode == dns_rcode_noerror) {
- if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER])) {
- if (client->query.isreferral) {
- counter = dns_statscounter_referral;
- } else {
- counter = dns_statscounter_nxrrset;
- }
- } else {
- counter = dns_statscounter_success;
- }
- } else if (client->message->rcode == dns_rcode_nxdomain) {
- counter = dns_statscounter_nxdomain;
- } else {
- /* We end up here in case of YXDOMAIN, and maybe others */
- counter = dns_statscounter_failure;
- }
- inc_stats(client, counter);
- ns_client_send(client);
-}
-
-static void
-query_error(ns_client_t *client, isc_result_t result) {
- inc_stats(client, dns_statscounter_failure);
- ns_client_error(client, result);
-}
-
-static void
-query_next(ns_client_t *client, isc_result_t result) {
- if (result == DNS_R_DUPLICATE)
- inc_stats(client, dns_statscounter_duplicate);
- else if (result == DNS_R_DROP)
- inc_stats(client, dns_statscounter_dropped);
- else
- inc_stats(client, dns_statscounter_failure);
- ns_client_next(client, result);
-}
-
-static inline void
-query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
- ns_dbversion_t *dbversion, *dbversion_next;
- unsigned int i;
-
- for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
- dbversion != NULL;
- dbversion = dbversion_next, i++)
- {
- dbversion_next = ISC_LIST_NEXT(dbversion, link);
- /*
- * If we're not freeing everything, we keep the first three
- * dbversions structures around.
- */
- if (i > 3 || everything) {
- ISC_LIST_UNLINK(client->query.freeversions, dbversion,
- link);
- isc_mem_put(client->mctx, dbversion,
- sizeof(*dbversion));
- }
- }
-}
-
-void
-ns_query_cancel(ns_client_t *client) {
- LOCK(&client->query.fetchlock);
- if (client->query.fetch != NULL) {
- dns_resolver_cancelfetch(client->query.fetch);
-
- client->query.fetch = NULL;
- }
- UNLOCK(&client->query.fetchlock);
-}
-
-static inline void
-query_reset(ns_client_t *client, isc_boolean_t everything) {
- isc_buffer_t *dbuf, *dbuf_next;
- ns_dbversion_t *dbversion, *dbversion_next;
-
- /*%
- * Reset the query state of a client to its default state.
- */
-
- /*
- * Cancel the fetch if it's running.
- */
- ns_query_cancel(client);
-
- /*
- * Cleanup any active versions.
- */
- for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
- dbversion != NULL;
- dbversion = dbversion_next) {
- dbversion_next = ISC_LIST_NEXT(dbversion, link);
- dns_db_closeversion(dbversion->db, &dbversion->version,
- ISC_FALSE);
- dns_db_detach(&dbversion->db);
- ISC_LIST_INITANDAPPEND(client->query.freeversions,
- dbversion, link);
- }
- ISC_LIST_INIT(client->query.activeversions);
-
- if (client->query.authdb != NULL)
- dns_db_detach(&client->query.authdb);
- if (client->query.authzone != NULL)
- dns_zone_detach(&client->query.authzone);
-
- query_freefreeversions(client, everything);
-
- for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
- dbuf != NULL;
- dbuf = dbuf_next) {
- dbuf_next = ISC_LIST_NEXT(dbuf, link);
- if (dbuf_next != NULL || everything) {
- ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
- isc_buffer_free(&dbuf);
- }
- }
-
- if (client->query.restarts > 0) {
- /*
- * client->query.qname was dynamically allocated.
- */
- dns_message_puttempname(client->message,
- &client->query.qname);
- }
- client->query.qname = NULL;
- client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
- NS_QUERYATTR_CACHEOK |
- NS_QUERYATTR_SECURE);
- client->query.restarts = 0;
- client->query.timerset = ISC_FALSE;
- client->query.origqname = NULL;
- client->query.qname = NULL;
- client->query.dboptions = 0;
- client->query.fetchoptions = 0;
- client->query.gluedb = NULL;
- client->query.authdbset = ISC_FALSE;
- client->query.isreferral = ISC_FALSE;
-}
-
-static void
-query_next_callback(ns_client_t *client) {
- query_reset(client, ISC_FALSE);
-}
-
-void
-ns_query_free(ns_client_t *client) {
- query_reset(client, ISC_TRUE);
-}
-
-static inline isc_result_t
-query_newnamebuf(ns_client_t *client) {
- isc_buffer_t *dbuf;
- isc_result_t result;
-
- CTRACE("query_newnamebuf");
- /*%
- * Allocate a name buffer.
- */
-
- dbuf = NULL;
- result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
- return (result);
- }
- ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
-
- CTRACE("query_newnamebuf: done");
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_buffer_t *
-query_getnamebuf(ns_client_t *client) {
- isc_buffer_t *dbuf;
- isc_result_t result;
- isc_region_t r;
-
- CTRACE("query_getnamebuf");
- /*%
- * Return a name buffer with space for a maximal name, allocating
- * a new one if necessary.
- */
-
- if (ISC_LIST_EMPTY(client->query.namebufs)) {
- result = query_newnamebuf(client);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_getnamebuf: query_newnamebuf failed: done");
- return (NULL);
- }
- }
-
- dbuf = ISC_LIST_TAIL(client->query.namebufs);
- INSIST(dbuf != NULL);
- isc_buffer_availableregion(dbuf, &r);
- if (r.length < 255) {
- result = query_newnamebuf(client);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_getnamebuf: query_newnamebuf failed: done");
- return (NULL);
-
- }
- dbuf = ISC_LIST_TAIL(client->query.namebufs);
- isc_buffer_availableregion(dbuf, &r);
- INSIST(r.length >= 255);
- }
- CTRACE("query_getnamebuf: done");
- return (dbuf);
-}
-
-static inline void
-query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
- isc_region_t r;
-
- CTRACE("query_keepname");
- /*%
- * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
- * adjusted to take account of that. We do the adjustment.
- */
-
- REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
-
- dns_name_toregion(name, &r);
- isc_buffer_add(dbuf, r.length);
- dns_name_setbuffer(name, NULL);
- client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
-}
-
-static inline void
-query_releasename(ns_client_t *client, dns_name_t **namep) {
- dns_name_t *name = *namep;
-
- /*%
- * 'name' is no longer needed. Return it to our pool of temporary
- * names. If it is using a name buffer, relinquish its exclusive
- * rights on the buffer.
- */
-
- CTRACE("query_releasename");
- if (dns_name_hasbuffer(name)) {
- INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
- != 0);
- client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
- }
- dns_message_puttempname(client->message, namep);
- CTRACE("query_releasename: done");
-}
-
-static inline dns_name_t *
-query_newname(ns_client_t *client, isc_buffer_t *dbuf,
- isc_buffer_t *nbuf)
-{
- dns_name_t *name;
- isc_region_t r;
- isc_result_t result;
-
- REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
-
- CTRACE("query_newname");
- name = NULL;
- result = dns_message_gettempname(client->message, &name);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_newname: dns_message_gettempname failed: done");
- return (NULL);
- }
- isc_buffer_availableregion(dbuf, &r);
- isc_buffer_init(nbuf, r.base, r.length);
- dns_name_init(name, NULL);
- dns_name_setbuffer(name, nbuf);
- client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
-
- CTRACE("query_newname: done");
- return (name);
-}
-
-static inline dns_rdataset_t *
-query_newrdataset(ns_client_t *client) {
- dns_rdataset_t *rdataset;
- isc_result_t result;
-
- CTRACE("query_newrdataset");
- rdataset = NULL;
- result = dns_message_gettemprdataset(client->message, &rdataset);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_newrdataset: "
- "dns_message_gettemprdataset failed: done");
- return (NULL);
- }
- dns_rdataset_init(rdataset);
-
- CTRACE("query_newrdataset: done");
- return (rdataset);
-}
-
-static inline void
-query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
- dns_rdataset_t *rdataset = *rdatasetp;
-
- CTRACE("query_putrdataset");
- if (rdataset != NULL) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- dns_message_puttemprdataset(client->message, rdatasetp);
- }
- CTRACE("query_putrdataset: done");
-}
-
-
-static inline isc_result_t
-query_newdbversion(ns_client_t *client, unsigned int n) {
- unsigned int i;
- ns_dbversion_t *dbversion;
-
- for (i = 0; i < n; i++) {
- dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
- if (dbversion != NULL) {
- dbversion->db = NULL;
- dbversion->version = NULL;
- ISC_LIST_INITANDAPPEND(client->query.freeversions,
- dbversion, link);
- } else {
- /*
- * We only return ISC_R_NOMEMORY if we couldn't
- * allocate anything.
- */
- if (i == 0)
- return (ISC_R_NOMEMORY);
- else
- return (ISC_R_SUCCESS);
- }
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static inline ns_dbversion_t *
-query_getdbversion(ns_client_t *client) {
- isc_result_t result;
- ns_dbversion_t *dbversion;
-
- if (ISC_LIST_EMPTY(client->query.freeversions)) {
- result = query_newdbversion(client, 1);
- if (result != ISC_R_SUCCESS)
- return (NULL);
- }
- dbversion = ISC_LIST_HEAD(client->query.freeversions);
- INSIST(dbversion != NULL);
- ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
-
- return (dbversion);
-}
-
-isc_result_t
-ns_query_init(ns_client_t *client) {
- isc_result_t result;
-
- ISC_LIST_INIT(client->query.namebufs);
- ISC_LIST_INIT(client->query.activeversions);
- ISC_LIST_INIT(client->query.freeversions);
- client->query.restarts = 0;
- client->query.timerset = ISC_FALSE;
- client->query.qname = NULL;
- result = isc_mutex_init(&client->query.fetchlock);
- if (result != ISC_R_SUCCESS)
- return (result);
- client->query.fetch = NULL;
- client->query.authdb = NULL;
- client->query.authzone = NULL;
- client->query.authdbset = ISC_FALSE;
- client->query.isreferral = ISC_FALSE;
- query_reset(client, ISC_FALSE);
- result = query_newdbversion(client, 3);
- if (result != ISC_R_SUCCESS) {
- DESTROYLOCK(&client->query.fetchlock);
- return (result);
- }
- result = query_newnamebuf(client);
- if (result != ISC_R_SUCCESS)
- query_freefreeversions(client, ISC_TRUE);
-
- return (result);
-}
-
-static inline ns_dbversion_t *
-query_findversion(ns_client_t *client, dns_db_t *db,
- isc_boolean_t *newzonep)
-{
- ns_dbversion_t *dbversion;
-
- /*%
- * We may already have done a query related to this
- * database. If so, we must be sure to make subsequent
- * queries from the same version.
- */
- for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
- dbversion != NULL;
- dbversion = ISC_LIST_NEXT(dbversion, link)) {
- if (dbversion->db == db)
- break;
- }
-
- if (dbversion == NULL) {
- /*
- * This is a new zone for this query. Add it to
- * the active list.
- */
- dbversion = query_getdbversion(client);
- if (dbversion == NULL)
- return (NULL);
- dns_db_attach(db, &dbversion->db);
- dns_db_currentversion(db, &dbversion->version);
- dbversion->queryok = ISC_FALSE;
- ISC_LIST_APPEND(client->query.activeversions,
- dbversion, link);
- *newzonep = ISC_TRUE;
- } else
- *newzonep = ISC_FALSE;
-
- return (dbversion);
-}
-
-static inline isc_result_t
-query_validatezonedb(ns_client_t *client, dns_name_t *name,
- dns_rdatatype_t qtype, unsigned int options,
- dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t **versionp)
-{
- isc_result_t result;
- isc_boolean_t check_acl, new_zone;
- dns_acl_t *queryacl;
- ns_dbversion_t *dbversion;
-
- REQUIRE(zone != NULL);
- REQUIRE(db != NULL);
-
- /*
- * This limits our searching to the zone where the first name
- * (the query target) was looked for. This prevents following
- * CNAMES or DNAMES into other zones and prevents returning
- * additional data from other zones.
- */
- if (!client->view->additionalfromauth &&
- client->query.authdbset &&
- db != client->query.authdb)
- goto refuse;
-
- /*
- * If the zone has an ACL, we'll check it, otherwise
- * we use the view's "allow-query" ACL. Each ACL is only checked
- * once per query.
- *
- * Also, get the database version to use.
- */
-
- check_acl = ISC_TRUE; /* Keep compiler happy. */
- queryacl = NULL;
-
- /*
- * Get the current version of this database.
- */
- dbversion = query_findversion(client, db, &new_zone);
- if (dbversion == NULL) {
- result = DNS_R_SERVFAIL;
- goto fail;
- }
- if (new_zone) {
- check_acl = ISC_TRUE;
- } else if (!dbversion->queryok) {
- goto refuse;
- } else {
- check_acl = ISC_FALSE;
- }
-
- queryacl = dns_zone_getqueryacl(zone);
- if (queryacl == NULL) {
- queryacl = client->view->queryacl;
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOKVALID) != 0) {
- /*
- * We've evaluated the view's queryacl already. If
- * NS_QUERYATTR_QUERYOK is set, then the client is
- * allowed to make queries, otherwise the query should
- * be refused.
- */
- check_acl = ISC_FALSE;
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOK) == 0)
- goto refuse;
- } else {
- /*
- * We haven't evaluated the view's queryacl yet.
- */
- check_acl = ISC_TRUE;
- }
- }
-
- if (check_acl) {
- isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
-
- result = ns_client_checkaclsilent(client, queryacl, ISC_TRUE);
- if (log) {
- char msg[NS_CLIENT_ACLMSGSIZE("query")];
- if (result == ISC_R_SUCCESS) {
- if (isc_log_wouldlog(ns_g_lctx,
- ISC_LOG_DEBUG(3)))
- {
- ns_client_aclmsg("query", name, qtype,
- client->view->rdclass,
- msg, sizeof(msg));
- ns_client_log(client,
- DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY,
- ISC_LOG_DEBUG(3),
- "%s approved", msg);
- }
- } else {
- ns_client_aclmsg("query", name, qtype,
- client->view->rdclass,
- msg, sizeof(msg));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY, ISC_LOG_INFO,
- "%s denied", msg);
- }
- }
-
- if (queryacl == client->view->queryacl) {
- if (result == ISC_R_SUCCESS) {
- /*
- * We were allowed by the default
- * "allow-query" ACL. Remember this so we
- * don't have to check again.
- */
- client->query.attributes |=
- NS_QUERYATTR_QUERYOK;
- }
- /*
- * We've now evaluated the view's query ACL, and
- * the NS_QUERYATTR_QUERYOK attribute is now valid.
- */
- client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
- }
-
- if (result != ISC_R_SUCCESS)
- goto refuse;
- }
-
- /* Approved. */
-
- /*
- * Remember the result of the ACL check so we
- * don't have to check again.
- */
- dbversion->queryok = ISC_TRUE;
-
- /* Transfer ownership, if necessary. */
- if (versionp != NULL)
- *versionp = dbversion->version;
-
- return (ISC_R_SUCCESS);
-
- refuse:
- return (DNS_R_REFUSED);
-
- fail:
- return (result);
-}
-
-static inline isc_result_t
-query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
- unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
- dns_dbversion_t **versionp)
-{
- isc_result_t result;
- unsigned int ztoptions;
- dns_zone_t *zone = NULL;
- dns_db_t *db = NULL;
- isc_boolean_t partial = ISC_FALSE;
-
- REQUIRE(zonep != NULL && *zonep == NULL);
- REQUIRE(dbp != NULL && *dbp == NULL);
-
- /*%
- * Find a zone database to answer the query.
- */
- ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
- DNS_ZTFIND_NOEXACT : 0;
-
- result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
- &zone);
- if (result == DNS_R_PARTIALMATCH)
- partial = ISC_TRUE;
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
- result = dns_zone_getdb(zone, &db);
-
- if (result != ISC_R_SUCCESS)
- goto fail;
-
- result = query_validatezonedb(client, name, qtype, options, zone, db,
- versionp);
-
- if (result != ISC_R_SUCCESS)
- goto fail;
-
- /* Transfer ownership. */
- *zonep = zone;
- *dbp = db;
-
- if (partial && (options & DNS_GETDB_PARTIAL) != 0)
- return (DNS_R_PARTIALMATCH);
- return (ISC_R_SUCCESS);
-
- fail:
- if (zone != NULL)
- dns_zone_detach(&zone);
- if (db != NULL)
- dns_db_detach(&db);
-
- return (result);
-}
-
-static inline isc_result_t
-query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
- dns_db_t **dbp, unsigned int options)
-{
- isc_result_t result;
- isc_boolean_t check_acl;
- dns_db_t *db = NULL;
-
- REQUIRE(dbp != NULL && *dbp == NULL);
-
- /*%
- * Find a cache database to answer the query.
- * This may fail with DNS_R_REFUSED if the client
- * is not allowed to use the cache.
- */
-
- if (!USECACHE(client))
- return (DNS_R_REFUSED);
- dns_db_attach(client->view->cachedb, &db);
-
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOKVALID) != 0) {
- /*
- * We've evaluated the view's queryacl already. If
- * NS_QUERYATTR_QUERYOK is set, then the client is
- * allowed to make queries, otherwise the query should
- * be refused.
- */
- check_acl = ISC_FALSE;
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOK) == 0)
- goto refuse;
- } else {
- /*
- * We haven't evaluated the view's queryacl yet.
- */
- check_acl = ISC_TRUE;
- }
-
- if (check_acl) {
- isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
- char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
-
- result = ns_client_checkaclsilent(client,
- client->view->queryacl,
- ISC_TRUE);
- if (result == ISC_R_SUCCESS) {
- /*
- * We were allowed by the default
- * "allow-query" ACL. Remember this so we
- * don't have to check again.
- */
- client->query.attributes |=
- NS_QUERYATTR_QUERYOK;
- if (log && isc_log_wouldlog(ns_g_lctx,
- ISC_LOG_DEBUG(3)))
- {
- ns_client_aclmsg("query (cache)", name, qtype,
- client->view->rdclass,
- msg, sizeof(msg));
- ns_client_log(client,
- DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY,
- ISC_LOG_DEBUG(3),
- "%s approved", msg);
- }
- } else if (log) {
- ns_client_aclmsg("query (cache)", name, qtype,
- client->view->rdclass, msg,
- sizeof(msg));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY, ISC_LOG_INFO,
- "%s denied", msg);
- }
- /*
- * We've now evaluated the view's query ACL, and
- * the NS_QUERYATTR_QUERYOK attribute is now valid.
- */
- client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
-
- if (result != ISC_R_SUCCESS)
- goto refuse;
- }
-
- /* Approved. */
-
- /* Transfer ownership. */
- *dbp = db;
-
- return (ISC_R_SUCCESS);
-
- refuse:
- result = DNS_R_REFUSED;
-
- if (db != NULL)
- dns_db_detach(&db);
-
- return (result);
-}
-
-
-static inline isc_result_t
-query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
- unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
- dns_dbversion_t **versionp, isc_boolean_t *is_zonep)
-{
- isc_result_t result;
-
-#ifdef DLZ
- isc_result_t tresult;
- unsigned int namelabels;
- unsigned int zonelabels;
- dns_zone_t *zone = NULL;
- dns_db_t *tdbp;
-
- REQUIRE(zonep != NULL && *zonep == NULL);
-
- tdbp = NULL;
-
- /* Calculate how many labels are in name. */
- namelabels = dns_name_countlabels(name);
- zonelabels = 0;
-
- /* Try to find name in bind's standard database. */
- result = query_getzonedb(client, name, qtype, options, &zone,
- dbp, versionp);
-
- /* See how many labels are in the zone's name. */
- if (result == ISC_R_SUCCESS && zone != NULL)
- zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
- /*
- * If # zone labels < # name labels, try to find an even better match
- * Only try if a DLZ driver is loaded for this view
- */
- if (zonelabels < namelabels && client->view->dlzdatabase != NULL) {
- tresult = dns_dlzfindzone(client->view, name,
- zonelabels, &tdbp);
- /* If we successful, we found a better match. */
- if (tresult == ISC_R_SUCCESS) {
- /*
- * If the previous search returned a zone, detach it.
- */
- if (zone != NULL)
- dns_zone_detach(&zone);
-
- /*
- * If the previous search returned a database,
- * detach it.
- */
- if (*dbp != NULL)
- dns_db_detach(dbp);
-
- /*
- * If the previous search returned a version, clear it.
- */
- *versionp = NULL;
-
- /*
- * Get our database version.
- */
- dns_db_currentversion(tdbp, versionp);
-
- /*
- * Be sure to return our database.
- */
- *dbp = tdbp;
-
- /*
- * We return a null zone, No stats for DLZ zones.
- */
- zone = NULL;
- result = tresult;
- }
- }
-#else
- result = query_getzonedb(client, name, qtype, options,
- zonep, dbp, versionp);
-#endif
-
- /* If successfull, Transfer ownership of zone. */
- if (result == ISC_R_SUCCESS) {
-#ifdef DLZ
- *zonep = zone;
-#endif
- /*
- * If neither attempt above succeeded, return the cache instead
- */
- *is_zonep = ISC_TRUE;
- } else if (result == ISC_R_NOTFOUND) {
- result = query_getcachedb(client, name, qtype, dbp, options);
- *is_zonep = ISC_FALSE;
- }
- return (result);
-}
-
-static inline isc_boolean_t
-query_isduplicate(ns_client_t *client, dns_name_t *name,
- dns_rdatatype_t type, dns_name_t **mnamep)
-{
- dns_section_t section;
- dns_name_t *mname = NULL;
- isc_result_t result;
-
- CTRACE("query_isduplicate");
-
- for (section = DNS_SECTION_ANSWER;
- section <= DNS_SECTION_ADDITIONAL;
- section++) {
- result = dns_message_findname(client->message, section,
- name, type, 0, &mname, NULL);
- if (result == ISC_R_SUCCESS) {
- /*
- * We've already got this RRset in the response.
- */
- CTRACE("query_isduplicate: true: done");
- return (ISC_TRUE);
- } else if (result == DNS_R_NXRRSET) {
- /*
- * The name exists, but the rdataset does not.
- */
- if (section == DNS_SECTION_ADDITIONAL)
- break;
- } else
- RUNTIME_CHECK(result == DNS_R_NXDOMAIN);
- mname = NULL;
- }
-
- /*
- * If the dns_name_t we're looking up is already in the message,
- * we don't want to trigger the caller's name replacement logic.
- */
- if (name == mname)
- mname = NULL;
-
- *mnamep = mname;
-
- CTRACE("query_isduplicate: false: done");
- return (ISC_FALSE);
-}
-
-static isc_result_t
-query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
- ns_client_t *client = arg;
- isc_result_t result, eresult;
- dns_dbnode_t *node;
- dns_db_t *db;
- dns_name_t *fname, *mname;
- dns_rdataset_t *rdataset, *sigrdataset, *trdataset;
- isc_buffer_t *dbuf;
- isc_buffer_t b;
- dns_dbversion_t *version;
- isc_boolean_t added_something, need_addname;
- dns_zone_t *zone;
- dns_rdatatype_t type;
-
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(qtype != dns_rdatatype_any);
-
- if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
- return (ISC_R_SUCCESS);
-
- CTRACE("query_addadditional");
-
- /*
- * Initialization.
- */
- eresult = ISC_R_SUCCESS;
- fname = NULL;
- rdataset = NULL;
- sigrdataset = NULL;
- trdataset = NULL;
- db = NULL;
- version = NULL;
- node = NULL;
- added_something = ISC_FALSE;
- need_addname = ISC_FALSE;
- zone = NULL;
-
- /*
- * We treat type A additional section processing as if it
- * were "any address type" additional section processing.
- * To avoid multiple lookups, we do an 'any' database
- * lookup and iterate over the node.
- */
- if (qtype == dns_rdatatype_a)
- type = dns_rdatatype_any;
- else
- type = qtype;
-
- /*
- * Get some resources.
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- goto cleanup;
- fname = query_newname(client, dbuf, &b);
- rdataset = query_newrdataset(client);
- if (fname == NULL || rdataset == NULL)
- goto cleanup;
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL)
- goto cleanup;
- }
-
- /*
- * Look for a zone database that might contain authoritative
- * additional data.
- */
- result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
- &zone, &db, &version);
- if (result != ISC_R_SUCCESS)
- goto try_cache;
-
- CTRACE("query_addadditional: db_find");
-
- /*
- * Since we are looking for authoritative data, we do not set
- * the GLUEOK flag. Glue will be looked for later, but not
- * necessarily in the same database.
- */
- node = NULL;
- result = dns_db_find(db, name, version, type, client->query.dboptions,
- client->now, &node, fname, rdataset,
- sigrdataset);
- if (result == ISC_R_SUCCESS)
- goto found;
-
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- version = NULL;
- dns_db_detach(&db);
-
- /*
- * No authoritative data was found. The cache is our next best bet.
- */
-
- try_cache:
- result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
- if (result != ISC_R_SUCCESS)
- /*
- * Most likely the client isn't allowed to query the cache.
- */
- goto try_glue;
- /*
- * Attempt to validate glue.
- */
- if (sigrdataset == NULL) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL)
- goto cleanup;
- }
- result = dns_db_find(db, name, version, type,
- client->query.dboptions | DNS_DBFIND_GLUEOK,
- client->now, &node, fname, rdataset,
- sigrdataset);
- if (result == DNS_R_GLUE &&
- validate(client, db, fname, rdataset, sigrdataset))
- result = ISC_R_SUCCESS;
- if (!WANTDNSSEC(client))
- query_putrdataset(client, &sigrdataset);
- if (result == ISC_R_SUCCESS)
- goto found;
-
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- dns_db_detach(&db);
-
- try_glue:
- /*
- * No cached data was found. Glue is our last chance.
- * RFC1035 sayeth:
- *
- * NS records cause both the usual additional section
- * processing to locate a type A record, and, when used
- * in a referral, a special search of the zone in which
- * they reside for glue information.
- *
- * This is the "special search". Note that we must search
- * the zone where the NS record resides, not the zone it
- * points to, and that we only do the search in the delegation
- * case (identified by client->query.gluedb being set).
- */
-
- if (client->query.gluedb == NULL)
- goto cleanup;
-
- /*
- * Don't poision caches using the bailiwick protection model.
- */
- if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
- goto cleanup;
-
- dns_db_attach(client->query.gluedb, &db);
- result = dns_db_find(db, name, version, type,
- client->query.dboptions | DNS_DBFIND_GLUEOK,
- client->now, &node, fname, rdataset,
- sigrdataset);
- if (!(result == ISC_R_SUCCESS ||
- result == DNS_R_ZONECUT ||
- result == DNS_R_GLUE))
- goto cleanup;
-
- found:
- /*
- * We have found a potential additional data rdataset, or
- * at least a node to iterate over.
- */
- query_keepname(client, fname, dbuf);
-
- /*
- * If we have an rdataset, add it to the additional data
- * section.
- */
- mname = NULL;
- if (dns_rdataset_isassociated(rdataset) &&
- !query_isduplicate(client, fname, type, &mname)) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
- ISC_LIST_APPEND(fname->list, rdataset, link);
- trdataset = rdataset;
- rdataset = NULL;
- added_something = ISC_TRUE;
- /*
- * Note: we only add SIGs if we've added the type they cover,
- * so we do not need to check if the SIG rdataset is already
- * in the response.
- */
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- {
- ISC_LIST_APPEND(fname->list, sigrdataset, link);
- sigrdataset = NULL;
- }
- }
-
- if (qtype == dns_rdatatype_a) {
- /*
- * We now go looking for A and AAAA records, along with
- * their signatures.
- *
- * XXXRTH This code could be more efficient.
- */
- if (rdataset != NULL) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- } else {
- rdataset = query_newrdataset(client);
- if (rdataset == NULL)
- goto addname;
- }
- if (sigrdataset != NULL) {
- if (dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- } else if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL)
- goto addname;
- }
- result = dns_db_findrdataset(db, node, version,
- dns_rdatatype_a, 0,
- client->now, rdataset,
- sigrdataset);
- if (result == DNS_R_NCACHENXDOMAIN)
- goto addname;
- if (result == DNS_R_NCACHENXRRSET) {
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- }
- if (result == ISC_R_SUCCESS) {
- mname = NULL;
- if (!query_isduplicate(client, fname,
- dns_rdatatype_a, &mname)) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
- ISC_LIST_APPEND(fname->list, rdataset, link);
- added_something = ISC_TRUE;
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- {
- ISC_LIST_APPEND(fname->list,
- sigrdataset, link);
- sigrdataset =
- query_newrdataset(client);
- }
- rdataset = query_newrdataset(client);
- if (rdataset == NULL)
- goto addname;
- if (WANTDNSSEC(client) && sigrdataset == NULL)
- goto addname;
- } else {
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- }
- }
- result = dns_db_findrdataset(db, node, version,
- dns_rdatatype_aaaa, 0,
- client->now, rdataset,
- sigrdataset);
- if (result == DNS_R_NCACHENXDOMAIN)
- goto addname;
- if (result == DNS_R_NCACHENXRRSET) {
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- }
- if (result == ISC_R_SUCCESS) {
- mname = NULL;
- if (!query_isduplicate(client, fname,
- dns_rdatatype_aaaa, &mname)) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
- ISC_LIST_APPEND(fname->list, rdataset, link);
- added_something = ISC_TRUE;
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- {
- ISC_LIST_APPEND(fname->list,
- sigrdataset, link);
- sigrdataset = NULL;
- }
- rdataset = NULL;
- }
- }
- }
-
- addname:
- CTRACE("query_addadditional: addname");
- /*
- * If we haven't added anything, then we're done.
- */
- if (!added_something)
- goto cleanup;
-
- /*
- * We may have added our rdatasets to an existing name, if so, then
- * need_addname will be ISC_FALSE. Whether we used an existing name
- * or a new one, we must set fname to NULL to prevent cleanup.
- */
- if (need_addname)
- dns_message_addname(client->message, fname,
- DNS_SECTION_ADDITIONAL);
- fname = NULL;
-
- /*
- * In a few cases, we want to add additional data for additional
- * data. It's simpler to just deal with special cases here than
- * to try to create a general purpose mechanism and allow the
- * rdata implementations to do it themselves.
- *
- * This involves recursion, but the depth is limited. The
- * most complex case is adding a SRV rdataset, which involves
- * recursing to add address records, which in turn can cause
- * recursion to add KEYs.
- */
- if (type == dns_rdatatype_srv && trdataset != NULL) {
- /*
- * If we're adding SRV records to the additional data
- * section, it's helpful if we add the SRV additional data
- * as well.
- */
- eresult = dns_rdataset_additionaldata(trdataset,
- query_addadditional,
- client);
- }
-
- cleanup:
- CTRACE("query_addadditional: cleanup");
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (fname != NULL)
- query_releasename(client, &fname);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
-
- CTRACE("query_addadditional: done");
- return (eresult);
-}
-
-static inline void
-query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base,
- dns_rdatasetadditional_t additionaltype,
- dns_rdatatype_t type, dns_zone_t **zonep, dns_db_t **dbp,
- dns_dbversion_t **versionp, dns_dbnode_t **nodep,
- dns_name_t *fname)
-{
- dns_rdataset_t *rdataset;
-
- while ((rdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
- ISC_LIST_UNLINK(fname->list, rdataset, link);
- query_putrdataset(client, &rdataset);
- }
- if (*versionp != NULL)
- dns_db_closeversion(*dbp, versionp, ISC_FALSE);
- if (*nodep != NULL)
- dns_db_detachnode(*dbp, nodep);
- if (*dbp != NULL)
- dns_db_detach(dbp);
- if (*zonep != NULL)
- dns_zone_detach(zonep);
- (void)dns_rdataset_putadditional(client->view->acache, rdataset_base,
- additionaltype, type);
-}
-
-static inline isc_result_t
-query_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0,
- dns_dbversion_t *version)
-{
- isc_result_t result = ISC_R_SUCCESS;
- dns_dbversion_t *version_current = NULL;
- dns_db_t *db_current = db0;
-
- if (db_current == NULL) {
- result = dns_zone_getdb(zone, &db_current);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- dns_db_currentversion(db_current, &version_current);
- if (db_current != db || version_current != version) {
- result = ISC_R_FAILURE;
- goto cleanup;
- }
-
- cleanup:
- dns_db_closeversion(db_current, &version_current, ISC_FALSE);
- if (db0 == NULL && db_current != NULL)
- dns_db_detach(&db_current);
-
- return (result);
-}
-
-static isc_result_t
-query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
- client_additionalctx_t *additionalctx = arg;
- dns_rdataset_t *rdataset_base;
- ns_client_t *client;
- isc_result_t result, eresult;
- dns_dbnode_t *node, *cnode;
- dns_db_t *db, *cdb;
- dns_name_t *fname, *mname0, cfname;
- dns_rdataset_t *rdataset, *sigrdataset;
- dns_rdataset_t *crdataset, *crdataset_next;
- isc_buffer_t *dbuf;
- isc_buffer_t b;
- dns_dbversion_t *version, *cversion;
- isc_boolean_t added_something, need_addname, needadditionalcache;
- isc_boolean_t need_sigrrset;
- dns_zone_t *zone;
- dns_rdatatype_t type;
- dns_rdatasetadditional_t additionaltype;
-
- if (qtype != dns_rdatatype_a) {
- /*
- * This function is optimized for "address" types. For other
- * types, use a generic routine.
- * XXX: ideally, this function should be generic enough.
- */
- return (query_addadditional(additionalctx->client,
- name, qtype));
- }
-
- /*
- * Initialization.
- */
- rdataset_base = additionalctx->rdataset;
- client = additionalctx->client;
- REQUIRE(NS_CLIENT_VALID(client));
- eresult = ISC_R_SUCCESS;
- fname = NULL;
- rdataset = NULL;
- sigrdataset = NULL;
- db = NULL;
- cdb = NULL;
- version = NULL;
- cversion = NULL;
- node = NULL;
- cnode = NULL;
- added_something = ISC_FALSE;
- need_addname = ISC_FALSE;
- zone = NULL;
- needadditionalcache = ISC_FALSE;
- additionaltype = dns_rdatasetadditional_fromauth;
- dns_name_init(&cfname, NULL);
-
- CTRACE("query_addadditional2");
-
- /*
- * We treat type A additional section processing as if it
- * were "any address type" additional section processing.
- * To avoid multiple lookups, we do an 'any' database
- * lookup and iterate over the node.
- * XXXJT: this approach can cause a suboptimal result when the cache
- * DB only has partial address types and the glue DB has remaining
- * ones.
- */
- type = dns_rdatatype_any;
-
- /*
- * Get some resources.
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- goto cleanup;
- fname = query_newname(client, dbuf, &b);
- if (fname == NULL)
- goto cleanup;
- dns_name_setbuffer(&cfname, &b); /* share the buffer */
-
- /* Check additional cache */
- result = dns_rdataset_getadditional(rdataset_base, additionaltype,
- type, client->view->acache, &zone,
- &cdb, &cversion, &cnode, &cfname,
- client->message, client->now);
- if (result != ISC_R_SUCCESS)
- goto findauthdb;
- if (zone == NULL) {
- CTRACE("query_addadditional2: auth zone not found");
- goto try_cache;
- }
-
- /* Is the cached DB up-to-date? */
- result = query_iscachevalid(zone, cdb, NULL, cversion);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_addadditional2: old auth additional cache");
- query_discardcache(client, rdataset_base, additionaltype,
- type, &zone, &cdb, &cversion, &cnode,
- &cfname);
- goto findauthdb;
- }
-
- if (cnode == NULL) {
- /*
- * We have a negative cache. We don't have to check the zone
- * ACL, since the result (not using this zone) would be same
- * regardless of the result.
- */
- CTRACE("query_addadditional2: negative auth additional cache");
- dns_db_closeversion(cdb, &cversion, ISC_FALSE);
- dns_db_detach(&cdb);
- dns_zone_detach(&zone);
- goto try_cache;
- }
-
- result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG,
- zone, cdb, NULL);
- if (result != ISC_R_SUCCESS) {
- query_discardcache(client, rdataset_base, additionaltype,
- type, &zone, &cdb, &cversion, &cnode,
- &cfname);
- goto try_cache;
- }
-
- /* We've got an active cache. */
- CTRACE("query_addadditional2: auth additional cache");
- dns_db_closeversion(cdb, &cversion, ISC_FALSE);
- db = cdb;
- node = cnode;
- dns_name_clone(&cfname, fname);
- query_keepname(client, fname, dbuf);
- goto foundcache;
-
- /*
- * Look for a zone database that might contain authoritative
- * additional data.
- */
- findauthdb:
- result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
- &zone, &db, &version);
- if (result != ISC_R_SUCCESS) {
- /* Cache the negative result */
- (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
- type, client->view->acache,
- NULL, NULL, NULL, NULL,
- NULL);
- goto try_cache;
- }
-
- CTRACE("query_addadditional2: db_find");
-
- /*
- * Since we are looking for authoritative data, we do not set
- * the GLUEOK flag. Glue will be looked for later, but not
- * necessarily in the same database.
- */
- node = NULL;
- result = dns_db_find(db, name, version, type, client->query.dboptions,
- client->now, &node, fname, NULL, NULL);
- if (result == ISC_R_SUCCESS)
- goto found;
-
- /* Cache the negative result */
- (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
- type, client->view->acache, zone, db,
- version, NULL, fname);
-
- if (node != NULL)
- dns_db_detachnode(db, &node);
- version = NULL;
- dns_db_detach(&db);
-
- /*
- * No authoritative data was found. The cache is our next best bet.
- */
-
- try_cache:
- additionaltype = dns_rdatasetadditional_fromcache;
- result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
- if (result != ISC_R_SUCCESS)
- /*
- * Most likely the client isn't allowed to query the cache.
- */
- goto try_glue;
-
- result = dns_db_find(db, name, version, type,
- client->query.dboptions | DNS_DBFIND_GLUEOK,
- client->now, &node, fname, NULL, NULL);
- if (result == ISC_R_SUCCESS)
- goto found;
-
- if (node != NULL)
- dns_db_detachnode(db, &node);
- dns_db_detach(&db);
-
- try_glue:
- /*
- * No cached data was found. Glue is our last chance.
- * RFC1035 sayeth:
- *
- * NS records cause both the usual additional section
- * processing to locate a type A record, and, when used
- * in a referral, a special search of the zone in which
- * they reside for glue information.
- *
- * This is the "special search". Note that we must search
- * the zone where the NS record resides, not the zone it
- * points to, and that we only do the search in the delegation
- * case (identified by client->query.gluedb being set).
- */
- if (client->query.gluedb == NULL)
- goto cleanup;
-
- /*
- * Don't poision caches using the bailiwick protection model.
- */
- if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
- goto cleanup;
-
- /* Check additional cache */
- additionaltype = dns_rdatasetadditional_fromglue;
- result = dns_rdataset_getadditional(rdataset_base, additionaltype,
- type, client->view->acache, NULL,
- &cdb, &cversion, &cnode, &cfname,
- client->message, client->now);
- if (result != ISC_R_SUCCESS)
- goto findglue;
-
- result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_addadditional2: old glue additional cache");
- query_discardcache(client, rdataset_base, additionaltype,
- type, &zone, &cdb, &cversion, &cnode,
- &cfname);
- goto findglue;
- }
-
- if (cnode == NULL) {
- /* We have a negative cache. */
- CTRACE("query_addadditional2: negative glue additional cache");
- dns_db_closeversion(cdb, &cversion, ISC_FALSE);
- dns_db_detach(&cdb);
- goto cleanup;
- }
-
- /* Cache hit. */
- CTRACE("query_addadditional2: glue additional cache");
- dns_db_closeversion(cdb, &cversion, ISC_FALSE);
- db = cdb;
- node = cnode;
- dns_name_clone(&cfname, fname);
- query_keepname(client, fname, dbuf);
- goto foundcache;
-
- findglue:
- dns_db_attach(client->query.gluedb, &db);
- result = dns_db_find(db, name, version, type,
- client->query.dboptions | DNS_DBFIND_GLUEOK,
- client->now, &node, fname, NULL, NULL);
- if (!(result == ISC_R_SUCCESS ||
- result == DNS_R_ZONECUT ||
- result == DNS_R_GLUE)) {
- /* cache the negative result */
- (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
- type, client->view->acache,
- NULL, db, version, NULL,
- fname);
- goto cleanup;
- }
-
- found:
- /*
- * We have found a DB node to iterate over from a DB.
- * We are going to look for address RRsets (i.e., A and AAAA) in the DB
- * node we've just found. We'll then store the complete information
- * in the additional data cache.
- */
- dns_name_clone(fname, &cfname);
- query_keepname(client, fname, dbuf);
- needadditionalcache = ISC_TRUE;
-
- rdataset = query_newrdataset(client);
- if (rdataset == NULL)
- goto cleanup;
-
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL)
- goto cleanup;
-
- /*
- * Find A RRset with sig RRset. Even if we don't find a sig RRset
- * for a client using DNSSEC, we'll continue the process to make a
- * complete list to be cached. However, we need to cancel the
- * caching when something unexpected happens, in order to avoid
- * caching incomplete information.
- */
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0,
- client->now, rdataset, sigrdataset);
- /*
- * If we can't promote glue/pending from the cache to secure
- * then drop it.
- */
- if (result == ISC_R_SUCCESS &&
- additionaltype == dns_rdatasetadditional_fromcache &&
- (rdataset->trust == dns_trust_pending ||
- rdataset->trust == dns_trust_glue) &&
- !validate(client, db, fname, rdataset, sigrdataset)) {
- dns_rdataset_disassociate(rdataset);
- if (dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- result = ISC_R_NOTFOUND;
- }
- if (result == DNS_R_NCACHENXDOMAIN)
- goto setcache;
- if (result == DNS_R_NCACHENXRRSET) {
- dns_rdataset_disassociate(rdataset);
- if (dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- }
- if (result == ISC_R_SUCCESS) {
- /* Remember the result as a cache */
- ISC_LIST_APPEND(cfname.list, rdataset, link);
- if (dns_rdataset_isassociated(sigrdataset)) {
- ISC_LIST_APPEND(cfname.list, sigrdataset, link);
- sigrdataset = query_newrdataset(client);
- }
- rdataset = query_newrdataset(client);
- if (sigrdataset == NULL || rdataset == NULL) {
- /* do not cache incomplete information */
- goto foundcache;
- }
- }
-
- /* Find AAAA RRset with sig RRset */
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
- 0, client->now, rdataset, sigrdataset);
- /*
- * If we can't promote glue/pending from the cache to secure
- * then drop it.
- */
- if (result == ISC_R_SUCCESS &&
- additionaltype == dns_rdatasetadditional_fromcache &&
- (rdataset->trust == dns_trust_pending ||
- rdataset->trust == dns_trust_glue) &&
- !validate(client, db, fname, rdataset, sigrdataset)) {
- dns_rdataset_disassociate(rdataset);
- if (dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- result = ISC_R_NOTFOUND;
- }
- if (result == ISC_R_SUCCESS) {
- ISC_LIST_APPEND(cfname.list, rdataset, link);
- rdataset = NULL;
- if (dns_rdataset_isassociated(sigrdataset)) {
- ISC_LIST_APPEND(cfname.list, sigrdataset, link);
- sigrdataset = NULL;
- }
- }
-
- setcache:
- /*
- * Set the new result in the cache if required. We do not support
- * caching additional data from a cache DB.
- */
- if (needadditionalcache == ISC_TRUE &&
- (additionaltype == dns_rdatasetadditional_fromauth ||
- additionaltype == dns_rdatasetadditional_fromglue)) {
- (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
- type, client->view->acache,
- zone, db, version, node,
- &cfname);
- }
-
- foundcache:
- need_sigrrset = ISC_FALSE;
- mname0 = NULL;
- for (crdataset = ISC_LIST_HEAD(cfname.list);
- crdataset != NULL;
- crdataset = crdataset_next) {
- dns_name_t *mname;
-
- crdataset_next = ISC_LIST_NEXT(crdataset, link);
-
- mname = NULL;
- if (crdataset->type == dns_rdatatype_a ||
- crdataset->type == dns_rdatatype_aaaa) {
- if (!query_isduplicate(client, fname, crdataset->type,
- &mname)) {
- if (mname != NULL) {
- /*
- * A different type of this name is
- * already stored in the additional
- * section. We'll reuse the name.
- * Note that this should happen at most
- * once. Otherwise, fname->link could
- * leak below.
- */
- INSIST(mname0 == NULL);
-
- query_releasename(client, &fname);
- fname = mname;
- mname0 = mname;
- } else
- need_addname = ISC_TRUE;
- ISC_LIST_UNLINK(cfname.list, crdataset, link);
- ISC_LIST_APPEND(fname->list, crdataset, link);
- added_something = ISC_TRUE;
- need_sigrrset = ISC_TRUE;
- } else
- need_sigrrset = ISC_FALSE;
- } else if (crdataset->type == dns_rdatatype_rrsig &&
- need_sigrrset && WANTDNSSEC(client)) {
- ISC_LIST_UNLINK(cfname.list, crdataset, link);
- ISC_LIST_APPEND(fname->list, crdataset, link);
- added_something = ISC_TRUE; /* just in case */
- need_sigrrset = ISC_FALSE;
- }
- }
-
- CTRACE("query_addadditional2: addname");
-
- /*
- * If we haven't added anything, then we're done.
- */
- if (!added_something)
- goto cleanup;
-
- /*
- * We may have added our rdatasets to an existing name, if so, then
- * need_addname will be ISC_FALSE. Whether we used an existing name
- * or a new one, we must set fname to NULL to prevent cleanup.
- */
- if (need_addname)
- dns_message_addname(client->message, fname,
- DNS_SECTION_ADDITIONAL);
- fname = NULL;
-
- cleanup:
- CTRACE("query_addadditional2: cleanup");
-
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- while ((crdataset = ISC_LIST_HEAD(cfname.list)) != NULL) {
- ISC_LIST_UNLINK(cfname.list, crdataset, link);
- query_putrdataset(client, &crdataset);
- }
- if (fname != NULL)
- query_releasename(client, &fname);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
-
- CTRACE("query_addadditional2: done");
- return (eresult);
-}
-
-static inline void
-query_addrdataset(ns_client_t *client, dns_name_t *fname,
- dns_rdataset_t *rdataset)
-{
- client_additionalctx_t additionalctx;
-
- /*
- * Add 'rdataset' and any pertinent additional data to
- * 'fname', a name in the response message for 'client'.
- */
-
- CTRACE("query_addrdataset");
-
- ISC_LIST_APPEND(fname->list, rdataset, link);
-
- if (client->view->order != NULL)
- rdataset->attributes |= dns_order_find(client->view->order,
- fname, rdataset->type,
- rdataset->rdclass);
- rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
-
- if (NOADDITIONAL(client))
- return;
-
- /*
- * Add additional data.
- *
- * We don't care if dns_rdataset_additionaldata() fails.
- */
- additionalctx.client = client;
- additionalctx.rdataset = rdataset;
- (void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
- &additionalctx);
- CTRACE("query_addrdataset: done");
-}
-
-static void
-query_addrrset(ns_client_t *client, dns_name_t **namep,
- dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
- isc_buffer_t *dbuf, dns_section_t section)
-{
- dns_name_t *name, *mname;
- dns_rdataset_t *rdataset, *mrdataset, *sigrdataset;
- isc_result_t result;
-
- /*%
- * To the current response for 'client', add the answer RRset
- * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
- * owner name '*namep', to section 'section', unless they are
- * already there. Also add any pertinent additional data.
- *
- * If 'dbuf' is not NULL, then '*namep' is the name whose data is
- * stored in 'dbuf'. In this case, query_addrrset() guarantees that
- * when it returns the name will either have been kept or released.
- */
- CTRACE("query_addrrset");
- name = *namep;
- rdataset = *rdatasetp;
- if (sigrdatasetp != NULL)
- sigrdataset = *sigrdatasetp;
- else
- sigrdataset = NULL;
- mname = NULL;
- mrdataset = NULL;
- result = dns_message_findname(client->message, section,
- name, rdataset->type, rdataset->covers,
- &mname, &mrdataset);
- if (result == ISC_R_SUCCESS) {
- /*
- * We've already got an RRset of the given name and type.
- * There's nothing else to do;
- */
- CTRACE("query_addrrset: dns_message_findname succeeded: done");
- if (dbuf != NULL)
- query_releasename(client, namep);
- return;
- } else if (result == DNS_R_NXDOMAIN) {
- /*
- * The name doesn't exist.
- */
- if (dbuf != NULL)
- query_keepname(client, name, dbuf);
- dns_message_addname(client->message, name, section);
- *namep = NULL;
- mname = name;
- } else {
- RUNTIME_CHECK(result == DNS_R_NXRRSET);
- if (dbuf != NULL)
- query_releasename(client, namep);
- }
-
- if (rdataset->trust != dns_trust_secure &&
- (section == DNS_SECTION_ANSWER ||
- section == DNS_SECTION_AUTHORITY))
- client->query.attributes &= ~NS_QUERYATTR_SECURE;
- /*
- * Note: we only add SIGs if we've added the type they cover, so
- * we do not need to check if the SIG rdataset is already in the
- * response.
- */
- query_addrdataset(client, mname, rdataset);
- *rdatasetp = NULL;
- if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
- /*
- * We have a signature. Add it to the response.
- */
- ISC_LIST_APPEND(mname->list, sigrdataset, link);
- *sigrdatasetp = NULL;
- }
- CTRACE("query_addrrset: done");
-}
-
-static inline isc_result_t
-query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
- isc_boolean_t zero_ttl)
-{
- dns_name_t *name;
- dns_dbnode_t *node;
- isc_result_t result, eresult;
- dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
- dns_rdataset_t **sigrdatasetp = NULL;
-
- CTRACE("query_addsoa");
- /*
- * Initialization.
- */
- eresult = ISC_R_SUCCESS;
- name = NULL;
- rdataset = NULL;
- node = NULL;
-
- /*
- * Get resources and make 'name' be the database origin.
- */
- result = dns_message_gettempname(client->message, &name);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_name_init(name, NULL);
- dns_name_clone(dns_db_origin(db), name);
- rdataset = query_newrdataset(client);
- if (rdataset == NULL) {
- eresult = DNS_R_SERVFAIL;
- goto cleanup;
- }
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL) {
- eresult = DNS_R_SERVFAIL;
- goto cleanup;
- }
- }
-
- /*
- * Find the SOA.
- */
- result = dns_db_getoriginnode(db, &node);
- if (result == ISC_R_SUCCESS) {
- result = dns_db_findrdataset(db, node, version,
- dns_rdatatype_soa,
- 0, client->now, rdataset,
- sigrdataset);
- } else {
- dns_fixedname_t foundname;
- dns_name_t *fname;
-
- dns_fixedname_init(&foundname);
- fname = dns_fixedname_name(&foundname);
-
- result = dns_db_find(db, name, version, dns_rdatatype_soa,
- client->query.dboptions, 0, &node,
- fname, rdataset, sigrdataset);
- }
- if (result != ISC_R_SUCCESS) {
- /*
- * This is bad. We tried to get the SOA RR at the zone top
- * and it didn't work!
- */
- eresult = DNS_R_SERVFAIL;
- } else {
- /*
- * Extract the SOA MINIMUM.
- */
- dns_rdata_soa_t soa;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- result = dns_rdataset_first(rdataset);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- if (zero_ttl) {
- rdataset->ttl = 0;
- if (sigrdataset != NULL)
- sigrdataset->ttl = 0;
- }
-
- /*
- * Add the SOA and its SIG to the response, with the
- * TTLs adjusted per RFC2308 section 3.
- */
- if (rdataset->ttl > soa.minimum)
- rdataset->ttl = soa.minimum;
- if (sigrdataset != NULL && sigrdataset->ttl > soa.minimum)
- sigrdataset->ttl = soa.minimum;
-
- if (sigrdataset != NULL)
- sigrdatasetp = &sigrdataset;
- else
- sigrdatasetp = NULL;
- query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
- DNS_SECTION_AUTHORITY);
- }
-
- cleanup:
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (name != NULL)
- query_releasename(client, &name);
- if (node != NULL)
- dns_db_detachnode(db, &node);
-
- return (eresult);
-}
-
-static inline isc_result_t
-query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
- dns_name_t *name, *fname;
- dns_dbnode_t *node;
- isc_result_t result, eresult;
- dns_fixedname_t foundname;
- dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
- dns_rdataset_t **sigrdatasetp = NULL;
-
- CTRACE("query_addns");
- /*
- * Initialization.
- */
- eresult = ISC_R_SUCCESS;
- name = NULL;
- rdataset = NULL;
- node = NULL;
- dns_fixedname_init(&foundname);
- fname = dns_fixedname_name(&foundname);
-
- /*
- * Get resources and make 'name' be the database origin.
- */
- result = dns_message_gettempname(client->message, &name);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_addns: dns_message_gettempname failed: done");
- return (result);
- }
- dns_name_init(name, NULL);
- dns_name_clone(dns_db_origin(db), name);
- rdataset = query_newrdataset(client);
- if (rdataset == NULL) {
- CTRACE("query_addns: query_newrdataset failed");
- eresult = DNS_R_SERVFAIL;
- goto cleanup;
- }
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL) {
- CTRACE("query_addns: query_newrdataset failed");
- eresult = DNS_R_SERVFAIL;
- goto cleanup;
- }
- }
-
- /*
- * Find the NS rdataset.
- */
- result = dns_db_getoriginnode(db, &node);
- if (result == ISC_R_SUCCESS) {
- result = dns_db_findrdataset(db, node, version,
- dns_rdatatype_ns,
- 0, client->now, rdataset,
- sigrdataset);
- } else {
- CTRACE("query_addns: calling dns_db_find");
- result = dns_db_find(db, name, NULL, dns_rdatatype_ns,
- client->query.dboptions, 0, &node,
- fname, rdataset, sigrdataset);
- CTRACE("query_addns: dns_db_find complete");
- }
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_addns: "
- "dns_db_findrdataset or dns_db_find failed");
- /*
- * This is bad. We tried to get the NS rdataset at the zone
- * top and it didn't work!
- */
- eresult = DNS_R_SERVFAIL;
- } else {
- if (sigrdataset != NULL)
- sigrdatasetp = &sigrdataset;
- else
- sigrdatasetp = NULL;
- query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
- DNS_SECTION_AUTHORITY);
- }
-
- cleanup:
- CTRACE("query_addns: cleanup");
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (name != NULL)
- query_releasename(client, &name);
- if (node != NULL)
- dns_db_detachnode(db, &node);
-
- CTRACE("query_addns: done");
- return (eresult);
-}
-
-static inline isc_result_t
-query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
- dns_trust_t trust, dns_name_t **anamep, dns_rdatatype_t type)
-{
- dns_rdataset_t *rdataset;
- dns_rdatalist_t *rdatalist;
- dns_rdata_t *rdata;
- isc_result_t result;
- isc_region_t r;
-
- /*
- * We assume the name data referred to by tname won't go away.
- */
-
- REQUIRE(anamep != NULL);
-
- rdatalist = NULL;
- result = dns_message_gettemprdatalist(client->message, &rdatalist);
- if (result != ISC_R_SUCCESS)
- return (result);
- rdata = NULL;
- result = dns_message_gettemprdata(client->message, &rdata);
- if (result != ISC_R_SUCCESS)
- return (result);
- rdataset = NULL;
- result = dns_message_gettemprdataset(client->message, &rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_init(rdataset);
- result = dns_name_dup(qname, client->mctx, *anamep);
- if (result != ISC_R_SUCCESS) {
- dns_message_puttemprdataset(client->message, &rdataset);
- return (result);
- }
-
- rdatalist->type = type;
- rdatalist->covers = 0;
- rdatalist->rdclass = client->message->rdclass;
- rdatalist->ttl = 0;
-
- dns_name_toregion(tname, &r);
- rdata->data = r.base;
- rdata->length = r.length;
- rdata->rdclass = client->message->rdclass;
- rdata->type = type;
-
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
- == ISC_R_SUCCESS);
- rdataset->trust = trust;
-
- query_addrrset(client, anamep, &rdataset, NULL, NULL,
- DNS_SECTION_ANSWER);
-
- if (rdataset != NULL) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- dns_message_puttemprdataset(client->message, &rdataset);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Mark the RRsets as secure. Update the cache (db) to reflect the
- * change in trust level.
- */
-static void
-mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
-
- rdataset->trust = dns_trust_secure;
- sigrdataset->trust = dns_trust_secure;
-
- /*
- * Save the updated secure state. Ignore failures.
- */
- result = dns_db_findnode(db, name, ISC_TRUE, &node);
- if (result != ISC_R_SUCCESS)
- return;
- (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
- 0, NULL);
- (void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset,
- 0, NULL);
- dns_db_detachnode(db, &node);
-}
-
-/*
- * Find the secure key that corresponds to rrsig.
- * Note: 'keyrdataset' maintains state between sucessive calls,
- * there may be multiple keys with the same keyid.
- * Return ISC_FALSE if we have exhausted all the possible keys.
- */
-static isc_boolean_t
-get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig,
- dns_rdataset_t *keyrdataset, dst_key_t **keyp)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- isc_boolean_t secure = ISC_FALSE;
-
- if (!dns_rdataset_isassociated(keyrdataset)) {
- result = dns_db_findnode(db, &rrsig->signer, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
-
- result = dns_db_findrdataset(db, node, NULL,
- dns_rdatatype_dnskey, 0,
- client->now, keyrdataset, NULL);
- dns_db_detachnode(db, &node);
- if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
-
- if (keyrdataset->trust != dns_trust_secure)
- return (ISC_FALSE);
-
- result = dns_rdataset_first(keyrdataset);
- } else
- result = dns_rdataset_next(keyrdataset);
-
- for ( ; result == ISC_R_SUCCESS;
- result = dns_rdataset_next(keyrdataset)) {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_buffer_t b;
-
- dns_rdataset_current(keyrdataset, &rdata);
- isc_buffer_init(&b, rdata.data, rdata.length);
- isc_buffer_add(&b, rdata.length);
- result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b,
- client->mctx, keyp);
- if (result != ISC_R_SUCCESS)
- continue;
- if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) &&
- rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) &&
- dst_key_iszonekey(*keyp)) {
- secure = ISC_TRUE;
- break;
- }
- dst_key_free(keyp);
- }
- return (secure);
-}
-
-static isc_boolean_t
-verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
- dns_rdata_t *rdata, isc_mem_t *mctx, isc_boolean_t acceptexpired)
-{
- isc_result_t result;
- dns_fixedname_t fixed;
- isc_boolean_t ignore = ISC_FALSE;
-
- dns_fixedname_init(&fixed);
-
-again:
- result = dns_dnssec_verify2(name, rdataset, key, ignore, mctx,
- rdata, NULL);
- if (result == DNS_R_SIGEXPIRED && acceptexpired) {
- ignore = ISC_TRUE;
- goto again;
- }
- if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-/*
- * Validate the rdataset if possible with available records.
- */
-static isc_boolean_t
-validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_rrsig_t rrsig;
- dst_key_t *key = NULL;
- dns_rdataset_t keyrdataset;
-
- if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
- return (ISC_FALSE);
-
- for (result = dns_rdataset_first(sigrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(sigrdataset)) {
-
- dns_rdata_reset(&rdata);
- dns_rdataset_current(sigrdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
- if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
- if (!dns_resolver_algorithm_supported(client->view->resolver,
- name, rrsig.algorithm))
- continue;
- if (!dns_name_issubdomain(name, &rrsig.signer))
- continue;
- dns_rdataset_init(&keyrdataset);
- do {
- if (!get_key(client, db, &rrsig, &keyrdataset, &key))
- break;
- if (verify(key, name, rdataset, &rdata, client->mctx,
- client->view->acceptexpired)) {
- dst_key_free(&key);
- dns_rdataset_disassociate(&keyrdataset);
- mark_secure(client, db, name, rdataset,
- sigrdataset);
- return (ISC_TRUE);
- }
- dst_key_free(&key);
- } while (1);
- if (dns_rdataset_isassociated(&keyrdataset))
- dns_rdataset_disassociate(&keyrdataset);
- }
- return (ISC_FALSE);
-}
-
-static void
-query_addbestns(ns_client_t *client) {
- dns_db_t *db, *zdb;
- dns_dbnode_t *node;
- dns_name_t *fname, *zfname;
- dns_rdataset_t *rdataset, *sigrdataset, *zrdataset, *zsigrdataset;
- isc_boolean_t is_zone, use_zone;
- isc_buffer_t *dbuf;
- isc_result_t result;
- dns_dbversion_t *version;
- dns_zone_t *zone;
- isc_buffer_t b;
-
- CTRACE("query_addbestns");
- fname = NULL;
- zfname = NULL;
- rdataset = NULL;
- zrdataset = NULL;
- sigrdataset = NULL;
- zsigrdataset = NULL;
- node = NULL;
- db = NULL;
- zdb = NULL;
- version = NULL;
- zone = NULL;
- is_zone = ISC_FALSE;
- use_zone = ISC_FALSE;
-
- /*
- * Find the right database.
- */
- result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
- &zone, &db, &version, &is_zone);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- db_find:
- /*
- * We'll need some resources...
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- goto cleanup;
- fname = query_newname(client, dbuf, &b);
- rdataset = query_newrdataset(client);
- if (fname == NULL || rdataset == NULL)
- goto cleanup;
- /*
- * Get the RRSIGs if the client requested them or if we may
- * need to validate answers from the cache.
- */
- if (WANTDNSSEC(client) || !is_zone) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL)
- goto cleanup;
- }
-
- /*
- * Now look for the zonecut.
- */
- if (is_zone) {
- result = dns_db_find(db, client->query.qname, version,
- dns_rdatatype_ns, client->query.dboptions,
- client->now, &node, fname,
- rdataset, sigrdataset);
- if (result != DNS_R_DELEGATION)
- goto cleanup;
- if (USECACHE(client)) {
- query_keepname(client, fname, dbuf);
- zdb = db;
- zfname = fname;
- fname = NULL;
- zrdataset = rdataset;
- rdataset = NULL;
- zsigrdataset = sigrdataset;
- sigrdataset = NULL;
- dns_db_detachnode(db, &node);
- version = NULL;
- db = NULL;
- dns_db_attach(client->view->cachedb, &db);
- is_zone = ISC_FALSE;
- goto db_find;
- }
- } else {
- result = dns_db_findzonecut(db, client->query.qname,
- client->query.dboptions,
- client->now, &node, fname,
- rdataset, sigrdataset);
- if (result == ISC_R_SUCCESS) {
- if (zfname != NULL &&
- !dns_name_issubdomain(fname, zfname)) {
- /*
- * We found a zonecut in the cache, but our
- * zone delegation is better.
- */
- use_zone = ISC_TRUE;
- }
- } else if (result == ISC_R_NOTFOUND && zfname != NULL) {
- /*
- * We didn't find anything in the cache, but we
- * have a zone delegation, so use it.
- */
- use_zone = ISC_TRUE;
- } else
- goto cleanup;
- }
-
- if (use_zone) {
- query_releasename(client, &fname);
- fname = zfname;
- zfname = NULL;
- /*
- * We've already done query_keepname() on
- * zfname, so we must set dbuf to NULL to
- * prevent query_addrrset() from trying to
- * call query_keepname() again.
- */
- dbuf = NULL;
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- rdataset = zrdataset;
- zrdataset = NULL;
- sigrdataset = zsigrdataset;
- zsigrdataset = NULL;
- }
-
- /*
- * Attempt to validate RRsets that are pending or that are glue.
- */
- if ((rdataset->trust == dns_trust_pending ||
- (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending))
- && !validate(client, db, fname, rdataset, sigrdataset) &&
- (client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0)
- goto cleanup;
-
- if ((rdataset->trust == dns_trust_glue ||
- (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)) &&
- !validate(client, db, fname, rdataset, sigrdataset) &&
- SECURE(client) && WANTDNSSEC(client))
- goto cleanup;
-
- /*
- * If the client doesn't want DNSSEC we can discard the sigrdataset
- * now.
- */
- if (!WANTDNSSEC(client))
- query_putrdataset(client, &sigrdataset);
- query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
- DNS_SECTION_AUTHORITY);
-
- cleanup:
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (fname != NULL)
- query_releasename(client, &fname);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
- if (zdb != NULL) {
- query_putrdataset(client, &zrdataset);
- if (zsigrdataset != NULL)
- query_putrdataset(client, &zsigrdataset);
- if (zfname != NULL)
- query_releasename(client, &zfname);
- dns_db_detach(&zdb);
- }
-}
-
-static void
-query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version)
-{
- dns_name_t *rname;
- dns_rdataset_t *rdataset, *sigrdataset;
- isc_result_t result;
-
- CTRACE("query_addds");
- rname = NULL;
- rdataset = NULL;
- sigrdataset = NULL;
-
- /*
- * We'll need some resources...
- */
- rdataset = query_newrdataset(client);
- sigrdataset = query_newrdataset(client);
- if (rdataset == NULL || sigrdataset == NULL)
- goto cleanup;
-
- /*
- * Look for the DS record, which may or may not be present.
- */
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_ds, 0,
- client->now, rdataset, sigrdataset);
- /*
- * If we didn't find it, look for an NSEC. */
- if (result == ISC_R_NOTFOUND)
- result = dns_db_findrdataset(db, node, version,
- dns_rdatatype_nsec, 0, client->now,
- rdataset, sigrdataset);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
- goto cleanup;
- if (!dns_rdataset_isassociated(rdataset) ||
- !dns_rdataset_isassociated(sigrdataset))
- goto cleanup;
-
- /*
- * We've already added the NS record, so if the name's not there,
- * we have other problems. Use this name rather than calling
- * query_addrrset().
- */
- result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- rname = NULL;
- dns_message_currentname(client->message, DNS_SECTION_AUTHORITY,
- &rname);
- result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- ISC_LIST_APPEND(rname->list, rdataset, link);
- ISC_LIST_APPEND(rname->list, sigrdataset, link);
- rdataset = NULL;
- sigrdataset = NULL;
-
- cleanup:
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
-}
-
-static void
-query_addwildcardproof(ns_client_t *client, dns_db_t *db,
- dns_dbversion_t *version, dns_name_t *name,
- isc_boolean_t ispositive)
-{
- isc_buffer_t *dbuf, b;
- dns_name_t *fname;
- dns_rdataset_t *rdataset, *sigrdataset;
- dns_fixedname_t wfixed;
- dns_name_t *wname;
- dns_dbnode_t *node;
- unsigned int options;
- unsigned int olabels, nlabels;
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_nsec_t nsec;
- isc_boolean_t have_wname;
- int order;
-
- CTRACE("query_addwildcardproof");
- fname = NULL;
- rdataset = NULL;
- sigrdataset = NULL;
- node = NULL;
-
- /*
- * Get the NOQNAME proof then if !ispositve
- * get the NOWILDCARD proof.
- *
- * DNS_DBFIND_NOWILD finds the NSEC records that covers the
- * name ignoring any wildcard. From the owner and next names
- * of this record you can compute which wildcard (if it exists)
- * will match by finding the longest common suffix of the
- * owner name and next names with the qname and prefixing that
- * with the wildcard label.
- *
- * e.g.
- * Given:
- * example SOA
- * example NSEC b.example
- * b.example A
- * b.example NSEC a.d.example
- * a.d.example A
- * a.d.example NSEC g.f.example
- * g.f.example A
- * g.f.example NSEC z.i.example
- * z.i.example A
- * z.i.example NSEC example
- *
- * QNAME:
- * a.example -> example NSEC b.example
- * owner common example
- * next common example
- * wild *.example
- * d.b.example -> b.example NSEC a.d.example
- * owner common b.example
- * next common example
- * wild *.b.example
- * a.f.example -> a.d.example NSEC g.f.example
- * owner common example
- * next common f.example
- * wild *.f.example
- * j.example -> z.i.example NSEC example
- * owner common example
- * next common example
- * wild *.f.example
- */
- options = client->query.dboptions | DNS_DBFIND_NOWILD;
- dns_fixedname_init(&wfixed);
- wname = dns_fixedname_name(&wfixed);
- again:
- have_wname = ISC_FALSE;
- /*
- * We'll need some resources...
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- goto cleanup;
- fname = query_newname(client, dbuf, &b);
- rdataset = query_newrdataset(client);
- sigrdataset = query_newrdataset(client);
- if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
- goto cleanup;
-
- result = dns_db_find(db, name, version, dns_rdatatype_nsec, options,
- 0, &node, fname, rdataset, sigrdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (result == DNS_R_NXDOMAIN) {
- if (!ispositive)
- result = dns_rdataset_first(rdataset);
- if (result == ISC_R_SUCCESS) {
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &nsec, NULL);
- }
- if (result == ISC_R_SUCCESS) {
- (void)dns_name_fullcompare(name, fname, &order,
- &olabels);
- (void)dns_name_fullcompare(name, &nsec.next, &order,
- &nlabels);
- if (olabels > nlabels)
- dns_name_split(name, olabels, NULL, wname);
- else
- dns_name_split(name, nlabels, NULL, wname);
- result = dns_name_concatenate(dns_wildcardname,
- wname, wname, NULL);
- if (result == ISC_R_SUCCESS)
- have_wname = ISC_TRUE;
- dns_rdata_freestruct(&nsec);
- }
- query_addrrset(client, &fname, &rdataset, &sigrdataset,
- dbuf, DNS_SECTION_AUTHORITY);
- }
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (fname != NULL)
- query_releasename(client, &fname);
- if (have_wname) {
- ispositive = ISC_TRUE; /* prevent loop */
- if (!dns_name_equal(name, wname)) {
- name = wname;
- goto again;
- }
- }
- cleanup:
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (fname != NULL)
- query_releasename(client, &fname);
-}
-
-static void
-query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
- dns_dbversion_t *version, dns_name_t **namep,
- dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp)
-{
- dns_name_t *name;
- dns_rdataset_t *sigrdataset;
- dns_rdata_t sigrdata;
- dns_rdata_rrsig_t sig;
- unsigned int labels;
- isc_buffer_t *dbuf, b;
- dns_name_t *fname;
- isc_result_t result;
-
- name = *namep;
- if ((name->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
- query_addrrset(client, namep, rdatasetp, sigrdatasetp,
- NULL, DNS_SECTION_AUTHORITY);
- return;
- }
-
- if (sigrdatasetp == NULL)
- return;
- sigrdataset = *sigrdatasetp;
- if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
- return;
- result = dns_rdataset_first(sigrdataset);
- if (result != ISC_R_SUCCESS)
- return;
- dns_rdata_init(&sigrdata);
- dns_rdataset_current(sigrdataset, &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
- if (result != ISC_R_SUCCESS)
- return;
-
- labels = dns_name_countlabels(name);
- if ((unsigned int)sig.labels + 1 >= labels)
- return;
-
- /* XXX */
- query_addwildcardproof(client, db, version, client->query.qname,
- ISC_TRUE);
-
- /*
- * We'll need some resources...
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- return;
- fname = query_newname(client, dbuf, &b);
- if (fname == NULL)
- return;
- dns_name_split(name, sig.labels + 1, NULL, fname);
- /* This will succeed, since we've stripped labels. */
- RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname,
- NULL) == ISC_R_SUCCESS);
- query_addrrset(client, &fname, rdatasetp, sigrdatasetp,
- dbuf, DNS_SECTION_AUTHORITY);
-}
-
-static void
-query_resume(isc_task_t *task, isc_event_t *event) {
- dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
- ns_client_t *client;
- isc_boolean_t fetch_cancelled, client_shuttingdown;
-
- /*
- * Resume a query after recursion.
- */
-
- UNUSED(task);
-
- REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
- client = devent->ev_arg;
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(task == client->task);
- REQUIRE(RECURSING(client));
-
- LOCK(&client->query.fetchlock);
- if (client->query.fetch != NULL) {
- /*
- * This is the fetch we've been waiting for.
- */
- INSIST(devent->fetch == client->query.fetch);
- client->query.fetch = NULL;
- fetch_cancelled = ISC_FALSE;
- /*
- * Update client->now.
- */
- isc_stdtime_get(&client->now);
- } else {
- /*
- * This is a fetch completion event for a cancelled fetch.
- * Clean up and don't resume the find.
- */
- fetch_cancelled = ISC_TRUE;
- }
- UNLOCK(&client->query.fetchlock);
- INSIST(client->query.fetch == NULL);
-
- client->query.attributes &= ~NS_QUERYATTR_RECURSING;
- dns_resolver_destroyfetch(&devent->fetch);
-
- /*
- * If this client is shutting down, or this transaction
- * has timed out, do not resume the find.
- */
- client_shuttingdown = ns_client_shuttingdown(client);
- if (fetch_cancelled || client_shuttingdown) {
- if (devent->node != NULL)
- dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
- dns_db_detach(&devent->db);
- query_putrdataset(client, &devent->rdataset);
- if (devent->sigrdataset != NULL)
- query_putrdataset(client, &devent->sigrdataset);
- isc_event_free(&event);
- if (fetch_cancelled)
- query_error(client, DNS_R_SERVFAIL);
- else
- query_next(client, ISC_R_CANCELED);
- /*
- * This may destroy the client.
- */
- ns_client_detach(&client);
- } else {
- query_find(client, devent, 0);
- }
-}
-
-static isc_result_t
-query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
- dns_rdataset_t *nameservers)
-{
- isc_result_t result;
- dns_rdataset_t *rdataset, *sigrdataset;
- isc_sockaddr_t *peeraddr;
-
- inc_stats(client, dns_statscounter_recursion);
-
- /*
- * We are about to recurse, which means that this client will
- * be unavailable for serving new requests for an indeterminate
- * amount of time. If this client is currently responsible
- * for handling incoming queries, set up a new client
- * object to handle them while we are waiting for a
- * response. There is no need to replace TCP clients
- * because those have already been replaced when the
- * connection was accepted (if allowed by the TCP quota).
- */
- if (client->recursionquota == NULL) {
- result = isc_quota_attach(&ns_g_server->recursionquota,
- &client->recursionquota);
- if (result == ISC_R_SOFTQUOTA) {
- static isc_stdtime_t last = 0;
- isc_stdtime_t now;
- isc_stdtime_get(&now);
- if (now != last) {
- last = now;
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_QUERY,
- ISC_LOG_WARNING,
- "recursive-clients soft limit "
- "exceeded, aborting oldest query");
- }
- ns_client_killoldestquery(client);
- result = ISC_R_SUCCESS;
- } else if (result == ISC_R_QUOTA) {
- static isc_stdtime_t last = 0;
- isc_stdtime_t now;
- isc_stdtime_get(&now);
- if (now != last) {
- last = now;
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_QUERY,
- ISC_LOG_WARNING,
- "no more recursive clients: %s",
- isc_result_totext(result));
- }
- ns_client_killoldestquery(client);
- }
- if (result == ISC_R_SUCCESS && !client->mortal &&
- (client->attributes & NS_CLIENTATTR_TCP) == 0) {
- result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_QUERY,
- ISC_LOG_WARNING,
- "ns_client_replace() failed: %s",
- isc_result_totext(result));
- isc_quota_detach(&client->recursionquota);
- }
- }
- if (result != ISC_R_SUCCESS)
- return (result);
- ns_client_recursing(client);
- }
-
- /*
- * Invoke the resolver.
- */
- REQUIRE(nameservers == NULL || nameservers->type == dns_rdatatype_ns);
- REQUIRE(client->query.fetch == NULL);
-
- rdataset = query_newrdataset(client);
- if (rdataset == NULL)
- return (ISC_R_NOMEMORY);
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL) {
- query_putrdataset(client, &rdataset);
- return (ISC_R_NOMEMORY);
- }
- } else
- sigrdataset = NULL;
-
- if (client->query.timerset == ISC_FALSE)
- ns_client_settimeout(client, 60);
- if ((client->attributes & NS_CLIENTATTR_TCP) == 0)
- peeraddr = &client->peeraddr;
- else
- peeraddr = NULL;
- result = dns_resolver_createfetch2(client->view->resolver,
- client->query.qname,
- qtype, qdomain, nameservers,
- NULL, peeraddr, client->message->id,
- client->query.fetchoptions,
- client->task,
- query_resume, client,
- rdataset, sigrdataset,
- &client->query.fetch);
-
- if (result == ISC_R_SUCCESS) {
- /*
- * Record that we're waiting for an event. A client which
- * is shutting down will not be destroyed until all the
- * events have been received.
- */
- } else {
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- }
-
- return (result);
-}
-
-#define MAX_RESTARTS 16
-
-#define QUERY_ERROR(r) \
-do { \
- eresult = r; \
- want_restart = ISC_FALSE; \
-} while (0)
-
-/*
- * Extract a network address from the RDATA of an A or AAAA
- * record.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOTIMPLEMENTED The rdata is not a known address type.
- */
-static isc_result_t
-rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
- struct in_addr ina;
- struct in6_addr in6a;
-
- switch (rdata->type) {
- case dns_rdatatype_a:
- INSIST(rdata->length == 4);
- memcpy(&ina.s_addr, rdata->data, 4);
- isc_netaddr_fromin(netaddr, &ina);
- return (ISC_R_SUCCESS);
- case dns_rdatatype_aaaa:
- INSIST(rdata->length == 16);
- memcpy(in6a.s6_addr, rdata->data, 16);
- isc_netaddr_fromin6(netaddr, &in6a);
- return (ISC_R_SUCCESS);
- default:
- return (ISC_R_NOTIMPLEMENTED);
- }
-}
-
-/*
- * Find the sort order of 'rdata' in the topology-like
- * ACL forming the second element in a 2-element top-level
- * sortlist statement.
- */
-static int
-query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
- isc_netaddr_t netaddr;
-
- if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
- return (INT_MAX);
- return (ns_sortlist_addrorder2(&netaddr, arg));
-}
-
-/*
- * Find the sort order of 'rdata' in the matching element
- * of a 1-element top-level sortlist statement.
- */
-static int
-query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
- isc_netaddr_t netaddr;
-
- if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
- return (INT_MAX);
- return (ns_sortlist_addrorder1(&netaddr, arg));
-}
-
-/*
- * Find the sortlist statement that applies to 'client' and set up
- * the sortlist info in in client->message appropriately.
- */
-static void
-setup_query_sortlist(ns_client_t *client) {
- isc_netaddr_t netaddr;
- dns_rdatasetorderfunc_t order = NULL;
- const void *order_arg = NULL;
-
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
- switch (ns_sortlist_setup(client->view->sortlist,
- &netaddr, &order_arg)) {
- case NS_SORTLISTTYPE_1ELEMENT:
- order = query_sortlist_order_1element;
- break;
- case NS_SORTLISTTYPE_2ELEMENT:
- order = query_sortlist_order_2element;
- break;
- case NS_SORTLISTTYPE_NONE:
- order = NULL;
- break;
- default:
- INSIST(0);
- break;
- }
- dns_message_setsortorder(client->message, order, order_arg);
-}
-
-static void
-query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
- isc_buffer_t *dbuf, b;
- dns_name_t *fname;
- dns_rdataset_t *nsec, *nsecsig;
- isc_result_t result = ISC_R_NOMEMORY;
-
- CTRACE("query_addnoqnameproof");
-
- fname = NULL;
- nsec = NULL;
- nsecsig = NULL;
-
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- goto cleanup;
- fname = query_newname(client, dbuf, &b);
- nsec = query_newrdataset(client);
- nsecsig = query_newrdataset(client);
- if (fname == NULL || nsec == NULL || nsecsig == NULL)
- goto cleanup;
-
- result = dns_rdataset_getnoqname(rdataset, fname, nsec, nsecsig);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- query_addrrset(client, &fname, &nsec, &nsecsig, dbuf,
- DNS_SECTION_AUTHORITY);
-
- cleanup:
- if (nsec != NULL)
- query_putrdataset(client, &nsec);
- if (nsecsig != NULL)
- query_putrdataset(client, &nsecsig);
- if (fname != NULL)
- query_releasename(client, &fname);
-}
-
-static inline void
-answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
- dns_name_t *name;
- dns_message_t *msg;
- dns_section_t section = DNS_SECTION_ADDITIONAL;
- dns_rdataset_t *rdataset = NULL;
-
- msg = client->message;
- for (name = ISC_LIST_HEAD(msg->sections[section]);
- name != NULL;
- name = ISC_LIST_NEXT(name, link))
- if (dns_name_equal(name, client->query.qname)) {
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link))
- if (rdataset->type == qtype)
- break;
- break;
- }
- if (rdataset != NULL) {
- ISC_LIST_UNLINK(msg->sections[section], name, link);
- ISC_LIST_PREPEND(msg->sections[section], name, link);
- ISC_LIST_UNLINK(name->list, rdataset, link);
- ISC_LIST_PREPEND(name->list, rdataset, link);
- rdataset->attributes |= DNS_RDATASETATTR_REQUIREDGLUE;
- }
-}
-
-#define NS_NAME_INIT(A,B) \
- { \
- DNS_NAME_MAGIC, \
- A, sizeof(A), sizeof(B), \
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
- B, NULL, { (void *)-1, (void *)-1}, \
- {NULL, NULL} \
- }
-
-static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
-static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
-static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
-
-static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA";
-
-static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA";
-static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA";
-
-static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA";
-
-static dns_name_t rfc1918names[] = {
- NS_NAME_INIT(inaddr10, inaddr10_offsets),
- NS_NAME_INIT(inaddr16172, inaddr172_offsets),
- NS_NAME_INIT(inaddr17172, inaddr172_offsets),
- NS_NAME_INIT(inaddr18172, inaddr172_offsets),
- NS_NAME_INIT(inaddr19172, inaddr172_offsets),
- NS_NAME_INIT(inaddr20172, inaddr172_offsets),
- NS_NAME_INIT(inaddr21172, inaddr172_offsets),
- NS_NAME_INIT(inaddr22172, inaddr172_offsets),
- NS_NAME_INIT(inaddr23172, inaddr172_offsets),
- NS_NAME_INIT(inaddr24172, inaddr172_offsets),
- NS_NAME_INIT(inaddr25172, inaddr172_offsets),
- NS_NAME_INIT(inaddr26172, inaddr172_offsets),
- NS_NAME_INIT(inaddr27172, inaddr172_offsets),
- NS_NAME_INIT(inaddr28172, inaddr172_offsets),
- NS_NAME_INIT(inaddr29172, inaddr172_offsets),
- NS_NAME_INIT(inaddr30172, inaddr172_offsets),
- NS_NAME_INIT(inaddr31172, inaddr172_offsets),
- NS_NAME_INIT(inaddr168192, inaddr192_offsets)
-};
-
-
-static unsigned char prisoner_data[] = "\010prisoner\004iana\003org";
-static unsigned char hostmaster_data[] = "\012hostmaster\014root-servers\003org";
-
-static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 };
-static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 };
-
-static dns_name_t prisoner = NS_NAME_INIT(prisoner_data, prisoner_offsets);
-static dns_name_t hostmaster = NS_NAME_INIT(hostmaster_data, hostmaster_offsets);
-
-static void
-warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
- unsigned int i;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_soa_t soa;
- dns_rdataset_t found;
- isc_result_t result;
-
- for (i = 0; i < (sizeof(rfc1918names)/sizeof(*rfc1918names)); i++) {
- if (dns_name_issubdomain(fname, &rfc1918names[i])) {
- dns_rdataset_init(&found);
- result = dns_ncache_getrdataset(rdataset,
- &rfc1918names[i],
- dns_rdatatype_soa,
- &found);
- if (result != ISC_R_SUCCESS)
- return;
-
- result = dns_rdataset_first(&found);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_rdataset_current(&found, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- if (result != ISC_R_SUCCESS)
- return;
- if (dns_name_equal(&soa.origin, &prisoner) &&
- dns_name_equal(&soa.contact, &hostmaster)) {
- char buf[DNS_NAME_FORMATSIZE];
- dns_name_format(fname, buf, sizeof(buf));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY,
- ISC_LOG_WARNING,
- "RFC 1918 response from "
- "Internet for %s", buf);
- }
- dns_rdataset_disassociate(&found);
- return;
- }
- }
-}
-
-/*
- * Do the bulk of query processing for the current query of 'client'.
- * If 'event' is non-NULL, we are returning from recursion and 'qtype'
- * is ignored. Otherwise, 'qtype' is the query type.
- */
-static void
-query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
-{
- dns_db_t *db, *zdb;
- dns_dbnode_t *node;
- dns_rdatatype_t type;
- dns_name_t *fname, *zfname, *tname, *prefix;
- dns_rdataset_t *rdataset, *trdataset;
- dns_rdataset_t *sigrdataset, *zrdataset, *zsigrdataset;
- dns_rdataset_t **sigrdatasetp;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdatasetiter_t *rdsiter;
- isc_boolean_t want_restart, authoritative, is_zone, need_wildcardproof;
- unsigned int n, nlabels;
- dns_namereln_t namereln;
- int order;
- isc_buffer_t *dbuf;
- isc_buffer_t b;
- isc_result_t result, eresult;
- dns_fixedname_t fixed;
- dns_fixedname_t wildcardname;
- dns_dbversion_t *version;
- dns_zone_t *zone;
- dns_rdata_cname_t cname;
- dns_rdata_dname_t dname;
- unsigned int options;
- isc_boolean_t empty_wild;
- dns_rdataset_t *noqname;
-
- CTRACE("query_find");
-
- /*
- * One-time initialization.
- *
- * It's especially important to initialize anything that the cleanup
- * code might cleanup.
- */
-
- eresult = ISC_R_SUCCESS;
- fname = NULL;
- zfname = NULL;
- rdataset = NULL;
- zrdataset = NULL;
- sigrdataset = NULL;
- zsigrdataset = NULL;
- node = NULL;
- db = NULL;
- zdb = NULL;
- version = NULL;
- zone = NULL;
- need_wildcardproof = ISC_FALSE;
- empty_wild = ISC_FALSE;
- options = 0;
-
- if (event != NULL) {
- /*
- * We're returning from recursion. Restore the query context
- * and resume.
- */
-
- want_restart = ISC_FALSE;
- authoritative = ISC_FALSE;
- is_zone = ISC_FALSE;
-
- qtype = event->qtype;
- if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
- type = dns_rdatatype_any;
- else
- type = qtype;
- db = event->db;
- node = event->node;
- rdataset = event->rdataset;
- sigrdataset = event->sigrdataset;
-
- /*
- * We'll need some resources...
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- fname = query_newname(client, dbuf, &b);
- if (fname == NULL) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- tname = dns_fixedname_name(&event->foundname);
- result = dns_name_copy(tname, fname, NULL);
- if (result != ISC_R_SUCCESS) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
-
- result = event->result;
-
- goto resume;
- }
-
- /*
- * Not returning from recursion.
- */
-
- /*
- * If it's a SIG query, we'll iterate the node.
- */
- if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
- type = dns_rdatatype_any;
- else
- type = qtype;
-
- restart:
- CTRACE("query_find: restart");
- want_restart = ISC_FALSE;
- authoritative = ISC_FALSE;
- version = NULL;
- need_wildcardproof = ISC_FALSE;
-
- if (client->view->checknames &&
- !dns_rdata_checkowner(client->query.qname,
- client->message->rdclass,
- qtype, ISC_FALSE)) {
- char namebuf[DNS_NAME_FORMATSIZE];
- char typename[DNS_RDATATYPE_FORMATSIZE];
- char classname[DNS_RDATACLASS_FORMATSIZE];
-
- dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
- dns_rdatatype_format(qtype, typename, sizeof(typename));
- dns_rdataclass_format(client->message->rdclass, classname,
- sizeof(classname));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY, ISC_LOG_ERROR,
- "check-names failure %s/%s/%s", namebuf,
- typename, classname);
- QUERY_ERROR(DNS_R_REFUSED);
- goto cleanup;
- }
-
- /*
- * First we must find the right database.
- */
- options &= DNS_GETDB_NOLOG; /* Preserve DNS_GETDB_NOLOG. */
- if (dns_rdatatype_atparent(qtype) &&
- !dns_name_equal(client->query.qname, dns_rootname))
- options |= DNS_GETDB_NOEXACT;
- result = query_getdb(client, client->query.qname, qtype, options,
- &zone, &db, &version, &is_zone);
- if ((result != ISC_R_SUCCESS || !is_zone) && !RECURSIONOK(client) &&
- (options & DNS_GETDB_NOEXACT) != 0 && qtype == dns_rdatatype_ds) {
- /*
- * Look to see if we are authoritative for the
- * child zone if the query type is DS.
- */
- dns_db_t *tdb = NULL;
- dns_zone_t *tzone = NULL;
- dns_dbversion_t *tversion = NULL;
- isc_result_t tresult;
-
- tresult = query_getzonedb(client, client->query.qname, qtype,
- DNS_GETDB_PARTIAL, &tzone, &tdb,
- &tversion);
- if (tresult == ISC_R_SUCCESS) {
- options &= ~DNS_GETDB_NOEXACT;
- query_putrdataset(client, &rdataset);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
- version = tversion;
- db = tdb;
- zone = tzone;
- is_zone = ISC_TRUE;
- result = ISC_R_SUCCESS;
- } else {
- if (tdb != NULL)
- dns_db_detach(&tdb);
- if (tzone != NULL)
- dns_zone_detach(&tzone);
- }
- }
- if (result != ISC_R_SUCCESS) {
- if (result == DNS_R_REFUSED) {
- if (!PARTIALANSWER(client))
- QUERY_ERROR(DNS_R_REFUSED);
- } else
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
-
- if (is_zone)
- authoritative = ISC_TRUE;
-
- if (event == NULL && client->query.restarts == 0) {
- if (is_zone) {
-#ifdef DLZ
- if (zone != NULL) {
- /*
- * if is_zone = true, zone = NULL then this is
- * a DLZ zone. Don't attempt to attach zone.
- */
-#endif
- dns_zone_attach(zone, &client->query.authzone);
-#ifdef DLZ
- }
-#endif
- dns_db_attach(db, &client->query.authdb);
- }
- client->query.authdbset = ISC_TRUE;
- }
-
- db_find:
- CTRACE("query_find: db_find");
- /*
- * We'll need some resources...
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- fname = query_newname(client, dbuf, &b);
- rdataset = query_newrdataset(client);
- if (fname == NULL || rdataset == NULL) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- }
-
- /*
- * Now look for an answer in the database.
- */
- result = dns_db_find(db, client->query.qname, version, type,
- client->query.dboptions, client->now,
- &node, fname, rdataset, sigrdataset);
-
- resume:
- CTRACE("query_find: resume");
- switch (result) {
- case ISC_R_SUCCESS:
- /*
- * This case is handled in the main line below.
- */
- break;
- case DNS_R_GLUE:
- case DNS_R_ZONECUT:
- /*
- * These cases are handled in the main line below.
- */
- INSIST(is_zone);
- authoritative = ISC_FALSE;
- break;
- case ISC_R_NOTFOUND:
- /*
- * The cache doesn't even have the root NS. Get them from
- * the hints DB.
- */
- INSIST(!is_zone);
- if (db != NULL)
- dns_db_detach(&db);
-
- if (client->view->hints == NULL) {
- /* We have no hints. */
- result = ISC_R_FAILURE;
- } else {
- dns_db_attach(client->view->hints, &db);
- result = dns_db_find(db, dns_rootname,
- NULL, dns_rdatatype_ns,
- 0, client->now, &node, fname,
- rdataset, sigrdataset);
- }
- if (result != ISC_R_SUCCESS) {
- /*
- * Nonsensical root hints may require cleanup.
- */
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
-
- /*
- * We don't have any root server hints, but
- * we may have working forwarders, so try to
- * recurse anyway.
- */
- if (RECURSIONOK(client)) {
- result = query_recurse(client, qtype,
- NULL, NULL);
- if (result == ISC_R_SUCCESS)
- client->query.attributes |=
- NS_QUERYATTR_RECURSING;
- else if (result == DNS_R_DUPLICATE ||
- result == DNS_R_DROP) {
- /* Duplicate query. */
- QUERY_ERROR(result);
- } else {
- /* Unable to recurse. */
- QUERY_ERROR(DNS_R_SERVFAIL);
- }
- goto cleanup;
- } else {
- /* Unable to give root server referral. */
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- }
- /*
- * XXXRTH We should trigger root server priming here.
- */
- /* FALLTHROUGH */
- case DNS_R_DELEGATION:
- authoritative = ISC_FALSE;
- if (is_zone) {
- /*
- * Look to see if we are authoritative for the
- * child zone if the query type is DS.
- */
- if (!RECURSIONOK(client) &&
- (options & DNS_GETDB_NOEXACT) != 0 &&
- qtype == dns_rdatatype_ds) {
- dns_db_t *tdb = NULL;
- dns_zone_t *tzone = NULL;
- dns_dbversion_t *tversion = NULL;
- result = query_getzonedb(client,
- client->query.qname,
- qtype,
- DNS_GETDB_PARTIAL,
- &tzone, &tdb,
- &tversion);
- if (result == ISC_R_SUCCESS) {
- options &= ~DNS_GETDB_NOEXACT;
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client,
- &sigrdataset);
- if (fname != NULL)
- query_releasename(client,
- &fname);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
- version = tversion;
- db = tdb;
- zone = tzone;
- authoritative = ISC_TRUE;
- goto db_find;
- }
- if (tdb != NULL)
- dns_db_detach(&tdb);
- if (tzone != NULL)
- dns_zone_detach(&tzone);
- }
- /*
- * We're authoritative for an ancestor of QNAME.
- */
- if (!USECACHE(client) || !RECURSIONOK(client)) {
- /*
- * If we don't have a cache, this is the best
- * answer.
- *
- * If the client is making a nonrecursive
- * query we always give out the authoritative
- * delegation. This way even if we get
- * junk in our cache, we won't fail in our
- * role as the delegating authority if another
- * nameserver asks us about a delegated
- * subzone.
- *
- * We enable the retrieval of glue for this
- * database by setting client->query.gluedb.
- */
- client->query.gluedb = db;
- client->query.isreferral = ISC_TRUE;
- /*
- * We must ensure NOADDITIONAL is off,
- * because the generation of
- * additional data is required in
- * delegations.
- */ - client->query.attributes &= - ~NS_QUERYATTR_NOADDITIONAL; - if (sigrdataset != NULL) - sigrdatasetp = &sigrdataset; - else - sigrdatasetp = NULL; - query_addrrset(client, &fname, - &rdataset, sigrdatasetp, - dbuf, DNS_SECTION_AUTHORITY); - client->query.gluedb = NULL; - if (WANTDNSSEC(client) && dns_db_issecure(db)) - query_addds(client, db, node, version); - } else { - /* - * We might have a better answer or delegation - * in the cache. We'll remember the current - * values of fname, rdataset, and sigrdataset. - * We'll then go looking for QNAME in the - * cache. If we find something better, we'll - * use it instead. - */ - query_keepname(client, fname, dbuf); - zdb = db; - zfname = fname; - fname = NULL; - zrdataset = rdataset; - rdataset = NULL; - zsigrdataset = sigrdataset; - sigrdataset = NULL; - dns_db_detachnode(db, &node); - version = NULL; - db = NULL; - dns_db_attach(client->view->cachedb, &db); - is_zone = ISC_FALSE; - goto db_find; - } - } else { - if (zfname != NULL && - !dns_name_issubdomain(fname, zfname)) { - /* - * We've already got a delegation from - * authoritative data, and it is better - * than what we found in the cache. Use - * it instead of the cache delegation. - */ - query_releasename(client, &fname); - fname = zfname; - zfname = NULL; - /* - * We've already done query_keepname() on - * zfname, so we must set dbuf to NULL to - * prevent query_addrrset() from trying to - * call query_keepname() again. - */ - dbuf = NULL; - query_putrdataset(client, &rdataset); - if (sigrdataset != NULL) - query_putrdataset(client, - &sigrdataset); - rdataset = zrdataset; - zrdataset = NULL; - sigrdataset = zsigrdataset; - zsigrdataset = NULL; - /* - * We don't clean up zdb here because we - * may still need it. It will get cleaned - * up by the main cleanup code. - */ - } - - if (RECURSIONOK(client)) { - /* - * Recurse! 
- */ - if (dns_rdatatype_atparent(type)) - result = query_recurse(client, qtype, - NULL, NULL); - else - result = query_recurse(client, qtype, - fname, rdataset); - if (result == ISC_R_SUCCESS) - client->query.attributes |= - NS_QUERYATTR_RECURSING; - else if (result == DNS_R_DUPLICATE || - result == DNS_R_DROP) - QUERY_ERROR(result); - else - QUERY_ERROR(DNS_R_SERVFAIL); - } else { - /* - * This is the best answer. - */ - client->query.attributes |= - NS_QUERYATTR_CACHEGLUEOK; - client->query.gluedb = zdb; - client->query.isreferral = ISC_TRUE; - /* - * We must ensure NOADDITIONAL is off, - * because the generation of - * additional data is required in - * delegations. - */ - client->query.attributes &= - ~NS_QUERYATTR_NOADDITIONAL; - if (sigrdataset != NULL) - sigrdatasetp = &sigrdataset; - else - sigrdatasetp = NULL; - query_addrrset(client, &fname, - &rdataset, sigrdatasetp, - dbuf, DNS_SECTION_AUTHORITY); - client->query.gluedb = NULL; - client->query.attributes &= - ~NS_QUERYATTR_CACHEGLUEOK; - if (WANTDNSSEC(client)) - query_addds(client, db, node, version); - } - } - goto cleanup; - case DNS_R_EMPTYNAME: - result = DNS_R_NXRRSET; - /* FALLTHROUGH */ - case DNS_R_NXRRSET: - INSIST(is_zone); - if (dns_rdataset_isassociated(rdataset)) { - /* - * If we've got a NSEC record, we need to save the - * name now because we're going call query_addsoa() - * below, and it needs to use the name buffer. - */ - query_keepname(client, fname, dbuf); - } else { - /* - * We're not going to use fname, and need to release - * our hold on the name buffer so query_addsoa() - * may use it. - */ - query_releasename(client, &fname); - } - /* - * Add SOA. - */ - result = query_addsoa(client, db, version, ISC_FALSE); - if (result != ISC_R_SUCCESS) { - QUERY_ERROR(result); - goto cleanup; - } - /* - * Add NSEC record if we found one. 
- */ - if (WANTDNSSEC(client)) { - if (dns_rdataset_isassociated(rdataset)) - query_addnxrrsetnsec(client, db, version, - &fname, &rdataset, - &sigrdataset); - } - goto cleanup; - case DNS_R_EMPTYWILD: - empty_wild = ISC_TRUE; - /* FALLTHROUGH */ - case DNS_R_NXDOMAIN: - INSIST(is_zone); - if (dns_rdataset_isassociated(rdataset)) { - /* - * If we've got a NSEC record, we need to save the - * name now because we're going call query_addsoa() - * below, and it needs to use the name buffer. - */ - query_keepname(client, fname, dbuf); - } else { - /* - * We're not going to use fname, and need to release - * our hold on the name buffer so query_addsoa() - * may use it. - */ - query_releasename(client, &fname); - } - /* - * Add SOA. If the query was for a SOA record force the - * ttl to zero so that it is possible for clients to find - * the containing zone of an arbitrary name with a stub - * resolver and not have it cached. - */ - if (qtype == dns_rdatatype_soa && -#ifdef DLZ - zone != NULL && -#endif - dns_zone_getzeronosoattl(zone)) - result = query_addsoa(client, db, version, ISC_TRUE); - else - result = query_addsoa(client, db, version, ISC_FALSE); - if (result != ISC_R_SUCCESS) { - QUERY_ERROR(result); - goto cleanup; - } - /* - * Add NSEC record if we found one. - */ - if (dns_rdataset_isassociated(rdataset)) { - if (WANTDNSSEC(client)) { - query_addrrset(client, &fname, &rdataset, - &sigrdataset, - NULL, DNS_SECTION_AUTHORITY); - query_addwildcardproof(client, db, version, - client->query.qname, - ISC_FALSE); - } - } - /* - * Set message rcode. - */ - if (empty_wild) - client->message->rcode = dns_rcode_noerror; - else - client->message->rcode = dns_rcode_nxdomain; - goto cleanup; - case DNS_R_NCACHENXDOMAIN: - case DNS_R_NCACHENXRRSET: - INSIST(!is_zone); - authoritative = ISC_FALSE; - /* - * Set message rcode, if required. - */ - if (result == DNS_R_NCACHENXDOMAIN) - client->message->rcode = dns_rcode_nxdomain; - /* - * Look for RFC 1918 leakage from Internet. 
- */ - if (result == DNS_R_NCACHENXDOMAIN && - qtype == dns_rdatatype_ptr && - client->message->rdclass == dns_rdataclass_in && - dns_name_countlabels(fname) == 7) - warn_rfc1918(client, fname, rdataset); - /* - * We don't call query_addrrset() because we don't need any - * of its extra features (and things would probably break!). - */ - query_keepname(client, fname, dbuf); - dns_message_addname(client->message, fname, - DNS_SECTION_AUTHORITY); - ISC_LIST_APPEND(fname->list, rdataset, link); - fname = NULL; - rdataset = NULL; - goto cleanup; - case DNS_R_CNAME: - /* - * Keep a copy of the rdataset. We have to do this because - * query_addrrset may clear 'rdataset' (to prevent the - * cleanup code from cleaning it up). - */ - trdataset = rdataset; - /* - * Add the CNAME to the answer section. - */ - if (sigrdataset != NULL) - sigrdatasetp = &sigrdataset; - else - sigrdatasetp = NULL; - if (WANTDNSSEC(client) && - (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) - { - dns_fixedname_init(&wildcardname); - dns_name_copy(fname, dns_fixedname_name(&wildcardname), - NULL); - need_wildcardproof = ISC_TRUE; - } - if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 && - WANTDNSSEC(client)) - noqname = rdataset; - else - noqname = NULL; - query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf, - DNS_SECTION_ANSWER); - if (noqname != NULL) - query_addnoqnameproof(client, noqname); - /* - * We set the PARTIALANSWER attribute so that if anything goes - * wrong later on, we'll return what we've got so far. - */ - client->query.attributes |= NS_QUERYATTR_PARTIALANSWER; - /* - * Reset qname to be the target name of the CNAME and restart - * the query. 
- */ - tname = NULL; - result = dns_message_gettempname(client->message, &tname); - if (result != ISC_R_SUCCESS) - goto cleanup; - result = dns_rdataset_first(trdataset); - if (result != ISC_R_SUCCESS) { - dns_message_puttempname(client->message, &tname); - goto cleanup; - } - dns_rdataset_current(trdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &cname, NULL); - dns_rdata_reset(&rdata); - if (result != ISC_R_SUCCESS) { - dns_message_puttempname(client->message, &tname); - goto cleanup; - } - dns_name_init(tname, NULL); - result = dns_name_dup(&cname.cname, client->mctx, tname); - if (result != ISC_R_SUCCESS) { - dns_message_puttempname(client->message, &tname); - dns_rdata_freestruct(&cname); - goto cleanup; - } - dns_rdata_freestruct(&cname); - ns_client_qnamereplace(client, tname); - want_restart = ISC_TRUE; - if (!WANTRECURSION(client)) - options |= DNS_GETDB_NOLOG; - goto addauth; - case DNS_R_DNAME: - /* - * Compare the current qname to the found name. We need - * to know how many labels and bits are in common because - * we're going to have to split qname later on. - */ - namereln = dns_name_fullcompare(client->query.qname, fname, - &order, &nlabels); - INSIST(namereln == dns_namereln_subdomain); - /* - * Keep a copy of the rdataset. We have to do this because - * query_addrrset may clear 'rdataset' (to prevent the - * cleanup code from cleaning it up). - */ - trdataset = rdataset; - /* - * Add the DNAME to the answer section. - */ - if (sigrdataset != NULL) - sigrdatasetp = &sigrdataset; - else - sigrdatasetp = NULL; - if (WANTDNSSEC(client) && - (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) - { - dns_fixedname_init(&wildcardname); - dns_name_copy(fname, dns_fixedname_name(&wildcardname), - NULL); - need_wildcardproof = ISC_TRUE; - } - query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf, - DNS_SECTION_ANSWER); - /* - * We set the PARTIALANSWER attribute so that if anything goes - * wrong later on, we'll return what we've got so far. 
- */ - client->query.attributes |= NS_QUERYATTR_PARTIALANSWER; - /* - * Get the target name of the DNAME. - */ - tname = NULL; - result = dns_message_gettempname(client->message, &tname); - if (result != ISC_R_SUCCESS) - goto cleanup; - result = dns_rdataset_first(trdataset); - if (result != ISC_R_SUCCESS) { - dns_message_puttempname(client->message, &tname); - goto cleanup; - } - dns_rdataset_current(trdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &dname, NULL); - dns_rdata_reset(&rdata); - if (result != ISC_R_SUCCESS) { - dns_message_puttempname(client->message, &tname); - goto cleanup; - } - dns_name_init(tname, NULL); - dns_name_clone(&dname.dname, tname); - dns_rdata_freestruct(&dname); - /* - * Construct the new qname. - */ - dns_fixedname_init(&fixed); - prefix = dns_fixedname_name(&fixed); - dns_name_split(client->query.qname, nlabels, prefix, NULL); - INSIST(fname == NULL); - dbuf = query_getnamebuf(client); - if (dbuf == NULL) { - dns_message_puttempname(client->message, &tname); - goto cleanup; - } - fname = query_newname(client, dbuf, &b); - if (fname == NULL) { - dns_message_puttempname(client->message, &tname); - goto cleanup; - } - result = dns_name_concatenate(prefix, tname, fname, NULL); - if (result != ISC_R_SUCCESS) { - dns_message_puttempname(client->message, &tname); - if (result == ISC_R_NOSPACE) { - /* - * RFC2672, section 4.1, subsection 3c says - * we should return YXDOMAIN if the constructed - * name would be too long. - */ - client->message->rcode = dns_rcode_yxdomain; - } - goto cleanup; - } - query_keepname(client, fname, dbuf); - /* - * Synthesize a CNAME for this DNAME. - * - * We want to synthesize a CNAME since if we don't - * then older software that doesn't understand DNAME - * will not chain like it should. - * - * We do not try to synthesize a signature because we hope - * that security aware servers will understand DNAME. 
Also, - * even if we had an online key, making a signature - * on-the-fly is costly, and not really legitimate anyway - * since the synthesized CNAME is NOT in the zone. - */ - dns_name_init(tname, NULL); - (void)query_addcnamelike(client, client->query.qname, fname, - trdataset->trust, &tname, - dns_rdatatype_cname); - if (tname != NULL) - dns_message_puttempname(client->message, &tname); - /* - * Switch to the new qname and restart. - */ - ns_client_qnamereplace(client, fname); - fname = NULL; - want_restart = ISC_TRUE; - if (!WANTRECURSION(client)) - options |= DNS_GETDB_NOLOG; - goto addauth; - default: - /* - * Something has gone wrong. - */ - QUERY_ERROR(DNS_R_SERVFAIL); - goto cleanup; - } - - if (WANTDNSSEC(client) && - (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0) - { - dns_fixedname_init(&wildcardname); - dns_name_copy(fname, dns_fixedname_name(&wildcardname), NULL); - need_wildcardproof = ISC_TRUE; - } - - if (type == dns_rdatatype_any) { - /* - * XXXRTH Need to handle zonecuts with special case - * code. - */ - n = 0; - rdsiter = NULL; - result = dns_db_allrdatasets(db, node, version, 0, &rdsiter); - if (result != ISC_R_SUCCESS) { - QUERY_ERROR(DNS_R_SERVFAIL); - goto cleanup; - } - /* - * Calling query_addrrset() with a non-NULL dbuf is going - * to either keep or release the name. We don't want it to - * release fname, since we may have to call query_addrrset() - * more than once. That means we have to call query_keepname() - * now, and pass a NULL dbuf to query_addrrset(). - * - * If we do a query_addrrset() below, we must set fname to - * NULL before leaving this block, otherwise we might try to - * cleanup fname even though we're using it! 
- */ - query_keepname(client, fname, dbuf); - tname = fname; - result = dns_rdatasetiter_first(rdsiter); - while (result == ISC_R_SUCCESS) { - dns_rdatasetiter_current(rdsiter, rdataset); - if ((qtype == dns_rdatatype_any || - rdataset->type == qtype) && rdataset->type != 0) { - query_addrrset(client, - fname != NULL ? &fname : &tname, - &rdataset, NULL, - NULL, DNS_SECTION_ANSWER); - n++; - INSIST(tname != NULL); - /* - * rdataset is non-NULL only in certain pathological - * cases involving DNAMEs. - */ - if (rdataset != NULL) - query_putrdataset(client, &rdataset); - rdataset = query_newrdataset(client); - if (rdataset == NULL) - break; - } else { - /* - * We're not interested in this rdataset. - */ - dns_rdataset_disassociate(rdataset); - } - result = dns_rdatasetiter_next(rdsiter); - } - - if (fname != NULL) - dns_message_puttempname(client->message, &fname); - - if (n == 0) { - /* - * We didn't match any rdatasets. - */ - if (qtype == dns_rdatatype_rrsig && - result == ISC_R_NOMORE) { - /* - * XXXRTH If this is a secure zone and we - * didn't find any SIGs, we should generate - * an error unless we were searching for - * glue. Ugh. - */ - if (!is_zone) { - authoritative = ISC_FALSE; - dns_rdatasetiter_destroy(&rdsiter); - if (RECURSIONOK(client)) { - result = query_recurse(client, - qtype, - NULL, - NULL); - if (result == ISC_R_SUCCESS) - client->query.attributes |= - NS_QUERYATTR_RECURSING; - else - QUERY_ERROR(DNS_R_SERVFAIL); } - goto addauth; - } - /* - * We were searching for SIG records in - * a nonsecure zone. Send a "no error, - * no data" response. - */ - /* - * Add SOA. - */ - result = query_addsoa(client, db, version, - ISC_FALSE); - if (result == ISC_R_SUCCESS) - result = ISC_R_NOMORE; - } else { - /* - * Something went wrong. 
- */ - result = DNS_R_SERVFAIL; - } - } - dns_rdatasetiter_destroy(&rdsiter); - if (result != ISC_R_NOMORE) { - QUERY_ERROR(DNS_R_SERVFAIL); - goto cleanup; - } - } else { - /* - * This is the "normal" case -- an ordinary question to which - * we know the answer. - */ - if (sigrdataset != NULL) - sigrdatasetp = &sigrdataset; - else - sigrdatasetp = NULL; - if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 && - WANTDNSSEC(client)) - noqname = rdataset; - else - noqname = NULL; - /* - * BIND 8 priming queries need the additional section. - */ - if (is_zone && qtype == dns_rdatatype_ns && - dns_name_equal(client->query.qname, dns_rootname)) - client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL; - - query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf, - DNS_SECTION_ANSWER); - if (noqname != NULL) - query_addnoqnameproof(client, noqname); - /* - * We shouldn't ever fail to add 'rdataset' - * because it's already in the answer. - */ - INSIST(rdataset == NULL); - } - - addauth: - CTRACE("query_find: addauth"); - /* - * Add NS records to the authority section (if we haven't already - * added them to the answer section). - */ - if (!want_restart && !NOAUTHORITY(client)) { - if (is_zone) { - if (!((qtype == dns_rdatatype_ns || - qtype == dns_rdatatype_any) && - dns_name_equal(client->query.qname, - dns_db_origin(db)))) - (void)query_addns(client, db, version); - } else if (qtype != dns_rdatatype_ns) { - if (fname != NULL) - query_releasename(client, &fname); - query_addbestns(client); - } - } - - /* - * Add NSEC records to the authority section if they're needed for - * DNSSEC wildcard proofs. - */ - if (need_wildcardproof && dns_db_issecure(db)) - query_addwildcardproof(client, db, version, - dns_fixedname_name(&wildcardname), - ISC_TRUE); - cleanup: - CTRACE("query_find: cleanup"); - /* - * General cleanup. 
- */ - if (rdataset != NULL) - query_putrdataset(client, &rdataset); - if (sigrdataset != NULL) - query_putrdataset(client, &sigrdataset); - if (fname != NULL) - query_releasename(client, &fname); - if (node != NULL) - dns_db_detachnode(db, &node); - if (db != NULL) - dns_db_detach(&db); - if (zone != NULL) - dns_zone_detach(&zone); - if (zdb != NULL) { - query_putrdataset(client, &zrdataset); - if (zsigrdataset != NULL) - query_putrdataset(client, &zsigrdataset); - if (zfname != NULL) - query_releasename(client, &zfname); - dns_db_detach(&zdb); - } - if (event != NULL) - isc_event_free(ISC_EVENT_PTR(&event)); - - /* - * AA bit. - */ - if (client->query.restarts == 0 && !authoritative) { - /* - * We're not authoritative, so we must ensure the AA bit - * isn't set. - */ - client->message->flags &= ~DNS_MESSAGEFLAG_AA; - } - - /* - * Restart the query? - */ - if (want_restart && client->query.restarts < MAX_RESTARTS) { - client->query.restarts++; - goto restart; - } - - if (eresult != ISC_R_SUCCESS && - (!PARTIALANSWER(client) || WANTRECURSION(client))) { - if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) { - /* - * This was a duplicate query that we are - * recursing on. Don't send a response now. - * The original query will still cause a response. - */ - query_next(client, eresult); - } else { - /* - * If we don't have any answer to give the client, - * or if the client requested recursion and thus wanted - * the complete answer, send an error response. - */ - query_error(client, eresult); - } - ns_client_detach(&client); - } else if (!RECURSING(client)) { - /* - * We are done. Set up sortlist data for the message - * rendering code, make a final tweak to the AA bit if the - * auth-nxdomain config option says so, then render and - * send the response. - */ - setup_query_sortlist(client); - - /* - * If this is a referral and the answer to the question - * is in the glue sort it to the start of the additional - * section. 
- */
- if (client->message->counts[DNS_SECTION_ANSWER] == 0 &&
- client->message->rcode == dns_rcode_noerror &&
- (qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa))
- answer_in_glue(client, qtype);
-
- if (client->message->rcode == dns_rcode_nxdomain &&
- client->view->auth_nxdomain == ISC_TRUE)
- client->message->flags |= DNS_MESSAGEFLAG_AA;
-
- query_send(client);
- ns_client_detach(&client);
- }
- CTRACE("query_find: done");
-}
-
-static inline void
-log_query(ns_client_t *client) {
- char namebuf[DNS_NAME_FORMATSIZE];
- char typename[DNS_RDATATYPE_FORMATSIZE];
- char classname[DNS_RDATACLASS_FORMATSIZE];
- dns_rdataset_t *rdataset;
- int level = ISC_LOG_INFO;
-
- if (! isc_log_wouldlog(ns_g_lctx, level))
- return;
-
- rdataset = ISC_LIST_HEAD(client->query.qname->list);
- INSIST(rdataset != NULL);
- dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
- dns_rdataclass_format(rdataset->rdclass, classname, sizeof(classname));
- dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
-
- ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
- level, "query: %s %s %s %s%s%s", namebuf, classname,
- typename, WANTRECURSION(client) ? "+" : "-",
- (client->signer != NULL) ? "S": "",
- (client->opt != NULL) ? "E" : "");
-}
-
-void
-ns_query_start(ns_client_t *client) {
- isc_result_t result;
- dns_message_t *message = client->message;
- dns_rdataset_t *rdataset;
- ns_client_t *qclient;
- dns_rdatatype_t qtype;
-
- CTRACE("ns_query_start");
-
- /*
- * Ensure that appropriate cleanups occur.
- */
- client->next = query_next_callback;
-
- /*
- * Behave as if we don't support DNSSEC if not enabled.
- */
- if (!client->view->enablednssec) {
- message->flags &= ~DNS_MESSAGEFLAG_CD;
- client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
- if (client->opt != NULL)
- client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
- }
-
- if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
- client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
-
- if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
- client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
-
- if (client->view->minimalresponses)
- client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
- NS_QUERYATTR_NOADDITIONAL);
-
- if ((client->view->cachedb == NULL)
- || (!client->view->additionalfromcache)) {
- /*
- * We don't have a cache. Turn off cache support and
- * recursion.
- */
- client->query.attributes &=
- ~(NS_QUERYATTR_RECURSIONOK|NS_QUERYATTR_CACHEOK);
- } else if ((client->attributes & NS_CLIENTATTR_RA) == 0 ||
- (message->flags & DNS_MESSAGEFLAG_RD) == 0) {
- /*
- * If the client isn't allowed to recurse (due to
- * "recursion no", the allow-recursion ACL, or the
- * lack of a resolver in this view), or if it
- * doesn't want recursion, turn recursion off.
- */
- client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
- }
-
- /*
- * Get the question name.
- */
- result = dns_message_firstname(message, DNS_SECTION_QUESTION);
- if (result != ISC_R_SUCCESS) {
- query_error(client, result);
- return;
- }
- dns_message_currentname(message, DNS_SECTION_QUESTION,
- &client->query.qname);
- client->query.origqname = client->query.qname;
- result = dns_message_nextname(message, DNS_SECTION_QUESTION);
- if (result != ISC_R_NOMORE) {
- if (result == ISC_R_SUCCESS) {
- /*
- * There's more than one QNAME in the question
- * section.
- */
- query_error(client, DNS_R_FORMERR);
- } else
- query_error(client, result);
- return;
- }
-
- if (ns_g_server->log_queries)
- log_query(client);
-
- /*
- * Check for multiple question queries, since edns1 is dead.
- */
- if (message->counts[DNS_SECTION_QUESTION] > 1) {
- query_error(client, DNS_R_FORMERR);
- return;
- }
-
- /*
- * Check for meta-queries like IXFR and AXFR.
- */
- rdataset = ISC_LIST_HEAD(client->query.qname->list);
- INSIST(rdataset != NULL);
- qtype = rdataset->type;
- if (dns_rdatatype_ismeta(qtype)) {
- switch (qtype) {
- case dns_rdatatype_any:
- break; /* Let query_find handle it. */
- case dns_rdatatype_ixfr:
- case dns_rdatatype_axfr:
- ns_xfr_start(client, rdataset->type);
- return;
- case dns_rdatatype_maila:
- case dns_rdatatype_mailb:
- query_error(client, DNS_R_NOTIMP);
- return;
- case dns_rdatatype_tkey:
- result = dns_tkey_processquery(client->message,
- ns_g_server->tkeyctx,
- client->view->dynamickeys);
- if (result == ISC_R_SUCCESS)
- query_send(client);
- else
- query_error(client, result);
- return;
- default: /* TSIG, etc. */
- query_error(client, DNS_R_FORMERR);
- return;
- }
- }
-
- /*
- * If the client has requested that DNSSEC checking be disabled,
- * allow lookups to return pending data and instruct the resolver
- * to return data before validation has completed.
- *
- * We don't need to set DNS_DBFIND_PENDINGOK when validation is
- * disabled as there will be no pending data.
- */
- if (message->flags & DNS_MESSAGEFLAG_CD ||
- qtype == dns_rdatatype_rrsig)
- {
- client->query.dboptions |= DNS_DBFIND_PENDINGOK;
- client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
- } else if (!client->view->enablevalidation)
- client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
-
- /*
- * Allow glue NS records to be added to the authority section
- * if the answer is secure.
- */
- if (message->flags & DNS_MESSAGEFLAG_CD)
- client->query.attributes &= ~NS_QUERYATTR_SECURE;
-
- /*
- * This is an ordinary query.
- */
- result = dns_message_reply(message, ISC_TRUE);
- if (result != ISC_R_SUCCESS) {
- query_next(client, result);
- return;
- }
-
- /*
- * Assume authoritative response until it is known to be
- * otherwise.
- */
- message->flags |= DNS_MESSAGEFLAG_AA;
-
- /*
- * Set AD. We must clear it if we add non-validated data to a
- * response.
- */
- if (WANTDNSSEC(client))
- message->flags |= DNS_MESSAGEFLAG_AD;
-
- qclient = NULL;
- ns_client_attach(client, &qclient);
- query_find(qclient, NULL, qtype);
-}
diff --git a/usr.sbin/bind/bin/named/server.c b/usr.sbin/bind/bin/named/server.c
deleted file mode 100644
index 57c30619d73..00000000000
--- a/usr.sbin/bind/bin/named/server.c
+++ /dev/null
@@ -1,4900 +0,0 @@
-/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: server.c,v 1.419.18.57.10.3 2008/07/23 12:04:32 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#ifdef DLZ
-#include
-#endif
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_LIBSCF
-#include
-#include
-#endif
-
-/*%
- * Check an operation for failure. Assumes that the function
- * using it has a 'result' variable and a 'cleanup' label.
- */
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto cleanup; \
- } while (0)
-
-#define CHECKM(op, msg) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) { \
- isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_GENERAL, \
- NS_LOGMODULE_SERVER, \
- ISC_LOG_ERROR, \
- "%s: %s", msg, \
- isc_result_totext(result)); \
- goto cleanup; \
- } \
- } while (0) \
-
-#define CHECKMF(op, msg, file) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) { \
- isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_GENERAL, \
- NS_LOGMODULE_SERVER, \
- ISC_LOG_ERROR, \
- "%s '%s': %s", msg, file, \
- isc_result_totext(result)); \
- goto cleanup; \
- } \
- } while (0) \
-
-#define CHECKFATAL(op, msg) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) \
- fatal(msg, result); \
- } while (0) \
-
-struct ns_dispatch {
- isc_sockaddr_t addr;
- unsigned int dispatchgen;
- dns_dispatch_t *dispatch;
- ISC_LINK(struct ns_dispatch) link;
-};
-
-struct dumpcontext {
- isc_mem_t *mctx;
- isc_boolean_t dumpcache;
- isc_boolean_t dumpzones;
- FILE *fp;
- ISC_LIST(struct viewlistentry) viewlist;
- struct viewlistentry *view;
- struct zonelistentry *zone;
- dns_dumpctx_t *mdctx;
- dns_db_t *db;
- dns_db_t *cache;
- isc_task_t *task;
- dns_dbversion_t *version;
-};
-
-struct viewlistentry {
- dns_view_t *view;
- ISC_LINK(struct viewlistentry) link;
- ISC_LIST(struct zonelistentry) zonelist;
-};
-
-struct zonelistentry {
- dns_zone_t *zone;
- ISC_LINK(struct zonelistentry) link;
-};
-
-/*
- * These zones should not leak onto the Internet.
- */
-static const struct {
- const char *zone;
- isc_boolean_t rfc1918;
-} empty_zones[] = {
-#ifdef notyet
- /* RFC 1918 */
- { "10.IN-ADDR.ARPA", ISC_TRUE },
- { "16.172.IN-ADDR.ARPA", ISC_TRUE },
- { "17.172.IN-ADDR.ARPA", ISC_TRUE },
- { "18.172.IN-ADDR.ARPA", ISC_TRUE },
- { "19.172.IN-ADDR.ARPA", ISC_TRUE },
- { "20.172.IN-ADDR.ARPA", ISC_TRUE },
- { "21.172.IN-ADDR.ARPA", ISC_TRUE },
- { "22.172.IN-ADDR.ARPA", ISC_TRUE },
- { "23.172.IN-ADDR.ARPA", ISC_TRUE },
- { "24.172.IN-ADDR.ARPA", ISC_TRUE },
- { "25.172.IN-ADDR.ARPA", ISC_TRUE },
- { "26.172.IN-ADDR.ARPA", ISC_TRUE },
- { "27.172.IN-ADDR.ARPA", ISC_TRUE },
- { "28.172.IN-ADDR.ARPA", ISC_TRUE },
- { "29.172.IN-ADDR.ARPA", ISC_TRUE },
- { "30.172.IN-ADDR.ARPA", ISC_TRUE },
- { "31.172.IN-ADDR.ARPA", ISC_TRUE },
- { "168.192.IN-ADDR.ARPA", ISC_TRUE },
-#endif
-
- /* RFC 3330 */
- { "127.IN-ADDR.ARPA", ISC_FALSE }, /* LOOPBACK */
- { "254.169.IN-ADDR.ARPA", ISC_FALSE }, /* LINK LOCAL */
- { "2.0.192.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET */
- { "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE }, /* BROADCAST */
-
- /* Local IPv6 Unicast Addresses */
- { "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
- { "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
- /* LOCALLY ASSIGNED LOCAL ADDRES S SCOPE */
- { "D.F.IP6.ARPA", ISC_FALSE },
- { "8.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
- { "9.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
- { "A.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
- { "B.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
-
- { NULL, ISC_FALSE }
-};
-
-static void
-fatal(const char *msg, isc_result_t result);
-
-static void
-ns_server_reload(isc_task_t *task, isc_event_t *event);
-
-static isc_result_t
-ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
- cfg_aclconfctx_t *actx,
- isc_mem_t *mctx, ns_listenelt_t **target);
-static isc_result_t
-ns_listenlist_fromconfig(const cfg_obj_t
*listenlist, const cfg_obj_t *config,
- cfg_aclconfctx_t *actx,
- isc_mem_t *mctx, ns_listenlist_t **target);
-
-static isc_result_t
-configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
- const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
-
-static isc_result_t
-configure_alternates(const cfg_obj_t *config, dns_view_t *view,
- const cfg_obj_t *alternates);
-
-static isc_result_t
-configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
- const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
- cfg_aclconfctx_t *aclconf);
-
-static void
-end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
-
-/*%
- * Configure a single view ACL at '*aclp'. Get its configuration by
- * calling 'getvcacl' (for per-view configuration) and maybe 'getscacl'
- * (for a global default).
- */
-static isc_result_t
-configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
- const char *aclname, cfg_aclconfctx_t *actx,
- isc_mem_t *mctx, dns_acl_t **aclp)
-{
- isc_result_t result;
- const cfg_obj_t *maps[3];
- const cfg_obj_t *aclobj = NULL;
- int i = 0;
-
- if (*aclp != NULL)
- dns_acl_detach(aclp);
- if (vconfig != NULL)
- maps[i++] = cfg_tuple_get(vconfig, "options");
- if (config != NULL) {
- const cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
- if (options != NULL)
- maps[i++] = options;
- }
- maps[i] = NULL;
-
- (void)ns_config_get(maps, aclname, &aclobj);
- if (aclobj == NULL)
- /*
- * No value available. *aclp == NULL.
- */
- return (ISC_R_SUCCESS);
-
- result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
- actx, mctx, aclp);
-
- return (result);
-}
-
-static isc_result_t
-configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
- dns_keytable_t *keytable, isc_mem_t *mctx)
-{
- dns_rdataclass_t viewclass;
- dns_rdata_dnskey_t keystruct;
- isc_uint32_t flags, proto, alg;
- const char *keystr, *keynamestr;
- unsigned char keydata[4096];
- isc_buffer_t keydatabuf;
- unsigned char rrdata[4096];
- isc_buffer_t rrdatabuf;
- isc_region_t r;
- dns_fixedname_t fkeyname;
- dns_name_t *keyname;
- isc_buffer_t namebuf;
- isc_result_t result;
- dst_key_t *dstkey = NULL;
-
- flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
- proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
- alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
- keyname = dns_fixedname_name(&fkeyname);
- keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
-
- if (vconfig == NULL)
- viewclass = dns_rdataclass_in;
- else {
- const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
- CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
- &viewclass));
- }
- keystruct.common.rdclass = viewclass;
- keystruct.common.rdtype = dns_rdatatype_dnskey;
- /*
- * The key data in keystruct is not dynamically allocated.
- */
- keystruct.mctx = NULL;
-
- ISC_LINK_INIT(&keystruct.common, link);
-
- if (flags > 0xffff)
- CHECKM(ISC_R_RANGE, "key flags");
- if (proto > 0xff)
- CHECKM(ISC_R_RANGE, "key protocol");
- if (alg > 0xff)
- CHECKM(ISC_R_RANGE, "key algorithm");
- keystruct.flags = (isc_uint16_t)flags;
- keystruct.protocol = (isc_uint8_t)proto;
- keystruct.algorithm = (isc_uint8_t)alg;
-
- isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
- isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
-
- keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
- CHECK(isc_base64_decodestring(keystr, &keydatabuf));
- isc_buffer_usedregion(&keydatabuf, &r);
- keystruct.datalen = r.length;
- keystruct.data = r.base;
-
- if ((keystruct.algorithm == DST_ALG_RSASHA1 ||
- keystruct.algorithm == DST_ALG_RSAMD5) &&
- r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
- cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
- "trusted key '%s' has a weak exponent",
- keynamestr);
-
- CHECK(dns_rdata_fromstruct(NULL,
- keystruct.common.rdclass,
- keystruct.common.rdtype,
- &keystruct, &rrdatabuf));
- dns_fixedname_init(&fkeyname);
- isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr));
- isc_buffer_add(&namebuf, strlen(keynamestr));
- CHECK(dns_name_fromtext(keyname, &namebuf,
- dns_rootname, ISC_FALSE,
- NULL));
- CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
- mctx, &dstkey));
-
- CHECK(dns_keytable_add(keytable, &dstkey));
- INSIST(dstkey == NULL);
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (result == DST_R_NOCRYPTO) {
- cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
- "ignoring trusted key for '%s': no crypto support",
- keynamestr);
- result = ISC_R_SUCCESS;
- } else {
- cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
- "configuring trusted key for '%s': %s",
- keynamestr, isc_result_totext(result));
- result = ISC_R_FAILURE;
- }
-
- if (dstkey != NULL)
- dst_key_free(&dstkey);
-
- return (result);
-}
-
-/*%
- * Configure DNSSEC keys for a view. Currently used only for
- * the security roots.
- *
- * The per-view configuration values and the server-global defaults are read
- * from 'vconfig' and 'config'. The variable to be configured is '*target'.
- */
-static isc_result_t
-configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
- isc_mem_t *mctx, dns_keytable_t **target)
-{
- isc_result_t result;
- const cfg_obj_t *keys = NULL;
- const cfg_obj_t *voptions = NULL;
- const cfg_listelt_t *element, *element2;
- const cfg_obj_t *keylist;
- const cfg_obj_t *key;
- dns_keytable_t *keytable = NULL;
-
- CHECK(dns_keytable_create(mctx, &keytable));
-
- if (vconfig != NULL)
- voptions = cfg_tuple_get(vconfig, "options");
-
- keys = NULL;
- if (voptions != NULL)
- (void)cfg_map_get(voptions, "trusted-keys", &keys);
- if (keys == NULL)
- (void)cfg_map_get(config, "trusted-keys", &keys);
-
- for (element = cfg_list_first(keys);
- element != NULL;
- element = cfg_list_next(element))
- {
- keylist = cfg_listelt_value(element);
- for (element2 = cfg_list_first(keylist);
- element2 != NULL;
- element2 = cfg_list_next(element2))
- {
- key = cfg_listelt_value(element2);
- CHECK(configure_view_dnsseckey(vconfig, key,
- keytable, mctx));
- }
- }
-
- dns_keytable_detach(target);
- *target = keytable; /* Transfer ownership.
*/
- keytable = NULL;
- result = ISC_R_SUCCESS;
-
- cleanup:
- return (result);
-}
-
-static isc_result_t
-mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver)
-{
- const cfg_listelt_t *element;
- const cfg_obj_t *obj;
- const char *str;
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_boolean_t value;
- isc_result_t result;
- isc_buffer_t b;
-
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- for (element = cfg_list_first(mbs);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname,
- ISC_FALSE, NULL));
- value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
- CHECK(dns_resolver_setmustbesecure(resolver, name, value));
- }
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- return (result);
-}
-
-/*%
- * Get a dispatch appropriate for the resolver of a given view.
- */
-static isc_result_t
-get_view_querysource_dispatch(const cfg_obj_t **maps,
- int af, dns_dispatch_t **dispatchp)
-{
- isc_result_t result;
- dns_dispatch_t *disp;
- isc_sockaddr_t sa;
- unsigned int attrs, attrmask;
- const cfg_obj_t *obj = NULL;
-
- /*
- * Make compiler happy.
- */
- result = ISC_R_FAILURE;
-
- switch (af) {
- case AF_INET:
- result = ns_config_get(maps, "query-source", &obj);
- INSIST(result == ISC_R_SUCCESS);
- break;
- case AF_INET6:
- result = ns_config_get(maps, "query-source-v6", &obj);
- INSIST(result == ISC_R_SUCCESS);
- break;
- default:
- INSIST(0);
- }
-
- sa = *(cfg_obj_assockaddr(obj));
- INSIST(isc_sockaddr_pf(&sa) == af);
-
- /*
- * If we don't support this address family, we're done!
- */
- switch (af) {
- case AF_INET:
- result = isc_net_probeipv4();
- break;
- case AF_INET6:
- result = isc_net_probeipv6();
- break;
- default:
- INSIST(0);
- }
- if (result != ISC_R_SUCCESS)
- return (ISC_R_SUCCESS);
-
- /*
- * Try to find a dispatcher that we can share.
- */
- attrs = 0;
- attrs |= DNS_DISPATCHATTR_UDP;
- switch (af) {
- case AF_INET:
- attrs |= DNS_DISPATCHATTR_IPV4;
- break;
- case AF_INET6:
- attrs |= DNS_DISPATCHATTR_IPV6;
- break;
- }
-
- if (isc_sockaddr_getport(&sa) != 0) {
- INSIST(obj != NULL);
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
- "using specific query-source port suppresses port "
- "randomization and can be insecure.");
- }
-
- attrmask = 0;
- attrmask |= DNS_DISPATCHATTR_UDP;
- attrmask |= DNS_DISPATCHATTR_TCP;
- attrmask |= DNS_DISPATCHATTR_IPV4;
- attrmask |= DNS_DISPATCHATTR_IPV6;
-
- disp = NULL;
- result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
- ns_g_taskmgr, &sa, 4096,
- 1024, 32768, 16411, 16433,
- attrs, attrmask, &disp);
- if (result != ISC_R_SUCCESS) {
- isc_sockaddr_t any;
- char buf[ISC_SOCKADDR_FORMATSIZE];
-
- switch (af) {
- case AF_INET:
- isc_sockaddr_any(&any);
- break;
- case AF_INET6:
- isc_sockaddr_any6(&any);
- break;
- }
- if (isc_sockaddr_equal(&sa, &any))
- return (ISC_R_SUCCESS);
- isc_sockaddr_format(&sa, buf, sizeof(buf));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "could not get query source dispatcher (%s)",
- buf);
- return (result);
- }
-
- *dispatchp = disp;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-configure_order(dns_order_t *order, const cfg_obj_t *ent) {
- dns_rdataclass_t rdclass;
- dns_rdatatype_t rdtype;
- const cfg_obj_t *obj;
- dns_fixedname_t fixed;
- unsigned int mode = 0;
- const char *str;
- isc_buffer_t b;
- isc_result_t result;
- isc_boolean_t addroot;
-
- result = ns_config_getclass(cfg_tuple_get(ent, "class"),
- dns_rdataclass_any, &rdclass);
- if (result != ISC_R_SUCCESS)
- return (result);
-
-
result = ns_config_gettype(cfg_tuple_get(ent, "type"),
- dns_rdatatype_any, &rdtype);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- obj = cfg_tuple_get(ent, "name");
- if (cfg_obj_isstring(obj))
- str = cfg_obj_asstring(obj);
- else
- str = "*";
- addroot = ISC_TF(strcmp(str, "*") == 0);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- dns_fixedname_init(&fixed);
- result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- obj = cfg_tuple_get(ent, "ordering");
- INSIST(cfg_obj_isstring(obj));
- str = cfg_obj_asstring(obj);
- if (!strcasecmp(str, "fixed"))
- mode = DNS_RDATASETATTR_FIXEDORDER;
- else if (!strcasecmp(str, "random"))
- mode = DNS_RDATASETATTR_RANDOMIZE;
- else if (!strcasecmp(str, "cyclic"))
- mode = 0;
- else
- INSIST(0);
-
- /*
- * "*" should match everything including the root (BIND 8 compat).
- * As dns_name_matcheswildcard(".", "*.") returns FALSE add a
- * explicit entry for "." when the name is "*".
- */
- if (addroot) {
- result = dns_order_add(order, dns_rootname,
- rdtype, rdclass, mode);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- return (dns_order_add(order, dns_fixedname_name(&fixed),
- rdtype, rdclass, mode));
-}
-
-static isc_result_t
-configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
- isc_netaddr_t na;
- dns_peer_t *peer;
- const cfg_obj_t *obj;
- const char *str;
- isc_result_t result;
- unsigned int prefixlen;
-
- cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen);
-
- peer = NULL;
- result = dns_peer_new(mctx, &na, &peer);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "bogus", &obj);
- if (obj != NULL)
- CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "provide-ixfr", &obj);
- if (obj != NULL)
- CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "request-ixfr", &obj);
- if (obj != NULL)
- CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "edns", &obj);
- if (obj != NULL)
- CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "edns-udp-size", &obj);
- if (obj != NULL) {
- isc_uint32_t udpsize = cfg_obj_asuint32(obj);
- if (udpsize < 512)
- udpsize = 512;
- if (udpsize > 4096)
- udpsize = 4096;
- CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize));
- }
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "max-udp-size", &obj);
- if (obj != NULL) {
- isc_uint32_t udpsize = cfg_obj_asuint32(obj);
- if (udpsize < 512)
- udpsize = 512;
- if (udpsize > 4096)
- udpsize = 4096;
- CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize));
- }
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "transfers", &obj);
- if (obj != NULL)
- CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "transfer-format", &obj);
- if (obj
!= NULL) {
- str = cfg_obj_asstring(obj);
- if (strcasecmp(str, "many-answers") == 0)
- CHECK(dns_peer_settransferformat(peer,
- dns_many_answers));
- else if (strcasecmp(str, "one-answer") == 0)
- CHECK(dns_peer_settransferformat(peer,
- dns_one_answer));
- else
- INSIST(0);
- }
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "keys", &obj);
- if (obj != NULL) {
- result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj));
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
-
- obj = NULL;
- if (na.family == AF_INET)
- (void)cfg_map_get(cpeer, "transfer-source", &obj);
- else
- (void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
- if (obj != NULL) {
- result = dns_peer_settransfersource(peer,
- cfg_obj_assockaddr(obj));
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
- }
-
- obj = NULL;
- if (na.family == AF_INET)
- (void)cfg_map_get(cpeer, "notify-source", &obj);
- else
- (void)cfg_map_get(cpeer, "notify-source-v6", &obj);
- if (obj != NULL) {
- result = dns_peer_setnotifysource(peer,
- cfg_obj_assockaddr(obj));
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
- }
-
- obj = NULL;
- if (na.family == AF_INET)
- (void)cfg_map_get(cpeer, "query-source", &obj);
- else
- (void)cfg_map_get(cpeer, "query-source-v6", &obj);
- if (obj != NULL) {
- result = dns_peer_setquerysource(peer,
- cfg_obj_assockaddr(obj));
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
- }
-
- *peerp = peer;
- return (ISC_R_SUCCESS);
-
- cleanup:
- dns_peer_detach(&peer);
- return (result);
-}
-
-static isc_result_t
-disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
- isc_result_t result;
- const cfg_obj_t *algorithms;
- const cfg_listelt_t *element;
- const char *str;
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_buffer_t b;
-
- dns_fixedname_init(&fixed);
- name =
dns_fixedname_name(&fixed);
- str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL));
-
- algorithms = cfg_tuple_get(disabled, "algorithms");
- for (element = cfg_list_first(algorithms);
- element != NULL;
- element = cfg_list_next(element))
- {
- isc_textregion_t r;
- dns_secalg_t alg;
-
- DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
- r.length = strlen(r.base);
-
- result = dns_secalg_fromtext(&alg, &r);
- if (result != ISC_R_SUCCESS) {
- isc_uint8_t ui;
- result = isc_parse_uint8(&ui, r.base, 10);
- alg = ui;
- }
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(cfg_listelt_value(element),
- ns_g_lctx, ISC_LOG_ERROR,
- "invalid algorithm");
- CHECK(result);
- }
- CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
- }
- cleanup:
- return (result);
-}
-
-static isc_boolean_t
-on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
- const cfg_listelt_t *element;
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_result_t result;
- const cfg_obj_t *value;
- const char *str;
- isc_buffer_t b;
-
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
-
- for (element = cfg_list_first(disablelist);
- element != NULL;
- element = cfg_list_next(element))
- {
- value = cfg_listelt_value(element);
- str = cfg_obj_asstring(value);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- result = dns_name_fromtext(name, &b, dns_rootname,
- ISC_TRUE, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (dns_name_equal(name, zonename))
- return (ISC_TRUE);
- }
- return (ISC_FALSE);
-}
-
-static void
-check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv,
- isc_mem_t *mctx)
-{
- char **argv = NULL;
- unsigned int i;
- isc_result_t result;
-
- result = dns_zone_getdbtype(*zonep, &argv, mctx);
- if (result != ISC_R_SUCCESS) {
-
dns_zone_detach(zonep);
- return;
- }
-
- /*
- * Check that all the arguments match.
- */
- for (i = 0; i < dbtypec; i++)
- if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) {
- dns_zone_detach(zonep);
- break;
- }
-
- /*
- * Check that there are not extra arguments.
- */
- if (i == dbtypec && argv[i] != NULL)
- dns_zone_detach(zonep);
- isc_mem_free(mctx, argv);
-}
-
-
-/*
- * Configure 'view' according to 'vconfig', taking defaults from 'config'
- * where values are missing in 'vconfig'.
- *
- * When configuring the default view, 'vconfig' will be NULL and the
- * global defaults in 'config' used exclusively.
- */
-static isc_result_t
-configure_view(dns_view_t *view, const cfg_obj_t *config,
- const cfg_obj_t *vconfig, isc_mem_t *mctx,
- cfg_aclconfctx_t *actx, isc_boolean_t need_hints)
-{
- const cfg_obj_t *maps[4];
- const cfg_obj_t *cfgmaps[3];
- const cfg_obj_t *options = NULL;
- const cfg_obj_t *voptions = NULL;
- const cfg_obj_t *forwardtype;
- const cfg_obj_t *forwarders;
- const cfg_obj_t *alternates;
- const cfg_obj_t *zonelist;
-#ifdef DLZ
- const cfg_obj_t *dlz;
- unsigned int dlzargc;
- char **dlzargv;
-#endif
- const cfg_obj_t *disabled;
- const cfg_obj_t *obj;
- const cfg_listelt_t *element;
- in_port_t port;
- dns_cache_t *cache = NULL;
- isc_result_t result;
- isc_uint32_t max_adb_size;
- isc_uint32_t max_cache_size;
- isc_uint32_t max_acache_size;
- isc_uint32_t lame_ttl;
- dns_tsig_keyring_t *ring;
- dns_view_t *pview = NULL; /* Production view */
- isc_mem_t *cmctx;
- dns_dispatch_t *dispatch4 = NULL;
- dns_dispatch_t *dispatch6 = NULL;
- isc_boolean_t reused_cache = ISC_FALSE;
- int i;
- const char *str;
- dns_order_t *order = NULL;
- isc_uint32_t udpsize;
- unsigned int check = 0;
- dns_zone_t *zone = NULL;
- isc_uint32_t max_clients_per_query;
- const char *sep = ": view ";
- const char *viewname = view->name;
- const char *forview = " for view ";
- isc_boolean_t rfc1918;
- isc_boolean_t empty_zones_enable;
- const cfg_obj_t
*disablelist = NULL;
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- cmctx = NULL;
-
- if (config != NULL)
- (void)cfg_map_get(config, "options", &options);
-
- i = 0;
- if (vconfig != NULL) {
- voptions = cfg_tuple_get(vconfig, "options");
- maps[i++] = voptions;
- }
- if (options != NULL)
- maps[i++] = options;
- maps[i++] = ns_g_defaults;
- maps[i] = NULL;
-
- i = 0;
- if (voptions != NULL)
- cfgmaps[i++] = voptions;
- if (config != NULL)
- cfgmaps[i++] = config;
- cfgmaps[i] = NULL;
-
- if (!strcmp(viewname, "_default")) {
- sep = "";
- viewname = "";
- forview = "";
- }
-
- /*
- * Set the view's port number for outgoing queries.
- */
- CHECKM(ns_config_getport(config, &port), "port");
- dns_view_setdstport(view, port);
-
- /*
- * Create additional cache for this view and zones under the view
- * if explicitly enabled.
- * XXX950 default to on.
- */
- obj = NULL;
- (void)ns_config_get(maps, "acache-enable", &obj);
- if (obj != NULL && cfg_obj_asboolean(obj)) {
- cmctx = NULL;
- CHECK(isc_mem_create(0, 0, &cmctx));
- CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
- ns_g_timermgr));
- isc_mem_detach(&cmctx);
- }
- if (view->acache != NULL) {
- obj = NULL;
- result = ns_config_get(maps, "acache-cleaning-interval", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_acache_setcleaninginterval(view->acache,
- cfg_obj_asuint32(obj) * 60);
-
- obj = NULL;
- result = ns_config_get(maps, "max-acache-size", &obj);
- INSIST(result == ISC_R_SUCCESS);
- if (cfg_obj_isstring(obj)) {
- str = cfg_obj_asstring(obj);
- INSIST(strcasecmp(str, "unlimited") == 0);
- max_acache_size = ISC_UINT32_MAX;
- } else {
- isc_resourcevalue_t value;
-
- value = cfg_obj_asuint64(obj);
- if (value > ISC_UINT32_MAX) {
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
- "'max-acache-size "
- "%" ISC_PRINT_QUADFORMAT
- "d' is too large",
- value);
- result = ISC_R_RANGE;
- goto cleanup;
- }
- max_acache_size = (isc_uint32_t)value;
- }
- dns_acache_setcachesize(view->acache, max_acache_size);
- }
-
- /*
- * Configure the zones.
- */
- zonelist = NULL;
- if (voptions != NULL)
- (void)cfg_map_get(voptions, "zone", &zonelist);
- else
- (void)cfg_map_get(config, "zone", &zonelist);
- for (element = cfg_list_first(zonelist);
- element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *zconfig = cfg_listelt_value(element);
- CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
- actx));
- }
-
-#ifdef DLZ
- /*
- * Create Dynamically Loadable Zone driver.
- */
- dlz = NULL;
- if (voptions != NULL)
- (void)cfg_map_get(voptions, "dlz", &dlz);
- else
- (void)cfg_map_get(config, "dlz", &dlz);
-
- obj = NULL;
- if (dlz != NULL) {
- (void)cfg_map_get(cfg_tuple_get(dlz, "options"),
- "database", &obj);
- if (obj != NULL) {
- char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
- if (s == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
-
- result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv);
- if (result != ISC_R_SUCCESS) {
- isc_mem_free(mctx, s);
- goto cleanup;
- }
-
- obj = cfg_tuple_get(dlz, "name");
- result = dns_dlzcreate(mctx, cfg_obj_asstring(obj),
- dlzargv[0], dlzargc, dlzargv,
- &view->dlzdatabase);
- isc_mem_free(mctx, s);
- isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- }
-#endif
-
- /*
- * Configure the view's cache. Try to reuse an existing
- * cache if possible, otherwise create a new cache.
- * Note that the ADB is not preserved in either case.
- *
- * XXX Determining when it is safe to reuse a cache is
- * tricky. When the view's configuration changes, the cached
- * data may become invalid because it reflects our old
- * view of the world. As more view attributes become
- * configurable, we will have to add code here to check
- * whether they have changed in ways that could
- * invalidate the cache.
- */
- result = dns_viewlist_find(&ns_g_server->viewlist,
- view->name, view->rdclass,
- &pview);
- if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
- goto cleanup;
- if (pview != NULL) {
- INSIST(pview->cache != NULL);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(3),
- "reusing existing cache");
- reused_cache = ISC_TRUE;
- dns_cache_attach(pview->cache, &cache);
- dns_view_detach(&pview);
- } else {
- CHECK(isc_mem_create(0, 0, &cmctx));
- CHECK(dns_cache_create(cmctx, ns_g_taskmgr, ns_g_timermgr,
- view->rdclass, "rbt", 0, NULL, &cache));
- }
- dns_view_setcache(view, cache);
-
- /*
- * cache-file cannot be inherited if views are present, but this
- * should be caught by the configuration checking stage.
- */
- obj = NULL;
- result = ns_config_get(maps, "cache-file", &obj);
- if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
- CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
- if (!reused_cache)
- CHECK(dns_cache_load(cache));
- }
-
- obj = NULL;
- result = ns_config_get(maps, "cleaning-interval", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_cache_setcleaninginterval(cache, cfg_obj_asuint32(obj) * 60);
-
- obj = NULL;
- result = ns_config_get(maps, "max-cache-size", &obj);
- INSIST(result == ISC_R_SUCCESS);
- if (cfg_obj_isstring(obj)) {
- str = cfg_obj_asstring(obj);
- INSIST(strcasecmp(str, "unlimited") == 0);
- max_cache_size = ISC_UINT32_MAX;
- } else {
- isc_resourcevalue_t value;
- value = cfg_obj_asuint64(obj);
- if (value > ISC_UINT32_MAX) {
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
- "'max-cache-size "
- "%" ISC_PRINT_QUADFORMAT "d' is too large",
- value);
- result = ISC_R_RANGE;
- goto cleanup;
- }
- max_cache_size = (isc_uint32_t)value;
- }
- dns_cache_setcachesize(cache, max_cache_size);
-
- dns_cache_detach(&cache);
-
- /*
- * Check-names.
- */
- obj = NULL;
- result = ns_checknames_get(maps, "response", &obj);
- INSIST(result == ISC_R_SUCCESS);
-
- str = cfg_obj_asstring(obj);
- if (strcasecmp(str, "fail") == 0) {
- check = DNS_RESOLVER_CHECKNAMES |
- DNS_RESOLVER_CHECKNAMESFAIL;
- view->checknames = ISC_TRUE;
- } else if (strcasecmp(str, "warn") == 0) {
- check = DNS_RESOLVER_CHECKNAMES;
- view->checknames = ISC_FALSE;
- } else if (strcasecmp(str, "ignore") == 0) {
- check = 0;
- view->checknames = ISC_FALSE;
- } else
- INSIST(0);
-
- /*
- * Resolver.
- *
- * XXXRTH Hardwired number of tasks.
- */
- CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4));
- CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6));
- if (dispatch4 == NULL && dispatch6 == NULL) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "unable to obtain neither an IPv4 nor"
- " an IPv6 dispatch");
- result = ISC_R_UNEXPECTED;
- goto cleanup;
- }
- CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
- ns_g_socketmgr, ns_g_timermgr,
- check, ns_g_dispatchmgr,
- dispatch4, dispatch6));
-
- /*
- * Set the ADB cache size to 1/8th of the max-cache-size.
- */
- max_adb_size = 0;
- if (max_cache_size != 0) {
- max_adb_size = max_cache_size / 8;
- if (max_adb_size == 0)
- max_adb_size = 1; /* Force minimum. */
- }
- dns_adb_setadbsize(view->adb, max_adb_size);
-
- /*
- * Set resolver's lame-ttl.
- */
- obj = NULL;
- result = ns_config_get(maps, "lame-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- lame_ttl = cfg_obj_asuint32(obj);
- if (lame_ttl > 1800)
- lame_ttl = 1800;
- dns_resolver_setlamettl(view->resolver, lame_ttl);
-
- obj = NULL;
- result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_resolver_setzeronosoattl(view->resolver, cfg_obj_asboolean(obj));
-
- /*
- * Set the resolver's EDNS UDP size.
- */
- obj = NULL;
- result = ns_config_get(maps, "edns-udp-size", &obj);
- INSIST(result == ISC_R_SUCCESS);
- udpsize = cfg_obj_asuint32(obj);
- if (udpsize < 512)
- udpsize = 512;
- if (udpsize > 4096)
- udpsize = 4096;
- dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize);
-
- /*
- * Set the maximum UDP response size.
- */
- obj = NULL;
- result = ns_config_get(maps, "max-udp-size", &obj);
- INSIST(result == ISC_R_SUCCESS);
- udpsize = cfg_obj_asuint32(obj);
- if (udpsize < 512)
- udpsize = 512;
- if (udpsize > 4096)
- udpsize = 4096;
- view->maxudp = udpsize;
-
- /*
- * Set supported DNSSEC algorithms.
- */
- dns_resolver_reset_algorithms(view->resolver);
- disabled = NULL;
- (void)ns_config_get(maps, "disable-algorithms", &disabled);
- if (disabled != NULL) {
- for (element = cfg_list_first(disabled);
- element != NULL;
- element = cfg_list_next(element))
- CHECK(disable_algorithms(cfg_listelt_value(element),
- view->resolver));
- }
-
- /*
- * A global or view "forwarders" option, if present,
- * creates an entry for "." in the forwarding table.
- */
- forwardtype = NULL;
- forwarders = NULL;
- (void)ns_config_get(maps, "forward", &forwardtype);
- (void)ns_config_get(maps, "forwarders", &forwarders);
- if (forwarders != NULL)
- CHECK(configure_forward(config, view, dns_rootname,
- forwarders, forwardtype));
-
- /*
- * Dual Stack Servers.
- */
- alternates = NULL;
- (void)ns_config_get(maps, "dual-stack-servers", &alternates);
- if (alternates != NULL)
- CHECK(configure_alternates(config, view, alternates));
-
- /*
- * We have default hints for class IN if we need them.
- */
- if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
- dns_view_sethints(view, ns_g_server->in_roothints);
-
- /*
- * If we still have no hints, this is a non-IN view with no
- * "hints zone" configured. Issue a warning, except if this
- * is a root server. Root servers never need to consult
- * their hints, so it's no point requiring users to configure
- * them.
- */
- if (view->hints == NULL) {
- dns_zone_t *rootzone = NULL;
- (void)dns_view_findzone(view, dns_rootname, &rootzone);
- if (rootzone != NULL) {
- dns_zone_detach(&rootzone);
- need_hints = ISC_FALSE;
- }
- if (need_hints)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "no root hints for view '%s'",
- view->name);
- }
-
- /*
- * Configure the view's TSIG keys.
- */
- ring = NULL;
- CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
- dns_view_setkeyring(view, ring);
-
- /*
- * Configure the view's peer list.
- */
- {
- const cfg_obj_t *peers = NULL;
- const cfg_listelt_t *element;
- dns_peerlist_t *newpeers = NULL;
-
- (void)ns_config_get(cfgmaps, "server", &peers);
- CHECK(dns_peerlist_new(mctx, &newpeers));
- for (element = cfg_list_first(peers);
- element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *cpeer = cfg_listelt_value(element);
- dns_peer_t *peer;
-
- CHECK(configure_peer(cpeer, mctx, &peer));
- dns_peerlist_addpeer(newpeers, peer);
- dns_peer_detach(&peer);
- }
- dns_peerlist_detach(&view->peers);
- view->peers = newpeers; /* Transfer ownership. */
- }
-
- /*
- * Configure the views rrset-order.
- */
- {
- const cfg_obj_t *rrsetorder = NULL;
- const cfg_listelt_t *element;
-
- (void)ns_config_get(maps, "rrset-order", &rrsetorder);
- CHECK(dns_order_create(mctx, &order));
- for (element = cfg_list_first(rrsetorder);
- element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *ent = cfg_listelt_value(element);
-
- CHECK(configure_order(order, ent));
- }
- if (view->order != NULL)
- dns_order_detach(&view->order);
- dns_order_attach(order, &view->order);
- dns_order_detach(&order);
- }
- /*
- * Copy the aclenv object.
- */
- dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
-
- /*
- * Configure the "match-clients" and "match-destinations" ACL.
- */ - CHECK(configure_view_acl(vconfig, config, "match-clients", actx, - ns_g_mctx, &view->matchclients)); - CHECK(configure_view_acl(vconfig, config, "match-destinations", actx, - ns_g_mctx, &view->matchdestinations)); - - /* - * Configure the "match-recursive-only" option. - */ - obj = NULL; - (void)ns_config_get(maps, "match-recursive-only", &obj); - if (obj != NULL && cfg_obj_asboolean(obj)) - view->matchrecursiveonly = ISC_TRUE; - else - view->matchrecursiveonly = ISC_FALSE; - - /* - * Configure other configurable data. - */ - obj = NULL; - result = ns_config_get(maps, "recursion", &obj); - INSIST(result == ISC_R_SUCCESS); - view->recursion = cfg_obj_asboolean(obj); - - obj = NULL; - result = ns_config_get(maps, "auth-nxdomain", &obj); - INSIST(result == ISC_R_SUCCESS); - view->auth_nxdomain = cfg_obj_asboolean(obj); - - obj = NULL; - result = ns_config_get(maps, "minimal-responses", &obj); - INSIST(result == ISC_R_SUCCESS); - view->minimalresponses = cfg_obj_asboolean(obj); - - obj = NULL; - result = ns_config_get(maps, "transfer-format", &obj); - INSIST(result == ISC_R_SUCCESS); - str = cfg_obj_asstring(obj); - if (strcasecmp(str, "many-answers") == 0) - view->transfer_format = dns_many_answers; - else if (strcasecmp(str, "one-answer") == 0) - view->transfer_format = dns_one_answer; - else - INSIST(0); - - /* - * Set sources where additional data and CNAME/DNAME - * targets for authoritative answers may be found. - */ - obj = NULL; - result = ns_config_get(maps, "additional-from-auth", &obj); - INSIST(result == ISC_R_SUCCESS); - view->additionalfromauth = cfg_obj_asboolean(obj); - if (view->recursion && ! 
view->additionalfromauth) { - cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, - "'additional-from-auth no' is only supported " - "with 'recursion no'"); - view->additionalfromauth = ISC_TRUE; - } - - obj = NULL; - result = ns_config_get(maps, "additional-from-cache", &obj); - INSIST(result == ISC_R_SUCCESS); - view->additionalfromcache = cfg_obj_asboolean(obj); - if (view->recursion && ! view->additionalfromcache) { - cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, - "'additional-from-cache no' is only supported " - "with 'recursion no'"); - view->additionalfromcache = ISC_TRUE; - } - - /* - * Set "allow-query-cache" and "allow-recursion" acls if - * configured in named.conf. - */ - CHECK(configure_view_acl(vconfig, config, "allow-query-cache", - actx, ns_g_mctx, &view->queryacl)); - - if (strcmp(view->name, "_bind") != 0) - CHECK(configure_view_acl(vconfig, config, "allow-recursion", - actx, ns_g_mctx, &view->recursionacl)); - - /* - * Warning if both "recursion no;" and allow-recursion are active - * except for "allow-recursion { none; };". - */ - if (!view->recursion && view->recursionacl != NULL && - (view->recursionacl->length != 1 || - view->recursionacl->elements[0].type != dns_aclelementtype_any || - view->recursionacl->elements[0].negative != ISC_TRUE)) - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, ISC_LOG_WARNING, - "both \"recursion no;\" and \"allow-recursion\" " - "active%s%s", forview, viewname); - - /* - * "allow-query-cache" inherits from "allow-recursion" if set, - * otherwise from "allow-query" if set. - * "allow-recursion" inherits from "allow-query-cache" if set, - * otherwise from "allow-query" if set. 
- */
- if (view->queryacl == NULL && view->recursionacl != NULL)
- dns_acl_attach(view->recursionacl, &view->queryacl);
- if (view->queryacl == NULL)
- CHECK(configure_view_acl(vconfig, config, "allow-query",
- actx, ns_g_mctx, &view->queryacl));
- if (view->recursionacl == NULL && view->queryacl != NULL)
- dns_acl_attach(view->queryacl, &view->recursionacl);
-
- /*
- * Set default "allow-recursion" and "allow-query-cache" acls.
- */
- if (view->recursionacl == NULL && view->recursion)
- CHECK(configure_view_acl(NULL, ns_g_config, "allow-recursion",
- actx, ns_g_mctx, &view->recursionacl));
- if (view->queryacl == NULL)
- CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-query-cache", actx,
- ns_g_mctx, &view->queryacl));
-
- CHECK(configure_view_acl(vconfig, config, "sortlist",
- actx, ns_g_mctx, &view->sortlist));
-
- obj = NULL;
- result = ns_config_get(maps, "request-ixfr", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->requestixfr = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "provide-ixfr", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->provideixfr = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "max-clients-per-query", &obj);
- INSIST(result == ISC_R_SUCCESS);
- max_clients_per_query = cfg_obj_asuint32(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "clients-per-query", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_resolver_setclientsperquery(view->resolver,
- cfg_obj_asuint32(obj),
- max_clients_per_query);
-
- obj = NULL;
- result = ns_config_get(maps, "dnssec-enable", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->enablednssec = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "dnssec-accept-expired", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->acceptexpired = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "dnssec-validation", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->enablevalidation = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "dnssec-lookaside", &obj);
- if (result == ISC_R_SUCCESS) {
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- const char *str;
- isc_buffer_t b;
- dns_name_t *dlv;
-
- obj = cfg_listelt_value(element);
-#if 0
- dns_fixedname_t fixed;
- dns_name_t *name;
-
- /*
- * When we support multiple dnssec-lookaside
- * entries this is how to find the domain to be
- * checked. XXXMPA
- */
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- str = cfg_obj_asstring(cfg_tuple_get(obj,
- "domain"));
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname,
- ISC_TRUE, NULL));
-#endif
- str = cfg_obj_asstring(cfg_tuple_get(obj,
- "trust-anchor"));
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- dlv = dns_fixedname_name(&view->dlv_fixed);
- CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
- ISC_TRUE, NULL));
- view->dlv = dns_fixedname_name(&view->dlv_fixed);
- }
- } else
- view->dlv = NULL;
-
- /*
- * For now, there is only one kind of trusted keys, the
- * "security roots".
- */
- CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
- &view->secroots));
- dns_resolver_resetmustbesecure(view->resolver);
- obj = NULL;
- result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
- if (result == ISC_R_SUCCESS)
- CHECK(mustbesecure(obj, view->resolver));
-
- obj = NULL;
- result = ns_config_get(maps, "max-cache-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->maxcachettl = cfg_obj_asuint32(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "max-ncache-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->maxncachettl = cfg_obj_asuint32(obj);
- if (view->maxncachettl > 7 * 24 * 3600)
- view->maxncachettl = 7 * 24 * 3600;
-
- obj = NULL;
- result = ns_config_get(maps, "preferred-glue", &obj);
- if (result == ISC_R_SUCCESS) {
- str = cfg_obj_asstring(obj);
- if (strcasecmp(str, "a") == 0)
- view->preferred_glue = dns_rdatatype_a;
- else if (strcasecmp(str, "aaaa") == 0)
- view->preferred_glue = dns_rdatatype_aaaa;
- else
- view->preferred_glue = 0;
- } else
- view->preferred_glue = 0;
-
- obj = NULL;
- result = ns_config_get(maps, "root-delegation-only", &obj);
- if (result == ISC_R_SUCCESS) {
- dns_view_setrootdelonly(view, ISC_TRUE);
- if (!cfg_obj_isvoid(obj)) {
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_buffer_t b;
- const char *str;
- const cfg_obj_t *exclude;
-
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element)) {
- exclude = cfg_listelt_value(element);
- str = cfg_obj_asstring(exclude);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname,
- ISC_FALSE, NULL));
- CHECK(dns_view_excludedelegationonly(view,
- name));
- }
- }
- } else
- dns_view_setrootdelonly(view, ISC_FALSE);
-
- /*
- * Setup automatic empty zones. If recursion is off then
- * they are disabled by default.
- */ - obj = NULL; - (void)ns_config_get(maps, "empty-zones-enable", &obj); - (void)ns_config_get(maps, "disable-empty-zone", &disablelist); - if (obj == NULL && disablelist == NULL && - view->rdclass == dns_rdataclass_in) { - rfc1918 = ISC_FALSE; - empty_zones_enable = view->recursion; - } else if (view->rdclass == dns_rdataclass_in) { - rfc1918 = ISC_TRUE; - if (obj != NULL) - empty_zones_enable = cfg_obj_asboolean(obj); - else - empty_zones_enable = view->recursion; - } else { - rfc1918 = ISC_FALSE; - empty_zones_enable = ISC_FALSE; - } - if (empty_zones_enable) { - const char *empty; - int empty_zone = 0; - dns_fixedname_t fixed; - dns_name_t *name; - isc_buffer_t buffer; - const char *str; - char server[DNS_NAME_FORMATSIZE + 1]; - char contact[DNS_NAME_FORMATSIZE + 1]; - isc_boolean_t logit; - const char *empty_dbtype[4] = - { "_builtin", "empty", NULL, NULL }; - int empty_dbtypec = 4; - - dns_fixedname_init(&fixed); - name = dns_fixedname_name(&fixed); - - obj = NULL; - result = ns_config_get(maps, "empty-server", &obj); - if (result == ISC_R_SUCCESS) { - str = cfg_obj_asstring(obj); - isc_buffer_init(&buffer, str, strlen(str)); - isc_buffer_add(&buffer, strlen(str)); - CHECK(dns_name_fromtext(name, &buffer, dns_rootname, - ISC_FALSE, NULL)); - isc_buffer_init(&buffer, server, sizeof(server) - 1); - CHECK(dns_name_totext(name, ISC_FALSE, &buffer)); - server[isc_buffer_usedlength(&buffer)] = 0; - empty_dbtype[2] = server; - } else - empty_dbtype[2] = "@"; - - obj = NULL; - result = ns_config_get(maps, "empty-contact", &obj); - if (result == ISC_R_SUCCESS) { - str = cfg_obj_asstring(obj); - isc_buffer_init(&buffer, str, strlen(str)); - isc_buffer_add(&buffer, strlen(str)); - CHECK(dns_name_fromtext(name, &buffer, dns_rootname, - ISC_FALSE, NULL)); - isc_buffer_init(&buffer, contact, sizeof(contact) - 1); - CHECK(dns_name_totext(name, ISC_FALSE, &buffer)); - contact[isc_buffer_usedlength(&buffer)] = 0; - empty_dbtype[3] = contact; - } else - empty_dbtype[3] = 
"."; - - logit = ISC_TRUE; - for (empty = empty_zones[empty_zone].zone; - empty != NULL; - empty = empty_zones[++empty_zone].zone) - { - dns_forwarders_t *forwarders = NULL; - dns_view_t *pview = NULL; - - isc_buffer_init(&buffer, empty, strlen(empty)); - isc_buffer_add(&buffer, strlen(empty)); - /* - * Look for zone on drop list. - */ - CHECK(dns_name_fromtext(name, &buffer, dns_rootname, - ISC_FALSE, NULL)); - if (disablelist != NULL && - on_disable_list(disablelist, name)) - continue; - - /* - * This zone already exists. - */ - (void)dns_view_findzone(view, name, &zone); - if (zone != NULL) { - dns_zone_detach(&zone); - continue; - } - - /* - * If we would forward this name don't add a - * empty zone for it. - */ - result = dns_fwdtable_find(view->fwdtable, name, - &forwarders); - if (result == ISC_R_SUCCESS && - forwarders->fwdpolicy == dns_fwdpolicy_only) - continue; - - if (!rfc1918 && empty_zones[empty_zone].rfc1918) { - if (logit) { - isc_log_write(ns_g_lctx, - NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, - ISC_LOG_WARNING, - "Warning%s%s: " - "'empty-zones-enable/" - "disable-empty-zone' " - "not set: disabling " - "RFC 1918 empty zones", - sep, viewname); - logit = ISC_FALSE; - } - continue; - } - - /* - * See if we can re-use a existing zone. 
- */
- result = dns_viewlist_find(&ns_g_server->viewlist,
- view->name, view->rdclass,
- &pview);
- if (result != ISC_R_NOTFOUND &&
- result != ISC_R_SUCCESS)
- goto cleanup;
-
- if (pview != NULL) {
- (void)dns_view_findzone(pview, name, &zone);
- dns_view_detach(&pview);
- if (zone != NULL)
- check_dbtype(&zone, empty_dbtypec,
- empty_dbtype, mctx);
- if (zone != NULL) {
- dns_zone_setview(zone, view);
- CHECK(dns_view_addzone(view, zone));
- dns_zone_detach(&zone);
- continue;
- }
- }
-
- CHECK(dns_zone_create(&zone, mctx));
- CHECK(dns_zone_setorigin(zone, name));
- dns_zone_setview(zone, view);
- CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
- dns_zone_setclass(zone, view->rdclass);
- dns_zone_settype(zone, dns_zone_master);
- CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
- empty_dbtype));
- if (view->queryacl != NULL)
- dns_zone_setqueryacl(zone, view->queryacl);
- dns_zone_setdialup(zone, dns_dialuptype_no);
- dns_zone_setnotifytype(zone, dns_notifytype_no);
- dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
- ISC_TRUE);
- CHECK(dns_view_addzone(view, zone));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "automatic empty zone%s%s: %s",
- sep, viewname, empty);
- dns_zone_detach(&zone);
- }
- }
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- if (zone != NULL)
- dns_zone_detach(&zone);
- if (dispatch4 != NULL)
- dns_dispatch_detach(&dispatch4);
- if (dispatch6 != NULL)
- dns_dispatch_detach(&dispatch6);
- if (order != NULL)
- dns_order_detach(&order);
- if (cmctx != NULL)
- isc_mem_detach(&cmctx);
-
- if (cache != NULL)
- dns_cache_detach(&cache);
-
- return (result);
-}
-
-static isc_result_t
-configure_hints(dns_view_t *view, const char *filename) {
- isc_result_t result;
- dns_db_t *db;
-
- db = NULL;
- result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
- if (result == ISC_R_SUCCESS) {
- dns_view_sethints(view, db);
- dns_db_detach(&db);
- }
-
- return (result);
-}
-
-static isc_result_t
-configure_alternates(const cfg_obj_t *config, dns_view_t *view, - const cfg_obj_t *alternates) -{ - const cfg_obj_t *portobj; - const cfg_obj_t *addresses; - const cfg_listelt_t *element; - isc_result_t result = ISC_R_SUCCESS; - in_port_t port; - - /* - * Determine which port to send requests to. - */ - if (ns_g_lwresdonly && ns_g_port != 0) - port = ns_g_port; - else - CHECKM(ns_config_getport(config, &port), "port"); - - if (alternates != NULL) { - portobj = cfg_tuple_get(alternates, "port"); - if (cfg_obj_isuint32(portobj)) { - isc_uint32_t val = cfg_obj_asuint32(portobj); - if (val > ISC_UINT16_MAX) { - cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR, - "port '%u' out of range", val); - return (ISC_R_RANGE); - } - port = (in_port_t) val; - } - } - - addresses = NULL; - if (alternates != NULL) - addresses = cfg_tuple_get(alternates, "addresses"); - - for (element = cfg_list_first(addresses); - element != NULL; - element = cfg_list_next(element)) - { - const cfg_obj_t *alternate = cfg_listelt_value(element); - isc_sockaddr_t sa; - - if (!cfg_obj_issockaddr(alternate)) { - dns_fixedname_t fixed; - dns_name_t *name; - const char *str = cfg_obj_asstring(cfg_tuple_get( - alternate, "name")); - isc_buffer_t buffer; - in_port_t myport = port; - - isc_buffer_init(&buffer, str, strlen(str)); - isc_buffer_add(&buffer, strlen(str)); - dns_fixedname_init(&fixed); - name = dns_fixedname_name(&fixed); - CHECK(dns_name_fromtext(name, &buffer, dns_rootname, - ISC_FALSE, NULL)); - - portobj = cfg_tuple_get(alternate, "port"); - if (cfg_obj_isuint32(portobj)) { - isc_uint32_t val = cfg_obj_asuint32(portobj); - if (val > ISC_UINT16_MAX) { - cfg_obj_log(portobj, ns_g_lctx, - ISC_LOG_ERROR, - "port '%u' out of range", - val); - return (ISC_R_RANGE); - } - myport = (in_port_t) val; - } - CHECK(dns_resolver_addalternate(view->resolver, NULL, - name, myport)); - continue; - } - - sa = *cfg_obj_assockaddr(alternate); - if (isc_sockaddr_getport(&sa) == 0) - isc_sockaddr_setport(&sa, 
port); - CHECK(dns_resolver_addalternate(view->resolver, &sa, - NULL, 0)); - } - - cleanup: - return (result); -} - -static isc_result_t -configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin, - const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype) -{ - const cfg_obj_t *portobj; - const cfg_obj_t *faddresses; - const cfg_listelt_t *element; - dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none; - isc_sockaddrlist_t addresses; - isc_sockaddr_t *sa; - isc_result_t result; - in_port_t port; - - /* - * Determine which port to send forwarded requests to. - */ - if (ns_g_lwresdonly && ns_g_port != 0) - port = ns_g_port; - else - CHECKM(ns_config_getport(config, &port), "port"); - - if (forwarders != NULL) { - portobj = cfg_tuple_get(forwarders, "port"); - if (cfg_obj_isuint32(portobj)) { - isc_uint32_t val = cfg_obj_asuint32(portobj); - if (val > ISC_UINT16_MAX) { - cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR, - "port '%u' out of range", val); - return (ISC_R_RANGE); - } - port = (in_port_t) val; - } - } - - faddresses = NULL; - if (forwarders != NULL) - faddresses = cfg_tuple_get(forwarders, "addresses"); - - ISC_LIST_INIT(addresses); - - for (element = cfg_list_first(faddresses); - element != NULL; - element = cfg_list_next(element)) - { - const cfg_obj_t *forwarder = cfg_listelt_value(element); - sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t)); - if (sa == NULL) { - result = ISC_R_NOMEMORY; - goto cleanup; - } - *sa = *cfg_obj_assockaddr(forwarder); - if (isc_sockaddr_getport(sa) == 0) - isc_sockaddr_setport(sa, port); - ISC_LINK_INIT(sa, link); - ISC_LIST_APPEND(addresses, sa, link); - } - - if (ISC_LIST_EMPTY(addresses)) { - if (forwardtype != NULL) - cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING, - "no forwarders seen; disabling " - "forwarding"); - fwdpolicy = dns_fwdpolicy_none; - } else { - if (forwardtype == NULL) - fwdpolicy = dns_fwdpolicy_first; - else { - const char *forwardstr = cfg_obj_asstring(forwardtype); - if 
(strcasecmp(forwardstr, "first") == 0) - fwdpolicy = dns_fwdpolicy_first; - else if (strcasecmp(forwardstr, "only") == 0) - fwdpolicy = dns_fwdpolicy_only; - else - INSIST(0); - } - } - - result = dns_fwdtable_add(view->fwdtable, origin, &addresses, - fwdpolicy); - if (result != ISC_R_SUCCESS) { - char namebuf[DNS_NAME_FORMATSIZE]; - dns_name_format(origin, namebuf, sizeof(namebuf)); - cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING, - "could not set up forwarding for domain '%s': %s", - namebuf, isc_result_totext(result)); - goto cleanup; - } - - result = ISC_R_SUCCESS; - - cleanup: - - while (!ISC_LIST_EMPTY(addresses)) { - sa = ISC_LIST_HEAD(addresses); - ISC_LIST_UNLINK(addresses, sa, link); - isc_mem_put(view->mctx, sa, sizeof(isc_sockaddr_t)); - } - - return (result); -} - -/* - * Create a new view and add it to the list. - * - * If 'vconfig' is NULL, create the default view. - * - * The view created is attached to '*viewp'. - */ -static isc_result_t -create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist, - dns_view_t **viewp) -{ - isc_result_t result; - const char *viewname; - dns_rdataclass_t viewclass; - dns_view_t *view = NULL; - - if (vconfig != NULL) { - const cfg_obj_t *classobj = NULL; - - viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name")); - classobj = cfg_tuple_get(vconfig, "class"); - result = ns_config_getclass(classobj, dns_rdataclass_in, - &viewclass); - } else { - viewname = "_default"; - viewclass = dns_rdataclass_in; - } - result = dns_viewlist_find(viewlist, viewname, viewclass, &view); - if (result == ISC_R_SUCCESS) - return (ISC_R_EXISTS); - if (result != ISC_R_NOTFOUND) - return (result); - INSIST(view == NULL); - - result = dns_view_create(ns_g_mctx, viewclass, viewname, &view); - if (result != ISC_R_SUCCESS) - return (result); - - ISC_LIST_APPEND(*viewlist, view, link); - dns_view_attach(view, viewp); - return (ISC_R_SUCCESS); -} - -/* - * Configure or reconfigure a zone. 
- */ -static isc_result_t -configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, - const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - cfg_aclconfctx_t *aclconf) -{ - dns_view_t *pview = NULL; /* Production view */ - dns_zone_t *zone = NULL; /* New or reused zone */ - dns_zone_t *dupzone = NULL; - const cfg_obj_t *options = NULL; - const cfg_obj_t *zoptions = NULL; - const cfg_obj_t *typeobj = NULL; - const cfg_obj_t *forwarders = NULL; - const cfg_obj_t *forwardtype = NULL; - const cfg_obj_t *only = NULL; - isc_result_t result; - isc_result_t tresult; - isc_buffer_t buffer; - dns_fixedname_t fixorigin; - dns_name_t *origin; - const char *zname; - dns_rdataclass_t zclass; - const char *ztypestr; - - options = NULL; - (void)cfg_map_get(config, "options", &options); - - zoptions = cfg_tuple_get(zconfig, "options"); - - /* - * Get the zone origin as a dns_name_t. - */ - zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); - isc_buffer_init(&buffer, zname, strlen(zname)); - isc_buffer_add(&buffer, strlen(zname)); - dns_fixedname_init(&fixorigin); - CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin), - &buffer, dns_rootname, ISC_FALSE, NULL)); - origin = dns_fixedname_name(&fixorigin); - - CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"), - view->rdclass, &zclass)); - if (zclass != view->rdclass) { - const char *vname = NULL; - if (vconfig != NULL) - vname = cfg_obj_asstring(cfg_tuple_get(vconfig, - "name")); - else - vname = ""; - - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, ISC_LOG_ERROR, - "zone '%s': wrong class for view '%s'", - zname, vname); - result = ISC_R_FAILURE; - goto cleanup; - } - - (void)cfg_map_get(zoptions, "type", &typeobj); - if (typeobj == NULL) { - cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR, - "zone '%s' 'type' not specified", zname); - return (ISC_R_FAILURE); - } - ztypestr = cfg_obj_asstring(typeobj); - - /* - * "hints zones" aren't zones. 
If we've got one, - * configure it and return. - */ - if (strcasecmp(ztypestr, "hint") == 0) { - const cfg_obj_t *fileobj = NULL; - if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, ISC_LOG_ERROR, - "zone '%s': 'file' not specified", - zname); - result = ISC_R_FAILURE; - goto cleanup; - } - if (dns_name_equal(origin, dns_rootname)) { - const char *hintsfile = cfg_obj_asstring(fileobj); - - result = configure_hints(view, hintsfile); - if (result != ISC_R_SUCCESS) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, - ISC_LOG_ERROR, - "could not configure root hints " - "from '%s': %s", hintsfile, - isc_result_totext(result)); - goto cleanup; - } - /* - * Hint zones may also refer to delegation only points. - */ - only = NULL; - tresult = cfg_map_get(zoptions, "delegation-only", - &only); - if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only)) - CHECK(dns_view_adddelegationonly(view, origin)); - } else { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, ISC_LOG_WARNING, - "ignoring non-root hint zone '%s'", - zname); - result = ISC_R_SUCCESS; - } - /* Skip ordinary zone processing. */ - goto cleanup; - } - - /* - * "forward zones" aren't zones either. Translate this syntax into - * the appropriate selective forwarding configuration and return. - */ - if (strcasecmp(ztypestr, "forward") == 0) { - forwardtype = NULL; - forwarders = NULL; - - (void)cfg_map_get(zoptions, "forward", &forwardtype); - (void)cfg_map_get(zoptions, "forwarders", &forwarders); - result = configure_forward(config, view, origin, forwarders, - forwardtype); - goto cleanup; - } - - /* - * "delegation-only zones" aren't zones either. - */ - if (strcasecmp(ztypestr, "delegation-only") == 0) { - result = dns_view_adddelegationonly(view, origin); - goto cleanup; - } - - /* - * Check for duplicates in the new zone table. 
- */ - result = dns_view_findzone(view, origin, &dupzone); - if (result == ISC_R_SUCCESS) { - /* - * We already have this zone! - */ - cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR, - "zone '%s' already exists", zname); - dns_zone_detach(&dupzone); - result = ISC_R_EXISTS; - goto cleanup; - } - INSIST(dupzone == NULL); - - /* - * See if we can reuse an existing zone. This is - * only possible if all of these are true: - * - The zone's view exists - * - A zone with the right name exists in the view - * - The zone is compatible with the config - * options (e.g., an existing master zone cannot - * be reused if the options specify a slave zone) - */ - result = dns_viewlist_find(&ns_g_server->viewlist, - view->name, view->rdclass, - &pview); - if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) - goto cleanup; - if (pview != NULL) - result = dns_view_findzone(pview, origin, &zone); - if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS) - goto cleanup; - if (zone != NULL && !ns_zone_reusable(zone, zconfig)) - dns_zone_detach(&zone); - - if (zone != NULL) { - /* - * We found a reusable zone. Make it use the - * new view. - */ - dns_zone_setview(zone, view); - if (view->acache != NULL) - dns_zone_setacache(zone, view->acache); - } else { - /* - * We cannot reuse an existing zone, we have - * to create a new one. - */ - CHECK(dns_zone_create(&zone, mctx)); - CHECK(dns_zone_setorigin(zone, origin)); - dns_zone_setview(zone, view); - if (view->acache != NULL) - dns_zone_setacache(zone, view->acache); - CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone)); - } - - /* - * If the zone contains a 'forwarders' statement, configure - * selective forwarding. 
- */ - forwarders = NULL; - if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS) - { - forwardtype = NULL; - (void)cfg_map_get(zoptions, "forward", &forwardtype); - CHECK(configure_forward(config, view, origin, forwarders, - forwardtype)); - } - - /* - * Stub and forward zones may also refer to delegation only points. - */ - only = NULL; - if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS) - { - if (cfg_obj_asboolean(only)) - CHECK(dns_view_adddelegationonly(view, origin)); - } - - /* - * Configure the zone. - */ - CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone)); - - /* - * Add the zone to its view in the new view list. - */ - CHECK(dns_view_addzone(view, zone)); - - cleanup: - if (zone != NULL) - dns_zone_detach(&zone); - if (pview != NULL) - dns_view_detach(&pview); - - return (result); -} - -/* - * Configure a single server quota. - */ -static void -configure_server_quota(const cfg_obj_t **maps, const char *name, - isc_quota_t *quota) -{ - const cfg_obj_t *obj = NULL; - isc_result_t result; - - result = ns_config_get(maps, name, &obj); - INSIST(result == ISC_R_SUCCESS); - isc_quota_max(quota, cfg_obj_asuint32(obj)); -} - -/* - * This function is called as soon as the 'directory' statement has been - * parsed. This can be extended to support other options if necessary. - */ -static isc_result_t -directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) { - isc_result_t result; - const char *directory; - - REQUIRE(strcasecmp("directory", clausename) == 0); - - UNUSED(arg); - UNUSED(clausename); - - /* - * Change directory. - */ - directory = cfg_obj_asstring(obj); - - if (! 
isc_file_ischdiridempotent(directory)) - cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING, - "option 'directory' contains relative path '%s'", - directory); - - result = isc_dir_chdir(directory); - if (result != ISC_R_SUCCESS) { - cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, - "change directory to '%s' failed: %s", - directory, isc_result_totext(result)); - return (result); - } - - return (ISC_R_SUCCESS); -} - -static void -scan_interfaces(ns_server_t *server, isc_boolean_t verbose) { - isc_boolean_t match_mapped = server->aclenv.match_mapped; - - ns_interfacemgr_scan(server->interfacemgr, verbose); - /* - * Update the "localhost" and "localnets" ACLs to match the - * current set of network interfaces. - */ - dns_aclenv_copy(&server->aclenv, - ns_interfacemgr_getaclenv(server->interfacemgr)); - - server->aclenv.match_mapped = match_mapped; -} - -static isc_result_t -add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr, - isc_boolean_t wcardport_ok) -{ - ns_listenelt_t *lelt = NULL; - dns_acl_t *src_acl = NULL; - dns_aclelement_t aelt; - isc_result_t result; - isc_sockaddr_t any_sa6; - - REQUIRE(isc_sockaddr_pf(addr) == AF_INET6); - - isc_sockaddr_any6(&any_sa6); - if (!isc_sockaddr_equal(&any_sa6, addr) && - (wcardport_ok || isc_sockaddr_getport(addr) != 0)) { - aelt.type = dns_aclelementtype_ipprefix; - aelt.negative = ISC_FALSE; - aelt.u.ip_prefix.prefixlen = 128; - isc_netaddr_fromin6(&aelt.u.ip_prefix.address, - &addr->type.sin6.sin6_addr); - - result = dns_acl_create(mctx, 1, &src_acl); - if (result != ISC_R_SUCCESS) - return (result); - result = dns_acl_appendelement(src_acl, &aelt); - if (result != ISC_R_SUCCESS) - goto clean; - - result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr), - src_acl, &lelt); - if (result != ISC_R_SUCCESS) - goto clean; - ISC_LIST_APPEND(list->elts, lelt, link); - } - - return (ISC_R_SUCCESS); - - clean: - INSIST(lelt == NULL); - dns_acl_detach(&src_acl); - - return (result); -} - -/* - * Make a list of 
xxx-source addresses and call ns_interfacemgr_adjust() - * to update the listening interfaces accordingly. - * We currently only consider IPv6, because this only affects IPv6 wildcard - * sockets. - */ -static void -adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) { - isc_result_t result; - ns_listenlist_t *list = NULL; - dns_view_t *view; - dns_zone_t *zone, *next; - isc_sockaddr_t addr, *addrp; - - result = ns_listenlist_create(mctx, &list); - if (result != ISC_R_SUCCESS) - return; - - for (view = ISC_LIST_HEAD(server->viewlist); - view != NULL; - view = ISC_LIST_NEXT(view, link)) { - dns_dispatch_t *dispatch6; - - dispatch6 = dns_resolver_dispatchv6(view->resolver); - if (dispatch6 == NULL) - continue; - result = dns_dispatch_getlocaladdress(dispatch6, &addr); - if (result != ISC_R_SUCCESS) - goto fail; - - /* - * We always add non-wildcard address regardless of whether - * the port is 'any' (the fourth arg is TRUE): if the port is - * specific, we need to add it since it may conflict with a - * listening interface; if it's zero, we'll dynamically open - * query ports, and some of them may override an existing - * wildcard IPv6 port. - */ - result = add_listenelt(mctx, list, &addr, ISC_TRUE); - if (result != ISC_R_SUCCESS) - goto fail; - } - - zone = NULL; - for (result = dns_zone_first(server->zonemgr, &zone); - result == ISC_R_SUCCESS; - next = NULL, result = dns_zone_next(zone, &next), zone = next) { - dns_view_t *zoneview; - - /* - * At this point the zone list may contain a stale zone - * just removed from the configuration. To see the validity, - * check if the corresponding view is in our current view list. - * There may also be old zones that are still in the process - * of shutting down and have detached from their old view - * (zoneview == NULL). 
- */
- zoneview = dns_zone_getview(zone);
- if (zoneview == NULL)
- continue;
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL && view != zoneview;
- view = ISC_LIST_NEXT(view, link))
- ;
- if (view == NULL)
- continue;
-
- addrp = dns_zone_getnotifysrc6(zone);
- result = add_listenelt(mctx, list, addrp, ISC_FALSE);
- if (result != ISC_R_SUCCESS)
- goto fail;
-
- addrp = dns_zone_getxfrsource6(zone);
- result = add_listenelt(mctx, list, addrp, ISC_FALSE);
- if (result != ISC_R_SUCCESS)
- goto fail;
- }
-
- ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE);
-
- clean:
- ns_listenlist_detach(&list);
- return;
-
- fail:
- /*
- * Even when we failed the procedure, most of other interfaces
- * should work correctly. We therefore just warn it.
- */
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "could not adjust the listen-on list; "
- "some interfaces may not work");
- goto clean;
-}
-
-/*
- * This event callback is invoked to do periodic network
- * interface scanning.
- */
-static void
-interface_timer_tick(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- ns_server_t *server = (ns_server_t *) event->ev_arg;
- INSIST(task == server->task);
- UNUSED(task);
- isc_event_free(&event);
- /*
- * XXX should scan interfaces unlocked and get exclusive access
- * only to replace ACLs.
- */
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- scan_interfaces(server, ISC_FALSE);
- isc_task_endexclusive(server->task);
-}
-
-static void
-heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
- ns_server_t *server = (ns_server_t *) event->ev_arg;
- dns_view_t *view;
-
- UNUSED(task);
- isc_event_free(&event);
- view = ISC_LIST_HEAD(server->viewlist);
- while (view != NULL) {
- dns_view_dialup(view);
- view = ISC_LIST_NEXT(view, link);
- }
-}
-
-static void
-pps_timer_tick(isc_task_t *task, isc_event_t *event) {
- static unsigned int oldrequests = 0;
- unsigned int requests = ns_client_requests;
-
- UNUSED(task);
- isc_event_free(&event);
-
- /*
- * Don't worry about wrapping as the overflow result will be right.
- */
- dns_pps = (requests - oldrequests) / 1200;
- oldrequests = requests;
-}
-
-/*
- * Replace the current value of '*field', a dynamically allocated
- * string or NULL, with a dynamically allocated copy of the
- * null-terminated string pointed to by 'value', or NULL.
- */
-static isc_result_t
-setstring(ns_server_t *server, char **field, const char *value) {
- char *copy;
-
- if (value != NULL) {
- copy = isc_mem_strdup(server->mctx, value);
- if (copy == NULL)
- return (ISC_R_NOMEMORY);
- } else {
- copy = NULL;
- }
-
- if (*field != NULL)
- isc_mem_free(server->mctx, *field);
-
- *field = copy;
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Replace the current value of '*field', a dynamically allocated
- * string or NULL, with another dynamically allocated string
- * or NULL if whether 'obj' is a string or void value, respectively.
- */
-static isc_result_t
-setoptstring(ns_server_t *server, char **field, const cfg_obj_t *obj) {
- if (cfg_obj_isvoid(obj))
- return (setstring(server, field, NULL));
- else
- return (setstring(server, field, cfg_obj_asstring(obj)));
-}
-
-static void
-set_limit(const cfg_obj_t **maps, const char *configname,
- const char *description, isc_resource_t resourceid,
- isc_resourcevalue_t defaultvalue)
-{
- const cfg_obj_t *obj = NULL;
- const char *resource;
- isc_resourcevalue_t value;
- isc_result_t result;
-
- if (ns_config_get(maps, configname, &obj) != ISC_R_SUCCESS)
- return;
-
- if (cfg_obj_isstring(obj)) {
- resource = cfg_obj_asstring(obj);
- if (strcasecmp(resource, "unlimited") == 0)
- value = ISC_RESOURCE_UNLIMITED;
- else {
- INSIST(strcasecmp(resource, "default") == 0);
- value = defaultvalue;
- }
- } else
- value = cfg_obj_asuint64(obj);
-
- result = isc_resource_setlimit(resourceid, value);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- result == ISC_R_SUCCESS ?
- ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
- "set maximum %s to %" ISC_PRINT_QUADFORMAT "d: %s",
- description, value, isc_result_totext(result));
-}
-
-#define SETLIMIT(cfgvar, resource, description) \
- set_limit(maps, cfgvar, description, isc_resource_ ## resource, \
- ns_g_init ## resource)
-
-static void
-set_limits(const cfg_obj_t **maps) {
- SETLIMIT("stacksize", stacksize, "stack size");
- SETLIMIT("datasize", datasize, "data size");
- SETLIMIT("coresize", coresize, "core size");
- SETLIMIT("files", openfiles, "open files");
-}
-
-static isc_result_t
-portlist_fromconf(dns_portlist_t *portlist, unsigned int family,
- const cfg_obj_t *ports)
-{
- const cfg_listelt_t *element;
- isc_result_t result = ISC_R_SUCCESS;
-
- for (element = cfg_list_first(ports);
- element != NULL;
- element = cfg_list_next(element)) {
- const cfg_obj_t *obj = cfg_listelt_value(element);
- in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
-
- result = dns_portlist_add(portlist, family, port);
- if (result != ISC_R_SUCCESS)
- break;
- }
- return (result);
-}
-
-static isc_result_t
-removed(dns_zone_t *zone, void *uap) {
- const char *type;
-
- if (dns_zone_getview(zone) != uap)
- return (ISC_R_SUCCESS);
-
- switch (dns_zone_gettype(zone)) {
- case dns_zone_master:
- type = "master";
- break;
- case dns_zone_slave:
- type = "slave";
- break;
- case dns_zone_stub:
- type = "stub";
- break;
- default:
- type = "other";
- break;
- }
- dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-load_configuration(const char *filename, ns_server_t *server,
- isc_boolean_t first_time)
-{
- cfg_aclconfctx_t aclconfctx;
- cfg_obj_t *config;
- cfg_parser_t *parser = NULL;
- const cfg_listelt_t *element;
- const cfg_obj_t *builtin_views;
- const cfg_obj_t *maps[3];
- const cfg_obj_t *obj;
- const cfg_obj_t *options;
- const cfg_obj_t *v4ports, *v6ports;
- const cfg_obj_t *views;
- dns_view_t *view = NULL;
- dns_view_t *view_next;
- dns_viewlist_t
tmpviewlist;
- dns_viewlist_t viewlist;
- in_port_t listen_port;
- int i;
- isc_interval_t interval;
- isc_resourcevalue_t files;
- isc_result_t result;
- isc_uint32_t heartbeat_interval;
- isc_uint32_t interface_interval;
- isc_uint32_t reserved;
- isc_uint32_t udpsize;
-
- cfg_aclconfctx_init(&aclconfctx);
- ISC_LIST_INIT(viewlist);
-
- /* Ensure exclusive access to configuration data. */
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- /*
- * Parse the global default pseudo-config file.
- */
- if (first_time) {
- CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
- RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
- &ns_g_defaults) ==
- ISC_R_SUCCESS);
- }
-
- /*
- * Parse the configuration file using the new config code.
- */
- result = ISC_R_FAILURE;
- config = NULL;
-
- /*
- * Unless this is lwresd with the -C option, parse the config file.
- */
- if (!(ns_g_lwresdonly && lwresd_g_useresolvconf)) {
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_INFO, "loading configuration from '%s'",
- filename);
- CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
- cfg_parser_setcallback(parser, directory_callback, NULL);
- result = cfg_parse_file(parser, filename, &cfg_type_namedconf,
- &config);
- }
-
- /*
- * If this is lwresd with the -C option, or lwresd with no -C or -c
- * option where the above parsing failed, parse resolv.conf.
- */
- if (ns_g_lwresdonly &&
- (lwresd_g_useresolvconf ||
- (!ns_g_conffileset && result == ISC_R_FILENOTFOUND)))
- {
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_INFO, "loading configuration from '%s'",
- lwresd_g_resolvconffile);
- if (parser != NULL)
- cfg_parser_destroy(&parser);
- CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
- result = ns_lwresd_parseeresolvconf(ns_g_mctx, parser,
- &config);
- }
- CHECK(result);
-
- /*
- * Check the validity of the configuration.
- */
- CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx));
-
- /*
- * Fill in the maps array, used for resolving defaults.
- */
- i = 0;
- options = NULL;
- result = cfg_map_get(config, "options", &options);
- if (result == ISC_R_SUCCESS)
- maps[i++] = options;
- maps[i++] = ns_g_defaults;
- maps[i++] = NULL;
-
- /*
- * Set process limits, which (usually) needs to be done as root.
- */
- set_limits(maps);
-
- /*
- * Sanity check on "files" limit.
- */
- result = isc_resource_curlimit(isc_resource_openfiles, &files);
- if (result == ISC_R_SUCCESS && files < FD_SETSIZE) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "the 'files' limit (%" ISC_PRINT_QUADFORMAT "u) "
- "is less than FD_SETSIZE (%d), increase "
- "'files' in named.conf or recompile with a "
- "smaller FD_SETSIZE.", files, FD_SETSIZE);
- if (files > FD_SETSIZE)
- files = FD_SETSIZE;
- } else
- files = FD_SETSIZE;
-
- /*
- * Set the number of socket reserved for TCP, stdio etc.
- */
- obj = NULL;
- result = ns_config_get(maps, "reserved-sockets", &obj);
- INSIST(result == ISC_R_SUCCESS);
- reserved = cfg_obj_asuint32(obj);
- if (files < 128U) /* Prevent underflow. */
- reserved = 0;
- else if (reserved > files - 128U) /* Mimimum UDP space. */
- reserved = files - 128;
- if (reserved < 128U) /* Mimimum TCP/stdio space. */
- reserved = 128;
- if (reserved + 128U > files) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "less than 128 UDP sockets available after "
- "applying 'reserved-sockets' and 'files'");
- }
- isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
-
- /*
- * Configure various server options.
- */
- configure_server_quota(maps, "transfers-out", &server->xfroutquota);
- configure_server_quota(maps, "tcp-clients", &server->tcpquota);
- configure_server_quota(maps, "recursive-clients",
- &server->recursionquota);
- if (server->recursionquota.max > 1000)
- isc_quota_soft(&server->recursionquota,
- server->recursionquota.max - 100);
- else
- isc_quota_soft(&server->recursionquota, 0);
-
- CHECK(configure_view_acl(NULL, config, "blackhole", &aclconfctx,
- ns_g_mctx, &server->blackholeacl));
- if (server->blackholeacl != NULL)
- dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
- server->blackholeacl);
-
- obj = NULL;
- result = ns_config_get(maps, "match-mapped-addresses", &obj);
- INSIST(result == ISC_R_SUCCESS);
- server->aclenv.match_mapped = cfg_obj_asboolean(obj);
-
- v4ports = NULL;
- v6ports = NULL;
- (void)ns_config_get(maps, "avoid-v4-udp-ports", &v4ports);
- (void)ns_config_get(maps, "avoid-v6-udp-ports", &v6ports);
- if (v4ports != NULL || v6ports != NULL) {
- dns_portlist_t *portlist = NULL;
- result = dns_portlist_create(ns_g_mctx, &portlist);
- if (result == ISC_R_SUCCESS && v4ports != NULL)
- result = portlist_fromconf(portlist, AF_INET, v4ports);
- if (result == ISC_R_SUCCESS && v6ports != NULL)
- portlist_fromconf(portlist, AF_INET6, v6ports);
- if (result == ISC_R_SUCCESS)
- dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, portlist);
- if (portlist != NULL)
- dns_portlist_detach(&portlist);
- CHECK(result);
- } else
- dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, NULL);
-
- /*
- * Set the EDNS UDP size when we don't match a view.
- */
- obj = NULL;
- result = ns_config_get(maps, "edns-udp-size", &obj);
- INSIST(result == ISC_R_SUCCESS);
- udpsize = cfg_obj_asuint32(obj);
- if (udpsize < 512)
- udpsize = 512;
- if (udpsize > 4096)
- udpsize = 4096;
- ns_g_udpsize = (isc_uint16_t)udpsize;
-
- /*
- * Configure the zone manager.
- */
- obj = NULL;
- result = ns_config_get(maps, "transfers-in", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "transfers-per-ns", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "serial-query-rate", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj));
-
- /*
- * Determine which port to use for listening for incoming connections.
- */
- if (ns_g_port != 0)
- listen_port = ns_g_port;
- else
- CHECKM(ns_config_getport(config, &listen_port), "port");
-
- /*
- * Find the listen queue depth.
- */
- obj = NULL;
- result = ns_config_get(maps, "tcp-listen-queue", &obj);
- INSIST(result == ISC_R_SUCCESS);
- ns_g_listen = cfg_obj_asuint32(obj);
- if (ns_g_listen < 3)
- ns_g_listen = 3;
-
- /*
- * Configure the interface manager according to the "listen-on"
- * statement.
- */
- {
- const cfg_obj_t *clistenon = NULL;
- ns_listenlist_t *listenon = NULL;
-
- clistenon = NULL;
- /*
- * Even though listen-on is present in the default
- * configuration, we can't use it here, since it isn't
- * used if we're in lwresd mode. This way is easier.
- */
- if (options != NULL)
- (void)cfg_map_get(options, "listen-on", &clistenon);
- if (clistenon != NULL) {
- result = ns_listenlist_fromconfig(clistenon,
- config,
- &aclconfctx,
- ns_g_mctx,
- &listenon);
- } else if (!ns_g_lwresdonly) {
- /*
- * Not specified, use default.
- */
- CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
- ISC_TRUE, &listenon));
- }
- if (listenon != NULL) {
- ns_interfacemgr_setlistenon4(server->interfacemgr,
- listenon);
- ns_listenlist_detach(&listenon);
- }
- }
- /*
- * Ditto for IPv6.
- */
- {
- const cfg_obj_t *clistenon = NULL;
- ns_listenlist_t *listenon = NULL;
-
- if (options != NULL)
- (void)cfg_map_get(options, "listen-on-v6", &clistenon);
- if (clistenon != NULL) {
- result = ns_listenlist_fromconfig(clistenon,
- config,
- &aclconfctx,
- ns_g_mctx,
- &listenon);
- } else if (!ns_g_lwresdonly) {
- /*
- * Not specified, use default.
- */
- CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
- ISC_TRUE, &listenon));
- }
- if (listenon != NULL) {
- ns_interfacemgr_setlistenon6(server->interfacemgr,
- listenon);
- ns_listenlist_detach(&listenon);
- }
- }
-
- /*
- * Rescan the interface list to pick up changes in the
- * listen-on option. It's important that we do this before we try
- * to configure the query source, since the dispatcher we use might
- * be shared with an interface.
- */
- scan_interfaces(server, ISC_TRUE);
-
- /*
- * Arrange for further interface scanning to occur periodically
- * as specified by the "interface-interval" option.
- */
- obj = NULL;
- result = ns_config_get(maps, "interface-interval", &obj);
- INSIST(result == ISC_R_SUCCESS);
- interface_interval = cfg_obj_asuint32(obj) * 60;
- if (interface_interval == 0) {
- CHECK(isc_timer_reset(server->interface_timer,
- isc_timertype_inactive,
- NULL, NULL, ISC_TRUE));
- } else if (server->interface_interval != interface_interval) {
- isc_interval_set(&interval, interface_interval, 0);
- CHECK(isc_timer_reset(server->interface_timer,
- isc_timertype_ticker,
- NULL, &interval, ISC_FALSE));
- }
- server->interface_interval = interface_interval;
-
- /*
- * Configure the dialup heartbeat timer.
- */
- obj = NULL;
- result = ns_config_get(maps, "heartbeat-interval", &obj);
- INSIST(result == ISC_R_SUCCESS);
- heartbeat_interval = cfg_obj_asuint32(obj) * 60;
- if (heartbeat_interval == 0) {
- CHECK(isc_timer_reset(server->heartbeat_timer,
- isc_timertype_inactive,
- NULL, NULL, ISC_TRUE));
- } else if (server->heartbeat_interval != heartbeat_interval) {
- isc_interval_set(&interval, heartbeat_interval, 0);
- CHECK(isc_timer_reset(server->heartbeat_timer,
- isc_timertype_ticker,
- NULL, &interval, ISC_FALSE));
- }
- server->heartbeat_interval = heartbeat_interval;
-
- isc_interval_set(&interval, 1200, 0);
- CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
- &interval, ISC_FALSE));
-
- /*
- * Configure and freeze all explicit views. Explicit
- * views that have zones were already created at parsing
- * time, but views with no zones must be created here.
- */
- views = NULL;
- (void)cfg_map_get(config, "view", &views);
- for (element = cfg_list_first(views);
- element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *vconfig = cfg_listelt_value(element);
- view = NULL;
-
- CHECK(create_view(vconfig, &viewlist, &view));
- INSIST(view != NULL);
- CHECK(configure_view(view, config, vconfig,
- ns_g_mctx, &aclconfctx, ISC_TRUE));
- dns_view_freeze(view);
- dns_view_detach(&view);
- }
-
- /*
- * Make sure we have a default view if and only if there
- * were no explicit views.
- */
- if (views == NULL) {
- /*
- * No explicit views; there ought to be a default view.
- * There may already be one created as a side effect
- * of zone statements, or we may have to create one.
- * In either case, we need to configure and freeze it.
- */
- CHECK(create_view(NULL, &viewlist, &view));
- CHECK(configure_view(view, config, NULL, ns_g_mctx,
- &aclconfctx, ISC_TRUE));
- dns_view_freeze(view);
- dns_view_detach(&view);
- }
-
- /*
- * Create (or recreate) the built-in views. Currently
- * there is only one, the _bind view.
- */
- builtin_views = NULL;
- RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
- &builtin_views) == ISC_R_SUCCESS);
- for (element = cfg_list_first(builtin_views);
- element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *vconfig = cfg_listelt_value(element);
- CHECK(create_view(vconfig, &viewlist, &view));
- CHECK(configure_view(view, config, vconfig, ns_g_mctx,
- &aclconfctx, ISC_FALSE));
- dns_view_freeze(view);
- dns_view_detach(&view);
- view = NULL;
- }
-
- /*
- * Swap our new view list with the production one.
- */
- tmpviewlist = server->viewlist;
- server->viewlist = viewlist;
- viewlist = tmpviewlist;
-
- /*
- * Load the TKEY information from the configuration.
- */
- if (options != NULL) {
- dns_tkeyctx_t *t = NULL;
- CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy,
- &t),
- "configuring TKEY");
- if (server->tkeyctx != NULL)
- dns_tkeyctx_destroy(&server->tkeyctx);
- server->tkeyctx = t;
- }
-
- /*
- * Bind the control port(s).
- */
- CHECKM(ns_controls_configure(ns_g_server->controls, config,
- &aclconfctx),
- "binding control channel(s)");
-
- /*
- * Bind the lwresd port(s).
- */
- CHECKM(ns_lwresd_configure(ns_g_mctx, config),
- "binding lightweight resolver ports");
-
- /*
- * Open the source of entropy.
- */
- if (first_time) {
- obj = NULL;
- result = ns_config_get(maps, "random-device", &obj);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "no source of entropy found");
- } else {
- const char *randomdev = cfg_obj_asstring(obj);
- result = isc_entropy_createfilesource(ns_g_entropy,
- randomdev);
-#ifdef PATH_RANDOMDEV
- if (ns_g_fallbackentropy != NULL) {
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER,
- ISC_LOG_INFO,
- "using pre-chroot entropy source "
- "%s",
- PATH_RANDOMDEV);
- isc_entropy_detach(&ns_g_entropy);
- isc_entropy_attach(ns_g_fallbackentropy,
- &ns_g_entropy);
- }
- isc_entropy_detach(&ns_g_fallbackentropy);
- } else
-#endif
- if (result != ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER,
- ISC_LOG_INFO,
- "could not open entropy source "
- "%s: %s",
- randomdev,
- isc_result_totext(result));
- }
- }
-
- /*
- * Relinquish root privileges. Not used due to privsep
- */
-#if 0
- if (first_time)
- ns_os_changeuser();
-#endif
-
- /*
- * Configure the logging system.
- *
- * Do this after changing UID to make sure that any log
- * files specified in named.conf get created by the
- * unprivileged user, not root.
- */
- if (ns_g_logstderr) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "ignoring config file logging "
- "statement due to -g option");
- } else {
- const cfg_obj_t *logobj = NULL;
- isc_logconfig_t *logc = NULL;
-
- CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
- "creating new logging configuration");
-
- logobj = NULL;
- (void)cfg_map_get(config, "logging", &logobj);
- if (logobj != NULL) {
- CHECKM(ns_log_configure(logc, logobj),
- "configuring logging");
- } else {
- CHECKM(ns_log_setdefaultchannels(logc),
- "setting up default logging channels");
- CHECKM(ns_log_setunmatchedcategory(logc),
- "setting up default 'category unmatched'");
- CHECKM(ns_log_setdefaultcategory(logc),
- "setting up default 'category default'");
- }
-
- result = isc_logconfig_use(ns_g_lctx, logc);
- if (result != ISC_R_SUCCESS) {
- isc_logconfig_destroy(&logc);
- CHECKM(result, "installing logging configuration");
- }
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
- "now using logging configuration from "
- "config file");
- }
-
- /*
- * Set the default value of the query logging flag depending
- * whether a "queries" category has been defined. This is
- * a disgusting hack, but we need to do this for BIND 8
- * compatibility.
- */
- if (first_time) {
- const cfg_obj_t *logobj = NULL;
- const cfg_obj_t *categories = NULL;
-
- obj = NULL;
- if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
- server->log_queries = cfg_obj_asboolean(obj);
- } else {
-
- (void)cfg_map_get(config, "logging", &logobj);
- if (logobj != NULL)
- (void)cfg_map_get(logobj, "category",
- &categories);
- if (categories != NULL) {
- const cfg_listelt_t *element;
- for (element = cfg_list_first(categories);
- element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *catobj;
- const char *str;
-
- obj = cfg_listelt_value(element);
- catobj = cfg_tuple_get(obj, "name");
- str = cfg_obj_asstring(catobj);
- if (strcasecmp(str, "queries") == 0)
- server->log_queries = ISC_TRUE;
- }
- }
- }
- }
-
- if (ns_g_pidfile != NULL) {
- ns_os_writepidfile(ns_g_pidfile, first_time);
- } else {
- obj = NULL;
- if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
- ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
- else if (ns_g_lwresdonly)
- ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
- else
- ns_os_writepidfile(ns_g_defaultpidfile, first_time);
- }
-
- obj = NULL;
- if (options != NULL &&
- cfg_map_get(options, "memstatistics-file", &obj) == ISC_R_SUCCESS)
- ns_main_setmemstats(cfg_obj_asstring(obj));
- else
- ns_main_setmemstats(NULL);
-
- obj = NULL;
- result = ns_config_get(maps, "statistics-file", &obj);
- INSIST(result == ISC_R_SUCCESS);
- CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
- "strdup");
-
- obj = NULL;
- result = ns_config_get(maps, "dump-file", &obj);
- INSIST(result == ISC_R_SUCCESS);
- CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
- "strdup");
-
- obj = NULL;
- result = ns_config_get(maps, "recursing-file", &obj);
- INSIST(result == ISC_R_SUCCESS);
- CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
- "strdup");
-
- obj = NULL;
- result = ns_config_get(maps, "version", &obj);
- if (result ==
ISC_R_SUCCESS) {
- CHECKM(setoptstring(server, &server->version, obj), "strdup");
- server->version_set = ISC_TRUE;
- } else {
- server->version_set = ISC_FALSE;
- }
-
- obj = NULL;
- result = ns_config_get(maps, "hostname", &obj);
- if (result == ISC_R_SUCCESS) {
- CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
- server->hostname_set = ISC_TRUE;
- } else {
- server->hostname_set = ISC_FALSE;
- }
-
- obj = NULL;
- result = ns_config_get(maps, "server-id", &obj);
- server->server_usehostname = ISC_FALSE;
- if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
- server->server_usehostname = ISC_TRUE;
- } else if (result == ISC_R_SUCCESS) {
- CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
- } else {
- result = setstring(server, &server->server_id, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- }
-
- obj = NULL;
- result = ns_config_get(maps, "flush-zones-on-shutdown", &obj);
- if (result == ISC_R_SUCCESS) {
- server->flushonshutdown = cfg_obj_asboolean(obj);
- } else {
- server->flushonshutdown = ISC_FALSE;
- }
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- cfg_aclconfctx_destroy(&aclconfctx);
-
- if (parser != NULL) {
- if (config != NULL)
- cfg_obj_destroy(parser, &config);
- cfg_parser_destroy(&parser);
- }
-
- if (view != NULL)
- dns_view_detach(&view);
-
- /*
- * This cleans up either the old production view list
- * or our temporary list depending on whether they
- * were swapped above or not.
- */
- for (view = ISC_LIST_HEAD(viewlist);
- view != NULL;
- view = view_next) {
- view_next = ISC_LIST_NEXT(view, link);
- ISC_LIST_UNLINK(viewlist, view, link);
- if (result == ISC_R_SUCCESS &&
- strcmp(view->name, "_bind") != 0)
- (void)dns_zt_apply(view->zonetable, ISC_FALSE,
- removed, view);
- dns_view_detach(&view);
- }
-
- /*
- * Adjust the listening interfaces in accordance with the source
- * addresses specified in views and zones.
- */
- if (isc_net_probeipv6() == ISC_R_SUCCESS)
- adjust_interfaces(server, ns_g_mctx);
-
- /* Relinquish exclusive access to configuration data. */
- isc_task_endexclusive(server->task);
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_DEBUG(1), "load_configuration: %s",
- isc_result_totext(result));
-
- return (result);
-}
-
-static isc_result_t
-load_zones(ns_server_t *server, isc_boolean_t stop) {
- isc_result_t result;
- dns_view_t *view;
-
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- /*
- * Load zone data from disk.
- */
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- CHECK(dns_view_load(view, stop));
- }
-
- /*
- * Force zone maintenance. Do this after loading
- * so that we know when we need to force AXFR of
- * slave zones whose master files are missing.
- */
- CHECK(dns_zonemgr_forcemaint(server->zonemgr));
- cleanup:
- isc_task_endexclusive(server->task);
- return (result);
-}
-
-static isc_result_t
-load_new_zones(ns_server_t *server, isc_boolean_t stop) {
- isc_result_t result;
- dns_view_t *view;
-
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- /*
- * Load zone data from disk.
- */
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- CHECK(dns_view_loadnew(view, stop));
- }
- /*
- * Force zone maintenance. Do this after loading
- * so that we know when we need to force AXFR of
- * slave zones whose master files are missing.
- */
- dns_zonemgr_resumexfrs(server->zonemgr);
- cleanup:
- isc_task_endexclusive(server->task);
- return (result);
-}
-
-static void
-run_server(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- ns_server_t *server = (ns_server_t *)event->ev_arg;
-
- INSIST(task == server->task);
-
- isc_event_free(&event);
-
- CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, ns_g_entropy,
- &ns_g_dispatchmgr),
- "creating dispatch manager");
-
- CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
- ns_g_socketmgr, ns_g_dispatchmgr,
- &server->interfacemgr),
- "creating interface manager");
-
- CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
- NULL, NULL, server->task,
- interface_timer_tick,
- server, &server->interface_timer),
- "creating interface timer");
-
- CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
- NULL, NULL, server->task,
- heartbeat_timer_tick,
- server, &server->heartbeat_timer),
- "creating heartbeat timer");
-
- CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
- NULL, NULL, server->task, pps_timer_tick,
- server, &server->pps_timer),
- "creating pps timer");
-
- CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser),
- "creating default configuration parser");
-
- if (ns_g_lwresdonly)
- CHECKFATAL(load_configuration(lwresd_g_conffile, server,
- ISC_TRUE),
- "loading configuration");
- else
- CHECKFATAL(load_configuration(ns_g_conffile, server, ISC_TRUE),
- "loading configuration");
-
- isc_hash_init();
-
- CHECKFATAL(load_zones(server, ISC_FALSE), "loading zones");
-
- ns_os_started();
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_NOTICE, "running");
-}
-
-void
-ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) {
-
- REQUIRE(NS_SERVER_VALID(server));
-
- server->flushonshutdown = flush;
-}
-
-static void
-shutdown_server(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- dns_view_t *view, *view_next;
- ns_server_t
*server = (ns_server_t *)event->ev_arg;
- isc_boolean_t flush = server->flushonshutdown;
-
- UNUSED(task);
- INSIST(task == server->task);
-
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_INFO, "shutting down%s",
- flush ? ": flushing changes" : "");
-
- ns_controls_shutdown(server->controls);
- end_reserved_dispatches(server, ISC_TRUE);
-
- cfg_obj_destroy(ns_g_parser, &ns_g_config);
- cfg_parser_destroy(&ns_g_parser);
-
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = view_next) {
- view_next = ISC_LIST_NEXT(view, link);
- ISC_LIST_UNLINK(server->viewlist, view, link);
- if (flush)
- dns_view_flushanddetach(&view);
- else
- dns_view_detach(&view);
- }
-
- isc_timer_detach(&server->interface_timer);
- isc_timer_detach(&server->heartbeat_timer);
- isc_timer_detach(&server->pps_timer);
-
- ns_interfacemgr_shutdown(server->interfacemgr);
- ns_interfacemgr_detach(&server->interfacemgr);
-
- dns_dispatchmgr_destroy(&ns_g_dispatchmgr);
-
- dns_zonemgr_shutdown(server->zonemgr);
-
- if (server->blackholeacl != NULL)
- dns_acl_detach(&server->blackholeacl);
-
- dns_db_detach(&server->in_roothints);
-
- isc_task_endexclusive(server->task);
-
- isc_task_detach(&server->task);
-
- isc_event_free(&event);
-}
-
-void
-ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
- isc_result_t result;
-
- ns_server_t *server = isc_mem_get(mctx, sizeof(*server));
- if (server == NULL)
- fatal("allocating server object", ISC_R_NOMEMORY);
-
- server->mctx = mctx;
- server->task = NULL;
-
- /* Initialize configuration data with default values.
*/
-
- result = isc_quota_init(&server->xfroutquota, 10);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- result = isc_quota_init(&server->tcpquota, 10);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- result = isc_quota_init(&server->recursionquota, 100);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- result = dns_aclenv_init(mctx, &server->aclenv);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- /* Initialize server data structures. */
- server->zonemgr = NULL;
- server->interfacemgr = NULL;
- ISC_LIST_INIT(server->viewlist);
- server->in_roothints = NULL;
- server->blackholeacl = NULL;
-
- CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
- &server->in_roothints),
- "setting up root hints");
-
- CHECKFATAL(isc_mutex_init(&server->reload_event_lock),
- "initializing reload event lock");
- server->reload_event =
- isc_event_allocate(ns_g_mctx, server,
- NS_EVENT_RELOAD,
- ns_server_reload,
- server,
- sizeof(isc_event_t));
- CHECKFATAL(server->reload_event == NULL ?
- ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "allocating reload event");
-
- CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY),
- "initializing DST");
-
- server->tkeyctx = NULL;
- CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
- &server->tkeyctx),
- "creating TKEY context");
-
- /*
- * Setup the server task, which is responsible for coordinating
- * startup and shutdown of the server.
- */
- CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
- "creating server task");
- isc_task_setname(server->task, "server", server);
- CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
- "isc_task_onshutdown");
- CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
- "isc_app_onrun");
-
- server->interface_timer = NULL;
- server->heartbeat_timer = NULL;
- server->pps_timer = NULL;
-
- server->interface_interval = 0;
- server->heartbeat_interval = 0;
-
- CHECKFATAL(dns_zonemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr,
- ns_g_socketmgr, &server->zonemgr),
- "dns_zonemgr_create");
-
- server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
- CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "isc_mem_strdup");
- server->querystats = NULL;
-
- server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
- CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
- CHECKFATAL(server->recfile == NULL ?
ISC_R_NOMEMORY : ISC_R_SUCCESS, - "isc_mem_strdup"); - - server->hostname_set = ISC_FALSE; - server->hostname = NULL; - server->version_set = ISC_FALSE; - server->version = NULL; - server->server_usehostname = ISC_FALSE; - server->server_id = NULL; - - CHECKFATAL(dns_stats_alloccounters(ns_g_mctx, &server->querystats), - "dns_stats_alloccounters"); - - server->flushonshutdown = ISC_FALSE; - server->log_queries = ISC_FALSE; - - server->controls = NULL; - CHECKFATAL(ns_controls_create(server, &server->controls), - "ns_controls_create"); - server->dispatchgen = 0; - ISC_LIST_INIT(server->dispatches); - - server->magic = NS_SERVER_MAGIC; - *serverp = server; -} - -void -ns_server_destroy(ns_server_t **serverp) { - ns_server_t *server = *serverp; - REQUIRE(NS_SERVER_VALID(server)); - - ns_controls_destroy(&server->controls); - - dns_stats_freecounters(server->mctx, &server->querystats); - - isc_mem_free(server->mctx, server->statsfile); - isc_mem_free(server->mctx, server->dumpfile); - isc_mem_free(server->mctx, server->recfile); - - if (server->version != NULL) - isc_mem_free(server->mctx, server->version); - if (server->hostname != NULL) - isc_mem_free(server->mctx, server->hostname); - if (server->server_id != NULL) - isc_mem_free(server->mctx, server->server_id); - - dns_zonemgr_detach(&server->zonemgr); - - if (server->tkeyctx != NULL) - dns_tkeyctx_destroy(&server->tkeyctx); - - dst_lib_destroy(); - - isc_event_free(&server->reload_event); - - INSIST(ISC_LIST_EMPTY(server->viewlist)); - - dns_aclenv_destroy(&server->aclenv); - - isc_quota_destroy(&server->recursionquota); - isc_quota_destroy(&server->tcpquota); - isc_quota_destroy(&server->xfroutquota); - - server->magic = 0; - isc_mem_put(server->mctx, server, sizeof(*server)); - *serverp = NULL; -} - -static void -fatal(const char *msg, isc_result_t result) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, - ISC_LOG_CRITICAL, "%s: %s", msg, - isc_result_totext(result)); - 
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, - ISC_LOG_CRITICAL, "exiting (due to fatal error)"); - exit(1); -} - -static void -start_reserved_dispatches(ns_server_t *server) { - - REQUIRE(NS_SERVER_VALID(server)); - - server->dispatchgen++; -} - -static void -end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) { - ns_dispatch_t *dispatch, *nextdispatch; - - REQUIRE(NS_SERVER_VALID(server)); - - for (dispatch = ISC_LIST_HEAD(server->dispatches); - dispatch != NULL; - dispatch = nextdispatch) { - nextdispatch = ISC_LIST_NEXT(dispatch, link); - if (!all && server->dispatchgen == dispatch-> dispatchgen) - continue; - ISC_LIST_UNLINK(server->dispatches, dispatch, link); - dns_dispatch_detach(&dispatch->dispatch); - isc_mem_put(server->mctx, dispatch, sizeof(*dispatch)); - } -} - -void -ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) { - ns_dispatch_t *dispatch; - in_port_t port; - char addrbuf[ISC_SOCKADDR_FORMATSIZE]; - isc_result_t result; - unsigned int attrs, attrmask; - - REQUIRE(NS_SERVER_VALID(server)); - - port = isc_sockaddr_getport(addr); - if (port == 0 || port >= 1024) - return; - - for (dispatch = ISC_LIST_HEAD(server->dispatches); - dispatch != NULL; - dispatch = ISC_LIST_NEXT(dispatch, link)) { - if (isc_sockaddr_equal(&dispatch->addr, addr)) - break; - } - if (dispatch != NULL) { - dispatch->dispatchgen = server->dispatchgen; - return; - } - - dispatch = isc_mem_get(server->mctx, sizeof(*dispatch)); - if (dispatch == NULL) { - result = ISC_R_NOMEMORY; - goto cleanup; - } - - dispatch->addr = *addr; - dispatch->dispatchgen = server->dispatchgen; - dispatch->dispatch = NULL; - - attrs = 0; - attrs |= DNS_DISPATCHATTR_UDP; - switch (isc_sockaddr_pf(addr)) { - case AF_INET: - attrs |= DNS_DISPATCHATTR_IPV4; - break; - case AF_INET6: - attrs |= DNS_DISPATCHATTR_IPV6; - break; - default: - result = ISC_R_NOTIMPLEMENTED; - goto cleanup; - } - attrmask = 0; - attrmask |= DNS_DISPATCHATTR_UDP; - 
attrmask |= DNS_DISPATCHATTR_TCP; - attrmask |= DNS_DISPATCHATTR_IPV4; - attrmask |= DNS_DISPATCHATTR_IPV6; - - result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr, - ns_g_taskmgr, &dispatch->addr, 4096, - 1000, 32768, 16411, 16433, - attrs, attrmask, &dispatch->dispatch); - if (result != ISC_R_SUCCESS) - goto cleanup; - - ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link); - - return; - - cleanup: - if (dispatch != NULL) - isc_mem_put(server->mctx, dispatch, sizeof(*dispatch)); - isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf)); - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, ISC_LOG_WARNING, - "unable to create dispatch for reserved port %s: %s", - addrbuf, isc_result_totext(result)); -} - - -static isc_result_t -loadconfig(ns_server_t *server) { - isc_result_t result; - start_reserved_dispatches(server); - result = load_configuration(ns_g_lwresdonly ? - lwresd_g_conffile : ns_g_conffile, - server, ISC_FALSE); - if (result == ISC_R_SUCCESS) - end_reserved_dispatches(server, ISC_FALSE); - else - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, ISC_LOG_ERROR, - "reloading configuration failed: %s", - isc_result_totext(result)); - return (result); -} - -static isc_result_t -reload(ns_server_t *server) { - isc_result_t result; - CHECK(loadconfig(server)); - - result = load_zones(server, ISC_FALSE); - if (result != ISC_R_SUCCESS) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, ISC_LOG_ERROR, - "reloading zones failed: %s", - isc_result_totext(result)); - } - cleanup: - return (result); -} - -static void -reconfig(ns_server_t *server) { - isc_result_t result; - CHECK(loadconfig(server)); - - result = load_new_zones(server, ISC_FALSE); - if (result != ISC_R_SUCCESS) { - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, - NS_LOGMODULE_SERVER, ISC_LOG_ERROR, - "loading new zones failed: %s", - isc_result_totext(result)); - } - cleanup: ; -} - -/* - * Handle a reload event 
(from SIGHUP). - */ -static void -ns_server_reload(isc_task_t *task, isc_event_t *event) { - ns_server_t *server = (ns_server_t *)event->ev_arg; - - INSIST(task = server->task); - UNUSED(task); - - (void)reload(server); - - LOCK(&server->reload_event_lock); - INSIST(server->reload_event == NULL); - server->reload_event = event; - UNLOCK(&server->reload_event_lock); -} - -void -ns_server_reloadwanted(ns_server_t *server) { - LOCK(&server->reload_event_lock); - if (server->reload_event != NULL) - isc_task_send(server->task, &server->reload_event); - UNLOCK(&server->reload_event_lock); -} - -static char * -next_token(char **stringp, const char *delim) { - char *res; - - do { - res = strsep(stringp, delim); - if (res == NULL) - break; - } while (*res == '\0'); - return (res); -} - -/* - * Find the zone specified in the control channel command 'args', - * if any. If a zone is specified, point '*zonep' at it, otherwise - * set '*zonep' to NULL. - */ -static isc_result_t -zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) { - char *input, *ptr; - const char *zonetxt; - char *classtxt; - const char *viewtxt = NULL; - dns_fixedname_t name; - isc_result_t result; - isc_buffer_t buf; - dns_view_t *view = NULL; - dns_rdataclass_t rdclass; - - REQUIRE(zonep != NULL && *zonep == NULL); - - input = args; - - /* Skip the command name. */ - ptr = next_token(&input, " \t"); - if (ptr == NULL) - return (ISC_R_UNEXPECTEDEND); - - /* Look for the zone name. */ - zonetxt = next_token(&input, " \t"); - if (zonetxt == NULL) - return (ISC_R_SUCCESS); - - /* Look for the optional class name. */ - classtxt = next_token(&input, " \t"); - if (classtxt != NULL) { - /* Look for the optional view name. 
*/ - viewtxt = next_token(&input, " \t"); - } - - isc_buffer_init(&buf, zonetxt, strlen(zonetxt)); - isc_buffer_add(&buf, strlen(zonetxt)); - dns_fixedname_init(&name); - result = dns_name_fromtext(dns_fixedname_name(&name), - &buf, dns_rootname, ISC_FALSE, NULL); - if (result != ISC_R_SUCCESS) - goto fail1; - - if (classtxt != NULL) { - isc_textregion_t r; - r.base = classtxt; - r.length = strlen(classtxt); - result = dns_rdataclass_fromtext(&rdclass, &r); - if (result != ISC_R_SUCCESS) - goto fail1; - } else { - rdclass = dns_rdataclass_in; - } - - if (viewtxt == NULL) - viewtxt = "_default"; - result = dns_viewlist_find(&server->viewlist, viewtxt, - rdclass, &view); - if (result != ISC_R_SUCCESS) - goto fail1; - - result = dns_zt_find(view->zonetable, dns_fixedname_name(&name), - 0, NULL, zonep); - /* Partial match? */ - if (result != ISC_R_SUCCESS && *zonep != NULL) - dns_zone_detach(zonep); - dns_view_detach(&view); - fail1: - return (result); -} - -/* - * Act on a "retransfer" command from the command channel. - */ -isc_result_t -ns_server_retransfercommand(ns_server_t *server, char *args) { - isc_result_t result; - dns_zone_t *zone = NULL; - dns_zonetype_t type; - - result = zone_from_args(server, args, &zone); - if (result != ISC_R_SUCCESS) - return (result); - if (zone == NULL) - return (ISC_R_UNEXPECTEDEND); - type = dns_zone_gettype(zone); - if (type == dns_zone_slave || type == dns_zone_stub) - dns_zone_forcereload(zone); - else - result = ISC_R_NOTFOUND; - dns_zone_detach(&zone); - return (result); -} - -/* - * Act on a "reload" command from the command channel. 
- */
-isc_result_t
-ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
- isc_result_t result;
- dns_zone_t *zone = NULL;
- dns_zonetype_t type;
- const char *msg = NULL;
-
- result = zone_from_args(server, args, &zone);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (zone == NULL) {
- result = reload(server);
- if (result == ISC_R_SUCCESS)
- msg = "server reload successful";
- } else {
- type = dns_zone_gettype(zone);
- if (type == dns_zone_slave || type == dns_zone_stub) {
- dns_zone_refresh(zone);
- dns_zone_detach(&zone);
- msg = "zone refresh queued";
- } else {
- result = dns_zone_load(zone);
- dns_zone_detach(&zone);
- switch (result) {
- case ISC_R_SUCCESS:
- msg = "zone reload successful";
- break;
- case DNS_R_CONTINUE:
- msg = "zone reload queued";
- result = ISC_R_SUCCESS;
- break;
- case DNS_R_UPTODATE:
- msg = "zone reload up-to-date";
- result = ISC_R_SUCCESS;
- break;
- default:
- /* failure message will be generated by rndc */
- break;
- }
- }
- }
- if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
- isc_buffer_putmem(text, (const unsigned char *)msg,
- strlen(msg) + 1);
- return (result);
-}
-
-/*
- * Act on a "reconfig" command from the command channel.
- */
-isc_result_t
-ns_server_reconfigcommand(ns_server_t *server, char *args) {
- UNUSED(args);
-
- reconfig(server);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Act on a "notify" command from the command channel.
- */
-isc_result_t
-ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
- isc_result_t result;
- dns_zone_t *zone = NULL;
- const unsigned char msg[] = "zone notify queued";
-
- result = zone_from_args(server, args, &zone);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (zone == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- dns_zone_notify(zone);
- dns_zone_detach(&zone);
- if (sizeof(msg) <= isc_buffer_availablelength(text))
- isc_buffer_putmem(text, msg, sizeof(msg));
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Act on a "refresh" command from the command channel.
- */
-isc_result_t
-ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
- isc_result_t result;
- dns_zone_t *zone = NULL;
- const unsigned char msg1[] = "zone refresh queued";
- const unsigned char msg2[] = "not a slave or stub zone";
- dns_zonetype_t type;
-
- result = zone_from_args(server, args, &zone);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (zone == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- type = dns_zone_gettype(zone);
- if (type == dns_zone_slave || type == dns_zone_stub) {
- dns_zone_refresh(zone);
- dns_zone_detach(&zone);
- if (sizeof(msg1) <= isc_buffer_availablelength(text))
- isc_buffer_putmem(text, msg1, sizeof(msg1));
- return (ISC_R_SUCCESS);
- }
-
- dns_zone_detach(&zone);
- if (sizeof(msg2) <= isc_buffer_availablelength(text))
- isc_buffer_putmem(text, msg2, sizeof(msg2));
- return (ISC_R_FAILURE);
-}
-
-isc_result_t
-ns_server_togglequerylog(ns_server_t *server) {
- server->log_queries = server->log_queries ? ISC_FALSE : ISC_TRUE;
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "query logging is now %s",
- server->log_queries ? "on" : "off");
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
- cfg_aclconfctx_t *actx,
- isc_mem_t *mctx, ns_listenlist_t **target)
-{
- isc_result_t result;
- const cfg_listelt_t *element;
- ns_listenlist_t *dlist = NULL;
-
- REQUIRE(target != NULL && *target == NULL);
-
- result = ns_listenlist_create(mctx, &dlist);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- for (element = cfg_list_first(listenlist);
- element != NULL;
- element = cfg_list_next(element))
- {
- ns_listenelt_t *delt = NULL;
- const cfg_obj_t *listener = cfg_listelt_value(element);
- result = ns_listenelt_fromconfig(listener, config, actx,
- mctx, &delt);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- ISC_LIST_APPEND(dlist->elts, delt, link);
- }
- *target = dlist;
- return (ISC_R_SUCCESS);
-
- cleanup:
- ns_listenlist_detach(&dlist);
- return (result);
-}
-
-/*
- * Create a listen list from the corresponding configuration
- * data structure.
- */
-static isc_result_t
-ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
- cfg_aclconfctx_t *actx,
- isc_mem_t *mctx, ns_listenelt_t **target)
-{
- isc_result_t result;
- const cfg_obj_t *portobj;
- in_port_t port;
- ns_listenelt_t *delt = NULL;
- REQUIRE(target != NULL && *target == NULL);
-
- portobj = cfg_tuple_get(listener, "port");
- if (!cfg_obj_isuint32(portobj)) {
- if (ns_g_port != 0) {
- port = ns_g_port;
- } else {
- result = ns_config_getport(config, &port);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- } else {
- if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
- cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
- "port value '%u' is out of range",
- cfg_obj_asuint32(portobj));
- return (ISC_R_RANGE);
- }
- port = (in_port_t)cfg_obj_asuint32(portobj);
- }
-
- result = ns_listenelt_create(mctx, port, NULL, &delt);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"),
- config, ns_g_lctx, actx, mctx, &delt->acl);
- if (result != ISC_R_SUCCESS) {
- ns_listenelt_destroy(delt);
- return (result);
- }
- *target = delt;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_server_dumpstats(ns_server_t *server) {
- isc_result_t result;
- dns_zone_t *zone, *next;
- isc_stdtime_t now;
- FILE *fp = NULL;
- int i;
- int ncounters;
-
- isc_stdtime_get(&now);
-
- CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
- "could not open statistics dump file", server->statsfile);
-
- ncounters = DNS_STATS_NCOUNTERS;
- fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now);
-
- for (i = 0; i < ncounters; i++)
- fprintf(fp, "%s %" ISC_PRINT_QUADFORMAT "u\n",
- dns_statscounter_names[i],
- server->querystats[i]);
-
- zone = NULL;
- for (result = dns_zone_first(server->zonemgr, &zone);
- result == ISC_R_SUCCESS;
- next = NULL, result = dns_zone_next(zone, &next), zone = next)
- {
- isc_uint64_t *zonestats = dns_zone_getstatscounters(zone);
- if (zonestats != NULL) {
- char zonename[DNS_NAME_FORMATSIZE];
- dns_view_t *view;
- char *viewname;
-
- dns_name_format(dns_zone_getorigin(zone),
- zonename, sizeof(zonename));
- view = dns_zone_getview(zone);
- viewname = view->name;
- for (i = 0; i < ncounters; i++) {
- fprintf(fp, "%s %" ISC_PRINT_QUADFORMAT
- "u %s",
- dns_statscounter_names[i],
- zonestats[i],
- zonename);
- if (strcmp(viewname, "_default") != 0)
- fprintf(fp, " %s", viewname);
- fprintf(fp, "\n");
- }
- }
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- CHECK(result);
-
- fprintf(fp, "--- Statistics Dump --- (%lu)\n", (unsigned long)now);
-
- cleanup:
- if (fp != NULL)
- (void)isc_stdio_close(fp);
- return (result);
-}
-
-static isc_result_t
-add_zone_tolist(dns_zone_t *zone, void *uap) {
- struct dumpcontext *dctx = uap;
- struct zonelistentry *zle;
-
- zle = isc_mem_get(dctx->mctx, sizeof *zle);
- if (zle == NULL)
- return (ISC_R_NOMEMORY);
- zle->zone = NULL;
- dns_zone_attach(zone, &zle->zone);
- ISC_LINK_INIT(zle, link);
- ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
- struct viewlistentry *vle;
- isc_result_t result = ISC_R_SUCCESS;
-
- /*
- * Prevent duplicate views.
- */
- for (vle = ISC_LIST_HEAD(dctx->viewlist);
- vle != NULL;
- vle = ISC_LIST_NEXT(vle, link))
- if (vle->view == view)
- return (ISC_R_SUCCESS);
-
- vle = isc_mem_get(dctx->mctx, sizeof *vle);
- if (vle == NULL)
- return (ISC_R_NOMEMORY);
- vle->view = NULL;
- dns_view_attach(view, &vle->view);
- ISC_LINK_INIT(vle, link);
- ISC_LIST_INIT(vle->zonelist);
- ISC_LIST_APPEND(dctx->viewlist, vle, link);
- if (dctx->dumpzones)
- result = dns_zt_apply(view->zonetable, ISC_TRUE,
- add_zone_tolist, dctx);
- return (result);
-}
-
-static void
-dumpcontext_destroy(struct dumpcontext *dctx) {
- struct viewlistentry *vle;
- struct zonelistentry *zle;
-
- vle = ISC_LIST_HEAD(dctx->viewlist);
- while (vle != NULL) {
- ISC_LIST_UNLINK(dctx->viewlist, vle, link);
- zle = ISC_LIST_HEAD(vle->zonelist);
- while (zle != NULL) {
- ISC_LIST_UNLINK(vle->zonelist, zle, link);
- dns_zone_detach(&zle->zone);
- isc_mem_put(dctx->mctx, zle, sizeof *zle);
- zle = ISC_LIST_HEAD(vle->zonelist);
- }
- dns_view_detach(&vle->view);
- isc_mem_put(dctx->mctx, vle, sizeof *vle);
- vle = ISC_LIST_HEAD(dctx->viewlist);
- }
- if (dctx->version != NULL)
- dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
- if (dctx->db != NULL)
- dns_db_detach(&dctx->db);
- if (dctx->cache != NULL)
- dns_db_detach(&dctx->cache);
- if (dctx->task != NULL)
- isc_task_detach(&dctx->task);
- if (dctx->fp != NULL)
- (void)isc_stdio_close(dctx->fp);
- if (dctx->mdctx != NULL)
- dns_dumpctx_detach(&dctx->mdctx);
- isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
-}
-
-static void
-dumpdone(void *arg, isc_result_t result) {
- struct dumpcontext *dctx = arg;
- char buf[1024+32];
- const dns_master_style_t *style;
-
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- if (dctx->mdctx != NULL)
- dns_dumpctx_detach(&dctx->mdctx);
- if (dctx->view == NULL) {
- dctx->view = ISC_LIST_HEAD(dctx->viewlist);
- if (dctx->view == NULL)
- goto done;
- INSIST(dctx->zone == NULL);
- } else
- goto resume;
- nextview:
- fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
- resume:
- if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache) {
- style = &dns_master_style_cache;
- /* start cache dump */
- if (dctx->view->view->cachedb != NULL)
- dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
- if (dctx->cache != NULL) {
-
- fprintf(dctx->fp, ";\n; Cache dump of view '%s'\n;\n",
- dctx->view->view->name);
- result = dns_master_dumptostreaminc(dctx->mctx,
- dctx->cache, NULL,
- style, dctx->fp,
- dctx->task,
- dumpdone, dctx,
- &dctx->mdctx);
- if (result == DNS_R_CONTINUE)
- return;
- if (result == ISC_R_NOTIMPLEMENTED)
- fprintf(dctx->fp, "; %s\n",
- dns_result_totext(result));
- else if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- }
- if (dctx->cache != NULL) {
- dns_adb_dump(dctx->view->view->adb, dctx->fp);
- dns_db_detach(&dctx->cache);
- }
- if (dctx->dumpzones) {
- style = &dns_master_style_full;
- nextzone:
- if (dctx->version != NULL)
- dns_db_closeversion(dctx->db, &dctx->version,
- ISC_FALSE);
- if (dctx->db != NULL)
- dns_db_detach(&dctx->db);
- if (dctx->zone == NULL)
- dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
- else
- dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
- if (dctx->zone != NULL) {
- /* start zone dump */
- dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
- fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
- result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
- if (result != ISC_R_SUCCESS) {
- fprintf(dctx->fp, "; %s\n",
- dns_result_totext(result));
- goto nextzone;
- }
- dns_db_currentversion(dctx->db, &dctx->version);
- result = dns_master_dumptostreaminc(dctx->mctx,
- dctx->db,
- dctx->version,
- style, dctx->fp,
- dctx->task,
- dumpdone, dctx,
- &dctx->mdctx);
- if (result == DNS_R_CONTINUE)
- return;
- if (result == ISC_R_NOTIMPLEMENTED) {
- fprintf(dctx->fp, "; %s\n",
- dns_result_totext(result));
- result = ISC_R_SUCCESS;
- goto nextzone;
- }
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- }
- if (dctx->view != NULL)
- dctx->view = ISC_LIST_NEXT(dctx->view, link);
- if (dctx->view != NULL)
- goto nextview;
- done:
- fprintf(dctx->fp, "; Dump complete\n");
- result = isc_stdio_flush(dctx->fp);
- if (result == ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "dumpdb complete");
- cleanup:
- if (result != ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "dumpdb failed: %s", dns_result_totext(result));
- dumpcontext_destroy(dctx);
-}
-
-isc_result_t
-ns_server_dumpdb(ns_server_t *server, char *args) {
- struct dumpcontext *dctx = NULL;
- dns_view_t *view;
- isc_result_t result;
- char *ptr;
- const char *sep;
-
- /* Skip the command name. */
- ptr = next_token(&args, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- dctx = isc_mem_get(server->mctx, sizeof(*dctx));
- if (dctx == NULL)
- return (ISC_R_NOMEMORY);
-
- dctx->mctx = server->mctx;
- dctx->dumpcache = ISC_TRUE;
- dctx->dumpzones = ISC_FALSE;
- dctx->fp = NULL;
- ISC_LIST_INIT(dctx->viewlist);
- dctx->view = NULL;
- dctx->zone = NULL;
- dctx->cache = NULL;
- dctx->mdctx = NULL;
- dctx->db = NULL;
- dctx->cache = NULL;
- dctx->task = NULL;
- dctx->version = NULL;
- isc_task_attach(server->task, &dctx->task);
-
- CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
- "could not open dump file", server->dumpfile);
-
- sep = (args == NULL) ? "" : ": ";
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "dumpdb started%s%s", sep, (args != NULL) ? args : "");
-
- ptr = next_token(&args, " \t");
- if (ptr != NULL && strcmp(ptr, "-all") == 0) {
- dctx->dumpzones = ISC_TRUE;
- dctx->dumpcache = ISC_TRUE;
- ptr = next_token(&args, " \t");
- } else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
- dctx->dumpzones = ISC_FALSE;
- dctx->dumpcache = ISC_TRUE;
- ptr = next_token(&args, " \t");
- } else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
- dctx->dumpzones = ISC_TRUE;
- dctx->dumpcache = ISC_FALSE;
- ptr = next_token(&args, " \t");
- }
-
- nextview:
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- if (ptr != NULL && strcmp(view->name, ptr) != 0)
- continue;
- CHECK(add_view_tolist(dctx, view));
- }
- if (ptr != NULL) {
- ptr = next_token(&args, " \t");
- if (ptr != NULL)
- goto nextview;
- }
- dumpdone(dctx, ISC_R_SUCCESS);
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (dctx != NULL)
- dumpcontext_destroy(dctx);
- return (result);
-}
-
-isc_result_t
-ns_server_dumprecursing(ns_server_t *server) {
- FILE *fp = NULL;
- isc_result_t result;
-
- CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
- "could not open dump file", server->recfile);
- fprintf(fp,";\n; Recursing Queries\n;\n");
- ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
- fprintf(fp, "; Dump complete\n");
-
- cleanup:
- if (fp != NULL)
- result = isc_stdio_close(fp);
- return (result);
-}
-
-isc_result_t
-ns_server_setdebuglevel(ns_server_t *server, char *args) {
- char *ptr;
- char *levelstr;
- char *endp;
- long newlevel;
-
- UNUSED(server);
-
- /* Skip the command name. */
- ptr = next_token(&args, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- /* Look for the new level name. */
- levelstr = next_token(&args, " \t");
- if (levelstr == NULL) {
- if (ns_g_debuglevel < 99)
- ns_g_debuglevel++;
- } else {
- newlevel = strtol(levelstr, &endp, 10);
- if (*endp != '\0' || newlevel < 0 || newlevel > 99)
- return (ISC_R_RANGE);
- ns_g_debuglevel = (unsigned int)newlevel;
- }
- isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_server_validation(ns_server_t *server, char *args) {
- char *ptr, *viewname;
- dns_view_t *view;
- isc_boolean_t changed = ISC_FALSE;
- isc_result_t result;
- isc_boolean_t enable;
-
- /* Skip the command name. */
- ptr = next_token(&args, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- /* Find out what we are to do. */
- ptr = next_token(&args, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
- !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
- enable = ISC_TRUE;
- else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
- !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
- enable = ISC_FALSE;
- else
- return (DNS_R_SYNTAX);
-
- /* Look for the view name. */
- viewname = next_token(&args, " \t");
-
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
- continue;
- result = dns_view_flushcache(view);
- if (result != ISC_R_SUCCESS)
- goto out;
- view->enablevalidation = enable;
- changed = ISC_TRUE;
- }
- if (changed)
- result = ISC_R_SUCCESS;
- else
- result = ISC_R_FAILURE;
- out:
- isc_task_endexclusive(server->task);
- return (result);
-}
-
-isc_result_t
-ns_server_flushcache(ns_server_t *server, char *args) {
- char *ptr, *viewname;
- dns_view_t *view;
- isc_boolean_t flushed;
- isc_boolean_t found;
- isc_result_t result;
-
- /* Skip the command name. */
- ptr = next_token(&args, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- /* Look for the view name. */
- viewname = next_token(&args, " \t");
-
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- flushed = ISC_TRUE;
- found = ISC_FALSE;
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
- continue;
- found = ISC_TRUE;
- result = dns_view_flushcache(view);
- if (result != ISC_R_SUCCESS)
- flushed = ISC_FALSE;
- }
- if (flushed && found) {
- result = ISC_R_SUCCESS;
- } else {
- if (!found)
- result = ISC_R_NOTFOUND;
- else
- result = ISC_R_FAILURE;
- }
- isc_task_endexclusive(server->task);
- return (result);
-}
-
-isc_result_t
-ns_server_flushname(ns_server_t *server, char *args) {
- char *ptr, *target, *viewname;
- dns_view_t *view;
- isc_boolean_t flushed;
- isc_boolean_t found;
- isc_result_t result;
- isc_buffer_t b;
- dns_fixedname_t fixed;
- dns_name_t *name;
-
- /* Skip the command name. */
- ptr = next_token(&args, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- /* Find the domain name to flush. */
- target = next_token(&args, " \t");
- if (target == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- isc_buffer_init(&b, target, strlen(target));
- isc_buffer_add(&b, strlen(target));
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /* Look for the view name. */
- viewname = next_token(&args, " \t");
-
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- flushed = ISC_TRUE;
- found = ISC_FALSE;
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
- continue;
- found = ISC_TRUE;
- result = dns_view_flushname(view, name);
- if (result != ISC_R_SUCCESS)
- flushed = ISC_FALSE;
- }
- if (flushed && found)
- result = ISC_R_SUCCESS;
- else if (!found)
- result = ISC_R_NOTFOUND;
- else
- result = ISC_R_FAILURE;
- isc_task_endexclusive(server->task);
- return (result);
-}
-
-isc_result_t
-ns_server_status(ns_server_t *server, isc_buffer_t *text) {
- int zonecount, xferrunning, xferdeferred, soaqueries;
- int n;
-
- zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
- xferrunning = dns_zonemgr_getcount(server->zonemgr,
- DNS_ZONESTATE_XFERRUNNING);
- xferdeferred = dns_zonemgr_getcount(server->zonemgr,
- DNS_ZONESTATE_XFERDEFERRED);
- soaqueries = dns_zonemgr_getcount(server->zonemgr,
- DNS_ZONESTATE_SOAQUERY);
- n = snprintf((char *)isc_buffer_used(text),
- isc_buffer_availablelength(text),
- "number of zones: %u\n"
- "debug level: %d\n"
- "xfers running: %u\n"
- "xfers deferred: %u\n"
- "soa queries in progress: %u\n"
- "query logging is %s\n"
- "recursive clients: %d/%d/%d\n"
- "tcp clients: %d/%d\n"
- "server is up and running",
- zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
- soaqueries, server->log_queries ? "ON" : "OFF",
- server->recursionquota.used, server->recursionquota.soft,
- server->recursionquota.max,
- server->tcpquota.used, server->tcpquota.max);
- if (n == -1)
- return (ISC_R_FAILURE);
- else if ((unsigned int)n >= isc_buffer_availablelength(text))
- return (ISC_R_NOSPACE);
-
- isc_buffer_add(text, (unsigned int)n);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Act on a "freeze" or "thaw" command from the command channel.
- */
-isc_result_t
-ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) {
- isc_result_t result, tresult;
- dns_zone_t *zone = NULL;
- dns_zonetype_t type;
- char classstr[DNS_RDATACLASS_FORMATSIZE];
- char zonename[DNS_NAME_FORMATSIZE];
- dns_view_t *view;
- char *journal;
- const char *vname, *sep;
- isc_boolean_t frozen;
-
- result = zone_from_args(server, args, &zone);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (zone == NULL) {
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- tresult = ISC_R_SUCCESS;
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link)) {
- result = dns_view_freezezones(view, freeze);
- if (result != ISC_R_SUCCESS &&
- tresult == ISC_R_SUCCESS)
- tresult = result;
- }
- isc_task_endexclusive(server->task);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "%s all zones: %s",
- freeze ? "freezing" : "thawing",
- isc_result_totext(tresult));
- return (tresult);
- }
- type = dns_zone_gettype(zone);
- if (type != dns_zone_master) {
- dns_zone_detach(&zone);
- return (ISC_R_NOTFOUND);
- }
-
- frozen = dns_zone_getupdatedisabled(zone);
- if (freeze) {
- if (frozen)
- result = DNS_R_FROZEN;
- if (result == ISC_R_SUCCESS)
- result = dns_zone_flush(zone);
- if (result == ISC_R_SUCCESS) {
- journal = dns_zone_getjournal(zone);
- if (journal != NULL)
- (void)isc_file_remove(journal);
- }
- } else {
- if (frozen) {
- result = dns_zone_load(zone);
- if (result == DNS_R_CONTINUE ||
- result == DNS_R_UPTODATE)
- result = ISC_R_SUCCESS;
- }
- }
- if (result == ISC_R_SUCCESS)
- dns_zone_setupdatedisabled(zone, freeze);
-
- view = dns_zone_getview(zone);
- if (strcmp(view->name, "_bind") == 0 ||
- strcmp(view->name, "_default") == 0)
- {
- vname = "";
- sep = "";
- } else {
- vname = view->name;
- sep = " ";
- }
- dns_rdataclass_format(dns_zone_getclass(zone), classstr,
- sizeof(classstr));
- dns_name_format(dns_zone_getorigin(zone),
- zonename, sizeof(zonename));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "%s zone '%s/%s'%s%s: %s",
- freeze ? "freezing" : "thawing",
- zonename, classstr, sep, vname,
- isc_result_totext(result));
- dns_zone_detach(&zone);
- return (result);
-}
-
-#ifdef HAVE_LIBSCF
-/*
- * This function adds a message for rndc to echo if named
- * is managed by smf and is also running chroot.
- */
-isc_result_t
-ns_smf_add_message(isc_buffer_t *text) {
- unsigned int n;
-
- n = snprintf((char *)isc_buffer_used(text),
- isc_buffer_availablelength(text),
- "use svcadm(1M) to manage named");
- if (n >= isc_buffer_availablelength(text))
- return (ISC_R_NOSPACE);
- isc_buffer_add(text, n);
- return (ISC_R_SUCCESS);
-}
-#endif /* HAVE_LIBSCF */
diff --git a/usr.sbin/bind/bin/named/sortlist.c b/usr.sbin/bind/bin/named/sortlist.c
deleted file mode 100644
index e650e008b96..00000000000
--- a/usr.sbin/bind/bin/named/sortlist.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: sortlist.c,v 1.9.18.4 2006/03/02 00:37:21 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-
-ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
- const void **argp)
-{
- unsigned int i;
-
- if (acl == NULL)
- goto dont_sort;
-
- for (i = 0; i < acl->length; i++) {
- /*
- * 'e' refers to the current 'top level statement'
- * in the sortlist (see ARM).
- */
- dns_aclelement_t *e = &acl->elements[i];
- dns_aclelement_t *try_elt;
- dns_aclelement_t *order_elt = NULL;
- const dns_aclelement_t *matched_elt = NULL;
-
- if (e->type == dns_aclelementtype_nestedacl) {
- dns_acl_t *inner = e->u.nestedacl;
-
- if (inner->length < 1 || inner->length > 2)
- goto dont_sort;
- if (inner->elements[0].negative)
- goto dont_sort;
- try_elt = &inner->elements[0];
- if (inner->length == 2)
- order_elt = &inner->elements[1];
- } else {
- /*
- * BIND 8 allows bare elements at the top level
- * as an undocumented feature.
- */
- try_elt = e;
- }
-
- if (dns_aclelement_match(clientaddr, NULL, try_elt,
- &ns_g_server->aclenv,
- &matched_elt)) {
- if (order_elt != NULL) {
- if (order_elt->type ==
- dns_aclelementtype_nestedacl) {
- *argp = order_elt->u.nestedacl;
- return (NS_SORTLISTTYPE_2ELEMENT);
- } else if (order_elt->type ==
- dns_aclelementtype_localhost &&
- ns_g_server->aclenv.localhost != NULL) {
- *argp = ns_g_server->aclenv.localhost;
- return (NS_SORTLISTTYPE_2ELEMENT);
- } else if (order_elt->type ==
- dns_aclelementtype_localnets &&
- ns_g_server->aclenv.localnets != NULL) {
- *argp = ns_g_server->aclenv.localnets;
- return (NS_SORTLISTTYPE_2ELEMENT);
- } else {
- /*
- * BIND 8 allows a bare IP prefix as
- * the 2nd element of a 2-element
- * sortlist statement.
- */
- *argp = order_elt;
- return (NS_SORTLISTTYPE_1ELEMENT);
- }
- } else {
- INSIST(matched_elt != NULL);
- *argp = matched_elt;
- return (NS_SORTLISTTYPE_1ELEMENT);
- }
- }
- }
-
- /* No match; don't sort. */
- dont_sort:
- *argp = NULL;
- return (NS_SORTLISTTYPE_NONE);
-}
-
-int
-ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) {
- const dns_acl_t *sortacl = (const dns_acl_t *) arg;
- int match;
-
- (void)dns_acl_match(addr, NULL, sortacl,
- &ns_g_server->aclenv,
- &match, NULL);
- if (match > 0)
- return (match);
- else if (match < 0)
- return (INT_MAX - (-match));
- else
- return (INT_MAX / 2);
-}
-
-int
-ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) {
- const dns_aclelement_t *matchelt = (const dns_aclelement_t *) arg;
- if (dns_aclelement_match(addr, NULL, matchelt,
- &ns_g_server->aclenv,
- NULL)) {
- return (0);
- } else {
- return (INT_MAX);
- }
-}
-
-void
-ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
- dns_addressorderfunc_t *orderp,
- const void **argp)
-{
- ns_sortlisttype_t sortlisttype;
-
- sortlisttype = ns_sortlist_setup(sortlist_acl, client_addr, argp);
-
- switch (sortlisttype) {
- case NS_SORTLISTTYPE_1ELEMENT:
- *orderp = ns_sortlist_addrorder1;
- break;
- case NS_SORTLISTTYPE_2ELEMENT:
- *orderp = ns_sortlist_addrorder2;
- break;
- case NS_SORTLISTTYPE_NONE:
- *orderp = NULL;
- break;
- default:
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "unexpected return from ns_sortlist_setup(): "
- "%d", sortlisttype);
- break;
- }
-}
-
diff --git a/usr.sbin/bind/bin/named/tkeyconf.c b/usr.sbin/bind/bin/named/tkeyconf.c
deleted file mode 100644
index 27d82088acf..00000000000
--- a/usr.sbin/bind/bin/named/tkeyconf.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: tkeyconf.c,v 1.20.18.6 2006/03/02 00:37:21 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-#include /* Required for HP/UX (and others?) */
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-
-#include
-
-#include
-
-#define RETERR(x) do { \
- result = (x); \
- if (result != ISC_R_SUCCESS) \
- goto failure; \
- } while (0)
-
-
-isc_result_t
-ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
- isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
-{
- isc_result_t result;
- dns_tkeyctx_t *tctx = NULL;
- const char *s;
- isc_uint32_t n;
- dns_fixedname_t fname;
- dns_name_t *name;
- isc_buffer_t b;
- const cfg_obj_t *obj;
- int type;
-
- result = dns_tkeyctx_create(mctx, ectx, &tctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- obj = NULL;
- result = cfg_map_get(options, "tkey-dhkey", &obj);
- if (result == ISC_R_SUCCESS) {
- s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
- n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
- isc_buffer_init(&b, s, strlen(s));
- isc_buffer_add(&b, strlen(s));
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname,
- ISC_FALSE, NULL));
- type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_KEY;
- RETERR(dst_key_fromfile(name, (dns_keytag_t) n, DNS_KEYALG_DH,
- type, NULL, mctx, &tctx->dhkey));
- }
-
- obj = NULL;
- result = cfg_map_get(options, "tkey-domain", &obj);
- if (result == ISC_R_SUCCESS) {
- s = cfg_obj_asstring(obj);
- isc_buffer_init(&b, s, strlen(s));
- isc_buffer_add(&b, strlen(s));
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE,
- NULL));
- tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t));
- if (tctx->domain == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
- dns_name_init(tctx->domain, NULL);
- RETERR(dns_name_dup(name, mctx, tctx->domain));
- }
-
- obj = NULL;
- result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
- if (result == ISC_R_SUCCESS) {
- s = cfg_obj_asstring(obj);
- isc_buffer_init(&b, s, strlen(s));
- isc_buffer_add(&b, strlen(s));
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE,
- NULL));
- RETERR(dst_gssapi_acquirecred(name, ISC_FALSE,
- &tctx->gsscred));
- }
-
- *tctxp = tctx;
- return (ISC_R_SUCCESS);
-
- failure:
- dns_tkeyctx_destroy(&tctx);
- return (result);
-}
-
diff --git a/usr.sbin/bind/bin/named/tsigconf.c b/usr.sbin/bind/bin/named/tsigconf.c
deleted file mode 100644
index 5e251ff73af..00000000000
--- a/usr.sbin/bind/bin/named/tsigconf.c
+++ /dev/null
@@ -1,181 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: tsigconf.c,v 1.22.18.6 2006/02/28 03:10:47 marka Exp $ */
-
-/*! \file */
-
-#include
-
-#include
-#include
-#include
-#include
-
-#include
-
-#include
-#include
-
-#include
-
-#include
-#include
-
-static isc_result_t
-add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
- isc_mem_t *mctx)
-{
- dns_tsigkey_t *tsigkey = NULL;
- const cfg_listelt_t *element;
- const cfg_obj_t *key = NULL;
- const char *keyid = NULL;
- unsigned char *secret = NULL;
- int secretalloc = 0;
- int secretlen = 0;
- isc_result_t ret;
- isc_stdtime_t now;
- isc_uint16_t bits;
-
- for (element = cfg_list_first(list);
- element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *algobj = NULL;
- const cfg_obj_t *secretobj = NULL;
- dns_name_t keyname;
- dns_name_t *alg;
- const char *algstr;
- char keynamedata[1024];
- isc_buffer_t keynamesrc, keynamebuf;
- const char *secretstr;
- isc_buffer_t secretbuf;
-
- key = cfg_listelt_value(element);
- keyid = cfg_obj_asstring(cfg_map_getname(key));
-
- algobj = NULL;
- secretobj = NULL;
- (void)cfg_map_get(key, "algorithm", &algobj);
- (void)cfg_map_get(key, "secret", &secretobj);
- INSIST(algobj != NULL && secretobj != NULL);
-
- /*
- * Create the key name.
- */
- dns_name_init(&keyname, NULL);
- isc_buffer_init(&keynamesrc, keyid, strlen(keyid));
- isc_buffer_add(&keynamesrc, strlen(keyid));
- isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
- ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
- ISC_TRUE, &keynamebuf);
- if (ret != ISC_R_SUCCESS)
- goto failure;
-
- /*
- * Create the algorithm.
- */
- algstr = cfg_obj_asstring(algobj);
- if (ns_config_getkeyalgorithm(algstr, &alg, &bits)
- != ISC_R_SUCCESS) {
- cfg_obj_log(algobj, ns_g_lctx, ISC_LOG_ERROR,
- "key '%s': has a unsupported algorithm '%s'",
- keyid, algstr);
- ret = DNS_R_BADALG;
- goto failure;
- }
-
- secretstr = cfg_obj_asstring(secretobj);
- secretalloc = secretlen = strlen(secretstr) * 3 / 4;
- secret = isc_mem_get(mctx, secretlen);
- if (secret == NULL) {
- ret = ISC_R_NOMEMORY;
- goto failure;
- }
- isc_buffer_init(&secretbuf, secret, secretlen);
- ret = isc_base64_decodestring(secretstr, &secretbuf);
- if (ret != ISC_R_SUCCESS)
- goto failure;
- secretlen = isc_buffer_usedlength(&secretbuf);
-
- isc_stdtime_get(&now);
- ret = dns_tsigkey_create(&keyname, alg, secret, secretlen,
- ISC_FALSE, NULL, now, now,
- mctx, ring, &tsigkey);
- isc_mem_put(mctx, secret, secretalloc);
- secret = NULL;
- if (ret != ISC_R_SUCCESS)
- goto failure;
- /*
- * Set digest bits.
- */
- dst_key_setbits(tsigkey->key, bits);
- dns_tsigkey_detach(&tsigkey);
- }
-
- return (ISC_R_SUCCESS);
-
- failure:
- cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
- "configuring key '%s': %s", keyid,
- isc_result_totext(ret));
-
- if (secret != NULL)
- isc_mem_put(mctx, secret, secretalloc);
- return (ret);
-}
-
-isc_result_t
-ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
- isc_mem_t *mctx, dns_tsig_keyring_t **ringp)
-{
- const cfg_obj_t *maps[3];
- const cfg_obj_t *keylist;
- dns_tsig_keyring_t *ring = NULL;
- isc_result_t result;
- int i;
-
- i = 0;
- if (config != NULL)
- maps[i++] = config;
- if (vconfig != NULL)
- maps[i++] = cfg_tuple_get(vconfig, "options");
- maps[i] = NULL;
-
- result = dns_tsigkeyring_create(mctx, &ring);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- for (i = 0; ; i++) {
- if (maps[i] == NULL)
- break;
- keylist = NULL;
- result = cfg_map_get(maps[i], "key", &keylist);
- if (result != ISC_R_SUCCESS)
- continue;
- result = add_initial_keys(keylist, ring, mctx);
- if (result != ISC_R_SUCCESS)
- goto failure;
- }
-
- *ringp = ring;
- return (ISC_R_SUCCESS);
-
- failure:
- dns_tsigkeyring_destroy(&ring);
- return (result);
-}
diff --git a/usr.sbin/bind/bin/named/unix/Makefile.in b/usr.sbin/bind/bin/named/unix/Makefile.in
deleted file mode 100644
index f29e852bdae..00000000000
--- a/usr.sbin/bind/bin/named/unix/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $ISC: Makefile.in,v 1.8 2004/03/05 04:58:01 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
- ${DNS_INCLUDES} ${ISC_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-OBJS = os.@O@
-
-SRCS = os.c
-
-TARGETS = ${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/usr.sbin/bind/bin/named/unix/include/named/os.h b/usr.sbin/bind/bin/named/unix/include/named/os.h
deleted file mode 100644
index 42ff6b67318..00000000000
--- a/usr.sbin/bind/bin/named/unix/include/named/os.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: os.h,v 1.22.18.3 2005/04/29 00:15:39 marka Exp $ */
-
-#ifndef NS_OS_H
-#define NS_OS_H 1
-
-/*! \file */
-
-#include
-
-void
-ns_os_init(const char *progname);
-
-void
-ns_os_daemonize(void);
-
-void
-ns_os_opendevnull(void);
-
-void
-ns_os_closedevnull(void);
-
-void
-ns_os_chroot(const char *root);
-
-void
-ns_os_inituserinfo(const char *username);
-
-void
-ns_os_changeuser(void);
-
-void
-ns_os_minprivs(void);
-
-void
-ns_os_preopenpidfile(const char *filename);
-
-void
-ns_os_writepidfile(const char *filename, isc_boolean_t first_time);
-
-void
-ns_os_shutdown(void);
-
-isc_result_t
-ns_os_gethostname(char *buf, size_t len);
-
-void
-ns_os_shutdownmsg(char *command, isc_buffer_t *text);
-
-void
-ns_os_tzset(void);
-
-void
-ns_os_started(void);
-
-#endif /* NS_OS_H */
diff --git a/usr.sbin/bind/bin/named/unix/os.c b/usr.sbin/bind/bin/named/unix/os.c
deleted file mode 100644
index 1db5ac201e9..00000000000
--- a/usr.sbin/bind/bin/named/unix/os.c
+++ /dev/null
@@ -1,719 +0,0 @@ -/* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: os.c,v 1.66.18.11 2006/02/03 23:51:38 marka Exp $ */ - -/*! \file */ - -#include -#include - -#include /* dev_t FreeBSD 2.1 */ -#include - -#include -#include -#include -#include /* Required for initgroups() on IRIX. 
*/ -#include -#include -#include -#include -#include -#ifdef HAVE_TZSET -#include -#endif -#include - -#include -#include -#include -#include -#include -#include - -#include -#include -#ifdef HAVE_LIBSCF -#include -#endif - -static char *pidfile = NULL; -static int pidfilefd = -1; -static isc_boolean_t preopenpidfile = ISC_FALSE; - -static int devnullfd = -1; - -#ifndef ISC_FACILITY -#define ISC_FACILITY LOG_DAEMON -#endif - -/* - * If there's no , we don't care about - */ -#ifndef HAVE_LINUX_CAPABILITY_H -#undef HAVE_SYS_PRCTL_H -#endif - -/* - * Linux defines: - * (T) HAVE_LINUXTHREADS - * (C) HAVE_LINUX_CAPABILITY_H - * (P) HAVE_SYS_PRCTL_H - * The possible cases are: - * none: setuid() normally - * T: no setuid() - * C: setuid() normally, drop caps (keep CAP_SETUID) - * T+C: no setuid(), drop caps (don't keep CAP_SETUID) - * T+C+P: setuid() early, drop caps (keep CAP_SETUID) - * C+P: setuid() normally, drop caps (keep CAP_SETUID) - * P: not possible - * T+P: not possible - * - * if (C) - * caps = BIND_SERVICE + CHROOT + SETGID - * if ((T && C && P) || !T) - * caps += SETUID - * endif - * capset(caps) - * endif - * if (T && C && P && -u) - * setuid() - * else if (T && -u) - * fail - * --> start threads - * if (!T && -u) - * setuid() - * if (C && (P || !-u)) - * caps = BIND_SERVICE - * capset(caps) - * endif - * - * It will be nice when Linux threads work properly with setuid(). - */ - -#ifdef HAVE_LINUXTHREADS -static pid_t mainpid = 0; -#endif - -static struct passwd *runas_pw = NULL; -static isc_boolean_t done_setuid = ISC_FALSE; -static int dfd[2] = { -1, -1 }; - -#ifdef HAVE_LINUX_CAPABILITY_H - -static isc_boolean_t non_root = ISC_FALSE; -static isc_boolean_t non_root_caps = ISC_FALSE; - -/*% - * We define _LINUX_FS_H to prevent it from being included. We don't need - * anything from it, and the files it includes cause warnings with 2.2 - * kernels, and compilation failures (due to conflicts between - * and ) on 2.3 kernels. 
- */ -#define _LINUX_FS_H - -#include /* Required for syscall(). */ -#include /* Required for _LINUX_CAPABILITY_VERSION. */ - -#ifdef HAVE_SYS_PRCTL_H -#include /* Required for prctl(). */ - -/* - * If the value of PR_SET_KEEPCAPS is not in , define it - * here. This allows setuid() to work on systems running a new enough - * kernel but with /usr/include/linux pointing to "standard" kernel - * headers. - */ -#ifndef PR_SET_KEEPCAPS -#define PR_SET_KEEPCAPS 8 -#endif - -#endif /* HAVE_SYS_PRCTL_H */ - -#ifndef SYS_capset -#ifndef __NR_capset -#include /* Slackware 4.0 needs this. */ -#endif -#define SYS_capset __NR_capset -#endif - -static void -linux_setcaps(unsigned int caps) { - struct __user_cap_header_struct caphead; - struct __user_cap_data_struct cap; - char strbuf[ISC_STRERRORSIZE]; - - if ((getuid() != 0 && !non_root_caps) || non_root) - return; - - memset(&caphead, 0, sizeof(caphead)); - caphead.version = _LINUX_CAPABILITY_VERSION; - caphead.pid = 0; - memset(&cap, 0, sizeof(cap)); - cap.effective = caps; - cap.permitted = caps; - cap.inheritable = 0; - if (syscall(SYS_capset, &caphead, &cap) < 0) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlyfatal("capset failed: %s:" - " please ensure that the capset kernel" - " module is loaded. see insmod(8)", - strbuf); - } -} - -static void -linux_initialprivs(void) { - unsigned int caps; - - /*% - * We don't need most privileges, so we drop them right away. - * Later on linux_minprivs() will be called, which will drop our - * capabilities to the minimum needed to run the server. - */ - - caps = 0; - - /* - * We need to be able to bind() to privileged ports, notably port 53! - */ - caps |= (1 << CAP_NET_BIND_SERVICE); - - /* - * We need chroot() initially too. 
- */ - caps |= (1 << CAP_SYS_CHROOT); - -#if defined(HAVE_SYS_PRCTL_H) || !defined(HAVE_LINUXTHREADS) - /* - * We can setuid() only if either the kernel supports keeping - * capabilities after setuid() (which we don't know until we've - * tried) or we're not using threads. If either of these is - * true, we want the setuid capability. - */ - caps |= (1 << CAP_SETUID); -#endif - - /* - * Since we call initgroups, we need this. - */ - caps |= (1 << CAP_SETGID); - - /* - * Without this, we run into problems reading a configuration file - * owned by a non-root user and non-world-readable on startup. - */ - caps |= (1 << CAP_DAC_READ_SEARCH); - - /* - * XXX We might want to add CAP_SYS_RESOURCE, though it's not - * clear it would work right given the way linuxthreads work. - * XXXDCL But since we need to be able to set the maximum number - * of files, the stack size, data size, and core dump size to - * support named.conf options, this is now being added to test. - */ - caps |= (1 << CAP_SYS_RESOURCE); - - linux_setcaps(caps); -} - -static void -linux_minprivs(void) { - unsigned int caps; - - /*% - * Drop all privileges except the ability to bind() to privileged - * ports. - * - * It's important that we drop CAP_SYS_CHROOT. If we didn't, it - * chroot() could be used to escape from the chrooted area. - */ - - caps = 0; - caps |= (1 << CAP_NET_BIND_SERVICE); - - /* - * XXX We might want to add CAP_SYS_RESOURCE, though it's not - * clear it would work right given the way linuxthreads work. - * XXXDCL But since we need to be able to set the maximum number - * of files, the stack size, data size, and core dump size to - * support named.conf options, this is now being added to test. - */ - caps |= (1 << CAP_SYS_RESOURCE); - - linux_setcaps(caps); -} - -#ifdef HAVE_SYS_PRCTL_H -static void -linux_keepcaps(void) { - char strbuf[ISC_STRERRORSIZE]; - /*% - * Ask the kernel to allow us to keep our capabilities after we - * setuid(). 
- */ - - if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) { - if (errno != EINVAL) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlyfatal("prctl() failed: %s", strbuf); - } - } else { - non_root_caps = ISC_TRUE; - if (getuid() != 0) - non_root = ISC_TRUE; - } -} -#endif - -#endif /* HAVE_LINUX_CAPABILITY_H */ - - -static void -setup_syslog(const char *progname) { - int options; - - options = LOG_PID; -#ifdef LOG_NDELAY - options |= LOG_NDELAY; -#endif - openlog(isc_file_basename(progname), options, ISC_FACILITY); -} - -void -ns_os_init(const char *progname) { - setup_syslog(progname); -#ifdef HAVE_LINUX_CAPABILITY_H - linux_initialprivs(); -#endif -#ifdef HAVE_LINUXTHREADS - mainpid = getpid(); -#endif -#ifdef SIGXFSZ - signal(SIGXFSZ, SIG_IGN); -#endif -} - -void -ns_os_daemonize(void) { - pid_t pid; - char strbuf[ISC_STRERRORSIZE]; - - if (pipe(dfd) == -1) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlyfatal("pipe(): %s", strbuf); - } - - pid = fork(); - if (pid == -1) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlyfatal("fork(): %s", strbuf); - } - if (pid != 0) { - int n; - /* - * Wait for the child to finish loading for the first time. - * This would be so much simpler if fork() worked once we - * were multi-threaded. - */ - (void)close(dfd[1]); - do { - char buf; - n = read(dfd[0], &buf, 1); - if (n == 1) - _exit(0); - } while (n == -1 && errno == EINTR); - _exit(1); - } - (void)close(dfd[0]); - - /* - * We're the child. - */ - -#ifdef HAVE_LINUXTHREADS - mainpid = getpid(); -#endif - - if (setsid() == -1) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlyfatal("setsid(): %s", strbuf); - } - - /* - * Try to set stdin, stdout, and stderr to /dev/null, but press - * on even if it fails. - * - * XXXMLG The close() calls here are unneeded on all but NetBSD, but - * are harmless to include everywhere. 
dup2() is supposed to close - * the FD if it is in use, but unproven-pthreads-0.16 is broken - * and will end up closing the wrong FD. This will be fixed eventually, - * and these calls will be removed. - */ - if (devnullfd != -1) { - if (devnullfd != STDIN_FILENO) { - (void)close(STDIN_FILENO); - (void)dup2(devnullfd, STDIN_FILENO); - } - if (devnullfd != STDOUT_FILENO) { - (void)close(STDOUT_FILENO); - (void)dup2(devnullfd, STDOUT_FILENO); - } - if (devnullfd != STDERR_FILENO) { - (void)close(STDERR_FILENO); - (void)dup2(devnullfd, STDERR_FILENO); - } - } -} - -void -ns_os_started(void) { - char buf = 0; - - /* - * Signal to the parent that we stated successfully. - */ - if (dfd[0] != -1 && dfd[1] != -1) { - write(dfd[1], &buf, 1); - close(dfd[1]); - dfd[0] = dfd[1] = -1; - } -} - -void -ns_os_opendevnull(void) { - devnullfd = open("/dev/null", O_RDWR, 0); -} - -void -ns_os_closedevnull(void) { - if (devnullfd != STDIN_FILENO && - devnullfd != STDOUT_FILENO && - devnullfd != STDERR_FILENO) { - close(devnullfd); - devnullfd = -1; - } -} - -static isc_boolean_t -all_digits(const char *s) { - if (*s == '\0') - return (ISC_FALSE); - while (*s != '\0') { - if (!isdigit((*s)&0xff)) - return (ISC_FALSE); - s++; - } - return (ISC_TRUE); -} - -void -ns_os_chroot(const char *root) { - char strbuf[ISC_STRERRORSIZE]; -#ifdef HAVE_LIBSCF - ns_smf_chroot = 0; -#endif - if (root != NULL) { - if (chroot(root) < 0) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlyfatal("chroot(): %s", strbuf); - } - if (chdir("/") < 0) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlyfatal("chdir(/): %s", strbuf); - } -#ifdef HAVE_LIBSCF - /* Set ns_smf_chroot flag on successful chroot. 
*/ - ns_smf_chroot = 1; -#endif - } -} - -void -ns_os_inituserinfo(const char *username) { - char strbuf[ISC_STRERRORSIZE]; - if (username == NULL) - return; - - if (all_digits(username)) - runas_pw = getpwuid((uid_t)atoi(username)); - else - runas_pw = getpwnam(username); - endpwent(); - - if (runas_pw == NULL) - ns_main_earlyfatal("user '%s' unknown", username); - - if (getuid() == 0) { - if (initgroups(runas_pw->pw_name, runas_pw->pw_gid) < 0) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlyfatal("initgroups(): %s", strbuf); - } - } - -} - -void -ns_os_changeuser(void) { - char strbuf[ISC_STRERRORSIZE]; - if (runas_pw == NULL || done_setuid) - return; - - done_setuid = ISC_TRUE; - -#ifdef HAVE_LINUXTHREADS -#ifdef HAVE_LINUX_CAPABILITY_H - if (!non_root_caps) - ns_main_earlyfatal("-u with Linux threads not supported: " - "requires kernel support for " - "prctl(PR_SET_KEEPCAPS)"); -#else - ns_main_earlyfatal("-u with Linux threads not supported: " - "no capabilities support or capabilities " - "disabled at build time"); -#endif -#endif - - if (setgid(runas_pw->pw_gid) < 0) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlyfatal("setgid(): %s", strbuf); - } - - if (setuid(runas_pw->pw_uid) < 0) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlyfatal("setuid(): %s", strbuf); - } - -#if defined(HAVE_LINUX_CAPABILITY_H) && !defined(HAVE_LINUXTHREADS) - linux_minprivs(); -#endif -#if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE) - /* - * Restore the ability of named to drop core after the setuid() - * call has disabled it. 
- */ - prctl(PR_SET_DUMPABLE,1,0,0,0); -#endif -} - -void -ns_os_minprivs(void) { -#ifdef HAVE_SYS_PRCTL_H - linux_keepcaps(); -#endif - -#ifdef HAVE_LINUXTHREADS - ns_os_changeuser(); /* Call setuid() before threads are started */ -#endif - -#if defined(HAVE_LINUX_CAPABILITY_H) && defined(HAVE_LINUXTHREADS) - linux_minprivs(); -#endif -} - -static int -safe_open(const char *filename, isc_boolean_t append) { - int fd; - struct stat sb; - - if (stat(filename, &sb) == -1) { - if (errno != ENOENT) - return (-1); - } else if (!S_ISREG(sb.st_mode)) { - errno = EOPNOTSUPP; - return (-1); - } - - if (append) - fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, - S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - else { - (void)unlink(filename); - fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, - S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); - } - return (fd); -} - -static void -cleanup_pidfile(void) { - if (pidfile != NULL) { - (void)unlink(pidfile); - free(pidfile); - } - pidfile = NULL; -} - -static int -open_pidfile(const char *filename, isc_boolean_t first_time) { - int fd; - size_t len; - char strbuf[ISC_STRERRORSIZE]; - void (*report)(const char *, ...); - - report = first_time ? 
ns_main_earlyfatal : ns_main_earlywarning; - - cleanup_pidfile(); - - if (filename == NULL) - return -1; - - len = strlen(filename); - pidfile = malloc(len + 1); - if (pidfile == NULL) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("couldn't malloc '%s': %s", filename, strbuf); - return -1; - } - strlcpy(pidfile, filename, len); - - fd = safe_open(filename, ISC_FALSE); - if (fd < 0) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("couldn't open pid file '%s': %s", filename, strbuf); - free(pidfile); - pidfile = NULL; - return -1; - } - - return fd; -} - -void -ns_os_preopenpidfile(const char *filename) { - pidfilefd = open_pidfile(filename, ISC_TRUE); - preopenpidfile = ISC_TRUE; -} - -void -ns_os_writepidfile(const char *filename, isc_boolean_t first_time) { - int fd; - FILE *lockfile; - pid_t pid; - char strbuf[ISC_STRERRORSIZE]; - void (*report)(const char *, ...); - - /* - * The caller must ensure any required synchronization. - */ - - report = first_time ? 
ns_main_earlyfatal : ns_main_earlywarning; - - if (preopenpidfile == ISC_TRUE) - fd = pidfilefd; - else - fd = open_pidfile(filename, first_time); - - if (fd < 0) return; - - lockfile = fdopen(fd, "w"); - if (lockfile == NULL) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("could not fdopen() pid file '%s': %s", - filename, strbuf); - (void)close(fd); - if (preopenpidfile == ISC_FALSE) cleanup_pidfile(); - return; - } -#ifdef HAVE_LINUXTHREADS - pid = mainpid; -#else - pid = getpid(); -#endif - if (fprintf(lockfile, "%ld\n", (long)pid) < 0) { - (*report)("fprintf() to pid file '%s' failed", filename); - (void)fclose(lockfile); - if (preopenpidfile == ISC_FALSE) cleanup_pidfile(); - return; - } - if (fflush(lockfile) == EOF) { - (*report)("fflush() to pid file '%s' failed", filename); - (void)fclose(lockfile); - if (preopenpidfile == ISC_FALSE) cleanup_pidfile(); - return; - } - (void)fclose(lockfile); - if (preopenpidfile == ISC_TRUE) pidfilefd = -1; -} - -void -ns_os_shutdown(void) { - closelog(); - if (preopenpidfile == ISC_FALSE) cleanup_pidfile(); -} - -isc_result_t -ns_os_gethostname(char *buf, size_t len) { - int n; - - n = gethostname(buf, len); - return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE); -} - -static char * -next_token(char **stringp, const char *delim) { - char *res; - - do { - res = strsep(stringp, delim); - if (res == NULL) - break; - } while (*res == '\0'); - return (res); -} - -void -ns_os_shutdownmsg(char *command, isc_buffer_t *text) { - char *input, *ptr; - int n; - pid_t pid; - - input = command; - - /* Skip the command name. */ - ptr = next_token(&input, " \t"); - if (ptr == NULL) - return; - - ptr = next_token(&input, " \t"); - if (ptr == NULL) - return; - - if (strcmp(ptr, "-p") != 0) - return; - -#ifdef HAVE_LINUXTHREADS - pid = mainpid; -#else - pid = getpid(); -#endif - - n = snprintf((char *)isc_buffer_used(text), - isc_buffer_availablelength(text), - "pid: %ld", (long)pid); - /* Only send a message if it is complete. 
*/ - if (n != -1 && n < isc_buffer_availablelength(text)) - isc_buffer_add(text, (unsigned int)n); -} - -void -ns_os_tzset(void) { -#ifdef HAVE_TZSET - tzset(); -#endif -} diff --git a/usr.sbin/bind/bin/named/update.c b/usr.sbin/bind/bin/named/update.c deleted file mode 100644 index f6795567408..00000000000 --- a/usr.sbin/bind/bin/named/update.c +++ /dev/null 
@@ -1,3030 +0,0 @@ -/* - * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: update.c,v 1.109.18.23 2007/08/28 07:20:01 tbox Exp $ */ - -#include - -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include - -/*! \file - * \brief - * This module implements dynamic update as in RFC2136. - */ - -/* - XXX TODO: - - document strict minimality -*/ - -/**************************************************************************/ - -/*% - * Log level for tracing dynamic update protocol requests. - */ -#define LOGLEVEL_PROTOCOL ISC_LOG_INFO - -/*% - * Log level for low-level debug tracing. - */ -#define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8) - -/*% - * Check an operation for failure. These macros all assume that - * the function using them has a 'result' variable and a 'failure' - * label. 
- */
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-/*%
- * Fail unconditionally with result 'code', which must not
- * be ISC_R_SUCCESS. The reason for failure presumably has
- * been logged already.
- *
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-
-#define FAIL(code) \
- do { \
- result = (code); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-/*%
- * Fail unconditionally and log as a client error.
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAILC(code, msg) \
- do { \
- const char *_what = "failed"; \
- result = (code); \
- switch (result) { \
- case DNS_R_NXDOMAIN: \
- case DNS_R_YXDOMAIN: \
- case DNS_R_YXRRSET: \
- case DNS_R_NXRRSET: \
- _what = "unsuccessful"; \
- } \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "update %s: %s (%s)", _what, \
- msg, isc_result_totext(result)); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-#define FAILN(code, name, msg) \
- do { \
- const char *_what = "failed"; \
- result = (code); \
- switch (result) { \
- case DNS_R_NXDOMAIN: \
- case DNS_R_YXDOMAIN: \
- case DNS_R_YXRRSET: \
- case DNS_R_NXRRSET: \
- _what = "unsuccessful"; \
- } \
- if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
- char _nbuf[DNS_NAME_FORMATSIZE]; \
- dns_name_format(name, _nbuf, sizeof(_nbuf)); \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "update %s: %s: %s (%s)", _what, _nbuf, \
- msg, isc_result_totext(result)); \
- } \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-#define FAILNT(code, name, type, msg) \
- do { \
- const char *_what = "failed"; \
- result = (code); \
- switch (result) { \
- case DNS_R_NXDOMAIN: \
- case DNS_R_YXDOMAIN: \
- case DNS_R_YXRRSET: \
- case DNS_R_NXRRSET: \
- _what = "unsuccessful"; \
- } \
- if
(isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
- char _nbuf[DNS_NAME_FORMATSIZE]; \
- char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \
- dns_name_format(name, _nbuf, sizeof(_nbuf)); \
- dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "update %s: %s/%s: %s (%s)", \
- _what, _nbuf, _tbuf, msg, \
- isc_result_totext(result)); \
- } \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-/*%
- * Fail unconditionally and log as a server error.
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAILS(code, msg) \
- do { \
- result = (code); \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "error: %s: %s", \
- msg, isc_result_totext(result)); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-/**************************************************************************/
-
-typedef struct rr rr_t;
-
-struct rr {
- /* dns_name_t name; */
- isc_uint32_t ttl;
- dns_rdata_t rdata;
-};
-
-typedef struct update_event update_event_t;
-
-struct update_event {
- ISC_EVENT_COMMON(update_event_t);
- dns_zone_t *zone;
- isc_result_t result;
- dns_message_t *answer;
-};
-
-/**************************************************************************/
-/*
- * Forward declarations.
- */
-
-static void update_action(isc_task_t *task, isc_event_t *event);
-static void updatedone_action(isc_task_t *task, isc_event_t *event);
-static isc_result_t send_forward_event(ns_client_t *client, dns_zone_t *zone);
-static void forward_done(isc_task_t *task, isc_event_t *event);
-
-/**************************************************************************/
-
-static void
-update_log(ns_client_t *client, dns_zone_t *zone,
- int level, const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
-
-static void
-update_log(ns_client_t *client, dns_zone_t *zone,
- int level, const char *fmt, ...)
-{
- va_list ap;
- char message[4096];
- char namebuf[DNS_NAME_FORMATSIZE];
- char classbuf[DNS_RDATACLASS_FORMATSIZE];
-
- if (client == NULL || zone == NULL)
- return;
-
- if (isc_log_wouldlog(ns_g_lctx, level) == ISC_FALSE)
- return;
-
- dns_name_format(dns_zone_getorigin(zone), namebuf,
- sizeof(namebuf));
- dns_rdataclass_format(dns_zone_getclass(zone), classbuf,
- sizeof(classbuf));
-
- va_start(ap, fmt);
- vsnprintf(message, sizeof(message), fmt, ap);
- va_end(ap);
-
- ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
- level, "updating zone '%s/%s': %s",
- namebuf, classbuf, message);
-}
-
-static isc_result_t
-checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
- dns_name_t *zonename, isc_boolean_t slave)
-{
- char namebuf[DNS_NAME_FORMATSIZE];
- char classbuf[DNS_RDATACLASS_FORMATSIZE];
- int level = ISC_LOG_ERROR;
- const char *msg = "denied";
- isc_result_t result;
-
- if (slave && acl == NULL) {
- result = DNS_R_NOTIMP;
- level = ISC_LOG_DEBUG(3);
- msg = "disabled";
- } else
- result = ns_client_checkaclsilent(client, acl, ISC_FALSE);
-
- if (result == ISC_R_SUCCESS) {
- level = ISC_LOG_DEBUG(3);
- msg = "approved";
- }
-
- dns_name_format(zonename, namebuf, sizeof(namebuf));
- dns_rdataclass_format(client->view->rdclass, classbuf,
- sizeof(classbuf));
-
- ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
- NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
- message, namebuf, classbuf, msg);
- return (result);
-}
-
-/*%
- * Update a single RR in version 'ver' of 'db' and log the
- * update in 'diff'.
- *
- * Ensures:
- * \li '*tuple' == NULL. Either the tuple is freed, or its
- * ownership has been transferred to the diff.
- */
-static isc_result_t
-do_one_tuple(dns_difftuple_t **tuple,
- dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff)
-{
- dns_diff_t temp_diff;
- isc_result_t result;
-
- /*
- * Create a singleton diff.
- */ - dns_diff_init(diff->mctx, &temp_diff); - ISC_LIST_APPEND(temp_diff.tuples, *tuple, link); - - /* - * Apply it to the database. - */ - result = dns_diff_apply(&temp_diff, db, ver); - ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link); - if (result != ISC_R_SUCCESS) { - dns_difftuple_free(tuple); - return (result); - } - - /* - * Merge it into the current pending journal entry. - */ - dns_diff_appendminimal(diff, tuple); - - /* - * Do not clear temp_diff. - */ - return (ISC_R_SUCCESS); -} - -/*% - * Perform the updates in 'updates' in version 'ver' of 'db' and log the - * update in 'diff'. - * - * Ensures: - * \li 'updates' is empty. - */ -static isc_result_t -do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver, - dns_diff_t *diff) -{ - isc_result_t result; - while (! ISC_LIST_EMPTY(updates->tuples)) { - dns_difftuple_t *t = ISC_LIST_HEAD(updates->tuples); - ISC_LIST_UNLINK(updates->tuples, t, link); - CHECK(do_one_tuple(&t, db, ver, diff)); - } - return (ISC_R_SUCCESS); - - failure: - dns_diff_clear(diff); - return (result); -} - -static isc_result_t -update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, - dns_diffop_t op, dns_name_t *name, - dns_ttl_t ttl, dns_rdata_t *rdata) -{ - dns_difftuple_t *tuple = NULL; - isc_result_t result; - result = dns_difftuple_create(diff->mctx, op, - name, ttl, rdata, &tuple); - if (result != ISC_R_SUCCESS) - return (result); - return (do_one_tuple(&tuple, db, ver, diff)); -} - -/**************************************************************************/ -/* - * Callback-style iteration over rdatasets and rdatas. - * - * foreach_rrset() can be used to iterate over the RRsets - * of a name and call a callback function with each - * one. Similarly, foreach_rr() can be used to iterate - * over the individual RRs at name, optionally restricted - * to RRs of a given type. 
- * - * The callback functions are called "actions" and take - * two arguments: a void pointer for passing arbitrary - * context information, and a pointer to the current RRset - * or RR. By convention, their names end in "_action". - */ - -/* - * XXXRTH We might want to make this public somewhere in libdns. - */ - -/*% - * Function type for foreach_rrset() iterator actions. - */ -typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset); - -/*% - * Function type for foreach_rr() iterator actions. - */ -typedef isc_result_t rr_func(void *data, rr_t *rr); - -/*% - * Internal context struct for foreach_node_rr(). - */ -typedef struct { - rr_func * rr_action; - void * rr_action_data; -} foreach_node_rr_ctx_t; - -/*% - * Internal helper function for foreach_node_rr(). - */ -static isc_result_t -foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) { - isc_result_t result; - foreach_node_rr_ctx_t *ctx = data; - for (result = dns_rdataset_first(rdataset); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(rdataset)) - { - rr_t rr = { 0, DNS_RDATA_INIT }; - - dns_rdataset_current(rdataset, &rr.rdata); - rr.ttl = rdataset->ttl; - result = (*ctx->rr_action)(ctx->rr_action_data, &rr); - if (result != ISC_R_SUCCESS) - return (result); - } - if (result != ISC_R_NOMORE) - return (result); - return (ISC_R_SUCCESS); -} - -/*% - * For each rdataset of 'name' in 'ver' of 'db', call 'action' - * with the rdataset and 'action_data' as arguments. If the name - * does not exist, do nothing. - * - * If 'action' returns an error, abort iteration and return the error. 
- */ -static isc_result_t -foreach_rrset(dns_db_t *db, - dns_dbversion_t *ver, - dns_name_t *name, - rrset_func *action, - void *action_data) -{ - isc_result_t result; - dns_dbnode_t *node; - dns_rdatasetiter_t *iter; - - node = NULL; - result = dns_db_findnode(db, name, ISC_FALSE, &node); - if (result == ISC_R_NOTFOUND) - return (ISC_R_SUCCESS); - if (result != ISC_R_SUCCESS) - return (result); - - iter = NULL; - result = dns_db_allrdatasets(db, node, ver, - (isc_stdtime_t) 0, &iter); - if (result != ISC_R_SUCCESS) - goto cleanup_node; - - for (result = dns_rdatasetiter_first(iter); - result == ISC_R_SUCCESS; - result = dns_rdatasetiter_next(iter)) - { - dns_rdataset_t rdataset; - - dns_rdataset_init(&rdataset); - dns_rdatasetiter_current(iter, &rdataset); - - result = (*action)(action_data, &rdataset); - - dns_rdataset_disassociate(&rdataset); - if (result != ISC_R_SUCCESS) - goto cleanup_iterator; - } - if (result == ISC_R_NOMORE) - result = ISC_R_SUCCESS; - - cleanup_iterator: - dns_rdatasetiter_destroy(&iter); - - cleanup_node: - dns_db_detachnode(db, &node); - - return (result); -} - -/*% - * For each RR of 'name' in 'ver' of 'db', call 'action' - * with the RR and 'action_data' as arguments. If the name - * does not exist, do nothing. - * - * If 'action' returns an error, abort iteration - * and return the error. - */ -static isc_result_t -foreach_node_rr(dns_db_t *db, - dns_dbversion_t *ver, - dns_name_t *name, - rr_func *rr_action, - void *rr_action_data) -{ - foreach_node_rr_ctx_t ctx; - ctx.rr_action = rr_action; - ctx.rr_action_data = rr_action_data; - return (foreach_rrset(db, ver, name, - foreach_node_rr_action, &ctx)); -} - - -/*% - * For each of the RRs specified by 'db', 'ver', 'name', 'type', - * (which can be dns_rdatatype_any to match any type), and 'covers', call - * 'action' with the RR and 'action_data' as arguments. If the name - * does not exist, or if no RRset of the given type exists at the name, - * do nothing. 
- * - * If 'action' returns an error, abort iteration and return the error. - */ -static isc_result_t -foreach_rr(dns_db_t *db, - dns_dbversion_t *ver, - dns_name_t *name, - dns_rdatatype_t type, - dns_rdatatype_t covers, - rr_func *rr_action, - void *rr_action_data) -{ - - isc_result_t result; - dns_dbnode_t *node; - dns_rdataset_t rdataset; - - if (type == dns_rdatatype_any) - return (foreach_node_rr(db, ver, name, - rr_action, rr_action_data)); - - node = NULL; - result = dns_db_findnode(db, name, ISC_FALSE, &node); - if (result == ISC_R_NOTFOUND) - return (ISC_R_SUCCESS); - if (result != ISC_R_SUCCESS) - return (result); - - dns_rdataset_init(&rdataset); - result = dns_db_findrdataset(db, node, ver, type, covers, - (isc_stdtime_t) 0, &rdataset, NULL); - if (result == ISC_R_NOTFOUND) { - result = ISC_R_SUCCESS; - goto cleanup_node; - } - if (result != ISC_R_SUCCESS) - goto cleanup_node; - - for (result = dns_rdataset_first(&rdataset); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(&rdataset)) - { - rr_t rr = { 0, DNS_RDATA_INIT }; - dns_rdataset_current(&rdataset, &rr.rdata); - rr.ttl = rdataset.ttl; - result = (*rr_action)(rr_action_data, &rr); - if (result != ISC_R_SUCCESS) - goto cleanup_rdataset; - } - if (result != ISC_R_NOMORE) - goto cleanup_rdataset; - result = ISC_R_SUCCESS; - - cleanup_rdataset: - dns_rdataset_disassociate(&rdataset); - cleanup_node: - dns_db_detachnode(db, &node); - - return (result); -} - -/**************************************************************************/ -/* - * Various tests on the database contents (for prerequisites, etc). - */ - -/*% - * Function type for predicate functions that compare a database RR 'db_rr' - * against an update RR 'update_rr'. - */ -typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr); - -/*% - * Helper function for rrset_exists(). 
- */ -static isc_result_t -rrset_exists_action(void *data, rr_t *rr) { - UNUSED(data); - UNUSED(rr); - return (ISC_R_EXISTS); -} - -/*% - * Utility macro for RR existence checking functions. - * - * If the variable 'result' has the value ISC_R_EXISTS or - * ISC_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE, - * respectively, and return success. - * - * If 'result' has any other value, there was a failure. - * Return the failure result code and do not set *exists. - * - * This would be more readable as "do { if ... } while(0)", - * but that form generates tons of warnings on Solaris 2.6. - */ -#define RETURN_EXISTENCE_FLAG \ - return ((result == ISC_R_EXISTS) ? \ - (*exists = ISC_TRUE, ISC_R_SUCCESS) : \ - ((result == ISC_R_SUCCESS) ? \ - (*exists = ISC_FALSE, ISC_R_SUCCESS) : \ - result)) - -/*% - * Set '*exists' to true iff an rrset of the given type exists, - * to false otherwise. - */ -static isc_result_t -rrset_exists(dns_db_t *db, dns_dbversion_t *ver, - dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers, - isc_boolean_t *exists) -{ - isc_result_t result; - result = foreach_rr(db, ver, name, type, covers, - rrset_exists_action, NULL); - RETURN_EXISTENCE_FLAG; -} - -/*% - * Helper function for cname_incompatible_rrset_exists. - */ -static isc_result_t -cname_compatibility_action(void *data, dns_rdataset_t *rrset) { - UNUSED(data); - if (rrset->type != dns_rdatatype_cname && - ! dns_rdatatype_isdnssec(rrset->type)) - return (ISC_R_EXISTS); - return (ISC_R_SUCCESS); -} - -/*% - * Check whether there is an rrset incompatible with adding a CNAME RR, - * i.e., anything but another CNAME (which can be replaced) or a - * DNSSEC RR (which can coexist). - * - * If such an incompatible rrset exists, set '*exists' to ISC_TRUE. - * Otherwise, set it to ISC_FALSE. 
- */ -static isc_result_t -cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver, - dns_name_t *name, isc_boolean_t *exists) { - isc_result_t result; - result = foreach_rrset(db, ver, name, - cname_compatibility_action, NULL); - RETURN_EXISTENCE_FLAG; -} - -/*% - * Helper function for rr_count(). - */ -static isc_result_t -count_rr_action(void *data, rr_t *rr) { - int *countp = data; - UNUSED(rr); - (*countp)++; - return (ISC_R_SUCCESS); -} - -/*% - * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'. - */ -static isc_result_t -rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, - dns_rdatatype_t type, dns_rdatatype_t covers, int *countp) -{ - *countp = 0; - return (foreach_rr(db, ver, name, type, covers, - count_rr_action, countp)); -} - -/*% - * Context struct and helper function for name_exists(). - */ - -static isc_result_t -name_exists_action(void *data, dns_rdataset_t *rrset) { - UNUSED(data); - UNUSED(rrset); - return (ISC_R_EXISTS); -} - -/*% - * Set '*exists' to true iff the given name exists, to false otherwise. - */ -static isc_result_t -name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, - isc_boolean_t *exists) -{ - isc_result_t result; - result = foreach_rrset(db, ver, name, - name_exists_action, NULL); - RETURN_EXISTENCE_FLAG; -} - -typedef struct { - dns_name_t *name, *signer; - dns_ssutable_t *table; -} ssu_check_t; - -static isc_result_t -ssu_checkrule(void *data, dns_rdataset_t *rrset) { - ssu_check_t *ssuinfo = data; - isc_boolean_t result; - - /* - * If we're deleting all records, it's ok to delete RRSIG and NSEC even - * if we're normally not allowed to. - */ - if (rrset->type == dns_rdatatype_rrsig || - rrset->type == dns_rdatatype_nsec) - return (ISC_R_SUCCESS); - result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer, - ssuinfo->name, rrset->type); - return (result == ISC_TRUE ? 
ISC_R_SUCCESS : ISC_R_FAILURE); -} - -static isc_boolean_t -ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, - dns_ssutable_t *ssutable, dns_name_t *signer) -{ - isc_result_t result; - ssu_check_t ssuinfo; - - ssuinfo.name = name; - ssuinfo.table = ssutable; - ssuinfo.signer = signer; - result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo); - return (ISC_TF(result == ISC_R_SUCCESS)); -} - -/**************************************************************************/ -/* - * Checking of "RRset exists (value dependent)" prerequisites. - * - * In the RFC2136 section 3.2.5, this is the pseudocode involving - * a variable called "temp", a mapping of tuples to rrsets. - * - * Here, we represent the "temp" data structure as (non-minimial) "dns_diff_t" - * where each typle has op==DNS_DIFFOP_EXISTS. - */ - - -/*% - * Append a tuple asserting the existence of the RR with - * 'name' and 'rdata' to 'diff'. - */ -static isc_result_t -temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) { - isc_result_t result; - dns_difftuple_t *tuple = NULL; - - REQUIRE(DNS_DIFF_VALID(diff)); - CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS, - name, 0, rdata, &tuple)); - ISC_LIST_APPEND(diff->tuples, tuple, link); - failure: - return (result); -} - -/*% - * Compare two rdatasets represented as sorted lists of tuples. - * All list elements must have the same owner name and type. - * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset) - * if not. 
- */ -static isc_result_t -temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) { - for (;;) { - if (a == NULL || b == NULL) - break; - INSIST(a->op == DNS_DIFFOP_EXISTS && - b->op == DNS_DIFFOP_EXISTS); - INSIST(a->rdata.type == b->rdata.type); - INSIST(dns_name_equal(&a->name, &b->name)); - if (dns_rdata_compare(&a->rdata, &b->rdata) != 0) - return (DNS_R_NXRRSET); - a = ISC_LIST_NEXT(a, link); - b = ISC_LIST_NEXT(b, link); - } - if (a != NULL || b != NULL) - return (DNS_R_NXRRSET); - return (ISC_R_SUCCESS); -} - -/*% - * A comparison function defining the sorting order for the entries - * in the "temp" data structure. The major sort key is the owner name, - * followed by the type and rdata. - */ -static int -temp_order(const void *av, const void *bv) { - dns_difftuple_t const * const *ap = av; - dns_difftuple_t const * const *bp = bv; - dns_difftuple_t const *a = *ap; - dns_difftuple_t const *b = *bp; - int r; - r = dns_name_compare(&a->name, &b->name); - if (r != 0) - return (r); - r = (b->rdata.type - a->rdata.type); - if (r != 0) - return (r); - r = dns_rdata_compare(&a->rdata, &b->rdata); - return (r); -} - -/*% - * Check the "RRset exists (value dependent)" prerequisite information - * in 'temp' against the contents of the database 'db'. - * - * Return ISC_R_SUCCESS if the prerequisites are satisfied, - * rcode(dns_rcode_nxrrset) if not. - * - * 'temp' must be pre-sorted. - */ - -static isc_result_t -temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, - dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep) -{ - isc_result_t result; - dns_name_t *name; - dns_dbnode_t *node; - dns_difftuple_t *t; - dns_diff_t trash; - - dns_diff_init(mctx, &trash); - - /* - * For each name and type in the prerequisites, - * construct a sorted rdata list of the corresponding - * database contents, and compare the lists. 
- */ - t = ISC_LIST_HEAD(temp->tuples); - while (t != NULL) { - name = &t->name; - (void)dns_name_copy(name, tmpname, NULL); - *typep = t->rdata.type; - - /* A new unique name begins here. */ - node = NULL; - result = dns_db_findnode(db, name, ISC_FALSE, &node); - if (result == ISC_R_NOTFOUND) - return (DNS_R_NXRRSET); - if (result != ISC_R_SUCCESS) - return (result); - - /* A new unique type begins here. */ - while (t != NULL && dns_name_equal(&t->name, name)) { - dns_rdatatype_t type, covers; - dns_rdataset_t rdataset; - dns_diff_t d_rrs; /* Database RRs with - this name and type */ - dns_diff_t u_rrs; /* Update RRs with - this name and type */ - - *typep = type = t->rdata.type; - if (type == dns_rdatatype_rrsig || - type == dns_rdatatype_sig) - covers = dns_rdata_covers(&t->rdata); - else if (type == dns_rdatatype_any) { - dns_db_detachnode(db, &node); - dns_diff_clear(&trash); - return (DNS_R_NXRRSET); - } else - covers = 0; - - /* - * Collect all database RRs for this name and type - * onto d_rrs and sort them. - */ - dns_rdataset_init(&rdataset); - result = dns_db_findrdataset(db, node, ver, type, - covers, (isc_stdtime_t) 0, - &rdataset, NULL); - if (result != ISC_R_SUCCESS) { - dns_db_detachnode(db, &node); - return (DNS_R_NXRRSET); - } - - dns_diff_init(mctx, &d_rrs); - dns_diff_init(mctx, &u_rrs); - - for (result = dns_rdataset_first(&rdataset); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(&rdataset)) - { - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdataset_current(&rdataset, &rdata); - result = temp_append(&d_rrs, name, &rdata); - if (result != ISC_R_SUCCESS) - goto failure; - } - if (result != ISC_R_NOMORE) - goto failure; - result = dns_diff_sort(&d_rrs, temp_order); - if (result != ISC_R_SUCCESS) - goto failure; - - /* - * Collect all update RRs for this name and type - * onto u_rrs. No need to sort them here - - * they are already sorted. 
- */ - while (t != NULL && - dns_name_equal(&t->name, name) && - t->rdata.type == type) - { - dns_difftuple_t *next = - ISC_LIST_NEXT(t, link); - ISC_LIST_UNLINK(temp->tuples, t, link); - ISC_LIST_APPEND(u_rrs.tuples, t, link); - t = next; - } - - /* Compare the two sorted lists. */ - result = temp_check_rrset(ISC_LIST_HEAD(u_rrs.tuples), - ISC_LIST_HEAD(d_rrs.tuples)); - if (result != ISC_R_SUCCESS) - goto failure; - - /* - * We are done with the tuples, but we can't free - * them yet because "name" still points into one - * of them. Move them on a temporary list. - */ - ISC_LIST_APPENDLIST(trash.tuples, u_rrs.tuples, link); - ISC_LIST_APPENDLIST(trash.tuples, d_rrs.tuples, link); - dns_rdataset_disassociate(&rdataset); - - continue; - - failure: - dns_diff_clear(&d_rrs); - dns_diff_clear(&u_rrs); - dns_diff_clear(&trash); - dns_rdataset_disassociate(&rdataset); - dns_db_detachnode(db, &node); - return (result); - } - - dns_db_detachnode(db, &node); - } - - dns_diff_clear(&trash); - return (ISC_R_SUCCESS); -} - -/**************************************************************************/ -/* - * Conditional deletion of RRs. - */ - -/*% - * Context structure for delete_if(). - */ - -typedef struct { - rr_predicate *predicate; - dns_db_t *db; - dns_dbversion_t *ver; - dns_diff_t *diff; - dns_name_t *name; - dns_rdata_t *update_rr; -} conditional_delete_ctx_t; - -/*% - * Predicate functions for delete_if(). - */ - -/*% - * Return true iff 'db_rr' is neither a SOA nor an NS RR nor - * an RRSIG nor a NSEC. - */ -static isc_boolean_t -type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { - UNUSED(update_rr); - return ((db_rr->type != dns_rdatatype_soa && - db_rr->type != dns_rdatatype_ns && - db_rr->type != dns_rdatatype_rrsig && - db_rr->type != dns_rdatatype_nsec) ? - ISC_TRUE : ISC_FALSE); -} - -/*% - * Return true iff 'db_rr' is neither a RRSIG nor a NSEC. 
- */ -static isc_boolean_t -type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { - UNUSED(update_rr); - return ((db_rr->type != dns_rdatatype_rrsig && - db_rr->type != dns_rdatatype_nsec) ? - ISC_TRUE : ISC_FALSE); -} - -/*% - * Return true always. - */ -static isc_boolean_t -true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { - UNUSED(update_rr); - UNUSED(db_rr); - return (ISC_TRUE); -} - -/*% - * Return true iff the two RRs have identical rdata. - */ -static isc_boolean_t -rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { - /* - * XXXRTH This is not a problem, but we should consider creating - * dns_rdata_equal() (that used dns_name_equal()), since it - * would be faster. Not a priority. - */ - return (dns_rdata_compare(update_rr, db_rr) == 0 ? - ISC_TRUE : ISC_FALSE); -} - -/*% - * Return true iff 'update_rr' should replace 'db_rr' according - * to the special RFC2136 rules for CNAME, SOA, and WKS records. - * - * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs - * make little sense, so we replace those, too. - */ -static isc_boolean_t -replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) { - if (db_rr->type != update_rr->type) - return (ISC_FALSE); - if (db_rr->type == dns_rdatatype_cname) - return (ISC_TRUE); - if (db_rr->type == dns_rdatatype_dname) - return (ISC_TRUE); - if (db_rr->type == dns_rdatatype_soa) - return (ISC_TRUE); - if (db_rr->type == dns_rdatatype_nsec) - return (ISC_TRUE); - if (db_rr->type == dns_rdatatype_wks) { - /* - * Compare the address and protocol fields only. These - * form the first five bytes of the RR data. Do a - * raw binary comparison; unpacking the WKS RRs using - * dns_rdata_tostruct() might be cleaner in some ways, - * but it would require us to pass around an mctx. - */ - INSIST(db_rr->length >= 5 && update_rr->length >= 5); - return (memcmp(db_rr->data, update_rr->data, 5) == 0 ? 
- ISC_TRUE : ISC_FALSE); - } - return (ISC_FALSE); -} - -/*% - * Internal helper function for delete_if(). - */ -static isc_result_t -delete_if_action(void *data, rr_t *rr) { - conditional_delete_ctx_t *ctx = data; - if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) { - isc_result_t result; - result = update_one_rr(ctx->db, ctx->ver, ctx->diff, - DNS_DIFFOP_DEL, ctx->name, - rr->ttl, &rr->rdata); - return (result); - } else { - return (ISC_R_SUCCESS); - } -} - -/*% - * Conditionally delete RRs. Apply 'predicate' to the RRs - * specified by 'db', 'ver', 'name', and 'type' (which can - * be dns_rdatatype_any to match any type). Delete those - * RRs for which the predicate returns true, and log the - * deletions in 'diff'. - */ -static isc_result_t -delete_if(rr_predicate *predicate, - dns_db_t *db, - dns_dbversion_t *ver, - dns_name_t *name, - dns_rdatatype_t type, - dns_rdatatype_t covers, - dns_rdata_t *update_rr, - dns_diff_t *diff) -{ - conditional_delete_ctx_t ctx; - ctx.predicate = predicate; - ctx.db = db; - ctx.ver = ver; - ctx.diff = diff; - ctx.name = name; - ctx.update_rr = update_rr; - return (foreach_rr(db, ver, name, type, covers, - delete_if_action, &ctx)); -} - -/**************************************************************************/ -/*% - * Prepare an RR for the addition of the new RR 'ctx->update_rr', - * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting - * the RRs if it is replaced by the new RR or has a conflicting TTL. - * The necessary changes are appended to ctx->del_diff and ctx->add_diff; - * we need to do all deletions before any additions so that we don't run - * into transient states with conflicting TTLs. 
- */ - -typedef struct { - dns_db_t *db; - dns_dbversion_t *ver; - dns_diff_t *diff; - dns_name_t *name; - dns_rdata_t *update_rr; - dns_ttl_t update_rr_ttl; - isc_boolean_t ignore_add; - dns_diff_t del_diff; - dns_diff_t add_diff; -} add_rr_prepare_ctx_t; - -static isc_result_t -add_rr_prepare_action(void *data, rr_t *rr) { - isc_result_t result = ISC_R_SUCCESS; - add_rr_prepare_ctx_t *ctx = data; - dns_difftuple_t *tuple = NULL; - isc_boolean_t equal; - - /* - * If the update RR is a "duplicate" of the update RR, - * the update should be silently ignored. - */ - equal = ISC_TF(dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0); - if (equal && rr->ttl == ctx->update_rr_ttl) { - ctx->ignore_add = ISC_TRUE; - return (ISC_R_SUCCESS); - } - - /* - * If this RR is "equal" to the update RR, it should - * be deleted before the update RR is added. - */ - if (replaces_p(ctx->update_rr, &rr->rdata)) { - CHECK(dns_difftuple_create(ctx->del_diff.mctx, - DNS_DIFFOP_DEL, ctx->name, - rr->ttl, - &rr->rdata, - &tuple)); - dns_diff_append(&ctx->del_diff, &tuple); - return (ISC_R_SUCCESS); - } - - /* - * If this RR differs in TTL from the update RR, - * its TTL must be adjusted. - */ - if (rr->ttl != ctx->update_rr_ttl) { - CHECK(dns_difftuple_create(ctx->del_diff.mctx, - DNS_DIFFOP_DEL, ctx->name, - rr->ttl, - &rr->rdata, - &tuple)); - dns_diff_append(&ctx->del_diff, &tuple); - if (!equal) { - CHECK(dns_difftuple_create(ctx->add_diff.mctx, - DNS_DIFFOP_ADD, ctx->name, - ctx->update_rr_ttl, - &rr->rdata, - &tuple)); - dns_diff_append(&ctx->add_diff, &tuple); - } - } - failure: - return (result); -} - -/**************************************************************************/ -/* - * Miscellaneous subroutines. - */ - -/*% - * Extract a single update RR from 'section' of dynamic update message - * 'msg', with consistency checking. - * - * Stores the owner name, rdata, and TTL of the update RR at 'name', - * 'rdata', and 'ttl', respectively. 
- */ -static void -get_current_rr(dns_message_t *msg, dns_section_t section, - dns_rdataclass_t zoneclass, - dns_name_t **name, dns_rdata_t *rdata, dns_rdatatype_t *covers, - dns_ttl_t *ttl, - dns_rdataclass_t *update_class) -{ - dns_rdataset_t *rdataset; - isc_result_t result; - dns_message_currentname(msg, section, name); - rdataset = ISC_LIST_HEAD((*name)->list); - INSIST(rdataset != NULL); - INSIST(ISC_LIST_NEXT(rdataset, link) == NULL); - *covers = rdataset->covers; - *ttl = rdataset->ttl; - result = dns_rdataset_first(rdataset); - INSIST(result == ISC_R_SUCCESS); - dns_rdataset_current(rdataset, rdata); - INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE); - *update_class = rdata->rdclass; - rdata->rdclass = zoneclass; -} - -/*% - * Increment the SOA serial number of database 'db', version 'ver'. - * Replace the SOA record in the database, and log the - * change in 'diff'. - */ - - /* - * XXXRTH Failures in this routine will be worth logging, when - * we have a logging system. Failure to find the zonename - * or the SOA rdataset warrant at least an UNEXPECTED_ERROR(). 
- */
-
-static isc_result_t
-increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff, isc_mem_t *mctx)
-{
- dns_difftuple_t *deltuple = NULL;
- dns_difftuple_t *addtuple = NULL;
- isc_uint32_t serial;
- isc_result_t result;
-
- CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
- CHECK(dns_difftuple_copy(deltuple, &addtuple));
- addtuple->op = DNS_DIFFOP_ADD;
-
- serial = dns_soa_getserial(&addtuple->rdata);
-
- /* RFC1982 */
- serial = (serial + 1) & 0xFFFFFFFF;
- if (serial == 0)
- serial = 1;
-
- dns_soa_setserial(serial, &addtuple->rdata);
- CHECK(do_one_tuple(&deltuple, db, ver, diff));
- CHECK(do_one_tuple(&addtuple, db, ver, diff));
- result = ISC_R_SUCCESS;
-
- failure:
- if (addtuple != NULL)
- dns_difftuple_free(&addtuple);
- if (deltuple != NULL)
- dns_difftuple_free(&deltuple);
- return (result);
-}
-
-/*%
- * Check that the new SOA record at 'update_rdata' does not
- * illegally cause the SOA serial number to decrease or stay
- * unchanged relative to the existing SOA in 'db'.
- *
- * Sets '*ok' to ISC_TRUE if the update is legal, ISC_FALSE if not.
- *
- * William King points out that RFC2136 is inconsistent about
- * the case where the serial number stays unchanged:
- *
- * section 3.4.2.2 requires a server to ignore a SOA update request
- * if the serial number on the update SOA is less_than_or_equal to
- * the zone SOA serial.
- *
- * section 3.6 requires a server to ignore a SOA update request if
- * the serial is less_than the zone SOA serial.
- *
- * Paul says 3.4.2.2 is correct.
- *
- */
-static isc_result_t
-check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
- dns_rdata_t *update_rdata,
- isc_boolean_t *ok)
-{
- isc_uint32_t db_serial;
- isc_uint32_t update_serial;
- isc_result_t result;
-
- update_serial = dns_soa_getserial(update_rdata);
-
- result = dns_db_getsoaserial(db, ver, &db_serial);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (DNS_SERIAL_GE(db_serial, update_serial)) {
- *ok = ISC_FALSE;
- } else {
- *ok = ISC_TRUE;
- }
-
- return (ISC_R_SUCCESS);
-
-}
-
-/**************************************************************************/
-/*
- * Incremental updating of NSECs and RRSIGs.
- */
-
-#define MAXZONEKEYS 32 /*%< Maximum number of zone keys supported. */
-
-/*%
- * We abuse the dns_diff_t type to represent a set of domain names
- * affected by the update.
- */
-static isc_result_t
-namelist_append_name(dns_diff_t *list, dns_name_t *name) {
- isc_result_t result;
- dns_difftuple_t *tuple = NULL;
- static dns_rdata_t dummy_rdata = DNS_RDATA_INIT;
-
- CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0,
- &dummy_rdata, &tuple));
- dns_diff_append(list, &tuple);
- failure:
- return (result);
-}
-
-static isc_result_t
-namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
-{
- isc_result_t result;
- dns_fixedname_t fixedname;
- dns_name_t *child;
- dns_dbiterator_t *dbit = NULL;
-
- dns_fixedname_init(&fixedname);
- child = dns_fixedname_name(&fixedname);
-
- CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
-
- for (result = dns_dbiterator_seek(dbit, name);
- result == ISC_R_SUCCESS;
- result = dns_dbiterator_next(dbit))
- {
- dns_dbnode_t *node = NULL;
- CHECK(dns_dbiterator_current(dbit, &node, child));
- dns_db_detachnode(db, &node);
- if (! dns_name_issubdomain(child, name))
- break;
- CHECK(namelist_append_name(affected, child));
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- failure:
- if (dbit != NULL)
- dns_dbiterator_destroy(&dbit);
- return (result);
-}
-
-
-
-/*%
- * Helper function for non_nsec_rrset_exists().
- */
-static isc_result_t
-is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
- UNUSED(data);
- if (!(rrset->type == dns_rdatatype_nsec ||
- (rrset->type == dns_rdatatype_rrsig &&
- rrset->covers == dns_rdatatype_nsec)))
- return (ISC_R_EXISTS);
- return (ISC_R_SUCCESS);
-}
-
-/*%
- * Check whether there is an rrset other than a NSEC or RRSIG NSEC,
- * i.e., anything that justifies the continued existence of a name
- * after a secure update.
- *
- * If such an rrset exists, set '*exists' to ISC_TRUE.
- * Otherwise, set it to ISC_FALSE.
- */
-static isc_result_t
-non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
- dns_name_t *name, isc_boolean_t *exists)
-{
- isc_result_t result;
- result = foreach_rrset(db, ver, name,
- is_non_nsec_action, NULL);
- RETURN_EXISTENCE_FLAG;
-}
-
-/*%
- * A comparison function for sorting dns_diff_t:s by name.
- */
-static int
-name_order(const void *av, const void *bv) {
- dns_difftuple_t const * const *ap = av;
- dns_difftuple_t const * const *bp = bv;
- dns_difftuple_t const *a = *ap;
- dns_difftuple_t const *b = *bp;
- return (dns_name_compare(&a->name, &b->name));
-}
-
-static isc_result_t
-uniqify_name_list(dns_diff_t *list) {
- isc_result_t result;
- dns_difftuple_t *p, *q;
-
- CHECK(dns_diff_sort(list, name_order));
-
- p = ISC_LIST_HEAD(list->tuples);
- while (p != NULL) {
- do {
- q = ISC_LIST_NEXT(p, link);
- if (q == NULL || ! dns_name_equal(&p->name, &q->name))
- break;
- ISC_LIST_UNLINK(list->tuples, q, link);
- dns_difftuple_free(&q);
- } while (1);
- p = ISC_LIST_NEXT(p, link);
- }
- failure:
- return (result);
-}
-
-
-static isc_result_t
-is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- isc_boolean_t *flag)
-{
- isc_result_t result;
- dns_fixedname_t foundname;
- dns_fixedname_init(&foundname);
- result = dns_db_find(db, name, ver, dns_rdatatype_any,
- DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
- (isc_stdtime_t) 0, NULL,
- dns_fixedname_name(&foundname),
- NULL, NULL);
- if (result == ISC_R_SUCCESS) {
- *flag = ISC_FALSE;
- return (ISC_R_SUCCESS);
- } else if (result == DNS_R_ZONECUT) {
- /*
- * We are at the zonecut. The name will have an NSEC, but
- * non-delegation will be omitted from the type bit map.
- */
- *flag = ISC_FALSE;
- return (ISC_R_SUCCESS);
- } else if (result == DNS_R_GLUE || result == DNS_R_DNAME) {
- *flag = ISC_TRUE;
- return (ISC_R_SUCCESS);
- } else {
- return (result);
- }
-}
-
-/*%
- * Find the next/previous name that has a NSEC record.
- * In other words, skip empty database nodes and names that
- * have had their NSECs removed because they are obscured by
- * a zone cut.
- */
-static isc_result_t
-next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname,
- isc_boolean_t forward)
-{
- isc_result_t result;
- dns_dbiterator_t *dbit = NULL;
- isc_boolean_t has_nsec;
- unsigned int wraps = 0;
-
- CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
-
- CHECK(dns_dbiterator_seek(dbit, oldname));
- do {
- dns_dbnode_t *node = NULL;
-
- if (forward)
- result = dns_dbiterator_next(dbit);
- else
- result = dns_dbiterator_prev(dbit);
- if (result == ISC_R_NOMORE) {
- /*
- * Wrap around.
- */
- if (forward)
- CHECK(dns_dbiterator_first(dbit));
- else
- CHECK(dns_dbiterator_last(dbit));
- wraps++;
- if (wraps == 2) {
- update_log(client, zone, ISC_LOG_ERROR,
- "secure zone with no NSECs");
- result = DNS_R_BADZONE;
- goto failure;
- }
- }
- CHECK(dns_dbiterator_current(dbit, &node, newname));
- dns_db_detachnode(db, &node);
-
- /*
- * The iterator may hold the tree lock, and
- * rrset_exists() calls dns_db_findnode() which
- * may try to reacquire it. To avoid deadlock
- * we must pause the iterator first.
- */
- CHECK(dns_dbiterator_pause(dbit));
- CHECK(rrset_exists(db, ver, newname,
- dns_rdatatype_nsec, 0, &has_nsec));
-
- } while (! has_nsec);
- failure:
- if (dbit != NULL)
- dns_dbiterator_destroy(&dbit);
-
- return (result);
-}
-
-/*%
- * Add a NSEC record for "name", recording the change in "diff".
- * The existing NSEC is removed.
- */
-static isc_result_t
-add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *ver, dns_name_t *name, dns_ttl_t nsecttl,
- dns_diff_t *diff)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- unsigned char buffer[DNS_NSEC_BUFFERSIZE];
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_difftuple_t *tuple = NULL;
- dns_fixedname_t fixedname;
- dns_name_t *target;
-
- dns_fixedname_init(&fixedname);
- target = dns_fixedname_name(&fixedname);
-
- /*
- * Find the successor name, aka NSEC target.
- */
- CHECK(next_active(client, zone, db, ver, name, target, ISC_TRUE));
-
- /*
- * Create the NSEC RDATA.
- */
- CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
- dns_rdata_init(&rdata);
- CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
- dns_db_detachnode(db, &node);
-
- /*
- * Delete the old NSEC and record the change.
- */
- CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0,
- NULL, diff));
- /*
- * Add the new NSEC and record the change.
- */
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
- nsecttl, &rdata, &tuple));
- CHECK(do_one_tuple(&tuple, db, ver, diff));
- INSIST(tuple == NULL);
-
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-/*%
- * Add a placeholder NSEC record for "name", recording the change in "diff".
- */
-static isc_result_t
-add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_diff_t *diff) {
- isc_result_t result;
- dns_difftuple_t *tuple = NULL;
- isc_region_t r;
- unsigned char data[1] = { 0 }; /* The root domain, no bits. */
- dns_rdata_t rdata = DNS_RDATA_INIT;
-
- r.base = data;
- r.length = sizeof(data);
- dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
- &rdata, &tuple));
- CHECK(do_one_tuple(&tuple, db, ver, diff));
- failure:
- return (result);
-}
-
-static isc_result_t
-find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
- isc_mem_t *mctx, unsigned int maxkeys,
- dst_key_t **keys, unsigned int *nkeys)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- const char *directory = dns_zone_getkeydirectory(zone);
- CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
- CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
- directory, mctx, maxkeys, keys, nkeys));
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-static isc_boolean_t
-ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
- isc_boolean_t ret = ISC_FALSE;
- isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_dnskey_t dnskey;
-
- dns_rdataset_init(&rdataset);
- CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
- CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
- &rdataset, NULL));
- CHECK(dns_rdataset_first(&rdataset));
- while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
- dns_rdataset_current(&rdataset, &rdata);
- CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
- if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
- == DNS_KEYOWNER_ZONE) {
- if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
- have_ksk = ISC_TRUE;
- else
- have_nonksk = ISC_TRUE;
- }
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(&rdataset);
- }
- if (have_ksk && have_nonksk)
- ret = ISC_TRUE;
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (ret);
-}
-
-/*%
- * Add RRSIG records for an RRset, recording the change in "diff".
- */
-static isc_result_t
-add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
- unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
- isc_stdtime_t expire, isc_boolean_t check_ksk)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t sig_rdata = DNS_RDATA_INIT;
- isc_buffer_t buffer;
- unsigned char data[1024]; /* XXX */
- unsigned int i;
-
- dns_rdataset_init(&rdataset);
- isc_buffer_init(&buffer, data, sizeof(data));
-
- /* Get the rdataset to sign. */
- CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
- CHECK(dns_db_findrdataset(db, node, ver, type, 0,
- (isc_stdtime_t) 0,
- &rdataset, NULL));
- dns_db_detachnode(db, &node);
-
- for (i = 0; i < nkeys; i++) {
-
- if (check_ksk && type != dns_rdatatype_dnskey &&
- (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
- continue;
-
- if (!dst_key_isprivate(keys[i]))
- continue;
-
- /* Calculate the signature, creating a RRSIG RDATA. */
- CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
- &inception, &expire,
- mctx, &buffer, &sig_rdata));
-
- /* Update the database and journal with the RRSIG. */
- /* XXX inefficient - will cause dataset merging */
- CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name,
- rdataset.ttl, &sig_rdata));
- dns_rdata_reset(&sig_rdata);
- }
-
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-/*%
- * Update RRSIG and NSEC records affected by an update. The original
- * update, including the SOA serial update but exluding the RRSIG & NSEC
- * changes, is in "diff" and has already been applied to "newver" of "db".
- * The database version prior to the update is "oldver".
- *
- * The necessary RRSIG and NSEC changes will be applied to "newver"
- * and added (as a minimal diff) to "diff".
- *
- * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
- */
-static isc_result_t
-update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *oldver, dns_dbversion_t *newver,
- dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
-{
- isc_result_t result;
- dns_difftuple_t *t;
- dns_diff_t diffnames;
- dns_diff_t affected;
- dns_diff_t sig_diff;
- dns_diff_t nsec_diff;
- dns_diff_t nsec_mindiff;
- isc_boolean_t flag;
- dst_key_t *zone_keys[MAXZONEKEYS];
- unsigned int nkeys = 0;
- unsigned int i;
- isc_stdtime_t now, inception, expire;
- dns_ttl_t nsecttl;
- dns_rdata_soa_t soa;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t rdataset;
- dns_dbnode_t *node = NULL;
- isc_boolean_t check_ksk;
-
- dns_diff_init(client->mctx, &diffnames);
- dns_diff_init(client->mctx, &affected);
-
- dns_diff_init(client->mctx, &sig_diff);
- dns_diff_init(client->mctx, &nsec_diff);
- dns_diff_init(client->mctx, &nsec_mindiff);
-
- result = find_zone_keys(zone, db, newver, client->mctx,
- MAXZONEKEYS, zone_keys, &nkeys);
- if (result != ISC_R_SUCCESS) {
- update_log(client, zone, ISC_LOG_ERROR,
- "could not get zone keys for secure dynamic update");
- goto failure;
- }
-
- isc_stdtime_get(&now);
- inception = now - 3600; /* Allow for some clock skew. */
- expire = now + sigvalidityinterval;
-
- /*
- * Do we look at the KSK flag on the DNSKEY to determining which
- * keys sign which RRsets? First check the zone option then
- * check the keys flags to make sure atleast one has a ksk set
- * and one doesn't.
- */
- check_ksk = ISC_TF((dns_zone_getoptions(zone) &
- DNS_ZONEOPT_UPDATECHECKKSK) != 0);
- if (check_ksk)
- check_ksk = ksk_sanity(db, newver);
-
- /*
- * Get the NSEC's TTL from the SOA MINIMUM field.
- */
- CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
- dns_rdataset_init(&rdataset);
- CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0,
- (isc_stdtime_t) 0, &rdataset, NULL));
- CHECK(dns_rdataset_first(&rdataset));
- dns_rdataset_current(&rdataset, &rdata);
- CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
- nsecttl = soa.minimum;
- dns_rdataset_disassociate(&rdataset);
- dns_db_detachnode(db, &node);
-
- /*
- * Find all RRsets directly affected by the update, and
- * update their RRSIGs. Also build a list of names affected
- * by the update in "diffnames".
- */
- CHECK(dns_diff_sort(diff, temp_order));
-
- t = ISC_LIST_HEAD(diff->tuples);
- while (t != NULL) {
- dns_name_t *name = &t->name;
- /* Now "name" is a new, unique name affected by the update. */
-
- CHECK(namelist_append_name(&diffnames, name));
-
- while (t != NULL && dns_name_equal(&t->name, name)) {
- dns_rdatatype_t type;
- type = t->rdata.type;
-
- /*
- * Now "name" and "type" denote a new unique RRset
- * affected by the update.
- */
-
- /* Don't sign RRSIGs. */
- if (type == dns_rdatatype_rrsig)
- goto skip;
-
- /*
- * Delete all old RRSIGs covering this type, since they
- * are all invalid when the signed RRset has changed.
- * We may not be able to recreate all of them - tough.
- */
- CHECK(delete_if(true_p, db, newver, name,
- dns_rdatatype_rrsig, type,
- NULL, &sig_diff));
-
- /*
- * If this RRset still exists after the update,
- * add a new signature for it.
- */
- CHECK(rrset_exists(db, newver, name, type, 0, &flag));
- if (flag) {
- CHECK(add_sigs(db, newver, name, type,
- &sig_diff, zone_keys, nkeys,
- client->mctx, inception,
- expire, check_ksk));
- }
- skip:
- /* Skip any other updates to the same RRset. */
- while (t != NULL &&
- dns_name_equal(&t->name, name) &&
- t->rdata.type == type)
- {
- t = ISC_LIST_NEXT(t, link);
- }
- }
- }
-
- /* Remove orphaned NSECs and RRSIG NSECs. */
- for (t = ISC_LIST_HEAD(diffnames.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- CHECK(non_nsec_rrset_exists(db, newver, &t->name, &flag));
- if (! flag) {
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_any, 0,
- NULL, &sig_diff));
- }
- }
-
- /*
- * When a name is created or deleted, its predecessor needs to
- * have its NSEC updated.
- */
- for (t = ISC_LIST_HEAD(diffnames.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- isc_boolean_t existed, exists;
- dns_fixedname_t fixedname;
- dns_name_t *prevname;
-
- dns_fixedname_init(&fixedname);
- prevname = dns_fixedname_name(&fixedname);
-
- CHECK(name_exists(db, oldver, &t->name, &existed));
- CHECK(name_exists(db, newver, &t->name, &exists));
- if (exists == existed)
- continue;
-
- /*
- * Find the predecessor.
- * When names become obscured or unobscured in this update
- * transaction, we may find the wrong predecessor because
- * the NSECs have not yet been updated to reflect the delegation
- * change. This should not matter because in this case,
- * the correct predecessor is either the delegation node or
- * a newly unobscured node, and those nodes are on the
- * "affected" list in any case.
- */
- CHECK(next_active(client, zone, db, newver,
- &t->name, prevname, ISC_FALSE));
- CHECK(namelist_append_name(&affected, prevname));
- }
-
- /*
- * Find names potentially affected by delegation changes
- * (obscured by adding an NS or DNAME, or unobscured by
- * removing one).
- */
- for (t = ISC_LIST_HEAD(diffnames.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- isc_boolean_t ns_existed, dname_existed;
- isc_boolean_t ns_exists, dname_exists;
-
- CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_ns, 0,
- &ns_existed));
- CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_dname, 0,
- &dname_existed));
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
- &ns_exists));
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_dname, 0,
- &dname_exists));
- if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
- continue;
- /*
- * There was a delegation change. Mark all subdomains
- * of t->name as potentially needing a NSEC update.
- */
- CHECK(namelist_append_subdomain(db, &t->name, &affected));
- }
-
- ISC_LIST_APPENDLIST(affected.tuples, diffnames.tuples, link);
- INSIST(ISC_LIST_EMPTY(diffnames.tuples));
-
- CHECK(uniqify_name_list(&affected));
-
- /*
- * Determine which names should have NSECs, and delete/create
- * NSECs to make it so. We don't know the final NSEC targets yet,
- * so we just create placeholder NSECs with arbitrary contents
- * to indicate that their respective owner names should be part of
- * the NSEC chain.
- */
- for (t = ISC_LIST_HEAD(affected.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- isc_boolean_t exists;
- CHECK(name_exists(db, newver, &t->name, &exists));
- if (! exists)
- continue;
- CHECK(is_glue(db, newver, &t->name, &flag));
- if (flag) {
- /*
- * This name is obscured. Delete any
- * existing NSEC record.
- */
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_nsec, 0,
- NULL, &nsec_diff));
- } else {
- /*
- * This name is not obscured. It should have a NSEC.
- */
- CHECK(rrset_exists(db, newver, &t->name,
- dns_rdatatype_nsec, 0, &flag));
- if (! flag)
- CHECK(add_placeholder_nsec(db, newver, &t->name,
- diff));
- }
- }
-
- /*
- * Now we know which names are part of the NSEC chain.
- * Make them all point at their correct targets.
- */
- for (t = ISC_LIST_HEAD(affected.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- CHECK(rrset_exists(db, newver, &t->name,
- dns_rdatatype_nsec, 0, &flag));
- if (flag) {
- /*
- * There is a NSEC, but we don't know if it is correct.
- * Delete it and create a correct one to be sure.
- * If the update was unnecessary, the diff minimization
- * will take care of eliminating it from the journal,
- * IXFRs, etc.
- *
- * The RRSIG bit should always be set in the NSECs
- * we generate, because they will all get RRSIG NSECs.
- * (XXX what if the zone keys are missing?).
- * Because the RRSIG NSECs have not necessarily been
- * created yet, the correctness of the bit mask relies
- * on the assumption that NSECs are only created if
- * there is other data, and if there is other data,
- * there are other RRSIGs.
- */
- CHECK(add_nsec(client, zone, db, newver, &t->name,
- nsecttl, &nsec_diff));
- }
- }
-
- /*
- * Minimize the set of NSEC updates so that we don't
- * have to regenerate the RRSIG NSECs for NSECs that were
- * replaced with identical ones.
- */
- while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
- ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
- dns_diff_appendminimal(&nsec_mindiff, &t);
- }
-
- /* Update RRSIG NSECs. */
- for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- if (t->op == DNS_DIFFOP_DEL) {
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_rrsig, dns_rdatatype_nsec,
- NULL, &sig_diff));
- } else if (t->op == DNS_DIFFOP_ADD) {
- CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec,
- &sig_diff, zone_keys, nkeys,
- client->mctx, inception, expire,
- check_ksk));
- } else {
- INSIST(0);
- }
- }
-
- /* Record our changes for the journal. */
- while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
- ISC_LIST_UNLINK(sig_diff.tuples, t, link);
- dns_diff_appendminimal(diff, &t);
- }
- while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
- ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
- dns_diff_appendminimal(diff, &t);
- }
-
- INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
- INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
- INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
-
- failure:
- dns_diff_clear(&sig_diff);
- dns_diff_clear(&nsec_diff);
- dns_diff_clear(&nsec_mindiff);
-
- dns_diff_clear(&affected);
- dns_diff_clear(&diffnames);
-
- for (i = 0; i < nkeys; i++)
- dst_key_free(&zone_keys[i]);
-
- return (result);
-}
-
-
-/**************************************************************************/
-/*%
- * The actual update code in all its glory. We try to follow
- * the RFC2136 pseudocode as closely as possible.
- */
-
-static isc_result_t
-send_update_event(ns_client_t *client, dns_zone_t *zone) {
- isc_result_t result = ISC_R_SUCCESS;
- update_event_t *event = NULL;
- isc_task_t *zonetask = NULL;
- ns_client_t *evclient;
-
- event = (update_event_t *)
- isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
- update_action, NULL, sizeof(*event));
- if (event == NULL)
- FAIL(ISC_R_NOMEMORY);
- event->zone = zone;
- event->result = ISC_R_SUCCESS;
-
- evclient = NULL;
- ns_client_attach(client, &evclient);
- INSIST(client->nupdates == 0);
- client->nupdates++;
- event->ev_arg = evclient;
-
- dns_zone_gettask(zone, &zonetask);
- isc_task_send(zonetask, ISC_EVENT_PTR(&event));
-
- failure:
- if (event != NULL)
- isc_event_free(ISC_EVENT_PTR(&event));
- return (result);
-}
-
-static void
-respond(ns_client_t *client, isc_result_t result) {
- isc_result_t msg_result;
-
- msg_result = dns_message_reply(client->message, ISC_TRUE);
- if (msg_result != ISC_R_SUCCESS)
- goto msg_failure;
- client->message->rcode = dns_result_torcode(result);
-
- ns_client_send(client);
- return;
-
- msg_failure:
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
- ISC_LOG_ERROR,
- "could not create update response message: %s",
- isc_result_totext(msg_result));
- ns_client_next(client, msg_result);
-}
-
-void
-ns_update_start(ns_client_t *client, isc_result_t sigresult) {
- dns_message_t *request = client->message;
- isc_result_t result;
- dns_name_t *zonename;
- dns_rdataset_t *zone_rdataset;
- dns_zone_t *zone = NULL;
-
- /*
- * Interpret the zone section.
- */
- result = dns_message_firstname(request, DNS_SECTION_ZONE);
- if (result != ISC_R_SUCCESS)
- FAILC(DNS_R_FORMERR,
- "update zone section empty");
-
- /*
- * The zone section must contain exactly one "question", and
- * it must be of type SOA.
- */
- zonename = NULL;
- dns_message_currentname(request, DNS_SECTION_ZONE, &zonename);
- zone_rdataset = ISC_LIST_HEAD(zonename->list);
- if (zone_rdataset->type != dns_rdatatype_soa)
- FAILC(DNS_R_FORMERR,
- "update zone section contains non-SOA");
- if (ISC_LIST_NEXT(zone_rdataset, link) != NULL)
- FAILC(DNS_R_FORMERR,
- "update zone section contains multiple RRs");
-
- /* The zone section must have exactly one name. */
- result = dns_message_nextname(request, DNS_SECTION_ZONE);
- if (result != ISC_R_NOMORE)
- FAILC(DNS_R_FORMERR,
- "update zone section contains multiple RRs");
-
- result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
- &zone);
- if (result != ISC_R_SUCCESS)
- FAILC(DNS_R_NOTAUTH,
- "not authoritative for update zone");
-
- switch(dns_zone_gettype(zone)) {
- case dns_zone_master:
- /*
- * We can now fail due to a bad signature as we now know
- * that we are the master.
- */
- if (sigresult != ISC_R_SUCCESS)
- FAIL(sigresult);
- CHECK(send_update_event(client, zone));
- break;
- case dns_zone_slave:
- CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
- "update forwarding", zonename, ISC_TRUE));
- CHECK(send_forward_event(client, zone));
- break;
- default:
- FAILC(DNS_R_NOTAUTH,
- "not authoritative for update zone");
- }
- return;
-
- failure:
- /*
- * We failed without having sent an update event to the zone.
- * We are still in the client task context, so we can
- * simply give an error response without switching tasks.
- */
- respond(client, result);
- if (zone != NULL)
- dns_zone_detach(&zone);
-}
-
-/*%
- * DS records are not allowed to exist without corresponding NS records,
- * draft-ietf-dnsext-delegation-signer-11.txt, 2.2 Protocol Change,
- * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
- */
-
-static isc_result_t
-remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
- isc_result_t result;
- isc_boolean_t ns_exists, ds_exists;
- dns_difftuple_t *t;
-
- for (t = ISC_LIST_HEAD(diff->tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link)) {
- if (t->op != DNS_DIFFOP_ADD ||
- t->rdata.type != dns_rdatatype_ns)
- continue;
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
- &ns_exists));
- if (ns_exists)
- continue;
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ds, 0,
- &ds_exists));
- if (!ds_exists)
- continue;
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_ds, 0, NULL, diff));
- }
- return (ISC_R_SUCCESS);
-
- failure:
- return (result);
-}
-
-/*
- * This implements the post load integrity checks for mx records.
- */
-static isc_result_t
-check_mx(ns_client_t *client, dns_zone_t *zone,
- dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff)
-{
- char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
- char ownerbuf[DNS_NAME_FORMATSIZE];
- char namebuf[DNS_NAME_FORMATSIZE];
- char altbuf[DNS_NAME_FORMATSIZE];
- dns_difftuple_t *t;
- dns_fixedname_t fixed;
- dns_name_t *foundname;
- dns_rdata_mx_t mx;
- dns_rdata_t rdata;
- isc_boolean_t ok = ISC_TRUE;
- isc_boolean_t isaddress;
- isc_result_t result;
- struct in6_addr addr6;
- struct in_addr addr;
- unsigned int options;
-
- dns_fixedname_init(&fixed);
- foundname = dns_fixedname_name(&fixed);
- dns_rdata_init(&rdata);
- options = dns_zone_getoptions(zone);
-
- for (t = ISC_LIST_HEAD(diff->tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link)) {
- if (t->op != DNS_DIFFOP_ADD ||
- t->rdata.type != dns_rdatatype_mx)
- continue;
-
- result = dns_rdata_tostruct(&t->rdata, &mx, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- /*
- * Check if we will error out if we attempt to reload the
- * zone.
- */
- dns_name_format(&mx.mx, namebuf, sizeof(namebuf));
- dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf));
- isaddress = ISC_FALSE;
- if ((options & DNS_RDATA_CHECKMX) != 0 &&
- strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp)) {
- if (tmp[strlen(tmp) - 1] == '.')
- tmp[strlen(tmp) - 1] = '\0';
- if (inet_aton(tmp, &addr) == 1 ||
- inet_pton(AF_INET6, tmp, &addr6) == 1)
- isaddress = ISC_TRUE;
- }
-
- if (isaddress && (options & DNS_RDATA_CHECKMXFAIL) != 0) {
- update_log(client, zone, ISC_LOG_ERROR,
- "%s/MX: '%s': %s",
- ownerbuf, namebuf,
- dns_result_totext(DNS_R_MXISADDRESS));
- ok = ISC_FALSE;
- } else if (isaddress) {
- update_log(client, zone, ISC_LOG_WARNING,
- "%s/MX: warning: '%s': %s",
- ownerbuf, namebuf,
- dns_result_totext(DNS_R_MXISADDRESS));
- }
-
- /*
- * Check zone integrity checks.
- */
- if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0)
- continue;
- result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a,
- 0, 0, NULL, foundname, NULL, NULL);
- if (result == ISC_R_SUCCESS)
- continue;
-
- if (result == DNS_R_NXRRSET) {
- result = dns_db_find(db, &mx.mx, newver,
- dns_rdatatype_aaaa,
- 0, 0, NULL, foundname,
- NULL, NULL);
- if (result == ISC_R_SUCCESS)
- continue;
- }
-
- if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) {
- update_log(client, zone, ISC_LOG_ERROR,
- "%s/MX '%s' has no address records "
- "(A or AAAA)", ownerbuf, namebuf);
- ok = ISC_FALSE;
- } else if (result == DNS_R_CNAME) {
- update_log(client, zone, ISC_LOG_ERROR,
- "%s/MX '%s' is a CNAME (illegal)",
- ownerbuf, namebuf);
- ok = ISC_FALSE;
- } else if (result == DNS_R_DNAME) {
- dns_name_format(foundname, altbuf, sizeof altbuf);
- update_log(client, zone, ISC_LOG_ERROR,
- "%s/MX '%s' is below a DNAME '%s' (illegal)",
- ownerbuf, namebuf, altbuf);
- ok = ISC_FALSE;
- }
- }
- return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED);
-}
-
-static void
-update_action(isc_task_t *task, isc_event_t *event) {
- update_event_t *uev = (update_event_t *) event;
- dns_zone_t *zone = uev->zone;
- ns_client_t *client = (ns_client_t *)event->ev_arg;
-
- isc_result_t result;
- dns_db_t *db = NULL;
- dns_dbversion_t *oldver = NULL;
- dns_dbversion_t *ver = NULL;
- dns_diff_t diff; /* Pending updates. */
- dns_diff_t temp; /* Pending RR existence assertions. */
- isc_boolean_t soa_serial_changed = ISC_FALSE;
- isc_mem_t *mctx = client->mctx;
- dns_rdatatype_t covers;
- dns_message_t *request = client->message;
- dns_rdataclass_t zoneclass;
- dns_name_t *zonename;
- dns_ssutable_t *ssutable = NULL;
- dns_fixedname_t tmpnamefixed;
- dns_name_t *tmpname = NULL;
- unsigned int options;
-
- INSIST(event->ev_type == DNS_EVENT_UPDATE);
-
- dns_diff_init(mctx, &diff);
- dns_diff_init(mctx, &temp);
-
- CHECK(dns_zone_getdb(zone, &db));
- zonename = dns_db_origin(db);
- zoneclass = dns_db_class(db);
- dns_zone_getssutable(zone, &ssutable);
- dns_db_currentversion(db, &oldver);
- CHECK(dns_db_newversion(db, &ver));
-
- /*
- * Check prerequisites.
- */
-
- for (result = dns_message_firstname(request, DNS_SECTION_PREREQUISITE);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(request, DNS_SECTION_PREREQUISITE))
- {
- dns_name_t *name = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_ttl_t ttl;
- dns_rdataclass_t update_class;
- isc_boolean_t flag;
-
- get_current_rr(request, DNS_SECTION_PREREQUISITE, zoneclass,
- &name, &rdata, &covers, &ttl, &update_class);
-
- if (ttl != 0)
- FAILC(DNS_R_FORMERR, "prerequisite TTL is not zero");
-
- if (! dns_name_issubdomain(name, zonename))
- FAILN(DNS_R_NOTZONE, name,
- "prerequisite name is out of zone");
-
- if (update_class == dns_rdataclass_any) {
- if (rdata.length != 0)
- FAILC(DNS_R_FORMERR,
- "class ANY prerequisite "
- "RDATA is not empty");
- if (rdata.type == dns_rdatatype_any) {
- CHECK(name_exists(db, ver, name, &flag));
- if (! flag) {
- FAILN(DNS_R_NXDOMAIN, name,
- "'name in use' prerequisite "
- "not satisfied");
- }
- } else {
- CHECK(rrset_exists(db, ver, name,
- rdata.type, covers, &flag));
- if (! flag) {
- /* RRset does not exist. */
- FAILNT(DNS_R_NXRRSET, name, rdata.type,
- "'rrset exists (value independent)' "
- "prerequisite not satisfied");
- }
- }
- } else if (update_class == dns_rdataclass_none) {
- if (rdata.length != 0)
- FAILC(DNS_R_FORMERR,
- "class NONE prerequisite "
- "RDATA is not empty");
- if (rdata.type == dns_rdatatype_any) {
- CHECK(name_exists(db, ver, name, &flag));
- if (flag) {
- FAILN(DNS_R_YXDOMAIN, name,
- "'name not in use' prerequisite "
- "not satisfied");
- }
- } else {
- CHECK(rrset_exists(db, ver, name,
- rdata.type, covers, &flag));
- if (flag) {
- /* RRset exists. */
- FAILNT(DNS_R_YXRRSET, name, rdata.type,
- "'rrset does not exist' "
- "prerequisite not satisfied");
- }
- }
- } else if (update_class == zoneclass) {
- /* "temp += rr;" */
- result = temp_append(&temp, name, &rdata);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "temp entry creation failed: %s",
- dns_result_totext(result));
- FAIL(ISC_R_UNEXPECTED);
- }
- } else {
- FAILC(DNS_R_FORMERR, "malformed prerequisite");
- }
- }
- if (result != ISC_R_NOMORE)
- FAIL(result);
-
-
- /*
- * Perform the final check of the "rrset exists (value dependent)"
- * prerequisites.
- */
- if (ISC_LIST_HEAD(temp.tuples) != NULL) {
- dns_rdatatype_t type;
-
- /*
- * Sort the prerequisite records by owner name,
- * type, and rdata.
- */ - result = dns_diff_sort(&temp, temp_order); - if (result != ISC_R_SUCCESS) - FAILC(result, "'RRset exists (value dependent)' " - "prerequisite not satisfied"); - - dns_fixedname_init(&tmpnamefixed); - tmpname = dns_fixedname_name(&tmpnamefixed); - result = temp_check(mctx, &temp, db, ver, tmpname, &type); - if (result != ISC_R_SUCCESS) - FAILNT(result, tmpname, type, - "'RRset exists (value dependent)' " - "prerequisite not satisfied"); - } - - update_log(client, zone, LOGLEVEL_DEBUG, - "prerequisites are OK"); - - /* - * Check Requestor's Permissions. It seems a bit silly to do this - * only after prerequisite testing, but that is what RFC2136 says. - */ - result = ISC_R_SUCCESS; - if (ssutable == NULL) - CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone), - "update", zonename, ISC_FALSE)); - else if (client->signer == NULL) - CHECK(checkupdateacl(client, NULL, "update", zonename, - ISC_FALSE)); - - if (dns_zone_getupdatedisabled(zone)) - FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled"); - - /* - * Perform the Update Section Prescan. - */ - - for (result = dns_message_firstname(request, DNS_SECTION_UPDATE); - result == ISC_R_SUCCESS; - result = dns_message_nextname(request, DNS_SECTION_UPDATE)) - { - dns_name_t *name = NULL; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_ttl_t ttl; - dns_rdataclass_t update_class; - get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, - &name, &rdata, &covers, &ttl, &update_class); - - if (! dns_name_issubdomain(name, zonename)) - FAILC(DNS_R_NOTZONE, - "update RR is outside zone"); - if (update_class == zoneclass) { - /* - * Check for meta-RRs. 
The RFC2136 pseudocode says - * check for ANY|AXFR|MAILA|MAILB, but the text adds - * "or any other QUERY metatype" - */ - if (dns_rdatatype_ismeta(rdata.type)) { - FAILC(DNS_R_FORMERR, - "meta-RR in update"); - } - result = dns_zone_checknames(zone, name, &rdata); - if (result != ISC_R_SUCCESS) - FAIL(DNS_R_REFUSED); - } else if (update_class == dns_rdataclass_any) { - if (ttl != 0 || rdata.length != 0 || - (dns_rdatatype_ismeta(rdata.type) && - rdata.type != dns_rdatatype_any)) - FAILC(DNS_R_FORMERR, - "meta-RR in update"); - } else if (update_class == dns_rdataclass_none) { - if (ttl != 0 || - dns_rdatatype_ismeta(rdata.type)) - FAILC(DNS_R_FORMERR, - "meta-RR in update"); - } else { - update_log(client, zone, ISC_LOG_WARNING, - "update RR has incorrect class %d", - update_class); - FAIL(DNS_R_FORMERR); - } - /* - * draft-ietf-dnsind-simple-secure-update-01 says - * "Unlike traditional dynamic update, the client - * is forbidden from updating NSEC records." - */ - if (dns_db_issecure(db)) { - if (rdata.type == dns_rdatatype_nsec) { - FAILC(DNS_R_REFUSED, - "explicit NSEC updates are not allowed " - "in secure zones"); - } - else if (rdata.type == dns_rdatatype_rrsig) { - FAILC(DNS_R_REFUSED, - "explicit RRSIG updates are currently not " - "supported in secure zones"); - } - } - - if (ssutable != NULL && client->signer != NULL) { - if (rdata.type != dns_rdatatype_any) { - if (!dns_ssutable_checkrules(ssutable, - client->signer, - name, rdata.type)) - FAILC(DNS_R_REFUSED, - "rejected by secure update"); - } - else { - if (!ssu_checkall(db, ver, name, ssutable, - client->signer)) - FAILC(DNS_R_REFUSED, - "rejected by secure update"); - } - } - } - if (result != ISC_R_NOMORE) - FAIL(result); - - update_log(client, zone, LOGLEVEL_DEBUG, - "update section prescan OK"); - - /* - * Process the Update Section. 
- */ - - options = dns_zone_getoptions(zone); - for (result = dns_message_firstname(request, DNS_SECTION_UPDATE); - result == ISC_R_SUCCESS; - result = dns_message_nextname(request, DNS_SECTION_UPDATE)) - { - dns_name_t *name = NULL; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_ttl_t ttl; - dns_rdataclass_t update_class; - isc_boolean_t flag; - - get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, - &name, &rdata, &covers, &ttl, &update_class); - - if (update_class == zoneclass) { - - /* - * RFC1123 doesn't allow MF and MD in master zones. */ - if (rdata.type == dns_rdatatype_md || - rdata.type == dns_rdatatype_mf) { - char typebuf[DNS_RDATATYPE_FORMATSIZE]; - - dns_rdatatype_format(rdata.type, typebuf, - sizeof(typebuf)); - update_log(client, zone, LOGLEVEL_PROTOCOL, - "attempt to add %s ignored", - typebuf); - continue; - } - if (rdata.type == dns_rdatatype_ns && - dns_name_iswildcard(name)) { - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "attempt to add wildcard NS record" - "ignored"); - continue; - } - if (rdata.type == dns_rdatatype_cname) { - CHECK(cname_incompatible_rrset_exists(db, ver, - name, - &flag)); - if (flag) { - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "attempt to add CNAME " - "alongside non-CNAME " - "ignored"); - continue; - } - } else { - CHECK(rrset_exists(db, ver, name, - dns_rdatatype_cname, 0, - &flag)); - if (flag && - ! dns_rdatatype_isdnssec(rdata.type)) - { - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "attempt to add non-CNAME " - "alongside CNAME ignored"); - continue; - } - } - if (rdata.type == dns_rdatatype_soa) { - isc_boolean_t ok; - CHECK(rrset_exists(db, ver, name, - dns_rdatatype_soa, 0, - &flag)); - if (! flag) { - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "attempt to create 2nd " - "SOA ignored"); - continue; - } - CHECK(check_soa_increment(db, ver, &rdata, - &ok)); - if (! 
ok) { - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "SOA update failed to " - "increment serial, " - "ignoring it"); - continue; - } - soa_serial_changed = ISC_TRUE; - } - if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 && - dns_name_internalwildcard(name)) { - char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, - sizeof(namestr)); - update_log(client, zone, LOGLEVEL_PROTOCOL, - "warning: ownername '%s' contains " - "a non-terminal wildcard", namestr); - } - - if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { - char namestr[DNS_NAME_FORMATSIZE]; - char typestr[DNS_RDATATYPE_FORMATSIZE]; - dns_name_format(name, namestr, - sizeof(namestr)); - dns_rdatatype_format(rdata.type, typestr, - sizeof(typestr)); - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "adding an RR at '%s' %s", - namestr, typestr); - } - - /* Prepare the affected RRset for the addition. */ - { - add_rr_prepare_ctx_t ctx; - ctx.db = db; - ctx.ver = ver; - ctx.diff = &diff; - ctx.name = name; - ctx.update_rr = &rdata; - ctx.update_rr_ttl = ttl; - ctx.ignore_add = ISC_FALSE; - dns_diff_init(mctx, &ctx.del_diff); - dns_diff_init(mctx, &ctx.add_diff); - CHECK(foreach_rr(db, ver, name, rdata.type, - covers, add_rr_prepare_action, - &ctx)); - - if (ctx.ignore_add) { - dns_diff_clear(&ctx.del_diff); - dns_diff_clear(&ctx.add_diff); - } else { - CHECK(do_diff(&ctx.del_diff, db, ver, &diff)); - CHECK(do_diff(&ctx.add_diff, db, ver, &diff)); - CHECK(update_one_rr(db, ver, &diff, - DNS_DIFFOP_ADD, - name, ttl, &rdata)); - } - } - } else if (update_class == dns_rdataclass_any) { - if (rdata.type == dns_rdatatype_any) { - if (isc_log_wouldlog(ns_g_lctx, - LOGLEVEL_PROTOCOL)) - { - char namestr[DNS_NAME_FORMATSIZE]; - dns_name_format(name, namestr, - sizeof(namestr)); - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "delete all rrsets from " - "name '%s'", namestr); - } - if (dns_name_equal(name, zonename)) { - CHECK(delete_if(type_not_soa_nor_ns_p, - db, ver, name, - dns_rdatatype_any, 0, 
- &rdata, &diff)); - } else { - CHECK(delete_if(type_not_dnssec, - db, ver, name, - dns_rdatatype_any, 0, - &rdata, &diff)); - } - } else if (dns_name_equal(name, zonename) && - (rdata.type == dns_rdatatype_soa || - rdata.type == dns_rdatatype_ns)) { - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "attempt to delete all SOA " - "or NS records ignored"); - continue; - } else { - if (isc_log_wouldlog(ns_g_lctx, - LOGLEVEL_PROTOCOL)) - { - char namestr[DNS_NAME_FORMATSIZE]; - char typestr[DNS_RDATATYPE_FORMATSIZE]; - dns_name_format(name, namestr, - sizeof(namestr)); - dns_rdatatype_format(rdata.type, - typestr, - sizeof(typestr)); - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "deleting rrset at '%s' %s", - namestr, typestr); - } - CHECK(delete_if(true_p, db, ver, name, - rdata.type, covers, &rdata, - &diff)); - } - } else if (update_class == dns_rdataclass_none) { - /* - * The (name == zonename) condition appears in - * RFC2136 3.4.2.4 but is missing from the pseudocode. - */ - if (dns_name_equal(name, zonename)) { - if (rdata.type == dns_rdatatype_soa) { - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "attempt to delete SOA " - "ignored"); - continue; - } - if (rdata.type == dns_rdatatype_ns) { - int count; - CHECK(rr_count(db, ver, name, - dns_rdatatype_ns, - 0, &count)); - if (count == 1) { - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "attempt to " - "delete last " - "NS ignored"); - continue; - } - } - } - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "deleting an RR"); - CHECK(delete_if(rr_equal_p, db, ver, name, - rdata.type, covers, &rdata, &diff)); - } - } - if (result != ISC_R_NOMORE) - FAIL(result); - - /* - * If any changes were made, increment the SOA serial number, - * update RRSIGs and NSECs (if zone is secure), and write the update - * to the journal. - */ - if (! 
ISC_LIST_EMPTY(diff.tuples)) { - char *journalfile; - dns_journal_t *journal; - - /* - * Increment the SOA serial, but only if it was not - * changed as a result of an update operation. - */ - if (! soa_serial_changed) { - CHECK(increment_soa_serial(db, ver, &diff, mctx)); - } - - CHECK(check_mx(client, zone, db, ver, &diff)); - - CHECK(remove_orphaned_ds(db, ver, &diff)); - - if (dns_db_issecure(db)) { - result = update_signatures(client, zone, db, oldver, - ver, &diff, - dns_zone_getsigvalidityinterval(zone)); - if (result != ISC_R_SUCCESS) { - update_log(client, zone, - ISC_LOG_ERROR, - "RRSIG/NSEC update failed: %s", - isc_result_totext(result)); - goto failure; - } - } - - journalfile = dns_zone_getjournal(zone); - if (journalfile != NULL) { - update_log(client, zone, LOGLEVEL_DEBUG, - "writing journal %s", journalfile); - - journal = NULL; - result = dns_journal_open(mctx, journalfile, - ISC_TRUE, &journal); - if (result != ISC_R_SUCCESS) - FAILS(result, "journal open failed"); - - result = dns_journal_write_transaction(journal, &diff); - if (result != ISC_R_SUCCESS) { - dns_journal_destroy(&journal); - FAILS(result, "journal write failed"); - } - - dns_journal_destroy(&journal); - } - - /* - * XXXRTH Just a note that this committing code will have - * to change to handle databases that need two-phase - * commit, but this isn't a priority. - */ - update_log(client, zone, LOGLEVEL_DEBUG, - "committing update transaction"); - dns_db_closeversion(db, &ver, ISC_TRUE); - - /* - * Mark the zone as dirty so that it will be written to disk. - */ - dns_zone_markdirty(zone); - - /* - * Notify slaves of the change we just made. - */ - dns_zone_notify(zone); - } else { - update_log(client, zone, LOGLEVEL_DEBUG, "redundant request"); - dns_db_closeversion(db, &ver, ISC_TRUE); - } - result = ISC_R_SUCCESS; - goto common; - - failure: - /* - * The reason for failure should have been logged at this point. 
- */
- if (ver != NULL) {
- update_log(client, zone, LOGLEVEL_DEBUG,
- "rolling back");
- dns_db_closeversion(db, &ver, ISC_FALSE);
- }
-
- common:
- dns_diff_clear(&temp);
- dns_diff_clear(&diff);
-
- if (oldver != NULL)
- dns_db_closeversion(db, &oldver, ISC_FALSE);
-
- if (db != NULL)
- dns_db_detach(&db);
-
- if (ssutable != NULL)
- dns_ssutable_detach(&ssutable);
-
- if (zone != NULL)
- dns_zone_detach(&zone);
-
- isc_task_detach(&task);
- uev->result = result;
- uev->ev_type = DNS_EVENT_UPDATEDONE;
- uev->ev_action = updatedone_action;
- isc_task_send(client->task, &event);
- INSIST(event == NULL);
-}
-
-static void
-updatedone_action(isc_task_t *task, isc_event_t *event) {
- update_event_t *uev = (update_event_t *) event;
- ns_client_t *client = (ns_client_t *) event->ev_arg;
-
- UNUSED(task);
-
- INSIST(event->ev_type == DNS_EVENT_UPDATEDONE);
- INSIST(task == client->task);
-
- INSIST(client->nupdates > 0);
- client->nupdates--;
- respond(client, uev->result);
- isc_event_free(&event);
- ns_client_detach(&client);
-}
-
-/*%
- * Update forwarding support.
- */
-
-static void
-forward_fail(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client = (ns_client_t *)event->ev_arg;
-
- UNUSED(task);
-
- INSIST(client->nupdates > 0);
- client->nupdates--;
- respond(client, DNS_R_SERVFAIL);
- isc_event_free(&event);
- ns_client_detach(&client);
-}
-
-
-static void
-forward_callback(void *arg, isc_result_t result, dns_message_t *answer) {
- update_event_t *uev = arg;
- ns_client_t *client = uev->ev_arg;
-
- if (result != ISC_R_SUCCESS) {
- INSIST(answer == NULL);
- uev->ev_type = DNS_EVENT_UPDATEDONE;
- uev->ev_action = forward_fail;
- } else {
- uev->ev_type = DNS_EVENT_UPDATEDONE;
- uev->ev_action = forward_done;
- uev->answer = answer;
- }
- isc_task_send(client->task, ISC_EVENT_PTR(&uev));
-}
-
-static void
-forward_done(isc_task_t *task, isc_event_t *event) {
- update_event_t *uev = (update_event_t *) event;
- ns_client_t *client = (ns_client_t *)event->ev_arg;
-
- UNUSED(task);
-
- INSIST(client->nupdates > 0);
- client->nupdates--;
- ns_client_sendraw(client, uev->answer);
- dns_message_destroy(&uev->answer);
- isc_event_free(&event);
- ns_client_detach(&client);
-}
-
-static void
-forward_action(isc_task_t *task, isc_event_t *event) {
- update_event_t *uev = (update_event_t *) event;
- dns_zone_t *zone = uev->zone;
- ns_client_t *client = (ns_client_t *)event->ev_arg;
- isc_result_t result;
-
- result = dns_zone_forwardupdate(zone, client->message,
- forward_callback, event);
- if (result != ISC_R_SUCCESS) {
- uev->ev_type = DNS_EVENT_UPDATEDONE;
- uev->ev_action = forward_fail;
- isc_task_send(client->task, &event);
- }
- dns_zone_detach(&zone);
- isc_task_detach(&task);
-}
-
-static isc_result_t
-send_forward_event(ns_client_t *client, dns_zone_t *zone) {
- isc_result_t result = ISC_R_SUCCESS;
- update_event_t *event = NULL;
- isc_task_t *zonetask = NULL;
- ns_client_t *evclient;
-
- event = (update_event_t *)
- isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
- forward_action, NULL, sizeof(*event));
- if (event == NULL)
- FAIL(ISC_R_NOMEMORY);
- event->zone = zone;
- event->result = ISC_R_SUCCESS;
-
- evclient = NULL;
- ns_client_attach(client, &evclient);
- INSIST(client->nupdates == 0);
- client->nupdates++;
- event->ev_arg = evclient;
-
- dns_zone_gettask(zone, &zonetask);
- isc_task_send(zonetask, ISC_EVENT_PTR(&event));
-
- failure:
- if (event != NULL)
- isc_event_free(ISC_EVENT_PTR(&event));
- return (result);
-}
diff --git a/usr.sbin/bind/bin/named/xfrout.c b/usr.sbin/bind/bin/named/xfrout.c
deleted file mode 100644
index fbcf41c9760..00000000000
--- a/usr.sbin/bind/bin/named/xfrout.c
+++ /dev/null
@@ -1,1810 +0,0 @@ -/* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: xfrout.c,v 1.115.18.8 2006/03/05 23:58:51 marka Exp $ */ - -#include - -#include -#include -#include -#include -#include - -#include -#include -#ifdef DLZ -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -/*! \file - * \brief - * Outgoing AXFR and IXFR. - */ - -/* - * TODO: - * - IXFR over UDP - */ - -#define XFROUT_COMMON_LOGARGS \ - ns_g_lctx, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT - -#define XFROUT_PROTOCOL_LOGARGS \ - XFROUT_COMMON_LOGARGS, ISC_LOG_INFO - -#define XFROUT_DEBUG_LOGARGS(n) \ - XFROUT_COMMON_LOGARGS, ISC_LOG_DEBUG(n) - -#define XFROUT_RR_LOGARGS \ - XFROUT_COMMON_LOGARGS, XFROUT_RR_LOGLEVEL - -#define XFROUT_RR_LOGLEVEL ISC_LOG_DEBUG(8) - -/*% - * Fail unconditionally and log as a client error. - * The test against ISC_R_SUCCESS is there to keep the Solaris compiler - * from complaining about "end-of-loop code not reached". 
- */
-#define FAILC(code, msg) \
- do { \
- result = (code); \
- ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
- NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
- "bad zone transfer request: %s (%s)", \
- msg, isc_result_totext(code)); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-#define FAILQ(code, msg, question, rdclass) \
- do { \
- char _buf1[DNS_NAME_FORMATSIZE]; \
- char _buf2[DNS_RDATACLASS_FORMATSIZE]; \
- result = (code); \
- dns_name_format(question, _buf1, sizeof(_buf1)); \
- dns_rdataclass_format(rdclass, _buf2, sizeof(_buf2)); \
- ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
- NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
- "bad zone transfer request: '%s/%s': %s (%s)", \
- _buf1, _buf2, msg, isc_result_totext(code)); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-/**************************************************************************/
-/*%
- * A db_rr_iterator_t is an iterator that iterates over an entire database,
- * returning one RR at a time, in some arbitrary order.
- */
-
-typedef struct db_rr_iterator db_rr_iterator_t;
-
-/*% db_rr_iterator structure */
-struct db_rr_iterator {
- isc_result_t result;
- dns_db_t *db;
- dns_dbiterator_t *dbit;
- dns_dbversion_t *ver;
- isc_stdtime_t now;
- dns_dbnode_t *node;
- dns_fixedname_t fixedname;
- dns_rdatasetiter_t *rdatasetit;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata;
-};
-
-static isc_result_t
-db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
- isc_stdtime_t now);
-
-static isc_result_t
-db_rr_iterator_first(db_rr_iterator_t *it);
-
-static isc_result_t
-db_rr_iterator_next(db_rr_iterator_t *it);
-
-static void
-db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
- isc_uint32_t *ttl, dns_rdata_t **rdata);
-
-static void
-db_rr_iterator_destroy(db_rr_iterator_t *it);
-
-static isc_result_t
-db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
- isc_stdtime_t now)
-{
- isc_result_t result;
- it->db = db;
- it->dbit = NULL;
- it->ver = ver;
- it->now = now;
- it->node = NULL;
- result = dns_db_createiterator(it->db, ISC_FALSE, &it->dbit);
- if (result != ISC_R_SUCCESS)
- return (result);
- it->rdatasetit = NULL;
- dns_rdata_init(&it->rdata);
- dns_rdataset_init(&it->rdataset);
- dns_fixedname_init(&it->fixedname);
- INSIST(! dns_rdataset_isassociated(&it->rdataset));
- it->result = ISC_R_SUCCESS;
- return (it->result);
-}
-
-static isc_result_t
-db_rr_iterator_first(db_rr_iterator_t *it) {
- it->result = dns_dbiterator_first(it->dbit);
- /*
- * The top node may be empty when out of zone glue exists.
- * Walk the tree to find the first node with data.
- */
- while (it->result == ISC_R_SUCCESS) {
- it->result = dns_dbiterator_current(it->dbit, &it->node,
- dns_fixedname_name(&it->fixedname));
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
-
- it->result = dns_db_allrdatasets(it->db, it->node,
- it->ver, it->now,
- &it->rdatasetit);
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
-
- it->result = dns_rdatasetiter_first(it->rdatasetit);
- if (it->result != ISC_R_SUCCESS) {
- /*
- * This node is empty. Try next node.
- */
- dns_rdatasetiter_destroy(&it->rdatasetit);
- dns_db_detachnode(it->db, &it->node);
- it->result = dns_dbiterator_next(it->dbit);
- continue;
- }
- dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
- it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
- it->result = dns_rdataset_first(&it->rdataset);
- return (it->result);
- }
- return (it->result);
-}
-
-
-static isc_result_t
-db_rr_iterator_next(db_rr_iterator_t *it) {
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
-
- INSIST(it->dbit != NULL);
- INSIST(it->node != NULL);
- INSIST(it->rdatasetit != NULL);
-
- it->result = dns_rdataset_next(&it->rdataset);
- if (it->result == ISC_R_NOMORE) {
- dns_rdataset_disassociate(&it->rdataset);
- it->result = dns_rdatasetiter_next(it->rdatasetit);
- /*
- * The while loop body is executed more than once
- * only when an empty dbnode needs to be skipped.
- */
- while (it->result == ISC_R_NOMORE) {
- dns_rdatasetiter_destroy(&it->rdatasetit);
- dns_db_detachnode(it->db, &it->node);
- it->result = dns_dbiterator_next(it->dbit);
- if (it->result == ISC_R_NOMORE) {
- /* We are at the end of the entire database.
*/
- return (it->result);
- }
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- it->result = dns_dbiterator_current(it->dbit,
- &it->node,
- dns_fixedname_name(&it->fixedname));
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- it->result = dns_db_allrdatasets(it->db, it->node,
- it->ver, it->now,
- &it->rdatasetit);
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- it->result = dns_rdatasetiter_first(it->rdatasetit);
- }
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
- it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
- it->result = dns_rdataset_first(&it->rdataset);
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- }
- return (it->result);
-}
-
-static void
-db_rr_iterator_pause(db_rr_iterator_t *it) {
- RUNTIME_CHECK(dns_dbiterator_pause(it->dbit) == ISC_R_SUCCESS);
-}
-
-static void
-db_rr_iterator_destroy(db_rr_iterator_t *it) {
- if (dns_rdataset_isassociated(&it->rdataset))
- dns_rdataset_disassociate(&it->rdataset);
- if (it->rdatasetit != NULL)
- dns_rdatasetiter_destroy(&it->rdatasetit);
- if (it->node != NULL)
- dns_db_detachnode(it->db, &it->node);
- dns_dbiterator_destroy(&it->dbit);
-}
-
-static void
-db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
- isc_uint32_t *ttl, dns_rdata_t **rdata)
-{
- REQUIRE(name != NULL && *name == NULL);
- REQUIRE(it->result == ISC_R_SUCCESS);
- *name = dns_fixedname_name(&it->fixedname);
- *ttl = it->rdataset.ttl;
- dns_rdata_reset(&it->rdata);
- dns_rdataset_current(&it->rdataset, &it->rdata);
- *rdata = &it->rdata;
-}
-
-/**************************************************************************/
-
-/*% Log an RR (for debugging) */
-
-static void
-log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
- isc_result_t result;
- isc_buffer_t buf;
- char mem[2000];
- dns_rdatalist_t rdl;
- dns_rdataset_t rds;
- dns_rdata_t rd = DNS_RDATA_INIT;
-
- rdl.type = rdata->type;
- rdl.rdclass
= rdata->rdclass;
- rdl.ttl = ttl;
- ISC_LIST_INIT(rdl.rdata);
- ISC_LINK_INIT(&rdl, link);
- dns_rdataset_init(&rds);
- dns_rdata_init(&rd);
- dns_rdata_clone(rdata, &rd);
- ISC_LIST_APPEND(rdl.rdata, &rd, link);
- RUNTIME_CHECK(dns_rdatalist_tordataset(&rdl, &rds) == ISC_R_SUCCESS);
-
- isc_buffer_init(&buf, mem, sizeof(mem));
- result = dns_rdataset_totext(&rds, name,
- ISC_FALSE, ISC_FALSE, &buf);
-
- /*
- * We could use xfrout_log(), but that would produce
- * very long lines with a repetitive prefix.
- */
- if (result == ISC_R_SUCCESS) {
- /*
- * Get rid of final newline.
- */
- INSIST(buf.used >= 1 &&
- ((char *) buf.base)[buf.used - 1] == '\n');
- buf.used--;
-
- isc_log_write(XFROUT_RR_LOGARGS, "%.*s",
- (int)isc_buffer_usedlength(&buf),
- (char *)isc_buffer_base(&buf));
- } else {
- isc_log_write(XFROUT_RR_LOGARGS, "");
- }
-}
-
-/**************************************************************************/
-/*
- * An 'rrstream_t' is a polymorphic iterator that returns
- * a stream of resource records. There are multiple implementations,
- * e.g. for generating AXFR and IXFR records streams.
- */
-
-typedef struct rrstream_methods rrstream_methods_t;
-
-typedef struct rrstream {
- isc_mem_t *mctx;
- rrstream_methods_t *methods;
-} rrstream_t;
-
-struct rrstream_methods {
- isc_result_t (*first)(rrstream_t *);
- isc_result_t (*next)(rrstream_t *);
- void (*current)(rrstream_t *,
- dns_name_t **,
- isc_uint32_t *,
- dns_rdata_t **);
- void (*pause)(rrstream_t *);
- void (*destroy)(rrstream_t **);
-};
-
-static void
-rrstream_noop_pause(rrstream_t *rs) {
- UNUSED(rs);
-}
-
-/**************************************************************************/
-/*
- * An 'ixfr_rrstream_t' is an 'rrstream_t' that returns
- * an IXFR-like RR stream from a journal file.
- *
- * The SOA at the beginning of each sequence of additions
- * or deletions are included in the stream, but the extra
- * SOAs at the beginning and end of the entire transfer are
- * not included.
- */
-
-typedef struct ixfr_rrstream {
- rrstream_t common;
- dns_journal_t *journal;
-} ixfr_rrstream_t;
-
-/* Forward declarations. */
-static void
-ixfr_rrstream_destroy(rrstream_t **sp);
-
-static rrstream_methods_t ixfr_rrstream_methods;
-
-/*
- * Returns: anything dns_journal_open() or dns_journal_iter_init()
- * may return.
- */
-
-static isc_result_t
-ixfr_rrstream_create(isc_mem_t *mctx,
- const char *journal_filename,
- isc_uint32_t begin_serial,
- isc_uint32_t end_serial,
- rrstream_t **sp)
-{
- ixfr_rrstream_t *s;
- isc_result_t result;
-
- INSIST(sp != NULL && *sp == NULL);
-
- s = isc_mem_get(mctx, sizeof(*s));
- if (s == NULL)
- return (ISC_R_NOMEMORY);
- s->common.mctx = mctx;
- s->common.methods = &ixfr_rrstream_methods;
- s->journal = NULL;
-
- CHECK(dns_journal_open(mctx, journal_filename,
- ISC_FALSE, &s->journal));
- CHECK(dns_journal_iter_init(s->journal, begin_serial, end_serial));
-
- *sp = (rrstream_t *) s;
- return (ISC_R_SUCCESS);
-
- failure:
- ixfr_rrstream_destroy((rrstream_t **) (void *)&s);
- return (result);
-}
-
-static isc_result_t
-ixfr_rrstream_first(rrstream_t *rs) {
- ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
- return (dns_journal_first_rr(s->journal));
-}
-
-static isc_result_t
-ixfr_rrstream_next(rrstream_t *rs) {
- ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
- return (dns_journal_next_rr(s->journal));
-}
-
-static void
-ixfr_rrstream_current(rrstream_t *rs,
- dns_name_t **name, isc_uint32_t *ttl,
- dns_rdata_t **rdata)
-{
- ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
- dns_journal_current_rr(s->journal, name, ttl, rdata);
-}
-
-static void
-ixfr_rrstream_destroy(rrstream_t **rsp) {
- ixfr_rrstream_t *s = (ixfr_rrstream_t *) *rsp;
- if (s->journal != 0)
- dns_journal_destroy(&s->journal);
- isc_mem_put(s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t ixfr_rrstream_methods = {
- ixfr_rrstream_first,
- ixfr_rrstream_next,
- ixfr_rrstream_current,
- rrstream_noop_pause,
- ixfr_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * An 'axfr_rrstream_t' is an 'rrstream_t' that returns
- * an AXFR-like RR stream from a database.
- *
- * The SOAs at the beginning and end of the transfer are
- * not included in the stream.
- */
-
-typedef struct axfr_rrstream {
- rrstream_t common;
- db_rr_iterator_t it;
- isc_boolean_t it_valid;
-} axfr_rrstream_t;
-
-/*
- * Forward declarations.
- */
-static void
-axfr_rrstream_destroy(rrstream_t **rsp);
-
-static rrstream_methods_t axfr_rrstream_methods;
-
-static isc_result_t
-axfr_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
- rrstream_t **sp)
-{
- axfr_rrstream_t *s;
- isc_result_t result;
-
- INSIST(sp != NULL && *sp == NULL);
-
- s = isc_mem_get(mctx, sizeof(*s));
- if (s == NULL)
- return (ISC_R_NOMEMORY);
- s->common.mctx = mctx;
- s->common.methods = &axfr_rrstream_methods;
- s->it_valid = ISC_FALSE;
-
- CHECK(db_rr_iterator_init(&s->it, db, ver, 0));
- s->it_valid = ISC_TRUE;
-
- *sp = (rrstream_t *) s;
- return (ISC_R_SUCCESS);
-
- failure:
- axfr_rrstream_destroy((rrstream_t **) (void *)&s);
- return (result);
-}
-
-static isc_result_t
-axfr_rrstream_first(rrstream_t *rs) {
- axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
- isc_result_t result;
- result = db_rr_iterator_first(&s->it);
- if (result != ISC_R_SUCCESS)
- return (result);
- /* Skip SOA records. */
- for (;;) {
- dns_name_t *name_dummy = NULL;
- isc_uint32_t ttl_dummy;
- dns_rdata_t *rdata = NULL;
- db_rr_iterator_current(&s->it, &name_dummy,
- &ttl_dummy, &rdata);
- if (rdata->type != dns_rdatatype_soa)
- break;
- result = db_rr_iterator_next(&s->it);
- if (result != ISC_R_SUCCESS)
- break;
- }
- return (result);
-}
-
-static isc_result_t
-axfr_rrstream_next(rrstream_t *rs) {
- axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
- isc_result_t result;
-
- /* Skip SOA records.
*/
- for (;;) {
- dns_name_t *name_dummy = NULL;
- isc_uint32_t ttl_dummy;
- dns_rdata_t *rdata = NULL;
- result = db_rr_iterator_next(&s->it);
- if (result != ISC_R_SUCCESS)
- break;
- db_rr_iterator_current(&s->it, &name_dummy,
- &ttl_dummy, &rdata);
- if (rdata->type != dns_rdatatype_soa)
- break;
- }
- return (result);
-}
-
-static void
-axfr_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
- dns_rdata_t **rdata)
-{
- axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
- db_rr_iterator_current(&s->it, name, ttl, rdata);
-}
-
-static void
-axfr_rrstream_pause(rrstream_t *rs) {
- axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
- db_rr_iterator_pause(&s->it);
-}
-
-static void
-axfr_rrstream_destroy(rrstream_t **rsp) {
- axfr_rrstream_t *s = (axfr_rrstream_t *) *rsp;
- if (s->it_valid)
- db_rr_iterator_destroy(&s->it);
- isc_mem_put(s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t axfr_rrstream_methods = {
- axfr_rrstream_first,
- axfr_rrstream_next,
- axfr_rrstream_current,
- axfr_rrstream_pause,
- axfr_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * An 'soa_rrstream_t' is a degenerate 'rrstream_t' that returns
- * a single SOA record.
- */
-
-typedef struct soa_rrstream {
- rrstream_t common;
- dns_difftuple_t *soa_tuple;
-} soa_rrstream_t;
-
-/*
- * Forward declarations.
- */
-static void
-soa_rrstream_destroy(rrstream_t **rsp);
-
-static rrstream_methods_t soa_rrstream_methods;
-
-static isc_result_t
-soa_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
- rrstream_t **sp)
-{
- soa_rrstream_t *s;
- isc_result_t result;
-
- INSIST(sp != NULL && *sp == NULL);
-
- s = isc_mem_get(mctx, sizeof(*s));
- if (s == NULL)
- return (ISC_R_NOMEMORY);
- s->common.mctx = mctx;
- s->common.methods = &soa_rrstream_methods;
- s->soa_tuple = NULL;
-
- CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
- &s->soa_tuple));
-
- *sp = (rrstream_t *) s;
- return (ISC_R_SUCCESS);
-
- failure:
- soa_rrstream_destroy((rrstream_t **) (void *)&s);
- return (result);
-}
-
-static isc_result_t
-soa_rrstream_first(rrstream_t *rs) {
- UNUSED(rs);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-soa_rrstream_next(rrstream_t *rs) {
- UNUSED(rs);
- return (ISC_R_NOMORE);
-}
-
-static void
-soa_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
- dns_rdata_t **rdata)
-{
- soa_rrstream_t *s = (soa_rrstream_t *) rs;
- *name = &s->soa_tuple->name;
- *ttl = s->soa_tuple->ttl;
- *rdata = &s->soa_tuple->rdata;
-}
-
-static void
-soa_rrstream_destroy(rrstream_t **rsp) {
- soa_rrstream_t *s = (soa_rrstream_t *) *rsp;
- if (s->soa_tuple != NULL)
- dns_difftuple_free(&s->soa_tuple);
- isc_mem_put(s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t soa_rrstream_methods = {
- soa_rrstream_first,
- soa_rrstream_next,
- soa_rrstream_current,
- rrstream_noop_pause,
- soa_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * A 'compound_rrstream_t' objects owns a soa_rrstream
- * and another rrstream, the "data stream". It returns
- * a concatenated stream consisting of the soa_rrstream, then
- * the data stream, then the soa_rrstream again.
- *
- * The component streams are owned by the compound_rrstream_t
- * and are destroyed with it.
- */
-
-typedef struct compound_rrstream {
- rrstream_t common;
- rrstream_t *components[3];
- int state;
- isc_result_t result;
-} compound_rrstream_t;
-
-/*
- * Forward declarations.
- */
-static void
-compound_rrstream_destroy(rrstream_t **rsp);
-
-static isc_result_t
-compound_rrstream_next(rrstream_t *rs);
-
-static rrstream_methods_t compound_rrstream_methods;
-
-/*
- * Requires:
- * soa_stream != NULL && *soa_stream != NULL
- * data_stream != NULL && *data_stream != NULL
- * sp != NULL && *sp == NULL
- *
- * Ensures:
- * *soa_stream == NULL
- * *data_stream == NULL
- * *sp points to a valid compound_rrstream_t
- * The soa and data streams will be destroyed
- * when the compound_rrstream_t is destroyed.
- */
-static isc_result_t
-compound_rrstream_create(isc_mem_t *mctx, rrstream_t **soa_stream,
- rrstream_t **data_stream, rrstream_t **sp)
-{
- compound_rrstream_t *s;
-
- INSIST(sp != NULL && *sp == NULL);
-
- s = isc_mem_get(mctx, sizeof(*s));
- if (s == NULL)
- return (ISC_R_NOMEMORY);
- s->common.mctx = mctx;
- s->common.methods = &compound_rrstream_methods;
- s->components[0] = *soa_stream;
- s->components[1] = *data_stream;
- s->components[2] = *soa_stream;
- s->state = -1;
- s->result = ISC_R_FAILURE;
-
- *soa_stream = NULL;
- *data_stream = NULL;
- *sp = (rrstream_t *) s;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-compound_rrstream_first(rrstream_t *rs) {
- compound_rrstream_t *s = (compound_rrstream_t *) rs;
- s->state = 0;
- do {
- rrstream_t *curstream = s->components[s->state];
- s->result = curstream->methods->first(curstream);
- } while (s->result == ISC_R_NOMORE && s->state < 2);
- return (s->result);
-}
-
-static isc_result_t
-compound_rrstream_next(rrstream_t *rs) {
- compound_rrstream_t *s = (compound_rrstream_t *) rs;
- rrstream_t *curstream = s->components[s->state];
- s->result = curstream->methods->next(curstream);
- while (s->result == ISC_R_NOMORE) {
- /*
- * Make sure locks held by the current stream
- * are released before
we switch streams.
- */
- curstream->methods->pause(curstream);
- if (s->state == 2)
- return (ISC_R_NOMORE);
- s->state++;
- curstream = s->components[s->state];
- s->result = curstream->methods->first(curstream);
- }
- return (s->result);
-}
-
-static void
-compound_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
- dns_rdata_t **rdata)
-{
- compound_rrstream_t *s = (compound_rrstream_t *) rs;
- rrstream_t *curstream;
- INSIST(0 <= s->state && s->state < 3);
- INSIST(s->result == ISC_R_SUCCESS);
- curstream = s->components[s->state];
- curstream->methods->current(curstream, name, ttl, rdata);
-}
-
-static void
-compound_rrstream_pause(rrstream_t *rs)
-{
- compound_rrstream_t *s = (compound_rrstream_t *) rs;
- rrstream_t *curstream;
- INSIST(0 <= s->state && s->state < 3);
- curstream = s->components[s->state];
- curstream->methods->pause(curstream);
-}
-
-static void
-compound_rrstream_destroy(rrstream_t **rsp) {
- compound_rrstream_t *s = (compound_rrstream_t *) *rsp;
- s->components[0]->methods->destroy(&s->components[0]);
- s->components[1]->methods->destroy(&s->components[1]);
- s->components[2] = NULL; /* Copy of components[0]. */
- isc_mem_put(s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t compound_rrstream_methods = {
- compound_rrstream_first,
- compound_rrstream_next,
- compound_rrstream_current,
- compound_rrstream_pause,
- compound_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * An 'xfrout_ctx_t' contains the state of an outgoing AXFR or IXFR
- * in progress.
- */ - -typedef struct { - isc_mem_t *mctx; - ns_client_t *client; - unsigned int id; /* ID of request */ - dns_name_t *qname; /* Question name of request */ - dns_rdatatype_t qtype; /* dns_rdatatype_{a,i}xfr */ - dns_rdataclass_t qclass; - dns_db_t *db; - dns_dbversion_t *ver; - isc_quota_t *quota; - rrstream_t *stream; /* The XFR RR stream */ - isc_boolean_t end_of_stream; /* EOS has been reached */ - isc_buffer_t buf; /* Buffer for message owner - names and rdatas */ - isc_buffer_t txlenbuf; /* Transmit length buffer */ - isc_buffer_t txbuf; /* Transmit message buffer */ - void *txmem; - unsigned int txmemlen; - unsigned int nmsg; /* Number of messages sent */ - dns_tsigkey_t *tsigkey; /* Key used to create TSIG */ - isc_buffer_t *lasttsig; /* the last TSIG */ - isc_boolean_t many_answers; - int sends; /* Send in progress */ - isc_boolean_t shuttingdown; - const char *mnemonic; /* Style of transfer */ -} xfrout_ctx_t; - -static isc_result_t -xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, - unsigned int id, dns_name_t *qname, dns_rdatatype_t qtype, - dns_rdataclass_t qclass, - dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota, - rrstream_t *stream, dns_tsigkey_t *tsigkey, - isc_buffer_t *lasttsig, - unsigned int maxtime, - unsigned int idletime, - isc_boolean_t many_answers, - xfrout_ctx_t **xfrp); - -static void -sendstream(xfrout_ctx_t *xfr); - -static void -xfrout_senddone(isc_task_t *task, isc_event_t *event); - -static void -xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg); - -static void -xfrout_maybe_destroy(xfrout_ctx_t *xfr); - -static void -xfrout_ctx_destroy(xfrout_ctx_t **xfrp); - -static void -xfrout_client_shutdown(void *arg, isc_result_t result); - -static void -xfrout_log1(ns_client_t *client, dns_name_t *zonename, - dns_rdataclass_t rdclass, int level, - const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6); - -static void -xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) 
- ISC_FORMAT_PRINTF(3, 4);
-
-/**************************************************************************/
-
-void
-ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
- isc_result_t result;
- dns_name_t *question_name;
- dns_rdataset_t *question_rdataset;
- dns_zone_t *zone = NULL;
- dns_db_t *db = NULL;
- dns_dbversion_t *ver = NULL;
- dns_rdataclass_t question_class;
- rrstream_t *soa_stream = NULL;
- rrstream_t *data_stream = NULL;
- rrstream_t *stream = NULL;
- dns_difftuple_t *current_soa_tuple = NULL;
- dns_name_t *soa_name;
- dns_rdataset_t *soa_rdataset;
- dns_rdata_t soa_rdata = DNS_RDATA_INIT;
- isc_boolean_t have_soa = ISC_FALSE;
- const char *mnemonic = NULL;
- isc_mem_t *mctx = client->mctx;
- dns_message_t *request = client->message;
- xfrout_ctx_t *xfr = NULL;
- isc_quota_t *quota = NULL;
- dns_transfer_format_t format = client->view->transfer_format;
- isc_netaddr_t na;
- dns_peer_t *peer = NULL;
- isc_buffer_t *tsigbuf = NULL;
- char *journalfile;
- char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")];
- char keyname[DNS_NAME_FORMATSIZE];
- isc_boolean_t is_poll = ISC_FALSE;
-#ifdef DLZ
- isc_boolean_t is_dlz = ISC_FALSE;
-#endif
-
- switch (reqtype) {
- case dns_rdatatype_axfr:
- mnemonic = "AXFR";
- break;
- case dns_rdatatype_ixfr:
- mnemonic = "IXFR";
- break;
- default:
- INSIST(0);
- break;
- }
-
- ns_client_log(client,
- DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT,
- ISC_LOG_DEBUG(6), "%s request", mnemonic);
- /*
- * Apply quota.
- */
- result = isc_quota_attach(&ns_g_server->xfroutquota, "a);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(XFROUT_COMMON_LOGARGS, ISC_LOG_WARNING,
- "%s request denied: %s", mnemonic,
- isc_result_totext(result));
- goto failure;
- }
-
- /*
- * Interpret the question section.
- */
- result = dns_message_firstname(request, DNS_SECTION_QUESTION);
- INSIST(result == ISC_R_SUCCESS);
-
- /*
- * The question section must contain exactly one question, and
- * it must be for AXFR/IXFR as appropriate.
- */
- question_name = NULL;
- dns_message_currentname(request, DNS_SECTION_QUESTION, &question_name);
- question_rdataset = ISC_LIST_HEAD(question_name->list);
- question_class = question_rdataset->rdclass;
- INSIST(question_rdataset->type == reqtype);
- if (ISC_LIST_NEXT(question_rdataset, link) != NULL)
- FAILC(DNS_R_FORMERR, "multiple questions");
- result = dns_message_nextname(request, DNS_SECTION_QUESTION);
- if (result != ISC_R_NOMORE)
- FAILC(DNS_R_FORMERR, "multiple questions");
-
- result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
- &zone);
-
- if (result != ISC_R_SUCCESS)
-#ifdef DLZ
- {
- /*
- * Normal zone table does not have a match. Try the DLZ database
- */
- if (client->view->dlzdatabase != NULL) {
- result = dns_dlzallowzonexfr(client->view,
- question_name, &client->peeraddr,
- &db);
-
- if (result == ISC_R_NOPERM) {
- char _buf1[DNS_NAME_FORMATSIZE];
- char _buf2[DNS_RDATACLASS_FORMATSIZE];
-
- result = DNS_R_REFUSED;
- dns_name_format(question_name, _buf1,
- sizeof(_buf1));
- dns_rdataclass_format(question_class,
- _buf2, sizeof(_buf2));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_XFER_OUT,
- ISC_LOG_ERROR,
- "zone transfer '%s/%s' denied",
- _buf1, _buf2);
- goto failure;
- }
- if (result != ISC_R_SUCCESS)
-#endif
- FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
- question_name, question_class);
-#ifdef DLZ
- is_dlz = ISC_TRUE;
- /*
- * DLZ only support full zone transfer, not incremental
- */
- if (reqtype != dns_rdatatype_axfr) {
- mnemonic = "AXFR-style IXFR";
- reqtype = dns_rdatatype_axfr;
- }
-
- } else {
- /*
- * not DLZ and not in normal zone table, we are
- * not authoritative
- */
- FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
- question_name, question_class);
- }
- } else {
- /* zone table has a match */
-#endif
- switch(dns_zone_gettype(zone)) {
- case dns_zone_master:
- case dns_zone_slave:
- break; /* Master and slave zones are OK for transfer.
*/
- default:
- FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", question_name, question_class);
- }
- CHECK(dns_zone_getdb(zone, &db));
- dns_db_currentversion(db, &ver);
-#ifdef DLZ
- }
-#endif
-
- xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
- "%s question section OK", mnemonic);
-
- /*
- * Check the authority section. Look for a SOA record with
- * the same name and class as the question.
- */
- for (result = dns_message_firstname(request, DNS_SECTION_AUTHORITY);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(request, DNS_SECTION_AUTHORITY))
- {
- soa_name = NULL;
- dns_message_currentname(request, DNS_SECTION_AUTHORITY,
- &soa_name);
-
- /*
- * Ignore data whose owner name is not the zone apex.
- */
- if (! dns_name_equal(soa_name, question_name))
- continue;
-
- for (soa_rdataset = ISC_LIST_HEAD(soa_name->list);
- soa_rdataset != NULL;
- soa_rdataset = ISC_LIST_NEXT(soa_rdataset, link))
- {
- /*
- * Ignore non-SOA data.
- */
- if (soa_rdataset->type != dns_rdatatype_soa)
- continue;
- if (soa_rdataset->rdclass != question_class)
- continue;
-
- CHECK(dns_rdataset_first(soa_rdataset));
- dns_rdataset_current(soa_rdataset, &soa_rdata);
- result = dns_rdataset_next(soa_rdataset);
- if (result == ISC_R_SUCCESS)
- FAILC(DNS_R_FORMERR,
- "IXFR authority section "
- "has multiple SOAs");
- have_soa = ISC_TRUE;
- goto got_soa;
- }
- }
- got_soa:
- if (result != ISC_R_NOMORE)
- CHECK(result);
-
- xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
- "%s authority section OK", mnemonic);
-
- /*
- * Decide whether to allow this transfer.
- */
-#ifdef DLZ
- /*
- * if not a DLZ zone decide whether to allow this transfer.
- */
- if (!is_dlz) {
-#endif
- ns_client_aclmsg("zone transfer", question_name, reqtype,
- client->view->rdclass, msg, sizeof(msg));
- CHECK(ns_client_checkacl(client, msg,
- dns_zone_getxfracl(zone), ISC_TRUE,
- ISC_LOG_ERROR));
-#ifdef DLZ
- }
-#endif
-
- /*
- * AXFR over UDP is not possible.
- */
- if (reqtype == dns_rdatatype_axfr &&
- (client->attributes & NS_CLIENTATTR_TCP) == 0)
- FAILC(DNS_R_FORMERR, "attempted AXFR over UDP");
-
- /*
- * Look up the requesting server in the peer table.
- */
- isc_netaddr_fromsockaddr(&na, &client->peeraddr);
- (void)dns_peerlist_peerbyaddr(client->view->peers, &na, &peer);
-
- /*
- * Decide on the transfer format (one-answer or many-answers).
- */
- if (peer != NULL)
- (void)dns_peer_gettransferformat(peer, &format);
-
- /*
- * Get a dynamically allocated copy of the current SOA.
- */
-#ifdef DLZ
- if (is_dlz)
- dns_db_currentversion(db, &ver);
-#endif
- CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
- ¤t_soa_tuple));
-
- if (reqtype == dns_rdatatype_ixfr) {
- isc_uint32_t begin_serial, current_serial;
- isc_boolean_t provide_ixfr;
-
- /*
- * Outgoing IXFR may have been disabled for this peer
- * or globally.
- */
- provide_ixfr = client->view->provideixfr;
- if (peer != NULL)
- (void) dns_peer_getprovideixfr(peer, &provide_ixfr);
- if (provide_ixfr == ISC_FALSE)
- goto axfr_fallback;
-
- if (! have_soa)
- FAILC(DNS_R_FORMERR,
- "IXFR request missing SOA");
-
- begin_serial = dns_soa_getserial(&soa_rdata);
- current_serial = dns_soa_getserial(¤t_soa_tuple->rdata);
-
- /*
- * RFC1995 says "If an IXFR query with the same or
- * newer version number than that of the server
- * is received, it is replied to with a single SOA
- * record of the server's current version, just as
- * in AXFR". The claim about AXFR is incorrect,
- * but other than that, we do as the RFC says.
- *
- * Sending a single SOA record is also how we refuse
- * IXFR over UDP (currently, we always do).
- */
- if (DNS_SERIAL_GE(begin_serial, current_serial) ||
- (client->attributes & NS_CLIENTATTR_TCP) == 0)
- {
- CHECK(soa_rrstream_create(mctx, db, ver, &stream));
- is_poll = ISC_TRUE;
- goto have_stream;
- }
- journalfile = dns_zone_getjournal(zone);
- if (journalfile != NULL)
- result = ixfr_rrstream_create(mctx,
- journalfile,
- begin_serial,
- current_serial,
- &data_stream);
- else
- result = ISC_R_NOTFOUND;
- if (result == ISC_R_NOTFOUND ||
- result == ISC_R_RANGE) {
- xfrout_log1(client, question_name, question_class,
- ISC_LOG_DEBUG(4),
- "IXFR version not in journal, "
- "falling back to AXFR");
- mnemonic = "AXFR-style IXFR";
- goto axfr_fallback;
- }
- CHECK(result);
- } else {
- axfr_fallback:
- CHECK(axfr_rrstream_create(mctx, db, ver,
- &data_stream));
- }
-
- /*
- * Bracket the the data stream with SOAs.
- */
- CHECK(soa_rrstream_create(mctx, db, ver, &soa_stream));
- CHECK(compound_rrstream_create(mctx, &soa_stream, &data_stream,
- &stream));
- soa_stream = NULL;
- data_stream = NULL;
-
- have_stream:
- CHECK(dns_message_getquerytsig(request, mctx, &tsigbuf));
- /*
- * Create the xfrout context object. This transfers the ownership
- * of "stream", "db", "ver", and "quota" to the xfrout context object.
- */
-
-
-
-#ifdef DLZ
- if (is_dlz)
- CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
- reqtype, question_class, db, ver, quota,
- stream, dns_message_gettsigkey(request),
- tsigbuf,
- 3600,
- 3600,
- (format == dns_many_answers) ?
- ISC_TRUE : ISC_FALSE,
- &xfr));
- else
-#endif
- CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
- reqtype, question_class, db, ver, quota,
- stream, dns_message_gettsigkey(request),
- tsigbuf,
- dns_zone_getmaxxfrout(zone),
- dns_zone_getidleout(zone),
- (format == dns_many_answers) ?
- ISC_TRUE : ISC_FALSE,
- &xfr));
-
- xfr->mnemonic = mnemonic;
- stream = NULL;
- quota = NULL;
-
- CHECK(xfr->stream->methods->first(xfr->stream));
-
- if (xfr->tsigkey != NULL) {
- dns_name_format(&xfr->tsigkey->name, keyname, sizeof(keyname));
- } else
- keyname[0] = '\0';
- if (is_poll)
- xfrout_log1(client, question_name, question_class,
- ISC_LOG_DEBUG(1), "IXFR poll up to date%s%s",
- (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
- else
- xfrout_log1(client, question_name, question_class,
- ISC_LOG_INFO, "%s started%s%s", mnemonic,
- (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
-
- /*
- * Hand the context over to sendstream(). Set xfr to NULL;
- * sendstream() is responsible for either passing the
- * context on to a later event handler or destroying it.
- */
- sendstream(xfr);
- xfr = NULL;
-
- result = ISC_R_SUCCESS;
-
- failure:
- if (quota != NULL)
- isc_quota_detach("a);
- if (current_soa_tuple != NULL)
- dns_difftuple_free(¤t_soa_tuple);
- if (stream != NULL)
- stream->methods->destroy(&stream);
- if (soa_stream != NULL)
- soa_stream->methods->destroy(&soa_stream);
- if (data_stream != NULL)
- data_stream->methods->destroy(&data_stream);
- if (ver != NULL)
- dns_db_closeversion(db, &ver, ISC_FALSE);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
- /* XXX kludge */
- if (xfr != NULL) {
- xfrout_fail(xfr, result, "setting up zone transfer");
- } else if (result != ISC_R_SUCCESS) {
- ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
- NS_LOGMODULE_XFER_OUT,
- ISC_LOG_DEBUG(3), "zone transfer setup failed");
- ns_client_error(client, result);
- }
-}
-
-static isc_result_t
-xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
- dns_name_t *qname, dns_rdatatype_t qtype,
- dns_rdataclass_t qclass,
- dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
- rrstream_t *stream, dns_tsigkey_t *tsigkey,
- isc_buffer_t *lasttsig, unsigned int maxtime,
- unsigned int idletime, isc_boolean_t many_answers,
- xfrout_ctx_t **xfrp)
-{
- xfrout_ctx_t *xfr;
- isc_result_t result;
- unsigned int len;
- void *mem;
-
- INSIST(xfrp != NULL && *xfrp == NULL);
- xfr = isc_mem_get(mctx, sizeof(*xfr));
- if (xfr == NULL)
- return (ISC_R_NOMEMORY);
- xfr->mctx = mctx;
- xfr->client = NULL;
- ns_client_attach(client, &xfr->client);
- xfr->id = id;
- xfr->qname = qname;
- xfr->qtype = qtype;
- xfr->qclass = qclass;
- xfr->db = NULL;
- xfr->ver = NULL;
- dns_db_attach(db, &xfr->db);
- dns_db_attachversion(db, ver, &xfr->ver);
- xfr->end_of_stream = ISC_FALSE;
- xfr->tsigkey = tsigkey;
- xfr->lasttsig = lasttsig;
- xfr->txmem = NULL;
- xfr->txmemlen = 0;
- xfr->nmsg = 0;
- xfr->many_answers = many_answers,
- xfr->sends = 0;
- xfr->shuttingdown = ISC_FALSE;
- xfr->mnemonic = NULL;
- xfr->buf.base = NULL;
- xfr->buf.length = 0;
- xfr->txmem = NULL;
- xfr->txmemlen = 0;
- xfr->stream = NULL;
- xfr->quota = NULL;
-
- /*
- * Allocate a temporary buffer for the uncompressed response
- * message data. The size should be no more than 65535 bytes
- * so that the compressed data will fit in a TCP message,
- * and no less than 65535 bytes so that an almost maximum-sized
- * RR will fit. Note that although 65535-byte RRs are allowed
- * in principle, they cannot be zone-transferred (at least not
- * if uncompressible), because the message and RR headers would
- * push the size of the TCP message over the 65536 byte limit.
- */
- len = 65535;
- mem = isc_mem_get(mctx, len);
- if (mem == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
- isc_buffer_init(&xfr->buf, mem, len);
-
- /*
- * Allocate another temporary buffer for the compressed
- * response message and its TCP length prefix.
- */
- len = 2 + 65535;
- mem = isc_mem_get(mctx, len);
- if (mem == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
- isc_buffer_init(&xfr->txlenbuf, mem, 2);
- isc_buffer_init(&xfr->txbuf, (char *) mem + 2, len - 2);
- xfr->txmem = mem;
- xfr->txmemlen = len;
-
- CHECK(dns_timer_setidle(xfr->client->timer,
- maxtime, idletime, ISC_FALSE));
-
- /*
- * Register a shutdown callback with the client, so that we
- * can stop the transfer immediately when the client task
- * gets a shutdown event.
- */
- xfr->client->shutdown = xfrout_client_shutdown;
- xfr->client->shutdown_arg = xfr;
- /*
- * These MUST be after the last "goto failure;" / CHECK to
- * prevent a double free by the caller.
- */
- xfr->quota = quota;
- xfr->stream = stream;
-
- *xfrp = xfr;
- return (ISC_R_SUCCESS);
-
-failure:
- xfrout_ctx_destroy(&xfr);
- return (result);
-}
-
-
-/*
- * Arrange to send as much as we can of "stream" without blocking.
- *
- * Requires:
- * The stream iterator is initialized and points at an RR,
- * or possiby at the end of the stream (that is, the
- * _first method of the iterator has been called).
- */
-static void
-sendstream(xfrout_ctx_t *xfr) {
- dns_message_t *tcpmsg = NULL;
- dns_message_t *msg = NULL; /* Client message if UDP, tcpmsg if TCP */
- isc_result_t result;
- isc_region_t used;
- isc_region_t region;
- dns_rdataset_t *qrdataset;
- dns_name_t *msgname = NULL;
- dns_rdata_t *msgrdata = NULL;
- dns_rdatalist_t *msgrdl = NULL;
- dns_rdataset_t *msgrds = NULL;
- dns_compress_t cctx;
- isc_boolean_t cleanup_cctx = ISC_FALSE;
-
- int n_rrs;
-
- isc_buffer_clear(&xfr->buf);
- isc_buffer_clear(&xfr->txlenbuf);
- isc_buffer_clear(&xfr->txbuf);
-
- if ((xfr->client->attributes & NS_CLIENTATTR_TCP) == 0) {
- /*
- * In the UDP case, we put the response data directly into
- * the client message.
- */
- msg = xfr->client->message;
- CHECK(dns_message_reply(msg, ISC_TRUE));
- } else {
- /*
- * TCP. Build a response dns_message_t, temporarily storing
- * the raw, uncompressed owner names and RR data contiguously
- * in xfr->buf. We know that if the uncompressed data fits
- * in xfr->buf, the compressed data will surely fit in a TCP
- * message.
- */
-
- CHECK(dns_message_create(xfr->mctx,
- DNS_MESSAGE_INTENTRENDER, &tcpmsg));
- msg = tcpmsg;
-
- msg->id = xfr->id;
- msg->rcode = dns_rcode_noerror;
- msg->flags = DNS_MESSAGEFLAG_QR | DNS_MESSAGEFLAG_AA;
- if ((xfr->client->attributes & NS_CLIENTATTR_RA) != 0)
- msg->flags |= DNS_MESSAGEFLAG_RA;
- CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
- CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
- if (xfr->lasttsig != NULL)
- isc_buffer_free(&xfr->lasttsig);
-
- /*
- * Include a question section in the first message only.
- * BIND 8.2.1 will not recognize an IXFR if it does not
- * have a question section.
- */
- if (xfr->nmsg == 0) {
- dns_name_t *qname = NULL;
- isc_region_t r;
-
- /*
- * Reserve space for the 12-byte message header
- * and 4 bytes of question.
- */
- isc_buffer_add(&xfr->buf, 12 + 4);
-
- qrdataset = NULL;
- result = dns_message_gettemprdataset(msg, &qrdataset);
- if (result != ISC_R_SUCCESS)
- goto failure;
- dns_rdataset_init(qrdataset);
- dns_rdataset_makequestion(qrdataset,
- xfr->client->message->rdclass,
- xfr->qtype);
-
- result = dns_message_gettempname(msg, &qname);
- if (result != ISC_R_SUCCESS)
- goto failure;
- dns_name_init(qname, NULL);
- isc_buffer_availableregion(&xfr->buf, &r);
- INSIST(r.length >= xfr->qname->length);
- r.length = xfr->qname->length;
- isc_buffer_putmem(&xfr->buf, xfr->qname->ndata,
- xfr->qname->length);
- dns_name_fromregion(qname, &r);
- ISC_LIST_INIT(qname->list);
- ISC_LIST_APPEND(qname->list, qrdataset, link);
-
- dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
- }
- else
- msg->tcp_continuation = 1;
- }
-
- /*
- * Try to fit in as many RRs as possible, unless "one-answer"
- * format has been requested.
- */
- for (n_rrs = 0; ; n_rrs++) {
- dns_name_t *name = NULL;
- isc_uint32_t ttl;
- dns_rdata_t *rdata = NULL;
-
- unsigned int size;
- isc_region_t r;
-
- msgname = NULL;
- msgrdata = NULL;
- msgrdl = NULL;
- msgrds = NULL;
-
- xfr->stream->methods->current(xfr->stream,
- &name, &ttl, &rdata);
- size = name->length + 10 + rdata->length;
- isc_buffer_availableregion(&xfr->buf, &r);
- if (size >= r.length) {
- /*
- * RR would not fit. If there are other RRs in the
- * buffer, send them now and leave this RR to the
- * next message. If this RR overflows the buffer
- * all by itself, fail.
- *
- * In theory some RRs might fit in a TCP message
- * when compressed even if they do not fit when
- * uncompressed, but surely we don't want
- * to send such monstrosities to an unsuspecting
- * slave.
- */
- if (n_rrs == 0) {
- xfrout_log(xfr, ISC_LOG_WARNING,
- "RR too large for zone transfer "
- "(%d bytes)", size);
- /* XXX DNS_R_RRTOOLARGE? */
- result = ISC_R_NOSPACE;
- goto failure;
- }
- break;
- }
-
- if (isc_log_wouldlog(ns_g_lctx, XFROUT_RR_LOGLEVEL))
- log_rr(name, rdata, ttl); /* XXX */
-
- result = dns_message_gettempname(msg, &msgname);
- if (result != ISC_R_SUCCESS)
- goto failure;
- dns_name_init(msgname, NULL);
- isc_buffer_availableregion(&xfr->buf, &r);
- INSIST(r.length >= name->length);
- r.length = name->length;
- isc_buffer_putmem(&xfr->buf, name->ndata, name->length);
- dns_name_fromregion(msgname, &r);
-
- /* Reserve space for RR header. */
- isc_buffer_add(&xfr->buf, 10);
-
- result = dns_message_gettemprdata(msg, &msgrdata);
- if (result != ISC_R_SUCCESS)
- goto failure;
- isc_buffer_availableregion(&xfr->buf, &r);
- r.length = rdata->length;
- isc_buffer_putmem(&xfr->buf, rdata->data, rdata->length);
- dns_rdata_init(msgrdata);
- dns_rdata_fromregion(msgrdata,
- rdata->rdclass, rdata->type, &r);
-
- result = dns_message_gettemprdatalist(msg, &msgrdl);
- if (result != ISC_R_SUCCESS)
- goto failure;
- msgrdl->type = rdata->type;
- msgrdl->rdclass = rdata->rdclass;
- msgrdl->ttl = ttl;
- ISC_LINK_INIT(msgrdl, link);
- ISC_LIST_INIT(msgrdl->rdata);
- ISC_LIST_APPEND(msgrdl->rdata, msgrdata, link);
-
- result = dns_message_gettemprdataset(msg, &msgrds);
- if (result != ISC_R_SUCCESS)
- goto failure;
- dns_rdataset_init(msgrds);
- result = dns_rdatalist_tordataset(msgrdl, msgrds);
- INSIST(result == ISC_R_SUCCESS);
-
- ISC_LIST_APPEND(msgname->list, msgrds, link);
-
- dns_message_addname(msg, msgname, DNS_SECTION_ANSWER);
- msgname = NULL;
-
- result = xfr->stream->methods->next(xfr->stream);
- if (result == ISC_R_NOMORE) {
- xfr->end_of_stream = ISC_TRUE;
- break;
- }
- CHECK(result);
-
- if (! xfr->many_answers)
- break;
- }
-
- if ((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0) {
- CHECK(dns_compress_init(&cctx, -1, xfr->mctx));
- dns_compress_setsensitive(&cctx, ISC_TRUE);
- cleanup_cctx = ISC_TRUE;
- CHECK(dns_message_renderbegin(msg, &cctx, &xfr->txbuf));
- CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
- CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
- CHECK(dns_message_renderend(msg));
- dns_compress_invalidate(&cctx);
- cleanup_cctx = ISC_FALSE;
-
- isc_buffer_usedregion(&xfr->txbuf, &used);
- isc_buffer_putuint16(&xfr->txlenbuf,
- (isc_uint16_t)used.length);
- region.base = xfr->txlenbuf.base;
- region.length = 2 + used.length;
- xfrout_log(xfr, ISC_LOG_DEBUG(8),
- "sending TCP message of %d bytes",
- used.length);
- CHECK(isc_socket_send(xfr->client->tcpsocket, /* XXX */
- ®ion, xfr->client->task,
- xfrout_senddone,
- xfr));
- xfr->sends++;
- } else {
- xfrout_log(xfr, ISC_LOG_DEBUG(8), "sending IXFR UDP response");
- ns_client_send(xfr->client);
- xfr->stream->methods->pause(xfr->stream);
- xfrout_ctx_destroy(&xfr);
- return;
- }
-
- /* Advance lasttsig to be the last TSIG generated */
- CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
-
- xfr->nmsg++;
-
- failure:
- if (msgname != NULL) {
- if (msgrds != NULL) {
- if (dns_rdataset_isassociated(msgrds))
- dns_rdataset_disassociate(msgrds);
- dns_message_puttemprdataset(msg, &msgrds);
- }
- if (msgrdl != NULL) {
- ISC_LIST_UNLINK(msgrdl->rdata, msgrdata, link);
- dns_message_puttemprdatalist(msg, &msgrdl);
- }
- if (msgrdata != NULL)
- dns_message_puttemprdata(msg, &msgrdata);
- dns_message_puttempname(msg, &msgname);
- }
-
- if (tcpmsg != NULL)
- dns_message_destroy(&tcpmsg);
-
- if (cleanup_cctx)
- dns_compress_invalidate(&cctx);
- /*
- * Make sure to release any locks held by database
- * iterators before returning from the event handler.
- */
- xfr->stream->methods->pause(xfr->stream);
-
- if (result == ISC_R_SUCCESS)
- return;
-
- xfrout_fail(xfr, result, "sending zone data");
-}
-
-static void
-xfrout_ctx_destroy(xfrout_ctx_t **xfrp) {
- xfrout_ctx_t *xfr = *xfrp;
-
- INSIST(xfr->sends == 0);
-
- xfr->client->shutdown = NULL;
- xfr->client->shutdown_arg = NULL;
-
- if (xfr->stream != NULL)
- xfr->stream->methods->destroy(&xfr->stream);
- if (xfr->buf.base != NULL)
- isc_mem_put(xfr->mctx, xfr->buf.base, xfr->buf.length);
- if (xfr->txmem != NULL)
- isc_mem_put(xfr->mctx, xfr->txmem, xfr->txmemlen);
- if (xfr->lasttsig != NULL)
- isc_buffer_free(&xfr->lasttsig);
- if (xfr->quota != NULL)
- isc_quota_detach(&xfr->quota);
- if (xfr->ver != NULL)
- dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
- if (xfr->db != NULL)
- dns_db_detach(&xfr->db);
-
- ns_client_detach(&xfr->client);
-
- isc_mem_put(xfr->mctx, xfr, sizeof(*xfr));
-
- *xfrp = NULL;
-}
-
-static void
-xfrout_senddone(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sev = (isc_socketevent_t *)event;
- xfrout_ctx_t *xfr = (xfrout_ctx_t *)event->ev_arg;
- isc_result_t evresult = sev->result;
-
- UNUSED(task);
-
- INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
-
- isc_event_free(&event);
- xfr->sends--;
- INSIST(xfr->sends == 0);
-
- (void)isc_timer_touch(xfr->client->timer);
- if (xfr->shuttingdown == ISC_TRUE) {
- xfrout_maybe_destroy(xfr);
- } else if (evresult != ISC_R_SUCCESS) {
- xfrout_fail(xfr, evresult, "send");
- } else if (xfr->end_of_stream == ISC_FALSE) {
- sendstream(xfr);
- } else {
- /* End of zone transfer stream. */
- xfrout_log(xfr, ISC_LOG_INFO, "%s ended", xfr->mnemonic);
- ns_client_next(xfr->client, ISC_R_SUCCESS);
- xfrout_ctx_destroy(&xfr);
- }
-}
-
-static void
-xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg) {
- xfr->shuttingdown = ISC_TRUE;
- xfrout_log(xfr, ISC_LOG_ERROR, "%s: %s",
- msg, isc_result_totext(result));
- xfrout_maybe_destroy(xfr);
-}
-
-static void
-xfrout_maybe_destroy(xfrout_ctx_t *xfr) {
- INSIST(xfr->shuttingdown == ISC_TRUE);
- if (xfr->sends > 0) {
- /*
- * If we are currently sending, cancel it and wait for
- * cancel event before destroying the context.
- */
- isc_socket_cancel(xfr->client->tcpsocket, xfr->client->task,
- ISC_SOCKCANCEL_SEND);
- } else {
- ns_client_next(xfr->client, ISC_R_CANCELED);
- xfrout_ctx_destroy(&xfr);
- }
-}
-
-static void
-xfrout_client_shutdown(void *arg, isc_result_t result) {
- xfrout_ctx_t *xfr = (xfrout_ctx_t *) arg;
- xfrout_fail(xfr, result, "aborted");
-}
-
-/*
- * Log outgoing zone transfer messages in a format like
- * : transfer of :
- */
-
-static void
-xfrout_logv(ns_client_t *client, dns_name_t *zonename,
- dns_rdataclass_t rdclass, int level, const char *fmt, va_list ap)
- ISC_FORMAT_PRINTF(5, 0);
-
-static void
-xfrout_logv(ns_client_t *client, dns_name_t *zonename,
- dns_rdataclass_t rdclass, int level, const char *fmt, va_list ap)
-{
- char msgbuf[2048];
- char namebuf[DNS_NAME_FORMATSIZE];
- char classbuf[DNS_RDATACLASS_FORMATSIZE];
-
- dns_name_format(zonename, namebuf, sizeof(namebuf));
- dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
- ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
- NS_LOGMODULE_XFER_OUT, level,
- "transfer of '%s/%s': %s", namebuf, classbuf, msgbuf);
-}
-
-/*
- * Logging function for use when a xfrout_ctx_t has not yet been created.
- */
-static void
-xfrout_log1(ns_client_t *client, dns_name_t *zonename,
- dns_rdataclass_t rdclass, int level, const char *fmt, ...) {
- va_list ap;
- va_start(ap, fmt);
- xfrout_logv(client, zonename, rdclass, level, fmt, ap);
- va_end(ap);
-}
-
-/*
- * Logging function for use when there is a xfrout_ctx_t.
- */
-static void
-xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) {
- va_list ap;
- va_start(ap, fmt);
- xfrout_logv(xfr->client, xfr->qname, xfr->qclass, level, fmt, ap);
- va_end(ap);
-}
diff --git a/usr.sbin/bind/bin/named/zoneconf.c b/usr.sbin/bind/bin/named/zoneconf.c
deleted file mode 100644
index 47a427254f5..00000000000
--- a/usr.sbin/bind/bin/named/zoneconf.c
+++ /dev/null
@@ -1,913 +0,0 @@
-/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: zoneconf.c,v 1.110.18.23 2006/05/16 03:39:57 marka Exp $ */
-
-/*% */
-
-#include
-
-#include
-#include
-#include
-#include
-#include /* Required for HP/UX (and others?) */
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-/*%
- * These are BIND9 server defaults, not necessarily identical to the
- * library defaults defined in zone.c.
- */
-#define RETERR(x) do { \
- isc_result_t _r = (x); \
- if (_r != ISC_R_SUCCESS) \
- return (_r); \
- } while (0)
-
-/*%
- * Convenience function for configuring a single zone ACL.
- */
-static isc_result_t
-configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
- const cfg_obj_t *config, const char *aclname,
- cfg_aclconfctx_t *actx, dns_zone_t *zone,
- void (*setzacl)(dns_zone_t *, dns_acl_t *),
- void (*clearzacl)(dns_zone_t *))
-{
- isc_result_t result;
- const cfg_obj_t *maps[5];
- const cfg_obj_t *aclobj = NULL;
- int i = 0;
- dns_acl_t *dacl = NULL;
-
- if (zconfig != NULL)
- maps[i++] = cfg_tuple_get(zconfig, "options");
- if (vconfig != NULL)
- maps[i++] = cfg_tuple_get(vconfig, "options");
- if (config != NULL) {
- const cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
- if (options != NULL)
- maps[i++] = options;
- }
- maps[i++] = ns_g_defaults;
- maps[i] = NULL;
-
- result = ns_config_get(maps, aclname, &aclobj);
- if (aclobj == NULL) {
- (*clearzacl)(zone);
- return (ISC_R_SUCCESS);
- }
-
- result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx,
- dns_zone_getmctx(zone), &dacl);
- if (result != ISC_R_SUCCESS)
- return (result);
- (*setzacl)(zone, dacl);
- dns_acl_detach(&dacl);
- return (ISC_R_SUCCESS);
-}
-
-/*%
- * Parse the zone update-policy statement.
- */
-static isc_result_t
-configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
- const cfg_obj_t *updatepolicy = NULL;
- const cfg_listelt_t *element, *element2;
- dns_ssutable_t *table = NULL;
- isc_mem_t *mctx = dns_zone_getmctx(zone);
- isc_result_t result;
-
- (void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
- if (updatepolicy == NULL) {
- dns_zone_setssutable(zone, NULL);
- return (ISC_R_SUCCESS);
- }
-
- result = dns_ssutable_create(mctx, &table);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- for (element = cfg_list_first(updatepolicy);
- element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *stmt = cfg_listelt_value(element);
- const cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
- const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
- const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
- const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
- const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
- const char *str;
- isc_boolean_t grant = ISC_FALSE;
- unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
- dns_fixedname_t fname, fident;
- isc_buffer_t b;
- dns_rdatatype_t *types;
- unsigned int i, n;
-
- str = cfg_obj_asstring(mode);
- if (strcasecmp(str, "grant") == 0)
- grant = ISC_TRUE;
- else if (strcasecmp(str, "deny") == 0)
- grant = ISC_FALSE;
- else
- INSIST(0);
-
- str = cfg_obj_asstring(matchtype);
- if (strcasecmp(str, "name") == 0)
- mtype = DNS_SSUMATCHTYPE_NAME;
- else if (strcasecmp(str, "subdomain") == 0)
- mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
- else if (strcasecmp(str, "wildcard") == 0)
- mtype = DNS_SSUMATCHTYPE_WILDCARD;
- else if (strcasecmp(str, "self") == 0)
- mtype = DNS_SSUMATCHTYPE_SELF;
- else if (strcasecmp(str, "selfsub") == 0)
- mtype = DNS_SSUMATCHTYPE_SELFSUB;
- else if (strcasecmp(str, "selfwild") == 0)
- mtype = DNS_SSUMATCHTYPE_SELFWILD;
- else
- INSIST(0);
-
- dns_fixedname_init(&fident);
- str = cfg_obj_asstring(identity);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
- "'%s' is not a valid name", str);
- goto cleanup;
- }
-
- dns_fixedname_init(&fname);
- str = cfg_obj_asstring(dname);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
- "'%s' is not a valid name", str);
- goto cleanup;
- }
-
- n = ns_config_listcount(typelist);
- if (n == 0)
- types = NULL;
- else {
- types = isc_mem_get(mctx, n * sizeof(dns_rdatatype_t));
- if (types == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- }
-
- i = 0;
- for (element2 = cfg_list_first(typelist);
- element2 != NULL;
- element2 = cfg_list_next(element2))
- {
- const cfg_obj_t *typeobj;
- isc_textregion_t r;
-
- INSIST(i < n);
-
- typeobj = cfg_listelt_value(element2);
- str = cfg_obj_asstring(typeobj);
- DE_CONST(str, r.base);
- r.length = strlen(str);
-
- result = dns_rdatatype_fromtext(&types[i++], &r);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
- "'%s' is not a valid type", str);
- isc_mem_put(mctx, types,
- n * sizeof(dns_rdatatype_t));
- goto cleanup;
- }
- }
- INSIST(i == n);
-
- result = dns_ssutable_addrule(table, grant,
- dns_fixedname_name(&fident),
- mtype,
- dns_fixedname_name(&fname),
- n, types);
- if (types != NULL)
- isc_mem_put(mctx, types, n * sizeof(dns_rdatatype_t));
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
-
- }
-
- result = ISC_R_SUCCESS;
- dns_zone_setssutable(zone, table);
-
- cleanup:
- dns_ssutable_detach(&table);
- return (result);
-}
-
-/*%
- * Convert a config file zone type into a server zone type.
- */
-static inline dns_zonetype_t
-zonetype_fromconfig(const cfg_obj_t *map) {
- const cfg_obj_t *obj = NULL;
- isc_result_t result;
-
- result = cfg_map_get(map, "type", &obj);
- INSIST(result == ISC_R_SUCCESS);
- return (ns_config_getzonetype(obj));
-}
-
-/*%
- * Helper function for strtoargv(). Pardon the gratuitous recursion.
- */
-static isc_result_t
-strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp,
- char ***argvp, unsigned int n)
-{
- isc_result_t result;
-
- /* Discard leading whitespace. */
- while (*s == ' ' || *s == '\t')
- s++;
-
- if (*s == '\0') {
- /* We have reached the end of the string. */
- *argcp = n;
- *argvp = isc_mem_get(mctx, n * sizeof(char *));
- if (*argvp == NULL)
- return (ISC_R_NOMEMORY);
- } else {
- char *p = s;
- while (*p != ' ' && *p != '\t' && *p != '\0')
- p++;
- if (*p != '\0')
- *p++ = '\0';
-
- result = strtoargvsub(mctx, p, argcp, argvp, n + 1);
- if (result != ISC_R_SUCCESS)
- return (result);
- (*argvp)[n] = s;
- }
- return (ISC_R_SUCCESS);
-}
-
-/*%
- * Tokenize the string "s" into whitespace-separated words,
- * return the number of words in '*argcp' and an array
- * of pointers to the words in '*argvp'. The caller
- * must free the array using isc_mem_put(). The string
- * is modified in-place.
- */
-static isc_result_t
-strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
- return (strtoargvsub(mctx, s, argcp, argvp, 0));
-}
-
-static void
-checknames(dns_zonetype_t ztype, const cfg_obj_t **maps,
- const cfg_obj_t **objp)
-{
- const char *zone = NULL;
- isc_result_t result;
-
- switch (ztype) {
- case dns_zone_slave: zone = "slave"; break;
- case dns_zone_master: zone = "master"; break;
- default:
- INSIST(0);
- }
- result = ns_checknames_get(maps, zone, objp);
- INSIST(result == ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
- const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
- dns_zone_t *zone)
-{
- isc_result_t result;
- const char *zname;
- dns_rdataclass_t zclass;
- dns_rdataclass_t vclass;
- const cfg_obj_t *maps[5];
- const cfg_obj_t *zoptions = NULL;
- const cfg_obj_t *options = NULL;
- const cfg_obj_t *obj;
- const char *filename = NULL;
- dns_notifytype_t notifytype = dns_notifytype_yes;
- isc_sockaddr_t *addrs;
- dns_name_t **keynames;
- isc_uint32_t count;
- char *cpval;
- unsigned int dbargc;
- char **dbargv;
- static char default_dbtype[] = "rbt";
- isc_mem_t *mctx = dns_zone_getmctx(zone);
- dns_dialuptype_t dialup = dns_dialuptype_no;
- dns_zonetype_t ztype;
- int i;
- isc_int32_t journal_size;
- isc_boolean_t multi;
- isc_boolean_t alt;
- dns_view_t *view;
- isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE;
- isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
- isc_boolean_t ixfrdiff;
- dns_masterformat_t masterformat;
-
- i = 0;
- if (zconfig != NULL) {
- zoptions = cfg_tuple_get(zconfig, "options");
- maps[i++] = zoptions;
- }
- if (vconfig != NULL)
- maps[i++] = cfg_tuple_get(vconfig, "options");
- if (config != NULL) {
- (void)cfg_map_get(config, "options", &options);
- if (options != NULL)
- maps[i++] = options;
- }
- maps[i++] = ns_g_defaults;
- maps[i++] = NULL;
-
- if (vconfig != NULL)
- RETERR(ns_config_getclass(cfg_tuple_get(vconfig, "class"),
- dns_rdataclass_in, &vclass));
- else
- vclass = dns_rdataclass_in;
-
- /*
- * Configure values common to all zone types.
- */
-
- zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-
- RETERR(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
- vclass, &zclass));
- dns_zone_setclass(zone, zclass);
-
- ztype = zonetype_fromconfig(zoptions);
- dns_zone_settype(zone, ztype);
-
- obj = NULL;
- result = cfg_map_get(zoptions, "database", &obj);
- if (result == ISC_R_SUCCESS)
- cpval = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
- else
- cpval = default_dbtype;
-
- if (cpval == NULL)
- return(ISC_R_NOMEMORY);
-
- result = strtoargv(mctx, cpval, &dbargc, &dbargv);
- if (result != ISC_R_SUCCESS && cpval != default_dbtype) {
- isc_mem_free(mctx, cpval);
- return (result);
- }
-
- /*
- * ANSI C is strange here. There is no logical reason why (char **)
- * cannot be promoted automatically to (const char * const *) by the
- * compiler w/o generating a warning.
- */
- result = dns_zone_setdbtype(zone, dbargc, (const char * const *)dbargv);
- isc_mem_put(mctx, dbargv, dbargc * sizeof(*dbargv));
- if (cpval != default_dbtype)
- isc_mem_free(mctx, cpval);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- obj = NULL;
- result = cfg_map_get(zoptions, "file", &obj);
- if (result == ISC_R_SUCCESS)
- filename = cfg_obj_asstring(obj);
-
- masterformat = dns_masterformat_text;
- obj = NULL;
- result= ns_config_get(maps, "masterfile-format", &obj);
- if (result == ISC_R_SUCCESS) {
- const char *masterformatstr = cfg_obj_asstring(obj);
-
- if (strcasecmp(masterformatstr, "text") == 0)
- masterformat = dns_masterformat_text;
- else if (strcasecmp(masterformatstr, "raw") == 0)
- masterformat = dns_masterformat_raw;
- else
- INSIST(0);
- }
- RETERR(dns_zone_setfile2(zone, filename, masterformat));
-
- obj = NULL;
- result = cfg_map_get(zoptions, "journal", &obj);
- if (result == ISC_R_SUCCESS)
- RETERR(dns_zone_setjournal(zone, cfg_obj_asstring(obj)));
-
- if (ztype == dns_zone_slave)
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-notify", ac, zone,
- dns_zone_setnotifyacl,
- dns_zone_clearnotifyacl));
- /*
- * XXXAG This probably does not make sense for stubs.
- */
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-query", ac, zone,
- dns_zone_setqueryacl,
- dns_zone_clearqueryacl));
-
- obj = NULL;
- result = ns_config_get(maps, "dialup", &obj);
- INSIST(result == ISC_R_SUCCESS);
- if (cfg_obj_isboolean(obj)) {
- if (cfg_obj_asboolean(obj))
- dialup = dns_dialuptype_yes;
- else
- dialup = dns_dialuptype_no;
- } else {
- const char *dialupstr = cfg_obj_asstring(obj);
- if (strcasecmp(dialupstr, "notify") == 0)
- dialup = dns_dialuptype_notify;
- else if (strcasecmp(dialupstr, "notify-passive") == 0)
- dialup = dns_dialuptype_notifypassive;
- else if (strcasecmp(dialupstr, "refresh") == 0)
- dialup = dns_dialuptype_refresh;
- else if (strcasecmp(dialupstr, "passive") == 0)
- dialup = dns_dialuptype_passive;
- else
- INSIST(0);
- }
- dns_zone_setdialup(zone, dialup);
-
- obj = NULL;
- result = ns_config_get(maps, "zone-statistics", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setstatistics(zone, cfg_obj_asboolean(obj)));
-
- /*
- * Configure master functionality. This applies
- * to primary masters (type "master") and slaves
- * acting as masters (type "slave"), but not to stubs.
- */
- if (ztype != dns_zone_stub) {
- obj = NULL;
- result = ns_config_get(maps, "notify", &obj);
- INSIST(result == ISC_R_SUCCESS);
- if (cfg_obj_isboolean(obj)) {
- if (cfg_obj_asboolean(obj))
- notifytype = dns_notifytype_yes;
- else
- notifytype = dns_notifytype_no;
- } else {
- const char *notifystr = cfg_obj_asstring(obj);
- if (strcasecmp(notifystr, "explicit") == 0)
- notifytype = dns_notifytype_explicit;
- else if (strcasecmp(notifystr, "master-only") == 0)
- notifytype = dns_notifytype_masteronly;
- else
- INSIST(0);
- }
- dns_zone_setnotifytype(zone, notifytype);
-
- obj = NULL;
- result = ns_config_get(maps, "also-notify", &obj);
- if (result == ISC_R_SUCCESS) {
- isc_sockaddr_t *addrs = NULL;
- isc_uint32_t addrcount;
- result = ns_config_getiplist(config, obj, 0, mctx,
- &addrs, &addrcount);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_zone_setalsonotify(zone, addrs,
- addrcount);
- ns_config_putiplist(mctx, &addrs, addrcount);
- if (result != ISC_R_SUCCESS)
- return (result);
- } else
- RETERR(dns_zone_setalsonotify(zone, NULL, 0));
-
- obj = NULL;
- result = ns_config_get(maps, "notify-source", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj)));
- ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "notify-source-v6", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
- ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-
- dns_zone_setisself(zone, ns_client_isself, NULL);
-
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-transfer", ac, zone,
- dns_zone_setxfracl,
- dns_zone_clearxfracl));
-
- obj = NULL;
- result = ns_config_get(maps, "max-transfer-time-out", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setmaxxfrout(zone, cfg_obj_asuint32(obj) * 60);
-
- obj = NULL;
- result = ns_config_get(maps, "max-transfer-idle-out", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setidleout(zone, cfg_obj_asuint32(obj) * 60);
-
- obj = NULL;
- result = ns_config_get(maps, "max-journal-size", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setjournalsize(zone, -1);
- if (cfg_obj_isstring(obj)) {
- const char *str = cfg_obj_asstring(obj);
- INSIST(strcasecmp(str, "unlimited") == 0);
- journal_size = ISC_UINT32_MAX / 2;
- } else {
- isc_resourcevalue_t value;
- value = cfg_obj_asuint64(obj);
- if (value > ISC_UINT32_MAX / 2) {
- cfg_obj_log(obj, ns_g_lctx,
- ISC_LOG_ERROR,
- "'max-journal-size "
- "%" ISC_PRINT_QUADFORMAT "d' "
- "is too large",
- value);
- RETERR(ISC_R_RANGE);
- }
- journal_size = (isc_uint32_t)value;
- }
- dns_zone_setjournalsize(zone, journal_size);
-
- obj = NULL;
- result = ns_config_get(maps, "ixfr-from-differences", &obj);
- INSIST(result == ISC_R_SUCCESS);
- if (cfg_obj_isboolean(obj))
- ixfrdiff = cfg_obj_asboolean(obj);
- else if (strcasecmp(cfg_obj_asstring(obj), "master") &&
- ztype == dns_zone_master)
- ixfrdiff = ISC_TRUE;
- else if (strcasecmp(cfg_obj_asstring(obj), "slave") &&
- ztype == dns_zone_slave)
- ixfrdiff = ISC_TRUE;
- else
- ixfrdiff = ISC_FALSE;
- dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS, ixfrdiff);
-
- checknames(ztype, maps, &obj);
- INSIST(obj != NULL);
- if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
- fail = ISC_FALSE;
- check = ISC_TRUE;
- } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
- fail = check = ISC_TRUE;
- } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
- fail = check = ISC_FALSE;
- } else
- INSIST(0);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL, fail);
-
- obj = NULL;
- result = ns_config_get(maps, "notify-delay", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setnotifydelay(zone, cfg_obj_asuint32(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "check-sibling", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING,
- cfg_obj_asboolean(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "zero-no-soa-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj));
- }
-
- /*
- * Configure update-related options. These apply to
- * primary masters only.
- */
- if (ztype == dns_zone_master) {
- dns_acl_t *updateacl;
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-update", ac, zone,
- dns_zone_setupdateacl,
- dns_zone_clearupdateacl));
-
- updateacl = dns_zone_getupdateacl(zone);
- if (updateacl != NULL && dns_acl_isinsecure(updateacl))
- isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "zone '%s' allows updates by IP "
- "address, which is insecure",
- zname);
-
- RETERR(configure_zone_ssutable(zoptions, zone));
-
- obj = NULL;
- result = ns_config_get(maps, "sig-validity-interval", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setsigvalidityinterval(zone,
- cfg_obj_asuint32(obj) * 86400);
-
- obj = NULL;
- result = ns_config_get(maps, "key-directory", &obj);
- if (result == ISC_R_SUCCESS) {
- filename = cfg_obj_asstring(obj);
- if (!isc_file_isabsolute(filename)) {
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
- "key-directory '%s' "
- "is not absolute", filename);
- return (ISC_R_FAILURE);
- }
- RETERR(dns_zone_setkeydirectory(zone, filename));
- }
-
- obj = NULL;
- result = ns_config_get(maps, "check-wildcard", &obj);
- if (result == ISC_R_SUCCESS)
- check = cfg_obj_asboolean(obj);
- else
- check = ISC_FALSE;
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKWILDCARD, check);
-
- obj = NULL;
- result = ns_config_get(maps, "check-mx", &obj);
- INSIST(obj != NULL);
- if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
- fail = ISC_FALSE;
- check = ISC_TRUE;
- } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
- fail = check = ISC_TRUE;
- } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
- fail = check =
ISC_FALSE; - } else - INSIST(0); - dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMX, check); - dns_zone_setoption(zone, DNS_ZONEOPT_CHECKMXFAIL, fail); - - obj = NULL; - result = ns_config_get(maps, "check-integrity", &obj); - INSIST(obj != NULL); - dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY, - cfg_obj_asboolean(obj)); - - obj = NULL; - result = ns_config_get(maps, "check-mx-cname", &obj); - INSIST(obj != NULL); - if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { - warn = ISC_TRUE; - ignore = ISC_FALSE; - } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { - warn = ignore = ISC_FALSE; - } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { - warn = ignore = ISC_TRUE; - } else - INSIST(0); - dns_zone_setoption(zone, DNS_ZONEOPT_WARNMXCNAME, warn); - dns_zone_setoption(zone, DNS_ZONEOPT_IGNOREMXCNAME, ignore); - - obj = NULL; - result = ns_config_get(maps, "check-srv-cname", &obj); - INSIST(obj != NULL); - if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { - warn = ISC_TRUE; - ignore = ISC_FALSE; - } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) { - warn = ignore = ISC_FALSE; - } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { - warn = ignore = ISC_TRUE; - } else - INSIST(0); - dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn); - dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore); - - obj = NULL; - result = ns_config_get(maps, "update-check-ksk", &obj); - INSIST(result == ISC_R_SUCCESS); - dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, - cfg_obj_asboolean(obj)); - } - - /* - * Configure update-related options. These apply to - * primary masters only. 
- */ - if (ztype == dns_zone_master) { - dns_acl_t *updateacl; - RETERR(configure_zone_acl(zconfig, vconfig, config, - "allow-update", ac, zone, - dns_zone_setupdateacl, - dns_zone_clearupdateacl)); - - updateacl = dns_zone_getupdateacl(zone); - if (updateacl != NULL && dns_acl_isinsecure(updateacl)) - isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY, - NS_LOGMODULE_SERVER, ISC_LOG_WARNING, - "zone '%s' allows updates by IP " - "address, which is insecure", - zname); - - RETERR(configure_zone_ssutable(zoptions, zone)); - - obj = NULL; - result = ns_config_get(maps, "sig-validity-interval", &obj); - INSIST(result == ISC_R_SUCCESS); - dns_zone_setsigvalidityinterval(zone, - cfg_obj_asuint32(obj) * 86400); - - obj = NULL; - result = ns_config_get(maps, "key-directory", &obj); - if (result == ISC_R_SUCCESS) { - filename = cfg_obj_asstring(obj); - if (!isc_file_isabsolute(filename)) { - cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, - "key-directory '%s' " - "is not absolute", filename); - return (ISC_R_FAILURE); - } - RETERR(dns_zone_setkeydirectory(zone, filename)); - } - - } else if (ztype == dns_zone_slave) { - RETERR(configure_zone_acl(zconfig, vconfig, config, - "allow-update-forwarding", ac, zone, - dns_zone_setforwardacl, - dns_zone_clearforwardacl)); - } - - /* - * Configure slave functionality. 
- */ - switch (ztype) { - case dns_zone_slave: - case dns_zone_stub: - count = 0; - obj = NULL; - result = cfg_map_get(zoptions, "masters", &obj); - if (obj != NULL) { - addrs = NULL; - keynames = NULL; - RETERR(ns_config_getipandkeylist(config, obj, mctx, - &addrs, &keynames, - &count)); - result = dns_zone_setmasterswithkeys(zone, addrs, - keynames, count); - ns_config_putipandkeylist(mctx, &addrs, &keynames, - count); - } else - result = dns_zone_setmasters(zone, NULL, 0); - RETERR(result); - - multi = ISC_FALSE; - if (count > 1) { - obj = NULL; - result = ns_config_get(maps, "multi-master", &obj); - INSIST(result == ISC_R_SUCCESS); - multi = cfg_obj_asboolean(obj); - } - dns_zone_setoption(zone, DNS_ZONEOPT_MULTIMASTER, multi); - - obj = NULL; - result = ns_config_get(maps, "max-transfer-time-in", &obj); - INSIST(result == ISC_R_SUCCESS); - dns_zone_setmaxxfrin(zone, cfg_obj_asuint32(obj) * 60); - - obj = NULL; - result = ns_config_get(maps, "max-transfer-idle-in", &obj); - INSIST(result == ISC_R_SUCCESS); - dns_zone_setidlein(zone, cfg_obj_asuint32(obj) * 60); - - obj = NULL; - result = ns_config_get(maps, "max-refresh-time", &obj); - INSIST(result == ISC_R_SUCCESS); - dns_zone_setmaxrefreshtime(zone, cfg_obj_asuint32(obj)); - - obj = NULL; - result = ns_config_get(maps, "min-refresh-time", &obj); - INSIST(result == ISC_R_SUCCESS); - dns_zone_setminrefreshtime(zone, cfg_obj_asuint32(obj)); - - obj = NULL; - result = ns_config_get(maps, "max-retry-time", &obj); - INSIST(result == ISC_R_SUCCESS); - dns_zone_setmaxretrytime(zone, cfg_obj_asuint32(obj)); - - obj = NULL; - result = ns_config_get(maps, "min-retry-time", &obj); - INSIST(result == ISC_R_SUCCESS); - dns_zone_setminretrytime(zone, cfg_obj_asuint32(obj)); - - obj = NULL; - result = ns_config_get(maps, "transfer-source", &obj); - INSIST(result == ISC_R_SUCCESS); - RETERR(dns_zone_setxfrsource4(zone, cfg_obj_assockaddr(obj))); - ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj)); - - obj = 
NULL;
- result = ns_config_get(maps, "transfer-source-v6", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setxfrsource6(zone, cfg_obj_assockaddr(obj)));
- ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "alt-transfer-source", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setaltxfrsource4(zone, cfg_obj_assockaddr(obj)));
-
- obj = NULL;
- result = ns_config_get(maps, "alt-transfer-source-v6", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setaltxfrsource6(zone, cfg_obj_assockaddr(obj)));
-
- obj = NULL;
- (void)ns_config_get(maps, "use-alt-transfer-source", &obj);
- if (obj == NULL) {
- /*
- * Default off when views are in use otherwise
- * on for BIND 8 compatibility.
- */
- view = dns_zone_getview(zone);
- if (view != NULL && strcmp(view->name, "_default") == 0)
- alt = ISC_TRUE;
- else
- alt = ISC_FALSE;
- } else
- alt = cfg_obj_asboolean(obj);
- dns_zone_setoption(zone, DNS_ZONEOPT_USEALTXFRSRC, alt);
-
- break;
-
- default:
- break;
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
- const cfg_obj_t *zoptions = NULL;
- const cfg_obj_t *obj = NULL;
- const char *cfilename;
- const char *zfilename;
-
- zoptions = cfg_tuple_get(zconfig, "options");
-
- if (zonetype_fromconfig(zoptions) != dns_zone_gettype(zone))
- return (ISC_FALSE);
-
- obj = NULL;
- (void)cfg_map_get(zoptions, "file", &obj);
- if (obj != NULL)
- cfilename = cfg_obj_asstring(obj);
- else
- cfilename = NULL;
- zfilename = dns_zone_getfile(zone);
- if (!((cfilename == NULL && zfilename == NULL) ||
- (cfilename != NULL && zfilename != NULL &&
- strcmp(cfilename, zfilename) == 0)))
- return (ISC_FALSE);
-
- return (ISC_TRUE);
-}
diff --git a/usr.sbin/bind/bin/nsupdate/Makefile.in b/usr.sbin/bind/bin/nsupdate/Makefile.in
deleted file mode 100644
index 2f546cdfc8e..00000000000
--- a/usr.sbin/bind/bin/nsupdate/Makefile.in
+++ /dev/null
@@ -1,83 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $ISC: Makefile.in,v 1.22.18.1 2004/07/20 07:03:20 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISC_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-LWRESLIBS = ../../lib/lwres/liblwres.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-BIND9LIBS = ../../lib/bind9/libbind9.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
-
-LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
-
-DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
-
-LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} ${ISCCFGLIBS} @LIBS@
-
-SUBDIRS =
-
-TARGETS = nsupdate@EXEEXT@
-
-OBJS = nsupdate.@O@
-
-UOBJS =
-
-SRCS = nsupdate.c
-
-MANPAGES = nsupdate.8
-
-HTMLPAGES = nsupdate.html
-
-MANOBJS = ${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS}
${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsupdate.@O@ ${UOBJS} ${LIBS}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
- rm -f ${MANOBJS}
-
-clean distclean::
- rm -f ${TARGETS}
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: nsupdate@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsupdate@EXEEXT@ ${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/nsupdate.8 ${DESTDIR}${mandir}/man8
diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.8 b/usr.sbin/bind/bin/nsupdate/nsupdate.8
deleted file mode 100644
index 7159865ae99..00000000000
--- a/usr.sbin/bind/bin/nsupdate/nsupdate.8
+++ /dev/null
@@ -1,348 +0,0 @@ -.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2003 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -.\" PERFORMANCE OF THIS SOFTWARE. -.\" -.\" $ISC: nsupdate.8,v 1.30.18.14 2007/05/09 03:33:13 marka Exp $ -.\" -.hy 0 -.ad l -.\" Title: nsupdate -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: Jun 30, 2000 -.\" Manual: BIND9 -.\" Source: BIND9 -.\" -.TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "BIND9" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -nsupdate \- Dynamic DNS update utility -.SH "SYNOPSIS" -.HP 9 -\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename] -.SH "DESCRIPTION" -.PP -\fBnsupdate\fR -is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record. 
-.PP -Zones that are under dynamic control via -\fBnsupdate\fR -or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost. -.PP -The resource records that are dynamically added or removed with -\fBnsupdate\fR -have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record. -.PP -The -\fB\-d\fR -option makes -\fBnsupdate\fR -operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server. -.PP -Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931. TSIG relies on a shared secret that should only be known to -\fBnsupdate\fR -and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable -\fBkey\fR -and -\fBserver\fR -statements would be added to -\fI/etc/named.conf\fR -so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server. -\fBnsupdate\fR -does not read -\fI/etc/named.conf\fR. -.PP -\fBnsupdate\fR -uses the -\fB\-y\fR -or -\fB\-k\fR -option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive. 
With the -\fB\-k\fR -option, -\fBnsupdate\fR -reads the shared secret from the file -\fIkeyfile\fR, whose name is of the form -\fIK{name}.+157.+{random}.private\fR. For historical reasons, the file -\fIK{name}.+157.+{random}.key\fR -must also be present. When the -\fB\-y\fR -option is used, a signature is generated from -[\fIhmac:\fR]\fIkeyname:secret.\fR -\fIkeyname\fR -is the name of the key, and -\fIsecret\fR -is the base64 encoded shared secret. Use of the -\fB\-y\fR -option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from -\fBps\fR(1) -or in a history file maintained by the user's shell. -.PP -The -\fB\-k\fR -may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key. -.PP -By default -\fBnsupdate\fR -uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The -\fB\-v\fR -option makes -\fBnsupdate\fR -use a TCP connection. This may be preferable when a batch of update requests is made. -.PP -The -\fB\-t\fR -option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout. -.PP -The -\fB\-u\fR -option sets the UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries. -.PP -The -\fB\-r\fR -option sets the number of UDP retries. The default is 3. If zero, only one update request will be made. -.SH "INPUT FORMAT" -.PP -\fBnsupdate\fR -reads input from -\fIfilename\fR -or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. The others are either update instructions or prerequisite checks on the contents of the zone. 
These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. Updates will be rejected if the tests for the prerequisite conditions fail. -.PP -Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. A blank input line (or the -\fBsend\fR -command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server. -.PP -The command formats and their meaning are as follows: -.PP -\fBserver\fR {servername} [port] -.RS 4 -Sends all dynamic update requests to the name server -\fIservername\fR. When no server statement is provided, -\fBnsupdate\fR -will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone. -\fIport\fR -is the port number on -\fIservername\fR -where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used. -.RE -.PP -\fBlocal\fR {address} [port] -.RS 4 -Sends all dynamic update requests using the local -\fIaddress\fR. When no local statement is provided, -\fBnsupdate\fR -will send updates using an address and port chosen by the system. -\fIport\fR -can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. -.RE -.PP -\fBzone\fR {zonename} -.RS 4 -Specifies that all updates are to be made to the zone -\fIzonename\fR. If no -\fIzone\fR -statement is provided, -\fBnsupdate\fR -will attempt determine the correct zone to update based on the rest of the input. -.RE -.PP -\fBclass\fR {classname} -.RS 4 -Specify the default class. If no -\fIclass\fR -is specified, the default class is -\fIIN\fR. 
-.RE -.PP -\fBkey\fR {name} {secret} -.RS 4 -Specifies that all updates are to be TSIG\-signed using the -\fIkeyname\fR -\fIkeysecret\fR -pair. The -\fBkey\fR -command overrides any key specified on the command line via -\fB\-y\fR -or -\fB\-k\fR. -.RE -.PP -\fBprereq nxdomain\fR {domain\-name} -.RS 4 -Requires that no resource record of any type exists with name -\fIdomain\-name\fR. -.RE -.PP -\fBprereq yxdomain\fR {domain\-name} -.RS 4 -Requires that -\fIdomain\-name\fR -exists (has as at least one resource record, of any type). -.RE -.PP -\fBprereq nxrrset\fR {domain\-name} [class] {type} -.RS 4 -Requires that no resource record exists of the specified -\fItype\fR, -\fIclass\fR -and -\fIdomain\-name\fR. If -\fIclass\fR -is omitted, IN (internet) is assumed. -.RE -.PP -\fBprereq yxrrset\fR {domain\-name} [class] {type} -.RS 4 -This requires that a resource record of the specified -\fItype\fR, -\fIclass\fR -and -\fIdomain\-name\fR -must exist. If -\fIclass\fR -is omitted, IN (internet) is assumed. -.RE -.PP -\fBprereq yxrrset\fR {domain\-name} [class] {type} {data...} -.RS 4 -The -\fIdata\fR -from each set of prerequisites of this form sharing a common -\fItype\fR, -\fIclass\fR, and -\fIdomain\-name\fR -are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given -\fItype\fR, -\fIclass\fR, and -\fIdomain\-name\fR. The -\fIdata\fR -are written in the standard text representation of the resource record's RDATA. -.RE -.PP -\fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]] -.RS 4 -Deletes any resource records named -\fIdomain\-name\fR. If -\fItype\fR -and -\fIdata\fR -is provided, only matching resource records will be removed. The internet class is assumed if -\fIclass\fR -is not supplied. The -\fIttl\fR -is ignored, and is only allowed for compatibility. 
-.RE -.PP -\fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...} -.RS 4 -Adds a new resource record with the specified -\fIttl\fR, -\fIclass\fR -and -\fIdata\fR. -.RE -.PP -\fBshow\fR -.RS 4 -Displays the current message, containing all of the prerequisites and updates specified since the last send. -.RE -.PP -\fBsend\fR -.RS 4 -Sends the current message. This is equivalent to entering a blank line. -.RE -.PP -\fBanswer\fR -.RS 4 -Displays the answer. -.RE -.PP -Lines beginning with a semicolon are comments and are ignored. -.SH "EXAMPLES" -.PP -The examples below show how -\fBnsupdate\fR -could be used to insert and delete resource records from the -\fBexample.com\fR -zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for -\fBexample.com\fR. -.sp -.RS 4 -.nf -# nsupdate -> update delete oldhost.example.com A -> update add newhost.example.com 86400 A 172.16.1.1 -> send -.fi -.RE -.sp -.PP -Any A records for -\fBoldhost.example.com\fR -are deleted. And an A record for -\fBnewhost.example.com\fR -with IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds). -.sp -.RS 4 -.nf -# nsupdate -> prereq nxdomain nickname.example.com -> update add nickname.example.com 86400 CNAME somehost.example.com -> send -.fi -.RE -.sp -.PP -The prerequisite condition gets the name server to check that there are no resource records of any type for -\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.) 
-.SH "FILES"
-.PP
-\fB/etc/resolv.conf\fR
-.RS 4
-used to identify default name server
-.RE
-.PP
-\fBK{name}.+157.+{random}.key\fR
-.RS 4
-base\-64 encoding of HMAC\-MD5 key created by
-\fBdnssec\-keygen\fR(8).
-.RE
-.PP
-\fBK{name}.+157.+{random}.private\fR
-.RS 4
-base\-64 encoding of HMAC\-MD5 key created by
-\fBdnssec\-keygen\fR(8).
-.RE
-.SH "SEE ALSO"
-.PP
-\fBRFC2136\fR(),
-\fBRFC3007\fR(),
-\fBRFC2104\fR(),
-\fBRFC2845\fR(),
-\fBRFC1034\fR(),
-\fBRFC2535\fR(),
-\fBRFC2931\fR(),
-\fBnamed\fR(8),
-\fBdnssec\-keygen\fR(8).
-.SH "BUGS"
-.PP
-The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
-.SH "COPYRIGHT"
-Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000\-2003 Internet Software Consortium.
-.br
diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.c b/usr.sbin/bind/bin/nsupdate/nsupdate.c
deleted file mode 100644
index 96e5c2dcf1b..00000000000
--- a/usr.sbin/bind/bin/nsupdate/nsupdate.c
+++ /dev/null
@@ -1,2176 +0,0 @@ -/* - * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: nsupdate.c,v 1.130.18.19 2007/08/28 07:20:01 tbox Exp $ */ - -/*! \file */ - -#include - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include -#include - -#include - -#ifdef HAVE_ADDRINFO -#ifdef HAVE_GETADDRINFO -#ifdef HAVE_GAISTRERROR -#define USE_GETADDRINFO -#endif -#endif -#endif - -#ifndef USE_GETADDRINFO -#ifndef ISC_PLATFORM_NONSTDHERRNO -extern int h_errno; -#endif -#endif - -#define MAXCMD (4 * 1024) -#define MAXWIRE (64 * 1024) -#define PACKETSIZE ((64 * 1024) - 1) -#define INITTEXT (2 * 1024) -#define MAXTEXT (128 * 1024) -#define FIND_TIMEOUT 5 -#define TTL_MAX 2147483647U /* Maximum signed 32 bit integer. 
*/ - -#define DNSDEFAULTPORT 53 - -#ifndef RESOLV_CONF -#define RESOLV_CONF "/etc/resolv.conf" -#endif - -static isc_boolean_t debugging = ISC_FALSE, ddebugging = ISC_FALSE; -static isc_boolean_t memdebugging = ISC_FALSE; -static isc_boolean_t have_ipv4 = ISC_FALSE; -static isc_boolean_t have_ipv6 = ISC_FALSE; -static isc_boolean_t is_dst_up = ISC_FALSE; -static isc_boolean_t usevc = ISC_FALSE; -static isc_taskmgr_t *taskmgr = NULL; -static isc_task_t *global_task = NULL; -static isc_event_t *global_event = NULL; -static isc_mem_t *mctx = NULL; -static dns_dispatchmgr_t *dispatchmgr = NULL; -static dns_requestmgr_t *requestmgr = NULL; -static isc_socketmgr_t *socketmgr = NULL; -static isc_timermgr_t *timermgr = NULL; -static dns_dispatch_t *dispatchv4 = NULL; -static dns_dispatch_t *dispatchv6 = NULL; -static dns_message_t *updatemsg = NULL; -static dns_fixedname_t fuserzone; -static dns_name_t *userzone = NULL; -static dns_tsigkey_t *tsigkey = NULL; -static dst_key_t *sig0key; -static lwres_context_t *lwctx = NULL; -static lwres_conf_t *lwconf; -static isc_sockaddr_t *servers; -static int ns_inuse = 0; -static int ns_total = 0; -static isc_sockaddr_t *userserver = NULL; -static isc_sockaddr_t *localaddr = NULL; -static char *keystr = NULL, *keyfile = NULL; -static isc_entropy_t *entp = NULL; -static isc_boolean_t shuttingdown = ISC_FALSE; -static FILE *input; -static isc_boolean_t interactive = ISC_TRUE; -static isc_boolean_t seenerror = ISC_FALSE; -static const dns_master_style_t *style; -static int requests = 0; -static unsigned int timeout = 300; -static unsigned int udp_timeout = 3; -static unsigned int udp_retries = 3; -static dns_rdataclass_t defaultclass = dns_rdataclass_in; -static dns_rdataclass_t zoneclass = dns_rdataclass_none; -static dns_message_t *answer = NULL; - -typedef struct nsu_requestinfo { - dns_message_t *msg; - isc_sockaddr_t *addr; -} nsu_requestinfo_t; - -static void -sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr, - 
dns_message_t *msg, dns_request_t **request); -static void -fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); - -static void -debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); - -static void -ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); - -static void -error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); - -#define STATUS_MORE (isc_uint16_t)0 -#define STATUS_SEND (isc_uint16_t)1 -#define STATUS_QUIT (isc_uint16_t)2 -#define STATUS_SYNTAX (isc_uint16_t)3 - -static dns_rdataclass_t -getzoneclass(void) { - if (zoneclass == dns_rdataclass_none) - zoneclass = defaultclass; - return (zoneclass); -} - -static isc_boolean_t -setzoneclass(dns_rdataclass_t rdclass) { - if (zoneclass == dns_rdataclass_none || - rdclass == dns_rdataclass_none) - zoneclass = rdclass; - if (zoneclass != rdclass) - return (ISC_FALSE); - return (ISC_TRUE); -} - -static void -fatal(const char *format, ...) { - va_list args; - - va_start(args, format); - vfprintf(stderr, format, args); - va_end(args); - fprintf(stderr, "\n"); - exit(1); -} - -static void -error(const char *format, ...) { - va_list args; - - va_start(args, format); - vfprintf(stderr, format, args); - va_end(args); - fprintf(stderr, "\n"); -} - -static void -debug(const char *format, ...) { - va_list args; - - if (debugging) { - va_start(args, format); - vfprintf(stderr, format, args); - va_end(args); - fprintf(stderr, "\n"); - } -} - -static void -ddebug(const char *format, ...) 
{ - va_list args; - - if (ddebugging) { - va_start(args, format); - vfprintf(stderr, format, args); - va_end(args); - fprintf(stderr, "\n"); - } -} - -static inline void -check_result(isc_result_t result, const char *msg) { - if (result != ISC_R_SUCCESS) - fatal("%s: %s", msg, isc_result_totext(result)); -} - -static void * -mem_alloc(void *arg, size_t size) { - return (isc_mem_get(arg, size)); -} - -static void -mem_free(void *arg, void *mem, size_t size) { - isc_mem_put(arg, mem, size); -} - -static char * -nsu_strsep(char **stringp, const char *delim) { - char *string = *stringp; - char *s; - const char *d; - char sc, dc; - - if (string == NULL) - return (NULL); - - for (; *string != '\0'; string++) { - sc = *string; - for (d = delim; (dc = *d) != '\0'; d++) { - if (sc == dc) - break; - } - if (dc == 0) - break; - } - - for (s = string; *s != '\0'; s++) { - sc = *s; - for (d = delim; (dc = *d) != '\0'; d++) { - if (sc == dc) { - *s++ = '\0'; - *stringp = s; - return (string); - } - } - } - *stringp = NULL; - return (string); -} - -static void -reset_system(void) { - isc_result_t result; - - ddebug("reset_system()"); - /* If the update message is still around, destroy it */ - if (updatemsg != NULL) - dns_message_reset(updatemsg, DNS_MESSAGE_INTENTRENDER); - else { - result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, - &updatemsg); - check_result(result, "dns_message_create"); - } - updatemsg->opcode = dns_opcode_update; -} - -static isc_uint16_t -parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) { - isc_uint16_t digestbits = 0; - isc_result_t result; - char buf[20]; - - REQUIRE(hmac != NULL && *hmac == NULL); - REQUIRE(hmacstr != NULL); - - if (len >= sizeof(buf)) - fatal("unknown key type '%.*s'", (int)(len), hmacstr); - - strncpy(buf, hmacstr, len); - buf[len] = 0; - - if (strcasecmp(buf, "hmac-md5") == 0) { - *hmac = DNS_TSIG_HMACMD5_NAME; - } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { - *hmac = DNS_TSIG_HMACMD5_NAME; - result = 
isc_parse_uint16(&digestbits, &buf[9], 10); - if (result != ISC_R_SUCCESS || digestbits > 128) - fatal("digest-bits out of range [0..128]"); - digestbits = (digestbits +7) & ~0x7U; - } else if (strcasecmp(buf, "hmac-sha1") == 0) { - *hmac = DNS_TSIG_HMACSHA1_NAME; - } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) { - *hmac = DNS_TSIG_HMACSHA1_NAME; - result = isc_parse_uint16(&digestbits, &buf[10], 10); - if (result != ISC_R_SUCCESS || digestbits > 160) - fatal("digest-bits out of range [0..160]"); - digestbits = (digestbits +7) & ~0x7U; - } else if (strcasecmp(buf, "hmac-sha224") == 0) { - *hmac = DNS_TSIG_HMACSHA224_NAME; - } else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA224_NAME; - result = isc_parse_uint16(&digestbits, &buf[12], 10); - if (result != ISC_R_SUCCESS || digestbits > 224) - fatal("digest-bits out of range [0..224]"); - digestbits = (digestbits +7) & ~0x7U; - } else if (strcasecmp(buf, "hmac-sha256") == 0) { - *hmac = DNS_TSIG_HMACSHA256_NAME; - } else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA256_NAME; - result = isc_parse_uint16(&digestbits, &buf[12], 10); - if (result != ISC_R_SUCCESS || digestbits > 256) - fatal("digest-bits out of range [0..256]"); - digestbits = (digestbits +7) & ~0x7U; - } else if (strcasecmp(buf, "hmac-sha384") == 0) { - *hmac = DNS_TSIG_HMACSHA384_NAME; - } else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA384_NAME; - result = isc_parse_uint16(&digestbits, &buf[12], 10); - if (result != ISC_R_SUCCESS || digestbits > 384) - fatal("digest-bits out of range [0..384]"); - digestbits = (digestbits +7) & ~0x7U; - } else if (strcasecmp(buf, "hmac-sha512") == 0) { - *hmac = DNS_TSIG_HMACSHA512_NAME; - } else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA512_NAME; - result = isc_parse_uint16(&digestbits, &buf[12], 10); - if (result != ISC_R_SUCCESS || digestbits > 512) - fatal("digest-bits out of range 
[0..512]"); - digestbits = (digestbits +7) & ~0x7U; - } else - fatal("unknown key type '%s'", buf); - return (digestbits); -} - -static void -setup_keystr(void) { - unsigned char *secret = NULL; - int secretlen; - isc_buffer_t secretbuf; - isc_result_t result; - isc_buffer_t keynamesrc; - char *secretstr; - char *s, *n; - dns_fixedname_t fkeyname; - dns_name_t *keyname; - char *name; - dns_name_t *hmacname = NULL; - isc_uint16_t digestbits = 0; - - dns_fixedname_init(&fkeyname); - keyname = dns_fixedname_name(&fkeyname); - - debug("Creating key..."); - - s = strchr(keystr, ':'); - if (s == NULL || s == keystr || s[1] == 0) - fatal("key option must specify [hmac:]keyname:secret"); - secretstr = s + 1; - n = strchr(secretstr, ':'); - if (n != NULL) { - if (n == secretstr || n[1] == 0) - fatal("key option must specify [hmac:]keyname:secret"); - name = secretstr; - secretstr = n + 1; - digestbits = parse_hmac(&hmacname, keystr, s - keystr); - } else { - hmacname = DNS_TSIG_HMACMD5_NAME; - name = keystr; - n = s; - } - - isc_buffer_init(&keynamesrc, name, n - name); - isc_buffer_add(&keynamesrc, n - name); - - debug("namefromtext"); - result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname, - ISC_FALSE, NULL); - check_result(result, "dns_name_fromtext"); - - secretlen = strlen(secretstr) * 3 / 4; - secret = isc_mem_allocate(mctx, secretlen); - if (secret == NULL) - fatal("out of memory"); - - isc_buffer_init(&secretbuf, secret, secretlen); - result = isc_base64_decodestring(secretstr, &secretbuf); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "could not create key from %s: %s\n", - keystr, isc_result_totext(result)); - goto failure; - } - - secretlen = isc_buffer_usedlength(&secretbuf); - - debug("keycreate"); - result = dns_tsigkey_create(keyname, hmacname, secret, secretlen, - ISC_TRUE, NULL, 0, 0, mctx, NULL, &tsigkey); - if (result != ISC_R_SUCCESS) - fprintf(stderr, "could not create key from %s: %s\n", - keystr, dns_result_totext(result)); - else - 
dst_key_setbits(tsigkey->key, digestbits); - failure: - if (secret != NULL) - isc_mem_free(mctx, secret); -} - -static void -setup_keyfile(void) { - dst_key_t *dstkey = NULL; - isc_result_t result; - dns_name_t *hmacname = NULL; - - debug("Creating key..."); - - result = dst_key_fromnamedfile(keyfile, - DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx, - &dstkey); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "could not read key from %s: %s\n", - keyfile, isc_result_totext(result)); - return; - } - switch (dst_key_alg(dstkey)) { - case DST_ALG_HMACMD5: - hmacname = DNS_TSIG_HMACMD5_NAME; - break; - case DST_ALG_HMACSHA1: - hmacname = DNS_TSIG_HMACSHA1_NAME; - break; - case DST_ALG_HMACSHA224: - hmacname = DNS_TSIG_HMACSHA224_NAME; - break; - case DST_ALG_HMACSHA256: - hmacname = DNS_TSIG_HMACSHA256_NAME; - break; - case DST_ALG_HMACSHA384: - hmacname = DNS_TSIG_HMACSHA384_NAME; - break; - case DST_ALG_HMACSHA512: - hmacname = DNS_TSIG_HMACSHA512_NAME; - break; - } - if (hmacname != NULL) { - result = dns_tsigkey_createfromkey(dst_key_name(dstkey), - hmacname, dstkey, ISC_FALSE, - NULL, 0, 0, mctx, NULL, - &tsigkey); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "could not create key from %s: %s\n", - keyfile, isc_result_totext(result)); - dst_key_free(&dstkey); - return; - } - } else - sig0key = dstkey; -} - -static void -doshutdown(void) { - isc_task_detach(&global_task); - - if (userserver != NULL) - isc_mem_put(mctx, userserver, sizeof(isc_sockaddr_t)); - - if (localaddr != NULL) - isc_mem_put(mctx, localaddr, sizeof(isc_sockaddr_t)); - - if (tsigkey != NULL) { - ddebug("Freeing TSIG key"); - dns_tsigkey_detach(&tsigkey); - } - - if (sig0key != NULL) { - ddebug("Freeing SIG(0) key"); - dst_key_free(&sig0key); - } - - if (updatemsg != NULL) - dns_message_destroy(&updatemsg); - - if (is_dst_up) { - ddebug("Destroy DST lib"); - dst_lib_destroy(); - is_dst_up = ISC_FALSE; - } - - if (entp != NULL) { - ddebug("Detach from entropy"); - isc_entropy_detach(&entp); - } - 
- lwres_conf_clear(lwctx); - lwres_context_destroy(&lwctx); - - isc_mem_put(mctx, servers, ns_total * sizeof(isc_sockaddr_t)); - - ddebug("Destroying request manager"); - dns_requestmgr_detach(&requestmgr); - - ddebug("Freeing the dispatchers"); - if (have_ipv4) - dns_dispatch_detach(&dispatchv4); - if (have_ipv6) - dns_dispatch_detach(&dispatchv6); - - ddebug("Shutting down dispatch manager"); - dns_dispatchmgr_destroy(&dispatchmgr); - -} - -static void -maybeshutdown(void) { - ddebug("Shutting down request manager"); - dns_requestmgr_shutdown(requestmgr); - - if (requests != 0) - return; - - doshutdown(); -} - -static void -shutdown_program(isc_task_t *task, isc_event_t *event) { - REQUIRE(task == global_task); - UNUSED(task); - - ddebug("shutdown_program()"); - isc_event_free(&event); - - shuttingdown = ISC_TRUE; - maybeshutdown(); -} - -static void -setup_system(void) { - isc_result_t result; - isc_sockaddr_t bind_any, bind_any6; - lwres_result_t lwresult; - unsigned int attrs, attrmask; - int i; - - ddebug("setup_system()"); - - dns_result_register(); - - result = isc_net_probeipv4(); - if (result == ISC_R_SUCCESS) - have_ipv4 = ISC_TRUE; - - result = isc_net_probeipv6(); - if (result == ISC_R_SUCCESS) - have_ipv6 = ISC_TRUE; - - if (!have_ipv4 && !have_ipv6) - fatal("could not find either IPv4 or IPv6"); - - result = isc_mem_create(0, 0, &mctx); - check_result(result, "isc_mem_create"); - - lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1); - if (lwresult != LWRES_R_SUCCESS) - fatal("lwres_context_create failed"); - - (void)lwres_conf_parse(lwctx, RESOLV_CONF); - lwconf = lwres_conf_get(lwctx); - - ns_total = lwconf->nsnext; - if (ns_total <= 0) { - /* No name servers in resolv.conf; default to loopback. 
*/ - struct in_addr localhost; - ns_total = 1; - servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t)); - if (servers == NULL) - fatal("out of memory"); - localhost.s_addr = htonl(INADDR_LOOPBACK); - isc_sockaddr_fromin(&servers[0], &localhost, DNSDEFAULTPORT); - } else { - servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t)); - if (servers == NULL) - fatal("out of memory"); - for (i = 0; i < ns_total; i++) { - if (lwconf->nameservers[i].family == LWRES_ADDRTYPE_V4) { - struct in_addr in4; - memcpy(&in4, lwconf->nameservers[i].address, 4); - isc_sockaddr_fromin(&servers[i], &in4, DNSDEFAULTPORT); - } else { - struct in6_addr in6; - memcpy(&in6, lwconf->nameservers[i].address, 16); - isc_sockaddr_fromin6(&servers[i], &in6, - DNSDEFAULTPORT); - } - } - } - - result = isc_entropy_create(mctx, &entp); - check_result(result, "isc_entropy_create"); - - result = isc_hash_create(mctx, entp, DNS_NAME_MAXWIRE); - check_result(result, "isc_hash_create"); - isc_hash_init(); - - result = dns_dispatchmgr_create(mctx, entp, &dispatchmgr); - check_result(result, "dns_dispatchmgr_create"); - - result = isc_socketmgr_create(mctx, &socketmgr); - check_result(result, "dns_socketmgr_create"); - - result = isc_timermgr_create(mctx, &timermgr); - check_result(result, "dns_timermgr_create"); - - result = isc_taskmgr_create(mctx, 1, 0, &taskmgr); - check_result(result, "isc_taskmgr_create"); - - result = isc_task_create(taskmgr, 0, &global_task); - check_result(result, "isc_task_create"); - - result = isc_task_onshutdown(global_task, shutdown_program, NULL); - check_result(result, "isc_task_onshutdown"); - - result = dst_lib_init(mctx, entp, 0); - check_result(result, "dst_lib_init"); - is_dst_up = ISC_TRUE; - - attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP; - attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6; - - if (have_ipv6) { - attrs = DNS_DISPATCHATTR_UDP; - attrs |= DNS_DISPATCHATTR_MAKEQUERY; - attrs |= DNS_DISPATCHATTR_IPV6; - 
isc_sockaddr_any6(&bind_any6); - result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, - &bind_any6, PACKETSIZE, - 4, 2, 3, 5, - attrs, attrmask, &dispatchv6); - check_result(result, "dns_dispatch_getudp (v6)"); - } - - if (have_ipv4) { - attrs = DNS_DISPATCHATTR_UDP; - attrs |= DNS_DISPATCHATTR_MAKEQUERY; - attrs |= DNS_DISPATCHATTR_IPV4; - isc_sockaddr_any(&bind_any); - result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, - &bind_any, PACKETSIZE, - 4, 2, 3, 5, - attrs, attrmask, &dispatchv4); - check_result(result, "dns_dispatch_getudp (v4)"); - } - - result = dns_requestmgr_create(mctx, timermgr, - socketmgr, taskmgr, dispatchmgr, - dispatchv4, dispatchv6, &requestmgr); - check_result(result, "dns_requestmgr_create"); - - if (keystr != NULL) - setup_keystr(); - else if (keyfile != NULL) - setup_keyfile(); -} - -static void -get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) { - int count; - isc_result_t result; - - isc_app_block(); - result = bind9_getaddresses(host, port, sockaddr, 1, &count); - isc_app_unblock(); - if (result != ISC_R_SUCCESS) - fatal("couldn't get address for '%s': %s", - host, isc_result_totext(result)); - INSIST(count == 1); -} - -static void -parse_args(int argc, char **argv) { - int ch; - isc_result_t result; - - debug("parse_args"); - while ((ch = isc_commandline_parse(argc, argv, "dDMy:vk:r:t:u:")) != -1) - { - switch (ch) { - case 'd': - debugging = ISC_TRUE; - break; - case 'D': /* was -dd */ - debugging = ISC_TRUE; - ddebugging = ISC_TRUE; - break; - case 'M': /* was -dm */ - debugging = ISC_TRUE; - ddebugging = ISC_TRUE; - memdebugging = ISC_TRUE; - isc_mem_debugging = ISC_MEM_DEBUGTRACE | - ISC_MEM_DEBUGRECORD; - break; - case 'y': - keystr = isc_commandline_argument; - break; - case 'v': - usevc = ISC_TRUE; - break; - case 'k': - keyfile = isc_commandline_argument; - break; - case 't': - result = isc_parse_uint32(&timeout, - isc_commandline_argument, 10); - if (result != ISC_R_SUCCESS) { - 
fprintf(stderr, "bad timeout '%s'\n", isc_commandline_argument); - exit(1); - } - if (timeout == 0) - timeout = UINT_MAX; - break; - case 'u': - result = isc_parse_uint32(&udp_timeout, - isc_commandline_argument, 10); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "bad udp timeout '%s'\n", isc_commandline_argument); - exit(1); - } - if (udp_timeout == 0) - udp_timeout = UINT_MAX; - break; - case 'r': - result = isc_parse_uint32(&udp_retries, - isc_commandline_argument, 10); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "bad udp retries '%s'\n", isc_commandline_argument); - exit(1); - } - break; - default: - fprintf(stderr, "%s: invalid argument -%c\n", - argv[0], ch); - fprintf(stderr, "usage: nsupdate [-d] " - "[-y keyname:secret | -k keyfile] [-v] " - "[filename]\n"); - exit(1); - } - } - if (keyfile != NULL && keystr != NULL) { - fprintf(stderr, "%s: cannot specify both -k and -y\n", - argv[0]); - exit(1); - } - - if (argv[isc_commandline_index] != NULL) { - if (strcmp(argv[isc_commandline_index], "-") == 0) { - input = stdin; - } else { - result = isc_stdio_open(argv[isc_commandline_index], - "r", &input); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "could not open '%s': %s\n", - argv[isc_commandline_index], - isc_result_totext(result)); - exit(1); - } - } - interactive = ISC_FALSE; - } -} - -static isc_uint16_t -parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) { - isc_result_t result; - char *word; - isc_buffer_t *namebuf = NULL; - isc_buffer_t source; - - word = nsu_strsep(cmdlinep, " \t\r\n"); - if (*word == 0) { - fprintf(stderr, "could not read owner name\n"); - return (STATUS_SYNTAX); - } - - result = dns_message_gettempname(msg, namep); - check_result(result, "dns_message_gettempname"); - result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE); - check_result(result, "isc_buffer_allocate"); - dns_name_init(*namep, NULL); - dns_name_setbuffer(*namep, namebuf); - dns_message_takebuffer(msg, &namebuf); - 
isc_buffer_init(&source, word, strlen(word)); - isc_buffer_add(&source, strlen(word)); - result = dns_name_fromtext(*namep, &source, dns_rootname, - ISC_FALSE, NULL); - check_result(result, "dns_name_fromtext"); - isc_buffer_invalidate(&source); - return (STATUS_MORE); -} - -static isc_uint16_t -parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass, - dns_rdatatype_t rdatatype, dns_message_t *msg, - dns_rdata_t *rdata) -{ - char *cmdline = *cmdlinep; - isc_buffer_t source, *buf = NULL, *newbuf = NULL; - isc_region_t r; - isc_lex_t *lex = NULL; - dns_rdatacallbacks_t callbacks; - isc_result_t result; - - while (isspace((unsigned char)*cmdline)) - cmdline++; - - if (*cmdline != 0) { - dns_rdatacallbacks_init(&callbacks); - result = isc_lex_create(mctx, strlen(cmdline), &lex); - check_result(result, "isc_lex_create"); - isc_buffer_init(&source, cmdline, strlen(cmdline)); - isc_buffer_add(&source, strlen(cmdline)); - result = isc_lex_openbuffer(lex, &source); - check_result(result, "isc_lex_openbuffer"); - result = isc_buffer_allocate(mctx, &buf, MAXWIRE); - check_result(result, "isc_buffer_allocate"); - result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex, - dns_rootname, 0, mctx, buf, - &callbacks); - isc_lex_destroy(&lex); - if (result == ISC_R_SUCCESS) { - isc_buffer_usedregion(buf, &r); - result = isc_buffer_allocate(mctx, &newbuf, r.length); - check_result(result, "isc_buffer_allocate"); - isc_buffer_putmem(newbuf, r.base, r.length); - isc_buffer_usedregion(newbuf, &r); - dns_rdata_fromregion(rdata, rdataclass, rdatatype, &r); - isc_buffer_free(&buf); - dns_message_takebuffer(msg, &newbuf); - } else { - fprintf(stderr, "invalid rdata format: %s\n", - isc_result_totext(result)); - isc_buffer_free(&buf); - return (STATUS_SYNTAX); - } - } else { - rdata->flags = DNS_RDATA_UPDATE; - } - *cmdlinep = cmdline; - return (STATUS_MORE); -} - -static isc_uint16_t -make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) { - isc_result_t 
result; - char *word; - dns_name_t *name = NULL; - isc_textregion_t region; - dns_rdataset_t *rdataset = NULL; - dns_rdatalist_t *rdatalist = NULL; - dns_rdataclass_t rdataclass; - dns_rdatatype_t rdatatype; - dns_rdata_t *rdata = NULL; - isc_uint16_t retval; - - ddebug("make_prereq()"); - - /* - * Read the owner name - */ - retval = parse_name(&cmdline, updatemsg, &name); - if (retval != STATUS_MORE) - return (retval); - - /* - * If this is an rrset prereq, read the class or type. - */ - if (isrrset) { - word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) { - fprintf(stderr, "could not read class or type\n"); - goto failure; - } - region.base = word; - region.length = strlen(word); - result = dns_rdataclass_fromtext(&rdataclass, ®ion); - if (result == ISC_R_SUCCESS) { - if (!setzoneclass(rdataclass)) { - fprintf(stderr, "class mismatch: %s\n", word); - goto failure; - } - /* - * Now read the type. - */ - word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) { - fprintf(stderr, "could not read type\n"); - goto failure; - } - region.base = word; - region.length = strlen(word); - result = dns_rdatatype_fromtext(&rdatatype, ®ion); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "invalid type: %s\n", word); - goto failure; - } - } else { - rdataclass = getzoneclass(); - result = dns_rdatatype_fromtext(&rdatatype, ®ion); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "invalid type: %s\n", word); - goto failure; - } - } - } else - rdatatype = dns_rdatatype_any; - - result = dns_message_gettemprdata(updatemsg, &rdata); - check_result(result, "dns_message_gettemprdata"); - - rdata->data = NULL; - rdata->length = 0; - - if (isrrset && ispositive) { - retval = parse_rdata(&cmdline, rdataclass, rdatatype, - updatemsg, rdata); - if (retval != STATUS_MORE) - goto failure; - } else - rdata->flags = DNS_RDATA_UPDATE; - - result = dns_message_gettemprdatalist(updatemsg, &rdatalist); - check_result(result, "dns_message_gettemprdatalist"); - result = 
dns_message_gettemprdataset(updatemsg, &rdataset); - check_result(result, "dns_message_gettemprdataset"); - dns_rdatalist_init(rdatalist); - rdatalist->type = rdatatype; - if (ispositive) { - if (isrrset && rdata->data != NULL) - rdatalist->rdclass = rdataclass; - else - rdatalist->rdclass = dns_rdataclass_any; - } else - rdatalist->rdclass = dns_rdataclass_none; - rdatalist->covers = 0; - rdatalist->ttl = 0; - rdata->rdclass = rdatalist->rdclass; - rdata->type = rdatatype; - ISC_LIST_INIT(rdatalist->rdata); - ISC_LIST_APPEND(rdatalist->rdata, rdata, link); - dns_rdataset_init(rdataset); - dns_rdatalist_tordataset(rdatalist, rdataset); - ISC_LIST_INIT(name->list); - ISC_LIST_APPEND(name->list, rdataset, link); - dns_message_addname(updatemsg, name, DNS_SECTION_PREREQUISITE); - return (STATUS_MORE); - - failure: - if (name != NULL) - dns_message_puttempname(updatemsg, &name); - return (STATUS_SYNTAX); -} - -static isc_uint16_t -evaluate_prereq(char *cmdline) { - char *word; - isc_boolean_t ispositive, isrrset; - - ddebug("evaluate_prereq()"); - word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) { - fprintf(stderr, "could not read operation code\n"); - return (STATUS_SYNTAX); - } - if (strcasecmp(word, "nxdomain") == 0) { - ispositive = ISC_FALSE; - isrrset = ISC_FALSE; - } else if (strcasecmp(word, "yxdomain") == 0) { - ispositive = ISC_TRUE; - isrrset = ISC_FALSE; - } else if (strcasecmp(word, "nxrrset") == 0) { - ispositive = ISC_FALSE; - isrrset = ISC_TRUE; - } else if (strcasecmp(word, "yxrrset") == 0) { - ispositive = ISC_TRUE; - isrrset = ISC_TRUE; - } else { - fprintf(stderr, "incorrect operation code: %s\n", word); - return (STATUS_SYNTAX); - } - return (make_prereq(cmdline, ispositive, isrrset)); -} - -static isc_uint16_t -evaluate_server(char *cmdline) { - char *word, *server; - long port; - - word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) { - fprintf(stderr, "could not read server name\n"); - return (STATUS_SYNTAX); - } - server = word; 
- - word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) - port = DNSDEFAULTPORT; - else { - char *endp; - port = strtol(word, &endp, 10); - if (*endp != 0) { - fprintf(stderr, "port '%s' is not numeric\n", word); - return (STATUS_SYNTAX); - } else if (port < 1 || port > 65535) { - fprintf(stderr, "port '%s' is out of range " - "(1 to 65535)\n", word); - return (STATUS_SYNTAX); - } - } - - if (userserver == NULL) { - userserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t)); - if (userserver == NULL) - fatal("out of memory"); - } - - get_address(server, (in_port_t)port, userserver); - - return (STATUS_MORE); -} - -static isc_uint16_t -evaluate_local(char *cmdline) { - char *word, *local; - long port; - struct in_addr in4; - struct in6_addr in6; - - word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) { - fprintf(stderr, "could not read server name\n"); - return (STATUS_SYNTAX); - } - local = word; - - word = nsu_strsep(&cmdline, " \t\r\n"); - if (*word == 0) - port = 0; - else { - char *endp; - port = strtol(word, &endp, 10); - if (*endp != 0) { - fprintf(stderr, "port '%s' is not numeric\n", word); - return (STATUS_SYNTAX); - } else if (port < 1 || port > 65535) { - fprintf(stderr, "port '%s' is out of range " - "(1 to 65535)\n", word); - return (STATUS_SYNTAX); - } - } - - if (localaddr == NULL) { - localaddr = isc_mem_get(mctx, sizeof(isc_sockaddr_t)); - if (localaddr == NULL) - fatal("out of memory"); - } - - if (have_ipv6 && inet_pton(AF_INET6, local, &in6) == 1) - isc_sockaddr_fromin6(localaddr, &in6, (in_port_t)port); - else if (have_ipv4 && inet_pton(AF_INET, local, &in4) == 1) - isc_sockaddr_fromin(localaddr, &in4, (in_port_t)port); - else { - fprintf(stderr, "invalid address %s", local); - return (STATUS_SYNTAX); - } - - return (STATUS_MORE); -} - -static isc_uint16_t -evaluate_key(char *cmdline) { - char *namestr; - char *secretstr; - isc_buffer_t b; - isc_result_t result; - dns_fixedname_t fkeyname; - dns_name_t *keyname; - int secretlen; - 
unsigned char *secret = NULL;
- isc_buffer_t secretbuf;
- dns_name_t *hmacname = NULL;
- isc_uint16_t digestbits = 0;
- char *n;
-
- namestr = nsu_strsep(&cmdline, " \t\r\n");
- if (*namestr == 0) {
- fprintf(stderr, "could not read key name\n");
- return (STATUS_SYNTAX);
- }
-
- dns_fixedname_init(&fkeyname);
- keyname = dns_fixedname_name(&fkeyname);
-
- n = strchr(namestr, ':');
- if (n != NULL) {
- digestbits = parse_hmac(&hmacname, namestr, n - namestr);
- namestr = n + 1;
- } else
- hmacname = DNS_TSIG_HMACMD5_NAME;
-
- isc_buffer_init(&b, namestr, strlen(namestr));
- isc_buffer_add(&b, strlen(namestr));
- result = dns_name_fromtext(keyname, &b, dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not parse key name\n");
- return (STATUS_SYNTAX);
- }
-
- secretstr = nsu_strsep(&cmdline, "\r\n");
- if (*secretstr == 0) {
- fprintf(stderr, "could not read key secret\n");
- return (STATUS_SYNTAX);
- }
- secretlen = strlen(secretstr) * 3 / 4;
- secret = isc_mem_allocate(mctx, secretlen);
- if (secret == NULL)
- fatal("out of memory");
-
- isc_buffer_init(&secretbuf, secret, secretlen);
- result = isc_base64_decodestring(secretstr, &secretbuf);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not create key from %s: %s\n",
- secretstr, isc_result_totext(result));
- isc_mem_free(mctx, secret);
- return (STATUS_SYNTAX);
- }
- secretlen = isc_buffer_usedlength(&secretbuf);
-
- if (tsigkey != NULL)
- dns_tsigkey_detach(&tsigkey);
- result = dns_tsigkey_create(keyname, hmacname, secret, secretlen,
- ISC_TRUE, NULL, 0, 0, mctx, NULL,
- &tsigkey);
- isc_mem_free(mctx, secret);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not create key from %s %s: %s\n",
- namestr, secretstr, dns_result_totext(result));
- return (STATUS_SYNTAX);
- }
- dst_key_setbits(tsigkey->key, digestbits);
- return (STATUS_MORE);
-}
-
-static isc_uint16_t
-evaluate_zone(char *cmdline) {
- char *word;
- isc_buffer_t b;
- isc_result_t result;
-
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read zone name\n");
- return (STATUS_SYNTAX);
- }
-
- dns_fixedname_init(&fuserzone);
- userzone = dns_fixedname_name(&fuserzone);
- isc_buffer_init(&b, word, strlen(word));
- isc_buffer_add(&b, strlen(word));
- result = dns_name_fromtext(userzone, &b, dns_rootname, ISC_FALSE,
- NULL);
- if (result != ISC_R_SUCCESS) {
- userzone = NULL; /* Lest it point to an invalid name */
- fprintf(stderr, "could not parse zone name\n");
- return (STATUS_SYNTAX);
- }
-
- return (STATUS_MORE);
-}
-
-static isc_uint16_t
-evaluate_class(char *cmdline) {
- char *word;
- isc_textregion_t r;
- isc_result_t result;
- dns_rdataclass_t rdclass;
-
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read class name\n");
- return (STATUS_SYNTAX);
- }
-
- r.base = word;
- r.length = strlen(word);
- result = dns_rdataclass_fromtext(&rdclass, &r);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not parse class name: %s\n", word);
- return (STATUS_SYNTAX);
- }
- switch (rdclass) {
- case dns_rdataclass_none:
- case dns_rdataclass_any:
- case dns_rdataclass_reserved0:
- fprintf(stderr, "bad default class: %s\n", word);
- return (STATUS_SYNTAX);
- default:
- defaultclass = rdclass;
- }
-
- return (STATUS_MORE);
-}
-
-static isc_uint16_t
-update_addordelete(char *cmdline, isc_boolean_t isdelete) {
- isc_result_t result;
- dns_name_t *name = NULL;
- isc_uint32_t ttl;
- char *word;
- dns_rdataclass_t rdataclass;
- dns_rdatatype_t rdatatype;
- dns_rdata_t *rdata = NULL;
- dns_rdatalist_t *rdatalist = NULL;
- dns_rdataset_t *rdataset = NULL;
- isc_textregion_t region;
- isc_uint16_t retval;
-
- ddebug("update_addordelete()");
-
- /*
- * Read the owner name.
- */
- retval = parse_name(&cmdline, updatemsg, &name);
- if (retval != STATUS_MORE)
- return (retval);
-
- result = dns_message_gettemprdata(updatemsg, &rdata);
- check_result(result, "dns_message_gettemprdata");
-
- rdata->rdclass = 0;
- rdata->type = 0;
- rdata->data = NULL;
- rdata->length = 0;
-
- /*
- * If this is an add, read the TTL and verify that it's in range.
- * If it's a delete, ignore a TTL if present (for compatibility).
- */
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- if (!isdelete) {
- fprintf(stderr, "could not read owner ttl\n");
- goto failure;
- }
- else {
- ttl = 0;
- rdataclass = dns_rdataclass_any;
- rdatatype = dns_rdatatype_any;
- rdata->flags = DNS_RDATA_UPDATE;
- goto doneparsing;
- }
- }
- result = isc_parse_uint32(&ttl, word, 10);
- if (result != ISC_R_SUCCESS) {
- if (isdelete) {
- ttl = 0;
- goto parseclass;
- } else {
- fprintf(stderr, "ttl '%s': %s\n", word,
- isc_result_totext(result));
- goto failure;
- }
- }
-
- if (isdelete)
- ttl = 0;
- else if (ttl > TTL_MAX) {
- fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
- word, TTL_MAX);
- goto failure;
- }
-
- /*
- * Read the class or type.
- */
- word = nsu_strsep(&cmdline, " \t\r\n");
- parseclass:
- if (*word == 0) {
- if (isdelete) {
- rdataclass = dns_rdataclass_any;
- rdatatype = dns_rdatatype_any;
- rdata->flags = DNS_RDATA_UPDATE;
- goto doneparsing;
- } else {
- fprintf(stderr, "could not read class or type\n");
- goto failure;
- }
- }
- region.base = word;
- region.length = strlen(word);
- result = dns_rdataclass_fromtext(&rdataclass, ®ion);
- if (result == ISC_R_SUCCESS) {
- if (!setzoneclass(rdataclass)) {
- fprintf(stderr, "class mismatch: %s\n", word);
- goto failure;
- }
- /*
- * Now read the type.
- */
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- if (isdelete) {
- rdataclass = dns_rdataclass_any;
- rdatatype = dns_rdatatype_any;
- rdata->flags = DNS_RDATA_UPDATE;
- goto doneparsing;
- } else {
- fprintf(stderr, "could not read type\n");
- goto failure;
- }
- }
- region.base = word;
- region.length = strlen(word);
- result = dns_rdatatype_fromtext(&rdatatype, ®ion);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "'%s' is not a valid type: %s\n",
- word, isc_result_totext(result));
- goto failure;
- }
- } else {
- rdataclass = getzoneclass();
- result = dns_rdatatype_fromtext(&rdatatype, ®ion);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "'%s' is not a valid class or type: "
- "%s\n", word, isc_result_totext(result));
- goto failure;
- }
- }
-
- retval = parse_rdata(&cmdline, rdataclass, rdatatype, updatemsg,
- rdata);
- if (retval != STATUS_MORE)
- goto failure;
-
- if (isdelete) {
- if ((rdata->flags & DNS_RDATA_UPDATE) != 0)
- rdataclass = dns_rdataclass_any;
- else
- rdataclass = dns_rdataclass_none;
- } else {
- if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
- fprintf(stderr, "could not read rdata\n");
- goto failure;
- }
- }
-
- doneparsing:
-
- result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
- check_result(result, "dns_message_gettemprdatalist");
- result = dns_message_gettemprdataset(updatemsg, &rdataset);
- check_result(result, "dns_message_gettemprdataset");
- dns_rdatalist_init(rdatalist);
- rdatalist->type = rdatatype;
- rdatalist->rdclass = rdataclass;
- rdatalist->covers = rdatatype;
- rdatalist->ttl = (dns_ttl_t)ttl;
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- dns_rdataset_init(rdataset);
- dns_rdatalist_tordataset(rdatalist, rdataset);
- ISC_LIST_INIT(name->list);
- ISC_LIST_APPEND(name->list, rdataset, link);
- dns_message_addname(updatemsg, name, DNS_SECTION_UPDATE);
- return (STATUS_MORE);
-
- failure:
- if (name != NULL)
-
dns_message_puttempname(updatemsg, &name);
- if (rdata != NULL)
- dns_message_puttemprdata(updatemsg, &rdata);
- return (STATUS_SYNTAX);
-}
-
-static isc_uint16_t
-evaluate_update(char *cmdline) {
- char *word;
- isc_boolean_t isdelete;
-
- ddebug("evaluate_update()");
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read operation code\n");
- return (STATUS_SYNTAX);
- }
- if (strcasecmp(word, "delete") == 0)
- isdelete = ISC_TRUE;
- else if (strcasecmp(word, "add") == 0)
- isdelete = ISC_FALSE;
- else {
- fprintf(stderr, "incorrect operation code: %s\n", word);
- return (STATUS_SYNTAX);
- }
- return (update_addordelete(cmdline, isdelete));
-}
-
-static void
-setzone(dns_name_t *zonename) {
- isc_result_t result;
- dns_name_t *name = NULL;
- dns_rdataset_t *rdataset = NULL;
-
- result = dns_message_firstname(updatemsg, DNS_SECTION_ZONE);
- if (result == ISC_R_SUCCESS) {
- dns_message_currentname(updatemsg, DNS_SECTION_ZONE, &name);
- dns_message_removename(updatemsg, name, DNS_SECTION_ZONE);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_HEAD(name->list)) {
- ISC_LIST_UNLINK(name->list, rdataset, link);
- dns_rdataset_disassociate(rdataset);
- dns_message_puttemprdataset(updatemsg, &rdataset);
- }
- dns_message_puttempname(updatemsg, &name);
- }
-
- if (zonename != NULL) {
- result = dns_message_gettempname(updatemsg, &name);
- check_result(result, "dns_message_gettempname");
- dns_name_init(name, NULL);
- dns_name_clone(zonename, name);
- result = dns_message_gettemprdataset(updatemsg, &rdataset);
- check_result(result, "dns_message_gettemprdataset");
- dns_rdataset_makequestion(rdataset, getzoneclass(),
- dns_rdatatype_soa);
- ISC_LIST_INIT(name->list);
- ISC_LIST_APPEND(name->list, rdataset, link);
- dns_message_addname(updatemsg, name, DNS_SECTION_ZONE);
- }
-}
-
-static void
-show_message(dns_message_t *msg) {
- isc_result_t result;
- isc_buffer_t *buf = NULL;
- int bufsz;
-
-
ddebug("show_message()");
-
- setzone(userzone);
-
- bufsz = INITTEXT;
- do {
- if (bufsz > MAXTEXT) {
- fprintf(stderr, "could not allocate large enough "
- "buffer to display message\n");
- exit(1);
- }
- if (buf != NULL)
- isc_buffer_free(&buf);
- result = isc_buffer_allocate(mctx, &buf, bufsz);
- check_result(result, "isc_buffer_allocate");
- result = dns_message_totext(msg, style, 0, buf);
- bufsz *= 2;
- } while (result == ISC_R_NOSPACE);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not convert message to text format.\n");
- isc_buffer_free(&buf);
- return;
- }
- printf("Outgoing update query:\n%.*s",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
- isc_buffer_free(&buf);
-}
-
-
-static isc_uint16_t
-get_next_command(void) {
- char cmdlinebuf[MAXCMD];
- char *cmdline;
- char *word;
-
- ddebug("get_next_command()");
- if (interactive) {
- fprintf(stdout, "> ");
- fflush(stdout);
- }
- isc_app_block();
- cmdline = fgets(cmdlinebuf, MAXCMD, input);
- isc_app_unblock();
- if (cmdline == NULL)
- return (STATUS_QUIT);
- word = nsu_strsep(&cmdline, " \t\r\n");
-
- if (feof(input))
- return (STATUS_QUIT);
- if (*word == 0)
- return (STATUS_SEND);
- if (word[0] == ';')
- return (STATUS_MORE);
- if (strcasecmp(word, "quit") == 0)
- return (STATUS_QUIT);
- if (strcasecmp(word, "prereq") == 0)
- return (evaluate_prereq(cmdline));
- if (strcasecmp(word, "update") == 0)
- return (evaluate_update(cmdline));
- if (strcasecmp(word, "server") == 0)
- return (evaluate_server(cmdline));
- if (strcasecmp(word, "local") == 0)
- return (evaluate_local(cmdline));
- if (strcasecmp(word, "zone") == 0)
- return (evaluate_zone(cmdline));
- if (strcasecmp(word, "class") == 0)
- return (evaluate_class(cmdline));
- if (strcasecmp(word, "send") == 0)
- return (STATUS_SEND);
- if (strcasecmp(word, "show") == 0) {
- show_message(updatemsg);
- return (STATUS_MORE);
- }
- if (strcasecmp(word, "answer") == 0) {
- if (answer != NULL)
- show_message(answer);
-
return (STATUS_MORE);
- }
- if (strcasecmp(word, "key") == 0)
- return (evaluate_key(cmdline));
- fprintf(stderr, "incorrect section name: %s\n", word);
- return (STATUS_SYNTAX);
-}
-
-static isc_boolean_t
-user_interaction(void) {
- isc_uint16_t result = STATUS_MORE;
-
- ddebug("user_interaction()");
- while ((result == STATUS_MORE) || (result == STATUS_SYNTAX)) {
- result = get_next_command();
- if (!interactive && result == STATUS_SYNTAX)
- fatal("syntax error");
- }
- if (result == STATUS_SEND)
- return (ISC_TRUE);
- return (ISC_FALSE);
-
-}
-
-static void
-done_update(void) {
- isc_event_t *event = global_event;
- ddebug("done_update()");
- isc_task_send(global_task, &event);
-}
-
-static void
-check_tsig_error(dns_rdataset_t *rdataset, isc_buffer_t *b) {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_any_tsig_t tsig;
-
- result = dns_rdataset_first(rdataset);
- check_result(result, "dns_rdataset_first");
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &tsig, NULL);
- check_result(result, "dns_rdata_tostruct");
- if (tsig.error != 0) {
- if (isc_buffer_remaininglength(b) < 1)
- check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength");
- isc__buffer_putstr(b, "(" /*)*/);
- result = dns_tsigrcode_totext(tsig.error, b);
- check_result(result, "dns_tsigrcode_totext");
- if (isc_buffer_remaininglength(b) < 1)
- check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength");
- isc__buffer_putstr(b, /*(*/ ")");
- }
-}
-
-static void
-update_completed(isc_task_t *task, isc_event_t *event) {
- dns_requestevent_t *reqev = NULL;
- isc_result_t result;
- dns_request_t *request;
-
- UNUSED(task);
-
- ddebug("update_completed()");
-
- requests--;
-
- REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
- reqev = (dns_requestevent_t *)event;
- request = reqev->request;
-
- if (shuttingdown) {
- dns_request_destroy(&request);
- isc_event_free(&event);
- maybeshutdown();
- return;
- }
-
- if (reqev->result != ISC_R_SUCCESS) {
- fprintf(stderr, "; Communication with server failed: %s\n",
- isc_result_totext(reqev->result));
- seenerror = ISC_TRUE;
- goto done;
- }
-
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &answer);
- check_result(result, "dns_message_create");
- result = dns_request_getresponse(request, answer,
- DNS_MESSAGEPARSE_PRESERVEORDER);
- switch (result) {
- case ISC_R_SUCCESS:
- break;
- case DNS_R_CLOCKSKEW:
- case DNS_R_EXPECTEDTSIG:
- case DNS_R_TSIGERRORSET:
- case DNS_R_TSIGVERIFYFAILURE:
- case DNS_R_UNEXPECTEDTSIG:
- fprintf(stderr, "; TSIG error with server: %s\n",
- isc_result_totext(result));
- seenerror = ISC_TRUE;
- break;
- default:
- check_result(result, "dns_request_getresponse");
- }
-
- if (answer->rcode != dns_rcode_noerror) {
- seenerror = ISC_TRUE;
- if (!debugging) {
- char buf[64];
- isc_buffer_t b;
- dns_rdataset_t *rds;
-
- isc_buffer_init(&b, buf, sizeof(buf) - 1);
- result = dns_rcode_totext(answer->rcode, &b);
- check_result(result, "dns_rcode_totext");
- rds = dns_message_gettsig(answer, NULL);
- if (rds != NULL)
- check_tsig_error(rds, &b);
- fprintf(stderr, "update failed: %.*s\n",
- (int)isc_buffer_usedlength(&b), buf);
- }
- }
- if (debugging) {
- isc_buffer_t *buf = NULL;
- int bufsz;
-
- bufsz = INITTEXT;
- do {
- if (bufsz > MAXTEXT) {
- fprintf(stderr, "could not allocate large "
- "enough buffer to display message\n");
- exit(1);
- }
- if (buf != NULL)
- isc_buffer_free(&buf);
- result = isc_buffer_allocate(mctx, &buf, bufsz);
- check_result(result, "isc_buffer_allocate");
- result = dns_message_totext(answer, style, 0, buf);
- bufsz *= 2;
- } while (result == ISC_R_NOSPACE);
- check_result(result, "dns_message_totext");
- fprintf(stderr, "\nReply from update query:\n%.*s\n",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
- isc_buffer_free(&buf);
- }
- done:
- dns_request_destroy(&request);
- isc_event_free(&event);
- done_update();
-}
-
-static void
-send_update(dns_name_t *zonename, isc_sockaddr_t
*master,
- isc_sockaddr_t *srcaddr)
-{
- isc_result_t result;
- dns_request_t *request = NULL;
- unsigned int options = 0;
-
- ddebug("send_update()");
-
- setzone(zonename);
-
- if (usevc)
- options |= DNS_REQUESTOPT_TCP;
- if (tsigkey == NULL && sig0key != NULL) {
- result = dns_message_setsig0key(updatemsg, sig0key);
- check_result(result, "dns_message_setsig0key");
- }
- if (debugging) {
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
- isc_sockaddr_format(master, addrbuf, sizeof(addrbuf));
- fprintf(stderr, "Sending update to %s\n", addrbuf);
- }
- result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
- master, options, tsigkey, timeout,
- udp_timeout, udp_retries, global_task,
- update_completed, NULL, &request);
- check_result(result, "dns_request_createvia3");
-
- if (debugging)
- show_message(updatemsg);
-
- requests++;
-}
-
-static void
-recvsoa(isc_task_t *task, isc_event_t *event) {
- dns_requestevent_t *reqev = NULL;
- dns_request_t *request = NULL;
- isc_result_t result, eresult;
- dns_message_t *rcvmsg = NULL;
- dns_section_t section;
- dns_name_t *name = NULL;
- dns_rdataset_t *soaset = NULL;
- dns_rdata_soa_t soa;
- dns_rdata_t soarr = DNS_RDATA_INIT;
- int pass = 0;
- dns_name_t master;
- isc_sockaddr_t *serveraddr, tempaddr;
- dns_name_t *zonename;
- nsu_requestinfo_t *reqinfo;
- dns_message_t *soaquery = NULL;
- isc_sockaddr_t *addr;
- isc_boolean_t seencname = ISC_FALSE;
- dns_name_t tname;
- unsigned int nlabels;
-
- UNUSED(task);
-
- ddebug("recvsoa()");
-
- requests--;
-
- REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
- reqev = (dns_requestevent_t *)event;
- request = reqev->request;
- eresult = reqev->result;
- reqinfo = reqev->ev_arg;
- soaquery = reqinfo->msg;
- addr = reqinfo->addr;
-
- if (shuttingdown) {
- dns_request_destroy(&request);
- dns_message_destroy(&soaquery);
- isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
- isc_event_free(&event);
- maybeshutdown();
- return;
- }
-
- if (eresult != ISC_R_SUCCESS) {
- char
addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
- isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
- fprintf(stderr, "; Communication with %s failed: %s\n",
- addrbuf, isc_result_totext(eresult));
- if (userserver != NULL)
- fatal("could not talk to specified name server");
- else if (++ns_inuse >= lwconf->nsnext)
- fatal("could not talk to any default name server");
- ddebug("Destroying request [%p]", request);
- dns_request_destroy(&request);
- dns_message_renderreset(soaquery);
- dns_message_settsigkey(soaquery, NULL);
- sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
- isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
- isc_event_free(&event);
- setzoneclass(dns_rdataclass_none);
- return;
- }
-
- isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
- reqinfo = NULL;
- isc_event_free(&event);
- reqev = NULL;
-
- ddebug("About to create rcvmsg");
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
- check_result(result, "dns_message_create");
- result = dns_request_getresponse(request, rcvmsg,
- DNS_MESSAGEPARSE_PRESERVEORDER);
- if (result == DNS_R_TSIGERRORSET && userserver != NULL) {
- dns_message_destroy(&rcvmsg);
- ddebug("Destroying request [%p]", request);
- dns_request_destroy(&request);
- reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
- if (reqinfo == NULL)
- fatal("out of memory");
- reqinfo->msg = soaquery;
- reqinfo->addr = addr;
- dns_message_renderreset(soaquery);
- ddebug("retrying soa request without TSIG");
- result = dns_request_createvia3(requestmgr, soaquery,
- localaddr, addr, 0, NULL,
- FIND_TIMEOUT * 20,
- FIND_TIMEOUT, 3,
- global_task, recvsoa, reqinfo,
- &request);
- check_result(result, "dns_request_createvia");
- requests++;
- return;
- }
- check_result(result, "dns_request_getresponse");
- section = DNS_SECTION_ANSWER;
- if (debugging) {
- isc_buffer_t *buf = NULL;
- int bufsz;
- bufsz = INITTEXT;
- do {
- if (buf != NULL)
- isc_buffer_free(&buf);
- if (bufsz > MAXTEXT) {
- fprintf(stderr,
"could not allocate enough "
- "space for debugging message\n");
- exit(1);
- }
- result = isc_buffer_allocate(mctx, &buf, bufsz);
- check_result(result, "isc_buffer_allocate");
- result = dns_message_totext(rcvmsg, style, 0, buf);
- } while (result == ISC_R_NOSPACE);
- check_result(result, "dns_message_totext");
- fprintf(stderr, "Reply from SOA query:\n%.*s\n",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
- isc_buffer_free(&buf);
- }
-
- if (rcvmsg->rcode != dns_rcode_noerror &&
- rcvmsg->rcode != dns_rcode_nxdomain)
- fatal("response to SOA query was unsuccessful");
-
- if (userzone != NULL && rcvmsg->rcode == dns_rcode_nxdomain) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(userzone, namebuf, sizeof(namebuf));
- error("specified zone '%s' does not exist (NXDOMAIN)",
- namebuf);
- dns_message_destroy(&rcvmsg);
- dns_request_destroy(&request);
- dns_message_destroy(&soaquery);
- ddebug("Out of recvsoa");
- done_update();
- return;
- }
-
- lookforsoa:
- if (pass == 0)
- section = DNS_SECTION_ANSWER;
- else if (pass == 1)
- section = DNS_SECTION_AUTHORITY;
- else
- goto droplabel;
-
- result = dns_message_firstname(rcvmsg, section);
- if (result != ISC_R_SUCCESS) {
- pass++;
- goto lookforsoa;
- }
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(rcvmsg, section, &name);
- soaset = NULL;
- result = dns_message_findtype(name, dns_rdatatype_soa, 0,
- &soaset);
- if (result == ISC_R_SUCCESS)
- break;
- if (section == DNS_SECTION_ANSWER) {
- dns_rdataset_t *tset = NULL;
- if (dns_message_findtype(name, dns_rdatatype_cname, 0,
- &tset) == ISC_R_SUCCESS
- ||
- dns_message_findtype(name, dns_rdatatype_dname, 0,
- &tset) == ISC_R_SUCCESS
- )
- {
- seencname = ISC_TRUE;
- break;
- }
- }
-
- result = dns_message_nextname(rcvmsg, section);
- }
-
- if (soaset == NULL && !seencname) {
- pass++;
- goto lookforsoa;
- }
-
- if (seencname)
- goto droplabel;
-
- if (debugging) {
- char namestr[DNS_NAME_FORMATSIZE];
-
dns_name_format(name, namestr, sizeof(namestr));
- fprintf(stderr, "Found zone name: %s\n", namestr);
- }
-
- result = dns_rdataset_first(soaset);
- check_result(result, "dns_rdataset_first");
-
- dns_rdata_init(&soarr);
- dns_rdataset_current(soaset, &soarr);
- result = dns_rdata_tostruct(&soarr, &soa, NULL);
- check_result(result, "dns_rdata_tostruct");
-
- dns_name_init(&master, NULL);
- dns_name_clone(&soa.origin, &master);
-
- if (userzone != NULL)
- zonename = userzone;
- else
- zonename = name;
-
- if (debugging) {
- char namestr[DNS_NAME_FORMATSIZE];
- dns_name_format(&master, namestr, sizeof(namestr));
- fprintf(stderr, "The master is: %s\n", namestr);
- }
-
- if (userserver != NULL)
- serveraddr = userserver;
- else {
- char serverstr[DNS_NAME_MAXTEXT+1];
- isc_buffer_t buf;
-
- isc_buffer_init(&buf, serverstr, sizeof(serverstr));
- result = dns_name_totext(&master, ISC_TRUE, &buf);
- check_result(result, "dns_name_totext");
- serverstr[isc_buffer_usedlength(&buf)] = 0;
- get_address(serverstr, DNSDEFAULTPORT, &tempaddr);
- serveraddr = &tempaddr;
- }
- dns_rdata_freestruct(&soa);
-
- send_update(zonename, serveraddr, localaddr);
- setzoneclass(dns_rdataclass_none);
-
- dns_message_destroy(&soaquery);
- dns_request_destroy(&request);
-
- out:
- dns_message_destroy(&rcvmsg);
- ddebug("Out of recvsoa");
- return;
-
- droplabel:
- result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION);
- INSIST(result == ISC_R_SUCCESS);
- name = NULL;
- dns_message_currentname(soaquery, DNS_SECTION_QUESTION, &name);
- nlabels = dns_name_countlabels(name);
- if (nlabels == 1)
- fatal("could not find enclosing zone");
- dns_name_init(&tname, NULL);
- dns_name_getlabelsequence(name, 1, nlabels - 1, &tname);
- dns_name_clone(&tname, name);
- dns_request_destroy(&request);
- dns_message_renderreset(soaquery);
- dns_message_settsigkey(soaquery, NULL);
- if (userserver != NULL)
- sendrequest(localaddr, userserver, soaquery, &request);
- else
- sendrequest(localaddr,
&servers[ns_inuse], soaquery,
- &request);
- goto out;
-}
-
-static void
-sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- dns_message_t *msg, dns_request_t **request)
-{
- isc_result_t result;
- nsu_requestinfo_t *reqinfo;
-
- reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
- if (reqinfo == NULL)
- fatal("out of memory");
- reqinfo->msg = msg;
- reqinfo->addr = destaddr;
- result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr, 0,
- (userserver != NULL) ? tsigkey : NULL,
- FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
- global_task, recvsoa, reqinfo, request);
- check_result(result, "dns_request_createvia");
- requests++;
-}
-
-static void
-start_update(void) {
- isc_result_t result;
- dns_rdataset_t *rdataset = NULL;
- dns_name_t *name = NULL;
- dns_request_t *request = NULL;
- dns_message_t *soaquery = NULL;
- dns_name_t *firstname;
- dns_section_t section = DNS_SECTION_UPDATE;
-
- ddebug("start_update()");
-
- if (answer != NULL)
- dns_message_destroy(&answer);
-
- if (userzone != NULL && userserver != NULL) {
- send_update(userzone, userserver, localaddr);
- setzoneclass(dns_rdataclass_none);
- return;
- }
-
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
- &soaquery);
- check_result(result, "dns_message_create");
-
- if (userserver == NULL)
- soaquery->flags |= DNS_MESSAGEFLAG_RD;
-
- result = dns_message_gettempname(soaquery, &name);
- check_result(result, "dns_message_gettempname");
-
- result = dns_message_gettemprdataset(soaquery, &rdataset);
- check_result(result, "dns_message_gettemprdataset");
-
- dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa);
-
- if (userzone != NULL) {
- dns_name_init(name, NULL);
- dns_name_clone(userzone, name);
- } else {
- result = dns_message_firstname(updatemsg, section);
- if (result == ISC_R_NOMORE) {
- section = DNS_SECTION_PREREQUISITE;
- result = dns_message_firstname(updatemsg, section);
- }
- if (result != ISC_R_SUCCESS) {
-
dns_message_puttempname(soaquery, &name);
- dns_rdataset_disassociate(rdataset);
- dns_message_puttemprdataset(soaquery, &rdataset);
- dns_message_destroy(&soaquery);
- done_update();
- return;
- }
- firstname = NULL;
- dns_message_currentname(updatemsg, section, &firstname);
- dns_name_init(name, NULL);
- dns_name_clone(firstname, name);
- }
-
- ISC_LIST_INIT(name->list);
- ISC_LIST_APPEND(name->list, rdataset, link);
- dns_message_addname(soaquery, name, DNS_SECTION_QUESTION);
-
- if (userserver != NULL)
- sendrequest(localaddr, userserver, soaquery, &request);
- else {
- ns_inuse = 0;
- sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
- }
-}
-
-static void
-cleanup(void) {
- ddebug("cleanup()");
-
- if (answer != NULL)
- dns_message_destroy(&answer);
- ddebug("Shutting down task manager");
- isc_taskmgr_destroy(&taskmgr);
-
- ddebug("Destroying event");
- isc_event_free(&global_event);
-
- ddebug("Shutting down socket manager");
- isc_socketmgr_destroy(&socketmgr);
-
- ddebug("Shutting down timer manager");
- isc_timermgr_destroy(&timermgr);
-
- ddebug("Destroying hash context");
- isc_hash_destroy();
-
- ddebug("Destroying name state");
- dns_name_destroy();
-
- ddebug("Destroying memory context");
- if (memdebugging)
- isc_mem_stats(mctx, stderr);
- isc_mem_destroy(&mctx);
-}
-
-static void
-getinput(isc_task_t *task, isc_event_t *event) {
- isc_boolean_t more;
-
- UNUSED(task);
-
- if (shuttingdown) {
- maybeshutdown();
- return;
- }
-
- if (global_event == NULL)
- global_event = event;
-
- reset_system();
- more = user_interaction();
- if (!more) {
- isc_app_shutdown();
- return;
- }
- start_update();
- return;
-}
-
-int
-main(int argc, char **argv) {
- isc_result_t result;
- style = &dns_master_style_debug;
-
- input = stdin;
-
- interactive = ISC_TF(isatty(0));
-
- isc_app_start();
-
- parse_args(argc, argv);
-
- setup_system();
-
- result = isc_app_onrun(mctx, global_task, getinput, NULL);
- check_result(result, "isc_app_onrun");
-
-
(void)isc_app_run();
-
- cleanup();
-
- isc_app_finish();
-
- if (seenerror)
- return (2);
- else
- return (0);
-}
diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.docbook b/usr.sbin/bind/bin/nsupdate/nsupdate.docbook
deleted file mode 100644
index 0abd32ec1e8..00000000000
--- a/usr.sbin/bind/bin/nsupdate/nsupdate.docbook
+++ /dev/null
@@ -1,657 +0,0 @@ -]> - - - - - - Jun 30, 2000 - - - nsupdate - 8 - BIND9 - - - nsupdate - Dynamic DNS update utility - - - - - 2004 - 2005 - 2006 - 2007 - Internet Systems Consortium, Inc. ("ISC") - - - 2000 - 2001 - 2002 - 2003 - Internet Software Consortium. - - - - - - nsupdate - - - - - - - - - - filename - - - - - DESCRIPTION - nsupdate - is used to submit Dynamic DNS Update requests as defined in RFC2136 - to a name server. - This allows resource records to be added or removed from a zone - without manually editing the zone file. - A single update request can contain requests to add or remove more than - one - resource record. - - - Zones that are under dynamic control via - nsupdate - or a DHCP server should not be edited by hand. - Manual edits could - conflict with dynamic updates and cause data to be lost. - - - The resource records that are dynamically added or removed with - nsupdate - have to be in the same zone. - Requests are sent to the zone's master server. - This is identified by the MNAME field of the zone's SOA record. - - - The - - option makes - nsupdate - operate in debug mode. - This provides tracing information about the update requests that are - made and the replies received from the name server. - - - Transaction signatures can be used to authenticate the Dynamic DNS - updates. - These use the TSIG resource record type described in RFC2845 or the - SIG(0) record described in RFC3535 and RFC2931. - TSIG relies on a shared secret that should only be known to - nsupdate and the name server. - Currently, the only supported encryption algorithm for TSIG is - HMAC-MD5, which is defined in RFC 2104. - Once other algorithms are defined for TSIG, applications will need to - ensure they select the appropriate algorithm as well as the key when - authenticating each other. 
- For instance, suitable - key - and - server - statements would be added to - /etc/named.conf - so that the name server can associate the appropriate secret key - and algorithm with the IP address of the - client application that will be using TSIG authentication. - SIG(0) uses public key cryptography. To use a SIG(0) key, the public - key must be stored in a KEY record in a zone served by the name server. - nsupdate - does not read - /etc/named.conf. - - nsupdate - uses the or option - to provide the shared secret needed to generate a TSIG record - for authenticating Dynamic DNS update requests, default type - HMAC-MD5. These options are mutually exclusive. With the - option, nsupdate reads - the shared secret from the file keyfile, - whose name is of the form - K{name}.+157.+{random}.private. For - historical reasons, the file - K{name}.+157.+{random}.key must also be - present. When the option is used, a - signature is generated from - hmac:keyname:secret. - keyname is the name of the key, and - secret is the base64 encoded shared - secret. Use of the option is discouraged - because the shared secret is supplied as a command line - argument in clear text. This may be visible in the output - from - - ps1 - or in a history file maintained by the user's - shell. - - - The may also be used to specify a SIG(0) key used - to authenticate Dynamic DNS update requests. In this case, the key - specified is not an HMAC-MD5 key. - - - By default - nsupdate - uses UDP to send update requests to the name server unless they are too - large to fit in a UDP request in which case TCP will be used. - The - - option makes - nsupdate - use a TCP connection. - This may be preferable when a batch of update requests is made. - - - The option sets the maximum time an update request - can - take before it is aborted. The default is 300 seconds. Zero can be - used - to disable the timeout. - - - The option sets the UDP retry interval. The default - is - 3 seconds. 
If zero, the interval will be computed from the timeout - interval - and number of UDP retries. - - - The option sets the number of UDP retries. The - default is - 3. If zero, only one update request will be made. - - - - - INPUT FORMAT - nsupdate - reads input from - filename - or standard input. - Each command is supplied on exactly one line of input. - Some commands are for administrative purposes. - The others are either update instructions or prerequisite checks on the - contents of the zone. - These checks set conditions that some name or set of - resource records (RRset) either exists or is absent from the zone. - These conditions must be met if the entire update request is to succeed. - Updates will be rejected if the tests for the prerequisite conditions - fail. - - - Every update request consists of zero or more prerequisites - and zero or more updates. - This allows a suitably authenticated update request to proceed if some - specified resource records are present or missing from the zone. - A blank input line (or the send command) - causes the - accumulated commands to be sent as one Dynamic DNS update request to the - name server. - - - The command formats and their meaning are as follows: - - - - - server - servername - port - - - - Sends all dynamic update requests to the name server - servername. - When no server statement is provided, - nsupdate - will send updates to the master server of the correct zone. - The MNAME field of that zone's SOA record will identify the - master - server for that zone. - port - is the port number on - servername - where the dynamic update requests get sent. - If no port number is specified, the default DNS port number of - 53 is - used. - - - - - - - local - address - port - - - - Sends all dynamic update requests using the local - address. - - When no local statement is provided, - nsupdate - will send updates using an address and port chosen by the - system. 
- port - can additionally be used to make requests come from a specific - port. - If no port number is specified, the system will assign one. - - - - - - - zone - zonename - - - - Specifies that all updates are to be made to the zone - zonename. - If no - zone - statement is provided, - nsupdate - will attempt determine the correct zone to update based on the - rest of the input. - - - - - - - class - classname - - - - Specify the default class. - If no class is specified, the - default class is - IN. - - - - - - - key - name - secret - - - - Specifies that all updates are to be TSIG-signed using the - keyname keysecret pair. - The key command - overrides any key specified on the command line via - or . - - - - - - - prereq nxdomain - domain-name - - - - Requires that no resource record of any type exists with name - domain-name. - - - - - - - - prereq yxdomain - domain-name - - - - Requires that - domain-name - exists (has as at least one resource record, of any type). - - - - - - - prereq nxrrset - domain-name - class - type - - - - Requires that no resource record exists of the specified - type, - class - and - domain-name. - If - class - is omitted, IN (internet) is assumed. - - - - - - - - prereq yxrrset - domain-name - class - type - - - - This requires that a resource record of the specified - type, - class - and - domain-name - must exist. - If - class - is omitted, IN (internet) is assumed. - - - - - - - prereq yxrrset - domain-name - class - type - data - - - - The - data - from each set of prerequisites of this form - sharing a common - type, - class, - and - domain-name - are combined to form a set of RRs. This set of RRs must - exactly match the set of RRs existing in the zone at the - given - type, - class, - and - domain-name. - The - data - are written in the standard text representation of the resource - record's - RDATA. - - - - - - - update delete - domain-name - ttl - class - type data - - - - Deletes any resource records named - domain-name. 
- If - type - and - data - is provided, only matching resource records will be removed. - The internet class is assumed if - class - is not supplied. The - ttl - is ignored, and is only allowed for compatibility. - - - - - - - update add - domain-name - ttl - class - type - data - - - - Adds a new resource record with the specified - ttl, - class - and - data. - - - - - - - show - - - - Displays the current message, containing all of the - prerequisites and - updates specified since the last send. - - - - - - - send - - - - Sends the current message. This is equivalent to entering a - blank line. - - - - - - - answer - - - - Displays the answer. - - - - - - - - - Lines beginning with a semicolon are comments and are ignored. - - - - - - EXAMPLES - - The examples below show how - nsupdate - could be used to insert and delete resource records from the - example.com - zone. - Notice that the input in each example contains a trailing blank line so - that - a group of commands are sent as one dynamic update request to the - master name server for - example.com. - - -# nsupdate -> update delete oldhost.example.com A -> update add newhost.example.com 86400 A 172.16.1.1 -> send - - - - Any A records for - oldhost.example.com - are deleted. - And an A record for - newhost.example.com - with IP address 172.16.1.1 is added. - The newly-added record has a 1 day TTL (86400 seconds). - -# nsupdate -> prereq nxdomain nickname.example.com -> update add nickname.example.com 86400 CNAME somehost.example.com -> send - - - - The prerequisite condition gets the name server to check that there - are no resource records of any type for - nickname.example.com. - - If there are, the update request fails. - If this name does not exist, a CNAME for it is added. - This ensures that when the CNAME is added, it cannot conflict with the - long-standing rule in RFC1034 that a name must not exist as any other - record type if it exists as a CNAME. 
- (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have - RRSIG, DNSKEY and NSEC records.) - - - - - FILES - - - - /etc/resolv.conf - - - used to identify default name server - - - - - - K{name}.+157.+{random}.key - - - base-64 encoding of HMAC-MD5 key created by - - dnssec-keygen8 - . - - - - - - K{name}.+157.+{random}.private - - - base-64 encoding of HMAC-MD5 key created by - - dnssec-keygen8 - . - - - - - - - - - SEE ALSO - - RFC2136 - , - - RFC3007 - , - - RFC2104 - , - - RFC2845 - , - - RFC1034 - , - - RFC2535 - , - - RFC2931 - , - - named8 - , - - dnssec-keygen8 - . - - - - - BUGS - - The TSIG key is redundantly stored in two separate files. - This is a consequence of nsupdate using the DST library - for its cryptographic operations, and may change in future - releases. - - - diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.html b/usr.sbin/bind/bin/nsupdate/nsupdate.html deleted file mode 100644 index f8e323963a8..00000000000 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.html +++ /dev/null @@ -1,500 +0,0 @@ - - - - - -nsupdate - - -
-
-
-

Name

-

nsupdate — Dynamic DNS update utility

-
-
-

Synopsis

-

nsupdate [-d] [[-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-v] [filename]

-
-
-

DESCRIPTION

-

nsupdate - is used to submit Dynamic DNS Update requests as defined in RFC2136 - to a name server. - This allows resource records to be added or removed from a zone - without manually editing the zone file. - A single update request can contain requests to add or remove more than - one - resource record. -

-

- Zones that are under dynamic control via - nsupdate - or a DHCP server should not be edited by hand. - Manual edits could - conflict with dynamic updates and cause data to be lost. -

-

- The resource records that are dynamically added or removed with - nsupdate - have to be in the same zone. - Requests are sent to the zone's master server. - This is identified by the MNAME field of the zone's SOA record. -

-

- The - -d - option makes - nsupdate - operate in debug mode. - This provides tracing information about the update requests that are - made and the replies received from the name server. -

-

- Transaction signatures can be used to authenticate the Dynamic DNS - updates. - These use the TSIG resource record type described in RFC2845 or the - SIG(0) record described in RFC3535 and RFC2931. - TSIG relies on a shared secret that should only be known to - nsupdate and the name server. - Currently, the only supported encryption algorithm for TSIG is - HMAC-MD5, which is defined in RFC 2104. - Once other algorithms are defined for TSIG, applications will need to - ensure they select the appropriate algorithm as well as the key when - authenticating each other. - For instance, suitable - key - and - server - statements would be added to - /etc/named.conf - so that the name server can associate the appropriate secret key - and algorithm with the IP address of the - client application that will be using TSIG authentication. - SIG(0) uses public key cryptography. To use a SIG(0) key, the public - key must be stored in a KEY record in a zone served by the name server. - nsupdate - does not read - /etc/named.conf. -

-

nsupdate - uses the -y or -k option - to provide the shared secret needed to generate a TSIG record - for authenticating Dynamic DNS update requests, default type - HMAC-MD5. These options are mutually exclusive. With the - -k option, nsupdate reads - the shared secret from the file keyfile, - whose name is of the form - K{name}.+157.+{random}.private. For - historical reasons, the file - K{name}.+157.+{random}.key must also be - present. When the -y option is used, a - signature is generated from - [hmac:]keyname:secret. - keyname is the name of the key, and - secret is the base64 encoded shared - secret. Use of the -y option is discouraged - because the shared secret is supplied as a command line - argument in clear text. This may be visible in the output - from - ps(1) or in a history file maintained by the user's - shell. -

-

- The -k may also be used to specify a SIG(0) key used - to authenticate Dynamic DNS update requests. In this case, the key - specified is not an HMAC-MD5 key. -

-

- By default - nsupdate - uses UDP to send update requests to the name server unless they are too - large to fit in a UDP request in which case TCP will be used. - The - -v - option makes - nsupdate - use a TCP connection. - This may be preferable when a batch of update requests is made. -

-

- The -t option sets the maximum time an update request - can - take before it is aborted. The default is 300 seconds. Zero can be - used - to disable the timeout. -

-

- The -u option sets the UDP retry interval. The default - is - 3 seconds. If zero, the interval will be computed from the timeout - interval - and number of UDP retries. -

-

- The -r option sets the number of UDP retries. The - default is - 3. If zero, only one update request will be made. -

-
-
-

INPUT FORMAT

-

nsupdate - reads input from - filename - or standard input. - Each command is supplied on exactly one line of input. - Some commands are for administrative purposes. - The others are either update instructions or prerequisite checks on the - contents of the zone. - These checks set conditions that some name or set of - resource records (RRset) either exists or is absent from the zone. - These conditions must be met if the entire update request is to succeed. - Updates will be rejected if the tests for the prerequisite conditions - fail. -

-

- Every update request consists of zero or more prerequisites - and zero or more updates. - This allows a suitably authenticated update request to proceed if some - specified resource records are present or missing from the zone. - A blank input line (or the send command) - causes the - accumulated commands to be sent as one Dynamic DNS update request to the - name server. -

-

- The command formats and their meaning are as follows: -

-
-
- server - {servername} - [port] -
-

- Sends all dynamic update requests to the name server - servername. - When no server statement is provided, - nsupdate - will send updates to the master server of the correct zone. - The MNAME field of that zone's SOA record will identify the - master - server for that zone. - port - is the port number on - servername - where the dynamic update requests get sent. - If no port number is specified, the default DNS port number of - 53 is - used. -

-
- local - {address} - [port] -
-

- Sends all dynamic update requests using the local - address. - - When no local statement is provided, - nsupdate - will send updates using an address and port chosen by the - system. - port - can additionally be used to make requests come from a specific - port. - If no port number is specified, the system will assign one. -

-
- zone - {zonename} -
-

- Specifies that all updates are to be made to the zone - zonename. - If no - zone - statement is provided, - nsupdate - will attempt determine the correct zone to update based on the - rest of the input. -

-
- class - {classname} -
-

- Specify the default class. - If no class is specified, the - default class is - IN. -

-
- key - {name} - {secret} -
-

- Specifies that all updates are to be TSIG-signed using the - keyname keysecret pair. - The key command - overrides any key specified on the command line via - -y or -k. -

-
- prereq nxdomain - {domain-name} -
-

- Requires that no resource record of any type exists with name - domain-name. -

-
- prereq yxdomain - {domain-name} -
-

- Requires that - domain-name - exists (has as at least one resource record, of any type). -

-
- prereq nxrrset - {domain-name} - [class] - {type} -
-

- Requires that no resource record exists of the specified - type, - class - and - domain-name. - If - class - is omitted, IN (internet) is assumed. -

-
- prereq yxrrset - {domain-name} - [class] - {type} -
-

- This requires that a resource record of the specified - type, - class - and - domain-name - must exist. - If - class - is omitted, IN (internet) is assumed. -

-
- prereq yxrrset - {domain-name} - [class] - {type} - {data...} -
-

- The - data - from each set of prerequisites of this form - sharing a common - type, - class, - and - domain-name - are combined to form a set of RRs. This set of RRs must - exactly match the set of RRs existing in the zone at the - given - type, - class, - and - domain-name. - The - data - are written in the standard text representation of the resource - record's - RDATA. -

-
- update delete - {domain-name} - [ttl] - [class] - [type [data...]] -
-

- Deletes any resource records named - domain-name. - If - type - and - data - is provided, only matching resource records will be removed. - The internet class is assumed if - class - is not supplied. The - ttl - is ignored, and is only allowed for compatibility. -

-
- update add - {domain-name} - {ttl} - [class] - {type} - {data...} -
-

- Adds a new resource record with the specified - ttl, - class - and - data. -

-
- show -
-

- Displays the current message, containing all of the - prerequisites and - updates specified since the last send. -

-
- send -
-

- Sends the current message. This is equivalent to entering a - blank line. -

-
- answer -
-

- Displays the answer. -

-
-

-

-

- Lines beginning with a semicolon are comments and are ignored. -

-
-
-

EXAMPLES

-

- The examples below show how - nsupdate - could be used to insert and delete resource records from the - example.com - zone. - Notice that the input in each example contains a trailing blank line so - that - a group of commands are sent as one dynamic update request to the - master name server for - example.com. - -

-
-# nsupdate
-> update delete oldhost.example.com A
-> update add newhost.example.com 86400 A 172.16.1.1
-> send
-
-

-

-

- Any A records for - oldhost.example.com - are deleted. - And an A record for - newhost.example.com - with IP address 172.16.1.1 is added. - The newly-added record has a 1 day TTL (86400 seconds). -

-
-# nsupdate
-> prereq nxdomain nickname.example.com
-> update add nickname.example.com 86400 CNAME somehost.example.com
-> send
-
-

-

-

- The prerequisite condition gets the name server to check that there - are no resource records of any type for - nickname.example.com. - - If there are, the update request fails. - If this name does not exist, a CNAME for it is added. - This ensures that when the CNAME is added, it cannot conflict with the - long-standing rule in RFC1034 that a name must not exist as any other - record type if it exists as a CNAME. - (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have - RRSIG, DNSKEY and NSEC records.) -

-
-
-

FILES

-
-
/etc/resolv.conf
-

- used to identify default name server -

-
K{name}.+157.+{random}.key
-

- base-64 encoding of HMAC-MD5 key created by - dnssec-keygen(8). -

-
K{name}.+157.+{random}.private
-

- base-64 encoding of HMAC-MD5 key created by - dnssec-keygen(8). -

-
-
-
-

SEE ALSO

-

RFC2136, - RFC3007, - RFC2104, - RFC2845, - RFC1034, - RFC2535, - RFC2931, - named(8), - dnssec-keygen(8). -

-
-
-

BUGS

-

- The TSIG key is redundantly stored in two separate files. - This is a consequence of nsupdate using the DST library - for its cryptographic operations, and may change in future - releases. -

-
-
-
diff --git a/usr.sbin/bind/bin/rndc/Makefile.in b/usr.sbin/bind/bin/rndc/Makefile.in
deleted file mode 100644
index 4a2b7104ada..00000000000
--- a/usr.sbin/bind/bin/rndc/Makefile.in
+++ /dev/null
@@ -1,104 +0,0 @@
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $ISC: Makefile.in,v 1.40.18.4 2007/08/28 07:20:01 tbox Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
- ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
-ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-BIND9LIBS = ../../lib/bind9/libbind9.@A@
-
-ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
-ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-
-RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
-RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
-
-CONFLIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
-CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
-
-SRCS= rndc.c rndc-confgen.c
-
-SUBDIRS = unix
-
-TARGETS = rndc@EXEEXT@ rndc-confgen@EXEEXT@
-
-MANPAGES = rndc.8 rndc-confgen.8 rndc.conf.5
-
-HTMLPAGES = rndc.html rndc-confgen.html rndc.conf.html
-
-MANOBJS = ${MANPAGES} ${HTMLPAGES}
-
-UOBJS = unix/os.@O@
-
-@BIND9_MAKE_RULES@
-
-rndc.@O@: rndc.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -DRNDC_CONFFILE=\"${sysconfdir}/rndc.conf\" \
- -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
- -c ${srcdir}/rndc.c
-
-rndc-confgen.@O@: rndc-confgen.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
- -c ${srcdir}/rndc-confgen.c
-
-rndc@EXEEXT@: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc.@O@ util.@O@ \
- ${RNDCLIBS}
-
-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ ${UOBJS} ${CONFDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ \
- ${UOBJS} ${CONFLIBS}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
- rm -f ${MANOBJS}
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
-
-install:: rndc@EXEEXT@ rndc-confgen@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc@EXEEXT@ ${DESTDIR}${sbindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/rndc.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/rndc.conf.5 ${DESTDIR}${mandir}/man5
-
-clean distclean maintainer-clean::
- rm -f ${TARGETS}
diff --git a/usr.sbin/bind/bin/rndc/include/rndc/os.h b/usr.sbin/bind/bin/rndc/include/rndc/os.h
deleted file mode 100644
index c958540bae2..00000000000
--- a/usr.sbin/bind/bin/rndc/include/rndc/os.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: os.h,v 1.5.18.2 2005/04/29 00:15:41 marka Exp $ */
-
-/*! \file */
-
-#ifndef RNDC_OS_H
-#define RNDC_OS_H 1
-
-#include
-#include
-
-ISC_LANG_BEGINDECLS
-
-FILE *safe_create(const char *filename);
-/*%<
- * Open 'filename' for writing, truncate if necessary. If the file was
- * created ensure that only the owner can read/write it.
- */
-
-int set_user(FILE *fd, const char *user);
-/*%<
- * Set the owner of the file refernced by 'fd' to 'user'.
- * Returns:
- * 0 success
- * -1 insufficient permissions, or 'user' does not exist.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.8 b/usr.sbin/bind/bin/rndc/rndc-confgen.8
deleted file mode 100644
index d50df2e2a79..00000000000
--- a/usr.sbin/bind/bin/rndc/rndc-confgen.8
+++ /dev/null
@@ -1,211 +0,0 @@ -.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2001, 2003 Internet Software Consortium. -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -.\" PERFORMANCE OF THIS SOFTWARE. -.\" -.\" $ISC: rndc-confgen.8,v 1.9.18.11 2007/01/30 00:23:44 marka Exp $ -.\" -.hy 0 -.ad l -.\" Title: rndc\-confgen -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 -.\" Date: Aug 27, 2001 -.\" Manual: BIND9 -.\" Source: BIND9 -.\" -.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -rndc\-confgen \- rndc key generation tool -.SH "SYNOPSIS" -.HP 13 -\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] -.SH "DESCRIPTION" -.PP -\fBrndc\-confgen\fR -generates configuration files for -\fBrndc\fR. It can be used as a convenient alternative to writing the -\fIrndc.conf\fR -file and the corresponding -\fBcontrols\fR -and -\fBkey\fR -statements in -\fInamed.conf\fR -by hand. 
Alternatively, it can be run with the -\fB\-a\fR -option to set up a -\fIrndc.key\fR -file and avoid the need for a -\fIrndc.conf\fR -file and a -\fBcontrols\fR -statement altogether. -.SH "OPTIONS" -.PP -\-a -.RS 4 -Do automatic -\fBrndc\fR -configuration. This creates a file -\fIrndc.key\fR -in -\fI/etc\fR -(or whatever -\fIsysconfdir\fR -was specified as when -BIND -was built) that is read by both -\fBrndc\fR -and -\fBnamed\fR -on startup. The -\fIrndc.key\fR -file defines a default command channel and authentication key allowing -\fBrndc\fR -to communicate with -\fBnamed\fR -on the local host with no further configuration. -.sp -Running -\fBrndc\-confgen \-a\fR -allows BIND 9 and -\fBrndc\fR -to be used as drop\-in replacements for BIND 8 and -\fBndc\fR, with no changes to the existing BIND 8 -\fInamed.conf\fR -file. -.sp -If a more elaborate configuration than that generated by -\fBrndc\-confgen \-a\fR -is required, for example if rndc is to be used remotely, you should run -\fBrndc\-confgen\fR -without the -\fB\-a\fR -option and set up a -\fIrndc.conf\fR -and -\fInamed.conf\fR -as directed. -.RE -.PP -\-b \fIkeysize\fR -.RS 4 -Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128. -.RE -.PP -\-c \fIkeyfile\fR -.RS 4 -Used with the -\fB\-a\fR -option to specify an alternate location for -\fIrndc.key\fR. -.RE -.PP -\-h -.RS 4 -Prints a short summary of the options and arguments to -\fBrndc\-confgen\fR. -.RE -.PP -\-k \fIkeyname\fR -.RS 4 -Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is -\fBrndc\-key\fR. -.RE -.PP -\-p \fIport\fR -.RS 4 -Specifies the command channel port where -\fBnamed\fR -listens for connections from -\fBrndc\fR. The default is 953. -.RE -.PP -\-r \fIrandomfile\fR -.RS 4 -Specifies a source of random data for generating the authorization. 
If the operating system does not provide a -\fI/dev/random\fR -or equivalent device, the default source of randomness is keyboard input. -\fIrandomdev\fR -specifies the name of a character device or file containing random data to be used instead of the default. The special value -\fIkeyboard\fR -indicates that keyboard input should be used. -.RE -.PP -\-s \fIaddress\fR -.RS 4 -Specifies the IP address where -\fBnamed\fR -listens for command channel connections from -\fBrndc\fR. The default is the loopback address 127.0.0.1. -.RE -.PP -\-t \fIchrootdir\fR -.RS 4 -Used with the -\fB\-a\fR -option to specify a directory where -\fBnamed\fR -will run chrooted. An additional copy of the -\fIrndc.key\fR -will be written relative to this directory so that it will be found by the chrooted -\fBnamed\fR. -.RE -.PP -\-u \fIuser\fR -.RS 4 -Used with the -\fB\-a\fR -option to set the owner of the -\fIrndc.key\fR -file generated. If -\fB\-t\fR -is also specified only the file in the chroot area has its owner changed. -.RE -.SH "EXAMPLES" -.PP -To allow -\fBrndc\fR -to be used with no manual configuration, run -.PP -\fBrndc\-confgen \-a\fR -.PP -To print a sample -\fIrndc.conf\fR -file and corresponding -\fBcontrols\fR -and -\fBkey\fR -statements to be manually inserted into -\fInamed.conf\fR, run -.PP -\fBrndc\-confgen\fR -.SH "SEE ALSO" -.PP -\fBrndc\fR(8), -\fBrndc.conf\fR(5), -\fBnamed\fR(8), -BIND 9 Administrator Reference Manual. -.SH "AUTHOR" -.PP -Internet Systems Consortium -.SH "COPYRIGHT" -Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") -.br -Copyright \(co 2001, 2003 Internet Software Consortium. -.br diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.c b/usr.sbin/bind/bin/rndc/rndc-confgen.c deleted file mode 100644 index 9b3812c572a..00000000000 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.c +++ /dev/null 
@@ -1,335 +0,0 @@ -/* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001, 2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: rndc-confgen.c,v 1.18.18.3 2005/04/29 00:15:40 marka Exp $ */ - -/*! \file */ - -/** - * rndc-confgen generates configuration files for rndc. It can be used - * as a convenient alternative to writing the rndc.conf file and the - * corresponding controls and key statements in named.conf by hand. - * Alternatively, it can be run with the -a option to set up a - * rndc.key file and avoid the need for a rndc.conf file and a - * controls statement altogether. - */ - -#include - -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include - -#include -#include - -#include "util.h" - -#define DEFAULT_KEYLENGTH 128 /*% Bits. 
*/ -#define DEFAULT_KEYNAME "rndc-key" -#define DEFAULT_SERVER "127.0.0.1" -#define DEFAULT_PORT 953 - -static char program[256]; -char *progname; - -isc_boolean_t verbose = ISC_FALSE; - -const char *keyfile, *keydef; - -static void -usage(int status) { - - fprintf(stderr, "\ -Usage:\n\ - %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ -[-s addr] [-t chrootdir] [-u user]\n\ - -a: generate just the key clause and write it to keyfile (%s)\n\ - -b bits: from 1 through 512, default %d; total length of the secret\n\ - -c keyfile: specify an alternate key file (requires -a)\n\ - -k keyname: the name as it will be used in named.conf and rndc.conf\n\ - -p port: the port named will listen on and rndc will connect to\n\ - -r randomfile: a file containing random data\n\ - -s addr: the address to which rndc should connect\n\ - -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ - -u user: set the keyfile owner to \"user\" (requires -a)\n", - progname, keydef, DEFAULT_KEYLENGTH); - - exit (status); -} - -/*% - * Write an rndc.key file to 'keyfile'. If 'user' is non-NULL, - * make that user the owner of the file. The key will have - * the name 'keyname' and the secret in the buffer 'secret'. 
- */ -static void -write_key_file(const char *keyfile, const char *user, - const char *keyname, isc_buffer_t *secret ) -{ - FILE *fd; - - fd = safe_create(keyfile); - if (fd == NULL) - fatal( "unable to create \"%s\"\n", keyfile); - if (user != NULL) { - if (set_user(fd, user) == -1) - fatal("unable to set file owner\n"); - } - fprintf(fd, "key \"%s\" {\n\talgorithm hmac-md5;\n" - "\tsecret \"%.*s\";\n};\n", keyname, - (int)isc_buffer_usedlength(secret), - (char *)isc_buffer_base(secret)); - fflush(fd); - if (ferror(fd)) - fatal("write to %s failed\n", keyfile); - if (fclose(fd)) - fatal("fclose(%s) failed\n", keyfile); - fprintf(stderr, "wrote key file \"%s\"\n", keyfile); -} - -int -main(int argc, char **argv) { - isc_boolean_t show_final_mem = ISC_FALSE; - isc_buffer_t key_rawbuffer; - isc_buffer_t key_txtbuffer; - isc_region_t key_rawregion; - isc_mem_t *mctx = NULL; - isc_entropy_t *ectx = NULL; - isc_entropysource_t *entropy_source = NULL; - isc_result_t result = ISC_R_SUCCESS; - dst_key_t *key = NULL; - const char *keyname = NULL; - const char *randomfile = NULL; - const char *serveraddr = NULL; - char key_rawsecret[64]; - char key_txtsecret[256]; - char *p; - int ch; - int port; - int keysize; - int entropy_flags = 0; - int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE; - struct in_addr addr4_dummy; - struct in6_addr addr6_dummy; - char *chrootdir = NULL; - char *user = NULL; - isc_boolean_t keyonly = ISC_FALSE; - int len; - - keydef = keyfile = RNDC_KEYFILE; - - result = isc_file_progname(*argv, program, sizeof(program)); - if (result != ISC_R_SUCCESS) - memcpy(program, "rndc-confgen", 13); - progname = program; - - keyname = DEFAULT_KEYNAME; - keysize = DEFAULT_KEYLENGTH; - serveraddr = DEFAULT_SERVER; - port = DEFAULT_PORT; - - while ((ch = isc_commandline_parse(argc, argv, - "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) { - switch (ch) { - case 'a': - keyonly = ISC_TRUE; - break; - case 'b': - keysize = strtol(isc_commandline_argument, &p, 10); - if (*p != '\0' || 
keysize < 0) - fatal("-b requires a non-negative number"); - if (keysize < 1 || keysize > 512) - fatal("-b must be in the range 1 through 512"); - break; - case 'c': - keyfile = isc_commandline_argument; - break; - case 'h': - usage(0); - case 'k': - case 'y': /* Compatible with rndc -y. */ - keyname = isc_commandline_argument; - break; - case 'M': - isc_mem_debugging = ISC_MEM_DEBUGTRACE; - break; - - case 'm': - show_final_mem = ISC_TRUE; - break; - case 'p': - port = strtol(isc_commandline_argument, &p, 10); - if (*p != '\0' || port < 0 || port > 65535) - fatal("port '%s' out of range", - isc_commandline_argument); - break; - case 'r': - randomfile = isc_commandline_argument; - break; - case 's': - serveraddr = isc_commandline_argument; - if (inet_pton(AF_INET, serveraddr, &addr4_dummy) != 1 && - inet_pton(AF_INET6, serveraddr, &addr6_dummy) != 1) - fatal("-s should be an IPv4 or IPv6 address"); - break; - case 't': - chrootdir = isc_commandline_argument; - break; - case 'u': - user = isc_commandline_argument; - break; - case 'V': - verbose = ISC_TRUE; - break; - case '?': - usage(1); - break; - default: - fatal("unexpected error parsing command arguments: " - "got %c\n", ch); - break; - } - } - - argc -= isc_commandline_index; - argv += isc_commandline_index; - - if (argc > 0) - usage(1); - - DO("create memory context", isc_mem_create(0, 0, &mctx)); - - DO("create entropy context", isc_entropy_create(mctx, &ectx)); - - if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { - randomfile = NULL; - open_keyboard = ISC_ENTROPY_KEYBOARDYES; - } - DO("start entropy source", isc_entropy_usebestsource(ectx, - &entropy_source, - randomfile, - open_keyboard)); - - entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY; - - DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags)); - - DO("generate key", dst_key_generate(dns_rootname, DST_ALG_HMACMD5, - keysize, 0, 0, - DNS_KEYPROTO_ANY, - dns_rdataclass_in, mctx, &key)); - - 
isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret)); - - DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer)); - - isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret)); - isc_buffer_usedregion(&key_rawbuffer, &key_rawregion); - - DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "", - &key_txtbuffer)); - - /* - * Shut down the entropy source now so the "stop typing" message - * does not muck with the output. - */ - if (entropy_source != NULL) - isc_entropy_destroysource(&entropy_source); - - if (key != NULL) - dst_key_free(&key); - - isc_entropy_detach(&ectx); - dst_lib_destroy(); - - if (keyonly) { - write_key_file(keyfile, chrootdir == NULL ? user : NULL, - keyname, &key_txtbuffer); - - if (chrootdir != NULL) { - char *buf; - len = strlen(chrootdir) + strlen(keyfile) + 2; - buf = isc_mem_get(mctx, len); - if (buf == NULL) - fatal("isc_mem_get(%d) failed\n", len); - snprintf(buf, len, "%s%s%s", chrootdir, - (*keyfile != '/') ? 
"/" : "", keyfile); - - write_key_file(buf, user, keyname, &key_txtbuffer); - isc_mem_put(mctx, buf, len); - } - } else { - printf("\ -# Start of rndc.conf\n\ -key \"%s\" {\n\ - algorithm hmac-md5;\n\ - secret \"%.*s\";\n\ -};\n\ -\n\ -options {\n\ - default-key \"%s\";\n\ - default-server %s;\n\ - default-port %d;\n\ -};\n\ -# End of rndc.conf\n\ -\n\ -# Use with the following in named.conf, adjusting the allow list as needed:\n\ -# key \"%s\" {\n\ -# algorithm hmac-md5;\n\ -# secret \"%.*s\";\n\ -# };\n\ -# \n\ -# controls {\n\ -# inet %s port %d\n\ -# allow { %s; } keys { \"%s\"; };\n\ -# };\n\ -# End of named.conf\n", - keyname, - (int)isc_buffer_usedlength(&key_txtbuffer), - (char *)isc_buffer_base(&key_txtbuffer), - keyname, serveraddr, port, - keyname, - (int)isc_buffer_usedlength(&key_txtbuffer), - (char *)isc_buffer_base(&key_txtbuffer), - serveraddr, port, serveraddr, keyname); - } - - if (show_final_mem) - isc_mem_stats(mctx, stderr); - - isc_mem_destroy(&mctx); - - return (0); -} diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.docbook b/usr.sbin/bind/bin/rndc/rndc-confgen.docbook deleted file mode 100644 index 18ce3c53fd0..00000000000 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.docbook +++ /dev/null 
@@ -1,286 +0,0 @@ -]> - - - - - - Aug 27, 2001 - - - - rndc-confgen - 8 - BIND9 - - - - rndc-confgen - rndc key generation tool - - - - - 2004 - 2005 - 2007 - Internet Systems Consortium, Inc. ("ISC") - - - 2001 - 2003 - Internet Software Consortium. - - - - - - rndc-confgen - - - - - - - - - - - - - - - DESCRIPTION - rndc-confgen - generates configuration files - for rndc. It can be used as a - convenient alternative to writing the - rndc.conf file - and the corresponding controls - and key - statements in named.conf by hand. - Alternatively, it can be run with the -a - option to set up a rndc.key file and - avoid the need for a rndc.conf file - and a controls statement altogether. - - - - - - OPTIONS - - - - -a - - - Do automatic rndc configuration. - This creates a file rndc.key - in /etc (or whatever - sysconfdir - was specified as when BIND was - built) - that is read by both rndc - and named on startup. The - rndc.key file defines a default - command channel and authentication key allowing - rndc to communicate with - named on the local host - with no further configuration. - - - Running rndc-confgen -a allows - BIND 9 and rndc to be used as - drop-in - replacements for BIND 8 and ndc, - with no changes to the existing BIND 8 - named.conf file. - - - If a more elaborate configuration than that - generated by rndc-confgen -a - is required, for example if rndc is to be used remotely, - you should run rndc-confgen without - the - -a option and set up a - rndc.conf and - named.conf - as directed. - - - - - - -b keysize - - - Specifies the size of the authentication key in bits. - Must be between 1 and 512 bits; the default is 128. - - - - - - -c keyfile - - - Used with the -a option to specify - an alternate location for rndc.key. - - - - - - -h - - - Prints a short summary of the options and arguments to - rndc-confgen. - - - - - - -k keyname - - - Specifies the key name of the rndc authentication key. - This must be a valid domain name. 
- The default is rndc-key. - - - - - - -p port - - - Specifies the command channel port where named - listens for connections from rndc. - The default is 953. - - - - - - -r randomfile - - - Specifies a source of random data for generating the - authorization. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. - - - - - - -s address - - - Specifies the IP address where named - listens for command channel connections from - rndc. The default is the loopback - address 127.0.0.1. - - - - - - -t chrootdir - - - Used with the -a option to specify - a directory where named will run - chrooted. An additional copy of the rndc.key - will be written relative to this directory so that - it will be found by the chrooted named. - - - - - - -u user - - - Used with the -a option to set the - owner - of the rndc.key file generated. - If - -t is also specified only the file - in - the chroot area has its owner changed. - - - - - - - - - EXAMPLES - - To allow rndc to be used with - no manual configuration, run - - rndc-confgen -a - - - To print a sample rndc.conf file and - corresponding controls and key - statements to be manually inserted into named.conf, - run - - rndc-confgen - - - - - SEE ALSO - - rndc8 - , - - rndc.conf5 - , - - named8 - , - BIND 9 Administrator Reference Manual. - - - - - AUTHOR - Internet Systems Consortium - - - - diff --git a/usr.sbin/bind/bin/rndc/rndc-confgen.html b/usr.sbin/bind/bin/rndc/rndc-confgen.html deleted file mode 100644 index eb376be3538..00000000000 --- a/usr.sbin/bind/bin/rndc/rndc-confgen.html +++ /dev/null @@ -1,188 +0,0 @@ - - - - - -rndc-confgen - - -
-
-
-

Name

-

rndc-confgen — rndc key generation tool

-
-
-

Synopsis

-

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-
-
-

DESCRIPTION

-

rndc-confgen - generates configuration files - for rndc. It can be used as a - convenient alternative to writing the - rndc.conf file - and the corresponding controls - and key - statements in named.conf by hand. - Alternatively, it can be run with the -a - option to set up a rndc.key file and - avoid the need for a rndc.conf file - and a controls statement altogether. -

-
-
-

OPTIONS

-
-
-a
-
-

- Do automatic rndc configuration. - This creates a file rndc.key - in /etc (or whatever - sysconfdir - was specified as when BIND was - built) - that is read by both rndc - and named on startup. The - rndc.key file defines a default - command channel and authentication key allowing - rndc to communicate with - named on the local host - with no further configuration. -

-

- Running rndc-confgen -a allows - BIND 9 and rndc to be used as - drop-in - replacements for BIND 8 and ndc, - with no changes to the existing BIND 8 - named.conf file. -

-

- If a more elaborate configuration than that - generated by rndc-confgen -a - is required, for example if rndc is to be used remotely, - you should run rndc-confgen without - the - -a option and set up a - rndc.conf and - named.conf - as directed. -

-
-
-b keysize
-

- Specifies the size of the authentication key in bits. - Must be between 1 and 512 bits; the default is 128. -

-
-c keyfile
-

- Used with the -a option to specify - an alternate location for rndc.key. -

-
-h
-

- Prints a short summary of the options and arguments to - rndc-confgen. -

-
-k keyname
-

- Specifies the key name of the rndc authentication key. - This must be a valid domain name. - The default is rndc-key. -

-
-p port
-

- Specifies the command channel port where named - listens for connections from rndc. - The default is 953. -

-
-r randomfile
-

- Specifies a source of random data for generating the - authorization. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. -

-
-s address
-

- Specifies the IP address where named - listens for command channel connections from - rndc. The default is the loopback - address 127.0.0.1. -

-
-t chrootdir
-

- Used with the -a option to specify - a directory where named will run - chrooted. An additional copy of the rndc.key - will be written relative to this directory so that - it will be found by the chrooted named. -

-
-u user
-

- Used with the -a option to set the - owner - of the rndc.key file generated. - If - -t is also specified only the file - in - the chroot area has its owner changed. -

-
-
-
-

EXAMPLES

-

- To allow rndc to be used with - no manual configuration, run -

-

rndc-confgen -a -

-

- To print a sample rndc.conf file and - corresponding controls and key - statements to be manually inserted into named.conf, - run -

-

rndc-confgen -

-
-
-

SEE ALSO

-

rndc(8), - rndc.conf(5), - named(8), - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
- diff --git a/usr.sbin/bind/bin/rndc/rndc.8 b/usr.sbin/bind/bin/rndc/rndc.8 deleted file mode 100644 index 946d73fa267..00000000000 --- a/usr.sbin/bind/bin/rndc/rndc.8 +++ /dev/null 
@@ -1,88 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: rndc.8,v 1.2 2007/12/19 09:48:00 jakob Exp $
-.\"
-.hy 0
-.ad l
-.\"Generated by db2man.xsl. Don't modify this, modify the source.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "RNDC" 8 "June 30, 2000" "" ""
-.SH NAME
-rndc \- name server control utility
-.SH "SYNOPSIS"
-.HP 5
-\fBrndc\fR [\fB\-b\ \fIsource\-address\fR\fR] [\fB\-c\ \fIconfig\-file\fR\fR] [\fB\-k\ \fIkey\-file\fR\fR] [\fB\-s\ \fIserver\fR\fR] [\fB\-p\ \fIport\fR\fR] [\fB\-V\fR] [\fB\-y\ \fIkey_id\fR\fR] {command}
-.SH "DESCRIPTION"
-.PP
-\fBrndc\fR controls the operation of a name server\&. It supersedes the \fBndc\fR utility that was provided in old BIND releases\&. If \fBrndc\fR is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments\&.
-.PP
-\fBrndc\fR communicates with the name server over a TCP connection, sending commands authenticated with digital signatures\&. In the current versions of \fBrndc\fR and \fBnamed\fR, the only supported authentication algorithm is HMAC\-MD5, which uses a shared secret on each end of the connection\&. This provides TSIG\-style authentication for the command request and the name server's response\&. All commands sent over the channel must be signed by a key_id known to the server\&.
-.PP
-\fBrndc\fR reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use\&.
-.SH "OPTIONS"
-.TP
-\-b \fIsource\-address\fR
-Use \fIsource\-address\fR as the source address for the connection to the server\&. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses\&.
-.TP
-\-c \fIconfig\-file\fR
-Use \fIconfig\-file\fR as the configuration file instead of the default, \fI/etc/rndc\&.conf\fR\&.
-.TP
-\-k \fIkey\-file\fR
-Use \fIkey\-file\fR as the key file instead of the default, \fI/etc/rndc\&.key\fR\&. The key in \fI/etc/rndc\&.key\fR will be used to authenticate commands sent to the server if the \fIconfig\-file\fR does not exist\&.
-.TP
-\-s \fIserver\fR
-\fIserver\fR is the name or address of the server which matches a server statement in the configuration file for \fBrndc\fR\&. If no server is supplied on the command line, the host named by the default\-server clause in the options statement of the \fBrndc\fR configuration file will be used\&.
-.TP
-\-p \fIport\fR
-Send commands to TCP port \fIport\fR instead of BIND 9's default control channel port, 953\&.
-.TP
-\-V
-Enable verbose logging\&.
-.TP
-\-y \fIkey_id\fR
-Use the key \fIkey_id\fR from the configuration file\&. \fIkey_id\fR must be known by named with the same algorithm and secret string in order for control message validation to succeed\&. If no \fIkey_id\fR is specified, \fBrndc\fR will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default\-key clause of the options statement\&. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers\&. It should therefore not have general read or write access\&.
-.PP
-For the complete set of commands supported by \fBrndc\fR, see the BIND 9 Administrator Reference Manual or run \fBrndc\fR without arguments to see its help message\&.
-.SH "LIMITATIONS"
-.PP
-\fBrndc\fR does not yet support all the commands of the BIND 8 \fBndc\fR utility\&.
-.PP
-There is currently no way to provide the shared secret for a \fBkey_id\fR without using the configuration file\&.
-.PP
-Several error messages could be clearer\&.
-.SH "SEE ALSO"
-.PP
-\fBrndc\&.conf\fR(5), \fBrndc\-confgen\fR(8), \fBnamed\fR(8), \fBnamed\&.conf\fR(5), \fBndc\fR(8), BIND 9 Administrator Reference Manual\&.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
diff --git a/usr.sbin/bind/bin/rndc/rndc.c b/usr.sbin/bind/bin/rndc/rndc.c
deleted file mode 100644
index 79f711b9d41..00000000000
--- a/usr.sbin/bind/bin/rndc/rndc.c
+++ /dev/null
@@ -1,852 +0,0 @@ -/* - * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: rndc.c,v 1.96.18.17.42.3 2008/07/23 23:16:43 marka Exp $ */ - -/*! \file */ - -/* - * Principal Author: DCL - */ - -#include - -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include - -#include "util.h" - -#define SERVERADDRS 10 - -char *progname; -isc_boolean_t verbose; - -static const char *admin_conffile; -static const char *admin_keyfile; -static const char *version = VERSION; -static const char *servername = NULL; -static isc_sockaddr_t serveraddrs[SERVERADDRS]; -static isc_sockaddr_t local4, local6; -static isc_boolean_t local4set = ISC_FALSE, local6set = ISC_FALSE; -static int nserveraddrs; -static int currentaddr = 0; -static unsigned int remoteport = 0; -static isc_socketmgr_t *socketmgr = NULL; -static unsigned char databuf[2048]; -static isccc_ccmsg_t ccmsg; -static isccc_region_t secret; -static isc_boolean_t failed = ISC_FALSE; -static isc_mem_t *mctx; 
-static int sends, recvs, connects; -static char *command; -static char *args; -static char program[256]; -static isc_socket_t *sock = NULL; -static isc_uint32_t serial; - -static void rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task); - -static void -usage(int status) { - fprintf(stderr, "\ -Usage: %s [-c config] [-s server] [-p port]\n\ - [-k key-file ] [-y key] [-V] command\n\ -\n\ -command is one of the following:\n\ -\n\ - reload Reload configuration file and zones.\n\ - reload zone [class [view]]\n\ - Reload a single zone.\n\ - refresh zone [class [view]]\n\ - Schedule immediate maintenance for a zone.\n\ - retransfer zone [class [view]]\n\ - Retransfer a single zone without checking serial number.\n\ - freeze Suspend updates to all dynamic zones.\n\ - freeze zone [class [view]]\n\ - Suspend updates to a dynamic zone.\n\ - thaw Enable updates to all dynamic zones and reload them.\n\ - thaw zone [class [view]]\n\ - Enable updates to a frozen dynamic zone and reload it.\n\ - notify zone [class [view]]\n\ - Resend NOTIFY messages for the zone.\n\ - reconfig Reload configuration file and new zones only.\n\ - stats Write server statistics to the statistics file.\n\ - querylog Toggle query logging.\n\ - dumpdb [-all|-cache|-zones] [view ...]\n\ - Dump cache(s) to the dump file (/var/named/tmp/named_dump.db).\n\ - stop Save pending updates to master files and stop the server.\n\ - stop -p Save pending updates to master files and stop the server\n\ - reporting process id.\n\ - halt Stop the server without saving pending updates.\n\ - halt -p Stop the server without saving pending updates reporting\n\ - process id.\n\ - trace Increment debugging level by one.\n\ - trace level Change the debugging level.\n\ - notrace Set debugging level to 0.\n\ - flush Flushes all of the server's caches.\n\ - flush [view] Flushes the server's cache for a view.\n\ - flushname name [view]\n\ - Flush the given name from the server's cache(s)\n\ - status Display status of the 
server.\n\ - recursing Dump the queries that are currently recursing (named.recursing)\n\ - validation newstate [view]\n\ - Enable / disable DNSSEC validation.\n\ - *restart Restart the server.\n\ -\n\ -* == not yet implemented\n\ -Version: %s\n", - progname, version); - - exit(status); -} - -static void -get_addresses(const char *host, in_port_t port) { - isc_result_t result; - int found = 0, count; - - if (*host == '/') { - result = isc_sockaddr_frompath(&serveraddrs[nserveraddrs], - host); - if (result == ISC_R_SUCCESS) - nserveraddrs++; - } else { - count = SERVERADDRS - nserveraddrs; - result = bind9_getaddresses(host, port, - &serveraddrs[nserveraddrs], - count, &found); - nserveraddrs += found; - } - if (result != ISC_R_SUCCESS) - fatal("couldn't get address for '%s': %s", - host, isc_result_totext(result)); - INSIST(nserveraddrs > 0); -} - -static void -rndc_senddone(isc_task_t *task, isc_event_t *event) { - isc_socketevent_t *sevent = (isc_socketevent_t *)event; - - UNUSED(task); - - sends--; - if (sevent->result != ISC_R_SUCCESS) - fatal("send failed: %s", isc_result_totext(sevent->result)); - isc_event_free(&event); - if (sends == 0 && recvs == 0) { - isc_socket_detach(&sock); - isc_task_shutdown(task); - RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS); - } -} - -static void -rndc_recvdone(isc_task_t *task, isc_event_t *event) { - isccc_sexpr_t *response = NULL; - isccc_sexpr_t *data; - isccc_region_t source; - char *errormsg = NULL; - char *textmsg = NULL; - isc_result_t result; - - recvs--; - - if (ccmsg.result == ISC_R_EOF) - fatal("connection to remote host closed\n" - "This may indicate that\n" - "* the remote server is using an older version of" - " the command protocol,\n" - "* this host is not authorized to connect,\n" - "* the clocks are not syncronized, or\n" - "* the key is invalid."); - - if (ccmsg.result != ISC_R_SUCCESS) - fatal("recv failed: %s", isc_result_totext(ccmsg.result)); - - source.rstart = isc_buffer_base(&ccmsg.buffer); - 
source.rend = isc_buffer_used(&ccmsg.buffer); - - DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); - - data = isccc_alist_lookup(response, "_data"); - if (data == NULL) - fatal("no data section in response"); - result = isccc_cc_lookupstring(data, "err", &errormsg); - if (result == ISC_R_SUCCESS) { - failed = ISC_TRUE; - fprintf(stderr, "%s: '%s' failed: %s\n", - progname, command, errormsg); - } - else if (result != ISC_R_NOTFOUND) - fprintf(stderr, "%s: parsing response failed: %s\n", - progname, isc_result_totext(result)); - - result = isccc_cc_lookupstring(data, "text", &textmsg); - if (result == ISC_R_SUCCESS) - printf("%s\n", textmsg); - else if (result != ISC_R_NOTFOUND) - fprintf(stderr, "%s: parsing response failed: %s\n", - progname, isc_result_totext(result)); - - isc_event_free(&event); - isccc_sexpr_free(&response); - if (sends == 0 && recvs == 0) { - isc_socket_detach(&sock); - isc_task_shutdown(task); - RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS); - } -} - -static void -rndc_recvnonce(isc_task_t *task, isc_event_t *event) { - isccc_sexpr_t *response = NULL; - isccc_sexpr_t *_ctrl; - isccc_region_t source; - isc_result_t result; - isc_uint32_t nonce; - isccc_sexpr_t *request = NULL; - isccc_time_t now; - isc_region_t r; - isccc_sexpr_t *data; - isccc_region_t message; - isc_uint32_t len; - isc_buffer_t b; - - recvs--; - - if (ccmsg.result == ISC_R_EOF) - fatal("connection to remote host closed\n" - "This may indicate that\n" - "* the remote server is using an older version of" - " the command protocol,\n" - "* this host is not authorized to connect,\n" - "* the clocks are not syncronized, or\n" - "* the key is invalid."); - - if (ccmsg.result != ISC_R_SUCCESS) - fatal("recv failed: %s", isc_result_totext(ccmsg.result)); - - source.rstart = isc_buffer_base(&ccmsg.buffer); - source.rend = isc_buffer_used(&ccmsg.buffer); - - DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); - - _ctrl = 
isccc_alist_lookup(response, "_ctrl"); - if (_ctrl == NULL) - fatal("_ctrl section missing"); - nonce = 0; - if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) - nonce = 0; - - isc_stdtime_get(&now); - - DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial, - now, now + 60, &request)); - data = isccc_alist_lookup(request, "_data"); - if (data == NULL) - fatal("_data section missing"); - if (isccc_cc_definestring(data, "type", args) == NULL) - fatal("out of memory"); - if (nonce != 0) { - _ctrl = isccc_alist_lookup(request, "_ctrl"); - if (_ctrl == NULL) - fatal("_ctrl section missing"); - if (isccc_cc_defineuint32(_ctrl, "_nonce", nonce) == NULL) - fatal("out of memory"); - } - message.rstart = databuf + 4; - message.rend = databuf + sizeof(databuf); - DO("render message", isccc_cc_towire(request, &message, &secret)); - len = sizeof(databuf) - REGION_SIZE(message); - isc_buffer_init(&b, databuf, 4); - isc_buffer_putuint32(&b, len - 4); - r.length = len; - r.base = databuf; - - isccc_ccmsg_cancelread(&ccmsg); - DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task, - rndc_recvdone, NULL)); - recvs++; - DO("send message", isc_socket_send(sock, &r, task, rndc_senddone, - NULL)); - sends++; - - isc_event_free(&event); - isccc_sexpr_free(&response); - return; -} - -static void -rndc_connected(isc_task_t *task, isc_event_t *event) { - char socktext[ISC_SOCKADDR_FORMATSIZE]; - isc_socketevent_t *sevent = (isc_socketevent_t *)event; - isccc_sexpr_t *request = NULL; - isccc_sexpr_t *data; - isccc_time_t now; - isccc_region_t message; - isc_region_t r; - isc_uint32_t len; - isc_buffer_t b; - isc_result_t result; - - connects--; - - if (sevent->result != ISC_R_SUCCESS) { - isc_sockaddr_format(&serveraddrs[currentaddr], socktext, - sizeof(socktext)); - if (sevent->result != ISC_R_CANCELED && - ++currentaddr < nserveraddrs) - { - notify("connection failed: %s: %s", socktext, - isc_result_totext(sevent->result)); - isc_socket_detach(&sock); - 
isc_event_free(&event); - rndc_startconnect(&serveraddrs[currentaddr], task); - return; - } else - fatal("connect failed: %s: %s", socktext, - isc_result_totext(sevent->result)); - } - - isc_stdtime_get(&now); - DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial, - now, now + 60, &request)); - data = isccc_alist_lookup(request, "_data"); - if (data == NULL) - fatal("_data section missing"); - if (isccc_cc_definestring(data, "type", "null") == NULL) - fatal("out of memory"); - message.rstart = databuf + 4; - message.rend = databuf + sizeof(databuf); - DO("render message", isccc_cc_towire(request, &message, &secret)); - len = sizeof(databuf) - REGION_SIZE(message); - isc_buffer_init(&b, databuf, 4); - isc_buffer_putuint32(&b, len - 4); - r.length = len; - r.base = databuf; - - isccc_ccmsg_init(mctx, sock, &ccmsg); - isccc_ccmsg_setmaxsize(&ccmsg, 1024); - - DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task, - rndc_recvnonce, NULL)); - recvs++; - DO("send message", isc_socket_send(sock, &r, task, rndc_senddone, - NULL)); - sends++; - isc_event_free(&event); -} - -static void -rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) { - isc_result_t result; - int pf; - isc_sockettype_t type; - - char socktext[ISC_SOCKADDR_FORMATSIZE]; - - isc_sockaddr_format(addr, socktext, sizeof(socktext)); - - notify("using server %s (%s)", servername, socktext); - - pf = isc_sockaddr_pf(addr); - if (pf == AF_INET || pf == AF_INET6) - type = isc_sockettype_tcp; - else - type = isc_sockettype_unix; - DO("create socket", isc_socket_create(socketmgr, pf, type, &sock)); - switch (isc_sockaddr_pf(addr)) { - case AF_INET: - DO("bind socket", isc_socket_bind(sock, &local4, 0)); - break; - case AF_INET6: - DO("bind socket", isc_socket_bind(sock, &local6, 0)); - break; - default: - break; - } - DO("connect", isc_socket_connect(sock, addr, task, rndc_connected, - NULL)); - connects++; -} - -static void -rndc_start(isc_task_t *task, isc_event_t *event) { - 
isc_event_free(&event); - - currentaddr = 0; - rndc_startconnect(&serveraddrs[currentaddr], task); -} - -static void -parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, - cfg_parser_t **pctxp, cfg_obj_t **configp) -{ - isc_result_t result; - const char *conffile = admin_conffile; - const cfg_obj_t *addresses = NULL; - const cfg_obj_t *defkey = NULL; - const cfg_obj_t *options = NULL; - const cfg_obj_t *servers = NULL; - const cfg_obj_t *server = NULL; - const cfg_obj_t *keys = NULL; - const cfg_obj_t *key = NULL; - const cfg_obj_t *defport = NULL; - const cfg_obj_t *secretobj = NULL; - const cfg_obj_t *algorithmobj = NULL; - cfg_obj_t *config = NULL; - const cfg_obj_t *address = NULL; - const cfg_listelt_t *elt; - const char *secretstr; - const char *algorithm; - static char secretarray[1024]; - const cfg_type_t *conftype = &cfg_type_rndcconf; - isc_boolean_t key_only = ISC_FALSE; - const cfg_listelt_t *element; - - if (! isc_file_exists(conffile)) { - conffile = admin_keyfile; - conftype = &cfg_type_rndckey; - - if (! isc_file_exists(conffile)) - fatal("neither %s nor %s was found", - admin_conffile, admin_keyfile); - key_only = ISC_TRUE; - } - - DO("create parser", cfg_parser_create(mctx, log, pctxp)); - - /* - * The parser will output its own errors, so DO() is not used. 
- */ - result = cfg_parse_file(*pctxp, conffile, conftype, &config); - if (result != ISC_R_SUCCESS) - fatal("could not load rndc configuration"); - - if (!key_only) - (void)cfg_map_get(config, "options", &options); - - if (key_only && servername == NULL) - servername = "127.0.0.1"; - else if (servername == NULL && options != NULL) { - const cfg_obj_t *defserverobj = NULL; - (void)cfg_map_get(options, "default-server", &defserverobj); - if (defserverobj != NULL) - servername = cfg_obj_asstring(defserverobj); - } - - if (servername == NULL) - fatal("no server specified and no default"); - - if (!key_only) { - (void)cfg_map_get(config, "server", &servers); - if (servers != NULL) { - for (elt = cfg_list_first(servers); - elt != NULL; - elt = cfg_list_next(elt)) - { - const char *name; - server = cfg_listelt_value(elt); - name = cfg_obj_asstring(cfg_map_getname(server)); - if (strcasecmp(name, servername) == 0) - break; - server = NULL; - } - } - } - - /* - * Look for the name of the key to use. - */ - if (keyname != NULL) - ; /* Was set on command line, do nothing. */ - else if (server != NULL) { - DO("get key for server", cfg_map_get(server, "key", &defkey)); - keyname = cfg_obj_asstring(defkey); - } else if (options != NULL) { - DO("get default key", cfg_map_get(options, "default-key", - &defkey)); - keyname = cfg_obj_asstring(defkey); - } else if (!key_only) - fatal("no key for server and no default"); - - /* - * Get the key's definition. 
- */ - if (key_only) - DO("get key", cfg_map_get(config, "key", &key)); - else { - DO("get config key list", cfg_map_get(config, "key", &keys)); - for (elt = cfg_list_first(keys); - elt != NULL; - elt = cfg_list_next(elt)) - { - key = cfg_listelt_value(elt); - if (strcasecmp(cfg_obj_asstring(cfg_map_getname(key)), - keyname) == 0) - break; - } - if (elt == NULL) - fatal("no key definition for name %s", keyname); - } - (void)cfg_map_get(key, "secret", &secretobj); - (void)cfg_map_get(key, "algorithm", &algorithmobj); - if (secretobj == NULL || algorithmobj == NULL) - fatal("key must have algorithm and secret"); - - secretstr = cfg_obj_asstring(secretobj); - algorithm = cfg_obj_asstring(algorithmobj); - - if (strcasecmp(algorithm, "hmac-md5") != 0) - fatal("unsupported algorithm: %s", algorithm); - - secret.rstart = (unsigned char *)secretarray; - secret.rend = (unsigned char *)secretarray + sizeof(secretarray); - DO("decode base64 secret", isccc_base64_decode(secretstr, &secret)); - secret.rend = secret.rstart; - secret.rstart = (unsigned char *)secretarray; - - /* - * Find the port to connect to. - */ - if (remoteport != 0) - ; /* Was set on command line, do nothing. 
*/ - else { - if (server != NULL) - (void)cfg_map_get(server, "port", &defport); - if (defport == NULL && options != NULL) - (void)cfg_map_get(options, "default-port", &defport); - } - if (defport != NULL) { - remoteport = cfg_obj_asuint32(defport); - if (remoteport > 65535 || remoteport == 0) - fatal("port %u out of range", remoteport); - } else if (remoteport == 0) - remoteport = NS_CONTROL_PORT; - - if (server != NULL) - result = cfg_map_get(server, "addresses", &addresses); - else - result = ISC_R_NOTFOUND; - if (result == ISC_R_SUCCESS) { - for (element = cfg_list_first(addresses); - element != NULL; - element = cfg_list_next(element)) - { - isc_sockaddr_t sa; - - address = cfg_listelt_value(element); - if (!cfg_obj_issockaddr(address)) { - unsigned int myport; - const char *name; - const cfg_obj_t *obj; - - obj = cfg_tuple_get(address, "name"); - name = cfg_obj_asstring(obj); - obj = cfg_tuple_get(address, "port"); - if (cfg_obj_isuint32(obj)) { - myport = cfg_obj_asuint32(obj); - if (myport > ISC_UINT16_MAX || - myport == 0) - fatal("port %u out of range", - myport); - } else - myport = remoteport; - if (nserveraddrs < SERVERADDRS) - get_addresses(name, (in_port_t) myport); - else - fprintf(stderr, "too many address: " - "%s: dropped\n", name); - continue; - } - sa = *cfg_obj_assockaddr(address); - if (isc_sockaddr_getport(&sa) == 0) - isc_sockaddr_setport(&sa, remoteport); - if (nserveraddrs < SERVERADDRS) - serveraddrs[nserveraddrs++] = sa; - else { - char socktext[ISC_SOCKADDR_FORMATSIZE]; - - isc_sockaddr_format(&sa, socktext, - sizeof(socktext)); - fprintf(stderr, - "too many address: %s: dropped\n", - socktext); - } - } - } - - if (!local4set && server != NULL) { - address = NULL; - cfg_map_get(server, "source-address", &address); - if (address != NULL) { - local4 = *cfg_obj_assockaddr(address); - local4set = ISC_TRUE; - } - } - if (!local4set && options != NULL) { - address = NULL; - cfg_map_get(options, "default-source-address", &address); - if 
(address != NULL) { - local4 = *cfg_obj_assockaddr(address); - local4set = ISC_TRUE; - } - } - - if (!local6set && server != NULL) { - address = NULL; - cfg_map_get(server, "source-address-v6", &address); - if (address != NULL) { - local6 = *cfg_obj_assockaddr(address); - local6set = ISC_TRUE; - } - } - if (!local6set && options != NULL) { - address = NULL; - cfg_map_get(options, "default-source-address-v6", &address); - if (address != NULL) { - local6 = *cfg_obj_assockaddr(address); - local6set = ISC_TRUE; - } - } - - *configp = config; -} - -int -main(int argc, char **argv) { - isc_boolean_t show_final_mem = ISC_FALSE; - isc_result_t result = ISC_R_SUCCESS; - isc_taskmgr_t *taskmgr = NULL; - isc_task_t *task = NULL; - isc_log_t *log = NULL; - isc_logconfig_t *logconfig = NULL; - isc_logdestination_t logdest; - cfg_parser_t *pctx = NULL; - cfg_obj_t *config = NULL; - const char *keyname = NULL; - struct in_addr in; - struct in6_addr in6; - char *p; - size_t argslen; - int ch; - int i; - - result = isc_file_progname(*argv, program, sizeof(program)); - if (result != ISC_R_SUCCESS) - memcpy(program, "rndc", 5); - progname = program; - - admin_conffile = RNDC_CONFFILE; - admin_keyfile = RNDC_KEYFILE; - - isc_sockaddr_any(&local4); - isc_sockaddr_any6(&local6); - - result = isc_app_start(); - if (result != ISC_R_SUCCESS) - fatal("isc_app_start() failed: %s", isc_result_totext(result)); - - while ((ch = isc_commandline_parse(argc, argv, "b:c:k:Mmp:s:Vy:")) - != -1) { - switch (ch) { - case 'b': - if (inet_pton(AF_INET, isc_commandline_argument, - &in) == 1) { - isc_sockaddr_fromin(&local4, &in, 0); - local4set = ISC_TRUE; - } else if (inet_pton(AF_INET6, isc_commandline_argument, - &in6) == 1) { - isc_sockaddr_fromin6(&local6, &in6, 0); - local6set = ISC_TRUE; - } - break; - - case 'c': - admin_conffile = isc_commandline_argument; - break; - - case 'k': - admin_keyfile = isc_commandline_argument; - break; - - case 'M': - isc_mem_debugging = ISC_MEM_DEBUGTRACE; - break; 
- - case 'm': - show_final_mem = ISC_TRUE; - break; - - case 'p': - remoteport = atoi(isc_commandline_argument); - if (remoteport > 65535 || remoteport == 0) - fatal("port '%s' out of range", - isc_commandline_argument); - break; - - case 's': - servername = isc_commandline_argument; - break; - - case 'V': - verbose = ISC_TRUE; - break; - - case 'y': - keyname = isc_commandline_argument; - break; - - case '?': - usage(0); - break; - - default: - fatal("unexpected error parsing command arguments: " - "got %c\n", ch); - break; - } - } - - argc -= isc_commandline_index; - argv += isc_commandline_index; - - if (argc < 1) - usage(1); - - isc_random_get(&serial); - - DO("create memory context", isc_mem_create(0, 0, &mctx)); - DO("create socket manager", isc_socketmgr_create(mctx, &socketmgr)); - DO("create task manager", isc_taskmgr_create(mctx, 1, 0, &taskmgr)); - DO("create task", isc_task_create(taskmgr, 0, &task)); - - DO("create logging context", isc_log_create(mctx, &log, &logconfig)); - isc_log_setcontext(log); - DO("setting log tag", isc_log_settag(logconfig, progname)); - logdest.file.stream = stderr; - logdest.file.name = NULL; - logdest.file.versions = ISC_LOG_ROLLNEVER; - logdest.file.maximum_size = 0; - DO("creating log channel", - isc_log_createchannel(logconfig, "stderr", - ISC_LOG_TOFILEDESC, ISC_LOG_INFO, &logdest, - ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL)); - DO("enabling log channel", isc_log_usechannel(logconfig, "stderr", - NULL, NULL)); - - parse_config(mctx, log, keyname, &pctx, &config); - - isccc_result_register(); - - command = *argv; - - /* - * Convert argc/argv into a space-delimited command string - * similar to what the user might enter in interactive mode - * (if that were implemented). 
- */ - argslen = 0; - for (i = 0; i < argc; i++) - argslen += strlen(argv[i]) + 1; - - args = isc_mem_get(mctx, argslen); - if (args == NULL) - DO("isc_mem_get", ISC_R_NOMEMORY); - - p = args; - for (i = 0; i < argc; i++) { - size_t len = strlen(argv[i]); - memcpy(p, argv[i], len); - p += len; - *p++ = ' '; - } - - p--; - *p++ = '\0'; - INSIST(p == args + argslen); - - notify("%s", command); - - if (strcmp(command, "restart") == 0) - fatal("'%s' is not implemented", command); - - if (nserveraddrs == 0) - get_addresses(servername, (in_port_t) remoteport); - - DO("post event", isc_app_onrun(mctx, task, rndc_start, NULL)); - - result = isc_app_run(); - if (result != ISC_R_SUCCESS) - fatal("isc_app_run() failed: %s", isc_result_totext(result)); - - if (connects > 0 || sends > 0 || recvs > 0) - isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL); - - isc_task_detach(&task); - isc_taskmgr_destroy(&taskmgr); - isc_socketmgr_destroy(&socketmgr); - isc_log_destroy(&log); - isc_log_setcontext(NULL); - - cfg_obj_destroy(pctx, &config); - cfg_parser_destroy(&pctx); - - isc_mem_put(mctx, args, argslen); - isccc_ccmsg_invalidate(&ccmsg); - - dns_name_destroy(); - - if (show_final_mem) - isc_mem_stats(mctx, stderr); - - isc_mem_destroy(&mctx); - - if (failed) - return (1); - - return (0); -} diff --git a/usr.sbin/bind/bin/rndc/rndc.conf b/usr.sbin/bind/bin/rndc/rndc.conf deleted file mode 100644 index 045391156b0..00000000000 --- a/usr.sbin/bind/bin/rndc/rndc.conf +++ /dev/null 
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: rndc.conf,v 1.8.18.1 2004/06/18 04:39:39 marka Exp $ */
-
-/*
- * Sample rndc configuration file.
- */
-
-options {
- default-server localhost;
- default-key "key";
-};
-
-server localhost {
- key "key";
-};
-
-key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
- algorithm hmac-md5;
- secret "34f88008d07deabbe65bd01f1d233d47";
-};
-
-server "test1" {
- key "cc64b3d1db63fc88d7cb5d2f9f57d258";
- port 5353;
- addresses { 10.53.0.1; };
-};
-
-key "key" {
- algorithm hmac-md5;
- secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
-};
diff --git a/usr.sbin/bind/bin/rndc/rndc.conf.5 b/usr.sbin/bind/bin/rndc/rndc.conf.5
deleted file mode 100644
index 23a1c6b9ccf..00000000000
--- a/usr.sbin/bind/bin/rndc/rndc.conf.5
+++ /dev/null
@@ -1,214 +0,0 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $ISC: rndc.conf.5,v 1.23.18.15 2007/05/09 13:35:47 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" Title: \fIrndc.conf\fR
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.71.1
-.\" Date: June 30, 2000
-.\" Manual: BIND9
-.\" Source: BIND9
-.\"
-.TH "\fIRNDC.CONF\fR" "5" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-rndc.conf \- rndc configuration file
-.SH "SYNOPSIS"
-.HP 10
-\fBrndc.conf\fR
-.SH "DESCRIPTION"
-.PP
-\fIrndc.conf\fR
-is the configuration file for
-\fBrndc\fR, the BIND 9 name server control utility. This file has a similar structure and syntax to
-\fInamed.conf\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported:
-.PP
-C style: /* */
-.PP
-C++ style: // to end of line
-.PP
-Unix style: # to end of line
-.PP
-\fIrndc.conf\fR
-is much simpler than
-\fInamed.conf\fR. The file uses three statements: an options statement, a server statement and a key statement.
-.PP
-The
-\fBoptions\fR
-statement contains five clauses. The
-\fBdefault\-server\fR
-clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to
-\fBrndc\fR. The
-\fBdefault\-key\fR
-clause is followed by the name of a key which is identified by a
-\fBkey\fR
-statement. If no
-\fBkeyid\fR
-is provided on the rndc command line, and no
-\fBkey\fR
-clause is found in a matching
-\fBserver\fR
-statement, this default key will be used to authenticate the server's commands and responses. The
-\fBdefault\-port\fR
-clause is followed by the port to connect to on the remote name server. If no
-\fBport\fR
-option is provided on the rndc command line, and no
-\fBport\fR
-clause is found in a matching
-\fBserver\fR
-statement, this default port will be used to connect. The
-\fBdefault\-source\-address\fR
-and
-\fBdefault\-source\-address\-v6\fR
-clauses which can be used to set the IPv4 and IPv6 source addresses respectively.
-.PP
-After the
-\fBserver\fR
-keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses:
-\fBkey\fR,
-\fBport\fR
-and
-\fBaddresses\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an
-\fBaddresses\fR
-clause is supplied these addresses will be used instead of the server name. Each address can take an optional port. If an
-\fBsource\-address\fR
-or
-\fBsource\-address\-v6\fR
-of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.
-.PP
-The
-\fBkey\fR
-statement begins with an identifying string, the name of the key. The statement has two clauses.
-\fBalgorithm\fR
-identifies the encryption algorithm for
-\fBrndc\fR
-to use; currently only HMAC\-MD5 is supported. This is followed by a secret clause which contains the base\-64 encoding of the algorithm's encryption key. The base\-64 string is enclosed in double quotes.
-.PP
-There are two common ways to generate the base\-64 string for the secret. The BIND 9 program
-\fBrndc\-confgen\fR
-can be used to generate a random key, or the
-\fBmmencode\fR
-program, also known as
-\fBmimencode\fR, can be used to generate a base\-64 string from known input.
-\fBmmencode\fR
-does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.
-.SH "EXAMPLE"
-.PP
-.RS 4
-.nf
- options {
- default\-server localhost;
- default\-key samplekey;
- };
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
- server localhost {
- key samplekey;
- };
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
- server testserver {
- key testkey;
- addresses { localhost port 5353; };
- };
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
- key samplekey {
- algorithm hmac\-md5;
- secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
- };
-.fi
-.RE
-.sp
-.PP
-.RS 4
-.nf
- key testkey {
- algorithm hmac\-md5;
- secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
- };
-.fi
-.RE
-.sp
-.PP
-In the above example,
-\fBrndc\fR
-will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC\-MD5 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-MD5 secret enclosed in double quotes.
-.PP
-If
-\fBrndc \-s testserver\fR
-is used then
-\fBrndc\fR
-will connect to server on localhost port 5353 using the key testkey.
-.PP
-To generate a random secret with
-\fBrndc\-confgen\fR:
-.PP
-\fBrndc\-confgen\fR
-.PP
-A complete
-\fIrndc.conf\fR
-file, including the randomly generated key, will be written to the standard output. Commented\-out
-\fBkey\fR
-and
-\fBcontrols\fR
-statements for
-\fInamed.conf\fR
-are also printed.
-.PP
-To generate a base\-64 secret with
-\fBmmencode\fR:
-.PP
-\fBecho "known plaintext for a secret" | mmencode\fR
-.SH "NAME SERVER CONFIGURATION"
-.PP
-The name server must be configured to accept rndc connections and to recognize the key specified in the
-\fIrndc.conf\fR
-file, using the controls statement in
-\fInamed.conf\fR. See the sections on the
-\fBcontrols\fR
-statement in the BIND 9 Administrator Reference Manual for details.
-.SH "SEE ALSO"
-.PP
-\fBrndc\fR(8),
-\fBrndc\-confgen\fR(8),
-\fBmmencode\fR(1),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
-.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
-.br
diff --git a/usr.sbin/bind/bin/rndc/rndc.conf.docbook b/usr.sbin/bind/bin/rndc/rndc.conf.docbook
deleted file mode 100644
index 617cf2b8801..00000000000
--- a/usr.sbin/bind/bin/rndc/rndc.conf.docbook
+++ /dev/null
@@ -1,252 +0,0 @@ -]> - - - - - - June 30, 2000 - - - - rndc.conf - 5 - BIND9 - - - - rndc.conf - rndc configuration file - - - - - 2004 - 2005 - 2007 - Internet Systems Consortium, Inc. ("ISC") - - - 2000 - 2001 - Internet Software Consortium. - - - - - - rndc.conf - - - - - DESCRIPTION - rndc.conf is the configuration file - for rndc, the BIND 9 name server control - utility. This file has a similar structure and syntax to - named.conf. Statements are enclosed - in braces and terminated with a semi-colon. Clauses in - the statements are also semi-colon terminated. The usual - comment styles are supported: - - - C style: /* */ - - - C++ style: // to end of line - - - Unix style: # to end of line - - rndc.conf is much simpler than - named.conf. The file uses three - statements: an options statement, a server statement - and a key statement. - - - The statement contains five clauses. - The clause is followed by the - name or address of a name server. This host will be used when - no name server is given as an argument to - rndc. The - clause is followed by the name of a key which is identified by - a statement. If no - is provided on the rndc command line, - and no clause is found in a matching - statement, this default key will be - used to authenticate the server's commands and responses. The - clause is followed by the port - to connect to on the remote name server. If no - option is provided on the rndc command - line, and no clause is found in a - matching statement, this default port - will be used to connect. - The and - clauses which - can be used to set the IPv4 and IPv6 source addresses - respectively. - - - After the keyword, the server - statement includes a string which is the hostname or address - for a name server. The statement has three possible clauses: - , and - . The key name must match the - name of a key statement in the file. The port number - specifies the port to connect to. 
If an - clause is supplied these addresses will be used instead of - the server name. Each address can take an optional port. - If an or - of supplied then these will be used to specify the IPv4 and IPv6 - source addresses respectively. - - - The statement begins with an identifying - string, the name of the key. The statement has two clauses. - identifies the encryption algorithm - for rndc to use; currently only HMAC-MD5 - is - supported. This is followed by a secret clause which contains - the base-64 encoding of the algorithm's encryption key. The - base-64 string is enclosed in double quotes. - - - There are two common ways to generate the base-64 string for the - secret. The BIND 9 program rndc-confgen - can - be used to generate a random key, or the - mmencode program, also known as - mimencode, can be used to generate a - base-64 - string from known input. mmencode does - not - ship with BIND 9 but is available on many systems. See the - EXAMPLE section for sample command lines for each. - - - - - EXAMPLE - - - options { - default-server localhost; - default-key samplekey; - }; - - - - server localhost { - key samplekey; - }; - - - - server testserver { - key testkey; - addresses { localhost port 5353; }; - }; - - - - key samplekey { - algorithm hmac-md5; - secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz"; - }; - - - - key testkey { - algorithm hmac-md5; - secret "R3HI8P6BKw9ZwXwN3VZKuQ=="; - }; - - - - - In the above example, rndc will by - default use - the server at localhost (127.0.0.1) and the key called samplekey. - Commands to the localhost server will use the samplekey key, which - must also be defined in the server's configuration file with the - same name and secret. The key statement indicates that samplekey - uses the HMAC-MD5 algorithm and its secret clause contains the - base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. 
- - - If rndc -s testserver is used then rndc will - connect to server on localhost port 5353 using the key testkey. - - - To generate a random secret with rndc-confgen: - - rndc-confgen - - - A complete rndc.conf file, including - the - randomly generated key, will be written to the standard - output. Commented-out and - statements for - named.conf are also printed. - - - To generate a base-64 secret with mmencode: - - echo "known plaintext for a secret" | mmencode - - - - - NAME SERVER CONFIGURATION - - The name server must be configured to accept rndc connections and - to recognize the key specified in the rndc.conf - file, using the controls statement in named.conf. - See the sections on the statement in the - BIND 9 Administrator Reference Manual for details. - - - - - SEE ALSO - - rndc8 - , - - rndc-confgen8 - , - - mmencode1 - , - BIND 9 Administrator Reference Manual. - - - - - AUTHOR - Internet Systems Consortium - - - - diff --git a/usr.sbin/bind/bin/rndc/rndc.conf.html b/usr.sbin/bind/bin/rndc/rndc.conf.html deleted file mode 100644 index 45c818322f5..00000000000 --- a/usr.sbin/bind/bin/rndc/rndc.conf.html +++ /dev/null @@ -1,217 +0,0 @@ - - - - - -rndc.conf - - -
-
-
-

Name

-

rndc.conf — rndc configuration file

-
-
-

Synopsis

-

rndc.conf

-
-
-

DESCRIPTION

-

rndc.conf is the configuration file - for rndc, the BIND 9 name server control - utility. This file has a similar structure and syntax to - named.conf. Statements are enclosed - in braces and terminated with a semi-colon. Clauses in - the statements are also semi-colon terminated. The usual - comment styles are supported: -

-

- C style: /* */ -

-

- C++ style: // to end of line -

-

- Unix style: # to end of line -

-

rndc.conf is much simpler than - named.conf. The file uses three - statements: an options statement, a server statement - and a key statement. -

-

- The options statement contains five clauses. - The default-server clause is followed by the - name or address of a name server. This host will be used when - no name server is given as an argument to - rndc. The default-key - clause is followed by the name of a key which is identified by - a key statement. If no - keyid is provided on the rndc command line, - and no key clause is found in a matching - server statement, this default key will be - used to authenticate the server's commands and responses. The - default-port clause is followed by the port - to connect to on the remote name server. If no - port option is provided on the rndc command - line, and no port clause is found in a - matching server statement, this default port - will be used to connect. - The default-source-address and - default-source-address-v6 clauses which - can be used to set the IPv4 and IPv6 source addresses - respectively. -

-

- After the server keyword, the server - statement includes a string which is the hostname or address - for a name server. The statement has three possible clauses: - key, port and - addresses. The key name must match the - name of a key statement in the file. The port number - specifies the port to connect to. If an addresses - clause is supplied these addresses will be used instead of - the server name. Each address can take an optional port. - If an source-address or source-address-v6 - of supplied then these will be used to specify the IPv4 and IPv6 - source addresses respectively. -

-

- The key statement begins with an identifying - string, the name of the key. The statement has two clauses. - algorithm identifies the encryption algorithm - for rndc to use; currently only HMAC-MD5 - is - supported. This is followed by a secret clause which contains - the base-64 encoding of the algorithm's encryption key. The - base-64 string is enclosed in double quotes. -

-

- There are two common ways to generate the base-64 string for the - secret. The BIND 9 program rndc-confgen - can - be used to generate a random key, or the - mmencode program, also known as - mimencode, can be used to generate a - base-64 - string from known input. mmencode does - not - ship with BIND 9 but is available on many systems. See the - EXAMPLE section for sample command lines for each. -

-
-
-

EXAMPLE

-
-      options {
-        default-server  localhost;
-        default-key     samplekey;
-      };
-
-

-

-
-      server localhost {
-        key             samplekey;
-      };
-
-

-

-
-      server testserver {
-        key		testkey;
-        addresses	{ localhost port 5353; };
-      };
-
-

-

-
-      key samplekey {
-        algorithm       hmac-md5;
-        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
-      };
-
-

-

-
-      key testkey {
-        algorithm	hmac-md5;
-        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
-      };
-    
-

-

-

- In the above example, rndc will by - default use - the server at localhost (127.0.0.1) and the key called samplekey. - Commands to the localhost server will use the samplekey key, which - must also be defined in the server's configuration file with the - same name and secret. The key statement indicates that samplekey - uses the HMAC-MD5 algorithm and its secret clause contains the - base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. -

-

- If rndc -s testserver is used then rndc will - connect to server on localhost port 5353 using the key testkey. -

-

- To generate a random secret with rndc-confgen: -

-

rndc-confgen -

-

- A complete rndc.conf file, including - the - randomly generated key, will be written to the standard - output. Commented-out key and - controls statements for - named.conf are also printed. -

-

- To generate a base-64 secret with mmencode: -

-

echo "known plaintext for a secret" | mmencode -

-
-
-

NAME SERVER CONFIGURATION

-

- The name server must be configured to accept rndc connections and - to recognize the key specified in the rndc.conf - file, using the controls statement in named.conf. - See the sections on the controls statement in the - BIND 9 Administrator Reference Manual for details. -

-
-
-

SEE ALSO

-

rndc(8), - rndc-confgen(8), - mmencode(1), - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
- diff --git a/usr.sbin/bind/bin/rndc/rndc.docbook b/usr.sbin/bind/bin/rndc/rndc.docbook deleted file mode 100644 index 1a055c119bb..00000000000 --- a/usr.sbin/bind/bin/rndc/rndc.docbook +++ /dev/null 
@@ -1,253 +0,0 @@ -]> - - - - - - June 30, 2000 - - - - rndc - 8 - BIND9 - - - - rndc - name server control utility - - - - - 2004 - 2005 - 2007 - Internet Systems Consortium, Inc. ("ISC") - - - 2000 - 2001 - Internet Software Consortium. - - - - - - rndc - - - - - - - - command - - - - - DESCRIPTION - rndc - controls the operation of a name - server. It supersedes the ndc utility - that was provided in old BIND releases. If - rndc is invoked with no command line - options or arguments, it prints a short summary of the - supported commands and the available options and their - arguments. - - rndc - communicates with the name server - over a TCP connection, sending commands authenticated with - digital signatures. In the current versions of - rndc and named, - the only supported authentication algorithm is HMAC-MD5, - which uses a shared secret on each end of the connection. - This provides TSIG-style authentication for the command - request and the name server's response. All commands sent - over the channel must be signed by a key_id known to the - server. - - rndc - reads a configuration file to - determine how to contact the name server and decide what - algorithm and key it should use. - - - - - OPTIONS - - - - -b source-address - - - Use source-address - as the source address for the connection to the server. - Multiple instances are permitted to allow setting of both - the IPv4 and IPv6 source addresses. - - - - - - -c config-file - - - Use config-file - as the configuration file instead of the default, - /etc/rndc.conf. - - - - - - -k key-file - - - Use key-file - as the key file instead of the default, - /etc/rndc.key. The key in - /etc/rndc.key will be used to - authenticate - commands sent to the server if the config-file - does not exist. - - - - - - -s server - - server is - the name or address of the server which matches a - server statement in the configuration file for - rndc. 
If no server is supplied on the - command line, the host named by the default-server clause - in the options statement of the rndc - configuration file will be used. - - - - - - -p port - - - Send commands to TCP port - port - instead - of BIND 9's default control channel port, 953. - - - - - - -V - - - Enable verbose logging. - - - - - - -y key_id - - - Use the key key_id - from the configuration file. - key_id - must be - known by named with the same algorithm and secret string - in order for control message validation to succeed. - If no key_id - is specified, rndc will first look - for a key clause in the server statement of the server - being used, or if no server statement is present for that - host, then the default-key clause of the options statement. - Note that the configuration file contains shared secrets - which are used to send authenticated control commands - to name servers. It should therefore not have general read - or write access. - - - - - - - - For the complete set of commands supported by rndc, - see the BIND 9 Administrator Reference Manual or run - rndc without arguments to see its help - message. - - - - - - LIMITATIONS - rndc - does not yet support all the commands of - the BIND 8 ndc utility. - - - There is currently no way to provide the shared secret for a - without using the configuration file. - - - Several error messages could be clearer. - - - - - SEE ALSO - - rndc.conf5 - , - - rndc-confgen8 - , - - named8 - , - - named.conf5 - , - - ndc8 - , - BIND 9 Administrator Reference Manual. - - - - - AUTHOR - Internet Systems Consortium - - - - diff --git a/usr.sbin/bind/bin/rndc/rndc.html b/usr.sbin/bind/bin/rndc/rndc.html deleted file mode 100644 index 461499f3f78..00000000000 --- a/usr.sbin/bind/bin/rndc/rndc.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - -rndc - - -
-
-
-

Name

-

rndc — name server control utility

-
-
-

Synopsis

-

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-
-
-

DESCRIPTION

-

rndc - controls the operation of a name - server. It supersedes the ndc utility - that was provided in old BIND releases. If - rndc is invoked with no command line - options or arguments, it prints a short summary of the - supported commands and the available options and their - arguments. -

-

rndc - communicates with the name server - over a TCP connection, sending commands authenticated with - digital signatures. In the current versions of - rndc and named, - the only supported authentication algorithm is HMAC-MD5, - which uses a shared secret on each end of the connection. - This provides TSIG-style authentication for the command - request and the name server's response. All commands sent - over the channel must be signed by a key_id known to the - server. -

-

rndc - reads a configuration file to - determine how to contact the name server and decide what - algorithm and key it should use. -

-
-
-

OPTIONS

-
-
-b source-address
-

- Use source-address - as the source address for the connection to the server. - Multiple instances are permitted to allow setting of both - the IPv4 and IPv6 source addresses. -

-
-c config-file
-

- Use config-file - as the configuration file instead of the default, - /etc/rndc.conf. -

-
-k key-file
-

- Use key-file - as the key file instead of the default, - /etc/rndc.key. The key in - /etc/rndc.key will be used to - authenticate - commands sent to the server if the config-file - does not exist. -

-
-s server
-

server is - the name or address of the server which matches a - server statement in the configuration file for - rndc. If no server is supplied on the - command line, the host named by the default-server clause - in the options statement of the rndc - configuration file will be used. -

-
-p port
-

- Send commands to TCP port - port - instead - of BIND 9's default control channel port, 953. -

-
-V
-

- Enable verbose logging. -

-
-y key_id
-

- Use the key key_id - from the configuration file. - key_id - must be - known by named with the same algorithm and secret string - in order for control message validation to succeed. - If no key_id - is specified, rndc will first look - for a key clause in the server statement of the server - being used, or if no server statement is present for that - host, then the default-key clause of the options statement. - Note that the configuration file contains shared secrets - which are used to send authenticated control commands - to name servers. It should therefore not have general read - or write access. -

-
-

- For the complete set of commands supported by rndc, - see the BIND 9 Administrator Reference Manual or run - rndc without arguments to see its help - message. -

-
-
-

LIMITATIONS

-

rndc - does not yet support all the commands of - the BIND 8 ndc utility. -

-

- There is currently no way to provide the shared secret for a - key_id without using the configuration file. -

-

- Several error messages could be clearer. -

-
-
-

SEE ALSO

-

rndc.conf(5), - named(8), - named.conf(5), - ndc(8), - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
- diff --git a/usr.sbin/bind/bin/rndc/unix/Makefile.in b/usr.sbin/bind/bin/rndc/unix/Makefile.in deleted file mode 100644 index 30550e42c54..00000000000 --- a/usr.sbin/bind/bin/rndc/unix/Makefile.in +++ /dev/null @@ -1,36 +0,0 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: Makefile.in,v 1.3 2004/03/05 04:58:29 marka Exp $ - -srcdir = @srcdir@ -VPATH = @srcdir@ -top_srcdir = @top_srcdir@ - -@BIND9_MAKE_INCLUDES@ - -CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \ - ${DNS_INCLUDES} ${ISC_INCLUDES} - -CDEFINES = -CWARNINGS = - -OBJS = os.@O@ - -SRCS = os.c - -TARGETS = ${OBJS} - -@BIND9_MAKE_RULES@ diff --git a/usr.sbin/bind/bin/rndc/unix/os.c b/usr.sbin/bind/bin/rndc/unix/os.c deleted file mode 100644 index 97d5d3b19c1..00000000000 --- a/usr.sbin/bind/bin/rndc/unix/os.c +++ /dev/null 
@@ -1,70 +0,0 @@ -/* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: os.c,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */ - -/*! \file */ - -#include - -#include - -#include -#include -#include -#include -#include -#include -#include - -int -set_user(FILE *fd, const char *user) { - struct passwd *pw; - - pw = getpwnam(user); - if (pw == NULL) { - errno = EINVAL; - return (-1); - } - return (fchown(fileno(fd), pw->pw_uid, -1)); -} - -FILE * -safe_create(const char *filename) { - int fd; - FILE *f; - struct stat sb; - int flags = O_WRONLY; - - if (stat(filename, &sb) == -1) { - if (errno != ENOENT) - return (NULL); - flags = O_WRONLY | O_CREAT | O_EXCL; - } else if (!S_ISREG(sb.st_mode)) { - errno = EOPNOTSUPP; - return (NULL); - } else - flags = O_WRONLY | O_TRUNC; - - fd = open(filename, flags, S_IRUSR | S_IWUSR); - if (fd == -1) - return (NULL); - f = fdopen(fd, "w"); - if (f == NULL) - close(fd); - return (f); -} diff --git a/usr.sbin/bind/bin/rndc/util.c b/usr.sbin/bind/bin/rndc/util.c deleted file mode 100644 index 596fb0bda2b..00000000000 --- a/usr.sbin/bind/bin/rndc/util.c +++ /dev/null 
@@ -1,57 +0,0 @@ -/* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: util.c,v 1.3.18.2 2005/04/29 00:15:40 marka Exp $ */ - -/*! \file */ - -#include - -#include -#include -#include - -#include - -#include "util.h" - -extern isc_boolean_t verbose; -extern const char *progname; - -void -notify(const char *fmt, ...) { - va_list ap; - - if (verbose) { - va_start(ap, fmt); - vfprintf(stderr, fmt, ap); - va_end(ap); - fputs("\n", stderr); - } -} - -void -fatal(const char *format, ...) { - va_list args; - - fprintf(stderr, "%s: ", progname); - va_start(args, format); - vfprintf(stderr, format, args); - va_end(args); - fprintf(stderr, "\n"); - exit(1); -} diff --git a/usr.sbin/bind/bin/rndc/util.h b/usr.sbin/bind/bin/rndc/util.h deleted file mode 100644 index 81d352791c7..00000000000 --- a/usr.sbin/bind/bin/rndc/util.h +++ /dev/null 
@@ -1,51 +0,0 @@ -/* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: util.h,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */ - -#ifndef RNDC_UTIL_H -#define RNDC_UTIL_H 1 - -/*! \file */ - -#include - -#include - -#define NS_CONTROL_PORT 953 - -#undef DO -#define DO(name, function) \ - do { \ - result = function; \ - if (result != ISC_R_SUCCESS) \ - fatal("%s: %s", name, isc_result_totext(result)); \ - else \ - notify("%s", name); \ - } while (0) - -ISC_LANG_BEGINDECLS - -void -notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2); - -void -fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); - -ISC_LANG_ENDDECLS - -#endif /* RNDC_UTIL_H */ diff --git a/usr.sbin/bind/bin/tests/system/masterformat/clean.sh b/usr.sbin/bind/bin/tests/system/masterformat/clean.sh deleted file mode 100644 index eba7eddb478..00000000000 --- a/usr.sbin/bind/bin/tests/system/masterformat/clean.sh +++ /dev/null 
@@ -1,22 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $ISC: clean.sh,v 1.2.2.1 2005/06/20 01:19:29 marka Exp $
-
-rm -f named-compilezone
-rm -f ns1/example.db.raw
-rm -f ns2/example.db
-rm -f dig.out.*
diff --git a/usr.sbin/bind/bin/tests/system/masterformat/ns1/compile.sh b/usr.sbin/bind/bin/tests/system/masterformat/ns1/compile.sh
deleted file mode 100644
index b5fca5cddf3..00000000000
--- a/usr.sbin/bind/bin/tests/system/masterformat/ns1/compile.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright (C) 2005, 2006 Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $ISC: compile.sh,v 1.2.2.3 2006/01/07 00:23:34 marka Exp $
-
-../named-compilezone -D -F raw -o example.db.raw example example.db
diff --git a/usr.sbin/bind/bin/tests/system/masterformat/ns1/example.db b/usr.sbin/bind/bin/tests/system/masterformat/ns1/example.db
deleted file mode 100644
index ceebcba1e1c..00000000000
--- a/usr.sbin/bind/bin/tests/system/masterformat/ns1/example.db
+++ /dev/null
@@ -1,54 +0,0 @@ -; Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC") -; -; Permission to use, copy, modify, and distribute this software for any -; purpose with or without fee is hereby granted, provided that the above -; copyright notice and this permission notice appear in all copies. -; -; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -; PERFORMANCE OF THIS SOFTWARE. - -; $ISC: example.db,v 1.2.2.2 2005/06/22 00:13:09 marka Exp $ - -$TTL 1D - -@ IN SOA ns hostmaster ( - 1 - 3600 - 1800 - 1814400 - 3 - ) - NS ns -ns A 10.53.0.1 -mx MX 10 mail -a A 10.53.0.1 - A 10.53.0.2 -aaaa AAAA 2001:db8::53 -cname CNAME cname-target -dname DNAME dname-target -txt TXT "this is text" - -;; -;; we are not testing DNSSEC behavior, so we don't care about the semantics -;; of the following records. -dnskey 300 DNSKEY 256 3 1 ( - AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg - +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD - Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R - b9VIE5x7KNHAYTvTO5d4S8M= - ) -ds 300 DS 30795 1 1 ( - 310D27F4D82C1FC2400704EA9939FE6E1CEA - A3B9 ) -nsec 600 NSEC nsecnext NS DS RRSIG NSEC -rrsig 300 RRSIG SOA 1 0 300 20050714214747 ( - 20050614214747 30795 . - yi/RRPAQmn6rnjDQaCqVValBa+ICF00ZldKf - ZSDaoew5mMUh83DlrrPPNeAxrzMSNzDGlJ6P - fdyIFgzPn/CvthF4kjBUAiJTp4r2zhlaUJQ+ - QFo+drYXYgVJo6aA36fj ) diff --git a/usr.sbin/bind/bin/tests/system/masterformat/ns1/named.conf b/usr.sbin/bind/bin/tests/system/masterformat/ns1/named.conf deleted file mode 100644 index 9b1e92494d0..00000000000 --- a/usr.sbin/bind/bin/tests/system/masterformat/ns1/named.conf +++ /dev/null 
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: named.conf,v 1.2.2.1 2005/06/20 01:19:32 marka Exp $ */
-
-// NS1
-
-controls { /* empty */ };
-
-options {
- pid-file "named.pid";
- listen-on port 5300 { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify no;
- dnssec-enable yes;
-};
-
-zone "example" {
- type master;
- masterfile-format raw;
- file "example.db.raw";
-};
diff --git a/usr.sbin/bind/bin/tests/system/masterformat/ns2/named.conf b/usr.sbin/bind/bin/tests/system/masterformat/ns2/named.conf
deleted file mode 100644
index 8777116f8b2..00000000000
--- a/usr.sbin/bind/bin/tests/system/masterformat/ns2/named.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: named.conf,v 1.2.2.1 2005/06/20 01:19:33 marka Exp $ */
-
-// NS2
-
-controls { /* empty */ };
-
-options {
- pid-file "named.pid";
- listen-on port 5300 { 10.53.0.2; };
- listen-on-v6 { none; };
- recursion no;
- notify no;
- dnssec-enable yes;
-};
-
-zone "example" {
- type master;
- file "example.db";
-};
diff --git a/usr.sbin/bind/bin/tests/system/masterformat/setup.sh b/usr.sbin/bind/bin/tests/system/masterformat/setup.sh
deleted file mode 100644
index 37ef16d78b7..00000000000
--- a/usr.sbin/bind/bin/tests/system/masterformat/setup.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright (C) 2005, 2006 Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $ISC: setup.sh,v 1.2.2.3 2006/01/07 00:23:34 marka Exp $
-
-ln -s $CHECKZONE named-compilezone
-rm -f ns1/example.db.raw
-cp ns1/example.db ns2/
-cd ns1 && sh compile.sh
diff --git a/usr.sbin/bind/bin/tests/system/masterformat/tests.sh b/usr.sbin/bind/bin/tests/system/masterformat/tests.sh
deleted file mode 100644
index 4a6b202c54a..00000000000
--- a/usr.sbin/bind/bin/tests/system/masterformat/tests.sh
+++ /dev/null
@@ -1,80 +0,0 @@ -#!/bin/sh -# -# Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: tests.sh,v 1.2.2.1 2005/06/20 01:19:30 marka Exp $ - -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh - -DIGOPTS="+tcp +noauth +noadd +nosea +nostat +noquest +nocomm +nocmd" - -status=0 - -echo "I:checking that master file in the raw format worked" - -for server in 1 2 -do - for name in ns mx a aaaa cname dname txt rrsig nsec dnskey ds - do - $DIG $DIGOPTS $name.example. $name @10.53.0.$server -p 5300 - echo - done > dig.out.$server -done - -diff dig.out.1 dig.out.2 || status=1 - -echo "I:exit status: $status" -exit $status -#!/bin/sh -# -# Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. 
IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: tests.sh,v 1.2.2.1 2005/06/20 01:19:30 marka Exp $ - -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh - -DIGOPTS="+tcp +noauth +noadd +nosea +nostat +noquest +nocomm +nocmd" - -status=0 - -echo "I:checking that master file in the raw format worked" - -for server in 1 2 -do - for name in ns mx a aaaa cname dname txt rrsig nsec dnskey ds - do - $DIG $DIGOPTS $name.example. $name @10.53.0.$server -p 5300 - echo - done > dig.out.$server -done - -diff dig.out.1 dig.out.2 || status=1 - -echo "I:exit status: $status" -exit $status diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/clean.sh b/usr.sbin/bind/bin/tests/system/rrsetorder/clean.sh deleted file mode 100644 index a44f5d517a8..00000000000 --- a/usr.sbin/bind/bin/tests/system/rrsetorder/clean.sh +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/sh -# -# Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: clean.sh,v 1.2.2.2 2006/03/05 23:58:51 marka Exp $ - -rm -f dig.out.cyclic dig.out.fixed dig.out.random -rm -f ns2/root.bk -rm -f ns?/named.run ns?/named.core - diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good1 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good1 deleted file mode 100644 index d2ca6fc3661..00000000000 --- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good1 +++ /dev/null @@ -1,4 +0,0 @@ -1.2.3.1 -1.2.3.4 -1.2.3.3 -1.2.3.2 diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good2 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good2 deleted file mode 100644 index c25c75601e9..00000000000 --- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good2 +++ /dev/null @@ -1,4 +0,0 @@ -1.2.3.4 -1.2.3.3 -1.2.3.2 -1.2.3.1 diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good3 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good3 deleted file mode 100644 index e8deb6717db..00000000000 --- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good3 +++ /dev/null @@ -1,4 +0,0 @@ -1.2.3.3 -1.2.3.2 -1.2.3.1 -1.2.3.4 
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good4 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good4
deleted file mode 100644
index 3b276939588..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.cyclic.good4
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.2
-1.2.3.1
-1.2.3.4
-1.2.3.3
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.fixed.good b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.fixed.good
deleted file mode 100644
index eaf9c631524..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.fixed.good
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.4
-1.2.3.3
-1.2.3.1
-1.2.3.2
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good1 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good1
deleted file mode 100644
index c272c756e22..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good1
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.1
-1.2.3.2
-1.2.3.3
-1.2.3.4
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good10 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good10
deleted file mode 100644
index 6a39e3f3eb6..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good10
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.2
-1.2.3.3
-1.2.3.4
-1.2.3.1
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good11 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good11
deleted file mode 100644
index efbc79247e9..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good11
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.2
-1.2.3.4
-1.2.3.1
-1.2.3.3
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good12 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good12
deleted file mode 100644
index c859a2e6d8e..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good12
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.2
-1.2.3.4
-1.2.3.3
-1.2.3.1
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good13 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good13
deleted file mode 100644
index 49bf54b2a91..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good13
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.3
-1.2.3.1
-1.2.3.2
-1.2.3.4
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good14 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good14
deleted file mode 100644
index 974aa898ee4..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good14
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.3
-1.2.3.1
-1.2.3.4
-1.2.3.2
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good15 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good15
deleted file mode 100644
index e8deb6717db..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good15
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.3
-1.2.3.2
-1.2.3.1
-1.2.3.4
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good16 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good16
deleted file mode 100644
index f4670876fef..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good16
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.3
-1.2.3.2
-1.2.3.4
-1.2.3.1
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good17 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good17
deleted file mode 100644
index 6082a255fca..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good17
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.3
-1.2.3.4
-1.2.3.1
-1.2.3.2
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good18 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good18
deleted file mode 100644
index 07eefa0ec3d..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good18
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.3
-1.2.3.4
-1.2.3.2
-1.2.3.1
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good19 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good19
deleted file mode 100644
index a5530c658ff..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good19
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.4
-1.2.3.1
-1.2.3.2
-1.2.3.3
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good2 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good2
deleted file mode 100644
index 00da93a4d44..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good2
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.1
-1.2.3.2
-1.2.3.4
-1.2.3.3
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good20 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good20
deleted file mode 100644
index 6dcf6daf9dd..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good20
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.4
-1.2.3.1
-1.2.3.3
-1.2.3.2
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good21 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good21
deleted file mode 100644
index 9dcc63f21a1..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good21
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.4
-1.2.3.2
-1.2.3.1
-1.2.3.3
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good22 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good22
deleted file mode 100644
index 4c51aa60758..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good22
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.4
-1.2.3.2
-1.2.3.3
-1.2.3.1
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good23 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good23
deleted file mode 100644
index eaf9c631524..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good23
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.4
-1.2.3.3
-1.2.3.1
-1.2.3.2
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good24 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good24
deleted file mode 100644
index c25c75601e9..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good24
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.4
-1.2.3.3
-1.2.3.2
-1.2.3.1
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good3 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good3
deleted file mode 100644
index 4d50059a556..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good3
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.1
-1.2.3.3
-1.2.3.2
-1.2.3.4
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good4 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good4
deleted file mode 100644
index 0b34afab174..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good4
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.1
-1.2.3.3
-1.2.3.4
-1.2.3.2
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good5 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good5
deleted file mode 100644
index efe0e253d40..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good5
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.1
-1.2.3.4
-1.2.3.2
-1.2.3.3
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good6 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good6
deleted file mode 100644
index d2ca6fc3661..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good6
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.1
-1.2.3.4
-1.2.3.3
-1.2.3.2
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good7 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good7
deleted file mode 100644
index 0d8312a2140..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good7
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.2
-1.2.3.1
-1.2.3.3
-1.2.3.4
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good8 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good8
deleted file mode 100644
index 3b276939588..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good8
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.2
-1.2.3.1
-1.2.3.4
-1.2.3.3
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good9 b/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good9
deleted file mode 100644
index 61192afb513..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/dig.out.random.good9
+++ /dev/null
@@ -1,4 +0,0 @@
-1.2.3.2
-1.2.3.3
-1.2.3.1
-1.2.3.4
diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/ns1/named.conf b/usr.sbin/bind/bin/tests/system/rrsetorder/ns1/named.conf
deleted file mode 100644
index 6f618556ec7..00000000000
--- a/usr.sbin/bind/bin/tests/system/rrsetorder/ns1/named.conf
+++ /dev/null
@@ -1,43 +0,0 @@ -/* - * Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: named.conf,v 1.2.2.1 2006/03/03 00:56:53 marka Exp $ */ - -controls { /* empty */ }; - -options { - query-source address 10.53.0.1; - notify-source 10.53.0.1; - transfer-source 10.53.0.1; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - recursion no; - notify yes; - rrset-order { - name "fixed.example" order fixed; - name "random.example" order random; - name "cyclic.example" order cyclic; - type NS order random; - order cyclic; - }; -}; - -zone "." { - type master; - file "root.db"; -}; diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/ns1/root.db b/usr.sbin/bind/bin/tests/system/rrsetorder/ns1/root.db deleted file mode 100644 index e9728899bdf..00000000000 --- a/usr.sbin/bind/bin/tests/system/rrsetorder/ns1/root.db +++ /dev/null 
@@ -1,40 +0,0 @@ -; Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC") -; -; Permission to use, copy, modify, and distribute this software for any -; purpose with or without fee is hereby granted, provided that the above -; copyright notice and this permission notice appear in all copies. -; -; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -; PERFORMANCE OF THIS SOFTWARE. - -; $ISC: root.db,v 1.2.2.1 2006/03/03 00:56:53 marka Exp $ - -$TTL 3600 -. SOA hostmaster.isc.org. a.root-servers.nil. ( - 2000042100 - 600 - 600 - 1200 - 600 ) -. NS a.root-servers.nil. -a.root-servers.nil A 10.53.0.1 -; -fixed.example. A 1.2.3.4 -fixed.example. A 1.2.3.3 -fixed.example. A 1.2.3.1 -fixed.example. A 1.2.3.2 -; -random.example. A 1.2.3.1 -random.example. A 1.2.3.2 -random.example. A 1.2.3.3 -random.example. A 1.2.3.4 -; -cyclic.example. A 1.2.3.4 -cyclic.example. A 1.2.3.3 -cyclic.example. A 1.2.3.2 -cyclic.example. A 1.2.3.1 diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/ns2/named.conf b/usr.sbin/bind/bin/tests/system/rrsetorder/ns2/named.conf deleted file mode 100644 index 56607af7fc2..00000000000 --- a/usr.sbin/bind/bin/tests/system/rrsetorder/ns2/named.conf +++ /dev/null 
@@ -1,45 +0,0 @@ -/* - * Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: named.conf,v 1.2.2.1 2006/03/03 00:56:53 marka Exp $ */ - -controls { /* empty */ }; - -options { - query-source address 10.53.0.2; - notify-source 10.53.0.2; - transfer-source 10.53.0.2; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.2; }; - listen-on-v6 { none; }; - recursion no; - notify yes; - // flush-zones-on-shutdown yes; - rrset-order { - name "fixed.example" order fixed; - name "random.example" order random; - name "cyclic.example" order cyclic; - type NS order random; - order cyclic; - }; -}; - -zone "." { - type slave; - masters { 10.53.0.1; }; - file "root.bk"; -}; diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/ns3/named.conf b/usr.sbin/bind/bin/tests/system/rrsetorder/ns3/named.conf deleted file mode 100644 index eac6319f4a4..00000000000 --- a/usr.sbin/bind/bin/tests/system/rrsetorder/ns3/named.conf +++ /dev/null 
@@ -1,45 +0,0 @@ -/* - * Copyright (C) 2006, 2007 Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $ISC: named.conf,v 1.2.2.4 2007/08/28 07:20:02 tbox Exp $ */ - -controls { /* empty */ }; - -options { - query-source address 10.53.0.3; - notify-source 10.53.0.3; - transfer-source 10.53.0.3; - port 5300; - pid-file "named.pid"; - listen-on { 10.53.0.3; }; - listen-on-v6 { none; }; - recursion yes; - acache-enable yes; - notify yes; - rrset-order { - name "fixed.example" order fixed; - name "random.example" order random; - name "cyclic.example" order cyclic; - type NS order random; - order cyclic; - }; -}; - -zone "." { - type hint; - file "../../common/root.hint"; -}; - diff --git a/usr.sbin/bind/bin/tests/system/rrsetorder/tests.sh b/usr.sbin/bind/bin/tests/system/rrsetorder/tests.sh deleted file mode 100644 index ec6c4434844..00000000000 --- a/usr.sbin/bind/bin/tests/system/rrsetorder/tests.sh +++ /dev/null 
@@ -1,329 +0,0 @@ -#!/bin/sh -# -# Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: tests.sh,v 1.2.2.2 2006/03/05 23:58:51 marka Exp $ - -SYSTEMTESTTOP=.. -. $SYSTEMTESTTOP/conf.sh - -status=0 - -# -# -# -echo "I: Checking order fixed (master)" -ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \ - -p 5300 @10.53.0.1 fixed.example > dig.out.fixed || ret=1 -cmp -s dig.out.fixed dig.out.fixed.good || ret=1 -done -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -# -# -# -echo "I: Checking order cyclic (master)" -ret=0 -match1=0 -match2=0 -match3=0 -match4=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \ - -p 5300 @10.53.0.1 cyclic.example > dig.out.cyclic || ret=1 -cmp -s dig.out.cyclic dig.out.cyclic.good1 || \ -cmp -s dig.out.cyclic dig.out.cyclic.good2 || \ -cmp -s dig.out.cyclic dig.out.cyclic.good3 || \ -cmp -s dig.out.cyclic dig.out.cyclic.good4 || \ -ret=1 - -cmp -s dig.out.cyclic dig.out.cyclic.good1 && match1=1 -cmp -s dig.out.cyclic dig.out.cyclic.good2 && match2=1 -cmp -s dig.out.cyclic dig.out.cyclic.good3 && match3=1 -cmp -s dig.out.cyclic 
dig.out.cyclic.good4 && match4=1 - -done -match=`expr $match1 + $match2 + $match3 + $match4` -if [ $match != 4 ]; then ret=1; fi -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -echo "I: Checking order random (master)" -ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \ - -p 5300 @10.53.0.1 random.example > dig.out.random || ret=1 - match=0 - for j in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 - do - eval "cmp -s dig.out.random dig.out.random.good$j && match$j=1 match=1" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi -done -match=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 -do - eval "match=\`expr \$match + \$match$i\`" -done -echo "I: Random selection return $match of 24 possible orders in 36 samples" -if [ $match -lt 8 ]; then echo ret=1; fi -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -# -# -# -echo "I: Checking order fixed (slave)" -ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \ - -p 5300 @10.53.0.2 fixed.example > dig.out.fixed || ret=1 -cmp -s dig.out.fixed dig.out.fixed.good || ret=1 -done -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -# -# -# -echo "I: Checking order cyclic (slave)" -ret=0 -match1=0 -match2=0 -match3=0 -match4=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \ - -p 5300 @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1 -cmp -s dig.out.cyclic dig.out.cyclic.good1 || \ -cmp -s dig.out.cyclic dig.out.cyclic.good2 || \ -cmp -s dig.out.cyclic dig.out.cyclic.good3 || \ -cmp -s dig.out.cyclic 
dig.out.cyclic.good4 || \ -ret=1 - -cmp -s dig.out.cyclic dig.out.cyclic.good1 && match1=1 -cmp -s dig.out.cyclic dig.out.cyclic.good2 && match2=1 -cmp -s dig.out.cyclic dig.out.cyclic.good3 && match3=1 -cmp -s dig.out.cyclic dig.out.cyclic.good4 && match4=1 - -done -match=`expr $match1 + $match2 + $match3 + $match4` -if [ $match != 4 ]; then ret=1; fi -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -echo "I: Checking order random (slave)" -ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \ - -p 5300 @10.53.0.2 random.example > dig.out.random || ret=1 - match=0 - for j in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 - do - eval "cmp -s dig.out.random dig.out.random.good$j && match$j=1 match=1" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi -done -match=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 -do -eval "match=\`expr \$match + \$match$i\`" -done -echo "I: Random selection return $match of 24 possible orders in 36 samples" -if [ $match -lt 8 ]; then echo ret=1; fi -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -echo "I: Shutting down slave" - -(cd ..; sh stop.sh rrsetorder ns2 ) - -echo "I: Checking for slave's on disk copy of zone" - -if [ ! 
-f ns2/root.bk ] -then - echo "I:failed"; - status=`expr $status + 1` -fi - -echo "I: Re-starting slave" - -(cd ..; sh start.sh --noclean rrsetorder ns2 ) - -# -# -# -echo "I: Checking order fixed (slave loaded from disk)" -ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \ - -p 5300 @10.53.0.2 fixed.example > dig.out.fixed || ret=1 -cmp -s dig.out.fixed dig.out.fixed.good || ret=1 -done -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -# -# -# -echo "I: Checking order cyclic (slave loaded from disk)" -ret=0 -match1=0 -match2=0 -match3=0 -match4=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \ - -p 5300 @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1 -cmp -s dig.out.cyclic dig.out.cyclic.good1 || \ -cmp -s dig.out.cyclic dig.out.cyclic.good2 || \ -cmp -s dig.out.cyclic dig.out.cyclic.good3 || \ -cmp -s dig.out.cyclic dig.out.cyclic.good4 || \ -ret=1 - -cmp -s dig.out.cyclic dig.out.cyclic.good1 && match1=1 -cmp -s dig.out.cyclic dig.out.cyclic.good2 && match2=1 -cmp -s dig.out.cyclic dig.out.cyclic.good3 && match3=1 -cmp -s dig.out.cyclic dig.out.cyclic.good4 && match4=1 - -done -match=`expr $match1 + $match2 + $match3 + $match4` -if [ $match != 4 ]; then ret=1; fi -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -echo "I: Checking order random (slave loaded from disk)" -ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \ - -p 5300 @10.53.0.2 random.example > dig.out.random || ret=1 - match=0 - for j in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 - do - eval "cmp -s dig.out.random dig.out.random.good$j && 
match$j=1 match=1" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi -done -match=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 -do -eval "match=\`expr \$match + \$match$i\`" -done -echo "I: Random selection return $match of 24 possible orders in 36 samples" -if [ $match -lt 8 ]; then echo ret=1; fi -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -# -# -# -echo "I: Checking order fixed (cache)" -ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \ - -p 5300 @10.53.0.3 fixed.example > dig.out.fixed || ret=1 -cmp -s dig.out.fixed dig.out.fixed.good || ret=1 -done -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -# -# -# -echo "I: Checking order cyclic (cache)" -ret=0 -match1=0 -match2=0 -match3=0 -match4=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \ - -p 5300 @10.53.0.3 cyclic.example > dig.out.cyclic || ret=1 -cmp -s dig.out.cyclic dig.out.cyclic.good1 || \ -cmp -s dig.out.cyclic dig.out.cyclic.good2 || \ -cmp -s dig.out.cyclic dig.out.cyclic.good3 || \ -cmp -s dig.out.cyclic dig.out.cyclic.good4 || \ -ret=1 - -cmp -s dig.out.cyclic dig.out.cyclic.good1 && match1=1 -cmp -s dig.out.cyclic dig.out.cyclic.good2 && match2=1 -cmp -s dig.out.cyclic dig.out.cyclic.good3 && match3=1 -cmp -s dig.out.cyclic dig.out.cyclic.good4 && match4=1 - -done -match=`expr $match1 + $match2 + $match3 + $match4` -if [ $match != 4 ]; then ret=1; fi -if [ $ret != 0 ]; then echo "I:failed"; fi -status=`expr $status + $ret` - -echo "I: Checking order random (cache)" -ret=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 -do - eval match$i=0 -done -for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 -do -$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm 
+nostat +short \ - -p 5300 @10.53.0.3 random.example > dig.out.random || ret=1 - match=0 - for j in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 - do - eval "cmp -s dig.out.random dig.out.random.good$j && match$j=1 match=1" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi -done -match=0 -for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 -do -eval "match=\`expr \$match + \$match$i\`" -done -echo "I: Random selection return $match of 24 possible orders in 36 samples" -if [ $match -lt 8 ]; then echo ret=1; fi -if [ $ret != 0 ]; then echo "I:failed"; fi - -status=`expr $status + $ret` -echo "I:exit status: $status" -exit $status diff --git a/usr.sbin/bind/bin/tests/system/tsig/clean.sh b/usr.sbin/bind/bin/tests/system/tsig/clean.sh deleted file mode 100644 index 3fc74366491..00000000000 --- a/usr.sbin/bind/bin/tests/system/tsig/clean.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh -# -# Copyright (C) 2005, 2006 Internet Systems Consortium, Inc. ("ISC") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: clean.sh,v 1.2.2.2 2006/01/27 23:57:44 marka Exp $ - -# -# Clean up after tsig tests. -# - -rm -f dig.out.* 
diff --git a/usr.sbin/bind/bin/tests/system/tsig/ns1/example.db b/usr.sbin/bind/bin/tests/system/tsig/ns1/example.db
deleted file mode 100644
index 3b8002580b9..00000000000
--- a/usr.sbin/bind/bin/tests/system/tsig/ns1/example.db
+++ /dev/null
@@ -1,151 +0,0 @@
-; Copyright (C) 2005, 2006 Internet Systems Consortium, Inc. ("ISC")
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $ISC: example.db,v 1.2.2.2 2006/01/27 23:57:44 marka Exp $
-
-$ORIGIN .
-$TTL 300 ; 5 minutes
-example.nil IN SOA ns1.example.nil. hostmaster.example.nil. (
- 1 ; serial
- 2000 ; refresh (2000 seconds)
- 2000 ; retry (2000 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
-example.nil. NS ns1.example.nil.
-ns1.example.nil. A 10.53.0.1
-example.nil. NS ns2.example.nil.
-ns2.example.nil. A 10.53.0.2
-
-$ORIGIN example.nil.
-* MX 10 mail
-a TXT "foo foo foo"
- PTR foo.net.
-$TTL 3600 ; 1 hour
-a01 A 0.0.0.0
-a02 A 255.255.255.255
-a601 AAAA ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-afsdb01 AFSDB 0 hostname
-afsdb02 AFSDB 65535 .
-$TTL 300 ; 5 minutes
-b CNAME foo.net.
-c A 73.80.65.49
-$TTL 3600 ; 1 hour
-cert01 CERT 65534 65535 PRIVATEOID (
- MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
- WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
- d80jEeC8aTrO+KKmCaY= )
-cname01 CNAME cname-target.
-cname02 CNAME cname-target
-cname03 CNAME .
-$TTL 300 ; 5 minutes
-d A 73.80.65.49
-$TTL 3600 ; 1 hour
-dname01 DNAME dname-target.
-dname02 DNAME dname-target
-dname03 DNAME .
-$TTL 300 ; 5 minutes
-e MX 10 mail
- TXT "one"
- TXT "three"
- TXT "two"
- A 73.80.65.49
- A 73.80.65.50
- A 73.80.65.52
- A 73.80.65.51
-f A 73.80.65.52
-$TTL 3600 ; 1 hour
-gpos01 GPOS "-22.6882" "116.8652" "250.0"
-gpos02 GPOS "" "" ""
-hinfo01 HINFO "Generic PC clone" "NetBSD-1.4"
-hinfo02 HINFO "PC" "NetBSD"
-isdn01 ISDN "isdn-address"
-isdn02 ISDN "isdn-address" "subaddress"
-isdn03 ISDN "isdn-address"
-isdn04 ISDN "isdn-address" "subaddress"
-key01 KEY 512 255 1 (
- AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
- yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
- GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
- jqf0BaqHT+8= )
-kx01 KX 10 kdc
-kx02 KX 10 .
-loc01 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
-loc02 LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
-mb01 MG madname
-mb02 MG .
-mg01 MG mgmname
-mg02 MG .
-minfo01 MINFO rmailbx emailbx
-minfo02 MINFO . .
-mr01 MR mrname
-mr02 MR .
-mx01 MX 10 mail
-mx02 MX 10 .
-naptr01 NAPTR 0 0 "" "" "" .
-naptr02 NAPTR 65535 65535 "blurgh" "blorf" "blegh" foo.
-nsap-ptr01 NSAP-PTR foo.
- NSAP-PTR .
-nsap01 NSAP 0x47000580005a0000000001e133ffffff00016100
-nsap02 NSAP 0x47000580005a0000000001e133ffffff00016100
-nxt01 NXT a.secure ( NS SOA MX SIG KEY LOC NXT )
-nxt02 NXT . ( NSAP-PTR NXT )
-nxt03 NXT . ( A )
-nxt04 NXT . ( 127 )
-ptr01 PTR example.nil.
-px01 PX 65535 foo. bar.
-px02 PX 65535 . .
-rp01 RP mbox-dname txt-dname
-rp02 RP . .
-rt01 RT 0 intermediate-host
-rt02 RT 65535 .
-$TTL 300 ; 5 minutes
-s NS ns.s
-$ORIGIN s.example.nil.
-ns A 73.80.65.49
-$ORIGIN example.nil.
-$TTL 3600 ; 1 hour
-sig01 SIG NXT 1 3 3600 20000102030405 (
- 19961211100908 2143 foo
- MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
- WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
- d80jEeC8aTrO+KKmCaY= )
-srv01 SRV 0 0 0 .
-srv02 SRV 65535 65535 65535 old-slow-box.example.com.
-$TTL 301 ; 5 minutes 1 second
-t A 73.80.65.49
-$TTL 3600 ; 1 hour
-txt01 TXT "foo"
-txt02 TXT "foo" "bar"
-txt03 TXT "foo"
-txt04 TXT "foo" "bar"
-txt05 TXT "foo bar"
-txt06 TXT "foo bar"
-txt07 TXT "foo bar"
-txt08 TXT "foo\010bar"
-txt09 TXT "foo\010bar"
-txt10 TXT "foo bar"
-txt11 TXT "\"foo\""
-txt12 TXT "\"foo\""
-$TTL 300 ; 5 minutes
-u TXT "txt-not-in-nxt"
-$ORIGIN u.example.nil.
-a A 73.80.65.49
-b A 73.80.65.49
-$ORIGIN example.nil.
-$TTL 3600 ; 1 hour
-wks01 WKS 10.0.0.1 6 ( 0 1 2 21 23 )
-wks02 WKS 10.0.0.1 17 ( 0 1 2 53 )
-wks03 WKS 10.0.0.2 6 ( 65535 )
-x2501 X25 "123456789"
diff --git a/usr.sbin/bind/bin/tests/system/tsig/ns1/named.conf b/usr.sbin/bind/bin/tests/system/tsig/ns1/named.conf
deleted file mode 100644
index 7a4a3b88192..00000000000
--- a/usr.sbin/bind/bin/tests/system/tsig/ns1/named.conf
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2005, 2006 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $ISC: named.conf,v 1.2.2.2 2006/01/27 23:57:44 marka Exp $ */
-
-controls { /* empty */ };
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port 5300;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify no;
-};
-
-key "md5" {
- secret "97rnFx24Tfna4mHPfgnerA==";
- algorithm hmac-md5;
-};
-
-key "sha1" {
- secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
- algorithm hmac-sha1;
-};
-
-key "sha224" {
- secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
- algorithm hmac-sha224;
-};
-
-key "sha256" {
- secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
- algorithm hmac-sha256;
-};
-
-key "sha384" {
- secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
- algorithm hmac-sha384;
-};
-
-key "sha512" {
- secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
- algorithm hmac-sha512;
-};
-
-key "md5-trunc" {
- secret "97rnFx24Tfna4mHPfgnerA==";
- algorithm hmac-md5-80;
-};
-
-key "sha1-trunc" {
- secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
- algorithm hmac-sha1-80;
-};
-
-key "sha224-trunc" {
- secret
"hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
- algorithm hmac-sha224-112;
-};
-
-key "sha256-trunc" {
- secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
- algorithm hmac-sha256-128;
-};
-
-key "sha384-trunc" {
- secret "OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h";
- algorithm hmac-sha384-192;
-};
-
-key "sha512-trunc" {
- secret "jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg==";
- algorithm hmac-sha512-256;
-};
-
-zone "example.nil" {
- type master;
- file "example.db";
-};
diff --git a/usr.sbin/bind/bin/tests/system/tsig/tests.sh b/usr.sbin/bind/bin/tests/system/tsig/tests.sh
deleted file mode 100644
index 90992b52309..00000000000
--- a/usr.sbin/bind/bin/tests/system/tsig/tests.sh
+++ /dev/null
@@ -1,218 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2005, 2006 Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $ISC: tests.sh,v 1.2.2.2 2006/01/27 23:57:44 marka Exp $
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-#
-# Shared secrets.
-#
-md5="97rnFx24Tfna4mHPfgnerA=="
-sha1="FrSt77yPTFx6hTs4i2tKLB9LmE0="
-sha224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
-sha256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
-sha384="OaDdoAk2LAcLtYeUnsT7A9XHjsb6ZEma7OCvUpMraQIJX6HetGrlKmF7yglO1G2h"
-sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4fe6Uasc0ckctEmg=="
-
-status=0
-
-echo "I:fetching using hmac-md5 (old form)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.old || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-md5 (new form)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-md5:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha1"
-ret=0
-$DIG +tcp
+nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha1:sha1:$sha1" @10.53.0.1 soa -p 5300 > dig.out.sha1 || ret=1
-grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha224"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha224:sha224:$sha224" @10.53.0.1 soa -p 5300 > dig.out.sha224 || ret=1
-grep -i "sha224.*TSIG.*NOERROR" dig.out.sha224 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha256"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha256:sha256:$sha256" @10.53.0.1 soa -p 5300 > dig.out.sha256 || ret=1
-grep -i "sha256.*TSIG.*NOERROR" dig.out.sha256 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha384"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha384:sha384:$sha384" @10.53.0.1 soa -p 5300 > dig.out.sha384 || ret=1
-grep -i "sha384.*TSIG.*NOERROR" dig.out.sha384 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha512"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha512:sha512:$sha512" @10.53.0.1 soa -p 5300 > dig.out.sha512 || ret=1
-grep -i "sha512.*TSIG.*NOERROR" dig.out.sha512 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-#
-#
-# Truncated TSIG
-#
-#
-echo "I:fetching using hmac-md5 (trunc)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5.trunc || ret=1
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha1 (trunc)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm
+nocmd example.nil.\
- -y "hmac-sha1-80:sha1-trunc:$sha1" @10.53.0.1 soa -p 5300 > dig.out.sha1.trunc || ret=1
-grep -i "sha1.*TSIG.*NOERROR" dig.out.sha1.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha224 (trunc)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha224-112:sha224-trunc:$sha224" @10.53.0.1 soa -p 5300 > dig.out.sha224.trunc || ret=1
-grep -i "sha224-trunc.*TSIG.*NOERROR" dig.out.sha224.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha256 (trunc)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha256-128:sha256-trunc:$sha256" @10.53.0.1 soa -p 5300 > dig.out.sha256.trunc || ret=1
-grep -i "sha256-trunc.*TSIG.*NOERROR" dig.out.sha256.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha384 (trunc)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha384-192:sha384-trunc:$sha384" @10.53.0.1 soa -p 5300 > dig.out.sha384.trunc || ret=1
-grep -i "sha384-trunc.*TSIG.*NOERROR" dig.out.sha384.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha512-256 (trunc)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha512-256:sha512-trunc:$sha512" @10.53.0.1 soa -p 5300 > dig.out.sha512.trunc || ret=1
-grep -i "sha512-trunc.*TSIG.*NOERROR" dig.out.sha512.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-
-#
-#
-# Check for bad truncation.
-#
-#
-echo "I:fetching using hmac-md5-80 (BADTRUNC)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa -p 5300 > dig.out.md5-80 || ret=1
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha1-80 (BADTRUNC)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha1-80:sha1:$sha1" @10.53.0.1 soa -p 5300 > dig.out.sha1-80 || ret=1
-grep -i "sha1.*TSIG.*BADTRUNC" dig.out.sha1-80 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha224-112 (BADTRUNC)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha224-112:sha224:$sha224" @10.53.0.1 soa -p 5300 > dig.out.sha224-112 || ret=1
-grep -i "sha224.*TSIG.*BADTRUNC" dig.out.sha224-112 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha256-128 (BADTRUNC)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha256-128:sha256:$sha256" @10.53.0.1 soa -p 5300 > dig.out.sha256-128 || ret=1
-grep -i "sha256.*TSIG.*BADTRUNC" dig.out.sha256-128 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha384-192 (BADTRUNC)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha384-192:sha384:$sha384" @10.53.0.1 soa -p 5300 > dig.out.sha384-192 || ret=1
-grep -i "sha384.*TSIG.*BADTRUNC" dig.out.sha384-192 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-echo "I:fetching using hmac-sha512-256 (BADTRUNC)"
-ret=0
-$DIG +tcp +nosea +nostat +noquest +nocomm +nocmd example.nil.\
- -y "hmac-sha512-256:sha512:$sha512" @10.53.0.1 soa -p 5300 > dig.out.sha512-256 || ret=1
-grep -i "sha512.*TSIG.*BADTRUNC" dig.out.sha512-256 > /dev/null || ret=1
-if
[ $ret -eq 1 ] ; then
- echo "I: failed"; status=1
-fi
-
-exit $status
-
-
diff --git a/usr.sbin/bind/bin/tests/system/zonechecks/a.db b/usr.sbin/bind/bin/tests/system/zonechecks/a.db
deleted file mode 100644
index 03b0dc50703..00000000000
--- a/usr.sbin/bind/bin/tests/system/zonechecks/a.db
+++ /dev/null
@@ -1,19 +0,0 @@
-; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $ISC: a.db,v 1.2.2.2 2004/11/24 23:49:16 marka Exp $
-
-@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
-@ 3600 IN NS 127.0.0.1
-127.0.0.1 3600 IN A 127.0.0.1
diff --git a/usr.sbin/bind/bin/tests/system/zonechecks/aaaa.db b/usr.sbin/bind/bin/tests/system/zonechecks/aaaa.db
deleted file mode 100644
index 960961ec517..00000000000
--- a/usr.sbin/bind/bin/tests/system/zonechecks/aaaa.db
+++ /dev/null
@@ -1,19 +0,0 @@
-; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $ISC: aaaa.db,v 1.2.2.2 2004/11/24 23:49:16 marka Exp $
-
-@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
-@ 3600 IN NS ::1
-::1 3600 IN AAAA ::1
diff --git a/usr.sbin/bind/bin/tests/system/zonechecks/clean.sh b/usr.sbin/bind/bin/tests/system/zonechecks/clean.sh
deleted file mode 100644
index 992db941a65..00000000000
--- a/usr.sbin/bind/bin/tests/system/zonechecks/clean.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $ISC: clean.sh,v 1.2.2.2 2004/11/24 23:49:17 marka Exp $
-
-rm -f *.out
diff --git a/usr.sbin/bind/bin/tests/system/zonechecks/cname.db b/usr.sbin/bind/bin/tests/system/zonechecks/cname.db
deleted file mode 100644
index f7226332395..00000000000
--- a/usr.sbin/bind/bin/tests/system/zonechecks/cname.db
+++ /dev/null
@@ -1,19 +0,0 @@
-; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $ISC: cname.db,v 1.2.2.2 2004/11/24 23:49:17 marka Exp $
-
-@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
-@ 3600 IN NS ns
-ns 3600 IN CNAME @
diff --git a/usr.sbin/bind/bin/tests/system/zonechecks/dname.db b/usr.sbin/bind/bin/tests/system/zonechecks/dname.db
deleted file mode 100644
index 27cb320c6d9..00000000000
--- a/usr.sbin/bind/bin/tests/system/zonechecks/dname.db
+++ /dev/null
@@ -1,19 +0,0 @@
-; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $ISC: dname.db,v 1.2.2.2 2004/11/24 23:49:17 marka Exp $
-
-@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
-@ 3600 IN NS ns
-@ 3600 IN DNAME .
diff --git a/usr.sbin/bind/bin/tests/system/zonechecks/noaddress.db b/usr.sbin/bind/bin/tests/system/zonechecks/noaddress.db
deleted file mode 100644
index 6db58e85d4e..00000000000
--- a/usr.sbin/bind/bin/tests/system/zonechecks/noaddress.db
+++ /dev/null
@@ -1,19 +0,0 @@
-; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $ISC: noaddress.db,v 1.2.2.2 2004/11/24 23:49:17 marka Exp $
-
-@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
-@ 3600 IN NS ns
-ns 3600 IN TXT this name has no address records
diff --git a/usr.sbin/bind/bin/tests/system/zonechecks/nxdomain.db b/usr.sbin/bind/bin/tests/system/zonechecks/nxdomain.db
deleted file mode 100644
index 1451ce76196..00000000000
--- a/usr.sbin/bind/bin/tests/system/zonechecks/nxdomain.db
+++ /dev/null
@@ -1,19 +0,0 @@
-; Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-;
-; Permission to use, copy, modify, and distribute this software for any
-; purpose with or without fee is hereby granted, provided that the above
-; copyright notice and this permission notice appear in all copies.
-;
-; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-; PERFORMANCE OF THIS SOFTWARE.
-
-; $ISC: nxdomain.db,v 1.2.2.2 2004/11/24 23:49:17 marka Exp $
-
-@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
-@ 3600 IN NS ns
-; There are no records at all with the ownername of "ns".
diff --git a/usr.sbin/bind/bin/tests/system/zonechecks/tests.sh b/usr.sbin/bind/bin/tests/system/zonechecks/tests.sh
deleted file mode 100644
index 23a7df36a07..00000000000
--- a/usr.sbin/bind/bin/tests/system/zonechecks/tests.sh
+++ /dev/null
@@ -1,164 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $ISC: tests.sh,v 1.2.2.1 2004/11/23 05:24:49 marka Exp $
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-status=0
-
-#
-echo "I: checking that we detect a NS which refers to a CNAME"
-if $CHECKZONE . cname.db > cname.out 2>&1
-then
- echo "I:failed (status)"; status=1
-else
- if grep "is a CNAME" cname.out > /dev/null
- then
- :
- else
- echo "I:failed (message)"; status=1
- fi
-fi
-
-#
-echo "I: checking that we detect a NS which is below a DNAME"
-if $CHECKZONE . dname.db > dname.out 2>&1
-then
- echo "I:failed (status)"; status=1
-else
- if grep "is below a DNAME" dname.out > /dev/null
- then
- :
- else
- echo "I:failed (message)"; status=1
- fi
-fi
-
-#
-echo "I: checking that we detect a NS which has no address records (A/AAAA)"
-if $CHECKZONE . noaddress.db > noaddress.out
-then
- echo "I:failed (status)"; status=1
-else
- if grep "has no address records" noaddress.out > /dev/null
- then
- :
- else
- echo "I:failed (message)"; status=1
- fi
-fi
-
-#
-echo "I: checking that we detect a NS which has no records"
-if $CHECKZONE .
nxdomain.db > nxdomain.out
-then
- echo "I:failed (status)"; status=1
-else
- if grep "has no address records" noaddress.out > /dev/null
- then
- :
- else
- echo "I:failed (message)"; status=1
- fi
-fi
-
-#
-echo "I: checking that we detect a NS which looks like a A record (fail)"
-if $CHECKZONE -n fail . a.db > a.out 2>&1
-then
- echo "I:failed (status)"; status=1
-else
- if grep "appears to be an address" a.out > /dev/null
- then
- :
- else
- echo "I:failed (message)"; status=1
- fi
-fi
-
-#
-echo "I: checking that we detect a NS which looks like a A record (warn=default)"
-if $CHECKZONE . a.db > a.out 2>&1
-then
- if grep "appears to be an address" a.out > /dev/null
- then
- :
- else
- echo "I:failed (message)"; status=1
- fi
-else
- echo "I:failed (status)"; status=1
-fi
-
-#
-echo "I: checking that we detect a NS which looks like a A record (ignore)"
-if $CHECKZONE -n ignore . a.db > a.out 2>&1
-then
- if grep "appears to be an address" a.out > /dev/null
- then
- echo "I:failed (message)"; status=1
- else
- :
- fi
-else
- echo "I:failed (status)"; status=1
-fi
-
-#
-echo "I: checking that we detect a NS which looks like a AAAA record (fail)"
-if $CHECKZONE -n fail . aaaa.db > aaaa.out 2>&1
-then
- echo "I:failed (status)"; status=1
-else
- if grep "appears to be an address" aaaa.out > /dev/null
- then
- :
- else
- echo "I:failed (message)"; status=1
- fi
-fi
-
-#
-echo "I: checking that we detect a NS which looks like a AAAA record (warn=default)"
-if $CHECKZONE . aaaa.db > aaaa.out 2>&1
-then
- if grep "appears to be an address" aaaa.out > /dev/null
- then
- :
- else
- echo "I:failed (message)"; status=1
- fi
-else
- echo "I:failed (status)"; status=1
-fi
-
-#
-echo "I: checking that we detect a NS which looks like a AAAA record (ignore)"
-if $CHECKZONE -n ignore .
aaaa.db > aaaa.out 2>&1
-then
- if grep "appears to be an address" aaaa.out > /dev/null
- then
- echo "I:failed (message)"; status=1
- else
- :
- fi
-else
- echo "I:failed (status)"; status=1
-fi
-echo "I:exit status: $status"
-exit $?
diff --git a/usr.sbin/bind/doc/Makefile.in b/usr.sbin/bind/doc/Makefile.in
deleted file mode 100644
index b6a753bae3c..00000000000
--- a/usr.sbin/bind/doc/Makefile.in
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $ISC: Makefile.in,v 1.5.18.2 2005/07/23 04:35:12 marka Exp $
-
-# This Makefile is a placeholder. It exists merely to make
-# sure that its directory gets created in the object directory
-# tree when doing a build using separate object directories.
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = arm misc xsl
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM-book.xml b/usr.sbin/bind/doc/arm/Bv9ARM-book.xml
deleted file mode 100644
index dd010d5d5ba..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM-book.xml
+++ /dev/null
@@ -1,12353 +0,0 @@ -]> - - - - - BIND 9 Administrator Reference Manual - - - - 2004 - 2005 - 2006 - 2007 - 2008 - Internet Systems Consortium, Inc. ("ISC") - - - 2000 - 2001 - 2002 - 2003 - Internet Software Consortium. - - - - - Introduction - - The Internet Domain Name System (DNS) - consists of the syntax - to specify the names of entities in the Internet in a hierarchical - manner, the rules used for delegating authority over names, and the - system implementation that actually maps names to Internet - addresses. DNS data is maintained in a - group of distributed - hierarchical databases. - - - - Scope of Document - - - The Berkeley Internet Name Domain - (BIND) implements a - domain name server for a number of operating systems. This - document provides basic information about the installation and - care of the Internet Systems Consortium (ISC) - BIND version 9 software package for - system administrators. - - - - This version of the manual corresponds to BIND version 9.4. - - - - - Organization of This Document - - In this document, Section 1 introduces - the basic DNS and BIND concepts. Section 2 - describes resource requirements for running BIND in various - environments. Information in Section 3 is - task-oriented in its presentation and is - organized functionally, to aid in the process of installing the - BIND 9 software. The task-oriented - section is followed by - Section 4, which contains more advanced - concepts that the system administrator may need for implementing - certain options. Section 5 - describes the BIND 9 lightweight - resolver. The contents of Section 6 are - organized as in a reference manual to aid in the ongoing - maintenance of the software. Section 7 addresses - security considerations, and - Section 8 contains troubleshooting help. 
The - main body of the document is followed by several - appendices which contain useful reference - information, such as a bibliography and - historic information related to BIND - and the Domain Name - System. - - - - Conventions Used in This Document - - - In this document, we use the following general typographic - conventions: - - - - - - - - - - - To describe: - - - - - We use the style: - - - - - - - a pathname, filename, URL, hostname, - mailing list name, or new term or concept - - - - - Fixed width - - - - - - - literal user - input - - - - - Fixed Width Bold - - - - - - - program output - - - - - Fixed Width - - - - - - - - - The following conventions are used in descriptions of the - BIND configuration file: - - - - - - - - To describe: - - - - - We use the style: - - - - - - - keywords - - - - - Fixed Width - - - - - - - variables - - - - - Fixed Width - - - - - - - Optional input - - - - - Text is enclosed in square brackets - - - - - - - - - - The Domain Name System (<acronym>DNS</acronym>) - - The purpose of this document is to explain the installation - and upkeep of the BIND (Berkeley Internet - Name Domain) software package, and we - begin by reviewing the fundamentals of the Domain Name System - (DNS) as they relate to BIND. - - - - DNS Fundamentals - - - The Domain Name System (DNS) is a hierarchical, distributed - database. It stores information for mapping Internet host names to - IP - addresses and vice versa, mail routing information, and other data - used by Internet applications. - - - - Clients look up information in the DNS by calling a - resolver library, which sends queries to one or - more name servers and interprets the responses. - The BIND 9 software distribution - contains a - name server, named, and two resolver - libraries, liblwres and libbind. - - - - Domains and Domain Names - - - The data stored in the DNS is identified by domain names that are organized as a tree according to - organizational or administrative boundaries. 
Each node of the tree, - called a domain, is given a label. The domain - name of the - node is the concatenation of all the labels on the path from the - node to the root node. This is represented - in written form as a string of labels listed from right to left and - separated by dots. A label need only be unique within its parent - domain. - - - - For example, a domain name for a host at the - company Example, Inc. could be - ourhost.example.com, - where com is the - top level domain to which - ourhost.example.com belongs, - example is - a subdomain of com, and - ourhost is the - name of the host. - - - - For administrative purposes, the name space is partitioned into - areas called zones, each starting at a node and - extending down to the leaf nodes or to nodes where other zones - start. - The data for each zone is stored in a name server, which answers queries about the zone using the - DNS protocol. - - - - The data associated with each domain name is stored in the - form of resource records (RRs). - Some of the supported resource record types are described in - . - - - - For more detailed information about the design of the DNS and - the DNS protocol, please refer to the standards documents listed in - . - - - - - Zones - - To properly operate a name server, it is important to understand - the difference between a zone - and a domain. - - - - As stated previously, a zone is a point of delegation in - the DNS tree. A zone consists of - those contiguous parts of the domain - tree for which a name server has complete information and over which - it has authority. It contains all domain names from a certain point - downward in the domain tree except those which are delegated to - other zones. A delegation point is marked by one or more - NS records in the - parent zone, which should be matched by equivalent NS records at - the root of the delegated zone. 
- - - - For instance, consider the example.com - domain which includes names - such as host.aaa.example.com and - host.bbb.example.com even though - the example.com zone includes - only delegations for the aaa.example.com and - bbb.example.com zones. A zone can - map - exactly to a single domain, but could also include only part of a - domain, the rest of which could be delegated to other - name servers. Every name in the DNS - tree is a - domain, even if it is - terminal, that is, has no - subdomains. Every subdomain is a domain and - every domain except the root is also a subdomain. The terminology is - not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 - to - gain a complete understanding of this difficult and subtle - topic. - - - - Though BIND is called a "domain name - server", - it deals primarily in terms of zones. The master and slave - declarations in the named.conf file - specify - zones, not domains. When you ask some other site if it is willing to - be a slave server for your domain, you are - actually asking for slave service for some collection of zones. - - - - - Authoritative Name Servers - - - Each zone is served by at least - one authoritative name server, - which contains the complete data for the zone. - To make the DNS tolerant of server and network failures, - most zones have two or more authoritative servers, on - different networks. - - - - Responses from authoritative servers have the "authoritative - answer" (AA) bit set in the response packets. This makes them - easy to identify when debugging DNS configurations using tools like - dig (). - - - - The Primary Master - - - The authoritative server where the master copy of the zone - data is maintained is called the - primary master server, or simply the - primary. Typically it loads the zone - contents from some local file edited by humans or perhaps - generated mechanically from some other local file which is - edited by humans. 
This file is called the - zone file or - master file. - - - - In some cases, however, the master file may not be edited - by humans at all, but may instead be the result of - dynamic update operations. - - - - - Slave Servers - - The other authoritative servers, the slave - servers (also known as secondary servers) - load - the zone contents from another server using a replication process - known as a zone transfer. Typically the data - are - transferred directly from the primary master, but it is also - possible - to transfer it from another slave. In other words, a slave server - may itself act as a master to a subordinate slave server. - - - - - Stealth Servers - - - Usually all of the zone's authoritative servers are listed in - NS records in the parent zone. These NS records constitute - a delegation of the zone from the parent. - The authoritative servers are also listed in the zone file itself, - at the top level or apex - of the zone. You can list servers in the zone's top-level NS - records that are not in the parent's NS delegation, but you cannot - list servers in the parent's delegation that are not present at - the zone's top level. - - - - A stealth server is a server that is - authoritative for a zone but is not listed in that zone's NS - records. Stealth servers can be used for keeping a local copy of - a - zone to speed up access to the zone's records or to make sure that - the - zone is available even if all the "official" servers for the zone - are - inaccessible. - - - - A configuration where the primary master server itself is a - stealth server is often referred to as a "hidden primary" - configuration. One use for this configuration is when the primary - master - is behind a firewall and therefore unable to communicate directly - with the outside world. 
- - - - - - - - Caching Name Servers - - - - - The resolver libraries provided by most operating systems are - stub resolvers, meaning that they are not - capable of - performing the full DNS resolution process by themselves by talking - directly to the authoritative servers. Instead, they rely on a - local - name server to perform the resolution on their behalf. Such a - server - is called a recursive name server; it performs - recursive lookups for local clients. - - - - To improve performance, recursive servers cache the results of - the lookups they perform. Since the processes of recursion and - caching are intimately connected, the terms - recursive server and - caching server are often used synonymously. - - - - The length of time for which a record may be retained in - the cache of a caching name server is controlled by the - Time To Live (TTL) field associated with each resource record. - - - - Forwarding - - - Even a caching name server does not necessarily perform - the complete recursive lookup itself. Instead, it can - forward some or all of the queries - that it cannot satisfy from its cache to another caching name - server, - commonly referred to as a forwarder. - - - - There may be one or more forwarders, - and they are queried in turn until the list is exhausted or an - answer - is found. Forwarders are typically used when you do not - wish all the servers at a given site to interact directly with the - rest of - the Internet servers. A typical scenario would involve a number - of internal DNS servers and an - Internet firewall. Servers unable - to pass packets through the firewall would forward to the server - that can do it, and that server would query the Internet DNS servers - on the internal server's behalf. - - - - - - - Name Servers in Multiple Roles - - - The BIND name server can - simultaneously act as - a master for some zones, a slave for other zones, and as a caching - (recursive) server for a set of local clients. 
- - - - However, since the functions of authoritative name service - and caching/recursive name service are logically separate, it is - often advantageous to run them on separate server machines. - - A server that only provides authoritative name service - (an authoritative-only server) can run with - recursion disabled, improving reliability and security. - - A server that is not authoritative for any zones and only provides - recursive service to local - clients (a caching-only server) - does not need to be reachable from the Internet at large and can - be placed inside a firewall. - - - - - - - - - <acronym>BIND</acronym> Resource Requirements - - - Hardware requirements - - - DNS hardware requirements have - traditionally been quite modest. - For many installations, servers that have been pensioned off from - active duty have performed admirably as DNS servers. - - - The DNSSEC features of BIND 9 - may prove to be quite - CPU intensive however, so organizations that make heavy use of these - features may wish to consider larger systems for these applications. - BIND 9 is fully multithreaded, allowing - full utilization of - multiprocessor systems for installations that need it. - - - - CPU Requirements - - CPU requirements for BIND 9 range from - i486-class machines - for serving of static zones without caching, to enterprise-class - machines if you intend to process many dynamic updates and DNSSEC - signed zones, serving many thousands of queries per second. - - - - - Memory Requirements - - The memory of the server has to be large enough to fit the - cache and zones loaded off disk. The max-cache-size - option can be used to limit the amount of memory used by the cache, - at the expense of reducing cache hit rates and causing more DNS - traffic. - Additionally, if additional section caching - () is enabled, - the max-acache-size option can be used to - limit the amount - of memory used by the mechanism. 
- It is still good practice to have enough memory to load - all zone and cache data into memory — unfortunately, the best - way - to determine this for a given installation is to watch the name server - in operation. After a few weeks the server process should reach - a relatively stable size where entries are expiring from the cache as - fast as they are being inserted. - - - - - - Name Server Intensive Environment Issues - - For name server intensive environments, there are two alternative - configurations that may be used. The first is where clients and - any second-level internal name servers query a main name server, which - has enough memory to build a large cache. This approach minimizes - the bandwidth used by external name lookups. The second alternative - is to set up second-level internal name servers to make queries - independently. - In this configuration, none of the individual machines needs to - have as much memory or CPU power as in the first alternative, but - this has the disadvantage of making many more external queries, - as none of the name servers share their cached data. - - - - - Supported Operating Systems - - ISC BIND 9 compiles and runs on a large - number - of Unix-like operating system and on NT-derived versions of - Microsoft Windows such as Windows 2000 and Windows XP. For an - up-to-date - list of supported systems, see the README file in the top level - directory - of the BIND 9 source distribution. - - - - - - Name Server Configuration - - In this section we provide some suggested configurations along - with guidelines for their use. We suggest reasonable values for - certain option settings. - - - - Sample Configurations - - A Caching-only Name Server - - The following sample configuration is appropriate for a caching-only - name server for use by clients internal to a corporation. All - queries - from outside clients are refused using the allow-query - option. 
Alternatively, the same effect could be achieved using - suitable - firewall rules. - - - -// Two corporate subnets we wish to allow queries from. -acl corpnets { 192.168.4.0/24; 192.168.7.0/24; }; -options { - directory "/etc/namedb"; // Working directory - allow-query { corpnets; }; -}; -// Provide a reverse mapping for the loopback address 127.0.0.1 -zone "0.0.127.in-addr.arpa" { - type master; - file "localhost.rev"; - notify no; -}; - - - - - - An Authoritative-only Name Server - - This sample configuration is for an authoritative-only server - that is the master server for "example.com" - and a slave for the subdomain "eng.example.com". - - - -options { - directory "/etc/namedb"; // Working directory - allow-query-cache { none; }; // Do not allow access to cache - allow-query { any; }; // This is the default - recursion no; // Do not provide recursive service -}; - -// Provide a reverse mapping for the loopback address 127.0.0.1 -zone "0.0.127.in-addr.arpa" { - type master; - file "localhost.rev"; - notify no; -}; -// We are the master server for example.com -zone "example.com" { - type master; - file "example.com.db"; - // IP addresses of slave servers allowed to transfer example.com - allow-transfer { - 192.168.4.14; - 192.168.5.53; - }; -}; -// We are a slave server for eng.example.com -zone "eng.example.com" { - type slave; - file "eng.example.com.bk"; - // IP address of eng.example.com master server - masters { 192.168.4.12; }; -}; - - - - - - - Load Balancing - - - - A primitive form of load balancing can be achieved in - the DNS by using multiple records - (such as multiple A records) for one name. 
- - - - For example, if you have three WWW servers with network addresses - of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the - following means that clients will connect to each machine one third - of the time: - - - - - - - - - - - - - - Name - - - - - TTL - - - - - CLASS - - - - - TYPE - - - - - Resource Record (RR) Data - - - - - - - www - - - - - 600 - - - - - IN - - - - - A - - - - - 10.0.0.1 - - - - - - - - - - 600 - - - - - IN - - - - - A - - - - - 10.0.0.2 - - - - - - - - - - 600 - - - - - IN - - - - - A - - - - - 10.0.0.3 - - - - - - - - When a resolver queries for these records, BIND will rotate - them and respond to the query with the records in a different - order. In the example above, clients will randomly receive - records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients - will use the first record returned and discard the rest. - - - For more detail on ordering responses, check the - rrset-order substatement in the - options statement, see - . - - - - - - Name Server Operations - - - Tools for Use With the Name Server Daemon - - This section describes several indispensable diagnostic, - administrative and monitoring tools available to the system - administrator for controlling and debugging the name server - daemon. - - - Diagnostic Tools - - The dig, host, and - nslookup programs are all command - line tools - for manually querying name servers. They differ in style and - output format. - - - - - dig - - - The domain information groper (dig) - is the most versatile and complete of these lookup tools. - It has two modes: simple interactive - mode for a single query, and batch mode which executes a - query for - each in a list of several query lines. All query options are - accessible - from the command line. 
- - - dig - @server - domain - query-type - query-class - +query-option - -dig-option - %comment - - - The usual simple use of dig will take the form - - - dig @server domain query-type query-class - - - For more information and a list of available commands and - options, see the dig man - page. - - - - - - host - - - The host utility emphasizes - simplicity - and ease of use. By default, it converts - between host names and Internet addresses, but its - functionality - can be extended with the use of options. - - - host - -aCdlnrsTwv - -c class - -N ndots - -t type - -W timeout - -R retries - -m flag - -4 - -6 - hostname - server - - - For more information and a list of available commands and - options, see the host man - page. - - - - - - nslookup - - nslookup - has two modes: interactive and - non-interactive. Interactive mode allows the user to - query name servers for information about various - hosts and domains or to print a list of hosts in a - domain. Non-interactive mode is used to print just - the name and requested information for a host or - domain. - - - nslookup - -option - - host-to-find - - server - - - - Interactive mode is entered when no arguments are given (the - default name server will be used) or when the first argument - is a - hyphen (`-') and the second argument is the host name or - Internet address - of a name server. - - - Non-interactive mode is used when the name or Internet - address - of the host to be looked up is given as the first argument. - The - optional second argument specifies the host name or address - of a name server. - - - Due to its arcane user interface and frequently inconsistent - behavior, we do not recommend the use of nslookup. - Use dig instead. - - - - - - - - - Administrative Tools - - Administrative tools play an integral part in the management - of a server. - - - - - named-checkconf - - - The named-checkconf program - checks the syntax of a named.conf file. 
- - - named-checkconf - -jvz - -t directory - filename - - - - - - named-checkzone - - - The named-checkzone program - checks a master file for - syntax and consistency. - - - named-checkzone - -djqvD - -c class - -o output - -t directory - -w directory - -k (ignore|warn|fail) - -n (ignore|warn|fail) - -W (ignore|warn) - zone - filename - - - - - named-compilezone - - - Similar to named-checkzone, but - it always dumps the zone content to a specified file - (typically in a different format). - - - - - - rndc - - - The remote name daemon control - (rndc) program allows the - system - administrator to control the operation of a name server. - Since BIND 9.2, rndc - supports all the commands of the BIND 8 ndc - utility except ndc start and - ndc restart, which were also - not supported in ndc's - channel mode. - If you run rndc without any - options - it will display a usage message as follows: - - - rndc - -c config - -s server - -p port - -y key - command - command - - The command - is one of the following: - - - - - - reload - - - Reload configuration file and zones. - - - - - - reload zone - class - view - - - Reload the given zone. - - - - - - refresh zone - class - view - - - Schedule zone maintenance for the given zone. - - - - - - retransfer zone - - class - view - - - Retransfer the given zone from the master. - - - - - - - freeze - zone - class - view - - - Suspend updates to a dynamic zone. If no zone is - specified, - then all zones are suspended. This allows manual - edits to be made to a zone normally updated by dynamic - update. It - also causes changes in the journal file to be synced - into the master - and the journal file to be removed. All dynamic - update attempts will - be refused while the zone is frozen. - - - - - - thaw - zone - class - view - - - Enable updates to a frozen dynamic zone. If no zone - is - specified, then all frozen zones are enabled. 
This - causes - the server to reload the zone from disk, and - re-enables dynamic updates - after the load has completed. After a zone is thawed, - dynamic updates - will no longer be refused. - - - - - - notify zone - class - view - - - Resend NOTIFY messages for the zone. - - - - - - reconfig - - - Reload the configuration file and load new zones, - but do not reload existing zone files even if they - have changed. - This is faster than a full reload when there - is a large number of zones because it avoids the need - to examine the - modification times of the zones files. - - - - - - stats - - - Write server statistics to the statistics file. - - - - - - querylog - - - Toggle query logging. Query logging can also be enabled - by explicitly directing the queries - category to a - channel in the - logging section of - named.conf or by specifying - querylog yes; in the - options section of - named.conf. - - - - - - dumpdb - -all|-cache|-zone - view ... - - - Dump the server's caches (default) and/or zones to - the - dump file for the specified views. If no view is - specified, all - views are dumped. - - - - - - stop -p - - - Stop the server, making sure any recent changes - made through dynamic update or IXFR are first saved to - the master files of the updated zones. - If -p is specified named's process id is returned. - This allows an external process to determine when named - had completed stopping. - - - - - - halt -p - - - Stop the server immediately. Recent changes - made through dynamic update or IXFR are not saved to - the master files, but will be rolled forward from the - journal files when the server is restarted. - If -p is specified named's process id is returned. - This allows an external process to determine when named - had completed halting. - - - - - - trace - - - Increment the servers debugging level by one. - - - - - - trace level - - - Sets the server's debugging level to an explicit - value. 
- - - - - - notrace - - - Sets the server's debugging level to 0. - - - - - - flush - - - Flushes the server's cache. - - - - - - flushname name - - - Flushes the given name from the server's cache. - - - - - - status - - - Display status of the server. - Note that the number of zones includes the internal bind/CH zone - and the default ./IN - hint zone if there is not an - explicit root zone configured. - - - - - - recursing - - - Dump the list of queries named is currently recursing - on. - - - - - - - - A configuration file is required, since all - communication with the server is authenticated with - digital signatures that rely on a shared secret, and - there is no way to provide that secret other than with a - configuration file. The default location for the - rndc configuration file is - /etc/rndc.conf, but an - alternate - location can be specified with the - option. If the configuration file is not found, - rndc will also look in - /etc/rndc.key (or whatever - sysconfdir was defined when - the BIND build was - configured). - The rndc.key file is - generated by - running rndc-confgen -a as - described in - . - - - - The format of the configuration file is similar to - that of named.conf, but - limited to - only four statements, the options, - key, server and - include - statements. These statements are what associate the - secret keys to the servers with which they are meant to - be shared. The order of statements is not - significant. - - - - The options statement has - three clauses: - default-server, default-key, - and default-port. - default-server takes a - host name or address argument and represents the server - that will - be contacted if no - option is provided on the command line. - default-key takes - the name of a key as its argument, as defined by a key statement. - default-port specifies the - port to which - rndc should connect if no - port is given on the command line or in a - server statement. 
- - - - The key statement defines a - key to be used - by rndc when authenticating - with - named. Its syntax is - identical to the - key statement in named.conf. - The keyword key is - followed by a key name, which must be a valid - domain name, though it need not actually be hierarchical; - thus, - a string like "rndc_key" is a valid - name. - The key statement has two - clauses: - algorithm and secret. - While the configuration parser will accept any string as the - argument - to algorithm, currently only the string "hmac-md5" - has any meaning. The secret is a base-64 encoded string - as specified in RFC 3548. - - - - The server statement - associates a key - defined using the key - statement with a server. - The keyword server is followed by a - host name or address. The server statement - has two clauses: key and port. - The key clause specifies the - name of the key - to be used when communicating with this server, and the - port clause can be used to - specify the port rndc should - connect - to on the server. - - - - A sample minimal configuration file is as follows: - - - -key rndc_key { - algorithm "hmac-md5"; - secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; -}; -options { - default-server 127.0.0.1; - default-key rndc_key; -}; - - - - This file, if installed as /etc/rndc.conf, - would allow the command: - - - - $ rndc reload - - - - to connect to 127.0.0.1 port 953 and cause the name server - to reload, if a name server on the local machine were - running with - following controls statements: - - - -controls { - inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; -}; - - - - and it had an identical key statement for - rndc_key. - - - - Running the rndc-confgen - program will - conveniently create a rndc.conf - file for you, and also display the - corresponding controls - statement that you need to - add to named.conf. 
- Alternatively, - you can run rndc-confgen -a - to set up - a rndc.key file and not - modify - named.conf at all. - - - - - - - - - - - Signals - - Certain UNIX signals cause the name server to take specific - actions, as described in the following table. These signals can - be sent using the kill command. - - - - - - - - - SIGHUP - - - - Causes the server to read named.conf and - reload the database. - - - - - - SIGTERM - - - - Causes the server to clean up and exit. - - - - - - SIGINT - - - - Causes the server to clean up and exit. - - - - - - - - - - - - Advanced DNS Features - - - - Notify - - DNS NOTIFY is a mechanism that allows master - servers to notify their slave servers of changes to a zone's data. In - response to a NOTIFY from a master server, the - slave will check to see that its version of the zone is the - current version and, if not, initiate a zone transfer. - - - - For more information about DNS - NOTIFY, see the description of the - notify option in and - the description of the zone option also-notify in - . The NOTIFY - protocol is specified in RFC 1996. - - - - As a slave zone can also be a master to other slaves, named, - by default, sends NOTIFY messages for every zone - it loads. Specifying notify master-only; will - cause named to only send NOTIFY for master - zones that it loads. - - - - - - Dynamic Update - - - Dynamic Update is a method for adding, replacing or deleting - records in a master server by sending it a special form of DNS - messages. The format and meaning of these messages is specified - in RFC 2136. - - - - Dynamic update is enabled by - including an allow-update or - update-policy clause in the - zone statement. - - - - Updating of secure zones (zones using DNSSEC) follows - RFC 3007: RRSIG and NSEC records affected by updates are automatically - regenerated by the server using an online zone key. - Update authorization is based - on transaction signatures and an explicit server policy. 
- - - - The journal file - - - All changes made to a zone using dynamic update are stored - in the zone's journal file. This file is automatically created - by the server when the first dynamic update takes place. - The name of the journal file is formed by appending the extension - .jnl to the name of the - corresponding zone - file unless specifically overridden. The journal file is in a - binary format and should not be edited manually. - - - - The server will also occasionally write ("dump") - the complete contents of the updated zone to its zone file. - This is not done immediately after - each dynamic update, because that would be too slow when a large - zone is updated frequently. Instead, the dump is delayed by - up to 15 minutes, allowing additional updates to take place. - - - - When a server is restarted after a shutdown or crash, it will replay - the journal file to incorporate into the zone any updates that - took - place after the last zone dump. - - - - Changes that result from incoming incremental zone transfers are - also - journalled in a similar way. - - - - The zone files of dynamic zones cannot normally be edited by - hand because they are not guaranteed to contain the most recent - dynamic changes — those are only in the journal file. - The only way to ensure that the zone file of a dynamic zone - is up to date is to run rndc stop. - - - - If you have to make changes to a dynamic zone - manually, the following procedure will work: Disable dynamic updates - to the zone using - rndc freeze zone. - This will also remove the zone's .jnl file - and update the master file. Edit the zone file. Run - rndc thaw zone - to reload the changed zone and re-enable dynamic updates. - - - - - - - - Incremental Zone Transfers (IXFR) - - - The incremental zone transfer (IXFR) protocol is a way for - slave servers to transfer only changed data, instead of having to - transfer the entire zone. The IXFR protocol is specified in RFC - 1995. See . 
- - - - When acting as a master, BIND 9 - supports IXFR for those zones - where the necessary change history information is available. These - include master zones maintained by dynamic update and slave zones - whose data was obtained by IXFR. For manually maintained master - zones, and for slave zones obtained by performing a full zone - transfer (AXFR), IXFR is supported only if the option - ixfr-from-differences is set - to yes. - - - - When acting as a slave, BIND 9 will - attempt to use IXFR unless - it is explicitly disabled. For more information about disabling - IXFR, see the description of the request-ixfr clause - of the server statement. - - - - - Split DNS - - Setting up different views, or visibility, of the DNS space to - internal and external resolvers is usually referred to as a - Split DNS setup. There are several - reasons an organization would want to set up its DNS this way. - - - One common reason for setting up a DNS system this way is - to hide "internal" DNS information from "external" clients on the - Internet. There is some debate as to whether or not this is actually - useful. - Internal DNS information leaks out in many ways (via email headers, - for example) and most savvy "attackers" can find the information - they need using other means. - However, since listing addresses of internal servers that - external clients cannot possibly reach can result in - connection delays and other annoyances, an organization may - choose to use a Split DNS to present a consistent view of itself - to the outside world. - - - Another common reason for setting up a Split DNS system is - to allow internal networks that are behind filters or in RFC 1918 - space (reserved IP space, as documented in RFC 1918) to resolve DNS - on the Internet. Split DNS can also be used to allow mail from outside - back in to the internal network. - - - Example split DNS setup - - Let's say a company named Example, Inc. 
- (example.com) - has several corporate sites that have an internal network with - reserved - Internet Protocol (IP) space and an external demilitarized zone (DMZ), - or "outside" section of a network, that is available to the public. - - - Example, Inc. wants its internal clients - to be able to resolve external hostnames and to exchange mail with - people on the outside. The company also wants its internal resolvers - to have access to certain internal-only zones that are not available - at all outside of the internal network. - - - In order to accomplish this, the company will set up two sets - of name servers. One set will be on the inside network (in the - reserved - IP space) and the other set will be on bastion hosts, which are - "proxy" - hosts that can talk to both sides of its network, in the DMZ. - - - The internal servers will be configured to forward all queries, - except queries for site1.internal, site2.internal, site1.example.com, - and site2.example.com, to the servers - in the - DMZ. These internal servers will have complete sets of information - for site1.example.com, site2.example.com, site1.internal, - and site2.internal. - - - To protect the site1.internal and site2.internal domains, - the internal name servers must be configured to disallow all queries - to these domains from any external hosts, including the bastion - hosts. - - - The external servers, which are on the bastion hosts, will - be configured to serve the "public" version of the site1 and site2.example.com zones. - This could include things such as the host records for public servers - (www.example.com and ftp.example.com), - and mail exchange (MX) records (a.mx.example.com and b.mx.example.com). - - - In addition, the public site1 and site2.example.com zones - should have special MX records that contain wildcard (`*') records - pointing to the bastion hosts. 
This is needed because external mail - servers do not have any other way of looking up how to deliver mail - to those internal hosts. With the wildcard records, the mail will - be delivered to the bastion host, which can then forward it on to - internal hosts. - - - Here's an example of a wildcard MX record: - - * IN MX 10 external1.example.com. - - Now that they accept mail on behalf of anything in the internal - network, the bastion hosts will need to know how to deliver mail - to internal hosts. In order for this to work properly, the resolvers - on - the bastion hosts will need to be configured to point to the internal - name servers for DNS resolution. - - - Queries for internal hostnames will be answered by the internal - servers, and queries for external hostnames will be forwarded back - out to the DNS servers on the bastion hosts. - - - In order for all this to work properly, internal clients will - need to be configured to query only the internal - name servers for DNS queries. This could also be enforced via - selective - filtering on the network. - - - If everything has been set properly, Example, Inc.'s - internal clients will now be able to: - - - - - Look up any hostnames in the site1 - and - site2.example.com zones. - - - - - Look up any hostnames in the site1.internal and - site2.internal domains. - - - - Look up any hostnames on the Internet. - - - Exchange mail with both internal and external people. - - - - Hosts on the Internet will be able to: - - - - - Look up any hostnames in the site1 - and - site2.example.com zones. - - - - - Exchange mail with anyone in the site1 and - site2.example.com zones. - - - - - - Here is an example configuration for the setup we just - described above. Note that this is only configuration information; - for information on how to configure your zone files, see . 
- - - - Internal DNS server config: - - - - -acl internals { 172.16.72.0/24; 192.168.1.0/24; }; - -acl externals { bastion-ips-go-here; }; - -options { - ... - ... - forward only; - forwarders { // forward to external servers - bastion-ips-go-here; - }; - allow-transfer { none; }; // sample allow-transfer (no one) - allow-query { internals; externals; }; // restrict query access - allow-recursion { internals; }; // restrict recursion - ... - ... -}; - -zone "site1.example.com" { // sample master zone - type master; - file "m/site1.example.com"; - forwarders { }; // do normal iterative - // resolution (do not forward) - allow-query { internals; externals; }; - allow-transfer { internals; }; -}; - -zone "site2.example.com" { // sample slave zone - type slave; - file "s/site2.example.com"; - masters { 172.16.72.3; }; - forwarders { }; - allow-query { internals; externals; }; - allow-transfer { internals; }; -}; - -zone "site1.internal" { - type master; - file "m/site1.internal"; - forwarders { }; - allow-query { internals; }; - allow-transfer { internals; } -}; - -zone "site2.internal" { - type slave; - file "s/site2.internal"; - masters { 172.16.72.3; }; - forwarders { }; - allow-query { internals }; - allow-transfer { internals; } -}; - - - - External (bastion host) DNS server config: - - - -acl internals { 172.16.72.0/24; 192.168.1.0/24; }; - -acl externals { bastion-ips-go-here; }; - -options { - ... - ... - allow-transfer { none; }; // sample allow-transfer (no one) - allow-query { any; }; // default query access - allow-query-cache { internals; externals; }; // restrict cache access - allow-recursion { internals; externals; }; // restrict recursion - ... - ... 
-}; - -zone "site1.example.com" { // sample slave zone - type master; - file "m/site1.foo.com"; - allow-transfer { internals; externals; }; -}; - -zone "site2.example.com" { - type slave; - file "s/site2.foo.com"; - masters { another_bastion_host_maybe; }; - allow-transfer { internals; externals; } -}; - - - - In the resolv.conf (or equivalent) on - the bastion host(s): - - - -search ... -nameserver 172.16.72.2 -nameserver 172.16.72.3 -nameserver 172.16.72.4 - - - - - - TSIG - - This is a short guide to setting up Transaction SIGnatures - (TSIG) based transaction security in BIND. It describes changes - to the configuration file as well as what changes are required for - different features, including the process of creating transaction - keys and using transaction signatures with BIND. - - - BIND primarily supports TSIG for server - to server communication. - This includes zone transfer, notify, and recursive query messages. - Resolvers based on newer versions of BIND 8 have limited support - for TSIG. - - - - TSIG can also be useful for dynamic update. A primary - server for a dynamic zone should control access to the dynamic - update service, but IP-based access control is insufficient. - The cryptographic access control provided by TSIG - is far superior. The nsupdate - program supports TSIG via the and - command line options or inline by use - of the key. - - - - Generate Shared Keys for Each Pair of Hosts - - A shared secret is generated to be shared between host1 and host2. - An arbitrary key name is chosen: "host1-host2.". The key name must - be the same on both hosts. - - - Automatic Generation - - The following command will generate a 128-bit (16 byte) HMAC-MD5 - key as described above. Longer keys are better, but shorter keys - are easier to read. Note that the maximum key length is 512 bits; - keys longer than that will be digested with MD5 to produce a - 128-bit key. - - - dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2. 
- - - The key is in the file Khost1-host2.+157+00000.private. - Nothing directly uses this file, but the base-64 encoded string - following "Key:" - can be extracted from the file and used as a shared secret: - - Key: La/E5CjG9O+os1jq0a2jdA== - - The string "La/E5CjG9O+os1jq0a2jdA==" can - be used as the shared secret. - - - - Manual Generation - - The shared secret is simply a random sequence of bits, encoded - in base-64. Most ASCII strings are valid base-64 strings (assuming - the length is a multiple of 4 and only valid characters are used), - so the shared secret can be manually generated. - - - Also, a known string can be run through mmencode or - a similar program to generate base-64 encoded data. - - - - - Copying the Shared Secret to Both Machines - - This is beyond the scope of DNS. A secure transport mechanism - should be used. This could be secure FTP, ssh, telephone, etc. - - - - Informing the Servers of the Key's Existence - - Imagine host1 and host 2 - are - both servers. The following is added to each server's named.conf file: - - - -key host1-host2. { - algorithm hmac-md5; - secret "La/E5CjG9O+os1jq0a2jdA=="; -}; - - - - The algorithm, hmac-md5, is the only one supported by BIND. - The secret is the one generated above. Since this is a secret, it - is recommended that either named.conf be non-world - readable, or the key directive be added to a non-world readable - file that is included by - named.conf. - - - At this point, the key is recognized. This means that if the - server receives a message signed by this key, it can verify the - signature. If the signature is successfully verified, the - response is signed by the same key. - - - - - Instructing the Server to Use the Key - - Since keys are shared between two hosts only, the server must - be told when keys are to be used. The following is added to the named.conf file - for host1, if the IP address of host2 is - 10.1.2.3: - - - -server 10.1.2.3 { - keys { host1-host2. 
;}; -}; - - - - Multiple keys may be present, but only the first is used. - This directive does not contain any secrets, so it may be in a - world-readable - file. - - - If host1 sends a message that is a request - to that address, the message will be signed with the specified key. host1 will - expect any responses to signed messages to be signed with the same - key. - - - A similar statement must be present in host2's - configuration file (with host1's address) for host2 to - sign request messages to host1. - - - - TSIG Key Based Access Control - - BIND allows IP addresses and ranges - to be specified in ACL - definitions and - allow-{ query | transfer | update } - directives. - This has been extended to allow TSIG keys also. The above key would - be denoted key host1-host2. - - - An example of an allow-update directive would be: - - - -allow-update { key host1-host2. ;}; - - - - This allows dynamic updates to succeed only if the request - was signed by a key named - "host1-host2.". - - - You may want to read about the more - powerful update-policy statement in . - - - - - Errors - - - The processing of TSIG signed messages can result in - several errors. If a signed message is sent to a non-TSIG aware - server, a FORMERR (format error) will be returned, since the server will not - understand the record. This is a result of misconfiguration, - since the server must be explicitly configured to send a TSIG - signed message to a specific server. - - - - If a TSIG aware server receives a message signed by an - unknown key, the response will be unsigned with the TSIG - extended error code set to BADKEY. If a TSIG aware server - receives a message with a signature that does not validate, the - response will be unsigned with the TSIG extended error code set - to BADSIG. 
If a TSIG aware server receives a message with a time - outside of the allowed range, the response will be signed with - the TSIG extended error code set to BADTIME, and the time values - will be adjusted so that the response can be successfully - verified. In any of these cases, the message's rcode (response code) is set to - NOTAUTH (not authenticated). - - - - - - TKEY - - TKEY - is a mechanism for automatically generating a shared secret - between two hosts. There are several "modes" of - TKEY that specify how the key is generated - or assigned. BIND 9 implements only one of - these modes, the Diffie-Hellman key exchange. Both hosts are - required to have a Diffie-Hellman KEY record (although this - record is not required to be present in a zone). The - TKEY process must use signed messages, - signed either by TSIG or SIG(0). The result of - TKEY is a shared secret that can be used to - sign messages with TSIG. TKEY can also be - used to delete shared secrets that it had previously - generated. - - - - The TKEY process is initiated by a - client - or server by sending a signed TKEY - query - (including any appropriate KEYs) to a TKEY-aware server. The - server response, if it indicates success, will contain a - TKEY record and any appropriate keys. - After - this exchange, both participants have enough information to - determine the shared secret; the exact process depends on the - TKEY mode. When using the - Diffie-Hellman - TKEY mode, Diffie-Hellman keys are - exchanged, - and the shared secret is derived by both participants. - - - - - SIG(0) - - - BIND 9 partially supports DNSSEC SIG(0) - transaction signatures as specified in RFC 2535 and RFC2931. - SIG(0) - uses public/private keys to authenticate messages. Access control - is performed in the same manner as TSIG keys; privileges can be - granted or denied based on the key name. 
- - - - When a SIG(0) signed message is received, it will only be - verified if the key is known and trusted by the server; the server - will not attempt to locate and/or validate the key. - - - - SIG(0) signing of multiple-message TCP streams is not - supported. - - - - The only tool shipped with BIND 9 that - generates SIG(0) signed messages is nsupdate. - - - - - DNSSEC - - - Cryptographic authentication of DNS information is possible - through the DNS Security (DNSSEC-bis) extensions, - defined in RFC 4033, RFC 4034, and RFC 4035. - This section describes the creation and use of DNSSEC signed zones. - - - - In order to set up a DNSSEC secure zone, there are a series - of steps which must be followed. BIND - 9 ships - with several tools - that are used in this process, which are explained in more detail - below. In all cases, the option prints a - full list of parameters. Note that the DNSSEC tools require the - keyset files to be in the working directory or the - directory specified by the option, and - that the tools shipped with BIND 9.2.x and earlier are not compatible - with the current ones. - - - - There must also be communication with the administrators of - the parent and/or child zone to transmit keys. A zone's security - status must be indicated by the parent zone for a DNSSEC capable - resolver to trust its data. This is done through the presence - or absence of a DS record at the - delegation - point. - - - - For other servers to trust data in this zone, they must - either be statically configured with this zone's zone key or the - zone key of another zone above this one in the DNS tree. - - - - Generating Keys - - - The dnssec-keygen program is used to - generate keys. - - - - A secure zone must contain one or more zone keys. The - zone keys will sign all other records in the zone, as well as - the zone keys of any secure delegated zones. 
Zone keys must - have the same name as the zone, a name type of - ZONE, and must be usable for - authentication. - It is recommended that zone keys use a cryptographic algorithm - designated as "mandatory to implement" by the IETF; currently - the only one is RSASHA1. - - - - The following command will generate a 768-bit RSASHA1 key for - the child.example zone: - - - - dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example. - - - - Two output files will be produced: - Kchild.example.+005+12345.key and - Kchild.example.+005+12345.private - (where - 12345 is an example of a key tag). The key filenames contain - the key name (child.example.), - algorithm (3 - is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in - this case). - The private key (in the .private - file) is - used to generate signatures, and the public key (in the - .key file) is used for signature - verification. - - - - To generate another key with the same properties (but with - a different key tag), repeat the above command. - - - - The public keys should be inserted into the zone file by - including the .key files using - $INCLUDE statements. - - - - - Signing the Zone - - - The dnssec-signzone program is used - to - sign a zone. - - - - Any keyset files corresponding - to secure subzones should be present. The zone signer will - generate NSEC and RRSIG - records for the zone, as well as DS - for - the child zones if '-d' is specified. - If '-d' is not specified, then - DS RRsets for - the secure child zones need to be added manually. - - - - The following command signs the zone, assuming it is in a - file called zone.child.example. By - default, all zone keys which have an available private key are - used to generate signatures. - - - - dnssec-signzone -o child.example zone.child.example - - - - One output file is produced: - zone.child.example.signed. This - file - should be referenced by named.conf - as the - input file for the zone. 
- - - dnssec-signzone - will also produce a keyset and dsset files and optionally a - dlvset file. These are used to provide the parent zone - administrators with the DNSKEYs (or their - corresponding DS records) that are the - secure entry point to the zone. - - - - - - Configuring Servers - - - To enable named to respond appropriately - to DNS requests from DNSSEC aware clients, - dnssec-enable must be set to yes. - - - - To enable named to validate answers from - other servers both dnssec-enable and - dnssec-validation must be set and some - trusted-keys must be configured - into named.conf. - - - - trusted-keys are copies of DNSKEY RRs - for zones that are used to form the first link in the - cryptographic chain of trust. All keys listed in - trusted-keys (and corresponding zones) - are deemed to exist and only the listed keys will be used - to validated the DNSKEY RRset that they are from. - - - - trusted-keys are described in more detail - later in this document. - - - - Unlike BIND 8, BIND - 9 does not verify signatures on load, so zone keys for - authoritative zones do not need to be specified in the - configuration file. - - - - After DNSSEC gets established, a typical DNSSEC configuration - will look something like the following. It has a one or - more public keys for the root. This allows answers from - outside the organization to be validated. It will also - have several keys for parts of the namespace the organization - controls. These are here to ensure that named is immune - to compromises in the DNSSEC components of the security - of parent zones. - - - -trusted-keys { - - /* Root Key */ -"." 
257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/ - E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3 - zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz - MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M - /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M - iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI - Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3"; - -/* Key for our organization's forward zone */ -example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe - 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb - OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC - lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt - 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b - iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn - SCThlHf3xiYleDbt/o1OTQ09A0="; - -/* Key for our reverse zone. */ -2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA - VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0 - tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0 - yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ - 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06 - zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL - 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD - 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib"; -}; - -options { - ... - dnssec-enable yes; - dnssec-validation yes; -}; - - - - None of the keys listed in this example are valid. In particular, - the root key is not valid. - - - - - - - IPv6 Support in <acronym>BIND</acronym> 9 - - - BIND 9 fully supports all currently - defined forms of IPv6 - name to address and address to name lookups. It will also use - IPv6 addresses to make queries when running on an IPv6 capable - system. - - - - For forward lookups, BIND 9 supports - only AAAA records. RFC 3363 deprecated the use of A6 records, - and client-side support for A6 records was accordingly removed - from BIND 9. 
- However, authoritative BIND 9 name servers still - load zone files containing A6 records correctly, answer queries - for A6 records, and accept zone transfer for a zone containing A6 - records. - - - - For IPv6 reverse lookups, BIND 9 supports - the traditional "nibble" format used in the - ip6.arpa domain, as well as the older, deprecated - ip6.int domain. - Older versions of BIND 9 - supported the "binary label" (also known as "bitstring") format, - but support of binary labels has been completely removed per - RFC 3363. - Many applications in BIND 9 do not understand - the binary label format at all any more, and will return an - error if given. - In particular, an authoritative BIND 9 - name server will not load a zone file containing binary labels. - - - - For an overview of the format and structure of IPv6 addresses, - see . - - - - Address Lookups Using AAAA Records - - - The IPv6 AAAA record is a parallel to the IPv4 A record, - and, unlike the deprecated A6 record, specifies the entire - IPv6 address in a single record. For example, - - - -$ORIGIN example.com. -host 3600 IN AAAA 2001:db8::1 - - - - Use of IPv4-in-IPv6 mapped addresses is not recommended. - If a host has an IPv4 address, use an A record, not - a AAAA, with ::ffff:192.168.42.1 as - the address. - - - - Address to Name Lookups Using Nibble Format - - - When looking up an address in nibble format, the address - components are simply reversed, just as in IPv4, and - ip6.arpa. is appended to the - resulting name. - For example, the following would provide reverse name lookup for - a host with address - 2001:db8::1. - - - -$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com. - - - - - - - - The <acronym>BIND</acronym> 9 Lightweight Resolver - - The Lightweight Resolver Library - - Traditionally applications have been linked with a stub resolver - library that sends recursive DNS queries to a local caching name - server. 
- - - IPv6 once introduced new complexity into the resolution process, - such as following A6 chains and DNAME records, and simultaneous - lookup of IPv4 and IPv6 addresses. Though most of the complexity was - then removed, these are hard or impossible - to implement in a traditional stub resolver. - - - BIND 9 therefore can also provide resolution - services to local clients - using a combination of a lightweight resolver library and a resolver - daemon process running on the local host. These communicate using - a simple UDP-based protocol, the "lightweight resolver protocol" - that is distinct from and simpler than the full DNS protocol. - - - - Running a Resolver Daemon - - - To use the lightweight resolver interface, the system must - run the resolver daemon lwresd or a - local - name server configured with a lwres - statement. - - - - By default, applications using the lightweight resolver library will - make - UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. - The - address can be overridden by lwserver - lines in - /etc/resolv.conf. - - - - The daemon currently only looks in the DNS, but in the future - it may use other sources such as /etc/hosts, - NIS, etc. - - - - The lwresd daemon is essentially a - caching-only name server that responds to requests using the - lightweight - resolver protocol rather than the DNS protocol. Because it needs - to run on each host, it is designed to require no or minimal - configuration. - Unless configured otherwise, it uses the name servers listed on - nameserver lines in /etc/resolv.conf - as forwarders, but is also capable of doing the resolution - autonomously if - none are specified. - - - The lwresd daemon may also be - configured with a - named.conf style configuration file, - in - /etc/lwresd.conf by default. A name - server may also - be configured to act as a lightweight resolver daemon using the - lwres statement in named.conf. 
- - - - - - - <acronym>BIND</acronym> 9 Configuration Reference - - - BIND 9 configuration is broadly similar - to BIND 8; however, there are a few new - areas - of configuration, such as views. BIND - 8 configuration files should work with few alterations in BIND - 9, although more complex configurations should be reviewed to check - if they can be more efficiently implemented using the new features - found in BIND 9. - - - - BIND 4 configuration files can be - converted to the new format - using the shell script - contrib/named-bootconf/named-bootconf.sh. - - - Configuration File Elements - - Following is a list of elements used throughout the BIND configuration - file documentation: - - - - - - - - - - acl_name - - - - - The name of an address_match_list as - defined by the acl statement. - - - - - - - address_match_list - - - - - A list of one or more - ip_addr, - ip_prefix, key_id, - or acl_name elements, see - . - - - - - - - masters_list - - - - - A named list of one or more ip_addr - with optional key_id and/or - ip_port. - A masters_list may include other - masters_lists. - - - - - - - domain_name - - - - - A quoted string which will be used as - a DNS name, for example "my.test.domain". - - - - - - - dotted_decimal - - - - - One to four integers valued 0 through - 255 separated by dots (`.'), such as 123, - 45.67 or 89.123.45.67. - - - - - - - ip4_addr - - - - - An IPv4 address with exactly four elements - in dotted_decimal notation. - - - - - - - ip6_addr - - - - - An IPv6 address, such as 2001:db8::1234. - IPv6 scoped addresses that have ambiguity on their scope - zones must be - disambiguated by an appropriate zone ID with the percent - character - (`%') as delimiter. - It is strongly recommended to use string zone names rather - than - numeric identifiers, in order to be robust against system - configuration changes. 
- However, since there is no standard mapping for such names - and - identifier values, currently only interface names as link - identifiers - are supported, assuming one-to-one mapping between - interfaces and links. - For example, a link-local address fe80::1 on the - link attached to the interface ne0 - can be specified as fe80::1%ne0. - Note that on most systems link-local addresses always have - the - ambiguity, and need to be disambiguated. - - - - - - - ip_addr - - - - - An ip4_addr or ip6_addr. - - - - - - - ip_port - - - - - An IP port number. - The number is limited to 0 - through 65535, with values - below 1024 typically restricted to use by processes running - as root. - In some cases, an asterisk (`*') character can be used as a - placeholder to - select a random high-numbered port. - - - - - - - ip_prefix - - - - - An IP network specified as an ip_addr, - followed by a slash (`/') and then the number of bits in the - netmask. - Trailing zeros in a ip_addr - may omitted. - For example, 127/8 is the - network 127.0.0.0 with - netmask 255.0.0.0 and 1.2.3.0/28 is - network 1.2.3.0 with netmask 255.255.255.240. - - - - - - - key_id - - - - - A domain_name representing - the name of a shared key, to be used for transaction - security. - - - - - - - key_list - - - - - A list of one or more - key_ids, - separated by semicolons and ending with a semicolon. - - - - - - - number - - - - - A non-negative 32-bit integer - (i.e., a number between 0 and 4294967295, inclusive). - Its acceptable value might further - be limited by the context in which it is used. - - - - - - - path_name - - - - - A quoted string which will be used as - a pathname, such as zones/master/my.test.domain. - - - - - - - size_spec - - - - - A number, the word unlimited, - or the word default. - - - An unlimited size_spec requests unlimited - use, or the maximum available amount. A default size_spec uses - the limit that was in force when the server was started. 
- - - A number can optionally be - followed by a scaling factor: - K or k - for kilobytes, - M or m - for megabytes, and - G or g for gigabytes, - which scale by 1024, 1024*1024, and 1024*1024*1024 - respectively. - - - The value must be representable as a 64-bit unsigned integer - (0 to 18446744073709551615, inclusive). - Using unlimited is the best - way - to safely set a really large number. - - - - - - - yes_or_no - - - - - Either yes or no. - The words true and false are - also accepted, as are the numbers 1 - and 0. - - - - - - - dialup_option - - - - - One of yes, - no, notify, - notify-passive, refresh or - passive. - When used in a zone, notify-passive, - refresh, and passive - are restricted to slave and stub zones. - - - - - - - - Address Match Lists - - Syntax - -address_match_list = address_match_list_element ; - address_match_list_element; ... -address_match_list_element = ! (ip_address /length | - key key_id | acl_name | { address_match_list } ) - - - - - Definition and Usage - - Address match lists are primarily used to determine access - control for various server operations. They are also used in - the listen-on and sortlist - statements. The elements - which constitute an address match list can be any of the - following: - - - - an IP address (IPv4 or IPv6) - - - an IP prefix (in `/' notation) - - - - a key ID, as defined by the key - statement - - - - the name of an address match list defined with - the acl statement - - - - a nested address match list enclosed in braces - - - - - Elements can be negated with a leading exclamation mark (`!'), - and the match list names "any", "none", "localhost", and - "localnets" - are predefined. More information on those names can be found in - the description of the acl statement. - - - - The addition of the key clause made the name of this syntactic - element something of a misnomer, since security keys can be used - to validate access without regard to a host or network address. 
- Nonetheless, - the term "address match list" is still used throughout the - documentation. - - - - When a given IP address or prefix is compared to an address - match list, the list is traversed in order until an element - matches. - The interpretation of a match depends on whether the list is being - used - for access control, defining listen-on ports, or in a sortlist, - and whether the element was negated. - - - - When used as an access control list, a non-negated match - allows access and a negated match denies access. If - there is no match, access is denied. The clauses - allow-notify, - allow-query, - allow-query-cache, - allow-transfer, - allow-update, - allow-update-forwarding, and - blackhole all use address match - lists. Similarly, the listen-on option will cause the - server to not accept queries on any of the machine's - addresses which do not match the list. - - - - Because of the first-match aspect of the algorithm, an element - that defines a subset of another element in the list should come - before the broader element, regardless of whether either is - negated. For - example, in - 1.2.3/24; ! 1.2.3.13; the 1.2.3.13 - element is - completely useless because the algorithm will match any lookup for - 1.2.3.13 to the 1.2.3/24 element. - Using ! 1.2.3.13; 1.2.3/24 fixes - that problem by having 1.2.3.13 blocked by the negation but all - other 1.2.3.* hosts fall through. - - - - - - Comment Syntax - - - The BIND 9 comment syntax allows for - comments to appear - anywhere that whitespace may appear in a BIND configuration - file. To appeal to programmers of all kinds, they can be written - in the C, C++, or shell/perl style. - - - - Syntax - - - /* This is a BIND comment as in C */ - // This is a BIND comment as in C++ - # This is a BIND comment as in common UNIX shells and perl - - - - Definition and Usage - - Comments may appear anywhere that whitespace may appear in - a BIND configuration file. 
- - - C-style comments start with the two characters /* (slash, - star) and end with */ (star, slash). Because they are completely - delimited with these characters, they can be used to comment only - a portion of a line or to span multiple lines. - - - C-style comments cannot be nested. For example, the following - is not valid because the entire comment ends with the first */: - - - -/* This is the start of a comment. - This is still part of the comment. -/* This is an incorrect attempt at nesting a comment. */ - This is no longer in any comment. */ - - - - - - C++-style comments start with the two characters // (slash, - slash) and continue to the end of the physical line. They cannot - be continued across multiple physical lines; to have one logical - comment span multiple lines, each line must use the // pair. - - - For example: - - - -// This is the start of a comment. The next line -// is a new comment, even though it is logically -// part of the previous comment. - - - - - Shell-style (or perl-style, if you prefer) comments start - with the character # (number sign) - and continue to the end of the - physical line, as in C++ comments. - - - For example: - - - - -# This is the start of a comment. The next line -# is a new comment, even though it is logically -# part of the previous comment. - - - - - - - You cannot use the semicolon (`;') character - to start a comment such as you would in a zone file. The - semicolon indicates the end of a configuration - statement. - - - - - - - - Configuration File Grammar - - - A BIND 9 configuration consists of - statements and comments. - Statements end with a semicolon. Statements and comments are the - only elements that can appear without enclosing braces. Many - statements contain a block of sub-statements, which are also - terminated with a semicolon. - - - - The following statements are supported: - - - - - - - - - - acl - - - - defines a named IP address - matching list, for access control and other uses. 
- - - - - - controls - - - - declares control channels to be used - by the rndc utility. - - - - - - include - - - - includes a file. - - - - - - key - - - - specifies key information for use in - authentication and authorization using TSIG. - - - - - - logging - - - - specifies what the server logs, and where - the log messages are sent. - - - - - - lwres - - - - configures named to - also act as a light-weight resolver daemon (lwresd). - - - - - - masters - - - - defines a named masters list for - inclusion in stub and slave zone masters clauses. - - - - - - options - - - - controls global server configuration - options and sets defaults for other statements. - - - - - - server - - - - sets certain configuration options on - a per-server basis. - - - - - - trusted-keys - - - - defines trusted DNSSEC keys. - - - - - - view - - - - defines a view. - - - - - - zone - - - - defines a zone. - - - - - - - - - The logging and - options statements may only occur once - per - configuration. - - - - <command>acl</command> Statement Grammar - -acl acl-name { - address_match_list -}; - - - - - <command>acl</command> Statement Definition and - Usage - - - The acl statement assigns a symbolic - name to an address match list. It gets its name from a primary - use of address match lists: Access Control Lists (ACLs). - - - - Note that an address match list's name must be defined - with acl before it can be used - elsewhere; no - forward references are allowed. - - - - The following ACLs are built-in: - - - - - - - - - - any - - - - Matches all hosts. - - - - - - none - - - - Matches no hosts. - - - - - - localhost - - - - Matches the IPv4 and IPv6 addresses of all network - interfaces on the system. - - - - - - localnets - - - - Matches any host on an IPv4 or IPv6 network - for which the system has an interface. - Some systems do not provide a way to determine the prefix - lengths of - local IPv6 addresses. 
- In such a case, localnets - only matches the local - IPv6 addresses, just like localhost. - - - - - - - - - - <command>controls</command> Statement Grammar - -controls { - [ inet ( ip_addr | * ) [ port ip_port ] allow { address_match_list } - keys { key_list }; ] - [ inet ...; ] - [ unix path perm number owner number group number keys { key_list }; ] - [ unix ...; ] -}; - - - - - - <command>controls</command> Statement Definition and - Usage - - - The controls statement declares control - channels to be used by system administrators to control the - operation of the name server. These control channels are - used by the rndc utility to send - commands to and retrieve non-DNS results from a name server. - - - - An inet control channel is a TCP socket - listening at the specified ip_port on the - specified ip_addr, which can be an IPv4 or IPv6 - address. An ip_addr of * (asterisk) is - interpreted as the IPv4 wildcard address; connections will be - accepted on any of the system's IPv4 addresses. - To listen on the IPv6 wildcard address, - use an ip_addr of ::. - If you will only use rndc on the local host, - using the loopback address (127.0.0.1 - or ::1) is recommended for maximum security. - - - - If no port is specified, port 953 is used. The asterisk - "*" cannot be used for ip_port. - - - - The ability to issue commands over the control channel is - restricted by the allow and - keys clauses. - Connections to the control channel are permitted based on the - address_match_list. This is for simple - IP address based filtering only; any key_id - elements of the address_match_list - are ignored. - - - - A unix control channel is a UNIX domain - socket listening at the specified path in the file system. - Access to the socket is specified by the perm, - owner and group clauses. - Note on some platforms (SunOS and Solaris) the permissions - (perm) are applied to the parent directory - as the permissions on the socket itself are ignored. 
- - - - The primary authorization mechanism of the command - channel is the key_list, which - contains a list of key_ids. - Each key_id in the key_list - is authorized to execute commands over the control channel. - See in ) - for information about configuring keys in rndc. - - - - If no controls statement is present, - named will set up a default - control channel listening on the loopback address 127.0.0.1 - and its IPv6 counterpart ::1. - In this case, and also when the controls statement - is present but does not have a keys clause, - named will attempt to load the command channel key - from the file rndc.key in - /etc (or whatever sysconfdir - was specified as when BIND was built). - To create a rndc.key file, run - rndc-confgen -a. - - - - The rndc.key feature was created to - ease the transition of systems from BIND 8, - which did not have digital signatures on its command channel - messages and thus did not have a keys clause. - - It makes it possible to use an existing BIND 8 - configuration file in BIND 9 unchanged, - and still have rndc work the same way - ndc worked in BIND 8, simply by executing the - command rndc-confgen -a after BIND 9 is - installed. - - - - Since the rndc.key feature - is only intended to allow the backward-compatible usage of - BIND 8 configuration files, this - feature does not - have a high degree of configurability. You cannot easily change - the key name or the size of the secret, so you should make a - rndc.conf with your own key if you - wish to change - those things. The rndc.key file - also has its - permissions set such that only the owner of the file (the user that - named is running as) can access it. - If you - desire greater flexibility in allowing other users to access - rndc commands, then you need to create - a - rndc.conf file and make it group - readable by a group - that contains the users who should have access. - - - - To disable the command channel, use an empty - controls statement: - controls { };. 
- - - - - <command>include</command> Statement Grammar - include filename; - - - <command>include</command> Statement Definition and - Usage - - - The include statement inserts the - specified file at the point where the include - statement is encountered. The include - statement facilitates the administration of configuration - files - by permitting the reading or writing of some things but not - others. For example, the statement could include private keys - that are readable only by the name server. - - - - - <command>key</command> Statement Grammar - -key key_id { - algorithm string; - secret string; -}; - - - - - - <command>key</command> Statement Definition and Usage - - - The key statement defines a shared - secret key for use with TSIG (see ) - or the command channel - (see ). - - - - The key statement can occur at the - top level - of the configuration file or inside a view - statement. Keys defined in top-level key - statements can be used in all views. Keys intended for use in - a controls statement - (see ) - must be defined at the top level. - - - - The key_id, also known as the - key name, is a domain name uniquely identifying the key. It can - be used in a server - statement to cause requests sent to that - server to be signed with this key, or in address match lists to - verify that incoming requests have been signed with a key - matching this name, algorithm, and secret. - - - - The algorithm_id is a string - that specifies a security/authentication algorithm. Named - supports hmac-md5, - hmac-sha1, hmac-sha224, - hmac-sha256, hmac-sha384 - and hmac-sha512 TSIG authentication. - Truncated hashes are supported by appending the minimum - number of required bits preceded by a dash, e.g. - hmac-sha1-80. The - secret_string is the secret - to be used by the algorithm, and is treated as a base-64 - encoded string. 
- - - - - <command>logging</command> Statement Grammar - -logging { - [ channel channel_name { - ( file path name - [ versions ( number | unlimited ) ] - [ size size spec ] - | syslog syslog_facility - | stderr - | null ); - [ severity ( | | | | - | [ level ] | ); ] - [ print-category or ; ] - [ print-severity or ; ] - [ print-time or ; ] - }; ] - [ category category_name { - channel_name ; [ channel_name ; ... ] - }; ] - ... -}; - - - - - - <command>logging</command> Statement Definition and - Usage - - - The logging statement configures a - wide - variety of logging options for the name server. Its channel phrase - associates output methods, format options and severity levels with - a name that can then be used with the category phrase - to select how various classes of messages are logged. - - - Only one logging statement is used to - define - as many channels and categories as are wanted. If there is no logging statement, - the logging configuration will be: - - -logging { - category default { default_syslog; default_debug; }; - category unmatched { null; }; -}; - - - - In BIND 9, the logging configuration - is only established when - the entire configuration file has been parsed. In BIND 8, it was - established as soon as the logging - statement - was parsed. When the server is starting up, all logging messages - regarding syntax errors in the configuration file go to the default - channels, or to standard error if the "" option - was specified. - - - - The <command>channel</command> Phrase - - - All log output goes to one or more channels; - you can make as many of them as you want. - - - - Every channel definition must include a destination clause that - says whether messages selected for the channel go to a file, to a - particular syslog facility, to the standard error stream, or are - discarded. 
It can optionally also limit the message severity level - that will be accepted by the channel (the default is - info), and whether to include a - named-generated time stamp, the - category name - and/or severity level (the default is not to include any). - - - - The null destination clause - causes all messages sent to the channel to be discarded; - in that case, other options for the channel are meaningless. - - - - The file destination clause directs - the channel - to a disk file. It can include limitations - both on how large the file is allowed to become, and how many - versions - of the file will be saved each time the file is opened. - - - - If you use the versions log file - option, then - named will retain that many backup - versions of the file by - renaming them when opening. For example, if you choose to keep - three old versions - of the file lamers.log, then just - before it is opened - lamers.log.1 is renamed to - lamers.log.2, lamers.log.0 is renamed - to lamers.log.1, and lamers.log is - renamed to lamers.log.0. - You can say versions unlimited to - not limit - the number of versions. - If a size option is associated with - the log file, - then renaming is only done when the file being opened exceeds the - indicated size. No backup versions are kept by default; any - existing - log file is simply appended. - - - - The size option for files is used - to limit log - growth. If the file ever exceeds the size, then named will - stop writing to the file unless it has a versions option - associated with it. If backup versions are kept, the files are - rolled as - described above and a new one begun. If there is no - versions option, no more data will - be written to the log - until some out-of-band mechanism removes or truncates the log to - less than the - maximum size. The default behavior is not to limit the size of - the - file. 
- - - - Example usage of the size and - versions options: - - -channel an_example_channel { - file "example.log" versions 3 size 20m; - print-time yes; - print-category yes; -}; - - - - The syslog destination clause - directs the - channel to the system log. Its argument is a - syslog facility as described in the syslog man - page. Known facilities are kern, user, - mail, daemon, auth, - syslog, lpr, news, - uucp, cron, authpriv, - ftp, local0, local1, - local2, local3, local4, - local5, local6 and - local7, however not all facilities - are supported on - all operating systems. - How syslog will handle messages - sent to - this facility is described in the syslog.conf man - page. If you have a system which uses a very old version of syslog that - only uses two arguments to the openlog() function, - then this clause is silently ignored. - - - The severity clause works like syslog's - "priorities", except that they can also be used if you are writing - straight to a file rather than using syslog. - Messages which are not at least of the severity level given will - not be selected for the channel; messages of higher severity - levels - will be accepted. - - - If you are using syslog, then the syslog.conf priorities - will also determine what eventually passes through. For example, - defining a channel facility and severity as daemon and debug but - only logging daemon.warning via syslog.conf will - cause messages of severity info and - notice to - be dropped. If the situation were reversed, with named writing - messages of only warning or higher, - then syslogd would - print all messages it received from the channel. - - - - The stderr destination clause - directs the - channel to the server's standard error stream. This is intended - for - use when the server is running as a foreground process, for - example - when debugging a configuration. - - - - The server can supply extensive debugging information when - it is in debugging mode. 
If the server's global debug level is - greater - than zero, then debugging mode will be active. The global debug - level is set either by starting the named server - with the flag followed by a positive integer, - or by running rndc trace. - The global debug level - can be set to zero, and debugging mode turned off, by running rndc -notrace. All debugging messages in the server have a debug - level, and higher debug levels give more detailed output. Channels - that specify a specific debug severity, for example: - - -channel specific_debug_level { - file "foo"; - severity debug 3; -}; - - - - will get debugging output of level 3 or less any time the - server is in debugging mode, regardless of the global debugging - level. Channels with dynamic - severity use the - server's global debug level to determine what messages to print. - - - If print-time has been turned on, - then - the date and time will be logged. print-time may - be specified for a syslog channel, - but is usually - pointless since syslog also prints - the date and - time. If print-category is - requested, then the - category of the message will be logged as well. Finally, if print-severity is - on, then the severity level of the message will be logged. The print- options may - be used in any combination, and will always be printed in the - following - order: time, category, severity. Here is an example where all - three print- options - are on: - - - - 28-Feb-2000 15:05:32.863 general: notice: running - - - - There are four predefined channels that are used for - named's default logging as follows. - How they are - used is described in . - - -channel default_syslog { - syslog daemon; // send to syslog's daemon - // facility - severity info; // only send priority info - // and higher -}; - -channel default_debug { - file "named.run"; // write to named.run in - // the working directory - // Note: stderr is used instead - // of "named.run" - // if the server is started - // with the '-f' option. 
- severity dynamic; // log at the server's - // current debug level -}; - -channel default_stderr { - stderr; // writes to stderr - severity info; // only send priority info - // and higher -}; - -channel null { - null; // toss anything sent to - // this channel -}; - - - - The default_debug channel has the - special - property that it only produces output when the server's debug - level is - nonzero. It normally writes to a file called named.run - in the server's working directory. - - - - For security reasons, when the "" - command line option is used, the named.run file - is created only after named has - changed to the - new UID, and any debug output generated while named is - starting up and still running as root is discarded. If you need - to capture this output, you must run the server with the "" - option and redirect standard error to a file. - - - - Once a channel is defined, it cannot be redefined. Thus you - cannot alter the built-in channels directly, but you can modify - the default logging by pointing categories at channels you have - defined. - - - - - The <command>category</command> Phrase - - - There are many categories, so you can send the logs you want - to see wherever you want, without seeing logs you don't want. If - you don't specify a list of channels for a category, then log - messages - in that category will be sent to the default category - instead. If you don't specify a default category, the following - "default default" is used: - - -category default { default_syslog; default_debug; }; - - - - As an example, let's say you want to log security events to - a file, but you also want keep the default logging behavior. 
You'd - specify the following: - - -channel my_security_channel { - file "my_security_file"; - severity info; -}; -category security { - my_security_channel; - default_syslog; - default_debug; -}; - - - To discard all messages in a category, specify the null channel: - - -category xfer-out { null; }; -category notify { null; }; - - - - Following are the available categories and brief descriptions - of the types of log information they contain. More - categories may be added in future BIND releases. - - - - - - - - - default - - - - The default category defines the logging - options for those categories where no specific - configuration has been - defined. - - - - - - general - - - - The catch-all. Many things still aren't - classified into categories, and they all end up here. - - - - - - database - - - - Messages relating to the databases used - internally by the name server to store zone and cache - data. - - - - - - security - - - - Approval and denial of requests. - - - - - - config - - - - Configuration file parsing and processing. - - - - - - resolver - - - - DNS resolution, such as the recursive - lookups performed on behalf of clients by a caching name - server. - - - - - - xfer-in - - - - Zone transfers the server is receiving. - - - - - - xfer-out - - - - Zone transfers the server is sending. - - - - - - notify - - - - The NOTIFY protocol. - - - - - - client - - - - Processing of client requests. - - - - - - unmatched - - - - Messages that named was unable to determine the - class of or for which there was no matching view. - A one line summary is also logged to the client category. - This category is best sent to a file or stderr, by - default it is sent to - the null channel. - - - - - - network - - - - Network operations. - - - - - - update - - - - Dynamic updates. - - - - - - update-security - - - - Approval and denial of update requests. - - - - - - queries - - - - Specify where queries should be logged to. 
- - - At startup, specifying the category queries will also - enable query logging unless querylog option has been - specified. - - - The query log entry reports the client's IP address and - port number, and the - query name, class and type. It also reports whether the - Recursion Desired - flag was set (+ if set, - if not set), EDNS was in use - (E) or if the - query was signed (S). - - - client 127.0.0.1#62536: query: www.example.com IN AAAA +SE - - - client ::1#62537: query: www.example.net IN AAAA -SE - - - - - - dispatch - - - - Dispatching of incoming packets to the - server modules where they are to be processed. - - - - - - dnssec - - - - DNSSEC and TSIG protocol processing. - - - - - - lame-servers - - - - Lame servers. These are misconfigurations - in remote servers, discovered by BIND 9 when trying to - query - those servers during resolution. - - - - - - delegation-only - - - - Delegation only. Logs queries that have have - been forced to NXDOMAIN as the result of a - delegation-only zone or - a delegation-only in a - hint or stub zone declaration. - - - - - - - - - - - <command>lwres</command> Statement Grammar - - - This is the grammar of the lwres - statement in the named.conf file: - - -lwres { - listen-on { ip_addr port ip_port ; ip_addr port ip_port ; ... }; - view view_name; - search { domain_name ; domain_name ; ... }; - ndots number; -}; - - - - - <command>lwres</command> Statement Definition and Usage - - - The lwres statement configures the - name - server to also act as a lightweight resolver server. (See - .) There may be multiple - lwres statements configuring - lightweight resolver servers with different properties. - - - - The listen-on statement specifies a - list of - addresses (and ports) that this instance of a lightweight resolver - daemon - should accept requests on. If no port is specified, port 921 is - used. - If this statement is omitted, requests will be accepted on - 127.0.0.1, - port 921. 
- - - - The view statement binds this - instance of a - lightweight resolver daemon to a view in the DNS namespace, so that - the - response will be constructed in the same manner as a normal DNS - query - matching this view. If this statement is omitted, the default view - is - used, and if there is no default view, an error is triggered. - - - - The search statement is equivalent to - the - search statement in - /etc/resolv.conf. It provides a - list of domains - which are appended to relative names in queries. - - - - The ndots statement is equivalent to - the - ndots statement in - /etc/resolv.conf. It indicates the - minimum - number of dots in a relative domain name that should result in an - exact match lookup before search path elements are appended. - - - - <command>masters</command> Statement Grammar - - -masters name port ip_port { ( masters_list | ip_addr port ip_port key key ) ; ... }; - - - - - - <command>masters</command> Statement Definition and - Usage - masters - lists allow for a common set of masters to be easily used by - multiple stub and slave zones. 
- - - - - <command>options</command> Statement Grammar - - - This is the grammar of the options - statement in the named.conf file: - - -options { - version version_string; - hostname hostname_string; - server-id server_id_string; - directory path_name; - key-directory path_name; - named-xfer path_name; - tkey-domain domainname; - tkey-dhkey key_name key_tag; - cache-file path_name; - dump-file path_name; - memstatistics-file path_name; - pid-file path_name; - recursing-file path_name; - statistics-file path_name; - zone-statistics yes_or_no; - auth-nxdomain yes_or_no; - deallocate-on-exit yes_or_no; - dialup dialup_option; - fake-iquery yes_or_no; - fetch-glue yes_or_no; - flush-zones-on-shutdown yes_or_no; - has-old-clients yes_or_no; - host-statistics yes_or_no; - host-statistics-max number; - minimal-responses yes_or_no; - multiple-cnames yes_or_no; - notify yes_or_no | explicit | master-only; - recursion yes_or_no; - rfc2308-type1 yes_or_no; - use-id-pool yes_or_no; - maintain-ixfr-base yes_or_no; - dnssec-enable yes_or_no; - dnssec-validation yes_or_no; - dnssec-lookaside domain trust-anchor domain; - dnssec-must-be-secure domain yes_or_no; - dnssec-accept-expired yes_or_no; - forward ( only | first ); - forwarders { ip_addr port ip_port ; ... }; - dual-stack-servers port ip_port { - ( domain_name port ip_port | - ip_addr port ip_port ) ; - ... 
}; - check-names ( master | slave | response ) - ( warn | fail | ignore ); - check-mx ( warn | fail | ignore ); - check-wildcard yes_or_no; - check-integrity yes_or_no; - check-mx-cname ( warn | fail | ignore ); - check-srv-cname ( warn | fail | ignore ); - check-sibling yes_or_no; - allow-notify { address_match_list }; - allow-query { address_match_list }; - allow-query-cache { address_match_list }; - allow-transfer { address_match_list }; - allow-recursion { address_match_list }; - allow-update { address_match_list }; - allow-update-forwarding { address_match_list }; - update-check-ksk yes_or_no; - allow-v6-synthesis { address_match_list }; - blackhole { address_match_list }; - avoid-v4-udp-ports { port_list }; - avoid-v6-udp-ports { port_list }; - listen-on port ip_port { address_match_list }; - listen-on-v6 port ip_port { address_match_list }; - query-source ( ( ip4_addr | * ) - port ( ip_port | * ) | - address ( ip4_addr | * ) - port ( ip_port | * ) ) ; - query-source-v6 ( ( ip6_addr | * ) - port ( ip_port | * ) | - address ( ip6_addr | * ) - port ( ip_port | * ) ) ; - max-transfer-time-in number; - max-transfer-time-out number; - max-transfer-idle-in number; - max-transfer-idle-out number; - tcp-clients number; - reserved-sockets number; - recursive-clients number; - serial-query-rate number; - serial-queries number; - tcp-listen-queue number; - transfer-format ( one-answer | many-answers ); - transfers-in number; - transfers-out number; - transfers-per-ns number; - transfer-source (ip4_addr | *) port ip_port ; - transfer-source-v6 (ip6_addr | *) port ip_port ; - alt-transfer-source (ip4_addr | *) port ip_port ; - alt-transfer-source-v6 (ip6_addr | *) port ip_port ; - use-alt-transfer-source yes_or_no; - notify-delay seconds ; - notify-source (ip4_addr | *) port ip_port ; - notify-source-v6 (ip6_addr | *) port ip_port ; - also-notify { ip_addr port ip_port ; ip_addr port ip_port ; ... 
}; - max-ixfr-log-size number; - max-journal-size size_spec; - coresize size_spec ; - datasize size_spec ; - files size_spec ; - stacksize size_spec ; - cleaning-interval number; - heartbeat-interval number; - interface-interval number; - statistics-interval number; - topology { address_match_list }; - sortlist { address_match_list }; - rrset-order { order_spec ; order_spec ; ... }; - lame-ttl number; - max-ncache-ttl number; - max-cache-ttl number; - sig-validity-interval number ; - min-roots number; - use-ixfr yes_or_no ; - provide-ixfr yes_or_no; - request-ixfr yes_or_no; - treat-cr-as-space yes_or_no ; - min-refresh-time number ; - max-refresh-time number ; - min-retry-time number ; - max-retry-time number ; - port ip_port; - additional-from-auth yes_or_no ; - additional-from-cache yes_or_no ; - random-device path_name ; - max-cache-size size_spec ; - match-mapped-addresses yes_or_no; - preferred-glue ( A | AAAA | NONE ); - edns-udp-size number; - max-udp-size number; - root-delegation-only exclude { namelist } ; - querylog yes_or_no ; - disable-algorithms domain { algorithm; algorithm; }; - acache-enable yes_or_no ; - acache-cleaning-interval number; - max-acache-size size_spec ; - clients-per-query number ; - max-clients-per-query number ; - masterfile-format (text|raw) ; - empty-server name ; - empty-contact name ; - empty-zones-enable yes_or_no ; - disable-empty-zone zone_name ; - zero-no-soa-ttl yes_or_no ; - zero-no-soa-ttl-cache yes_or_no ; -}; - - - - - - <command>options</command> Statement Definition and - Usage - - - The options statement sets up global - options - to be used by BIND. This statement - may appear only - once in a configuration file. If there is no options - statement, an options block with each option set to its default will - be used. - - - - - - directory - - - The working directory of the server. - Any non-absolute pathnames in the configuration file will be - taken - as relative to this directory. 
The default location for most - server - output files (e.g. named.run) - is this directory. - If a directory is not specified, the working directory - defaults to `.', the directory from - which the server - was started. The directory specified should be an absolute - path. - - - - - - key-directory - - - When performing dynamic update of secure zones, the - directory where the public and private key files should be - found, - if different than the current working directory. The - directory specified - must be an absolute path. - - - - - - named-xfer - - - This option is obsolete. - It was used in BIND 8 to - specify the pathname to the named-xfer program. - In BIND 9, no separate named-xfer program is - needed; its functionality is built into the name server. - - - - - - - tkey-domain - - - The domain appended to the names of all - shared keys generated with - TKEY. When a client - requests a TKEY exchange, it - may or may not specify - the desired name for the key. If present, the name of the - shared - key will be "client specified part" + - "tkey-domain". - Otherwise, the name of the shared key will be "random hex -digits" + "tkey-domain". In most cases, - the domainname should be the - server's domain - name. - - - - - - tkey-dhkey - - - The Diffie-Hellman key used by the server - to generate shared keys with clients using the Diffie-Hellman - mode - of TKEY. The server must be - able to load the - public and private keys from files in the working directory. - In - most cases, the keyname should be the server's host name. - - - - - - cache-file - - - This is for testing only. Do not use. - - - - - - dump-file - - - The pathname of the file the server dumps - the database to when instructed to do so with - rndc dumpdb. - If not specified, the default is named_dump.db. - - - - - - memstatistics-file - - - The pathname of the file the server writes memory - usage statistics to on exit. If specified the - statistics will be written to the file on exit. 
- - - In BIND 9.5 and later this will - default to named.memstats. - BIND 9.5 will also introduce - memstatistics to control the - writing. - - - - - - pid-file - - - The pathname of the file the server writes its process ID - in. If not specified, the default is /var/run/named.pid. - The pid-file is used by programs that want to send signals to - the running - name server. Specifying pid-file none disables the - use of a PID file — no file will be written and any - existing one will be removed. Note that none - is a keyword, not a filename, and therefore is not enclosed - in - double quotes. - - - - - - recursing-file - - - The pathname of the file the server dumps - the queries that are currently recursing when instructed - to do so with rndc recursing. - If not specified, the default is named.recursing. - - - - - - statistics-file - - - The pathname of the file the server appends statistics - to when instructed to do so using rndc stats. - If not specified, the default is named.stats in the - server's current directory. The format of the file is - described - in . - - - - - - port - - - The UDP/TCP port number the server uses for - receiving and sending DNS protocol traffic. - The default is 53. This option is mainly intended for server - testing; - a server using a port other than 53 will not be able to - communicate with - the global DNS. - - - - - - random-device - - - The source of entropy to be used by the server. Entropy is - primarily needed - for DNSSEC operations, such as TKEY transactions and dynamic - update of signed - zones. This options specifies the device (or file) from which - to read - entropy. If this is a file, operations requiring entropy will - fail when the - file has been exhausted. If not specified, the default value - is - /dev/random - (or equivalent) when present, and none otherwise. The - random-device option takes - effect during - the initial configuration load at server startup time and - is ignored on subsequent reloads. 
- - - - - - preferred-glue - - - If specified, the listed type (A or AAAA) will be emitted - before other glue - in the additional section of a query response. - The default is not to prefer any type (NONE). - - - - - - root-delegation-only - - - Turn on enforcement of delegation-only in TLDs (top level domains) and root zones - with an optional - exclude list. - - - Note some TLDs are not delegation only (e.g. "DE", "LV", "US" - and "MUSEUM"). - - - -options { - root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; -}; - - - - - - - disable-algorithms - - - Disable the specified DNSSEC algorithms at and below the - specified name. - Multiple disable-algorithms - statements are allowed. - Only the most specific will be applied. - - - - - - dnssec-lookaside - - - When set, dnssec-lookaside - provides the - validator with an alternate method to validate DNSKEY records - at the - top of a zone. When a DNSKEY is at or below a domain - specified by the - deepest dnssec-lookaside, and - the normal dnssec validation - has left the key untrusted, the trust-anchor will be append to - the key - name and a DLV record will be looked up to see if it can - validate the - key. If the DLV record validates a DNSKEY (similarly to the - way a DS - record does) the DNSKEY RRset is deemed to be trusted. - - - - - - dnssec-must-be-secure - - - Specify hierarchies which must be or may not be secure (signed and - validated). - If yes, then named will only accept - answers if they - are secure. - If no, then normal dnssec validation - applies - allowing for insecure answers to be accepted. - The specified domain must be under a trusted-key or - dnssec-lookaside must be - active. - - - - - - - - Boolean Options - - - - - auth-nxdomain - - - If yes, then the AA bit - is always set on NXDOMAIN responses, even if the server is - not actually - authoritative. The default is no; - this is - a change from BIND 8. If you - are using very old DNS software, you - may need to set it to yes. 
- - - - - - deallocate-on-exit - - - This option was used in BIND - 8 to enable checking - for memory leaks on exit. BIND 9 ignores the option and always performs - the checks. - - - - - - dialup - - - If yes, then the - server treats all zones as if they are doing zone transfers - across - a dial-on-demand dialup link, which can be brought up by - traffic - originating from this server. This has different effects - according - to zone type and concentrates the zone maintenance so that - it all - happens in a short interval, once every heartbeat-interval and - hopefully during the one call. It also suppresses some of - the normal - zone maintenance traffic. The default is no. - - - The dialup option - may also be specified in the view and - zone statements, - in which case it overrides the global dialup - option. - - - If the zone is a master zone, then the server will send out a - NOTIFY - request to all the slaves (default). This should trigger the - zone serial - number check in the slave (providing it supports NOTIFY) - allowing the slave - to verify the zone while the connection is active. - The set of servers to which NOTIFY is sent can be controlled - by - notify and also-notify. - - - If the - zone is a slave or stub zone, then the server will suppress - the regular - "zone up to date" (refresh) queries and only perform them - when the - heartbeat-interval expires in - addition to sending - NOTIFY requests. - - - Finer control can be achieved by using - notify which only sends NOTIFY - messages, - notify-passive which sends NOTIFY - messages and - suppresses the normal refresh queries, refresh - which suppresses normal refresh processing and sends refresh - queries - when the heartbeat-interval - expires, and - passive which just disables normal - refresh - processing. 
- - - - - - - - - - - - - dialup mode - - - - - normal refresh - - - - - heart-beat refresh - - - - - heart-beat notify - - - - - - no (default) - - - - yes - - - - - no - - - - - no - - - - - - yes - - - - no - - - - - yes - - - - - yes - - - - - - notify - - - - yes - - - - - no - - - - - yes - - - - - - refresh - - - - no - - - - - yes - - - - - no - - - - - - passive - - - - no - - - - - no - - - - - no - - - - - - notify-passive - - - - no - - - - - no - - - - - yes - - - - - - - - - Note that normal NOTIFY processing is not affected by - dialup. - - - - - - - fake-iquery - - - In BIND 8, this option - enabled simulating the obsolete DNS query type - IQUERY. BIND 9 never does - IQUERY simulation. - - - - - - fetch-glue - - - This option is obsolete. - In BIND 8, fetch-glue yes - caused the server to attempt to fetch glue resource records - it - didn't have when constructing the additional - data section of a response. This is now considered a bad - idea - and BIND 9 never does it. - - - - - - flush-zones-on-shutdown - - - When the nameserver exits due receiving SIGTERM, - flush or do not flush any pending zone writes. The default - is - flush-zones-on-shutdown no. - - - - - - has-old-clients - - - This option was incorrectly implemented - in BIND 8, and is ignored by BIND 9. - To achieve the intended effect - of - has-old-clients yes, specify - the two separate options auth-nxdomain yes - and rfc2308-type1 no instead. - - - - - - host-statistics - - - In BIND 8, this enables keeping of - statistics for every host that the name server interacts - with. - Not implemented in BIND 9. - - - - - - maintain-ixfr-base - - - This option is obsolete. - It was used in BIND 8 to - determine whether a transaction log was - kept for Incremental Zone Transfer. BIND 9 maintains a transaction - log whenever possible. If you need to disable outgoing - incremental zone - transfers, use provide-ixfr no. 
- - - - - - minimal-responses - - - If yes, then when generating - responses the server will only add records to the authority - and additional data sections when they are required (e.g. - delegations, negative responses). This may improve the - performance of the server. - The default is no. - - - - - - multiple-cnames - - - This option was used in BIND 8 to allow - a domain name to have multiple CNAME records in violation of - the DNS standards. BIND 9.2 onwards - always strictly enforces the CNAME rules both in master - files and dynamic updates. - - - - - - notify - - - If yes (the default), - DNS NOTIFY messages are sent when a zone the server is - authoritative for - changes, see . The messages are - sent to the - servers listed in the zone's NS records (except the master - server identified - in the SOA MNAME field), and to any servers listed in the - also-notify option. - - - If master-only, notifies are only - sent - for master zones. - If explicit, notifies are sent only - to - servers explicitly listed using also-notify. - If no, no notifies are sent. - - - The notify option may also be - specified in the zone - statement, - in which case it overrides the options notify statement. - It would only be necessary to turn off this option if it - caused slaves - to crash. - - - - - - recursion - - - If yes, and a - DNS query requests recursion, then the server will attempt - to do - all the work required to answer the query. If recursion is - off - and the server does not already know the answer, it will - return a - referral response. The default is - yes. - Note that setting recursion no does not prevent - clients from getting data from the server's cache; it only - prevents new data from being cached as an effect of client - queries. - Caching may still occur as an effect the server's internal - operation, such as NOTIFY address lookups. - See also fetch-glue above. 
- - - - - - rfc2308-type1 - - - Setting this to yes will - cause the server to send NS records along with the SOA - record for negative - answers. The default is no. - - - - Not yet implemented in BIND - 9. - - - - - - - use-id-pool - - - This option is obsolete. - BIND 9 always allocates query - IDs from a pool. - - - - - - zone-statistics - - - If yes, the server will collect - statistical data on all zones (unless specifically turned - off - on a per-zone basis by specifying zone-statistics no - in the zone statement). - These statistics may be accessed - using rndc stats, which will - dump them to the file listed - in the statistics-file. See - also . - - - - - - use-ixfr - - - This option is obsolete. - If you need to disable IXFR to a particular server or - servers, see - the information on the provide-ixfr option - in . - See also - . - - - - - - provide-ixfr - - - See the description of - provide-ixfr in - . - - - - - - request-ixfr - - - See the description of - request-ixfr in - . - - - - - - treat-cr-as-space - - - This option was used in BIND - 8 to make - the server treat carriage return ("\r") characters the same way - as a space or tab character, - to facilitate loading of zone files on a UNIX system that - were generated - on an NT or DOS machine. In BIND 9, both UNIX "\n" - and NT/DOS "\r\n" newlines - are always accepted, - and the option is ignored. - - - - - - additional-from-auth - additional-from-cache - - - - These options control the behavior of an authoritative - server when - answering queries which have additional data, or when - following CNAME - and DNAME chains. - - - - When both of these options are set to yes - (the default) and a - query is being answered from authoritative data (a zone - configured into the server), the additional data section of - the - reply will be filled in using data from other authoritative - zones - and from the cache. 
In some situations this is undesirable, - such - as when there is concern over the correctness of the cache, - or - in servers where slave zones may be added and modified by - untrusted third parties. Also, avoiding - the search for this additional data will speed up server - operations - at the possible expense of additional queries to resolve - what would - otherwise be provided in the additional section. - - - - For example, if a query asks for an MX record for host foo.example.com, - and the record found is "MX 10 mail.example.net", normally the address - records (A and AAAA) for mail.example.net will be provided as well, - if known, even though they are not in the example.com zone. - Setting these options to no - disables this behavior and makes - the server only search for additional data in the zone it - answers from. - - - - These options are intended for use in authoritative-only - servers, or in authoritative-only views. Attempts to set - them to no without also - specifying - recursion no will cause the - server to - ignore the options and log a warning message. - - - - Specifying additional-from-cache no actually - disables the use of the cache not only for additional data - lookups - but also when looking up the answer. This is usually the - desired - behavior in an authoritative-only server where the - correctness of - the cached data is an issue. - - - - When a name server is non-recursively queried for a name - that is not - below the apex of any served zone, it normally answers with - an - "upwards referral" to the root servers or the servers of - some other - known parent of the query name. Since the data in an - upwards referral - comes from the cache, the server will not be able to provide - upwards - referrals when additional-from-cache no - has been specified. Instead, it will respond to such - queries - with REFUSED. This should not cause any problems since - upwards referrals are not required for the resolution - process. 
- - - - - - - match-mapped-addresses - - - If yes, then an - IPv4-mapped IPv6 address will match any address match - list entries that match the corresponding IPv4 address. - Enabling this option is sometimes useful on IPv6-enabled - Linux - systems, to work around a kernel quirk that causes IPv4 - TCP connections such as zone transfers to be accepted - on an IPv6 socket using mapped addresses, causing - address match lists designed for IPv4 to fail to match. - The use of this option for any other purpose is discouraged. - - - - - - ixfr-from-differences - - - When yes and the server loads a new version of a master - zone from its zone file or receives a new version of a slave - file by a non-incremental zone transfer, it will compare - the new version to the previous one and calculate a set - of differences. The differences are then logged in the - zone's journal file such that the changes can be transmitted - to downstream slaves as an incremental zone transfer. - - - By allowing incremental zone transfers to be used for - non-dynamic zones, this option saves bandwidth at the - expense of increased CPU and memory consumption at the - master. - In particular, if the new version of a zone is completely - different from the previous one, the set of differences - will be of a size comparable to the combined size of the - old and new zone version, and the server will need to - temporarily allocate memory to hold this complete - difference set. - - ixfr-from-differences - also accepts master and - slave at the view and options - levels which causes - ixfr-from-differences to apply to - all master or - slave zones respectively. - - - - - - multi-master - - - This should be set when you have multiple masters for a zone - and the - addresses refer to different machines. If yes, named will - not log - when the serial number on the master is less than what named - currently - has. The default is no. - - - - - - dnssec-enable - - - Enable DNSSEC support in named. 
Unless set to yes, - named behaves as if it does not support DNSSEC. - The default is yes. - - - - - - dnssec-validation - - - Enable DNSSEC validation in named. - Note dnssec-enable also needs to be - set to yes to be effective. - The default is no. - - - - - - dnssec-accept-expired - - - Accept expired signatures when verifying DNSSEC signatures. - The default is no. - Setting this option to "yes" leaves named vulnerable to replay attacks. - - - - - - querylog - - - Specify whether query logging should be started when named - starts. - If querylog is not specified, - then the query logging - is determined by the presence of the logging category queries. - - - - - - check-names - - - This option is used to restrict the character set and syntax - of - certain domain names in master files and/or DNS responses - received - from the network. The default varies according to usage - area. For - master zones the default is fail. - For slave zones the default - is warn. - For answers received from the network (response) - the default is ignore. - - - The rules for legal hostnames and mail domains are derived - from RFC 952 and RFC 821 as modified by RFC 1123. - - check-names - applies to the owner names of A, AAA and MX records. - It also applies to the domain names in the RDATA of NS, SOA - and MX records. - It also applies to the RDATA of PTR records where the owner - name indicated that it is a reverse lookup of a hostname - (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT). - - - - - - check-mx - - - Check whether the MX record appears to refer to a IP address. - The default is to warn. Other possible - values are fail and - ignore. - - - - - - check-wildcard - - - This option is used to check for non-terminal wildcards. - The use of non-terminal wildcards is almost always as a - result of a failure - to understand the wildcard matching algorithm (RFC 1034). - This option - affects master zones. 
The default (yes) is to check - for non-terminal wildcards and issue a warning. - - - - - - check-integrity - - - Perform post load zone integrity checks on master - zones. This checks that MX and SRV records refer - to address (A or AAAA) records and that glue - address records exist for delegated zones. For - MX and SRV records only in-zone hostnames are - checked (for out-of-zone hostnames use named-checkzone). - For NS records only names below top of zone are - checked (for out-of-zone names and glue consistency - checks use named-checkzone). The default is - yes. - - - - - - check-mx-cname - - - If check-integrity is set then - fail, warn or ignore MX records that refer - to CNAMES. The default is to warn. - - - - - - check-srv-cname - - - If check-integrity is set then - fail, warn or ignore SRV records that refer - to CNAMES. The default is to warn. - - - - - - check-sibling - - - When performing integrity checks, also check that - sibling glue exists. The default is yes. - - - - - - zero-no-soa-ttl - - - When returning authoritative negative responses to - SOA queries set the TTL of the SOA recored returned in - the authority section to zero. - The default is yes. - - - - - - zero-no-soa-ttl-cache - - - When caching a negative response to a SOA query - set the TTL to zero. - The default is no. - - - - - - update-check-ksk - - - When regenerating the RRSIGs following a UPDATE - request to a secure zone, check the KSK flag on - the DNSKEY RR to determine if this key should be - used to generate the RRSIG. This flag is ignored - if there are not DNSKEY RRs both with and without - a KSK. - The default is yes. - - - - - - - - - - Forwarding - - The forwarding facility can be used to create a large site-wide - cache on a few servers, reducing traffic over links to external - name servers. It can also be used to allow queries by servers that - do not have direct access to the Internet, but wish to look up - exterior - names anyway. 
Forwarding occurs only on those queries for which - the server is not authoritative and does not have the answer in - its cache. - - - - - forward - - - This option is only meaningful if the - forwarders list is not empty. A value of first, - the default, causes the server to query the forwarders - first — and - if that doesn't answer the question, the server will then - look for - the answer itself. If only is - specified, the - server will only query the forwarders. - - - - - - forwarders - - - Specifies the IP addresses to be used - for forwarding. The default is the empty list (no - forwarding). - - - - - - - - Forwarding can also be configured on a per-domain basis, allowing - for the global forwarding options to be overridden in a variety - of ways. You can set particular domains to use different - forwarders, - or have a different forward only/first behavior, - or not forward at all, see . - - - - - Dual-stack Servers - - Dual-stack servers are used as servers of last resort to work - around - problems in reachability due the lack of support for either IPv4 - or IPv6 - on the host machine. - - - - - dual-stack-servers - - - Specifies host names or addresses of machines with access to - both IPv4 and IPv6 transports. If a hostname is used, the - server must be able - to resolve the name using only the transport it has. If the - machine is dual - stacked, then the dual-stack-servers have no effect unless - access to a transport has been disabled on the command line - (e.g. named -4). - - - - - - - - Access Control - - - Access to the server can be restricted based on the IP address - of the requesting system. See for - details on how to specify IP address lists. - - - - - - allow-notify - - - Specifies which hosts are allowed to - notify this server, a slave, of zone changes in addition - to the zone masters. - allow-notify may also be - specified in the - zone statement, in which case - it overrides the - options allow-notify - statement. 
It is only meaningful - for a slave zone. If not specified, the default is to - process notify messages - only from a zone's master. - - - - - - allow-query - - - Specifies which hosts are allowed to ask ordinary - DNS questions. allow-query may - also be specified in the zone - statement, in which case it overrides the - options allow-query statement. - If not specified, the default is to allow queries - from all hosts. - - - - allow-query-cache is now - used to specify access to the cache. - - - - - - - allow-query-cache - - - Specifies which hosts are allowed to get answers - from the cache. If allow-query-cache - is not set then allow-recursion - is used if set, otherwise allow-query - is used if set, otherwise the default - (localnets; - localhost;) is used. - - - - - - allow-recursion - - - Specifies which hosts are allowed to make recursive - queries through this server. If - allow-recursion is not set - then allow-query-cache is - used if set, otherwise allow-query - is used if set, otherwise the default - (localnets; - localhost;) is used. - - - - - - allow-update - - - Specifies which hosts are allowed to - submit Dynamic DNS updates for master zones. The default is - to deny - updates from all hosts. Note that allowing updates based - on the requestor's IP address is insecure; see - for details. - - - - - - allow-update-forwarding - - - Specifies which hosts are allowed to - submit Dynamic DNS updates to slave zones to be forwarded to - the - master. The default is { none; }, - which - means that no update forwarding will be performed. To - enable - update forwarding, specify - allow-update-forwarding { any; };. - Specifying values other than { none; } or - { any; } is usually - counterproductive, since - the responsibility for update access control should rest - with the - master server, not the slaves. 
- - - Note that enabling the update forwarding feature on a slave - server - may expose master servers relying on insecure IP address - based - access control to attacks; see - for more details. - - - - - - allow-v6-synthesis - - - This option was introduced for the smooth transition from - AAAA - to A6 and from "nibble labels" to binary labels. - However, since both A6 and binary labels were then - deprecated, - this option was also deprecated. - It is now ignored with some warning messages. - - - - - - allow-transfer - - - Specifies which hosts are allowed to - receive zone transfers from the server. allow-transfer may - also be specified in the zone - statement, in which - case it overrides the options allow-transfer statement. - If not specified, the default is to allow transfers to all - hosts. - - - - - - blackhole - - - Specifies a list of addresses that the - server will not accept queries from or use to resolve a - query. Queries - from these addresses will not be responded to. The default - is none. - - - - - - - - - - Interfaces - - The interfaces and ports that the server will answer queries - from may be specified using the listen-on option. listen-on takes - an optional port, and an address_match_list. - The server will listen on all interfaces allowed by the address - match list. If a port is not specified, port 53 will be used. - - - Multiple listen-on statements are - allowed. - For example, - - -listen-on { 5.6.7.8; }; -listen-on port 1234 { !1.2.3.4; 1.2/16; }; - - - - will enable the name server on port 53 for the IP address - 5.6.7.8, and on port 1234 of an address on the machine in net - 1.2 that is not 1.2.3.4. - - - - If no listen-on is specified, the - server will listen on port 53 on all interfaces. - - - - The listen-on-v6 option is used to - specify the interfaces and the ports on which the server will - listen - for incoming queries sent using IPv6. 
- - - - When { any; } is - specified - as the address_match_list for the - listen-on-v6 option, - the server does not bind a separate socket to each IPv6 interface - address as it does for IPv4 if the operating system has enough API - support for IPv6 (specifically if it conforms to RFC 3493 and RFC - 3542). - Instead, it listens on the IPv6 wildcard address. - If the system only has incomplete API support for IPv6, however, - the behavior is the same as that for IPv4. - - - - A list of particular IPv6 addresses can also be specified, in - which case - the server listens on a separate socket for each specified - address, - regardless of whether the desired API is supported by the system. - - - - Multiple listen-on-v6 options can - be used. - For example, - - -listen-on-v6 { any; }; -listen-on-v6 port 1234 { !2001:db8::/32; any; }; - - - - will enable the name server on port 53 for any IPv6 addresses - (with a single wildcard socket), - and on port 1234 of IPv6 addresses that is not in the prefix - 2001:db8::/32 (with separate sockets for each matched address.) - - - - To make the server not listen on any IPv6 address, use - - -listen-on-v6 { none; }; - - - - If no listen-on-v6 option is - specified, - the server will not listen on any IPv6 address. - - - - - Query Address - - If the server doesn't know the answer to a question, it will - query other name servers. query-source specifies - the address and port used for such queries. For queries sent over - IPv6, there is a separate query-source-v6 option. - If address is * (asterisk) or is omitted, - a wildcard IP address (INADDR_ANY) - will be used. - If port is * or is omitted, - a random unprivileged port number is picked up and will be - used for each query. - It is generally strongly discouraged to - specify a particular port for the - query-source or - query-source-v6 options; - it implicitly disables the use of randomized port numbers - and leads to insecure operation. 
- The avoid-v4-udp-ports - and avoid-v6-udp-ports options can be used - to prevent named - from selecting certain ports. The defaults are: - - -query-source address * port *; -query-source-v6 address * port *; - - - - - The address specified in the query-source option - is used for both UDP and TCP queries, but the port applies only - to - UDP queries. TCP queries always use a random - unprivileged port. - - - - - Solaris 2.5.1 and earlier does not support setting the source - address for TCP sockets. - - - - - See also transfer-source and - notify-source. - - - - - - Zone Transfers - - BIND has mechanisms in place to - facilitate zone transfers - and set limits on the amount of load that transfers place on the - system. The following options apply to zone transfers. - - - - - - also-notify - - - Defines a global list of IP addresses of name servers - that are also sent NOTIFY messages whenever a fresh copy of - the - zone is loaded, in addition to the servers listed in the - zone's NS records. - This helps to ensure that copies of the zones will - quickly converge on stealth servers. If an also-notify list - is given in a zone statement, - it will override - the options also-notify - statement. When a zone notify - statement - is set to no, the IP - addresses in the global also-notify list will - not be sent NOTIFY messages for that zone. The default is - the empty - list (no global notification list). - - - - - - max-transfer-time-in - - - Inbound zone transfers running longer than - this many minutes will be terminated. The default is 120 - minutes - (2 hours). The maximum value is 28 days (40320 minutes). - - - - - - max-transfer-idle-in - - - Inbound zone transfers making no progress - in this many minutes will be terminated. The default is 60 - minutes - (1 hour). The maximum value is 28 days (40320 minutes). - - - - - - max-transfer-time-out - - - Outbound zone transfers running longer than - this many minutes will be terminated. 
The default is 120 - minutes - (2 hours). The maximum value is 28 days (40320 minutes). - - - - - - max-transfer-idle-out - - - Outbound zone transfers making no progress - in this many minutes will be terminated. The default is 60 - minutes (1 - hour). The maximum value is 28 days (40320 minutes). - - - - - - serial-query-rate - - - Slave servers will periodically query master servers - to find out if zone serial numbers have changed. Each such - query uses - a minute amount of the slave server's network bandwidth. To - limit the - amount of bandwidth used, BIND 9 limits the rate at which - queries are - sent. The value of the serial-query-rate option, - an integer, is the maximum number of queries sent per - second. - The default is 20. - - - - - - serial-queries - - - In BIND 8, the serial-queries - option - set the maximum number of concurrent serial number queries - allowed to be outstanding at any given time. - BIND 9 does not limit the number of outstanding - serial queries and ignores the serial-queries option. - Instead, it limits the rate at which the queries are sent - as defined using the serial-query-rate option. - - - - - - transfer-format - - - - Zone transfers can be sent using two different formats, - one-answer and - many-answers. - The transfer-format option is used - on the master server to determine which format it sends. - one-answer uses one DNS message per - resource record transferred. - many-answers packs as many resource - records as possible into a message. - many-answers is more efficient, but is - only supported by relatively new slave servers, - such as BIND 9, BIND - 8.x and BIND 4.9.5 onwards. - The many-answers format is also supported by - recent Microsoft Windows nameservers. - The default is many-answers. - transfer-format may be overridden on a - per-server basis by using the server - statement. - - - - - - - transfers-in - - - The maximum number of inbound zone transfers - that can be running concurrently. 
The default value is 10. - Increasing transfers-in may - speed up the convergence - of slave zones, but it also may increase the load on the - local system. - - - - - - transfers-out - - - The maximum number of outbound zone transfers - that can be running concurrently. Zone transfer requests in - excess - of the limit will be refused. The default value is 10. - - - - - - transfers-per-ns - - - The maximum number of inbound zone transfers - that can be concurrently transferring from a given remote - name server. - The default value is 2. - Increasing transfers-per-ns - may - speed up the convergence of slave zones, but it also may - increase - the load on the remote name server. transfers-per-ns may - be overridden on a per-server basis by using the transfers phrase - of the server statement. - - - - - - transfer-source - - transfer-source - determines which local address will be bound to IPv4 - TCP connections used to fetch zones transferred - inbound by the server. It also determines the - source IPv4 address, and optionally the UDP port, - used for the refresh queries and forwarded dynamic - updates. If not set, it defaults to a system - controlled value which will usually be the address - of the interface "closest to" the remote end. This - address must appear in the remote end's - allow-transfer option for the - zone being transferred, if one is specified. This - statement sets the - transfer-source for all zones, - but can be overridden on a per-view or per-zone - basis by including a - transfer-source statement within - the view or - zone block in the configuration - file. - - - - Solaris 2.5.1 and earlier does not support setting the - source address for TCP sockets. - - - - - - - transfer-source-v6 - - - The same as transfer-source, - except zone transfers are performed using IPv6. - - - - - - alt-transfer-source - - - An alternate transfer source if the one listed in - transfer-source fails and - use-alt-transfer-source is - set. 
- - - If you do not wish the alternate transfer source - to be used, you should set - use-alt-transfer-source - appropriately and you should not depend upon - getting a answer back to the first refresh - query. - - - - - - alt-transfer-source-v6 - - - An alternate transfer source if the one listed in - transfer-source-v6 fails and - use-alt-transfer-source is - set. - - - - - - use-alt-transfer-source - - - Use the alternate transfer sources or not. If views are - specified this defaults to no - otherwise it defaults to - yes (for BIND 8 - compatibility). - - - - - - notify-source - - notify-source - determines which local source address, and - optionally UDP port, will be used to send NOTIFY - messages. This address must appear in the slave - server's masters zone clause or - in an allow-notify clause. This - statement sets the notify-source - for all zones, but can be overridden on a per-zone or - per-view basis by including a - notify-source statement within - the zone or - view block in the configuration - file. - - - - Solaris 2.5.1 and earlier does not support setting the - source address for TCP sockets. - - - - - - - notify-source-v6 - - - Like notify-source, - but applies to notify messages sent to IPv6 addresses. - - - - - - - - - - Bad UDP Port Lists - avoid-v4-udp-ports - and avoid-v6-udp-ports specify a list - of IPv4 and IPv6 UDP ports that will not be used as system - assigned source ports for UDP sockets. These lists - prevent named from choosing as its random source port a - port that is blocked by your firewall. If a query went - out with such a source port, the answer would not get by - the firewall and the name server would have to query - again. - - - - - Operating System Resource Limits - - - The server's usage of many system resources can be limited. - Scaled values are allowed when specifying resource limits. For - example, 1G can be used instead of - 1073741824 to specify a limit of - one - gigabyte. 
unlimited requests - unlimited use, or the - maximum available amount. default - uses the limit - that was in force when the server was started. See the description - of size_spec in . - - - - The following options set operating system resource limits for - the name server process. Some operating systems don't support - some or - any of the limits. On such systems, a warning will be issued if - the - unsupported limit is used. - - - - - - coresize - - - The maximum size of a core dump. The default - is default. - - - - - - datasize - - - The maximum amount of data memory the server - may use. The default is default. - This is a hard limit on server memory usage. - If the server attempts to allocate memory in excess of this - limit, the allocation will fail, which may in turn leave - the server unable to perform DNS service. Therefore, - this option is rarely useful as a way of limiting the - amount of memory used by the server, but it can be used - to raise an operating system data size limit that is - too small by default. If you wish to limit the amount - of memory used by the server, use the - max-cache-size and - recursive-clients - options instead. - - - - - - files - - - The maximum number of files the server - may have open concurrently. The default is unlimited. - - - - - - stacksize - - - The maximum amount of stack memory the server - may use. The default is default. - - - - - - - - - - Server Resource Limits - - - The following options set limits on the server's - resource consumption that are enforced internally by the - server rather than the operating system. - - - - - - max-ixfr-log-size - - - This option is obsolete; it is accepted - and ignored for BIND 8 compatibility. The option - max-journal-size performs a - similar function in BIND 9. - - - - - - max-journal-size - - - Sets a maximum size for each journal file - (see ). 
When the journal file - approaches - the specified size, some of the oldest transactions in the - journal - will be automatically removed. The default is - unlimited. - - - - - - host-statistics-max - - - In BIND 8, specifies the maximum number of host statistics - entries to be kept. - Not implemented in BIND 9. - - - - - - recursive-clients - - - The maximum number of simultaneous recursive lookups - the server will perform on behalf of clients. The default - is - 1000. Because each recursing - client uses a fair - bit of memory, on the order of 20 kilobytes, the value of - the - recursive-clients option may - have to be decreased - on hosts with limited memory. - - - - - - tcp-clients - - - The maximum number of simultaneous client TCP - connections that the server will accept. - The default is 100. - - - - - - reserved-sockets - - - The number of file descriptors reserved for TCP, stdio, - etc. This needs to be big enough to cover the number of - interfaces named listens on, tcp-clients as well as - to provide room for outgoing TCP queries and incoming zone - transfers. The default is 512. - The minimum value is 128 and the - maximum value is 128 less than - 'files' or FD_SETSIZE (whichever is smaller). This - option may be removed in the future. - - - - - - max-cache-size - - - The maximum amount of memory to use for the - server's cache, in bytes. When the amount of data in the - cache - reaches this limit, the server will cause records to expire - prematurely so that the limit is not exceeded. In a server - with - multiple views, the limit applies separately to the cache of - each - view. The default is unlimited, meaning that - records are purged from the cache only when their TTLs - expire. - - - - - - tcp-listen-queue - - - The listen queue depth. The default and minimum is 3. 
- If the kernel supports the accept filter "dataready" this - also controls how - many TCP connections that will be queued in kernel space - waiting for - some data before being passed to accept. Values less than 3 - will be - silently raised. - - - - - - - - - - Periodic Task Intervals - - - - - cleaning-interval - - - The server will remove expired resource records - from the cache every cleaning-interval minutes. - The default is 60 minutes. The maximum value is 28 days - (40320 minutes). - If set to 0, no periodic cleaning will occur. - - - - - - heartbeat-interval - - - The server will perform zone maintenance tasks - for all zones marked as dialup whenever this - interval expires. The default is 60 minutes. Reasonable - values are up - to 1 day (1440 minutes). The maximum value is 28 days - (40320 minutes). - If set to 0, no zone maintenance for these zones will occur. - - - - - - interface-interval - - - The server will scan the network interface list - every interface-interval - minutes. The default - is 60 minutes. The maximum value is 28 days (40320 minutes). - If set to 0, interface scanning will only occur when - the configuration file is loaded. After the scan, the - server will - begin listening for queries on any newly discovered - interfaces (provided they are allowed by the - listen-on configuration), and - will - stop listening on interfaces that have gone away. - - - - - - statistics-interval - - - Name server statistics will be logged - every statistics-interval - minutes. The default is - 60. The maximum value is 28 days (40320 minutes). - If set to 0, no statistics will be logged. - - - Not yet implemented in - BIND 9. - - - - - - - - - - - Topology - - - All other things being equal, when the server chooses a name - server - to query from a list of name servers, it prefers the one that is - topologically closest to itself. The topology statement - takes an address_match_list and - interprets it - in a special way. 
Each top-level list element is assigned a - distance. - Non-negated elements get a distance based on their position in the - list, where the closer the match is to the start of the list, the - shorter the distance is between it and the server. A negated match - will be assigned the maximum distance from the server. If there - is no match, the address will get a distance which is further than - any non-negated list element, and closer than any negated element. - For example, - - -topology { - 10/8; - !1.2.3/24; - { 1.2/16; 3/8; }; -}; - - - will prefer servers on network 10 the most, followed by hosts - on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the - exception of hosts on network 1.2.3 (netmask 255.255.255.0), which - is preferred least of all. - - - The default topology is - - - topology { localhost; localnets; }; - - - - - The topology option - is not implemented in BIND 9. - - - - - - - The <command>sortlist</command> Statement - - - The response to a DNS query may consist of multiple resource - records (RRs) forming a resource records set (RRset). - The name server will normally return the - RRs within the RRset in an indeterminate order - (but see the rrset-order - statement in ). - The client resolver code should rearrange the RRs as appropriate, - that is, using any addresses on the local net in preference to - other addresses. - However, not all resolvers can do this or are correctly - configured. - When a client is using a local server, the sorting can be performed - in the server, based on the client's address. This only requires - configuring the name servers, not all the clients. - - - - The sortlist statement (see below) - takes - an address_match_list and - interprets it even - more specifically than the topology - statement - does (). - Each top level statement in the sortlist must - itself be an explicit address_match_list with - one or two elements. 
The first element (which may be an IP - address, - an IP prefix, an ACL name or a nested address_match_list) - of each top level list is checked against the source address of - the query until a match is found. - - - Once the source address of the query has been matched, if - the top level statement contains only one element, the actual - primitive - element that matched the source address is used to select the - address - in the response to move to the beginning of the response. If the - statement is a list of two elements, then the second element is - treated the same as the address_match_list in - a topology statement. Each top - level element - is assigned a distance and the address in the response with the - minimum - distance is moved to the beginning of the response. - - - In the following example, any queries received from any of - the addresses of the host itself will get responses preferring - addresses - on any of the locally connected networks. Next most preferred are - addresses - on the 192.168.1/24 network, and after that either the - 192.168.2/24 - or - 192.168.3/24 network with no preference shown between these two - networks. Queries received from a host on the 192.168.1/24 network - will prefer other addresses on that network to the 192.168.2/24 - and - 192.168.3/24 networks. Queries received from a host on the - 192.168.4/24 - or the 192.168.5/24 network will only prefer other addresses on - their directly connected networks. 
- - -sortlist { - { localhost; // IF the local host - { localnets; // THEN first fit on the - 192.168.1/24; // following nets - { 192.168.2/24; 192.168.3/24; }; }; }; - { 192.168.1/24; // IF on class C 192.168.1 - { 192.168.1/24; // THEN use .1, or .2 or .3 - { 192.168.2/24; 192.168.3/24; }; }; }; - { 192.168.2/24; // IF on class C 192.168.2 - { 192.168.2/24; // THEN use .2, or .1 or .3 - { 192.168.1/24; 192.168.3/24; }; }; }; - { 192.168.3/24; // IF on class C 192.168.3 - { 192.168.3/24; // THEN use .3, or .1 or .2 - { 192.168.1/24; 192.168.2/24; }; }; }; - { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net - }; -}; - - - The following example will give reasonable behavior for the - local host and hosts on directly connected networks. It is similar - to the behavior of the address sort in BIND 4.9.x. Responses sent - to queries from the local host will favor any of the directly - connected - networks. Responses sent to queries from any other hosts on a - directly - connected network will prefer addresses on that same network. - Responses - to other queries will not be sorted. - - -sortlist { - { localhost; localnets; }; - { localnets; }; -}; - - - - - RRset Ordering - - When multiple records are returned in an answer it may be - useful to configure the order of the records placed into the - response. - The rrset-order statement permits - configuration - of the ordering of the records in a multiple record response. - See also the sortlist statement, - . - - - - An order_spec is defined as - follows: - - - class class_name - type type_name - name "domain_name" - order ordering - - - If no class is specified, the default is ANY. - If no type is specified, the default is ANY. - If no name is specified, the default is "*" (asterisk). - - - The legal values for ordering are: - - - - - - - - - fixed - - - - Records are returned in the order they - are defined in the zone file. - - - - - - random - - - - Records are returned in some random order. 
- - - - - - cyclic - - - - Records are returned in a round-robin - order. - - - - - - - - For example: - - -rrset-order { - class IN type A name "host.example.com" order random; - order cyclic; -}; - - - - will cause any responses for type A records in class IN that - have "host.example.com" as a - suffix, to always be returned - in random order. All other records are returned in cyclic order. - - - If multiple rrset-order statements - appear, - they are not combined — the last one applies. - - - - - The rrset-order statement - is not yet fully implemented in BIND 9. - BIND 9 currently does not fully support "fixed" ordering. - - - - - - Tuning - - - - - lame-ttl - - - Sets the number of seconds to cache a - lame server indication. 0 disables caching. (This is - NOT recommended.) - The default is 600 (10 minutes) and the - maximum value is - 1800 (30 minutes). - - - - - - - max-ncache-ttl - - - To reduce network traffic and increase performance, - the server stores negative answers. max-ncache-ttl is - used to set a maximum retention time for these answers in - the server - in seconds. The default - max-ncache-ttl is 10800 seconds (3 hours). - max-ncache-ttl cannot exceed - 7 days and will - be silently truncated to 7 days if set to a greater value. - - - - - - max-cache-ttl - - - Sets the maximum time for which the server will - cache ordinary (positive) answers. The default is - one week (7 days). - - - - - - min-roots - - - The minimum number of root servers that - is required for a request for the root servers to be - accepted. The default - is 2. - - - - Not implemented in BIND 9. - - - - - - - sig-validity-interval - - - Specifies the number of days into the - future when DNSSEC signatures automatically generated as a - result - of dynamic updates () - will expire. The default is 30 days. - The maximum value is 10 years (3660 days). 
The signature - inception time is unconditionally set to one hour before the - current time - to allow for a limited amount of clock skew. - - - - - - min-refresh-time - max-refresh-time - min-retry-time - max-retry-time - - - These options control the server's behavior on refreshing a - zone - (querying for SOA changes) or retrying failed transfers. - Usually the SOA values for the zone are used, but these - values - are set by the master, giving slave server administrators - little - control over their contents. - - - These options allow the administrator to set a minimum and - maximum - refresh and retry time either per-zone, per-view, or - globally. - These options are valid for slave and stub zones, - and clamp the SOA refresh and retry times to the specified - values. - - - - - - edns-udp-size - - - Sets the advertised EDNS UDP buffer size in bytes. Valid - values are 512 to 4096 (values outside this range - will be silently adjusted). The default value is - 4096. The usual reason for setting edns-udp-size to - a non-default value is to get UDP answers to pass - through broken firewalls that block fragmented - packets and/or block UDP packets that are greater - than 512 bytes. - - - - - - max-udp-size - - - Sets the maximum EDNS UDP message size named will - send in bytes. Valid values are 512 to 4096 (values outside - this range will be silently adjusted). The default - value is 4096. The usual reason for setting - max-udp-size to a non-default value is to get UDP - answers to pass through broken firewalls that - block fragmented packets and/or block UDP packets - that are greater than 512 bytes. - This is independent of the advertised receive - buffer (edns-udp-size). - - - - - - masterfile-format - - Specifies - the file format of zone files (see - ). - The default value is text, which is the - standard textual representation. Files in other formats - than text are typically expected - to be generated by the named-compilezone tool. 
- Note that when a zone file in a different format than - text is loaded, named - may omit some of the checks which would be performed for a - file in the text format. In particular, - check-names checks do not apply - for the raw format. This means - a zone file in the raw format - must be generated with the same check level as that - specified in the named configuration - file. This statement sets the - masterfile-format for all zones, - but can be overridden on a per-zone or per-view basis - by including a masterfile-format - statement within the zone or - view block in the configuration - file. - - - - - - clients-per-query - max-clients-per-query - - These set the - initial value (minimum) and maximum number of recursive - simultanious clients for any given query - (<qname,qtype,qclass>) that the server will accept - before dropping additional clients. named will attempt to - self tune this value and changes will be logged. The - default values are 10 and 100. - - - This value should reflect how many queries come in for - a given name in the time it takes to resolve that name. - If the number of queries exceed this value, named will - assume that it is dealing with a non-responsive zone - and will drop additional queries. If it gets a response - after dropping queries, it will raise the estimate. The - estimate will then be lowered in 20 minutes if it has - remained unchanged. - - - If clients-per-query is set to zero, - then there is no limit on the number of clients per query - and no queries will be dropped. - - - If max-clients-per-query is set to zero, - then there is no upper bound other than imposed by - recursive-clients. - - - - - - notify-delay - - - The delay, in seconds, between sending sets of notify - messages for a zone. The default is zero. 
- - - - - - - - - Built-in server information zones - - - The server provides some helpful diagnostic information - through a number of built-in zones under the - pseudo-top-level-domain bind in the - CHAOS class. These zones are part - of a - built-in view (see ) of - class - CHAOS which is separate from the - default view of - class IN; therefore, any global - server options - such as allow-query do not apply - the these zones. - If you feel the need to disable these zones, use the options - below, or hide the built-in CHAOS - view by - defining an explicit view of class CHAOS - that matches all clients. - - - - - - version - - - The version the server should report - via a query of the name version.bind - with type TXT, class CHAOS. - The default is the real version number of this server. - Specifying version none - disables processing of the queries. - - - - - - hostname - - - The hostname the server should report via a query of - the name hostname.bind - with type TXT, class CHAOS. - This defaults to the hostname of the machine hosting the - name server as - found by the gethostname() function. The primary purpose of such queries - is to - identify which of a group of anycast servers is actually - answering your queries. Specifying hostname none; - disables processing of the queries. - - - - - - server-id - - - The ID of the server should report via a query of - the name ID.SERVER - with type TXT, class CHAOS. - The primary purpose of such queries is to - identify which of a group of anycast servers is actually - answering your queries. Specifying server-id none; - disables processing of the queries. - Specifying server-id hostname; will cause named to - use the hostname as found by the gethostname() function. - The default server-id is none. - - - - - - - - - - Built-in Empty Zones - - Named has some built-in empty zones (SOA and NS records only). 
- These are for zones that should normally be answered locally - and which queries should not be sent to the Internet's root - servers. The official servers which cover these namespaces - return NXDOMAIN responses to these queries. In particular, - these cover the reverse namespace for addresses from RFC 1918 and - RFC 3330. They also include the reverse namespace for IPv6 local - address (locally assigned), IPv6 link local addresses, the IPv6 - loopback address and the IPv6 unknown addresss. - - - Named will attempt to determine if a built in zone already exists - or is active (covered by a forward-only forwarding declaration) - and will not not create a empty zone in that case. - - - The current list of empty zones is: - - 10.IN-ADDR.ARPA - 127.IN-ADDR.ARPA - 254.169.IN-ADDR.ARPA - 16.172.IN-ADDR.ARPA - 17.172.IN-ADDR.ARPA - 18.172.IN-ADDR.ARPA - 19.172.IN-ADDR.ARPA - 20.172.IN-ADDR.ARPA - 21.172.IN-ADDR.ARPA - 22.172.IN-ADDR.ARPA - 23.172.IN-ADDR.ARPA - 24.172.IN-ADDR.ARPA - 25.172.IN-ADDR.ARPA - 26.172.IN-ADDR.ARPA - 27.172.IN-ADDR.ARPA - 28.172.IN-ADDR.ARPA - 29.172.IN-ADDR.ARPA - 30.172.IN-ADDR.ARPA - 31.172.IN-ADDR.ARPA - 168.192.IN-ADDR.ARPA - 2.0.192.IN-ADDR.ARPA - 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA - 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA - D.F.IP6.ARPA - 8.E.F.IP6.ARPA - 9.E.F.IP6.ARPA - A.E.F.IP6.ARPA - B.E.F.IP6.ARPA - - - - Empty zones are settable at the view level and only apply to - views of class IN. Disabled empty zones are only inherited - from options if there are no disabled empty zones specified - at the view level. To override the options list of disabled - zones, you can disable the root zone at the view level, for example: - - disable-empty-zone "."; - - - - If you are using the address ranges covered here, you should - already have reverse zones covering the addresses you use. 
- In practice this appears to not be the case with many queries - being made to the infrastructure servers for names in these - spaces. So many in fact that sacrificial servers were needed - to be deployed to channel the query load away from the - infrastructure servers. - - - The real parent servers for these zones should disable all - empty zone under the parent zone they serve. For the real - root servers, this is all built in empty zones. This will - enable them to return referrals to deeper in the tree. - - - - empty-server - - - Specify what server name will appear in the returned - SOA record for empty zones. If none is specified, then - the zone's name will be used. - - - - - - empty-contact - - - Specify what contact name will appear in the returned - SOA record for empty zones. If none is specified, then - "." will be used. - - - - - - empty-zones-enable - - - Enable or disable all empty zones. By default they - are enabled. - - - - - - disable-empty-zone - - - Disable individual empty zones. By default none are - disabled. This option can be specified multiple times. - - - - - - - - The Statistics File - - - The statistics file generated by BIND 9 - is similar, but not identical, to that - generated by BIND 8. - - - The statistics dump begins with a line, like: - - - +++ Statistics Dump +++ (973798949) - - - The number in parentheses is a standard - Unix-style timestamp, measured as seconds since January 1, 1970. - Following - that line are a series of lines containing a counter type, the - value of the - counter, optionally a zone name, and optionally a view name. - The lines without view and zone listed are global statistics for - the entire server. - Lines with a zone and view name for the given view and zone (the - view name is - omitted for the default view). 
- - - The statistics dump ends with the line where the - number is identical to the number in the beginning line; for example: - - - --- Statistics Dump --- (973798949) - - - The following statistics counters are maintained: - - - - - - - - - success - - - - The number of - successful queries made to the server or zone. A - successful query - is defined as query which returns a NOERROR response - with at least - one answer RR. - - - - - - referral - - - - The number of queries which resulted - in referral responses. - - - - - - nxrrset - - - - The number of queries which resulted in - NOERROR responses with no data. - - - - - - nxdomain - - - - The number - of queries which resulted in NXDOMAIN responses. - - - - - - failure - - - - The number of queries which resulted in a - failure response other than those above. - - - - - - recursion - - - - The number of queries which caused the server - to perform recursion in order to find the final answer. - - - - - - duplicate - - - - The number of queries which the server attempted to - recurse but discover a existing query with the same - IP address, port, query id, name, type and class - already being processed. - - - - - - dropped - - - - The number of queries for which the server - discovered a excessive number of existing - recursive queries for the same name, type and - class and were subsequently dropped. - - - - - - - - - Each query received by the server will cause exactly one of - success, - referral, - nxrrset, - nxdomain, or - failure - to be incremented, and may additionally cause the - recursion counter to be - incremented. - - - - - - Additional Section Caching - - - The additional section cache, also called acache, - is an internal cache to improve the response performance of BIND 9. - When additional section caching is enabled, BIND 9 will - cache an internal short-cut to the additional section content for - each answer RR. 
- Note that acache is an internal caching - mechanism of BIND 9, and is not related to the DNS caching - server function. - - - - Additional section caching does not change the - response content (except the RRsets ordering of the additional - section, see below), but can improve the response performance - significantly. - It is particularly effective when BIND 9 acts as an authoritative - server for a zone that has many delegations with many glue RRs. - - - - In order to obtain the maximum performance improvement - from additional section caching, setting - additional-from-cache - to no is recommended, since the current - implementation of acache - does not short-cut of additional section information from the - DNS cache data. - - - - One obvious disadvantage of acache is - that it requires much more - memory for the internal cached data. - Thus, if the response performance does not matter and memory - consumption is much more critical, the - acache mechanism can be - disabled by setting acache-enable to - no. - It is also possible to specify the upper limit of memory - consumption - for acache by using max-acache-size. - - - - Additional section caching also has a minor effect on the - RRset ordering in the additional section. - Without acache, - cyclic order is effective for the additional - section as well as the answer and authority sections. - However, additional section caching fixes the ordering when it - first caches an RRset for the additional section, and the same - ordering will be kept in succeeding responses, regardless of the - setting of rrset-order. - The effect of this should be minor, however, since an - RRset in the additional section - typically only contains a small number of RRs (and in many cases - it only contains a single RR), in which case the - ordering does not matter much. - - - - The following is a summary of options related to - acache. - - - - - - acache-enable - - - If yes, additional section caching is - enabled. 
The default value is no. - - - - - - acache-cleaning-interval - - - The server will remove stale cache entries, based on an LRU - based - algorithm, every acache-cleaning-interval minutes. - The default is 60 minutes. - If set to 0, no periodic cleaning will occur. - - - - - - max-acache-size - - - The maximum amount of memory in bytes to use for the server's acache. - When the amount of data in the acache reaches this limit, - the server - will clean more aggressively so that the limit is not - exceeded. - In a server with multiple views, the limit applies - separately to the - acache of each view. - The default is unlimited, - meaning that - entries are purged from the acache only at the - periodic cleaning time. - - - - - - - - - - - - <command>server</command> Statement Grammar - -server ip_addr[/prefixlen] { - bogus yes_or_no ; - provide-ixfr yes_or_no ; - request-ixfr yes_or_no ; - edns yes_or_no ; - edns-udp-size number ; - max-udp-size number ; - transfers number ; - transfer-format ( one-answer | many-answers ) ; ] - keys { string ; string ; ... } ; - transfer-source (ip4_addr | *) port ip_port ; - transfer-source-v6 (ip6_addr | *) port ip_port ; - notify-source (ip4_addr | *) port ip_port ; - notify-source-v6 (ip6_addr | *) port ip_port ; - query-source address ( ip_addr | * ) port ( ip_port | * ) ; - query-source-v6 address ( ip_addr | * ) port ( ip_port | * ) ; -}; - - - - - - <command>server</command> Statement Definition and - Usage - - - The server statement defines - characteristics - to be associated with a remote name server. If a prefix length is - specified, then a range of servers is covered. Only the most - specific - server clause applies regardless of the order in - named.conf. - - - - The server statement can occur at - the top level of the - configuration file or inside a view - statement. - If a view statement contains - one or more server statements, only - those - apply to the view and any top-level ones are ignored. 
- If a view contains no server - statements, - any top-level server statements are - used as - defaults. - - - - If you discover that a remote server is giving out bad data, - marking it as bogus will prevent further queries to it. The - default - value of bogus is no. - - - The provide-ixfr clause determines - whether - the local server, acting as master, will respond with an - incremental - zone transfer when the given remote server, a slave, requests it. - If set to yes, incremental transfer - will be provided - whenever possible. If set to no, - all transfers - to the remote server will be non-incremental. If not set, the - value - of the provide-ixfr option in the - view or - global options block is used as a default. - - - - The request-ixfr clause determines - whether - the local server, acting as a slave, will request incremental zone - transfers from the given remote server, a master. If not set, the - value of the request-ixfr option in - the view or - global options block is used as a default. - - - - IXFR requests to servers that do not support IXFR will - automatically - fall back to AXFR. Therefore, there is no need to manually list - which servers support IXFR and which ones do not; the global - default - of yes should always work. - The purpose of the provide-ixfr and - request-ixfr clauses is - to make it possible to disable the use of IXFR even when both - master - and slave claim to support it, for example if one of the servers - is buggy and crashes or corrupts data when IXFR is used. - - - - The edns clause determines whether - the local server will attempt to use EDNS when communicating - with the remote server. The default is yes. - - - - The edns-udp-size option sets the EDNS UDP size - that is advertised by named when querying the remote server. - Valid values are 512 to 4096 bytes (values outside this range will be - silently adjusted). 
This option is useful when you wish to - advertises a different value to this server than the value you - advertise globally, for example, when there is a firewall at the - remote site that is blocking large replies. - - - - The max-udp-size option sets the - maximum EDNS UDP message size named will send. Valid - values are 512 to 4096 bytes (values outside this range will - be silently adjusted). This option is useful when you - know that there is a firewall that is blocking large - replies from named. - - - - The server supports two zone transfer methods. The first, one-answer, - uses one DNS message per resource record transferred. many-answers packs - as many resource records as possible into a message. many-answers is - more efficient, but is only known to be understood by BIND 9, BIND - 8.x, and patched versions of BIND - 4.9.5. You can specify which method - to use for a server with the transfer-format option. - If transfer-format is not - specified, the transfer-format - specified - by the options statement will be - used. - - - transfers - is used to limit the number of concurrent inbound zone - transfers from the specified server. If no - transfers clause is specified, the - limit is set according to the - transfers-per-ns option. - - - - The keys clause identifies a - key_id defined by the key statement, - to be used for transaction security (TSIG, ) - when talking to the remote server. - When a request is sent to the remote server, a request signature - will be generated using the key specified here and appended to the - message. A request originating from the remote server is not - required - to be signed by this key. - - - - Although the grammar of the keys - clause - allows for multiple keys, only a single key per server is - currently - supported. - - - - The transfer-source and - transfer-source-v6 clauses specify - the IPv4 and IPv6 source - address to be used for zone transfer with the remote server, - respectively. 
- For an IPv4 remote server, only transfer-source can - be specified. - Similarly, for an IPv6 remote server, only - transfer-source-v6 can be - specified. - For more details, see the description of - transfer-source and - transfer-source-v6 in - . - - - - The notify-source and - notify-source-v6 clauses specify the - IPv4 and IPv6 source address to be used for notify - messages sent to remote servers, respectively. For an - IPv4 remote server, only notify-source - can be specified. Similarly, for an IPv6 remote server, - only notify-source-v6 can be specified. - - - - The query-source and - query-source-v6 clauses specify the - IPv4 and IPv6 source address to be used for queries - sent to remote servers, respectively. For an IPv4 - remote server, only query-source can - be specified. Similarly, for an IPv6 remote server, - only query-source-v6 can be specified. - - - - - - <command>trusted-keys</command> Statement Grammar - -trusted-keys { - string number number number string ; - string number number number string ; ... -}; - - - - - <command>trusted-keys</command> Statement Definition - and Usage - - The trusted-keys statement defines - DNSSEC security roots. DNSSEC is described in . A security root is defined when the - public key for a non-authoritative zone is known, but - cannot be securely obtained through DNS, either because - it is the DNS root zone or because its parent zone is - unsigned. Once a key has been configured as a trusted - key, it is treated as if it had been validated and - proven secure. The resolver attempts DNSSEC validation - on all DNS data in subdomains of a security root. - - - All keys (and corresponding zones) listed in - trusted-keys are deemed to exist regardless - of what parent zones say. Similarly for all keys listed in - trusted-keys only those keys are - used to validate the DNSKEY RRset. The parent's DS RRset - will not be used. 
- - - The trusted-keys statement can contain - multiple key entries, each consisting of the key's - domain name, flags, protocol, algorithm, and the Base-64 - representation of the key data. - - - - - <command>view</command> Statement Grammar - -view view_name - class { - match-clients { address_match_list }; - match-destinations { address_match_list }; - match-recursive-only yes_or_no ; - view_option; ... - zone_statement; ... -}; - - - - - <command>view</command> Statement Definition and Usage - - - The view statement is a powerful - feature - of BIND 9 that lets a name server - answer a DNS query differently - depending on who is asking. It is particularly useful for - implementing - split DNS setups without having to run multiple servers. - - - - Each view statement defines a view - of the - DNS namespace that will be seen by a subset of clients. A client - matches - a view if its source IP address matches the - address_match_list of the view's - match-clients clause and its - destination IP address matches - the address_match_list of the - view's - match-destinations clause. If not - specified, both - match-clients and match-destinations - default to matching all addresses. In addition to checking IP - addresses - match-clients and match-destinations - can also take keys which provide an - mechanism for the - client to select the view. A view can also be specified - as match-recursive-only, which - means that only recursive - requests from matching clients will match that view. - The order of the view statements is - significant — - a client request will be resolved in the context of the first - view that it matches. - - - - Zones defined within a view - statement will - be only be accessible to clients that match the view. - By defining a zone of the same name in multiple views, different - zone data can be given to different clients, for example, - "internal" - and "external" clients in a split DNS setup. 
- - - - Many of the options given in the options statement - can also be used within a view - statement, and then - apply only when resolving queries with that view. When no - view-specific - value is given, the value in the options statement - is used as a default. Also, zone options can have default values - specified - in the view statement; these - view-specific defaults - take precedence over those in the options statement. - - - - Views are class specific. If no class is given, class IN - is assumed. Note that all non-IN views must contain a hint zone, - since only the IN class has compiled-in default hints. - - - - If there are no view statements in - the config - file, a default view that matches any client is automatically - created - in class IN. Any zone statements - specified on - the top level of the configuration file are considered to be part - of - this default view, and the options - statement will - apply to the default view. If any explicit view - statements are present, all zone - statements must - occur inside view statements. - - - - Here is an example of a typical split DNS setup implemented - using view statements: - - -view "internal" { - // This should match our internal networks. - match-clients { 10.0.0.0/8; }; - - // Provide recursive service to internal clients only. - recursion yes; - - // Provide a complete view of the example.com zone - // including addresses of internal hosts. - zone "example.com" { - type master; - file "example-internal.db"; - }; -}; - -view "external" { - // Match all clients not matched by the previous view. - match-clients { any; }; - - // Refuse recursive service to external clients. - recursion no; - - // Provide a restricted view of the example.com zone - // containing only publicly accessible hosts. 
- zone "example.com" { - type master; - file "example-external.db"; - }; -}; - - - - - <command>zone</command> - Statement Grammar - -zone zone_name class { - type master; - allow-query { address_match_list }; - allow-transfer { address_match_list }; - allow-update { address_match_list }; - update-policy { update_policy_rule ... }; - also-notify { ip_addr port ip_port ; ip_addr port ip_port ; ... }; - check-names (warn|fail|ignore) ; - check-mx (warn|fail|ignore) ; - check-wildcard yes_or_no; - check-integrity yes_or_no ; - dialup dialup_option ; - file string ; - masterfile-format (text|raw) ; - journal string ; - forward (only|first) ; - forwarders { ip_addr port ip_port ; ... }; - ixfr-base string ; - ixfr-tmp-file string ; - maintain-ixfr-base yes_or_no ; - max-ixfr-log-size number ; - max-transfer-idle-out number ; - max-transfer-time-out number ; - notify yes_or_no | explicit | master-only ; - notify-delay seconds ; - pubkey number number number string ; - notify-source (ip4_addr | *) port ip_port ; - notify-source-v6 (ip6_addr | *) port ip_port ; - zone-statistics yes_or_no ; - sig-validity-interval number ; - database string ; - min-refresh-time number ; - max-refresh-time number ; - min-retry-time number ; - max-retry-time number ; - key-directory path_name; - zero-no-soa-ttl yes_or_no ; -}; - -zone zone_name class { - type slave; - allow-notify { address_match_list }; - allow-query { address_match_list }; - allow-transfer { address_match_list }; - allow-update-forwarding { address_match_list }; - update-check-ksk yes_or_no; - also-notify { ip_addr port ip_port ; ip_addr port ip_port ; ... }; - check-names (warn|fail|ignore) ; - dialup dialup_option ; - file string ; - masterfile-format (text|raw) ; - journal string ; - forward (only|first) ; - forwarders { ip_addr port ip_port ; ... }; - ixfr-base string ; - ixfr-tmp-file string ; - maintain-ixfr-base yes_or_no ; - masters port ip_port { ( masters_list | ip_addr port ip_port key key ) ; ... 
}; - max-ixfr-log-size number ; - max-transfer-idle-in number ; - max-transfer-idle-out number ; - max-transfer-time-in number ; - max-transfer-time-out number ; - notify yes_or_no | explicit | master-only ; - pubkey number number number string ; - transfer-source (ip4_addr | *) port ip_port ; - transfer-source-v6 (ip6_addr | *) port ip_port ; - alt-transfer-source (ip4_addr | *) port ip_port ; - alt-transfer-source-v6 (ip6_addr | *) port ip_port ; - use-alt-transfer-source yes_or_no; - notify-source (ip4_addr | *) port ip_port ; - notify-source-v6 (ip6_addr | *) port ip_port ; - zone-statistics yes_or_no ; - database string ; - min-refresh-time number ; - max-refresh-time number ; - min-retry-time number ; - max-retry-time number ; - multi-master yes_or_no ; - zero-no-soa-ttl yes_or_no ; -}; - -zone zone_name class { - type hint; - file string ; - delegation-only yes_or_no ; - check-names (warn|fail|ignore) ; // Not Implemented. -}; - -zone zone_name class { - type stub; - allow-query { address_match_list }; - check-names (warn|fail|ignore) ; - dialup dialup_option ; - delegation-only yes_or_no ; - file string ; - masterfile-format (text|raw) ; - forward (only|first) ; - forwarders { ip_addr port ip_port ; ... }; - masters port ip_port { ( masters_list | ip_addr port ip_port key key ) ; ... }; - max-transfer-idle-in number ; - max-transfer-time-in number ; - pubkey number number number string ; - transfer-source (ip4_addr | *) port ip_port ; - transfer-source-v6 (ip6_addr | *) port ip_port ; - alt-transfer-source (ip4_addr | *) port ip_port ; - alt-transfer-source-v6 (ip6_addr | *) port ip_port ; - use-alt-transfer-source yes_or_no; - zone-statistics yes_or_no ; - database string ; - min-refresh-time number ; - max-refresh-time number ; - min-retry-time number ; - max-retry-time number ; - multi-master yes_or_no ; -}; - -zone zone_name class { - type forward; - forward (only|first) ; - forwarders { ip_addr port ip_port ; ... 
}; - delegation-only yes_or_no ; -}; - -zone zone_name class { - type delegation-only; -}; - - - - - - <command>zone</command> Statement Definition and Usage - - Zone Types - - - - - - - - - - - master - - - - - The server has a master copy of the data - for the zone and will be able to provide authoritative - answers for - it. - - - - - - - slave - - - - - A slave zone is a replica of a master - zone. The masters list - specifies one or more IP addresses - of master servers that the slave contacts to update - its copy of the zone. - Masters list elements can also be names of other - masters lists. - By default, transfers are made from port 53 on the - servers; this can - be changed for all servers by specifying a port number - before the - list of IP addresses, or on a per-server basis after - the IP address. - Authentication to the master can also be done with - per-server TSIG keys. - If a file is specified, then the - replica will be written to this file whenever the zone - is changed, - and reloaded from this file on a server restart. Use - of a file is - recommended, since it often speeds server startup and - eliminates - a needless waste of bandwidth. Note that for large - numbers (in the - tens or hundreds of thousands) of zones per server, it - is best to - use a two-level naming scheme for zone filenames. For - example, - a slave server for the zone example.com might place - the zone contents into a file called - ex/example.com where ex/ is - just the first two letters of the zone name. (Most - operating systems - behave very slowly if you put 100 000 files into - a single directory.) - - - - - - - stub - - - - - A stub zone is similar to a slave zone, - except that it replicates only the NS records of a - master zone instead - of the entire zone. Stub zones are not a standard part - of the DNS; - they are a feature specific to the BIND implementation. 
- - - - Stub zones can be used to eliminate the need for glue - NS record - in a parent zone at the expense of maintaining a stub - zone entry and - a set of name server addresses in named.conf. - This usage is not recommended for new configurations, - and BIND 9 - supports it only in a limited way. - In BIND 4/8, zone - transfers of a parent zone - included the NS records from stub children of that - zone. This meant - that, in some cases, users could get away with - configuring child stubs - only in the master server for the parent zone. BIND - 9 never mixes together zone data from different zones - in this - way. Therefore, if a BIND 9 master serving a parent - zone has child stub zones configured, all the slave - servers for the - parent zone also need to have the same child stub - zones - configured. - - - - Stub zones can also be used as a way of forcing the - resolution - of a given domain to use a particular set of - authoritative servers. - For example, the caching name servers on a private - network using - RFC1918 addressing may be configured with stub zones - for - 10.in-addr.arpa - to use a set of internal name servers as the - authoritative - servers for that domain. - - - - - - - forward - - - - - A "forward zone" is a way to configure - forwarding on a per-domain basis. A zone statement - of type forward can - contain a forward - and/or forwarders - statement, - which will apply to queries within the domain given by - the zone - name. If no forwarders - statement is present or - an empty list for forwarders is given, then no - forwarding will be done for the domain, canceling the - effects of - any forwarders in the options statement. Thus - if you want to use this type of zone to change the - behavior of the - global forward option - (that is, "forward first" - to, then "forward only", or vice versa, but want to - use the same - servers as set globally) you need to re-specify the - global forwarders. 
- - - - - - - hint - - - - - The initial set of root name servers is - specified using a "hint zone". When the server starts - up, it uses - the root hints to find a root name server and get the - most recent - list of root name servers. If no hint zone is - specified for class - IN, the server uses a compiled-in default set of root - servers hints. - Classes other than IN have no built-in defaults hints. - - - - - - - delegation-only - - - - - This is used to enforce the delegation-only - status of infrastructure zones (e.g. COM, NET, ORG). - Any answer that - is received without an explicit or implicit delegation - in the authority - section will be treated as NXDOMAIN. This does not - apply to the zone - apex. This should not be applied to leaf zones. - - - delegation-only has no - effect on answers received - from forwarders. - - - - - - - - - - Class - - The zone's name may optionally be followed by a class. If - a class is not specified, class IN (for Internet), - is assumed. This is correct for the vast majority of cases. - - - The hesiod class is - named for an information service from MIT's Project Athena. It - is - used to share information about various systems databases, such - as users, groups, printers and so on. The keyword - HS is - a synonym for hesiod. - - - Another MIT development is Chaosnet, a LAN protocol created - in the mid-1970s. Zone data for it can be specified with the CHAOS class. - - - - - Zone Options - - - - - allow-notify - - - See the description of - allow-notify in . - - - - - - allow-query - - - See the description of - allow-query in . - - - - - - allow-transfer - - - See the description of allow-transfer - in . - - - - - - allow-update - - - See the description of allow-update - in . - - - - - - update-policy - - - Specifies a "Simple Secure Update" policy. See - . - - - - - - allow-update-forwarding - - - See the description of allow-update-forwarding - in . 
- - - - - - also-notify - - - Only meaningful if notify - is - active for this zone. The set of machines that will - receive a - DNS NOTIFY message - for this zone is made up of all the listed name servers - (other than - the primary master) for the zone plus any IP addresses - specified - with also-notify. A port - may be specified - with each also-notify - address to send the notify - messages to a port other than the default of 53. - also-notify is not - meaningful for stub zones. - The default is the empty list. - - - - - - check-names - - - This option is used to restrict the character set and - syntax of - certain domain names in master files and/or DNS responses - received from the - network. The default varies according to zone type. For master zones the default is fail. For slave - zones the default is warn. - - - - - - check-mx - - - See the description of - check-mx in . - - - - - - check-wildcard - - - See the description of - check-wildcard in . - - - - - - check-integrity - - - See the description of - check-integrity in . - - - - - - check-sibling - - - See the description of - check-sibling in . - - - - - - zero-no-soa-ttl - - - See the description of - zero-no-soa-ttl in . - - - - - - update-check-ksk - - - See the description of - update-check-ksk in . - - - - - - database - - - Specify the type of database to be used for storing the - zone data. The string following the database keyword - is interpreted as a list of whitespace-delimited words. - The first word - identifies the database type, and any subsequent words are - passed - as arguments to the database to be interpreted in a way - specific - to the database type. - - - The default is "rbt", BIND 9's - native in-memory - red-black-tree database. This database does not take - arguments. - - - Other values are possible if additional database drivers - have been linked into the server. Some sample drivers are - included - with the distribution but none are linked in by default. 
- - - - - - dialup - - - See the description of - dialup in . - - - - - - delegation-only - - - The flag only applies to hint and stub zones. If set - to yes, then the zone will also be - treated as if it - is also a delegation-only type zone. - - - - - - forward - - - Only meaningful if the zone has a forwarders - list. The only value causes - the lookup to fail - after trying the forwarders and getting no answer, while first would - allow a normal lookup to be tried. - - - - - - forwarders - - - Used to override the list of global forwarders. - If it is not specified in a zone of type forward, - no forwarding is done for the zone and the global options are - not used. - - - - - - ixfr-base - - - Was used in BIND 8 to - specify the name - of the transaction log (journal) file for dynamic update - and IXFR. - BIND 9 ignores the option - and constructs the name of the journal - file by appending ".jnl" - to the name of the - zone file. - - - - - - ixfr-tmp-file - - - Was an undocumented option in BIND 8. - Ignored in BIND 9. - - - - - - journal - - - Allow the default journal's filename to be overridden. - The default is the zone's filename with ".jnl" appended. - This is applicable to master and slave zones. - - - - - - max-transfer-time-in - - - See the description of - max-transfer-time-in in . - - - - - - max-transfer-idle-in - - - See the description of - max-transfer-idle-in in . - - - - - - max-transfer-time-out - - - See the description of - max-transfer-time-out in . - - - - - - max-transfer-idle-out - - - See the description of - max-transfer-idle-out in . - - - - - - notify - - - See the description of - notify in . - - - - - - notify-delay - - - See the description of - notify-delay in . - - - - - - pubkey - - - In BIND 8, this option was - intended for specifying - a public zone key for verification of signatures in DNSSEC - signed - zones when they are loaded from disk. BIND 9 does not verify signatures - on load and ignores the option. 
- - - - - - zone-statistics - - - If yes, the server will keep - statistical - information for this zone, which can be dumped to the - statistics-file defined in - the server options. - - - - - - sig-validity-interval - - - See the description of - sig-validity-interval in . - - - - - - transfer-source - - - See the description of - transfer-source in . - - - - - - transfer-source-v6 - - - See the description of - transfer-source-v6 in . - - - - - - alt-transfer-source - - - See the description of - alt-transfer-source in . - - - - - - alt-transfer-source-v6 - - - See the description of - alt-transfer-source-v6 in . - - - - - - use-alt-transfer-source - - - See the description of - use-alt-transfer-source in . - - - - - - - notify-source - - - See the description of - notify-source in . - - - - - - notify-source-v6 - - - See the description of - notify-source-v6 in . - - - - - - min-refresh-time - max-refresh-time - min-retry-time - max-retry-time - - - See the description in . - - - - - - ixfr-from-differences - - - See the description of - ixfr-from-differences in . - - - - - - key-directory - - - See the description of - key-directory in . - - - - - - multi-master - - - See the description of multi-master in - . - - - - - - masterfile-format - - - See the description of masterfile-format - in . - - - - - - - - - Dynamic Update Policies - - BIND 9 supports two alternative - methods of granting clients - the right to perform dynamic updates to a zone, - configured by the allow-update - and - update-policy option, - respectively. - - - The allow-update clause works the - same - way as in previous versions of BIND. It grants given clients the - permission to update any record of any name in the zone. - - - The update-policy clause is new - in BIND - 9 and allows more fine-grained control over what updates are - allowed. 
- A set of rules is specified, where each rule either grants or - denies - permissions for one or more names to be updated by one or more - identities. - If the dynamic update request message is signed (that is, it - includes - either a TSIG or SIG(0) record), the identity of the signer can - be determined. - - - Rules are specified in the update-policy zone - option, and are only meaningful for master zones. When the update-policy statement - is present, it is a configuration error for the allow-update statement - to be present. The update-policy - statement only - examines the signer of a message; the source address is not - relevant. - - - This is how a rule definition looks: - - - -( grant | deny ) identity nametype name types - - - - Each rule grants or denies privileges. Once a message has - successfully matched a rule, the operation is immediately - granted - or denied and no further rules are examined. A rule is matched - when the signer matches the identity field, the name matches the - name field in accordance with the nametype field, and the type - matches - the types specified in the type field. - - - - The identity field specifies a name or a wildcard name. - Normally, this - is the name of the TSIG or SIG(0) key used to sign the update - request. When a - TKEY exchange has been used to create a shared secret, the - identity of the - shared secret is the same as the identity of the key used to - authenticate the - TKEY exchange. When the identity field specifies a - wildcard name, it is subject to DNS wildcard expansion, so the - rule will apply - to multiple identities. The identity field must - contain a fully-qualified domain name. - - - - The nametype field has 6 - values: - name, subdomain, - wildcard, self, - selfsub, and selfwild. - - - - - - - - - - name - - - - Exact-match semantics. This rule matches - when the name being updated is identical - to the contents of the - name field. 
- - - - - - - subdomain - - - - This rule matches when the name being updated - is a subdomain of, or identical to, the - contents of the name - field. - - - - - - - wildcard - - - - The name field - is subject to DNS wildcard expansion, and - this rule matches when the name being updated - name is a valid expansion of the wildcard. - - - - - - - self - - - - - This rule matches when the name being updated - matches the contents of the - identity field. - The name field - is ignored, but should be the same as the - identity field. - The self nametype is - most useful when allowing using one key per - name to update, where the key has the same - name as the name to be updated. The - identity would - be specified as * (an asterisk) in - this case. - - - - - - - selfsub - - - - This rule is similar to self - except that subdomains of self - can also be updated. - - - - - - - selfwild - - - - This rule is similar to self - except that only subdomains of - self can be updated. - - - - - - - - - In all cases, the name - field must - specify a fully-qualified domain name. - - - - If no types are explicitly specified, this rule matches all - types except - RRSIG, NS, SOA, and NSEC. Types may be specified by name, including - "ANY" (ANY matches all types except NSEC, which can never be - updated). - Note that when an attempt is made to delete all records - associated with a - name, the rules are checked for each existing record type. - - - - - - Zone File - - Types of Resource Records and When to Use Them - - This section, largely borrowed from RFC 1034, describes the - concept of a Resource Record (RR) and explains when each is used. - Since the publication of RFC 1034, several new RRs have been - identified - and implemented in the DNS. These are also included. - - - Resource Records - - - A domain name identifies a node. Each node has a set of - resource information, which may be empty. 
The set of resource - information associated with a particular name is composed of - separate RRs. The order of RRs in a set is not significant and - need not be preserved by name servers, resolvers, or other - parts of the DNS. However, sorting of multiple RRs is - permitted for optimization purposes, for example, to specify - that a particular nearby server be tried first. See and . - - - - The components of a Resource Record are: - - - - - - - - - - owner name - - - - - The domain name where the RR is found. - - - - - - - type - - - - - An encoded 16-bit value that specifies - the type of the resource record. - - - - - - - TTL - - - - - The time-to-live of the RR. This field - is a 32-bit integer in units of seconds, and is - primarily used by - resolvers when they cache RRs. The TTL describes how - long a RR can - be cached before it should be discarded. - - - - - - - class - - - - - An encoded 16-bit value that identifies - a protocol family or instance of a protocol. - - - - - - - RDATA - - - - - The resource data. The format of the - data is type (and sometimes class) specific. - - - - - - - - The following are types of valid RRs: - - - - - - - - - - A - - - - - A host address. In the IN class, this is a - 32-bit IP address. Described in RFC 1035. - - - - - - - AAAA - - - - - IPv6 address. Described in RFC 1886. - - - - - - - A6 - - - - - IPv6 address. This can be a partial - address (a suffix) and an indirection to the name - where the rest of the - address (the prefix) can be found. Experimental. - Described in RFC 2874. - - - - - - - AFSDB - - - - - Location of AFS database servers. - Experimental. Described in RFC 1183. - - - - - - - APL - - - - - Address prefix list. Experimental. - Described in RFC 3123. - - - - - - - CERT - - - - - Holds a digital certificate. - Described in RFC 2538. - - - - - - - CNAME - - - - - Identifies the canonical name of an alias. - Described in RFC 1035. 
- - - - - - - DNAME - - - - - Replaces the domain name specified with - another name to be looked up, effectively aliasing an - entire - subtree of the domain name space rather than a single - record - as in the case of the CNAME RR. - Described in RFC 2672. - - - - - - - DNSKEY - - - - - Stores a public key associated with a signed - DNS zone. Described in RFC 4034. - - - - - - - DS - - - - - Stores the hash of a public key associated with a - signed DNS zone. Described in RFC 4034. - - - - - - - GPOS - - - - - Specifies the global position. Superseded by LOC. - - - - - - - HINFO - - - - - Identifies the CPU and OS used by a host. - Described in RFC 1035. - - - - - - - ISDN - - - - - Representation of ISDN addresses. - Experimental. Described in RFC 1183. - - - - - - - KEY - - - - - Stores a public key associated with a - DNS name. Used in original DNSSEC; replaced - by DNSKEY in DNSSECbis, but still used with - SIG(0). Described in RFCs 2535 and 2931. - - - - - - - KX - - - - - Identifies a key exchanger for this - DNS name. Described in RFC 2230. - - - - - - - LOC - - - - - For storing GPS info. Described in RFC 1876. - Experimental. - - - - - - - MX - - - - - Identifies a mail exchange for the domain with - a 16-bit preference value (lower is better) - followed by the host name of the mail exchange. - Described in RFC 974, RFC 1035. - - - - - - - NAPTR - - - - - Name authority pointer. Described in RFC 2915. - - - - - - - NSAP - - - - - A network service access point. - Described in RFC 1706. - - - - - - - NS - - - - - The authoritative name server for the - domain. Described in RFC 1035. - - - - - - - NSEC - - - - - Used in DNSSECbis to securely indicate that - RRs with an owner name in a certain name interval do - not exist in - a zone and indicate what RR types are present for an - existing name. - Described in RFC 4034. 
- - - - - - - NXT - - - - - Used in DNSSEC to securely indicate that - RRs with an owner name in a certain name interval do - not exist in - a zone and indicate what RR types are present for an - existing name. - Used in original DNSSEC; replaced by NSEC in - DNSSECbis. - Described in RFC 2535. - - - - - - - PTR - - - - - A pointer to another part of the domain - name space. Described in RFC 1035. - - - - - - - PX - - - - - Provides mappings between RFC 822 and X.400 - addresses. Described in RFC 2163. - - - - - - - RP - - - - - Information on persons responsible - for the domain. Experimental. Described in RFC 1183. - - - - - - - RRSIG - - - - - Contains DNSSECbis signature data. Described - in RFC 4034. - - - - - - - RT - - - - - Route-through binding for hosts that - do not have their own direct wide area network - addresses. - Experimental. Described in RFC 1183. - - - - - - - SIG - - - - - Contains DNSSEC signature data. Used in - original DNSSEC; replaced by RRSIG in - DNSSECbis, but still used for SIG(0). - Described in RFCs 2535 and 2931. - - - - - - - SOA - - - - - Identifies the start of a zone of authority. - Described in RFC 1035. - - - - - - - SRV - - - - - Information about well known network - services (replaces WKS). Described in RFC 2782. - - - - - - - TXT - - - - - Text records. Described in RFC 1035. - - - - - - - WKS - - - - - Information about which well known - network services, such as SMTP, that a domain - supports. Historical. - - - - - - - X25 - - - - - Representation of X.25 network addresses. - Experimental. Described in RFC 1183. - - - - - - - - The following classes of resource records - are currently valid in the DNS: - - - - - - - - - - IN - - - - - The Internet. - - - - - - - - CH - - - - - Chaosnet, a LAN protocol created at MIT in the - mid-1970s. - Rarely used for its historical purpose, but reused for - BIND's - built-in server information zones, e.g., - version.bind. 
- - - - - - - - HS - - - - - Hesiod, an information service - developed by MIT's Project Athena. It is used to share - information - about various systems databases, such as users, - groups, printers - and so on. - - - - - - - - - - The owner name is often implicit, rather than forming an - integral - part of the RR. For example, many name servers internally form - tree - or hash structures for the name space, and chain RRs off nodes. - The remaining RR parts are the fixed header (type, class, TTL) - which is consistent for all RRs, and a variable part (RDATA) - that - fits the needs of the resource being described. - - - The meaning of the TTL field is a time limit on how long an - RR can be kept in a cache. This limit does not apply to - authoritative - data in zones; it is also timed out, but by the refreshing - policies - for the zone. The TTL is assigned by the administrator for the - zone where the data originates. While short TTLs can be used to - minimize caching, and a zero TTL prohibits caching, the - realities - of Internet performance suggest that these times should be on - the - order of days for the typical host. If a change can be - anticipated, - the TTL can be reduced prior to the change to minimize - inconsistency - during the change, and then increased back to its former value - following - the change. - - - The data in the RDATA section of RRs is carried as a combination - of binary strings and domain names. The domain names are - frequently - used as "pointers" to other data in the DNS. - - - - Textual expression of RRs - - RRs are represented in binary form in the packets of the DNS - protocol, and are usually represented in highly encoded form - when - stored in a name server or resolver. In the examples provided - in - RFC 1034, a style similar to that used in master files was - employed - in order to show the contents of RRs. 
In this format, most RRs - are shown on a single line, although continuation lines are - possible - using parentheses. - - - The start of the line gives the owner of the RR. If a line - begins with a blank, then the owner is assumed to be the same as - that of the previous RR. Blank lines are often included for - readability. - - - Following the owner, we list the TTL, type, and class of the - RR. Class and type use the mnemonics defined above, and TTL is - an integer before the type field. In order to avoid ambiguity - in - parsing, type and class mnemonics are disjoint, TTLs are - integers, - and the type mnemonic is always last. The IN class and TTL - values - are often omitted from examples in the interests of clarity. - - - The resource data or RDATA section of the RR are given using - knowledge of the typical representation for the data. - - - For example, we might show the RRs carried in a message as: - - - - - - - - - - ISI.EDU. - - - - - MX - - - - - 10 VENERA.ISI.EDU. - - - - - - - - - - MX - - - - - 10 VAXA.ISI.EDU - - - - - - - VENERA.ISI.EDU - - - - - A - - - - - 128.9.0.32 - - - - - - - - - - A - - - - - 10.1.0.52 - - - - - - - VAXA.ISI.EDU - - - - - A - - - - - 10.2.0.27 - - - - - - - - - - A - - - - - 128.9.0.33 - - - - - - - - The MX RRs have an RDATA section which consists of a 16-bit - number followed by a domain name. The address RRs use a - standard - IP address format to contain a 32-bit internet address. - - - The above example shows six RRs, with two RRs at each of three - domain names. - - - Similarly we might see: - - - - - - - - - - XX.LCS.MIT.EDU. - - - - - IN A - - - - - 10.0.0.44 - - - - - - - - CH A - - - - - MIT.EDU. 2420 - - - - - - - - This example shows two addresses for - XX.LCS.MIT.EDU, each of a different class. 
- - - - - - Discussion of MX Records - - - As described above, domain servers store information as a - series of resource records, each of which contains a particular - piece of information about a given domain name (which is usually, - but not always, a host). The simplest way to think of a RR is as - a typed pair of data, a domain name matched with a relevant datum, - and stored with some additional type information to help systems - determine when the RR is relevant. - - - - MX records are used to control delivery of email. The data - specified in the record is a priority and a domain name. The - priority - controls the order in which email delivery is attempted, with the - lowest number first. If two priorities are the same, a server is - chosen randomly. If no servers at a given priority are responding, - the mail transport agent will fall back to the next largest - priority. - Priority numbers do not have any absolute meaning — they are - relevant - only respective to other MX records for that domain name. The - domain - name given is the machine to which the mail will be delivered. - It must have an associated address record - (A or AAAA) — CNAME is not sufficient. - - - For a given domain, if there is both a CNAME record and an - MX record, the MX record is in error, and will be ignored. - Instead, - the mail will be delivered to the server specified in the MX - record - pointed to by the CNAME. - - - For example: - - - - - - - - - - - - - example.com. - - - - - IN - - - - - MX - - - - - 10 - - - - - mail.example.com. - - - - - - - - - - IN - - - - - MX - - - - - 10 - - - - - mail2.example.com. - - - - - - - - - - IN - - - - - MX - - - - - 20 - - - - - mail.backup.org. - - - - - - - mail.example.com. - - - - - IN - - - - - A - - - - - 10.0.0.1 - - - - - - - - - - mail2.example.com. 
- - - - - IN - - - - - A - - - - - 10.0.0.2 - - - - - - - - - - Mail delivery will be attempted to mail.example.com and - mail2.example.com (in - any order), and if neither of those succeed, delivery to mail.backup.org will - be attempted. - - - - Setting TTLs - - The time-to-live of the RR field is a 32-bit integer represented - in units of seconds, and is primarily used by resolvers when they - cache RRs. The TTL describes how long a RR can be cached before it - should be discarded. The following three types of TTL are - currently - used in a zone file. - - - - - - - - - - SOA - - - - - The last field in the SOA is the negative - caching TTL. This controls how long other servers will - cache no-such-domain - (NXDOMAIN) responses from you. - - - The maximum time for - negative caching is 3 hours (3h). - - - - - - - $TTL - - - - - The $TTL directive at the top of the - zone file (before the SOA) gives a default TTL for every - RR without - a specific TTL set. - - - - - - - RR TTLs - - - - - Each RR can have a TTL as the second - field in the RR, which will control how long other - servers can cache - the it. - - - - - - - - All of these TTLs default to units of seconds, though units - can be explicitly specified, for example, 1h30m. - - - - Inverse Mapping in IPv4 - - Reverse name resolution (that is, translation from IP address - to name) is achieved by means of the in-addr.arpa domain - and PTR records. Entries in the in-addr.arpa domain are made in - least-to-most significant order, read left to right. This is the - opposite order to the way IP addresses are usually written. Thus, - a machine with an IP address of 10.1.2.3 would have a - corresponding - in-addr.arpa name of - 3.2.1.10.in-addr.arpa. This name should have a PTR resource record - whose data field is the name of the machine or, optionally, - multiple - PTR records if the machine has more than one name. 
For example, - in the example.com domain: - - - - - - - - - - $ORIGIN - - - - - 2.1.10.in-addr.arpa - - - - - - - 3 - - - - - IN PTR foo.example.com. - - - - - - - - - The $ORIGIN lines in the examples - are for providing context to the examples only — they do not - necessarily - appear in the actual usage. They are only used here to indicate - that the example is relative to the listed origin. - - - - - Other Zone File Directives - - The Master File Format was initially defined in RFC 1035 and - has subsequently been extended. While the Master File Format - itself - is class independent all records in a Master File must be of the - same - class. - - - Master File Directives include $ORIGIN, $INCLUDE, - and $TTL. - - - The <command>$ORIGIN</command> Directive - - Syntax: $ORIGIN - domain-name - comment - - $ORIGIN - sets the domain name that will be appended to any - unqualified records. When a zone is first read in there - is an implicit $ORIGIN - <zone-name>. - The current $ORIGIN is appended to - the domain specified in the $ORIGIN - argument if it is not absolute. - - - -$ORIGIN example.com. -WWW CNAME MAIN-SERVER - - - - is equivalent to - - - -WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. - - - - - The <command>$INCLUDE</command> Directive - - Syntax: $INCLUDE - filename - -origin - comment - - - Read and process the file filename as - if it were included into the file at this point. If origin is - specified the file is processed with $ORIGIN set - to that value, otherwise the current $ORIGIN is - used. - - - The origin and the current domain name - revert to the values they had prior to the $INCLUDE once - the file has been read. - - - - RFC 1035 specifies that the current origin should be restored - after - an $INCLUDE, but it is silent - on whether the current - domain name should also be restored. BIND 9 restores both of - them. - This could be construed as a deviation from RFC 1035, a - feature, or both. 
- - - - - The <command>$TTL</command> Directive - - Syntax: $TTL - default-ttl - -comment - - - Set the default Time To Live (TTL) for subsequent records - with undefined TTLs. Valid TTLs are of the range 0-2147483647 - seconds. - - $TTL - is defined in RFC 2308. - - - - - <acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive - - Syntax: $GENERATE - range - lhs - ttl - class - type - rhs - comment - - $GENERATE - is used to create a series of resource records that only - differ from each other by an - iterator. $GENERATE can be used to - easily generate the sets of records required to support - sub /24 reverse delegations described in RFC 2317: - Classless IN-ADDR.ARPA delegation. - - -$ORIGIN 0.0.192.IN-ADDR.ARPA. -$GENERATE 1-2 0 NS SERVER$.EXAMPLE. -$GENERATE 1-127 $ CNAME $.0 - - - is equivalent to - - -0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE. -0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE. -1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA. -2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA. -... -127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA. - - - - - - - - - - range - - - - This can be one of two forms: start-stop - or start-stop/step. If the first form is used, then step - is set to - 1. All of start, stop and step must be positive. - - - - - - lhs - - - This - describes the owner name of the resource records - to be created. Any single $ - (dollar sign) - symbols within the lhs side - are replaced by the iterator value. - - To get a $ in the output, you need to escape the - $ using a backslash - \, - e.g. \$. The - $ may optionally be followed - by modifiers which change the offset from the - iterator, field width and base. - - Modifiers are introduced by a - { (left brace) immediately following the - $ as - ${offset[,width[,base]]}. - For example, ${-20,3,d} - subtracts 20 from the current value, prints the - result as a decimal in a zero-padded field of - width 3. 
- - Available output forms are decimal - (d), octal - (o) and hexadecimal - (x or X - for uppercase). The default modifier is - ${0,0,d}. If the - lhs is not absolute, the - current $ORIGIN is appended - to the name. - - - For compatibility with earlier versions, $$ is still - recognized as indicating a literal $ in the output. - - - - - - ttl - - - - Specifies the time-to-live of the generated records. If - not specified this will be inherited using the - normal ttl inheritance rules. - - class - and ttl can be - entered in either order. - - - - - - class - - - - Specifies the class of the generated records. - This must match the zone class if it is - specified. - - class - and ttl can be - entered in either order. - - - - - - type - - - - At present the only supported types are - PTR, CNAME, DNAME, A, AAAA and NS. - - - - - - rhs - - - - rhs is a domain name. It is processed - similarly to lhs. - - - - - - - - The $GENERATE directive is a BIND extension - and not part of the standard zone file format. - - - BIND 8 does not support the optional TTL and CLASS fields. - - - - - Additional File Formats - - In addition to the standard textual format, BIND 9 - supports the ability to read or dump to zone files in - other formats. The raw format is - currently available as an additional format. It is a - binary format representing BIND 9's internal data - structure directly, thereby remarkably improving the - loading time. - - - For a primary server, a zone file in the - raw format is expected to be - generated from a textual zone file by the - named-compilezone command. For a - secondary server or for a dynamic zone, it is automatically - generated (if this format is specified by the - masterfile-format option) when - named dumps the zone contents after - zone transfer or when applying prior updates. - - - If a zone file in a binary format needs manual modification, - it first must be converted to a textual form by the - named-compilezone command. 
All - necessary modification should go to the text file, which - should then be converted to the binary form by the - named-compilezone command again. - - - Although the raw format uses the - network byte order and avoids architecture-dependent - data alignment so that it is as much portable as - possible, it is primarily expected to be used inside - the same single system. In order to export a zone - file in the raw format or make a - portable backup of the file, it is recommended to - convert the file to the standard textual representation. - - - - - - <acronym>BIND</acronym> 9 Security Considerations - - Access Control Lists - - Access Control Lists (ACLs), are address match lists that - you can set up and nickname for future use in allow-notify, - allow-query, allow-recursion, - blackhole, allow-transfer, - etc. - - - Using ACLs allows you to have finer control over who can access - your name server, without cluttering up your config files with huge - lists of IP addresses. - - - It is a good idea to use ACLs, and to - control access to your server. Limiting access to your server by - outside parties can help prevent spoofing and denial of service (DoS) attacks against - your server. - - - Here is an example of how to properly apply ACLs: - - - -// Set up an ACL named "bogusnets" that will block RFC1918 space -// and some reserved space, which is commonly used in spoofing attacks. -acl bogusnets { - 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; - 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; -}; - -// Set up an ACL called our-nets. Replace this with the real IP numbers. -acl our-nets { x.x.x.x/24; x.x.x.x/21; }; -options { - ... - ... - allow-query { our-nets; }; - allow-recursion { our-nets; }; - ... - blackhole { bogusnets; }; - ... -}; - -zone "example.com" { - type master; - file "m/example.com"; - allow-query { any; }; -}; - - - - This allows recursive queries of the server from the outside - unless recursion has been previously disabled. 
- - - For more information on how to use ACLs to protect your server, - see the AUSCERT advisory at: - - - ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos - - - - <command>Chroot</command> and <command>Setuid</command> - - On UNIX servers, it is possible to run BIND in a chrooted environment - (using the chroot() function) by specifying the "" - option. This can help improve system security by placing BIND in - a "sandbox", which will limit the damage done if a server is - compromised. - - - Another useful feature in the UNIX version of BIND is the - ability to run the daemon as an unprivileged user ( user ). - We suggest running as an unprivileged user when using the chroot feature. - - - Here is an example command line to load BIND in a chroot sandbox, - /var/named, and to run named setuid to - user 202: - - - /usr/local/bin/named -u 202 -t /var/named - - - - The <command>chroot</command> Environment - - - In order for a chroot environment - to - work properly in a particular directory - (for example, /var/named), - you will need to set up an environment that includes everything - BIND needs to run. - From BIND's point of view, /var/named is - the root of the filesystem. You will need to adjust the values of - options like - like directory and pid-file to account - for this. - - - Unlike with earlier versions of BIND, you typically will - not need to compile named - statically nor install shared libraries under the new root. - However, depending on your operating system, you may need - to set up things like - /dev/zero, - /dev/random, - /dev/log, and - /etc/localtime. - - - - - Using the <command>setuid</command> Function - - - Prior to running the named daemon, - use - the touch utility (to change file - access and - modification times) or the chown - utility (to - set the user id and/or group id) on files - to which you want BIND - to write. 
- - - Note that if the named daemon is running as an - unprivileged user, it will not be able to bind to new restricted - ports if the server is reloaded. - - - - - - Dynamic Update Security - - - Access to the dynamic - update facility should be strictly limited. In earlier versions of - BIND, the only way to do this was - based on the IP - address of the host requesting the update, by listing an IP address - or - network prefix in the allow-update - zone option. - This method is insecure since the source address of the update UDP - packet - is easily forged. Also note that if the IP addresses allowed by the - allow-update option include the - address of a slave - server which performs forwarding of dynamic updates, the master can - be - trivially attacked by sending the update to the slave, which will - forward it to the master with its own source IP address causing the - master to approve it without question. - - - - For these reasons, we strongly recommend that updates be - cryptographically authenticated by means of transaction signatures - (TSIG). That is, the allow-update - option should - list only TSIG key names, not IP addresses or network - prefixes. Alternatively, the new update-policy - option can be used. - - - - Some sites choose to keep all dynamically-updated DNS data - in a subdomain and delegate that subdomain to a separate zone. This - way, the top-level zone containing critical data such as the IP - addresses - of public web and mail servers need not allow dynamic update at - all. - - - - - - - Troubleshooting - - Common Problems - - It's not working; how can I figure out what's wrong? - - - The best solution to solving installation and - configuration issues is to take preventative measures by setting - up logging files beforehand. The log files provide a - source of hints and information that can be used to figure out - what went wrong and how to fix the problem. 
- - - - - - Incrementing and Changing the Serial Number - - - Zone serial numbers are just numbers — they aren't - date related. A lot of people set them to a number that - represents a date, usually of the form YYYYMMDDRR. - Occasionally they will make a mistake and set them to a - "date in the future" then try to correct them by setting - them to the "current date". This causes problems because - serial numbers are used to indicate that a zone has been - updated. If the serial number on the slave server is - lower than the serial number on the master, the slave - server will attempt to update its copy of the zone. - - - - Setting the serial number to a lower number on the master - server than the slave server means that the slave will not perform - updates to its copy of the zone. - - - - The solution to this is to add 2147483647 (2^31-1) to the - number, reload the zone and make sure all slaves have updated to - the new zone serial number, then reset the number to what you want - it to be, and reload the zone again. - - - - - Where Can I Get Help? - - - The Internet Systems Consortium - (ISC) offers a wide range - of support and service agreements for BIND and DHCP servers. Four - levels of premium support are available and each level includes - support for all ISC programs, - significant discounts on products - and training, and a recognized priority on bug fixes and - non-funded feature requests. In addition, ISC offers a standard - support agreement package which includes services ranging from bug - fix announcements to remote support. It also includes training in - BIND and DHCP. - - - - To discuss arrangements for support, contact - info@isc.org or visit the - ISC web page at - http://www.isc.org/services/support/ - to read more. 
- - - - - Appendices - - Acknowledgments - - A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym> - - - Although the "official" beginning of the Domain Name - System occurred in 1984 with the publication of RFC 920, the - core of the new system was described in 1983 in RFCs 882 and - 883. From 1984 to 1987, the ARPAnet (the precursor to today's - Internet) became a testbed of experimentation for developing the - new naming/addressing scheme in a rapidly expanding, - operational network environment. New RFCs were written and - published in 1987 that modified the original documents to - incorporate improvements based on the working model. RFC 1034, - "Domain Names-Concepts and Facilities", and RFC 1035, "Domain - Names-Implementation and Specification" were published and - became the standards upon which all DNS implementations are - built. - - - - The first working domain name server, called "Jeeves", was - written in 1983-84 by Paul Mockapetris for operation on DEC - Tops-20 - machines located at the University of Southern California's - Information - Sciences Institute (USC-ISI) and SRI International's Network - Information - Center (SRI-NIC). A DNS server for - Unix machines, the Berkeley Internet - Name Domain (BIND) package, was - written soon after by a group of - graduate students at the University of California at Berkeley - under - a grant from the US Defense Advanced Research Projects - Administration - (DARPA). - - - Versions of BIND through - 4.8.3 were maintained by the Computer - Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark - Painter, David Riggle and Songnian Zhou made up the initial BIND - project team. After that, additional work on the software package - was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment - Corporation - employee on loan to the CSRG, worked on BIND for 2 years, from 1985 - to 1987. 
Many other people also contributed to BIND development - during that time: Doug Kingston, Craig Partridge, Smoot - Carl-Mitchell, - Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently - handled by Mike Karels and Øivind Kure. - - - BIND versions 4.9 and 4.9.1 were - released by Digital Equipment - Corporation (now Compaq Computer Corporation). Paul Vixie, then - a DEC employee, became BIND's - primary caretaker. He was assisted - by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan - Beecher, Andrew - Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat - Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe - Wolfhugel, and others. - - - In 1994, BIND version 4.9.2 was sponsored by - Vixie Enterprises. Paul - Vixie became BIND's principal - architect/programmer. - - - BIND versions from 4.9.3 onward - have been developed and maintained - by the Internet Systems Consortium and its predecessor, - the Internet Software Consortium, with support being provided - by ISC's sponsors. - - - As co-architects/programmers, Bob Halley and - Paul Vixie released the first production-ready version of - BIND version 8 in May 1997. - - - BIND version 9 was released in September 2000 and is a - major rewrite of nearly all aspects of the underlying - BIND architecture. - - - BIND version 4 is officially deprecated and BIND version - 8 development is considered maintenance-only in favor - of BIND version 9. No additional development is done - on BIND version 4 or BIND version 8 other than for - security-related patches. - - - BIND development work is made - possible today by the sponsorship - of several corporations, and by the tireless work efforts of - numerous individuals. - - - - - General <acronym>DNS</acronym> Reference Information - - IPv6 addresses (AAAA) - - IPv6 addresses are 128-bit identifiers for interfaces and - sets of interfaces which were introduced in the DNS to facilitate - scalable Internet routing. 
There are three types of addresses: Unicast, - an identifier for a single interface; - Anycast, - an identifier for a set of interfaces; and Multicast, - an identifier for a set of interfaces. Here we describe the global - Unicast address scheme. For more information, see RFC 3587, - "Global Unicast Address Format." - - - IPv6 unicast addresses consist of a - global routing prefix, a - subnet identifier, and an - interface identifier. - - - The global routing prefix is provided by the - upstream provider or ISP, and (roughly) corresponds to the - IPv4 network section - of the address range. - - The subnet identifier is for local subnetting, much the - same as subnetting an - IPv4 /16 network into /24 subnets. - - The interface identifier is the address of an individual - interface on a given network; in IPv6, addresses belong to - interfaces rather than to machines. - - - The subnetting capability of IPv6 is much more flexible than - that of IPv4: subnetting can be carried out on bit boundaries, - in much the same way as Classless InterDomain Routing - (CIDR), and the DNS PTR representation ("nibble" format) - makes setting up reverse zones easier. - - - The Interface Identifier must be unique on the local link, - and is usually generated automatically by the IPv6 - implementation, although it is usually possible to - override the default setting if necessary. A typical IPv6 - address might look like: - 2001:db8:201:9:a00:20ff:fe81:2b32 - - - IPv6 address specifications often contain long strings - of zeros, so the architects have included a shorthand for - specifying - them. The double colon (`::') indicates the longest possible - string - of zeros that can fit, and can be used only once in an address. - - - - - Bibliography (and Suggested Reading) - - Request for Comments (RFCs) - - Specification documents for the Internet protocol suite, including - the DNS, are published as part of - the Request for Comments (RFCs) - series of technical notes. 
The standards themselves are defined - by the Internet Engineering Task Force (IETF) and the Internet - Engineering Steering Group (IESG). RFCs can be obtained online via FTP at: - - - - ftp://www.isi.edu/in-notes/RFCxxxx.txt - - - - (where xxxx is - the number of the RFC). RFCs are also available via the Web at: - - - http://www.ietf.org/rfc/. - - - - - Standards - - RFC974 - - Partridge - C. - - Mail Routing and the Domain System - January 1986 - - - RFC1034 - - Mockapetris - P.V. - - Domain Names — Concepts and Facilities - November 1987 - - - RFC1035 - - Mockapetris - P. V. - Domain Names — Implementation and - Specification - November 1987 - - - - - Proposed Standards - - - RFC2181 - - Elz - R., R. Bush - - Clarifications to the <acronym>DNS</acronym> - Specification - July 1997 - - - RFC2308 - - Andrews - M. - - Negative Caching of <acronym>DNS</acronym> - Queries - March 1998 - - - RFC1995 - - Ohta - M. - - Incremental Zone Transfer in <acronym>DNS</acronym> - August 1996 - - - RFC1996 - - Vixie - P. - - A Mechanism for Prompt Notification of Zone Changes - August 1996 - - - RFC2136 - - - Vixie - P. - - - S. - Thomson - - - Y. - Rekhter - - - J. - Bound - - - Dynamic Updates in the Domain Name System - April 1997 - - - RFC2671 - - - P. - Vixie - - - Extension Mechanisms for DNS (EDNS0) - August 1997 - - - RFC2672 - - - M. - Crawford - - - Non-Terminal DNS Name Redirection - August 1999 - - - RFC2845 - - - Vixie - P. - - - O. - Gudmundsson - - - D. - Eastlake - 3rd - - - B. - Wellington - - - Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG) - May 2000 - - - RFC2930 - - - D. - Eastlake - 3rd - - - Secret Key Establishment for DNS (TKEY RR) - September 2000 - - - RFC2931 - - - D. - Eastlake - 3rd - - - DNS Request and Transaction Signatures (SIG(0)s) - September 2000 - - - RFC3007 - - - B. - Wellington - - - Secure Domain Name System (DNS) Dynamic Update - November 2000 - - - RFC3645 - - - S. - Kwan - - - P. - Garg - - - J. 
- Gilroy - - - L. - Esibov - - - J. - Westhead - - - R. - Hall - - - Generic Security Service Algorithm for Secret - Key Transaction Authentication for DNS - (GSS-TSIG) - October 2003 - - - - <acronym>DNS</acronym> Security Proposed Standards - - RFC3225 - - - D. - Conrad - - - Indicating Resolver Support of DNSSEC - December 2001 - - - RFC3833 - - - D. - Atkins - - - R. - Austein - - - Threat Analysis of the Domain Name System (DNS) - August 2004 - - - RFC4033 - - - R. - Arends - - - R. - Austein - - - M. - Larson - - - D. - Massey - - - S. - Rose - - - DNS Security Introduction and Requirements - March 2005 - - - RFC4044 - - - R. - Arends - - - R. - Austein - - - M. - Larson - - - D. - Massey - - - S. - Rose - - - Resource Records for the DNS Security Extensions - March 2005 - - - RFC4035 - - - R. - Arends - - - R. - Austein - - - M. - Larson - - - D. - Massey - - - S. - Rose - - - Protocol Modifications for the DNS - Security Extensions - March 2005 - - - - Other Important RFCs About <acronym>DNS</acronym> - Implementation - - RFC1535 - - Gavron - E. - - A Security Problem and Proposed Correction With Widely - Deployed <acronym>DNS</acronym> Software. - October 1993 - - - RFC1536 - - - Kumar - A. - - - J. - Postel - - - C. - Neuman - - - P. - Danzig - - - S. - Miller - - - Common <acronym>DNS</acronym> Implementation - Errors and Suggested Fixes - October 1993 - - - RFC1982 - - - Elz - R. - - - R. - Bush - - - Serial Number Arithmetic - August 1996 - - - RFC4074 - - - Morishita - Y. - - - T. - Jinmei - - - Common Misbehaviour Against <acronym>DNS</acronym> - Queries for IPv6 Addresses - May 2005 - - - - Resource Record Types - - RFC1183 - - - Everhart - C.F. - - - L. A. - Mamakos - - - R. - Ullmann - - - P. - Mockapetris - - - New <acronym>DNS</acronym> RR Definitions - October 1990 - - - RFC1706 - - - Manning - B. - - - R. - Colella - - - <acronym>DNS</acronym> NSAP Resource Records - October 1994 - - - RFC2168 - - - Daniel - R. - - - M. 
- Mealling - - - Resolution of Uniform Resource Identifiers using - the Domain Name System - June 1997 - - - RFC1876 - - - Davis - C. - - - P. - Vixie - - - T. - Goodwin - - - I. - Dickinson - - - A Means for Expressing Location Information in the - Domain - Name System - January 1996 - - - RFC2052 - - - Gulbrandsen - A. - - - P. - Vixie - - - A <acronym>DNS</acronym> RR for Specifying the - Location of - Services. - October 1996 - - - RFC2163 - - Allocchio - A. - - Using the Internet <acronym>DNS</acronym> to - Distribute MIXER - Conformant Global Address Mapping - January 1998 - - - RFC2230 - - Atkinson - R. - - Key Exchange Delegation Record for the <acronym>DNS</acronym> - October 1997 - - - RFC2536 - - Eastlake - D. - 3rd - - DSA KEYs and SIGs in the Domain Name System (DNS) - March 1999 - - - RFC2537 - - Eastlake - D. - 3rd - - RSA/MD5 KEYs and SIGs in the Domain Name System (DNS) - March 1999 - - - RFC2538 - - - Eastlake - D. - 3rd - - - Gudmundsson - O. - - - Storing Certificates in the Domain Name System (DNS) - March 1999 - - - RFC2539 - - - Eastlake - D. - 3rd - - - Storage of Diffie-Hellman Keys in the Domain Name System (DNS) - March 1999 - - - RFC2540 - - - Eastlake - D. - 3rd - - - Detached Domain Name System (DNS) Information - March 1999 - - - RFC2782 - - Gulbrandsen - A. - - - Vixie - P. - - - Esibov - L. - - A DNS RR for specifying the location of services (DNS SRV) - February 2000 - - - RFC2915 - - Mealling - M. - - - Daniel - R. - - The Naming Authority Pointer (NAPTR) DNS Resource Record - September 2000 - - - RFC3110 - - Eastlake - D. - 3rd - - RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS) - May 2001 - - - RFC3123 - - Koch - P. - - A DNS RR Type for Lists of Address Prefixes (APL RR) - June 2001 - - - RFC3596 - - - Thomson - S. - - - C. - Huitema - - - V. - Ksinant - - - M. - Souissi - - - <acronym>DNS</acronym> Extensions to support IP - version 6 - October 2003 - - - RFC3597 - - Gustafsson - A. 
- - Handling of Unknown DNS Resource Record (RR) Types - September 2003 - - - - <acronym>DNS</acronym> and the Internet - - RFC1101 - - Mockapetris - P. V. - - <acronym>DNS</acronym> Encoding of Network Names - and Other Types - April 1989 - - - RFC1123 - - Braden - R. - - Requirements for Internet Hosts - Application and - Support - October 1989 - - - RFC1591 - - Postel - J. - - Domain Name System Structure and Delegation - March 1994 - - - RFC2317 - - - Eidnes - H. - - - G. - de Groot - - - P. - Vixie - - - Classless IN-ADDR.ARPA Delegation - March 1998 - - - RFC2826 - - - Internet Architecture Board - - - IAB Technical Comment on the Unique DNS Root - May 2000 - - - RFC2929 - - - Eastlake - D. - 3rd - - - Brunner-Williams - E. - - - Manning - B. - - - Domain Name System (DNS) IANA Considerations - September 2000 - - - - <acronym>DNS</acronym> Operations - - RFC1033 - - Lottor - M. - - Domain administrators operations guide. - November 1987 - - - RFC1537 - - Beertema - P. - - Common <acronym>DNS</acronym> Data File - Configuration Errors - October 1993 - - - RFC1912 - - Barr - D. - - Common <acronym>DNS</acronym> Operational and - Configuration Errors - February 1996 - - - RFC2010 - - - Manning - B. - - - P. - Vixie - - - Operational Criteria for Root Name Servers. - October 1996 - - - RFC2219 - - - Hamilton - M. - - - R. - Wright - - - Use of <acronym>DNS</acronym> Aliases for - Network Services. - October 1997 - - - - Internationalized Domain Names - - RFC2825 - - - IAB - - - Daigle - R. - - - A Tangled Web: Issues of I18N, Domain Names, - and the Other Internet protocols - May 2000 - - - RFC3490 - - - Faltstrom - P. - - - Hoffman - P. - - - Costello - A. - - - Internationalizing Domain Names in Applications (IDNA) - March 2003 - - - RFC3491 - - - Hoffman - P. - - - Blanchet - M. - - - Nameprep: A Stringprep Profile for Internationalized Domain Names - March 2003 - - - RFC3492 - - - Costello - A. 
- - - Punycode: A Bootstring encoding of Unicode - for Internationalized Domain Names in - Applications (IDNA) - March 2003 - - - - Other <acronym>DNS</acronym>-related RFCs - - - Note: the following list of RFCs, although - DNS-related, are not - concerned with implementing software. - - - - RFC1464 - - Rosenbaum - R. - - Using the Domain Name System To Store Arbitrary String - Attributes - May 1993 - - - RFC1713 - - Romao - A. - - Tools for <acronym>DNS</acronym> Debugging - November 1994 - - - RFC1794 - - Brisco - T. - - <acronym>DNS</acronym> Support for Load - Balancing - April 1995 - - - RFC2240 - - Vaughan - O. - - A Legal Basis for Domain Name Allocation - November 1997 - - - RFC2345 - - - Klensin - J. - - - T. - Wolf - - - G. - Oglesby - - - Domain Names and Company Name Retrieval - May 1998 - - - RFC2352 - - Vaughan - O. - - A Convention For Using Legal Names as Domain Names - May 1998 - - - RFC3071 - - - Klensin - J. - - - Reflections on the DNS, RFC 1591, and Categories of Domains - February 2001 - - - RFC3258 - - - Hardie - T. - - - Distributing Authoritative Name Servers via - Shared Unicast Addresses - April 2002 - - - RFC3901 - - - Durand - A. - - - J. - Ihren - - - DNS IPv6 Transport Operational Guidelines - September 2004 - - - - Obsolete and Unimplemented Experimental RFC - - RFC1712 - - - Farrell - C. - - - M. - Schulze - - - S. - Pleitner - - - D. - Baldoni - - - <acronym>DNS</acronym> Encoding of Geographical - Location - November 1994 - - - RFC2673 - - - Crawford - M. - - - Binary Labels in the Domain Name System - August 1999 - - - RFC2874 - - - Crawford - M. - - - Huitema - C. - - - DNS Extensions to Support IPv6 Address Aggregation - and Renumbering - July 2000 - - - - Obsoleted DNS Security RFCs - - - Most of these have been consolidated into RFC4033, - RFC4034 and RFC4035 which collectively describe DNSSECbis. - - - - RFC2065 - - - Eastlake - 3rd - D. - - - C. 
- Kaufman - - - Domain Name System Security Extensions - January 1997 - - - RFC2137 - - Eastlake - 3rd - D. - - Secure Domain Name System Dynamic Update - April 1997 - - - RFC2535 - - - Eastlake - 3rd - D. - - - Domain Name System Security Extensions - March 1999 - - - RFC3008 - - - Wellington - B. - - - Domain Name System Security (DNSSEC) - Signing Authority - November 2000 - - - RFC3090 - - - Lewis - E. - - - DNS Security Extension Clarification on Zone Status - March 2001 - - - RFC3445 - - - Massey - D. - - - Rose - S. - - - Limiting the Scope of the KEY Resource Record (RR) - December 2002 - - - RFC3655 - - - Wellington - B. - - - Gudmundsson - O. - - - Redefinition of DNS Authenticated Data (AD) bit - November 2003 - - - RFC3658 - - - Gudmundsson - O. - - - Delegation Signer (DS) Resource Record (RR) - December 2003 - - - RFC3755 - - - Weiler - S. - - - Legacy Resolver Compatibility for Delegation Signer (DS) - May 2004 - - - RFC3757 - - - Kolkman - O. - - - Schlyter - J. - - - Lewis - E. - - - Domain Name System KEY (DNSKEY) Resource Record - (RR) Secure Entry Point (SEP) Flag - April 2004 - - - RFC3845 - - - Schlyter - J. - - - DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format - August 2004 - - - - - - Internet Drafts - - Internet Drafts (IDs) are rough-draft working documents of - the Internet Engineering Task Force. They are, in essence, RFCs - in the preliminary stages of development. Implementors are - cautioned not - to regard IDs as archival, and they should not be quoted or cited - in any formal documents unless accompanied by the disclaimer that - they are "works in progress." IDs have a lifespan of six months - after which they are deleted unless updated by their authors. - - - - Other Documents About <acronym>BIND</acronym> - - - - - - Albitz - Paul - - - Cricket - Liu - - - <acronym>DNS</acronym> and <acronym>BIND</acronym> - - 1998 - Sebastopol, CA: O'Reilly and Associates - - - - - - - - - Manual pages - - - - - - - - - - - - - - - - - 
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch01.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch01.html
deleted file mode 100644
index 44b706049ca..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.ch01.html
+++ /dev/null
@@ -1,560 +0,0 @@
- - - - - -Chapter 1. Introduction - - - - - - - - -
-

-Chapter 1. Introduction

- -

- The Internet Domain Name System (DNS) - consists of the syntax - to specify the names of entities in the Internet in a hierarchical - manner, the rules used for delegating authority over names, and the - system implementation that actually maps names to Internet - addresses. DNS data is maintained in a - group of distributed - hierarchical databases. -

-
-

-Scope of Document

-

- The Berkeley Internet Name Domain - (BIND) implements a - domain name server for a number of operating systems. This - document provides basic information about the installation and - care of the Internet Systems Consortium (ISC) - BIND version 9 software package for - system administrators. -

-

- This version of the manual corresponds to BIND version 9.4. -

-
-
-

-Organization of This Document

-

- In this document, Section 1 introduces - the basic DNS and BIND concepts. Section 2 - describes resource requirements for running BIND in various - environments. Information in Section 3 is - task-oriented in its presentation and is - organized functionally, to aid in the process of installing the - BIND 9 software. The task-oriented - section is followed by - Section 4, which contains more advanced - concepts that the system administrator may need for implementing - certain options. Section 5 - describes the BIND 9 lightweight - resolver. The contents of Section 6 are - organized as in a reference manual to aid in the ongoing - maintenance of the software. Section 7 addresses - security considerations, and - Section 8 contains troubleshooting help. The - main body of the document is followed by several - appendices which contain useful reference - information, such as a bibliography and - historic information related to BIND - and the Domain Name - System. -

-
-
-

-Conventions Used in This Document

-

- In this document, we use the following general typographic - conventions: -

-
---- - - - - - - - - - - - - - - - - - - -
-

- To describe: -

-
-

- We use the style: -

-
-

- a pathname, filename, URL, hostname, - mailing list name, or new term or concept -

-
-

- Fixed width -

-
-

- literal user - input -

-
-

- Fixed Width Bold -

-
-

- program output -

-
-

- Fixed Width -

-
-

- The following conventions are used in descriptions of the - BIND configuration file:

-
---- - - - - - - - - - - - - - - - - - - -
-

- To describe: -

-
-

- We use the style: -

-
-

- keywords -

-
-

- Fixed Width -

-
-

- variables -

-
-

- Fixed Width -

-
-

- Optional input -

-
-

- [Text is enclosed in square brackets] -

-
-

-

-
-
-

-The Domain Name System (DNS)

-

- The purpose of this document is to explain the installation - and upkeep of the BIND (Berkeley Internet - Name Domain) software package, and we - begin by reviewing the fundamentals of the Domain Name System - (DNS) as they relate to BIND. -

-
-

-DNS Fundamentals

-

- The Domain Name System (DNS) is a hierarchical, distributed - database. It stores information for mapping Internet host names to - IP - addresses and vice versa, mail routing information, and other data - used by Internet applications. -

-

- Clients look up information in the DNS by calling a - resolver library, which sends queries to one or - more name servers and interprets the responses. - The BIND 9 software distribution - contains a - name server, named, and two resolver - libraries, liblwres and libbind. -

-
-
-

-Domains and Domain Names

-

- The data stored in the DNS is identified by domain names that are organized as a tree according to - organizational or administrative boundaries. Each node of the tree, - called a domain, is given a label. The domain - name of the - node is the concatenation of all the labels on the path from the - node to the root node. This is represented - in written form as a string of labels listed from right to left and - separated by dots. A label need only be unique within its parent - domain. -

-

- For example, a domain name for a host at the - company Example, Inc. could be - ourhost.example.com, - where com is the - top level domain to which - ourhost.example.com belongs, - example is - a subdomain of com, and - ourhost is the - name of the host. -

-

- For administrative purposes, the name space is partitioned into - areas called zones, each starting at a node and - extending down to the leaf nodes or to nodes where other zones - start. - The data for each zone is stored in a name server, which answers queries about the zone using the - DNS protocol. -

-

- The data associated with each domain name is stored in the - form of resource records (RRs). - Some of the supported resource record types are described in - the section called “Types of Resource Records and When to Use Them”. -

-

- For more detailed information about the design of the DNS and - the DNS protocol, please refer to the standards documents listed in - the section called “Request for Comments (RFCs)”. -

-
-
-

-Zones

-

- To properly operate a name server, it is important to understand - the difference between a zone - and a domain. -

-

- As stated previously, a zone is a point of delegation in - the DNS tree. A zone consists of - those contiguous parts of the domain - tree for which a name server has complete information and over which - it has authority. It contains all domain names from a certain point - downward in the domain tree except those which are delegated to - other zones. A delegation point is marked by one or more - NS records in the - parent zone, which should be matched by equivalent NS records at - the root of the delegated zone. -

-

- For instance, consider the example.com - domain which includes names - such as host.aaa.example.com and - host.bbb.example.com even though - the example.com zone includes - only delegations for the aaa.example.com and - bbb.example.com zones. A zone can - map - exactly to a single domain, but could also include only part of a - domain, the rest of which could be delegated to other - name servers. Every name in the DNS - tree is a - domain, even if it is - terminal, that is, has no - subdomains. Every subdomain is a domain and - every domain except the root is also a subdomain. The terminology is - not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 - to - gain a complete understanding of this difficult and subtle - topic. -

-

- Though BIND is called a "domain name - server", - it deals primarily in terms of zones. The master and slave - declarations in the named.conf file - specify - zones, not domains. When you ask some other site if it is willing to - be a slave server for your domain, you are - actually asking for slave service for some collection of zones. -

-
-
-

-Authoritative Name Servers

-

- Each zone is served by at least - one authoritative name server, - which contains the complete data for the zone. - To make the DNS tolerant of server and network failures, - most zones have two or more authoritative servers, on - different networks. -

-

- Responses from authoritative servers have the "authoritative - answer" (AA) bit set in the response packets. This makes them - easy to identify when debugging DNS configurations using tools like - dig (the section called “Diagnostic Tools”). -

-
-

-The Primary Master

-

- The authoritative server where the master copy of the zone - data is maintained is called the - primary master server, or simply the - primary. Typically it loads the zone - contents from some local file edited by humans or perhaps - generated mechanically from some other local file which is - edited by humans. This file is called the - zone file or - master file. -

-

- In some cases, however, the master file may not be edited - by humans at all, but may instead be the result of - dynamic update operations. -

-
-
-

-Slave Servers

-

- The other authoritative servers, the slave - servers (also known as secondary servers) - load - the zone contents from another server using a replication process - known as a zone transfer. Typically the data - are - transferred directly from the primary master, but it is also - possible - to transfer it from another slave. In other words, a slave server - may itself act as a master to a subordinate slave server. -

-
-
-

-Stealth Servers

-

- Usually all of the zone's authoritative servers are listed in - NS records in the parent zone. These NS records constitute - a delegation of the zone from the parent. - The authoritative servers are also listed in the zone file itself, - at the top level or apex - of the zone. You can list servers in the zone's top-level NS - records that are not in the parent's NS delegation, but you cannot - list servers in the parent's delegation that are not present at - the zone's top level. -

-

- A stealth server is a server that is - authoritative for a zone but is not listed in that zone's NS - records. Stealth servers can be used for keeping a local copy of - a - zone to speed up access to the zone's records or to make sure that - the - zone is available even if all the "official" servers for the zone - are - inaccessible. -

-

- A configuration where the primary master server itself is a - stealth server is often referred to as a "hidden primary" - configuration. One use for this configuration is when the primary - master - is behind a firewall and therefore unable to communicate directly - with the outside world. -

-
-
-
-

-Caching Name Servers

-

- The resolver libraries provided by most operating systems are - stub resolvers, meaning that they are not - capable of - performing the full DNS resolution process by themselves by talking - directly to the authoritative servers. Instead, they rely on a - local - name server to perform the resolution on their behalf. Such a - server - is called a recursive name server; it performs - recursive lookups for local clients. -

-

- To improve performance, recursive servers cache the results of - the lookups they perform. Since the processes of recursion and - caching are intimately connected, the terms - recursive server and - caching server are often used synonymously. -

-

- The length of time for which a record may be retained in - the cache of a caching name server is controlled by the - Time To Live (TTL) field associated with each resource record. -

-
-

-Forwarding

-

- Even a caching name server does not necessarily perform - the complete recursive lookup itself. Instead, it can - forward some or all of the queries - that it cannot satisfy from its cache to another caching name - server, - commonly referred to as a forwarder. -

-

- There may be one or more forwarders, - and they are queried in turn until the list is exhausted or an - answer - is found. Forwarders are typically used when you do not - wish all the servers at a given site to interact directly with the - rest of - the Internet servers. A typical scenario would involve a number - of internal DNS servers and an - Internet firewall. Servers unable - to pass packets through the firewall would forward to the server - that can do it, and that server would query the Internet DNS servers - on the internal server's behalf. -

-
-
-
-

-Name Servers in Multiple Roles

-

- The BIND name server can - simultaneously act as - a master for some zones, a slave for other zones, and as a caching - (recursive) server for a set of local clients. -

-

- However, since the functions of authoritative name service - and caching/recursive name service are logically separate, it is - often advantageous to run them on separate server machines. - - A server that only provides authoritative name service - (an authoritative-only server) can run with - recursion disabled, improving reliability and security. - - A server that is not authoritative for any zones and only provides - recursive service to local - clients (a caching-only server) - does not need to be reachable from the Internet at large and can - be placed inside a firewall. -

-
-
-
- - -
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch02.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch02.html
deleted file mode 100644
index 3df4df6a8a1..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.ch02.html
+++ /dev/null
@@ -1,158 +0,0 @@
- - - - - -Chapter 2. BIND Resource Requirements - - - - - - - - -
-

-Chapter 2. BIND Resource Requirements

- -
-

-Hardware requirements

-

- DNS hardware requirements have - traditionally been quite modest. - For many installations, servers that have been pensioned off from - active duty have performed admirably as DNS servers. -

-

- The DNSSEC features of BIND 9 - may prove to be quite - CPU intensive however, so organizations that make heavy use of these - features may wish to consider larger systems for these applications. - BIND 9 is fully multithreaded, allowing - full utilization of - multiprocessor systems for installations that need it. -

-
-
-

-CPU Requirements

-

- CPU requirements for BIND 9 range from - i486-class machines - for serving of static zones without caching, to enterprise-class - machines if you intend to process many dynamic updates and DNSSEC - signed zones, serving many thousands of queries per second. -

-
-
-

-Memory Requirements

-

- The memory of the server has to be large enough to fit the - cache and zones loaded off disk. The max-cache-size - option can be used to limit the amount of memory used by the cache, - at the expense of reducing cache hit rates and causing more DNS - traffic. - Additionally, if additional section caching - (the section called “Additional Section Caching”) is enabled, - the max-acache-size option can be used to - limit the amount - of memory used by the mechanism. - It is still good practice to have enough memory to load - all zone and cache data into memory — unfortunately, the best - way - to determine this for a given installation is to watch the name server - in operation. After a few weeks the server process should reach - a relatively stable size where entries are expiring from the cache as - fast as they are being inserted. -

-
-
-

-Name Server Intensive Environment Issues

-

- For name server intensive environments, there are two alternative - configurations that may be used. The first is where clients and - any second-level internal name servers query a main name server, which - has enough memory to build a large cache. This approach minimizes - the bandwidth used by external name lookups. The second alternative - is to set up second-level internal name servers to make queries - independently. - In this configuration, none of the individual machines needs to - have as much memory or CPU power as in the first alternative, but - this has the disadvantage of making many more external queries, - as none of the name servers share their cached data. -

-
-
-

-Supported Operating Systems

-

- ISC BIND 9 compiles and runs on a large - number - of Unix-like operating system and on NT-derived versions of - Microsoft Windows such as Windows 2000 and Windows XP. For an - up-to-date - list of supported systems, see the README file in the top level - directory - of the BIND 9 source distribution. -

-
-
- - -
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch03.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch03.html
deleted file mode 100644
index c6ff6fe1d40..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.ch03.html
+++ /dev/null
@@ -1,808 +0,0 @@
- - - - - -Chapter 3. Name Server Configuration - - - - - - - - -
-

-Chapter 3. Name Server Configuration

- -

- In this section we provide some suggested configurations along - with guidelines for their use. We suggest reasonable values for - certain option settings. -

-
-

-Sample Configurations

-
-

-A Caching-only Name Server

-

- The following sample configuration is appropriate for a caching-only - name server for use by clients internal to a corporation. All - queries - from outside clients are refused using the allow-query - option. Alternatively, the same effect could be achieved using - suitable - firewall rules. -

-
-// Two corporate subnets we wish to allow queries from.
-acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
-options {
-     directory "/etc/namedb";           // Working directory
-     allow-query { corpnets; };
-};
-// Provide a reverse mapping for the loopback address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
-     type master;
-     file "localhost.rev";
-     notify no;
-};
-
-
-
-

-An Authoritative-only Name Server

-

- This sample configuration is for an authoritative-only server - that is the master server for "example.com" - and a slave for the subdomain "eng.example.com". -

-
-options {
-     directory "/etc/namedb";           // Working directory
-     allow-query-cache { none; };       // Do not allow access to cache
-     allow-query { any; };              // This is the default
-     recursion no;                      // Do not provide recursive service
-};
-
-// Provide a reverse mapping for the loopback address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
-     type master;
-     file "localhost.rev";
-     notify no;
-};
-// We are the master server for example.com
-zone "example.com" {
-     type master;
-     file "example.com.db";
-     // IP addresses of slave servers allowed to transfer example.com
-     allow-transfer {
-          192.168.4.14;
-          192.168.5.53;
-     };
-};
-// We are a slave server for eng.example.com
-zone "eng.example.com" {
-     type slave;
-     file "eng.example.com.bk";
-     // IP address of eng.example.com master server
-     masters { 192.168.4.12; };
-};
-
-
-
-
-

-Load Balancing

-

- A primitive form of load balancing can be achieved in - the DNS by using multiple records - (such as multiple A records) for one name. -

-

- For example, if you have three WWW servers with network addresses - of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the - following means that clients will connect to each machine one third - of the time: -

-
------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

- Name -

-
-

- TTL -

-
-

- CLASS -

-
-

- TYPE -

-
-

- Resource Record (RR) Data -

-
-

- www -

-
-

- 600 -

-
-

- IN -

-
-

- A -

-
-

- 10.0.0.1 -

-
-

-
-

- 600 -

-
-

- IN -

-
-

- A -

-
-

- 10.0.0.2 -

-
-

-
-

- 600 -

-
-

- IN -

-
-

- A -

-
-

- 10.0.0.3 -

-
-

- When a resolver queries for these records, BIND will rotate - them and respond to the query with the records in a different - order. In the example above, clients will randomly receive - records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients - will use the first record returned and discard the rest. -

-

- For more detail on ordering responses, check the - rrset-order substatement in the - options statement, see - RRset Ordering. -

-
-
-

-Name Server Operations

-
-

-Tools for Use With the Name Server Daemon

-

- This section describes several indispensable diagnostic, - administrative and monitoring tools available to the system - administrator for controlling and debugging the name server - daemon. -

-
-

-Diagnostic Tools

-

- The dig, host, and - nslookup programs are all command - line tools - for manually querying name servers. They differ in style and - output format. -

-
-
dig
-
-

- The domain information groper (dig) - is the most versatile and complete of these lookup tools. - It has two modes: simple interactive - mode for a single query, and batch mode which executes a - query for - each in a list of several query lines. All query options are - accessible - from the command line. -

-

dig [@server] domain [query-type] [query-class] [+query-option] [-dig-option] [%comment]

-

- The usual simple use of dig will take the form -

-

- dig @server domain query-type query-class -

-

- For more information and a list of available commands and - options, see the dig man - page. -

-
-
host
-
-

- The host utility emphasizes - simplicity - and ease of use. By default, it converts - between host names and Internet addresses, but its - functionality - can be extended with the use of options. -

-

host [-aCdlnrsTwv] [-c class] [-N ndots] [-t type] [-W timeout] [-R retries] [-m flag] [-4] [-6] hostname [server]

-

- For more information and a list of available commands and - options, see the host man - page. -

-
-
nslookup
-
-

nslookup - has two modes: interactive and - non-interactive. Interactive mode allows the user to - query name servers for information about various - hosts and domains or to print a list of hosts in a - domain. Non-interactive mode is used to print just - the name and requested information for a host or - domain. -

-

nslookup [-option...] [[host-to-find] | [- [server]]]

-

- Interactive mode is entered when no arguments are given (the - default name server will be used) or when the first argument - is a - hyphen (`-') and the second argument is the host name or - Internet address - of a name server. -

-

- Non-interactive mode is used when the name or Internet - address - of the host to be looked up is given as the first argument. - The - optional second argument specifies the host name or address - of a name server. -

-

- Due to its arcane user interface and frequently inconsistent - behavior, we do not recommend the use of nslookup. - Use dig instead. -

-
-
-
-
-

-Administrative Tools

-

- Administrative tools play an integral part in the management - of a server. -

-
-
-named-checkconf -
-
-

- The named-checkconf program - checks the syntax of a named.conf file. -

-

named-checkconf [-jvz] [-t directory] [filename]

-
-
-named-checkzone -
-
-

- The named-checkzone program - checks a master file for - syntax and consistency. -

-

named-checkzone [-djqvD] [-c class] [-o output] [-t directory] [-w directory] [-k (ignore|warn|fail)] [-n (ignore|warn|fail)] [-W (ignore|warn)] zone [filename]

-
-
-named-compilezone -
-

- Similar to named-checkzone, but - it always dumps the zone content to a specified file - (typically in a different format). -

-
-rndc -
-
-

- The remote name daemon control - (rndc) program allows the - system - administrator to control the operation of a name server. - Since BIND 9.2, rndc - supports all the commands of the BIND 8 ndc - utility except ndc start and - ndc restart, which were also - not supported in ndc's - channel mode. - If you run rndc without any - options - it will display a usage message as follows: -

-

rndc [-c config] [-s server] [-p port] [-y key] command [command...]

-

The command - is one of the following: -

-
-
reload
-

- Reload configuration file and zones. -

-
reload zone - [class - [view]]
-

- Reload the given zone. -

-
refresh zone - [class - [view]]
-

- Schedule zone maintenance for the given zone. -

-
retransfer zone - - [class - [view]]
-

- Retransfer the given zone from the master. -

-
freeze - [zone - [class - [view]]]
-

- Suspend updates to a dynamic zone. If no zone is - specified, - then all zones are suspended. This allows manual - edits to be made to a zone normally updated by dynamic - update. It - also causes changes in the journal file to be synced - into the master - and the journal file to be removed. All dynamic - update attempts will - be refused while the zone is frozen. -

-
thaw - [zone - [class - [view]]]
-

- Enable updates to a frozen dynamic zone. If no zone - is - specified, then all frozen zones are enabled. This - causes - the server to reload the zone from disk, and - re-enables dynamic updates - after the load has completed. After a zone is thawed, - dynamic updates - will no longer be refused. -

-
notify zone - [class - [view]]
-

- Resend NOTIFY messages for the zone. -

-
reconfig
-

- Reload the configuration file and load new zones, - but do not reload existing zone files even if they - have changed. - This is faster than a full reload when there - is a large number of zones because it avoids the need - to examine the - modification times of the zones files. -

-
stats
-

- Write server statistics to the statistics file. -

-
querylog
-

- Toggle query logging. Query logging can also be enabled - by explicitly directing the queries - category to a - channel in the - logging section of - named.conf or by specifying - querylog yes; in the - options section of - named.conf. -

-
dumpdb - [-all|-cache|-zone] - [view ...]
-

- Dump the server's caches (default) and/or zones to - the - dump file for the specified views. If no view is - specified, all - views are dumped. -

-
stop [-p]
-

- Stop the server, making sure any recent changes - made through dynamic update or IXFR are first saved to - the master files of the updated zones. - If -p is specified named's process id is returned. - This allows an external process to determine when named - had completed stopping. -

-
halt [-p]
-

- Stop the server immediately. Recent changes - made through dynamic update or IXFR are not saved to - the master files, but will be rolled forward from the - journal files when the server is restarted. - If -p is specified named's process id is returned. - This allows an external process to determine when named - had completed halting. -

-
trace
-

- Increment the servers debugging level by one. -

-
trace level
-

- Sets the server's debugging level to an explicit - value. -

-
notrace
-

- Sets the server's debugging level to 0. -

-
flush
-

- Flushes the server's cache. -

-
flushname name
-

- Flushes the given name from the server's cache. -

-
status
-

- Display status of the server. - Note that the number of zones includes the internal bind/CH zone - and the default ./IN - hint zone if there is not an - explicit root zone configured. -

-
recursing
-

- Dump the list of queries named is currently recursing - on. -

-
-

- A configuration file is required, since all - communication with the server is authenticated with - digital signatures that rely on a shared secret, and - there is no way to provide that secret other than with a - configuration file. The default location for the - rndc configuration file is - /etc/rndc.conf, but an - alternate - location can be specified with the -c - option. If the configuration file is not found, - rndc will also look in - /etc/rndc.key (or whatever - sysconfdir was defined when - the BIND build was - configured). - The rndc.key file is - generated by - running rndc-confgen -a as - described in - the section called “controls Statement Definition and - Usage”. -

-

- The format of the configuration file is similar to - that of named.conf, but - limited to - only four statements, the options, - key, server and - include - statements. These statements are what associate the - secret keys to the servers with which they are meant to - be shared. The order of statements is not - significant. -

-

- The options statement has - three clauses: - default-server, default-key, - and default-port. - default-server takes a - host name or address argument and represents the server - that will - be contacted if no -s - option is provided on the command line. - default-key takes - the name of a key as its argument, as defined by a key statement. - default-port specifies the - port to which - rndc should connect if no - port is given on the command line or in a - server statement. -

-

- The key statement defines a - key to be used - by rndc when authenticating - with - named. Its syntax is - identical to the - key statement in named.conf. - The keyword key is - followed by a key name, which must be a valid - domain name, though it need not actually be hierarchical; - thus, - a string like "rndc_key" is a valid - name. - The key statement has two - clauses: - algorithm and secret. - While the configuration parser will accept any string as the - argument - to algorithm, currently only the string "hmac-md5" - has any meaning. The secret is a base-64 encoded string - as specified in RFC 3548. -

-

- The server statement - associates a key - defined using the key - statement with a server. - The keyword server is followed by a - host name or address. The server statement - has two clauses: key and port. - The key clause specifies the - name of the key - to be used when communicating with this server, and the - port clause can be used to - specify the port rndc should - connect - to on the server. -

-

- A sample minimal configuration file is as follows: -

-
-key rndc_key {
-     algorithm "hmac-md5";
-     secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
-};
-options {
-     default-server 127.0.0.1;
-     default-key    rndc_key;
-};
-
-

- This file, if installed as /etc/rndc.conf, - would allow the command: -

-

- $ rndc reload -

-

- to connect to 127.0.0.1 port 953 and cause the name server - to reload, if a name server on the local machine were - running with - following controls statements: -

-
-controls {
-        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
-};
-
-

- and it had an identical key statement for - rndc_key. -

-

- Running the rndc-confgen - program will - conveniently create a rndc.conf - file for you, and also display the - corresponding controls - statement that you need to - add to named.conf. - Alternatively, - you can run rndc-confgen -a - to set up - a rndc.key file and not - modify - named.conf at all. -

-
-
-
-
-
-

-Signals

-

- Certain UNIX signals cause the name server to take specific - actions, as described in the following table. These signals can - be sent using the kill command. -

-
---- - - - - - - - - - - - - - - -
-

SIGHUP

-
-

- Causes the server to read named.conf and - reload the database. -

-
-

SIGTERM

-
-

- Causes the server to clean up and exit. -

-
-

SIGINT

-
-

- Causes the server to clean up and exit. -

-
-
-
-
- - -
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch04.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch04.html
deleted file mode 100644
index d938fca6a71..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.ch04.html
+++ /dev/null
@@ -1,1028 +0,0 @@
- - - - - -Chapter 4. Advanced DNS Features - - - - - - - - -
-

-Chapter 4. Advanced DNS Features

- -
-

-Notify

-

- DNS NOTIFY is a mechanism that allows master - servers to notify their slave servers of changes to a zone's data. In - response to a NOTIFY from a master server, the - slave will check to see that its version of the zone is the - current version and, if not, initiate a zone transfer. -

-

- For more information about DNS - NOTIFY, see the description of the - notify option in the section called “Boolean Options” and - the description of the zone option also-notify in - the section called “Zone Transfers”. The NOTIFY - protocol is specified in RFC 1996. -

-
-

Note

- As a slave zone can also be a master to other slaves, named, - by default, sends NOTIFY messages for every zone - it loads. Specifying notify master-only; will - cause named to only send NOTIFY for master - zones that it loads. -
-
-
-

-Dynamic Update

-

- Dynamic Update is a method for adding, replacing or deleting - records in a master server by sending it a special form of DNS - messages. The format and meaning of these messages is specified - in RFC 2136. -

-

- Dynamic update is enabled by - including an allow-update or - update-policy clause in the - zone statement. -

-

- Updating of secure zones (zones using DNSSEC) follows - RFC 3007: RRSIG and NSEC records affected by updates are automatically - regenerated by the server using an online zone key. - Update authorization is based - on transaction signatures and an explicit server policy. -

-
-

-The journal file

-

- All changes made to a zone using dynamic update are stored - in the zone's journal file. This file is automatically created - by the server when the first dynamic update takes place. - The name of the journal file is formed by appending the extension - .jnl to the name of the - corresponding zone - file unless specifically overridden. The journal file is in a - binary format and should not be edited manually. -

-

- The server will also occasionally write ("dump") - the complete contents of the updated zone to its zone file. - This is not done immediately after - each dynamic update, because that would be too slow when a large - zone is updated frequently. Instead, the dump is delayed by - up to 15 minutes, allowing additional updates to take place. -

-

- When a server is restarted after a shutdown or crash, it will replay - the journal file to incorporate into the zone any updates that - took - place after the last zone dump. -

-

- Changes that result from incoming incremental zone transfers are - also - journalled in a similar way. -

-

- The zone files of dynamic zones cannot normally be edited by - hand because they are not guaranteed to contain the most recent - dynamic changes — those are only in the journal file. - The only way to ensure that the zone file of a dynamic zone - is up to date is to run rndc stop. -

-

- If you have to make changes to a dynamic zone - manually, the following procedure will work: Disable dynamic updates - to the zone using - rndc freeze zone. - This will also remove the zone's .jnl file - and update the master file. Edit the zone file. Run - rndc thaw zone - to reload the changed zone and re-enable dynamic updates. -

-
-
-
-

-Incremental Zone Transfers (IXFR)

-

- The incremental zone transfer (IXFR) protocol is a way for - slave servers to transfer only changed data, instead of having to - transfer the entire zone. The IXFR protocol is specified in RFC - 1995. See Proposed Standards. -

-

- When acting as a master, BIND 9 - supports IXFR for those zones - where the necessary change history information is available. These - include master zones maintained by dynamic update and slave zones - whose data was obtained by IXFR. For manually maintained master - zones, and for slave zones obtained by performing a full zone - transfer (AXFR), IXFR is supported only if the option - ixfr-from-differences is set - to yes. -

-

- When acting as a slave, BIND 9 will - attempt to use IXFR unless - it is explicitly disabled. For more information about disabling - IXFR, see the description of the request-ixfr clause - of the server statement. -

-
-
-

-Split DNS

-

- Setting up different views, or visibility, of the DNS space to - internal and external resolvers is usually referred to as a - Split DNS setup. There are several - reasons an organization would want to set up its DNS this way. -

-

- One common reason for setting up a DNS system this way is - to hide "internal" DNS information from "external" clients on the - Internet. There is some debate as to whether or not this is actually - useful. - Internal DNS information leaks out in many ways (via email headers, - for example) and most savvy "attackers" can find the information - they need using other means. - However, since listing addresses of internal servers that - external clients cannot possibly reach can result in - connection delays and other annoyances, an organization may - choose to use a Split DNS to present a consistent view of itself - to the outside world. -

-

- Another common reason for setting up a Split DNS system is - to allow internal networks that are behind filters or in RFC 1918 - space (reserved IP space, as documented in RFC 1918) to resolve DNS - on the Internet. Split DNS can also be used to allow mail from outside - back in to the internal network. -

-
-

-Example split DNS setup

-

- Let's say a company named Example, Inc. - (example.com) - has several corporate sites that have an internal network with - reserved - Internet Protocol (IP) space and an external demilitarized zone (DMZ), - or "outside" section of a network, that is available to the public. -

-

- Example, Inc. wants its internal clients - to be able to resolve external hostnames and to exchange mail with - people on the outside. The company also wants its internal resolvers - to have access to certain internal-only zones that are not available - at all outside of the internal network. -

-

- In order to accomplish this, the company will set up two sets - of name servers. One set will be on the inside network (in the - reserved - IP space) and the other set will be on bastion hosts, which are - "proxy" - hosts that can talk to both sides of its network, in the DMZ. -

-

- The internal servers will be configured to forward all queries, - except queries for site1.internal, site2.internal, site1.example.com, - and site2.example.com, to the servers - in the - DMZ. These internal servers will have complete sets of information - for site1.example.com, site2.example.com, site1.internal, - and site2.internal. -

-

- To protect the site1.internal and site2.internal domains, - the internal name servers must be configured to disallow all queries - to these domains from any external hosts, including the bastion - hosts. -

-

- The external servers, which are on the bastion hosts, will - be configured to serve the "public" version of the site1 and site2.example.com zones. - This could include things such as the host records for public servers - (www.example.com and ftp.example.com), - and mail exchange (MX) records (a.mx.example.com and b.mx.example.com). -

-

- In addition, the public site1 and site2.example.com zones - should have special MX records that contain wildcard (`*') records - pointing to the bastion hosts. This is needed because external mail - servers do not have any other way of looking up how to deliver mail - to those internal hosts. With the wildcard records, the mail will - be delivered to the bastion host, which can then forward it on to - internal hosts. -

-

- Here's an example of a wildcard MX record: -

-
*   IN MX 10 external1.example.com.
-

- Now that they accept mail on behalf of anything in the internal - network, the bastion hosts will need to know how to deliver mail - to internal hosts. In order for this to work properly, the resolvers - on - the bastion hosts will need to be configured to point to the internal - name servers for DNS resolution. -

-

- Queries for internal hostnames will be answered by the internal - servers, and queries for external hostnames will be forwarded back - out to the DNS servers on the bastion hosts. -

-

- In order for all this to work properly, internal clients will - need to be configured to query only the internal - name servers for DNS queries. This could also be enforced via - selective - filtering on the network. -

-

- If everything has been set properly, Example, Inc.'s - internal clients will now be able to: -

-
    -
  • - Look up any hostnames in the site1 - and - site2.example.com zones. -
  • -
  • - Look up any hostnames in the site1.internal and - site2.internal domains. -
  • -
  • Look up any hostnames on the Internet.
  • -
  • Exchange mail with both internal and external people.
  • -
-

- Hosts on the Internet will be able to: -

-
    -
  • - Look up any hostnames in the site1 - and - site2.example.com zones. -
  • -
  • - Exchange mail with anyone in the site1 and - site2.example.com zones. -
  • -
-

- Here is an example configuration for the setup we just - described above. Note that this is only configuration information; - for information on how to configure your zone files, see the section called “Sample Configurations”. -

-

- Internal DNS server config: -

-
-
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { bastion-ips-go-here; };
-
-options {
-    ...
-    ...
-    forward only;
-    forwarders {                                // forward to external servers
-        bastion-ips-go-here;
-    };
-    allow-transfer { none; };                   // sample allow-transfer (no one)
-    allow-query { internals; externals; };      // restrict query access
-    allow-recursion { internals; };             // restrict recursion
-    ...
-    ...
-};
-
-zone "site1.example.com" {                      // sample master zone
-  type master;
-  file "m/site1.example.com";
-  forwarders { };                               // do normal iterative
-                                                // resolution (do not forward)
-  allow-query { internals; externals; };
-  allow-transfer { internals; };
-};
-
-zone "site2.example.com" {                      // sample slave zone
-  type slave;
-  file "s/site2.example.com";
-  masters { 172.16.72.3; };
-  forwarders { };
-  allow-query { internals; externals; };
-  allow-transfer { internals; };
-};
-
-zone "site1.internal" {
-  type master;
-  file "m/site1.internal";
-  forwarders { };
-  allow-query { internals; };
-  allow-transfer { internals; }
-};
-
-zone "site2.internal" {
-  type slave;
-  file "s/site2.internal";
-  masters { 172.16.72.3; };
-  forwarders { };
-  allow-query { internals };
-  allow-transfer { internals; }
-};
-
-

- External (bastion host) DNS server config: -

-
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { bastion-ips-go-here; };
-
-options {
-  ...
-  ...
-  allow-transfer { none; };                     // sample allow-transfer (no one)
-  allow-query { any; };                         // default query access
-  allow-query-cache { internals; externals; };  // restrict cache access
-  allow-recursion { internals; externals; };    // restrict recursion
-  ...
-  ...
-};
-
-zone "site1.example.com" {                      // sample slave zone
-  type master;
-  file "m/site1.foo.com";
-  allow-transfer { internals; externals; };
-};
-
-zone "site2.example.com" {
-  type slave;
-  file "s/site2.foo.com";
-  masters { another_bastion_host_maybe; };
-  allow-transfer { internals; externals; }
-};
-
-

- In the resolv.conf (or equivalent) on - the bastion host(s): -

-
-search ...
-nameserver 172.16.72.2
-nameserver 172.16.72.3
-nameserver 172.16.72.4
-
-
-
-
-

-TSIG

-

- This is a short guide to setting up Transaction SIGnatures - (TSIG) based transaction security in BIND. It describes changes - to the configuration file as well as what changes are required for - different features, including the process of creating transaction - keys and using transaction signatures with BIND. -

-

- BIND primarily supports TSIG for server - to server communication. - This includes zone transfer, notify, and recursive query messages. - Resolvers based on newer versions of BIND 8 have limited support - for TSIG. -

-

- TSIG can also be useful for dynamic update. A primary - server for a dynamic zone should control access to the dynamic - update service, but IP-based access control is insufficient. - The cryptographic access control provided by TSIG - is far superior. The nsupdate - program supports TSIG via the -k and - -y command line options or inline by use - of the key. -

-
-

-Generate Shared Keys for Each Pair of Hosts

-

- A shared secret is generated to be shared between host1 and host2. - An arbitrary key name is chosen: "host1-host2.". The key name must - be the same on both hosts. -

-
-

-Automatic Generation

-

- The following command will generate a 128-bit (16 byte) HMAC-MD5 - key as described above. Longer keys are better, but shorter keys - are easier to read. Note that the maximum key length is 512 bits; - keys longer than that will be digested with MD5 to produce a - 128-bit key. -

-

- dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2. -

-

- The key is in the file Khost1-host2.+157+00000.private. - Nothing directly uses this file, but the base-64 encoded string - following "Key:" - can be extracted from the file and used as a shared secret: -

-
Key: La/E5CjG9O+os1jq0a2jdA==
-

- The string "La/E5CjG9O+os1jq0a2jdA==" can - be used as the shared secret. -

-
-
-

-Manual Generation

-

- The shared secret is simply a random sequence of bits, encoded - in base-64. Most ASCII strings are valid base-64 strings (assuming - the length is a multiple of 4 and only valid characters are used), - so the shared secret can be manually generated. -

-

- Also, a known string can be run through mmencode or - a similar program to generate base-64 encoded data. -

-
-
-
-

-Copying the Shared Secret to Both Machines

-

- This is beyond the scope of DNS. A secure transport mechanism - should be used. This could be secure FTP, ssh, telephone, etc. -

-
-
-

-Informing the Servers of the Key's Existence

-

- Imagine host1 and host 2 - are - both servers. The following is added to each server's named.conf file: -

-
-key host1-host2. {
-  algorithm hmac-md5;
-  secret "La/E5CjG9O+os1jq0a2jdA==";
-};
-
-

- The algorithm, hmac-md5, is the only one supported by BIND. - The secret is the one generated above. Since this is a secret, it - is recommended that either named.conf be non-world - readable, or the key directive be added to a non-world readable - file that is included by - named.conf. -

-

- At this point, the key is recognized. This means that if the - server receives a message signed by this key, it can verify the - signature. If the signature is successfully verified, the - response is signed by the same key. -

-
-
-

-Instructing the Server to Use the Key

-

- Since keys are shared between two hosts only, the server must - be told when keys are to be used. The following is added to the named.conf file - for host1, if the IP address of host2 is - 10.1.2.3: -

-
-server 10.1.2.3 {
-  keys { host1-host2. ;};
-};
-
-

- Multiple keys may be present, but only the first is used. - This directive does not contain any secrets, so it may be in a - world-readable - file. -

-

- If host1 sends a message that is a request - to that address, the message will be signed with the specified key. host1 will - expect any responses to signed messages to be signed with the same - key. -

-

- A similar statement must be present in host2's - configuration file (with host1's address) for host2 to - sign request messages to host1. -

-
-
-

-TSIG Key Based Access Control

-

- BIND allows IP addresses and ranges - to be specified in ACL - definitions and - allow-{ query | transfer | update } - directives. - This has been extended to allow TSIG keys also. The above key would - be denoted key host1-host2. -

-

- An example of an allow-update directive would be: -

-
-allow-update { key host1-host2. ;};
-
-

- This allows dynamic updates to succeed only if the request - was signed by a key named - "host1-host2.". -

-

- You may want to read about the more - powerful update-policy statement in the section called “Dynamic Update Policies”. -

-
-
-

-Errors

-

- The processing of TSIG signed messages can result in - several errors. If a signed message is sent to a non-TSIG aware - server, a FORMERR (format error) will be returned, since the server will not - understand the record. This is a result of misconfiguration, - since the server must be explicitly configured to send a TSIG - signed message to a specific server. -

-

- If a TSIG aware server receives a message signed by an - unknown key, the response will be unsigned with the TSIG - extended error code set to BADKEY. If a TSIG aware server - receives a message with a signature that does not validate, the - response will be unsigned with the TSIG extended error code set - to BADSIG. If a TSIG aware server receives a message with a time - outside of the allowed range, the response will be signed with - the TSIG extended error code set to BADTIME, and the time values - will be adjusted so that the response can be successfully - verified. In any of these cases, the message's rcode (response code) is set to - NOTAUTH (not authenticated). -

-
-
-
-

-TKEY

-

TKEY - is a mechanism for automatically generating a shared secret - between two hosts. There are several "modes" of - TKEY that specify how the key is generated - or assigned. BIND 9 implements only one of - these modes, the Diffie-Hellman key exchange. Both hosts are - required to have a Diffie-Hellman KEY record (although this - record is not required to be present in a zone). The - TKEY process must use signed messages, - signed either by TSIG or SIG(0). The result of - TKEY is a shared secret that can be used to - sign messages with TSIG. TKEY can also be - used to delete shared secrets that it had previously - generated. -

-

- The TKEY process is initiated by a - client - or server by sending a signed TKEY - query - (including any appropriate KEYs) to a TKEY-aware server. The - server response, if it indicates success, will contain a - TKEY record and any appropriate keys. - After - this exchange, both participants have enough information to - determine the shared secret; the exact process depends on the - TKEY mode. When using the - Diffie-Hellman - TKEY mode, Diffie-Hellman keys are - exchanged, - and the shared secret is derived by both participants. -

-
-
-

-SIG(0)

-

- BIND 9 partially supports DNSSEC SIG(0) - transaction signatures as specified in RFC 2535 and RFC2931. - SIG(0) - uses public/private keys to authenticate messages. Access control - is performed in the same manner as TSIG keys; privileges can be - granted or denied based on the key name. -

-

- When a SIG(0) signed message is received, it will only be - verified if the key is known and trusted by the server; the server - will not attempt to locate and/or validate the key. -

-

- SIG(0) signing of multiple-message TCP streams is not - supported. -

-

- The only tool shipped with BIND 9 that - generates SIG(0) signed messages is nsupdate. -

-
-
-

-DNSSEC

-

- Cryptographic authentication of DNS information is possible - through the DNS Security (DNSSEC-bis) extensions, - defined in RFC 4033, RFC 4034, and RFC 4035. - This section describes the creation and use of DNSSEC signed zones. -

-

- In order to set up a DNSSEC secure zone, there are a series - of steps which must be followed. BIND - 9 ships - with several tools - that are used in this process, which are explained in more detail - below. In all cases, the -h option prints a - full list of parameters. Note that the DNSSEC tools require the - keyset files to be in the working directory or the - directory specified by the -d option, and - that the tools shipped with BIND 9.2.x and earlier are not compatible - with the current ones. -

-

- There must also be communication with the administrators of - the parent and/or child zone to transmit keys. A zone's security - status must be indicated by the parent zone for a DNSSEC capable - resolver to trust its data. This is done through the presence - or absence of a DS record at the - delegation - point. -

-

- For other servers to trust data in this zone, they must - either be statically configured with this zone's zone key or the - zone key of another zone above this one in the DNS tree. -

-
-

-Generating Keys

-

- The dnssec-keygen program is used to - generate keys. -

-

- A secure zone must contain one or more zone keys. The - zone keys will sign all other records in the zone, as well as - the zone keys of any secure delegated zones. Zone keys must - have the same name as the zone, a name type of - ZONE, and must be usable for - authentication. - It is recommended that zone keys use a cryptographic algorithm - designated as "mandatory to implement" by the IETF; currently - the only one is RSASHA1. -

-

- The following command will generate a 768-bit RSASHA1 key for - the child.example zone: -

-

- dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example. -

-

- Two output files will be produced: - Kchild.example.+005+12345.key and - Kchild.example.+005+12345.private - (where - 12345 is an example of a key tag). The key filenames contain - the key name (child.example.), - algorithm (3 - is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in - this case). - The private key (in the .private - file) is - used to generate signatures, and the public key (in the - .key file) is used for signature - verification. -

-

- To generate another key with the same properties (but with - a different key tag), repeat the above command. -

-

- The public keys should be inserted into the zone file by - including the .key files using - $INCLUDE statements. -

-
-
-

-Signing the Zone

-

- The dnssec-signzone program is used - to - sign a zone. -

-

- Any keyset files corresponding - to secure subzones should be present. The zone signer will - generate NSEC and RRSIG - records for the zone, as well as DS - for - the child zones if '-d' is specified. - If '-d' is not specified, then - DS RRsets for - the secure child zones need to be added manually. -

-

- The following command signs the zone, assuming it is in a - file called zone.child.example. By - default, all zone keys which have an available private key are - used to generate signatures. -

-

- dnssec-signzone -o child.example zone.child.example -

-

- One output file is produced: - zone.child.example.signed. This - file - should be referenced by named.conf - as the - input file for the zone. -

-

dnssec-signzone - will also produce a keyset and dsset files and optionally a - dlvset file. These are used to provide the parent zone - administrators with the DNSKEYs (or their - corresponding DS records) that are the - secure entry point to the zone. -

-
-
-

-Configuring Servers

-

- To enable named to respond appropriately - to DNS requests from DNSSEC aware clients, - dnssec-enable must be set to yes. -

-

- To enable named to validate answers from - other servers both dnssec-enable and - dnssec-validation must be set and some - trusted-keys must be configured - into named.conf. -

-

- trusted-keys are copies of DNSKEY RRs - for zones that are used to form the first link in the - cryptographic chain of trust. All keys listed in - trusted-keys (and corresponding zones) - are deemed to exist and only the listed keys will be used - to validated the DNSKEY RRset that they are from. -

-

- trusted-keys are described in more detail - later in this document. -

-

- Unlike BIND 8, BIND - 9 does not verify signatures on load, so zone keys for - authoritative zones do not need to be specified in the - configuration file. -

-

- After DNSSEC gets established, a typical DNSSEC configuration - will look something like the following. It has a one or - more public keys for the root. This allows answers from - outside the organization to be validated. It will also - have several keys for parts of the namespace the organization - controls. These are here to ensure that named is immune - to compromises in the DNSSEC components of the security - of parent zones. -

-
-trusted-keys {
-
-        /* Root Key */
-"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
-             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
-             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
-             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
-             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
-             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
-             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
-
-/* Key for our organization's forward zone */
-example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
-                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
-                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
-                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
-                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
-                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
-                      SCThlHf3xiYleDbt/o1OTQ09A0=";
-
-/* Key for our reverse zone. */
-2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
-                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
-                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
-                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
-                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
-                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
-                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
-                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
-};
-
-options {
-        ...
-        dnssec-enable yes;
-        dnssec-validation yes;
-};
-
-
-

Note

- None of the keys listed in this example are valid. In particular, - the root key is not valid. -
-
-
-
-

-IPv6 Support in BIND 9

-

- BIND 9 fully supports all currently - defined forms of IPv6 - name to address and address to name lookups. It will also use - IPv6 addresses to make queries when running on an IPv6 capable - system. -

-

- For forward lookups, BIND 9 supports - only AAAA records. RFC 3363 deprecated the use of A6 records, - and client-side support for A6 records was accordingly removed - from BIND 9. - However, authoritative BIND 9 name servers still - load zone files containing A6 records correctly, answer queries - for A6 records, and accept zone transfer for a zone containing A6 - records. -

-

- For IPv6 reverse lookups, BIND 9 supports - the traditional "nibble" format used in the - ip6.arpa domain, as well as the older, deprecated - ip6.int domain. - Older versions of BIND 9 - supported the "binary label" (also known as "bitstring") format, - but support of binary labels has been completely removed per - RFC 3363. - Many applications in BIND 9 do not understand - the binary label format at all any more, and will return an - error if given. - In particular, an authoritative BIND 9 - name server will not load a zone file containing binary labels. -

-

- For an overview of the format and structure of IPv6 addresses, - see the section called “IPv6 addresses (AAAA)”. -

-
-

-Address Lookups Using AAAA Records

-

- The IPv6 AAAA record is a parallel to the IPv4 A record, - and, unlike the deprecated A6 record, specifies the entire - IPv6 address in a single record. For example, -

-
-$ORIGIN example.com.
-host            3600    IN      AAAA    2001:db8::1
-
-

- Use of IPv4-in-IPv6 mapped addresses is not recommended. - If a host has an IPv4 address, use an A record, not - a AAAA, with ::ffff:192.168.42.1 as - the address. -

-
-
-

-Address to Name Lookups Using Nibble Format

-

- When looking up an address in nibble format, the address - components are simply reversed, just as in IPv4, and - ip6.arpa. is appended to the - resulting name. - For example, the following would provide reverse name lookup for - a host with address - 2001:db8::1. -

-
-$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   14400 IN      PTR     host.example.com.
-
-
-
-
- - -
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch05.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch05.html
deleted file mode 100644
index cecaaf5997d..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.ch05.html
+++ /dev/null
@@ -1,143 +0,0 @@
- - - - - -Chapter 5. The BIND 9 Lightweight Resolver - - - - - - - - -
-

-Chapter 5. The BIND 9 Lightweight Resolver

- -
-

-The Lightweight Resolver Library

-

- Traditionally applications have been linked with a stub resolver - library that sends recursive DNS queries to a local caching name - server. -

-

- IPv6 once introduced new complexity into the resolution process, - such as following A6 chains and DNAME records, and simultaneous - lookup of IPv4 and IPv6 addresses. Though most of the complexity was - then removed, these are hard or impossible - to implement in a traditional stub resolver. -

-

- BIND 9 therefore can also provide resolution - services to local clients - using a combination of a lightweight resolver library and a resolver - daemon process running on the local host. These communicate using - a simple UDP-based protocol, the "lightweight resolver protocol" - that is distinct from and simpler than the full DNS protocol. -

-
-
-

-Running a Resolver Daemon

-

- To use the lightweight resolver interface, the system must - run the resolver daemon lwresd or a - local - name server configured with a lwres - statement. -

-

- By default, applications using the lightweight resolver library will - make - UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. - The - address can be overridden by lwserver - lines in - /etc/resolv.conf. -

-

- The daemon currently only looks in the DNS, but in the future - it may use other sources such as /etc/hosts, - NIS, etc. -

-

- The lwresd daemon is essentially a - caching-only name server that responds to requests using the - lightweight - resolver protocol rather than the DNS protocol. Because it needs - to run on each host, it is designed to require no or minimal - configuration. - Unless configured otherwise, it uses the name servers listed on - nameserver lines in /etc/resolv.conf - as forwarders, but is also capable of doing the resolution - autonomously if - none are specified. -

-

- The lwresd daemon may also be - configured with a - named.conf style configuration file, - in - /etc/lwresd.conf by default. A name - server may also - be configured to act as a lightweight resolver daemon using the - lwres statement in named.conf. -

-
-
- - -
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch06.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch06.html
deleted file mode 100644
index 65f71cd5083..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.ch06.html
+++ /dev/null
@@ -1,7122 +0,0 @@
- - - - - -Chapter 6. BIND 9 Configuration Reference - - - - - - - - -
-

-Chapter 6. BIND 9 Configuration Reference

- -

- BIND 9 configuration is broadly similar - to BIND 8; however, there are a few new - areas - of configuration, such as views. BIND - 8 configuration files should work with few alterations in BIND - 9, although more complex configurations should be reviewed to check - if they can be more efficiently implemented using the new features - found in BIND 9. -

-

- BIND 4 configuration files can be - converted to the new format - using the shell script - contrib/named-bootconf/named-bootconf.sh. -

-
-

-Configuration File Elements

-

- Following is a list of elements used throughout the BIND configuration - file documentation: -

-
---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

- acl_name -

-
-

- The name of an address_match_list as - defined by the acl statement. -

-
-

- address_match_list -

-
-

- A list of one or more - ip_addr, - ip_prefix, key_id, - or acl_name elements, see - the section called “Address Match Lists”. -

-
-

- masters_list -

-
-

- A named list of one or more ip_addr - with optional key_id and/or - ip_port. - A masters_list may include other - masters_lists. -

-
-

- domain_name -

-
-

- A quoted string which will be used as - a DNS name, for example "my.test.domain". -

-
-

- dotted_decimal -

-
-

- One to four integers valued 0 through - 255 separated by dots (`.'), such as 123, - 45.67 or 89.123.45.67. -

-
-

- ip4_addr -

-
-

- An IPv4 address with exactly four elements - in dotted_decimal notation. -

-
-

- ip6_addr -

-
-

- An IPv6 address, such as 2001:db8::1234. - IPv6 scoped addresses that have ambiguity on their scope - zones must be - disambiguated by an appropriate zone ID with the percent - character - (`%') as delimiter. - It is strongly recommended to use string zone names rather - than - numeric identifiers, in order to be robust against system - configuration changes. - However, since there is no standard mapping for such names - and - identifier values, currently only interface names as link - identifiers - are supported, assuming one-to-one mapping between - interfaces and links. - For example, a link-local address fe80::1 on the - link attached to the interface ne0 - can be specified as fe80::1%ne0. - Note that on most systems link-local addresses always have - the - ambiguity, and need to be disambiguated. -

-
-

- ip_addr -

-
-

- An ip4_addr or ip6_addr. -

-
-

- ip_port -

-
-

- An IP port number. - The number is limited to 0 - through 65535, with values - below 1024 typically restricted to use by processes running - as root. - In some cases, an asterisk (`*') character can be used as a - placeholder to - select a random high-numbered port. -

-
-

- ip_prefix -

-
-

- An IP network specified as an ip_addr, - followed by a slash (`/') and then the number of bits in the - netmask. - Trailing zeros in a ip_addr - may omitted. - For example, 127/8 is the - network 127.0.0.0 with - netmask 255.0.0.0 and 1.2.3.0/28 is - network 1.2.3.0 with netmask 255.255.255.240. -

-
-

- key_id -

-
-

- A domain_name representing - the name of a shared key, to be used for transaction - security. -

-
-

- key_list -

-
-

- A list of one or more - key_ids, - separated by semicolons and ending with a semicolon. -

-
-

- number -

-
-

- A non-negative 32-bit integer - (i.e., a number between 0 and 4294967295, inclusive). - Its acceptable value might further - be limited by the context in which it is used. -

-
-

- path_name -

-
-

- A quoted string which will be used as - a pathname, such as zones/master/my.test.domain. -

-
-

- size_spec -

-
-

- A number, the word unlimited, - or the word default. -

-

- An unlimited size_spec requests unlimited - use, or the maximum available amount. A default size_spec uses - the limit that was in force when the server was started. -

-

- A number can optionally be - followed by a scaling factor: - K or k - for kilobytes, - M or m - for megabytes, and - G or g for gigabytes, - which scale by 1024, 1024*1024, and 1024*1024*1024 - respectively. -

-

- The value must be representable as a 64-bit unsigned integer - (0 to 18446744073709551615, inclusive). - Using unlimited is the best - way - to safely set a really large number. -

-
-

- yes_or_no -

-
-

- Either yes or no. - The words true and false are - also accepted, as are the numbers 1 - and 0. -

-
-

- dialup_option -

-
-

- One of yes, - no, notify, - notify-passive, refresh or - passive. - When used in a zone, notify-passive, - refresh, and passive - are restricted to slave and stub zones. -

-
-
-

-Address Match Lists

-
-

-Syntax

-
address_match_list = address_match_list_element ;
-  [ address_match_list_element; ... ]
-address_match_list_element = [ ! ] (ip_address [/length] |
-   key key_id | acl_name | { address_match_list } )
-
-
-
-

-Definition and Usage

-

- Address match lists are primarily used to determine access - control for various server operations. They are also used in - the listen-on and sortlist - statements. The elements - which constitute an address match list can be any of the - following: -

-
    -
  • an IP address (IPv4 or IPv6)
  • -
  • an IP prefix (in `/' notation)
  • -
  • - a key ID, as defined by the key - statement -
  • -
  • the name of an address match list defined with - the acl statement -
  • -
  • a nested address match list enclosed in braces
  • -
-

- Elements can be negated with a leading exclamation mark (`!'), - and the match list names "any", "none", "localhost", and - "localnets" - are predefined. More information on those names can be found in - the description of the acl statement. -

-

- The addition of the key clause made the name of this syntactic - element something of a misnomer, since security keys can be used - to validate access without regard to a host or network address. - Nonetheless, - the term "address match list" is still used throughout the - documentation. -

-

- When a given IP address or prefix is compared to an address - match list, the list is traversed in order until an element - matches. - The interpretation of a match depends on whether the list is being - used - for access control, defining listen-on ports, or in a sortlist, - and whether the element was negated. -

-

- When used as an access control list, a non-negated match - allows access and a negated match denies access. If - there is no match, access is denied. The clauses - allow-notify, - allow-query, - allow-query-cache, - allow-transfer, - allow-update, - allow-update-forwarding, and - blackhole all use address match - lists. Similarly, the listen-on option will cause the - server to not accept queries on any of the machine's - addresses which do not match the list. -

-

- Because of the first-match aspect of the algorithm, an element - that defines a subset of another element in the list should come - before the broader element, regardless of whether either is - negated. For - example, in - 1.2.3/24; ! 1.2.3.13; the 1.2.3.13 - element is - completely useless because the algorithm will match any lookup for - 1.2.3.13 to the 1.2.3/24 element. - Using ! 1.2.3.13; 1.2.3/24 fixes - that problem by having 1.2.3.13 blocked by the negation but all - other 1.2.3.* hosts fall through. -

-
-
-
-

-Comment Syntax

-

- The BIND 9 comment syntax allows for - comments to appear - anywhere that whitespace may appear in a BIND configuration - file. To appeal to programmers of all kinds, they can be written - in the C, C++, or shell/perl style. -

-
-

-Syntax

-

-

-
/* This is a BIND comment as in C */
-

-

-
// This is a BIND comment as in C++
-

-

-
# This is a BIND comment as in common UNIX shells and perl
-

-

-
-
-

-Definition and Usage

-

- Comments may appear anywhere that whitespace may appear in - a BIND configuration file. -

-

- C-style comments start with the two characters /* (slash, - star) and end with */ (star, slash). Because they are completely - delimited with these characters, they can be used to comment only - a portion of a line or to span multiple lines. -

-

- C-style comments cannot be nested. For example, the following - is not valid because the entire comment ends with the first */: -

-

- -

-
/* This is the start of a comment.
-   This is still part of the comment.
-/* This is an incorrect attempt at nesting a comment. */
-   This is no longer in any comment. */
-
-

- -

-

- C++-style comments start with the two characters // (slash, - slash) and continue to the end of the physical line. They cannot - be continued across multiple physical lines; to have one logical - comment span multiple lines, each line must use the // pair. -

-

- For example: -

-

- -

-
// This is the start of a comment.  The next line
-// is a new comment, even though it is logically
-// part of the previous comment.
-
-

- -

-

- Shell-style (or perl-style, if you prefer) comments start - with the character # (number sign) - and continue to the end of the - physical line, as in C++ comments. -

-

- For example: -

-

- -

-
# This is the start of a comment.  The next line
-# is a new comment, even though it is logically
-# part of the previous comment.
-
-

- -

-
-

Warning

-

- You cannot use the semicolon (`;') character - to start a comment such as you would in a zone file. The - semicolon indicates the end of a configuration - statement. -

-
-
-
-
-
-

-Configuration File Grammar

-

- A BIND 9 configuration consists of - statements and comments. - Statements end with a semicolon. Statements and comments are the - only elements that can appear without enclosing braces. Many - statements contain a block of sub-statements, which are also - terminated with a semicolon. -

-

- The following statements are supported: -

-
---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

acl

-
-

- defines a named IP address - matching list, for access control and other uses. -

-
-

controls

-
-

- declares control channels to be used - by the rndc utility. -

-
-

include

-
-

- includes a file. -

-
-

key

-
-

- specifies key information for use in - authentication and authorization using TSIG. -

-
-

logging

-
-

- specifies what the server logs, and where - the log messages are sent. -

-
-

lwres

-
-

- configures named to - also act as a light-weight resolver daemon (lwresd). -

-
-

masters

-
-

- defines a named masters list for - inclusion in stub and slave zone masters clauses. -

-
-

options

-
-

- controls global server configuration - options and sets defaults for other statements. -

-
-

server

-
-

- sets certain configuration options on - a per-server basis. -

-
-

trusted-keys

-
-

- defines trusted DNSSEC keys. -

-
-

view

-
-

- defines a view. -

-
-

zone

-
-

- defines a zone. -

-
-

- The logging and - options statements may only occur once - per - configuration. -

-
-

-acl Statement Grammar

-
acl acl-name {
-    address_match_list
-};
-
-
-
-

-acl Statement Definition and - Usage

-

- The acl statement assigns a symbolic - name to an address match list. It gets its name from a primary - use of address match lists: Access Control Lists (ACLs). -

-

- Note that an address match list's name must be defined - with acl before it can be used - elsewhere; no - forward references are allowed. -

-

- The following ACLs are built-in: -

-
---- - - - - - - - - - - - - - - - - - - -
-

any

-
-

- Matches all hosts. -

-
-

none

-
-

- Matches no hosts. -

-
-

localhost

-
-

- Matches the IPv4 and IPv6 addresses of all network - interfaces on the system. -

-
-

localnets

-
-

- Matches any host on an IPv4 or IPv6 network - for which the system has an interface. - Some systems do not provide a way to determine the prefix - lengths of - local IPv6 addresses. - In such a case, localnets - only matches the local - IPv6 addresses, just like localhost. -

-
-
-
-

-controls Statement Grammar

-
controls {
-   [ inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
-                keys { key_list }; ]
-   [ inet ...; ]
-   [ unix path perm number owner number group number keys { key_list }; ]
-   [ unix ...; ]
-};
-
-
-
-

-controls Statement Definition and - Usage

-

- The controls statement declares control - channels to be used by system administrators to control the - operation of the name server. These control channels are - used by the rndc utility to send - commands to and retrieve non-DNS results from a name server. -

-

- An inet control channel is a TCP socket - listening at the specified ip_port on the - specified ip_addr, which can be an IPv4 or IPv6 - address. An ip_addr of * (asterisk) is - interpreted as the IPv4 wildcard address; connections will be - accepted on any of the system's IPv4 addresses. - To listen on the IPv6 wildcard address, - use an ip_addr of ::. - If you will only use rndc on the local host, - using the loopback address (127.0.0.1 - or ::1) is recommended for maximum security. -

-

- If no port is specified, port 953 is used. The asterisk - "*" cannot be used for ip_port. -

-

- The ability to issue commands over the control channel is - restricted by the allow and - keys clauses. - Connections to the control channel are permitted based on the - address_match_list. This is for simple - IP address based filtering only; any key_id - elements of the address_match_list - are ignored. -

-

- A unix control channel is a UNIX domain - socket listening at the specified path in the file system. - Access to the socket is specified by the perm, - owner and group clauses. - Note on some platforms (SunOS and Solaris) the permissions - (perm) are applied to the parent directory - as the permissions on the socket itself are ignored. -

-

- The primary authorization mechanism of the command - channel is the key_list, which - contains a list of key_ids. - Each key_id in the key_list - is authorized to execute commands over the control channel. - See Remote Name Daemon Control application in the section called “Administrative Tools”) - for information about configuring keys in rndc. -

-

- If no controls statement is present, - named will set up a default - control channel listening on the loopback address 127.0.0.1 - and its IPv6 counterpart ::1. - In this case, and also when the controls statement - is present but does not have a keys clause, - named will attempt to load the command channel key - from the file rndc.key in - /etc (or whatever sysconfdir - was specified as when BIND was built). - To create a rndc.key file, run - rndc-confgen -a. -

-

- The rndc.key feature was created to - ease the transition of systems from BIND 8, - which did not have digital signatures on its command channel - messages and thus did not have a keys clause. - - It makes it possible to use an existing BIND 8 - configuration file in BIND 9 unchanged, - and still have rndc work the same way - ndc worked in BIND 8, simply by executing the - command rndc-confgen -a after BIND 9 is - installed. -

-

- Since the rndc.key feature - is only intended to allow the backward-compatible usage of - BIND 8 configuration files, this - feature does not - have a high degree of configurability. You cannot easily change - the key name or the size of the secret, so you should make a - rndc.conf with your own key if you - wish to change - those things. The rndc.key file - also has its - permissions set such that only the owner of the file (the user that - named is running as) can access it. - If you - desire greater flexibility in allowing other users to access - rndc commands, then you need to create - a - rndc.conf file and make it group - readable by a group - that contains the users who should have access. -

-

- To disable the command channel, use an empty - controls statement: - controls { };. -

-
-
-

-include Statement Grammar

-
include filename;
-
-
-

-include Statement Definition and - Usage

-

- The include statement inserts the - specified file at the point where the include - statement is encountered. The include - statement facilitates the administration of configuration - files - by permitting the reading or writing of some things but not - others. For example, the statement could include private keys - that are readable only by the name server. -

-
-
-

-key Statement Grammar

-
key key_id {
-    algorithm string;
-    secret string;
-};
-
-
-
-

-key Statement Definition and Usage

-

- The key statement defines a shared - secret key for use with TSIG (see the section called “TSIG”) - or the command channel - (see the section called “controls Statement Definition and - Usage”). -

-

- The key statement can occur at the - top level - of the configuration file or inside a view - statement. Keys defined in top-level key - statements can be used in all views. Keys intended for use in - a controls statement - (see the section called “controls Statement Definition and - Usage”) - must be defined at the top level. -

-

- The key_id, also known as the - key name, is a domain name uniquely identifying the key. It can - be used in a server - statement to cause requests sent to that - server to be signed with this key, or in address match lists to - verify that incoming requests have been signed with a key - matching this name, algorithm, and secret. -

-

- The algorithm_id is a string - that specifies a security/authentication algorithm. Named - supports hmac-md5, - hmac-sha1, hmac-sha224, - hmac-sha256, hmac-sha384 - and hmac-sha512 TSIG authentication. - Truncated hashes are supported by appending the minimum - number of required bits preceded by a dash, e.g. - hmac-sha1-80. The - secret_string is the secret - to be used by the algorithm, and is treated as a base-64 - encoded string. -

-
-
-

-logging Statement Grammar

-
logging {
-   [ channel channel_name {
-     ( file path name
-         [ versions ( number | unlimited ) ]
-         [ size size spec ]
-       | syslog syslog_facility
-       | stderr
-       | null );
-     [ severity (critical | error | warning | notice |
-                 info | debug [ level ] | dynamic ); ]
-     [ print-category yes or no; ]
-     [ print-severity yes or no; ]
-     [ print-time yes or no; ]
-   }; ]
-   [ category category_name {
-     channel_name ; [ channel_name ; ... ]
-   }; ]
-   ...
-};
-
-
-
-

-logging Statement Definition and - Usage

-

- The logging statement configures a - wide - variety of logging options for the name server. Its channel phrase - associates output methods, format options and severity levels with - a name that can then be used with the category phrase - to select how various classes of messages are logged. -

-

- Only one logging statement is used to - define - as many channels and categories as are wanted. If there is no logging statement, - the logging configuration will be: -

-
logging {
-     category default { default_syslog; default_debug; };
-     category unmatched { null; };
-};
-
-

- In BIND 9, the logging configuration - is only established when - the entire configuration file has been parsed. In BIND 8, it was - established as soon as the logging - statement - was parsed. When the server is starting up, all logging messages - regarding syntax errors in the configuration file go to the default - channels, or to standard error if the "-g" option - was specified. -

-
-

-The channel Phrase

-

- All log output goes to one or more channels; - you can make as many of them as you want. -

-

- Every channel definition must include a destination clause that - says whether messages selected for the channel go to a file, to a - particular syslog facility, to the standard error stream, or are - discarded. It can optionally also limit the message severity level - that will be accepted by the channel (the default is - info), and whether to include a - named-generated time stamp, the - category name - and/or severity level (the default is not to include any). -

-

- The null destination clause - causes all messages sent to the channel to be discarded; - in that case, other options for the channel are meaningless. -

-

- The file destination clause directs - the channel - to a disk file. It can include limitations - both on how large the file is allowed to become, and how many - versions - of the file will be saved each time the file is opened. -

-

- If you use the versions log file - option, then - named will retain that many backup - versions of the file by - renaming them when opening. For example, if you choose to keep - three old versions - of the file lamers.log, then just - before it is opened - lamers.log.1 is renamed to - lamers.log.2, lamers.log.0 is renamed - to lamers.log.1, and lamers.log is - renamed to lamers.log.0. - You can say versions unlimited to - not limit - the number of versions. - If a size option is associated with - the log file, - then renaming is only done when the file being opened exceeds the - indicated size. No backup versions are kept by default; any - existing - log file is simply appended. -

-

- The size option for files is used - to limit log - growth. If the file ever exceeds the size, then named will - stop writing to the file unless it has a versions option - associated with it. If backup versions are kept, the files are - rolled as - described above and a new one begun. If there is no - versions option, no more data will - be written to the log - until some out-of-band mechanism removes or truncates the log to - less than the - maximum size. The default behavior is not to limit the size of - the - file. -

-

- Example usage of the size and - versions options: -

-
channel an_example_channel {
-    file "example.log" versions 3 size 20m;
-    print-time yes;
-    print-category yes;
-};
-
-

- The syslog destination clause - directs the - channel to the system log. Its argument is a - syslog facility as described in the syslog man - page. Known facilities are kern, user, - mail, daemon, auth, - syslog, lpr, news, - uucp, cron, authpriv, - ftp, local0, local1, - local2, local3, local4, - local5, local6 and - local7, however not all facilities - are supported on - all operating systems. - How syslog will handle messages - sent to - this facility is described in the syslog.conf man - page. If you have a system which uses a very old version of syslog that - only uses two arguments to the openlog() function, - then this clause is silently ignored. -

-

- The severity clause works like syslog's - "priorities", except that they can also be used if you are writing - straight to a file rather than using syslog. - Messages which are not at least of the severity level given will - not be selected for the channel; messages of higher severity - levels - will be accepted. -

-

- If you are using syslog, then the syslog.conf priorities - will also determine what eventually passes through. For example, - defining a channel facility and severity as daemon and debug but - only logging daemon.warning via syslog.conf will - cause messages of severity info and - notice to - be dropped. If the situation were reversed, with named writing - messages of only warning or higher, - then syslogd would - print all messages it received from the channel. -

-

- The stderr destination clause - directs the - channel to the server's standard error stream. This is intended - for - use when the server is running as a foreground process, for - example - when debugging a configuration. -

-

- The server can supply extensive debugging information when - it is in debugging mode. If the server's global debug level is - greater - than zero, then debugging mode will be active. The global debug - level is set either by starting the named server - with the -d flag followed by a positive integer, - or by running rndc trace. - The global debug level - can be set to zero, and debugging mode turned off, by running rndc -notrace. All debugging messages in the server have a debug - level, and higher debug levels give more detailed output. Channels - that specify a specific debug severity, for example: -

-
channel specific_debug_level {
-    file "foo";
-    severity debug 3;
-};
-
-

- will get debugging output of level 3 or less any time the - server is in debugging mode, regardless of the global debugging - level. Channels with dynamic - severity use the - server's global debug level to determine what messages to print. -

-

- If print-time has been turned on, - then - the date and time will be logged. print-time may - be specified for a syslog channel, - but is usually - pointless since syslog also prints - the date and - time. If print-category is - requested, then the - category of the message will be logged as well. Finally, if print-severity is - on, then the severity level of the message will be logged. The print- options may - be used in any combination, and will always be printed in the - following - order: time, category, severity. Here is an example where all - three print- options - are on: -

-

- 28-Feb-2000 15:05:32.863 general: notice: running -

-

- There are four predefined channels that are used for - named's default logging as follows. - How they are - used is described in the section called “The category Phrase”. -

-
channel default_syslog {
-    syslog daemon;                      // send to syslog's daemon
-                                        // facility
-    severity info;                      // only send priority info
-                                        // and higher
-};
-
-channel default_debug {
-    file "named.run";                   // write to named.run in
-                                        // the working directory
-                                        // Note: stderr is used instead
-                                        // of "named.run"
-                                        // if the server is started
-                                        // with the '-f' option.
-    severity dynamic;                   // log at the server's
-                                        // current debug level
-};
-
-channel default_stderr {
-    stderr;                             // writes to stderr
-    severity info;                      // only send priority info
-                                        // and higher
-};
-
-channel null {
-   null;                                // toss anything sent to
-                                        // this channel
-};
-
-

- The default_debug channel has the - special - property that it only produces output when the server's debug - level is - nonzero. It normally writes to a file called named.run - in the server's working directory. -

-

- For security reasons, when the "-u" - command line option is used, the named.run file - is created only after named has - changed to the - new UID, and any debug output generated while named is - starting up and still running as root is discarded. If you need - to capture this output, you must run the server with the "-g" - option and redirect standard error to a file. -

-

- Once a channel is defined, it cannot be redefined. Thus you - cannot alter the built-in channels directly, but you can modify - the default logging by pointing categories at channels you have - defined. -

-
-
-

-The category Phrase

-

- There are many categories, so you can send the logs you want - to see wherever you want, without seeing logs you don't want. If - you don't specify a list of channels for a category, then log - messages - in that category will be sent to the default category - instead. If you don't specify a default category, the following - "default default" is used: -

-
category default { default_syslog; default_debug; };
-
-

- As an example, let's say you want to log security events to - a file, but you also want keep the default logging behavior. You'd - specify the following: -

-
channel my_security_channel {
-    file "my_security_file";
-    severity info;
-};
-category security {
-    my_security_channel;
-    default_syslog;
-    default_debug;
-};
-

- To discard all messages in a category, specify the null channel: -

-
category xfer-out { null; };
-category notify { null; };
-
-

- Following are the available categories and brief descriptions - of the types of log information they contain. More - categories may be added in future BIND releases. -

-
---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

default

-
-

- The default category defines the logging - options for those categories where no specific - configuration has been - defined. -

-
-

general

-
-

- The catch-all. Many things still aren't - classified into categories, and they all end up here. -

-
-

database

-
-

- Messages relating to the databases used - internally by the name server to store zone and cache - data. -

-
-

security

-
-

- Approval and denial of requests. -

-
-

config

-
-

- Configuration file parsing and processing. -

-
-

resolver

-
-

- DNS resolution, such as the recursive - lookups performed on behalf of clients by a caching name - server. -

-
-

xfer-in

-
-

- Zone transfers the server is receiving. -

-
-

xfer-out

-
-

- Zone transfers the server is sending. -

-
-

notify

-
-

- The NOTIFY protocol. -

-
-

client

-
-

- Processing of client requests. -

-
-

unmatched

-
-

- Messages that named was unable to determine the - class of or for which there was no matching view. - A one line summary is also logged to the client category. - This category is best sent to a file or stderr, by - default it is sent to - the null channel. -

-
-

network

-
-

- Network operations. -

-
-

update

-
-

- Dynamic updates. -

-
-

update-security

-
-

- Approval and denial of update requests. -

-
-

queries

-
-

- Specify where queries should be logged to. -

-

- At startup, specifying the category queries will also - enable query logging unless querylog option has been - specified. -

-

- The query log entry reports the client's IP address and - port number, and the - query name, class and type. It also reports whether the - Recursion Desired - flag was set (+ if set, - if not set), EDNS was in use - (E) or if the - query was signed (S). -

-

- client 127.0.0.1#62536: query: www.example.com IN AAAA +SE -

-

- client ::1#62537: query: www.example.net IN AAAA -SE -

-
-

dispatch

-
-

- Dispatching of incoming packets to the - server modules where they are to be processed. -

-
-

dnssec

-
-

- DNSSEC and TSIG protocol processing. -

-
-

lame-servers

-
-

- Lame servers. These are misconfigurations - in remote servers, discovered by BIND 9 when trying to - query - those servers during resolution. -

-
-

delegation-only

-
-

- Delegation only. Logs queries that have have - been forced to NXDOMAIN as the result of a - delegation-only zone or - a delegation-only in a - hint or stub zone declaration. -

-
-
-
-
-

-lwres Statement Grammar

-

- This is the grammar of the lwres - statement in the named.conf file: -

-
lwres {
-    [ listen-on { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
-    [ view view_name; ]
-    [ search { domain_name ; [ domain_name ; ... ] }; ]
-    [ ndots number; ]
-};
-
-
-
-

-lwres Statement Definition and Usage

-

- The lwres statement configures the - name - server to also act as a lightweight resolver server. (See - the section called “Running a Resolver Daemon”.) There may be multiple - lwres statements configuring - lightweight resolver servers with different properties. -

-

- The listen-on statement specifies a - list of - addresses (and ports) that this instance of a lightweight resolver - daemon - should accept requests on. If no port is specified, port 921 is - used. - If this statement is omitted, requests will be accepted on - 127.0.0.1, - port 921. -

-

- The view statement binds this - instance of a - lightweight resolver daemon to a view in the DNS namespace, so that - the - response will be constructed in the same manner as a normal DNS - query - matching this view. If this statement is omitted, the default view - is - used, and if there is no default view, an error is triggered. -

-

- The search statement is equivalent to - the - search statement in - /etc/resolv.conf. It provides a - list of domains - which are appended to relative names in queries. -

-

- The ndots statement is equivalent to - the - ndots statement in - /etc/resolv.conf. It indicates the - minimum - number of dots in a relative domain name that should result in an - exact match lookup before search path elements are appended. -

-
-
-

-masters Statement Grammar

-
-masters name [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] };
-
-
-
-

-masters Statement Definition and - Usage

-

masters - lists allow for a common set of masters to be easily used by - multiple stub and slave zones. -

-
-
-

-options Statement Grammar

-

- This is the grammar of the options - statement in the named.conf file: -

-
options {
-    [ version version_string; ]
-    [ hostname hostname_string; ]
-    [ server-id server_id_string; ]
-    [ directory path_name; ]
-    [ key-directory path_name; ]
-    [ named-xfer path_name; ]
-    [ tkey-domain domainname; ]
-    [ tkey-dhkey key_name key_tag; ]
-    [ cache-file path_name; ]
-    [ dump-file path_name; ]
-    [ memstatistics-file path_name; ]
-    [ pid-file path_name; ]
-    [ recursing-file path_name; ]
-    [ statistics-file path_name; ]
-    [ zone-statistics yes_or_no; ]
-    [ auth-nxdomain yes_or_no; ]
-    [ deallocate-on-exit yes_or_no; ]
-    [ dialup dialup_option; ]
-    [ fake-iquery yes_or_no; ]
-    [ fetch-glue yes_or_no; ]
-    [ flush-zones-on-shutdown yes_or_no; ]
-    [ has-old-clients yes_or_no; ]
-    [ host-statistics yes_or_no; ]
-    [ host-statistics-max number; ]
-    [ minimal-responses yes_or_no; ]
-    [ multiple-cnames yes_or_no; ]
-    [ notify yes_or_no | explicit | master-only; ]
-    [ recursion yes_or_no; ]
-    [ rfc2308-type1 yes_or_no; ]
-    [ use-id-pool yes_or_no; ]
-    [ maintain-ixfr-base yes_or_no; ]
-    [ dnssec-enable yes_or_no; ]
-    [ dnssec-validation yes_or_no; ]
-    [ dnssec-lookaside domain trust-anchor domain; ]
-    [ dnssec-must-be-secure domain yes_or_no; ]
-    [ dnssec-accept-expired yes_or_no; ]
-    [ forward ( only | first ); ]
-    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
-    [ dual-stack-servers [port ip_port] {
-        ( domain_name [port ip_port] |
-          ip_addr [port ip_port] ) ; 
-        ... }; ]
-    [ check-names ( master | slave | response )
-        ( warn | fail | ignore ); ]
-    [ check-mx ( warn | fail | ignore ); ]
-    [ check-wildcard yes_or_no; ]
-    [ check-integrity yes_or_no; ]
-    [ check-mx-cname ( warn | fail | ignore ); ]
-    [ check-srv-cname ( warn | fail | ignore ); ]
-    [ check-sibling yes_or_no; ]
-    [ allow-notify { address_match_list }; ]
-    [ allow-query { address_match_list }; ]
-    [ allow-query-cache { address_match_list }; ]
-    [ allow-transfer { address_match_list }; ]
-    [ allow-recursion { address_match_list }; ]
-    [ allow-update { address_match_list }; ]
-    [ allow-update-forwarding { address_match_list }; ]
-    [ update-check-ksk yes_or_no; ]
-    [ allow-v6-synthesis { address_match_list }; ]
-    [ blackhole { address_match_list }; ]
-    [ avoid-v4-udp-ports { port_list }; ]
-    [ avoid-v6-udp-ports { port_list }; ]
-    [ listen-on [ port ip_port ] { address_match_list }; ]
-    [ listen-on-v6 [ port ip_port ] { address_match_list }; ]
-    [ query-source ( ( ip4_addr | * )
-        [ port ( ip_port | * ) ] |
-        [ address ( ip4_addr | * ) ]
-        [ port ( ip_port | * ) ] ) ; ]
-    [ query-source-v6 ( ( ip6_addr | * )
-        [ port ( ip_port | * ) ] | 
-        [ address ( ip6_addr | * ) ] 
-        [ port ( ip_port | * ) ] ) ; ]
-    [ max-transfer-time-in number; ]
-    [ max-transfer-time-out number; ]
-    [ max-transfer-idle-in number; ]
-    [ max-transfer-idle-out number; ]
-    [ tcp-clients number; ]
-    [ recursive-clients number; ]
-    [ serial-query-rate number; ]
-    [ serial-queries number; ]
-    [ tcp-listen-queue number; ]
-    [ transfer-format ( one-answer | many-answers ); ]
-    [ transfers-in  number; ]
-    [ transfers-out number; ]
-    [ transfers-per-ns number; ]
-    [ transfer-source (ip4_addr | *) [port ip_port] ; ]
-    [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
-    [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ]
-    [ alt-transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
-    [ use-alt-transfer-source yes_or_no; ]
-    [ notify-delay seconds ; ]
-    [ notify-source (ip4_addr | *) [port ip_port] ; ]
-    [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
-    [ also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
-    [ max-ixfr-log-size number; ]
-    [ max-journal-size size_spec; ]
-    [ coresize size_spec ; ]
-    [ datasize size_spec ; ]
-    [ files size_spec ; ]
-    [ stacksize size_spec ; ]
-    [ cleaning-interval number; ]
-    [ heartbeat-interval number; ]
-    [ interface-interval number; ]
-    [ statistics-interval number; ]
-    [ topology { address_match_list }];
-    [ sortlist { address_match_list }];
-    [ rrset-order { order_spec ; [ order_spec ; ... ] ] };
-    [ lame-ttl number; ]
-    [ max-ncache-ttl number; ]
-    [ max-cache-ttl number; ]
-    [ sig-validity-interval number ; ]
-    [ min-roots number; ]
-    [ use-ixfr yes_or_no ; ]
-    [ provide-ixfr yes_or_no; ]
-    [ request-ixfr yes_or_no; ]
-    [ treat-cr-as-space yes_or_no ; ]
-    [ min-refresh-time number ; ]
-    [ max-refresh-time number ; ]
-    [ min-retry-time number ; ]
-    [ max-retry-time number ; ]
-    [ port ip_port; ]
-    [ additional-from-auth yes_or_no ; ]
-    [ additional-from-cache yes_or_no ; ]
-    [ random-device path_name ; ]
-    [ max-cache-size size_spec ; ]
-    [ match-mapped-addresses yes_or_no; ]
-    [ preferred-glue ( A | AAAA | NONE ); ]
-    [ edns-udp-size number; ]
-    [ max-udp-size number; ]
-    [ root-delegation-only [ exclude { namelist } ] ; ]
-    [ querylog yes_or_no ; ]
-    [ disable-algorithms domain { algorithm; [ algorithm; ] }; ]
-    [ acache-enable yes_or_no ; ]
-    [ acache-cleaning-interval number; ]
-    [ max-acache-size size_spec ; ]
-    [ clients-per-query number ; ]
-    [ max-clients-per-query number ; ]
-    [ masterfile-format (text|raw) ; ]
-    [ empty-server name ; ]
-    [ empty-contact name ; ]
-    [ empty-zones-enable yes_or_no ; ]
-    [ disable-empty-zone zone_name ; ]
-    [ zero-no-soa-ttl yes_or_no ; ]
-    [ zero-no-soa-ttl-cache yes_or_no ; ]
-};
-
-
-
-

-options Statement Definition and - Usage

-

- The options statement sets up global - options - to be used by BIND. This statement - may appear only - once in a configuration file. If there is no options - statement, an options block with each option set to its default will - be used. -

-
-
directory
-

- The working directory of the server. - Any non-absolute pathnames in the configuration file will be - taken - as relative to this directory. The default location for most - server - output files (e.g. named.run) - is this directory. - If a directory is not specified, the working directory - defaults to `.', the directory from - which the server - was started. The directory specified should be an absolute - path. -

-
key-directory
-

- When performing dynamic update of secure zones, the - directory where the public and private key files should be - found, - if different than the current working directory. The - directory specified - must be an absolute path. -

-
named-xfer
-

- This option is obsolete. - It was used in BIND 8 to - specify the pathname to the named-xfer program. - In BIND 9, no separate named-xfer program is - needed; its functionality is built into the name server. -

-
tkey-domain
-

- The domain appended to the names of all - shared keys generated with - TKEY. When a client - requests a TKEY exchange, it - may or may not specify - the desired name for the key. If present, the name of the - shared - key will be "client specified part" + - "tkey-domain". - Otherwise, the name of the shared key will be "random hex -digits" + "tkey-domain". In most cases, - the domainname should be the - server's domain - name. -

-
tkey-dhkey
-

- The Diffie-Hellman key used by the server - to generate shared keys with clients using the Diffie-Hellman - mode - of TKEY. The server must be - able to load the - public and private keys from files in the working directory. - In - most cases, the keyname should be the server's host name. -

-
cache-file
-

- This is for testing only. Do not use. -

-
dump-file
-

- The pathname of the file the server dumps - the database to when instructed to do so with - rndc dumpdb. - If not specified, the default is named_dump.db. -

-
memstatistics-file
-
-

- The pathname of the file the server writes memory - usage statistics to on exit. If specified the - statistics will be written to the file on exit. -

-

- In BIND 9.5 and later this will - default to named.memstats. - BIND 9.5 will also introduce - memstatistics to control the - writing. -

-
-
pid-file
-

- The pathname of the file the server writes its process ID - in. If not specified, the default is /var/run/named.pid. - The pid-file is used by programs that want to send signals to - the running - name server. Specifying pid-file none disables the - use of a PID file — no file will be written and any - existing one will be removed. Note that none - is a keyword, not a filename, and therefore is not enclosed - in - double quotes. -

-
recursing-file
-

- The pathname of the file the server dumps - the queries that are currently recursing when instructed - to do so with rndc recursing. - If not specified, the default is named.recursing. -

-
statistics-file
-

- The pathname of the file the server appends statistics - to when instructed to do so using rndc stats. - If not specified, the default is named.stats in the - server's current directory. The format of the file is - described - in the section called “The Statistics File”. -

-
port
-

- The UDP/TCP port number the server uses for - receiving and sending DNS protocol traffic. - The default is 53. This option is mainly intended for server - testing; - a server using a port other than 53 will not be able to - communicate with - the global DNS. -

-
random-device
-

- The source of entropy to be used by the server. Entropy is
- primarily needed
- for DNSSEC operations, such as TKEY transactions and dynamic
- update of signed
- zones. This options specifies the device (or file) from which
- to read
- entropy. If this is a file, operations requiring entropy will
- fail when the
- file has been exhausted. If not specified, the default value
- is
- /dev/random
- (or equivalent) when present, and none otherwise. The
- random-device option takes
- effect during
- the initial configuration load at server startup time and
- is ignored on subsequent reloads.
-

-
preferred-glue
-

- If specified, the listed type (A or AAAA) will be emitted - before other glue - in the additional section of a query response. - The default is not to prefer any type (NONE). -

-
root-delegation-only
-
-

- Turn on enforcement of delegation-only in TLDs (top level domains) and root zones - with an optional - exclude list. -

-

- Note some TLDs are not delegation only (e.g. "DE", "LV", "US" - and "MUSEUM"). -

-
-options {
-        root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
-};
-
-
-
disable-algorithms
-

- Disable the specified DNSSEC algorithms at and below the
- specified name.
- Multiple disable-algorithms
- statements are allowed.
- Only the most specific will be applied.
-

-
dnssec-lookaside
-

- When set, dnssec-lookaside
- provides the
- validator with an alternate method to validate DNSKEY records
- at the
- top of a zone. When a DNSKEY is at or below a domain
- specified by the
- deepest dnssec-lookaside, and
- the normal dnssec validation
- has left the key untrusted, the trust-anchor will be append to
- the key
- name and a DLV record will be looked up to see if it can
- validate the
- key. If the DLV record validates a DNSKEY (similarly to the
- way a DS
- record does) the DNSKEY RRset is deemed to be trusted.
-

-
dnssec-must-be-secure
-

- Specify hierarchies which must be or may not be secure (signed and
- validated).
- If yes, then named will only accept
- answers if they
- are secure.
- If no, then normal dnssec validation
- applies
- allowing for insecure answers to be accepted.
- The specified domain must be under a trusted-key or
- dnssec-lookaside must be
- active.
-

-
-
-

-Boolean Options

-
-
auth-nxdomain
-

- If yes, then the AA bit - is always set on NXDOMAIN responses, even if the server is - not actually - authoritative. The default is no; - this is - a change from BIND 8. If you - are using very old DNS software, you - may need to set it to yes. -

-
deallocate-on-exit
-

- This option was used in BIND - 8 to enable checking - for memory leaks on exit. BIND 9 ignores the option and always performs - the checks. -

-
dialup
-
-

- If yes, then the - server treats all zones as if they are doing zone transfers - across - a dial-on-demand dialup link, which can be brought up by - traffic - originating from this server. This has different effects - according - to zone type and concentrates the zone maintenance so that - it all - happens in a short interval, once every heartbeat-interval and - hopefully during the one call. It also suppresses some of - the normal - zone maintenance traffic. The default is no. -

-

- The dialup option - may also be specified in the view and - zone statements, - in which case it overrides the global dialup - option. -

-

- If the zone is a master zone, then the server will send out a - NOTIFY - request to all the slaves (default). This should trigger the - zone serial - number check in the slave (providing it supports NOTIFY) - allowing the slave - to verify the zone while the connection is active. - The set of servers to which NOTIFY is sent can be controlled - by - notify and also-notify. -

-

- If the - zone is a slave or stub zone, then the server will suppress - the regular - "zone up to date" (refresh) queries and only perform them - when the - heartbeat-interval expires in - addition to sending - NOTIFY requests. -

-

- Finer control can be achieved by using - notify which only sends NOTIFY - messages, - notify-passive which sends NOTIFY - messages and - suppresses the normal refresh queries, refresh - which suppresses normal refresh processing and sends refresh - queries - when the heartbeat-interval - expires, and - passive which just disables normal - refresh - processing. -

-
------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

- dialup mode -

-
-

- normal refresh -

-
-

- heart-beat refresh -

-
-

- heart-beat notify -

-
-

no (default)

-
-

- yes -

-
-

- no -

-
-

- no -

-
-

yes

-
-

- no -

-
-

- yes -

-
-

- yes -

-
-

notify

-
-

- yes -

-
-

- no -

-
-

- yes -

-
-

refresh

-
-

- no -

-
-

- yes -

-
-

- no -

-
-

passive

-
-

- no -

-
-

- no -

-
-

- no -

-
-

notify-passive

-
-

- no -

-
-

- no -

-
-

- yes -

-
-

- Note that normal NOTIFY processing is not affected by - dialup. -

-
-
fake-iquery
-

- In BIND 8, this option - enabled simulating the obsolete DNS query type - IQUERY. BIND 9 never does - IQUERY simulation. -

-
fetch-glue
-

- This option is obsolete. - In BIND 8, fetch-glue yes - caused the server to attempt to fetch glue resource records - it - didn't have when constructing the additional - data section of a response. This is now considered a bad - idea - and BIND 9 never does it. -

-
flush-zones-on-shutdown
-

- When the nameserver exits due receiving SIGTERM, - flush or do not flush any pending zone writes. The default - is - flush-zones-on-shutdown no. -

-
has-old-clients
-

- This option was incorrectly implemented - in BIND 8, and is ignored by BIND 9. - To achieve the intended effect - of - has-old-clients yes, specify - the two separate options auth-nxdomain yes - and rfc2308-type1 no instead. -

-
host-statistics
-

- In BIND 8, this enables keeping of - statistics for every host that the name server interacts - with. - Not implemented in BIND 9. -

-
maintain-ixfr-base
-

- This option is obsolete. - It was used in BIND 8 to - determine whether a transaction log was - kept for Incremental Zone Transfer. BIND 9 maintains a transaction - log whenever possible. If you need to disable outgoing - incremental zone - transfers, use provide-ixfr no. -

-
minimal-responses
-

- If yes, then when generating - responses the server will only add records to the authority - and additional data sections when they are required (e.g. - delegations, negative responses). This may improve the - performance of the server. - The default is no. -

-
multiple-cnames
-

- This option was used in BIND 8 to allow - a domain name to have multiple CNAME records in violation of - the DNS standards. BIND 9.2 onwards - always strictly enforces the CNAME rules both in master - files and dynamic updates. -

-
notify
-
-

- If yes (the default), - DNS NOTIFY messages are sent when a zone the server is - authoritative for - changes, see the section called “Notify”. The messages are - sent to the - servers listed in the zone's NS records (except the master - server identified - in the SOA MNAME field), and to any servers listed in the - also-notify option. -

-

- If master-only, notifies are only - sent - for master zones. - If explicit, notifies are sent only - to - servers explicitly listed using also-notify. - If no, no notifies are sent. -

-

- The notify option may also be - specified in the zone - statement, - in which case it overrides the options notify statement. - It would only be necessary to turn off this option if it - caused slaves - to crash. -

-
-
recursion
-

- If yes, and a
- DNS query requests recursion, then the server will attempt
- to do
- all the work required to answer the query. If recursion is
- off
- and the server does not already know the answer, it will
- return a
- referral response. The default is
- yes.
- Note that setting recursion no does not prevent
- clients from getting data from the server's cache; it only
- prevents new data from being cached as an effect of client
- queries.
- Caching may still occur as an effect the server's internal
- operation, such as NOTIFY address lookups.
- See also fetch-glue above.
-

-
rfc2308-type1
-
-

- Setting this to yes will - cause the server to send NS records along with the SOA - record for negative - answers. The default is no. -

-
-

Note

-

- Not yet implemented in BIND - 9. -

-
-
-
use-id-pool
-

- This option is obsolete. - BIND 9 always allocates query - IDs from a pool. -

-
zone-statistics
-

- If yes, the server will collect - statistical data on all zones (unless specifically turned - off - on a per-zone basis by specifying zone-statistics no - in the zone statement). - These statistics may be accessed - using rndc stats, which will - dump them to the file listed - in the statistics-file. See - also the section called “The Statistics File”. -

-
use-ixfr
-

- This option is obsolete. - If you need to disable IXFR to a particular server or - servers, see - the information on the provide-ixfr option - in the section called “server Statement Definition and - Usage”. - See also - the section called “Incremental Zone Transfers (IXFR)”. -

-
provide-ixfr
-

- See the description of - provide-ixfr in - the section called “server Statement Definition and - Usage”. -

-
request-ixfr
-

- See the description of - request-ixfr in - the section called “server Statement Definition and - Usage”. -

-
treat-cr-as-space
-

- This option was used in BIND - 8 to make - the server treat carriage return ("\r") characters the same way - as a space or tab character, - to facilitate loading of zone files on a UNIX system that - were generated - on an NT or DOS machine. In BIND 9, both UNIX "\n" - and NT/DOS "\r\n" newlines - are always accepted, - and the option is ignored. -

-
-additional-from-auth, additional-from-cache -
-
-

- These options control the behavior of an authoritative - server when - answering queries which have additional data, or when - following CNAME - and DNAME chains. -

-

- When both of these options are set to yes
- (the default) and a
- query is being answered from authoritative data (a zone
- configured into the server), the additional data section of
- the
- reply will be filled in using data from other authoritative
- zones
- and from the cache. In some situations this is undesirable,
- such
- as when there is concern over the correctness of the cache,
- or
- in servers where slave zones may be added and modified by
- untrusted third parties. Also, avoiding
- the search for this additional data will speed up server
- operations
- at the possible expense of additional queries to resolve
- what would
- otherwise be provided in the additional section.
-

-

- For example, if a query asks for an MX record for host foo.example.com, - and the record found is "MX 10 mail.example.net", normally the address - records (A and AAAA) for mail.example.net will be provided as well, - if known, even though they are not in the example.com zone. - Setting these options to no - disables this behavior and makes - the server only search for additional data in the zone it - answers from. -

-

- These options are intended for use in authoritative-only - servers, or in authoritative-only views. Attempts to set - them to no without also - specifying - recursion no will cause the - server to - ignore the options and log a warning message. -

-

- Specifying additional-from-cache no actually
- disables the use of the cache not only for additional data
- lookups
- but also when looking up the answer. This is usually the
- desired
- behavior in an authoritative-only server where the
- correctness of
- the cached data is an issue.
-

-

- When a name server is non-recursively queried for a name - that is not - below the apex of any served zone, it normally answers with - an - "upwards referral" to the root servers or the servers of - some other - known parent of the query name. Since the data in an - upwards referral - comes from the cache, the server will not be able to provide - upwards - referrals when additional-from-cache no - has been specified. Instead, it will respond to such - queries - with REFUSED. This should not cause any problems since - upwards referrals are not required for the resolution - process. -

-
-
match-mapped-addresses
-

- If yes, then an
- IPv4-mapped IPv6 address will match any address match
- list entries that match the corresponding IPv4 address.
- Enabling this option is sometimes useful on IPv6-enabled
- Linux
- systems, to work around a kernel quirk that causes IPv4
- TCP connections such as zone transfers to be accepted
- on an IPv6 socket using mapped addresses, causing
- address match lists designed for IPv4 to fail to match.
- The use of this option for any other purpose is discouraged.
-

-
ixfr-from-differences
-
-

- When yes and the server loads a new version of a master - zone from its zone file or receives a new version of a slave - file by a non-incremental zone transfer, it will compare - the new version to the previous one and calculate a set - of differences. The differences are then logged in the - zone's journal file such that the changes can be transmitted - to downstream slaves as an incremental zone transfer. -

-

- By allowing incremental zone transfers to be used for - non-dynamic zones, this option saves bandwidth at the - expense of increased CPU and memory consumption at the - master. - In particular, if the new version of a zone is completely - different from the previous one, the set of differences - will be of a size comparable to the combined size of the - old and new zone version, and the server will need to - temporarily allocate memory to hold this complete - difference set. -

-

ixfr-from-differences - also accepts master and - slave at the view and options - levels which causes - ixfr-from-differences to apply to - all master or - slave zones respectively. -

-
-
multi-master
-

- This should be set when you have multiple masters for a zone - and the - addresses refer to different machines. If yes, named will - not log - when the serial number on the master is less than what named - currently - has. The default is no. -

-
dnssec-enable
-

- Enable DNSSEC support in named. Unless set to yes, - named behaves as if it does not support DNSSEC. - The default is yes. -

-
dnssec-validation
-

- Enable DNSSEC validation in named. - Note dnssec-enable also needs to be - set to yes to be effective. - The default is no. -

-
dnssec-accept-expired
-

- Accept expired signatures when verifying DNSSEC signatures.
- The default is no.
- Setting this option to "yes" leaves named vulnerable to replay attacks.
-

-
querylog
-

- Specify whether query logging should be started when named - starts. - If querylog is not specified, - then the query logging - is determined by the presence of the logging category queries. -

-
check-names
-
-

- This option is used to restrict the character set and syntax - of - certain domain names in master files and/or DNS responses - received - from the network. The default varies according to usage - area. For - master zones the default is fail. - For slave zones the default - is warn. - For answers received from the network (response) - the default is ignore. -

-

- The rules for legal hostnames and mail domains are derived - from RFC 952 and RFC 821 as modified by RFC 1123. -

-

check-names - applies to the owner names of A, AAA and MX records. - It also applies to the domain names in the RDATA of NS, SOA - and MX records. - It also applies to the RDATA of PTR records where the owner - name indicated that it is a reverse lookup of a hostname - (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT). -

-
-
check-mx
-

- Check whether the MX record appears to refer to a IP address. - The default is to warn. Other possible - values are fail and - ignore. -

-
check-wildcard
-

- This option is used to check for non-terminal wildcards. - The use of non-terminal wildcards is almost always as a - result of a failure - to understand the wildcard matching algorithm (RFC 1034). - This option - affects master zones. The default (yes) is to check - for non-terminal wildcards and issue a warning. -

-
check-integrity
-

- Perform post load zone integrity checks on master - zones. This checks that MX and SRV records refer - to address (A or AAAA) records and that glue - address records exist for delegated zones. For - MX and SRV records only in-zone hostnames are - checked (for out-of-zone hostnames use named-checkzone). - For NS records only names below top of zone are - checked (for out-of-zone names and glue consistency - checks use named-checkzone). The default is - yes. -

-
check-mx-cname
-

- If check-integrity is set then - fail, warn or ignore MX records that refer - to CNAMES. The default is to warn. -

-
check-srv-cname
-

- If check-integrity is set then - fail, warn or ignore SRV records that refer - to CNAMES. The default is to warn. -

-
check-sibling
-

- When performing integrity checks, also check that - sibling glue exists. The default is yes. -

-
zero-no-soa-ttl
-

- When returning authoritative negative responses to - SOA queries set the TTL of the SOA recored returned in - the authority section to zero. - The default is yes. -

-
zero-no-soa-ttl-cache
-

- When caching a negative response to a SOA query - set the TTL to zero. - The default is no. -

-
update-check-ksk
-

- When regenerating the RRSIGs following a UPDATE - request to a secure zone, check the KSK flag on - the DNSKEY RR to determine if this key should be - used to generate the RRSIG. This flag is ignored - if there are not DNSKEY RRs both with and without - a KSK. - The default is yes. -

-
-
-
-

-Forwarding

-

- The forwarding facility can be used to create a large site-wide - cache on a few servers, reducing traffic over links to external - name servers. It can also be used to allow queries by servers that - do not have direct access to the Internet, but wish to look up - exterior - names anyway. Forwarding occurs only on those queries for which - the server is not authoritative and does not have the answer in - its cache. -

-
-
forward
-

- This option is only meaningful if the - forwarders list is not empty. A value of first, - the default, causes the server to query the forwarders - first — and - if that doesn't answer the question, the server will then - look for - the answer itself. If only is - specified, the - server will only query the forwarders. -

-
forwarders
-

- Specifies the IP addresses to be used - for forwarding. The default is the empty list (no - forwarding). -

-
-

- Forwarding can also be configured on a per-domain basis, allowing - for the global forwarding options to be overridden in a variety - of ways. You can set particular domains to use different - forwarders, - or have a different forward only/first behavior, - or not forward at all, see the section called “zone - Statement Grammar”. -

-
-
-

-Dual-stack Servers

-

- Dual-stack servers are used as servers of last resort to work - around - problems in reachability due the lack of support for either IPv4 - or IPv6 - on the host machine. -

-
-
dual-stack-servers
-

- Specifies host names or addresses of machines with access to - both IPv4 and IPv6 transports. If a hostname is used, the - server must be able - to resolve the name using only the transport it has. If the - machine is dual - stacked, then the dual-stack-servers have no effect unless - access to a transport has been disabled on the command line - (e.g. named -4). -

-
-
-
-

-Access Control

-

- Access to the server can be restricted based on the IP address - of the requesting system. See the section called “Address Match Lists” for - details on how to specify IP address lists. -

-
-
allow-notify
-

- Specifies which hosts are allowed to - notify this server, a slave, of zone changes in addition - to the zone masters. - allow-notify may also be - specified in the - zone statement, in which case - it overrides the - options allow-notify - statement. It is only meaningful - for a slave zone. If not specified, the default is to - process notify messages - only from a zone's master. -

-
allow-query
-
-

- Specifies which hosts are allowed to ask ordinary - DNS questions. allow-query may - also be specified in the zone - statement, in which case it overrides the - options allow-query statement. - If not specified, the default is to allow queries - from all hosts. -

-
-

Note

-

- allow-query-cache is now - used to specify access to the cache. -

-
-
-
allow-query-cache
-

- Specifies which hosts are allowed to get answers - from the cache. If allow-query-cache - is not set then allow-recursion - is used if set, otherwise allow-query - is used if set, otherwise the default - (localnets; - localhost;) is used. -

-
allow-recursion
-

- Specifies which hosts are allowed to make recursive - queries through this server. If - allow-recursion is not set - then allow-query-cache is - used if set, otherwise allow-query - is used if set, otherwise the default - (localnets; - localhost;) is used. -

-
allow-update
-

- Specifies which hosts are allowed to - submit Dynamic DNS updates for master zones. The default is - to deny - updates from all hosts. Note that allowing updates based - on the requestor's IP address is insecure; see - the section called “Dynamic Update Security” for details. -

-
allow-update-forwarding
-
-

- Specifies which hosts are allowed to - submit Dynamic DNS updates to slave zones to be forwarded to - the - master. The default is { none; }, - which - means that no update forwarding will be performed. To - enable - update forwarding, specify - allow-update-forwarding { any; };. - Specifying values other than { none; } or - { any; } is usually - counterproductive, since - the responsibility for update access control should rest - with the - master server, not the slaves. -

-

- Note that enabling the update forwarding feature on a slave - server - may expose master servers relying on insecure IP address - based - access control to attacks; see the section called “Dynamic Update Security” - for more details. -

-
-
allow-v6-synthesis
-

- This option was introduced for the smooth transition from - AAAA - to A6 and from "nibble labels" to binary labels. - However, since both A6 and binary labels were then - deprecated, - this option was also deprecated. - It is now ignored with some warning messages. -

-
allow-transfer
-

- Specifies which hosts are allowed to - receive zone transfers from the server. allow-transfer may - also be specified in the zone - statement, in which - case it overrides the options allow-transfer statement. - If not specified, the default is to allow transfers to all - hosts. -

-
blackhole
-

- Specifies a list of addresses that the - server will not accept queries from or use to resolve a - query. Queries - from these addresses will not be responded to. The default - is none. -

-
-
-
-

-Interfaces

-

- The interfaces and ports that the server will answer queries - from may be specified using the listen-on option. listen-on takes - an optional port, and an address_match_list. - The server will listen on all interfaces allowed by the address - match list. If a port is not specified, port 53 will be used. -

-

- Multiple listen-on statements are - allowed. - For example, -

-
listen-on { 5.6.7.8; };
-listen-on port 1234 { !1.2.3.4; 1.2/16; };
-
-

- will enable the name server on port 53 for the IP address - 5.6.7.8, and on port 1234 of an address on the machine in net - 1.2 that is not 1.2.3.4. -

-

- If no listen-on is specified, the - server will listen on port 53 on all interfaces. -

-

- The listen-on-v6 option is used to - specify the interfaces and the ports on which the server will - listen - for incoming queries sent using IPv6. -

-

- When

-
{ any; }
-

is - specified - as the address_match_list for the - listen-on-v6 option, - the server does not bind a separate socket to each IPv6 interface - address as it does for IPv4 if the operating system has enough API - support for IPv6 (specifically if it conforms to RFC 3493 and RFC - 3542). - Instead, it listens on the IPv6 wildcard address. - If the system only has incomplete API support for IPv6, however, - the behavior is the same as that for IPv4. -

-

- A list of particular IPv6 addresses can also be specified, in - which case - the server listens on a separate socket for each specified - address, - regardless of whether the desired API is supported by the system. -

-

- Multiple listen-on-v6 options can - be used. - For example, -

-
listen-on-v6 { any; };
-listen-on-v6 port 1234 { !2001:db8::/32; any; };
-
-

- will enable the name server on port 53 for any IPv6 addresses - (with a single wildcard socket), - and on port 1234 of IPv6 addresses that is not in the prefix - 2001:db8::/32 (with separate sockets for each matched address.) -

-

- To make the server not listen on any IPv6 address, use -

-
listen-on-v6 { none; };
-
-

- If no listen-on-v6 option is - specified, - the server will not listen on any IPv6 address. -

-
-
-

-Query Address

-

- If the server doesn't know the answer to a question, it will - query other name servers. query-source specifies - the address and port used for such queries. For queries sent over - IPv6, there is a separate query-source-v6 option. - If address is * (asterisk) or is omitted, - a wildcard IP address (INADDR_ANY) - will be used. - If port is * or is omitted, - a random unprivileged port number is picked up and will be - used for each query. - It is generally strongly discouraged to - specify a particular port for the - query-source or - query-source-v6 - options; it implicitly disables the use of randomized port numbers - and leads to insecure operation. - The avoid-v4-udp-ports - and avoid-v6-udp-ports options can be used - to prevent named - from selecting certain ports. The defaults are: -

-
query-source address * port *;
-query-source-v6 address * port *;
-
-
-

Note

-

- The address specified in the query-source option - is used for both UDP and TCP queries, but the port applies only - to - UDP queries. TCP queries always use a random - unprivileged port. -

-
-
-

Note

-

- Solaris 2.5.1 and earlier does not support setting the source - address for TCP sockets. -

-
-
-

Note

-

- See also transfer-source and - notify-source. -

-
-
-
-

-Zone Transfers

-

- BIND has mechanisms in place to - facilitate zone transfers - and set limits on the amount of load that transfers place on the - system. The following options apply to zone transfers. -

-
-
also-notify
-

- Defines a global list of IP addresses of name servers - that are also sent NOTIFY messages whenever a fresh copy of - the - zone is loaded, in addition to the servers listed in the - zone's NS records. - This helps to ensure that copies of the zones will - quickly converge on stealth servers. If an also-notify list - is given in a zone statement, - it will override - the options also-notify - statement. When a zone notify - statement - is set to no, the IP - addresses in the global also-notify list will - not be sent NOTIFY messages for that zone. The default is - the empty - list (no global notification list). -

-
max-transfer-time-in
-

- Inbound zone transfers running longer than - this many minutes will be terminated. The default is 120 - minutes - (2 hours). The maximum value is 28 days (40320 minutes). -

-
max-transfer-idle-in
-

- Inbound zone transfers making no progress - in this many minutes will be terminated. The default is 60 - minutes - (1 hour). The maximum value is 28 days (40320 minutes). -

-
max-transfer-time-out
-

- Outbound zone transfers running longer than - this many minutes will be terminated. The default is 120 - minutes - (2 hours). The maximum value is 28 days (40320 minutes). -

-
max-transfer-idle-out
-

- Outbound zone transfers making no progress - in this many minutes will be terminated. The default is 60 - minutes (1 - hour). The maximum value is 28 days (40320 minutes). -

-
serial-query-rate
-

- Slave servers will periodically query master servers - to find out if zone serial numbers have changed. Each such - query uses - a minute amount of the slave server's network bandwidth. To - limit the - amount of bandwidth used, BIND 9 limits the rate at which - queries are - sent. The value of the serial-query-rate option, - an integer, is the maximum number of queries sent per - second. - The default is 20. -

-
serial-queries
-

- In BIND 8, the serial-queries - option - set the maximum number of concurrent serial number queries - allowed to be outstanding at any given time. - BIND 9 does not limit the number of outstanding - serial queries and ignores the serial-queries option. - Instead, it limits the rate at which the queries are sent - as defined using the serial-query-rate option. -

-
transfer-format
-

- Zone transfers can be sent using two different formats, - one-answer and - many-answers. - The transfer-format option is used - on the master server to determine which format it sends. - one-answer uses one DNS message per - resource record transferred. - many-answers packs as many resource - records as possible into a message. - many-answers is more efficient, but is - only supported by relatively new slave servers, - such as BIND 9, BIND - 8.x and BIND 4.9.5 onwards. - The many-answers format is also supported by - recent Microsoft Windows nameservers. - The default is many-answers. - transfer-format may be overridden on a - per-server basis by using the server - statement. -

-
transfers-in
-

- The maximum number of inbound zone transfers - that can be running concurrently. The default value is 10. - Increasing transfers-in may - speed up the convergence - of slave zones, but it also may increase the load on the - local system. -

-
transfers-out
-

- The maximum number of outbound zone transfers - that can be running concurrently. Zone transfer requests in - excess - of the limit will be refused. The default value is 10. -

-
transfers-per-ns
-

- The maximum number of inbound zone transfers - that can be concurrently transferring from a given remote - name server. - The default value is 2. - Increasing transfers-per-ns - may - speed up the convergence of slave zones, but it also may - increase - the load on the remote name server. transfers-per-ns may - be overridden on a per-server basis by using the transfers phrase - of the server statement. -

-
transfer-source
-
-

transfer-source - determines which local address will be bound to IPv4 - TCP connections used to fetch zones transferred - inbound by the server. It also determines the - source IPv4 address, and optionally the UDP port, - used for the refresh queries and forwarded dynamic - updates. If not set, it defaults to a system - controlled value which will usually be the address - of the interface "closest to" the remote end. This - address must appear in the remote end's - allow-transfer option for the - zone being transferred, if one is specified. This - statement sets the - transfer-source for all zones, - but can be overridden on a per-view or per-zone - basis by including a - transfer-source statement within - the view or - zone block in the configuration - file. -

-
-

Note

-

- Solaris 2.5.1 and earlier does not support setting the - source address for TCP sockets. -

-
-
-
transfer-source-v6
-

- The same as transfer-source, - except zone transfers are performed using IPv6. -

-
alt-transfer-source
-
-

- An alternate transfer source if the one listed in - transfer-source fails and - use-alt-transfer-source is - set. -

-
-

Note

- If you do not wish the alternate transfer source - to be used, you should set - use-alt-transfer-source - appropriately and you should not depend upon - getting a answer back to the first refresh - query. -
-
-
alt-transfer-source-v6
-

- An alternate transfer source if the one listed in - transfer-source-v6 fails and - use-alt-transfer-source is - set. -

-
use-alt-transfer-source
-

- Use the alternate transfer sources or not. If views are - specified this defaults to no - otherwise it defaults to - yes (for BIND 8 - compatibility). -

-
notify-source
-
-

notify-source - determines which local source address, and - optionally UDP port, will be used to send NOTIFY - messages. This address must appear in the slave - server's masters zone clause or - in an allow-notify clause. This - statement sets the notify-source - for all zones, but can be overridden on a per-zone or - per-view basis by including a - notify-source statement within - the zone or - view block in the configuration - file. -

-
-

Note

-

- Solaris 2.5.1 and earlier does not support setting the - source address for TCP sockets. -

-
-
-
notify-source-v6
-

- Like notify-source, - but applies to notify messages sent to IPv6 addresses. -

-
-
-
-

-Bad UDP Port Lists

-

avoid-v4-udp-ports - and avoid-v6-udp-ports specify a list - of IPv4 and IPv6 UDP ports that will not be used as system - assigned source ports for UDP sockets. These lists - prevent named from choosing as its random source port a - port that is blocked by your firewall. If a query went - out with such a source port, the answer would not get by - the firewall and the name server would have to query - again. -

-
-
-

-Operating System Resource Limits

-

- The server's usage of many system resources can be limited. - Scaled values are allowed when specifying resource limits. For - example, 1G can be used instead of - 1073741824 to specify a limit of - one - gigabyte. unlimited requests - unlimited use, or the - maximum available amount. default - uses the limit - that was in force when the server was started. See the description - of size_spec in the section called “Configuration File Elements”. -

-

- The following options set operating system resource limits for - the name server process. Some operating systems don't support - some or - any of the limits. On such systems, a warning will be issued if - the - unsupported limit is used. -

-
-
coresize
-

- The maximum size of a core dump. The default - is default. -

-
datasize
-

- The maximum amount of data memory the server - may use. The default is default. - This is a hard limit on server memory usage. - If the server attempts to allocate memory in excess of this - limit, the allocation will fail, which may in turn leave - the server unable to perform DNS service. Therefore, - this option is rarely useful as a way of limiting the - amount of memory used by the server, but it can be used - to raise an operating system data size limit that is - too small by default. If you wish to limit the amount - of memory used by the server, use the - max-cache-size and - recursive-clients - options instead. -

-
files
-

- The maximum number of files the server - may have open concurrently. The default is unlimited. -

-
stacksize
-

- The maximum amount of stack memory the server - may use. The default is default. -

-
-
-
-

-Server Resource Limits

-

- The following options set limits on the server's - resource consumption that are enforced internally by the - server rather than the operating system. -

-
-
max-ixfr-log-size
-

- This option is obsolete; it is accepted - and ignored for BIND 8 compatibility. The option - max-journal-size performs a - similar function in BIND 9. -

-
max-journal-size
-

- Sets a maximum size for each journal file - (see the section called “The journal file”). When the journal file - approaches - the specified size, some of the oldest transactions in the - journal - will be automatically removed. The default is - unlimited. -

-
host-statistics-max
-

- In BIND 8, specifies the maximum number of host statistics - entries to be kept. - Not implemented in BIND 9. -

-
recursive-clients
-

- The maximum number of simultaneous recursive lookups - the server will perform on behalf of clients. The default - is - 1000. Because each recursing - client uses a fair - bit of memory, on the order of 20 kilobytes, the value of - the - recursive-clients option may - have to be decreased - on hosts with limited memory. -

-
tcp-clients
-

- The maximum number of simultaneous client TCP - connections that the server will accept. - The default is 100. -

-
max-cache-size
-

- The maximum amount of memory to use for the - server's cache, in bytes. When the amount of data in the - cache - reaches this limit, the server will cause records to expire - prematurely so that the limit is not exceeded. In a server - with - multiple views, the limit applies separately to the cache of - each - view. The default is unlimited, meaning that - records are purged from the cache only when their TTLs - expire. -

-
tcp-listen-queue
-

- The listen queue depth. The default and minimum is 3. - If the kernel supports the accept filter "dataready" this - also controls how - many TCP connections that will be queued in kernel space - waiting for - some data before being passed to accept. Values less than 3 - will be - silently raised. -

-
-
-
-

-Periodic Task Intervals

-
-
cleaning-interval
-

- The server will remove expired resource records - from the cache every cleaning-interval minutes. - The default is 60 minutes. The maximum value is 28 days - (40320 minutes). - If set to 0, no periodic cleaning will occur. -

-
heartbeat-interval
-

- The server will perform zone maintenance tasks - for all zones marked as dialup whenever this - interval expires. The default is 60 minutes. Reasonable - values are up - to 1 day (1440 minutes). The maximum value is 28 days - (40320 minutes). - If set to 0, no zone maintenance for these zones will occur. -

-
interface-interval
-

- The server will scan the network interface list - every interface-interval - minutes. The default - is 60 minutes. The maximum value is 28 days (40320 minutes). - If set to 0, interface scanning will only occur when - the configuration file is loaded. After the scan, the - server will - begin listening for queries on any newly discovered - interfaces (provided they are allowed by the - listen-on configuration), and - will - stop listening on interfaces that have gone away. -

-
statistics-interval
-
-

- Name server statistics will be logged - every statistics-interval - minutes. The default is - 60. The maximum value is 28 days (40320 minutes). - If set to 0, no statistics will be logged. -

-
-

Note

-

- Not yet implemented in - BIND 9. -

-
-
-
-
-
-

-Topology

-

- All other things being equal, when the server chooses a name - server - to query from a list of name servers, it prefers the one that is - topologically closest to itself. The topology statement - takes an address_match_list and - interprets it - in a special way. Each top-level list element is assigned a - distance. - Non-negated elements get a distance based on their position in the - list, where the closer the match is to the start of the list, the - shorter the distance is between it and the server. A negated match - will be assigned the maximum distance from the server. If there - is no match, the address will get a distance which is further than - any non-negated list element, and closer than any negated element. - For example, -

-
topology {
-    10/8;
-    !1.2.3/24;
-    { 1.2/16; 3/8; };
-};
-

- will prefer servers on network 10 the most, followed by hosts - on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the - exception of hosts on network 1.2.3 (netmask 255.255.255.0), which - is preferred least of all. -

-

- The default topology is -

-
    topology { localhost; localnets; };
-
-
-

Note

-

- The topology option - is not implemented in BIND 9. -

-
-
-
-

-The sortlist Statement

-

- The response to a DNS query may consist of multiple resource - records (RRs) forming a resource records set (RRset). - The name server will normally return the - RRs within the RRset in an indeterminate order - (but see the rrset-order - statement in the section called “RRset Ordering”). - The client resolver code should rearrange the RRs as appropriate, - that is, using any addresses on the local net in preference to - other addresses. - However, not all resolvers can do this or are correctly - configured. - When a client is using a local server, the sorting can be performed - in the server, based on the client's address. This only requires - configuring the name servers, not all the clients. -

-

- The sortlist statement (see below) - takes - an address_match_list and - interprets it even - more specifically than the topology - statement - does (the section called “Topology”). - Each top level statement in the sortlist must - itself be an explicit address_match_list with - one or two elements. The first element (which may be an IP - address, - an IP prefix, an ACL name or a nested address_match_list) - of each top level list is checked against the source address of - the query until a match is found. -

-

- Once the source address of the query has been matched, if - the top level statement contains only one element, the actual - primitive - element that matched the source address is used to select the - address - in the response to move to the beginning of the response. If the - statement is a list of two elements, then the second element is - treated the same as the address_match_list in - a topology statement. Each top - level element - is assigned a distance and the address in the response with the - minimum - distance is moved to the beginning of the response. -

-

- In the following example, any queries received from any of - the addresses of the host itself will get responses preferring - addresses - on any of the locally connected networks. Next most preferred are - addresses - on the 192.168.1/24 network, and after that either the - 192.168.2/24 - or - 192.168.3/24 network with no preference shown between these two - networks. Queries received from a host on the 192.168.1/24 network - will prefer other addresses on that network to the 192.168.2/24 - and - 192.168.3/24 networks. Queries received from a host on the - 192.168.4/24 - or the 192.168.5/24 network will only prefer other addresses on - their directly connected networks. -

-
sortlist {
-    { localhost;                                   // IF   the local host
-        { localnets;                               // THEN first fit on the
-            192.168.1/24;                          //   following nets
-            { 192.168.2/24; 192.168.3/24; }; }; };
-    { 192.168.1/24;                                // IF   on class C 192.168.1
-        { 192.168.1/24;                            // THEN use .1, or .2 or .3
-            { 192.168.2/24; 192.168.3/24; }; }; };
-    { 192.168.2/24;                                // IF   on class C 192.168.2
-        { 192.168.2/24;                            // THEN use .2, or .1 or .3
-            { 192.168.1/24; 192.168.3/24; }; }; };
-    { 192.168.3/24;                                // IF   on class C 192.168.3
-        { 192.168.3/24;                            // THEN use .3, or .1 or .2
-            { 192.168.1/24; 192.168.2/24; }; }; };
-    { { 192.168.4/24; 192.168.5/24; };             // if .4 or .5, prefer that net
-    };
-};
-

- The following example will give reasonable behavior for the - local host and hosts on directly connected networks. It is similar - to the behavior of the address sort in BIND 4.9.x. Responses sent - to queries from the local host will favor any of the directly - connected - networks. Responses sent to queries from any other hosts on a - directly - connected network will prefer addresses on that same network. - Responses - to other queries will not be sorted. -

-
sortlist {
-           { localhost; localnets; };
-           { localnets; };
-};
-
-
-
-

-RRset Ordering

-

- When multiple records are returned in an answer it may be - useful to configure the order of the records placed into the - response. - The rrset-order statement permits - configuration - of the ordering of the records in a multiple record response. - See also the sortlist statement, - the section called “The sortlist Statement”. -

-

- An order_spec is defined as - follows: -

-

- [class class_name] - [type type_name] - [name "domain_name"] - order ordering -

-

- If no class is specified, the default is ANY. - If no type is specified, the default is ANY. - If no name is specified, the default is "*" (asterisk). -

-

- The legal values for ordering are: -

-
---- - - - - - - - - - - - - - - -
-

fixed

-
-

- Records are returned in the order they - are defined in the zone file. -

-
-

random

-
-

- Records are returned in some random order. -

-
-

cyclic

-
-

- Records are returned in a round-robin - order. -

-
-

- For example: -

-
rrset-order {
-   class IN type A name "host.example.com" order random;
-   order cyclic;
-};
-
-

- will cause any responses for type A records in class IN that - have "host.example.com" as a - suffix, to always be returned - in random order. All other records are returned in cyclic order. -

-

- If multiple rrset-order statements - appear, - they are not combined — the last one applies. -

-
-

Note

-

- The rrset-order statement - is not yet fully implemented in BIND 9. - BIND 9 currently does not fully support "fixed" ordering. -

-
-
-
-

-Tuning

-
-
lame-ttl
-

- Sets the number of seconds to cache a - lame server indication. 0 disables caching. (This is - NOT recommended.) - The default is 600 (10 minutes) and the - maximum value is - 1800 (30 minutes). -

-
max-ncache-ttl
-

- To reduce network traffic and increase performance, - the server stores negative answers. max-ncache-ttl is - used to set a maximum retention time for these answers in - the server - in seconds. The default - max-ncache-ttl is 10800 seconds (3 hours). - max-ncache-ttl cannot exceed - 7 days and will - be silently truncated to 7 days if set to a greater value. -

-
max-cache-ttl
-

- Sets the maximum time for which the server will - cache ordinary (positive) answers. The default is - one week (7 days). -

-
min-roots
-
-

- The minimum number of root servers that - is required for a request for the root servers to be - accepted. The default - is 2. -

-
-

Note

-

- Not implemented in BIND 9. -

-
-
-
sig-validity-interval
-

- Specifies the number of days into the - future when DNSSEC signatures automatically generated as a - result - of dynamic updates (the section called “Dynamic Update”) - will expire. The default is 30 days. - The maximum value is 10 years (3660 days). The signature - inception time is unconditionally set to one hour before the - current time - to allow for a limited amount of clock skew. -

-
-min-refresh-time, max-refresh-time, min-retry-time, max-retry-time -
-
-

- These options control the server's behavior on refreshing a - zone - (querying for SOA changes) or retrying failed transfers. - Usually the SOA values for the zone are used, but these - values - are set by the master, giving slave server administrators - little - control over their contents. -

-

- These options allow the administrator to set a minimum and - maximum - refresh and retry time either per-zone, per-view, or - globally. - These options are valid for slave and stub zones, - and clamp the SOA refresh and retry times to the specified - values. -

-
-
edns-udp-size
-

- Sets the advertised EDNS UDP buffer size in bytes. Valid - values are 512 to 4096 (values outside this range - will be silently adjusted). The default value is - 4096. The usual reason for setting edns-udp-size to - a non-default value is to get UDP answers to pass - through broken firewalls that block fragmented - packets and/or block UDP packets that are greater - than 512 bytes. -

-
max-udp-size
-

- Sets the maximum EDNS UDP message size named will - send in bytes. Valid values are 512 to 4096 (values outside - this range will be silently adjusted). The default - value is 4096. The usual reason for setting - max-udp-size to a non-default value is to get UDP - answers to pass through broken firewalls that - block fragmented packets and/or block UDP packets - that are greater than 512 bytes. - This is independent of the advertised receive - buffer (edns-udp-size). -

-
masterfile-format
-

Specifies - the file format of zone files (see - the section called “Additional File Formats”). - The default value is text, which is the - standard textual representation. Files in other formats - than text are typically expected - to be generated by the named-compilezone tool. - Note that when a zone file in a different format than - text is loaded, named - may omit some of the checks which would be performed for a - file in the text format. In particular, - check-names checks do not apply - for the raw format. This means - a zone file in the raw format - must be generated with the same check level as that - specified in the named configuration - file. This statement sets the - masterfile-format for all zones, - but can be overridden on a per-zone or per-view basis - by including a masterfile-format - statement within the zone or - view block in the configuration - file. -

-
-clients-per-query, max-clients-per-query -
-
-

These set the - initial value (minimum) and maximum number of recursive - simultanious clients for any given query - (<qname,qtype,qclass>) that the server will accept - before dropping additional clients. named will attempt to - self tune this value and changes will be logged. The - default values are 10 and 100. -

-

- This value should reflect how many queries come in for - a given name in the time it takes to resolve that name. - If the number of queries exceed this value, named will - assume that it is dealing with a non-responsive zone - and will drop additional queries. If it gets a response - after dropping queries, it will raise the estimate. The - estimate will then be lowered in 20 minutes if it has - remained unchanged. -

-

- If clients-per-query is set to zero, - then there is no limit on the number of clients per query - and no queries will be dropped. -

-

- If max-clients-per-query is set to zero, - then there is no upper bound other than imposed by - recursive-clients. -

-
-
notify-delay
-

- The delay, in seconds, between sending sets of notify - messages for a zone. The default is zero. -

-
-
-
-

-Built-in server information zones

-

- The server provides some helpful diagnostic information - through a number of built-in zones under the - pseudo-top-level-domain bind in the - CHAOS class. These zones are part - of a - built-in view (see the section called “view Statement Grammar”) of - class - CHAOS which is separate from the - default view of - class IN; therefore, any global - server options - such as allow-query do not apply - the these zones. - If you feel the need to disable these zones, use the options - below, or hide the built-in CHAOS - view by - defining an explicit view of class CHAOS - that matches all clients. -

-
-
version
-

- The version the server should report - via a query of the name version.bind - with type TXT, class CHAOS. - The default is the real version number of this server. - Specifying version none - disables processing of the queries. -

-
hostname
-

- The hostname the server should report via a query of - the name hostname.bind - with type TXT, class CHAOS. - This defaults to the hostname of the machine hosting the - name server as - found by the gethostname() function. The primary purpose of such queries - is to - identify which of a group of anycast servers is actually - answering your queries. Specifying hostname none; - disables processing of the queries. -

-
server-id
-

- The ID of the server should report via a query of - the name ID.SERVER - with type TXT, class CHAOS. - The primary purpose of such queries is to - identify which of a group of anycast servers is actually - answering your queries. Specifying server-id none; - disables processing of the queries. - Specifying server-id hostname; will cause named to - use the hostname as found by the gethostname() function. - The default server-id is none. -

-
-
-
-

-Built-in Empty Zones

-

- Named has some built-in empty zones (SOA and NS records only). - These are for zones that should normally be answered locally - and which queries should not be sent to the Internet's root - servers. The official servers which cover these namespaces - return NXDOMAIN responses to these queries. In particular, - these cover the reverse namespace for addresses from RFC 1918 and - RFC 3330. They also include the reverse namespace for IPv6 local - address (locally assigned), IPv6 link local addresses, the IPv6 - loopback address and the IPv6 unknown addresss. -

-

- Named will attempt to determine if a built in zone already exists - or is active (covered by a forward-only forwarding declaration) - and will not not create a empty zone in that case. -

-

- The current list of empty zones is: -

-
    -
  • 10.IN-ADDR.ARPA
  • -
  • 127.IN-ADDR.ARPA
  • -
  • 254.169.IN-ADDR.ARPA
  • -
  • 16.172.IN-ADDR.ARPA
  • -
  • 17.172.IN-ADDR.ARPA
  • -
  • 18.172.IN-ADDR.ARPA
  • -
  • 19.172.IN-ADDR.ARPA
  • -
  • 20.172.IN-ADDR.ARPA
  • -
  • 21.172.IN-ADDR.ARPA
  • -
  • 22.172.IN-ADDR.ARPA
  • -
  • 23.172.IN-ADDR.ARPA
  • -
  • 24.172.IN-ADDR.ARPA
  • -
  • 25.172.IN-ADDR.ARPA
  • -
  • 26.172.IN-ADDR.ARPA
  • -
  • 27.172.IN-ADDR.ARPA
  • -
  • 28.172.IN-ADDR.ARPA
  • -
  • 29.172.IN-ADDR.ARPA
  • -
  • 30.172.IN-ADDR.ARPA
  • -
  • 31.172.IN-ADDR.ARPA
  • -
  • 168.192.IN-ADDR.ARPA
  • -
  • 2.0.192.IN-ADDR.ARPA
  • -
  • 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
  • -
  • 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
  • -
  • D.F.IP6.ARPA
  • -
  • 8.E.F.IP6.ARPA
  • -
  • 9.E.F.IP6.ARPA
  • -
  • A.E.F.IP6.ARPA
  • -
  • B.E.F.IP6.ARPA
  • -
-

-

-

- Empty zones are settable at the view level and only apply to - views of class IN. Disabled empty zones are only inherited - from options if there are no disabled empty zones specified - at the view level. To override the options list of disabled - zones, you can disable the root zone at the view level, for example: -

-
-            disable-empty-zone ".";
-
-

-

-

- If you are using the address ranges covered here, you should - already have reverse zones covering the addresses you use. - In practice this appears to not be the case with many queries - being made to the infrastructure servers for names in these - spaces. So many in fact that sacrificial servers were needed - to be deployed to channel the query load away from the - infrastructure servers. -

-
-

Note

- The real parent servers for these zones should disable all - empty zone under the parent zone they serve. For the real - root servers, this is all built in empty zones. This will - enable them to return referrals to deeper in the tree. -
-
-
empty-server
-

- Specify what server name will appear in the returned - SOA record for empty zones. If none is specified, then - the zone's name will be used. -

-
empty-contact
-

- Specify what contact name will appear in the returned - SOA record for empty zones. If none is specified, then - "." will be used. -

-
empty-zones-enable
-

- Enable or disable all empty zones. By default they - are enabled. -

-
disable-empty-zone
-

- Disable individual empty zones. By default none are - disabled. This option can be specified multiple times. -

-
-
-
-

-The Statistics File

-

- The statistics file generated by BIND 9 - is similar, but not identical, to that - generated by BIND 8. -

-

- The statistics dump begins with a line, like: -

-

- +++ Statistics Dump +++ (973798949) -

-

- The number in parentheses is a standard - Unix-style timestamp, measured as seconds since January 1, 1970. - Following - that line are a series of lines containing a counter type, the - value of the - counter, optionally a zone name, and optionally a view name. - The lines without view and zone listed are global statistics for - the entire server. - Lines with a zone and view name for the given view and zone (the - view name is - omitted for the default view). -

-

- The statistics dump ends with the line where the - number is identical to the number in the beginning line; for example: -

-

- --- Statistics Dump --- (973798949) -

-

- The following statistics counters are maintained: -

-
---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

success

-
-

- The number of - successful queries made to the server or zone. A - successful query - is defined as query which returns a NOERROR response - with at least - one answer RR. -

-
-

referral

-
-

- The number of queries which resulted - in referral responses. -

-
-

nxrrset

-
-

- The number of queries which resulted in - NOERROR responses with no data. -

-
-

nxdomain

-
-

- The number - of queries which resulted in NXDOMAIN responses. -

-
-

failure

-
-

- The number of queries which resulted in a - failure response other than those above. -

-
-

recursion

-
-

- The number of queries which caused the server - to perform recursion in order to find the final answer. -

-
-

duplicate

-
-

- The number of queries which the server attempted to - recurse but discover a existing query with the same - IP address, port, query id, name, type and class - already being processed. -

-
-

dropped

-
-

- The number of queries for which the server - discovered a excessive number of existing - recursive queries for the same name, type and - class and were subsequently dropped. -

-
-

- Each query received by the server will cause exactly one of - success, - referral, - nxrrset, - nxdomain, or - failure - to be incremented, and may additionally cause the - recursion counter to be - incremented. -

-
-
-

-Additional Section Caching

-

- The additional section cache, also called acache, - is an internal cache to improve the response performance of BIND 9. - When additional section caching is enabled, BIND 9 will - cache an internal short-cut to the additional section content for - each answer RR. - Note that acache is an internal caching - mechanism of BIND 9, and is not related to the DNS caching - server function. -

-

- Additional section caching does not change the - response content (except the RRsets ordering of the additional - section, see below), but can improve the response performance - significantly. - It is particularly effective when BIND 9 acts as an authoritative - server for a zone that has many delegations with many glue RRs. -

-

- In order to obtain the maximum performance improvement - from additional section caching, setting - additional-from-cache - to no is recommended, since the current - implementation of acache - does not short-cut of additional section information from the - DNS cache data. -

-

- One obvious disadvantage of acache is - that it requires much more - memory for the internal cached data. - Thus, if the response performance does not matter and memory - consumption is much more critical, the - acache mechanism can be - disabled by setting acache-enable to - no. - It is also possible to specify the upper limit of memory - consumption - for acache by using max-acache-size. -

-

- Additional section caching also has a minor effect on the - RRset ordering in the additional section. - Without acache, - cyclic order is effective for the additional - section as well as the answer and authority sections. - However, additional section caching fixes the ordering when it - first caches an RRset for the additional section, and the same - ordering will be kept in succeeding responses, regardless of the - setting of rrset-order. - The effect of this should be minor, however, since an - RRset in the additional section - typically only contains a small number of RRs (and in many cases - it only contains a single RR), in which case the - ordering does not matter much. -

-

- The following is a summary of options related to - acache. -

-
-
acache-enable
-

- If yes, additional section caching is - enabled. The default value is no. -

-
acache-cleaning-interval
-

- The server will remove stale cache entries, based on an LRU - based - algorithm, every acache-cleaning-interval minutes. - The default is 60 minutes. - If set to 0, no periodic cleaning will occur. -

-
max-acache-size
-

- The maximum amount of memory in bytes to use for the server's acache. - When the amount of data in the acache reaches this limit, - the server - will clean more aggressively so that the limit is not - exceeded. - In a server with multiple views, the limit applies - separately to the - acache of each view. - The default is unlimited, - meaning that - entries are purged from the acache only at the - periodic cleaning time. -

-
-
-
-
-

-server Statement Grammar

-
server ip_addr[/prefixlen] {
-    [ bogus yes_or_no ; ]
-    [ provide-ixfr yes_or_no ; ]
-    [ request-ixfr yes_or_no ; ]
-    [ edns yes_or_no ; ]
-    [ edns-udp-size number ; ]
-    [ max-udp-size number ; ]
-    [ transfers number ; ]
-    [ transfer-format ( one-answer | many-answers ) ; ]]
-    [ keys { string ; [ string ; [...]] } ; ]
-    [ transfer-source (ip4_addr | *) [port ip_port] ; ]
-    [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
-    [ notify-source (ip4_addr | *) [port ip_port] ; ]
-    [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
-    [ query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ]
-    [ query-source-v6 [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ]
-};
-
-
-
-

-server Statement Definition and - Usage

-

- The server statement defines - characteristics - to be associated with a remote name server. If a prefix length is - specified, then a range of servers is covered. Only the most - specific - server clause applies regardless of the order in - named.conf. -

-

- The server statement can occur at - the top level of the - configuration file or inside a view - statement. - If a view statement contains - one or more server statements, only - those - apply to the view and any top-level ones are ignored. - If a view contains no server - statements, - any top-level server statements are - used as - defaults. -

-

- If you discover that a remote server is giving out bad data, - marking it as bogus will prevent further queries to it. The - default - value of bogus is no. -

-

- The provide-ixfr clause determines - whether - the local server, acting as master, will respond with an - incremental - zone transfer when the given remote server, a slave, requests it. - If set to yes, incremental transfer - will be provided - whenever possible. If set to no, - all transfers - to the remote server will be non-incremental. If not set, the - value - of the provide-ixfr option in the - view or - global options block is used as a default. -

-

- The request-ixfr clause determines - whether - the local server, acting as a slave, will request incremental zone - transfers from the given remote server, a master. If not set, the - value of the request-ixfr option in - the view or - global options block is used as a default. -

-

- IXFR requests to servers that do not support IXFR will - automatically - fall back to AXFR. Therefore, there is no need to manually list - which servers support IXFR and which ones do not; the global - default - of yes should always work. - The purpose of the provide-ixfr and - request-ixfr clauses is - to make it possible to disable the use of IXFR even when both - master - and slave claim to support it, for example if one of the servers - is buggy and crashes or corrupts data when IXFR is used. -

-

- The edns clause determines whether - the local server will attempt to use EDNS when communicating - with the remote server. The default is yes. -

-

- The edns-udp-size option sets the EDNS UDP size - that is advertised by named when querying the remote server. - Valid values are 512 to 4096 bytes (values outside this range will be - silently adjusted). This option is useful when you wish to - advertises a different value to this server than the value you - advertise globally, for example, when there is a firewall at the - remote site that is blocking large replies. -

-

- The max-udp-size option sets the - maximum EDNS UDP message size named will send. Valid - values are 512 to 4096 bytes (values outside this range will - be silently adjusted). This option is useful when you - know that there is a firewall that is blocking large - replies from named. -

-

- The server supports two zone transfer methods. The first, one-answer, - uses one DNS message per resource record transferred. many-answers packs - as many resource records as possible into a message. many-answers is - more efficient, but is only known to be understood by BIND 9, BIND - 8.x, and patched versions of BIND - 4.9.5. You can specify which method - to use for a server with the transfer-format option. - If transfer-format is not - specified, the transfer-format - specified - by the options statement will be - used. -

-

transfers - is used to limit the number of concurrent inbound zone - transfers from the specified server. If no - transfers clause is specified, the - limit is set according to the - transfers-per-ns option. -

-

- The keys clause identifies a - key_id defined by the key statement, - to be used for transaction security (TSIG, the section called “TSIG”) - when talking to the remote server. - When a request is sent to the remote server, a request signature - will be generated using the key specified here and appended to the - message. A request originating from the remote server is not - required - to be signed by this key. -

-

- Although the grammar of the keys - clause - allows for multiple keys, only a single key per server is - currently - supported. -

-

- The transfer-source and - transfer-source-v6 clauses specify - the IPv4 and IPv6 source - address to be used for zone transfer with the remote server, - respectively. - For an IPv4 remote server, only transfer-source can - be specified. - Similarly, for an IPv6 remote server, only - transfer-source-v6 can be - specified. - For more details, see the description of - transfer-source and - transfer-source-v6 in - the section called “Zone Transfers”. -

-

- The notify-source and - notify-source-v6 clauses specify the - IPv4 and IPv6 source address to be used for notify - messages sent to remote servers, respectively. For an - IPv4 remote server, only notify-source - can be specified. Similarly, for an IPv6 remote server, - only notify-source-v6 can be specified. -

-

- The query-source and - query-source-v6 clauses specify the - IPv4 and IPv6 source address to be used for queries - sent to remote servers, respectively. For an IPv4 - remote server, only query-source can - be specified. Similarly, for an IPv6 remote server, - only query-source-v6 can be specified. -

-
-
-

-trusted-keys Statement Grammar

-
trusted-keys {
-    string number number number string ;
-    [ string number number number string ; [...]]
-};
-
-
-
-

-trusted-keys Statement Definition - and Usage

-

- The trusted-keys statement defines - DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the - public key for a non-authoritative zone is known, but - cannot be securely obtained through DNS, either because - it is the DNS root zone or because its parent zone is - unsigned. Once a key has been configured as a trusted - key, it is treated as if it had been validated and - proven secure. The resolver attempts DNSSEC validation - on all DNS data in subdomains of a security root. -

-

- All keys (and corresponding zones) listed in - trusted-keys are deemed to exist regardless - of what parent zones say. Similarly for all keys listed in - trusted-keys only those keys are - used to validate the DNSKEY RRset. The parent's DS RRset - will not be used. -

-

- The trusted-keys statement can contain - multiple key entries, each consisting of the key's - domain name, flags, protocol, algorithm, and the Base-64 - representation of the key data. -

-
-
-

-view Statement Grammar

-
view view_name
-      [class] {
-      match-clients { address_match_list };
-      match-destinations { address_match_list };
-      match-recursive-only yes_or_no ;
-      [ view_option; ...]
-      [ zone_statement; ...]
-};
-
-
-
-

-view Statement Definition and Usage

-

- The view statement is a powerful - feature - of BIND 9 that lets a name server - answer a DNS query differently - depending on who is asking. It is particularly useful for - implementing - split DNS setups without having to run multiple servers. -

-

- Each view statement defines a view - of the - DNS namespace that will be seen by a subset of clients. A client - matches - a view if its source IP address matches the - address_match_list of the view's - match-clients clause and its - destination IP address matches - the address_match_list of the - view's - match-destinations clause. If not - specified, both - match-clients and match-destinations - default to matching all addresses. In addition to checking IP - addresses - match-clients and match-destinations - can also take keys which provide an - mechanism for the - client to select the view. A view can also be specified - as match-recursive-only, which - means that only recursive - requests from matching clients will match that view. - The order of the view statements is - significant — - a client request will be resolved in the context of the first - view that it matches. -

-

- Zones defined within a view - statement will - be only be accessible to clients that match the view. - By defining a zone of the same name in multiple views, different - zone data can be given to different clients, for example, - "internal" - and "external" clients in a split DNS setup. -

-

- Many of the options given in the options statement - can also be used within a view - statement, and then - apply only when resolving queries with that view. When no - view-specific - value is given, the value in the options statement - is used as a default. Also, zone options can have default values - specified - in the view statement; these - view-specific defaults - take precedence over those in the options statement. -

-

- Views are class specific. If no class is given, class IN - is assumed. Note that all non-IN views must contain a hint zone, - since only the IN class has compiled-in default hints. -

-

- If there are no view statements in - the config - file, a default view that matches any client is automatically - created - in class IN. Any zone statements - specified on - the top level of the configuration file are considered to be part - of - this default view, and the options - statement will - apply to the default view. If any explicit view - statements are present, all zone - statements must - occur inside view statements. -

-

- Here is an example of a typical split DNS setup implemented - using view statements: -

-
view "internal" {
-      // This should match our internal networks.
-      match-clients { 10.0.0.0/8; };
-
-      // Provide recursive service to internal clients only.
-      recursion yes;
-
-      // Provide a complete view of the example.com zone
-      // including addresses of internal hosts.
-      zone "example.com" {
-            type master;
-            file "example-internal.db";
-      };
-};
-
-view "external" {
-      // Match all clients not matched by the previous view.
-      match-clients { any; };
-
-      // Refuse recursive service to external clients.
-      recursion no;
-
-      // Provide a restricted view of the example.com zone
-      // containing only publicly accessible hosts.
-      zone "example.com" {
-           type master;
-           file "example-external.db";
-      };
-};
-
-
-
-

-zone - Statement Grammar

-
zone zone_name [class] {
-    type master;
-    [ allow-query { address_match_list }; ]
-    [ allow-transfer { address_match_list }; ]
-    [ allow-update { address_match_list }; ]
-    [ update-policy { update_policy_rule [...] }; ]
-    [ also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
-    [ check-names (warn|fail|ignore) ; ]
-    [ check-mx (warn|fail|ignore) ; ]
-    [ check-wildcard yes_or_no; ]
-    [ check-integrity yes_or_no ; ]
-    [ dialup dialup_option ; ]
-    [ file string ; ]
-    [ masterfile-format (text|raw) ; ]
-    [ journal string ; ]
-    [ forward (only|first) ; ]
-    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
-    [ ixfr-base string ; ]
-    [ ixfr-tmp-file string ; ]
-    [ maintain-ixfr-base yes_or_no ; ]
-    [ max-ixfr-log-size number ; ]
-    [ max-transfer-idle-out number ; ]
-    [ max-transfer-time-out number ; ]
-    [ notify yes_or_no | explicit | master-only ; ]
-    [ notify-delay seconds ; ]
-    [ pubkey number number number string ; ]
-    [ notify-source (ip4_addr | *) [port ip_port] ; ]
-    [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
-    [ zone-statistics yes_or_no ; ]
-    [ sig-validity-interval number ; ]
-    [ database string ; ]
-    [ min-refresh-time number ; ]
-    [ max-refresh-time number ; ]
-    [ min-retry-time number ; ]
-    [ max-retry-time number ; ]
-    [ key-directory path_name; ]
-    [ zero-no-soa-ttl yes_or_no ; ]
-};
-
-zone zone_name [class] {
-    type slave;
-    [ allow-notify { address_match_list }; ]
-    [ allow-query { address_match_list }; ]
-    [ allow-transfer { address_match_list }; ]
-    [ allow-update-forwarding { address_match_list }; ]
-    [ update-check-ksk yes_or_no; ]
-    [ also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
-    [ check-names (warn|fail|ignore) ; ]
-    [ dialup dialup_option ; ]
-    [ file string ; ]
-    [ masterfile-format (text|raw) ; ]
-    [ journal string ; ]
-    [ forward (only|first) ; ]
-    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
-    [ ixfr-base string ; ]
-    [ ixfr-tmp-file string ; ]
-    [ maintain-ixfr-base yes_or_no ; ]
-    [ masters [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] }; ]
-    [ max-ixfr-log-size number ; ]
-    [ max-transfer-idle-in number ; ]
-    [ max-transfer-idle-out number ; ]
-    [ max-transfer-time-in number ; ]
-    [ max-transfer-time-out number ; ]
-    [ notify yes_or_no | explicit | master-only ; ]
-    [ pubkey number number number string ; ]
-    [ transfer-source (ip4_addr | *) [port ip_port] ; ]
-    [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
-    [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ]
-    [ alt-transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
-    [ use-alt-transfer-source yes_or_no; ]
-    [ notify-source (ip4_addr | *) [port ip_port] ; ]
-    [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
-    [ zone-statistics yes_or_no ; ]
-    [ database string ; ]
-    [ min-refresh-time number ; ]
-    [ max-refresh-time number ; ]
-    [ min-retry-time number ; ]
-    [ max-retry-time number ; ]
-    [ multi-master yes_or_no ; ]
-    [ zero-no-soa-ttl yes_or_no ; ]
-};
-
-zone zone_name [class] {
-    type hint;
-    file string ;
-    [ delegation-only yes_or_no ; ]
-    [ check-names (warn|fail|ignore) ; // Not Implemented. ]
-};
-
-zone zone_name [class] {
-    type stub;
-    [ allow-query { address_match_list }; ]
-    [ check-names (warn|fail|ignore) ; ]
-    [ dialup dialup_option ; ]
-    [ delegation-only yes_or_no ; ]
-    [ file string ; ]
-    [ masterfile-format (text|raw) ; ]
-    [ forward (only|first) ; ]
-    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
-    [ masters [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] }; ]
-    [ max-transfer-idle-in number ; ]
-    [ max-transfer-time-in number ; ]
-    [ pubkey number number number string ; ]
-    [ transfer-source (ip4_addr | *) [port ip_port] ; ]
-    [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
-    [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ]
-    [ alt-transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
-    [ use-alt-transfer-source yes_or_no; ]
-    [ zone-statistics yes_or_no ; ]
-    [ database string ; ]
-    [ min-refresh-time number ; ]
-    [ max-refresh-time number ; ]
-    [ min-retry-time number ; ]
-    [ max-retry-time number ; ]
-    [ multi-master yes_or_no ; ]
-};
-
-zone zone_name [class] {
-    type forward;
-    [ forward (only|first) ; ]
-    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
-    [ delegation-only yes_or_no ; ]
-};
-
-zone zone_name [class] {
-    type delegation-only;
-};
-
-
-
-
-

-zone Statement Definition and Usage

-
-

-Zone Types

-
---- - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

- master -

-
-

- The server has a master copy of the data - for the zone and will be able to provide authoritative - answers for - it. -

-
-

- slave -

-
-

- A slave zone is a replica of a master - zone. The masters list - specifies one or more IP addresses - of master servers that the slave contacts to update - its copy of the zone. - Masters list elements can also be names of other - masters lists. - By default, transfers are made from port 53 on the - servers; this can - be changed for all servers by specifying a port number - before the - list of IP addresses, or on a per-server basis after - the IP address. - Authentication to the master can also be done with - per-server TSIG keys. - If a file is specified, then the - replica will be written to this file whenever the zone - is changed, - and reloaded from this file on a server restart. Use - of a file is - recommended, since it often speeds server startup and - eliminates - a needless waste of bandwidth. Note that for large - numbers (in the - tens or hundreds of thousands) of zones per server, it - is best to - use a two-level naming scheme for zone filenames. For - example, - a slave server for the zone example.com might place - the zone contents into a file called - ex/example.com where ex/ is - just the first two letters of the zone name. (Most - operating systems - behave very slowly if you put 100 000 files into - a single directory.) -

-
-

- stub -

-
-

- A stub zone is similar to a slave zone, - except that it replicates only the NS records of a - master zone instead - of the entire zone. Stub zones are not a standard part - of the DNS; - they are a feature specific to the BIND implementation. -

- -

- Stub zones can be used to eliminate the need for glue - NS record - in a parent zone at the expense of maintaining a stub - zone entry and - a set of name server addresses in named.conf. - This usage is not recommended for new configurations, - and BIND 9 - supports it only in a limited way. - In BIND 4/8, zone - transfers of a parent zone - included the NS records from stub children of that - zone. This meant - that, in some cases, users could get away with - configuring child stubs - only in the master server for the parent zone. BIND - 9 never mixes together zone data from different zones - in this - way. Therefore, if a BIND 9 master serving a parent - zone has child stub zones configured, all the slave - servers for the - parent zone also need to have the same child stub - zones - configured. -

- -

- Stub zones can also be used as a way of forcing the - resolution - of a given domain to use a particular set of - authoritative servers. - For example, the caching name servers on a private - network using - RFC1918 addressing may be configured with stub zones - for - 10.in-addr.arpa - to use a set of internal name servers as the - authoritative - servers for that domain. -

-
-

- forward -

-
-

- A "forward zone" is a way to configure - forwarding on a per-domain basis. A zone statement - of type forward can - contain a forward - and/or forwarders - statement, - which will apply to queries within the domain given by - the zone - name. If no forwarders - statement is present or - an empty list for forwarders is given, then no - forwarding will be done for the domain, canceling the - effects of - any forwarders in the options statement. Thus - if you want to use this type of zone to change the - behavior of the - global forward option - (that is, "forward first" - to, then "forward only", or vice versa, but want to - use the same - servers as set globally) you need to re-specify the - global forwarders. -

-
-

- hint -

-
-

- The initial set of root name servers is - specified using a "hint zone". When the server starts - up, it uses - the root hints to find a root name server and get the - most recent - list of root name servers. If no hint zone is - specified for class - IN, the server uses a compiled-in default set of root - servers hints. - Classes other than IN have no built-in defaults hints. -

-
-

- delegation-only -

-
-

- This is used to enforce the delegation-only - status of infrastructure zones (e.g. COM, NET, ORG). - Any answer that - is received without an explicit or implicit delegation - in the authority - section will be treated as NXDOMAIN. This does not - apply to the zone - apex. This should not be applied to leaf zones. -

-

- delegation-only has no - effect on answers received - from forwarders. -

-
-
-
-

-Class

-

- The zone's name may optionally be followed by a class. If - a class is not specified, class IN (for Internet), - is assumed. This is correct for the vast majority of cases. -

-

- The hesiod class is - named for an information service from MIT's Project Athena. It - is - used to share information about various systems databases, such - as users, groups, printers and so on. The keyword - HS is - a synonym for hesiod. -

-

- Another MIT development is Chaosnet, a LAN protocol created - in the mid-1970s. Zone data for it can be specified with the CHAOS class. -

-
-
-

-Zone Options

-
-
allow-notify
-

- See the description of - allow-notify in the section called “Access Control”. -

-
allow-query
-

- See the description of - allow-query in the section called “Access Control”. -

-
allow-transfer
-

- See the description of allow-transfer - in the section called “Access Control”. -

-
allow-update
-

- See the description of allow-update - in the section called “Access Control”. -

-
update-policy
-

- Specifies a "Simple Secure Update" policy. See - the section called “Dynamic Update Policies”. -

-
allow-update-forwarding
-

- See the description of allow-update-forwarding - in the section called “Access Control”. -

-
also-notify
-

- Only meaningful if notify - is - active for this zone. The set of machines that will - receive a - DNS NOTIFY message - for this zone is made up of all the listed name servers - (other than - the primary master) for the zone plus any IP addresses - specified - with also-notify. A port - may be specified - with each also-notify - address to send the notify - messages to a port other than the default of 53. - also-notify is not - meaningful for stub zones. - The default is the empty list. -

-
check-names
-

- This option is used to restrict the character set and - syntax of - certain domain names in master files and/or DNS responses - received from the - network. The default varies according to zone type. For master zones the default is fail. For slave - zones the default is warn. -

-
check-mx
-

- See the description of - check-mx in the section called “Boolean Options”. -

-
check-wildcard
-

- See the description of - check-wildcard in the section called “Boolean Options”. -

-
check-integrity
-

- See the description of - check-integrity in the section called “Boolean Options”. -

-
check-sibling
-

- See the description of - check-sibling in the section called “Boolean Options”. -

-
zero-no-soa-ttl
-

- See the description of - zero-no-soa-ttl in the section called “Boolean Options”. -

-
update-check-ksk
-

- See the description of - update-check-ksk in the section called “Boolean Options”. -

-
database
-
-

- Specify the type of database to be used for storing the - zone data. The string following the database keyword - is interpreted as a list of whitespace-delimited words. - The first word - identifies the database type, and any subsequent words are - passed - as arguments to the database to be interpreted in a way - specific - to the database type. -

-

- The default is "rbt", BIND 9's - native in-memory - red-black-tree database. This database does not take - arguments. -

-

- Other values are possible if additional database drivers - have been linked into the server. Some sample drivers are - included - with the distribution but none are linked in by default. -

-
-
dialup
-

- See the description of - dialup in the section called “Boolean Options”. -

-
delegation-only
-

- The flag only applies to hint and stub zones. If set - to yes, then the zone will also be - treated as if it - is also a delegation-only type zone. -

-
forward
-

- Only meaningful if the zone has a forwarders - list. The only value causes - the lookup to fail - after trying the forwarders and getting no answer, while first would - allow a normal lookup to be tried. -

-
forwarders
-

- Used to override the list of global forwarders. - If it is not specified in a zone of type forward, - no forwarding is done for the zone and the global options are - not used. -

-
ixfr-base
-

- Was used in BIND 8 to - specify the name - of the transaction log (journal) file for dynamic update - and IXFR. - BIND 9 ignores the option - and constructs the name of the journal - file by appending ".jnl" - to the name of the - zone file. -

-
ixfr-tmp-file
-

- Was an undocumented option in BIND 8. - Ignored in BIND 9. -

-
journal
-

- Allow the default journal's filename to be overridden. - The default is the zone's filename with ".jnl" appended. - This is applicable to master and slave zones. -

-
max-transfer-time-in
-

- See the description of - max-transfer-time-in in the section called “Zone Transfers”. -

-
max-transfer-idle-in
-

- See the description of - max-transfer-idle-in in the section called “Zone Transfers”. -

-
max-transfer-time-out
-

- See the description of - max-transfer-time-out in the section called “Zone Transfers”. -

-
max-transfer-idle-out
-

- See the description of - max-transfer-idle-out in the section called “Zone Transfers”. -

-
notify
-

- See the description of - notify in the section called “Boolean Options”. -

-
notify-delay
-

- See the description of - notify-delay in the section called “Tuning”. -

-
pubkey
-

- In BIND 8, this option was - intended for specifying - a public zone key for verification of signatures in DNSSEC - signed - zones when they are loaded from disk. BIND 9 does not verify signatures - on load and ignores the option. -

-
zone-statistics
-

- If yes, the server will keep - statistical - information for this zone, which can be dumped to the - statistics-file defined in - the server options. -

-
sig-validity-interval
-

- See the description of - sig-validity-interval in the section called “Tuning”. -

-
transfer-source
-

- See the description of - transfer-source in the section called “Zone Transfers”. -

-
transfer-source-v6
-

- See the description of - transfer-source-v6 in the section called “Zone Transfers”. -

-
alt-transfer-source
-

- See the description of - alt-transfer-source in the section called “Zone Transfers”. -

-
alt-transfer-source-v6
-

- See the description of - alt-transfer-source-v6 in the section called “Zone Transfers”. -

-
use-alt-transfer-source
-

- See the description of - use-alt-transfer-source in the section called “Zone Transfers”. -

-
notify-source
-

- See the description of - notify-source in the section called “Zone Transfers”. -

-
notify-source-v6
-

- See the description of - notify-source-v6 in the section called “Zone Transfers”. -

-
-min-refresh-time, max-refresh-time, min-retry-time, max-retry-time -
-

- See the description in the section called “Tuning”. -

-
ixfr-from-differences
-

- See the description of - ixfr-from-differences in the section called “Boolean Options”. -

-
key-directory
-

- See the description of - key-directory in the section called “options Statement Definition and - Usage”. -

-
multi-master
-

- See the description of multi-master in - the section called “Boolean Options”. -

-
masterfile-format
-

- See the description of masterfile-format - in the section called “Tuning”. -

-
-
-
-

-Dynamic Update Policies

-

- BIND 9 supports two alternative - methods of granting clients - the right to perform dynamic updates to a zone, - configured by the allow-update - and - update-policy option, - respectively. -

-

- The allow-update clause works the - same - way as in previous versions of BIND. It grants given clients the - permission to update any record of any name in the zone. -

-

- The update-policy clause is new - in BIND - 9 and allows more fine-grained control over what updates are - allowed. - A set of rules is specified, where each rule either grants or - denies - permissions for one or more names to be updated by one or more - identities. - If the dynamic update request message is signed (that is, it - includes - either a TSIG or SIG(0) record), the identity of the signer can - be determined. -

-

- Rules are specified in the update-policy zone - option, and are only meaningful for master zones. When the update-policy statement - is present, it is a configuration error for the allow-update statement - to be present. The update-policy - statement only - examines the signer of a message; the source address is not - relevant. -

-

- This is how a rule definition looks: -

-
-( grant | deny ) identity nametype name [ types ]
-
-

- Each rule grants or denies privileges. Once a message has - successfully matched a rule, the operation is immediately - granted - or denied and no further rules are examined. A rule is matched - when the signer matches the identity field, the name matches the - name field in accordance with the nametype field, and the type - matches - the types specified in the type field. -

-

- The identity field specifies a name or a wildcard name. - Normally, this - is the name of the TSIG or SIG(0) key used to sign the update - request. When a - TKEY exchange has been used to create a shared secret, the - identity of the - shared secret is the same as the identity of the key used to - authenticate the - TKEY exchange. When the identity field specifies a - wildcard name, it is subject to DNS wildcard expansion, so the - rule will apply - to multiple identities. The identity field must - contain a fully-qualified domain name. -

-

- The nametype field has 6 - values: - name, subdomain, - wildcard, self, - selfsub, and selfwild. -

-
---- - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

- name -

-
-

- Exact-match semantics. This rule matches - when the name being updated is identical - to the contents of the - name field. -

-
-

- subdomain -

-
-

- This rule matches when the name being updated - is a subdomain of, or identical to, the - contents of the name - field. -

-
-

- wildcard -

-
-

- The name field - is subject to DNS wildcard expansion, and - this rule matches when the name being updated - name is a valid expansion of the wildcard. -

-
-

- self -

-
-

- This rule matches when the name being updated - matches the contents of the - identity field. - The name field - is ignored, but should be the same as the - identity field. - The self nametype is - most useful when allowing using one key per - name to update, where the key has the same - name as the name to be updated. The - identity would - be specified as * (an asterisk) in - this case. -

-
-

- selfsub -

-
-

- This rule is similar to self - except that subdomains of self - can also be updated. -

-
-

- selfwild -

-
-

- This rule is similar to self - except that only subdomains of - self can be updated. -

-
-

- In all cases, the name - field must - specify a fully-qualified domain name. -

-

- If no types are explicitly specified, this rule matches all - types except - RRSIG, NS, SOA, and NSEC. Types may be specified by name, including - "ANY" (ANY matches all types except NSEC, which can never be - updated). - Note that when an attempt is made to delete all records - associated with a - name, the rules are checked for each existing record type. -

-
-
-
-
-

-Zone File

-
-

-Types of Resource Records and When to Use Them

-

- This section, largely borrowed from RFC 1034, describes the - concept of a Resource Record (RR) and explains when each is used. - Since the publication of RFC 1034, several new RRs have been - identified - and implemented in the DNS. These are also included. -

-
-

-Resource Records

-

- A domain name identifies a node. Each node has a set of - resource information, which may be empty. The set of resource - information associated with a particular name is composed of - separate RRs. The order of RRs in a set is not significant and - need not be preserved by name servers, resolvers, or other - parts of the DNS. However, sorting of multiple RRs is - permitted for optimization purposes, for example, to specify - that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”. -

-

- The components of a Resource Record are: -

-
---- - - - - - - - - - - - - - - - - - - - - - - -
-

- owner name -

-
-

- The domain name where the RR is found. -

-
-

- type -

-
-

- An encoded 16-bit value that specifies - the type of the resource record. -

-
-

- TTL -

-
-

- The time-to-live of the RR. This field - is a 32-bit integer in units of seconds, and is - primarily used by - resolvers when they cache RRs. The TTL describes how - long a RR can - be cached before it should be discarded. -

-
-

- class -

-
-

- An encoded 16-bit value that identifies - a protocol family or instance of a protocol. -

-
-

- RDATA -

-
-

- The resource data. The format of the - data is type (and sometimes class) specific. -

-
-

- The following are types of valid RRs: -

-
---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

- A -

-
-

- A host address. In the IN class, this is a - 32-bit IP address. Described in RFC 1035. -

-
-

- AAAA -

-
-

- IPv6 address. Described in RFC 1886. -

-
-

- A6 -

-
-

- IPv6 address. This can be a partial - address (a suffix) and an indirection to the name - where the rest of the - address (the prefix) can be found. Experimental. - Described in RFC 2874. -

-
-

- AFSDB -

-
-

- Location of AFS database servers. - Experimental. Described in RFC 1183. -

-
-

- APL -

-
-

- Address prefix list. Experimental. - Described in RFC 3123. -

-
-

- CERT -

-
-

- Holds a digital certificate. - Described in RFC 2538. -

-
-

- CNAME -

-
-

- Identifies the canonical name of an alias. - Described in RFC 1035. -

-
-

- DNAME -

-
-

- Replaces the domain name specified with - another name to be looked up, effectively aliasing an - entire - subtree of the domain name space rather than a single - record - as in the case of the CNAME RR. - Described in RFC 2672. -

-
-

- DNSKEY -

-
-

- Stores a public key associated with a signed - DNS zone. Described in RFC 4034. -

-
-

- DS -

-
-

- Stores the hash of a public key associated with a - signed DNS zone. Described in RFC 4034. -

-
-

- GPOS -

-
-

- Specifies the global position. Superseded by LOC. -

-
-

- HINFO -

-
-

- Identifies the CPU and OS used by a host. - Described in RFC 1035. -

-
-

- ISDN -

-
-

- Representation of ISDN addresses. - Experimental. Described in RFC 1183. -

-
-

- KEY -

-
-

- Stores a public key associated with a - DNS name. Used in original DNSSEC; replaced - by DNSKEY in DNSSECbis, but still used with - SIG(0). Described in RFCs 2535 and 2931. -

-
-

- KX -

-
-

- Identifies a key exchanger for this - DNS name. Described in RFC 2230. -

-
-

- LOC -

-
-

- For storing GPS info. Described in RFC 1876. - Experimental. -

-
-

- MX -

-
-

- Identifies a mail exchange for the domain with - a 16-bit preference value (lower is better) - followed by the host name of the mail exchange. - Described in RFC 974, RFC 1035. -

-
-

- NAPTR -

-
-

- Name authority pointer. Described in RFC 2915. -

-
-

- NSAP -

-
-

- A network service access point. - Described in RFC 1706. -

-
-

- NS -

-
-

- The authoritative name server for the - domain. Described in RFC 1035. -

-
-

- NSEC -

-
-

- Used in DNSSECbis to securely indicate that - RRs with an owner name in a certain name interval do - not exist in - a zone and indicate what RR types are present for an - existing name. - Described in RFC 4034. -

-
-

- NXT -

-
-

- Used in DNSSEC to securely indicate that - RRs with an owner name in a certain name interval do - not exist in - a zone and indicate what RR types are present for an - existing name. - Used in original DNSSEC; replaced by NSEC in - DNSSECbis. - Described in RFC 2535. -

-
-

- PTR -

-
-

- A pointer to another part of the domain - name space. Described in RFC 1035. -

-
-

- PX -

-
-

- Provides mappings between RFC 822 and X.400 - addresses. Described in RFC 2163. -

-
-

- RP -

-
-

- Information on persons responsible - for the domain. Experimental. Described in RFC 1183. -

-
-

- RRSIG -

-
-

- Contains DNSSECbis signature data. Described - in RFC 4034. -

-
-

- RT -

-
-

- Route-through binding for hosts that - do not have their own direct wide area network - addresses. - Experimental. Described in RFC 1183. -

-
-

- SIG -

-
-

- Contains DNSSEC signature data. Used in - original DNSSEC; replaced by RRSIG in - DNSSECbis, but still used for SIG(0). - Described in RFCs 2535 and 2931. -

-
-

- SOA -

-
-

- Identifies the start of a zone of authority. - Described in RFC 1035. -

-
-

- SRV -

-
-

- Information about well known network - services (replaces WKS). Described in RFC 2782. -

-
-

- TXT -

-
-

- Text records. Described in RFC 1035. -

-
-

- WKS -

-
-

- Information about which well known - network services, such as SMTP, that a domain - supports. Historical. -

-
-

- X25 -

-
-

- Representation of X.25 network addresses. - Experimental. Described in RFC 1183. -

-
-

- The following classes of resource records - are currently valid in the DNS: -

-
---- - - - - - - - - - - - - - - -
-

- IN -

-
-

- The Internet. -

-
-

- CH -

-
-

- Chaosnet, a LAN protocol created at MIT in the - mid-1970s. - Rarely used for its historical purpose, but reused for - BIND's - built-in server information zones, e.g., - version.bind. -

-
-

- HS -

-
-

- Hesiod, an information service - developed by MIT's Project Athena. It is used to share - information - about various systems databases, such as users, - groups, printers - and so on. -

-
-

- The owner name is often implicit, rather than forming an - integral - part of the RR. For example, many name servers internally form - tree - or hash structures for the name space, and chain RRs off nodes. - The remaining RR parts are the fixed header (type, class, TTL) - which is consistent for all RRs, and a variable part (RDATA) - that - fits the needs of the resource being described. -

-

- The meaning of the TTL field is a time limit on how long an - RR can be kept in a cache. This limit does not apply to - authoritative - data in zones; it is also timed out, but by the refreshing - policies - for the zone. The TTL is assigned by the administrator for the - zone where the data originates. While short TTLs can be used to - minimize caching, and a zero TTL prohibits caching, the - realities - of Internet performance suggest that these times should be on - the - order of days for the typical host. If a change can be - anticipated, - the TTL can be reduced prior to the change to minimize - inconsistency - during the change, and then increased back to its former value - following - the change. -

-

- The data in the RDATA section of RRs is carried as a combination - of binary strings and domain names. The domain names are - frequently - used as "pointers" to other data in the DNS. -

-
-
-

-Textual expression of RRs

-

- RRs are represented in binary form in the packets of the DNS - protocol, and are usually represented in highly encoded form - when - stored in a name server or resolver. In the examples provided - in - RFC 1034, a style similar to that used in master files was - employed - in order to show the contents of RRs. In this format, most RRs - are shown on a single line, although continuation lines are - possible - using parentheses. -

-

- The start of the line gives the owner of the RR. If a line - begins with a blank, then the owner is assumed to be the same as - that of the previous RR. Blank lines are often included for - readability. -

-

- Following the owner, we list the TTL, type, and class of the - RR. Class and type use the mnemonics defined above, and TTL is - an integer before the type field. In order to avoid ambiguity - in - parsing, type and class mnemonics are disjoint, TTLs are - integers, - and the type mnemonic is always last. The IN class and TTL - values - are often omitted from examples in the interests of clarity. -

-

- The resource data or RDATA section of the RR are given using - knowledge of the typical representation for the data. -

-

- For example, we might show the RRs carried in a message as: -

-
----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

- ISI.EDU. -

-
-

- MX -

-
-

- 10 VENERA.ISI.EDU. -

-
-

-
-

- MX -

-
-

- 10 VAXA.ISI.EDU -

-
-

- VENERA.ISI.EDU -

-
-

- A -

-
-

- 128.9.0.32 -

-
-

-
-

- A -

-
-

- 10.1.0.52 -

-
-

- VAXA.ISI.EDU -

-
-

- A -

-
-

- 10.2.0.27 -

-
-

-
-

- A -

-
-

- 128.9.0.33 -

-
-

- The MX RRs have an RDATA section which consists of a 16-bit - number followed by a domain name. The address RRs use a - standard - IP address format to contain a 32-bit internet address. -

-

- The above example shows six RRs, with two RRs at each of three - domain names. -

-

- Similarly we might see: -

-
----- - - - - - - - - - - - - -
-

- XX.LCS.MIT.EDU. -

-
-

- IN A -

-
-

- 10.0.0.44 -

-
  -

- CH A -

-
-

- MIT.EDU. 2420 -

-
-

- This example shows two addresses for - XX.LCS.MIT.EDU, each of a different class. -

-
-
-
-

-Discussion of MX Records

-

- As described above, domain servers store information as a - series of resource records, each of which contains a particular - piece of information about a given domain name (which is usually, - but not always, a host). The simplest way to think of a RR is as - a typed pair of data, a domain name matched with a relevant datum, - and stored with some additional type information to help systems - determine when the RR is relevant. -

-

- MX records are used to control delivery of email. The data - specified in the record is a priority and a domain name. The - priority - controls the order in which email delivery is attempted, with the - lowest number first. If two priorities are the same, a server is - chosen randomly. If no servers at a given priority are responding, - the mail transport agent will fall back to the next largest - priority. - Priority numbers do not have any absolute meaning — they are - relevant - only respective to other MX records for that domain name. The - domain - name given is the machine to which the mail will be delivered. - It must have an associated address record - (A or AAAA) — CNAME is not sufficient. -

-

- For a given domain, if there is both a CNAME record and an - MX record, the MX record is in error, and will be ignored. - Instead, - the mail will be delivered to the server specified in the MX - record - pointed to by the CNAME. -

-

- For example: -

-
------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

- example.com. -

-
-

- IN -

-
-

- MX -

-
-

- 10 -

-
-

- mail.example.com. -

-
-

-
-

- IN -

-
-

- MX -

-
-

- 10 -

-
-

- mail2.example.com. -

-
-

-
-

- IN -

-
-

- MX -

-
-

- 20 -

-
-

- mail.backup.org. -

-
-

- mail.example.com. -

-
-

- IN -

-
-

- A -

-
-

- 10.0.0.1 -

-
-

-
-

- mail2.example.com. -

-
-

- IN -

-
-

- A -

-
-

- 10.0.0.2 -

-
-

-
-

- Mail delivery will be attempted to mail.example.com and - mail2.example.com (in - any order), and if neither of those succeed, delivery to mail.backup.org will - be attempted. -

-
-
-

-Setting TTLs

-

- The time-to-live of the RR field is a 32-bit integer represented - in units of seconds, and is primarily used by resolvers when they - cache RRs. The TTL describes how long a RR can be cached before it - should be discarded. The following three types of TTL are - currently - used in a zone file. -

-
---- - - - - - - - - - - - - - - -
-

- SOA -

-
-

- The last field in the SOA is the negative - caching TTL. This controls how long other servers will - cache no-such-domain - (NXDOMAIN) responses from you. -

-

- The maximum time for - negative caching is 3 hours (3h). -

-
-

- $TTL -

-
-

- The $TTL directive at the top of the - zone file (before the SOA) gives a default TTL for every - RR without - a specific TTL set. -

-
-

- RR TTLs -

-
-

- Each RR can have a TTL as the second - field in the RR, which will control how long other - servers can cache - the it. -

-
-

- All of these TTLs default to units of seconds, though units - can be explicitly specified, for example, 1h30m. -

-
-
-

-Inverse Mapping in IPv4

-

- Reverse name resolution (that is, translation from IP address - to name) is achieved by means of the in-addr.arpa domain - and PTR records. Entries in the in-addr.arpa domain are made in - least-to-most significant order, read left to right. This is the - opposite order to the way IP addresses are usually written. Thus, - a machine with an IP address of 10.1.2.3 would have a - corresponding - in-addr.arpa name of - 3.2.1.10.in-addr.arpa. This name should have a PTR resource record - whose data field is the name of the machine or, optionally, - multiple - PTR records if the machine has more than one name. For example, - in the [example.com] domain: -

-
---- - - - - - - - - - - -
-

- $ORIGIN -

-
-

- 2.1.10.in-addr.arpa -

-
-

- 3 -

-
-

- IN PTR foo.example.com. -

-
-
-

Note

-

- The $ORIGIN lines in the examples - are for providing context to the examples only — they do not - necessarily - appear in the actual usage. They are only used here to indicate - that the example is relative to the listed origin. -

-
-
-
-

-Other Zone File Directives

-

- The Master File Format was initially defined in RFC 1035 and - has subsequently been extended. While the Master File Format - itself - is class independent all records in a Master File must be of the - same - class. -

-

- Master File Directives include $ORIGIN, $INCLUDE, - and $TTL. -

-
-

-The $ORIGIN Directive

-

- Syntax: $ORIGIN - domain-name - [comment] -

-

$ORIGIN - sets the domain name that will be appended to any - unqualified records. When a zone is first read in there - is an implicit $ORIGIN - <zone-name>. - The current $ORIGIN is appended to - the domain specified in the $ORIGIN - argument if it is not absolute. -

-
-$ORIGIN example.com.
-WWW     CNAME   MAIN-SERVER
-
-

- is equivalent to -

-
-WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
-
-
-
-

-The $INCLUDE Directive

-

- Syntax: $INCLUDE - filename - [ -origin ] - [ comment ] -

-

- Read and process the file filename as - if it were included into the file at this point. If origin is - specified the file is processed with $ORIGIN set - to that value, otherwise the current $ORIGIN is - used. -

-

- The origin and the current domain name - revert to the values they had prior to the $INCLUDE once - the file has been read. -

-
-

Note

-

- RFC 1035 specifies that the current origin should be restored - after - an $INCLUDE, but it is silent - on whether the current - domain name should also be restored. BIND 9 restores both of - them. - This could be construed as a deviation from RFC 1035, a - feature, or both. -

-
-
-
-

-The $TTL Directive

-

- Syntax: $TTL - default-ttl - [ -comment ] -

-

- Set the default Time To Live (TTL) for subsequent records - with undefined TTLs. Valid TTLs are of the range 0-2147483647 - seconds. -

-

$TTL - is defined in RFC 2308. -

-
-
-
-

-BIND Master File Extension: the $GENERATE Directive

-

- Syntax: $GENERATE - range - lhs - [ttl] - [class] - type - rhs - [comment] -

-

$GENERATE - is used to create a series of resource records that only - differ from each other by an - iterator. $GENERATE can be used to - easily generate the sets of records required to support - sub /24 reverse delegations described in RFC 2317: - Classless IN-ADDR.ARPA delegation. -

-
$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
-$GENERATE 1-127 $ CNAME $.0
-

- is equivalent to -

-
0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
-0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
-1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
-2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
-...
-127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
-
-
---- - - - - - - - - - - - - - - - - - - - - - - - - - - -
-

range

-
-

- This can be one of two forms: start-stop - or start-stop/step. If the first form is used, then step - is set to - 1. All of start, stop and step must be positive. -

-
-

lhs

-
-

This - describes the owner name of the resource records - to be created. Any single $ - (dollar sign) - symbols within the lhs side - are replaced by the iterator value. - - To get a $ in the output, you need to escape the - $ using a backslash - \, - e.g. \$. The - $ may optionally be followed - by modifiers which change the offset from the - iterator, field width and base. - - Modifiers are introduced by a - { (left brace) immediately following the - $ as - ${offset[,width[,base]]}. - For example, ${-20,3,d} - subtracts 20 from the current value, prints the - result as a decimal in a zero-padded field of - width 3. - - Available output forms are decimal - (d), octal - (o) and hexadecimal - (x or X - for uppercase). The default modifier is - ${0,0,d}. If the - lhs is not absolute, the - current $ORIGIN is appended - to the name. -

-

- For compatibility with earlier versions, $$ is still - recognized as indicating a literal $ in the output. -

-
-

ttl

-
-

- Specifies the time-to-live of the generated records. If - not specified this will be inherited using the - normal ttl inheritance rules. -

-

class - and ttl can be - entered in either order. -

-
-

class

-
-

- Specifies the class of the generated records. - This must match the zone class if it is - specified. -

-

class - and ttl can be - entered in either order. -

-
-

type

-
-

- At present the only supported types are - PTR, CNAME, DNAME, A, AAAA and NS. -

-
-

rhs

-
-

- rhs is a domain name. It is processed - similarly to lhs. -

-
-

- The $GENERATE directive is a BIND extension - and not part of the standard zone file format. -

-

- BIND 8 does not support the optional TTL and CLASS fields. -

-
-
-

-Additional File Formats

-

- In addition to the standard textual format, BIND 9 - supports the ability to read or dump to zone files in - other formats. The raw format is - currently available as an additional format. It is a - binary format representing BIND 9's internal data - structure directly, thereby remarkably improving the - loading time. -

-

- For a primary server, a zone file in the - raw format is expected to be - generated from a textual zone file by the - named-compilezone command. For a - secondary server or for a dynamic zone, it is automatically - generated (if this format is specified by the - masterfile-format option) when - named dumps the zone contents after - zone transfer or when applying prior updates. -

-

- If a zone file in a binary format needs manual modification, - it first must be converted to a textual form by the - named-compilezone command. All - necessary modification should go to the text file, which - should then be converted to the binary form by the - named-compilezone command again. -

-

- Although the raw format uses the - network byte order and avoids architecture-dependent - data alignment so that it is as much portable as - possible, it is primarily expected to be used inside - the same single system. In order to export a zone - file in the raw format or make a - portable backup of the file, it is recommended to - convert the file to the standard textual representation. -

-
-
-
- - -
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch07.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch07.html
deleted file mode 100644
index 208ee600191..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.ch07.html
+++ /dev/null
@@ -1,253 +0,0 @@
- - - - - -Chapter 7. BIND 9 Security Considerations - - - - - - - - -
-

-Chapter 7. BIND 9 Security Considerations

- -
-

-Access Control Lists

-

- Access Control Lists (ACLs), are address match lists that - you can set up and nickname for future use in allow-notify, - allow-query, allow-recursion, - blackhole, allow-transfer, - etc. -

-

- Using ACLs allows you to have finer control over who can access - your name server, without cluttering up your config files with huge - lists of IP addresses. -

-

- It is a good idea to use ACLs, and to - control access to your server. Limiting access to your server by - outside parties can help prevent spoofing and denial of service (DoS) attacks against - your server. -

-

- Here is an example of how to properly apply ACLs: -

-
-// Set up an ACL named "bogusnets" that will block RFC1918 space
-// and some reserved space, which is commonly used in spoofing attacks.
-acl bogusnets {
-        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
-        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
-};
-
-// Set up an ACL called our-nets. Replace this with the real IP numbers.
-acl our-nets { x.x.x.x/24; x.x.x.x/21; };
-options {
-  ...
-  ...
-  allow-query { our-nets; };
-  allow-recursion { our-nets; };
-  ...
-  blackhole { bogusnets; };
-  ...
-};
-
-zone "example.com" {
-  type master;
-  file "m/example.com";
-  allow-query { any; };
-};
-
-

- This allows recursive queries of the server from the outside - unless recursion has been previously disabled. -

-

- For more information on how to use ACLs to protect your server, - see the AUSCERT advisory at: -

-

- ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos -

-
-
-

-Chroot and Setuid -

-

- On UNIX servers, it is possible to run BIND in a chrooted environment - (using the chroot() function) by specifying the "-t" - option. This can help improve system security by placing BIND in - a "sandbox", which will limit the damage done if a server is - compromised. -

-

- Another useful feature in the UNIX version of BIND is the - ability to run the daemon as an unprivileged user ( -u user ). - We suggest running as an unprivileged user when using the chroot feature. -

-

- Here is an example command line to load BIND in a chroot sandbox, - /var/named, and to run named setuid to - user 202: -

-

- /usr/local/bin/named -u 202 -t /var/named -

-
-

-The chroot Environment

-

- In order for a chroot environment - to - work properly in a particular directory - (for example, /var/named), - you will need to set up an environment that includes everything - BIND needs to run. - From BIND's point of view, /var/named is - the root of the filesystem. You will need to adjust the values of - options like - like directory and pid-file to account - for this. -

-

- Unlike with earlier versions of BIND, you typically will - not need to compile named - statically nor install shared libraries under the new root. - However, depending on your operating system, you may need - to set up things like - /dev/zero, - /dev/random, - /dev/log, and - /etc/localtime. -

-
-
-

-Using the setuid Function

-

- Prior to running the named daemon, - use - the touch utility (to change file - access and - modification times) or the chown - utility (to - set the user id and/or group id) on files - to which you want BIND - to write. -

-
-

Note

- Note that if the named daemon is running as an - unprivileged user, it will not be able to bind to new restricted - ports if the server is reloaded. -
-
-
-
-

-Dynamic Update Security

-

- Access to the dynamic - update facility should be strictly limited. In earlier versions of - BIND, the only way to do this was - based on the IP - address of the host requesting the update, by listing an IP address - or - network prefix in the allow-update - zone option. - This method is insecure since the source address of the update UDP - packet - is easily forged. Also note that if the IP addresses allowed by the - allow-update option include the - address of a slave - server which performs forwarding of dynamic updates, the master can - be - trivially attacked by sending the update to the slave, which will - forward it to the master with its own source IP address causing the - master to approve it without question. -

-

- For these reasons, we strongly recommend that updates be - cryptographically authenticated by means of transaction signatures - (TSIG). That is, the allow-update - option should - list only TSIG key names, not IP addresses or network - prefixes. Alternatively, the new update-policy - option can be used. -

-

- Some sites choose to keep all dynamically-updated DNS data - in a subdomain and delegate that subdomain to a separate zone. This - way, the top-level zone containing critical data such as the IP - addresses - of public web and mail servers need not allow dynamic update at - all. -

-
-
- - -
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch08.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch08.html
deleted file mode 100644
index 4b99b6793be..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.ch08.html
+++ /dev/null
@@ -1,139 +0,0 @@
- - - - - -Chapter 8. Troubleshooting - - - - - - - - -
-

-Chapter 8. Troubleshooting

- -
-

-Common Problems

-
-

-It's not working; how can I figure out what's wrong?

-

- The best solution to solving installation and - configuration issues is to take preventative measures by setting - up logging files beforehand. The log files provide a - source of hints and information that can be used to figure out - what went wrong and how to fix the problem. -

-
-
-
-

-Incrementing and Changing the Serial Number

-

- Zone serial numbers are just numbers — they aren't - date related. A lot of people set them to a number that - represents a date, usually of the form YYYYMMDDRR. - Occasionally they will make a mistake and set them to a - "date in the future" then try to correct them by setting - them to the "current date". This causes problems because - serial numbers are used to indicate that a zone has been - updated. If the serial number on the slave server is - lower than the serial number on the master, the slave - server will attempt to update its copy of the zone. -

-

- Setting the serial number to a lower number on the master - server than the slave server means that the slave will not perform - updates to its copy of the zone. -

-

- The solution to this is to add 2147483647 (2^31-1) to the - number, reload the zone and make sure all slaves have updated to - the new zone serial number, then reset the number to what you want - it to be, and reload the zone again. -

-
-
-

-Where Can I Get Help?

-

- The Internet Systems Consortium - (ISC) offers a wide range - of support and service agreements for BIND and DHCP servers. Four - levels of premium support are available and each level includes - support for all ISC programs, - significant discounts on products - and training, and a recognized priority on bug fixes and - non-funded feature requests. In addition, ISC offers a standard - support agreement package which includes services ranging from bug - fix announcements to remote support. It also includes training in - BIND and DHCP. -

-

- To discuss arrangements for support, contact - info@isc.org or visit the - ISC web page at - http://www.isc.org/services/support/ - to read more. -

-
-
- - -
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch09.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch09.html
deleted file mode 100644
index 783224f9772..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.ch09.html
+++ /dev/null
@@ -1,630 +0,0 @@
- - - - - -Appendix A. Appendices - - - - - - - - -
-

-Appendix A. Appendices

- -
-

-Acknowledgments

-
-

-A Brief History of the DNS and BIND -

-

- Although the "official" beginning of the Domain Name - System occurred in 1984 with the publication of RFC 920, the - core of the new system was described in 1983 in RFCs 882 and - 883. From 1984 to 1987, the ARPAnet (the precursor to today's - Internet) became a testbed of experimentation for developing the - new naming/addressing scheme in a rapidly expanding, - operational network environment. New RFCs were written and - published in 1987 that modified the original documents to - incorporate improvements based on the working model. RFC 1034, - "Domain Names-Concepts and Facilities", and RFC 1035, "Domain - Names-Implementation and Specification" were published and - became the standards upon which all DNS implementations are - built. -

-

- The first working domain name server, called "Jeeves", was - written in 1983-84 by Paul Mockapetris for operation on DEC - Tops-20 - machines located at the University of Southern California's - Information - Sciences Institute (USC-ISI) and SRI International's Network - Information - Center (SRI-NIC). A DNS server for - Unix machines, the Berkeley Internet - Name Domain (BIND) package, was - written soon after by a group of - graduate students at the University of California at Berkeley - under - a grant from the US Defense Advanced Research Projects - Administration - (DARPA). -

-

- Versions of BIND through - 4.8.3 were maintained by the Computer - Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark - Painter, David Riggle and Songnian Zhou made up the initial BIND - project team. After that, additional work on the software package - was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment - Corporation - employee on loan to the CSRG, worked on BIND for 2 years, from 1985 - to 1987. Many other people also contributed to BIND development - during that time: Doug Kingston, Craig Partridge, Smoot - Carl-Mitchell, - Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently - handled by Mike Karels and Øivind Kure. -

-

- BIND versions 4.9 and 4.9.1 were - released by Digital Equipment - Corporation (now Compaq Computer Corporation). Paul Vixie, then - a DEC employee, became BIND's - primary caretaker. He was assisted - by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan - Beecher, Andrew - Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat - Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe - Wolfhugel, and others. -

-

- In 1994, BIND version 4.9.2 was sponsored by - Vixie Enterprises. Paul - Vixie became BIND's principal - architect/programmer. -

-

- BIND versions from 4.9.3 onward - have been developed and maintained - by the Internet Systems Consortium and its predecessor, - the Internet Software Consortium, with support being provided - by ISC's sponsors. -

-

- As co-architects/programmers, Bob Halley and - Paul Vixie released the first production-ready version of - BIND version 8 in May 1997. -

-

- BIND version 9 was released in September 2000 and is a - major rewrite of nearly all aspects of the underlying - BIND architecture. -

-

- BIND version 4 is officially deprecated and BIND version - 8 development is considered maintenance-only in favor - of BIND version 9. No additional development is done - on BIND version 4 or BIND version 8 other than for - security-related patches. -

-

- BIND development work is made - possible today by the sponsorship - of several corporations, and by the tireless work efforts of - numerous individuals. -

-
-
-
-

-General DNS Reference Information

-
-

-IPv6 addresses (AAAA)

-

- IPv6 addresses are 128-bit identifiers for interfaces and - sets of interfaces which were introduced in the DNS to facilitate - scalable Internet routing. There are three types of addresses: Unicast, - an identifier for a single interface; - Anycast, - an identifier for a set of interfaces; and Multicast, - an identifier for a set of interfaces. Here we describe the global - Unicast address scheme. For more information, see RFC 3587, - "Global Unicast Address Format." -

-

- IPv6 unicast addresses consist of a - global routing prefix, a - subnet identifier, and an - interface identifier. -

-

- The global routing prefix is provided by the - upstream provider or ISP, and (roughly) corresponds to the - IPv4 network section - of the address range. - - The subnet identifier is for local subnetting, much the - same as subnetting an - IPv4 /16 network into /24 subnets. - - The interface identifier is the address of an individual - interface on a given network; in IPv6, addresses belong to - interfaces rather than to machines. -

-

- The subnetting capability of IPv6 is much more flexible than - that of IPv4: subnetting can be carried out on bit boundaries, - in much the same way as Classless InterDomain Routing - (CIDR), and the DNS PTR representation ("nibble" format) - makes setting up reverse zones easier. -

-

- The Interface Identifier must be unique on the local link, - and is usually generated automatically by the IPv6 - implementation, although it is usually possible to - override the default setting if necessary. A typical IPv6 - address might look like: - 2001:db8:201:9:a00:20ff:fe81:2b32 -

-

- IPv6 address specifications often contain long strings - of zeros, so the architects have included a shorthand for - specifying - them. The double colon (`::') indicates the longest possible - string - of zeros that can fit, and can be used only once in an address. -

-
-
-
-

-Bibliography (and Suggested Reading)

-
-

-Request for Comments (RFCs)

-

- Specification documents for the Internet protocol suite, including - the DNS, are published as part of - the Request for Comments (RFCs) - series of technical notes. The standards themselves are defined - by the Internet Engineering Task Force (IETF) and the Internet - Engineering Steering Group (IESG). RFCs can be obtained online via FTP at: -

-

- - ftp://www.isi.edu/in-notes/RFCxxxx.txt - -

-

- (where xxxx is - the number of the RFC). RFCs are also available via the Web at: -

-

- http://www.ietf.org/rfc/. -

-
-

-Bibliography

-
-

Standards

-
-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

-
-
-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

-
-
-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and - Specification. November 1987.

-
-
-
-

-Proposed Standards

-
-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS - Specification. July 1997.

-
-
-

[RFC2308] M. Andrews. Negative Caching of DNS - Queries. March 1998.

-
-
-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-
-
-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-
-
-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-
-
-

[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997.

-
-
-

[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999.

-
-
-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

-
-
-

[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000.

-
-
-

[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000.

-
-
-

[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000.

-
-
-

[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret - Key Transaction Authentication for DNS - (GSS-TSIG). October 2003.

-
-
-
-

-DNS Security Proposed Standards

-
-

[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001.

-
-
-

[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004.

-
-
-

[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005.

-
-
-

[RFC4044] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005.

-
-
-

[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS - Security Extensions. March 2005.

-
-
-
-

Other Important RFCs About DNS - Implementation

-
-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely - Deployed DNS Software.. October 1993.

-
-
-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation - Errors and Suggested Fixes. October 1993.

-
-
-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

-
-
-

[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS - Queries for IPv6 Addresses. May 2005.

-
-
-
-

Resource Record Types

-
-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-
-
-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-
-
-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using - the Domain Name System. June 1997.

-
-
-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the - Domain - Name System. January 1996.

-
-
-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the - Location of - Services.. October 1996.

-
-
-

[RFC2163] A. Allocchio. Using the Internet DNS to - Distribute MIXER - Conformant Global Address Mapping. January 1998.

-
-
-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

-
-
-

[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999.

-
-
-

[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999.

-
-
-

[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999.

-
-
-

[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999.

-
-
-

[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999.

-
-
-

[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000.

-
-
-

[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000.

-
-
-

[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001.

-
-
-

[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001.

-
-
-

[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP - version 6. October 2003.

-
-
-

[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003.

-
-
-
-

-DNS and the Internet

-
-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names - and Other Types. April 1989.

-
-
-

[RFC1123] Braden. Requirements for Internet Hosts - Application and - Support. October 1989.

-
-
-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-
-
-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

-
-
-

[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000.

-
-
-

[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000.

-
-
-
-

-DNS Operations

-
-

[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987.

-
-
-

[RFC1537] P. Beertema. Common DNS Data File - Configuration Errors. October 1993.

-
-
-

[RFC1912] D. Barr. Common DNS Operational and - Configuration Errors. February 1996.

-
-
-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

-
-
-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for - Network Services.. October 1997.

-
-
-
-

Internationalized Domain Names

-
-

[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names, - and the Other Internet protocols. May 2000.

-
-
-

[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003.

-
-
-

[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003.

-
-
-

[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode - for Internationalized Domain Names in - Applications (IDNA). March 2003.

-
-
-
-

Other DNS-related RFCs

-
-

Note

-

- Note: the following list of RFCs, although - DNS-related, are not - concerned with implementing software. -

-
-
-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String - Attributes. May 1993.

-
-
-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-
-
-

[RFC1794] T. Brisco. DNS Support for Load - Balancing. April 1995.

-
-
-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-
-
-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-
-
-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

-
-
-

[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001.

-
-
-

[RFC3258] T. Hardie. Distributing Authoritative Name Servers via - Shared Unicast Addresses. April 2002.

-
-
-

[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004.

-
-
-
-

Obsolete and Unimplemented Experimental RFC

-
-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical - Location. November 1994.

-
-
-

[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999.

-
-
-

[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation - and Renumbering. July 2000.

-
-
-
-

Obsoleted DNS Security RFCs

-
-

Note

-

- Most of these have been consolidated into RFC4033, - RFC4034 and RFC4035 which collectively describe DNSSECbis. -

-
-
-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-
-
-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

-
-
-

[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999.

-
-
-

[RFC3008] B. Wellington. Domain Name System Security (DNSSEC) - Signing Authority. November 2000.

-
-
-

[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001.

-
-
-

[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002.

-
-
-

[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003.

-
-
-

[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003.

-
-
-

[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004.

-
-
-

[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record - (RR) Secure Entry Point (SEP) Flag. April 2004.

-
-
-

[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004.

-
-
-
-
-
-

-Internet Drafts

-

- Internet Drafts (IDs) are rough-draft working documents of - the Internet Engineering Task Force. They are, in essence, RFCs - in the preliminary stages of development. Implementors are - cautioned not - to regard IDs as archival, and they should not be quoted or cited - in any formal documents unless accompanied by the disclaimer that - they are "works in progress." IDs have a lifespan of six months - after which they are deleted unless updated by their authors. -

-
-
-

-Other Documents About BIND -

-

-
-

-Bibliography

-
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

-
-
-
-
-
- - -
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.ch10.html b/usr.sbin/bind/doc/arm/Bv9ARM.ch10.html
deleted file mode 100644
index badc692a2ff..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.ch10.html
+++ /dev/null
@@ -1,102 +0,0 @@
- - - - - -Manual pages - - - - - - - - -
-
-

-Manual pages

-
-
-
-

Table of Contents

-
-
-dig — DNS lookup utility -
-
-host — DNS lookup utility -
-
-dnssec-keygen — DNSSEC key generation tool -
-
-dnssec-signzone — DNSSEC zone signing tool -
-
-named-checkconf — named configuration file syntax checking tool -
-
-named-checkzone — zone file validity checking or converting tool -
-
-named — Internet domain name server -
-
-rndc — name server control utility -
-
-rndc.conf — rndc configuration file -
-
-rndc-confgen — rndc key generation tool -
-
-
-
- - -
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.html b/usr.sbin/bind/doc/arm/Bv9ARM.html
deleted file mode 100644
index f730286fe60..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.html
+++ /dev/null
@@ -1,262 +0,0 @@
- - - - - -BIND 9 Administrator Reference Manual - - - - - - -
-
-
-

-BIND 9 Administrator Reference Manual

-
-
-
-
-
-
-

Table of Contents

-
-
1. Introduction
-
-
Scope of Document
-
Organization of This Document
-
Conventions Used in This Document
-
The Domain Name System (DNS)
-
-
DNS Fundamentals
-
Domains and Domain Names
-
Zones
-
Authoritative Name Servers
-
Caching Name Servers
-
Name Servers in Multiple Roles
-
-
-
2. BIND Resource Requirements
-
-
Hardware requirements
-
CPU Requirements
-
Memory Requirements
-
Name Server Intensive Environment Issues
-
Supported Operating Systems
-
-
3. Name Server Configuration
-
-
Sample Configurations
-
-
A Caching-only Name Server
-
An Authoritative-only Name Server
-
-
Load Balancing
-
Name Server Operations
-
-
Tools for Use With the Name Server Daemon
-
Signals
-
-
-
4. Advanced DNS Features
-
-
Notify
-
Dynamic Update
-
The journal file
-
Incremental Zone Transfers (IXFR)
-
Split DNS
-
Example split DNS setup
-
TSIG
-
-
Generate Shared Keys for Each Pair of Hosts
-
Copying the Shared Secret to Both Machines
-
Informing the Servers of the Key's Existence
-
Instructing the Server to Use the Key
-
TSIG Key Based Access Control
-
Errors
-
-
TKEY
-
SIG(0)
-
DNSSEC
-
-
Generating Keys
-
Signing the Zone
-
Configuring Servers
-
-
IPv6 Support in BIND 9
-
-
Address Lookups Using AAAA Records
-
Address to Name Lookups Using Nibble Format
-
-
-
5. The BIND 9 Lightweight Resolver
-
-
The Lightweight Resolver Library
-
Running a Resolver Daemon
-
-
6. BIND 9 Configuration Reference
-
-
Configuration File Elements
-
-
Address Match Lists
-
Comment Syntax
-
-
Configuration File Grammar
-
-
acl Statement Grammar
-
acl Statement Definition and - Usage
-
controls Statement Grammar
-
controls Statement Definition and - Usage
-
include Statement Grammar
-
include Statement Definition and - Usage
-
key Statement Grammar
-
key Statement Definition and Usage
-
logging Statement Grammar
-
logging Statement Definition and - Usage
-
lwres Statement Grammar
-
lwres Statement Definition and Usage
-
masters Statement Grammar
-
masters Statement Definition and - Usage
-
options Statement Grammar
-
options Statement Definition and - Usage
-
server Statement Grammar
-
server Statement Definition and - Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition - and Usage
-
view Statement Grammar
-
view Statement Definition and Usage
-
zone - Statement Grammar
-
zone Statement Definition and Usage
-
-
Zone File
-
-
Types of Resource Records and When to Use Them
-
Discussion of MX Records
-
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
-
Additional File Formats
-
-
-
7. BIND 9 Security Considerations
-
-
Access Control Lists
-
Chroot and Setuid
-
-
The chroot Environment
-
Using the setuid Function
-
-
Dynamic Update Security
-
-
8. Troubleshooting
-
-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
-
-
A. Appendices
-
-
Acknowledgments
-
A Brief History of the DNS and BIND
-
General DNS Reference Information
-
IPv6 addresses (AAAA)
-
Bibliography (and Suggested Reading)
-
-
Request for Comments (RFCs)
-
Internet Drafts
-
Other Documents About BIND
-
-
-
I. Manual pages
-
-
-dig — DNS lookup utility -
-
-host — DNS lookup utility -
-
-dnssec-keygen — DNSSEC key generation tool -
-
-dnssec-signzone — DNSSEC zone signing tool -
-
-named-checkconf — named configuration file syntax checking tool -
-
-named-checkzone — zone file validity checking or converting tool -
-
-named — Internet domain name server -
-
-rndc — name server control utility -
-
-rndc.conf — rndc configuration file -
-
-rndc-confgen — rndc key generation tool -
-
-
-
-
- - -
diff --git a/usr.sbin/bind/doc/arm/Bv9ARM.pdf b/usr.sbin/bind/doc/arm/Bv9ARM.pdf
deleted file mode 100644
index 6119ca4ce24..00000000000
--- a/usr.sbin/bind/doc/arm/Bv9ARM.pdf
+++ /dev/null
@@ -1,8964 +0,0 @@ -%PDF-1.4 -5 0 obj -<< /S /GoTo /D (chapter.1) >> -endobj -8 0 obj -(1 Introduction) -endobj -9 0 obj -<< /S /GoTo /D (section.1.1) >> -endobj -12 0 obj -(1.1 Scope of Document) -endobj -13 0 obj -<< /S /GoTo /D (section.1.2) >> -endobj -16 0 obj -(1.2 Organization of This Document) -endobj -17 0 obj -<< /S /GoTo /D (section.1.3) >> -endobj -20 0 obj -(1.3 Conventions Used in This Document) -endobj -21 0 obj -<< /S /GoTo /D (section.1.4) >> -endobj -24 0 obj -(1.4 The Domain Name System \(DNS\)) -endobj -25 0 obj -<< /S /GoTo /D (subsection.1.4.1) >> -endobj -28 0 obj -(1.4.1 DNS Fundamentals) -endobj -29 0 obj -<< /S /GoTo /D (subsection.1.4.2) >> -endobj -32 0 obj -(1.4.2 Domains and Domain Names) -endobj -33 0 obj -<< /S /GoTo /D (subsection.1.4.3) >> -endobj -36 0 obj -(1.4.3 Zones) -endobj -37 0 obj -<< /S /GoTo /D (subsection.1.4.4) >> -endobj -40 0 obj -(1.4.4 Authoritative Name Servers) -endobj -41 0 obj -<< /S /GoTo /D (subsubsection.1.4.4.1) >> -endobj -44 0 obj -(1.4.4.1 The Primary Master) -endobj -45 0 obj -<< /S /GoTo /D (subsubsection.1.4.4.2) >> -endobj -48 0 obj -(1.4.4.2 Slave Servers) -endobj -49 0 obj -<< /S /GoTo /D (subsubsection.1.4.4.3) >> -endobj -52 0 obj -(1.4.4.3 Stealth Servers) -endobj -53 0 obj -<< /S /GoTo /D (subsection.1.4.5) >> -endobj -56 0 obj -(1.4.5 Caching Name Servers) -endobj -57 0 obj -<< /S /GoTo /D (subsubsection.1.4.5.1) >> -endobj -60 0 obj -(1.4.5.1 Forwarding) -endobj -61 0 obj -<< /S /GoTo /D (subsection.1.4.6) >> -endobj -64 0 obj -(1.4.6 Name Servers in Multiple Roles) -endobj -65 0 obj -<< /S /GoTo /D (chapter.2) >> -endobj -68 0 obj -(2 BIND Resource Requirements) -endobj -69 0 obj -<< /S /GoTo /D (section.2.1) >> -endobj -72 0 obj -(2.1 Hardware requirements) -endobj -73 0 obj -<< /S /GoTo /D (section.2.2) >> -endobj -76 0 obj -(2.2 CPU Requirements) -endobj -77 0 obj -<< /S /GoTo /D (section.2.3) >> -endobj -80 0 obj -(2.3 Memory Requirements) -endobj -81 0 obj -<< /S /GoTo /D (section.2.4) 
>> -endobj -84 0 obj -(2.4 Name Server Intensive Environment Issues) -endobj -85 0 obj -<< /S /GoTo /D (section.2.5) >> -endobj -88 0 obj -(2.5 Supported Operating Systems) -endobj -89 0 obj -<< /S /GoTo /D (chapter.3) >> -endobj -92 0 obj -(3 Name Server Configuration) -endobj -93 0 obj -<< /S /GoTo /D (section.3.1) >> -endobj -96 0 obj -(3.1 Sample Configurations) -endobj -97 0 obj -<< /S /GoTo /D (subsection.3.1.1) >> -endobj -100 0 obj -(3.1.1 A Caching-only Name Server) -endobj -101 0 obj -<< /S /GoTo /D (subsection.3.1.2) >> -endobj -104 0 obj -(3.1.2 An Authoritative-only Name Server) -endobj -105 0 obj -<< /S /GoTo /D (section.3.2) >> -endobj -108 0 obj -(3.2 Load Balancing) -endobj -109 0 obj -<< /S /GoTo /D (section.3.3) >> -endobj -112 0 obj -(3.3 Name Server Operations) -endobj -113 0 obj -<< /S /GoTo /D (subsection.3.3.1) >> -endobj -116 0 obj -(3.3.1 Tools for Use With the Name Server Daemon) -endobj -117 0 obj -<< /S /GoTo /D (subsubsection.3.3.1.1) >> -endobj -120 0 obj -(3.3.1.1 Diagnostic Tools) -endobj -121 0 obj -<< /S /GoTo /D (subsubsection.3.3.1.2) >> -endobj -124 0 obj -(3.3.1.2 Administrative Tools) -endobj -125 0 obj -<< /S /GoTo /D (subsection.3.3.2) >> -endobj -128 0 obj -(3.3.2 Signals) -endobj -129 0 obj -<< /S /GoTo /D (chapter.4) >> -endobj -132 0 obj -(4 Advanced DNS Features) -endobj -133 0 obj -<< /S /GoTo /D (section.4.1) >> -endobj -136 0 obj -(4.1 Notify) -endobj -137 0 obj -<< /S /GoTo /D (section.4.2) >> -endobj -140 0 obj -(4.2 Dynamic Update) -endobj -141 0 obj -<< /S /GoTo /D (subsection.4.2.1) >> -endobj -144 0 obj -(4.2.1 The journal file) -endobj -145 0 obj -<< /S /GoTo /D (section.4.3) >> -endobj -148 0 obj -(4.3 Incremental Zone Transfers \(IXFR\)) -endobj -149 0 obj -<< /S /GoTo /D (section.4.4) >> -endobj -152 0 obj -(4.4 Split DNS) -endobj -153 0 obj -<< /S /GoTo /D (section.4.5) >> -endobj -156 0 obj -(4.5 TSIG) -endobj -157 0 obj -<< /S /GoTo /D (subsection.4.5.1) >> -endobj -160 0 obj -(4.5.1 Generate Shared 
Keys for Each Pair of Hosts) -endobj -161 0 obj -<< /S /GoTo /D (subsubsection.4.5.1.1) >> -endobj -164 0 obj -(4.5.1.1 Automatic Generation) -endobj -165 0 obj -<< /S /GoTo /D (subsubsection.4.5.1.2) >> -endobj -168 0 obj -(4.5.1.2 Manual Generation) -endobj -169 0 obj -<< /S /GoTo /D (subsection.4.5.2) >> -endobj -172 0 obj -(4.5.2 Copying the Shared Secret to Both Machines) -endobj -173 0 obj -<< /S /GoTo /D (subsection.4.5.3) >> -endobj -176 0 obj -(4.5.3 Informing the Servers of the Key's Existence) -endobj -177 0 obj -<< /S /GoTo /D (subsection.4.5.4) >> -endobj -180 0 obj -(4.5.4 Instructing the Server to Use the Key) -endobj -181 0 obj -<< /S /GoTo /D (subsection.4.5.5) >> -endobj -184 0 obj -(4.5.5 TSIG Key Based Access Control) -endobj -185 0 obj -<< /S /GoTo /D (subsection.4.5.6) >> -endobj -188 0 obj -(4.5.6 Errors) -endobj -189 0 obj -<< /S /GoTo /D (section.4.6) >> -endobj -192 0 obj -(4.6 TKEY) -endobj -193 0 obj -<< /S /GoTo /D (section.4.7) >> -endobj -196 0 obj -(4.7 SIG\(0\)) -endobj -197 0 obj -<< /S /GoTo /D (section.4.8) >> -endobj -200 0 obj -(4.8 DNSSEC) -endobj -201 0 obj -<< /S /GoTo /D (subsection.4.8.1) >> -endobj -204 0 obj -(4.8.1 Generating Keys) -endobj -205 0 obj -<< /S /GoTo /D (subsection.4.8.2) >> -endobj -208 0 obj -(4.8.2 Signing the Zone) -endobj -209 0 obj -<< /S /GoTo /D (subsection.4.8.3) >> -endobj -212 0 obj -(4.8.3 Configuring Servers) -endobj -213 0 obj -<< /S /GoTo /D (section.4.9) >> -endobj -216 0 obj -(4.9 IPv6 Support in BIND 9) -endobj -217 0 obj -<< /S /GoTo /D (subsection.4.9.1) >> -endobj -220 0 obj -(4.9.1 Address Lookups Using AAAA Records) -endobj -221 0 obj -<< /S /GoTo /D (subsection.4.9.2) >> -endobj -224 0 obj -(4.9.2 Address to Name Lookups Using Nibble Format) -endobj -225 0 obj -<< /S /GoTo /D (chapter.5) >> -endobj -228 0 obj -(5 The BIND 9 Lightweight Resolver) -endobj -229 0 obj -<< /S /GoTo /D (section.5.1) >> -endobj -232 0 obj -(5.1 The Lightweight Resolver Library) -endobj -233 0 obj -<< /S 
/GoTo /D (section.5.2) >> -endobj -236 0 obj -(5.2 Running a Resolver Daemon) -endobj -237 0 obj -<< /S /GoTo /D (chapter.6) >> -endobj -240 0 obj -(6 BIND 9 Configuration Reference) -endobj -241 0 obj -<< /S /GoTo /D (section.6.1) >> -endobj -244 0 obj -(6.1 Configuration File Elements) -endobj -245 0 obj -<< /S /GoTo /D (subsection.6.1.1) >> -endobj -248 0 obj -(6.1.1 Address Match Lists) -endobj -249 0 obj -<< /S /GoTo /D (subsubsection.6.1.1.1) >> -endobj -252 0 obj -(6.1.1.1 Syntax) -endobj -253 0 obj -<< /S /GoTo /D (subsubsection.6.1.1.2) >> -endobj -256 0 obj -(6.1.1.2 Definition and Usage) -endobj -257 0 obj -<< /S /GoTo /D (subsection.6.1.2) >> -endobj -260 0 obj -(6.1.2 Comment Syntax) -endobj -261 0 obj -<< /S /GoTo /D (subsubsection.6.1.2.1) >> -endobj -264 0 obj -(6.1.2.1 Syntax) -endobj -265 0 obj -<< /S /GoTo /D (subsubsection.6.1.2.2) >> -endobj -268 0 obj -(6.1.2.2 Definition and Usage) -endobj -269 0 obj -<< /S /GoTo /D (section.6.2) >> -endobj -272 0 obj -(6.2 Configuration File Grammar) -endobj -273 0 obj -<< /S /GoTo /D (subsection.6.2.1) >> -endobj -276 0 obj -(6.2.1 acl Statement Grammar) -endobj -277 0 obj -<< /S /GoTo /D (subsection.6.2.2) >> -endobj -280 0 obj -(6.2.2 acl Statement Definition and Usage) -endobj -281 0 obj -<< /S /GoTo /D (subsection.6.2.3) >> -endobj -284 0 obj -(6.2.3 controls Statement Grammar) -endobj -285 0 obj -<< /S /GoTo /D (subsection.6.2.4) >> -endobj -288 0 obj -(6.2.4 controls Statement Definition and Usage) -endobj -289 0 obj -<< /S /GoTo /D (subsection.6.2.5) >> -endobj -292 0 obj -(6.2.5 include Statement Grammar) -endobj -293 0 obj -<< /S /GoTo /D (subsection.6.2.6) >> -endobj -296 0 obj -(6.2.6 include Statement Definition and Usage) -endobj -297 0 obj -<< /S /GoTo /D (subsection.6.2.7) >> -endobj -300 0 obj -(6.2.7 key Statement Grammar) -endobj -301 0 obj -<< /S /GoTo /D (subsection.6.2.8) >> -endobj -304 0 obj -(6.2.8 key Statement Definition and Usage) -endobj -305 0 obj -<< /S /GoTo /D 
(subsection.6.2.9) >> -endobj -308 0 obj -(6.2.9 logging Statement Grammar) -endobj -309 0 obj -<< /S /GoTo /D (subsection.6.2.10) >> -endobj -312 0 obj -(6.2.10 logging Statement Definition and Usage) -endobj -313 0 obj -<< /S /GoTo /D (subsubsection.6.2.10.1) >> -endobj -316 0 obj -(6.2.10.1 The channel Phrase) -endobj -317 0 obj -<< /S /GoTo /D (subsubsection.6.2.10.2) >> -endobj -320 0 obj -(6.2.10.2 The category Phrase) -endobj -321 0 obj -<< /S /GoTo /D (subsection.6.2.11) >> -endobj -324 0 obj -(6.2.11 lwres Statement Grammar) -endobj -325 0 obj -<< /S /GoTo /D (subsection.6.2.12) >> -endobj -328 0 obj -(6.2.12 lwres Statement Definition and Usage) -endobj -329 0 obj -<< /S /GoTo /D (subsection.6.2.13) >> -endobj -332 0 obj -(6.2.13 masters Statement Grammar) -endobj -333 0 obj -<< /S /GoTo /D (subsection.6.2.14) >> -endobj -336 0 obj -(6.2.14 masters Statement Definition and Usage) -endobj -337 0 obj -<< /S /GoTo /D (subsection.6.2.15) >> -endobj -340 0 obj -(6.2.15 options Statement Grammar) -endobj -341 0 obj -<< /S /GoTo /D (subsection.6.2.16) >> -endobj -344 0 obj -(6.2.16 options Statement Definition and Usage) -endobj -345 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.1) >> -endobj -348 0 obj -(6.2.16.1 Boolean Options) -endobj -349 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.2) >> -endobj -352 0 obj -(6.2.16.2 Forwarding) -endobj -353 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.3) >> -endobj -356 0 obj -(6.2.16.3 Dual-stack Servers) -endobj -357 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.4) >> -endobj -360 0 obj -(6.2.16.4 Access Control) -endobj -361 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.5) >> -endobj -364 0 obj -(6.2.16.5 Interfaces) -endobj -365 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.6) >> -endobj -368 0 obj -(6.2.16.6 Query Address) -endobj -369 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.7) >> -endobj -372 0 obj -(6.2.16.7 Zone Transfers) -endobj -373 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.8) >> -endobj -376 0 obj -(6.2.16.8 Bad 
UDP Port Lists) -endobj -377 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.9) >> -endobj -380 0 obj -(6.2.16.9 Operating System Resource Limits) -endobj -381 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.10) >> -endobj -384 0 obj -(6.2.16.10 Server Resource Limits) -endobj -385 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.11) >> -endobj -388 0 obj -(6.2.16.11 Periodic Task Intervals) -endobj -389 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.12) >> -endobj -392 0 obj -(6.2.16.12 Topology) -endobj -393 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.13) >> -endobj -396 0 obj -(6.2.16.13 The sortlist Statement) -endobj -397 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.14) >> -endobj -400 0 obj -(6.2.16.14 RRset Ordering) -endobj -401 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.15) >> -endobj -404 0 obj -(6.2.16.15 Tuning) -endobj -405 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.16) >> -endobj -408 0 obj -(6.2.16.16 Built-in server information zones) -endobj -409 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.17) >> -endobj -412 0 obj -(6.2.16.17 The Statistics File) -endobj -413 0 obj -<< /S /GoTo /D (subsection.6.2.17) >> -endobj -416 0 obj -(6.2.17 server Statement Grammar) -endobj -417 0 obj -<< /S /GoTo /D (subsection.6.2.18) >> -endobj -420 0 obj -(6.2.18 server Statement Definition and Usage) -endobj -421 0 obj -<< /S /GoTo /D (subsection.6.2.19) >> -endobj -424 0 obj -(6.2.19 trusted-keys Statement Grammar) -endobj -425 0 obj -<< /S /GoTo /D (subsection.6.2.20) >> -endobj -428 0 obj -(6.2.20 trusted-keys Statement Definition and Usage) -endobj -429 0 obj -<< /S /GoTo /D (subsection.6.2.21) >> -endobj -432 0 obj -(6.2.21 view Statement Grammar) -endobj -433 0 obj -<< /S /GoTo /D (subsection.6.2.22) >> -endobj -436 0 obj -(6.2.22 view Statement Definition and Usage) -endobj -437 0 obj -<< /S /GoTo /D (subsection.6.2.23) >> -endobj -440 0 obj -(6.2.23 zone Statement Grammar) -endobj -441 0 obj -<< /S /GoTo /D (subsection.6.2.24) >> -endobj -444 0 obj -(6.2.24 zone Statement 
Definition and Usage) -endobj -445 0 obj -<< /S /GoTo /D (subsubsection.6.2.24.1) >> -endobj -448 0 obj -(6.2.24.1 Zone Types) -endobj -449 0 obj -<< /S /GoTo /D (subsubsection.6.2.24.2) >> -endobj -452 0 obj -(6.2.24.2 Class) -endobj -453 0 obj -<< /S /GoTo /D (subsubsection.6.2.24.3) >> -endobj -456 0 obj -(6.2.24.3 Zone Options) -endobj -457 0 obj -<< /S /GoTo /D (subsubsection.6.2.24.4) >> -endobj -460 0 obj -(6.2.24.4 Dynamic Update Policies) -endobj -461 0 obj -<< /S /GoTo /D (section.6.3) >> -endobj -464 0 obj -(6.3 Zone File) -endobj -465 0 obj -<< /S /GoTo /D (subsection.6.3.1) >> -endobj -468 0 obj -(6.3.1 Types of Resource Records and When to Use Them) -endobj -469 0 obj -<< /S /GoTo /D (subsubsection.6.3.1.1) >> -endobj -472 0 obj -(6.3.1.1 Resource Records) -endobj -473 0 obj -<< /S /GoTo /D (subsubsection.6.3.1.2) >> -endobj -476 0 obj -(6.3.1.2 Textual expression of RRs) -endobj -477 0 obj -<< /S /GoTo /D (subsection.6.3.2) >> -endobj -480 0 obj -(6.3.2 Discussion of MX Records) -endobj -481 0 obj -<< /S /GoTo /D (subsection.6.3.3) >> -endobj -484 0 obj -(6.3.3 Setting TTLs) -endobj -485 0 obj -<< /S /GoTo /D (subsection.6.3.4) >> -endobj -488 0 obj -(6.3.4 Inverse Mapping in IPv4) -endobj -489 0 obj -<< /S /GoTo /D (subsection.6.3.5) >> -endobj -492 0 obj -(6.3.5 Other Zone File Directives) -endobj -493 0 obj -<< /S /GoTo /D (subsubsection.6.3.5.1) >> -endobj -496 0 obj -(6.3.5.1 The \044ORIGIN Directive) -endobj -497 0 obj -<< /S /GoTo /D (subsubsection.6.3.5.2) >> -endobj -500 0 obj -(6.3.5.2 The \044INCLUDE Directive) -endobj -501 0 obj -<< /S /GoTo /D (subsubsection.6.3.5.3) >> -endobj -504 0 obj -(6.3.5.3 The \044TTL Directive) -endobj -505 0 obj -<< /S /GoTo /D (subsection.6.3.6) >> -endobj -508 0 obj -(6.3.6 BIND Master File Extension: the \044GENERATE Directive) -endobj -509 0 obj -<< /S /GoTo /D (chapter.7) >> -endobj -512 0 obj -(7 BIND 9 Security Considerations) -endobj -513 0 obj -<< /S /GoTo /D (section.7.1) >> -endobj -516 0 obj -(7.1 
Access Control Lists) -endobj -517 0 obj -<< /S /GoTo /D (section.7.2) >> -endobj -520 0 obj -(7.2 chroot and setuid \(for UNIX servers\)) -endobj -521 0 obj -<< /S /GoTo /D (subsection.7.2.1) >> -endobj -524 0 obj -(7.2.1 The chroot Environment) -endobj -525 0 obj -<< /S /GoTo /D (subsection.7.2.2) >> -endobj -528 0 obj -(7.2.2 Using the setuid Function) -endobj -529 0 obj -<< /S /GoTo /D (section.7.3) >> -endobj -532 0 obj -(7.3 Dynamic Update Security) -endobj -533 0 obj -<< /S /GoTo /D (chapter.8) >> -endobj -536 0 obj -(8 Troubleshooting) -endobj -537 0 obj -<< /S /GoTo /D (section.8.1) >> -endobj -540 0 obj -(8.1 Common Problems) -endobj -541 0 obj -<< /S /GoTo /D (subsection.8.1.1) >> -endobj -544 0 obj -(8.1.1 It's not working; how can I figure out what's wrong?) -endobj -545 0 obj -<< /S /GoTo /D (section.8.2) >> -endobj -548 0 obj -(8.2 Incrementing and Changing the Serial Number) -endobj -549 0 obj -<< /S /GoTo /D (section.8.3) >> -endobj -552 0 obj -(8.3 Where Can I Get Help?) 
-endobj -553 0 obj -<< /S /GoTo /D (appendix.A) >> -endobj -556 0 obj -(A Appendices) -endobj -557 0 obj -<< /S /GoTo /D (section.A.1) >> -endobj -560 0 obj -(A.1 Acknowledgments) -endobj -561 0 obj -<< /S /GoTo /D (subsection.A.1.1) >> -endobj -564 0 obj -(A.1.1 A Brief History of the DNS and BIND) -endobj -565 0 obj -<< /S /GoTo /D (section.A.2) >> -endobj -568 0 obj -(A.2 General DNS Reference Information) -endobj -569 0 obj -<< /S /GoTo /D (subsection.A.2.1) >> -endobj -572 0 obj -(A.2.1 IPv6 addresses \(AAAA\)) -endobj -573 0 obj -<< /S /GoTo /D (section.A.3) >> -endobj -576 0 obj -(A.3 Bibliography \(and Suggested Reading\)) -endobj -577 0 obj -<< /S /GoTo /D (subsection.A.3.1) >> -endobj -580 0 obj -(A.3.1 Request for Comments \(RFCs\)) -endobj -581 0 obj -<< /S /GoTo /D (subsection.A.3.2) >> -endobj -584 0 obj -(A.3.2 Internet Drafts) -endobj -585 0 obj -<< /S /GoTo /D (subsection.A.3.3) >> -endobj -588 0 obj -(A.3.3 Other Documents About BIND) -endobj -589 0 obj -<< /S /GoTo /D [590 0 R /FitH ] >> -endobj -592 0 obj << -/Length 221 -/Filter /FlateDecode ->> -stream -xڍOKA Åïû)rlÁ‰“ݙ£¥* -ö s“Öv*…îÖêçw¶[‹ É!$ùñy¾A0ôê¨hž Ömåá­Üî+:3j‚¦"eøãê$ -•ŽC@³ÿÄ~ᤊµ„μa,â>OÕõ2PL¦¶@±f/páÒæe2X.¦ŽÍOâØn6í®Û½ûæxèÇÕsÞæ>wë<ŽOM÷Ñ짫ôX,ˆ0šñɂ%(¸ 8 l'‡åá3·¯ù¬¥Wcgïm¨nÓå—ïðÄpˆçßÑ}ÂmR_endstream -endobj -590 0 obj << -/Type /Page -/Contents 592 0 R -/Resources 591 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 601 0 R ->> endobj -593 0 obj << -/D [590 0 R /XYZ 85.0394 794.5015 null] ->> endobj -594 0 obj << -/D [590 0 R /XYZ 85.0394 769.5949 null] ->> endobj -591 0 obj << -/Font << /F42 597 0 R /F43 600 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -604 0 obj << -/Length 302 -/Filter /FlateDecode ->> -stream -xÚµ’ÁNÃ0 @ïýŠWiõ;N–+CãºÞ4º±ÃZÔ¡ý= ekCì‚zˆ-?ÙÉ«µÂði%¬'¯œ7 ¨E­v ªM¨Ý%ú‹1 †9$ª»)’„ÈÀ4tR?hÍÈìTæăeâˆßÉdfXyð–¬*ÖJ³ƒxŸU pËкC¿%!šqš‘` ¥‹æU[6UÙvÙâ°oËݾKòºÚ×M»}ۍì -Ҍ5†y‚K"3_äñ©Žã“Ûâd&Šk­rF‡âåOŸt6Ä/kã|ßõ7ôŸ±÷¨ûú/Ú­×íûS“êé¨> endobj -605 0 obj << -/D [603 0 R /XYZ 56.6929 794.5015 null] 
->> endobj -602 0 obj << -/Font << /F43 600 0 R /F14 608 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -611 0 obj << -/Length 2204 -/Filter /FlateDecode ->> -stream -xÚÝYKã6¾ûWø¨ÆZ>ÄWn;3›Å‹Yìv9$9¨%¶-Œ,)ztÇùõ[d‘¶lË3ƒ6X4ЦJ,²XõÕWE›® üѵ)á&[+“¥‚P±.ö+²Þ»¿¯h˜“ žŠŒsxXx»\§B3µÞÌyû°úË÷[3’JÉÄúá鸗T:5<3ë‡òçäÝ.ïFÛßm˜ ½ûõáTËR¥uj¶©2D{…ÍØ·åTŒUۄé|mR#™Œ³肹nöÃÎÂÒZ:5Û7vħ÷í>¯Ì÷aÎýaíÇ¿AÞ¼‡ê*)Úf¨†qÀ×í~ŽqýáЌùïAØYg‹êép1³ý.V±ÍXJURÝѤÁ¡S‚3ºSQš!XôA8 g$qáŒ&9>î*ÛçýÕI±«Š¼Fé>op³Ê’7 àíqoú;LµÛÜ-2 ¶DùSÛã ´µÝæcÕlÃ>Ó¸kûj3(iŸm˜ëvț°R؊‚“¼ƒÏNDý‰ª}WÛ=ø!÷qÝ00tÜå.\J$y1Ny]P¾Ï»Gѕ0ÅûD³8;Ųôž°Ã`‡ŒÐ<¨âÔ2sœV qå -,¨ç÷ì!â–ÁÇ­_«:”BôbSHúêqý"b)Nê6̽Uó4Ky&Y@qFR&9bž¦BJI³¸‚|¾o‹Éyn9˜N¥2ódÈhòÖöŸ ¨| -.ƒpŽ(£cžÀØeÄÛ߇”É1hÎ}€£¼œi5ǵÛ{˜¸™[N˜‡YÓþÑ‘?—ûì¬÷ÚfÉËŽLð*]jàŒ>˜ /£_üS‡±{®Jރ÷«‡Uí#ô@?¶SPļõ“†@8ŸÕ”8(0¾~b3Ó+ˆš¾æq ‚ÖOóø·áÕÓÔøúrI)u垙vð>¯JÔEK"K 0$€qÀ7؝°H|!Z36î¹sîqA"Úל…zî5ï’a<¡ÈÔuû§<–¢! ô{‚.8[W)W*f­wI^vPþªb‡jW® ðÛ·G6…§¼|Î!ëÊãLŸhmèX@|dæ-φR× Ÿ—²9ùºt“@¢4ÖwcêOñݱèb?’Âö£¯·î¡íÜé—ABSÍ%½f™ˆŒ`8_b©JÎØÈ  ®¶»ñźÿ&ˆH93ÙM mýŒm©«ßJ†E1Û¸¦d@¶[—Á‡%3ž]q°SKÁ‡!U‘ NeR]'ˆò°uVô} ¦?a{bøöXú`Œí( é6[bŒçk›m‹)åU¡ØM€‰ )ŒžgL“ãF,8AÆÈEÞ]{ p—eäšAU-9I¦R›X -Îz谟-&¸Ð 3*¡ÉõÈs Ť窅p)ÀÕ|ɽd‰NµÒђYZº[EèÆáî²k[Ÿˆ· ®¡ös¼ílÝ9ŒI0&uÚT©’Ƕ<àÈ;Wªà\ÌúHxòÄ$ψɩåÁšKÉgà–¬#PÿÚu¶)+WùO¡Oý²C^’*:à¦ö4Õ8¾F$z‚jà:)Ï=1ëvß8’ޞÜ< ž+ח/•=à£D°ëmõXWí¶Ï»Ýa©îAÒ -#ˆ|ó@_4ç›Øæ¬ñv¯ñÐdÛ0ß%’›hF±ÓRHAêtKqBwÁ4‚º@…¼H#¼ã]‹ÉC‹ ù³#ܶ ýäC¼ÜUÍ·õšØ;GÝS¯é_BO ‘¾è²}á -D’­m<ìpҡèàíƵáGó¿sV­þöpüöÆHh5]S¡S"¡•+ö«ßV?ÿJÖ劬X‘”-Ö/ðÞ4@ -ûUÆaH„Ž’zu¿úש혵7-@=k…aõùR›x¦ Í$l©éñû¨ 8ó”r“J“…{ŽošÂ%Ö¼+·q&R˜§×ó-¾Íêã’_0›CØieÎÍþéñ&\†ñP_B¸ÎX -ñŠ‡È\:4W› û¿ƒãPé¡Kÿú3E›pbøÏðÓכ|N®Á̐mrǯÜÀǝû"ÄÑmÆáFOXm–üøï¼Á™»vg3×êX×.¾8¨H1ºa¾¿ú†Ë}c_l¿?:ÖۈžòÛ7Cô¥ç„ZDôÌsßW¿;Ž•@¿/U9înƒ÷Õìý7ú¹èI¾^ÊSÂY„Øx*+À*}¬yÝôüÌ6z5F¼4\·„Ÿ¹ñ3ýää‡oÛº¼ ¥W3ýÿJF¥ÄPó%$­lqú>õ%‘¦ñs šmñZº´úÍ­¾‚Ð-༚¹Ü0÷—¢Ò]!àÁ²ù/W¿2OÁ@¨0_k½ø3aüõoÃEê~L\D‡ äŒdë0ÉE_¹=þàxZ)îö+‘Xendstream -endobj -610 0 obj << -/Type /Page -/Contents 611 0 R -/Resources 609 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 601 0 R ->> endobj -612 0 obj << -/D [610 0 R /XYZ 85.0394 794.5015 null] ->> endobj -6 0 obj << -/D [610 0 R /XYZ 
85.0394 769.5949 null] ->> endobj -613 0 obj << -/D [610 0 R /XYZ 85.0394 582.8476 null] ->> endobj -10 0 obj << -/D [610 0 R /XYZ 85.0394 512.9824 null] ->> endobj -614 0 obj << -/D [610 0 R /XYZ 85.0394 474.7837 null] ->> endobj -14 0 obj << -/D [610 0 R /XYZ 85.0394 399.5462 null] ->> endobj -615 0 obj << -/D [610 0 R /XYZ 85.0394 363.8828 null] ->> endobj -18 0 obj << -/D [610 0 R /XYZ 85.0394 223.0066 null] ->> endobj -619 0 obj << -/D [610 0 R /XYZ 85.0394 190.9009 null] ->> endobj -620 0 obj << -/D [610 0 R /XYZ 85.0394 170.4169 null] ->> endobj -621 0 obj << -/D [610 0 R /XYZ 85.0394 158.4617 null] ->> endobj -609 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F58 627 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -630 0 obj << -/Length 3297 -/Filter /FlateDecode ->> -stream -xÚÍZÝsÛÆ×_ÁGhÆDï8àúæÄv£ÌÄN-u2m’%ŒA&@ÑÊ_ßÝÛ= +ӦӌpÜ;Üí×íþv!¹ð'W± Uv•Ø(Œ…ŒWÛý•XÝÃÜß®$¯YûEëñªoî®þòΨ• ­Qfu·핆"Måê.ÿ9a^Ã"¸ûîíõZÅ"xóá‡×7ïiüþõL½ýçíÝÛhü‹ˆÅ›÷·ð×k)M"‚o¿{ýãÝۏ4/y˛÷w?¼ùÇ·w7Þ_ÿz÷ýÕÛ»ë±dRhdùóÕÏ¿ŠU~%BmÓxu‚"”ÖªÕþ*ŠuGZ{Juu{õ÷aÃѬ{uQSR„JƒV檊ô’ªb­´SÕÝCAâ횪jNe}O?·MýXÔ}ÙԲõL^|슜FeMϼ趇²½ÐìèÙû¾¹yÿfØü!Ôýñá ^ÿBUÅ_/UjÒÐH\GQÿ¿K§Ê†‰H.túŸ½åù+pŠÐÆñW8 ÷ìÅCÿÆt«µ—ihÆ2웑½’(´i²J´_†Ìu-¥ š±Î7 ³µL•ÖÁO×JŒLt¡ÿ®ZÐod“ÐJ‹ç ¼üwÒ¡5ÜÅÿ‰Â”ãö^ôp¯1·/Š#§±OÅÓ©q¾›w(;(9½¢TB' -·ú]ù=ÛüTæýÃóÚ"FìŸ\]FB'_W—T°› xð˜ÊlS¨®F\üyue,ÄÇ(¿®+±6¦4óÁ…»¬ò‘°=öpqðóݵUAñ¥ç9Ž‰E½­šYìì>'ÑusȶŸŠ¾ûõYŽyý£4zÎ0ÿðª„ ӒҝLk=Nu³”§’4ŒR )πý4$ë³Õ@Ô(ÔäÃQÎ3°«° 9†`'~;d¿7Í>óæxŸí™zûÔõÅ~Ü՘¸dOØĎ²jª‚öxh‰SIˆýƒó äÍö¸‡4Kt¢Â|C³Å—¶"®ÜK¼KYw}VU>sÂTVç48¶ŸŠ¢½<Œßãô ¤®Ùõ§³Ç!›àpÙ}ñ -%g:”…vQpÂÅàۛâÞ1¤Í‘h¯Ç²`St.ÌíŽuž¡YÕєc fxItÖ>ŒYû0=h¨p†“Y73áô›:-åÙdçk@6ƒÔ*ŒNÐ(Ù/à(²ú»1óËfCۑÙuéÄ°@Hõ!u"N¢ñq¢÷{<”ŁŒ´}(·Yõêz‰$ÈË®‡¤ì1Šà yÖg›¬+žšÔ7=‘»ž²^Ññþõ®9ìÙkpü\2÷>k[2"nV÷Å¡.œGM×½™:’³ÆÁ͏ô;Ës>·óKØ?ãà±ÜDz,])Á‰eET÷bsì‡óGLóbÞË (ê@CÔÀ’(g”êüž#yÒ¶mšu˜56HC% -ßV%˜ÞÅî8¨šæŽ-='*%=rÅޏL°¹–Á Á”ÃlpcN³f’f!$§&â4ËÚl*Ðق j )AK^\•<O%¾¢óNà=tZWÔ9KóùXJg ˜mĦf¾›=÷ìC \®•Ñ¡²6ö:§œX“·»Ãhå–!(§ŠÅ9¼h§<°MKç¡ÎµW$X -XªèÐÓUÌ·-Ž9²áÈòѓ‡”á֐ûjî(”ÑÃso˜ûë$ -^ ±c$<‹0q7|9_²­Õ†å}žW³kö'Fó;; -¬´Ä‚T*L’T 
_Œº#H¸Âª‘¾v—‹17ûÍ6e½( ¤V!ý^‹au­¢$Œ5:ÆexU>¼ºðØ]hâ2%àšQ¸•`”œ£^N3.KUaàn$®tñWäXæbñé߁`1ww ˆ â< žûø.},œ³jdhâÈ«ªÈzZöKà‚¸½Ïêò7|ƌ±D=-gö³í–‹Bœh =‰¾vq ””†B"@_NwN6€ÖTÓE‡g–ïËïÌ>DÛ4˜üÐÿBL=6x›¹@Su“ó"‚Úà =ðëâµtÑÎEa•€ñ9”•=º–o~Íðƒox¼Ã{©¥… Û·^&­ - v}¬ÏX0Ú¹w”ð«­á(ã'A…ý·}›ÕKaNÅ -®ˆðNóvrüM½ —J”¿šÛæXåtÞ¦Xh"D°’Œ6Ë*d!C`ka{GR7Ÿ<3–¡ˆaÁÄ3O Gx%™ªdàré(ȂV¤^ôniSR”¬àZ-Qªâ=‡ÞnaCëqÍY‰¡²õ±®9ÐF/ˆ/eƑõ™\±©ï="˜l¯1’ -/!ﺄt˜Ê!âz)3â½;nÎ1Bfš„IES=Ãå\Ü J^P0Öö*C¡{Ò<ÕՒ4ÑX§¾Ñ24=롘Ÿõ£òIL›„iŒæ—ЈYrDö^4á«eüy8ê ¨æ¡ÃÆE€¾Ä$ár=NÔ.{›¡½žñJN› ùÀ•Ò©/~ƒ½–À€C©Í(]ꯤLᎽ™q ïùÉf7p[’È^`{Ê<±ô˜ [Ös.g°ŸqªiD%…ôږpg²p›Ž†TgœW¦Îw™Vr¹C’Ù »! r/G!DAéÇÎQxá÷—ÊEï;c 9nÓ-Á@ -B†Oƒ³qù°à®ié ŽÁtáK4¼ Ý «&÷cT¤Á à±þ…㊠Ûýç›e8 ÀµÓÈxV‡eí¦o¶MµT«AôUƒ€¡ -2”6¾¸/d€$e8Ž£¬ëšmÉ)~c^¤›#9GP³aäŒω1Î+{£  Qir_T©ÑPýø"ëHރ¨€¬óE Ÿò7>aãæãÇ7èx6 -nÏ´ 1Ì)*¡qNÚ«´|=^?ï‰ÏvEán‹íù›ÔL¡¼d!¿”JN¸™µx‡U/01ßmä¨*´!­ZDWæÜÞp•V^¸¸QVT‰%-3¬¾è -N -JÐ}y_s5·[®6¹æʹÙÔø: 5ˎׇ»â0®ö’ÁÅ.bD¬ÙøsÃLê1w¾©ÐõÏ;Š´PµBÙºR" -êi¤`À5”Rñ͒wÊèg۔NÑ@q÷HyQ÷>>Xêÿ"n¹ÿë(܁”pêLGõg¹nd³#:ííOüv´pͱyYÞA jà¶x$F‹ g"^sîF™‰C[ g%MšÅQ<¦ñ ]¢>d|ȶ±ÐpŸ]bsÙ÷Ýl*oÒ ‚õ„Úx{ê:8”=YÊ!½Ø}âÀUç®[êZ-ˆÿ1¹¡8‘Áà¹i¿2zo[úa=™¶9ÕÜDf°ë ˜v|ÒX¡øåw[´ýR7lºVÊÊVé(ÝÊEiEe%’=’ƒÀ®g¡Ñ—F/‘Úa‰—ÃDG¤}vøD›Zj~$îÎ[¥åõs(Á’| ‚„7¿Žž"2öuœÓ–²g„¹þ†î±\¶JPÞ9Vî¨×0î€çm.?ûŸåcV Ûyì;ÅXY]‚ì¡s¶\FŽ­Å¬†Ïý_˜ŽÃH/æ0±zñ?~ïÿŒÿujE¨ûÔ3É0Åþ ˜B½G3Æýÿ–Í9ÿ7pðÒendstream -endobj -629 0 obj << -/Type /Page -/Contents 630 0 R -/Resources 628 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 601 0 R -/Annots [ 640 0 R 641 0 R ] ->> endobj -640 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [272.8897 231.1055 329.1084 243.1651] -/Subtype /Link -/A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >> ->> endobj -641 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [190.6691 203.5826 249.6573 212.9922] -/Subtype /Link -/A << /S /GoTo /D (rfcs) >> ->> endobj -631 0 obj << -/D [629 0 R /XYZ 56.6929 794.5015 null] ->> endobj -635 0 obj << -/D [629 0 R /XYZ 56.6929 756.8229 null] ->> endobj -636 0 obj << -/D [629 0 R /XYZ 56.6929 744.8677 null] ->> endobj -22 0 obj 
<< -/D [629 0 R /XYZ 56.6929 651.295 null] ->> endobj -637 0 obj << -/D [629 0 R /XYZ 56.6929 612.4036 null] ->> endobj -26 0 obj << -/D [629 0 R /XYZ 56.6929 567.3837 null] ->> endobj -638 0 obj << -/D [629 0 R /XYZ 56.6929 542.6255 null] ->> endobj -30 0 obj << -/D [629 0 R /XYZ 56.6929 441.1968 null] ->> endobj -639 0 obj << -/D [629 0 R /XYZ 56.6929 415.1634 null] ->> endobj -34 0 obj << -/D [629 0 R /XYZ 56.6929 188.7253 null] ->> endobj -642 0 obj << -/D [629 0 R /XYZ 56.6929 161.3171 null] ->> endobj -628 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F42 597 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -647 0 obj << -/Length 3284 -/Filter /FlateDecode ->> -stream -xÚ¥ZKsÛF¾ëWð¶TÕ™f•ØÞ8U¶³6S[©$„D”@€KR´¿~û5HBö¦¶tà g0ÝÓϯÒ z‘ºHÙ,^$Y9¥Ýb{¸Q‹˜ûǍ–5«°h5]õýúæ»wÞ,²(óÆ/Ö÷“½ÒH¥©^¬w¿-øñîçõÛÏ·+ãÔRG·+çÕòýÇõçOo~ùaýþÓÇەÖ>Á¹Xf×?¾ååo>}¸{ÿ‘Çï>õ˯_Öo?ðøwåԛ_àGßþ±þéæízzz2­,Šüï›ßþP‹ð§Ù,u‹gxP‘Î2³8ÜÄÎF.¶6Pª›/7ÿ6œÌÒ«sšr6\j’UÅvNU.‹¼5–Tõ®9Á©L¼,ë¶Ëëmñwx´j¹mê¶Ü4é–ݾÀ£~÷Î%“ µ¶QcE[æ‡cUDÛæÀ‹Ï¸û$Ê2¥eí®9äe͜Ÿ÷åvÏ|Êz[õ»¢å‰:?ðÐ-۞—Ä˼“ÄÃ8Ó^vß7måy‘ð•ÅÊ:e&ŸÒ0pÎÐâyqŠŒO­l˜×»9®Yd”1S¦›Í&úº´ÑQš&á­â©@5ØtÜôxHûš¾yãþGuc8d²ô?M]0“‰‚MSW/LßUñw%X§îÁ/XiÊF*1J{Å!\”fÞ¥M 0/d¦£$6ßPr ->悺¾­ßó=ñä-„¸Éüò~T”¡Òå6¯™tȏ<€­·é¦»†‰9ÿ´eýPɛì¾*:YnúŽUe@Vk¼ ªÒâ_}µ»]Y­—yÕ6<;àƒ3 ù˜Ÿ:5÷ò -ÿ aR>½xºÕé²h/^‘xÂá„÷FÞKBîD 6=ñÎGmqz*N-‡:÷€·0CŠrò‚Q~I!­Øiy’g:–UÈeË¿¹ÜO n³HyïÏ3ÅL„fGÁÙÈq'å^XuËk^]ObÙ£+N‡²Î«f6Ë*άÛç0k…´Ïådu3ÃÎûH™”m¿á³µ3üâ$JÂBr_7Uøðª„hÕÁk}n Ò±MÈ}­3.’ ÒhPȞ0ç=„Á¶8vLgS€ Ø4/v'—ø$£l ¶Y×á}ÖnS5‘·ð *aUÖ]_våS1JyæxOÏ蜃mÿðÀ¾Áɦ@òKÓ3‰.ß1ùó»ZA]¶H1c&’FdÖɖ SH-– ï@úéDŒ¾†*‰¥sù×Q bٗ-Svà ÍïJ™m_usñÄ6x -ì(ÏÀ¸kŽåv?¬I6IiùZª…UjùýûoxÄü zçUE®8ƒéw(žÁÆø,Q#ŽrœGµhK!ƒ»¬ËÃã©<䧒òò‘MЦ-³áC«!ãƪöÂ␷¥”gÞ¬m•?ÑjpÕb[å§P¬J„Ÿ‡(¨ë*•xÁ“í :Ô÷suÑDé‚hJ˜¶Çb[Þ¿0?:9‰b÷D¢D+ž-ɖÿÚ5ÓÅã<@“G¦´ÍAv i”]Áñª¡'q–^Ä+*Ðr²Xª[~~.«Š] ABÃDÊæðœócPPؚLÆ"NDñ4—j/&ÿrªµÎ˱QŽ4f õ³ç{‘©öQDŸ3ëHØr+’ËÇêãŠjâÈëØ\"6ðî-ºG ºþŠë±üf1¼r¾£áÂ~|­À5ïz^§²Ë%ñ ìçz†°Ÿ àŒJ0±ÚCñ j˜SÉ5VàŽÈ€Æ°EvLÛ¼ð/e+ø­Š¼•!¾7c"‡cðO~.-¾' #1ý æTP¾2«'ŒGœoB°tT‰è‰ñH>Ét@Þå]Î#¶”¬dCyààFècô…e M–ëÛÌ,±R$²Á#ê7$ƒ$Æ Hiªâ”דɲ@ 
N4N”@¬‹î¹9=2õ>/«^ðÖâÔ,MÛñJr ^·'ß#NÏ ÙøÐGFªhz5—«§Îr‰‘8I'´îsÑ!‡q“,﹄ð)½4%.½x^$5¡ÃsôÕkX¼ÚgNಠÔ»;êOi~Cˆö—·^鸳hŽ¤å©c¾}œ=|Ña -t6ƒôÎ.žEÛœ˜®ý"´†)ÐPÖ'Y >sú®Ø@1çLä 8·ÄýЏÅV÷í°²kšJ¨UùX ¡?R:ŽLêCüìʇ¹øH¡÷öv¨ -N]6ö̚bóg&r™¦Öž'O |žöäaýjúÂuO~½/Jð¥Ø²êW±…–êÂù†¼g#éèêB[zOqª Ñ÷zöÖ`Xµš.»–ðz7ёŽfÔ ¥12Ô-Æp0“Ú1߂ œq‚ü?¨xᇠ¾™iS$ÉU*œ¤ œ~ÆÂ+u)d¤PÆÛæøÂӄ^’$,ó!IÒ^€ç°Jbº¤¤>¡¨K6ºÎæ1š;<í( -`S‡¹3k^S Ôd gh&øäIL½Il9©A’oKHá¨âؼ"8žÎŒ»é²2‘.":ï;æR5ù®™MúìXSuÀ—“,ˆòTâ=@< ¸ —»’šU¤o^øwßòZ¶ ÷ÚAJô…úŽìûü(IE õ…w„àPl÷y]n²à‚i’Žƒx@$‡Ã )Ì’y¸Çb솤Ax“ð0Ç“¤Ð˝ÂëâP3hyޔÚGÐwøó[º±¤½glê"'á…f#ê(õ.´È!z¾ºk¬#§­\e&M "I-FòD<ÉFòÄƉ ‡qv@4%ÀPÌ f’BK@H½ªL)FÒÌÄ!ä`8gq(8 - ‰\ù€uó\ ú›»‹ÐÊE&KƝ lvó¡ÛbܜóäzO ²¡®×˜€äFTŠ˜®–Úb1¢ÓËëP‰T ù -–Úñ S;É´v¬Ç@Ι‰÷XA\u·zI éGÞp[´Â!è·oÃת1ø©Kݙcãâ b{?›ØÅÇzÌWÎgˆBÕòåâ݆û ÜKò<Š"…ƒµ£{Ážçñ'Œy%R¨%?Êbr†ø’€¶’dH²ô !%©;é>‘Öl“ú‚¿rׂ4m[n(]$rQ‰5'hƒßêæd¬ˆSäӘ‰›¿¯çÀ^X 1øÌðxGðžsÁ¿c”(ÝaÇ/u½ìÚ¢’ šC´g{L³ -f²}¿¾ewÅkÑá"ªkŽ¼¸*žŠÙûg:‹¿Q¨³Ô…r•‹?ç?k¥Ï'º÷³Á 4ì±_þJ {ÏtþRâ-©ŠI£bñàõÌF“I8܊ÏEÔéÃ參±¶½‰’عK´Cʜ† ->ðű„€q™°? BBGÏ$3)ɶN.Žq‡•³p^ Žç¦_c8 YšËžÓòr~ÂWI¥„`­CƔß.4Oƒ†ùš˜¤æÙûâ»yÄ<Ž­§[D(ÜO)AP½œ-°Ð4{ -,õ@ž/$½ñŸI:,ºHˆ>\)H÷R§oó…, È8šÊ/>R"<ã7$a RڅÛɧaݔµé¹ÛÂN‰ _º‘o}K ¦è Hz,Š#£áãH:t6ôžH¤(? 
„µRבõ±(äƒMä©|Ë Š>¬4²<|i\ÃΔ âxš½ÕjB5~ ŵÃM |á„RæCEÊË*߄ò= €%ól¼¸jÆï#e^ÉUÖx»Æ¬ÚyþùTR€ -¤„H¯DÃÊhuy¿ÄÄÉÅ>2/­& MO‹žÀ=A;ZT¢Éà²Á›.ߑuÍ}Wˆ ,À¾Ô´ 'þ6Œ¨­}¹Ûõ\§(b‹J!.éÞÅËO\Ïbôd°¶½“ÏX3¯2‘'\ç -À‚I£Ê€:¨lòΦؗtË$dÀ§~FWùڗ².X꾙Z¿¯Gÿ >½m‡ûü!/°:âÛ2`ÁÁ½š¾Ã‚ðoµ‹^ûè¤ñßtfnÚÔð!âÿþo ñŸ¢â$²ijæ¯ì¬Êðkõ *Í]Ýh†ÿº–ü¿ E×endstream -endobj -646 0 obj << -/Type /Page -/Contents 647 0 R -/Resources 645 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 601 0 R -/Annots [ 650 0 R 651 0 R ] ->> endobj -650 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [519.8432 488.7856 539.579 500.8452] -/Subtype /Link -/A << /S /GoTo /D (diagnostic_tools) >> ->> endobj -651 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [84.0431 477.498 133.308 488.8901] -/Subtype /Link -/A << /S /GoTo /D (diagnostic_tools) >> ->> endobj -648 0 obj << -/D [646 0 R /XYZ 85.0394 794.5015 null] ->> endobj -38 0 obj << -/D [646 0 R /XYZ 85.0394 599.0929 null] ->> endobj -649 0 obj << -/D [646 0 R /XYZ 85.0394 568.7172 null] ->> endobj -42 0 obj << -/D [646 0 R /XYZ 85.0394 457.9037 null] ->> endobj -652 0 obj << -/D [646 0 R /XYZ 85.0394 429.0681 null] ->> endobj -46 0 obj << -/D [646 0 R /XYZ 85.0394 352.2747 null] ->> endobj -653 0 obj << -/D [646 0 R /XYZ 85.0394 326.5176 null] ->> endobj -50 0 obj << -/D [646 0 R /XYZ 85.0394 247.1936 null] ->> endobj -654 0 obj << -/D [646 0 R /XYZ 85.0394 221.4964 null] ->> endobj -645 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F42 597 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -658 0 obj << -/Length 2395 -/Filter /FlateDecode ->> -stream -xÚ¥˒ã¶ñ>_¡[4UM|VNcï:;.ïl¼#RŽXK‚²HÎDùút£ )q*©Jé@ Ñh4úݐX…ð«$ Ò"*VYI(’UÙ܅«Xû۝`œCÚL±~ØÞ}ÿS­Š H£tµ=LhåA˜çbµÝÿ¾AÜ…p½ýôñ~%áú×ϏO4~zøÌÐç‚ÔÕî¬Î•îhz²íkµ×{‚ì.ômÚ®§Q{ÒgÕ?0í.]¯»?Y+:XJÒ KQ–""à YêúawËÓÒ]’$ˆ£Hð¾ï`S!׍VÆsÐUïFšÙuŒØ‰i{$¼ÚH)ƒ4ò/~ Yª“ÚՈ›Âíô…KÚsC‡¤–4 C]Ó¬’þ -C_µ†÷“$KÝu°‚$BM§á¶×pUó§í+¢Yöµ[n¯øPClÏÕÆÞ,t7"GëA?¯ˆ—%ë­ä^¬Ï8Ši<P˜Ú£$sáD–¹[Øó`›½|-Öm©j‚2@ZÒg‚Zþ2/7õ”öDBþ{£Š‰ìôQÕæóy(óˑºY¿?ÆUG_౶† 
cµ`„yäi.ٖXÄùCaÝZž,‚P‚_¶ñ~G'ÿ•îéË÷îNÒH‹ÇÚÍuÛ~NK֟áÅÝN8Àá“6ðÊu¥Mº%ã Îcˆ>" -åäÿ÷E´ýÈ4_Wóq€Â1®L©Á$ š]3ˆ»:5vG áˆáý‘©°‚‡ºïhýz‡êîèö]fǃÎÓ4Y?WÀƸqÁ´'~e=Hä²q8åÛÚ,)³§µÒ‡P„úà“ÊôU£z2|Äl¿ÓÖAbÁ6 ½^V¯öÂL¾£]8-õV¹i@:sÚE^Œ§¢D8œÙ5Þ¥ ZL‚¢Hò+Çñ×»i½64:ç3ÝÅ´æÒ´CÒB¬¯kN٘NÐPjm^ú#­¾ P[ÕðªµV¼«’±ÔÌÂZûݬQ¢°ÓS¤^UF3Jeæ_²­b´Hχ?É 'äÂ8rÁ7WÝR”3èÉÔƐbC5|É$`°½O’uÕø¹Žñ¾õËvû Õ/#]»(ÕumYùñü­BâH«’G.xvPê)ÔÉ0`3ˆæUä;!&ÕW®)~jÏoê¼GÙü×úáã+™JJ±7˜!L\`L'!9[ï[랸Þö<ÐèµPmXWÀ˜+`ÂBâmsªuϳ›h™r$¡qÕC.µ#*Æ̶ OŒÓR¢A˜¥ê«Ô,ã,Êf)%€TD苘ÖÚPµ¦_…µ Jþðç ©Ì U,8š°eå„ã²ww¸Ðä@FØ9@ëŽÆÎè‘^ËǍ£>;’Îô%›¾Mi¡!KçQ•5Ùø;N+mÓ´¦¾Lmí Ï4`[í[gÃïg\…œKv1jAº -é8¡‰<b)¢«„†—¤X&Á(tÀ`ǀÖØABzAŒvŠO\X¿¤†Y/(UH2D&§¦›HŒc#âg Fj:”tŽ†ZaÍlñ;úêÕÐõŽŒclò¦Ð1ݛUfL*ýÐfOV° »kÞÈ2ßåTaIt¡5Šó¸ðvD‡FØ¥´o @Vc$ꎴDF‡Î˜‹I9€GöŒFӗêÕïª~1‡[sM#L½ÐJ”=Íæ5/B(ÊTº*"r±·P‘ËHÑh^f6±¶ˆ³õã’P£ÔóóÖ—‰µWìHh¢ˆ 34;²ÜkM‘·Çt!c‰Ë„úâ‚ Ù,+C€ Ï0Ãì@—|¹ÛÞVúNÏî u+ˆMŽU·êxõ¤Êoºç³ú#EáåèšÐæÇ,݉…I9õDäù’Õ‚ù-жc0ÂXk—÷Œ_õ^dÊuRòÈSþìȺÝåê´Qb¦6Ì3Ñ”*@ù^9єHüÙÿþ‚¢é؊$!˜Ž!<µ·}1­BìiÅZ€‡ŽB®pa@̍_”"Ä*Æ:ŒêzIc{ýªëö䣱ý4ƒ+#ÆÈÞgÙÐå* ¹±1¶-à~ÍV=Š{f…w!Ž˜Û¡¾ñºÚ¿*Ó«ÆX¯LB°` -E„©/XR.Wn_=˜Iú~†Æ£:Ռòµ­õÿü,’…ëŸ>ÐÈõ¶“ö2sB`ÕÀAÊhª¡‡°‡ñ mÌHððiÄy&@hýCŽÂÔã{lX¬Õ«¾ÚÀùüfõ -7c®ûrún„u謘+Òi+í{Lßf÷s»x¯÷¼j>µoz,)✌{»B¸ÂNL‰ÖєŠwáÞ6Ü3.¹Ú¸­JžP4…-|×ﯛ×÷¶Šé[ÕµëöÅ'ηÔjt¼ˆˆ¨fË9'g…k¥äí „ 6BgØ ç¹vÔ Z3?p}w’‡ÎßmƒfåÁáÖ/—’’qo9“W=k£éµ€§Ï:é(%£Ù,—Ì¡D$ÝÃ܌âƞ½ðš‘Y^d®|¶—`3„£ØÍR/+rC”¥7í=,î«s!Wüˆåy”_…zÿâAÑL‘Ÿº*µ«êª¿L A0uÀ›ò%Ê=_¼#5Œ¬!À—j'$ue¿¢nØÃçY¾:št†£™Î´{ÝñDo…¤]Œwƒt“^— -öºD‘äó‡÷ -ÈYÊ%…ÂÜÂÑÔÈhÛ=LÜ1÷t!8Žßbeì}’ €}ú'¥‡Ð7d©¸Š„µjòr—x¨î˜æ¨¯œjUºÆ¦2ˆ}¯Ë²wþ`€ô…ÿ -,üúD÷ÿù0þgÌóhü_AÎzÚ0(2é™B±¤7Œ»?)n9ÿԋö`endstream -endobj -657 0 obj << -/Type /Page -/Contents 658 0 R -/Resources 656 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 601 0 R ->> endobj -659 0 obj << -/D [657 0 R /XYZ 56.6929 794.5015 null] ->> endobj -54 0 obj << -/D [657 0 R /XYZ 56.6929 769.5949 null] ->> endobj -660 0 obj << -/D [657 0 R /XYZ 56.6929 749.4437 null] ->> endobj -58 0 obj << -/D [657 0 R /XYZ 56.6929 609.0996 null] ->> endobj -661 0 obj << -/D [657 0 R /XYZ 56.6929 584.3177 null] ->> endobj -62 0 obj << 
-/D [657 0 R /XYZ 56.6929 437.466 null] ->> endobj -662 0 obj << -/D [657 0 R /XYZ 56.6929 410.2571 null] ->> endobj -656 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -665 0 obj << -/Length 1888 -/Filter /FlateDecode ->> -stream -xڕXK“Û6 ¾çWø¨‰UIÔÃ:6iÚ¦3Ítší©ékÑgõpEʎóë  -oÔN:>Á ÓM¿t³+âDÔù¦ªó¸HÒb³ï_%›#Ìýô*e™¼q‘ ƒ•Ùm!vq±ËªÍviäÍã«ï~̳M–Äe™›ÇCX«¬ª8)ª|óØü½måɪéa›I”=üõø ©åqµ«RTK`‰ -Œì„SxóþÃ$ý»2ã<í•ý=ëIõj°&˜IóXäeÆfÊ".ŎÖÍâôa›&Iý,§æ"'63}mFlê¸.³’­ˆ4Îïþ‡A­Ì¢VNé.BCøEc¥ˆˆFƒŽ@£idh²•gEÊv’¶zd×]‰õ¤Ô@h[6׏26~؊¼Š~'èåÀJz0LH4e^#¯ˆŒšÎjâ%m+-:…n¤i\EæÜୀû¼.P'5°£Žtá@ƒƒógìi$÷V{ýf¶W¢n6Oj:ŒSï-ɦד|êXNúR(àÇa£u¼KÚèc‹6«J|÷–h94D¼ÿí\uPÒÎtCœñ@_N júôòJĉœ:ó -v¤ïý9ùö·?ˆÐƒÅ(y•v¼(ØúC•GýDŸŒÎöQú‹Ü®€;2<¤’£zù¬ˆj•<_‰œ óœGN^aR1÷…ç¥wˆ‹6-«ŒôÝâºq·FåîяÍÕXÕ³•Ã8…åüZòtêôžÒ-^óŠƒ ¨é£ÑÚ.3e:°ú¹³Ú¶´eÙ¨CWç$òxÑÃñ¦@ò³ÕD%†‹ƒ7ć¸WƸ ƒêÍ "7p'Ë»B¬¯oGê¼”O]mざ¼ˆÌS†–Œ¡…eœVQ… Ω¥u²††fœHPˆ‘ªYGGÅBášâHç»r»ï¤a½Ü·zP/ âõsaÇÆÖ1-jOô—1(]ààÆÙÒ`ïì_¯¦7&\.À…™N“6Êï¹·dIéq¯ãL„»e ÑÞÐ✽ ‡‚ ß\Ùãf‘=ŸiËHo% ÐF ä€v®­:¢‚§Ék…î0kHºïß³š´2þ<°Á}kþ;ƒ8'Яª§ëÿË¡|”pzo¢´?àY?IXKt됤\ŒñÄBhZ ã|lÙ‹~J’̲¶·ùÀ$ΔëF¼ìľ4Ú¹öIƒìE²º7Ù(À¸^¼ªm]LC,²xGh†µ‚³¬M -͞3_·F^¢vß2Ëm @=¦Â­F́4F€!g,©£ï֋Húԅˆ‹Rφ´‚ñ¥É{ìÅI@Á®!šë8ìnåè$÷ØNý;+ß‚ÇO7Œî®:êÒª‚0è»áª¼›ù|ÒSèûþ”œ(’ ‹®ó Ý9.8 }]YàIëps”V·s ’¹Ççùdp#Eí[šƒN"wy‚“¸YœpÅ3ÁnÈÒÄ|òŒå‘!GC´Â©!㶃۳,x“ô^BÊ7`+^è¡QPGÈÆvt#pý3À¿R^¤6?L*2»<¼<(¼ÀÛú¬›Yò[eÑØÂ,¾#üSc$×>àHêgw†¨¼R)¥ÜeO½D’E'xxNDJCs˜²8¦îáRá6÷Ý8&RhHfž¥ vëͱ™ »3ٜå`å‘ ».'Áÿ!žD":dÇ =òÿ+½øÌ^ßÃ1G{Ñ\8¤Þ²ípƒ¸žøÏO9l -½z÷þËòÿP‰"Æÿ»Öþíò"ۛ ýÕµDg(°±È’`Ý«^.þ7ûzµ;TÃendstream -endobj -664 0 obj << -/Type /Page -/Contents 665 0 R -/Resources 663 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 672 0 R ->> endobj -666 0 obj << -/D [664 0 R /XYZ 85.0394 794.5015 null] ->> endobj -66 0 obj << -/D [664 0 R /XYZ 85.0394 769.5949 null] ->> endobj -667 0 obj << -/D [664 0 R /XYZ 85.0394 573.1436 null] ->> endobj -70 0 obj << -/D [664 0 R /XYZ 85.0394 573.1436 null] ->> endobj -668 0 obj << -/D [664 0 R /XYZ 85.0394 538.4223 null] ->> endobj -74 0 obj << -/D [664 0 R 
/XYZ 85.0394 433.7668 null] ->> endobj -669 0 obj << -/D [664 0 R /XYZ 85.0394 392.81 null] ->> endobj -78 0 obj << -/D [664 0 R /XYZ 85.0394 329.225 null] ->> endobj -670 0 obj << -/D [664 0 R /XYZ 85.0394 290.8035 null] ->> endobj -82 0 obj << -/D [664 0 R /XYZ 85.0394 191.4678 null] ->> endobj -671 0 obj << -/D [664 0 R /XYZ 85.0394 156.6041 null] ->> endobj -663 0 obj << -/Font << /F42 597 0 R /F43 600 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -675 0 obj << -/Length 561 -/Filter /FlateDecode ->> -stream -xÚ¥T]o›0}çWø¤áúƒý˜¦´K¥¤)MSׇ4¸ÆÇÚþûl¢tOŠÌ=çúúÜÃu0@êÁ€ùÐD€@x!ÌÀî`!°Wܝ…MŽ;&¹Ó¬ëĺºõ PøÄÉ뤇ˆs ’ôÉ&AGU@v¼Y¯"‡vÞ8.aÈ~X‡ÑÌ <;Y¬î4“p;.¶ç_gë$Œ4EL¡ëÅÊìÂøaÍÃ1zÜ,¢p®’ØyNî­09ö0í#Ú7ðÛzzF UíÞ[RÁxS‚X–Ç(d¥#’[±õx,8a‡­Ÿú†$TytiœGö õ9uŽ Hx@Fç#¤<骪¬[™×*YoÛ¬ØÇ>šVš¾cU—N>.áÐ -.â¹ÚáñÑ@/°…vå¡ÊrÙèh[¤ú¥v¸ÝN- Ãê%ßÖæö^j¶è/²ÖTùª×M‘½»yöˤ”يmÙg'žùæ0fgEZ¾M«D¯W}›}cCÁ˜qJ™¤fƒ*þ¶ìEøD•ìWjw•Û–nºm¥Æó¬i53ÈTH3qWÁZW󥏘ÝH©áö§)…³›e¨Á‘ÜàYq–¨^ÊÊ)ÿÈ\ci6¸&wmYhVËÐûÎzÓ÷ç4ìB/MÙ 5vRÇ©j¨Î^º6+ ø¯±§ ö³úɐªŸqò¿¯Äé 圜¦}:•„#(zÕwÉ/„WçRù_`éendstream -endobj -674 0 obj << -/Type /Page -/Contents 675 0 R -/Resources 673 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 672 0 R ->> endobj -676 0 obj << -/D [674 0 R /XYZ 56.6929 794.5015 null] ->> endobj -86 0 obj << -/D [674 0 R /XYZ 56.6929 769.5949 null] ->> endobj -677 0 obj << -/D [674 0 R /XYZ 56.6929 744.7247 null] ->> endobj -673 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -680 0 obj << -/Length 1190 -/Filter /FlateDecode ->> -stream -xÚÍW;ã6î÷W[É@D‹¤ž¸j³y )‚1pE.-S¶p²¨ˆ”Mpÿ=C)Û» -.AŠ.D‡óøfæ“EW üèªÌH«tUT)Éš­êÓC²:ÀÙ·Ôë¤'YÊ9lN㌗$+Y±Šo|¹}Ø|“²KHž³lµmf_y8\Øb0r\Ç,K"¾þeû=^KIQÔ^KÀENhŝþâ$Qù'9žÃÅgÕHv˜FaZÕ{3|U‘*g¹·’S’EêÌ|×ÃÅ*Ì±ÕvÅ#-kwՉ/ŸÃ¸¦e¤Îkµ{/ÓêVÓá µ‘{´Pß¡QItª?x«­9¢êas]ÛK¯Ô¨ÌQ¶#Ê&-É:NS½_W,’ÁœV6=›¥¤Ê2æû½‹Uj€%¿PC[ãR5øDM¡U/vWSƒOÖZÓö2—ƒ¦„§9ó@¦”äIE_Nè:¦Iõ§!{~ Ål(„ì qJXî ͦž¼Q!ŒXõÝ JÞT±Ð,³ý…¸l- <Ïâ®S—ÖÖÂn5D Uíüé«Ú¡Ð¶†}ŠÁ÷Á0¶Â{pÛVÍ)x#wñZIïâuþ|·òÜWÛ -¡Ä¸ØyýºkeoôRÛƤ(fÕ>Sç9³áƒÂСgr–FO×üu’ckûÌnÌã„;5íÚÚZ -®Ý‰ÀÁ ®vª“Fmo¨íµ<ç­ 
כùØò²P°¬$e‘s¯‹mè:1ÂRÊØrOC´g 8SJ£/^µ¼žÛD66øf÷µšº=.w^ÅMž¥—úܜ•©5×ù°íH\„Å稌¦Nj?(Yq߇hÅÍK’’dÃÒw÷ÂâVøéÝRSbµf›VƒU¤,‹ê^oߎPõwšiꍎýîÑ:°Â€Ð{5~t5°›ëÅ¥Ünúê6«ê}èñbdËy…X~ÕÙMˆÃ#4˨½ìÜ0ëæÚUëè;¥†¨?zÀюŸÊ ð…]ÊìwÕ{ NtÛ>¶÷‰ñøYÀÍË0Go¨q1˦킗NÕ¢;*m¤÷øn)¦^™¶ñ@÷êó˜.ð} -ó:ó= |ïß;O“9ª¦ÎÎö¿¤}GÞ´rDïXF÷-˃*–ž•A üXˆÆ*ÎT:æ( Jƒ?W{»@àß^™ý|`,] Ž4ÉHÁୈ„(s F ‡w€×Àèo!¡©8+½ç ¯÷\'<ÏuâìáÅÿ!wT:íöê$Z_¡¿ˆ™Be“„ç!føïâ^Ž­¬ào!¿m‰CÁe5€B=—Òÿ1ëˆþåJ8q™ÞÇn´«ðœb/1ufi> endobj -681 0 obj << -/D [679 0 R /XYZ 85.0394 794.5015 null] ->> endobj -90 0 obj << -/D [679 0 R /XYZ 85.0394 769.5949 null] ->> endobj -682 0 obj << -/D [679 0 R /XYZ 85.0394 575.896 null] ->> endobj -94 0 obj << -/D [679 0 R /XYZ 85.0394 529.2011 null] ->> endobj -683 0 obj << -/D [679 0 R /XYZ 85.0394 492.9468 null] ->> endobj -98 0 obj << -/D [679 0 R /XYZ 85.0394 492.9468 null] ->> endobj -684 0 obj << -/D [679 0 R /XYZ 85.0394 466.0581 null] ->> endobj -102 0 obj << -/D [679 0 R /XYZ 85.0394 237.1121 null] ->> endobj -685 0 obj << -/D [679 0 R /XYZ 85.0394 206.4074 null] ->> endobj -678 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -688 0 obj << -/Length 1948 -/Filter /FlateDecode ->> -stream -xÚÍXëÛ6ÿî¿BØO23|I¢.Ÿ6¯v‹d“sÜ.Š^?h-îZˆ®$ïvïÐÿ½C)Ë^9›Þ¸Â€5$‡ÃáÃy~,ˆb§< ’T’ˆ²(XW3ÜÂØw3æxži1æz¹š=ó %iÌã`u3’¥UŠ«ü—PAæ †—çïßÌ<¢á§7Ëy…?ÁǶ?||³<Ÿ'2\]|¸ü4_$4•á«ïÏ?®<ÇÓ2^}¸|{ñݏ{9ó_W?ÌÞ¬†]Œwʨ0[ømö˯4ÈaÃ?Ì(©Š‚{hPÂҔÕLF‚DRßSÎ>Íþ9Ú©“È1J¸”C%#èTL"EUD)‰ºþa«ç‹˜Ò°Êº^·/̖@î‚1’F·L7Eé˜ÎÊf•›¦ëI«ïÎ&¹ë¦/n¿neÁS¢T’zN<·?&ç?Žs¯ÜšYëˆ~s *ҝnï<}Ó8BÿžUÛR“uSM­ðï¦öûqža×ìŒI}ÿ*X#á$¿>ûân/>ºÝæy«»NwØlnÜ6ËìNwìƳ²lîuîjÜ·ÍêîF?nÊJXN™Äõe)',V \NnÈ3D$_qø‹ÉUþ¢ed'@:6‹ú–<ÆØ4¹Ïž„foV‘'­ãP>¹þ|l!ìKrhÇ[;uO&TB®ÎoÏ~F§Ì_`×Wœ×ó·’L!ÁÇ…"N8S©sÓ|¾`d½k²]êˬÌêuQߺùbä°`:W$NRtUçó…2ܶEUô…9hӄí Y(LOi…êzn›ë¬výgdëM¡ï´ã.ܨu3†xmâ„å@þ]7Ȫve_lKÇéTkçL…zÝØoÞ -:ýÀ²¦ÜeVi2 $$\ف·f"WÂ_àgÐJyXܘ^>4sîÞX»7¼ý•Ð8puu…ýƒÓ0û¢ßàx­ûû¦ýŒÝÆ°ìdt?f¼¹Á!1æǜ®Éݼ:Gn×-žMú@JP¤GÍpíÖ¤2Û¹S¡Oã°ð  Yip\Hö›ÌÉ^—…®{×}_”¥ënêZ¯q–æ«3¿Teì¡vË4žè7ª†zxµ>§Ù•þÇqZ@ZPˆ2–~]^À ò+¥ó‚ÿn–×c¤ëI pYŽô3E-üž"fDĒ IÇÁV‚P‹8@ 
M,H—`òó…T‚…«Õ;cRI¾zwþÉÞ·„‡«Ÿ?B -&Ã¥îš=€µF—±ŒÛÿ¢].áŸaûuÖgÇ' x­˜FÁXÛÿ 5K!ɬüb*S"iz"ó‚oMÓ(¶ÞßßCöšp‚¯6ÊDxq ]’SãžbÊÙp‹O£³_÷ۂóM N$òb5‹ 0 LÂ^àD¥…ǃ"A¡{_v”ÑzcTxDdªâ§PðM•sVO£"N£2Zï[¡²/rþޑSF̸4’¤ÅÖ£¢‹')(Ì ð)á„ÿó!‡dŠBFeq¿Úh›káãÂnSڜÕôü¶Óm¡;l¸ÂDwÝéñ”!lB`q¾¼¸|ã.êyΦÏz=©Üêu~°þ¶ñ68"ï^Ÿ/Ùd~t">Šè›»ñ³ƒ„Ól²äõÆþú3r8 ³…ÅþRqb1(cí­…¤rÑ´9Ö7Ç7’(m‘·Û]wæ*Thr°„=æ“KÁå(ÝìfÛ ìÄ*Æeê5–°›2I¯>õTÄÁxTlSBjo$–S¯c#ö/8ÇdTY.mÆÍ9?ŒàHîœ&I<Öç‘Ó˜¾¬Æ#YFb#M¸ÚjstÐãGê¦÷,ÛmÓöÖV¹;)èF'g¨Ôà˕³bèhj{ǁBóåÌΈ«Üh®»u[\ö¸/-”LŽ*ã_ð.îfw`ÞÙu‰•ÛDÝ+aRø×IWöbÞk_Ýó„}™Üê6ÛÕ>R¢,U¸àÃK'sÒVsÆXØ4¥ÓÉF CüèÃÕ\$!Özã =­ÆëLWpUO•á¢—UaµÑþ¦‹ 7:¨¦Û¬ÄFQƒOÙêº38aW^d·5øµbm╂ -<¯ŠºèzÀ—hƒ NÑ7xn¦Ýã^-Çߏ¸ïÆ+òÐ-&Ë3ú¸âㅱÌæ?  Lì1h–eÎÈڍ™ƒu®1šëÝímáûX j(ÿüd¹-°`ÿÊÇ«9”ÏڋAÛóSv¦aM݊.º©(ÓA[àiM9¹™˜¼Ã4x2õüÚ·é½S’ Üŧ½Á)9¥ì!}¤¹Ä~¬úŸ> endobj -693 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [55.6967 208.0574 126.0739 220.117] -/Subtype /Link -/A << /S /GoTo /D (rrset_ordering) >> ->> endobj -689 0 obj << -/D [687 0 R /XYZ 56.6929 794.5015 null] ->> endobj -106 0 obj << -/D [687 0 R /XYZ 56.6929 492.2203 null] ->> endobj -690 0 obj << -/D [687 0 R /XYZ 56.6929 453.7474 null] ->> endobj -691 0 obj << -/D [687 0 R /XYZ 56.6929 385.673 null] ->> endobj -692 0 obj << -/D [687 0 R /XYZ 56.6929 373.7178 null] ->> endobj -110 0 obj << -/D [687 0 R /XYZ 56.6929 177.8714 null] ->> endobj -694 0 obj << -/D [687 0 R /XYZ 56.6929 136.2124 null] ->> endobj -114 0 obj << -/D [687 0 R /XYZ 56.6929 136.2124 null] ->> endobj -695 0 obj << -/D [687 0 R /XYZ 56.6929 109.3045 null] ->> endobj -686 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -699 0 obj << -/Length 2677 -/Filter /FlateDecode ->> -stream -xÚÕZÝsÛ¸÷_¡—N¥éÅA°O—Ë%×ÜÌ%×ÄiÒ̔– ‹w©);Îôï À$EJÎø©ãàò·ËÅ~f3 -l¦SBE.gY.IJY:[î®èìžýtÅìÍ$ç,Ku -¿rL6È‚ëær[4ͨJI– -9ýË*$·•KM|6c$=ýÍ!]Æï;ä§ä²rËÛiFãJùÓEù­o™ª½¸eŸGâ5ÄƜHÊ!Á@iÁ¡øzÌà©Çæ¢EˆŒ¸lúqÅYªܗ!z´ÅïflÞI,´Ç;B}ïM„âZVgÞ±Ša×A‚æ®îF±~NìÖ“¡´¸+ÊmãžpÍ°ôÀÀù]¿•œ*B€ó§Šåç3lF¤Áí'"î!|MV5©€ -˜ê UM—jºª‰TÝ*µËԆKÎ 
`œÂfPšÎðÄ+³.ŽÛÖn¾€¨ÅÕe]Y· ¾ucÚ{c*|´Á¢–mYì« =“¢<ÄT@4°7¶H©Œ7ÎbµB³nŒî&”¾eë­s}¬–Ö, ÿéÖ|ƒÝx 5_ZS­Ì*¸u»8óI ð¦>™ØSÊ U°“ÏH¢]ŒéÄ©.&v™ƒr¡KzŽL]ŒéÄ©¢ibxOŠ—«íáúþ.Äûd9–E8ôh<"ò¼ÛBFÄ·«‡jU·ßØ^œÈû˜¸†):ù×e¼rg {BŽóïG ÅP&2ÑÏÛÓJÓ<5žIïv_]C;’ÜÉr͟Z=}[97Hé¶baêÿ6ïMnF[|Zâ“<³§@ò|âëRM'¾H5Ä̓AUWIç©ÍjÚgš.=ö°îÍí¶¾¼6~Ä3˜Ê œÚo'Rf«7H¸®Ñ„™?‚‘÷è­qŽín–=Ú,&a4Uy/9ô=[çÁ(aäŒ~%qVµÂ…û+Zs -ÑWðXèöh{Ѧ»ä¡n¾Â¡=aDû…‰¯’qâY‡ã`Ï »J¹ò4wÕçʝ.Ž.škQÅ¢Õ2¦ü€fÝéÐsç½0Ý<ì"E‘ÿ“üٟhZçl]ðÆ@i¿º„ä½‚ÎQtÕ©êGBL§Ædfü h4¨0“sÜ®#ÐI<< “0²Û_ŒGv„ -µ#÷‚+ÏÌ.¹Qø}lHì¬'¬#[÷BÏã–jü½ñO¬ Ö֕,¿r4êӒÀ°Á_T3 ·Ü>íl‹kÖ´?ë€gè£î¸fq3où§{³,-²²ó» -#¿UÃ¥ìœô­£e0fÆOØGG÷ãÑê‹aº°¿®Ï³”Z;Gà32’ØMZKÿ&žPÃ`3GÕÚû¤M4Ý×ە³)îÊÚIdϸ¹žß{¤•—¡ª=-âÕ -ÅðEàð{» åÈm–&™Œ%â¹J&•…S4¦ý±1ã7dh¿á¸Š†Ö+2–0‘Û®SÙ$F”d²sõÈýÕã‹Õ®¬@•‡"TO½~ÄÆqìýpãfkámñ -ñPà·æ6žøï‹CÛ¿)ˆí<ÔӐF½…Ÿ• ŽÕÚLf„ju¡ÖîRM×ڑ*8Â*YnÌòw°ÄõIÉ­R5Y~^€H5"A¿)HÌû"Lž71;’1ؚ“Œçüô¢Õ·RöÕf°/ÍCÕ_†{rZ8ë“ñfØ C&äPœp¥ÒxIGùvú>Æ^ÄjÊÄs*¨.ÆtU©.VuŒAŸcK¥çÈÔÁ˜®ê"ÕØûâî·»¯gOF˜bŒZÇ8s0˶ÆK½á)$Š§ì[ïEÖåÖLœ;€kNU÷¼`Ìy50¦ê¼ë>ÒL;®§hëk]™S·…’LŸciNx÷]²¼ËüœÃêS‡ VÂƉ'9lÂhӆ; t¬xõqêÏñ´$&Ø%^O_Ž¦Dpö¬kȈpæbi¦ÝÐo¶H‰ý¯†4Œ=ûŸƒÿg -LYhÍǍ@P†žgA(+> endobj -700 0 obj << -/D [698 0 R /XYZ 85.0394 794.5015 null] ->> endobj -118 0 obj << -/D [698 0 R /XYZ 85.0394 769.5949 null] ->> endobj -655 0 obj << -/D [698 0 R /XYZ 85.0394 749.3395 null] ->> endobj -122 0 obj << -/D [698 0 R /XYZ 85.0394 221.8894 null] ->> endobj -704 0 obj << -/D [698 0 R /XYZ 85.0394 197.4323 null] ->> endobj -697 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F77 703 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -707 0 obj << -/Length 3116 -/Filter /FlateDecode ->> -stream -xÚåZK“Û6¾Ï¯Ð-œªŒA‚{ó&vÖ©Z;±'û(ÇŽHiS¤"R3–+?~h$Ň¼Éa·²¥ƒ°Ù 4_?¶¢ðc+‘(áÉ*NB")“«Íþ†®vðìÛfi֎hݧúËÝͳ—_%$‰x´ºÛöx)B•b«»ì} ˆ ·À¯ŸÿíÅíšK¼{ñöVÊàïðgúo¾ñöùmw¯Þ¼~w»Ži_ÿõù÷wŽâ:¯ß¼~ùêÛ;>·î¾»yqçWÑ_)£B/ᗛ÷è*ƒwC‰H”\=A‡–$|µ¿ ¥ 2”7ïn~ð {OÍ«Sš %%R†rµ!Q ŠŠE$‘„ö‹æ͇†LH$¸ðʗqOùŠ™$rå©´ò«tŸgëÍC¾ùø¹®òÛuDið~ýüËã7\o£5õìeÜçÆbØ7=#ÍeS¦MƒD‘M0…]Ò{Êâ՚1’HÉ+÷W§ü•´ØUõ1GRöHCFT(ן'˜qGqh žÒc5Á… ’hSÿB.Û´(aVln«Õå"«?à"{öNÅC?àù¯òû˜Oùu¦„RÑ;ƒM½ß§U6ފp–87wÕ 
,02þҒB>LãµP!}Ì4”D%ñ˜éàDƒkœ»U FÓ&X4-þ#ÂAO]QíFçÎYiDa'T̯˜r -MYM™²£2¦œ—uš]Še°ÎL~Y®§ ¨ƒ…a%¿EÉFpD~¢”ïN‘aP”VCZϦ¡ãƒ†Ì©IÆ!x# ççÕÔ§šW“§ª Ì,™·zыš‹ôÞOp1Æ:•¨Ù6ËÆÙüc‘?MÍex¤Gqà,Y/ëÒS•9ôm Ÿ$´u ÍþÖûC°+óªÛäù=Ssy{T {ì¨p·Ç¼y˜ÚäA¨¸´É>Ò½º=ÿå]9ì lÕ¢6=ÕX» °Ëh¨Ïw#g'w‚?{øÛ§EÕBT^m<ü«-°0Éå[èQ-؂£B[€³j¶ÎË6 ‚¨ZúLþa…è&fË -õTcÍ”PUú¶Séâf[›ÀP~A»O!°ÁøŒM„à¬á°FË6ѧš· Oebãcžvõž?$JLÀ„6,YVª§kuh'Rð¡ZߝšC®Ý»ap:di›7ØљþOñ/;CRVl°ƒ°°–7ù˜ªêî¶ -ËlŠµÍ{$䢢K¹ÍI)ϵGJml¶R“`AÃDv ógì48÷<ƒ©„2†$»hü«˜ÉB¢ÄSj9åYÑÚa“¸Âÿ}îȲ|ø$í¤c«ª{àlbkÐý ŸEÕi=‚}ޟõ?Ó:»…œÕ}$Ò³XðªEâ´ljlmÒSc´¯ÛiµÃ䜚ƒ¨?קc¥¥;.RӔ­euo ›3༝à~m©lnN‡Û`÷šsòqWà=™ºã£Ch}å½í»Ç£Ù-ùyi_óF¤;¨ |7mÛ|0{OlnÍéÏ-èÇNëé¡('áÁªC3—XTûœWóðE!+ 9»_=ªørT8­ôi¼†€ò»âØÿìr!ê¢F»@v¤Òé@v ÓUzoŒ0”t鎱HøOñ¯ÛwݏzV-” ª°´CUÝ=–± xseB‘PÑxʨtP-„2 §B¥‡6Mã¡ :¹Yš>?<‘Øà}–=6lAküGf6Ї=±]•}'½¬h>þ šL6­¾Õ‚ò•^Ã/§üx.ëypZ”܁ÓHô48 dßÝ&<¨w;“à°碛p:`àB硌?Œà }õ¨Í³`È$GúÐaeíËù§CYlŠ¶<ãxVàÝ´–¥réÓè;Åš˜×]áÌNL¾ó—.«õç2ê*ÎҩϚŠDaâ(5¨Uy99žJé §¨:㚀±˜„Iä¼¾ÓßϘˆ(é>„m:@@ºü¾r÷uÕÜÝ!ÚÑM°– èÄÅ/³FÎTH’«FÞ§š7rOenĜö‡ìÞ}cƒ€ý×õ&Ý<ä¿®5~}˜ÏÝ @!"ö‹4‘!&„L„FW.>ª¿GÓ+ õTã•÷‹ÆàwØÅR¿¥‚%DZ-(ÄÊã€ÕW >3«·m}ý Ë·é©lñþ€~ÇDúé3ü«Ö%QpI"d³.it™™ÐåW§qhfÒ/ŸaÁ€Vv£³7F1{ë…÷¸ýüôzêRÃǎyl'¶ °P -áòcìQ-££BwUüç㑍0ÒE«eùžj<!îBÐ,℠gðÎÌ@gŶè¤zW1têÅE°O?·,0°Hu9ΩNS›Ûºaá3¯Zì÷*[ÊVÝP ¦£§ÝtGª|­H· p á!Þ¾úçK}}€»ÛH†1ä±iñI!a†ãÆ™=zÀ×ÀXìOóÀ„5}J_ñÓ£öè ӌ!Áú€ÏŒùi±Îü@gî=‰_Y{!g“cfv™ÙМq}íéX-˜¨Jà,²+Ÿd{DóêˆôTÒ²ýû\ޙç¥ôiëì‹Gãä`‚¶:É»À -‹=(µ€ÍÑÞbç jo„ú][ú5ìzF¨zKÞ+XŠ ¶²Œ½M™#î™7Bˆ1óÑ k€ºiJ²,´§ œê¶5@}ÜÃLJc)C·îíKöæUé¸t>¡è Ùwµ#Ô ëêȝ4+ä(Žx¢¸Òd‡ aë :}X^®€qw Ó? 
-øÚbüîΘ˜¾Í> endobj -708 0 obj << -/D [706 0 R /XYZ 56.6929 794.5015 null] ->> endobj -705 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F77 703 0 R /F14 608 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F79 711 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -714 0 obj << -/Length 3636 -/Filter /FlateDecode ->> -stream -xÚ­ZmÛ6þ¾¿Âè—óµÂwQ—OIšä¶‡K{Iš¢o8hm­-D–¶–œíÞáþûÍpH½Ø´½@‹…(rć3Ï Íg þøÌê„ÉLÍÒL%šq=[n¯Øl co¯¸§Y¢Å˜êåÇ«goŒ˜eIf„™}¼Íef-Ÿ}\ý2õ·ß|ýþz!4›Ëäz¡ ›¿{ñ×Ôó†´ž -¯¾{÷ææíï_\§jþñæ»w׋”e -¾¼üíwß¿¾ûpýÛÇo¯^ìW1^)g—ðûÕ/¿±Ù -üíKdfõì^X³L̶WJËD+)COuõáêŸý„£Q÷iLs0œng  †Ë(g -t¨RЯâ‰PLôúÕv¤_Π­Ì¬§Býv»|Y®•Ë,±Rf³ñ„Ç|Õ1_%Ç|•J,×bÊø¦^Û¢îhºMA¶Ø})v-½¬ŠÛýz]Ökz­Š/EEÍÛGz6u‘-!(%å,±ÙEÍ Tgç‰&z{ö&ÍF´R'Öh ó# {(Zª“¡)-‰6Õ­e‰±ÌNdûPtmT£pÔü/õÚ5ôÌkzÜWå²ô»ô%¯ögô ҀYƒþÎ+|LvZã=.«nâƪy’ÚŒ_਎9OªM’¦LMYÿ¿4ÊÎèM£—°æ’ÞFdgô¨Pø»jßnNñó|û#~Ä7~Ä'Œß ã⠊[æËÍ9“â …æê’jFdgT¨zÕÔù6v’Á„µ™?Ɂh"`‹7~AÀ@u,àT‡™N¸0Æu¸.¿þp:Á\ëÎùÓfû§õ­maZ‰ ú“ÖwO…«i»¼Û·GŒ8M°à<ã@uÌøà³$̈́rþ¦l陼T,ˆáÚÍvl @-¡Õh^G^e×EX(‘àæ5ψ¨Y’J+§’üç“Žpԅ7ÊSŒîOý,_ÓÞ>lÊåÆ7'Ç3¯Úæà€úí荨Ž‰ª!L¥F×ªIt–Iú°³Éë:@¢m³*¼Õ æ¡ÖØì^€Ï´c7weSc'ŸcÏ5€E¯hìHK«û}_z—P\ÎÁΗQ8 ÃOаöu¹ì'í”݆Z䰁*„Nì Lò= ×~ŠzB2÷%®„MwjU®Ë.ÇõJR¬kˆ:$*DJ`”w4JÝîˆB?Š„½9½¶›Ü¯ÈOUøÔ©Ã=–Æû|7á°Å@è¼<놆òGêè|Ç=yß/åÊ$’#&4Ò¸¹ƒØõt½„HƒB*\ožÚm^[¿ Rmw”¡7)÷]Õ,ûÔü®ÙQ÷åØ A¸Ddê‚Û‰e&ø¦ˆ\ÊËEí²¥9t:®O¤‰Ô= |VtËgÈ-Ùî",-¤îֈþ4҉À ™ÚÉí×­²>áÊ+v`÷H¼ÕÔ}Þ}±,Qzg0à÷AeƒÆ& ҕ`Á%-¢'X%J±à‘š{ä{ÆÙüæn˜ü T1a´W'´§H:îš}½ŠÅÔ>$ÐìÐç &*AȇҝnƽkÃVÕ4Ÿ©œÙD©J´áæhK?±`ÉRë©eš¡eâäpl -tÇ, Xp©‚Õ´-šËªÜEæ7ü·æa9yK“¯ -Ôeí¼ã…Ð[䧠áâ ³/xKŒ†09˜·û²BÛ@_•»`zŒ¯`96X1áåñB8hÛ šÚ =¥¦½ž¼!xOÌ×E]ìȁb·+äÀswmçûºö€ë0ð(ÍÒÿêrí2!øz‘Gd\…SH‹G•¶Ë]y[¬¼ÖR™dBYÌö › q*Àçhp·žQãýúÅøƒ<š—ŠËáÔC2š¨X%IÆ'òDKIŽê’G³¹¬€Td@ù\ñ¢É®œ÷–ƹè-i$åCFyë4‘(€TÁ*À…Vx¶å¶¬òÿ¼!BŠHØÓÜÅ|™†#¬8¥é«SYgx¾ì€`!ä|qú -¸SHqojŒÉ´ÄýÎ[ øFÉM6=c˜SºZf‹AÙ¤'¢@ýŒñ‰[m#¢JdÁDZãlCI´Ca†¥éS'ñ`'" ƒøšéKVe}¸ðùol.M…-t†¡¬ ªEWšÆð El`ð` -´ò¶m–%†J‚’°h+ÏON²OÌÔØ×҈CDø$ÒtTƒ†^Q±åá´uüHƒlð²-òÚO&½ ì{ ‡ž–gþeãúWa!e:fª #\rˆ3üÓ!À]ғ úcÔ&aótfôe£„ìTö›Ü˼39ß8ߚၥ5ôº¬ò}[´zô4¬ÁCÀÅIC4€Øyƒ†ØÇæ;¤D¢!é9€£qã†À3,;̊‰RlZ•¤V’˜|Óã0›÷,™HLŠ÷=ãí=©þ,3½tùg—W@ƓÓcÓ¸r´|‘‹¹ÃÒH²ZùT$|ã^×{¿£Øã² -hὧ÷ÖÈ¥?+˜aù< ø z 
aëÖӁ_îò%…}xuu#”®‰8öEXÝÄË.ÚX5cvb¿x ”žzœç¬h„(t±*”¨·*ý•ÒQIïáRñ4 ÷ʬ8Ø­OÝ×nµ¯çP⯟gÁw¿€²óߎ·ÉçLÙ#¦Vã¾Lõ=⫃ZðÌc–‰Uˆ>`œ*Y"UzäbÊR¸´O<7i¢… ¼‡”Ư‚T ÷9u5ô$Ù+or.Õ£Àj{¾›f_yM±Ö€Àèř*<ÉTá¤J ÁU$r^¸QýmT¨Hn”6õǜÅyº]_}ñUӘªB»yBèæ¦÷ìÓÝÂ` àX  î|ˆài_Û;iœ©XxÐCӎ¯y0ôpCÆ}RËç3Vý-oDžà0V*/eý™ÉÂæRℓj8} 4qŽ¬È$Ìp5ƗqEg™4½Û(æ7áÒ°}¿÷‡·Ì"-ži®֊äÂDV“K}ªòay’âç6«÷r0”aS·šØ ¨$7Bz`0éƒÇ&ÞGOŠæâ•0ü¼wð¦ÛÞï?­/& FVç¯ÑG©ã(ÂûKÍÛ¼-ÆOZÔËfâ-)\°aZWQb!ï-í¥/°)uĸ%’ã–¼NNÝtá}Œ ¡ïo%;pÜOÒþ¶ìÄq³‰Í´ŒKäéA–Ém;dYáF€]=˜üã±8¬ÂœDBàL_*vQHðqT†Ä'F!Á|ú„„Ó±å -¾H2¤Oø+2c³XHŸÔl:ÀÐQ˜fÎF±á|6Î&ՀhYŸ t‰–©ó%…ŦiáÆ÷œg#e,?¡0X3 ò“ EŠ~:Z,,ŒÄ%×tè~_‘†B#4ü6¥¾9 I(R_ØK)%Åw™Øãëê©_âypƒt9è¦ôEX#,ÚƓu ü:ò{ŒHΕ‰êó©ê%Y–èc¸ Bÿã;Ü~sæTv÷x|Œ8M¬Ç@°±ú °ZåLtäs¦‘G‰ÏøÌS"’Bö']ý}rìˆóí}å?ܖu¹Í«S·NÐÙ_6Œ=´Òa‡fRl`ˆ/1±½U. cNÿêßþ㤶6=¸+ €£ü*D¢¯žÇb™õDº”ïo…®oÞ~ÚßÊOuþêåöVÞ¬úð²ûéGµþ©þÄnÞòÍÏoXÿ¼ÍoÞ¾^¯D†c÷Ó/¢2ý÷y a†òÞéñX5ΑcÁŽÁ~ê×ÑR'ø“æÈ5ü{)þô/§‡”#ʲöÄÁ$3ä{½P¸*.%אÉk+҈èÿíµ´Wendstream -endobj -713 0 obj << -/Type /Page -/Contents 714 0 R -/Resources 712 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 717 0 R -/Annots [ 716 0 R ] ->> endobj -716 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [120.1376 425.576 176.3563 434.7914] -/Subtype /Link -/A << /S /GoTo /D (controls_statement_definition_and_usage) >> ->> endobj -715 0 obj << -/D [713 0 R /XYZ 85.0394 794.5015 null] ->> endobj -712 0 obj << -/Font << /F62 634 0 R /F58 627 0 R /F43 600 0 R /F79 711 0 R /F42 597 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -721 0 obj << -/Length 1521 -/Filter /FlateDecode ->> -stream -xÚÝXKoÛF¾ëWðЃ„ë}?š“k8‰ÄIc¥(#ÒŠtEÊ®Qä¿wöEQ]©Q…ÚåÎÎÎ~ó̓$ †I„DÒP“(ÑÀD$‹Õ'W°örB‚L…Ò¡ÔOóÉÑ IƒŒ¤2™_ti„µ&É<ÿ8eˆ¡hÀÓóã7§³” -<½8}?bú ü¹ùÛw§ïgŠOçgoÏ/f©Â†OO^¿›G‰‡uœ¼=qöòÃVÏìÓüõätÞßbxS‚™½Â“Ÿp’Ã…_O0bF‹ä&ch²špÁàŒÅ'Õäbòs¯p°ê¶Ž"G0¢ P:„N¨t„ĵ‰IF™Ã./.³MÕ¥_Š;¸$Çxº®óÅï0}no—¤Ô ­8¶!¨ÛõÕ-½àlpÞ -[™ù²l=n¿aL«â™Ÿ”—á¿n»¬ªŠÜO³ÖkÜ5cd0‰Æ£¢[YóТ©/G,Ð I-IÞ6›*RUÍ­vËÂÍj•Õù#ǧD Zr)dÕNïATy‰ŒR2lMœ¥ÒbYTM–Xš† A±rûºLRLªëbÑùI|H¨B~ÄO¯›u0‚ùÜ"ìÏ6mv/àÎVaÔë›b½«|=#zêlµ iâ½duþÓî¦Þ;¤jYåhƒwù²Ê˲ˆßþ8?[ÏôtS×e}VËnéG—uW¿¨tncS^ºbUÔ];æ½=:ºín«uÌ_ÎJ®¦XíÚ 
-vv^h¹öøíîÏÝwÙ´Ýs?ÿêÿ xÚ¹mHy±Z{Ǔ‡CËÐ;ÚÆPçÿ—Y$xr@¥´ÎpSÜCÄ"Â뱨ӐP(%C6ï%:ª%bÔè¢QM•ê(2ö£‰.í5¦C•‡YŒjƒÑr{²µÑ^ðµ[þ(ä3*Dí†Þûž‚F9>{m;¥G*ŒPImº*ꑣ%CTé(|íy{µÎVþ„Û²²®1ÒÒò¦¨KpIuç×>:ÀQ^"sC¤s_N„š¤Do¶OÅþ ë}wÂ]³°gØfÙC«¶ñx1&§d/Hò²½®2k1¡!þ ƒË¬½ñíuSçÏC ‘@dìé£òÐp¦¡J™(8d®;2ëü™`¼T®–À#—ÕàI–oŒ`ÈCª"ÍmŠËïÑ ¥ áG&9üŽ«®X×YWÞà;(¯Pq—\â ¨n«&//ïFNӐT ]RD¥Œ¢Y×WqԃÖ# 5•c‚˜àR&!XöÝ!¥ÐK@GW^ÕÙ(Ûl†åÈpÂݦ“bÝe¥Ã›L?œŸýêGmØڗYxº  ¥…Ò.7~G—}‰«×Å¢´.ü<[teS·Ï¼\Öú§yÑ.Öågß#AQ®÷NÛ©Výçª@cõw¾,Úà©ÁTüWûÚ°iûÊ;ž °”÷üÅf´‘¬‘`˜÷Ñîz-´_N •s)† 7)&̵Øb¯œ|Û®hÆ´{-ðû0è -øc¯žÅ+¥œC0¦ûr¶¢¡Hi¥É:]O¾‹³—¯>¼Û‰(HBR°d¨ñßÙ«±r׋;fžXþ·{íô–ö¸OB¡ åcI˜0È\}C6ˆgۻgY[ЍCƒCˆyB ™aHa@n_Ôþ? fйIL`0ô ‚K ïÕoî§ð@å“QøÀÌq -í|4…USe_I#‹?Ëî~Ž=ÙM¿;Ž‘§äÅоHñÇ DÃHäØÙùü~Š 4>Ŭ§ØÐÌÿ€bOvÓï…bŽ‘ГA³¨v?||ƒWU¤ f¶íSHx-ùN†“3ãc¿Êm?VBçÌ´fã|€@hM ]ž„|4Œßï¢ØÀø¿,ôgendstream -endobj -720 0 obj << -/Type /Page -/Contents 721 0 R -/Resources 719 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 717 0 R ->> endobj -722 0 obj << -/D [720 0 R /XYZ 56.6929 794.5015 null] ->> endobj -126 0 obj << -/D [720 0 R /XYZ 56.6929 526.4445 null] ->> endobj -723 0 obj << -/D [720 0 R /XYZ 56.6929 499.14 null] ->> endobj -724 0 obj << -/D [720 0 R /XYZ 56.6929 469.6226 null] ->> endobj -725 0 obj << -/D [720 0 R /XYZ 56.6929 457.6675 null] ->> endobj -719 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F58 627 0 R /F42 597 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -728 0 obj << -/Length 2277 -/Filter /FlateDecode ->> -stream -xڍXK“Ü6¾ûWô-š*·V"%JÚ[Öɤ¼o•=[[©x‰=­X-õêáÉä× @êÑ{K$’x|"øâCž†‘,’CV$aÅ顼¼‰O0ö˛˜y’T†i"%;£ÇTæaš‹ìp\ -ùÇÛ¿Ý'â ¢P)‘N~-•Á„Lf‡‡ê·àÝY_GÓßEÉÝþIӒ0˳§E°„ -ãTXþ«¯º-ME~úð‰÷FSo/ NB™(ÁTÆBÄV4ïŽqEÁ‡n¬O/×MC­òlÊ/ëÍÆíޚ[õȧFíÕŸˆJ:Æ*ƒÝ‚ß²²Èî´.øjZhuüû¡rêIiíH³| t[½å‰'úƒ…]O[µYŽÞ®4öºN¤‡Ð›2ÄÏì”QÜw=5.턨º=uýEv/Ø¡»iܳb -GIö=+Ê"”‘Ìö–„ZMcÃ*•ʾ¾ÎëZ'eŽ=ŠÂ,ŽÝêík)MzêòëÙßüü0ÃU‡ ÐÈU˜ç©D8¢Áþé@ üòüÇ寕ßÈŽ|2弊0¬ÚnÉCär…oé·7âp4ɒ°y+øxN’²oBMqÞ؇ÖX1±Ç%‰SꎍTæI’°òu3tÇW Þ¤ -éÜäÖ8`pԄÛü·ãùË ·:¹•»2•“Ýl)ÇT±ÚЍi˜ç{›ØHÂ-XˆÍƒ‡]÷‡,§²,ù?4K"ÅlWBб+»†Nfa L8\MYŽ"éÑ›T)h%Wë,P3<}¼G¸(TøJ愵“Lpâœ8ziõ¥.iö¿¯âØ÷²¨Ÿ¢ -7Ŷíæá¯éw1ã¹CW΢à„ØfǪªnŸ9 
殍.¡Æ_e3ú^b, +^Æ~±œË<ÐæÌcۏ/´H„qÐV$èz\çU>҄տnˆ@ü¥VwÚ+3 26úFYßðSôès‡c†ÂÂ.¿ñ;˜µ°u†Zº盍ÑE,Õnfq†’R -ÛTòÈuú±A±HX䃿¦ÂÉññåH°‚=z¨L©´Jµ’Ú²™H§vîêHpÃ8U3ê@uœ^s5%Crù¡ßM5¡Ê… "’t¼vM]îáØQQ˜¨H®C§lôäï4ºŸÙÒ 5ê¶oõq» -Ä”nOÃ[º@)Af9æoÈ8²°<6rØ%¹„Ä` á쏴].¢>Gi„=LNƒŸùéçw0ÓЩãrÉS WFQöw´`|üøéý/4L -Ã@uÝ ëR'@bF¥MMj#-ÉÙ"ڟ‰i찔)Á ˜™†ŸLkz=Z‡N'‰“[>4ŠçS£¼–þ]ÛÔ-³º<˜_ÌË]ǧ‡*Úȹëë?µË”Û³¸è§wqçjA[Ði—Ž0Bë§ï,Tso‚^3“ùã -Z3&øó@›=—vê¡Ûíł¯ÄúXd˜í Í/ ó±\fójÅ«U×Ï÷Ñyo.P‹ÙÊ«ºÔÆQ€2²î ++ßheæœÉëV÷/ßÈÊù›šÊ_êx–S[UNÅÝN֛|¤nò-í\e‹ò#s÷[•Ùr›Z]Yj´û&rõõȓã? ‘TÓåŠÆtÅW3l”Ýå -呧Z°­½+º¥­˜É7+"Xç*'BOí&ºÄ¶$oœîÙ‚¢ ÿ¤2hT$‡.à–x#¶§+bHT™Á˜Ñå™ù}®:±wQ(4LɹFøæ­g¶|tƒ]G’sQÜbûnBqÔ0=¡Q8}.^á?« zâ0ÿ›@¿ÍœL`ï[¨6µ} dB@ª£­åA!«_œ<¥vú[#À?Né©Û 2§•*©R¢pT9Öiö¬4ç\ JœEœc‰–>ËeÈH_‚^p„šWðuDøç¤Q÷¬emŠwR¦ˆo8OcÕ=³ÀŽË^g{&[uÛ1 õ—€a]¦‹œ„t¡Xk)Ÿ]íz‚^ÛACÊUr{¯f.ü֊;;xÏú²PO:ù÷MnÆí“zÁ@¼s‰v½kwj˜^<¬Y<ƒp÷  ±cuéþíc“«B|ñ…áό¬ÍöFá.?õ¥Æ8±Ä³þàÁuÀm@°ê¦;Î2ԙw þR·Œ¸p°™ð0Œ¿r¿‚‚úÎ ÝK €n°O^œZ:HÁÓ¤A9£!q½hLµÕ‡p ã²³F®\-é•P,Ë |!…Ä‘&@9°”y_@@ÉÊ`@«åój Ç_æÆH²Â³skŸ–@šŸ– Y?ۉ…GÑe:u÷Sö‰jùNpûŒjm<•­7˜ÔßA¹´wM ¸ÀèۊWƒêñº÷”"B)£Â-Û· ÷´&¡à•û¯tŽå8óì¼E*ÌE‘9A¸Àõkς·Ëýi~­Tendstream -endobj -727 0 obj << -/Type /Page -/Contents 728 0 R -/Resources 726 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 717 0 R -/Annots [ 732 0 R 733 0 R ] ->> endobj -732 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [470.3398 483.0796 539.579 495.1392] -/Subtype /Link -/A << /S /GoTo /D (boolean_options) >> ->> endobj -733 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [316.7164 471.1244 385.3363 483.1841] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -729 0 obj << -/D [727 0 R /XYZ 85.0394 794.5015 null] ->> endobj -130 0 obj << -/D [727 0 R /XYZ 85.0394 769.5949 null] ->> endobj -730 0 obj << -/D [727 0 R /XYZ 85.0394 582.1251 null] ->> endobj -134 0 obj << -/D [727 0 R /XYZ 85.0394 582.1251 null] ->> endobj -731 0 obj << -/D [727 0 R /XYZ 85.0394 543.5676 null] ->> endobj -138 0 obj << -/D [727 0 R /XYZ 85.0394 445.615 null] ->> endobj -734 0 obj << -/D [727 0 R /XYZ 85.0394 406.7709 
null] ->> endobj -142 0 obj << -/D [727 0 R /XYZ 85.0394 289.0425 null] ->> endobj -735 0 obj << -/D [727 0 R /XYZ 85.0394 261.2074 null] ->> endobj -726 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -740 0 obj << -/Length 3604 -/Filter /FlateDecode ->> -stream -xÚ¥ZYsÛF~ׯÐ[¨*‹¹päM±åR‰ã•´»©™XƒM€¢å_¿} Šr”J…9zzzzº¿î™¡:áO»(ˆRžÇ© \¨Üy¾9 Ï?@ß?ϔÐ,=ÑrLõÍÝÙ?ÞFú< ÒHGçw#^I&‰:¿[ý²° .€C¸¸~÷úæꇫww±]\~±Ô.\üüã»+.ÝÝ\¾»}{usËÕ_C^ÿôö¾êbib«¯¿½|wuÃýV¸^¾ùυRjqùîõÕîzóNx¼½ºÄ¹îþ}su{ñÛÝwgWwý¢Æ W¡Á}:ûå·ð|ëÿî, Lš¸óTÂ@¥©>ߜYggñ-ÕÙíÙ¿z†£^:«HڀÒN5i͜&]DFÒäõ¬*‰O͞ ëì±ÀR²ènÙd .åë¬þP´\ñÝS¯žêlSæÜö¥© ?¸ÞgUõDê|mi´èÖ2ÃCSUÍ¡¬?0ívw¡’E“«=•„Å¡¬*)5»_þ%nñ¦l³ûªÀ -,• -Rç4-©—Ä„éb¿]eŠlTH"c# €–»ö-ŠÜ@icóS(7I˜yïê•0~Øŗ‚GÄéXÍ`œÊ(@30Ûñ^h¤h LVgAwë²eæ¼d”+«ZšU²i‹ñ"€§øªåI\<–EIUìgù_]͉`wVˆ~ C]É Y½"ý.­Jƒ$ÌTϬZ uZ„q -ö»íŠ72/X\¤ìâjUvG´¢ý)¥[Üì뙍ÐÊ.Õfº0v_?»QØ¶"¬Ò~ƒÉD€+k»j²Ë*BkñÕñ -z]ÁŽÆëuŀÅì–EMFK828 TÄLƒ~á -¶Î‚Oƒ€`Þ6ĚóØw±TaØWç»bSÔ]V î±Û!î‘¿í²º}(ví øê¦ÑI+Ñ4wì¤á¢„YØôüLIØ;8(F&áö)Àb‹8u×䍌-[™qõ=qá¡&m%Åb÷È À©nœNÙԕ0è·‰AŸÙ«9x(k°PÜVíÜ¢Aøs¢Ã´Ñ4Ð6š[IÐ Z({x‚TX®Ñ±è ÚP\:Z>Œ§åCO»-ò Ÿ$Ǝš;n޾戎8G‹Û¢8Ž5`1`·"«ƒØ¦„úܹûp΅›Q˜èé—ã§aâ”/jí—÷¼mÓ¢Ž§ê½íÀ2"^µ¿ ­BØÐÄç‘ Wf6¢õTË1Ù©¨§ÜMY¼Œ9L€[ ÒŖúþ».@ËÆÚE–w´ãTnåËÁ0ò°L”,¾¹~÷†»Rþ´ûí¶Ùu2ŒwKdÂXèÖ '.¢}áa]xËa")ÔE^´m¶{ª;æ. ]³† Óm²®lpI±=@³Ç¬¬h0› š% ƒ$u^íWRé±Z RÂðMV‚£—5tÝ?ñwˆ«@ԃ?t öQAû™ßŒÔ֌Ö!¹(—¸Z«EsïgÆfœ¿¨à€‹o $ Ð'RdF>~iØG¢`ê~D¢bãƒçãÁÆÉ1Yc9Ieìb[ìp7Œ#<ƒæ‡=¥+Æz„®”@;‚䥀ä+nÀ0¼‰8DLŒ͂rHð < l°kK&p2<­™åç²¾åîÙ,WÀ* TQçE;Rt —úÑ­¸•«C=ÝÕ¶è8Èxr"’ŒC¬ƒlG;áô4;z)`hŸñd&H¬ÓއÝ؇S=øpªØ‡±?´­ \ °,î ­)ÓJz…Ô]Wl¶W(öÃwOÞtâØØTWà¡\¦<zK©Ÿ·U™—nÖWœš®ÀbcØ'²Xlß4âü/ù² Èî›}ÇEæÇf&hóŠ{Ú¢àÛÒm¾+· -pB1“TևIêwfW|Úm·$K9Ý"˜KýåUFŠzy: }Æ!}†=`¸RÎ[kÛ¾`Ê1›Að‹ˆlês#+¹‘•Üèö¤Nn/¦;·E'¶(±ßòwðÚ¸ºãæDz8   VÓæR[[ޗ0gÒ1¢ìe¤‡"±Ðn³\ÚÈì4Æ€¬3,㑠-“Šâsw¡}O,¹dÛTœÑPùî[ÆÄ ãQ°. 
ZÎu´Y0þbdïÆY4œÖ²/^±@<¯Xkƒ$îói†ý“˜Paê'œk¨ ƒÕPv =ܑµM݊x5w°}Èêò‹÷h=4ûjń‡¬î¦+cd‚ÜTü–0ñQM*Hž&úêÖ¥ä͘ âž½ZG ŏñ±YäÍfCÅcù¹ƒ t´ÞÊ°•Š)ëÀ*_0 ÑÄ® 7Š±‘49–] ××åJDø–çËÜ/|ÍÆ@‡ƒf3g.8,oÄËÄpø©Jð‚–+ ˜eÍE¶o(\ÓôE‡G¹Øw{KÙ6iY÷œFĂà±À0|![ê֔Ÿàdò­›Ž©Y3c® $#À`Dâ`.€_Ž9qI(Ló)h¨ŠìcËEc&â/¤O\‚"ŒëeƕR™a Ç pUĄÔçˆHñ9Ûl«B]™7­L×fOÏí¯,ÿœe³ÁVsò:셚rŒÉk9N-€{ž¸T…PóMÖ?7d0GÀáø²ödìz/0ÑÔ  ½:/0Ž½ÀgOQ/F6†èÁ!7\õ9Ô3¼Dâ¦B±vˆ7F-“uëLÀÍ÷ź¬W³*ÆK‰Ž1vd¥Ø<ÓÐUª±kõX“-Pc¼[‰{¼bvêÞìWM¾Çxçigçñ—ƒ—Œ¢7°=£À#ç|Ö ÈUñé(`N­‰o¡°t_x+ñöÒ5ž†·ÁQ6.7=Ä°=í»–Ñ -9íz³œrÙk¿d¢´³FøíYœÜ0 HÂX““9£û1;Ä聟b‘×™_›ÆXɛœD¦¨-ù>5õ.Å#ÉüRÌ[8¨bjéRMn´£qï \9”ÝšKS¿Áo«X‹ï§w*1#ïõ{¹tŠwD,ò‰ -üõQk«bƒY[¶+¿øÉäØ!Û7?üÌç´„hŶ(n‹|Ú#£“…¿òöžuG†ëOðÏ8Ævo)ë:²×Áºà0ø¬u© Š­7L¡(L9U2:™¤¦é( € -g¯)’²Ôãž)BÉ°ؽ†`‡¾"ü$ïõѺ¿V‚20/õôvŒÈD1œÎry,s@%MÁÞ,ÌR"Í×v،.,q=ö7ïPòbÙF9ÄiJñó~Å3ažó2JúÞ¼ØáEÃ>û–rôwÃÅÄf²1òQz4cA=qUÍ@±·Î¿¼×5‡ÎÌW”®…²yø|‘£N«²]ûG‹’ò í†G˜Aë0@ŽæÐL‰;=ÍleìA˜B¼“Ðù -ZÐ~ü(º0¦•”³ó ³áeå^ºYÁI˜ì¯‹YOI8Æ«”À"Wâ…cèJ)äÓM6BÒp-.°”C}E·Þwú§/‰»tÛÍ=÷Y+èèBtÅodë2_ËÃ+c”\F~"”š±9btl`}ÐeÕÇ) Ý7„Ùˆv ¤vjM¥g5E»²>26@ØYÓb·t_ƒZÿ$`\â·šï…8ojLÜ>ìûs.¶ò³NŒ9èA.§™AæÇÚ»’î Mbt -ºzzs±_š¢ÈC(†HôbŸ"nb‚(‰ü‘úÕ Ç¥u*Ýñí:r֏s¨X™‰¤¿Ÿ-¨V%iÏsiãÐ?x1×IÆ6փþC܏˜ãvYobµ6Ýj~(õFƒ°èÀÄ.šµ\€«tŒlXëÙb…m KŒÙX"ô*ºÂ“wB‹6ÎìF'*l˜·ðØÀª$ú;Z?劏ýFÏêZ´‘@fÃ#zf>ºM~g:Ø4Œþª‰KB>k460f¢œ?aâ²T­t ŒµGr‘â=à|Ô¿ÄAZÆ ýeåDHµmÅx™Q›>wš_Ÿ‚¢rxyÄÑkcÕàÓÇÌÐÇÌÉ]!Ô|ø‹Fà•Í¾•¥Þ¢%‰£G±‘{œB¦–ü ¿xý,G;LÏ( A¡GŞ֐|ü¸“zÁ¹2:RŠ÷ąQ*.‰ E1c䝊/ ´’&…=?àwBÇQª™xíP6ÜGJJZû[*¨PBßÎ3é'Ŋ—’8pôA!‰>:éSYšÿˆ9ÅeJçåš ÚPHyÒ99r<È[ø¬ñüª¤S2Þ¹‹vD©²/Ùl‡êO9xŽÖã_[PZùa‹N4臯jaýS$/öZhÚ='0|#èK]kºÃ&Öo.i§Œð%ärGvÎjfC~X`ÂçNÔԕîïp8¼ çŠÒ—ôª\êaö¡Û¾À3}ˆL2:ªË‹!'¦¿l1á褤¢Eýð“dœ&œÑØó+Woú—Ã,Ø|ö/rÐ×9;µÊ® )°V½¤H¯ü„÷8á ÊvAdÕèNDÏýϸB7óKø—Uüí_ê ¿g´ &‰žÿɂŽ“À&ÀD„BáUt"¹ÿIß©èÿ‚bàòendstream -endobj -739 0 obj << -/Type /Page -/Contents 740 0 R -/Resources 738 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 717 0 R -/Annots [ 743 0 R 744 0 R ] ->> endobj -743 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [464.1993 638.9439 511.2325 651.0035] -/Subtype /Link -/A << /S /GoTo /D (proposed_standards) >> ->> endobj -744 0 obj 
<< -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [55.6967 628.0049 105.4 639.0483] -/Subtype /Link -/A << /S /GoTo /D (proposed_standards) >> ->> endobj -741 0 obj << -/D [739 0 R /XYZ 56.6929 794.5015 null] ->> endobj -146 0 obj << -/D [739 0 R /XYZ 56.6929 704.5459 null] ->> endobj -742 0 obj << -/D [739 0 R /XYZ 56.6929 671.1703 null] ->> endobj -150 0 obj << -/D [739 0 R /XYZ 56.6929 515.8828 null] ->> endobj -745 0 obj << -/D [739 0 R /XYZ 56.6929 480.2977 null] ->> endobj -738 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F79 711 0 R /F57 624 0 R /F58 627 0 R /F56 618 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -749 0 obj << -/Length 2227 -/Filter /FlateDecode ->> -stream -xÚå]oã6ò=¿ÂؗÊEŐ¢>¨æ)ífoS´A»›kè8EfbÝ*’kÉñ¦Eÿû 9¤LÉ´öpOE€h4Î÷ ‡4›Qøc3‘Êóx–å1I(Kfåã=À·œ1CZ¢Ð¥úêöìüMÍr’§Q:»½wx B…`³ÛÅÏÁ×o/¿¿½z7£„1™‡IJƒË×?ÎcÁåÍ×W¯ñÓë›÷¼¹ºœgqpûÏwW€a"N¬³+ßÿíõínÅ/·ßœ]ÝšºÖ0ʕš¿žýü -À¨oÎ(á¹Hf[x¡„åy4{<‹N’˜s‹©Ïޟý00t¾ê¥>ï$\DD™Ç=1÷¹'ÉIÊ#®ÝsÝÌC± X,ª¾j›/à•‹ _J…§ÁjsWW¥²óüM’9ÜÀ<ÊrÐAñéª^2$ åBE†ªhV%4e£ˆÈOÅ㪖¤l=L‰`Ürý­md‡ftËvS/Põeñ$ v%˪¨ýÝ¿¹ž3ȲÕυYß/‹^ œ…QÊx–ÏBÆHž$‘U¶M_TೈÇÁ¶ªeë†hBÿýùgð`H²'D!WmÕôUó€kú±Úå -¸+: üºl»¾ƒÜã4 n—U‡ØÊpj¤\ȅY&ËbÓI$Ÿz¹n”ÉêÓcQ¨“ë'¹î´‰tlÚBé‘DAÓö ÿT4Ï´ äÁmaq÷êɃºm?¢Q€Ü¬ v‹@o¸/d]=YF/çsö¡à#k‚fdüÀÒà§y’U¿D¹è7¥‘Ž‘Ø &±ø«Ø,§ƒ2T12НùfµV f];Y¿ ¼(u€í²*—–E3,2Ð}»ÞîRUOËÉÊqÝA­;¬•ÉE.´•ošŸuHiEšŠ2ÌïÍÇÁ`7‘,õûìKOñ*ñ9É8Ç,ú\ëq’«þÇHóÍÍüÒèaã­IÝ`”鸎šâÑàmg´U9™ -ó6Jgoåý°‘ëJmD‘à†ƒµ1í\Éìð£1>hÄjµÝÖi4êË3>т=ŽFoÕlrª7Xþu§Ld•m F™Ð«¡·:Ëúý®(?šÆ²9ä÷Á“#G·Í©.êïr*›#Ø -œlV¯h(ƒ:ÖZ³Ô¤µ†Z|bZ+h5×S@´¨ä2;Š¸ëf -ëJ6½aeœÂ›¡{í&µ`?CªD‡çÙtÓÔ—'\À‡“MÛÔϾù''"UC!v¥9h¬˜´(ŽÅ~h_”ð&ô–Kíè¡+OXz÷¨»IYÊæ#RÚÔxª -+®–e_=Jå›Ô5ƒ'Lwõ‡ßì_,° ['LÑY…ìÛI“‘N³qÞ÷?K2ÂãÌNµW¸%™üº)}S’?ì0j÷ÝqŸÙ¥Ï¸Ááx´s`qg·è¾ýòÐé"I``fâøQÉ!ÒG;*ç -¾ã¤ÿ@Y6•¨í<³£"¢=™“¡à8ÉüfF4FjGM:ê”ڝ»ôðFxBàtÆOF"Â3‘=Œ@mñ$‹ÿäiŒKÝÓ9;ЁBó=<‡êHô,Õéð“êÄo*Ö@Wìÿ3‚ÄmhÓÃlJX–Š„’By’¥-ýE ÓUs$,@¤'éP ¤¥:ÈcR@NÅúéŠ}y 
÷:õµö©ìú*ÎSBcq¢c¹T‡}5PôÕQ©;_í‰õúj$öêS¹,šÏÁ±_úºÿåÍk{sÑ+Ùª®bî@š¦ãÓÍÛÝT|Ðë‡æ´m%qªî^8‡êHd,ÕéÈ“êDf*ÖWìßoC‰cèÆäËñ:TG"h©NGð˜T'‚S±þºbO×D<ò¢(&‰.{QÓ?½—üÅ(ÎBsšç“b7ç>°(‹ñŠžúþž»ûxêS˜àqŒÏìeb¦.üz] n ê?›®Gh!»r]ÝéY]‰ºkŸ¤ø nÚ^ZVEo!«”}êóÉX£Ðw±1è¨CZ>jÄÅäðá|7½¥“í±rrºBäs»1Œ~DŸ3¤½ì뤜¦tÌ1@²ðXïøqý0Cà“Ü}è.ØOî}¾ÊïÕÈZÅ ÛÓ&…¾“•Ù«/KtB[ü\ý›óßõhcšÊǾ=pÛC\)EnEYã-žÝï:|ýÝÜñe _Jà?=â ƒÌRæ"ÿ¸°icoùFìí¾9foî -ÂjՅm¸”ky€níJ‘<܋ÊÑ™âKâh¼Y WU¾+C¥ÜÆpç爱Qiîڍoîå½µk¤Š×!8]øÈÿðjZÔu» ûuÑt÷*%‡7PV;êØ1 3ýIÁ>귑¦µn’ú7;q)ޏ¸²‡ »˜¤„£O}Ö²ë×UÙã›ÃPÝ -wÝaÙkYn֝®Ò#ò•¼L”·câqñ‰ 'Y9–["Øé”ÄWxfr6¥W»TãсH=BÊØi^J†;¾œ~^ÖøÓ¼²Œ_=žï+tq¤€ÜÒ2L¸]´6 a“°4)ôµ’®ŠLMBŒ82÷·»ŒÜñìGu8¤ghxæ¾*ùKiz0ñ¼5çÉ»“ Œ¬ê—bώA‡ˆþÏ?H;#eF¸‘ïá4%"‚ÁÆ(¥ŒÜ'‡_®÷Uÿ/“Õendstream -endobj -748 0 obj << -/Type /Page -/Contents 749 0 R -/Resources 747 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 717 0 R -/Annots [ 751 0 R ] ->> endobj -751 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [417.8476 408.3291 466.5943 420.3887] -/Subtype /Link -/A << /S /GoTo /D (sample_configuration) >> ->> endobj -750 0 obj << -/D [748 0 R /XYZ 85.0394 794.5015 null] ->> endobj -747 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F14 608 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -754 0 obj << -/Length 767 -/Filter /FlateDecode ->> -stream -xÚ½W[OÛ0~ϯˆxJâø–Ûxê lCb4Û ‚ •r)q¸”‰ÿ>;ICÚ:¥P˜*µÎÉñwŽ¿Ï>ÇE:¤;.pè^@‘£Ç©õkñkîdu½¾†š}àb=‹]=w°|}éáÕ©A¦@€ÆèøçÐ´°ý£‘i!Ÿ:¾±÷}pOjûÜu°ÿÇDƒ£½á~gŠ ¦Gð÷Épdž‡‡Ú0l3í®A"Ó¼ÕNÏ¡~%u¨A@ßÑÄ(°žjÔ!À¡„Ì-‰6Ò~µ€·ÕT%;L«ô8žŠ'.Á¤¢çyW®AY˜€AZYŸòŒ™– ¡±Ã'%À=Fé4a ÎӝúÅ_A Áb`ÛµWÍ8‰î›a%C ÇYփZr6íNi“™;KŸñ$i“±WÓQÎI#^²‚·©Êäa€\ ¾Énmy^š[ç4΋‡¨¸Zžþ¬ %Iþ`ÝÞ±b¶à=ÉDü,JxŠ=.>¯C+‹(ãcV¬l,%­©ŠÀ³•tjf_*µ—"¨'lÆ4zÓÛ3«$+‰%êã² ±xƒ€úÀz^ß·û?C“ÿ&‰}@I§Ö‰PD”LJ¼Êg؜¾º‚ŸA^ -Š&yVnr^ -#Zªôœ÷219Žóì B|ý¥¶PX—‚Eq¢daEhcÚ,ÒèÔ5ª7[ ߖ”øfaÖdÊ­ëܺa끫‹B>•îüÕ -P‰Øc^£m&ËKFÂnOQaHé²¼ œJ´-j…¢*[ÔïäS0^“¸¬Ÿ:€Q3Îû—^°ø®àÕ{c|L{㿀n¢Ä¢n[Ô3ô íoÕVÆy®êýëŏ²ÙGµˆžn¾UÏPqüÑm£‡·þ®ey)JÈESU.d¥¼H£Ù%Û}Ï­¨_´µ¯* º¨ÈÛµâZ [ⷾĿü¡ ¾ÛûùBÏž¨/@š¤dæÈ_É|~Û_Mýˇpendstream -endobj -753 0 obj << -/Type /Page -/Contents 754 0 R 
-/Resources 752 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 717 0 R ->> endobj -755 0 obj << -/D [753 0 R /XYZ 56.6929 794.5015 null] ->> endobj -752 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -758 0 obj << -/Length 2227 -/Filter /FlateDecode ->> -stream -xÚ¥X[wÛ6~÷¯Ð#u1Á ˜ž>¨¶“¸mÒl¬Ý—¦IILxQx±«ýõ;ƒR¤L7Û]ës0ƒ™o. X8ð åێŒ¼Ey¶ïWÎbïÞ^ –YõB«±ÔO›«WowÙQà‹Ín´–²¥Äb“ün]¿[ÜÜ~Z®\ß±<{¹òÇZßük)„°Ö®ooèÕ͇{"ÞÜ®—¡gmþùé9pžÏ37÷wo—l~¾ºÝ úÏ ‰Ê}»úýg‘ÀQ~¾rl)ñÇQä.Š+ϗ¶ïIÙsò«û« ŽÞš©s6ñ¥²}å†3FñäœQddû¾£Ü•tÖöâa^½ñÃÑ7´#ßS°ÊÖiSåv\•;’,(Ûõ<Á²Ÿß©jZ;ýÖe:O˸‚xÕh_CluÓf=÷P5(ë48áõŒb«(s©h±’.œÊóͦMªëø°\ŽcÙ¶ó@•p -ß5"¥.Ò&­ҚÄDèÚ"°á¿û÷ÄåT\|GÜc‹¹ áÙÒ´Â)`¶c#ifƒó–+á8gl]˜䥰•_£üæ5`¯ °ú§¦Gs¨êIßÚwY’·­ømÚ¶Y¹§Aw¤çf à®uÙè˜ÝLТÔmW/…²RÞÝbÔ{˜à¼4á].iÒ¸«³öĚ2÷§»76‘wíœå“´‰ël‹ÛJá[ñA—û~€'1Oy[•ŸÇÝwµ¦‘‰œœ4Ï|Lóü‚sÐíÌšM¢ÅD$ÄÝ!¾‘H²òw)½.y½]z¶ÝË9´deœw ¹b -G3©ŠÓ¦á`ÙÑ3¦Õt{ž3±60¾¦'ž¤Ë„ˆ®y^¼ÉöSï1kD‘“Xs×±H0Fs|"¡ºf…®³üDæ;{¸RŒ ßØÊpt m†p"vÎ,Š®ÌbãJÀˆT~õ0`£]a‰WeʋáÑА±_K¹VYµÙîdÒûË9ˆ‘…”Ãþ˜6ÙCJ¬o]ZŸˆ„n4Tña}2Y0­zÛC_qNƒg™>š³‰rp -–5~TNo> =ºß7ϊ¬¥…±&†‚ÆhÅ¡™gÝÄö—Ò*²ý¡%r›2 r,Q]“hrÉ ’Y³Ä1ÑmŠ¾pÏJN¶ÕÓLcŸës/fê­9ƒè˳-¸@¿MË´Fcš5îºN9Ûþ2$à]ßÿÜê˜êGÕӔþ¢°™/õ.ô®‘G¥bNJbFŸKŽS. 
Xr$ƒø{VÅL½„'†>Š].³MÛÇ4-ÙöÁ¸t¡?‘ŽË–žLÌhë‚ýè‰'+a¨ÑBîÜBÂöCÕ¯d:mi­KRS×Û Ò<æB©#»®éùcX?-_\èá] à³ëzæ8+£‹cLpÂáè¦bJí€Tљ¬‰ kzQ¶›A¨¯®Ûª¯¤¸Çc?{…É€±eë®­ -(ƒ1- Ãâý]ÀÐBÌÆy^=RºCl˜wvCHíÏx)qƒ¬pÁìD`ó'fžÚ”;@}÷~}½zãÓ;2®Ôгïæ’ÖÛêÁ”“0²~­ ëªçÒ#÷2¡:wc8´¶£:ïsŠ‡7¦ï¥6B=7;ÕM֋P¢¸þë5‚’ñ¡jY¸5Í!QÌ*ôŸYÑÃDÀåfo| 4u*‘å —ÎÚæ¬F.)5sԜŒÀ€ÒÃåH·}Of<5‚]’AKÒöYçܳ‘pr5é&“.晚ä]\1kÏpÇf‰qê« x™Î‚®*IÙ@îYÁ @ÝuVšž‡BÇ«"ñ™»å›îf,þî·û OEá3À÷4ÆQœ@{G‚®Q@ðàiE‰$”„¡¢ü2Và…ðÃþÙÐà<Ì×KWi(€âœ¦<)6Š³ÝÃMe›³šÐã4½‚½Ê¤áK¬¢Ã8î⠏í‹Èb»˜UàñݺŒ«¤GAÓÖC«?Ž{bz›«­>˜"”}é‡âõz.+K;ÂÏΐ9ù>Òµeú'äçx@厠W\$ÊþbvqKégéf‚Óq±2ã¡æÍ~ah %£)^ÍÁ Ú~Õ¯nýë/o£ß^TøòÍÑî—dýãÿ-ò.ÌüŒ]}h”ì-ö7öž´ñëÀwMýÔ^çBô¬Åæ*ÐJD¾z¾œ«D.W¢÷ºìtþ¿–!Nu’Á¤sÁ÷&"ŸG1ÀÓô€‹]b0d¦ÁŬŒyQÓD,Öo’?6€GŒMmë{¾ø„ÖúþúîŽ6>mxã¡`ÀàAçY2—³Ïq(Õt>–IÝ4]A0‘}ù€WC¡\(úsBeéò6;擳)‹×§8A~IæQ¬˜aÆ`]Œ;s)•jzD -j¶PSMTRc×̜râ¨9 9wJCçyq!¥0\çM…j„‚>U…Öײz,‰ -hÚ³ <륲:æµÊ+Ýþ0wíQ®-ƒ¨ï4‹‚ 1ƒUR/‚ÔtëAØ+@ÌrͼɕȨPÑsÔ7á0è‘H™\z¶‚"qñK·Ú~î²ômüð;óÅ×î(ÿ÷÷åóu/´¥Rîü§cé¶r£°W -•Ñ¥æÇ觪ÿ¿ü+#endstream -endobj -757 0 obj << -/Type /Page -/Contents 758 0 R -/Resources 756 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 764 0 R ->> endobj -759 0 obj << -/D [757 0 R /XYZ 85.0394 794.5015 null] ->> endobj -154 0 obj << -/D [757 0 R /XYZ 85.0394 638.3105 null] ->> endobj -760 0 obj << -/D [757 0 R /XYZ 85.0394 600.2421 null] ->> endobj -158 0 obj << -/D [757 0 R /XYZ 85.0394 433.5475 null] ->> endobj -761 0 obj << -/D [757 0 R /XYZ 85.0394 403.0897 null] ->> endobj -162 0 obj << -/D [757 0 R /XYZ 85.0394 351.2066 null] ->> endobj -762 0 obj << -/D [757 0 R /XYZ 85.0394 325.7421 null] ->> endobj -166 0 obj << -/D [757 0 R /XYZ 85.0394 166.6305 null] ->> endobj -763 0 obj << -/D [757 0 R /XYZ 85.0394 141.1659 null] ->> endobj -756 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R /F58 627 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -767 0 obj << -/Length 2286 -/Filter /FlateDecode ->> -stream -xÚ¥YY“Û¸~Ÿ_¡ÚK‹ƒà×>ŒÇcg6»ŽãѦ*µÙJ„$:)“”e%µÿ= 4@‘æp¶¦j„£Ñht7úëل›ȈD)O'qI™œ,·Wt²†¹wWÌÒŽ(R½ž_}ÿ6ⓔ¤&óՀWBh’°É<ÿu - È 
8ÐéüþîÝ,àŒ§tzó—ëóۏЕHàúÍ?fŒ±éõû›Û78õæý=6ÞÞ^Ïâp:ÿåãíýì·ùW·ó^¾áZ¸ÏW¿þF'9åÇ+JDšÈÉ:”°4å“íU(‘¡n¤¼º¿ú{Ïp0k–zuÂ(áΩ”O#©”|¤™’HpÑk…ÏF)è¢Þ‹jçì6 -÷›¬Q¹m«e£:KPãïëºÛ`ëçl¹)*ÕjµÀæb`: xD$èÜì:ß-¬I¢)þÊéBë*Ç1ÜÛe½S8V¯ðì@pòZµÜ73–L-a7cÓ&«Ú]Ýt8²UËMVíÖ.ØÔû2w»âؾU9° Y܋&§KGõtƒÍàŒúT¨_ô°·ó3pªéKTGÛnl«S¥ÚmêJÙ¾ê–Ä*id!à'Ó8ém#¬mîªUÝl=ÖQÍÕ´Ø1JÎþU_Ì$(»·_‹¶SÕR=m¡»m¶["¡Œ„ a$ÂhºMÝvÌ·„F©´T˜ö’K‰±pB1¹ÈQîøõòEï€-*,)\s§…U]–õ¡×]aµ‘å¹ókçË -Œ5ïLkt8¨0À¦©`c¹¶Õv±-ʬ±aÈL;ì"&œJf9¼n8®ê)ñbHV£ðÉ86Š /ú¼ÒÆ[ï!)/ê -û mڒšÓ{6f°±ü¶Èíöø#ìÀpБÔÁ”=¦CÖocliô½®¬U¸ Rã‘_ŽoŽÏ%<›X|Ó±½ÉH8eÐe$mdŸÑl:ƒoAYë¼òÚ$uؾàØÔåc)z¢®ß´rԈ{pDN=v²‹Q‚Â7#ó䃚zT0³®ÊFaÀ˜¨ -×7?a#Wzº*´›Y&ý“E8|YÔèIAwîBK  ‡‡•‡S ‘(´ó`ãæèã’BúÑ'Ÿ<\À®¼éô«×ʕŒ#>`AÎÒð>A(©.€Ò± îw9„ǐ°Ø…ŵǰ1‰X/ÚBÍóŒa¡Þd¦y»I^uK}ílU¬ ŒAui­ÕCÖù°4mÝt[æ¡}ûÑcºˆÇ%XÁØÁ>ì™q.W€ä*÷j†‘8eñ%f×¥<^ÿEÚÊC¶Ý9ðv¯v™ÃzãTVõfÄS^»3Lð%zgiԘé g{äuéÕó^uúŒÝ]Y-ñòðb‰ÜõëtÕ炅MÐ|ióEyîêƒj `öœ‡k7í«!T}°«Ëbé+9#@ú’!ècòyöC¾¤)D X'8Mõ—œkÖl||šèɃ=~™#œq5Õ¯ööÚ^‰ê ¢çò„âL,á<Hz¢Ç¥¸àÕc£ïD—ñìG{ýßN߻˜ˆ$á~É!ç%aL¬PZpN/$w߉.Eÿ²âöendstream -endobj -766 0 obj << -/Type /Page -/Contents 767 0 R -/Resources 765 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 764 0 R -/Annots [ 773 0 R ] ->> endobj -773 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [389.9997 61.5153 458.6717 73.5749] -/Subtype /Link -/A << /S /GoTo /D (dynamic_update_policies) >> ->> endobj -768 0 obj << -/D [766 0 R /XYZ 56.6929 794.5015 null] ->> endobj -170 0 obj << -/D [766 0 R /XYZ 56.6929 769.5949 null] ->> endobj -769 0 obj << -/D [766 0 R /XYZ 56.6929 748.9393 null] ->> endobj -174 0 obj << -/D [766 0 R /XYZ 56.6929 700.6394 null] ->> endobj -770 0 obj << -/D [766 0 R /XYZ 56.6929 671.7552 null] ->> endobj -178 0 obj << -/D [766 0 R /XYZ 56.6929 470.7895 null] ->> endobj -771 0 obj << -/D [766 0 R /XYZ 56.6929 441.9053 null] ->> endobj -182 0 obj << -/D [766 0 R /XYZ 56.6929 233.8866 null] ->> endobj -772 0 obj << -/D [766 0 R /XYZ 56.6929 205.0024 null] ->> endobj -765 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F14 608 0 R >> 
-/ProcSet [ /PDF /Text ] ->> endobj -777 0 obj << -/Length 3193 -/Filter /FlateDecode ->> -stream -xÚ¥Zݓ۶¿¿BoÕÍX üw:s¶Ï‰Ó‰“ÚJ;$”„;±¡H… î|ýë»_à×Ñvf:z°‹Åb÷· Â•‚_¸ÊL ¢<^¥yšÕþt¥V÷Ð÷íU(c6~Ðf<êÕö꛷‰^åAžèdµ½ñÊ•eáj{øeýú»›Ÿ¶·®7Ú¨u\oL¢Ö7oþy†áúæýëÛ7ÜõæýG®¼½½¹Nãõöç·HQ9Œ‹ƒDfnÿ~ûïë߶ß_Ýn{ùÆ{U„ÂýqõËoju€­|¥‚(ÏÌê*ó\¯NW±‰G‘§TW¯þÑ3õÒÔ%˜( L¦Ó¥Äz†AnŒžhÅäA鈴3‚äz*¥Ö·mÛ´7S£‘>Õj£“@ç&¡9Û£½ÞDQ¼>·×a¶nöÖ¹²¾gZs‡¥Yo?¾û–)®¼¯íë'ZÜ[Ç­}Qs…øXw©:n—53qöÁ¶EÅDÛòr­£#ÐëwwÜQÈàçë7YÎÙZøw O)p³¸½^M°½º©7,½Î’uñX°tÜt¶‘Ð.^!GDûã‡n?|àÆcYU\ÛÉ4fÑ]ZP&‚ÊöÒÛ§ÜgLê¦ãÊ¥>ØÖuE}˜Ícöû†ÊC°´«íÕ £lí˂‹±î±ˆå©tû¦þU)}®ï/mѕM²Ça/; c ÒË¥ëÓÅ ·ôÚOçªÜ—]õÄma |iùƒ0k<¯ú0Rλø”';ä ޟ9^^âeÁ…;Û}‰ î¥Ýã ¬,ÈLœ+²,M«c!¶¬Ó±5`‡ß3Öå lù@æíg§#[ÔÙ`¤Pß=ɸšËKý{Ý<Ö<ëwûDž 4Å¢f¤Ëq›Ú K6bh=£%-±<–ݍ?–PñWUÁ)u y¾Dápḹo–‡9Û ‹†ËW7oТ¼Søn†|7U¿D8Ñ 4{ B}¦ÁHñìp|›ÃÑŠ%+ÀÝ¥_Cá5)P^•® qVr§ôPTå¡è,êY+QŠz¦gå/$öí„Ò뙨"˜J&²m 4 ô±f¡S4 ¨Ù…C#=Çõ nŠã„”÷jcÇfP1Ôg*f*††ì$6Ü *OÒÕ\:W|ãŽKÞ/¯ªæ‘6 “Ú¢¾'µ&9XØ×TÉ:2ÞëEâ:Gn{Q0ì·czÏ0V1ÒG*Æ&«‡‘ñ"‰ )uûî‡ÛÜÍÎ52~¿y$­\¬[tÁ‹ÃÀ ’4™^;\+‹Ä‘"¾[Ïu -‹8z'wÙcŒ½»Tä>Jî̂³ßÄ`8ïjî(ê'žKnœ×ø:ë(ú„Ãòrðq#iDYÀ¥tKÇÆ*yÙ÷?nїÞü¼ý.üÐ#À ´ˆ8‚VjtxÈáQM˜ŽHZ‰xühÔ–è<ˆLœÃhDaMÐ:‚}íE]ºSïÈ€^\ºæ±l_°2¡ïÞÖÃBÂdw,†àdg÷ƹg»Gkkîì¦×!@‰Tˆ@©Ç(ÙЈzhƒêÝøL´ü+Ì9ÁI8¬à©åx¨Ï•eâ@©05|FW ÎPe± 3ŽqlQpñ‚HÁ(DÒ.”¢+Ò -Ôò„Âñ5Ek4éúÕ»÷ox@.ÓOçʞ9ßԕ0nj;Þ`|ÄÎy:s€bÅ0ŽT‚n%ÔÞÑh/ïP·t%6ßÙª:Ñò;À!öĽ%³õ«†\ íÚy±†:×ÿ¸”½j™U<ÈÚ–EÀr"s1mŒn~UFUwl.÷äèÐs–€¿7–¦x8Ç(1Z’{ ­< ;‹ß!LŒÓs×á`@š0àµe>3½(Lƒ8Ò/ÛX7¤%™ % 4,æ닳Ï@†’ ¥M Â'äµ£!Hè|m!H…úŽ®x5[,–@@e«~ç5Ø7Äú3×NÇ&H•¿ºwpÏfâ£rö0ùÌÃd3“ûk -5 ¸!T%Û¥ƒd)Þ$5x…’e±Ç–Hjš ûƒdRÅIüÕí%aæϟ¥DÔ]9‰ ;Áã"ï(fle;é(‚à¹W„ˆ+š€Z)屐±bÈesqäT€Ö{)F÷›PGA’À½”?ä± çªm Óýš;M•‰—L:2ì-©¬Ë®do‰Mü ÃZh3R#ŽÊ¬ùáD«œ_s‡2?…ë¢ÔŸ’ßnj?.¶•µðN@rW]dE !¤à›h²À$É,LgÙþ¹Å­¢cNÑå9¼YÜ"ø -eÁɔëõf TÃt’”mLÊCÃÐCõ/[ÈôBrü;îEó T¶qœ0`%ƒÉÒЮ ×o‰L²èÏ^ƒê¢Îg^Ze+¨1@CÊ\oØ Ñ -ÁƒÎ“õÍ]G^LaòGŽCe}C·ôä ÏE ˜¦<bq((ì³µ„ –5 ¡åò=ô Ñ'¡É¹ÜÐöTúÝÂÉ}Åv__b #í§b/Pcêø‰û,Ûy€eæ3…¹UgyeæO`ã!N8ò¯£4pᇪÑf²iàKk®f1ÇõçâÅ:ñb|M¼ÌdÑH¼ˆÝ“Ï!¸hX32A²·‚ƒ0 ãÂÆC0||@ÔEX -ÛäVf“¿"Yé!¥žªalj_Fû± ýTÐþ8æ.?32êg÷, 24"ÁÚiaí@u—ó¹iÉÜ¡óÍûo_sÏdêí u`‰%™Yh¦Ï¢pÒç‹È¼¡£”IÞ¾f‚6‘aßk AŸÎ£pñím*Oé„CǵóeW•ûoÀ 
<°÷š{.,PBÖ6ܑKcŠç`â) ›½DŸ<$§Æw­bBéײ-Þ~:oð¿ä÷|.ˆWœsY°Çš|†v7À®¡´/},.ÊÊö(£ÜÃ9t>Ê7­Guéi»¢ -Míc¿íâJ rÎÞíØdä¢Gü, ž~f “ç„Ñ+1v0ŽŽÇO$ôT‹»›æü±Ï_€Æx:eäÂînòŒ‹ô£…䱏¤­E"8·líß ûÓÀe1Ǹør¦§þ%–p‰ŒJk9]gOçY_5lZ4 >|ãÏÆ?-¿ö-œÂLé((/žë—'À×%¤…›ÉÃíöõO2‡mØ'1¦ÒÍ6"Àßp·^V9+ÚlSyÀYžÏÞÐ,,.jùwzH)B,ïÑsœbíÒ-¥NQè,ô8­†ÍžŸ»E.ÊôyƢǷ°œ¿³dâyÅ;~Õç¾nŸÎ]·ô|,÷ŒCF®‡½'Ðès#ßÊòd+˜à¸<7Ε»Êr«Ìvd×Ĉ$÷/yy20ûh÷—¶ìž¸…jfÁ”ô—'°ã>õà nvåÒ÷+xH½}ô]ÀúÚdSoGïˆvâ(¼„³x±ù7MÙm¦äñy­0­j$ZûÔ௠â¤A÷‚o_Ý,qjì‘Ìß¾Æb@’åò‰E„pÏGr¬Û·åÎJŸ`„d-ˆ ð#S#NđB/¼é]‰ù(9“0PIœMݾ¸E×ð®æçÁƄé?Å"™?,árfBÁÍ~y³½îZlx¼÷ãÂ |cé¿ÐæÖÙ³ÁìLåg $î„ß]ÃÏۈ*SÿȅòEß .Æsí¿ 4UJîÈM?Q$S¡9kƱeí–2e§eû½ðé” ~{ƒ$‡Y%=«S3P¿(ûï°OÌÐh§™œZŠÏûK;íߕ‡‡~¸¬é؅ŁŽsŸmŽ  ÞÌä±GÇÍY\IbTpR“pX‡_¹V•ôx”ð‡g^´ o¡WXcÖï -_‰ñÞ<ñQ9,‹ˆ|X½¡ñ -ý$D> endobj -778 0 obj << -/D [776 0 R /XYZ 85.0394 794.5015 null] ->> endobj -186 0 obj << -/D [776 0 R /XYZ 85.0394 769.5949 null] ->> endobj -779 0 obj << -/D [776 0 R /XYZ 85.0394 751.9762 null] ->> endobj -190 0 obj << -/D [776 0 R /XYZ 85.0394 588.2109 null] ->> endobj -780 0 obj << -/D [776 0 R /XYZ 85.0394 552.101 null] ->> endobj -194 0 obj << -/D [776 0 R /XYZ 85.0394 373.7735 null] ->> endobj -781 0 obj << -/D [776 0 R /XYZ 85.0394 339.0798 null] ->> endobj -198 0 obj << -/D [776 0 R /XYZ 85.0394 207.963 null] ->> endobj -782 0 obj << -/D [776 0 R /XYZ 85.0394 174.5031 null] ->> endobj -775 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F11 785 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -788 0 obj << -/Length 2920 -/Filter /FlateDecode ->> -stream -xÚ­ZYsãÆ~ׯÐCª*‹ã9p:OòJk¯È‰$§*>@”PK4J¡}º§{†9Zٕ”Ðì¹zzúøzFê\Ÿ:OR‘º8ϊX$R%ç‹õ™<„¶oÎ÷™¹N³q¯¯ξüêóB©NÏ–£¹r!ó\?T?G±ÈÅÌ £ëÛûû›÷3U$‰‰Þ{õ‡›»‹™N$t¢.W×ÿºPJEW·ïo®© Fñáæê"‹£‡ïnî/~}øîìæÁK8ޅ’Åûíìç_åy›ùîL -SäÉù üB…>_ŸÅ‰IlŒã¬ÎîÏþé'µÚ¡A­()´ œª%6!µ$…H6V-OõöBåQ›K£õ®J¢rÕwěsÛ¢[¯wm³(‡¦k©ÓK3×Gô嚩ÖSA)vHxxnÜP †ý†)ØÅ©U¦¹(dž±ýôÃíMÀu!Œ.\8¼¤é ùÁ»jÎ+ízιK-ØÒ·'bÌx2>òHkϹñç»^×mUóÃSÉÝøp€beÚŘU’zÒ0ÇäàÛýf@ÿÙ<5 ì®Á¼;ȬOkúYÕhy|†¹"•ÿ­ã5ìqÁžXÖÕàÛ¬7«°±æ® DW{V@¼yøðW"Áj\ -^¹ž®[×:n2`¼Îçïî¯î¿½RÂ÷9ôƒ 
}Ënµê^|àBÒ%ÞÙN‚EIŸ,͉˜7ÃdÅ£X½ôÓõJTZÀÆr $]o<è¯xÒ|Ô "5o.Ó鶧Ñt–B¸™•ôõ²[朾v‹–Á½­á[j"§û‰Æ/ -Ð(fjSb6;›le„)tU÷Ô@*G -}¿Ò«Ý¢®¾ -¨O¥R¸)äû©\_H™|¡´‰ç@0Y*2#5dz@!@àqúÚäN&É Bè©)Vßl›g4 €2ÆÐâRØ/2‘/ÔnŒŒì DZ@a0ï㐠ۉebøµô±ˆÄP>¬ -‹ŸD‘éOÚéˆÆ€ÈkøLf珲örOâ*Tçv#!sWBó†¬=dE¹ižêƒrâ¶l–LœÙÕ -L +ÄzuIE jÈÑÔÿ~ð<ÉIº7ÖÃBŒ×l+êMڀî¤C䔏¬ÀŊã©! x|Œ‡Lì"re_ó!@€ŠœÝØîR€‹ÓÑꕨ¢òLd±ŒYqŸ±¿D‚“& £- $,iOK3€Âõ:úŽb"ü¢¤ÀɾÇÔ§3N}ÚoÜÎn¾‚ÄBh߀ˆi’ž”y-ý_œ1 Å$q; û7àÍXªÐæ‚èÐÇêÉ~ˆGƒ3¸Äl7‘%"IғPÉ eùXKY1‚ëÛr¹Ìé X n€ÅñoSo‡=[Q5ó¤Îáx‚’U³ÄQËzTȎWäˆ`JÂ`bS—<K‘û2xg¡d‹Ùòõ kréŽÜ҄F À†þ©Ûá=rçܳbuký²u]®ØÛr‡ˆ‘ò! ‡ï݀ÅjWÙTîF6ÂÈļa5™H‹<˜MO«ìz\á ÆHúñ—·ïÿöãu$žƒŒ•É|ªH,.-Hêÿhñ¥¹øºSõÆ×t?1:ú¿•`过'Í2À$¾ã怨pzö«"Q‹£2¬Ý‡²³ü¤]@«‡€ ¾<)Š“3•|;†›ý¦k«Ë‘¤`‡ßq!ƒñ¹ßÍmñ­Θ%³T£˜1|ê/4±KҀ½hÊAé#«½x8Ýî O¬Ì-ÞCÃ_fÒä³è4œÆ%€»»ûß„Ô§E¦b¼ê±%@|(a«ÇîžEC<,¹—”@•}HÒÈ"yãÖ)ƒË]xÕØ­jü# À 7ËÀrx‘{˜êݬz÷ª]Y×ð|ý¦^Ø|PWxÀJEC+¤ ”YòÏ®`} Ž!yiyŒ°:®6Fxßgºæûœ»;ð…>P†Ðãê<‘‡«Yéõd[ûíÜÕAUåš ììÅ^«&é¸âŸ¾âÂè=‘ô‹ÌÙPlІúÝڏĪË~{êh¡*ü.éãS.²ÕU0Ä€êGå”x«S2Iᝠ-?$ø5Ãâ.D÷£B ª—ån5\²â\]9¹Ùc}¿@åÍ×¹|ë‘Þ·ßç²Yñ¥½æuèp\p–ãC}ëæk -ÜD –”ÁÒ§ª»@UH¬?¤Ó£5~ÀyŒ®PDÚ(Òxæø}³:„óM2ï৲‚«`”)Dlüý·½¦r×ñÇ⸀ôœy¤QÁµkå0g"Î<,Á*ŠaÕ,ÖJÄyjŽ.jºvùÜ-û#‡oZ«LB×$}82øD| f<ÿg "ˆ’¤p—g|­’gî -¨Ñ9r}8›‹.Ò0ßxžO㣠eDètQ?š¬Z= ÄÀ­mfîݺÞwòœ|‡`>ï`úxƒÂo„ϐ°›ª&©ǏIºp.e:?¥ÙLOiF:,o^+z4¨>3‰³èëÛûïoþºl!µ.#±d°Ç̃¨üëü8p;5O¨õ4捬¬c•…×\vñ’5áTM×'¹±:„MÊu¯¦*Pçv?z@šF¸Wì8§ § Ãé÷þUǃê{~mzNÿØ®šO¶b2Ñ×oñm9‹£ü’j(Ç1QA UGá¤,,2—{bNC3ñì³ô[ueÅÓZÊü¥/4r2ÉÜ­rF·Êx_µë3÷r9Z«ŽX(Fà²üup‚ANޖd£G?ç}¯ÞÌbá‹.•Ž£Ú5w[Êø•8£·_`“3v\òò¥;ð瓂Úsj°"Šï, r–³Èïú@T41š’ÐÖ¬«Ù§ðXR-µ+C|ÕwÉÁ°E‘ÆEà9ƾö‹m3wº^ÁØí±Ú¯Ä‹Ýºæ§ÕÐ?1˜Dàþå@zOùŸÿÁáð?àLžëðÿ.€‚!ÇÁ$,nZëÉÝBœŠþ_2ç;endstream -endobj -787 0 obj << -/Type /Page -/Contents 788 0 R -/Resources 786 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 764 0 R ->> endobj -789 0 obj << -/D [787 0 R /XYZ 56.6929 794.5015 null] ->> endobj -202 0 obj << -/D [787 0 R /XYZ 56.6929 684.186 null] ->> endobj -790 0 obj << -/D [787 0 R /XYZ 56.6929 655.2772 null] ->> endobj -206 0 obj << -/D [787 0 R /XYZ 56.6929 387.8252 null] ->> endobj -791 0 obj << -/D [787 0 R /XYZ 56.6929 356.2664 null] ->> endobj 
-210 0 obj << -/D [787 0 R /XYZ 56.6929 153.01 null] ->> endobj -792 0 obj << -/D [787 0 R /XYZ 56.6929 124.1011 null] ->> endobj -786 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F58 627 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -795 0 obj << -/Length 2016 -/Filter /FlateDecode ->> -stream -xÚ¥X_w£¶÷§ðÃ}ÀçĪ„@@ÞÜÝl›ž{²iÖÛûÐöØrLƒ 8îöÓwF3`Àlúp“¤Ñh4YÍ%ü«y -©“`%¥ -ç›ÃLÎ_`퇙bžeË´ìs}¿ž}÷ÁøóD$Æ7óõ®'+2ŽÕ|½ýÕ{÷ãêq}÷´Xú¡ô±X†Fz«÷¿,”RÞêáÝÝ{Zzÿð‰îV‹(ð֟Ÿî€¢”‘ö%¼óþñC|Ÿ>?>~|ZèÈ[áþ¾ßß?°Ìdñûú§Ùݺ³¤o­’Íøsöëïr¾£šI¡“8œŸa"…J~˜¡a uKÉgŸf?w{«në”÷B‹0ö£ ÷þ\Bàƾÿ„†¡ó˜^MmM?eÕÐ$+&Íáº9_ú±0Q¢Tf–0»Ïî”ç_qh¼š¤×´æ9 6§ªZ¨Ø³ECœ‘·µ¿IévË2ÊêP“ŒrG$ÖFEz°4jJ–¼Ý’Àš7¥Åvrå²å"$/Ë/§c-ÐT4N)‘„¡ïŒ»gϜ3§;ŒÒ¼.itª-gKçÍÞi¶&RÃ܇ô ³ÿy²UÖ.Ÿ÷–^-bïTYñBó’éi1>e“Ó眥Õ_ëÆ.ÊG"Ñ~ì”ÿPVÀê€7Ï©S ½¢:“o`æma9¡O/lÀ\.H@_ÁÑÈÊMIBÁwK iµÞ[Z&×À’ V†æ£}DÌø ­=òzÚ¸D€ñ3ýôáÝ0> Z}ƒ‡Gò$ô§ ê.·ƒ> êÐ@`g›+ ²O`”Ð'cÒðP¾ZޞnZs tà)#ðGïÇòl_m…Ô*yjöe•5i“½Ú©„ãs}Š|8OaTÛ -„Õۊ˜.YìÇìÜkѭܛ)S)`˜á›=r¡± X8·sÇÁŒN@æ1ßÀ:˜¯L[O£THÔ«£Úâ2í6t´¥¥^­ÝÆÇHXîÕ -)÷€ Úo³&+‹4§•ß ÒŠìêGĄ(—6´%³%ªKA±·„¾¡é¡¯Ž•ý8SЂìhDZÓ œÖ!0úÌ·-à$ŠÃ2ÈP£x€ :4ÞÙbfáˆ(Y…„2ß^Ò9Ö㊽ÖVF4=m³¢™RÖÝzz -T‘ñv9ŸÐÝf+%œqÐ{]ÑÍÏY‘V̗§Ï6'ß»ep€Ãrçë8¢Ë—¢> endobj -798 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [377.8384 566.941 436.8266 577.7254] -/Subtype /Link -/A << /S /GoTo /D (ipv6addresses) >> ->> endobj -796 0 obj << -/D [794 0 R /XYZ 85.0394 794.5015 null] ->> endobj -214 0 obj << -/D [794 0 R /XYZ 85.0394 769.5949 null] ->> endobj -797 0 obj << -/D [794 0 R /XYZ 85.0394 745.0977 null] ->> endobj -218 0 obj << -/D [794 0 R /XYZ 85.0394 552.7519 null] ->> endobj -799 0 obj << -/D [794 0 R /XYZ 85.0394 524.1722 null] ->> endobj -222 0 obj << -/D [794 0 R /XYZ 85.0394 397.0585 null] ->> endobj -800 0 obj << -/D [794 0 R /XYZ 85.0394 368.4788 null] ->> endobj -793 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -804 0 obj << -/Length 69 -/Filter /FlateDecode ->> -stream -xÚ3T0BCS3=3K#KsK=SCS…ä\.…t 
œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream -endobj -803 0 obj << -/Type /Page -/Contents 804 0 R -/Resources 802 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 764 0 R ->> endobj -805 0 obj << -/D [803 0 R /XYZ 56.6929 794.5015 null] ->> endobj -802 0 obj << -/ProcSet [ /PDF ] ->> endobj -808 0 obj << -/Length 1920 -/Filter /FlateDecode ->> -stream -xڍXO“Û¶¿çSø¨‰‘ÔßcÒm;yÓf:íöÔô@Kôš™ô3¥õÛoÿ‚”%¯Üfvf à Ù&ƒ?¶©‹4M¾©š<-2VlÚã»ló ²Ÿß± “"-r!àeEº-D5¯6Û¹‘OOï>ü”ó ÏÒ²äÅæi?}«¬ê´y³yêþJ~8ÈÓ Î[^dIñð÷ÓhYžVuÅpYŸ(ÒªÉj¿àé HùÓç/D5ôøE?†‹ÂÿÄø]9Û¿€ñh•å©ÈK¬–"­ÊŒÜ(Rö°eY–]íß7Ä»³<¿ÛbÓ¤MÉË`š×iY5‚~h²ä,;=hkd߿‡š2‘§S¯[‰LGœƒ|QHUÉN)C¼^›oª#ú¢‡É%1Ü0îˆ:?°:™Ü£…äž×rK”éÜ|M;ž¦ï–Éã—?hÁGuÖÊáæp;Œ¥MQp¿ÁÒþ%=zÛʞÈV¶mžéÅÈcˆ£SgôªÊ“t²WA@Å ½Ï¿½”[_·¦UHU‰6ƒ÷Îvc‹»G©Q¶öxêÕÿôðJP¶$ŠXS8F /ñNd±UνØB9'nl´P:ÒÙÛ¾·¿d Žµ© ª¦[‹Ê㗏¿þûåuŒ«õÏ?Æ÷ë@\%NÇ~FÙÑтÞÚo㉤vO<ˆJNÔ´åY]vè”KÁ¯ŒCÙÚñù@ò£uÃҜ ³à­ì₁Àœ¾!Š>t´/ª{?É\H­$)½è­£7Ž‰>ž¬sz×­X>ý8*Ζ6‹ª®ç%‘/õ«C¡Ôï•qƒ’è±(ó€"gˆøµð¢;åˆó¦b€‡…«Û¨á‹,ç±à‘Õö6䣣ºR±=Wƒ˜I–ôKfƒ<òc»–œxºE.®§×ø -A®¤Ç ÓIÈ !íÙ9ˆêu2¼ )Špšæ;É* -®¨kÄI§ˆ =ŽÁ,0¦X O‹­0ڊÏ>n–üùøÛv'sÞ4ѽÁ¶¶Çô±àʾrž÷sTÆõ7»ÎÜ.¡Å„(׎žvƒ6í@ò=­:’Œb -¹,ƒ ³Š‰±gìÇ>¬‡R$æÞ¤w:Qž¥¼uèDÐýþrV®[Ù¦€(f j68+éAe‹ÙÚ搬ºÕ2koZu1k¾fÉßgÔ{)oýe¢JŒHsWÜåU*ê*(¹Ž  ؖ•0<åL,ìÓ+¶2éÔ^BÛðͤ¾™PN’TŒ¢Xæ%Ë gÂ|¹h_¼°ò(¿)âÁ霯…¹À Ž”<’_¿Wƞ…f­=­bØN¶ßpÂhæ=Œ_3!Bü1xaĶ†ž'{ˆj8KñÈ -ÕVµ2,Û è_ç³î:ù¯ke—U)¯Å5¡.Þf2g)¯ò2*j£Â‡u(碚Û)/òYrÔFý¸$ج—x¬ÆÉ 6ó§éiøkÝÆÃ@]´£v›yo‘!ëBWéG!¥?È{˜m&kk-öf"C3wÑ®(¡oÕíDÍï ] ½¶+hwњ -jSlïíùn°+¼²±œ Ç9hÉÞY¢Zy’þ–hJ“60;Kƒ(±šßŽúÔ|žVü¶¨å8XcpQó‰‰Ø‡Û­5kW wR­Æ|ªîæZRÿhð †–Ç°0T݀†€ÉÎÃ+!@íüM˜­ÕHišñ+VÈj‘æ‚GÃÒèîå®Ä­§‰æÕÇÌÞ>1‘ÓcIç¼Z/­=«rþïÐÎf±ºëLÀ"Æk‡¬›8H!®ð&ùHÌ0 F }Àû ¥ÆYdad‘³2'lõúþZ„#¤×åLÖÜ^_¼‡2Üÿ¶a‹š¤F^LXnä+eUâf¼ø®™”Ý¥Ó­üm’ ªr:ßÿXE“VUQÏg•w?>M?ÆE‘âϋk?.F•íU‡~Y\œŒ p;ñâökÓï”o?÷øh˜‡endstream -endobj -807 0 obj << -/Type /Page -/Contents 808 0 R -/Resources 806 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 813 0 R ->> endobj -809 0 obj << -/D [807 0 R /XYZ 85.0394 794.5015 null] ->> endobj -226 0 obj << -/D [807 0 R /XYZ 85.0394 769.5949 null] ->> endobj -810 0 obj << -/D [807 0 R /XYZ 85.0394 
576.7004 null] ->> endobj -230 0 obj << -/D [807 0 R /XYZ 85.0394 576.7004 null] ->> endobj -811 0 obj << -/D [807 0 R /XYZ 85.0394 544.8207 null] ->> endobj -234 0 obj << -/D [807 0 R /XYZ 85.0394 403.9445 null] ->> endobj -812 0 obj << -/D [807 0 R /XYZ 85.0394 368.2811 null] ->> endobj -806 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -816 0 obj << -/Length 69 -/Filter /FlateDecode ->> -stream -xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream -endobj -815 0 obj << -/Type /Page -/Contents 816 0 R -/Resources 814 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 813 0 R ->> endobj -817 0 obj << -/D [815 0 R /XYZ 56.6929 794.5015 null] ->> endobj -814 0 obj << -/ProcSet [ /PDF ] ->> endobj -820 0 obj << -/Length 3052 -/Filter /FlateDecode ->> -stream -xÚÍ˒ã¶ñ>_¡‹+ÚÔƛàæä×&냓Ø{³]ŠâŒXK‘²HíxòõéF)Q£MF©rél6ºý†Ä‚ÃO,œa\ez‘fš.Ì¢ØÞñÅ#¼ûë0Ú(f´Rð0ó61Ê1ãdºHÆH¾þp÷å;-’3k¥Y|xö²©c™ÒÙâÃúçå7›|חû7‰4|ißüúá{úL³Ô¥?㰅aiƝÿàë÷?|KÐ ß´Í/œËÇÃ>﫶¡Åˇr_6E0ªEÆ2+m@hªÔÈ1Be=BŠ Â7bÙÐzÕѸڿnÙæëú™ºj[ÕùžúG3Bëþ£ËMûT~VS½¼Ç7nÙoJ«$À|ò@ÃCùDøš Py ¦}˜£º¹GƑU!Xf«Ý¡Ø´3Kÿ5ŒŸªò©co-l¤Vc”  G,{˜Œá5¾«Ë€¨Û´‡zMó§vÿ1̪~CÀÄî\Ãq{×UCãqû œi¬ö â™a¬h·»ºü-?•ncő@€X•4B”A¹&(zˆcSiZ=„W›ò9¼Ì›1q$ͯ–ø€$UÙôuøªB·°÷:tUó8åFxn`'Òb:s˜<”y =º°Òš5M« ó#Ë`ÚLMN-G.5* - -Îtl þ?³ ôT/´ÌòL¢óÿíîç_ùb ±âû;ÎTæÌâ 8lï´ÌXÊSW껟îþù?~é@!*– ®.S@ßqÀ¦ñ‹)ª$ò”(璹lˆhå„/™RÊ,4×LjžúãˋúTFB -æ¬ÊŽ€Ÿ!$É2çÜ<³É€1£œ!©3à&$¢M̙Š,(˜ÁÔÅ3÷3T9%@›[M%sN»ðu¾^ïË®;…²š T—[I""¼"eS&ì© À?›3³”YínIcÄx…HÍ!/Q á"½ÅŸŸ–%ÍxÅÝÑ ­K4Ý}>®žéÀÐî£SL•‹n/(îÉ6àK…'©¸ïvØ©ø &!ç[Œçuöˆ–¯8ˆ÷ÿaâSMg¯˜¸r°‡âê%ÝòÔ¤7¿ÚÌ#ÆdŒr†L gd•˜’9«Ý]jØñvDFŒ×ˆt’I•Ú)‘´ÛZf©æWo p!öá ‘›2Lö4Ž³ÄÓýA¥ã1—¨vg†Ì:qÃó0^J Ä.ÎÕlÎð½FëÀÆý §Ž¹c6sΧ†¢,3ÜގÏã>5Ҏ5à„Ïݾ|¨~ŸáTrC<ºÈ© -!A?eՁÛ7PœÞŽÕˆñ«|¯Å‰ç¨Ösq7øÕÈfb¡Þk÷3ìb.¶¦§Îx&åïTŠfnLŒ|5ãÆdŒòœq™j‹fÁ^H9 VèÁ"c"{OygW–gjR&1èI —ûÇM~õ&øsšOí/ÒóSY3bHô!Õ?U/8#R1¡ç¬C2@]¡âÛPÌØQèºm€Õ· °P.¹ÔÉkր*Çëv›WÍYàRþg6¯[_rD8Y%ÈØL軔>sË8¦˜C̒Ú.;@}ÝR¹ Ô¯¾²Ófù´©|?–Ÿ*_ -â/³a%Ôq:ôj4u„`øö‡Ÿhɸ§µ 8)Ï·É\‡d«¹_¤Ô3žê ¡xtµÛg֗]ώ'q«S×l4\Äù‚šŽàœ -˜A 
~MM•d†giPÔö¢¢FتêåKÊ:¡²,ªm^_×Ø¿c2¥Dê{: l2íi¥júò±Üw´þ)¯¾Â€7<|rl6Œ4†Þtå.ßç=ÁÛP‘¤(»nNQá†ÿ‹ý ãu-±ÒÍ1J%gb5죚eZeÓDb‚0O#ÙØ\´(nm€Šz‚G`]nbræ2†Eõ%|F‚:d½`A#ÝüãZÌã&½ZIqÇLz]ÕN_l– €·k–ŒQ¾Ð,™x! ?i–|i,‰åû|Òaê¿ô=Û.¬P?¦=uá{ÃþYšŸÛyþ±škµœØ̼«`J»pDVkñú0bLÆ(gR@¨ü‡,b{Ùiª‹½¦¥Vãe{kÚ­ìahï~>Îá“K!ö}(›zÁ"¤ÓM³`ö¢AD¸ÛÙÃã æ0¦ïó­A+Æ`qfƶn]»èÖý»9·ŽDf@BÀ(9o×+÷ö-l¥çšéԉÁ—&Àáhÿ®hw‚ª<^gAvõL­)ŠW Ú`lÃk œmòO%ÎÜ2ß®ªÇCÕ?Ó ¬´¬ö4õ;ð¿±M!–=m]@·š½ÌZWa§ ©÷Aªì»Ò¸ÛQ¸Ýí«/åJZ÷ùÙûoéKò8:´ý«]:àdænŸŠ „ëÂßÉj¡(áã1-`:Šãº¬«mÕӅ&ʛóåûžÞU²]OfóX?Ó -ɶh·àãÖĞ¿Cš‘dÀ*Èlș¡Šâ*¦¿-Bz7©~«¡Õæ°-÷UAËÕØ­°7 -Y h Ò™¿8C@jͦÍk5íµ.Œ>=‡‘øZù£Äçüeze{îúr{z‰¯Wpˆ|,éâÕ-ÿÖ>%s'1º-V(Ì -ï³!†ññÅ1>VMKc×ç͚î‰×´²!rNՂ‡ó&è¿ ÂäØÛ_ÏIb,@ôY —¥Ëâ°'ŠÂ…g–Á©ãÌÓÙãþ!Ô7붮šö™=ŠáôÂåðp嚁h»]‹w’H GÒ¶Tg(¨LÒ·‰×„„/WeÿT–Íœü²ý–$?Ajýáò¼ó¥Wæ:ÞðÞƎIÝyPŒR‚sŸ'!·ÆEŸ÷P:þn¶)!'"BõR©!SW©b…¥¼ïóbã“phO'4㉭eƨ؟jJ>2jE„{Úca‚Î[y/D+Û¶ëCiâí´£‡ñQáóè¨JªT’¸ÕDKòú)—¯&­Ç@!€®PÒäñî¾)‡ÛږÆU¼uGË©Ð8ÅxeÚ2ʅ‚ðÿ œá‹‹™„șkM $ÈT¸ k! %ÓG¸W§Bc2F9C¡pÌaGnBáÅdæ©Çdhæ2Â⟡ҡG¯Ï³w¨…3·ãuÀx…WPLã=ûçð:iàÎö¬§ñL~«´b’ky;NŒW8UÚÂ÷ŸÉh( ®ÕêcMñíQ§Ìɗî¡ÏPÆ/.Ùc -ï­6×ÌQ¤PïY{Õ#Ü Íq„ò%sSˆ)Àg™#D ¬Mh<~5ÙÂH–ò¡­¹äªÜ_½¢b3ˆ2¼t4WñdlØ̧s@å×kz ­|¿ 'ý6X"”¹u ¨º³i ƃÐF™ÍWeÝ⶙àRÓbÿ¼« úLC„4¼ FvèâG>K÷ˆp¨LŠcÜ> endobj -826 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [356.2946 363.7923 412.5133 376.6291] -/Subtype /Link -/A << /S /GoTo /D (address_match_lists) >> ->> endobj -821 0 obj << -/D [819 0 R /XYZ 85.0394 794.5015 null] ->> endobj -238 0 obj << -/D [819 0 R /XYZ 85.0394 769.5949 null] ->> endobj -822 0 obj << -/D [819 0 R /XYZ 85.0394 576.7004 null] ->> endobj -242 0 obj << -/D [819 0 R /XYZ 85.0394 479.565 null] ->> endobj -823 0 obj << -/D [819 0 R /XYZ 85.0394 441.8891 null] ->> endobj -824 0 obj << -/D [819 0 R /XYZ 85.0394 424.9629 null] ->> endobj -825 0 obj << -/D [819 0 R /XYZ 85.0394 413.0077 null] ->> endobj -818 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -830 0 obj << -/Length 3528 -/Filter /FlateDecode ->> -stream -xÚÍÛr·õ]_Á>…ʘî—dúà$rê4qRG™>$gE®ä“KywiYiûï=¸rw 
®”J™éxl€XàààÜÏLfþ™HjfÊp$0³åæÏ®áÛ×'$ÌYÄI‹þ¬/.NÎ^H:3ÈH*gW=Xa­Éìbõó\"‚Nžùý«/¿þéõóSÅç/¿uº Ï_¼üöÜ÷ο=ÿîüÕŏð 33ÿòoϸ8í¿É䋗¯¾ò#Æ7G ¾>qþúü՗秿^|sr~‘Ó?0Á̞äýÉÏ¿âÙ -ÎýÍ FÌh1»…cèlsÂC‚3GÖ'?žü#ì}uKsäœ I›-´DTIq|[¿†mCW¤”У]R#I°å ֈÒ=K„ê±Dqd´š)"eŽ#Õ͘&Z!ÁŒÙO{Q(Ö:O’E¸èC<ÄÎ`$è½›¦¼ª>ZÏ^p֛M(ô³›ØyÏëÓcxþòh©™×ew»mÞùÁö¦\V¿`L˕ÿZ´þCQ{È<ÓHs.äC1E¶ç|2 -%ˆ÷ˆµÕ¥ŠÕªÉPˆ2d¬Lûc<ƒƒ&\m×ëí)™ß:R .ï)jÞá® d–µßaû'³1Ì4L›0ó¶êÞZ;ž$[R°‹$r˜ -1 ;‚¶Â›!A ÿ QDCøŒæHÄ)(¤2=<‘FxFÕPtˆ‚Ƈûæøbú›FòàiòÃe<é/Ïí |PQ>ÐX_¸…²¬ì¹›Ç90PÄ LŠ³õpqÅ1Ÿ(5GŒp5饢 -É݁ߕwã#ðëD‰ý¼ÇZˆpч˜ñŠ ƒVçøU«¬G:€ˆE˜smqE£`¯¶›¢ªl!ðž3¥žî¤ â=G¥ -УR ÏZ›2o›ÀF]qž ¼ñM[֝õ -æÐ9Ûqp Ç'²#…oÚ·…_·ò¿-ó !ÖcRÎlë‡/ƒÕSÀ¡ÈÐèíZ·Ú9ØÆwº¦¨ÛbÙUÛÚ´år×T~\¥úÒú8ëJ’À+ÌÙ´N)Àê{u*Î{:êAœÐ©>~ëªí¢U-q?Ùõ¬01&æÛº o7[/U5´¬Æ,Zã a“ऄy:Ê$ˆ÷†Y÷¦H›¼½ ͟¢u¦)¿)š¢óá%á¥ÞTËíz[·~<8^Ð"FO3ðe½ò - j³woEÔ£jB‡zÒùT:ñ™–⏸º¸â¨QȟÀžÔ!AfðÅÙBOgxÁH>7=)j^oëE]^]õ¡ô#Œú‚pߩꮼ¶!ºýacû -•È²R;û蠄 Þ­ƒà®´a¾ý}Y‰‡&(ǍTÔ ŽKØj¹Þµ€ŠÍlYýK› 0 -@–Ëò¦+.×Q*çŠõ®ôŸ6ÕõÛΏ^í°çy”¬+ˆ†£1¶Òçl±sÐYná¼;ÿ£ -†ùömµ "VÅO­o­]Ÿ³'jøƒ1’TO×$‘ˆ(ìixStol5ÄÄX›&>ÚV€‹>ÄCü¦ˆkØ -ÑÝÓ©çïw[oŽ ßv3,LªÈv;|[­×¾wYúÖ;tÛsµÛúÆÒÆîn…Ú¨y»‹0`Þ¡¥éÄïà%Ú3ˆÑ»²9ÛÜ¡®l;´ÃƧ‘` W÷Fá}?•¹³vœä‘í´ä˜$r i'%Ӂ¸0ãá¶ú½<&‰iâ“Ibâ„$1¼)—‘D—ŸyK -!賑]ºõÁBp³õ‚‚¤InvWGw¸§`HÝ+øXÈ)}ÀV›Q¦bL½*¯ŠÝ:q‚4O¥7´¯X<°Æϳ6 He…ý‰\Ð,ÇE€üu&40sýøp(B\ôAfÂ!°ðŒkºßy‚çT#NÈ0%y¿oýÑF'sê² ™c“LŬ©Qá`S|¬6» ÌÅ}(ªµw™îçf»«;p¬J˜|öÇ Â›­ƒÈ’ÝÖ©5#b&@ƒ8óG“=A\ôA’sŽ4ó”¦M‘]!mxR¶lƒ@BäD Õ/“8^DÝ(Bï¶h‡±Á•×–eTWãèS[6Êf´¼íŠ¦ ¡ÃØ dYâHS’q4Ìc¶0•$lY¸@ÌÌ·76Ë,Öë;ÿÛ91h]±×WzíhøêÂ:p…Ëbí}¡ ‰ê¶ù,c(áÖþDKö÷ Và Äå¸Èµm2àC‹x‚whúãdÄ\6Í4Ÿ¿«ÖÛË;ð—Ï2@%åiÍwG€Ê(ø@ló`Ä6_Äœ˜}EqlÄ©Ðú×O€áõƒ1¼®R-’!ˆ)FlÚ£ÏKA‘N@Jßu¢-¸@î&R×ý4ýfþ Îù4ý“S€P¥m¶‰ÉºWóVÉÞ§ÐÝì\ꍕs9(þ„4>¹àͶ~…ä ŸùÀЮn«ëÚ)–)Ê a³"›ê`êjA ¬5ќKÅ9VLa{.I\–CÄA–óæ?µá -c\ðÂÊLò!¾]"M°Üי=G¥­©Q>™¦Ë²Mv-fBÛ` Š+Kù`ÁºA‚í é͉³”¾>v]Ž£˜ãi?Ò{dôøgV±8¤Í”é*—)ÁÚ$¹› “µ)FŒÍ3Å:†Á]S-}Á‡ËFøÖ®‹¥rµëv—¾çʈ¦¯gTžª,½Îvïû8X£°½ûßV¥;i8‘Vàø $ ñ¼ÿ®îà}UÚê¨}We9¡ö=N“¶÷ž(2NDò&=Q$ ÎãùóÕ -D%8ÄïŠ.^|[Ù¢Îá3 l«Sº•€ýx™ÉÇ|‘¸¿ªð›¾ÙØýÞø›F[¢ù«o?¿)×åÒÿýsçé£]Hþñ¥Ÿûµ¡øök°œÜ³Èí.ì— -Xða{S6…=!˜«=6ä½Ëåð=$i4mowJæEêkh*Õ4G4×(Ì½=Y/²A·ázŠè>Ù*¹­vÛtGîóG”é¬íŠÎI°?¯ð!¾E:Hv Q¼"TÄRµíªn×ÅÇSCîÒÀ]¯NZ 
bS¡ÑUeLÏ]%ÏgìQ´BîíÞªôp_Ó«êëώ½e& h¡%Ÿ~¼ÝŸåL#áýÈ’(&{°|!„¨ñ¦ -àM§7“7zt>|å`ÓHû°×Qf@fá­ÌË>ðáuŒÈ¨ìY"Ašˆ)&÷©7k‚HqÖ½DšÚtO¤ñ¦y"õ7)Ô¬Áú¸§R¬iÿvöIH涝SöIBÙ[/ÁÔ=„ê͚ Tœu/¡¦6Ýj¼ižPýMC…ËyG°¯FYïÊ[ùÜ‚ŒÑqE >äg¬WªÊ&ƒsŒÞÖj­Ø4¹{“ŽS;NºØS;&Zw̒º¿ã¾bàßÝõlY”ÖUÞì#¬½mqdÿ(ÏJ9xÜTX!Ç[ æ¡<‘1z©ØÏ9Α0ç>†Ll—ø1Ú.ˎÞvE| ܦ·1£~Y/×Ûô¸1ZË¦XBS8-ý0üqŠ¾ýmö”‡iMó´H¹@@Ê=Ö˜ Q¤Ôÿ ½¬Vâendstream -endobj -829 0 obj << -/Type /Page -/Contents 830 0 R -/Resources 828 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 813 0 R ->> endobj -831 0 obj << -/D [829 0 R /XYZ 56.6929 794.5015 null] ->> endobj -246 0 obj << -/D [829 0 R /XYZ 56.6929 363.2968 null] ->> endobj -827 0 obj << -/D [829 0 R /XYZ 56.6929 335.217 null] ->> endobj -250 0 obj << -/D [829 0 R /XYZ 56.6929 335.217 null] ->> endobj -832 0 obj << -/D [829 0 R /XYZ 56.6929 306.9099 null] ->> endobj -254 0 obj << -/D [829 0 R /XYZ 56.6929 226.5017 null] ->> endobj -833 0 obj << -/D [829 0 R /XYZ 56.6929 197.9796 null] ->> endobj -828 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F14 608 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -836 0 obj << -/Length 2750 -/Filter /FlateDecode ->> -stream -xÚ­]sÛ6òݿ{(G4Hð³}j\»u§u{‰2w3Mg&!‰cŠTI*Žþýíb %ÓIgÚс]`±‹ý†‚s¿à<‹}!óè<Í#?A|^lÏÄùp?œ¼fa-¦«Þ,Ï®n“ð<÷ó$LΗ« ­ÌYœ/Ëß½ë¿ûmyóöbÆÂKü‹EœïÍÝý÷ÉésýëýíÝïß~w‘FÞòî×{¿½¹½y{s}S û¦ð†ۻŸohtóóÍ/7÷Ëw,:»Y:a¦B¢$žýþ‡8/AîŸÎ„/ó,>‚‰ðƒ<Ï·gQ,ý8’ÒBê³wgÿv'X³uîc™ùq¦37ɹŒs?‘¡47xSë­n†ä’Ò+TCƒßÐkôZ º$àS5lh¤èSkUV͚&úSQ«­ª¶¡½[Õ=ꃈÅÿ¾ú>Ák„$žj˜æ°Ñ4€S¯«~ Q£¶º'jÂ0RÍ?†Fj MÛh&à:AàçqÙQ·…ª7m?ðÆ(äÃeŒ =ô8!°ê.‚ÌÓ4ÙѤÔ„]‚‰¤ÀÙ/í¸HxU³j;+;î²ßŽfB, Í5ãàq«voyªÜN='S©û¢«v|Ë`ŠíŠ¾t‘0PEMƒ~Õ¡r}G(óÓ< ¡%­‡Û(ËʒK˜\lÉ%Þ£>д»ï¸U¥>Y‡âMI$€ªzõ‡fPÅP´G“Í1®ÝjXi¬h²YÑÒmÕ7° CGDµÇ™×WM1{5½.ö]5 »©D¾ñtØGF²QÃÄ( 5´ù¨êª„Û"¨* -Ý÷„A›o÷MHåk²Š>hj„1°­§Öx’.K"Ò÷`H2Þ=X0\b #¦çô:ènK#ã -#!Zÿ!úY3ΪޚCU³eð«1TÚýš¥œZRÙ{T”±ëY#úÏF£¹JâË0÷ÖÕG ¹û@Gœ"/ìYèWŸƒ¬"¦h·;v’0xˆ˜=îˆ( X|Ä¡ø`+2ÊI £…s1tê£îÌEpã˜C݂ÅÍXؾ;„»ÉÃH˜Om9Oˆ š¢„= ÀUºci a¯±õœlÝî&L©wº){‚ÛåO4”Ž€¤$€r°ÄcxýÃEàir(˜±®a!jÎÀœµƒÆ‹¶È 
ê×l÷Ø?é"u³°Ñg×vCÏKÁ£Á1N±ÝÁV‰6lz£8S››ÄX¢˜/NCŸ³AÐ6‰Š#Üg¾Œ±2Êc iíݓ U.ó!ÀZ’ªëö©?!kŽ²g3 ·tN„—º© ÌXQÃ$N½»ڣɏ.Ñ@$논ÜÚFæc9rãÖI:­dšË S¡Pn˜€aZe…‰ôEœk†#”uÑ´Cµ:ðâiA'~¥)/~=C.ñ…p ˆÚŸ{ÝÍ‹} {¿@+9¢>Üô+òÕr `Y–|†Þ"Š&ÇZ0”÷;“fèB!Èø3tc? -epÄ'Q[€>©ÎTLÏ A %c9Ê೑±ª-ÁR)­–jU&˜èj›¤ß“"'°ãлmíêOj»«õlñEҞx.Õ?ôåU}‹A8÷¾‚Pf'ývÆ'¡“inC•(¡t[pŽ—Ž(ª‹Ì=§ƒç3‹À’j®€°ºeÓBŒ£êL„¦än¸Â¦$\ÓÈ{óÔóàXµuÛ>îwh ÒT0ˆ&¼"Øxf`•Hw'Ö5Þ=5" ÌÌ{ߏ!ð(¬PÂȆÀ¯hõx•ÆÆí盦~$6曺ÒØ:²ÈNqÕÙ>Àýêá@ˆúHUN0Ñ5h«ÃHäÇóã£­£ ‘i0éß5i¶¶V¶oÇڇ{Eì¸èY¹Å“*Ýw÷æxY¡ÕÊ Ò£$Îð!#¼XBïºÝŽõÔ;ìÃ>ÍÜ?D«žô†©{JIè)%E œ´nDÎ lY„p2“q5ƒ™àÒÝN«ŽÛ¼æð4V8ˆeMBðÀÀ~§ -n÷£#™ôYTâÊã·"A~´Šõ¾³ºI2c'µÆn býò"½–怚vRòI­õ¬;’u=)½d¬\¾Oà˜ƒf`ÅìpŽJ½ë×ü½¼4¤B¯mJzh뫝î\Û@qž»Z QPdŒVâl'SӈӗMãÊ°ûyšbá䧑Œ â•AØëŸ –æ ÔÞáWчô‚#gUkW7ô½&Â5E̜ÉÌLàWì·"Æãè8_]Ý¿Í×åå\†ÿ×?C‘-ßßßý—FFז680ªÿ‹ê¶aá{nëÆåú²÷½Zë/Ljë‰o ë•bâ•â™s ç܂œÛ¹õ N:Éña÷¹#ã³;òŒR®Æ+¸ûqœc‡ÔªAï›Ò¾J"hxâF«Ø¨NƒñyD\½"8>möµêm†äð“VQSˆ£4˜žñêŠ †ìâ'.C "Ó¸e®jœÂb@¤“WK‘W -0/u u;õ£0e.„yGèí'âk." o;òôf)(zᗻmAÁ‘åš&mcÏVôÁ§z2 7Ñj(͏Ÿ(u̬ìí¾ª]íêíŸ]>§ùðHóС¡DTÄf|ïî©D”Br‰PW"ÂÌ>yxÕbÒãp깑®#j^-}[÷Ë`$¼TÎ=FþæƒÐsè~Zlpß@“WWß̇ñ£ ø„qs¼‰JäB8D½N‚ äÏIôœ ¿Pš˜öŒ¢;íˆæ"Hý\†'ýæŒtñKÒÅ/%©Æä¢í:Ӄ0dìíÎMè‹VcÌà%Ñ¥ˆü,N²f¦Ùkª›… „ŸÉ(úÒ­áS~ë¶YcI9Í"¦~ÆM(¤B ò×séI*€B<õƒ( Ká§ø†b|íòÒy[”O½ fl$8d ¶ï³f€qÖlšÄYœc¶Æï4Îr6DҔ²—9|ªÙ[²íÉ9Ú®35Û³ÛúŜV…2-Sb¢ Fd™a…|  "86¡aÌDISUPÕHZ2‰]8ÏÏ豗L"~ôN°3áµmú]{Ƹ "gĘ ˜ü"«Õøǁ ¼Û½ 'üŸÏ$Ú•àÛ¯ªLҚ»·6tsìü楿Jeìãÿ›3l -×âüí¿QÇ?™£Ô—YÎÿC - ÑÏÂ<µL¡ a~ʹû¿õ9ëÿ×kendstream -endobj -835 0 obj << -/Type /Page -/Contents 836 0 R -/Resources 834 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 813 0 R ->> endobj -837 0 obj << -/D [835 0 R /XYZ 85.0394 794.5015 null] ->> endobj -258 0 obj << -/D [835 0 R /XYZ 85.0394 497.0473 null] ->> endobj -838 0 obj << -/D [835 0 R /XYZ 85.0394 468.4726 null] ->> endobj -262 0 obj << -/D [835 0 R /XYZ 85.0394 408.9221 null] ->> endobj -839 0 obj << -/D [835 0 R /XYZ 85.0394 382.8699 null] ->> endobj -266 0 obj << -/D [835 0 R /XYZ 85.0394 310.3501 null] ->> endobj -840 0 obj << -/D [835 0 R /XYZ 85.0394 283.0525 null] ->> endobj -834 0 obj << -/Font << /F62 634 0 R /F43 600 0 
R /F42 597 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -844 0 obj << -/Length 2301 -/Filter /FlateDecode ->> -stream -xÚÍZmoã6þž_! j£k._DRì}J³I.E7í%.‡¶À)2 •%W’“fý ßd9Vì¤ñÁ+¾ ‡ä gž‡tH„ቸ@BQI#Ž ²ÅŽî ïüˆx™Išô¥¾›}<4RH *¢émOW‚p’h:ûe$EcЀG'?^ž]œÿ|u<–ñhzñãåxB9]üpêJçWǟ?_'$ádtòÏ㟦§W®Kxß]\~r-Ê}žQzuzvzuzyr:þmúýÑé´ÛK¿3³‘?Ž~ù G3Øö÷G1•ðè*¥h´8Š9CäíÜ ³Ë¶²ó´N³V×n¥.g”¢X°–lVúÕÀf€ãÌÊËÕâF×~æü®ô«‚)Ór–W¶y¹rž0†‘‚æMƒ·UPÐv4w†ßèYÎã9W3G惟°qß¼ôáøÍ7®ìƒ:WK¤•væ³`{ýgºXúÛÃtCo˜¿7HÖ¿-¾zC e9®0Jlæ%iŽP¤‡Ó,4¡H*?¯ËÃ ËÈMUk8á€BƲˆpî;sÜF‚"&‰ˆ¸”&bk¢÷"„‹˜AÃ%"Ç`:º²ÿ2ºèÊttþÔV0 –p09cN›µUôXA‘f1Bý²ÝýÚ*¶áãłDŸ*ØcÔÛfP<ék¶ÛLâÞA°)˜ŸÄ0së?cƒ÷!ÅXŒ²´,«Ö•Wv{$L¡Ñ‹<«ŠªtU“!þû¯]Rˆ%¶égLàôÚäÆV~(Č)¼òÔÏ玕—YesßÛ¸ïã˜Úµ à3Qµ* ‘0Û´À83zMõ˘ðQ¡fk¿bL!!C“wI\`šžÞŽÌ輜AÈ´ºq½m³ùʘ(1 ~H~F÷ÝÊm»Íƒ"Øn«'C>E±Pˆ&*‰úçômGßWÎþš.¼-0ûÑ$‘À2ºh¢‰‹í“ ³+̕ -ì ²"†TrÒÍÌr³¼ðp^§‹EZ?ƒµ L¬Xˆ> -a扔”ûd[ú3MÞX ;ðµn -è -u‡jVG• ‹åèú‰œrƒÍP¯1¨þÈÉÐî@0åX͎ ¸ŠÇxsª!£Û’.tOº§­×’–^Ár©ÓڕÍJ«••0ç9+ª&/ï\ß m÷ŠÕèsZzý=ë düi@ãÔ}nŠ*û}ٛÕÍd­ÈƒùÃ<ώ !£.\[çmæ~êAz@2Ž8gÉ2®ÁŽæ´W3½×ƒ^®ÙH—Ží°Yo=‡2Zˆ‹Ãå*˜RČï1•ˆ$>ü®÷¬Yê,7²6Ø«Á½„¤³èhv9ÈôXrlZrߓ®à˜ÃU8ëH -tÂuVƒt°Î¿ôXЪéjz}q¾Ã]=K*KÜ] -’1ºÇ]˜!*c-pg½3&xË˜FaÙ”Qb 0„úÞæ|h½–{ÄáåÂÑú¯ÇYY§`(“ÞÁ½aÔ¸†À€¦¤õÁ]}KÖ]d@“QB鞔DaOLÄUŠ‡Zþ-ÉÂÊ6@ÆV< Xàh¶ZfÀ€/e€‡¨Ä“F[ÊZ_hü×|À£ùÝÜ÷<èuÙ/§*ì11-³T/ íSVb^²˜Üt³¹ò,lCdx8³F\>hL:À3×æ'¦çŒ÷àOŠÐ=ù˜rŽbû[OÚµo^Å%wü1îø#´E¶bX¢“p$š, -6îBn«®¿iW7^eé55Ez?ø&÷Å> ˜dÜMféO‘}³¼ßh' -t琉˜ß\r®–©^ï0“A\ÝՍ}Óߥehß¾ªƒ@˜ÆJ¸l­L6·w6èŸéÛtU<½”ºãuÞ{{|}çÛᲞ5Þ-ë§8F¸ÿ†9è1ó6Øð¨dm½Mu¸gº^_곡‡šµwLeóú¿t€:é\l.i“ï2üzOPÙŒDq$dâ¸z[¯ cÌ&À$_•ëìu©'#;ÜÕ?]^_Ÿž¸²Ñ÷¼1û }¿Ö`%Lˆ=ÖL’”¹¨¾ÏõÃk­è¤ªèŽÛb=‡5ÚCŸØjBö -‘I‘ôÐë¯Í Ýa°ÞZe°—¿Qÿ?ÞՈ"(–‚E ý…ðÛúÖoìT&(NH+HµDÄý•¶b1JºWÉ¡‡˜SªÀŸ½1 Ä[–i€qPã’y™ç› ”`Òåÿ'¯¢‹ô1ä÷"”²l µÌô:ß!ų¿2`‚Œ ýåŽö&š—þÄúw -¸U°$¡ÃþéÜèe ÁðÖÊÃTl/ýòÿ-Îendstream -endobj -843 0 obj << -/Type /Page -/Contents 844 0 R -/Resources 842 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 813 0 R ->> endobj -841 0 obj << -/Type /XObject -/Subtype /Form -/FormType 1 -/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/warning.pdf) -/PTEX.PageNumber 1 -/Matrix [1.00000000 
0.00000000 0.00000000 1.00000000 0.00000000 0.00000000] -/BBox [0.00000000 0.00000000 31.00000000 31.00000000] -/Resources << -/ProcSet [ /PDF ] ->> -/Length 557 -/Filter [/FlateDecode] ->> -stream -xÚm”In1 EOPw¨u€$ÅIg0²Êľÿ6¤¤êV5 oʯÅésÀóÎ®¯ƒÖ×O²Î Ž¢‘ÿ¨#h8Çùø:„5?ùÆ [ÄIÚL’~”F Ø PÈùYÌÀ¹dˆÐzZ8å±Ýƒ²ÙËò‘–Œ€f¾Å(ÌÀE#@x˜oL Û¹[ƒ±ñðù -ä -6\>RgÈbÏWÖ¹j[†› -WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½t•‹ùD„™Â²]°Ä(‡;„ ·åŽ°Š­r²ÂÙÄLûˆ T¥Í¡誋ŠŽt’¹w_ =Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRԚÚ'^ m" ^˜h±ÎW9AVªy­Â©/fýÆ"•œãûFy-Sng \Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&Øíþ²C¶O–ÃVç X×9g¹E{îÇ< •ãóP)!ÍZÜşLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream -endobj -845 0 obj << -/D [843 0 R /XYZ 56.6929 794.5015 null] ->> endobj -270 0 obj << -/D [843 0 R /XYZ 56.6929 486.3415 null] ->> endobj -849 0 obj << -/D [843 0 R /XYZ 56.6929 454.4975 null] ->> endobj -850 0 obj << -/D [843 0 R /XYZ 56.6929 395.7282 null] ->> endobj -851 0 obj << -/D [843 0 R /XYZ 56.6929 383.773 null] ->> endobj -842 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F84 848 0 R /F42 597 0 R >> -/XObject << /Im1 841 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -854 0 obj << -/Length 3138 -/Filter /FlateDecode ->> -stream -xÚÅZKsãƾëWð*µÏƒÝ“,k¹ÖëÍ®|²].ˆ„$dI@! 
••Äÿ=ÝÓ3x %[J¥xÀ¼ÐÓÓϯ3?1s†q•éYšif¸0³ÅúˆÏ®aîÛ#Ö$qQ2\õõÅÑWo­œe,³ÒÎ.®´ãΉÙÅò§ùéßN>\œ}ð SÆ­q݁ä#ú¦ø™sY•mYW4’WKjüØä×EØFí?éÅMÑñÒ/Âe°8Jc—0LX×4Æ´™çMS^WMèУyX_Ö«rA=’*¶Ú:,«ÂDy,ÜĉvîeJs(X°mÅÝüæÆ}n€Ed®0Pí}½ùL²j‹ÍU¾(ŽÅ<¾Pu‘gËÚyš‡RèÕ dò<9÷ªÀá$ØÜÓIÆ7öªN[+Õ£æÎSfuW]…‰üɪ™ö‘Ê= !¢)š!¥ú™ =I§8×é ‡¯âüýM‰ÉxÕà©fJ{79*W(B/Böz˜"37ÿT{,+ˆHC˖5 VuK[‚ -_À\Êex#§Ç}þ@&Ã{˶Y—%z¦ÄÀ¤¤D}ªÿFVED®Û›†úވq5@Í`ôн‡]b~^Ñ\sçñ$.a`‘7Å«) cMRuÒ­ƒ°jõ0@]1âuŽy‡fà}ŒØŠæýÃà ÂlŸ§p/6X·SC^÷DÍDۈŒö{íОçb½×öEÔÿYˆL2n¤ApƲ,Ãjn§ªSÜÂi2¨ê´JY -J}¤ªSYÆ´tº+‚T(‚ˆ§ëUó'J;ËT -žžJ_ÑE 8²:ð­–!X§Vyû«·+ßù½Ë˜,ÔJ‰`©V”ŠþJSÚ`ñ>GÂë·õ¦í¨RǏ{”¹ C»Å%MüJÜÁŽøÿ\<4c202zù ½JŒ#HxÆ؛ÉRV.e –”²Ó¢~Šÿd=ëÕkÔ³˜1© ÎÚ±0éՒ«ÝšVÙ BîbŠ,°Òp–Xáá’ÅM^UÅ*Lca‹£¾âg¨x`æòFB^ñcùÂ9hg“·õ¦¡ùHa¼QJ±Ï+Årf,·[ó¶*$C›RŒ·.Lõ1 5Åæ M©žcx·åׄ¹Ñ¦øZ:œîë!˜¢£a 7ÛUFÉuð¦Z.&”†&T Ê»¶\•íQ÷wžï*ì·¨Áï«e`ª e£‚ФtŸHD¨DFåb»)‹/E„ÏUòÍûOÃéænËõÁ5Údx…¤ˆÈm ؎±p¶t5uRM]±€ÏÇáÞß&Jkh:¡†vÛ)Dvæ†7/Ì©{qúúM½øŒÎŒmôþ¢¢âÖäa8àëm±(ÑA›S™Ü2Ãu¼ò)o·“( üL;ð7ÃRxé J ›Î4IG0PÜ•Êe­l·/²çCê„q Æ3Ïà]äé€PɝÐ{ dFÂ~/%€ŽàahHžF@ -Àgªi¨ˆ[)0¯÷ ó ä­dèoo¤¤Û)é. -û¡h‚ÄÏaĆ5=óàQîó¼íÍÒ½R•:ƒ*OXpEwÏkG1’Ü•«4 ~ ñª[vH°ŠI¬€x¼9ÜÅ" RΕÜÅ -[¤`í†À¼ÛPy`}ëc. 
-:L+¶VÌü¾\-ýUÙX+oHûWªbù¢ ™^pàÓȱ ) 5Ž.ñ™/Å-q=ïKΛ†˜?„±+zgРŒ‡7”Ø |:»Sj@ìž_gÒ×;΄È5Þ¨#LÎÙí㎠£±gtãݵƭRj×3À©˜Y„ÍuqólcŒ“!Å][ÄÏE>û}›bf»2fŸ)ÚLÇPöúõTö rˆ%N¢5T‡W$ŇúŽÁ, ê´¬»Tß>z"}4ùkÑA0¯ê,Z64b­E9f¯0®à]2å´ñÊúö2_|¦Þø<¨ß‹€¢mtb!S®ÀÄ£Æl6SÖS¥ -Œ ë¶àÙë×SôbÂ…‚‹²‚„;€}Še¼­ÞÄÊø·r}·Žxdq·AÌ$„$ékœ29¿_R2Üu_m¯ÉŒ/FÈèCÈÏRê)«ƒ„nœ!ê½а,À>Xå)úm ѵ ^ÄýÖ½H&lO0áºÐ¼*u. å°¨}>t‰“Å è’J¼73ݾ  hΉL¯¨¾6&UcÅúÏ*»¿ èY:õå –Msæ{øŒ½a,-½éŒJӃNO‰n7±Ü @õ¢¥:ÇP“š}Åx„©î3£/|'"B†ª‹H1üdÅjT¯/}'i–Zo¡˜»ó¹†`@m#ÅևÚÓAfãRTïžÔ&ǁ“òÁ7#5¿Å »–Ò%t/ó`²’¢œQ{Ä$SpÕîvì‚«Vªpî°zzì)&C’ìïkÒ~c䒾Hn£cˆ¦6õbÿ¼êr.¬Øý“Àè+rgxÉÄå -°]÷å³é›x ò0…›5`}+²Þèw3`nS̼ÂIý¸9L§`3‡XfL·¯¹Ëiˆá2QH±ò×-A8ñÛû´W@x…"_<âì#}At @¥`ovK“>û³Lfêå8Œs¨9Ø¥pbÄá>‡°8mD:£ïàåu¾ö/c>RP)i3•¤Íÿ½€N~×Þԛò_Ý]U6_@ËfM÷9tuësæóUèt±:Þ/Ã҉\ƒ~˜uÁÂY4ø½T P€(üêùÁ)L'4ÈLJÐD\õäЄ€,í>XÅ+»¼¬‚$rzЕ/¶b!0Ú?Qx­cµ§¾ .™ÔÚͬß{¾€:zIOpâ‹!7 Feã®{c ¤!Þý ÅאÚÍÏòÅÔ[”œÅ„NŽ.,¼ÔY#½Ãg…¸iD?zV!ñ^Ìv·‡XÓØ}øÁAEuÀðÁøÐÕKµ£wð¨R &E*‡GÝgõ)¬0ÝUiC‡ÁÃ'P<|MÏâ7¨~ڂ:ƒÛa輍’‚Fº…ßð Š)Á|>žÿF¢ )5õOF>{ô_$Oýßdÿ§R Bpnðǵu­î?²¦PNJì|“Œ°Üeý¿ª9€endstream -endobj -853 0 obj << -/Type /Page -/Contents 854 0 R -/Resources 852 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 861 0 R ->> endobj -855 0 obj << -/D [853 0 R /XYZ 85.0394 794.5015 null] ->> endobj -274 0 obj << -/D [853 0 R /XYZ 85.0394 769.5949 null] ->> endobj -856 0 obj << -/D [853 0 R /XYZ 85.0394 752.4085 null] ->> endobj -278 0 obj << -/D [853 0 R /XYZ 85.0394 683.64 null] ->> endobj -857 0 obj << -/D [853 0 R /XYZ 85.0394 653.5261 null] ->> endobj -858 0 obj << -/D [853 0 R /XYZ 85.0394 576.1881 null] ->> endobj -859 0 obj << -/D [853 0 R /XYZ 85.0394 564.2329 null] ->> endobj -282 0 obj << -/D [853 0 R /XYZ 85.0394 420.3273 null] ->> endobj -860 0 obj << -/D [853 0 R /XYZ 85.0394 391.7481 null] ->> endobj -286 0 obj << -/D [853 0 R /XYZ 85.0394 295.8129 null] ->> endobj -718 0 obj << -/D [853 0 R /XYZ 85.0394 264.2689 null] ->> endobj -852 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -864 0 obj << -/Length 3271 -/Filter 
/FlateDecode ->> -stream -xÚµZݓ۶¿¿Bº‹Á7ÀøÉqÎ“ž/3í8™O¤$Ž%R)Ÿ¯þïÝÅ)ò>ÚLGåb±Øßâ3?>Ó&1©Hg6U‰f\ϖ» 6[ÃØû h‘hѧúîöâ›wFÌÒ$5ÂÌnW=^.aÎñÙmþin‘\6ûó‡w×ï½ysiÕüöúç— ¡ÙüÝõWÔzó槟ÞÜ\.¸Ó|þöOo~¹½º¡!x|wýá{êIéñӛ«wW7WÞ^]þ~ûÃÅÕm·–þz9“¸\|úÍrXö,‘©Ó³{xa OS1Û](-­¤Œ=ۋéöFý§SúëhR%æG*=¬gÔ¸™Ô·N#…ìô­ä”¾#êûÓM±«ÛÔ`ÅüC¶ó-9ÿ>ƒîŠzßÖU{¸än^oi0Ûï·å2k˺úý\aBëD:-g}YF+쨞Yhjg|(sYf5i¢¹àƒYŸÐXGÿÜü#¾8ÿÇb‰k'íÈD&<çIÉ%Õ3z訞‘cÌ åøiNB¬êmMYAs—ÄËîêcKc˺ú1±>ÊjM£Ÿ‹‡%X•XÅÕlÁy’j-zšaú~ ÜÙV€$‡*_¢æX¢¬ 4 Í‹0†r—8˝»^(\Ï«zb*!À‡¬ l–hˆõ¶™˜N:`­y lÚ¬-vEÕ벡çÞ[qÑÀÀ«‰ÉRžXm¢ÌøB>5l·„8FT÷åvK̛"ÌvÜÓ3£G^¬²ã6Œ-®„›¬ªŠð²-›¶¨hsàÕo!<ÛMÆëz—-?“6!ꁼúlDz<«„EK§æ\؄Áã+øn•SÙ‚ë_¾[ÖǪ-ûìÐÒзßr¤–óùuE$í¦ Ÿ-³¦xu¹PܞxfÛ¦&ºûMQQJ?Öµ;æF¿`gJ¥Ìxgý"‚õÊý”uº \ÒÛoP Pó»chäu6!ÐìB×&ûRP+›²yÁ—ÊhôÑo΍^&Â(µÍŽ¨£‰Õ Hx/04!: -††âµ }º­iÛ:ËCÏ&,cYïv~güKggðÒÓW+²ÅÝéKŠœ×¸thY;¶a/µíëÆ@,w¼œa¼"Íp“t Œ±eȋ¯¨ÀoŠv2´@ÜÀbdýXXǗâ0ÁX£töÖ<4`r«¼¨x½X–¥Î\*/×e›WJ—ëª[Yf} -À1 -ÖÐÑ95övN/;ˆøÙ:~ØÑ´›cèòÒa——ò<ùTR61JñgBžJXzŠã>䁩+È×-1ßeŸI,\Gˆ×r-í³x]7My·Å ’†öNÚù± YEÏâ+äIʒ06ú=N0'   -ÁË”OüÒúâ:Žjt]主2%%âLç£/Æ=W€) = ŠDℍ_>‡¥ÆÈ ,áʝ9{C°\½e“+“hÃãLO ¾Æ¬éOí}xzuÀ3¨Cë†pє»ýöúøZ,AûðJîh˜ãØ" ƒsHáÿ]pIù)ה­— ÅLa×Bî·IÊ!° ‘kCk(+€ Ûm‘S|bøô±¬–ÞÄ § B”À²‹w½!ÆìÜòсZ~Æq8¶jU— -ž€÷iÊcAAñ„F5 ¾g ùØ^fUè\.©¼Ã0ÒâÆéëhÉ¢=ÂH^4å)ñùºG‡¸*&!—— A)̀a¨¢†µ‚®À€ž? 
| Uðn°mq¬c ™šg%ÙFª®:ô¹%ÎÐÁm¿TlTEÄäícÐz²ØP°÷en¨\W—.°ÑͱU¶ô$%×þ À"àöR䡬¢'ÚDiq–µ2JZ}.šEˆÖÉYY5±¿ FÔ¿Æb¤É;„#l‡˜¬ã¶LæÂ[Ï͘ù¯®ÿJ­áq…±ˆtÁ8B% ïíÃ>|ä½Êt Êƒ‡Ï@Jq:šã~_¢›€Æ¦˜w,jîX˜‹â+Ôb¿çð¼+h¦,ÏÉãN) ;ÍòXfuìe1x§ö‹„Æg”N¥”£}U–D€÷á‘žÙ¾ÎÂ7ýÓ(œýTSÀ[Fˆj¬WtŒQ,tžŠ¹N4׉åCMÒM.ž´‰& %;„£&DIÁz¶õzýTê -W ËË&Xtß -OšÅÚäUg aòŠžx‚1e.vµ÷S~d¹çÇBßNÁc<4é$O®å¹ -¾8y¾Û…§×S,Q)3ýÒسè6 -{©EbSÊšñþC_.8cˆ]—Ûc4÷±gExùqÈ@ÛS' ·±IƒÑ&µWå¶À„ôzJ"6–ļ@’ï 4Ë*–Ò~“ƒüêÁéX;g"ÞNbÅrª¨¢–`°LUG¿R#ü/EÈx -áQ`§òPϳöŒz_—‘Ý=&ÂÍ#g›àŒ²:Œó¿J„.ªp,K®ÒO̸¡?ªH-_"ŽE׳â8;_eKÄ Ð瘉Р-Ãí®¬ "ï• ÙÀى(梲¢ðu%<=ÂkCaÙgSh7R(‚×Y.=C"÷‡² ¸Å„‚¶»öˆŸ™e©×cg8фs<еvþÎWÐ[|Í  .<ì2íD3L•þ™>9 öïåBð!1 -Q–,|››šˆÚgBwàV3R]?Seã“qÀcP«¦cτ§Ûàét6üâg`ˆÓßñÈ ÛÿòkT—â%ê0/m×5lÚfG”`G°E¯§*8,ÁöŸ“-&ùþû±ˆ€Ú+.Ü=³ðÿWxP)Ñ»P˜¾DÓVN™:À÷^0´–z f“E@ï]ÝJïT%BÃ_bÃçfl„êZ·¯ßS +Ÿ¦(F·›Pãk@µ "Óî¹û֎~Ñÿ`âžsÄwpߊ)HgÒ(aÍ´H3¾UTÏÈ0ævºkE¢Þ(¤®ô…+…šÊá¡1ž®_ÀlÑ)–VB‚s†—ÞP—<­ÓŽ~Ñÿ`¼ž1ßá¶ÿ»à•‘<+£òŒ´ÚQ='ň[Ôj¼8à,±F>vq0Ìh.±ÀçIߣºk~6cŠJilÔË%¤`3 cN!Ž·õžz¶Å¿wH¿©‰ œÀ/{@"eú&Û™N Œ‹úR÷ÓÇíPµêóU%x¡çÆ3z?C^„? z{Sã͊À -çáx—¸_ÐR'Î4l"Á1žÓxªØHã q'•C×ið„¸3@ã©uàâ©SqMž,ž˜"1ýåø ×1¥]añ€Êªý“À鉄óyV¬õ01=âÐÜÊ@10µxΛ#ñâD=v¢3Ž/ôc 2§ÏNœÇ^ižœþœSï?(0ùî؄”yPHÌP±ðlÏð -9–huÉcÿ½’:Á?CMÈͺÔþ‡ÿ—uú•²x-ùCu‰rÀ$…*£?ÿh0‹þo'àßendstream -endobj -863 0 obj << -/Type /Page -/Contents 864 0 R -/Resources 862 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 861 0 R -/Annots [ 866 0 R 867 0 R 872 0 R 873 0 R 874 0 R ] ->> endobj -866 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [55.6967 755.8266 256.3816 767.8862] -/Subtype /Link -/A << /S /GoTo /D (rndc) >> ->> endobj -867 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [268.5158 755.8266 332.4306 767.8862] -/Subtype /Link -/A << /S /GoTo /D (admin_tools) >> ->> endobj -872 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [378.2799 116.2526 428.5017 128.3123] -/Subtype /Link -/A << /S /GoTo /D (tsig) >> ->> endobj -873 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [112.234 104.965 168.4527 116.3571] -/Subtype /Link -/A << /S /GoTo /D 
(controls_statement_definition_and_usage) >> ->> endobj -874 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [75.273 61.5153 131.4917 73.5749] -/Subtype /Link -/A << /S /GoTo /D (controls_statement_definition_and_usage) >> ->> endobj -865 0 obj << -/D [863 0 R /XYZ 56.6929 794.5015 null] ->> endobj -290 0 obj << -/D [863 0 R /XYZ 56.6929 441.8384 null] ->> endobj -868 0 obj << -/D [863 0 R /XYZ 56.6929 416.1193 null] ->> endobj -294 0 obj << -/D [863 0 R /XYZ 56.6929 378.9792 null] ->> endobj -869 0 obj << -/D [863 0 R /XYZ 56.6929 348.5817 null] ->> endobj -298 0 obj << -/D [863 0 R /XYZ 56.6929 276.8275 null] ->> endobj -870 0 obj << -/D [863 0 R /XYZ 56.6929 248.1435 null] ->> endobj -302 0 obj << -/D [863 0 R /XYZ 56.6929 167.2435 null] ->> endobj -871 0 obj << -/D [863 0 R /XYZ 56.6929 135.7502 null] ->> endobj -862 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F58 627 0 R /F14 608 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -878 0 obj << -/Length 2414 -/Filter /FlateDecode ->> -stream -xÚ¥ْÛ6ò}¾Bš*‹&^ñ“㌽“ÚØÙñ¤ò`»\ Ò°Ìc"RV´›üûv£!qâ©réA@hô}€bÃOÌò$ŠU¡gY¡£$ÉlY_ij ¬½¹¼gá7-Æ»~¼½xþ:•³"*R™În×#\y繘ݮ>Ì_ýë寷W7— ™Äó4º\$i<ÿñúíO)èïÕ»·¯¯ßüvóò2ÓóÛëwo |sõúêæêí««Ë…Èç%cxäÀëë_ÑèÍÍË_~yysùéö狫ہ—1¿"VÈÈ>ų°ýóE©"Of{˜Ä‘( -9«/t¢¢D+å!ÕÅû‹ÿ G«îè”ü•GI.³ j5%À¤ˆR%•àí½E&ž¿Î²ÑV‘G…J3À{¾ØÃ)£BJ¸)MÈžÀªŒŠ<ϧ] c”Ž‹4™DºHNØ(WÄEÀ°Q‘$’¹xšSbnª®…‘Ìæ_švßÐÐtô߃4h X†A:oLmÝI9/y“¡•U[›’Ïã.íšò­4+W¶éËõ¡l6t(¸@1ƒS±œ_÷^ÆxçñuÖ±j–‘B‚¤˜-Ç7nWh"öe¨D•Ä³ßÙíW»’Š£Xx!u½ém DÚE¥ è ÐöRäs Ú@; #¢aT6˶&•Áž†aýÞ|µ´vgmC°33°n@ÖG’YͳÁÊ -°®jÓnAíç é?öÌVç’ë£a˜ÖÙ?yuåR&¬êá¢3ßǒIV̲\Mù÷û¶Ç¸£œðíTFRCܶ=îÛ ØX3/(G%R”·`YýÖ A¤VuvY~Œci;Úfn—;Äá¹Ù{‚¿.M_¶ côRÂÌgN²n¡mÐÉš± g‹BF*¶ۃH]MïŽi5ïví¶G£Á)Òr~ûþú ÁΰꤑŒ'AµY¦RÇ}m–‹z•LÈMg`±ìÈT^Ó{† c4]¤š&"ÒÊo$£!âv¶Æ( RH)Y4P£ÄóªÝl(òŠ÷£0ÕÌÖÔµÙN „|›hvÅI -ÿçDê*”<1÷´cyošÆVÁä3åÊ> ø'1mZ—o0è!8r(ð¬TQuV ¾b{^ÓÑ숰ÙÕw˜’püòQ( ûïhºkª².A1g>…¡8`¶+ÿkÏFrÆ'“Ì2Ý¡ùŽÇŸ×fYVš¦2€?Õ¯ìv;E×_žßª:òñbL‡˜fÄbZ„KÁ-a -A¨ -„·¶¡÷fÛ Öáooá¤õ ¼;Q¦DÈKÙ¬ÛàØÊÞíSUU•—e°õæP.Ç,Ž%^0ú~Ô/ ¸ZðUf÷`Ù`ô'q²F;Ã¥FØK:DóÐcݐa×ÒMp§ 
ÚS±ð5†OçìQ®Ïrjøá~k¨ÛÀ¤ØµËøî¨{kwýÚö÷íª{FÕ?^^8r ŸS™Ç5œ¹xÂ[ö奘S"\þU±oéT͈á»Æ5Ïh£+°¸ ‘,&‰òÂI¬VПĒî»Æ+-øùGˆÚŽ…8ÆM˜œ‰®³€nadAwUÙ9Ò°wÁG^lò¼m=Š!o¸7|{˜ˆ;fÛ9 ƦÕq*sÝkŽœá›VO+{ÃtH-6ÀÜ,wíÐ3d: I´^lùžÜb©&r\±÷wlüN‚æâµoď[ û,‰´'Îèt‚Q½Ùöœöô|÷€2H°¯¢ÆYQ£^½6$VæîÐôæO[êðÛ-Áw*üçDª&” -«ƒRa¼iùDœÔƒsM9 G9î‘lœz|L5·’žLnG×'Q壔z"TàÓLZä^_‹Í7ß[""êa’|›{|YEf坎ÒãªÂGm•J·Hpñvë©:MœüJéñ›ÅÙK]Ûå(õåŒ7­ÏŠ^˜mcC)×-;-É+ Þ§ð @,Â"¨›òƒ*Ÿý^âC»c¾ Ë­6_løNÀ™n”ËA‡u¸gÀƒ Í×Íy‰$AпBli6ešú$ë+`X®w]Oke³¬vXf"Øøýx˜9n‡¢ƒžŽSÿ‡ÐÎ:‚A0ty•p‹Üä* ®¾"€«MqÀ‘ç4æ)ÏçLøßó¿{ŠMÙßÜÛª×\°fuW™-Í}CŽã¡÷/Ò£ãä;x ô6¸nìmn¿úԌÂ/«˜¬ÊnÉX\ìÓÝ@ˆñÈG'0$üR4ñ‰(\ó»?H¿Öiˆóy.§¿5©8rYdž(TR§”_®ÎIÿ?í ;«endstream -endobj -877 0 obj << -/Type /Page -/Contents 878 0 R -/Resources 876 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 861 0 R ->> endobj -879 0 obj << -/D [877 0 R /XYZ 85.0394 794.5015 null] ->> endobj -306 0 obj << -/D [877 0 R /XYZ 85.0394 662.5434 null] ->> endobj -880 0 obj << -/D [877 0 R /XYZ 85.0394 634.6304 null] ->> endobj -310 0 obj << -/D [877 0 R /XYZ 85.0394 376.1585 null] ->> endobj -881 0 obj << -/D [877 0 R /XYZ 85.0394 345.4362 null] ->> endobj -314 0 obj << -/D [877 0 R /XYZ 85.0394 136.7105 null] ->> endobj -882 0 obj << -/D [877 0 R /XYZ 85.0394 113.7908 null] ->> endobj -876 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F57 624 0 R /F56 618 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -885 0 obj << -/Length 4116 -/Filter /FlateDecode ->> -stream -xÚ­]sã¶ñݿ“—È3C|‘`ïéšÞ¥×6—öê>tÒN†–(™=‰TEʊÛéï.v’dûڌ.@`±»ØOH\§ð×&K²B×y¡“ -s½Ø^¥×kèûîJð˜¹4úõÝÕ7ï3y]$E&³ë»Õh.›¤ÖŠë»å³,‘É ̐ξýáãûßýåÓۛ\Ïî>üðñf.M:{ÿáï¨õݧ·ßÿöÓÍ\X#fßþöíïÞ}¢®Œçøõ‡¿!HA “~z÷þݧw¿}wó÷»ß]½» {ïW¤ -7òÏ«ÿž^/aÛ¿»JUXs}„—4E!¯·WÚ¨Äh¥ú…«rñÀß:= 3ym/nÂ¥ ”É2*'0kOíjFÇ''Ýr.9™J”Õ^rÂþÎeGƒ:^ÃnÚ5Mp…•H摊։zYΉ6æEÕ©’|PçLIXD²/ÝфùhB³`÷åâóaGл¿Õ@×h³œ€I™':'ê’táhÂøÔñ|‹­mHC0d HP[¨Ù{wê\ý -~ãÄK€ZY””¢.h[Ç£”žŸ«jG½Š§Þ,é}´¥”%0õŠ%“£oò1I  i–{Êo€òû.A>ž“OˆàX:wföC×Së¾BåFê ßk†ãqÃ'Ijz?TրO""å(Ê[?yà -+ômd¥,Mr)# ÉØB`”à±·‘ÙÀˍ<Ÿ,ýŸ°&’9•MÏxt/0@ëWmº8–¤ÜΧ•:)´Ê_#™LŒ2z´'™çSN Î 
•¤Ff¯$Þ{8Rª³¿ÞrFŠ-'c‚®|Š)6øÞæêT±¹/³9QÝ3WYž€°''Skö‘´ Ž´ö -`Ía{Þ$Ýј_9!ÇÁégèŽú•9ðA^`ºú_1#¶~*Ò¹4¥c¬Xv]»¨ÉÕDø±FsŠ=Œ¨fý Ò·¡»¡Ö‰¾ “öš kJQ˜$Íì‰ã³lçªf¬±Å^m.:©÷•›Á¬$\»úyQUËîäúYÖ ïòQKÀ£©ŽÔ€ -šV‘_ؕ. •óz‡•%‹*|ßÆ$ã—ÜšWÐ[$²bBp”B™ãÌn…m;^wYö%G\Ô<=±Æ䃪”¼y|¢\õNñߦRŽ°A§ ‡¦¯ùË®Ýro{èçíj~OTÀ¶Â¨ªî¶ôJ˜mº°çù÷7¦DUØ]ZÑãBÂLcÊfªÞ‚CÇAgùs½=l½sÊU¯zçLÒ÷ÕCùXû˜öbòÀÈqÜëšk9ó8îòcDS¾#šÆ8Uu2ǹ´ø}™|٘Ú -ÞÑ©JVæܓˆžrPdS©ë~q„æ"π ÚN÷"ë,ÅtËO8ü4ÿÛQH*ˆÆR5åçªF"á ¯øSô®¾"Р22 -+ðAüÀ–L·ob2²Û×M?§(Ç=U]ÔTÒ¸!m5;¢ûŸ7´ßÀ>k$ np÷ÔÅ}U†¥rKr”[’Ót8o$Çy#Éy£Q/¬Ý»@ÚèÉÞ =š}ð³pbâ°å¼)8×¾'oÆU¹¨75¨K—|@IÁ?áüQqšÁt±.\¶ -Ÿñ³›$Ӆ~‘`2‘&óqÀ¶ä9wpâ0““f³ß7푡„n_;MïނDØ¥MR¨p‚>Wû&žLOC¯©GŸH!1ËäÈÂ×XÄDÓ»ŽoÀKwØíÚ=0ðJÆ5|œbp¿/9ÃáÎ`vÎPªÙo)¯ZÍseŠÁu{ξÛô$M k€Å^n½q}H„úgZñùÀ)vð”s0³ÙI É{w½bgW¯7ôŒ_,ŠÜ¨Év’EÛ¬"{2 ¥˜˜`œ™M0Ö¥\>Ô®Ô½\= Ax¢.J/¨#ɸ„yDËÌ&¶È§ -þ9É&”¬ƒbÉ2檣­ eÇ„T¾vaRŸs-Þgq’êق~õºá’ó=ƒ3MñʼÊë™PڍÔ&FxÃ0`efÇvÿ™ÅsSŽz<‰¿ÒQøº£éÿ&¥‹×î"À·[êÀ¼Ï®§¶ç¯Ë°<Œò´(t @÷Œ2%¤°ÏUEÂB­ÇEÑ!‡CyÇL'EnÕiÂg_Öë\]$-ðDAW£<€@¹Š¿öàpƒÖ¡ãùÏ\W››¡så27jöý {` e1NØøÀ¡üÜTeÇMá*%`t;ͤÛÐ\׏ïeȍ¹03+tLÁ»@žå¸Ú@àC¬x¦ZýÆW¨Ã®F1ø¿Úûù’˜@$y4ëèÑÚþæÈÅb¦I6áðå¡Ò¶¤+Ðî_êÏ5UsZ ®k@"l6œÔçµ¹IT,Ôp|h~¢†Û—;ÚÝ?è«ý¶nxGw °Tlú]éÁ÷]Ù¡â$EìUZŸÕë(wX?¸:¼ ’¤Êõ¨$©Skâi(Ÿ+*æëq¡_ì ¾Qâ -†Žî  8vG¥"©•/EK:Åàóy×b!S¤CD¸ƚ4\s¸?ô„™Ä86g£_hp¦R3µfë¸TA ‘ÛPž¡$Çrß ÃÇhXؐÔ!oTÇSȉ‘J¿N˜ô8>óIE÷b°)Gg;ðl"ôĚLõ›€LçÏ_¯‚Ðܪ ò½R¼¾—zS/ªø¥(pÙ1Çö°aÓà’|¬·½"ŸšŸñålZU?³B¼ÝÆm˗UÈÀ§ -Ûé—Õ~!’Ò2&ÿL1òœŠ“ä_°+Æ÷´Ø©0ÅÐÛU{Wý|Í_v=œ¾IFƒ;Üøž¿éi­r‹N‚²°Ir'‹Yx6½«rN[*OT;Ùh+ùv¨v¾…b}nÒʀ¶ÝÜ+ X? 
UpWÞ²”Ž„‡¿ÌÁ5Àƒ» -Ÿíè}¼¾¥°.`P…äü §›×Ã:ô͆¦f}ؗóXùsQ8‚ãMäYr êÜðKµ@½®~äñc<àÜ~’ÀáövqdHZÿïd÷vY¹è• -£Cž Gɦ¯7í}‰âd3¶^Ð w7JŒÊ¸ -[•=q0÷¾*tý‹´[ë8ªö6ŸÒ¯¹ä)Ø°psg›ãt™šá¥*åUë¯ Ž·UÒcׂù©¹8Ž§¨½4³23_–÷_ŽŽa$–àÀ(=D8t6öÍr×W€€û2j\µN¬åQwgF1gá«ÀÙ<œÍ‡ÞÐä5€&Õl±éøêmé9–>ëoKæv"|ðʇWû¦âA`‘šî[C÷ÄÝí¡g¨¡ - \ U5$B¨ûÚdg±Íâ(•oå@-Íì-ŠbztìبYKšÀzÅoíH³>ûb-é8;œŽÏÜ1µL(è‘Rd,/¸&õÐP¥&oˆ÷pRêËzãÍl{èw‡žë·ß’ùò)”|évÕ¢^ùK*#*ç…/ùjãxN1»=‰YÿÇʜé3åMB¡^üäÖù‰¥ðõÎUÛ~-D Žã]¸’ç›KÿëP&Á?cDþ…‘^ûåÿïÿ| ˆÑy­ŒÿCb’œmnIé3ÌýŸCÎQÿ/›iendstream -endobj -884 0 obj << -/Type /Page -/Contents 885 0 R -/Resources 883 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 861 0 R ->> endobj -886 0 obj << -/D [884 0 R /XYZ 56.6929 794.5015 null] ->> endobj -883 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -889 0 obj << -/Length 2466 -/Filter /FlateDecode ->> -stream -xÚÍMsÛ6öî_¡é%ôL„àƒ Áô”¦vâÎ6ÙuÝSÛÙ¡%Hæ,Eº$­v§ÿ½ïá)#q:{ÙñAàðð¾¿,þÄÂhÆU‘.ò"eš ½Xí.øb {ï.„?³ ‡–ÓSßÝ]¼ºÎä¢`E&³ÅÝf‚Ë0nŒXÜ­IÞ¾ó÷»«ÛË¥Ô<ÉØåRg<ùîæÃ÷)èçíÇ×7ï~¾}s™§ÉÝÍǾ½º¾º½úðöêr)Œp_z Ÿ¹p}ó·+Z½»}óãon/»ûáâênäeʯà -ùýâ—ßøb lÿpÁ™*Œ^àƒ3Qr±»Hµb:U*@ꋟ.þ1"œìº«1ùie˜62Pç1ê‚eJ*'À?¾E^]§jr’/–J³"/´;s¨êú "Ùځk{¿ßn«f‹Ÿ½TŸÈ™¬ÐZ:Îè1£’mÝޗH­IgÈaËñv‘ ‘¼}(›ÆÖ=íªáÁKoj¨’sÆy®á1|c}lÊ]µŠˆ9ULåõðLW GB½ï-3RÄù¢§½ъˆ&p<@‡Öq½”ø”ä:pO㶃ívUcɦå@«ˆ­Üڞ¾‰û}ìªf`AŒ2eÐ:D7›ˆ -Æs%“þÑ®ª_9— ¸SŠÊRf2ÎM²Œ“C È1ý±Â#„(ÁTšþ؊L…¥‹ä~ïTkœ'Iƒí˺>ð±þÈWp¯¯š•!2ÃR9²ú•„”uß^'ƞž$Ðë @¤3¡ Áá”RqË)g*ó™vV€gÛvÇ=YÆòL$àğ¦pÃåÜ'(~ü¾·ý`×(<#‚¥At!ªsŒ¯¹/ yø;n{¢KÞð|ï·Éðhí¬~¶Æ(£L–\WÓ€ˆãHI“ƒJ%3˜f¦rãHD)˅™ÈˆoüŽM ‹“…ˆK!§¡ -¾B¸¥ ýBœNŽrÀŸF`uï!Á—i‘%w1›“ª`JféŒÇo²€„[i‡ªmzODyœ? 
ÁuM+—ODÈCXµ»{>Þ~éC'½Òř—:[U:(We`ç‡òØÔ)`Ž\ëâcøKV»›¶®ÛƒK4o)gÙî5ЕsT2's &°Q CËáYòޒýú=5eCïÙ—»ÇÚo&g‘úzž …×9Šª—Êô³šù²8× f”r¤kˆæ5ݞ-P݀þ±:œ&i–×ö~ ™–_.3Ρ_sýZ?dŠ [ÛØ®¬A–øxÒ´Cµ²á«Û7 Ê=ZúLº›H)S‚3 êÛw~$ðÚbœ§LÐÕX,à遲ë‰ò¶ˆ+ŸžØ¿d²àA|PJÀùHÈň¨2êEO(×vSîë@g#[Cúð(š`æ“šä}{ 0˜è‘nb½/(&Mªç¾àYðeþ®m¿êªûܜ×É"OY&eºÐêLˆyX±Òf·]ÐâvRâŽç—Ó ®Ä‰á)^$ð'»B£ M‚„HÁä9Iš™âÂÌHzRk§ž!ä)6$„Å \h )“glÙëñŸ>ã:؝J¤bf€™B¦Ç֥ݵͷ`÷ - ÿÕ+÷®°ºsw -çtž:5 Ϧ\UµÏ6ÀÀü¨<+lñBÕlÚ'Ô´M}<§ âI;¿£FΨ)Ãå‡j‹ŽKD)L êŒê{œ»;¦Ÿ—º/­?+tB¸©0²â¡oœ“2ˆ1ß §P­œ8=Kv.øñtàôy>]qèÚî_Χ½U†îK óN'\ýН¬È5Õë|™è€ -¨\ǒ¨¶Í†¿ôtµ9£>´4Sú¡ì»þ×vÍ1½Xn^xš\~aQ{{ôÝÙE„Q;Bõ‹þy5­ö]g›!XÓhET1ESFóK!a¢Ä/…w ¹ÌŸ˜ccDïÿožüÕÂjöu=‘È!&ãÀdŠ!?ŔŸ¡íû@Ñqx}­õê[l)9Ïâž7=š@ה¡4ÆÐçF2i¨K¢“èhB’ÿyêUºˆw"WL¤Ð~~ŐJ²Â`ãQ-GŒË)Jʉó¶M° ïÇˆLô‹HE#™VÜÌ»Yšñ¸ ÊsßgÄ5٥ߦj¬}´kQ\ۆ^Œ7ª d§“ÓëýÊö~/ ³àüÁµ~*´~î­Ù Æéр‹“îå„1WsøiZ"5mó*-[,¾On†°ÓíBk~òÐé ¦¤,6k))Ð3•‰iÍèÌS)cíaL¨.+_#ù期A!å¸B¯¢òÒ5"dÙ9¸˜Ôóšæ€PËZ."à¡({h ^RCRÇ=¢¿BUaU¤Š™BV—ûA)tÄ!r(¡×ÛQ5Á -í3A¶àÓ¢£º·n¦:6Cψ<—EðR¯ÄÙk+/ê‘$´VšåÐy>3Ú 6Ú<à|ÀÈçzÅ´6b6~Ó¹s9šRà¸Æp¼e˜¤±‚ü|óýKZùù¡nÚÍv‚ ˜Ñ©L­q§ÑǪ:Í@Ú,5Eþ—Èó-WGx;5Éþы¯”P›Ï£46Þ~TƒF ·¨Itß4¦ñÆÚ¶ÈI®ü %?èW~äìæÊH]¹½c»§Ec­ÇI~Wåã°»Á\ù<[$/7™á'»}?Léóèh씎îŠë0œŽŽ¼]øˆ{ÄiŠ–Û¯u(ÍOž£y0î½û(|`à€—A°æ@Ñv_ˆu>¸€ÆeªÅ<¸|ę¥ó¼Rd§”0r-Œ-ºófÊ_ÁÙÖ¯Ýð¦ÿJoà˜*Å1ÕÞã"­Ì.ãê{‘tôåÃàÜWõ°tñ/œ&pè$›qæћŸàc€Åªô²Þµëjs< ݧÞ_óIï÷þ¨›úŽP?bªB² ÿ ˜Ð:}ü¡ü4>4 -è3ÿ ƒÂÿ…é§ùhKÿóÊNÿFLs¦Œ‘ñÆÒ 3‚Š' -E«ô9åã¿Ôž’þ' µ[Bendstream -endobj -888 0 obj << -/Type /Page -/Contents 889 0 R -/Resources 887 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 861 0 R -/Annots [ 891 0 R ] ->> endobj -891 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [173.6261 554.783 242.2981 564.1926] -/Subtype /Link -/A << /S /GoTo /D (the_category_phrase) >> ->> endobj -890 0 obj << -/D [888 0 R /XYZ 85.0394 794.5015 null] ->> endobj -887 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -895 0 obj << -/Length 2361 -/Filter /FlateDecode ->> -stream -xÚÍZÝoÛ8Ï_aìK æñ[Òõ)ÛMzY\Ò^Ö÷°·»(d›Ž…Ê’×”“õ-ö¿’²%G¶Ók 
-i8’¿ù¦Ìþ±ÒD§<Ä©$Š25˜,ÎèàÆޝ±À3l˜†m®ïGg»Ò|’Ts=ÍZ²B“„ FÓ_"M89 4zûþöêúÝ¿ï.Îc®ßߞ¹¢ÑÕõ?/ýÓ»»‹››‹»ó!K‹ÞþãâÃèòÎé ãûëÛ<%õ½»¼º¼»¼}{yþÛèdzËÑö,íó2*𠿟ýòLáØ?žQ"ÒD á…–¦|°8“J%…h(ÅÙOgÿÚ -lº©½ø1J¸¬ž({T)т‹-€8`¡”F£¹ñGœdµ¹¯Vÿöa¾Ê¬ÁӂLђIC.I*™tÒ`úêœ%ie»—$ZdåƓƒìÜØ×çC)Td+?°©Öžw’•žbM9õ¤z„Õ½õ¤ÀGYYû§ºòCÖîÇfGð÷鬰Ç¼žWëˆGbŒ¤Jqw$”—÷CªÃÒ¼Ù)’¦Uùªö4”†$e]Ïüh`‹wl:²K3ÉgOςàÜ!U˜9™gei -ëßfժÿÕc,‚3ê*=lÓ³-ŒµÙ½ {ÎËîù¼Õó ±ãIK傧IQxúØx -è"p:”‚:ñ6Ѷ3&IR6똚Y¶.ê㊀Á{®öâ lÕÖ&›¢[JíÐDª×¬ÐDÚM¤gžÖ¬èhO ’I³o"a$a°ÕŽÊgUQT^ë`ü¿r.·"‘^î ¹õ×ÖLÿîªâ®—°˜¤°·½³jJw»Å—?;´vcA™oºÄ©¯Ú_o8eJ’$NÝrè.\EΧ¸ŽÌÙbY‡…Œ -S¿²~Àfπ֍cÉ«\yÛrÌf²^åu˜îUÖALÚù×_)åÛÕÆëzo‰¬°¿YLGŸŒY†e×©eEû -[ºß*klæÙCîÌG0ý|žò¨Z¿šzŽÿÁKÝÄ»­Îê/öúó¾é5°Ø|l øØøÓí• ’2*÷ ,/Œgú®=Éß½ésR‹áˁ“òrVy¶a¯ø¿ÞôÁÔµºúîÕ/Ýs¾^ñû&{„%pßXëO­ºíD#§Õà¹ø\tœaì‡VD?-Ãð^Ž ¡¡×:žÆ7ΉE‡ÈU®a±§ÛåŒ40ÀÖgYpþ˜PÖµ°Ž®þ˜™ÕÓS;Dಝ p\ßeU»c“p<Œ\µ¢"•»ÜŽ/ލúåE6.ÎY3´Kö:>Œ6óSc'«|YçU¸ªYG°ˆêÍÒìù4è«E†Ó·³6aõª¬³¼$}ÝTÛ#ìŒ!ole‘mšˆŒf:5Ó®ÍÖõº-cW?zja j²d¿Jd4% þHN‰–‰~Ny‹Ä4Þ«ÿ¿YÍFÈÁ‰Vêðü< -²Âc3£+j¸=ÔP$’ĉ`ýU(ï‘`ï’q\ùp…õl¬dãi®8•"Þ¥L)ZµPÂ|S¢ñµöSô.I µjL _°¶ê±(-ÎÕ¬cøþ¸«r¥F×òd:põI˜V•øv¿^ÓDâ<³}~lLÙþÓ'f#UL$KãAà/SšԎI‡Ågˆlf¶MIƒŽÚˆ5œJ*ý)Í*+žg ,uÑe2B¸'Xã²èÆ58RÏAÝÖ?ÛÚ³ø–«€"³Öi )y‰L>ì3]óââB9Ýf‹Í^ú1ÍØzéÿ6–sD¹-Ô¾Lûʕ/ª\¡Q7ò„r‡†T†ôŸÕÙ¸¿ìj÷f›´…RM(‚¤‚ŒDWcª¦>Tr+_ -N•B@SŸ›áÄÛq%Չڏ [ã>ƒ®Ëvd¦ž_ä³T…¯ØtaRšzâcú·u™ 8Cs65P×/ò²!ÏÃkèúÒ'ªK$iT¹ï@ÔSAÂã<Ç|´ºõý -G2ëéØâ#Á  ç«€¥cN÷›Ç¾KAN˜Ði`‚ž½è¯QÏ_‰R?ˆ¶o -wT. 
Ò­‹Ì}™!ü ®Ñ!¾¹›W&ˆÐ·ˆC™ º3&Ó¤¹¦<ä -<&±ˆÕþ—¼5Å+v¨aFó܆/*±»2‡î"…nÏBH(^ð«R§% ¹Æ(™mªV$9} ìæ§f劕׾ÅoüÀî».æ¶ÿ«^ã±Mk׸e©øÜ«Þîßö©/óÓ¯I™N¡¡£'")‹a±ö‘´4õcµútÒñoŸ¡Pðº&åH´lïåN> ö«…LO@¦ᜅh¹œ‚cœî66óIs“„sŽÁÕÚÇ· —T/a¿Çá’)áZ‹\ïu¿´ñy¼}†/ÃERèG bF¨)áRÇ}?õ ƒ“ŠxîKv¿º‘1IÒª7»¡?=€ú^ B?ùÙKó ”ÀÕÚúÿ5‰¨Dendstream -endobj -894 0 obj << -/Type /Page -/Contents 895 0 R -/Resources 893 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 861 0 R ->> endobj -896 0 obj << -/D [894 0 R /XYZ 56.6929 794.5015 null] ->> endobj -318 0 obj << -/D [894 0 R /XYZ 56.6929 769.5949 null] ->> endobj -892 0 obj << -/D [894 0 R /XYZ 56.6929 749.9737 null] ->> endobj -897 0 obj << -/D [894 0 R /XYZ 56.6929 433.0023 null] ->> endobj -898 0 obj << -/D [894 0 R /XYZ 56.6929 421.0471 null] ->> endobj -893 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -901 0 obj << -/Length 2759 -/Filter /FlateDecode ->> -stream -xÚ¥koã6ò{~…ûp -zæŠ/‰Ú~J7Ù½»Ù^’´E¡ØŒ#T–\KNš;Ü¿)K¶7M()r83œçáðI ÿøÄhËLMÒL1s=™-OâÉö>p3 @Ó>Ôw·'ï>&b’±,Éäö¾‡Ë°Ø>¹ÿ}øçÙ·קS¡ã(a§SÄÑw—W紒ÑðáëÕÇËO?^Ÿ¦*º½üzEË×/®/®>\œN¹ÑÎ áÀ—Ÿ/höéúì˗³ëÓ_n¿?¹¸íîÒ¿/%^ä÷“Ÿ~‰'s¸ö÷'1“™Ñ“'øˆÏ21Yž(-™VR†•òäæä_ÂÞ®;:&?sƅ–¸gOÍaºD#º~ʵfŠ§»t§\¦Lé´’pÁ´‘i§Õ× -W’)õ$ÕK¤N-¿o캰 Šàe“j•„»YÙYqÿL2}z°ëSn"KŸ‡ûhêM9§ù(ëÅÂúµ¶fH ÐN9È@ká🵰mDÔ´ùºÝ¬þ_YÔ ÕŸãXT Ún¥áÑ,oí¢^?{ÆÕ1ә0žóÃ7” ÓÚ¸§¢,‰H^65Q±ÕÔ1 úJ×<2ß•ÀŽ’$‚gšâe ä?6Ui›fŒI!XÊEÚcòNŽp©4š{¸zÕuE¸ò†&wÖVžÍ$…s`žMr½NŠv>*û['ÔԄ[àyq[µat¾ª×mC m88+ €û»_¾üÆ¼5šÏ½©ð¨qûY”Wó16ñéTŠ8ª6Ë;°0ðhôrXpâŽçÐåK f"%’Ï7®"n7iŸW֝æÑ¥Gëô: LòÜKÂì»E‡”.‰«×v¶Y7Nüøyn›‚NÎ $,ó…ǐ{Tmiòs¬ãoÆ®]܃T²!ñ:qMi6LTÕmX¸‡º8¿º¡uG̝¨èĦ±´€D/ð }Öë>f5<@baŽP£[‹*¸0b½A¬ŒÌU§=sݑ-YÆé4‰ã̝Åðÿ-G0yæ!b¯Ó÷£ÔŸž˜ý#_®JËfõ’°\^ÑxÿÑ웛‹±Ó}ÒïßÑô%¢|heÛCD§D´S•4P؈ßøºKe˜„ :™ - #V¯ÀI'äဏKR)Œ$VLp/žyѬòvöp4bœ{@÷ -)¢úžÆ¢]úU­òÙoÖ=(°ÕÖ~t† “Æ®Ñq¾¬ç›’ò=C$8î#U>X®‡aiå6ë¼ÐþeÕf_Jo“üV™Áà^a þº‡•™&QŒ8¢Lm€H¬ )³‚«ÏŽ«òêææ⃗hå_Û›ËO9¶õ¬.÷$ Š~A´=žß&‡­h¥f&Ñú(ÉâU13ZK¬t<¨,q2+!\ãwGê:¨•öE|íӆLXšàÆ͐c—Å÷ òëL& 豚Cj\ݏÐHI@1X”öýF¬t7ؕ€êQ -ÓãÜ¥ºÿu†.2fLš 
ͼ,šÖ¢wH7«_s¬ûÜ•u~yûñ­OÄÿ$,Œ1èߎ=…}"HœýŠÂùv<üåkH`ûÏëe^TîȐ½±—y!ÁTóºõâ£j– ¦;R$†Å®ÕÇè ݳwqÔÞÏ­ë—ۏM¾°ÆÆ [Ä ;WGÌŒ?bß®1'Ùf,h•Êk˜T;9Î e˜þ¸žŒ›Í<¾ÜcÈi(‹ÅCûdñÿýò ¬C Akhï¹µ»³†‹|l„NXSG›ëń&×½G¬ƒŸöÐ#ÖÍ>^×V³3ßaR˜£ Í«ø„(µË'gMe µ†R,Q:ŽÔ´¶ÏÝ>6dL\ñ ¢+£€™eŽÅ•I©Ž‚Óh A¾€²y´Ý%!hqüYLÈhÇ~¢³5 ʁä@é3Tºp:ù&À?í-ϋû®·ÕZ¢ÕNºãïüʗ4+»n!‘ÚöÑܓ™¾ì81ÏÂÅ»÷r¤Ñ'Y*G\òm¯ée(Ú¡óIѽOŠB¿ -»†–°]Cm1€s].ê᥂¸Ñºð‡kEÔ«™ÝA(ö½L{Q&õ·óÚ„¼tžCMRÑ<4ŠqžÏfvåe¡ €„µ¡v0…Ât:º¼§…ª¦Ñw aVxÐ^«]\$=˜Lp¢€7®ì`öR@L= ±ôtY´­#µ-`ç®QN=å^ρn:iá‰î:c1í~ü¶Æ3†õg¼ ‡#>¦ÿd$÷02º+ªyCSζ_.ÿ1§ â”G}'”{N(;Å;ÄõEm¢({RÔᄠƆ&<” -¬ÝNü*Ÿa3XH¹Þ½3h4máŒÜÒÄóµ‚rÙ(¸/éã΃Á;Ó´ëSmf¤)ç«j\¸ÂÙ2¯*êQQù#È[p¨êõ2÷Øé2°ºìîè¶Aæ]p$—pʄk†ÇÜÛªêlU mUFaykRÆ¡ º°÷¹+dž¤³p -½ÂùNæ›é¸×‘ì"AŸù£êc–מ|^Œ]ÓCºî¨ŽøU».‹Ð‘رó²ýs•uy5åy#?üpqnä­ÊPö¯œ#yÙ­;³UÙ¡¼p&‰o#]¤ç.taámgïÖγeý™†øÍCeô[ÁeK¼û öXÌ­¿eNœÕ÷äf2D©ØÉ÷)¯ÛCiô^Ÿ5_­l5ßþà×K(‰=œóêaÍãû¯S¹àAì”uæ™ÉøX½¥|¹§‡ -‡ub\¿ ð,Uɛ(зÑÞ¿¤q!Iãß­y¿•6þNTÒÂËSÀ»~ݔø‹p›¡®‹åf ÈT~ƒ9õopê\q]E9‰JwôL h4´ë³|Þgœu™€¶‹p/œË=ûåÿ°äOZ-ëú·ÍŠ–ï¬ïTÙCµŸkcyÃ]孟ٲË54;ôW»+ú`7»ŠîÍa°ýó …݃~§ð„®Šg -o-Ó½2G¦HGXÿ? º€_endstream -endobj -900 0 obj << -/Type /Page -/Contents 901 0 R -/Resources 899 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 907 0 R -/Annots [ 905 0 R 906 0 R ] ->> endobj -905 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [519.8432 252.798 539.579 264.8576] -/Subtype /Link -/A << /S /GoTo /D (lwresd) >> ->> endobj -906 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [84.0431 240.8428 118.7265 252.9024] -/Subtype /Link -/A << /S /GoTo /D (lwresd) >> ->> endobj -902 0 obj << -/D [900 0 R /XYZ 85.0394 794.5015 null] ->> endobj -322 0 obj << -/D [900 0 R /XYZ 85.0394 451.0558 null] ->> endobj -903 0 obj << -/D [900 0 R /XYZ 85.0394 423.9067 null] ->> endobj -326 0 obj << -/D [900 0 R /XYZ 85.0394 301.4703 null] ->> endobj -904 0 obj << -/D [900 0 R /XYZ 85.0394 271.3564 null] ->> endobj -899 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -910 0 obj << -/Length 1238 -/Filter /FlateDecode ->> 
-stream -xÚ¥Xßs›8~÷_Ácò Uü†»§4uré\Ó;×}j;„­ ŠDbß]ÿ÷“,aƒC<™LFBì~ÚýV»¬l[HþٖÀ vb+Œ=è#Û·’b‚¬•|w;± h…@Wêý|òî&p¬ƁXó¬ƒAE¶5O¿]Ё—]\¾¿¹»ý:»º ½‹ùÝçûKàøèâæîÏ©žÝή>}ºš];òí‹ë?®þšOgúU`0ÞßÝÐ+±^Mo¦³éýõôòÇüãd:ßûÒõ×F®räçäÛd¥ÒíÝ8ò­'ù€ ǎUL<߅¾çºíJ>ù2ù{Øy»SäÏFÐq%WÏ ô˶aìûNA?†ë¸{mW²‚º(0¤æÚË/ RRþj\¸V.¿»ñÃNdÜPš‰ââ$ˆ%.ˆžU¬zF«Åáá_=|G>Ò3£¾È)7"ÿíÕpšÖ'ÑÈöh"m=û]B=ùÕ.ï<êS%]ò"è»N| ÉAÒò!§¤‚²R¯à2Փ¯¯È~¯{ŽýHRÚeO ºAɱëŁTPrŠcÎsö¤§«ÍšV­%œ#Y¦Çž#‚éqIôH0§ùVÏNŒK³R4¹ Und¹h–GÞò?š·ÿ°’p8Ä2h]ný0Œdû†lV)*GœÈU{Nƒâ|M B;Šµ1ne0zĨ·ÏeÛô|Ï7h-T#d‡FŽ÷¦åѽT -]ˆB/6ª*yR˜°2Ø%p ­5êØåä·HàÄúq(Y–¸¡íõÌ7I(õ,'†QÊB¼‘”{”'dw˜•œyXpQÓrµËŵ–×y͸8$}û4¬¡wख¸€¦ZE?.hzJ'¥5I«M’WX¬jŸA“d-#œï`“‘zŒ´Øá³SҞ¿hŽ–_wKÕâÀ˜zø¯›¢Íɳ -R¨£'ËMø-m\EÓÑ;œ¯UT-=­²%|ÁêEÉ-XƒrÓ%ø%ÃQ1‘YX ȆŠQZçMe¸›/tŠ •áèφ´ê4xFD²«¼!£¤ó†¯Á®l*øº){*ǐµÆR%OA’SYqø˜ÝTŠŽÉ  -(ðÆ|í›bIêAË -ZÒç &¼’u‡ŒÚ¨ý̀D¨Q*%4;J¯ ›*§ ƒfÊ*Ñt -Þé½ê,q\±­ˆ=FA~Hecù˜hª/ä? ›¬KÌGŸ´äœ$€”x™Ÿ£3ö ?ú)éV1=u##ŽËdÍêîÛA« \¡T–2Û£˜¯ä«Ÿp7‡¬Ì·½`f´nÛDÕéÂÚ÷¤²å´‘ e·iÜ)ýö¹‘G[fDòô÷‹Ÿ×ôjb¯vËg´Â'ßA–’5‘Öwòì¸%ïY`ú»ÎJ›Ø‡Ý’þ²6Ló¾G«’Õä•@î]ÐÍpC¤"ƒp¾(°¬³›Ãp°4L§xŸ‰Ò5FÔ¸äûFá @G…ç Ž5Uª¾}æÔËêͶ=€oKÙ±rÊϺ»>T×ف{,Úß Þ|k>ü¤àÉ F9‡ q·ƒvBÙÐGÄ¥v£g–·×ëç¦ÿÀÄ Ïendstream -endobj -909 0 obj << -/Type /Page -/Contents 910 0 R -/Resources 908 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 907 0 R ->> endobj -911 0 obj << -/D [909 0 R /XYZ 56.6929 794.5015 null] ->> endobj -330 0 obj << -/D [909 0 R /XYZ 56.6929 769.5949 null] ->> endobj -912 0 obj << -/D [909 0 R /XYZ 56.6929 752.2028 null] ->> endobj -334 0 obj << -/D [909 0 R /XYZ 56.6929 693.9224 null] ->> endobj -913 0 obj << -/D [909 0 R /XYZ 56.6929 663.1642 null] ->> endobj -338 0 obj << -/D [909 0 R /XYZ 56.6929 628.9495 null] ->> endobj -914 0 obj << -/D [909 0 R /XYZ 56.6929 601.0964 null] ->> endobj -908 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -917 0 obj << -/Length 1160 -/Filter /FlateDecode ->> -stream -xÚµX[sâ6~çWø1tFª.–/Ó§lJÒìt³-¥OÛF±EPklVìÒvÿ{eËÆ6<8Èçûtî:vùÃNÀ ¢¡ëø¡ Ẩ优w\ɀZ4¥ÞLßß{Ä 
aèϙÌ\DA€Iüáæî§Û_&£ñ†n<8ÌC7oŸ~´+¡}ܽº|ø}|;ôݛÉãû'»<ݏƣ§»Ñà€aƒ'à ÀýãÏ#ûßÃøöÝ»Ûñðãäí`4ÙÚÒ´#Zòiðá#rbcöÛ‚4 ˜óÙü@‡!q—QÈ\Jë•dðÛà×-aãm mó£dñ[Èü†1vaH|êø,„%´ôàs£¿æY"†ÀCèæûàq¬DžO\Gói"sm׿þP˜löÐ1Rrðu&c°vÁ*^‚e¦t¾GV¬ôåð®ã°ÙP¼)ÈRPR¬¼\Nírý*#·äFÉÿƒÿÓJ¨ ȳ•ŠDÅSXÔˆ¡ífÅûãߒ‹ - õCC }—º%ãwå«ÚA† -9¿gÂÿnÙòc #!=ÉOŽù ´µPF çûl?\M‹wN½Àh‚!ö‘W)ÅN)žÍhr ÓhA#²æÿ´âi> -h¹@¦–®ÏBµæÆ1([é>FÉ8¹|«Ô½•Eéh ¢DŠ´.Ûµ”ˆV*—kÑaÙs¡$O€Íŵ¸!Åy• -õ«ú6Õyþ­‡f™2å}˜LY*€ø,¶ùZ><ÝTë»üƝäeÌÊÂèÒ+Ý+X[饱 Íû[[w§ÚZ¹tª{>¤>q[ZƒaÑZ;EK/mÔö)¤n¶›Ýì!;Õ¼cÕÌùL͎-]ªæµ×óÕB Iyüîg‰—¹mGóšºùxˆžÕí¬ë -!ÁìdT½k¢jÍÐC÷ƒºÊMíœòÞFäÓLMÓ¬5OÓLËÙ¦Ÿ»ƒ.öÉëºÛÃfLsƒ­Îçè.Ó_ÏÑØ!%‡ç/Oò Xíöf­½£ö$±mJ=e‹„°}=yòÈ/3’ìäòoÑë¬úÓ¸55­~(þ›æKµ¶Ê(3ÓűlÓ]»Ä\óË3™Ô‡N·¸U)×f¿l‡(<•é‹9´PkžœõÕ\p¥Ÿ×} V¯RpÆ#ÑcŠ6稌òþ-3òÍU •M®íd®¿•Ê…™Šë3»b)WöÂas¸e}—äÁé¯n†7­“^Ã[ñh~N|W -ý¥sùLhd,õ¦5PÙº)PYÖcl+:yQЭ»#­—*[˸ub”4ãZ®{È׃LQ‘<ù’*ª•f‹™É¨y9÷õ–‰ËE°ænڌ»—€Ê½zƒ¬‚G=»ýë<6©"³¢ÑÎT¶|¥çý}wˆ.µ¼Š2OcƒŠÅZÖ[r=Ÿ¦¼¶òLIt÷Ö¶ j¦JÛ®[ÐöÛï›/wv7_®™ƒ€lïm\Ú¸·¡Èƒ ýZ©Â6j¾½:Vý?ßÏF#endstream -endobj -916 0 obj << -/Type /Page -/Contents 917 0 R -/Resources 915 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 907 0 R ->> endobj -918 0 obj << -/D [916 0 R /XYZ 85.0394 794.5015 null] ->> endobj -915 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -921 0 obj << -/Length 3325 -/Filter /FlateDecode ->> -stream -xÚ¥]“ã4ò}~EÞÈDkI–-O ; Ç.· uuçÄJâZDZ³³ÃÿýºÕ’?'Å̃äVKÝjõ§>‹àŸÏTÂ#Ì,51SW³Õî&šm`ì«îqi1ÄúâáæÅëDÌ 3‰HfëÁZšEZóÙCþÓÁQ ˜e?®Êcî—ø¯_)ÛÙ²hZúúÃcNòñÛÑžÊzs"úœœ‘M¶,í"+7õ¡h·;/ϼÞeE5â£CùܳpøƒH,„aZ§f¼k|ñ:³Ž5²k–$io#<å"X®Þ£xÒãÚ¬µ;[µôùÊþE¢*ƒ Y•SçÇ&ÛXOKt -H Œ8N©‡­íꑸfƘ'pp¾˜ë‘Ry¼fÀœ”óƶ õŽ{j7e½ÌJê÷ۂ¶Æ6ž/­ŸÐ؜zË'jÑÐu¶…ŸvBp—yd´ìàé8µ¢ÞÊÒÉ(…ló±à9Ë$™gؤóU]¡l7ÇCFÒÅ1„”øH”™ß¯ Øníá–ë¹¥‰È‚Aá&›h¦áÏK6….˜þ‰d?ƒµ‚S&Z‘ಬWï©ûúH6[m F¸Ô‡£¡a<Š¶ñJ%L+cNìî³cé•î±(Kê¹ã‚‹yVÎRΓ™ç%9ìjÚÒbˆåa<I:,2ڃ]µõá锲IA¿µ¾N9 MPžèJ$ƤÑjR¨ùc}x_Tú†œ¬Ú[>G¾´^Sۆ9=|ø„A ´þeåQ+pƒÙ²©Ëcëq÷Y»EχG,bÒÑáZçZ -@ÒRžœE2JÆÇI'(c28ƒfïmE ¬¡–öRºRM#­3@ìõ;ÆírÎݖ ÷BŒ 9¸(h`†Öõ:»ºi©çDÂóõ±Ýýmª *²lÃÈpF1óij£ðrv8V6‘Rám ì)²à¨Ûg¤¦÷à :Í㍫ê–ÍÞ® -܍ÍњN3jÓMZž„é™rÇí&¤ ÑÏ$‘ñ{c»_ÄT[A3 -PŸ 
SvSB›S>„‰æk©w„ð¸-ÐÇàM‚Ž×qGrÀ6;´è)€´!ApG¾§1“lëc™Ó’K?ý kƒÑLe=`BS¬9ãBÉëÎiˆuÙ9uXHõ½}Z\tPœ§L¥ñuêi‚úÈAÁ)*£#òÿÚ:sæÑ|o`h;¯VpœO`Ŋû '€½ J!ñ Zϳ &ž°û>'çŸd äé‚IÈòåÜ°²ï1yr5 «PbJ—¶ÊZ+¯‘*(,žO¡ë\»J¡T- Ðl3òZ~2lУnleQ‡ršá -‰su’t¤‰BøðíÝ¿'I¤t—‚¸õ}`ÂйK²4Rãs_•ùc“ú<júÆ%>ÆÏ<á(MY ÉÜu†$$ÃZ³´W6¬(û*ZZÝU‘HØ¥§Ðz€ö)@z$pÎmSôR…ï. G©® § o>œ¤J`餁ÞS%JL9ۄ0b¬2‰Öw®UýÐèa€"ª«`Éhièg!â‰,‹AeÒà5©à5‰ ÀµñO;!pÈG˜F†É8Ÿ^§+™€àg˜ß ‰D±Tu®d>ŀ҇'q:å[¬Ö‹O]ª(øw)}"$»¡h,H@}%Êõ½,%sl/퉃,“NH…0FámíGÝTl|!~V…rˆڌåÄ>%..Ñxÿ9Æ#9BmÌ1îø” 6 Nª*ÝÐA¯²Æ¥‰Â õÜD¡$ ö@Œ8©O0#˜H’ w]æ?H™¨ÒèÃ"Ã'þ’,øIì#‹C˜˜I_¤Ëñ" õrÞ¢¹MgP× wHç”åyþ4&íkªtþŠò_—v.¾¶e¹£RI“@Ç ¥‡´avW½Š+  C“äÎêÑÕ␻h5—S 3ùR°È€EŒ ô皃®å®$h¡)Žs±þk1 &©Áº}ÕÊC–P§rÁbê9™ÀHYg¹‡„%Bµã&¸»X†Â¡^TÐëÊhrýR¡.鱁uÕ*sPêNù»ZÅ©ýT­‚U×½ŸvÙX]ä[Ñæ¶ÝÚ×- -?¥ÏX\tÅâ<’ó%ÇÝ~ÑßzMŽ3Åãë”;¤sÒc/œ°3ã!mÊÎd2*|4–I"áê˜j ¼ uE%âà>š“yP gK8.®©}¤4 -zEÕ´‡[=?®(i åµ'&M's°i¦MŸ<ÏTùÊëp•//xi•ˆA‚‡Ê¶öjP{}ßwôht­\4Ì7é°n9=b!>çî Â(nþÌ#ž`P{êé'¼E·âb¸äùûœä°LlLO9h#›X̡ҕ|x)7e$°_,ž)d†X—ͤÃrÑÚîð%¡hÚbÕ\2™0‰‰ÀU.:¬ 6F&[†â5óán4°üB›Á¶ ÃÁf@>pÒàÿEëœ#ôasty¨ñA¿\·ß°_§öÄ*jíÇ¢ÅɈ“êjR]z'‚rLž&ãOŸ#‰ï?CufþT¦ò> 1^,ì’Â(ÅâD>“È ±®(LÀr…G‘_P›Z^'&H®nÀÿ$&“~˜¾x!¿šö÷2½_\ÖôN5ítÄÝý´þ:Èßj¬lã÷¯Âí¦½© ›} ¢O¦§÷öIԓë9è²êüÜcð(Rwï~/B‰ânàO.=>d‡‡cõ‚´Žàù‚}¯ˆ¼])9<7÷MW0qÈù”WEÌþzÇã´Û¬¥±Ç¬ò=º­Á']z^ŽçM±©²²{CÀ·#HU…©‰/k=»go3hqéøI,†ü@¶_à,Ó3,I»çéÑf5žX5YS ‘ -“ü‹CS¼sqI1vï‹R|ØÁæ{Ôì A‘”’4k8êŸI¡· ÐÄÖV~ápÎSÕɪ'zêÿÞËåxð…[£G¿º –’¿]ýÁ¿°¤ó7uëÇܙN/MMÒ¹£iÁa ŸÊ‚*Á’54BŠ¤74Æþ£—‰¡çséócÓ¿ ¯ëð„€à"¼Ic‚’ö˜þn0$¶Z•un×CŽœ×GÊסÿÛ$Ñ\tŸiÊD -ÕæUï9@ºì<Rx³¿i±‚S:½J¿C:g`\ j–@ q@.4Š‡.¾jÿfنá΅Fqì\(¾nî÷`øþ!sP݌šZŸ’â“çIJ:@Ê}Ûø·K* 'rR™²(>½¤œT&ÄÄTÀŒc¦”¸ÅDqÿCð‹³Ç®Üˆpi6|¯Nä…'üóq ¿ÄOn?MC§Ÿ˜t·wò´Â±ñ{Tr፷åº3õk6Țñ'h -u?;úÛ¿t눏 Z‹iÕ©f±†E> endobj -922 0 obj << -/D [920 0 R /XYZ 56.6929 794.5015 null] ->> endobj -342 0 obj << -/D [920 0 R /XYZ 56.6929 659.6382 null] ->> endobj -923 0 obj << -/D [920 0 R /XYZ 56.6929 628.8211 null] ->> endobj -919 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -926 0 obj << -/Length 3376 -/Filter /FlateDecode ->> -stream 
-xÚ¥ZÝsÛ6÷_¡é“<1¿NžÜØé¥×Ø=[¹iû@‘Ä Eª"iǽ¹ÿýv± Š¤(å:—̘ °‹ß~BbæÂ1S¡ãúq0“qà„®géîʝm`ì‡+Á4 K´èS}¿¼zû!òf±G^4[®{s)ÇUJ̖Ù/ó÷¹ùyy÷x½ðBw9׋0rçß¼¿¥ž˜ïî?|üáóã͵ æˏ÷Ôýx÷áîñîþýÝõB¨PÀ÷Ïp惺£Ö7Ÿ>Ý<^ÿ¶üñênÙí¥¿_áú¸‘߯~ù͝e°í¯\ǏU8{×qìÍvWAè;aàû¶§¸zºú[7aoÔ|:%¿ÐWN¨<9!ÀÀï P¸Ð¢™ c'ò=ßp]vIC›ªÖôl¶š¿º®Wp;¯é™é:=ä+qw9– -'vE|\¸¡ÁÃfFÇûý¢ÿÁ)û§ó"ÿO:mòª´ð9BŽyj'Œ@Dý%Né@傄¾ë¾'¦áê:nð[H/v<Ð‘ÝI¸Z*äv_š1o€G…*šõç;Yµ£šXvxÈÊQ~×]â‰ú®š¾ýùíòýÏôb¸–œ—ín¥ÔÛXÚZžmg[ëšH0Ôu¸j®S?ç冺’2³Ÿ–Y×{{ÿDŸîÍ'US¥UÁk’5ö!ÐRн@†WÑL€E¸s8ö0¤}dz´…«dDª9¨Ìæ{ð%uÉyµ· PsÛ·Kò²xå¾² ü%lØ#I£ë¶ðÞ"1ON ÚÚì»y”ä‰c‘çl¶Iiù4ûrí–È‚½äEAè-+Öë\²²Ê×TôL«Ý®-ó4ixà%o¶#¥ÝÕ*á)AôΉbüF2DIuä}ªó ï¨pG€Aµ[dú9Oõ Úᴄð£ËËwTëЂ/ˆƒxȀA»ˆÝy]µr)¿£Ã§.‚âþ•:P¾ø\1!À=ãKÑÍI¿¨ó ãn<ŸûC¾KyÁݥ֙Õ p@Owï .üŽTë|Sj&þ£*uêƬT†rÏò½NóÅÐÄ1ê²1"`[ ´} ]cD Ÿ< ôz_“(wôö²ÍÍfá#gFì3±,à²(Qß퉸¿Äïm~ 6Zç¼K8Ø$çÖËV£ÞKÁš){îÚ[<=]]‹¹¶¤úë6iëFghÑ$m©É4H»‘pö{B;»èÙF {NŠ–W‚­Ëo?„²§8~  -×là-œÏ[Ò["hY¤œ¼¢ËÇkN+Bˆ(‚p¬2£sõ‚ØJZä4xˆæ õŒb£ØQËØϗ¼Ö(7¶>ad}<}g9;±;£mH× Ã€‰;«5É,6µqGk*è=k †Œ*–ã«(n;/ó&·†7­J<¥MKȢ΢J8j²×џ@»IM»gkžï¬(³azZ‘ yÀN_·«d‚¥w"ÂEë³N T.;>Õy'ÐQ™Hç ×úpÐÙbƒH<ñ.ÆrêòúÕC/:JùbȁÑ0=•Ápp¤ÈQÕ¸óuϽðjš¸oàczYÛ¡şè]ÞðL1t®ù|ˆÈÆ0´!¥Œ1¡žŽ—$Ë؜‚ÕubPþ¡‰AYpÕý˜×í =àü¯ýó¯÷`، —<#Eñ] uDV€ØpƒuÒ<Ë´Ã$/ÁR3©BèÞ?Üß¡˜Î£-ðí2ÚzTÐf©ŒêWUŠ_èQ·E…‘ÞsÒ$ !ÂE.:ª 6˜S+„±ò±¼Æàá`ìJHŠ ÷`D¤zGډƒksmsþrùÓmM=l$Ù;UÏb<559’Ä®¿gÔXI߉„? 
-¨õ×´h3>CÔ§óo`ôeªûÊƛueí³†hèÐ/÷K‹0»/k¥Š×#T´³aHþêyÁíþ}ÃÃÐüé:öæu~~¿#«ˆ]Ÿ>?Ý}þ„­}#wçSº£ñö#ˆdþMن¥óÔP:“°2ur£Ìã»L÷Ž›Ås×l뮹ƒ¸²ÝÙ×ÿ¼£ƒ-M,Òà”¡Ó®û “ݧ:¯D•I®ò3ŽERlª€iWŸªë(W^fÁM°0P :¬ö‡[â“.Ž½È™pá°Ù öØ5cÆ·âÓ@Và_¾5#DÇÆH†bþ £µÅx–Àó‡°ØSÑ‚Xp|1-̑ ”r 1ôùc ¦ô*)`‚Òx3rµÝŠ%I ö×fVjór"ásR…^7ÔÅsó/š÷Ñb.‰å£†r¸ > endobj -928 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [250.9056 758.4766 324.559 767.8862] -/Subtype /Link -/A << /S /GoTo /D (statsfile) >> ->> endobj -927 0 obj << -/D [925 0 R /XYZ 85.0394 794.5015 null] ->> endobj -346 0 obj << -/D [925 0 R /XYZ 85.0394 227.5287 null] ->> endobj -736 0 obj << -/D [925 0 R /XYZ 85.0394 201.8676 null] ->> endobj -924 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F58 627 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -932 0 obj << -/Length 3418 -/Filter /FlateDecode ->> -stream -xÚÍ]sã¶ñÝ¿Bo•gŽñE‚—Äwu¦¹4Ž34É-Q‰TEÊ>ç×w» H‰’œô:½ñx¸„–Àb¿°“þäÄ&"ÉT6I3#l,íd¶¾Š'ðÛû+É8Q@ŠúX_Þ_}ñ.Q“Ld‰J&÷‹Þ\NÄÎÉÉýüçi"”¸†âéWß}xwûþÇ»·×©™Þß~÷á:R6ž¾»ýÛ AïïÞ~ûíÛ»ëH:+§_ýõíßïoî规çøòöÃ×4’ÑãĤw7ïnîn>|usýëý7W7÷Ý^úû•±Æüûêç_ãɶýÍU,tæìä^b!³LMÖWÆjaÖaduõÃÕ÷݄½_ý§£ü“±PxuÌ@£{ tRØ,³“Ôf"ÑJ{‹k馋bÖ6ב–fšÏfõÇæeõHCmMÏßëªà‘— Cy5GÀNgu5+ªv›·ÏÔ.‹ÃïÖyYµE•* 4uÀÍ[‚J~æ«Ë|³)*ž³¬hµ9ۏ¤™µÊï¥YÖÛ%¤¦¸Ìö)_½¡×Ú/ˆPñTl_ðc`N_»¤4Â(•Âœ8ղȷíC‘·Q˜‰¿0T gMŸxNàËzS,v«Õ ½Îw[ÏI„=Kˆ f°O{J¦·L{¾B®(PÒf·ÙxYM\Å-GÔ_¥©>Øz½.H7ë=y©xZÕÛ5ïáßyÝx( ¿Í½*üÇjæ)Š§÷aŽy±Èw«–^ʆxa]*Ñ"Mó¢ªGØè%AÛQ©©Ö ¼2™à¸ðˆŒ@oËx‚y™¯v›‘u´΀žZ½iË´Fe62ɲÀbz(èÙlŠY‰{/æ4PV„ÚŽ“b0‰‹<•Åó%ʂp¶§ £›rÚiÆñ™ì:‰ƒr6-ÙŒ­yCr -´>/Ëْȟå ï -Ÿ5h> -8bÆ»v™¡mË9šï@WõC§ÿ}ÒS˜!5é+ä¡7”K_Æ(«Cé߂ -›˜)@€Ô!Ð=ÿÌé±Î°ÎC$ø® -еœòhfpŸKô.4Šf‹P½ksøîþöÝO“þ{W4Œƒ.Ñã†y:Z›UþĶzàž~‰m̆ K ÚîIÛ Ý×n…Þ4Ak,‘Zÿâi¶ˆl¦D£F¸Ú­êlYÌ~£é¼«ìí)#I!ÏR?•ìèaØû^Ä¿®ttÄÜip ~f×S^̏Õôî— 4@“íñö ”wU̇JG0¹ZƞŠC/ÕíÐ’È›ŽŒÁv(€&c÷ï/êÁsÎr¦áaO[K,\­¼ÓÀßF–L -Æªó-²aÄN H’‹ÞBÛÔpcÑÉùL&”íÌ3øÛ V1΋sÅ©$œO°Xòœ€gŽÙÉF LðϦÝ=ì¿Â7±lƒƒ9ƒ"Lè'ìqÐðãn•óW¿(eö”³!üšžsðŠˆÁ¸ â4A4¦Æ ^sɚœ¤S0ïmé½¼Ði@]ùƒ M±]ÀYJ/@$CϼÓôÄQ¡¤^þPdaDM(>nJ¦–Ö)y½|>/Ù6põšžèÑÐYÜ F„j¨ô}MﹶFtœêéÆ»²òÞEe}•ç4 -Ð(´FÃ\–bÍyô…ž»† :dš -•˜Ë–‘Îš\°ÉâÄ$„p× 
aw¯A«òÇʱÕ!¨v]üF«óé¨]"ÒL'C¾mò¦¿3fkBp+(4qG—‘{º`8ÐE¿PmâÀÏÿHþÛì9$¤N‰ xl¯ð°¶;„·ð)~v¼‘£«þŽdvL#ŽÒ>" ù°™Á7þ¬À1¿k?#ñèäǝa⠙Bã榍Öuáß«Ì-ê>lºgxoøÜ NyÀ\k…sYˆKÏ(‰Zët¨$8í¿v Ÿ2ó²ÉV!ë‡îGœÁÁ![Åa:šAòh“dbAúJËWå£:…€TÚl˜þ¹¯=ß{’ú.†¹ _ §ŠÂž"«à|K9žìfœ³„KQ)ªçhWÎØólÖ±Ô¤EªÑ ,™êôkïÏúB1©áLÿ'` 2ßÈÔüO¸ GV=&«1&«XdqšœÉýŒ2hþA q³rvú‚ZïbH€a†s"žj”y{²>cÞÅ2pç™;˜FϚ—¢á^fDºä:öì9ƟrªGħe•ü„¬2 îYVA%²,Õ磅!·FÔê ·út|¾ŠeœÆZ{[ΊØ(yáÄ¿¨\§­°OÇgÌ­$ƒ˜ª±g¸•j»$»p†ŸàÖ+\VŸŒÏ˜Y6ÖØ ß$RH-Ó~àüçyvÎ{ä|*¦íKéÿXHfpr9¬¿ ¦WÏ?ªëcª8 -M ÐÙº¾‰aLŜâÕmWLÙÇ#û8§Ÿçý—Cß®Qp¶Ø¡ 7}±(ÁÛ׋"W+E*e2ñRK>Ñø ¤¨u¬´¡)Óaùü?ÿ­ˆJÌ,Ž4 |tJëó‹wX#«ëƒÆ‚‹M2\þ“vz¸ãäÌÔaŠ‘a'ij~ë*×ðkQaZ0§šr½[å-ÉÊY.˜VýÐÔ«Â †¿þð´KA¼ýþǛ»kˆZº–R‚ôØiƉ°*>ȋª‚ê8˜¯Ô!WéÍG•3&’k½£ÂÕ)¸\i.·‡uF¸Ë ·hgËèqµ+Že«D¢À Ÿ]»ÃY| Û8IÜß 5/¨fæöÄ¢Mcañ2Ѥ0̌ȍÖ* Ç4®Ë{Œ’8>6B&¯­­…Y¾k¼Á\bK{59Ç$7ÍÛ¶XoÚ~UÉъ\SJRát6Ô ¢û œÕ;Ì£¡µØ [ór^ý…á%ÕâÂ63êªi·×nº›±Öga„2˜wm8[ÞæÜÔéjÇØÿXpïg@æ¦.ÄXe˜Å8ð…Ï]é·)çÔN Þ0g§˜ó;üžï‹8j/Rٞ4å”HUvÁö±NL‡EY¬wÍ2ÂâjÕUÔ,wí¼~®ŽìÎe—%æ<)Ö-ú þçO1ÿðrGãàÖ„ -ùºªŠïÅÇÒ÷«œï‡5¬(Ÿ¸Ÿ¡§?ܾ¿¿¹ûö ½ñ&éå þºæêvˆä5Ò •:5Ôô¼zác“ ­‡}ŒmÙÍ«:¨ÃÒ>Ceg®gEr褡öꨯ뾎ª˜F« >¹uFÅ–/Ä尋Õ<š­Jì\)–Ò"ÑàAÏÐaP0Ø,L‰„@u@·ÚÒ¤sÌ?ç ¶2„ÁQèˇãoE±aŸ+¹Í+§½=x¤…ïLâ§Oøˆ›æC²wE&§Û3rìùŒÛà„‰XAÊ;싔í’]ý‡) ü…¨ŽÎÿÓÒ6‰;}Áÿö±ÎH;`!¥þÂüGåGª[GxEäPèà/™^ £Ã:&Ä&vk3w@I¬Ì>>˜Æô>‡‰g°iœuGX¤•ä[S†Ü8åZÃ|7ß!É¢5èF‚C$¼.éä6p‚Jlé%§G»Í«”ΆŽÔUÍÝUiRtp‹(1”ÕGёFp[Íè8@ýð+ þ“b¼ r=0Xqd¤ÆïŽÞ fôÂä…rzZ‰P@B=€¡4ǚð¶©!Ñ›âÙocáïK½ AjÐãp‘ƒ›T|×b×>Öû²ÁÑþ±QË{ ý´]3Ú1O µNº~ïf‹—T -Rܑî„Mý.}\ÖuÉN›^é´å$oxeU®óU´ådãØÑ¢q$-Ÿ[¿C:&`x´€˜4Pp»aü.]òŠ#ÝõŽt›†‹ֆü  GЮm(HØd[5„¾Öö<¬ ·@à ¾ecÍpœ1©`oº|ÇûÌÀ‘ØÁm—5Dã8³Vœ‡i9Lµ - £–!alhœ7¨ýI&!²h8ܝ(÷™ ¦›'…xôօ>fU<ú:ˆWzmÁ ðÝg¹Z yE÷ÂÎ&£t‡‘Ž¾ÁuxkŠ/ªìïvÝ e!°‡ùƒ7=„Ô±ÕÿÁ…¢x·yDßãÉÅÒök¯Pïï—¬¼:5n9èa…E¢p£Ž]ßµ>&ý? 
n}ÿendstream -endobj -931 0 obj << -/Type /Page -/Contents 932 0 R -/Resources 930 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 907 0 R ->> endobj -933 0 obj << -/D [931 0 R /XYZ 56.6929 794.5015 null] ->> endobj -934 0 obj << -/D [931 0 R /XYZ 56.6929 553.585 null] ->> endobj -935 0 obj << -/D [931 0 R /XYZ 56.6929 541.6298 null] ->> endobj -930 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F56 618 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -939 0 obj << -/Length 3586 -/Filter /FlateDecode ->> -stream -xÚ­]sÛ6òÝ¿Bo•g"Ÿ8÷”&Nϝ‹sç¸3½iû@S´Í E*"Ç÷ëo Pü’”»v4#‚Àb±Xì7È ~|auÄd¢&Q‘f\/²Í[<ÂØOÜìЪõãÝÅë÷±X$Q‹xq÷ÐÃe#f-_Ü­[¾ýû›Þ]Ý^®„fË8º\é˜-¼¾yG= =Þ~¼yýÓ/·o.ZÞ]¼¡îÛ«÷W·W7o¯.WÜjó…ÇpdÂûë\Që§Û7>¼¹½üãî狫»n/ýýr&q#_.~ûƒ-Ö°íŸ/X$«ÏðÂ"ž$b±¹PZFZIzʋOÿêöFÝÔ9þ)m#-T¼XpK5Ïe1 \[Å"+¡¸¬f¹ Ë›}ÙÛ2_eUºÉ›ñ®ý:¡}Ô:¨ -dǑ4ÒI¸{*`}¢—õ¶-êŠÚϩ댗û&_SWᇼ@ËH[ÓkZ–õ³oÒc]oRš/qƒÔàŸÒ¯¾'° ßÞ¼ùp…¬¾Ç‘ÆÂy”h-Å»Kn—yV»çè”R:ê¤˯E]¦´ì®èÙ>åÔxwó‰›6­Ö©ÇÒ©¿5M"Aðiùœ¾ø5švWdmùB yõ@$dy3Z„vàš»K»Ü—t´p\~#Äúûº}"©wL‚ç&mÚ|Gíß8ѽ­ÔX¿#‹Œ^öÛuÚæ@ýX[¼HÆ6Ž¸9"ݝÜö¡ŽËm…”Wu[<¼Lĕ‹Èp-O¯ÛAÍ,<Wn¢8‰ãáÊ׸êë÷ÚöAY$´I?‚¼·Gè4‡Yó;ӌŽ ŒÒ:HA¡¿‚k¼”€DÜ|¼»~ÿomÒGwØ0B¢ã14yÕRëù)¯<uü§®<­#M¾ûŠ§ŒE@·oŸê]тì‚V8ᗠZ9~”¹•dr™=¥ƒs (óÉiX0Zœ%‹Ø¨HéŒ& îÔ¸íŸK€_õ'̜Ë/Òõ)ϼÖm`£ÇÔ 6Ç&v@ÍD6:¨34L±!  
Å*¶`Ñr"£w`Lô †üA ­·OÝžNC/e -¹&ˆÂﮃģýÁcwÃäÄ8¹“ä‚E‰’v¨þ(ƒù·,ß"%Ró¡:+€íNV ]¬êí‚# {ªÑÔOßPãC0AÊ’¼\ñ֚¬‰›WÓ3­^úË5ôÒm~´)WßH°¡¦eS¯6btxšGFiå5‘¼Näí½aŒÀÕóã*Ÿ€Ë3A›óo۲Ȋvf1e"+˜ñ€°ag¾Wкy a” ì®+´õØr.Ëô؃aÕ؅í}ST3ŒJD6QžÓŒRà…t¡ibG  Žb#µ‡¬êdá|FŒ r{ !Ócâ(AÛ;<֎MšL^ÔyµÞqÝÍJh@,¸ê(<²eÉŒñlÀ¾!*ؤ/Ô@žQë>§g³Í³ƒZøP慕Ç:àü"Î@Ïø ipó¢…6ßÀ–qJŠn…ç§"{¢f–6žž¢¥g ²²¥mNQ³1ù€×´u”4›gWl@_Æ$¢ñòº¥ÉÏõ¾\SÓ ´µŽusž¡‘ܽЫ“sn÷»ÊOyÀ3ðÃ+bwˆ¸ð£…_0K}ÐcM A^Ó!wÂEDv›íÒæéh£,IN‡1}¨ãaLå"É<ÛïÜÈØw -ˆ=TrféjfíêIŒ?bÖ´eñÉ@¢D -{PdçÜ\|˜Š¼90øþeŸ»Ã…&i/t4mCPÞY^u~°"xçT°|Ny.ÊүԂ¸¡ïÂnŠéDü~ øÉs½ûì<&dóAý—}A Ü #ÿ$À«¦Uóì(`Þ×aƒ¶Æ9GÓ(…uƒm'·0tg¦<ӂGǞn§Ð^×Np™³Ž~BI¨Óõ |®\Æӧʓ -Îm,—KrKãØßóQXO­×8xOûÝ`AÒ`³³GtX.ÔÁ1ÂÒKÑ̹ˆÄDR›ÿA´"ŠhnêÖ/Ò>¥n|jÛyg9ª£ô(v½S³Ž ’lcL0ùžëØogKÿŠ~™¼“Özd1³²ç›õòÁÍ©7ôöèɅ—x )S:D'ht'p„?44'K³§üoÞܵ¢Ý'Ð/_åϧ»Ï==šp¯ <å‰Þï"û¤ip ‘6¾Ç.¹Å~Ú9õ}Ù_òe¾+0+„ãƒlÐÓZéœ(6š–ä±dpFÔë’~|V44\0°Æ,’ès!f­œ¬J¬%ä;—†£HHyöà&gÔ õùmȳ\®»^{Q÷ƒe]Þo݆8ƒLÃG .˜sï»XÜâCÞfO«Çr?ç䕍òžÞƒÃ>ꄝ¶ÊžvB}¨ãN¨ƒr:òA:cWíË6Ÿ¤M\éHÆœ^¾ƒšY ß`z¥­ÿ)(‡dÆ{xתgŒH¬"3}:ц\B\Cvº° ¬’“pvÙ -èžX®©E9•™)ø0 ë@ôsu”bãó Î é¸ae’™ÌåªÊ) ÷•´çAøÈàjÖ3¸š1¸:‰ Oø÷åكXòÆx¡NYOÙSZWŵóeOP?!6‹Oà¢y pù&ÍÐ#T«@ä…IdÍ øé‹{„äD@ø!ŸñܾéqCǘ:¸2Ž–â~¼\Å|yÿby5-5Ä à·Ô -|¸øâ˼JIP½¶Ûì ®ãõõF,ÞÕ°¥EWóªÚí˪ÁñÂ- -bAJAå©紌]¾\ -^^ŠÍ¶t¡9ÙyKõ>xúZ*´’Éá+pرŒå¢ÇÞ?w`ÒbEÉÅêPôþsâaW„ƒÄ€çæ„q„å9®Ó¶±ƒBv‚ÅXëÕ¶®Ë‰Hhe²è£ZÆ5]Ô©wš—3 ²9XÞ×ÆAû|‡´úÌÛ9¿LS:îR|æö$Ԗ©]Ösé5„íм~çûzN ²æ¨ÏV‚&gê¿}¨ãçÒA…œy… gD6½·Àʳâ4Ô C¯zhat@‘ô)æB~GŒkúéS²ÝKut—ê¨eV—%A¶íb¼å oPªî&„ȧ†p`µo_•Ô šP´<.Ä›HÂuKÈTœÇ…6TsX"ðõȔqጕ/8CÏ}Ú¾Žyÿ⋛¸êÃË|ìŽ&MAÑ+ŒôÙ!˜ucô[Ƀ§ë×Ig -A6‚àŸ)¾(4`ɸ²%LWäMÐ7¡`;"ƒ\Ç5añúHËÑ­‹óàf™fXúpìÖñтh xƒ .»jÑl\tN¼”ŒTÒù0Œ~µ U"œç… -V\ï7[êFm|«¦1’Gè K êìê‹ÐOFÇjJ‚Ð,Þç1håñÍda4Ǻo±djÇ]¨=œ¢Y¢ÎÝ.„`¡>£ê#œƒ›º‰àl#n¦·ÎçÙ>9S‹€ÎP1Æ5œuF, -Õ挑íA0²ªs~ßÀêObpº äØ'Wî ¦K=èDñpmò|@R¯«–]ßqϗÌzrd”p…œ÷Rï©QåTªõ7ð\Mz_æôrýëûÛápJmº1ޗéŽÞ»ü‰ô5áÅ£ôŠ‚‚ˆA ¼ÌݤA ÏyÃó2IЯí®þZ¬‡5V-PF«âQMÛ_ûŽ¯É8 –`†Zr‰'Ôªƒ_õ'Ì\˜MðΫ–„A0ƒó죟ÈZ:CÄW/8šdõ"’ÂÌØ~/W:øsMðN¸¢"9 ÌÁÆcÆr’%è \'M 7à§MM긩é æ$xhƒ!‘Rž^½ƒšY~`["m¬ß~{ȯ›lWôt¥~˜ÑCH‘éÿG§ºbA“ 6zJÊü™-Oñ~¯îŐóþYÍޙÛ$R1ÎK•È3Ògv暤ƒ¢*®»48"6âÜGïŒtx¨™å‡Ò!#®øpù¿F8ƛ ‡¦Ž -ÃI 
÷yJ8ü™Oñ~·p`$øiÆc̹ú^ÙàŽýñÙPHi»ËÓv•Qê‘6«f›fÓOQ@õ,Ö¯ú L…$@ÍÐ1üŽMD6†ì`@ˆÏÕ?xXhÓwlÐðW’Êk=>‡–¥‡ ¾á¹I?ç¾Ç œb‡´;ýPK¯YºÛ食1¸ÌwÌú~B‘Äñ~IBà%ë®Äg$XE‰íîÌç¤NÞèïâ:˜!yºžÒ]š­ü ˆ3£ïOZÿ%CH7 d5ô‘t=»›º’pC)½Òùº¦«—ÂH›Þû[·d{¸ý²áˉxùfE‰Ÿ7ùÉe®ýˆ¡‹ è¤Ô[‡ßp¸ò¤Ð㗛ë_=¹/mæ®LüU•‚äÝW ðö˜Wx1A²àvèNýó掞nkð|÷ñ56î…®ÝìòڃŠ—É+zúOúTG%´Ž?G”Øsç/GƒûÿˆY#z綳ûyí· ‘a ð0]ªx–ŠÝÜNP -Õ_»'¶J@t¤õ(V¯ò粨º/#û¥ *j~Z•¯_¾ ì¼È\M¯x¬jûYêHͿƺº÷Ÿþ>ùðñ¶‚´ÌZqÜ}X‘˜@òGM"V îW[afHÿ/¢Lendstream -endobj -938 0 obj << -/Type /Page -/Contents 939 0 R -/Resources 937 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 947 0 R -/Annots [ 941 0 R 942 0 R 943 0 R 944 0 R 945 0 R 946 0 R ] ->> endobj -936 0 obj << -/Type /XObject -/Subtype /Form -/FormType 1 -/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf) -/PTEX.PageNumber 1 -/PTEX.InfoDict 948 0 R -/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000] -/BBox [0.00000000 0.00000000 27.00000000 27.00000000] -/Resources << -/ProcSet [ /PDF ] -/ExtGState << -/R4 949 0 R ->>>> -/Length 950 0 R -/Filter /FlateDecode ->> -stream -xœeU9²,GôûeË@@Q ‡!é¡%bd(dèúʤ—÷ÿ(žÑ¯ -’$¡T¬)ÿ®ïë¯ãïãÇ_¢ýþÏaíÏc‹®½Ú¿G—=ûÌöÓ1ÄF¬lÖ]töö×ãqu‰Ý¦‹÷5š”<8Ǘý:\;âúãñ‰üéÆ&ÞЇ h—õ:ÀÀX=&02²oÒCó eD3PMtð1CrZûbœ7³}t€mA£d«·íä'ÐWŠ!è®»½KO(°ƒÔ¤‡tÙKb•^¦Ìì »å*’ÎÕBêFåmY¸™`Uõ´™Õ -¿nܞ í½³`*TûÞ£jg“¾=Ås–A½R?Ô =}³ځ§l -¤Ï’ÃigÙ¥—ÇáC6uéíÛ&”\Ê GTœ„Méêö–KòlÜ’Fyu|?é%åiÈ¥K”êNÊq{vˆ*êèJE¢]8hÍò¤p0R±ˆ$Á(+Á nÖN¬ -qª„Ñ«ò^ÿï>‹«>÷— .13ׅӃ!¶3¢SËAՔih¥Å¨Š^…(€<Îm䦽ªšÛÆlLÊâ³ò7ÙaÆ´Ëdô 6(WðÚºK -г2"ïE9~  -n*Œ1½÷¨¾x¥Æˆpîâ‹&Xîܧ³±è\íD¤ßä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9Ê΁r)`˜¢Xh¡Ò& „hb—H°Œe"Ãêʱ„£~ϓa³tŒºìZDß!#Z¶ÚÂk! 
e'jÝ=§ _tsÙ¬ûÍ&­Nå@‚i¬ˆ3t%kЁE„\H–YZxÿ/U¥Ç™åë—Φ@±¯iW H -þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BқÀÄ5©/¨vp÷o`kA“ôr ±ñœÓ4N.4Žæ&F°ÑTÆG%V½ Î'ÌØR5¬Bԋ`qUžv-UÍ=ëÆåQv2ë_ ”¿­qq‚~èr¯Ú5ÌJ¼ð˜°h»P¡õ‹kÜàéڏýªå>Ò¸D °o»Îi¸CrT]¿MJ¥ ÆÖ¹’°;¿ö‹ûóZ¼¬ å[Ç-œÁ¤ŸBx¿ýpü|üÈÂendstream -endobj -948 0 obj -<< -/Producer (AFPL Ghostscript 6.50) ->> -endobj -949 0 obj -<< -/Type /ExtGState -/Name /R4 -/TR /Identity -/OPM 1 -/SM 0.02 -/SA true ->> -endobj -950 0 obj -1049 -endobj -941 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [182.6146 670.4177 231.8861 682.4773] -/Subtype /Link -/A << /S /GoTo /D (notify) >> ->> endobj -942 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [108.9497 246.9384 182.6031 256.1538] -/Subtype /Link -/A << /S /GoTo /D (statsfile) >> ->> endobj -943 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [293.8042 201.5839 355.0043 213.6435] -/Subtype /Link -/A << /S /GoTo /D (server_statement_definition_and_usage) >> ->> endobj -944 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [395.8905 201.5839 444.6373 213.6435] -/Subtype /Link -/A << /S /GoTo /D (incremental_zone_transfers) >> ->> endobj -945 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [309.3157 170.8346 370.5157 182.8942] -/Subtype /Link -/A << /S /GoTo /D (server_statement_definition_and_usage) >> ->> endobj -946 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [305.9683 140.0853 367.1684 152.1449] -/Subtype /Link -/A << /S /GoTo /D (server_statement_definition_and_usage) >> ->> endobj -940 0 obj << -/D [938 0 R /XYZ 85.0394 794.5015 null] ->> endobj -937 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F84 848 0 R /F56 618 0 R /F14 608 0 R >> -/XObject << /Im2 936 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -954 0 obj << -/Length 3752 -/Filter /FlateDecode ->> -stream -xÚ¥Ërã6òî¯ð-rUÄŸGÇcg'µ3™µ=µ[•ä@KÅ5E*"ióõÛ/€¤D;µû@ Ñ~Cê<„u'A’ëü<Í£ 
U|¾Ú…ç0öәœ¥CZŽ±~¼?ûá&Ñçy':9¿ßŒÖʂ0ËÔùýú×EèàVW¿|¾ùøÓ×Ûˋ4ZÜüåóÅRÇáâæã?¯¹õÓíå§O—·K•ÅjqõË/÷×·<”È?~üü!9ÞXôöúæúöúóÕõÅï÷?Ÿ]ßû³ŒÏ«Bƒùãì×ßÃó5ûç³00yŸ¿@' TžëóÝY› ŽŒqêìîì_~ÁÑ(Mã_gA¬£ä|i¢ ƒý繬‚T)@JãµÜÚðԌÜ>ý‡¿"׍ÄÙ¸}¶Mۉ]OÇFۘ ÍòT¬ö¦i¡(XºŸZù üvŽžñ…l[܅xûžÒ‚„÷O À"€â¤hza¿iÍÐy¦œÂC'a¸P!wEYyÒkÛ͐®Œ‚5q´ã.D¿^ÔÍaWT±:t‡  ™i0=•Ñ‹\Ê>_¸¸„?öv؝:f½— -q39€p":”ô”;ó‡ƒÅÂá^DUÄò ß#ù™Tø¾ØªB>@‚⇠§ºy©fŸÉâÑì‡b´Cœ”ž¥¾kÀc›ð/jÀ#¤·KÀ‰‹nµ]îŠýÞ®—˜Ò œ(iP5›,~—tJÅÄs§i` œñq3WVĪbònY¢€ÜèQÂi2J+È©rlâtññËs$‡ä$<4Iã ºgÌÁBᡏщcÈW³,ŸŠ]U¶hB…fŽ¥-žÁnh²- Gu(R `Á#2°Â–D‹ë,‹Çä41›=,,iØe0ê®Ü9r@g6}5gëHDSÚ;YZ܄D ÿ,ëþ7ÛWÐý]KŤ„ /Íá‰[¬1œáSŸ?OöPۊۨ8‚-^Z¤Ì­' âÖýÕnêšË(³¥gXg³ðu™ìq7º‘œH‹-RRЁ «•Ýs z¬¦Jâ%҃óÚfõD9@]m5Æ;eQ£IÃUYâPÌçäÉ]ΝÂÉG’’,µÜĸî±&q†§`Iê$Zä]p¨(+.÷9-ˆ®Ìô=ûÏTr7h°N!d/â3ވGgOûþ°oÜ:ÇU\å’éUÓ aX¿ièt&†Æ»–nŒõ¶©óX¸yù½;ûÂu¹ÁȀëjòb„)›wÉñX3ôLìTœâ S2%Hže ³øÌÛwÜä׏ȽgEfYD&PtŠŸÚ¾p£1¾¨ˆ‹Ö#¤] -zà6+¶FÁ,]ví,ZQ| ÐÂeŸÏy{âJ_"ê–G -`â ?P"Î!Å®Ž#ãÅ^&X»ƒŸæ­v`L)zƒq9 8¥Æ<é{6ÏBÐXu@‡`ÏŝóµlËÁ·žI码]·…”ªoyHȑz=BVEµê«¢sp†ò›ô™ùbHŽŠWT©ÓXÔtEÖê39;ÀS‰ü#¿YI .r5¸(&6~×2ð¿ £\~‚Ž»l‹Ibg¤‡"|€¬­,±*dƒYŸ.gWv£€l.|א´ü”k‹ìƒ"ÑòÄ¢ç\¡ýH$¦°±HÌf?bTˆ²è^±wºª4=´Vº dŒéš[þ¡"€ô®_!‰)WèŒûB…[‹íVX³@”–s\x)הÿ…fÁñ„3Ðð/#&”WðÐ +ˆF]}ù*+ÔÙÙ]Cy´ÁǶýι€Ó}"g[¸6%9=ö!½6¡à{…T)V‘ßÒ:t†¤uØðZ‡®h.@i½Z*”Áí+Ûq>›AO ørL=VÆzØwªÆ´'¥á$.'zz̼:"™›™ûâø"—r>>†þi9aëÄI"Ž¸$IhÈᡬ9¸&+ -"þ,Bp¤Ž—;ÞïÙÞ¶IÒæ1ýnC¥'óLµuɎ·»}s(¥+¡r­ÈþqɐÅknö"2kƒ•dŠ'ªœ¥*wotºùT1⠋žì~]K} ü҇Ïww×Wî·"{°HP…0äº.V¯"H%¿Ö|±„lqöÇNZë 9~ÿçN!\AæpDpI*¿[Ù¨h… |ŵ®+#(Ïò^“½GÇ?QsÇByáóÜùD - K”%Éß)WY‚|ÁÌÞjè—øÛ?~W¥É²7 §N38,"D!áQtª TdÒ3¤ÿÆ Hïendstream -endobj -953 0 obj << -/Type /Page -/Contents 954 0 R -/Resources 952 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 947 0 R ->> endobj -955 0 obj << -/D [953 0 R /XYZ 56.6929 794.5015 null] ->> endobj -952 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -958 0 obj << -/Length 3405 -/Filter /FlateDecode ->> -stream -xÚ­Ërã6òî¯Ð-rÕƒ_GgY§6άí­Ú­$Z¢dÖP¤#RV¼_¿ÝèDR”|Ø­ÔD`£n4ú «™„ÿÔ,„4™%™‘TÑl¹½’³ 
Ìýt¥gá‘}¬¯>~õ,Y¬ãÙ㺷W*dšªÙãê·ù§¿Ý|{ür½Ð‘œÇâzÅrþãíÝg‚dôóé×»¯·?ýóþæ:±óÇÛ_ï|ÿåë—û/wŸ¾\/T)X¯y‡3 ¾Þþý ~º¿ù嗛ûë?¾úòÎÒ?¯’òçÕoÈÙ -Žýó•&K£Ù>¤PY¦gÛ+Yc<¤ºz¸úGØ°7ë–NÉÏF©ˆ´g cEÓR–BF µEe"6Ú)ÛI){,”òŸûb÷V5›ñq•Ž…”Q{ŠrÀš mz¤•‘"KãdHûá¥X–ë7»™ž‹î¹Øч㊆ÀÛ¦¬7ôÑ>7ûjEã§í¼íò]W¬Â.5ê|끮ߨl~»Æ“Ž$c”©Ñ j,“ÑA¬6Mç»|Ù¡ ¼-®ÕœqòzE8í[ÝåïÖ­+v]^2åU³¥1LPˆ¡šõ2‰¶v¨–Û¼%ª&v*Z¹Uðd?6<ñùî|‚—¦n=–EùêŽ µ5[ú¢# .ºC³ûî¼q -²cðªXçûª£×Üi1°\6n§•ÓY·WãN"ý(^ìÛ|ƒžfóœ¸ÉˆÕñü+lpªÞ‰V[¯Ý,€Iå6ÊXFûOS#cH„ì uü(Û Ri*²$ó¤ÖyYMR‘°™J‚ëÉÖ5St¢„ÚVùk1±!øf¥eôäüïê)BFh«'8‡}SРö@’EŸ¨!ÀƒÐÊ7ÔôJGÝx.Öúø]Fr‚c¥µˆ¢4cnv¬¦S¾Ü^ï¶`;5"wÙó)±8‚‹ÊQnêf7y™0&Kúr›&t¤Y€Eš(bg‚Ä-T:ß;3%¯4\›¼¢ásÓvlßøù‘0·¨]@~€gÙ$x<9É·>ʦî¿~¢Ai^Y3b˜Jµâ)ænÛ¬Jläëõ1ŠÖÃ@)И iÊ¡(Fn}$SN‰ ‘8y©œËЊ­–^ÏÐj—YÈàtM ›ô}ssC:1Ìüò/°‚²jAÃuÏo;F¯Z&x™ öËîò=÷Ayg-“¹óßÒ»Mܦ„ÿwCsÎùÃÔÝÃ<üzCŠÁ àô6Éܺ;⇠ØÅ+ü%âSæ!ž{¼Ÿ¤4娘æ±2¦ÞÜRn `( –õªÄeå‘óŽ':‚¸Ì¾sú¤_‹]ËÛWMó}ÿÂÖËéÓџ\楨Ç¢{+9‹»½[Ü|þ|/nî¿]gšô -Áßâ)ÐíÝ#úœ)C£™„t·H¥¡<kÈ;À,•”,øcO­8$÷½ -ÞÓÚ-ê…SAK¦o„Ç$˜§Â8ZñrW>àà™ùø\«’Í -ñ ¶BNT´-:e+Àmç,:#øè§}G‡²}î/IœiÐ qœŒJ—ïÔû#¤X¿ò·k¥Æ÷ÈjV¿ž&V³\îw¼¢©«7Ú´©§¼@Ö×+zÈmbèw‘‡çrù<ŠÈ$ÈaIÄÅÜÂöܕ]ÞApcPÍ Åª)ÆèNØÃí9U¡í٨ˮõ•(ðÙâÆƉ€„ûrmÓC:_Úx$—*’ŸçJD‰Ê.R H§di'ø‰’˜].iÀc…’&Só£«ȶÈk¸ýõ¾¢™rMpRFôü Àª²í†’ Ø¾tAË paà¯yµç.à£dPªâY}η.w@a2 KӀõòTdՅd+S!«G¦G9 SŒNlOm&(¥6ôËu|oBCW̺íc_ã±ÝZòÚ)pýx=°$[wW„ãZt4 Ô‚C¨*‚r#Fäp–ì&i¬fÁ*Šjy„²¡§2¸ õL¢ƒ´ÎLÖ(‰m¿Ÿ‚\b…J ˜™y螺8)@ͼ{;òNɶÕÂ&@zàƒ†7rÞ¶%dk™Nß1îÖëöX=óFm[8öûàò.’öH¤‡Í7Ð{ƒÞ§ýdŒB÷6«ÁÂn¿ _­¸ÐoNC(®÷ß -qDêBƒ^\@ 1–«Xx,©Øü”ÉüŒœŽ0/«™îšòJ=›¡ª÷ˆ‡ôÊ'Tñ°À‡0­#Šû8à¬^S"䦚åµÙsfBÐÆãÓÏ å¶ ß„qäm‰Y6œ*j$5í ›ªyr͞ðGþ¸åUÍd½…[ÅÆeC»rµr¶[ŠhÏéÇ5Yœ¸aÎeƄ ™ö‹þ k³'8‰Û¢#ÈK¾ëÊå“>÷}¬6Ëé ÷-ó²*]æ¶æÌ¿îoh€("ð‚N&0yš ‘ÕæÒO¶M ùDï,œMø¼¤ª>øô¥º‰S|Ð3ÈՄÂþØ0Mî63Ü÷l>à/ú Nþt_gôBºpNo*Zh3fb"Ê,0tú0á±Þaãt·Ð×<ÌD¢”ñEé=†‹žÏû¼Z´]¾ä&ÐgÖ* "Ù_ˆ=DG0Rø6£/IñÃgø‘ëpt¨è`•»D ì'›]:”Nݪãþ;æîè Òv §ªØ2Wõ‡f*ä›ù“¯Ì`³Õ¾8öR'ì¾ -Rñ-ÿvÿòâx$ÖEéZ°}µC}Hì-d”c½L£-ðVÖç³am•ˆµz'îc˜Ë¥cáíñê‘ÒX›dÑeփؙ@ÞËtÈÅ všD±dpäk&~Ä} £pãIêtX’¼äWC£Pâ%uñ÷©ñ³tmnw§PŠ¹·¤E¤l:Êw¾¡2 {O Ö¼u©ºuE8$XÇ^~Qbn½!ø A!ÛàvO™<=ƹÝ@›yACoÕk1ØÉøܑ¡€¾¶°ç´<3‚„Ú@Y -ÁÂuµ"í†3œU$^ĄG9Gâ‰FN›(I}&œ…º`Üy¤0˜KÉ 
ê8%‘°Rû><—@’DZ%i_WxõÔ0_ùJ:Š€¬š_•\”áϞx\‘ËhO…k\•-ÞÒꌑ/›í6”Íɍ»í…ØLynfø*æ[±ááUÎvªí®D’Õk»O‡ƒŸO!vOõÀ,‡ƒ›ž >5u·kª÷›aa×k`Ú||„úƔôÀìOö_î¨}®1¹£¡"Yú’ .“¶ƒLš&œƒ>br((¨„s©²òÖvÅVP_õá4u°©lÆ=r¦üö~!uø‹þ‚‰˜}²ï0uÖ@šBù‰ ¤©NüœxހõÞý+£Dš$Úgpá"‡'ÏÖ -ÿÎàêk‚üðÙ,&NGô‡ V¡á¦µ‹ =>ÜñL•ƒðËGpk!” ‰fl!†{­d3ÀÅ·Iš…”§Þx†¨~r´  ȀE¤õèýÚE›ÔwAa@[âˆ^vÛ)'“¹×Mÿ„4ºÓ÷&£Lž‹ßhwnÃè‰éõšpYó6ñ^i´ÖƽgÚ©> Đ( AÄÏ%ëaé@o‡Ë¼åև™`æ=|³è8¡"ѧ%$)“lB”Ä™?~¨B] -rYp dÇɘuðkqQ¿6)}^DñFƒÞbÂG~èÙÛ Qh~¿5°,sÇW‰™‰õ0‚Ž:L—^}…þ¼¦9F ü˜4ßí±ÀœzÍæ@<ÿÐútÚýñ؊8÷ggñoÅ&Üüã{ýŸÿ$íø÷zP8ƒé3µ¥ŒE -™Šg -j£³áà”õÿÃA'endstream -endobj -957 0 obj << -/Type /Page -/Contents 958 0 R -/Resources 956 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 947 0 R -/Annots [ 961 0 R 964 0 R ] ->> endobj -961 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [367.5469 342.5455 428.747 354.4457] -/Subtype /Link -/A << /S /GoTo /D (zone_statement_grammar) >> ->> endobj -964 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [483.4431 140.0267 539.579 152.0863] -/Subtype /Link -/A << /S /GoTo /D (address_match_lists) >> ->> endobj -959 0 obj << -/D [957 0 R /XYZ 85.0394 794.5015 null] ->> endobj -350 0 obj << -/D [957 0 R /XYZ 85.0394 576.6195 null] ->> endobj -960 0 obj << -/D [957 0 R /XYZ 85.0394 549.9907 null] ->> endobj -354 0 obj << -/D [957 0 R /XYZ 85.0394 326.4739 null] ->> endobj -962 0 obj << -/D [957 0 R /XYZ 85.0394 302.824 null] ->> endobj -358 0 obj << -/D [957 0 R /XYZ 85.0394 185.8791 null] ->> endobj -963 0 obj << -/D [957 0 R /XYZ 85.0394 162.3886 null] ->> endobj -956 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -968 0 obj << -/Length 3222 -/Filter /FlateDecode ->> -stream -xÚµ]“Û¶ñý~…úT݌…_8yrœsr™ÚqÎ×éC’J¢,Ž%R©»¨þ÷.° ˆ¤(3IÏãáX.‹ý†ø$|¢S–f"›˜L1p=Ylo’É'˜ûî†Î, ͺXß<Þ|õ6“Œe©H'«-Ëkùäqùó4e‚Ý…dúæÇ÷oï¿ûçÃë[£¦÷?¾¿ LßÞÿã¡ï^¿{÷úávÆ­æÓ7ß¿þðx÷€S)Ñøæþý·8’áãч»·wwïßÜÝþúøÃÍÝcÜKw¿<‘n#¿Ýüük2Y¶¸I˜Ì¬ž<ÃKÂx–‰ÉöFiÉ´’2Œln>Þü vfý§còSÚ2-T -’”ÌÊ̌K™3Ã9 
•°4å6JYJ9`9)ç›Mý<ûíPìÃs.X"U烱Å#ÖÈê²³:ç†%<•ýå?îŠEùK’ˆ¢ù[;}^—‹µ³éºnZÍ÷·ÜN ÷,Kœikl>ã@íQ—e•ÃŽüÔ·ï?âì²i˺j˜Ûê@:"ÓL¤VÀ®Fä2Ø ‹à)'Üm~$67Mí°'3i-ËîåÃ2­…Gœ»€º5q×K(+|¶ëb„5+€HWûw]#, Å$qš6o‹mQµ¯cI¤¤ à"oˆ›²uO9­ŸŠý¾\ú“¸È · 3Vƅê(~q]f _CY˜d‰¶2 }Àý -­²ª[:’{…#ŽM,‹U~Ø^ÙÐlOÏ‚Ž¿² ù•×–z±ðªÇÎ\ÙYj5³Bg׍±‹uÙ#ÖIéöÅâ°o@¬g)À=¥¯3±F8è¤t×ú©Ò¨2ƒðdJw f¼Äá¹Í?!ªßÓ ÎÀ}±ÆC8|Z#½v]ÒTSìA)‡7.“ &œBx½q+Ê¾ ´ÄjÒc:Zb,j‰!'blÔÀ2ml‡ixé(`£âÀ0)ÎLfrú¾néËvÓŠË²ñ‹”Õ'è¯ã¶”ôM ®*µœ®À»y LJ[¡ep¼­8`‡´ŸÀÈpÀ ¡ÿÙiî ?ha½'Ï 'œ·yø<§¯JZ*ßàùòHÕ`%:@ˆ Ó¿7ýíáQ-òź¸liÑãªã3òµôÌÀ¢Èà–%ø¦=™07ÓÇ0ÓqØ^¥|ÈжÓD -9C 6ÿ¹¥‰ Uñ5‚ÿ‹Í’A¾y…äƒLCEî–cíÒ >QB8»ÂTb†²&c– ݷΰ}´ge¦Ï¥wÊ¢`dWìÒ¶X’ {¼ÍÄ´Fœ¢Êç‹KÜ,P~…ÈÞ«­ŽcrÊ8ãZôs—Qå†} îÀc’hóê$ûõ‹¢u™5¤Û‘-t2™>囃÷E× {AÖÕë\‚)aÿØW&„íÂ1Ðd*Ó'ÛÙÞU ORú¤¤-šÈóˆ/‹úP6£g­—‡)‡ä éòô®P[pé¯Ü¡ƒ‘•Õm,t ºÙAþTÎËMÙÁ;y‡5óÅ¢h„ði‹Llp¬YׇÍa"Ü"•ç²]V&›Äcˆ%V1×"ô‘€äý&G~ -]“h?…[ˆAÅQ9@±10Àp؛ƒûÚNcEÞ‚Ësu…Ï ¡×ò#!Æ8اâ~ÙßwuS„AÜî y4ájÔd—º%}2Y5.Bÿ #÷(a\.IؔOÎ!«^Ò\81íô¦êW7/mÛ|ñ¹ùš²Û¢F içv&²: .²àÜþӁ‡N( -è³.þy$:£êQ±pÉ<²b˜²¢ ‚ÓiÚçå¼d X/° Dégšõy@݇õ·uWÞË¢ÍËÍåŒ\e†©Ä¼Pw±.ç ëäJŸÒYs¬@w S½A -%Â\ç!b0ÑKTʬU}&16šÊ-„Ÿs?˜‚z¶ÑaA©IŽ&&¾zÚlëÚ;7¸‡XRi/™ÕÓ×ðGx5¤øÌ«åàïýR¨œ­R}7ñ‹ª*çÞà“M>/6Åw¤m¦óP©G'¡lÿ2œ“göäDsN{I‰·4ð6Fáç"j”[~]T¡" Dy ê…Ï@‰s »“‰àø²±©ƒžviù„œÅ &­B%Z~ªHËÉe«vž Þa•}=ÒKXܺâ Þ<],œ³Yªú¶‹ÍNÎù””ê§ËÝE—?gycÀ¥Â±«sÂ> -Ë)ښÖ{¼¤¡ç%‘sP& 5QuÙèÝýF¨ñÎÍ” …€oœ:¤LÛLÄûï· .PaÝ»Bi•C<²ÄW(íUªC‚ã çSâG¾PÁ »zï!Rў‰PÏð¨&9ú›ç0zêÝÁKçX|1tÄá9UG}_ -‡°_|́)(ÿ¸óG(4§ØE5««‘Ï"nOÐ獆Hm¿€´’,µÁÙµùg,Â9ÈŸ¸F¾ÁRÖIÔU|š£” ÕÆô*t¨ðôébT×Õ5Ã:ê@m!TË$aÆ@ýd‚eÖÚñë±Y¤8ë’ôN§ÇŸàœÜlDÃXÙBT2©…«9ä_Èd ø“$ -N½Ç¤÷€/›à ´mÄRt2(»ƒP1è +ŽçúKRu¶ÇÙS:֑…\–KÕ« ¨¾ òà€í6E©v¨„VG\‡z¤ëëdФˆ#!ÃP´axBes˧xûÙ¡eéŠj÷wd £+lIOfôטA½WV‹zKúÞutãïêÐÏEŒûOé¨.ýËõ0ÎýÌÀ1~Qï{@ً71ƒT(±Óœ&bÔ[Ù¨|ã.d -þ Rȉ͘\þé Î:ÏC073`÷q݋i‚à ªã¿ŠÃHð:‡€ÂD³‡—r §•†´=j÷\ú9$ÀSµÿ²ÑAlzFçÜ OÉœ^•À›g7Š†æ·.•*>Ùå{×òÇb*͘|paÒԋÏÞÑJº“—îr» ÖÛBњñµïá%i©4ԅˆ,JK‚BbŠˆ­hÁ5‘«w0Šæ¯ÍĵEx¢¢Ÿ+üúÃ=avÞ{Ž\šPÈËÂ&l2ý%ÑI´¯Þ19 Ϗ{¶ˆ·¨+wØà(þÞ)™>¼}ƒRe²{sZ X†û$Àž+ØIŽ?‰ áªCƒŸblÌBdîò ®n¹ kšK?Ž“š©ñ{øOý§8wúU¡2Lº{ÀÑf„0–) Dˆ)w *=o½€iÊTŒ°þ?1øEýendstream -endobj -967 0 obj << -/Type /Page -/Contents 968 0 R -/Resources 966 
0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 947 0 R -/Annots [ 970 0 R ] ->> endobj -970 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [369.8158 524.5277 418.5625 536.5873] -/Subtype /Link -/A << /S /GoTo /D (dynamic_update_security) >> ->> endobj -969 0 obj << -/D [967 0 R /XYZ 56.6929 794.5015 null] ->> endobj -362 0 obj << -/D [967 0 R /XYZ 56.6929 355.3526 null] ->> endobj -971 0 obj << -/D [967 0 R /XYZ 56.6929 331.517 null] ->> endobj -966 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -975 0 obj << -/Length 2574 -/Filter /FlateDecode ->> -stream -xÚ­YOwÛ8¿çSxO#ï«Xþ—Øž2mÚͼmÚI=‡Ù™9(¶ëU–\ËN&³o¿û%K¶’v·}9ˆAXL8ü‰IjWNO§™áÂLæë3>¹…¹·g"ðÄ-SÜçúqvöü•ǜ•v2[öd¥Œ§©˜Ì¿E¯þqþavq=¥á‘eÓØXýxyõš(Ž>¯Þ_½¹|ûËõù4ÑÑìòý‘¯/Þ\\_\½º˜Æ"5ÖË á‘o.ÿyA£·×çïޝ_Oÿ˜ýtv1ëÎÒ?¯à -òùì·?ødÇþéŒ3åR3¹‡8ÎÉÉúLŌVª¥”gÏ~îöfýÒ1û•2“ÊdĀZÐ8f•TހÙb±Š4ʛޜ‹.—pÄÄE»Uƒ”GÍC³Ë×D¬«ò¨«¬!RQÍëõ¦ÌwýüÃ%M4ûͦÞ¬·D½üpgŸ!-‰Võ}~—oÑƁÒíy“¯²»©ˆ -¿ EC_â@éÙ:ð‚"p `‹X挑þ`»U¶£»¢­a[kÖñ&Ì)™zÞs8¹QY4;‰¨^e“mwÅ|_f[ú•'ŽžÝò†&çYEƒ¬ljâºÉ‰Òlòyñ;ç2_ÀI•LÀj4s¿*æ«v}“Ó2H¿.ߢ:íòª -¶[µ| i700…HSÏ?åǦÈ3ÜG=ՈÐ;Ù3¢Ð¿·™ÿ.J˜ :Z ¿÷«4’é‚`°È›‚VÁä&Ü%nMÒÎß<I ǽ±wûrW€Óá¸y'4g0r°Éjq]ÅpsÄ܏ cY":æz³+ê*hç¯ÓëÔÙ7ùcDtvü3CßF¢MÒ»„)­ÒVñäTŸØrý›>Yõð’Fÿy9æϧ )¸p$¤Òa“œ‹‹›ôŋçJ¾ßáÈ°Ÿt,Mç÷»/ÊËM”WÙM‰ÉuðL V>üÔù(P½[TCŠQDñž‡Ђ!–`î8–`òwnø}±["6EuÛ*ê-æÁ#ì÷sX(0ĀžU‹N«ƒ’ŽÂ™`>á´÷h¤n8:Ò ™Yp²”ªn }½™pfC‹1¾þ¤©ÁÍépX\ÒŲŸ£S…}¼‘Jዣu¶›¯ ‚F¿íh–±8šMŒjòåuö)?ŽÀp·8ö‡Äyb€€ðõ·0Ö>†#@#q¿2@ªºÊ¿Æé`—ËV눐’¥ðþßqcpÔ~PßhI6rxö™ÜMàa DГaº1“ý¼Ï·Að9ˆC 7¡fN ÝÙPµÇQ½ã(H–uÞT?ìhâSUßñfUsO¼@¬iMFÿ~Þç šã4  Bâ*‹KjzY §ÓcԐà0%M{_^RÜÔûí<9pܱ áp£GֆSÙÐ  ä¾D#ЃA³÷ôm3îû 8QêÔÀ÷1CV}cäéµÌȎ?{ÔÏ aå[ьHïšD–¿éÆÀ€jh%l!Ç×ÅnG¹–VÞ20yôdH„ybÞª$DÓÊ&§6ìzyuþúõI  à ×`”Y.õ×T¸ˆ\£5@ÜIŒû")Á˜?IY* hêØ|r{õëˆù­ÓI8‰Z#•d”Ê&c (¢(*ÎÓ&C\»‚2̘´ÅX#J¨’¤|ÊÓÜÊ'üà™Û¾Héšá{ðxâѐ¸…˜­×4ÞW›mqW”ù­ÏBJÀ†‘Ï‘»AY#ï‰VLÝ9þ]],â;ï›åÅ@êX"uk „‘sLh— ĆKœNìáR·îì“[Z0·á­1GóÛð~…Œ d/wd€àÀ³ôsގ‘Ë|¾ƒü,äÎùv—A¾W'$γCu°Ì ‡Ohm$‹n•¤-X§äö6! 
áP,X¢•>øΤuáÞD뛓=œ.2Ì%‰é¯¡ TRâ;÷4®žê ;™õä¤71T/q#«¼~¶¿èåc •f¬ýºÎ„TrF£<&©bV+÷¸,ZÇAV¶+Ž®ëÉ.YöñMu6A0à‹¥À%eJQžsÕstcµ¯‡ Žþn@@¦[]Djš)¡™7ƒ'ŸÁ”®UOoìOz°€'<¿\ËÉëÎ3é©•÷û&ö\&Œ'óJ)àRTzù Ñá]òo’–jX¨ã,Æ~19ñ6€‡©'ZiÈ -]?ÂT0"ϜJ Ò°¬¯¼p•ú(ÝõÛ=&²œ*î!ÿ¹©±€ÁÑ/¯?g5¸V.Xj´ÆÉìÕlàèV7x¾!‚oÙè•Üûþ‘i;C¾´é€QDÏ6›Ò'N8×v§ !XtAÂñˆGV=¢I.ï‘1ÃC>„ Bs\JâÒ¤Ø'Á¼—ø’yxa€Ü€¤²Pkҏƒo - bã ~‰Äo|ÀW¨«Åw‘€d­ø_NÚ®x DĞ1ɗ@Dê“.ó=QDrŽn¾?Œô%?#šr‚‘yNçû‘§¡á)@¥óí -j–èÁ¹G‡§a2R¥­=Î^†ä˜JÛäjÞbù%ìWáð‚ÑŠÇ££Áßæ3ß?:†n(LêÆsõ–MË8°õkö$Ôìÿª«-ͦBˆÈßÔ½_®Üé,}›ë|¾Êª¢Y‡ÿ}ëÖ2›ç¡ÊÅ2Ý&Ñ2›S•Åη¡ô—WÅ3uZ ëß&ßÑ , é³u5¨Ÿ}]ï«Àè›ì¸ Î´‹ï¬õò{ú„’TîwMNzÆÃlsY—e}ߥ§ƒ>/¾ ü÷¯ÎðÝÎ'ޘrÆ ÀäñR 5þËVà‰{L»BËä# -B6¦˜9Þv 7ýäÎÓéÖj$Àlb†{¿öíÊÊw#dJÕsݖõMV)üP#‡0K•tzÒÊí±„ö PBû†ÈÔMõk»®†LÛßP€!tC€võ~vùæW¯a‡ì6oB‚P#}Ðõ¼æ~•Wyh pjˆP¶ä͊¨ózó@#òÆö·Ë;—ç¡Ã"¼£RS!MCüøľ $ ÿ£êI9œÕ†~߂8Úõƒý~;]}kè’êóšZXRiOÒÊW»ŽG«¼Ü„¡÷døæU³oÍ*hsþä”ê¸ðCŽk£ØP—0ª`‡]¹bþɇŠ_^ÝQê6B*Z GÌJÌ‘Øu꼪Ô)­K Ã_9G\™wo÷7ÿ˜zÀfÀӔÊñ PܲTBÙ”BÓëäXóîW×SÕÿ ’úžçendstream -endobj -974 0 obj << -/Type /Page -/Contents 975 0 R -/Resources 973 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 947 0 R ->> endobj -976 0 obj << -/D [974 0 R /XYZ 85.0394 794.5015 null] ->> endobj -366 0 obj << -/D [974 0 R /XYZ 85.0394 532.5775 null] ->> endobj -977 0 obj << -/D [974 0 R /XYZ 85.0394 507.7956 null] ->> endobj -370 0 obj << -/D [974 0 R /XYZ 85.0394 170.1477 null] ->> endobj -737 0 obj << -/D [974 0 R /XYZ 85.0394 148.8279 null] ->> endobj -973 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F84 848 0 R /F86 980 0 R >> -/XObject << /Im2 936 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -983 0 obj << -/Length 3570 -/Filter /FlateDecode ->> -stream -xÚÝZÝoã6Ï_‘·:ÀšÇQ"·Ûl/Åuwo›âp×öA±åX¨-¹–½iÎP_–wÀ…L‘#r8󛥮%üÔµME굿Î|"¬Töz±½’׏0öí•bšy$š÷©¾¾¿úËûT_{áS^߯zs9!S×÷˟f©Ðâf³w?¼¿ûöÇÏoo²dv÷ñÃÍ\[9{÷·[j}ûùí÷ß¿ý|3WΪٻ¿¾ýtû™†Ržãë»ßP§¿3“~¾}ûùöûۛ_î¿»º½o÷Ò߯’7òÛÕO¿Èë%lû»+)Œwöú ¤PÞëëíUb°‰1±gsõÃÕßÛ {£áÕIù))´Y -01=:%¬÷ö:³^¤F› À¼Â=e_ÔÊã2\ lšz^ՇrõÌ´ýY­.…ɈvS6QªgeƒÿjöX~)*îâÿ|bÉL‰,ISžæßuUL¬¥Aª>µLÔòC±-ªÃœÖÎÊ­øTn6´Pý¥ØïËeAO‡u1¹WpJñ†–Ëýr³¢i 
-^9(Ü÷h7õC¾™Ô‚*iwòä´P™µCÈÁì¬xk!ga@¤-<dÇ É -Z>Þß½ÿ'µ·°ƒü1ìžVõž‡uÎĨðFÉÙýš§Z«ü¸a‚²‰¯ðh±Ýž©ÉìBëgi%È;´Y0¡ûþYJ½ÈŠÝ[@¯Ä‰Ç»Q*½Î¤ZfÙADó>9ˆI©PVÛü÷ùaŸWͪêÊm1/«1#ÊJaÝe>˜f‚ÜÕ6UfÈÇ]õP«%ˆÝ%l؊¬5øhfû7;VUY=Ò𦮁o"]ƒ³ãVÙPk›WÏô涬Ž‡‚» IØzˆëûm9'PexUÙSØÞòU¨PZ2Ðâ’ ššëú¸oHÛÃé@åö¸¥‡/ùæX g֎—ÍŸ{³&ҌV¼ˆ¤4Õ"‰\FRŸê<’ZªI$•ËÍ$’’L8%íeNZª V†h‚Q¯Ü—MªE“¢I!:~%$A-ÿw÷ú1ú:êEO& d©YÊ¢ÐoԌÁÏ .ÅàR#p)ˆqº ê‚+=‡-Õaëÿ- ™Jê_@VGtXLtÞCÕÇé‹J…R^]ä£%:ed«ô$¤=N> +ÌC8~C«+|ì;)|Þ<ØOê২³(BShµŠí¥:ŠB¾Ò‡’‡lPú?©Ÿ²Y†íÓËhêS‡SKuÞOMâ òäÄ¿ÀJK5ÁËÐQ9aŒ1ÓAÊÈ)#åÀSIÕy*hOÿž -^ žJFlÑ»ÁSIÂÖ bˆGØSI‚Wx‹EÂKÁ£ªd0˜äÏá­¬±¨ýÀzT©Bž^ìË|3ÿíXìŸç{Ö ° Êó2L3±þT&Þ@.5`à‡Mþ%f4òò…“iÝ tï€ÅzY.òÍæ™Æ·4¸Í›CpVÐÝ{_ã#ücö¼  Ý„ÎrEìií2ç«ãöç ¸²È+„ìA \ÏÎÏà ÎnóŚú›clEf¡y¤Ó´rú#Õs×l ùs`(+꣤§Û´+Ò.oæY2ûŠg«ŠÃS½ÿ•òjùT.k:üÉ¡EÜßx8‹%„úM¹ çTÈh!èk¹€vàSƒ8#ÑÂ.–xÌÕ*)€Æ÷¦lFsXÑì¼ÜÓºÛ^ð„(¡2HIÈEÐCΰpŒrlo@M&6±µÀ®–&Q?‚+x>ݞïé(Ž»VjB¢Ä¡ÀH šà‘`óÁ¡DÒ9qE‘ÙnïRÅ3  ˜]‹ºZ -:»ÞÓÎ`ÛÒg­¢rÒ­AJpΩ$༷Ée§Ò§:ïTZª‘xqoc¢œH_Xi&xmDš€G¬~‡êÑ>‚S»™Cõs©…c9X¸<ÃûhÑ4:I’0hA*nÀz¤~èéÔ½­úa ¨ú@¹‹ãž t¦aWDïp|SŒ÷üP,àyÒ¸Fƀ'Ùlê§bI#èñ?DMøØÀ )D#õ(òBƒ«d8†Ù+Ö#3ËÒÄqO˚Ös¡ÂÈÙ¡„e×¼^Ü5ŽÃ®§ì¶ÏY= àÄ7GŽGœÇªæT¢ó5•ªõmAé5ªUR§Õ²û¹« Îää÷4•÷î.–€—±»KÐ݁¯ jԉ‡3U6²Ü¶8Óm:W8¨åMÌbBlCEãã±!r­gB™DòÇ|`–dn$3îÄx)Re_(ûô©Î»“–*H§Ÿ¯êý6?Mµ…¹ÌDK5ÁÅ0SÑ,I‡lü+$ ÊÛ~‹ ØxàqÒ¶X)ᥧšKÈ>`'¼¡–”6Ö¼™Š]&Î'1zs`à &˜(H& dÛÖËÁb¦ìB8é5Ó`ÎÍóM……PÓW”!ÙÁé(·˜†Ù2tF—cÜ)aSwâc­ã°–…$„zâېëRB ‹ÉR ¨éY„ƒiÅädœšù¡…øt¹lÄT\¡R\O',éêv(›³ú‚¤Xãõ MC¢ ÛB -L}óáêáZ0õ†{Ù Âዢ߻ '¹¤W¢èil9µ' öü'¯D†‰jkß»|ñ+óž7´b8ÍQí;Õd“Q)é”w­²ï uæü¿«›¦|Ø0)d`5ÓËHLâP çÔkQï„TíõGÉ«oë.;ÍfE°ãP/ùêG›ÙC8d süR]…s ´šãnWïá@ʱ •€ «F1=Gnò„ã ÷UÅ5ây›tê «'ñÜ¡K̵9:n¦ézœø‰)²:Ðâa±.øçå(ÜÇjD J´ Jþº-㙶z&„ädB8LLÙ7!$=cBü݂PY:Š”†Fïžh -8Î4‡&‚o¼_„’sÐÿj¬.‚A“KŽÐŠ—ò4ç -“Í‹5äaÙ÷Ԃ5pmsW™ð*¯D’¥ö2 -ûTçQØR Q#ZuZºÑN$‰Q—¹h©&Ø0£Ï]8 ùàB_¿°]팋'Jv«×ᑾ•ŒEìz`Êì Þß³Ó buppâpEWȟ—!ÿ„¿ø…‘ØÙÖ¡ÏU¾å‡tðСlìy˾*߁ʟ•†Ì ¬#ºo=峅ϲ´Œ|UTiù“¨0„Å8‡J È9׏a«!:°1ããÊGˆŠ+¦F鉘¡¨ZŠƒ1f(ÕÅ qÌÀúëè(:`Å)¥GÑ¡·¤âè€D!µësÓW"+=%žÊp”¿Vˆb­O!Öiþîà QÇÜ:Q>IDñUND±É—ÄDԝ­”'Õ›ö«ÎœNN°þê#ån½'á"o+ZíL®kà|•%£3òÿ,ÕUÊH¤_¸ŽíS]ð‘‘êä<çÖÅé}™†ó ÝE&Zª¸PÚ#$^ÅÅL ´ÌŬ±-z„ë1ÙV=L—ÕÿnŽÉøŽ}&þ³ËjºbòéKB­ûwŸ¨V\ ú|‘²8±Ü¸Q 
«âÄâ̪8P5Ƒ…óè°tÁšÖý[O§æ~hàdl˜ :1stC™ ÞíW$à™7Ëôôfê¸Kçh›r͊¯,mçÎf?~ó‰z°ðfXÌÊâ~-}S^uM½2qÚ­ /?QÍxç[>ƒÇ*4~Ü-Ár”‡†M­ˆ$~Ÿ(ÇÆH ®„iƒSCOAa:8ü£Ü™Ú üÇÍ&0}1˜A3B›/h›# K“à k¬¹1Ä¥Ö|‚îåF…rŒ6á:n¿ÊüÎÏZ'‹MÝ̇»#àM8âáw¨H‡m^;^Špg5ÞBwªÍ%$ÚãœùnWä{ê Ÿ8hçE€¹¿j&ˋ©°*õíW¨›ú©ûd¢2’‰DêqÉW@Lù6ÜXtOx(Ùæ£ÿõwãÝGõI& G8óy€Î ktXÂ'¦p‰;uñüù)ëÿÉ%#endstream -endobj -982 0 obj << -/Type /Page -/Contents 983 0 R -/Resources 981 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 947 0 R ->> endobj -984 0 obj << -/D [982 0 R /XYZ 56.6929 794.5015 null] ->> endobj -981 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -987 0 obj << -/Length 3209 -/Filter /FlateDecode ->> -stream -xÚ­Z[sÛ¶~÷¯Ð[噐ÅàcÚ:9î´IŽã>œiû@K´Í‰Dª¢dÅùõÝÅ)A²;=ã —%°Xì~{!ù„ÁŸ83Y¨‰-T®דÙò‚M`îý4Y$ʆT?Ü^|ÿΈI‘F˜Éíý`-—3çøävþûôÇÿ¼ýt{us™ ͦ&¿Ì´aÓ®?üD#ýüøñûë÷¿Ý¼½´jz{ýñ ß\½»º¹úðãÕeƝæð¼+œxàÝõ/WÔzóö×_ßÞ\þyûóÅÕm–áy9“x¿.~ÿ“MæpìŸ/X. §';谜…˜,/”–¹VRƑÅÅç‹ÿö fý£)ùiérí„MPɁ9ƒ¶2«‹ÜH!½7œHÊé·ö’O›Ð¹«êæ›bºY—Mw_­×—ÜM«ù5Óúž[zBL뎺U5«ÿ`LTs¥d ¾Ç~nSnªeÕl葮ڄ d$ ü/\2‘¡ážÑÀ²‘uív=‹Ï ÏhY.á™ûvM”‹íù îÞàƒ“LZ‘;:–qžZ ÿÌÝؓ\Ogeƒ  ö ¤PÏçUúa¾¤î*ðöTW»@°&‚8óÍK gîÊ…â›ÏDT7³ÅvîŎÃeJ ®WüS‰ðœ £Â3û+ €Âj励võæ±nHÑÓW£ln5‹bö'>ÞY(¸>¹a¯»:£#s^>Éu˜-L º[´³/ÄېGߘµ ªÞÃv]nê6ÌâȢʏL•åLŠX¦rÅAe’Ј²!YVš"ՉëɞÌ!ܘÜñ=U‚‘‘‰Ãm[%8¹òéÊeh•]â6´É¹(ø?R/csç” Ï¼¡Õ«¯³jµ¡6)½¿¦°`X D¡˜벚SwÛþ@óúӓ9yyÆJÀY¦Ï_ސêôåõTxr±ÉN`|{p|íÎó‰|ŒïàHrÌÈ[k‘¡j݀ñb×ì/ÇO"sÈ嬢>¢3þzÃ@rYÔÝ…ì©š„nsc¬û§cd|侬]`º™§À`½PÑè·]•¡´ s…Ôc@z5öKۃIÔ ¼Ì‘úDOh„Ë•,Š×øié|ØáÒ~šºÉÜÀb§×¢ç¬šñ‰ñRYä.ÓJå|u饂ة_Áô 4:<ö‡`´Qœ®¥ˆ‚ùx™>½…ÿbzu$XK -PV~Ãj¯«“¿&ÐQ覧´ýa÷Bðß_/Å䧎4ž*®œ —öçrjhŽèpP€ýZKfp-Øôùþµ[ìðé¼¥Á¦ÝÐÀ®îiˆ4†¼Ý &Lƒñà$(à¨Ô¥°ZeÐ+¢+߅U@Iç ºÇv» g$zg§acEŽÊN -\Àîð°WjlDÅ‹„‹\hA¶\­Öí -¸†0¡†C- ‚P‚¬ xäÅù-MD6±íe…yµªš0¸]µ Ù_¿U`›¢ì‡j³!@¶ÃÿÓt(½]8„»+gxˆ/ÔC!ú_ï~ žxÝm¨³®î×^vþÚú[@ñòM V€JÒÈÉÀ$þ‘I+¢gûÈúßA@&Š'A×r)%?ã“Àx‘3 xÖ%*yÎ%¥b -x BêOz¥@” ©^əÜX+Ǽ W– ½v÷^ {C¯$,§œÁÆp @#z%l§½s9ç}\Z Ü;Œ‚”{&ÏxÚ3PZfž‰¬B"C‚¥ÆÆ|&F8d4‚yÄ|É3ŘEY zî^l†T§µ¨§:F óÁ ^=#ç™é©܌©}SŽ#v~ëP\ WŒT -Ç÷*“{•êhº k9b™öžg0)é’}¤ フf7”ŸÂÔ¼º/·‹Mx -àëXC2° ùÔXš6q鐬qu©…ó­Á=…p·Áñ`GÍÒ;r&s+Š˜F=W]j/ 
qŒŠ40Í(õÕÃbˆ‹IÒréÑ]½¨7Ï@ÊO+¡8˜”p@uF #ÉkSß?ŸR;ւyÿÙí{ªöç\ApzžÃ¬FæR›˜ Í+PÉeÝ ÒaEc÷XÏ0Î`z -Éh¹ ÑQSå|Nz×uo0§w䠑´]azZ.Ðscÿ·Ÿ>Ñ3«v½ Ä»z¾«‚oFMв8 -)pUCþ;ï×¥±Óo¯ßýF—ÀGùPu`&ÆÈP•Á‰Ÿr‹>ÚO­VU¹¦6&Û¸&EV¸Í¢|ŠÍjý„&jÕô»Tb)M™e.K€ûuJ±’%¤8¨ ƒ·VúÀìf‹rKUÀ/ÕÀæSn²he{ù·»ŒT!Á‹'lˆi/,iIKZ°Í°¤…]*iéâD݄K;ô¦ìuj(rQÆÕ,<›¯fA#T³2½¯[á ¯[a#ê „þ¹€]Ç1Ý°š% –õåÞJêŽkV8ñýx‚Ê\8ŠYHƒÅ,³°›*f -( xµ(´è€¡Ø}Ü -VâTÁª¹ÒœŸ/4y5c -’ß‘š½¢rõª -Øÿ»r%µÌ{©r5¤: Ï=ÕÑ]¤âK0 Š³ôT F¾Ë€£t܍yø¥þR%˹uîµ:Ð/$צ‚0·E]í]¯ÿ hàÛ1c´ÖlÆ´X™ -Kí!66pÃ!¯Âº†´„Ⱦpà&Ç Y¸ê2”¿¼?ÀÆ'ðÔúBd˜˜R -PSÉ¡ØS[ϳ'•mç« ýG -W!•–²/§ƒ_ˆï­áQ¶aYóŠe£~ûÈÊ ¯àF -Šìi ½§š -$è¦Â¡!:84hG?»y,ÃäqÌg±81 # ›òÂùz'üBÆþ ®gǺú¡! ->ÎV`6rS¼.ދ'ž}¨Ç“q¬¯RËýy»°©Äé Ì5å2²sïçÚ%MÌÛ6<¬Öûûž âá¹P‹1Ϛ¤F3%ý삁ˆ\— 8¢‚« à†Ég\яødݟ`þ&§·>¸Þ/i{xpÌCLÛmh *Ód·=Ž3.BÜ3:-¼žÒ¾Z³«BH»£rF°WjÚÚzX›”᳤ÁÁà?‚3-7}©ûsTN|7YÅzYÿ²NZàP¥_Fd~h‹`FMo‹¢€@¬yôqkh(¥Z0Lq4îÂ* d*¼æ“ÓÏ{m‚™§r±í“/ì`ÈET„Ѿr¤N”EJéXÂ-1àÐ˜é;ÿ¶ ¬±úZ.W‹êM2ü’9×}ÊߧR)ƒÁR 4è% ìuö á6´êDV†H4•º‰\Ú"怜YiwB¥¢M|Éb´éCyX¶‡T씃SÓQñýîMàî¡~(ïž7UÒA.A4;xß¹mÂ=&˜Â×|¼¯‡Ð%€ÖÄI=x–º]å_‡´FÂÛe šöµ^n—Ô)ŸÊzQÞ-Â\¹l·Í&Å2ĵeõymȖSyƒÊ çô¾pÓì„FcehíÊ@V‡ê§T*×FDÊÿ=V1TÛÃème 6å:˜Û®ªƒ‡æU7[׫}¸—Ô!˜€´µ!»úÛQŒq“³NøÒ¹Ó¾¦–)P`§*™ýŠÙpÉãèrd¸»ß8†©X"p,}†Xst -&”avt -š\?„— 7ƒð²§Oð8R£uqÿÏÕl/x“ó£‚3 ¶àªqsâöT/ðp¼ò¥Óç˜eI­õÉ¥íCÌ ŸcÈP:ðz«ü;‡0ºw$ø¡EDshC'>IÐwXï?Ãðà ýA³a”šB>íøÜFº= ô&v°ºàÄtÞ6ß!|aµ]Q€‚ã_ [Èá×;'¤ó0çD(=¸ð[¦§›°€2|‹ö,R\y؄Á]¹nèë -ìPqÅqÂu‡ß¯t[ìØì—8ζ ŒÇ·Õ\0±ëâ l´üSŸ€6@¨ýÂ{¢3"ïªÚu•‚9“ö_œÙ¶':Þwä…ÁϑÆ÷ŸìAáY‰¸FARLu‡/þçÛå*@äí ç£D=˜h;Žob̋ŽA½©>ÌO}¯%uŽY%$ÃúW®ÿú[®ý‡nàW¥s'òaÉTD )d\‡œ÷}³þ7XKĺendstream -endobj -986 0 obj << -/Type /Page -/Contents 987 0 R -/Resources 985 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 992 0 R -/Annots [ 991 0 R ] ->> endobj -991 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [389.4645 148.047 438.2112 160.1067] -/Subtype /Link -/A << /S /GoTo /D (configuration_file_elements) >> ->> endobj -988 0 obj << -/D [986 0 R /XYZ 85.0394 794.5015 null] ->> endobj -374 0 obj << -/D [986 0 R /XYZ 85.0394 332.07 null] ->> endobj -989 0 obj << -/D [986 0 R /XYZ 85.0394 307.6688 null] ->> 
endobj -378 0 obj << -/D [986 0 R /XYZ 85.0394 231.2958 null] ->> endobj -990 0 obj << -/D [986 0 R /XYZ 85.0394 204.4238 null] ->> endobj -985 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F84 848 0 R /F86 980 0 R /F57 624 0 R >> -/XObject << /Im2 936 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -995 0 obj << -/Length 3216 -/Filter /FlateDecode ->> -stream -xÚ¥]sã¶ñÝ¿Bo•g" œ>].¾Ô™ä’úÔö!ÉDQ{©ˆ”}ê¯ï.vÁ‰’{Óñx¸À.ö ə€?9Óq§a:KÒ(ÐBêY¶»³gûáN2ÎÂ#-†Xß-ï¾ý‡³4Hã0ž-7ƒµL Œ‘³åú·y„Á=¬ æïùøáñ‡<½»O¢ùòñ—÷‹P‹ù‡ÇŸúáéÝÏ?¿{º_H£åüýßÞýº|x¢¡˜×øîñã÷ԓÒçÊ¢Ož>¾¸ÿcùãÝòãeȯ -ùóî·?Äl lÿx'•={…†dš†³Ý]¤U #¥|Oy÷éîï݂ƒQ7uêü"mFñl¡¢ÀÀþÓ§,ƒDJ@JtÄ*TÝ)G“§ì±ð”׶µMñŸüœÝTI¬’Ùpɋ=ÒÄÆj°1H5‰´o¼Üæp⩜ïì—bwÜQÃîêcÕ\oð+‰ŒšïêÉàÖÏoòÃK~ðkñè±ÉAð‘ -û}ÖùÆK^»háo?èd@§RÀOšh`Î Opˆ#†"˜HIÆs)Ø,2Kà 1 é )ƒTëС;^ô|k÷ÒÌ×Ô*‹]ÑXWôíùŠŒk`Í>;æ"=ÜPÆp’žÛ¶Íwû{8ª†±j(Ë:³-O®]ðÞù—,oxVÝíÁ|‰1?ŽôoîJ$žŽØoQ3ñüµ(K‚6¶(¶™¿n‹lK½,¸˜)ˆçíñÀP™Û^µ[¾g3ž+»*=BMß}~Øԇ5¾ÿø©ŸUdpv#.¤WG'æ¹/ÒÊç¸^¨8œ×{baßw !æå‰Ú v›c‰°š[ƱôyµŒƒç‰_wnEõL-ǚCg ¢zñkÚ`¢=ˆ³'DÃǸ U:_QÉÚ}ãyf+p±œ@Ú!wœ€}°Eÿ†#¶D>b4§”†Ø^rŽÅ{ýÆE·–!g/ -õ²füuj‚ôœhŒ0@‰Qß'Ø<ÕG@)hYƒúªå(‡¿/v9偾ÎÇ@§SnèëŒú˜è]Î¦ŽT&ˆÛ££º\°Ý Q©÷àê™Í¶ù»Ü3ǒ@¤P2et[­'֔&H#˜E8‡<;šâ%_°Ï1*0R«±vge‘Wm3±£ -¥MÄ«‘Ž7 -‹ -dj×ÁE$äpë$ˆô[1iˆu=&uXHÅïB„eޜï›hH! 
zÜÜ×#Mì;dۈ 2*ïK¡B%ƒê¸[9_°Søz -]£õÓ:¯ä–p -lÀÏ¿ð0˜LEPVW 5rU ÎCJ9w*®{"úxéx•¨ ÂøKÂ;VNÛóõ„˜5F6£ºˆuM¤a™¼%ÒÖ ‘z,ç‰Z›}žÌ3’ †˜y{g4±óI) –B·¦}î¥ -Î ì¤ -_G$ãz Ëǽ|Ýbǚ¼% ¤U £¢¾Ö¯àüè_x"ÐqÈÁキ4ǝ½nË{pð¥MòŠ#wæâ# U›*ˆ('jƒ7Ÿ“҅жõ0ìW)Â0øáLü®•Á%§ ěF5ĺnT–'ŗãzQÖϋ)“ÔF*Šn“ÑaMÐ121e‚H‚⎡ÔW¥ªO’RN’°oÕÔeÞæ…œ5Ž\ê1¶Y–ï['4lUk~®8ã¯è*‡8†:²z·q¬Š²h;_š€ï]rZ„÷P#Ïq¦õÒ¤” ”‡Aûß`/ IWö Œîü0'ŸE-ëØCiY¥6Ç*ãÜØÅYúöWTsU—"#ƒ(Õém]b]×¥ë—çj$ôx¤ ΕH@ðSð)wþ‚¥Oç¯U—Jb7é¹ÅÛBL85(6Ӭ߅眠ïMD"G¬ÐàáyFÀӀ©ÿ ®.×%®XÒHZ„Nù‚£16ß>Yô çkQ:Šq¿Ð‰˜ÿk›3)䋯ŸHaïSJ+#ëÙ;ã¬1›E±éˆ— ÙçYK9ÓÕÚ ïSì Þ1–»Ü §Õå:oZšÑlÕØÌGE+¡÷„Cƒî—­rZÁÛz^!s`âÆGÎeW¿äë¯àR@Þ¦ö¿f^á[™W)‹Œ”~ðX7 ÛcáŽÛºiÙ´E‡Ñ,Àª.l;ÍMbs›ˆk‚Š‘uG˜49&ã±¢J;9ðÚæJx{mi…oùÑ°2¤ú4<¸$9Þb!y(2êÄúPtKÖô]å´Øgˆ8®„Î?Ö-©y Z®Ïµ¼ØíË|k¹+ᤳN¯ÊT¸ýA‚~[¦C¬ë2í°Æ—¾ÁÅnì­!„™PÞ&¡Ãš aì¯ã@Å*1•WË^Lü†ËÖVy}l‹l™ ¤²®?÷Í(Ӓ£¤ŒkHõå@¡a1Ҍ|•om‰d®'‚ â3Cù Ål˜¡Ñ›+õA©RÈy¤¿,c^=að¥RDƒâ çß噥Z,N ¡Á9¸d²£Ž†aFC¥Á-Ô±*Ú!W]m³¬MÓŒŒ!UÒLä½ -]8Õ!ñ”•¤+.v‡‚ÚŸ‹²^Ú¼AsUÚÏKæ/¶<ú%6Ô5]‘sF_T,®W%’ª0U%h+wï½è^]hÜسâö:Ïè\-•Ê)>Š0†{Q¬ÎŒÝHãu¬Ý²>²G^)µ¼fíp‹”1oXû놵{,'©lÕÎD‰íÍÍ;¬‰ÝÇ÷gÄ&Ñã헾è:pÇñÀÇìŽãs;‡žN™^¾ÿ•;ëªÊ}h§²®mGÞdTàíkÇtUX– ¾%ù<m"ÝÛò„Ê$HánùVì“8˜ ܔüëºä;¬ézáHø!zcH£oîßaM0â5Lƒ$4ñ˜ºôGfŒG}œí#‚¯Qø³ÈÈPuÊÙ#_€žót9NÑË$Š²=èsž|h ‰'¯¼ŠÓÈÒ†F,¾´ÃtürMK÷}IÕpÛÈnƒRÚ0–\ý}µk¬û©–b}Ÿ´Ô-Hž¾[0cËK¹d¾ù—}á+ØÞsFjÛc÷ª0‘·68= ½Õ„þ),$"ñ½‡ZŽtøV5ãá«N¾¦tWJÉB÷@nj«¾¸&{B€À¨qÑb_ò6/EþŠá “ñÞ¼ÝïKJ½Ü²{{°­{"qÄväO>Y°401tš_¾ç„ßýƒjÂ¥Rìï¬Ó¡²•F__*E}”ø>`+ªx í+P]È;û²4ö$Ëg‰ M՚zçWb4b›üxa™ª³ZEUr½ñÕY'I§FËåOÀz¥ºê®dš@"oÞ¨! ±®»«Ëª²ð¼Züy̏5˜|îM -:¬ ÆY©¦êˆvXX€DB&jàZˆaßnC1=n¯?èÜ\ -€]Q±Ë£â:Ï}܌Z -WŠC•—7Çý¾>¸r'³>C ÅÅs°‹ix9æëwë21l…a„~‹½Òú„4į’ÙýBV[R®’Ƕõ+;[rA˜±û LKZ¦‚ï҆3*È$Ýù­©¯¨¦œ’ç>„ ©Ù[W[ðÕò'6\p®€»eÂVþá•FVy7ooz‘“ì=àë3—,ü}f£ –ôvèT»H1Aä¥Ý†LLQÒ̄3rïžëɪ;DÕTÄÉtÑ]rÑý×üPÔkw#E#uù£mø‰áËӐD7×ìÔ¤A¨ä·ÇÒu+õHôH®lQðþ—V -á® ·öï. 
Pg7&‰ïC -œÙEŠÞãñÙù@M’ B}iÛzàÔÖC|ÅðOˆv፵w¸‘¿½Dîá;ÛúÕ!†Ÿ¦ÊÀA"äëÀÝÁù‡ÖÈä¬^08ÔóÚ\Š¿ò '8—#§6 WžT2È[±ál¾± ï•9}j +L ¯mO®Gº²(Ü}ÃñºT'ä_®­#ô×ùœójgŒðßзª»ëù@íý¹_âë îø”\û©8xü}ԄþÁ?úÿý3¬þ7jQ€³»ò¶&_Œ•' -䲶¬¥=ÇûØéÿDʬendstream -endobj -994 0 obj << -/Type /Page -/Contents 995 0 R -/Resources 993 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 992 0 R -/Annots [ 998 0 R ] ->> endobj -998 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [329.7108 477.6902 386.7943 489.7498] -/Subtype /Link -/A << /S /GoTo /D (journal) >> ->> endobj -996 0 obj << -/D [994 0 R /XYZ 56.6929 794.5015 null] ->> endobj -382 0 obj << -/D [994 0 R /XYZ 56.6929 607.7231 null] ->> endobj -997 0 obj << -/D [994 0 R /XYZ 56.6929 584.5979 null] ->> endobj -386 0 obj << -/D [994 0 R /XYZ 56.6929 145.2693 null] ->> endobj -999 0 obj << -/D [994 0 R /XYZ 56.6929 119.4941 null] ->> endobj -993 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1002 0 obj << -/Length 2505 -/Filter /FlateDecode ->> -stream -xÚ­Y_sÛ8ϧð½)3•Ê¿’8}ÊvÓ^vnÓ»\îiw›Ž5•¥ÔRšfwî»@2eËioÚé¤"AÈ@€æ ÿø¢Ô“F- -£2͸^,·glqcïϸçISsýt{öú].&3¹È·ëHV™±²ä‹ÛÕoÉÛ¿_üóöòæ<š%yvžêœ%?]]ÿLCŸ·®ß]½ÿÏÍÅy¡’Û«×D¾¹|wysyýöò<å¥æ0_x '&¼»úÇ%µÞß\üúëÅÍù·¿œ]ގ¶Äör&ѐOg¿ýÁ+0û—3–ISêÅtXƍ‹í™Ò2ÓJÊ@iÎþ}ö¯Q`4ê¦ÎíŸÒe¦…Ê©V™Ê >¿Ë,cv--´¤Rã.«Ù]\¸Ë[í†;[ iÝv÷¹j çyžÉR–‹Xú‘#׌2R‚<“¹æS-n7öÚ‘« >Ø*)‹L©€m¨Þª®šÇÏ[“OVèÒÀðÌh-ÿÓƶÖÙ!‹26u-“Œ[ìèöËC½;çÐ蛹Ѵ 8´²ë걨fçŒúÛº}Æ97¶ê»¶ºküTÿh{jW$ž¦ƒ¤NG_NäUõŒ†¥Þò¾ß¸«R°¤(tXˆ–•eAªº¡êK½}Üb'§Å‰ŽZ#I”Ô‡u<E+&Å Ùyrµ&ÆÞĂ*#½‚o)’¶#:AGb(L¬¡qh@ç6¶·ÔôxÀ&! 
[Ýrù¸ÃȐù¿w²¼YεyÙc®Óž8r¡Žëji_ðD ìêeӌ -?Ì!²-§:Щj3ú¡È÷»ÔeÕRkŒ­žºÝGâM ±¦îj¡3<Ïø™ b É½ŸÍoÁæ%ϸž¹÷)K§>ž>‚ªÎÜrô*nr‡Oü¢Wáw/IAáÈÞÜÞñt„7~ Þ؊àÉõðFÙoqðÆÂÅ;xCxªÏy²ßIÁoëö~ÎSýñ”&éÚæ—0vDŒEÔ¢3ƒÆ²kgLÜ?îZš‚”Æ38߅oÓU+»µ•(“‹õ`w’P/PZ2ÑtpñQ·;{_û•¶MçüM„“Ôä°Øøôhwµ‹gR%¨+«ö™­}j|sU÷Ëƈ·"ڈ§žúx4Ž£û\¯ˆK¡æ^Æ>^b§iº§ éÎs „°Ãë¢,3¡à'PzAÛ¹#ðN ?8DË+ŠHU»: RýÐ=P‹Vr»æ¢WKßØnŠzÕ@­Mõه¿{Š¸Â\œóÓ1O : ñr̋¹NǼ‘ Íî0·êeÿbÐc2ÿŠ#׌‡añâ@ëj‹‡å®=*‡ýàȝçnºû{‡hŸ -qÜhÈïDX',>Žq,—ú(È©Rú$í“ŠxlQþä3Œœ…Ï¢k:áÚFèøîچ¯¿¶5›\Û(`zmƒlwm#<­›»¶áË<”Û.àw¿±Sdßy-hcðÈldÃZ•˜ž}SŽþ5E9Ÿ„Cü„4g¹>-‹æ1å›aÆTT´KU‘g…„# 8ž - ‚ë,ªXh©¡” ›÷:BÎwŒp9J¡< ->@¾Ç“[ø_$—G;2¥€kQ–™B¹[ñi8R6ÊqEmgì~áõÕV,~îÀ¤ElUœÆ¢Y¥Šq80%C ÐŌ÷¬Î¥peò|.Xb}§Þ>4vkÿ+Ohé‹å9:veŠ,—¹\Äû}g)l–(ãÒ}õõ}Hš?¸£|9*™CE—»]Âê”çpÛ3¸Ko]8î:ðƒç™ð¨P ”UO®ÄÁp=aÙÃí}Oä;ën$ÛOU&¦Ì€˜-qŽå—›®ë­QѧuG÷œÜù9Òð®~&ҚnÙm4[ø|Ð)º&Š“7“ôS Ó !@=]Ýv #H¤7Ž¸»Œ(•g®mc½„ûü™†– 6„qÏ?ô¶YcQ¥ÆDòðšgmŒwÈáô)‡E|v¿$wÕG뵫ڙu›P뿯V”*¥JÈ| 9MÿV;Û÷sRám npç}S¤à¿/¢ÛILc‘Çðæ\dŠƒÃlåæHIŲ¼dâ*$~MI5RnøTIÏã³äÆN£uaA9–GäÐ{ÚÆð›#î±Û?Øeíª~è쓭T<¹¬`cÜÀ)m ‹hh.9 Ø&ÀEû¥ª¾¯ï[ë•ñ A<` œ`0弜ºÖuצ­½¯\컂x” !úc4’+ê‘D¼«ú0ÍåâÂåýõŽH]_SAn€JN*(YE–®(SmÁ 'ÏÜ <®Y÷sѹ°,ý *ï¢a¤A’+G-rñoº+n&R"Ó¥…‘˜û OÖ¶ÄRûU<*¢e||t/ pÐ:¹ ú~ë;XtŸ\J¬”檼è¼Å¸L”Æ!5>+…àɌ©bë0móû31Þ^JÚ°ïtōSA«ÕÊ¿`yno y Âf¤™|ÚÔ¸qþ¹~ÜÑeæë—6TCÏ!—Œ`J!jy@ÖO[§ƼŸØ¾ ¯GöK…™Ë+Šº˜^É27S”Ó»!Íá>ÿË-dfðåxb:g¯Ë7s{ò7I|-ԛ98üE‚ç5ÏßPG¢$×ú/ÍIgW¤ÁãŒ"V?Ôí<ºs©ïofz‡sõ&÷@ÐጾþA@$ÛÎy¾¬»PT#ÕøÝËa' È¤–!0º­ú4Eháp`12·—„¥"±J&•RŒ64L*CÃ~YÚÿ6œDUôC‘Då•Ôœª ŒAM§j¨ïqu}˜S{Ùû=¯365¶ -€ï|áN6²F§9}ãUg¢ÞïŽA½ÇÏ ÐvŸ¦ƒü -·çMÔûû "ç~Oá -öLˆoûA’ c´z±–üÿ­åpÆA&±ÿáŠec§J9¨ˆ -^B*#LÆ ÿ!¥ÈTX>• -–)~\!䦑à™2 - V`¶$𡄏r6•ùäe#3ãÅ4žˆ„d¸”<0vÁ¯ü/øm»o) ©õByÕ÷>âL|>þöêð«Ø”° ¹™}¾b‹Û¿ûWÅ=rVˆå‰w0Éò¬ -,:f -žñÖjYfº{¶Hùÿ#v`endstream -endobj -1001 0 obj << -/Type /Page -/Contents 1002 0 R -/Resources 1000 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 992 0 R ->> endobj -1003 0 obj << -/D [1001 0 R /XYZ 85.0394 794.5015 null] ->> endobj -390 0 obj << -/D [1001 0 R /XYZ 85.0394 452.263 null] ->> endobj -1004 0 obj << -/D [1001 0 R /XYZ 85.0394 426.0265 null] ->> endobj -1000 0 obj << -/Font << 
/F62 634 0 R /F42 597 0 R /F43 600 0 R /F84 848 0 R /F57 624 0 R /F86 980 0 R >> -/XObject << /Im2 936 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1007 0 obj << -/Length 3047 -/Filter /FlateDecode ->> -stream -xÚµ]sã6î=¿Âo§Ì¬µü%jú´ÝfÛtÚ´ÍææÚ>(¶œhjK©%ov§sÿý”(YÞäšíd2IA_²\ø“ “Æi®òE–'±Ò,V»3±¸ƒ¹oÏ$ã,=Ò2Äúúæìõ»T-ò8OUº¸Ù´l,¬•‹›õ¯Q«ø(ˆèíOWï.¿ý÷õ›ó,‰n.º:_*#¢w—?\ôíõ›|s}¾”ÖÈèíwo~¾¹¸¦©”i|}yõ äԜ z}ñîâúâêíÅùï7ߟ]Üôg Ï+…ƃüyöëïb±†c&b[³x„Žˆež«Åî,1:6‰Ö~d{öþ엞`0ë–ÎÊOŠXiÕ±“Yš–Íž OTƀÆJ©·í•Ë‘¾'ÏJÉ$NÓÜ,2ª*d‚ -N“û»×Á‹èñ—áz!Çt‘÷媫šš˜ñï#9âɚ8JŽx:z›=ÖSœQcñ£©ÍpŸè\ʜ—Úëƽ²T9<ö¸‚E :¤àêEfžô¸Œ¿ ÌyÜ)ݱÇƼÇUÇz­àæ º ·˜ñ¸Œõ'Gԏ«“$º(@m隶p¹[ÚDšÕgoL& G¹4Ï2R'qwh=ý®-·ҚD5‘¤c'†¦\gÊE{aùña[­ªn†4‰@ý¼‘.›æ‹TêX•¼ø…ö—!Éã*!?1™É†Oši³Øj0ˆ_ŽIOñ)&s[eõ˜ÉSf2Ö¬w·Ó]5uI—…t åÖ)ºÌ43ý!"=*E€ägŒx¼¯VLÚåQÜòJÒ ]þLZ$‚<™D{ƒ³ª!pËLŽË\ËVùø8Ayóö(ÑAȝ Ú ]ÛAØp¬‘J‰Øhó„cÓRÅ©VS!c•ƒ¿Üi0ÅeHrÎi˜8͒aãӎ Œn®3ûyôŸâ1Iã\¥é˜ÉS™Ä:39˛"wajKgürÆ6~ÄTÒi!t0˜Ãvu_®þ Û¦dV"O'êuWTµ/)tC¥!H¸1T”\ö®ðõuWqdWPC×âÀŠ lšC½ž ô~r©„N8A äF'jÌ "8…+˜D¾/é¶tQ@Žro%…œ|¼X±x“Þ·8‚ˆºw(7ÞÞÅ̸­ÇLÌV7TÂk ÒYuÌ´Ä|ªÚU]õ¡¤î`G¤à”‡™sêôtFò‘r")IñÐökjÁ…£÷ۜ\_Ïåht÷*ŸV•TNY ´»æÃd¤_t[ÞUuMI„"-͇DÑý ]NqB¯Hí±-¨áRYHü‘¹ð¶üՓ:J÷˜ôl7îDgë±,YuœÏw$àÌ ÓF-Y^€ -;@ ž%B?•H€ƒ|ca´ŠÁ~›/H0ÅeHr.‘б̀Lö™LÂÅD™/ÇdOñ &Ñ)H-õ˜Éә„I”ec¸èniΊXH¥ŸÞH¦á=Ö²¥_v8»‘‰!û¬1ƲɬéÀ“'„žEÛVwµËöS2²Ð¬á”Õap°^á/Œl8R«©e 9}Ç0EqÑiWÕÕ۳bÂøêýîÍiËaÄÈÌy•±9 ¢t‰·f-?76ÍòwGQÛ Bîb÷°ÅÚX¢4U¿ ýCåòú¾Ð±*+ǵ#BuµõúUÎ̈́›MŠhHìç¾q^ NL%f„îÊnÎâ„'o©,<”ܸö‚…äI«Ç}ùl¨í Ò®LµåY0l5¸waXñ.ÁHîÿp…!ȸ®ÊáíÜ9%àƒŠf„0”Ú°³^Î]ü˜Ya#_ÓåÚ§dŽ©¦åk•Ðs„¦Z¦¬×€Xl:ª°Z_òܲⲣ°C9ՓTLÒRu0˜Ñý oF§ý3wS£óÔó5Poï›ÇšÀ[ Gq‡VÈQË(”UhÊÛýÒ+&àO°ń^A k˜¦ -®£î”(Œ¤9w\m2¯“s}.æ"8UyCw¨]™Ó…)&“u¡†¯‚"0¾GÔùV3½ÊO¼|fÔi–ɧÒ2£g<$<,- ¬kaÆò~÷„w÷ÉÒ Š™2HÓ^„ÖDŽCzÆÂÌY˜3—1}ËhëÞ V{×Õ¸†-F/ë«¡Ä^¿ƒ¤}ü]pµ‡ï‰©Ñ_Ž'™ ~&qöa8»òû -ß"~š|ýšf.ßá7\Á–»Ç%ÐI| œ¦ ¬·_!¥4 }óÝÅA›jï™ÝT  „RÞx†ғð }ãé;ž—ãÈÄÜõ0£¡ö~5ÒÃЏ[*e±ËóYʞË\ÍIØxµ-Б#øv²~NØòs;¥vVއ–/3–¯XÚ{P“¾~Ryþy¹©ÊM=[nê¹rSS¹É¿-7ùÉM¿PnúÙrÓϕ›~Jnê%rS/“Ûdƒäx3Þ ‹åw„dr$Ãg~ؓ¯ «Vt½Ušó€žßYIÐäÌOCÆŸÕ POC#ˆ]Ž›©Ã¿‡èÎ(â|·mêâÖãݖ÷ŇÊWŽ"ßм0Bœ¨ÐPK 
}wH§¾F_w:šqߘ•.;ú*ë¿×¶Õ®Ú{tõã™3#æñûñf2=©€¥Îyò÷àšFüO•Ò(‰óø#sqñ¸Œ?#ô¹ÒêC–SYd‰^Žúد=4„=Å·À ¥.š‹ˆ:hŒE‹#AÝ00ÍÒð8KÇpj‡” -:aœJ\Ì\—ÿ‰€ÕýÝ[Åß®é@ÐLTÂp†ˆ:¬©€F]ŽÜ$¸‚!ÚIùôF¨VPÅ,HŒïÐ꣤v|.†V>†cžÂ/ß·ÁºÊõß ÔRgF'OjÓà*°rbÖXŸ@^ÎnH“s¿·Ó&ÆÉÍ|„¦ðâßâ ?TÄÏyÖª30Óˆ0Sȹ9ú˜Ùÿhï˜õÿ·>%endstream -endobj -1006 0 obj << -/Type /Page -/Contents 1007 0 R -/Resources 1005 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 992 0 R -/Annots [ 1010 0 R 1011 0 R ] ->> endobj -1010 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [213.6732 702.2957 286.8984 714.3554] -/Subtype /Link -/A << /S /GoTo /D (rrset_ordering) >> ->> endobj -1011 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [209.702 621.4019 283.4678 633.4615] -/Subtype /Link -/A << /S /GoTo /D (topology) >> ->> endobj -1008 0 obj << -/D [1006 0 R /XYZ 56.6929 794.5015 null] ->> endobj -394 0 obj << -/D [1006 0 R /XYZ 56.6929 769.5949 null] ->> endobj -1009 0 obj << -/D [1006 0 R /XYZ 56.6929 750.9506 null] ->> endobj -1005 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1014 0 obj << -/Length 2676 -/Filter /FlateDecode ->> -stream -xÚÅZmoÇþ®_AøY„›}I>)¶ì*häVfQIPœÉ“tÈñŽá-«Eÿ{gwvw䑒›…ßr_fgfgfŸ™›PøÇ&V*œœ'‰¢LM–ë :¹‡±w,Ι§Ióþ¬ï_¿Õ|âˆÓ\Ow=Z–PkÙd±úqúú—^\ÝÎæ\Ñ©&³¹ÒtúÝõÍìqøyýþæíõ»¿Þ^Όœ.®ßß`÷íÕÛ«Û«›×W³9³ŠÁz)œXðöúOWØzw{ù×·³Ÿß_\-:Yúò2*¼ ¿^üø3¬@ìï/(ΪÉ#ü „9Ç'ë ©QRˆÔS^|¸øKG°7–ŽéO K”åfDrTÊ-¸ -ô23M˜P -:¹mòe|¿]åÛ¢º÷B)Ñ#E's.‰“L"{È+X£Õt½+ÛbSæþ—žngÌNóe¾«§dØ۟Ñî¶U¾Âá¢Â‘,R̪æ1ßƱÇÖÙv|ŒdvM~·+±¯­ñ»¬«Ÿ(å÷»þ~íCŽ£‘'¤¬§õ]\üp‚uЁ—š1â”âAêM™-×R×a[)#èB -ͦ®šÌJP;]À*³.L0•¶@ߓÝnáæµWþˆæ%Êpç6mÖæë¼jqËM¾]mƒŒìåÏÚ¢®pF¾—üA‡uGSÆTÈåÎ$• ;†ÃÓÉðÓ³ø5¤ÓïÛ+‰Ñé‡<ÎÏʦÆV;®7kÀ7¤Jº¨·mY4íˆÒ„$”óC}uè½BI¢šF‰±4¸Žmï'ظíù]š>ïÏG·l~HÕ3ñ!_ÆC q }P2$¹&B(;àèÈÿ»YÏ0rLÍsBð<…#t¢03Ä ˆ&~ð²Ó»öqÄDuv†Úgœq?üD;N¬4ö%‘g­ƒóŽâ¼Oò8È1îà¬å~ãpä›|9bœIUò»¢ÁÓXåÞm0y+ŒÝwuY֏Í7HG™¹¦D2n“îpÓe™5°VCP ÍTÙ,›qèhŸ69ùV›~äÕª^gE_…CѬ5nèr¨ÿ°¢>°ÁX‰Õ -Œ5ñk¯ÁՅrÓªö_›Xö]ŌMcÓk¯ð:ÉW_AQÔ/Xåwøx\Ҍ \NÚ$%_Þü}ü ´“É¢’Cæld΁¦€¥MÞíOòæú¼Ù¼A$ïÈ9ÞôyÞðÔö¾!8 
Ëôðʲ›B[4»È®ÿ‘lñ'ÎåãÔÂ!¾@¦þ0¶ɄŒ<™èçŒ "¨0C[]$.Êü>+±ù)+wygüÛ6¬ -JôÁ¸õAl1®»´"øæ(hC¤2r¢€0åì%1CHK 5èé¿[•øðàFǨ<Í®£@+6q…8 -[I&€• Õ'–ÄBpž(àLqÄUÞR>C :Ö¨VP£·Œ%icIvˆ±`8\Ó2Lé£!ì:"4ŒŒ°è€ -þ³®ò1 äW•99ºÝ ¿¯šß¦n°´ì~ÿ—“L+NŸ ‚kZ)ùÜ *K¢äÛ¬‚(þ…ç§újï0Rw~Šv0«©×inÚûÄäåŒÖQõÛUôûj]R£xNëÐ0V㽶|Z–ÅòwS{֛PïªÕ[ÓøK 'Ùÿêöiâÿ#r2íˆ0YB¶Cƒ½‡Wp« :¦Š:"­aã¸5å­ÒÌ2J‡³{[oQÙùçl )Æ.óaÐ cê(± -xé_!X%¼;Y=ðv}³GjغÄOª=ÔMK"'dY¯_õ6ÑA¿†Ç#‡†ûm¼ªÇû÷·ãé8(Üi¨ý±(KÌb—dÆ)Ÿ~êg¶˜r…”Ü„ëÓã £o]žÌàu—¢G%ù¦W’§Ô>d1GÈ>ER{38]–àá -GÄtŠhÙ-dQ´ÈD†Ÿfwç¹ —§GY†ùš@De€, •@V>fO1||Öûτڐ¿^–@Õp1nÇRß/‹61˜ˆ,‡Fî‘é õ>†mÒA¶)_\nÐÞ÷Rç$Áf“g—=š}®ª#®…s…(™$„4(,*NõX"mRyCNÕÚ|æ -ˆÖ½¨ØÆ Étp…Ÿ~Æ­õ—?\q„Dº¢&×Th9yçÐ`ӐŠ3Ë&€Ä ÄU<ěÞI8bˆù‰<Ä{ˆlº€ÿùôêP3>N2’, $áÂ֓_'ŒPéœÀI½vu¯ƒÐñõõšOÞÔ Ñ¤'T"<ïSBY9ÈÁ È6ǝ†Náº#ˆeu? -ø˜Þ3ÆSS4ȧÓÎ(ôÜùv¤&ÇľÁä|ãÉÓÉÃ1½Û•åSœè_ç­1tTøÅê±o9_ ¦¦ßƒŸån;ǀb$ZØaŒÞU¿ 7à«u²ÆF'€F³Ûl|ÀõÐ{|( áj&€×UŒl0¯æË¢÷ÇHíÁö“¾ý6³õ¢À¨/@çjè ýôtqšsE$©ƒâ´ŠÅéŌq7ÝU1ËDJ¨?òEA*(iˆ“æýY§yéfy^J¸íçm[—ºÀ‚%hòìÎݬ‘­ÅÀu$îF÷þcQ—ÕnýÓ5+¶üfYW˜ -,ƒCç2[âîG)nÁÛO‰HQ­Še¨Çb5ÅþUÑdËÎú‰*ºx("{£ea¡ÍºÐuó~1V ’T‘`&OŠ÷æu•¯ìÆð–}sP.9Æ ð“6m ðj¬ºCu†ÑxÕ®Í¿c¼ØÈ>ëݺW9·»qdG™Ùñí5‘”õvc»Ÿ2u陬xÆÔ{³Î˜zšåYgŸçU°›Qƒ–$wîüþݬ¯@Þß,fÌÚ۔6°Ú-sü]åíc½ýÅÿ¼¹Í:°·Äq€gØ(ª%®Íš¸t“oꮳ*ъîdzžñ¹­#FNރ_|Êyÿ…pä@™s ²h%†6|¬ÍäÔÍ:K ®Ä…ÒZa+x2|ñaޏ¹ô„£=òôHÓÂÍƒÏ -~]üZˆïyxÓib_”U7žöŠúè%†pýUk‰‰ñ˜Ž¥DÓ4õ÷7Ûǃ—èÇ©îùfÔÛѶ«ƒ:›à‚]÷\ÔKà5¸6êÝvïw‡î7•üË8Oþ½Ìª„ d­Ëa°™š¨¯˜ƒ˜`Á˜®ø§¯ØAÅô®—¬4E™ ‡Óۙ…K‚yÚm|G‹h{Õe;E̺7ß43–8)‘ aïdDPw×3wooҙ7ê8)©ùt4 -q–Û³{w“ÎoÎ ÛˆÍÎï~xƜçlgU˜±}J³wSß[¤Šú$t=>ˇAÄöîé¸Yw•«®`[TÙ6žº7áMÝ>R…kk|;u1,Ük‹³O]ö˜ç¿ì·ê™Òø%•²3À3bôŠ “g«…/ý+‰=ƔþÕÅò/±©à™òªPG®ÝŸS³þ‹åL’endstream -endobj -1013 0 obj << -/Type /Page -/Contents 1014 0 R -/Resources 1012 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 992 0 R -/Annots [ 1016 0 R ] ->> endobj -1016 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [353.6787 706.9749 427.332 719.0345] -/Subtype /Link -/A << /S /GoTo /D (the_sortlist_statement) >> ->> endobj -1015 0 obj << -/D [1013 0 R /XYZ 85.0394 794.5015 null] ->> endobj -398 0 obj << -/D [1013 0 R /XYZ 85.0394 769.5949 null] ->> endobj -696 0 obj << -/D 
[1013 0 R /XYZ 85.0394 749.9737 null] ->> endobj -1017 0 obj << -/D [1013 0 R /XYZ 85.0394 600.3746 null] ->> endobj -1018 0 obj << -/D [1013 0 R /XYZ 85.0394 588.4195 null] ->> endobj -402 0 obj << -/D [1013 0 R /XYZ 85.0394 240.5427 null] ->> endobj -1019 0 obj << -/D [1013 0 R /XYZ 85.0394 215.3468 null] ->> endobj -1012 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F84 848 0 R /F86 980 0 R >> -/XObject << /Im2 936 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1022 0 obj << -/Length 3569 -/Filter /FlateDecode ->> -stream -xÚ¥Z[sÛ¶~÷¯Ðۑg*†¸Ó§4qRwN“Ç휙¶”DY<•(U$íª¿þìbŠ¤(¹N áÐ d{N@ÚÓtºÍþ C+8Mh/*z²”žÇ<;„&Üd¡5tpç¼*\0. (V;pÏ;Ø%ž„´;P­‹í@YS.v%Ä1ˆŁòÚ¯$+ Ú@g/8e™Sa½kTšçxŠ“^¬‡£<.šµ—áü¥)øRôî^¨¨@J\!nŠmAЌmÛ]G!~Ãov‹ß¨Xý–¿Ü:~~8G¤SB'Êju»R—á°•j¹\¾:äÕz†ËûŠ&û<Úì¥ëÃñ\66žEò–jy} ­ÔÈz¤±8aoàEl s`\ï1UÀ=jâcjð[‹âe·À@§ÿª³Îâ!›çëì¹ð[+ŽKz’[¬⭋ò‰Ú3züI^&$!›c<ƒ” žr_>¿¥Âb•OyEHຊêöeû¬Øx¯‚r}ÈÊjüÉbª¦?V (£X@E¸Ü‘X µŒ>€+*Ó¤\d²ÐV¥¬ ¨4U¾üŠ°hÞÔÔVÓ Çì¼g}`úÖù±}‰ -Û¬‚csª0îSñLë…Îj“=¹¸i~è嬿4ݹ¨À,õŽH7†a]ob@wýÁ‡"GA_NRòQ²/Æ»®&´8¹šÐ2¶Ó¹ŒmËÎtBߎžÞ^†êm2ãÛÊehmÑVŸùÜ@´uj‘8´O^ÀìpRL÷¹i†ûŒ¡,eÛô\ùfEÞ(ùôi³›{ïb°IÞçl4Ø+§½‡Š'\T$?ƒBÜX”-—¤ ª›95ᤪ >tC˜l²í~Ý#d“kCáÌZ…Ëe·×[+âzÕövĪåiá]rð‹H-9ð #Øu¤îJ]FêVÊoݲ¬fÍr?«Š?ÏP–qàn†¹ëê[©Wô#ƒ°%½26k™—‹‰(x¸Gãöq áV•·$ÔbIO|ÿ5͛n͊Â\MQRð‚Ÿnbœw%xë5ª 5jªªwô”©Ó„ò้0B÷Ãa:Ž&R6Ý5uU,sªÔë"4¥‰†Uƒ™l¨2’@sY¹.ÿ×°-[º#"Ýé²8x½åQl5ᄇï4U“…´Ø¬‚óh$|ˆ ¥qj¤B™Áöù~FЕQµôT ê4;X_Mõ8A)B½ª!% ~ ±Ž¤åÑհϪز&nžÖÔ5§úoy9Xy´Ú@ÜlÁâõî84®ÙS› C}Ÿ-~#>òßЙʺïßAGø4<ëxTž‚Õkïœ1"+©‹Ç>Ö!…—=.ÕàwBà}nï+™†¿[¼K§ß4Ŧžù<^HŠ¿ú)aW!Uót<@ŽD!Ø¢7å¦ËÜíi0aÁ4dògpñ*ôî¶Anoö«fC‚Ë"{*wUí³7;˜6ôwÞȨ½Ía¡ÉçÐ6o‡5š¿hÊ%Ȏl>¤ܧʛånVïö³MþœofKH[‹r,ù<ÑÊ؀Bó ÿÜHo‹˜B~J %Ð¥ÁÎq—p“©wß¾ýüed@c£œSr2exK`ü¸daOŽåW—j*yS ݈ՎŠæeߍpUåù¥ëfÈ £ˆB_ɜۋö®ü9å>µ—7sæ¼svv$AŽ©œ°½éœIQê•YœvJq>©‚§7ýÈ. 
-°oõ+ÛR–µ—ƒ/ëb±¦aý51C - -›5)9ÿ–ú蜃B îX¡]k§ÈӋSä©M$ønÐ~ÿi,o¼0’‘¯[Łî„<yG$>’ñ6:…² œè¦i'jm;4Y{ãMà ÞöœÏ™¥,±ÜÆpó,x泝±{h›cŒ²Ëi(ý}&²ýÞ'.ÎDÊ`O‰…¥èÁ3Q‰éýŠÚŽ»† -«<ßôÒ3-sâáޞˢÊæ›ÞÈÄ tš0aœ 2P¡-ærN?H”Ã|’ ç¥Á/±i¼.|$2h9îǎL©!\D©Çÿ>Ž!Eñ«pùȁ ÉA^„K‰= ÑM¢y{0cÎêx EP8Ñp¨xî Ï:ö¾·¡Z»eXiù ”}ù÷âaD…lÐeÿÊ_âŒMøÓšÁV=xs¾*%`0b“àB–·È«ŠnS:wmz‹®S\Ig™¸Á2W°+u9[)œëheô͑oȯhn¥FT|Cè¦0Ôú4 _«cs‡XŽq¸Þ‹Cè£8„BxÄ8„¢7twÌKqhY"ŽYsœÐ¥@´iÒÆlCT2†@®!ž ‘\æÿ•x»^>€>³ÔýíÐÃ!}`)Ä^¨áíŸtC+;[ƒ54g¯{›-ÖEّõ.Þ9½÷˙W¨ InÈ“™$1H„»±äo)•Â7NiwHæ—ñ— -­Øf‡ ¿oû]z(ÜTdQP -ñF•"<éÒIN.”5àµFúÙ' s -I×~Ð[YUeR§ß!hºdÀg¶¨›pYŒ5Ÿ·R@õHßG4;A„§ W¡ŒÃéo-o¦q˾?\ Ó--‹]›»„¬™s{aêB´X76}àÚ(×ú¶Ï~ð³_æK.¸ øUoGM¡/|Pêê þ¬ -_ýIæ›ü¡M£‡åºÒÿ(nj|ßG: ñ¹Oœi£í ã†Y DRêbàcáæÍD4èžË9à«´—~ºÖ^Ma®%Æ 4m#ö{yº/“&”¸ô;ð-ia0)œ¸’ç‡Pšp˜‘©ÿc5Èhendstream -endobj -1021 0 obj << -/Type /Page -/Contents 1022 0 R -/Resources 1020 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 992 0 R -/Annots [ 1024 0 R 1026 0 R ] ->> endobj -1024 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [297.8955 586.6375 347.2449 598.6972] -/Subtype /Link -/A << /S /GoTo /D (dynamic_update) >> ->> endobj -1026 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [55.6967 306.9508 116.59 319.0104] -/Subtype /Link -/A << /S /GoTo /D (view_statement_grammar) >> ->> endobj -1023 0 obj << -/D [1021 0 R /XYZ 56.6929 794.5015 null] ->> endobj -406 0 obj << -/D [1021 0 R /XYZ 56.6929 374.8758 null] ->> endobj -1025 0 obj << -/D [1021 0 R /XYZ 56.6929 352.4787 null] ->> endobj -1020 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F84 848 0 R /F57 624 0 R >> -/XObject << /Im2 936 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1030 0 obj << -/Length 2589 -/Filter /FlateDecode ->> -stream -xÚÍZëoÛFÿî¿BåKÅ㾗×Onâä4Νã4A@‹”MœDª$åG¯ýßofg—¤dÊV›®0 îsvçõÛÙY±I lbU‹DNL"#35™¯ŽâÉ5ô½9b~Ì, š Gýpyô×ךO’(Ñ\O.Z6Š­e“Ëì§éË¿ŸüãòôâxÆU<ÕÑñLéxúÃÙù+jIèóòýùë³7/NŽœ^ž½?§æ‹Óק§ç/OgÌ*󹧰gÂë³O©ôæâäÝ»“‹ãϗoN/;^†ü²X #?ýô9ždÀöÛ£8‰U“;¨ÄK>YI%"%…-Ë£GÿìzÝÔ1ù)a#e¹  J"-¸pDž™Ž˜Äq<½¼É‰ÃmÚM[ÌÏ{±Ì‘] 
*DãɌË(‘L:rÝôfgú§8æKßw—y¶yFÕ«ú>R[áç6ŪX¦5êâ;?eÓR¡¬|¡ÈòVK—~D[ùïMÚ¸ª?䈙(Üö ¾ÍÖ³ÍjM¥«üº(}ë]ÑÞP© —E$7T³<ÒÆZX×yñâ ÿ°³Î«nnȧXʼnà ‰L ÂFÃL™˜KOÄ"„ÞÝäõ1³Ó|gåfu=®\”N3¶',ã %J‘Ç­S"PÂÜ&G ¯)LSª‚¨ÊŒÆeÔò±,îgMûàL¶Å*‡Q«5ªË¨é*O› Î<)OºÉçU™…JQÎ=…·i¹Iëjgž K€kàú_WËeuW”םRÜ1á­BrR”Ø4 ‚Áæ”Úš¼.ÐT-ú uÃÎÚ´(q‘á¬yµ)[”&¶µëw'IÛnÓåƯ¨v}a²7v˜V­Û¢*ÓåòÁo”þR•~J™®`‰6A 0"I¶I$֑€æÛ"¿£’ÁI¥½ àÀ(t£UWÎç³lOßïJK0]§Bìî$ -×Ëê*]Ry `ࢪ©ƒ¤tf?{‹/²APË-‰ñZè鏴UÁU瀙ÄÚ–Üv±‡8À&ä›JnXð>¡§×Åm^R[?¡£Ñ“Eoô“ú‘z@ºð[«VE넃ݸިe:ûVÓ,_¤›eK¤êüœ!ÇB)¯%èڒ¥––°''·ÑA&Xòäå>PâŠG‚ÉÄ£Æ'Î MÜ: þÊ/#c‚%X€Ç1ëa‰ë-X -»t$c8Ðà<ÛQÀªáÑÁÿ.úû#gkN¹ÓéðÛ{±"¼Þ9 -Ìöá¶è°eô¬ó.ìk½@ep‘gۍ˜0‘TFN42+ØAуPÞìDlVØp-Mdylöï€æÅ@ËÌmR³Ž)« $b±M˜‘BMt öo6óyÞ4#fŽQÒx+¢3à ;Æ ŒÈ*àLðD›%µÿ¼ñ Ž•Ušù©h2îK´T™uhe õ4¹žPËp-¬ãZTt– -ß,ÇP¨tiý17™@qSÌoÆ` ©ÝÔlpaŒÃçüýéÅÅ{ ‚ -iP³®Ê&§nïý8¾¥ïN[_$àƾ²¹g÷â"ÚµU ±¤Ñžµúu–‚6) ®‡xRDɓÁó#’aÆ~ã“1¢ŽxÆø”¶$q]狼®P2>Éxg|XFã“LôƆ¤XWôZ€GCÀD¥¾Ç¯íhPËlô tjnžÐπñ¯æÿV?páÉsÚ -Œ ¡¼¯ë&o„k{h€²ƒïtÖí`q[;؂ÚÁÁÕFÜdèxú½ç¹{ -}³´MŸÐV'†o«+ù-u%Lò«NNå}VáÑw˜º8Ä7ý­(F†o§.¬xuaq[]bØ¥’ŠçÿzõþÝÉÙù³*Û¯–!Çb'’ÚFR'ρœ´2ŠáÇ"-–›:?Ћ”pjÙ:G‚ªs$5€9¡:˜ÃöGRsؓR•6n¤ê°#?ªÚ›ÎÁ]® èªÐŸ^U·ùˆêÏìjÂ_eŸF©`nÍ7u·½}M³Þ×´¿åB[ïkP ¾ÅyºièŠ…Pɕ]è kŠègc~wŸé‰Ôv¼žW”?èÔ\õ‰¤2ۉà]cþ}$ãn‡{ ` Ùoe}Šîÿµ3Hq;ŠÁ|¶R…R†"Ö„%f‚U²711’2„ÿHKC~xš:÷†k›Z1Ýâ™Ã9£Î«úR@ C‚•`ã]±\RÉ ÈïÓy»ôÓèz­Ýa=rO5  î yÿ5AˆˆY%ºËæcBe<ó%£Ÿ%²mû£ˆa&KÜѧTpK4jßK씒 -;gÅ0±“ÉÛþ‚ƒpuoð¼«<8蜴½‚;wž}¼. 
W\ŸYM³¬¤ðbLº®;¢VvÖñô”÷yAŽ}Æm€{öuëv´@ààLCÉFրÿtÙñïPÎgÇ=ÿP§«Uêe¯ÌN~\G*‘f˜¹ši W¬¿€ˆ|å?'yYk’m´¼ª®7 zț/Uý£I¬~?®ëºº-²|VÜ/êCfù»eÎÜ´Ï¢µò¬ü;kk€æ…KŒà˜pììÝS?Ãóï®8“LT„˜y¬wõ_é³JËßÞtSXXÆ}>íîßùCtá>M[»ŸÈøã6üDQD…ß`}ÖT›S؁•b-Vð«›Ë´A(‡€ÁuTPý×>oŒž Ú{æÖUÝv–ÕWh?3ˆ)ÔÓ®f·z¸1ýxcpXÏoLí٘ú]㜁Åz[`¿}?æ¦ UCУ;÷´Ï»ç+ʹ84ÚA«Mz½ï]k෗£pŒt’¥}ÂhNáÀÖ: Z³½· -¹Ã›´†S‚¯ABqÑÒ¦©æEÿ–Õß3ÓaXµªÚþt¹h—«¤Î)Å -aƒhkI++žfÎy»"1l„]#à(©PÍÜ©˜ú> -ç\.nM-Ëü6_úñ‹­A_Prכ:õz…Æî™gxòEÙ™§œŽ°%œ%J„‡8—ÁÌœLVÙG\a:Þ$Ó³Å~ú˜8ˆlŒýÐÂ÷¯cb.ƌń'g>DÂfÇ)4¬ªþÍäÑe!Æcíåqˆ w—oÜ)ŸÀ’t–Ûþ²e¦ézݵVÔä#s‹p¹¾=øAÕzF&„JTdY² Q=ìĢϣ‹XN‹ëÒóšaÖÄNn ¸Å€{ŠJ/6gԈ|ŒÁ×Xu€|tbù˜|3Ä.²ÅÛîZLFÜJþGב]Ê\s3x½U Û6:ÿªô8ÙÑEú*ŸŒüÎ î€ø«ÕÐÿäCÂIg-¿}t·¿)d@©Ýw?x¼õÿŠÕ“™endstream -endobj -1029 0 obj << -/Type /Page -/Contents 1030 0 R -/Resources 1028 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1035 0 R ->> endobj -1031 0 obj << -/D [1029 0 R /XYZ 85.0394 794.5015 null] ->> endobj -410 0 obj << -/D [1029 0 R /XYZ 85.0394 769.5949 null] ->> endobj -929 0 obj << -/D [1029 0 R /XYZ 85.0394 752.4444 null] ->> endobj -1032 0 obj << -/D [1029 0 R /XYZ 85.0394 624.285 null] ->> endobj -1033 0 obj << -/D [1029 0 R /XYZ 85.0394 612.3298 null] ->> endobj -414 0 obj << -/D [1029 0 R /XYZ 85.0394 362.0579 null] ->> endobj -1034 0 obj << -/D [1029 0 R /XYZ 85.0394 336.0649 null] ->> endobj -418 0 obj << -/D [1029 0 R /XYZ 85.0394 167.8903 null] ->> endobj -951 0 obj << -/D [1029 0 R /XYZ 85.0394 136.123 null] ->> endobj -1028 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1038 0 obj << -/Length 3695 -/Filter /FlateDecode ->> -stream -xÚ­]sã¶ñݿòÌ %¾H`òäÜùÒË´—ôìLÛIò@I´Í9‰TDʎÛéï.vÁ/Ñg_Óу€°Ø]ì'@yžÀOžÛT¤^ùóÌaiÏ×»³äüƾ;“]þõ¯—Ÿ.–ÒY¹xûçËo®>ÑPÊ8¾ýðñA<ý=ƒôÓÕû«OWß^]üzóýÙÕMÇː_™hdä·³ŸMÎ7Àö÷g‰ÐÞÙóGè$Bz¯ÎwgÆjaÖ²=»>û[‡p0–ÎÊO&BiÕ©ž õ"ÕJ~¸½XjcOõ‘›²Yףzí}Þb+]ä8\H·(vu[P¿)Ý䲡ÿ»ò¡¬î¨]yý*ßðy›¿fê»üð¹›Y¶ôŸ3–U}wäæc¹ÝRkOû?£½=Ú{ ¤±”RxkU`í·cq(‹†Ž¬­é¿lᬵL7÷A6Åm~ܶÔyÈ·G†×·ˆd8TBiœ°.É`/܂h¤iCQk8Ì4³ÊfœÔŽgTõ àZš§ˆÀâtDx—Yh9á¥É 2sº…J„1 
4„`¨ÊM±,¿=Ììf±ÔÆÝÖÛüØàgԂ€åbWV(M=ÞAê¡Óއ‰n±­×ù–`¬`5pÔĝ¯[:i ' ówyÓ&ÉxÎ0…Ž¹ÙöuµáMËöžT$ŒÌ‹…8:ö²Z³’‚’z’tñ¯º*¨Õòª¹ ´'©~Ï@{#l¤ìÐq¥¥FðmþP H%¼t¯i *g²Œl- iyÏzæÔ´KD–y>ˆ§bN¿¤Þè8‡wž2D¤½™BïJ2"·Ù AešÅ®2µX!3 ú²á9 ¨â!®Ø×MS®¶… ƒDÆC<³Œ)wJÌëuþ bs‹œÈÓÙ wkþ¦ Ûϋè9˜f˜×{T´L—²e¦¬­aeûf(‹Ú -£õmOÌg4ª Z/›K퉶ö’Ý·‘Z€tõÄ7ÅÀÌ:Œ¡ø@ÿ#¬ÓaèDÆÏ  Ã¤¥¯×Öÿx)¡67f@ÞFHö u(?Âá “¤qÞq¿¯<Ú#fUX~lë]ޖ Û'¼%W­Uì{ (5oPɑ¾ÛšþñHu0êÏ¥CA0ڣ߅·¨Š €Ð˜ŽUÇH Dó2¨¸Æh_®ï©9`Þ 9ô‡74>XW“Bk·¯Ûo e¢û†¡îxa¸ÏÊpõ\*f4d,ÞÛ/Êe7k$‹æ¾>n‘JHBóícþÔPû±>|FËISζ? Üq'HêŸsçN HÖí«Ý¹ÉTLQj³ŽÒšÎˆ^¶¸Ìû‘Ÿd¾Jþ'ïρ!²îÀ%GôneÒ -°™ll¡P"ä4ÕÅӃFç•)äu:­‚™Óœoá¬UÙÂØi…6é4‚÷¥™ÀI¹ãÍjí4:%Å_¹¸­Kñ{¾ÃÔ1ÒX2E䀱qÛ?c*½–Êêxw÷Фbײ>äÍ},1¢—ZׇÅ[÷-`ÅC-fZ,œ‰Ãúºꌌ¾¸ØTsꯌÈL§]R/Ý(tj™ 2z¤\ 1£XWèA›ót˜·m±Û·¼¬¦Þ$[\½ûxÍ+(ÏغÞíŽ8½x)@Õ꬟eû¡t‹a¡ßGÁ/Öt³å—L3‘(i¾"͎˜*Ó@îä âö9§îÕEì V<ÖæbÄéa1‚†GPo`&‹Ì ø—$Q‡”|&¥Îðn]‰x—€ð±˜õJØLÙ>µ62dz íÒÑDgÈišüŽ¡{®±¡Ò€Œ0“ãÃâr­>†Æ:xÉÐ5Ũàm“Žc#…Ÿ²j3&‚Ò35wD©¦ó·3Ú:Ä|ØW‰ù2‰“ÅCŸˆ‰yO ÄMò™cÊt-2kÇ~óeVÀ÷öw!8î8ÂcOAÀÇ*ĺ„týž\ïXp2-\… ÏUýX0Po¸üþ±Úm]oþDp¾ˆgü=ĉßF.¦ïóv}Ëfa¤èI)SÃR=/þNl :UÆ⟨?ÒÀ:¯¨Ñì‹uyûDN*ÂýA°jߓEߍ °‘3’h—ˆƒoÜs‰®dT<‹ÎJAöKÀ IÛ\ªÑ­±Oy*.Ê3‰ Ö7É×m–)‘8¥Ê¢O¹': 1T“b.Ì3Œ:ž÷ì<؈H@-B -æ÷Ë4X¶1£š`öþ,ÚwòoÚ¼ åm¢_n$B§™›Ùª˜Ô “ðÚc§tð™Z¹¡Mf]i‘I¾H WޅD*‹Ñ -Õq·¢ËÉu¦ÕúȾ¯âeµªÁš kD9®“Q8Ød$\6Ž‰0ƒT‚,³2RÎj²L93ъgÄ£u⦕ù ©+â(šG™ g È×Ñ%Su>¸ÀW,¥’AîÛѼܳ:ÏjYf„2áEC%ͲR$ÞËW^³J«¢¼>OÏdb6IÕ43›o@HF Aò9KÕÂô´Â&Ó§•À¹z°#ÁBñ9àJxçÜüÓòø¢¤w…1ÿàÂ]šö;cÙÌ%TJ¸þ˜6r]×aØu˜çj+-Nۉ¦BNÐ7¸ t|]öaÁ“c‹bnŠƒwBxU€¦{-¡”hŸøBÌÂ^M.Ä~Ilrsýá»7ÓSqN¤6‘ç&AÒ¤D ÒØáO9qúr8ÿô%ç+Òp]Dº]AÕNI‘:YšÚ-'IݬH8ÅÆrD'ü.]´ù–yð‚²æJn³ñ»KÇþ+SÉâïŒ( ¼[Á7pšo-iiÕ~y|Mh4¼B '뀏L§“›N˜lýdO4å]•·Ç˜›iÛE– þ8€n¨{lH 6>™À"ÔcB8 -¤è®rB/¤[¡±ßÕ&Nj‘£Jߧ¥ËTg‹Ë¹úv|‰J×ò®¬ò¶ó¶ƒpóŠ -läÄéÌö/!%çúc?£4J2Ž­žâ~ÊGJ¹˜-Œ/·ÿï •%$"±qwÈw»ü@Œ¼qt.ÔyÐb›¾à»­HäÉ4bÍ·Ûú±¡vp"ØØAåYî·<qb±¥¦åp^OE£N ¦R£²|±Me,H …¢ÞÉIš9H+¶,E®>¿öVA*¥æ2B,ÖÅ\…È¢¼{éKK™=wùÎ †Œ -õìäJ žcQ L¼3è‡ ¸@  ”— ‹?œ²ÙpUÈ8©DJ¹D²ƒwé!Tjiƙ&ōÄtϋvô¼hb¡pz^4“7E;}StÝÓ'ºó‡bõi „½¯ùÝ2”F€øEȯ9Ŋ¹ZÇB0qéWù²[5VÂ@–¢wDüx5üÄBe‹kÈú¶ùÙBÒ ›ΧõšÏ !#¶Ôä×>ÖJS‘ô–ý5çûŒÿ Á‘ìbΘ@¾ä&©Á €Sm^n›7Ñ}»)šõ¡Œo%Ï~…`-Ô=Ö|µ™fݚçÍÔfúš’:¢¦çaê¡}& - -6«’ô…4¨›¿.8MBNñŽ!ú´G 
ٔ$“jHE¥‘t’ u³^ ä[wa$Ü)¾H$@tæ<¤äVw2I±” «Ã±¿½ ñ(°qݗÀá[&q¿ÍÆÅ­J…vÚñ1¥€ûßAY•†HL®\›öœ«×/µ‡ó¿ h­ðY–þ?±†?!¸,S^8( Æ^ø?ßÌÉö6i;ùªäµò}G•IÙëQwåÿS¸=µNðþ…wo¼¯HNgæÂÖ ¥ºÛ™Á%ˆrIW;5Ô}÷ñúúê-µ©fiŸ¨G‰\Ýâµ2æÙe‘¡×Y…4 Á'l4è·q¬…4ò%îæ/‡ fìæï؀#Ü 5ªûDÙ5§¶g½Dà 6²Ýt]F‘.ã- -¸ºÄ§c ìä­e'oêÑ£«–ºJwï@0ÀŸr±?®¶åšÚ!Ľhiºr†?üd%?BÖ û嘘otÒíî}ë°åëaB4«"a+^”%( -£ÓR¡^AÀ¢]bžE셤 Mo¨U”ñýó§u|iJé»>É_Êø¡­¥F/2ìq.­zãÙçý=Úx]ÜéXQq!æû¡Z‡‚)¡OÆR,Y܇ïÓ,Ê(”žáI¯Âó»;v¥Œæ p^NÝ6¼ú5mŽµK¸~`9p„«Z•·ctIx­Ä qÁ}ør2Ðå‘$ñ«r3X\ñ¤øéVQ¹–ü²{údßG¶]AÇo{ì!;¿A_IâÞ}’ävÛMž>}–U¬JV›z:Õt Îð댁ó²½óÏ}h«->¸ÏÙÒƒ?ünÿ…²ÉÀÃ;5ïHTæð«&‰ByÛô„òøµî)éÿÊ[¨-endstream -endobj -1037 0 obj << -/Type /Page -/Contents 1038 0 R -/Resources 1036 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1035 0 R -/Annots [ 1040 0 R 1041 0 R 1044 0 R ] ->> endobj -1040 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [87.6538 396.2754 137.7628 408.335] -/Subtype /Link -/A << /S /GoTo /D (tsig) >> ->> endobj -1041 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [396.1961 286.7149 464.8681 298.7746] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -1044 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [432.8521 109.336 481.8988 121.3956] -/Subtype /Link -/A << /S /GoTo /D (DNSSEC) >> ->> endobj -1039 0 obj << -/D [1037 0 R /XYZ 56.6929 794.5015 null] ->> endobj -422 0 obj << -/D [1037 0 R /XYZ 56.6929 270.2232 null] ->> endobj -1042 0 obj << -/D [1037 0 R /XYZ 56.6929 241.4762 null] ->> endobj -426 0 obj << -/D [1037 0 R /XYZ 56.6929 160.4328 null] ->> endobj -1043 0 obj << -/D [1037 0 R /XYZ 56.6929 128.8764 null] ->> endobj -1036 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1047 0 obj << -/Length 3050 -/Filter /FlateDecode ->> -stream -xÚ­Z[oë6~ϯ0úR8֑x‘Hô)msÚÛ´{šîÛŠLÇ‘%ג“fýï;Ãʒ#×)ZøAˆÃá77ÊÉ,†_23:Š¥U³ÌªHljž›‹xöc_]$¿»xû.3ÙT¤³»Õ€—‰bc’ÙÝò§ù__}wýþr!tmiî²ÙôËÔùƽA‰A5Yd2¡g‹$‰¬ÖÂËúsËüÁ¯gºÝ]&fÞtMÑTܕWÍ®ì֛Ю—DÐÊ@Üç­[¤Šž#>®…Ýä]ÙÔ4æe¾I»b™wyÔB/ß 
-ºi$V^Z„§H«qÏK÷D¯ÿ0P8"s—o6ùŽøélpNÀNhÄmž8¤ÌëêÊ«JêȤúHSE•·-ÍþŸŸ‡q²ÃMÞëEQ• G?Ï?òårçÚöƒŸñ¡‚c¤þßéñ٘›p[:ºESWÏ4ýÙµšÝ‡º¾­#›eéx^MÍåùŒæFQ4µÖ›Ú}èíàhîB%‘Q2¿òûg' L$U¬çð¥X‹º<@¯Gímþà&,ø'}Bš%›¹_þ%'`“ÈD½ô2Næe‹O‡šÛæÉíVûŠ:kÜv¯\ÞíɄh-È­c¥Žn3çÊucÞ;£u»G·£Þ¼nŸˆî'~yûµÝ»Ý3ŸŠL||BËr…2­‰Vwˆ™ªùÒm]½ô¾ ›¨t|>­$4í:òö#L‚“j1¿éƃÛ|וžÊwí¾u¤ W͎ˆrNÚ/×n«’yÑV°Ïuûm;e¦Oà˚=e?’GE¯Ôfæ{†ÍÀIë Çöxf"­g{žú%b„‚ ¥Ï|½L"@µÊ•”$þÈ —”GF’OÅRABçßnó‚û)@=•UESîy¬u®&êþy´N»¿MŽWb§¨¬ž_1^0ž¦öØc–d’&#烻ÀFŽ3¼ƒð& rEceǓچL7€í›ïùep}]Zzsĺ †;òûBgQ"d0JöžÇ©‹4*Jc™ÎT¦ ¿’â5ɋˆ¬1f:uYôC–>/É'Mi+ÔaåÞa ©uq¹ßß&dÏñŒJ$QœÂ!„ô±gÔi”eI@~³:œŽ'ÀŸ¶‰Y–ƆߣÅ"‚„ÌLal*'“r½4HÑÜ "ØP0@Âc ‰Aœ¥›Ÿ:vô`ÃÆ ° F÷+Ÿ›ŒdJT©l‚úÿ:ؘãbÈr -lQ¥ƒ…ÿk)ê,ûûdì9ž‘üadðôFBžÂZøµÉkápr¬¶ ŽùLmâo‰Ìkµ'#%cñ‡Ú`*¥õŸÑžÁWDï‰ò°ÑªåÍuùÇ©ts!-  l”Áœ¨Aa«©V~OëKGŸXQQ÷X.Ñ R9Ï9?Û¸b×e»¥X’-zBGڟ3 ¶®rEè }>bÅܧv $~*g)È(,I{FꞅXBH§Tvw¾¢™@/T &„,c³4èGd ¨!Çê -IJ’D·/Ž°ÆK » ]n;~qE:Þ0Ç` žU_â%_ý¤Á²ÞnXÔÑ.ʕ±ö¥ ”özÞø5—˜Íû択ÝdébMd`ôL&ª"ôÍG‰hK|K~¶åCí µ£®Ÿ…ȐR>³ƒŽ>óz ,ê`uï†SÚ¦zDøÅêÃf‡3ˆé2 ‰N#‘óÏCé ‰›±*«ŒJ4aý=uxø û8Ôúú»êžò°£Ë7A ‚¿ƒ0ö¢Æ¥)a믪¨9÷<ô‚»|؂ç$;ÔûfêêÄ»aėû-ÇZ—ïÝÀÆT 6°«ó -é£{ ìû8>¸Äm¸ áj–Êf_‚5#U¸P6Õ·ÆKõm^û»:É·x2˜tlù~ -A@–õaâÀU%Z L&òxÈ¥˜À8òæ`*û`*é4à Ùג¨`k~ޔ(Ú@–‰óî@÷‰X/‡?Âï¶9P -é„8ºDÉ·[Y¬ 1¨§µWPWHP‡.¼–)}}‹3a/H™à o ”Îæÿî™á…^˜°èmÁyµwD–ÌÜޛÁ…Âñ¼z -°'Î -@•ÚóÇ câ²LXÅb©p’Öçô¤'¢¸o%æW7#Ù\aÊœ–Ó$Öù£± †ß*Ïå%^~wz» -¡îIíËûÒ³‘exMÊ×ã-G°—‡—å$2[µÏ—÷®pKWÜ×ø‹?âÚ®ÁLï|/TuJ¼Ê0ãäEºÀñPš35ˆÿºÔï|Px8§<\rbƒ/ؑ.8a×2ŠÒãøxø"ýIHö?~sžü2ýö-M¹óƇT»nöՒh®ÙÄ/*ž¼©U»î©Ù}l£?÷Y;‰#ÿ{køûîïýgg؛w8’îû_Aacw¸PIù eYp£k¦„I€asRZæ‹.?l¿^¦œj;ü1€×\±xkbF^û`G0¸c¡Âjö«=}&|Ãwí˜ÿxېµuíÉOì •$C´Lý-„ÿ¥™øMÜvÿËÙ9üŸIe‘4FLÿGƐA -ð—,îJgǒ÷ÿíy)úÿÓ±µendstream -endobj -1046 0 obj << -/Type /Page -/Contents 1047 0 R -/Resources 1045 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1035 0 R ->> endobj -1048 0 obj << -/D [1046 0 R /XYZ 85.0394 794.5015 null] ->> endobj -430 0 obj << -/D [1046 0 R /XYZ 85.0394 728.7887 null] ->> endobj -1027 0 obj << -/D [1046 0 R /XYZ 85.0394 703.8893 null] ->> endobj -434 0 obj << -/D [1046 0 R /XYZ 85.0394 574.0702 null] ->> endobj -1049 0 obj << -/D 
[1046 0 R /XYZ 85.0394 543.3965 null] ->> endobj -1045 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1052 0 obj << -/Length 1252 -/Filter /FlateDecode ->> -stream -xÚ­XKoÛ8¾ûW9Ù ˆ)Qô”flŠMÚu½§naȒœÕÃ)'nœÿ¾”H=-%jø`’ÎÌ÷qfø€ŠÆPÁ&0ä(–c¬A¬xÑDSnù·Ë ”2j)¤6¥>.'§&Rà˜ÈT–›†.h¶ •¥ÿmjf\ƒ6=ÿ|squùïâlfÓåÕ盙Š°6½¸ú{.Z—‹³ëë³ÅL…6†Óó¿Î¾,ç ñɔ:>^Ýü)Fñ7 t1¿˜/æ7çóÙ÷å§É|Yai⅚žù9ùö]S|ûÓDºccåžw4)ÑÄÀ:À†®—#áäëäŸJaãk1µ—?¨¤s®Ž ÄVƒ@ˆl` {‡`êH/dûm0SMM›F.eAú!ÇÄ«cTmH(…N‚7چJb.»!ð×'bŽªc`›·§>õ„͏Üҁ5£ݑྲ&¬œˆþc!Þ«êôTˆ\»Ì»M7 Eà I3*:qÂJ¼\2ðEg½ÿìNݦÁŽ$™œ”»ú˜)”¨-Òz¼ÿ Z]”zËáE°É¨4š^–R²“]¤;âÉKÄII Z¯oR[—ÀŸõãKšìˆ/¹¥?”¥Äc%KõÊ$›_2.€—DbàW}^•ö¼$f.‰I|+5Æ¡\ƒm¶‰Wö\Ï (%ë2ï:€·°ØŠÒܛVè ضå´Cçµ)P®D#:úG§À酁”jÎ&7nX<—-½*sHç¥K+‰-êÐWæ² âë/+\êF‘› -}­Ôϗ¨c½CTÞZÅn”ÑäRÚâKJ OÍ×֚̉öAFo薁,GîHÌÚ",[·6Izï¦~kÌÂàÖe<ŽÕ:F¸e(Z‚\ Ë2ÛÔòüOîUžïd³o§¦ïóȦ«"yW!¡Ò«§¦ÆÎú e?³ }/],ucº)I{•º&Îlëóhx³oBºMx -¶‘Š/+ñe•fe>ÆB–Êå*W©ÿ&ì4é[b²]åêdAIRV ×^ž!/[a-&=õÂäŠ÷CÍŠÖ±ƇK¹“4èÆnG‡OÜ0ÛÊØ/Ú«d˪2ÞKCoŽìºJÒUœa{qƒß•É£ -×÷®Áo0ùcDÏ+„VÝ^ÞüæQ?ñ+nÛ¨zÎ0ôƝY60l®D:•ãÃö‘çåãȱëÿQví}endstream -endobj -1051 0 obj << -/Type /Page -/Contents 1052 0 R -/Resources 1050 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1035 0 R ->> endobj -1053 0 obj << -/D [1051 0 R /XYZ 56.6929 794.5015 null] ->> endobj -438 0 obj << -/D [1051 0 R /XYZ 56.6929 516.9892 null] ->> endobj -965 0 obj << -/D [1051 0 R /XYZ 56.6929 489.6463 null] ->> endobj -1050 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1056 0 obj << -/Length 2937 -/Filter /FlateDecode ->> -stream -xÚ¥ÙrÛ8òÝ_¡GºjŀÁ£ò”ÃÎzj㙵=/;3•‚EÊâEjEʊ§jÿ}ûEÉtŽM¥\h6º@£O(ÑLÁ¿h–ÙP™<ž¥yZÙÙb}¦f0÷á,š¹'š©Þޝ½ºLô,óD'³»åHVª,‹fwÅoÁ»¿¿ùåîâæ|®­ -’ð|n¼½º~Ϙœ‡w?__^}øõæÍywW?_3úæâòâæâúÝÅù<ÊlüZ$¼Àpyõ †>ܼùøñÍÍùw?]Ü gŸ7RòŸ³ßþP³Žýә -MžÙÙ>T幞­ÏbkBã1õÙíÙ?£YbÒŸ5Yh3N(Ц#FQæ:5³Ôæab´! 
®w÷®+Ïç‰RA×o«æá×x:XbEan­&òuÕÌ·år[v«y_­…­Ù­ïËí—ØÜçïc‹F«õÛ§ï_ë{™vu_Í×®ë=ÙSÙ}j·Ÿšö ûû³|šÕ¶\ôíö‰é6®_}jܺd†¹ÎÃ,KsL˜G*&¾ÿÒä«ËXφM,Qxœ†*±¡9êlSØ¿Ú¦dÓ»í]_®Ë¦çÏ÷åïJé¦ê«¶aŒk -~íÜC9,t0XGƒ)ÄQ¢¥é8 V®c¤ãÁ[!‹vóÄTí’1½žËSËv{2'æ‚2É€h_Õ5£îýÔ}]NùBßòýo¶çQ´U!ávýªÝV`€Õ£G5ݾÜvüÁû êÃS›±* u}¬Ý»1´ ©Œ ²@ù]F /1*̒ì«F`Ò0ɵ%Åuµ{,¿joÎçFY!0‘ÛBdÕñèx  (7uµpL‰F0š÷–â…@úŠÓ„¬ì¹ÛëHCâÔ² fí&v 'ʕJ„®®º^6¼)D€)¦£˜È–‘ƒŒÆuËÇÀ¯(¸ú…±®(Ýue' Kaðö0ûIǼýÊõŒfCÇyÖ"‚‹¶éÝ¢a`Ħ½Û€× }–‘v ˆe)ï0,¯TqWçQ°.V BeMñØKs ®îZ†Èá@<¦…nj[´n -ëÃÂxð4î‡ð¸Vû0¹Þ>1AQ.$­¿¡è8è·à‰ËÁ *'QäÀ€^²G¯¿i·=㭑õ›©,GÚ0CÐê^ãF  ÉZ!´Ð‘DB¬\óPŒ¤¨€€Ã„ÓÃ¥ϓ Ѽ–OT~†8Ð&'Tæ3º‰ ,»lÌD±l&Äx"ǁÍIŽÌthtNK´ ŽI7%QÎ}Ȧ]G‡Gª¥þga”Õ¦xÍøÈä±ÎÌTð*X¸7§o¤ÂèK£gœ`Ñ´ãBè^È -"í«~5uÏ’EÁÝíÕ† –Ám¥JWKF9Ðçë’a:5ìü -Ð^ÌJo˜†wÀqøç 俟Ì<{H.=ŠÑÅ( ¥Vì 1~#ïa¹’S(ҒæCâ”g[$?ђÍ{«[ð‚Y瘼Kå‡=hE†‚8ǟCN”\tï¶=ú­ÂjÌs-¸€¢EÇ܋v q¥à½kp¿ªYˆŒªg†v‰êš¸k¸Ÿ²@i&9ì aÜÑ|·á/Öe]A­ ¡QX ©Á\ñË{Š€4Ag€ñ$ì«¢_…SZ»nûÒ3Fn„$¨ æõ ìÏü®¬ªš?€“Ê´±Ú5âQ…ŸYz¦v×ÁÞ:½qMœ“½ /–;ìd¹×´~`@m#Ç»Œ· ;k캒'ø½LÔ`£5ã úKpƒ%«r-,¨‘‰K†ô1XÀ”B(#Ùà’2,& Ïn½©K4“<£»¤ÏŒzÈr©ÑNs—G%Ž¶6Ì èâ2@–%óËܑJì:'ՄÆ"ÙøÚg]=¬Pu dŸÚ¡5›$—+N2_ -“9çTÄW ):aý&• ¼€¼>¶§Òy -…³Ò“ ò™¨Jƒî ¼}ÝñÇ}¹’j5 À”ž„¤n÷µÀՒǧvÇÀf×3=t•ŒQàÛÑr·¹)G… ÷PK³­6Fj·£( -Bïߓ­Æ¸†ÿ±¾`Ôj$&T‘I¿G¦gy±ÙHÀm¥×0Z‡qžK¯Ñïî¿¥ÕÐPº-@ÆÀqª9üŠéƒR®6œšâ!„ˆŒ”†r0éE¹é™P*rÍ1ÇQÎçl¸¶A+aúɼ}‹éÄ yFN_±äÞ|݁ŽPÕÖÇâ5ÖP _È]Í-ëF,uðîÓ°Ü´ý±ŽzH3L_ðÄÆmE´í÷ÀûëÛ×¢éU)*9”ê¡ËÒõ»1~(·Ç5H¦7Ï ÍVï°;¡ -s2K³Lo ZoŠ0®ÄøãwH&ìˆ8…u(ÊÁ4Ij£’b`‰ËC¥U¤ÉóS¾ÎNOÛ]dàãž:»MÂØ Ý7 -+BH†Ë _·y˜¦6R¬Ýµ†ÞŸKônÌ=ÈN*Y—S¦F•ÄÇG:);±Ä”öMGx¯{ÆÀvÐv[2ªŽâB$Å$ÌËû;°äŒèvlã:Fríj}T@ÌK¯“(@+ëi3ð±w÷ي®Fˊů2ÜNûظqoœhöÊ$òòdž…ß>(·ë]Q/7wP“A›øyèÂÉC¿_bg@¼XUµØCÃsœÅ­/”Mìc”…£ÈÂôºtäB‰õ©µÏô'™³]KpX8nr1zƒ“"Ýîê‚ãÉCé£j˜PÔE -¿oòBáÉEâ|õ…‡虇–àq[½ô-x.쉏}ž>ÓgoüCã®3ò]g -uà|2/úVTûß#𤮈l5Ê$CâóÅÁRÐÙ›mõÈoµÚ4?Û?yf× ¢n.ßEy6Ùá2.‘Ç_BŸÀ+ÃñÔË¡!öXºªŽ‘Ò°Ÿv›¾›ät©°j渉ºMIrۍ›j©sD]¦Iä2MêŸgøò¤DÔ7å¶q5cEÏfôàJÌòÆ#ÕñpåàAí›áÖeó²Ÿ# ?÷H€™àË?þŒlžbmB­èÈ tEšƒ<ým\ ?¯þð/ñ‡ÿ¦C‹•ezh֎> endobj -1057 0 obj << -/D [1055 0 R /XYZ 85.0394 794.5015 null] ->> endobj -442 0 obj << -/D [1055 0 R /XYZ 85.0394 636.8504 null] ->> endobj -1058 0 obj << -/D [1055 0 R /XYZ 85.0394 
606.7365 null] ->> endobj -446 0 obj << -/D [1055 0 R /XYZ 85.0394 606.7365 null] ->> endobj -1059 0 obj << -/D [1055 0 R /XYZ 85.0394 582.3251 null] ->> endobj -1060 0 obj << -/D [1055 0 R /XYZ 85.0394 582.3251 null] ->> endobj -1061 0 obj << -/D [1055 0 R /XYZ 85.0394 570.37 null] ->> endobj -1054 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1064 0 obj << -/Length 3269 -/Filter /FlateDecode ->> -stream -xÚ­ZKsã6¾ûWèºj„àE¨=93ž§2vÖvj·6Ɂ–(‹Y‰TDʎòë· R|IrvR.ÁFh4¾~bf¬´“ÈjrNfë >y†¾OÂóLk¦i›ë»Ç‹o?9±Ìi&‹Ö\1ãq,&óŸÃ$»„xðþîöãͧŸî¯.#<ÞÜÝ^Neȃ7?\SëÓý՗/W÷—S‡"xÿùêÇÇë{ê2~Žïnn?ÅÒãȤ÷ׯï¯oß__þúøýÅõc³—ö~W¸‘ß/~þ•Oæ°íï/8S6'¯ð™°VNÖ:T,ÔJՔÕÅÃÅ?› [½nè˜þ´TÌÈPM¦BÆCyb]ZƒÃº¾)„ea(¢ÞºÓv"8ŠÑ1Ó8ëC £Ö¡XÉlM¢Ð2£`a<“E±}M¶sÔÍ·µjqGS -Η;¾+Pfă_¤Ô4äRÄÁœˆyŠô–•ôLèñšì©Qôœù/œË睛"%bkÎ,&Z‘w&Ú¤®:/ÖI–£À ÚTfÃP:Ÿ’2+Ö*—vÔ%(£ Úoґâck•W­Lº“E¶Y’Ó䠘 -wæVHF¦7ãÚÚ³ÓO%rZ!ºêIòù·Åvd^z‰b՝7ݖ#S‡š)!e_;ïÀ$¹ ^—Ùl ò‡ÐÌV+l‰ ÙlV{""ðùû.Ýf—"H˚¹Zú#Z¢ó°¡j–;Ô'à8[ÐjûbG„×Ä3 -PeW¦µD™圉£ ¢zý0§wv¡£«öÙ2ɟQYJz­)'°L^2§t ;•ÕwËàyU<%«10¨c!Î:eY fÝÑMý yµL*Z1+ñxC5„# a04=…qaë06]8Ñ©ã@F °¹"_íîˆl -x_²YJ”ÀGâ{Ÿv~:è7 -¢ÐéԎ)%¸1`•éç¤#ñÏ2­¨AZ™x(ˆâ!Áƒž…?Ulx_]É&ýg³qk¶‡Ïw?ýðaLÛ»G -àO>¨ã*Y? 
X¥É‚Zîœa´ƒìžÊσÚjàVu¹¶D„œÐiàóaÓ;ªŸÏ\»tC¨ !—¶¦~oS_¾ù»õÁ[²––M—88žÃ=̹‹ñ¨w±óÿªPÊÆ&íÒb!ÚBƒ‹!AÒ£æ´QLðX7ÞMÝ¬i(^´nîÕ°¼œ -e®‹$#`àx1À¸ê) Kpû¦¤6Åcl­ñÞ”âc6KïOžaQ¬VÅ+bÂQ}oBk™)Æò~5³zU4?l´‚7º0^í¡)(:lÑCãpÃ*Õ.]fSGwæ³\ÖuôM^¥Û<K5uÄbɣÄâ¡ -" w¯ÖϚò Ü­Ó9£¢Õ{Œ7ý³b덬jý^𒔾oüV{Hx+¼Ë˜%¥wÎIĀï$ëÊ·»ehò°VÍ2-³âH±Ç­ª drJjJá‰x™S“ -}h$¹çÁø¸öî ˜û¸ŠÌ±7Nß¾Ü<~ã§ü‘:~sÚ@ ÞúB–}Su °Œ-Jv!Ä.“V†1³ÖêÞÉ´Esç‰¢ę—d›®¢G@îK¨õKê™'Uò„ŠÆ”œCž¾ÃÛ.7Üs€4[ê…ʍö±ÛÔì›m†Ðò3»tǔ=‹Üe‚‚ )ÿM÷¯Å¡j> hKŸÆ,@ƒãöµOHªX­îó"߯{#,0_¦ûñD]åuzªÜÁa‚iú’®Š ݃a[ žï?_Ý=€=¡A«Ø-Ô®ni]ˆU1+VÔ5k…uš)'V² ¬³9¸‹ˆ£‡QIý‡"3ôà3mGWDÀ{Ö±Kcoaݺ˜ò¬p¨ðý!¯Uë69f@’©(6mb#—/S!CÇÆ@ôÂ;äXµ»òŽÝo$º;\Uu¾h@".À'J-!–@ý‚㙦m®ãq¦ár)ºü)œ?^Tôàn…ïxrõ†kdùrqxÑÜYþ!M{~qž–³mæ/¡¼Cª×FŒK]ŸUý«Rpªù@×Òí}Ê8dëö¨sû<¡Æ};°×ügv<œ—¶<;lñ Ó}‘Tˆ€–gœ É5˜ éƒ× t€‘@:bΠ£æ:(/÷GÀ!!¹Ó­ãàð\#«wÁ*Œê.ÿw¢£ÙD®‡Â +êìó$8<ÿ™ç};8´e‘ò´ê%~¨•Ö¼"LÄôñò8:®ƒb«-‹t;ˆäà¡þnÏ<HÍ5"@ èNM_‚¿ í}ô7¦ó­e€´Ã(Ô¶³ÕiøÏlz8ïÛ1b ˜P0ÛIí7\ç̆‚°cÑJ„œA!y&Zµ¹N ®æ:œÔnIA:tHp¨ÜèÓ«7\#Ëwñ&ðÎ)ê®ÿФ˜ -ñ¸þ> -%D°,ÊÊS“æC8¾ÔE2¹« –»§µKc ýa9w6#†·D¥M–D¥Ô¨k¨Rßö— -`覮  nª6ŽeÿZ¡¾Ü4¶ùšïD÷yšûïù‡%|ÈæÝ{wSd·KwIeƒÛ¢J‰ê±x¥þ@?Ì]˜hω^ÿ€Ì¤0ðÑe…[tðuóãèMÐ|î?»ö*¯,/ә¿qûGý gˆˆÌ‘ŒÑIÌ°è> endobj -1068 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [284.2769 238.6772 352.9489 250.7369] -/Subtype /Link -/A << /S /GoTo /D (access_control) >> ->> endobj -1069 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [282.0654 208.0269 350.7374 220.0865] -/Subtype /Link -/A << /S /GoTo /D (access_control) >> ->> endobj -1070 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [299.7586 177.3766 368.4306 189.4362] -/Subtype /Link -/A << /S /GoTo /D (access_control) >> ->> endobj -1071 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [184.7318 124.0912 233.4785 134.8756] -/Subtype /Link -/A << /S /GoTo /D (dynamic_update_security) >> ->> endobj -1072 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [330.7921 92.1656 399.4641 104.2252] -/Subtype /Link -/A << /S /GoTo /D (dynamic_update_policies) >> ->> endobj -1073 0 obj << -/Type /Annot -/Border[0 
0 0]/H/I/C[1 0 0] -/Rect [401.5962 61.5153 470.2682 73.5749] -/Subtype /Link -/A << /S /GoTo /D (access_control) >> ->> endobj -1065 0 obj << -/D [1063 0 R /XYZ 56.6929 794.5015 null] ->> endobj -450 0 obj << -/D [1063 0 R /XYZ 56.6929 446.1352 null] ->> endobj -1066 0 obj << -/D [1063 0 R /XYZ 56.6929 419.8946 null] ->> endobj -454 0 obj << -/D [1063 0 R /XYZ 56.6929 296.3851 null] ->> endobj -1067 0 obj << -/D [1063 0 R /XYZ 56.6929 270.5629 null] ->> endobj -1062 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1076 0 obj << -/Length 3397 -/Filter /FlateDecode ->> -stream -xÚµ]oã6ò=¿"èË9@͊%R¸§ínÒKqÍö’w‡¶Š-'jdɵäÍú~ýÍpHZ_–Z´E˜93ä|Kü2€?~©#„‰¼T‰dQÀ£ËÕö"¸|†¹o.¸ÅY:¤eëëNj¯nbq™°$ñå㦵—fÖüòqýãâý?Þ}ÿx}µQ°ˆÙÕ2ŠƒÅ×·w’ÐÏûw7·ßüpÿîJÉÅãíÇ;ß_ß\ß_ß½¿¾ZrqX/ìgÜÜþóšFßÜ¿ûî»w÷W??~{qýèeiË˃ùõâǟƒË5ˆýíEÀÂDG—oð0ž$âr{!£E2 ¤¸x¸ø—ß°5k–ŽŸŒ4‹„Œ/—€,%ÆO9`A§¶T’3‘ÈП²=e‡…§œuµ,«&ßûóP"¿lo; î±F¨‡-ê–Mú™€Fƒp]¶oÒÜR^W[KrYµe¨ôþG )»öFþÃxZ˜Uðd¿ªìºk3°쪲vx-÷¿&Èƀª-=‘ˆ0(³æ­Ú¿š¬D“Š!ødðð)Ý瞁ժ2;­Así^•‘$èZ9H£™Ç]fUøÖM+ŽYÀ¹sVö‘8#XnÑ¢Ëè©~ß0F"·b\œÝc“æÅ!Q1á-wzžu<éОºH!܎$S!¦Xçoé¾#é™'Îϙ~AOÅɌ鷰&Lßa!ÅuÚ¤Oi ì^H¦!­ž¦ì±FHwî+sÑ¥ý€ÑÌDéL8LŒòˆŒ38ñHóAŸ,–õÒzcD©›jOÊî7–K`7417pöƒkNK6UQToF ‡1D״ϳóÁåË^³ã›µK "ù;ü-Á˜vä(s%ídJ?&hdÎÞ^òJºÊ–ë¬È·¹]ªŽ -¥r ’&ÐMíÝ>=^ÖYÙäK›[Z¾;ÎÂ$Dh‰²6ƒÓE0\ä— ïE˜I¸pPžêìא¡gÏ¥Å#ùéa—ÖæŽÍDáù°…Õ4;vú)s~ƒSäñÍoJ?o©Ò> [Y§PõÃ‰²w§Ž¨fa¨mÜCÉ[¾œ/‰tÛáBÆç&¾Ø?5_Œ—/ZûòåKÜ/t•/ìœü ¢aMã2µ5 R,—Ûl[íôH‡°^>)d =:N­`¦ÞQ6r‹Ž´*st u2Z”¨eu/koÒW{Fûì–"oñÑ慡„ðV(¼…'MÁ‰]U×ùS‘ÑT¾!($¬9æiAð¶?‘‹õ>·¥L½`80à§,+ Väå+Åd‰jRÔú+iKl -˜ÌÕvTÅêt»+œ‚8¢'Ù3§s«â°vHi|W·rtUOʔc—§–ÙȖN€¶J?;aìlà‘ªšÏž6ÖùÀ㱌£Ìáwƒ°Ã%8U%¦éz¬°.Zc‹¤Cù!˱¼^íóÝéD«±B¢X ¤³®ÿä'Œ}«’ƶˆ" „OTGDšÜ?_Òà¾%¬ÇŸv¸/ »:‰…Í,3Þg \>ãQ2sêk†‘án“©„š+ µžÑ°ք†9,sCY‘=§(ý²ÂnQ_Õ¢2Ádš¾C¡ßQ´f±®é0ðèÚ*ÂôÙvJLãÊT¾»]AYzøú%/›VÌD<ª-äjK©ÕâÖv\L§Éî0Œàša,]ÒqÌê±°ÁY$.M«è·_\HÛv•aêhـ -9wȒD÷šP6~¤>¨¦Öë¡w6¿½²˜6n…Ýþ=ú˜z*¸Ï+W°8 ¢åjaM(—Ã2…Hµ‡Œ~=L›9‹¨ü$a5B¹›6Ç,Š  鐦ÖgFv„‰N‚ÛØù”WB`« ”ÒñoR.ü¤m>@ 
“FuGj§»Œ¾ä¬jXÒh®\Ýcb5Ñ\¥[îÊ‹EU½š."ò]Ѥ«òÀù%œq,¢º=œ©µ…=ØMž.·þ\áp’RP˜|ΚÆ/)+¦eýFA³&c>]Œg±Ö®2t9ôÈ)˜î¼¯þªCaé§X[XžRVû-æ&rÇad«æ L(Á ,ÏÖg Œ 4Ös…cë¼x¬–àùŽ´ÿ507IÚ!î7ÿ5âÚ?P9ÀmR]Ȧö9v¥ ôŨN‘éÃc†YTOæ¬ÖU†åAbü*Næv¡qK\Û :ý`ƒQFJ¶âiR!4¢Ja”0uj´˜3ÇYzS‚ T¢Ö öà¬R›Õ!nQ=Ó ¾Gù¥:ì¡Ð¡!Äf$ašûFàúò•ev‘u10«0R=wk\'T6·ÿ¹¹g4y ˜ü@ ýäÏee;› Šß×E ßmŠف^VMɏ cD§)¾°ž“'LIƒv»¬´j? !GÞ¤I!X%¼ÝyC«²ÐŽUýRŽ6¤zÂ¥V†Ìx7À -cÛÍ{£IrÖp8‹ ~& §uÞpŽm- «P`òË?e{zaŸžHšb°ëü¹Lí·øbQ†º[þ7‡SWCPK?Ü=<\¿§1îaxÒ-Ã7ó.G`bGºf{7éÚ­;}ï…Oë¼~5oÙ¹;C&v®r¨ë&HÀÍñÄLzbúÌ÷èaÄð#ò‘‹‡ÛýùÃߪŸ>䗊A-&ÎXJ3-å˜ÂSÖ…šEZ¨Öÿ¶Nœ¯endstream -endobj -1075 0 obj << -/Type /Page -/Contents 1076 0 R -/Resources 1074 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1084 0 R -/Annots [ 1078 0 R 1079 0 R 1080 0 R 1081 0 R 1082 0 R 1083 0 R ] ->> endobj -1078 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [259.4835 478.4263 328.1555 490.4859] -/Subtype /Link -/A << /S /GoTo /D (boolean_options) >> ->> endobj -1079 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [387.5019 224.9363 456.1739 236.9959] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -1080 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [381.9629 194.6431 450.6349 206.7028] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -1081 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [398.5803 164.35 467.2523 176.4096] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -1082 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [393.0412 134.0568 461.7132 146.1164] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -1083 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [255.0796 103.7636 323.7516 115.8233] -/Subtype /Link -/A << /S /GoTo /D (boolean_options) >> ->> endobj -1077 0 obj << -/D [1075 0 R /XYZ 85.0394 794.5015 null] ->> endobj -1074 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F58 627 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1087 0 obj << -/Length 2798 
-/Filter /FlateDecode ->> -stream -xÚµZK“Û6¾Ï¯ÐQS"x`öä8cï¤6N2žÔ’ Ò°,‘ -IÍX©ýñÛ`ƒ)¾”ʸ\c’à§F?>4؂Â?¶P! #-t$‰¢L-VûºØ»÷7Ìc‚´Qß>Þ|ý.䋈D!›–,C¨1lñ¸þuNnA]¾ýñûû÷¿<¼¹Õrùxÿã‡Û€+º|wÿŸ;¼{ÿðæ‡Þ<ÜÌ(¶|ûï7?=Þ=à«ÐËøöþÃwØáeDèÃÝ»»‡»oïnüþæî±±¥m/£Âòçͯ¿ÓÅÌþþ†µxJXñÅþF*A”¢nÙÝ|¼ù¹Øz[ýtÐŒ.ÀW}JÑr aDE‘Zh‘PpQ90KѤ]¯ñ.NýM²M³ü–™¥-°¡|²x“Ê$KIÏzF4cáBsC”alD[m*;íå”ý+KmP”q™e²*.ûgœ2=­@ƒРí.Æ1ÐÒÑà~ã:ýú2-$¸“ Òâd „t…i ^c¾º ÕޟQ¸,lþls¼Iv;¼ûdíÁ¿¯MŽý«$Ýdù>vQÀxěò))ðÎ9«êÈ,_ž’Õ¶®bÿ‹?|ßëãþ`×Nep#†Rç#F"¥x¥l™£†µãÄ5‘&TÞ°sl‚ß(å;;à -`ŸTÍ/ÖÖS[s.½ Z㚆vÅ(ïB£ˆÒÒLó®ç]ƒªÌJ¶Ás¼KÖIy -’´ —ì“à - ¼šT£A èÑ!ŒâDÂíèñÑÚ ÷¬m±Ê“ƒ'‚óÑf H‘&”˨Ҙ5*DÒJ$ý¯ 2 ÈMFKږàË|»À›‡–é ~Æô¾\´}u¶Ò¥}¦.u’0h•˜¡B šÑ£'Ë©1N>¹Òð ùZ¨ òÕ¨jüåqZll•‰ƒ";æ+ÛO|€×zF‰5 E7ñED© -þõêÄ7b˅&;­&ˆG qÄ:æN¯ÆÏޗ;F<ÝSIKb8dµÉÀ¤KƒF¨b|†,—šË²Ô¨Ïa/ÂÉT¸h÷ÐçKP¤Ã) 8Ñ]E¾_¼9—µ$œ‰ ʘ̹`‹§(Sãglï˽š2’r(Ö¸š‚P”èˆ6”™)ªTä¦ &¦)Ó œ²ñ® ®É1²ƒÚ²ÝÅg:´M˜ GƒŸ±¹/÷úö\Ä´ïÕàTvmv‘¡Â.œY/5¨žk‹_J ¬.Ú¢ê (Сˆ+ÿ`½ÚÕà PdxÒ`¿bã,œŠLÇÖ©$RãgÌî˽ž%FÃÔ‰i÷7¨9EzÒ&×èRhPJÉεPœ«Q®Ç}’¹Ýä¶x -Êdï¾»9'ìãσͺÌO}lÝد&¤ÕPN›Ð lèÖ!^w¨hË"O[wÓ¡­kèSLB—,d¦£ØÅüŒŠ}¹Š9eF?)¨s¸›™§ã]£f4éK›æ Ý_Ìp¬…šàXª†÷ç ›<Ûëdã Ð°éÊö?…Àjøå¤: j@ŸnÑ ™I©°«ÐëÔM³f]Öݚ˜É²[@]N»†O–Ý?ゾÜя’ýo’Læ.[NÅ¢AÍ(җ6IGWïÑP̔amÔ8”ëñ“=A´rp@–Ÿ†Ê0¥åtï5h ÷nƉR0ÇvºòõŒ¸,Ã`½ ™™(àŒŒ¶ “e˜ÇÏØܗ;¶¡oòBj1íyAažêÚ"LH õ2›Yâ5¨jB<îÊ$ØÇE +¡9èÈå¢-w€5Ð}—°áP*wúz\ZqÉæRg‡‰H¨CÕ1tŠ5~Æä¾Ü«s‘€hÁß´ëkЌ=YM"ºp*ÐvdÚJ£óÞ=—DÂlN)]~wJã}²Bý9¬ãÒGî§l—¬’Áɀ‚lWSܪôû÷2¬öïáR‡,/ݎ¨TËò%ÃfX§Û<ËäÙbÃޖOÙºÀ FuÝÂJ¾LnÙ2ÝbÃj—Ø´ô($ÜäÉö©ômvt°¹ÛŸÅÆuc<+»Š6Ô©v_i½ízÞëö¥á*KÝ&éöˆ»ñ~«ôÓÔ¾,s³CHMóik—½ØûÈr“ÊzVu'$FmÈ,þsG%*8¸Ø fN·gÖ,`qç֛ãÏ_ŸíîtËCÞ@4ÝÞ_ԃÞh„åü㰁°ÚêJóª4^ï¬vñ±°¸ÿ’埊Ön¼»)â}ý6>áMì1n{ZÐpy@ž“ìèß<Û¼p›Óøä(䮎oïK¼V¬ò°-؟âmÍ­Ê jªŒïìÃי صOŠ¢ëõý±5fâôÔvö -r¬›Ì×¥•Åƒû¤áçlPŒûb¯爤<º bYa€kj_|ƒÓKðz„CK„<­ânüÏöþÜ ->ჟà9hƒ!UV˜l‡‚3[ûÆ6¢pw“ã‹V€ 5ˤ-Áw’Iwʦ‚! 
qΡMˆ@1mQâKP¬ˆ·þmâ•,’-F–.Ä»0‚IáSTRÖÃaµ;®ëóOgOÃØÁËãÇû÷~PùÐຠð‚®ý«‹AæpêÏ󧾏çw\úoêšÒ5uÄëÓOµP7®Z|s !°PÍ&L@5yþÖ=?°µduaô†„Ÿ§ÍüÈí*“oº;aóÞÆi’n7Ç>#UÝ ¬Ç*¸“íX#B¶üï“Mqx2m`>SQ?˜õƒ¦êzË"¡Úǝìbç¨zºézv(à…³5Rȧ"ÆÇóÄ^å‚F›cbÊñÍ6c‘á’’¦ŸÝ'²AÝqkG«Ê…Â@ ïŽû–aÎçZLÊNÙß(t¤£½4¯ù ÅÒ~ŽÍ lÇÁÍÍàpà ¶ÅøèsÁ¿ÚÉÄý"ÃBje¯×Þ®‰ï#ÍJÏ'.`^‹x—Oø£}Ž;†¦ÈÄ'Žúú”½t²G+Óú$\r.âwYö©øÆ8Ôݲ·^¸¹Ž\¾¹ B¨¡«ü·ÿà d–ÞaBrwçtãž\2/O{~ºug$!ÿ@c1vÂUÀÜ-¿dÀŸwÒ?>ýz>,5Æð‘õ wi@ˆWªZ\ðþL¶¯úÿࠎendstream -endobj -1086 0 obj << -/Type /Page -/Contents 1087 0 R -/Resources 1085 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1084 0 R -/Annots [ 1089 0 R 1090 0 R 1091 0 R 1092 0 R 1093 0 R 1094 0 R 1095 0 R 1096 0 R 1097 0 R 1098 0 R 1099 0 R 1100 0 R ] ->> endobj -1089 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [352.879 681.7691 426.5323 693.8287] -/Subtype /Link -/A << /S /GoTo /D (tuning) >> ->> endobj -1090 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [307.1508 650.7179 375.8228 662.7776] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -1091 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [334.8268 619.6668 403.4988 631.7264] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -1092 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [337.0185 588.6156 405.6905 600.6752] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -1093 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [364.6945 557.5644 433.3665 569.6241] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -1094 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [374.6372 526.5133 443.3092 538.5729] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -1095 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [292.0276 495.4621 360.6996 507.5217] -/Subtype /Link -/A << /S /GoTo /D (zone_transfers) >> ->> endobj -1096 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [319.7036 464.4109 388.3756 476.4706] -/Subtype /Link -/A << /S 
/GoTo /D (zone_transfers) >> ->> endobj -1097 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [460.1655 433.3598 533.2211 445.4194] -/Subtype /Link -/A << /S /GoTo /D (tuning) >> ->> endobj -1098 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [362.144 402.3086 430.816 414.3682] -/Subtype /Link -/A << /S /GoTo /D (boolean_options) >> ->> endobj -1099 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [293.1435 371.2574 354.3435 383.3171] -/Subtype /Link -/A << /S /GoTo /D (options) >> ->> endobj -1100 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [288.6803 340.2063 357.3523 352.2659] -/Subtype /Link -/A << /S /GoTo /D (boolean_options) >> ->> endobj -1088 0 obj << -/D [1086 0 R /XYZ 56.6929 794.5015 null] ->> endobj -458 0 obj << -/D [1086 0 R /XYZ 56.6929 323.2894 null] ->> endobj -774 0 obj << -/D [1086 0 R /XYZ 56.6929 296.7987 null] ->> endobj -1085 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1103 0 obj << -/Length 3157 -/Filter /FlateDecode ->> -stream -xÚÅÙr#·ñ]_ÁG*%ŽqÎá·õZ»V’Ò&]‰¯‡á'&9\ÎpåÍקݘƒ.×^W¥T¥ÐhôI9ð''©„ÎÌ$ÉLd…´“bs%&Ï0ööJ2Î, ÍúXß̯¾z«Ie±Š'ó§­4i*'óåOÓ×ß½úÇüöáz¦¬˜ÆÑõÌÆbúÍÝý·ÉèóúÝý›»·ß?¼ºNÌt~÷îžÀ·onnï_ß^Ϥ6VÍ$~|wKHoîþ~{ýËü¯W·óvËýcI¡q¿ï¯~úEL–pº¿^‰Hg©¼@GD2ËÔdse¬Ž¬Ñ:@ÖWWÿl öFýÔ16YF6UÉŸŒã“Í¢X+íùt›+8OO÷×éô°vÔyÞçÛ¦¦vµÇo2]ºmé¶Û—ʵ{v5ðEÛtún[ðԜ>W×ù³£©«œçՇ¢€§Ãzý‘ñò¦X¹å`.oåz‰˜6+¦\íÜ>oÊjKDËÙ<˜IeÖ* r³qË2oœ_ Íè(~4¥³ÐŸeIí|ˍmEߧÃÖÜÓ ÞK͸ûk™NuÜoù¦Üº%°À¨xúŠ ¡SÖD¥;%_VnK-:4êòy +Žœ‡f"“0¾I§% )›þYåÖËk‘¶ùÆBH;ž´ãi @àrKÀ¼(*ÜeN— c/e³¡Ò|Ü )ñVµƒ3Ñ㤹ð†x´ºZ1gX½sEé©/ à·yŒL-ÞDÔ®D™V©_{>Ƭρ´·³,'¤Ža^Ž’S÷¥\/ ’eÇ{|RLï«ý&Gy—RNoh^³*™t9¼•Á"OGCóÇ»·Ãõð³°BÀ?9&=¿:8ŸÙôP#ß°ÕT´-9† }´[Âá6 úûƒ«”oáy±Å±œ>ó¿Ýþ@-÷[±Ê·Ï<Õ¿v\bá®åÔO‚ÎÑà[Ðí’L¶^ñ+[òF#67g…IÑ»Pì!óðÛȚ>Yž^óØs;Ç߶òúˆÜ…Õˆñ¦=6ŽULêX0· ƒ÷gyŽŽ\cà/܄ÊÂM(©ýLÀÿêM’ô4}&ÁZT¼F ;õˆ“` iˈÝÊÃ7 u€‰:  À¢X+9-B*yN}XüÇ Äóã÷ÛûG=&¥áœ»|[ƒ†§›žI'Ñ*r£FB± -†AöM—Bªkjå»Yå/•gmë¦ÜlfNI†ÌX¯N9 -›‹2¥“Ë,µ"2*•',õ+× m¸¨¶Mîn“>­MTÓ÷Ø.€åt 
NëÁвÚàDÏ›H[™ßiž3šïôd2‹dœd¼ßV™LK©Oú–Ì;4 }>äkÐ_Û_-•‘ÖFõVYI¯Ñ{"¤›2&ÊR䄬ãÊñ¦un¡ºD*¬Å¹{*I”*‘´”üAÙ¾‘Tp-: ¨µ[?],)f€‘Ÿ•2¯îÀ„ N†dA:².3ž‰ö|ØæßPïeUúêN†Ò„÷•Á=¸˜•ÝSo1jÆÙîcR9¢œì}Õ¸¹ÎNzSHäÓüœ o·Ù5ÃÄö&_r>Û¿‹/k×0ŒdRÎ7‡ŠCÍëº*J¨|ž=”ò.ÍÞ¦Ô] ÔVlLW±QêÀÖâ× ÓO!àrTóiY7mx?Ü`WrˆøÑ)°Üàðƒ.ƒW+W±¦X"$ð›„Ó½ÝóõÃríº©û~*¸°q"³05’<¹“ā‡üàêê°/\èÁ—u— ò N÷Rß×<¬ÕfDq`âÇD™‘¦çWj›ÛòS4a¤ñtM<~vôv³é¢Ú{Hõ⣛NŸ¨¿¡ñ‡7¯ Q a"KWûrA–kˆ .ex¾TA`N]:8R.û¡wAˆ/éáÁWGhâxA -•h4_¶h½ÌG{Y@XÉc˜ÎÇzøÀ¥/‹!”v v‡Åû>ŠÁ¿cøґ¡Ž¬ ²ƒ§¸ÇÀá[÷B$x©UþÉ/\Ø9 ¬^F^n{ßåf·v·mÎ–Ë „ŒZ²ÐÕ7½)ª«0–[v²> "*¹ðî嵕ØqѼ(l¯P뤭Á6»j"é󠦱œQª¥óµ*Íeí¤9‚zí+?@Ðߑ*h R-·OXÀ ò®TP«8èÕ?6Œú*}ÑØýÌWìõÒâРʑ[«LÝâìO÷4"öI#úúìò}S|“¾âpÙ¸Šj³«ê@ ¬_;˜É)‰Bˆpr>îó+Ã*9ÚbaÆ ²W*ô5¼†á<¾­€eH™`¡Dv‘\(¶è ®î˜_nÿ!Ô \ê ’‚š -F÷õ …sÃë¬ -û÷ÿ‘ Cv¢.\Ž åRð Ðw é€j0½–Ô՞MGof¯ôPÏ+Å æaWXób-&þ"a‡?œ9IÐûg­yçöõÅÇ»w.ß/™ØIíE(ºïË að÷¾ZŒ·ñèÜqœAÄ5[H%¢D_Q Áýó„}w:àÏúNýéSºxÞGW4m2)Žþ“ØEjpٕìéıo±.ìÄÀ ¦åp'ltËj &^ØÏeE‹i'tϲÂïɊ$ÒO|’-օœRkë\p¥"p?Óa¨0ïRÚ ¡¶§Ií¼ïï5Ù–ž_Æfìë³Uµ4‰b™Æ<¬ìø¡"ƒ¯Lm<Æ3Ѻw_ü{°î7q؛¦ê̋(ˆÒò†ùDöÛŽ1Voëÿißendstream -endobj -1102 0 obj << -/Type /Page -/Contents 1103 0 R -/Resources 1101 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1084 0 R -/Annots [ 1109 0 R 1110 0 R ] ->> endobj -1109 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [341.1654 116.9088 414.8187 128.9684] -/Subtype /Link -/A << /S /GoTo /D (the_sortlist_statement) >> ->> endobj -1110 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [434.6742 116.9088 508.3275 128.9684] -/Subtype /Link -/A << /S /GoTo /D (rrset_ordering) >> ->> endobj -1104 0 obj << -/D [1102 0 R /XYZ 85.0394 794.5015 null] ->> endobj -1105 0 obj << -/D [1102 0 R /XYZ 85.0394 626.5613 null] ->> endobj -1106 0 obj << -/D [1102 0 R /XYZ 85.0394 614.6062 null] ->> endobj -462 0 obj << -/D [1102 0 R /XYZ 85.0394 327.2191 null] ->> endobj -1107 0 obj << -/D [1102 0 R /XYZ 85.0394 295.1135 null] ->> endobj -466 0 obj << -/D [1102 0 R /XYZ 85.0394 295.1135 null] ->> endobj -643 0 obj << -/D [1102 0 R /XYZ 85.0394 265.2577 null] ->> endobj -470 0 obj << -/D [1102 
0 R /XYZ 85.0394 208.5998 null] ->> endobj -1108 0 obj << -/D [1102 0 R /XYZ 85.0394 186.2886 null] ->> endobj -1111 0 obj << -/D [1102 0 R /XYZ 85.0394 99.9723 null] ->> endobj -1112 0 obj << -/D [1102 0 R /XYZ 85.0394 88.0171 null] ->> endobj -1101 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F77 703 0 R /F57 624 0 R /F42 597 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1115 0 obj << -/Length 3081 -/Filter /FlateDecode ->> -stream -xÚÍ[_sÛ6÷§Ð#=S±øðÞ\ÇNݦŽOVgr×öé˜Yԉ´Ü§¿],HQ¶I&µ2çvZ v»¿]À|Âà_>Ñ&6‰H&6Q±f\O·lòúÞð0fÚ švGý4?øñԈI'F˜Éüº3—‹™s|2ÏþˆL,ãC˜Eÿ~~r8šE§gï Æ¥Ò":þùèb~2£†þtvþ†( ÇïÏOÏÞþ>;:´*šŸ½?'òìäôdvr~|rø×ü—ƒ“y»äî¶8“¸Þÿüñ›d°»_X,§'Ð`1O1¹=PZÆZIÙP–—ÿl'ìôúOŸc“b<æBËÉTªØÁïÍÏJåbËlÏϲɔó8Ñz`.úŽÁ\¡Ú|±;Ք³$æð?£²±±–·bT²#FÎu¬œXÍca¤õb,Vù†˜¾Jos¨¹ÄFõMN´¬¼M‹ÕN?Ônàî¢ÐlGς¸‹ŠÊëòn•Åe¨´O`!å¾ŒÈl ª9™ -'ƒŠñdÊæ‹~®ÂkŒáªLp Úsµþ²–et”÷¤PQ¾Z”YžaCGÜñª¨©rŸ.ïrê«oÒ@¬Öù¢ø“1‘WDðŒöcüüH*¯u‘`¦Èô‰“Ä­V×pmUyçÇ,‚ÐèƒEéË!iuØð2Ön¥ -à³ß0eóE¯´ŒÕq¢ÌØ€~ƒ82Ÿ¿aé$h2,-ª‹[_K¢º$ʲ¸}žåØÓ žÍbªÌoPó±ÏKm™™ˆ.J©O -j’ð±Uçñb/œ¶^ÑÝ­Š–´~XV ¹UVý-Å@Ù2"aØzSܦ›bù…šwU\ -I¿*—÷ù&|§›ÖÐ)²ø°_üÈðh‘.ü‘‡êlVá敀Í’g'V²¼ZlŠ+Ô^lޔXaѲ\}$RÚLÒÌ»¢ÊU¾»Ú¾ÿٌ´ö*¿.»6y‰euSÞ-Û1ÁˆÕ"%õμ«9/ÓÆïjŽŒ1“zÄccm-™£Å2­@F*EöHʎ=’ŠìI%¡ÒØ#‰–åUS£ÈòU½µI02¥bíù[Öå¢\ÒÐëôõ®W™ËàvŠUU§«Æy½†2¥¢;í€ä:,ٗi¢j¯’q„‘œ’1H˜4{CÈÿwt8U‰ ¦^1Ӟݭ=WLGYZ§p$­ut$‘gåEˆ_!‡±¬o: ­†ïòîk2ÍШ x“ۍeðø^Óà#NcãÁÂëpe_Âۂ¹¿Ó^î¸(î”ÈÆÌî¢Ê'èRXr—ÀWÃXl”ëяúj'bp_†\W½®Ëå²|(¼aÅãl#0ýÇS»Æá’¬¼*Úù1à°܄QÍ¡«Pd Ô«þñX¤­¦k4>fú? 
€}—ã«ñ`*!†¯Ö0dˆ|ƒk¬2ÞF‚‡¼)+4£ -Œf–…ËÞS;­h  -rvN¢À½KƒGÖC  RIÖ -)¦dº¡ëìâ™ßÀókÕ3ç÷MðÑYcŒƒxO©Ñýg·Ë’}Ýrì1.ҒÇƍÅEv*lˆ‹Žà0Š#CïM8U;b“œ³Ï93À¾ÎºöÁ&œÑú¦l¾èeŸJ`Zƒaöd%ÐpÌPý~æñ—½ÛHW]ÈÆ[÷Ÿnê"]>™€yçÍÝ5v¡«ù¼u?‡qºUÿ (VYb º(ñjA¨_7Ç*üb­üJ˜ºÖVSË Ý vV\=ö>ƒ´ õäÝÝ+‰IPñL‚2„×>l8ù¼Îë:K—ÔÕM]„¯I7¡"ð£W7»B™"}WL¥,ðó£ ÿÅJKRÍÓË7?ÁÑ#‘EJBN“›sG‘ÑUZåD®ò IÀ]Åíc†#iËðe{l 8Àª~!tv÷Ší«Ÿ—豘[Lµ‰`_/ HÔ`k¶£ýDYU îc=ïØ`SúÌ°äbˆËåïË ‡ìž‚ɃÚ0—5µ ßñÉì"ú¹eVíÄWYñ±¨»È7ÛÁ¡ÈG0»a®ÐÒ 0·³êWœäSBÅ,a#>NÉ$6R!9>?ú큙JÅÅéCRÔ&h¶ËU±ðL†fÈ¢B͛éÍ:´\§Þ5&f‡í6!¶C‰ -Ýk[†¡Zwƒ¯8}'­‰…IƔJ+‚ bÐNE³|½L^˜Å%õR€z›È†zÔ¶֌E}C5Z}ãSã;_0èúe™ð*å'ŸYIdt·þÁûš(÷åAÆ}Žù8éEîƒ6ßZÑ7¨J-ÄzuwUS;§\$.ží^™lVÎ0›œú$ 7iØÃlB†¦a¬gÙ ÜÉ SZQýBHG ažò™´]=¶×áàPSe H cE¿rwµf_©»ï`ÁÁTDVvX¹%DÏ ãddÞ^¼0¢àµËîuÀC?.˫ƈ¯Ëª@Hì÷åÝã¦Ê³6uú…Êwï8ÚYê+6ÛR±X15’R“:dv‘£?ŸŸ¾GÀæÄc³-œBDÇ¿S…‚¨  pHH¢Ås‡Pñ½ÇÞ»ê =^¡ì±ßü+ìww§ûÍqîW ÜÄ*Q#PPʐ°Å}Ÿ]¾9,Èts`… / sn< ¤áFtcŽŽS$Oâ $í–w7ùŠóÍ"嘹a>ÿJ€ñד!,Q×á~ÅK€ÑE뻫e± ú'•´ªÊE 1£vð¢ÚÑW_RÝQL÷G,B‘î~_ñÆÅÆÊ›%œŠ¦áׇSÃ!Xzd° Ù(HPÉ?/À£ûëDl^—¡B¹C¬‘0Œh…¡vñ¦Í%ä³fj+ !ـ0:»ÜoèºW—,´‰-¸‚aø ¦È^ß„3¢Í5wXxXÚÜûۋËÄ\—_'´¦á‚ËnX/‡;KÅÙC!Xì´±B—Aªçðo î:áüÉu#§ëFÀ]R­Ñwjy‰`…ònR0ûdCó5]wòæºS4)‡kÊìMû•?÷•˜‹onHõ™¼eùàoð Ý¢!ù*¯ë|Cù;¤Ó  …ØGÑBnLm |Þ3€ºÅ}Ĭ5\øJuK¬úá›ý]!î+ø=N3ø2—X=¢k\@©H¢çGó^vÊî §ô®¾#]i@5¾ÑØà-ì7äE®§<àjg¹ûM<í5½ÇðYŒ9,Æb-bêåÑðÔ:Ó$šVyýPn>s™oî‹æÆ?],¶©?äs‡³O¬¦e·+Ýeï7„Ù+JãVq@ܹX[éw ˜&Çd’V]ÓÚ¿RBR“gòÜÞÝ{D`Yƒ’í×­‰”0çNæ‰õ ±‹†mGgƒûM<™}&žÞâ#JÎ!,6FX>ÿ0÷@@†Pû·\TȺ<9¦:^&i–à[-zªáó?4:+0ÙJýôòOûeUIcçÐVxÄ© 8%±«s"%¥“»)ÑD;Šû·g›{L =+Ã,eM•üsQՏç{Æ%ý·\ù{.Cá2V¶{ÃÖ½j„>ö’ž@Õ¶¯<½ý|ºŸšJ¿¨és™¯ƒ5Ðö+|ápLÑU‹ý> -Û¯a&‰º9„­N 2"Þëi#Šu4>ŽPIIe›EӀ·±Dö È-xÙ¦WqX_,¥A £Ž|Ú¯À/yƒÐÙú+ú¬…Ù†ø5‘‚ÞŽ\`ȺÙ<»,Œ^ÒY€}ë5hzhÌ|Ès…éÏ€ê„ -¥¯€ò!VŒÚnâ¤íŽn²$-¿bÁh ¬gcoò’˜ âß /áÃ;|VG*Å¢¦„ø­*W5£×@(®|^]5>X5)\Å:>˜5wËçåÙûÏÞã3˜Ëêìÿe,íŠ-Dý°R3eåsKÁ&£øôkÿrcû×+`p¥ë áÃó:‰ñÌþxE=ùÃÎb!h‡uÿ?³Y¦tendstream -endobj -1114 0 obj << -/Type /Page -/Contents 1115 0 R -/Resources 1113 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1084 0 R ->> endobj -1116 0 obj << -/D [1114 0 R /XYZ 56.6929 794.5015 null] ->> endobj -1117 0 obj << -/D [1114 0 R /XYZ 56.6929 
579.9063 null] ->> endobj -1118 0 obj << -/D [1114 0 R /XYZ 56.6929 567.9511 null] ->> endobj -1113 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1121 0 obj << -/Length 3408 -/Filter /FlateDecode ->> -stream -xÚÍZYsã6~÷¯Ð[èªCÝ§ÉŒqOÖÖnR›ä"a‰ŠTDÊç×o7ºAQ2eÍî8µ)W™@ãjöù5(1 àOLí* 'qú:z’¯Î‚Éƾ>ÕQà}uuý–()=Þ¼¿¾¼úúŸ7¯ÏãЛ]½¿&òÍÅåÅÍÅõ›‹ó©P¡–°â-þýþú‚&]^}wqþë웳‹YÏòðµD ßßÏ~þ5˜ðvߜ¾J=y€Nà‹4•“ÕY¨•¯C¥¥:»=ûG¿á`Ô.S_H­&ÓHú*Ù=–ŽàXn*í'‘Ö§Â[Ç~¨c½’¾PZõ¢Õ@ô"T~¢”žÄ:õ#%••ý͹Š½Ù9°“Þæ\$^³íÌ´[r{± F‰7/뢬Ô¹k6ÔX6m×b3õºå¹ð²Ž:ECãuÓñÄìÞP«[šrC³š‡•2‰C?Õ_E`CZƊÒr`rØ!T©÷P†Z dÐ ¯6ÝC³ùÀCEAƒmkZ°‚$Ž½‹k³)W¦î²Ê’ﭙڃƒý#Û|SÎMA&SÖl_—o¨!D†u`D!XQŒjÊþóô©ÂÄWà“©T~ú¬e>ÙÒ­8n"AâK©OYìo•X©Ü^} ©÷K ƒ_¤ ÛrQgݖ$`BAìå ˆ¹¬[ì%^‘uµ²-è½îÊ<ëPÀHBã¨Ñšœ÷¡®(MýDG!©ëýkPW¨´ÿ%¤A5‰ZƑ×vÙ¦#ZsG¤Œ4µ9Õ5›²{<Bx }•D{҇9VúðDéèŽÂ<¼ê3¾ë˪$|Q•Dá©ÅÚOÈ^üöæ\kï_˜”¢dás•ueBS èl!›‘÷`ªŠˆjŒŽ–ØG8¤·fs_æ¨PB$—YWR:ΏßÞ¢—~ªóĉ|FU¼”ªœ¡|ú–î펫 -6ÃTžR•–4»ÙO3T“^g>v$ ÎC}˜V”8-ÂÖ>àíóÞ÷ϵv `NÁæ'D€æ‚ÈYˆPÆjßÒµRÎÒ±ù°,ó%7­Ñc‹›½ÑcÇý«ãöÝnq;|ÖÒóöûÙçB¦Þ+êwˌšÑ£hV™S[»]¯›Mç”û®l;ˆy9"†£*È毜C‚Àpw*åG"òE(üIjLù:fÛ_3¨B EÚ ehD(µ÷“Ó‘²Ãb@~‚ÅTx€ÅŽgyó9PløÆ/¥˜¤?U#àš8ˆj„ÿm•cDD©¯”Ä~ï×Oj D~"Óx2Õ±ò…Gtï - ­µ/ES´d|×TUó€äü奎+#¨˜Ò$„ãpI^e¨bš·w‚L}©€šgEOۆÀ^nF£,{*ãAÛtHݺ«‰tŸU偑tî*þíÐFz·Ð±´Žÿ_T/˜ñ´L ” NùºV’˜ÀÉÔёÒÑNóWug6àÊÇ=lxÎKe¯0£ þøçVG˜¾ŒÓSÙK‹Ô•Hù."_š(¼”x R€ì¡……Ça$½ï^_cCy›®É›Š(9—¥¶ÀA¦\óýՌh¢ø´&ŠUYLGA‘ƁMH°Ç {‚5ü(ö¶­ ŽÐâZ<öJªÄcoÙ'/꯷›uÓLƒ±ôæێȴáþF{E1ÙÞÃ|aá&®-«nZZ\JYÙlhäÔJ[G@¾ž†òŒ¿ð_q‰‡áA@xŠSG`³ÖS^˜öƒ{2Ákˆ±@ÃЇ6:n¸C‹ø<+Û®+ã_ð"' C?'‹Œ0ÉA’y¨ ’xì½3 ŵ„^f ³d_?H`HEÂܛªYS5—xóGz‚á~ÑRó2÷ßð:æ¨Á¾Æ?ÃË7™xWXÒH° ´©Øb‘Ò5Di—}x·÷LHöhÇî³MÙly§ö±ŽYjgVœ6ðÞažµÖ Ý‚CàfãF|Õµv„õ¦ÄèrPͦmèÉ&:n`ͽÔ5Ð_{H “Ÿ†=B”q¢Òç±pã';à¡d€·‚6ª@³ÎVL$+‚Á»ÎÔLZ­«2/1@+•x› ¬×ÔçIhRöÚ;ŽˆÚ]l0s•Õc‰Ä7úÅH´¤DÛs7uVÙ ƒÈµ:rCólDê2k—DiaBâmswéÖöðú%/œ¼ÎróSÅ& Ä|I̼¹áMà­aË;êÔMaÁ:Ø°ÕȈ›X:Ñ}p(`/|J+ʖH;äbxõц˜½4Y£tkËp¨Rr{6ûŽîq—¸¼ä“ò¦n!ã*¤> &dXV{n/²GS0®dóʌ)‘ì™»yKßðßkæg¯¨ÄWëÚ Zã ¬C¿ýØ8 ž’*F1Wù={±Ÿ¢Kíü¸Y™Œ4¡øÒ‰dÂ@éÅÞVu¬;áÕÏ.W<½*WeGDÊä`…͏5t -e¤ Þ±Ÿg¿‚L8:w“tïX•KVƒðÖ †&ÇûdEF»¤¡e dƒ]΍ô–²ªÐ‡[¼v·ÌÕr’†»=²â¸„A«RŽ¸tï j=`¬äÜ»ÛF9¹ 
º(k@³­eMz?.ËqGiAøè‰@®[jY“ÀÆÜГfBjÃ'2¼*ÿ0nAŽò³¸%u‹»M 5…/Ë9¡ß'ûp`¬)(»ÒðLë‘ðtõΘ®ÍÆ¢’:g”Òn Ó2,!淪iyšP˓—ͶbÔ3çaB7Ò%éqÅK¹Kr’ ‰Gޅô8\‘’à=vðœÅ\‘wÅk3z@´¯£*#‡•)s…òîÀ`×X¼`n wXʖ'‹H¦Å6'd—"p"^Syƒm˜™Á`:°ì•uÊóG"Û goRåØ«Ø}_`5D¢î^Àf­»OšgùžÆ®t‘•ms].lŸ\†ìÇp:üx|–QÀ.…-›z#—°—TˆÔÂ&qÎÀy6WG°g›MI…cڈ®5q¬YÍÑqyÑï‚ÔÍ#Ó¡`ÝšwêoDa"‰Öó‰þ¢`xj§\Úplü};¸µÙöšpp?"®BÝØÞ×NCÈÎ!ûã÷=>—†Ã_óJù È\ð×—çSH¿i™ÝÖËÞzcږ„7HÛ¨‚§u'l.ɊHÓÇt«§TD'w¨öíSJM8¡WL*&L%:kI]åLÇ'X¾R¹…קùÛ ôåÀÁžTìóµm·ŒE3iÙñºe¹XÒ]Dꁻj,¨ÃüCn| ^GP¨ ~ÉôŒŒYã ¿Q°?ৃIŽ€ŸØ ‘‚6-a_J2ç_#°îËâðPºDŽíšð՘}cô xw•á&D©*ÛPǯ þKmH³`ž« ¢ÏGàeùÂÎCÆ Ì6‡ë†¹ ?J`yp‡2Kø¡´Ä»Ù¤O0@ïQdåC ÊvLTkcؔÚ[5˜Ñ$M,ҁ¥Àϯ©iýBîp¢HeˆT•µÃÐHˆŒ~;ÈkYo]H‚e8µ¥æà P[®7¯øØmK2wõ‹‰¶}.âªþë64)ö)g&ʞŒ-é-,¶£\{Ž®´Å 6®x$£}܎ -òâÂþôÛe·LƒÁ*«? x@9œŽœ\ò€ø¶ˆFÇ c㪅ƒ ؒ/ Bë®ByR°·ßÓÕ -E9þ@ürKM§«ÃÈÎ¥8çØj[¸ NX_ádE6/«Ýïö4Gµÿå.½¢o“‘Cƒ„Nq,ÅÏãD¯J‹À†S¥¼b•‘8ßÆ=¤Ùz’÷¼;XIE>4Þì&õ q3jm[s°pU›US—ù¨ý¾îsô¼¹·Î¹h9}ZÏ8÷Ú -2Ôñ]ÓË}ˆˆ7lqm‡ï - -˜÷wÁÄNoˆœÝ7¥ã -Âb‹ªÙÃ'àl-Ch4Qõ·»ßw†±¯’äȏ*úë?fÊ".}ȹV‰¯°þœ|Sendstream -endobj -1120 0 obj << -/Type /Page -/Contents 1121 0 R -/Resources 1119 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1084 0 R ->> endobj -1122 0 obj << -/D [1120 0 R /XYZ 85.0394 794.5015 null] ->> endobj -1123 0 obj << -/D [1120 0 R /XYZ 85.0394 552.4093 null] ->> endobj -1124 0 obj << -/D [1120 0 R /XYZ 85.0394 540.4542 null] ->> endobj -474 0 obj << -/D [1120 0 R /XYZ 85.0394 225.1659 null] ->> endobj -1125 0 obj << -/D [1120 0 R /XYZ 85.0394 200.3885 null] ->> endobj -1119 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F42 597 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1128 0 obj << -/Length 2798 -/Filter /FlateDecode ->> -stream -xÚÍZ[sÛ¶~÷¯Ð£<ãà~雛8­:“ã¸g2§éMÑ6§©CRqüï»À%Q¶“8s2ž1@\‹o‹€Ø„›(M´ãnbœ$Š25ɗGtru¿±Øæ$5:¶úùòè_¯5Ÿ8â4דËë,K¨µlr9ÿsª‰ Ç Nÿûöüìø„+:}=ûrLHŧ/=}wyv:6ýyvþ -K&/ߞ¿žýòÇÅ鱑ÓËÙÛs,¾8{}vqvþòìø¯ËߎÎ.{•‡ÓbTx}ÿwôç_t2‡ÙývD‰pVMîàƒæŸ,¤DI!RÉâèýÑ¿{ƒÚÐu&F É>NRŒá¤т‹€ÓåmsÒrÚ3;-Úz2y,g]†¹ºÁôâ‚áÿbQ[ä]YW±Ý5¦]|qi†#àÇMù©ˆÖmYÝ`ö諭[ó›â€¨î~UæÙb¨ð*ê]T]”‹,'Œ§s¼ºƒÝPdü´HßÔ'¸ 
M_§¦Åçl¹Z/ðë.ö[–7·fÛÛúnGêÅE‹™â1Úr"(—m€µfÀo Zç1â–8*ñÃÈ Æü=Ekb4ՏyŠA¤ÁX؃ƒê Ò` ”$–*ù˜w( ƒ [kㆦCT8 ÂÍaTãýÀkFrb‡…*1ͪXµÍµ|QϵüÇÝm™ßb6¯«¶l»(Ê3'Ÿf(iü¼*;ÌTëåUÑ`þº^,ê;ÏVB“ûAOàõ2+ãhU¶,È¿ºL(›Ï#kwѺ-¶XPÛeÕa¤I³wd{[f‘tuu$X5нbá<¤a’H¼º¢©ŠnOîó3qe»Eý64/–·åç~V‰–ÝmÔì®Þ™rÒ¹ÈòØ&ðÙ@Q“DF#Æ>ï1nG™éûrY.²fq˜‘Å›„#‘BN”D*mŸ¶ÀÜW-0÷0™ä‚8F¿$pb±3ҜÂÁGI}0ö+B©Sŵ?¢¯~ø@~ùž¼™]ö\qםg硔1„‚ã°V¡ŒùÂÿI¹# ÄVˆ”û¶ùzdŸw£è”SŽ‰Çâ̌Á}âå¯p†¦Æ¨Ÿö`êÉ%§Qø­;‡ûòãù›GìWìÒ0˜|dçðÇf™zb„êƒÐ Ø›0ê­²kb–0YØ~K1+ˆ¶šÇæ/E¸’çåµ×âº@eª¨òEƒ0HßÄCµ"–9o_øûL—9Ü{¸×«²Í×m‹÷ ƒ!ývâo‘×ͼÑÝÇ IœdxF8õ{¥æÓyÑæMy6@ {ïUýÉû…ÛDf_Þͧ¢‰}Ú®N·¾®¬p“ê³Ø.ëû–E, -[3”íß·øZ,ÍQú¼ z°ð°7îü#Á+îŒÞè‚;@²Êš®Ì×°}Äï²< ðAº5…Ðõª^{{ š¤¤;Èö[äý–…¹TÑHI‚Ȩĺ]g Ø·ÄMï1BM¯P4t®c&[Üe÷0ß­)áUž‘‰émÝv0ƒ0#‰< -ÊÛÒ¯…Ö3ˆE ‹=UðÝmYýE<Ɠ@1å?½žþ;Kiìx¿ ->%«¬l°EˆpäÃmjÞû -Ô"$>ˆæ (›FIHp”ë¡ùŧ,¬.àÖKšT@ çXØ»_üŽ4Ä×ÔÁƒPzk†ë2)Ât°fÛÔPX¤·ÅbÅÜ·]±l£ -ð¨eYÅîw·Eê3™ÄE¼UMÑj8©Qê˜0øÀŽócam(‚+“@.˜W  -êV̋øis_Á^`œ…¿åU"zŽo.7}®]‰Š¼üH)O#cú‘Rómõb£¤%&«¦¬›²‹ƒ{aíL½ÃH©uØ>Q;(Ȓz8Ïë»Ô0*ø<|¢LÝ (̳x|ÛÛf˜{Õsïӆ%7ŽâÏ°ÈF&’\Ø©°iÁÌ'@¦³\\ܗ :Î)Cÿ½¹†¼G…æ­_>+dŒa6Æ_lPÆî9Ä IvÚÚõ2†™­ñ-D™(8Åð0vSLúèæ6ȏ£^cÛÇðU]ÍËêÆëëxœ†•SÝ·ë@9hÕtø™ÝàVhýÊ]Ä6×æà–åÇ~uL“Ȫøe,P‘›ø|U¯tœ¿dtú®w!ßíÔbóy=jÊŽ!¨áY”sN|EÙU[/Ö]_Ë"«ðÞÚ|äÜ`1hšš÷@Aƒ¸Õuµˆ ˆþ`› ÷­@^ƒÙ°¿÷¢AÂWâ ?˜ÚÅå56ɸØ8‹M ιJ¦è­úW -Ÿ +EÅ·ŸYžbb(­1Mkn»aX{*Ûç®Ò°¸1–Gf]äizÀ]„“„ú;<$^Ëuۍ0 7À×ulï`˜ qŸ°„úSà¶K·m—Y—,N‡a{î|Y4´;?}s¶çÑy<#]ÚçcA^{AøÒ¢qýéÍúƒ,Ã/'»ó5OHH…ôª[Ÿ6INRLÛýøѪ>ƒið«½Æqðøòt¨ÕP ¼þ»h0P7þÚ&aؑh—?PMï>-oªzãyVÁ^œ…ÈLÓc“u)º8:"dË­°C‰‹ýÝÄSŸ_ ö¾ E{¥ÑÂü݈S@Ùªö7-›qF–ÜÕýÎSY°ÒÞK†s©±vÂÂÕº'½ŸrG”aæËuã½¾ÇÓWšÓ ³p¨³ÂŒŸµ µ•ôS÷×Ïgã9äõ2<~皝{ÖI]¼>¤6<ù Ùê²{ -wp - ‡š|Ûä<ŒÌþìx,$1ܪwØòVI8ÁZ"X\O»è¸„Žèð'ÀÃÜd8òóâÞ͉1B>††Ó³rî>|ˆñÔc½"usó:ƒq`ïQ”Xfù#«MI"©Äiýyß,9®àmð©pùÇC4ü†HXbµx!ɉ”N÷í¬!ØÝ€ˆ†h3øs!ôô‹Àï±gøg©Tþ‹` O¹ v„I¦¾tŠ¼nô7*?Ñ«7H8œø8g‰,@y ög?üÄ |÷šP1¨–‰~*ìLôgWª#ÔèLþˆPÿÀi¹M,Øß7¦âgQÅ ö§aWô"žE"ûòg[ð:Æ·ÙI¯«¢Œç­Çš:½]µë> endobj -1129 0 obj << -/D [1127 0 R /XYZ 56.6929 794.5015 null] ->> endobj -1130 0 obj << -/D [1127 0 R /XYZ 56.6929 726.9349 null] ->> endobj -1131 0 obj << -/D [1127 0 R /XYZ 56.6929 714.9798 null] ->> endobj -1132 0 obj << -/D 
[1127 0 R /XYZ 56.6929 546.8104 null] ->> endobj -1133 0 obj << -/D [1127 0 R /XYZ 56.6929 534.8553 null] ->> endobj -478 0 obj << -/D [1127 0 R /XYZ 56.6929 435.1867 null] ->> endobj -1134 0 obj << -/D [1127 0 R /XYZ 56.6929 410.8471 null] ->> endobj -1135 0 obj << -/D [1127 0 R /XYZ 56.6929 210.9925 null] ->> endobj -1136 0 obj << -/D [1127 0 R /XYZ 56.6929 199.0374 null] ->> endobj -1126 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1139 0 obj << -/Length 2707 -/Filter /FlateDecode ->> -stream -xÚÍY_sÛ6÷§ÐÃ=P3! - ö-Mìœ:­SÔ¹›æò@‹°ÅŠTD*Žûéo P¤LÅé%7½ñŒ- `±~ Š‡?1ӊq™Å³4‹™âBÍÖÛ >»‡±7Âñ„ž)rý´ºøá*‰f˒(™­î²4ãZ‹Ùªx¼úûË·«Ëå<Œ6UƒŸׯ‰’Qóêæújñæ·åËy«ÅÍ5‘——W—ËËëW—óPÈXE @:¿ß\_ÓÕâ—Ëù‡ÕÏ—«~ËÃc .q¿/Þà³N÷óg2Ójö?8YͶ±’LÅRzJuñîâ½ÀÁ¨:¥&%5S:J'ôG3!X¦T4R”ÊX"#i…G“pNÎyðÎt]YßÓùV«_Z<H‘móYÅ,‹El§¯6ؓ4èÊ­ï5ÔVå'Giî܈g^.©ý7瑩 -úQ¶Øê §Ÿ2¢ö¶ìÜxݙ{³§û¹ÐÙQÓòRjjuÙµãå[³nê¢}¿RäuAë•s¸¥wûr›ïËêÑÉhA*¨Ýë}kÇ¥ÛDÛTŸÌ¾%ÒÃÆÔԃÃ:¶u¾¦ƒK8x †$cí'QÏÔ)L»Þ—·ÆIÚ4Ô©{%Ð˽/×-uk žv×Ðþè7iQí¦9T=Ïøtä:EÙ®s;µ0îVp·[°Š»¦ªš‡ÞHº ­áF»ÇÝ>t­ÒɌ¨“÷»ëÞ~֝U6¬²mÏ^!Π揦v³Ð\*ÃN½N0H•Æ³$S,©ú¿“™d)OOüå7ŠŒS¦#žžßÍã ËuýŒ±¨°?T˜Gš%úèÕC‘`RJ5KtÊ¢Xgößݼœ‡<„¿¹8¨òM@Ɂ×ÁRvì|v*R¬?*éGâ 6÷yGN­È؜X#fÄ´Úøyàl½ä¦ji M .Qdm#§rf®TÐÀŠ{ê¶fï|K%ÁCYUDöݺ ÛÃzÍ6§³(8 â×ÿz}óëËÅ5ôQ·îšº5í”áßÑn·dlÍM9ï -Ûüs¹=8nþ¬‡ì©3Tª‹;Õò@R.¹o½‰+.7¸é'f®¸fQ©ohßfdhÎr&Ätɲ/f¬'"ýŒóv Z'ê9»•‹#MÊý› ðS’že¤MF)D&ºÃ5©óŽÚŽ¸1û숂ȼŠ#Ø£8Bèða¬ _ ûAê=,ÚºUϛqaîòC՝¿Þ( ˜³ xK‡NÊ  żvgÖ%ns}"¨5Ý c ño»ÅSÈ¿§a¨ Ì MÄs†!S"¥€æ•eQ äïT—àQЍ FÊ%DèlrëvÐË©!ýáï–Z -j‘r €úÇÀ?Êú„s¹DäAڔ~e’píc´;o”Óá>Øñc°ãÃ`ÇÝY\àðéÕwÊ/ÁP»ßËŽèó¯H«"L§€WáÞOÇ0ø –<X—ViÄâ,;cg + 9IξÄ딙 è‘E¨òÖ‰L‰…ÈèÜÜ25Äá0'’h¾`ÎØÆ¢æp¿9at×8ëÖ-e>ïªr]Zl„ô>˜ÂJJ( àùœow•yAP]¥c¨>4>±‘|;è£ ‚¸·\ÌqŒ*‡Ðó„R1!xҗ±+5š®3Ï_óÝî˜ëœ/Þ~ŠŸ¯'–ÆɑdГªÔÙiº²©i#w·± 8JÒ1øë>¯Û*w|0rLë8kñ–¨yQ8¡- ØK„\ÔýŒ2µe‡ì [+ˆŠR·Ö"]8ù(]Erþ*Ê:´ëCÕÉòý.ŸÐ ~"S‘»n¤N©p‘: Þ®–ÔqY‘rXFñàRi3–¦²Y)µYÂÉìðh>%ÂÀ6/ÌXReP†]n–òB¿çªjËûšRY^c’Ó஺°«cP“§Åò‚8*sgy%U“@ٗ÷ˆzaÌS1J­Ç¨(z·kÚ²3D>.d½,Ç ÕZþH´ -lVaœècÝã‡öW¶bÁÙû² § bgjfQ 
ìô€v)9ev4‹Q\F©ŸÈ6Ú;óŒNÍ3rö…B$‹°d·\1.çeýJ`GÈ[?¢E?¹øÈY}¿Ðđ$¬),~: Dõ°_{I*=–š@u»jNk¼øÛ»öÁvֆ†Ç&Mœ›¦uÃEÞåD3ÚájÿÐ0Ú Õ£Úûç)ö\‹µO2LÉÑ¢0”Ø[BU[þå®rè0Ð9ñD"–wÔÒ® cƒâ×ÛäŽs{,Ù-?YìÁsâyдd\YH9ÌvcàžSé‘Ã{ÇÍÖÍö‘Èç<[UK¬ª%þªÚåë!Ÿq„JkfYF©³¡«ê µ­Nn–‹7‹ëy¨„äÁØ!ú8> ʆ«}Û Ž ì¡”T°TÅésJI“± DˆD:u ^ˆsÖ°s×4l`mç«[UOåü¿ V ãB|±F ×4ãȁ±Éä«ÞEIJLÅg},N'úϔ~ƉRûgx(s×r„§ 1ã,0=‚xøC[ë¸@•ÄÂÚgJF±ƒ67`-®áÎãì%1 úö¬GX‹m4{ÝÀ‰fƒCyÁáP²=”ŽG&€á(Å%qÒ?Ùcé!ƃ[Øèåcñ eÆ1Ó - 4ñUu„,ë#„´3¿"r,ùÞ ÝáÕ<Ø훹PÁ§’²<’°¥éÝޞná–¬<'Ž¦®Cœ€òÑT? µuÓ¹ŽYLœÂ&ìã9R¡0HÃ>ž [»¸\w¤¨hó{ƒûGÜ*«ÝãjöÄØÁø §Ïò”áÆ,—jzЖ€{Öy究X ž# ”àf´Ôî –ŸæPPœÈìçVeK_ ß¸Ãߗõ“8g)Kd"gCÿù6—DçWY’ý™8÷å€1ôò˜%:Nžùˆ$ ö±T®¼9>hüÞ¿Ü_••ë½.÷ô~wîãR ¾Uƒ§V­¡ Uï©ïDf´µ7 -Ô ¡4^yٕ£#öG€XÛ{²£4uyõŠ‚KE=ú¤µCcÀÔn[óñà¿QÀЭ±_w g>ȧï#Xtþsƒ»š°ÉxõGi£?‚}ÔiMu7~ ^WyÛú:º0;\³öO…ôÎ'@çӏ(ÓËo­vkƟmú}·¹ض{9>‰k(Úej9-üõðµ¶ßÕº:¦cDZ ¦ŽÏVásd#>#ȨÄ÷bB -¤´¸~õËo¯/§Jì-ø(‰ôU"Á'$@A/Ó~î°13J ™e±G‚MúèL8è¿ôøqäÏûÁ»ÇºË?ÿ8±/‰O¤ÉdÎIÓ'JKF¯ ¡-Žž.ž,‹cï'¤ȯlÄÐn‹69qS‚bé}8÷±ÎKŠŠ§ÐˆÏ¼/}ó—ôc€‹S&µŽ¦_û×C¿+{éì꿹Olþ?8¥àÑendstream -endobj -1138 0 obj << -/Type /Page -/Contents 1139 0 R -/Resources 1137 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1149 0 R ->> endobj -1140 0 obj << -/D [1138 0 R /XYZ 85.0394 794.5015 null] ->> endobj -482 0 obj << -/D [1138 0 R /XYZ 85.0394 769.5949 null] ->> endobj -1141 0 obj << -/D [1138 0 R /XYZ 85.0394 749.4437 null] ->> endobj -1142 0 obj << -/D [1138 0 R /XYZ 85.0394 707.9711 null] ->> endobj -1143 0 obj << -/D [1138 0 R /XYZ 85.0394 696.016 null] ->> endobj -486 0 obj << -/D [1138 0 R /XYZ 85.0394 527.3014 null] ->> endobj -1144 0 obj << -/D [1138 0 R /XYZ 85.0394 497.312 null] ->> endobj -1145 0 obj << -/D [1138 0 R /XYZ 85.0394 408.0188 null] ->> endobj -1146 0 obj << -/D [1138 0 R /XYZ 85.0394 396.0636 null] ->> endobj -490 0 obj << -/D [1138 0 R /XYZ 85.0394 202.1472 null] ->> endobj -1147 0 obj << -/D [1138 0 R /XYZ 85.0394 177.8748 null] ->> endobj -494 0 obj << -/D [1138 0 R /XYZ 85.0394 109.157 null] ->> endobj -1148 0 obj << -/D [1138 0 R /XYZ 85.0394 83.1291 null] ->> endobj -1137 0 obj << -/Font << 
/F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F84 848 0 R /F86 980 0 R /F77 703 0 R >> -/XObject << /Im2 936 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1152 0 obj << -/Length 2290 -/Filter /FlateDecode ->> -stream -xÚµYÝoÛ8Ï_á‡<ÈÀš¿ô±XàMܞ‰Ós¼ÛÅuû Øt,À¶Knšýëo†CÊR¬¦)z‹å˜ g†3?Î0¼Â?ÞÓ‹R‘öâT1rݛoÎÂÞ=¬½;ãŽgà™M®_ggoÞF¢—²4Qo¶lÈJX˜$¼7[| "&Y$„Áo&£þ@è0x;¾ŠK¥EpñïáûÙhJ ‘cýu<¹¤™”†‹›ÉÛñ»ß§Ã~¬‚ÙøfBÓÓÑÛÑt4¹õ?Í~;Íj•›fñP¢¾g?…½X÷ÛYÈdšèÞ#üOSÑۜ)-™VRú™õÙíÙjUûi§›xȄ—œúIuúI§,’BZ?ßLÇïÆ4Øeƒ]ÅL -ÃÈWšªDãyP­ ‹b“å[¤E°Í6Æ/gQùzMԝ!®l·3ۅY8΂ÆlûDÄaûpÈÖù_a(ˆGû>O3/ì¸(áœ$—Á‡•qûfôåßÅÖmŸ;-QȾ¬Ð®ÞÀ›2àœ¥Z k‰Îp#®kŒ`-¸é’ÆÌ.Ë ßìÖù<¯œ¿šîå\3'©sX˱œ7‚;¾_ˆCÇ Ž˜Å*ñžGÛÖ¿§¢ : ê¥ãüW‡V-Q¬ã˜5S:õÊÌVÎîùaOnØv™ªKâZê !d-ulµ+A€þ.j¿“‡]TÙs“ðH·®Ü™y#HB:;QÆ©²QÊxœFßV‚„ ¯mfÍ¿?lдËҍþwIã¶pÙ]Y¬•a' -DL¥< -P*Òª¥Í -ÃÀ|É º ›+4iÙýáÃÿ8/&ÃkD²èëáx2¸Mÿ0;5*lïçu6‡üs¶®mƒS8Õ¹þVûíÙèÏáõû«»¸¹f¤´S%jkÒf<=“ϖéHÔX­™ƒÐ8ŠAPê|<¹¸úýҁ÷e¾7ó*ÿlº­šq¦Ý>m«ìËÏûJÍ4”¿eŒ›¶k †K Ë\Ug`;}˜9÷ø±C”†X;†bŸßSt?“š%èibûD6w‰ƒhÚ§„Ê昢­hæ,Q’×òl> ÉY¨DÜŠ) Lå,;ýÅܔ%­Pzy·6ÑÂ!TµRÉ«\Ɠ=2·ƒM/ØÚ¦ü~<â0®nçëòl-ltèe—³Ê/æNø®€Oðò£`¼ì @¨„üæ1…à@™6! 
Ä7‰.œP±D§ÏnœÊGv­lF.÷¸ö˜W«Î‹NQÖHõZDƒ¼Nv—™›(8˜Ÿˆ.ð|ÌKsÄTK¼|#ðN?Vß«“7þ63‡ùq ÕLø ( TâOÆÒ®ÊGJ[JڕºFÚÕ(@Ïg³w\Ö#G9 9¤$™0ùD³«Ìí·ÛçP‘œ|ځ7gqüm¼içàR>®ŠíÜ´ÄBDÁý‘@ØŽ¨f ­2çÌ;c܅èKöµ:Uó”)®õ« -U.XšÂytªÁ©dBDé×eÑw!Èr¤ÿ¢-êX÷+!TDÇzVöjóáfPpñٜKšA§#Åmt†LCè¼{×fð¿N*xƀJ'L¤2Á­{=ÄÍ4•ÄÔ ­­G؉7ãè]`Q¯a”j_'5Mj4¾”Ò@`átܳqU¼¼šVÇЎ\`ß¾®³Òâ¾}2Ë}y1úR™m xò3¾Á4 -Ãów£Éh:D—ÎFÿ\F´v9 æê÷Pú+¾q6ëUÙUo –„âµÉѝa¿{äxì@è“iM¯°èðòrʆÓ÷èÌ¡—ç7`/½ru¼ÈA³å„` ¹ÃΧ9w‚3÷Æ  arK#=Ž×¯cmQ¼[1‘ç'/nç,|éÍOÿÀ›ypê‚.£øWŒ/Èa]‚Ä‹‚øK‚ž!¾ož¹\¼R¨xPҔ±nDüZçWöëjçáÊÄ¿uü‘(¬‹þ“T£˜Ž™LÑìÎ÷Yœ0¨ˆ¤WÊÖɉæþoW§ªÿÛ°ËDendstream -endobj -1151 0 obj << -/Type /Page -/Contents 1152 0 R -/Resources 1150 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1149 0 R ->> endobj -1153 0 obj << -/D [1151 0 R /XYZ 56.6929 794.5015 null] ->> endobj -498 0 obj << -/D [1151 0 R /XYZ 56.6929 653.8847 null] ->> endobj -1154 0 obj << -/D [1151 0 R /XYZ 56.6929 627.8019 null] ->> endobj -502 0 obj << -/D [1151 0 R /XYZ 56.6929 405.3123 null] ->> endobj -1155 0 obj << -/D [1151 0 R /XYZ 56.6929 382.8411 null] ->> endobj -506 0 obj << -/D [1151 0 R /XYZ 56.6929 301.1931 null] ->> endobj -1156 0 obj << -/D [1151 0 R /XYZ 56.6929 273.8371 null] ->> endobj -1150 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F11 785 0 R /F57 624 0 R /F77 703 0 R /F84 848 0 R /F86 980 0 R >> -/XObject << /Im2 936 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1159 0 obj << -/Length 2375 -/Filter /FlateDecode ->> -stream -xÚÕYKsÛȾëWð X%bçAnZ/íhË+od¦*ǐET@€!@Ëò¯ßîé¤@ÉíV*ҍÁLÏt÷ׯ!1øç#«c&S5JRkÆõh±¾`£{øöî‚û9“0iҟõãì⇷FŒÒ85ŒfË/3kùh–ŠÞüõú×Ùôn<šE&O´aя7·?ÑHJ7nßÞ¼ûûÝõ8QÑìæÃ- ßMßN醴o¦ã —J ` =‹~¸Ò¤·7ï§ãϳŸ/¦³ý‘ûbq&ñ¼ÿ¹øô™rîç ËÔêѼ°˜§©­/”–±VR†‘êâãÅßö {_ÝÒ!5)!c#´M¤Š­ß±­Leœ°ädÛÿnU8 ƒh8ÖçO@ëðòdXqÌj¹ŠS ñA¼Ä»7¾êŸ K)õ(Ñ<F&ÎúÛ¬¾/Ð80[öf'ÈTã&8k¶*[°¥±Ñ"«‰˜ôljG$Q³¤î¡!bÙl×í_Æ kµ]¶í&m×lüª-=ã?´]±èH#£›Àjå7ùcbÛvxNÔçx8ᎆ»À*.#<">wm‘#¥p}McÈüxV[tDt =9▱躪h¢µpÆ+ E‘8šÕ~“ëõ®õ<çÅñQÉÓ6M[vå—">uÍ,X\µoÁסñ'ÁÇáZNJ'âwðÜ/9 5ml,Uj^‚׸ YªZê —ÆQO!— -`iS¹¼hÛr^ ¹´‡ÍC]l‰¬³uDSéä0k;æ6*ÚfçˆÅÑè¢qÏÀG€Óˆ4}æØ­FÀ=gQ»›wÛlѵô*={H‡7ou0Œ…X!NM´Øm 
£5ø‰HEhôf¢Í0ÛÒ8•\©tWùYKã½æÅ¢\gaüvsèõ劆7Yž;?zïs8­Yù¦>lD„„>ט@¾de•Í«‚>…ü€´+3‘ì%6?œP£³k6äÐ}@¬—XÅ@§”„È løql1ç˜CeÆq´à­c-SÞãMü\i‰{¬Š¯ˆR’â±Â&ï(%‘ˆJ;…€ -LìñùuÐïŠþ˜Û!5ñز½$ÿÌ,{wwÕ=i·ÙàÌ(Z”Y( xäp¦Hˌ@/‡ðï®X8MÀþj§ ØvYõç/Euˆ4(œk^”:‡%‹S¦Ógë6W|`ù}l閺éºéˆÈæmSíºâŠ^Ésèûú-1{ïãÌ击›w7·C²AÕËE@~Ø=“Öäϸgs²7–ä¡j6+˜°Çîý–:¿$Z4ëM֕ó²*»Gò®T‘m«²ð3¿ † |mêa4`Û`‚F/‡2Ðöó´/ -ðm»[=$Ccp_—ßœl0–Ñ£¬ór‘u¡ðµ`rcí@]è´CÊ•½\ÒÃÅȾª(†ïû-Ö+û¶C3ø'Ü:h¬­â/´‚Z§è,N_]º1ZhG dÂà¿Ií"¹‹ -h8®@>H¸»‡þ—û¢Æ‚ÏÙRŒ _$á>¾Ó•£²n±"ûbÒ `NJŽot凙&œŒ¾ôOŸœB¾è¹Ô«¡lþŸ ÜÇÈe!ãôÙËò',ÊóP†ô™0+_€²² ¹{ܼ|a|í.Bh-¨p}‡ä¡#‡/Mý+µP&6ێ.mÇ¿¥/ûzǝÝ]Ñð›Ûë_¦W4úӞ†Fájè‚øþ|v®½Yo?>c·žB^§äÞ¬?ÎïÈä~Åy»'Z¾”u•Q@¤þ®°Ú<6œÓøª=vb_ÖäÍ: A…žk=oN\žlÞ,Š¶ ~Ԗkh߶îÆ¢W6BùûŒ!z¾NkC~ú_üêÃS裼òilm’ö¤zòctæ±`º‰‚¦A“l-~ÔSÜ4ØÚÿ`S ‡Hn’}©ünz;½sÝõl:Ôùʘ±ýýu^úT‚¿` Âãð›añµ+j,ØOünߺl²­§šåIyÔB”“ãûU‡|ƒy¤ò4¶ýYç{ ‹ý—îª>…çN|8 ø-N{({NKs“Io³Ùû9Þ¼¿þøñp¤¢ÊŸâ8˜‚º’„âS³Ñ‹á{ý<üŒm›íÇsyÔ}zL…S¡žLúÄ¥µÉÐá©Fëendstream -endobj -1158 0 obj << -/Type /Page -/Contents 1159 0 R -/Resources 1157 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1149 0 R ->> endobj -1160 0 obj << -/D [1158 0 R /XYZ 85.0394 794.5015 null] ->> endobj -1161 0 obj << -/D [1158 0 R /XYZ 85.0394 769.5949 null] ->> endobj -1162 0 obj << -/D [1158 0 R /XYZ 85.0394 769.5949 null] ->> endobj -1157 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F14 608 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1165 0 obj << -/Length 69 -/Filter /FlateDecode ->> -stream -xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream -endobj -1164 0 obj << -/Type /Page -/Contents 1165 0 R -/Resources 1163 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1149 0 R ->> endobj -1166 0 obj << -/D [1164 0 R /XYZ 56.6929 794.5015 null] ->> endobj -1163 0 obj << -/ProcSet [ /PDF ] ->> endobj -1169 0 obj << -/Length 1537 -/Filter /FlateDecode ->> -stream -xڕXÝoÛ6÷_!äÉ*Z¤¾Ûa@š¶[»bؚô©íƒ,Ó¶YÔô7ö¿ïŽGʲ­¶ ‚@Gòøãñ¾iîxðǝ$džŸNœ,ôxèäû™çlaí—7ëò­•G˜n—u´þ¨zšÊ³ŠˆVš¥¾6˜ÕšˆªÈï«loŽÚ¨†ø6}׏eè[Cՠ“{sÎÒ0úâYYªƒ[©®ØÏՂÏÇ^ sêV½ùagv“ÏáÖýé Ãg| ¨V6¸;ôM"~(ºê;Sö¤”/wæaäÆ.P¹ªPÚ-,¥ 
]Ä%j×o%QCÜxsµ¡ïÛ?è; -7Ù2{:©”û-Èè‡þ¼h雑­Âhd+‘2-ÈV[¥ÖfÏZfS®ÂY’Æ֍ÑȬ£ ´hɏSŠ\BÔ2åãÔ¢Å1ŠGš˜£(œ9ª- ¦‰öE§}/7û—›5½z$·ƒ€áQpj0#&]Rh5]aaRØB–ƈ5©ûAVM´µRÚõŒ5M²òæ¯Ô­™é:;™m³¢j»s_ôĈ¿Êc~ó´)é(U_³}]ÊSÙ©:RÉU-›ÒT›¬®-‰6{n<#>+! yk9–K0ƒ‡U«#}¿( -~‡ 5‘W+µíÛJvíMPòGêP”%Q«Rå÷D~xsÃSžÐ ­³\>› -++ËaW`Aƒß\í÷ªÂ»i[+IQYP¥6ڋ´ìd6uH–[ùìhø}<¦ÿ–É ó³±8_Oqþ—"°,Ð,“o™.Pcȕ‘žâb„Ä£„ùï‹Ó;ð'-‡Tku®éâ}™1Š¬¡xHk@«iJW4g™a’Ò¾ÐïW²ù‚íy'úýÊôßQ[ÃÿƕMH×Ô@,ä°9Q c“B}cz\ÜÇRZÑ¿k…óbþ€ï -u¬écÄÁ]¿+“…tϔCÈÓbü­*sԕÉ; Âíꇪîk³oŸµP,'Á7…½ÇÕ~9†ñ{dÕãéµÝI‰hq¢+Ö úë;íé>÷‡.iJÆڒØ}àJ¡ë0û< ˜À‰¡½¡<¼§ÑÀ2T!ôUI…íô0tœÚefm%eEGÙºT`ãÓ·˜ûpz]´î¤êVè“ýÂêªù|¯Ž5G@ê„v{¯ß%´L_aë 7uFØî›Û¦h‰ÛÔɼ£[ùYƒK­4'£†.[_@õێ^¼½yýa=ÿÝTóÞ+¶u]?­jé`(EzçãFTƒ ІŸcöúnx5‚{°(ððŒ™ˆ#N/KZ½w,õÛè•i7¸£ú‘yRm/puLtõsòâú´^²gÙXÖ·¹l:¦š-Ð˺_-ÍÔÒ^wyýÞ]¸!–Ž4Eݱ5=1Ç7 DĒ0ž*B‹ù×ìÓÏYÃßÍ<æ§Iè`à1ÀÎ~&àY$v\Îng/>à¹GÀË{ãŒú2Ä÷Z«KáÀŽqœò‘pïùçüÀûž#á?Ÿg_üð÷ƒ©Ó,‹{䡟ÆÞç{ ‘ÆH¿Ûù…OÙ".ûí¨BLendstream -endobj -1168 0 obj << -/Type /Page -/Contents 1169 0 R -/Resources 1167 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1149 0 R -/Annots [ 1173 0 R 1174 0 R ] ->> endobj -1173 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [513.6761 73.4705 539.579 85.5301] -/Subtype/Link/A<
> ->> endobj -1174 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [84.0431 62.7606 448.7754 72.9224] -/Subtype/Link/A<> ->> endobj -1170 0 obj << -/D [1168 0 R /XYZ 85.0394 794.5015 null] ->> endobj -510 0 obj << -/D [1168 0 R /XYZ 85.0394 769.5949 null] ->> endobj -1171 0 obj << -/D [1168 0 R /XYZ 85.0394 565.4467 null] ->> endobj -514 0 obj << -/D [1168 0 R /XYZ 85.0394 565.4467 null] ->> endobj -1172 0 obj << -/D [1168 0 R /XYZ 85.0394 528.8591 null] ->> endobj -1167 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F11 785 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1177 0 obj << -/Length 3185 -/Filter /FlateDecode ->> -stream -xÚ¥˒Û6ò>_¡ÛJU‡$@ܛ“ÉÁN<ò #qM‘ -£(_¿ÝèEJœ²«Ö>h4èF¿5Á‡ÿÁ"Š½8 ÓE’J/òƒh‘îüÅÖ~¸ gíÖc¬ï6w÷ïãp‘ziƋÍóˆ–ò|¥‚Å&ÿm™x¡·úcóÓýûÔᆾ…È#Î÷?~úøqCXŠRy2P!£½ýðnŽRì…"Œóô°ùüønŽThcýîGþûŸVë0ò—Ÿ?<þ‡FOŸVQ´ü×ç'ÀV°AÂåÞþ¼y`ÜÄ[4üåwp IÝÖï?zÜüJ³ï?~xz|÷ðéí*‘ËÍ#ÌðFw›A¦c¹¾@þy÷Ûþ"ñÿtç{"UÑâß Ò4\îd$¼H -á åÝÓÝ/ÁѪÝ:ûŽB±Ü>¤ ô„„ÅñKF©ª$t/¹Z¾ï/³}S×±ª«œ­éú‚Ç(ß纹–okšÓ´V¶ö…¤½¿X‡Ê‹“TØã>V¸)¶nûš[úë¶-¶¥¡YWÓ·Y©eϔܣÁ†hºFõ)ž’0&U^WZ¿&Ÿ¹´í‹dÀȦz)½:˜Š/ˆÂàc…ŒC°€(¸G ê+Ò˜B¬. 
-õ홅s4Yñ|.ª `ϒø= %³™Œè)åEñ`ZënæÈ ðÒ(r(ŽÎb-%î-r¸\»¢®ÐÍ=€r±ž C@v`HÄl—|–…pj «a•µ°9kÅ°TäÜ €%Ë"À8Ê2Y>‡‹s‘ó@˜®øp®JFøPÌ7EgÐyùÑòCÝQ幈ÿ©›¤t' %í𝗄Ê4Må×-„šu¢hL½¥ïD­CAµ%À5ã]Ֆi/®7L©¡`j0ªlÊ´¶†iQ y©é õB>…¯‡M$Ú®)²ÎU9à;a)˜JêX7];íoŒ¬þ¶ÃA„±xäöÆuû|€ô½0Š=‹`¿òî ò-2î sÝñ1O®íóÕ¶à[6)Ûº©©›C‰rG'=ÓÇñ³Î@ÓW˜'pŸi_÷eNã-#‘¨Êó¨E„ ®#ˆËÜjœ\œa¢2îO%—{Õ%&ם’““©àtR.óšç{JbA¬h«[J>™T*]+–?@ç9¿:o¢\W8L¹Üה­:õøUŽæc4’Ö"æoù’e1 ²Z¿rôL §ô‹˜Ž*¶0‚‚`ð5Ð9üE@êͪW¬¢•'“ÔuH•êӚ_z¶.P*vNþonã©K³R€O¡f%‚¦Û×9_ƒa¡nºŽ @ 6færG‹Ýք⦁'º2 ñ=C¶xå«x_?؄Z~~‡¢¨[³/”'©áZF·…MaüL•øÎ*«bù¶lkwÝ WՎÄóäò =áô҆±ò¥^˜âVók/#Rt‘C,þÊˬô™zýWìªTšÐea0•,¬Šã}ÚR¿0êà»ÂK cD­3 íІ'J©9ñQ< -Nˆû„.W:hȁ›9­Ï¨±È<‹ÅÀi?€u×áÛæ´¸eh;dà‘³q€^Tƒ}}äì–ë74v¬Â:‡Žx¤%úùd†sÃûmТkç&'&à³Nù׆u”îg’ËË¡þ¥¾<Ž~'°ñ‡k¼UÝó„óLŸý½måøV}Z[œ'ìpt ~ý[ô !ÿ§žÉÎƀ»¨Ã,Q²]Кl™z֜]½kôqïê;\Ö=ܠ’¯3LhËgŒ®æ]&ª` ù+Ô$­ÎØ0blù瑱UÜ&o›§Ç¸ Žh²xX,¬ÊƯe@A{òò‹××}j f>,ãb*Ž±‚ 6öхà~ûbÎ4¨VØi^Ë%]3rú]+xËPN•nF· k—ëBŒÂŒÏAŠ1¦åßޖ p ÆâÅÀý‚ p•Ø “˜HͤÙ2õüX¸ -‹Ä´>Öe‘çËÆ(ñµ´¬!ð`k†æqîÿLÅPýO['OõÁ8 èèᱍ[×-ƒ­åÀ÷‹1GZÕÖþÄ~Œ]èâ9¡½ûðÄhºÓ4²a8¦_ºðÄ~ u±.X©˜åÜ@BK~ /À*Çøë9—ÁD„â¤>µGìfuC¤`†ÁÚ#Ká ˜˜/¹§~×؍;®K/yÙK£¬®:8Î!ÉD)Ð6æÏî© Q”¶ ×;€Õ6qÅÐÛ»bðØoK—ãžÌöêgr`¿œüî”ÍýâT ¿¬£òã¼¹åÍú‚ë½ö'ø˱sàmÿûÏ.#"!ÝW*¼üeÁ´žVžT@„/e˃ðææîïn¯þ?ºgendstream -endobj -1176 0 obj << -/Type /Page -/Contents 1177 0 R -/Resources 1175 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1149 0 R ->> endobj -1178 0 obj << -/D [1176 0 R /XYZ 56.6929 794.5015 null] ->> endobj -518 0 obj << -/D [1176 0 R /XYZ 56.6929 769.5949 null] ->> endobj -1182 0 obj << -/D [1176 0 R /XYZ 56.6929 747.0488 null] ->> endobj -522 0 obj << -/D [1176 0 R /XYZ 56.6929 613.0366 null] ->> endobj -1183 0 obj << -/D [1176 0 R /XYZ 56.6929 586.6546 null] ->> endobj -526 0 obj << -/D [1176 0 R /XYZ 56.6929 473.2336 null] ->> endobj -1184 0 obj << -/D [1176 0 R /XYZ 56.6929 445.9291 null] ->> endobj -530 0 obj << -/D [1176 0 R /XYZ 56.6929 376.148 null] ->> endobj -972 0 obj << -/D [1176 0 R /XYZ 56.6929 340.4845 null] ->> endobj -1175 0 obj << -/Font << /F62 634 0 R /F90 1181 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 
624 0 R /F77 703 0 R /F58 627 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1187 0 obj << -/Length 1975 -/Filter /FlateDecode ->> -stream -xÚ¥ے«Æñý|…ÞÌVY,Ã'ÇÞÛ—].Ÿ­J99yÁH" Œ ƒ”õק{ºÄ‰S•Ý5}Ÿ¾MƒØð/6yâQo²"ö“@$›²}l@ûö`ž8‰ü$Ž"xX¡n“(÷“<Ì6Û¥’¯_Þ=~‡›0ðÓ4L6/ûÉVšå~ÅÅæ¥ú‡÷t”'£ú‡m˜^þðϗ¿’Xìgy&P,‰ŸAn^„^¯Ç]£†£Ö¦î“˜ˆý(NCK#?K²“ûâa+‚ ðžtÛêŽ þÔkPÓ³áIâDà|&r§`Rñl>{Ho %6\tÿ -ÞüžŽúB@)ÙÚ3ý| ‚ð0öŠžô褏òJí¥×ÝáKö,Ú~‘†);á)bS@Ž )Š…·Sƒ!hÐÍhj<$>=aÏ,ûPwÀ,<Ù4ræ”]E@©;örA­‡aTƒƒ¯uùÊ^œú‘{ê¬:²gƶJ#QXr÷†GÃÃL1‡Ã Ê؄nÃ,óÆþ¦^£‡ ‰~5¨);µ×¤õ¾û ¹( ,w'“±ƒú\WÌ& ?hr°d´ÞþXw†ÍÙø ®îÀn˱AŠä‰² ÀN]PØŽƒª(¿ºE9ØS¬”CNWÖ}x$—–å¶ÔûoFY3ŸkÞÿDÓā¦‘«ùÐU|Wöª'ê;ÃÐÁÝaBO¦>¨¾– Á?Žíz|½”sè±"²öþ®;¬—(„: é(^g¥"H(¤ük´hæقù7¢1c÷sTÒ° îVL÷±4Ú¦'¥O KAeL´„²Å>-}X«j®ŽÐÙæUVhU üÁ -e„æ|#¼­Å0äèˏP¿Àß?¼ÿóÏ>‘¾"<{s%î΃¸£<+Âî”êg`‚P&ÉÖ ÖN3å#Lt„€_Âï (u{j`´Ô²³­”ºZ€dÉ €ÉáÔÕp1ߔdRå¸`²ª˜©Þó¯!éKÝ4„ÁɌÓ!¶Óám²Ü­µ¨é‘!ÈÈür¶Œžš4ÈÙ5 ê¦"ÀÕ,Â|˜,ö0+E -fqd"‰½ -pTÀ4 pјéß©ù^5+“³K™›-“ç9Ì©ª.±ð?]”00%ýüf»¡£àÒh½S}žÔQ|gÖd -Ç '\ÞÝ0 ™YhíŸ#:GqڐNªçÉ5…q¸ŽíÿOºùEºX€BÁÝ Ðe[f€¡ßt¢Èª"B(â,Σ4Έð1H‚ðc(‚Hl<ˆ[Šs¿Ûñ¹KFËꆓ»L¸mB`†^™8Ì{2Øø!ƒ:¬…›j»҈û?vC*ò:u! 
›hž)эû"¢ÙhÙÜUeXó‘ŧš[˜ã} 7=é";FÕæšy§ØÅa2ec¶:¯éçî<Ⱥûß™ˆ™¿•Û¼ŸnöòoWéwª9}ùûÛʋ»ž;h°Ž"”yôÞ\®æò“îݛzlé‹êù×^!{äÞóTÏm‡Û›¢b =¬Xjâ¥+a<@)_Ý|ë’Y偼°‹_t_ƒ¯Ÿ|¿fzRïýwO?!”ð,pöÃ^û îɖ£-¿¶+ðòjÓÚÃ"aòæí βnäw‡q¶•, ¤ºîÊf¬Ô°¢Oµr“SÅ¡ÑF r÷졗í€åCԇ®Æe¹¤RöªJ=RÌàÑΑY¸KG¡¸`z¨D嬓ñ‘Í$éØ¥K¿©Êi«á亯Í!È ìcãvƒ_ï{Þ¨ -­Ýv?v•ÕšÁ>¦ð­ÎÌspÿ -/o“¥9”,‰Ãà«qP¢ßÐý'À_U$ò‘¦Á€aJ"۟˹–G¨“,_偹kÈëÊq©‰+b~êÝë>ì)-=ÙH!Àï:Ê®ƒÔ•®æe÷tÔD¥©í‹Ú!ßñ%ÊëÙ°‚f`þk¯\Šm­àlS]¿Ù6aáÝÜXîkFõ…œ‰­ºq°×vJ‰„¶w͛¤Ü¼Éä¹]g2|[7²4DÂWÓ?ƒ&Ÿ¶Uþ6"ÄbŽ*?IÒ œAþˆ,ïþò2}҉âiœoDúY’Óg¢¾nôýü hØ.$ì $[ؽӋÖ[F±pûpëÌt¿yqíÏÍg¨‰é·«³ßéBþ´2ì\…(8F.ðçz¨9Ð|¥¶i0µÛ(Ï}‘‰øº¶/jÇËõÝ*W²’$~’‰OåDÄp‡%aàçAøûI™$¶K‘û¬Ük¶‹…1§//—‹ÏYytmùÈÕ÷xW7iu†7>Þ$jâº÷ë*÷Úþ[ªðÃ"…Îm’Ôí’Û°å—7ÿÖi÷U2J|üƹæ±cÙÎ<ôysé\C~™S„®dÑ­µécé½¹ÿq ‹endstream -endobj -1186 0 obj << -/Type /Page -/Contents 1187 0 R -/Resources 1185 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1196 0 R -/Annots [ 1194 0 R 1195 0 R ] ->> endobj -1194 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [348.3486 128.9523 463.9152 141.0119] -/Subtype/Link/A<> ->> endobj -1195 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [147.3629 116.9971 364.5484 129.0567] -/Subtype/Link/A<> ->> endobj -1188 0 obj << -/D [1186 0 R /XYZ 85.0394 794.5015 null] ->> endobj -534 0 obj << -/D [1186 0 R /XYZ 85.0394 769.5949 null] ->> endobj -1189 0 obj << -/D [1186 0 R /XYZ 85.0394 576.7004 null] ->> endobj -538 0 obj << -/D [1186 0 R /XYZ 85.0394 576.7004 null] ->> endobj -1190 0 obj << -/D [1186 0 R /XYZ 85.0394 548.3785 null] ->> endobj -542 0 obj << -/D [1186 0 R /XYZ 85.0394 548.3785 null] ->> endobj -1191 0 obj << -/D [1186 0 R /XYZ 85.0394 518.5228 null] ->> endobj -546 0 obj << -/D [1186 0 R /XYZ 85.0394 460.6968 null] ->> endobj -1192 0 obj << -/D [1186 0 R /XYZ 85.0394 425.0333 null] ->> endobj -550 0 obj << -/D [1186 0 R /XYZ 85.0394 260.2468 null] ->> endobj -1193 0 obj << -/D [1186 0 R /XYZ 85.0394 224.698 null] ->> endobj -1185 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F11 785 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj 
-1199 0 obj << -/Length 69 -/Filter /FlateDecode ->> -stream -xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream -endobj -1198 0 obj << -/Type /Page -/Contents 1199 0 R -/Resources 1197 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1196 0 R ->> endobj -1200 0 obj << -/D [1198 0 R /XYZ 56.6929 794.5015 null] ->> endobj -1197 0 obj << -/ProcSet [ /PDF ] ->> endobj -1203 0 obj << -/Length 2607 -/Filter /FlateDecode ->> -stream -xÚ}ÉrÛ8öž¯ð­éªH! R¤æfËYœ´=.˙®šé9@$,aB‘ AÚQý¼ ”ì°S:x ððv@ÑY¿è,Oç¡Z&gÙ2™§a”žû7áÙpßDB“¤jž&JÁd;KU>Oó8;›.rùðæ݇$>‹Ãùb§gã^‹l1Oãì¡üOpѶ¦.íóYœ†ÁÅù>3_2Ïò,B¾öÈçÑ"KN9 -ãFâ(™«d ñb1T–2ñ<:ŸEaKßêæ¹2åvoêþ„7š/ÓÔóª6R‘ç=r³|—5<üd]ßtž4ìw†W·kèºÖëÛ+ÙT-çËE¼=ã|ž(ÐíYõ»fØî€G-e9üÇ ìåÁŸaVWaÜæ< -ÌÖÖµ­· !iNÙ¯š½¶5oõ^ ëƒëÍ^XŠbè:ÜÀ ¼*<}´Ìe£gÛ¿–«6•-to›zÜΈ§õ -§ºÿ°B%$Á2ßòH4•EÃÛâL‰"G´ -jóÌç¥à³v ,+:»!™N2dVúÍJódª¦%G¡%X°”´7Ý7¡®Ÿ,¡ÆC€]‹(¸E'@4™qBÐg3:Q’ϝí{Só„Í òU·32µ‚G›ò¨ßéžGû¦´hž–½Mg!ÒPò8Ƀ²)â¯w !G¡ÅÁ­Û*Œv϶ožÌ˜~^ûÎF;ÜP-aŸš¿´1PC¬ûeŽâ™ -T“¥‡RD¡J@ʼnJ([øG†¼›­šº0-JŠ0R >èÂV¶·Æ!›¬ ØüÅòéÛ)Õ¿ØL-d³ë}[™7T*•Edݚ‚ô˙ƒS"ŽfDúƒ!rd÷±€4¬ ºðšØKÇ ¡…§œeg‹dçªz•¯í ÁSTl[cÊÂPßT¸äÊôÀI+£$ݹž'£épRúL ãš31ŒœéžàèYPvYÆI-#6¹Þ@H ðÔ×Sñé”|ZÍ8yeÁæÀß;=Ðaóà¦)¾éÖô×u Ã1á“c´2¡ ¼_1à³]Ó:ÐöºØÙÚ8¦«01$(ºR_=ðµ¶plgûƒ¬þÈëfšNö\éʂtµÕ¿‰¬×5Ì÷£XÀPØٔ¥M]$Éx\oû¡#bZþº^Í®×לd‘FR¬wÍdœˆAð( Œõ›8Ä­ÏY¼ô©8Xd;nËÍn¯W¸Ñœ).ø3z8ÀÄ(w«ˆ”õƒG^ÅoOCà—¦ûf*sà™¯!<㪏£1V©™HCìKXi5¸ÆÖÈÒäe½ '®id¤éœ*Z’—hʋ¶œû†i2²3~· ÖN—eI¸~();ÒL÷ü•.^øËé:G9e\¼PH uÉÂfÐm;] éãXùOv̂¯kþ^™Iÿz4µC‡ -Á¢å“oC -!mg8iP¦üoð?SP­ (®ÐDŽñ04ȕï!¼¿Àzÿ:"èòà윓BiòàK}%õ;QóVöLæù\ñð¤@ =`ò@= |ÞÙHTö>«­š};ˆcgÒ=JD¾:/ ?MÎ1 Wëûlc6K&…'Å~LÅà«Ã¶ò™ŽRé:¦Ø«¥¬$MÛ@mm†*6×üV–vOô…¼°*tš·"Àõw»Ç{WUYÂÆXçú]S•Œ¾Óôªó¦Ü û‡² áxÚ/zQS¯‚à/XÂË+^t‚ø¤ñ¦! 
Ԍ‘BñW¨ÔÂwÕöwólÝdÑ\í:|æjý³Öt´êq7lMõöUÜQÂt¿ˆ6¹á´“AHJñ3’³À\Ý\3¾G!Ž - FÏæé{*úú§3/ő÷‚Ÿ¨Ï(ˆòލpà® Ûjáò­Ìô­¢‡ÂþNŠ<´û½¿O3¹:M30;V¤¶G(F4µÔó’ç;ýd˜hc(„&EÄ ”m}'*C87,08Þ p¶~Ñ< êù;ßîz;`þ3ó3 Jáê8´„zo ¿O¤cý(ÉxxŸZ¯Håxåa£ÉÐ:\¸hf£öQÑ©2aIm6¼ô'¼*&k³wLó Oݧ¯3øÉîÉ~> endobj -1204 0 obj << -/D [1202 0 R /XYZ 85.0394 794.5015 null] ->> endobj -554 0 obj << -/D [1202 0 R /XYZ 85.0394 769.5949 null] ->> endobj -1205 0 obj << -/D [1202 0 R /XYZ 85.0394 572.1453 null] ->> endobj -558 0 obj << -/D [1202 0 R /XYZ 85.0394 572.1453 null] ->> endobj -1206 0 obj << -/D [1202 0 R /XYZ 85.0394 536.5761 null] ->> endobj -562 0 obj << -/D [1202 0 R /XYZ 85.0394 536.5761 null] ->> endobj -1207 0 obj << -/D [1202 0 R /XYZ 85.0394 506.7869 null] ->> endobj -1201 0 obj << -/Font << /F42 597 0 R /F43 600 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1210 0 obj << -/Length 3135 -/Filter /FlateDecode ->> -stream -xÚÍZëoã6ÿž¿ÂßÎÖZ¾$‘é]l^M»—æb½C[àd[‰…•%ג“øþú›áz$v²½Mq»‹À|g~3ä ‡âÿù Œ‚È3ˆ -BÆÃÁlyÀwÐwqÀݘ‘4êŽú09x‰ L$¢Áä¶CKLk>˜Ì28 -løáòÃÇË/nŽ¯¿û×áH„lø+ ÙñÕ)UÆ?]\œ'g®zsv|zyuCøá(Ž __Ÿ]^þ“ú‘*kZOÎƇ¿M¾?8›4lwEãL"Ï¿üòÌAÂïX Pa7F –*”A¨¤ô-ùÁøà ÁN¯º*Î!–çX)1à* -:»`…&:,q8â ĺH‹tä$ëéÕ؁’ަ봘¥T½,nËõ2©³²@ái ˜0´K°ÁH² Š¹öÄîÈ_^ßGD#™Ï×iU¥UG%ðÏâN4eGÅ@R¨À(®,IGFǖÌ!×COJëaB ÔυM³šz²yZÔÙ!‡Õ˜H×n<ÈBc³¢N׷ɬ!TÌ©£JëŠJå­£ÔÙláŠi»¾h«å|3Kç~ê«)ŠŠÂ5èp„zl†uI¿°N–guR§T¯fIžLsW»DVŠ´¦-¶©³â Ušx8Y´ Á€¤[©TóÕíÊ -E+(ïâ{Dš £Žf¤ŠÐlR ó?Ù,©ê*”<ˆe3îBÄ´ i†Ôâ„­ 8#k˜È=F´»Mñab"R±V%ßìàR‹@j)ÜâÇÅv“Æ©“2’–I\­Ï$¶XÓÁÅ=?¨, |=¦ªo Á -<ßÁ×a ¥ˆÝºßäõ^M b.߂C‚W± ŒyÜ·Á–o´"ΆߵF»õÁýÎÓj¶Î¦®†öl wy9õgˆ7ˆfÓ;k¢†j¶H—©[ãÜnDh]–ÝŲö´yçf¥®ëæü„ -BÆ*h6S)èð™xž’»;"z—Ônóü!N‰ǑkKš¾©Ö'GBqwüL×L#°$xE›VŽà‡3Yâ^|¨¡AiОŸª´r8ՍŽãa¤Y8º«ç¨‚›‰·|¡PÐ.Û3æMaǬÝ—aB­µ±0_ã?1ùxìü-Ä&\…‚“1n•8^uû„ab8î¶Ä´\úMÜ´ïE’˜T_5’!„wZÅ¢A’ó’& ¸db‚+ÑîÿëŽ4bםŸ¿ -ã!t½™æٌʓC#†åªÌË»­ QüXK³·8çQ®I;ªß>ZDa ¸–ƒ® _ ˆ -'¾né(ÐfÊD̃Ð(¨0pj:ú<ÆY>WÒh‡^¢¨;ñÛ½ößaóë…<œ‘‘ލ¥Œ¡ÆzA(¤zK½ÓþŸý ì•-'½R¾Ž5ÉaÞìö^ôÿð®B@¯a -®( -Çý Ú³‹šý€«“À>DÎ*4f·gðz…}ÆäAnbù'èj¸oI BìÃ8øÛϹt²0ˆ"ñ±Ø=ëψ4¼LpÝê=@i¼8D˜"†5‰¿á*Æ1¶l·k û±½}2Æý峋¬‚Ð\› ípñe‚!„"RTÊHÌ9Ä/C¥ “!÷â†8V 
fît}LïS#w¢h¼ý??'öÁ×åìë…Oó€+¾Ÿ†p^º›¨ É Ìn`»I«t}o/ûtop…M½é^k6Uº¬o -K°"¥z¬‚tŠÆz1k†QÙUúX¿‘™u˜úzÍ,Œ7 W‹ (Š°ëG÷: v ½v¶¾^ìÖòè„Ù‘¡€òòjrvs~ÛñÉY ¢â²5À—"Ÿ½pµœ¼ZŸÇü¾››8€p¿„¨\òόbÆ@®^Žb¤Á#Óe›'”÷|š3@'â.~l®b‘?Ä9oîbÏ#Ú´.CŸÜ³É˜µ¢Tè}6·G1´L·ôKy*ØB›UEÙÙ4Y>›´¦–Òý^Ž¯¹06qi3nŽ(†.éz·È·ôn€³rí2H«C྘;¾lV·åBb2[íÀcwˆne?1W¤õC¹þ´+1¨p‡8ªtF›ôL¹\æòsØÐKnaÃ:)î0 'ŒÜ§¥à†«<Èté¯)' á:®»ÊÁY¤4p¶-7Ô>KÏÕfJ9mË·ŸV­`‹¢˜.76ãޕ«J–”Q DC„ª^bÉhGsäT§E5i–Þc& -Iz¼mkV òl¿P]RÕ‹Ø L‘ÇMê»sÖØEŸœ5O¯kpÚ°¸Ÿö"맪ÔVÙVDžçyž9o’Üå{…4„yý|zÖ?ÿ¼ÛH\–4»O]‹ÃÃelÑø> ÃaV/ÜÉy}½{–Bõ¯<Ó4/t›-.}z·ó”õuR/ü}³^$nÝe2[dEZ>F·W 6);‰^ÑW.ÖgÉ*™âûɖêv7íߐ dO {‹‚–Nj ™>f”4ÚsE¥úUu„Æ`v0âf妩ïY¯³t¾ë1¨ÜÔ}•ÐcÊM1O`^õÎé "1º y»1(sŸlû¹ë“<©ª¼Is[ã<-—‰§vCIí=éäòô•ôµ :Z`QÏ¡²ði*,76Õ¥©›²)²ß7n¼•ÚÀPj .âÃ]Š¶âŠÐ±€p$â(“Ð0ÀÚN+ª6·ËX€RVí҂'bz=Á!+¢'ïØSöFÄö­q]5óÚ7¨N·µ5{ Dԙ· —ºùCûb'zï(¥ä˜“Qçççgøk›Ò(žð™'¯±÷X؆¢Þ.ÇCAgЕ—)½§ÀfÈî -«Ø5u“%CÁ®ïY2¶¥lÐX”›|N­NDìw“får•ƒ§M—`jé< g¯ãÞ!ԓʽ$za¤ÔÇuV×H+¸CP)èÛ¦y9ûTQ¹JW V]عö Ä 5ÌÀ%öŽQ¸€}yšÌívÂÿ!'X:‚öѦ¡v-jY¢Ûõ£å[ê¼y+}¢°ô1Hң捾÷žÞ=<Á‹ò£ùT ø5G cPºEÞnnS͏ÄTŠÝÏòÝÝïŽTóôùÌpðÜéÌé“Ê k, †äÙ§4ßR‡ÝE•ZÔtáòÐ a€èH[óÆMDbúÊÑ ³jV?RCtä&/’{כ³|C±"´'»\ãáomн­bi…»ÝÒ1 °âÒÚ_è7ÎË 9o-ƒšñDý÷ÑÑ_(nÄ4:lÉnÊHøMAÒÓv‚ÖUYUÎ!AÁA= hëØ‘Iê]"ͼƒEÝÔÞs.yÑôNÛ¤ÅÜû£|ëK³´ïü¬ÞÙÐ|(Ò~‹¼(5ûOvÜg"@¶¬¼['«Å¶õ< [ãÍBáY¹¡=ÕùtäÙç(p¥ÑÊ4ùÏQnRð8þÉ·ÉԜ”KmIí,Sö¾áÀš»„Ô%Ø µT°ÙwxgÎNé ‰MKãôjüŽÈ¶GËTµ°§~Ïáx€£«¦ÑîC€§ϒa Vˆs(´a­‘m©R L¨l5ø…]·À'öœªEYÛ¯ Bév‰W'ÔX?ã¦ãfªÒüޓk¥ƒÊÜfq +T§Ûý²°ÌP;+î ¢Lië`4kóIõ‰ºÏ)œ¹¹(ãåÙäÜÉȌ;әWg/҇†qÝ­]¸[ãªK|A¡•%‡îrYvWJp¬7À@g -~ÏI‹ƒ|ò¬p÷YB…ó >,s5Đ -nëÕÑû÷(wUYÎ7ï³bdUó?®°ö—…Î5“É ÷oj;6…ÿƒÆõc½ëÅ(YûTÕ˳0Z¢0pá£|õ~øÒÝ4Š›0êÌ°)‰°+À3º¸zEþo9$Þgå®oðØàÕl×ç~ñ×¾úÁÕQê}™Â& ã˜BIâèçþÓÀç¬ÿ”÷xendstream -endobj -1209 0 obj << -/Type /Page -/Contents 1210 0 R -/Resources 1208 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1196 0 R -/Annots [ 1218 0 R 1219 0 R ] ->> endobj -1218 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [401.6435 61.5153 511.2325 73.5749] -/Subtype/Link/A<> ->> endobj -1219 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [55.6967 30.8502 511.2325 44.7979] -/Subtype/Link/A<> ->> 
endobj -1211 0 obj << -/D [1209 0 R /XYZ 56.6929 794.5015 null] ->> endobj -566 0 obj << -/D [1209 0 R /XYZ 56.6929 769.5949 null] ->> endobj -1212 0 obj << -/D [1209 0 R /XYZ 56.6929 748.2826 null] ->> endobj -570 0 obj << -/D [1209 0 R /XYZ 56.6929 748.2826 null] ->> endobj -801 0 obj << -/D [1209 0 R /XYZ 56.6929 720.3635 null] ->> endobj -1213 0 obj << -/D [1209 0 R /XYZ 56.6929 647.0664 null] ->> endobj -1214 0 obj << -/D [1209 0 R /XYZ 56.6929 635.1112 null] ->> endobj -1215 0 obj << -/D [1209 0 R /XYZ 56.6929 529.3677 null] ->> endobj -1216 0 obj << -/D [1209 0 R /XYZ 56.6929 517.4125 null] ->> endobj -574 0 obj << -/D [1209 0 R /XYZ 56.6929 180.3481 null] ->> endobj -1217 0 obj << -/D [1209 0 R /XYZ 56.6929 143.7717 null] ->> endobj -578 0 obj << -/D [1209 0 R /XYZ 56.6929 143.7717 null] ->> endobj -644 0 obj << -/D [1209 0 R /XYZ 56.6929 116.6563 null] ->> endobj -1208 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F11 785 0 R /F77 703 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1222 0 obj << -/Length 2590 -/Filter /FlateDecode ->> -stream -xÚ­Z[s£8~ϯð£]µV„lmm•c;wwÜ;½³³=ó@Û$¦Úà\æ×ï’@`{j·ò!tÄùÎå“dü¶W/qؚï—Q@†Ñ7õ^!WÛ° ò}‡«åþ£ s|än9ü} [ 'ÑoœcÔp’ó™ÅvEqü»XÄ`ìŠ<Æ 21Fc¤¸¾~}}EqT<¡4{¾Îž6ç¾!êaÊÜåÈãwû’–›b¾t6[Ÿ/qÄ]_[)2À.¢.äcðJˆ/¾<ÔõJÙUôeQ²‰òú%ýÉO0ߘr„}ˆ6!¼.ÂdfÛ¼/%xbjì{¶3¥Ên|ÊÙ\BóWpHÈ5îïggEÁvՕԹnæ™gà’ ÞP>KaœÈ¼¸ `*™> á²5MÁ€ÇBõƒdã6ÜÄû¸ˆ+Û6¢Ÿ;ˆyÜW˜ýM¾ò0Â$¢É²ï>Ý|Q‘Ź’Z¦/‘ eñ^ÂQ/"àɜùô"†”-e Â,ˆØTˆ´u÷ b*¿ˆÈâpÜG‡()Â"N“.ëc´‰s²‘£]‰àgUjj‚#þ9 Ç»@L) DZJCp[ÌØ4µU÷ d꾇ò ˜Dz*â久AY'DÄrýžÑ¡+XP 7šxL•õ ,¿}ŽTÿ‡09…Ù{ezuå¶1!. 
-|·™â²ô˜æ‘ö”K AžÀܽðL©~ì*©*¼‚À^VÕ5xgº»Ák(_$YõËR8þ'Md# “üI;¸Fp¶\wÁçb„=ßmÂw¯àû¼+BÕ59=ŸòBx½1ÃD/Øݐ²Ø]Kv÷,v·©6ìÞÖÝcwSùD&ÚìÂ$Îòñ)UF~(AIÇBç˜ÂLceŸàuM´¦0×sg "„« Ö$ÇØ0~‹£¿Œä‡µãcHYðÑR‚© ›jŸ¶î|Lå³÷$<Äà´~9nÃBTêù¥ÿ‹NI¡¡Óšh‹ -%Åú0=Ž±WcA^c!f1±ƒkÕÿ¸Kyš¨Þ_ËØTC«èû®€实±Ì¿bè’L·RÜ`º7é)Ùj̏™Nåys9ìËî‡Üªº†üLw7ä åÓ}˜A¦ˆF‘¶«ä½ä˜yàQ°çh„Ý -U ùÿæ”ïdk¾ÿS¶ÓþýG0æ0¤,Hh© - êø$lª $Úº{0•/£g0é‹ÎjáfW± -ô*~>EYí†í9&é.E“d+ ß«æq÷rÿ»ÙUv÷ûíDÂeÀRìv7¤,v×R•Ý}×B¬ª »·u÷ØÝT¾ŽyŸ²áÇè]6jnT¢”Š¤ˆ«¢’²‚AC qÚñ¸^TçKg•‰"ÇgØ@ ^ªK<@:t‡ñUu¢Áð³º;m¿r™ õ‡352ób,_¥¢‘øöáw]ëhùÕ: VÄõF¹Š<ßØïÁ ©§ôŸÄqœnÖ Û>ŸºøÇX§zŒ÷*I¶šqÍ¢—hŸCëóGêäòK$ɔê÷ÇJª"I¾o)ÂVÕµ?žéîödžò*ÈçoE”äçI9?i¦XÊâAþ‰²¼"I^Wbœð֖o­ÐVE¶å zòÓ)†²®Iì,Ú4¶~ëÍÔ¥( —h’)eAHKUöb„lª „Úº{2•kîãGq—`Í}Ê^È)§,.Þåˆd.¾ƒ¸Ï fäz´ èòUhˆYHQ9â강zJ¤Dcªä?†§§C˜¨YôFQ2!­¨‘¬…–bŠ\ £à3¤,ði)ƒår |6Õ|mÝ=ð™ÊKpÔ¡o{‡.á4öêRBóâ2G•¼¸“ãb䒀5#l¦bH!ٝ}»8èù~"˜xðÔú¹ØéP\D^•äw9ý·ôT´(Dë©Ç@Q_8^3¥ú= ’ªR,³¯YU×p¦»ÛÊaʈkD©xR»Ïo{ºè(ƒËQLôLÓLz"¢ï—Äa\ì̧m´W³Ï¢ã>}×ï—(”KHŸŠWu:|Šz qêC, Ã¹ÚÜT£¾ _ä‚uÕþ¼)R3_Óހ'8s¹—à6¤,pk)nKEµª6ànëîÛT>MIÕ°fh'¨08—¨¦Y.ed!„õéù9‚|°•ý·ñ[÷&°I¾©[Þ]ŠI>ž¡Þ« -²öÉÙR˜y¯:§ªsÊ<.¹œž·sã$c&ÆÏm2§Ëû=0¬jŸü×\û‚ õ—0¥ú]¢’ªO¢|ÒïVÕµKœéîv‰†ò5ìŸôÁßòT³™ äƒÝ!zßy¡ÉsÏw¶Õ6¶e}s«k;`:Ëô˜{ˆr¯ut»Šòô”mT}ZE›4ÛêËÀ¾£Þc\ØŠKÛ ÖB•P… ö©A‹^À–âü ÍËè¾SÎÐX­TG$'’¸è£[Ž‹<1MaIŸnÅvÉ9æ/òšzfE)€‡ŸÔÐDý¿%+Ks%°R_ö{ˆÛDÍ+]ºëX/›·)’›éU5¼¤NoŠ›fâÛá­eúÑU2¸Ü±dl‹ÒۖÖnh µ?Y®'ÚӅߗ§ ßÀ.'ୋ½§½dίjt˜NÓ=ìwÞ éöŸsD¸‡/ü¦ê7¿ª÷ Üb›Þ€¶ânLÍ┞ðá}–;Oâ©ó 蛿%WÉsiGü”VG! 
±H@øPuxò愨“cѨè6 *º ½½'ÇÔÁˆCã¨Ë2)& _ä•$ôÕ1F§É’*éiT„ÉO}%µ«æB×Ôxó=NòŠGµîÝ,×”!ñ{Ÿdœ*ÑÿÏ?+2Ûú=×oÔñ º®%¾›ó³£èߝ/ý¿‚¨¦endstream -endobj -1221 0 obj << -/Type /Page -/Contents 1222 0 R -/Resources 1220 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1196 0 R -/Annots [ 1223 0 R 1225 0 R 1226 0 R 1227 0 R ] ->> endobj -1223 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [84.0431 793.5053 539.579 807.4529] -/Subtype/Link/A<> ->> endobj -1225 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [84.0431 756.4942 140.332 767.8862] -/Subtype/Link/A<> ->> endobj -1226 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [507.6985 756.4942 539.579 767.8862] -/Subtype/Link/A<> ->> endobj -1227 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [84.0431 745.1168 199.6097 755.2785] -/Subtype/Link/A<> ->> endobj -1224 0 obj << -/D [1221 0 R /XYZ 85.0394 794.5015 null] ->> endobj -1228 0 obj << -/D [1221 0 R /XYZ 85.0394 694.0474 null] ->> endobj -1229 0 obj << -/D [1221 0 R /XYZ 85.0394 694.0474 null] ->> endobj -1230 0 obj << -/D [1221 0 R /XYZ 85.0394 660.6469 null] ->> endobj -1231 0 obj << -/D [1221 0 R /XYZ 85.0394 660.6469 null] ->> endobj -1232 0 obj << -/D [1221 0 R /XYZ 85.0394 660.6469 null] ->> endobj -1233 0 obj << -/D [1221 0 R /XYZ 85.0394 654.2654 null] ->> endobj -1234 0 obj << -/D [1221 0 R /XYZ 85.0394 639.5008 null] ->> endobj -1235 0 obj << -/D [1221 0 R /XYZ 85.0394 635.7135 null] ->> endobj -1236 0 obj << -/D [1221 0 R /XYZ 85.0394 620.9489 null] ->> endobj -1237 0 obj << -/D [1221 0 R /XYZ 85.0394 617.1617 null] ->> endobj -1238 0 obj << -/D [1221 0 R /XYZ 85.0394 557.6417 null] ->> endobj -746 0 obj << -/D [1221 0 R /XYZ 85.0394 557.6417 null] ->> endobj -1239 0 obj << -/D [1221 0 R /XYZ 85.0394 557.6417 null] ->> endobj -1240 0 obj << -/D [1221 0 R /XYZ 85.0394 554.1294 null] ->> endobj -1241 0 obj << -/D [1221 0 R /XYZ 85.0394 539.3648 null] ->> endobj -1242 0 obj << -/D [1221 0 R /XYZ 85.0394 535.5776 null] ->> endobj -1243 0 
obj << -/D [1221 0 R /XYZ 85.0394 520.813 null] ->> endobj -1244 0 obj << -/D [1221 0 R /XYZ 85.0394 517.0257 null] ->> endobj -1245 0 obj << -/D [1221 0 R /XYZ 85.0394 490.306 null] ->> endobj -1246 0 obj << -/D [1221 0 R /XYZ 85.0394 486.5187 null] ->> endobj -1247 0 obj << -/D [1221 0 R /XYZ 85.0394 471.7541 null] ->> endobj -1248 0 obj << -/D [1221 0 R /XYZ 85.0394 467.9669 null] ->> endobj -1249 0 obj << -/D [1221 0 R /XYZ 85.0394 453.2621 null] ->> endobj -1250 0 obj << -/D [1221 0 R /XYZ 85.0394 449.415 null] ->> endobj -1251 0 obj << -/D [1221 0 R /XYZ 85.0394 377.9399 null] ->> endobj -1252 0 obj << -/D [1221 0 R /XYZ 85.0394 377.9399 null] ->> endobj -1253 0 obj << -/D [1221 0 R /XYZ 85.0394 377.9399 null] ->> endobj -1254 0 obj << -/D [1221 0 R /XYZ 85.0394 374.4276 null] ->> endobj -1255 0 obj << -/D [1221 0 R /XYZ 85.0394 359.7228 null] ->> endobj -1256 0 obj << -/D [1221 0 R /XYZ 85.0394 355.8757 null] ->> endobj -1257 0 obj << -/D [1221 0 R /XYZ 85.0394 331.806 null] ->> endobj -1258 0 obj << -/D [1221 0 R /XYZ 85.0394 325.3687 null] ->> endobj -1259 0 obj << -/D [1221 0 R /XYZ 85.0394 265.8487 null] ->> endobj -1260 0 obj << -/D [1221 0 R /XYZ 85.0394 265.8487 null] ->> endobj -1261 0 obj << -/D [1221 0 R /XYZ 85.0394 265.8487 null] ->> endobj -1262 0 obj << -/D [1221 0 R /XYZ 85.0394 262.3364 null] ->> endobj -1263 0 obj << -/D [1221 0 R /XYZ 85.0394 236.8919 null] ->> endobj -1264 0 obj << -/D [1221 0 R /XYZ 85.0394 231.8294 null] ->> endobj -1265 0 obj << -/D [1221 0 R /XYZ 85.0394 205.1097 null] ->> endobj -1266 0 obj << -/D [1221 0 R /XYZ 85.0394 201.3224 null] ->> endobj -1267 0 obj << -/D [1221 0 R /XYZ 85.0394 141.7069 null] ->> endobj -1268 0 obj << -/D [1221 0 R /XYZ 85.0394 141.7069 null] ->> endobj -1269 0 obj << -/D [1221 0 R /XYZ 85.0394 141.7069 null] ->> endobj -1270 0 obj << -/D [1221 0 R /XYZ 85.0394 138.2901 null] ->> endobj -1271 0 obj << -/D [1221 0 R /XYZ 85.0394 114.2204 null] ->> endobj -1272 0 obj << -/D [1221 0 R /XYZ 
85.0394 107.7831 null] ->> endobj -1273 0 obj << -/D [1221 0 R /XYZ 85.0394 93.0186 null] ->> endobj -1274 0 obj << -/D [1221 0 R /XYZ 85.0394 89.2313 null] ->> endobj -1220 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F11 785 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F56 618 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1277 0 obj << -/Length 2680 -/Filter /FlateDecode ->> -stream -xÚ¥Z[“Ú:~Ÿ_Á#T¯%ßÉÀÉÉ\–™œs¶’<£WŒMl3Éì¯ß–uA6²È©-Ð¥¥OîOÝjµF.üÐ(0ÁÉ(J|'pQ0J÷Wîh }Ë+$d¦RhªK½¾ú×MˆG‰“„8=¿hsŎÇhô¼ù2ž9ž3ÜñûÛ÷Ÿn–«Ùã‡ÿL¦8pÇ_ÝÀÝÏyåéór¹xz^ˆêj1›ßÞ/AM¦Q˜¸ãÙããâ~~û7Y]Õz½xš|{þxµxVËÖ ¹[ó«/ßÜÑžðã•ëxIŒ~BÅuP’àÑþÊ<'ð=O¶äWOWÿVj½íP“ª”ÌÔóð/(4HœÐÞR¨ï™*¥˜B¿¬n®±àoýçEtôIÏ •Ô9vjØGN€£.öl2õP0žß?±‚?^­xÃKYñÂӁ¦ÙË[Vly½ÙQ.ù©LI“•o._„8­^³”Ö{–ÞÃc7q‡1,›A¿ƒjig#—Ç|]‘bSӂ@™÷_9³÷.³ßQ7˛³øO^±þb¶TeÛ]ó/Y^QjtO(íRO7­hN*o®+üK£ÄN¸.5L¸’R^û0áVèágØFÂ;Ø2ïåú"ïå*tdÜ -Y« Yëó!4.EGSÊ’õͪuÖT­«ã½•B˜5"afô¨pº¹ºCõ`N¶Ø,«²¦Åš÷¢ýŽ¼‰ü¥ÕO_Ÿtì]Šöu) RJÑ!ËÌ -­ÑØÇ6Ó¨c Bʼo §„®Û­9Ï÷mPbß8gŽtÉ{"ӈ÷å+Ýë–7ÎM`ñI|AϚ”EÏRê¤çÄf.6hMÏ}l³žul¥Ny5íjûSI62ÈI‘¨Ûó!vè瓞™““ñC•ÕiiÊ-ÀÕkPá®ë øRVO—²(\J$ß7X¡5…÷±Í -×±Åé\r©Ù:;ÛåÆËî,ÏåSäàA9èr𠢂Éq»#ÅÐÆήâ±·E6¾.5̃’:Ýcý`˜+ô‰‡3l#lu&„¾Ì´±"㸤x; ðҊ%Éè+pgJ#`ǏãHóø‰×¦ØÈ?rZÀÙÔ¶be¬ç/FN™¿ˆj KÑÿ°…ûöú­õˆb¸:.fÿ¼~‚ä@Àx!ÎÓ¥,tJ©¶—˜VhÎ>¶™N{¦î=¯ì=‡Œ¼n¤A‰° gzzŠµ6[žñd‡3Æý®­1¶.ä<ö&«t#»u]æ´é'³>Ùþ·¹Iç-~Á}$c-òÙV«ÁÀűƒ.ùUMh˜)¤… úm¸'öûÀFòu`~†áPOªcñb þ—´ÜVä°ËÒV5ÐòÉâECìÄAè/´ÐøÚáo¿BÓ<=mÀ!*LwÇü¿T´> ùǜfMAÕÕº8‰Ð72p°nÊ"{'ìYâwìy J9ÛEìK¯ŸÀbkàɹn?u=¯ÈKcÚà.³A'öSk£â@Ž‚²ß~ìq;¯ù¬“¨ì+Txº,aºacx#»^qŽ`ü¦L2ÅóOØ?Iý]äEñ¥•ðw ¤þ΅oJñÆ4ë#èÝQî%Ý®6ŁߍÇí!Eìõ5-Rޚð{´‡ªŸß& p[ Ûg¿@cݐm{†@¹ýFnè+ÍË{>XQ˜ ñ­4[–ƒie”¾ØÀ”´ïu™M³jÁ2-tÙ} îòøÈ-Ÿm*ØdÀ/´î,òÆ2÷™Á‘Åv`,ÝHÔޏ޸T½+¹hmQYaMùÿcÉÝ ¶îÚÒL4ù­~ZÄBLÖ~(óF_¨ ‘9fòiZî§&~ìµ1›¹ãõÿç; -$sž®’¤Q"Bø´ ¡ò"=¶çj^m— ÿœEð âÓ‡Éñ.®D(ìÈ«˜„ð¿<{¡5,×ÚÝ -ÿuö‹öeÑìÄXØïr‰?ÁõìL*Vè+nÓÝÌç Ç®TÆʇÍéf¿~S/T3á`ûìJ‘W2ԁþb2¸_W¹‘ÿûƒ*-U9^> endobj -1278 0 obj << -/D [1276 0 R /XYZ 56.6929 794.5015 null] ->> endobj -1279 0 obj << -/D [1276 0 R /XYZ 56.6929 769.5949 null] ->> endobj -1280 0 obj << -/D [1276 0 R /XYZ 56.6929 771.5874 null] ->> endobj -1281 0 obj << 
-/D [1276 0 R /XYZ 56.6929 747.5177 null] ->> endobj -1282 0 obj << -/D [1276 0 R /XYZ 56.6929 741.0838 null] ->> endobj -1283 0 obj << -/D [1276 0 R /XYZ 56.6929 714.364 null] ->> endobj -1284 0 obj << -/D [1276 0 R /XYZ 56.6929 710.5801 null] ->> endobj -1285 0 obj << -/D [1276 0 R /XYZ 56.6929 683.8604 null] ->> endobj -1286 0 obj << -/D [1276 0 R /XYZ 56.6929 680.0765 null] ->> endobj -1287 0 obj << -/D [1276 0 R /XYZ 56.6929 623.4385 null] ->> endobj -1288 0 obj << -/D [1276 0 R /XYZ 56.6929 623.4385 null] ->> endobj -1289 0 obj << -/D [1276 0 R /XYZ 56.6929 623.4385 null] ->> endobj -1290 0 obj << -/D [1276 0 R /XYZ 56.6929 617.0603 null] ->> endobj -1291 0 obj << -/D [1276 0 R /XYZ 56.6929 602.2957 null] ->> endobj -1292 0 obj << -/D [1276 0 R /XYZ 56.6929 598.5118 null] ->> endobj -1293 0 obj << -/D [1276 0 R /XYZ 56.6929 583.8071 null] ->> endobj -1294 0 obj << -/D [1276 0 R /XYZ 56.6929 579.9633 null] ->> endobj -1295 0 obj << -/D [1276 0 R /XYZ 56.6929 565.2586 null] ->> endobj -1296 0 obj << -/D [1276 0 R /XYZ 56.6929 561.4149 null] ->> endobj -1297 0 obj << -/D [1276 0 R /XYZ 56.6929 501.9076 null] ->> endobj -1298 0 obj << -/D [1276 0 R /XYZ 56.6929 501.9076 null] ->> endobj -1299 0 obj << -/D [1276 0 R /XYZ 56.6929 501.9076 null] ->> endobj -1300 0 obj << -/D [1276 0 R /XYZ 56.6929 498.3987 null] ->> endobj -1301 0 obj << -/D [1276 0 R /XYZ 56.6929 483.694 null] ->> endobj -1302 0 obj << -/D [1276 0 R /XYZ 56.6929 479.8502 null] ->> endobj -1303 0 obj << -/D [1276 0 R /XYZ 56.6929 465.0856 null] ->> endobj -1304 0 obj << -/D [1276 0 R /XYZ 56.6929 461.3017 null] ->> endobj -1305 0 obj << -/D [1276 0 R /XYZ 56.6929 446.5371 null] ->> endobj -1306 0 obj << -/D [1276 0 R /XYZ 56.6929 442.7532 null] ->> endobj -1307 0 obj << -/D [1276 0 R /XYZ 56.6929 386.1153 null] ->> endobj -1308 0 obj << -/D [1276 0 R /XYZ 56.6929 386.1153 null] ->> endobj -1309 0 obj << -/D [1276 0 R /XYZ 56.6929 386.1153 null] ->> endobj -1310 0 obj << -/D [1276 0 R /XYZ 56.6929 
379.7371 null] ->> endobj -1311 0 obj << -/D [1276 0 R /XYZ 56.6929 355.6674 null] ->> endobj -1312 0 obj << -/D [1276 0 R /XYZ 56.6929 349.2334 null] ->> endobj -1313 0 obj << -/D [1276 0 R /XYZ 56.6929 334.5287 null] ->> endobj -1314 0 obj << -/D [1276 0 R /XYZ 56.6929 330.6849 null] ->> endobj -1315 0 obj << -/D [1276 0 R /XYZ 56.6929 315.9203 null] ->> endobj -1316 0 obj << -/D [1276 0 R /XYZ 56.6929 312.1364 null] ->> endobj -1317 0 obj << -/D [1276 0 R /XYZ 56.6929 297.3719 null] ->> endobj -1318 0 obj << -/D [1276 0 R /XYZ 56.6929 293.5879 null] ->> endobj -1319 0 obj << -/D [1276 0 R /XYZ 56.6929 269.5182 null] ->> endobj -1320 0 obj << -/D [1276 0 R /XYZ 56.6929 263.0843 null] ->> endobj -1321 0 obj << -/D [1276 0 R /XYZ 56.6929 203.5771 null] ->> endobj -1322 0 obj << -/D [1276 0 R /XYZ 56.6929 203.5771 null] ->> endobj -1323 0 obj << -/D [1276 0 R /XYZ 56.6929 203.5771 null] ->> endobj -1324 0 obj << -/D [1276 0 R /XYZ 56.6929 200.0681 null] ->> endobj -582 0 obj << -/D [1276 0 R /XYZ 56.6929 159.3692 null] ->> endobj -1325 0 obj << -/D [1276 0 R /XYZ 56.6929 131.475 null] ->> endobj -1275 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F42 597 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1328 0 obj << -/Length 550 -/Filter /FlateDecode ->> -stream -xÚ¥S]oÚ0}ϯðۂ´xן±÷ cT0ȤM”i-4 šº_?;†4´t{˜òbû~œsÏ=!ÌG˜æ(Ô ¥;Н‰IŠ4֒J”Üvz) J”l—~4›Å“áø[/ ü÷pzċ^Jm̆$øýqÿz<Í£Ùçï®èD“¡»,¾ŽFñ"‰×y Ǔ‘I!½UråÅIK»;f9ÿô–+@[3ᕘi%Ð/sL´¦hçqÁ°àŒ^ -oá}iv¢Mé%©SX(^ЊSDÖBÐ3±„Æ’QæÄ2*°^@ÀH4­ï³½rX¦‡]öPWG7å¡vÇþØèbævÝ9f\6Ý °&ºi;Ïn³}öf՛˜ÿÇöŸ“Ü@¬³|Â4¦¡Pm+ ¼$«—ˆDVš’¿B¶I¯0…ìb -UÈÄæpb®(*6yýû¬“ðû<ý‘Õ.ã:?Ø*ÂýAùø´Ïïîk‹‚Hh,À¹²6p‹M>áü€bc}ã”Nލ1̪„b¥\5•ã³È6ëª.Ë¢abF]dúnžåEñÔ02V±Xª5 i㦲~ªª2Í×uVá·üÁ¶Æ¿°+hMýßÿ׳Óxˆ™Rô²ÓH¬¨îHÊÎê—ÌÛñ5õ?Zo¢endstream -endobj -1327 0 obj << -/Type /Page -/Contents 1328 0 R -/Resources 1326 0 R -/MediaBox [0 0 595.2756 841.8898] -/Parent 1335 0 R ->> endobj -1329 0 obj << -/D [1327 0 R /XYZ 85.0394 794.5015 null] ->> endobj -586 0 obj << -/D [1327 0 R /XYZ 85.0394 769.5949 
null] ->> endobj -1330 0 obj << -/D [1327 0 R /XYZ 85.0394 752.4085 null] ->> endobj -1331 0 obj << -/D [1327 0 R /XYZ 85.0394 717.7086 null] ->> endobj -1332 0 obj << -/D [1327 0 R /XYZ 85.0394 717.7086 null] ->> endobj -1333 0 obj << -/D [1327 0 R /XYZ 85.0394 717.7086 null] ->> endobj -1334 0 obj << -/D [1327 0 R /XYZ 85.0394 717.7086 null] ->> endobj -1326 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F14 608 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -875 0 obj -[590 0 R /Fit] -endobj -1336 0 obj << -/Type /Encoding -/Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 
161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis] ->> endobj -1180 0 obj << -/Length1 1628 -/Length2 8040 -/Length3 532 -/Length 8905 -/Filter /FlateDecode ->> -stream -xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä0 00Ì ÝÝÝÝ’‚R"‚´t Òȋ>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü -¬‡¹rðpr‹ t´P(ÐW琅C­fL9g0ЇÉ]Á¢#°5@ ðòxDDD0rp'/gˆ­+€ù‘ƒ…ý_–ß.+¯ ‘.[€ññà …;9‚a®ÿã@=0àjØ@ `€œ–¶‰Š¦€YIÓ †P€¶›¨C@`˜ ˜`w@ÿ:@p˜5ä÷Õ\8¹d\@€‹y {‚ÀN¿!v€ØÙââòø €¸l0×ǸÂêfý[À£ÝþG“3üÑÃñ{$ӆ»¸º€œ!N®€Ç¬ÚòŠétµºþÎíy„p›GOk8Èí÷•þ`4¨+s¸‚=]粬!.NP ×cîG2'gÈn.˜í¿°œÁ¶@gk(ØÅå‘æ‘ûwuþuOÀ¹=ÐÉ êõ'þÇëŸ ®.`¨ '&ïcNëcn[ “ë÷¨¨Àlàî¿ìÖnNÿÀÜÁÎ -Äü{fXE­á0¨ÀlƒÉ¥ w}L `þŸu™ó?×äÿ@‹ÿ# þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù €¸(B<ÁÖÚWÀ}¬Ô»Ìì …ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.=me#¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:# ¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4 -0Üú÷äè¹a֏ÃöOÃoäæìüØã?ûÿxýœÿŒ=ì a.ÌÁAb¡ö™9Y® Ä£ò/z{xœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n öA™ºÓÁߋ(üèX>ã.3v±ms™W`gÅúϨ¯"› -rn­ê蚗ߡRŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ -b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ êt›œ(†Ì%³LǏî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý %õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇƋJ¯³nöùU»Ïm›Þ‰D3 
-~"ÅVöè=”Žòíí`õ§ï3t;k‡–Bf?õ[¼„Y®¤¾ša£„+gl’ft]ÎB‚²w3ë‹,£ªˆôkêyô’­úÅ>¡ï„móW¯µrÅý¼0ϔdË#»§BŠ¸ÝUJàžuÕñÆIÍôaòÔã·×¸§ ™ žL¦€Ädô<­cË-8àҗ£t‰Äº4ú£|©D„¡¹šŒ]¸ãÏßE¯¡>ÓR·9xyôöŽ[Ìï`º~ͲûDœ¨'ˆº5e[-0GMÓ=KÊÊJþ&â&’PøS¤8ëãin,õ 2PU«r`ZÅÄí¢v8Q—ÁèÍ ×ë¯oã»o[2ÝO2Ó¾Ðm/Ÿß×Y¿üìvV¹"_=5ӛ靶è áa֙7þv|g “y×&"YæЖ(¾+ÐMoûÁ|°>›à¦± vZÎI ÏW´Ä%^‘›üˆ¯­Ú]Ö%½ZÆÁ_Ï@ÄRdçÒÄ9詂†õ‘kãC¾¥HzõOlnÕžÝÍà™>{óbÙ7U^|ä-)G? -8òÞ¼x“mì¾%ÿjã=!•š[žž;[#Ɗ™ éJ©/A%Ñv–µû`éióöí؜njP~^z•çQ•7˜¿\扯â ÈÛ.|âùúÁèéᙪ9 x°¶`÷V¶v™öÉݐçñ–%®¨eßùbU€|;0}õd¯ºGŠŸ¡*ºS{…Oi,ڟ‹í–0M¾U_jL¬@qª?Ôªuo›`ö@è­Åû-€›-0Múp_ðà*Kþ*š´ll´8ðc©ïÑJ+cCôcr÷®4$G¡ŒÕ<;i¨Wi Ùªµ‡ý^gµ£¾ÕN!Î*{¶£ô…ÆW5'xs ^ÅÍ&o`Cð¸OïŠPÑ©4e¼BÃ9jÝ’N7t’2_M´Ô¢äÔ¸/\ä_‰¢{\”ñw“Ï‘qú\®û7«X­”ƒÞAÁ¥}Æ -¸È÷»Œq„z`²\F棖ûEœ!~õT¦¾\Ž'4/ýCîe– 7,î9tãÒ¾Â1 ¦’·IM^y/¢˜kIm;˜¨½}O«•oÐH╡Ç6—]í7ôh`† J­TÂcweófœkÔ­—ÕRÐÓ(9%Ö¯c -Ó·_܀¡èüêr_7ýGmÔ&œÐ‰lÞƎ -Kê#Tðֆ§øñÞ ¿šûDE&ñžËœ^QH¶!’Þ»¸>àáÉà̹ç$ÚxþF`Š×Í4IŽ@N@ÒÖ>_9²J¾ÃEúOêá˜/kIÉu~~¦r–æw0§øF¼Öë!ÅÞ͝<-Ñ:yLj]óC&üwÏöäŸƒ!•“®²h!¶‘6òÕÝýOÒÑéÃVwc1Ì{õX/MHÕ¼“øÍT(¯m­)5~Þ÷ú?É6nðýYº³`æj¶]`.Ò’·Ã‹imzdëøjXJ[”˜OX8wâê^ÞÔGÓö†^& ÌèWZGÅï] ðÍ}Ù ¦L5«ûrkÎw¯C3íñTS‡n‡a†’Í|­ïDÔR”ˆŸÆþÚgòý·¯0,‚…þ«dñ6›ô@‡Úò ‹6~ƒ -uÿ'¢µ?s_¯Ð‡öÿŠ˜'u -BêH—‚?ý -$OíœàŀDÈåìصö„÷¥½O%©4žñ­¢¯‘ÔðQ±¡8M”¬|â ãhƒÂ!ãëaž!ÉÇ86e}YÐ7IÏWë]¶Ž`…ÏÜ&ÂcD×rZ‹µöíòj—«§ÐŒô6ZÑóÉÎõ»§ ÉDdßÆçxãT  4ã¥éÐ|ùw%h± V–¾tf°‹ðÃ/ùäanЇhµ•]ªU•²ÆfÑhª¥Hm9Ôaêëô¦É’T›À…á/‰¡øOõ£èî.êš;{?W›¥~#ÂÝGÂÚM†ÑÐuEh 7m[E†lûÌì’ãÍcT±ˆU,ͧ˜¤÷ք½wú°aV.¯4žg®r ¯R«©*˜"‚¶±ºž¾<«0ÛÍʝõòÂh„Û‚†½z«Ã÷îîÛ²±žˆ©Ë_>)FMÁ¿EIÕú®´ËRÉs¡bÌo™ç-:ƒÒìXÖS¢ªÈœ‡(2³Ü{Y¥1³$Ê&?ÎIX>µWÑЃšÍçnPÊÉLÇ@¼¦‡2—­eýS¬+‹†^WD£gu¦í÷ùBü]8¸ïOԝ5mVl³Õé”VË(¼ÛmN^nml ÷’ s ÊõÙ±…- ™x³àiΛ*µ a1ןáu«+@Nñsâ),#Gu-/JÕ¥[òmš¬»º_ä>TÂåg?âD"gCó5®™,ý’ «gº%q\Éw&á٤ۇø=rM±‰©þAÓǯ{Êò¾fņWÛ²%§›s¶J¡üêí;7¥ÒÂ"¡äÉU’wlQ-OfÌÚSá\Ð*¡BI:àà¬e’,Ϗ—¨xF)f‘ý\0l±÷„½Ý…ÇvãûÁ‚„@>:ûY´ÈÃ÷µ[e|&.$UÎ;M“íj¹ª_¸=*Þ äSó«—M¾¾rµøds‚ïP‚Ò*’÷Öåß `2¬„ šêÁT^£„J’¢¶¦ž¦Ÿ+õ¦ÐÛc8ΏÍ(¢•ÉÆOûX™rZu"Â&U =oöE±êPy*2ßî"VåÖTú•¼Ðc&úø¼-ÿ{ÄAÊ+jV•f³þ¥œÃš°8ãö©Ÿ· \b,>Æܗ(hwÌ©¹û†}ÞwW#3?¸šn/fƒ´Ûǜ¥Ÿ— ˆ¯¼ø–HՋ ÷S+AL—£vÊÑQ†¿«l0v^£žÁJIL”½}ÓÎß>ÏØ&é(üôãIßv0Ûu îò'+¢gôô÷Fvˆû§BôYO ­g©qq¯Ë+ä(ÖGb›‚±›Ì¿xê!±ùҋ§G ->C{(©¼Ê°nwð,K 
?EÚ7þBq&‚´”jɏ¸ˆ·?è¦ú-ŸCØüƒ%¥uXcýøââBïÅ ´;ÁµÜ3höŬ ¶÷Ét(‡„šœì :î´cØ¢>:ƒ‚¯úò‚#ÑǤ_VItSÏ$ëŽ`ø~"ÔܲÜr$ŒU–Y7÷“ø?¢ê¹iâ¯ÉqÅõãÏ؝ISª5ñ4…èÑb“EÝêÑÑn›p³ú†-.ä‰ìošå•Hû~B»Îî‚T§Z§Ï_)©OqÓzèߐ÷>ë˜Ê;­dpI¡rr1ÛA -öÝPî2Pw]¶u¢èúä»(£ý/Ž¾ªˆ§þßÜ¿~&æ[1¸Aé-KžÚEО5JÃ÷.føzßwi°h“bLñB³ß6ˆ^ñ*£–—qº'À°´TÈ8‰ÂWÏõ—„ãŽly&V¬AÕ²Kò^ˆâ½þÅY;/Vwúí}<÷Gc…R“#]›gùDÏ råV¥k¿½p¾Õ¼¥}ÃvGšAÐg•†7PöŠ²S -ÃÐÙ²¶©HÈ  9^©;¢Ìœp»Ãm%{r7E•€ÏŒµÂE±…ʨ*o,„ó QÞúʭ䦀(ô$íªy{Çgk9©‘5Â1ª0ۘF3ŒÛ!s0¸4XàŠú#r¥Æ2á\8nqå°Ãs}䮀„s–è5)q…i¹C9ad¼¿`u ^<‰2@´ÄR­×$âƳ—xº>áÈwdª‡}Té†×ÎÂËõ€Èøt\1Ü~‚9 ÿ½8ia D9©ì"Ð!gÑßqÝ ùA“ׯøŠ‰§j_dI*¡ -»]‚čÙªAÓ8ﯙÎd@Iî?_ɽŽbÎJÊ8&1ߒbçy·ÌJü®J_ƒ|¡iïÂC®¡L;¡Æ–=x8"ÆÝù\šGd'—®®ðÖ/B¿ÝÞpRÆ'µsñX'MÂÁd;ŸäÕEûtGmý«†g¾ ¿¨öùWí},¾Ï†Ä›tÓk„fªõžÑ »›&oô/L¿ÇGìü²•âBZmÎOw݉Úñ¼>–¶ü^ÝvšÉŽHk6Œ´­¶DM0¦›}Öda'¨šßo·é˾xWp¼311ïçdϘ9óÅ­Ô§?¯jò>*§¨¦‰Ð:’-+X}7¿$ÏL\œö¦nD™ð쐡ÉX˜vWŠñ=mç¡|'M}„ç‹çÄ_’øÏ£÷rci%Åës܃ ¨ÄÏ,n±±ˆ" 5Ù½6ìÉ6úQèÒõmŽ¬öó–à+q®Æ¾ùÃ$ô|Òî]¾öÒñÕäË&æèñ²€Õ„KfVº”DfƒŒåZóbúä`#öZ·<Ò_Ç÷-¦ªÏôª -_˜lg˜¨Î>«ŠTÂ70¡ðW~—ÛC!_ŽÎr¦x‰|„ŠúNx‡<7M–/&×gaÅj[²Ë±‹4—À¤ÀÖO–|¾1_JSw{ðÐıDÃP~ÜFY­Yy³]ˆ:¬aÔ_|žjÓM+ý­‚0@îhÅtÙl¿Êgšê…µAbD巏Ôw¿þ}ûYÕ×iîBÕ*jòýZö˦ÏN’FéT/Hn±úÁ֓4ÑOEì؜z~Ÿ Þ88‡á ‹w|q£ªšîFªãÆÇ -TT>/5—䬽%‰”dðqÚnCÃ%Î4ÃXDmeß:#ƒU¹Ø•l1~à 4±GL§%ÕëEЈ®ìÒ\;ãÛ8Å+§êJZdº×d¡K©¡ZÅIŽf3zV#W•c[Û¡*_-ßˆ¯Þ­—¶5k ª€º—,ìd¿»Ìë÷S/úò¢×Ž Nâ)uóÒY~ ]ßjÑ×٘fšuž²K,tʍ÷“\'gy¿÷5­<TÏ4CUMà£Ægÿ3Q£8Nð²Ã‰ËzN5\/MØr®]SÝé}pæ§VD@™:]¬ÔË7>1ÌÈéC•'ÛEƌ!…Ù7aVì:ASQ×µ{|ãÇj9YÈ4Ö|m Î·*_íw4ø!D1 ñX¿Ù¤X•³ç -t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐ oQo+†â1)©w†¦ÜèådîI½ÈZ¿V͝­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ ¤Hvk։Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ° gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êړ†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd -ÞyŠGÝ ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’ ¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:ґÁ¨2G9¡Cê{ɕ<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý @¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š” ™v_Å [ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y ê<‹ý¹uÓ 
Z/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§ ؅šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O -üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇݛÁ¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í; ¯åä²fùOî{&*‰äyÒ¯9ۏB±T¨d>è.òY[a-³ZyÏ•px9ÝØÜ>穾„»*|,4°ç Žð=Ï añŽ©{ZwLVqžCÅo, H;ç_7Gg[åGx d½DŽ…*~ÂJSÛ/ *ûÎÔF‹µëújQ‹jw Ý]_-Òq;Œ,1t³õ2ߥƐíËòê{:Ö§Ùo$<×ð¬žôôJ©Àëóüλì„b›F=ÍçåcT”u;Ðu˛÷#³»Z1q“ÒYÖgHŠ^fiyv|‰¢,PkŠA±¢FH£s^…EËRôƇnQWEÛt%Ú·y3™{æÈŒõFbKã<%Æ)â"-L+{卢’zS'“#é²ÊòZÃ+•÷U­Á׎#Ç©ÃCcæHŸ,êä;÷=íÏô .óYäg:¯jԁn¹¶Æô×êS:c¤¬UºW¹Þ/Ëf¹ŠšcO¥ÛøŒM¯lD‰Á¦9²ú:­ÈùÈßۘìÑ˝r6½õx§ç±2ú]úS¹‘ p7O¼,j1îöÐËÚ{ž$ªS7O–xYŽróæs÷â»ì(è˜Ýš‹ÏD‚@§­Y#žC²L%¯íល1A•Ã¸©3¾~M+ÖAîDí>¤¶¯cãµã-Nˆ¥”ûÚÔߍ ÄÖtzâ"¹tãØ'>(˜“”hSðÕœM]ˆÎۅ0ìŽ ñâSPÓKD³—dOj nÌó®|KHtޑÑ+㢟S'÷@6„iõ“¨C,÷ág3B½žpÖáΡÄêφÖÑn‰Ü;ɦc“ _7T,Q1çTiHøBÕWL8­¡¾  ,œ²£.±ß u2†)¶=–Oš ¹ÿêÚ´­Ùê², Aq¨¿râ^T!1í¢ëç2)áN\§‹¬‚)æÄËR…Ëbž÷ž6Cb5ü´çêޛÔ;ð¶¹mH“üÅL¸^Ȭü¤Ý¸Ê {>«m@Ë›ðzéN‹›´×»ÔÌÃBÿ]¬—š@)õp[jÊâá…6덶¡²BSHQøר.öØ«N÷Ž`ðG¿§zŽ^n)?ìû±«892ÉÿxÈÌÄ÷Ù%¼­Ø3ÕÎZJðô]\ÿ^¸Äé„SXA㏣…¸r}[(â0Ò@¥elöÉmi¶ö­EWÕ9úQѲ´ˆC¶Û¯µAñ=°g>MF{Q’= †*Ëk¨+™×Øõµk¤i@ïħÕW:x<›ó"Í}<=<²šC½Q¤4Æð÷i©UµSöA-ÒiMÛk×qnñÔÆèO“¦R<)D¾€÷/ǁT#î¡ÍM© Æ$֞åÔ3³Ð¿Á¢\ç{Uª÷Þ<UW=ˆ$®&<ƒªZ€0óØÒgÒR*¹ÉÒO¦1‘'£ùŽŠj*5wË-·‰ûùT j4ÝióÍu``òh߯µ“K…ݻʔÑk‡‡A›”ôÈÔDôìtk¯ö2ÅÛö÷ú—¨§$ÌöZ¥ï@Î^ùÝêõ^E~§”Üúí¨u4߉<*ôŽ±§¸KJßùy/žn•C*}…ÃåLgI£J·8jŽ[“Þ³ ”ØT7%JÈOïä,Á!؞È+ÌÁ¯f—ÉȘs‡h`Úq¢O”1£<ƒ3(©dØOfBOŸ º'"p=Q£B¿âäpJ}ÝØü™ŸZ®¤!p{òëÈa}÷qÑ¥³äƒ£DKXôžòxÇ(žÏÑã ©¨“{ÏçÉšj¿dqX·ã·ŸP¦Üv£ä£Ï€³i¬¾AÕ;³@øyŠ*œoLœOœÕøë…ú¾›ºxOÛÝËc -@YšUʳªø;žBiäMÖð.•\rž;ùU´¾Rø'î…ç)眄š˜ …@ƒi/_ A®ÉéÙêr«0áFx<×Er;¾zÇ´UϚøSÂö²Ù„.¥mô÷Œhâæ¨É2ؒç/{I;õŠjÑm÷¬ -*s"}Y ;҉¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûԍ”Ëû ΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt 
]ôÛïwV^þ%ÑåµÛR¼”tΏ¼‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ  tv…;0ÿAõ¨endstream -endobj -1181 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1336 0 R -/FirstChar 67 -/LastChar 85 -/Widths 1337 0 R -/BaseFont /SPHEIW+URWPalladioL-Bold-Slant_167 -/FontDescriptor 1179 0 R ->> endobj -1179 0 obj << -/Ascent 708 -/CapHeight 672 -/Descent -266 -/FontName /SPHEIW+URWPalladioL-Bold-Slant_167 -/ItalicAngle -9 -/StemV 123 -/XHeight 471 -/FontBBox [-152 -301 1000 935] -/Flags 4 -/CharSet (/C/D/E/H/I/O/R/S/T/U) -/FontFile 1180 0 R ->> endobj -1337 0 obj -[722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ] -endobj -979 0 obj << -/Length1 1608 -/Length2 6751 -/Length3 532 -/Length 7596 -/Filter /FlateDecode ->> -stream -xÚítuTÔíÖ6Ò’J Cw·ô€  -3 383´t‡ ”´„ÒÝ ÒÒ-%)!)ˆä‡>ï9ç]Ïwþzßó×·¾YkÖúí¸¯}í}íûfg1ñ+A6Pu$Ã’èÁmœÑ k„¿2Ü8ňØÙUPPk ‰PµÆ@¥¦P@ - €RRRD줓; -fgp™™róòòýËó;`ãþÈÍI4Ìà¸ùpÂ‘NŽPæâ|…0öP€- ¨è<ÖÒÓpiè™4 (Ê0p¶ÃÀŠ@C¹¶Hþ—#ØïÖÐ7XJh€5íÃnŽAÝÀP§ß!>€åC£o¾04ÀeÀÜ̃À`¸3ä7¿-ò!'ò&Ãñ&vf€DcÐ`Ì ¸©j ªþOŒ½5æwm4ì& @ÚÞdB`çß-ý‰ÝÀÜD1Ö0€ºa~ײ 0´ÜÚý¦ö ˜ -ö‡†3†°û> -jg‚À¡hô Ì öïéü«OÀëÞÚÉ îþç4òOÖ?9À0h(ÜV€(|SŒ¹©mC þ^-„-úËqvúGÌŠú3 ®ß;Ã}C‚DÀݨ-‘ sSÀõ?SYà?'ò@âÿˆÀÿyÿwâþ]£ÿv‰ÿ·÷ùïÐêÎp¸žµãÍüõÀn^4@ðûù¿r­ap÷“ý÷DSè_ ÿˆÆúf J»)„„þrÂÐê07(ĆÛl­á73úã7A@ (8 ½ÑòÏü@1±¿ÅŒíaàçˆßC—ú‚" g~#ÏނjJ:ZÚ¼MÿdܨŽ1vwº!ö_}è"!ÿ4~c(+#ݞü@ ¿ˆÄÍeH‰Jyý›z€€ÿ²u­1(˜àÉMÓBÀ?­ÿ×ÿ_–åß`Ô`$ä÷ž€0ÖÈÍjýÓñ; vF¡nýsÛoZþ‡ýgÉ¡P7(˜hf – tHLI”ѾëP}ÒÞ -Äé -rÊ­4~Ÿå[‚lñI ]’*|vQ$P5(}Uï>±åt¹ªÍ³ÖÓJçlI€îf2x±q·eݝçø(Á»æ/h•Kš´mé¹7®³ˆk..ôhí뀡‘UÎãàGÁÞOn_6—,_ª'Nw¼Áo+¢©É«°(ʲ·¶9b¿ý<áììíîúÔrp»m•ž7=š]Æ—”#Â÷E:½‚¹I¡ç+›`lgI\kp› —ÈüôMõ¢À|ƒ°²<ë¹]­Aùù{jž[}ùŽù¡ÕMÿ“—hÈì‡x@Ã,ýÊùÛxÛ¤ «?l?G)xGµkiïú.Ï{hæÓ×ïh .—‰&nõ}~ž*Օw¸’Ž÷±ÌzH Ã7[àl¸öõۇÕr¥„1TÐ6® ¢~ -œ…›±Ø§Ï«Fc³}m½}ä®V‡6Gr\> "KªYIó½1Ÿ·²Ÿ÷9Qg††1„K¬”(æ33óÞ5±§Kí9uæêMæŶ¯’–÷O÷‘™÷Å㣛RðsZ1ƌ^&}ÐùQ íívRæXnúv†e 
^êÛ¤J³T×_+'wßsšßÚ&ŽŸjUH§¹ÿ0Ä~QzNÂí#(êyžJéêAB¢]±\ꞚǼû¼Å‰#¢»WwÀnãa`a%th¶0R2Äüýsh{ŒV-ý"þ¬¶ø£1Ffz÷¾î.;M|Jþ­å´òÿ·ÊÆoNz5˜zó£À¤hÝ¢û(fbaUឩŒZC5…°ŸXٞQÀ]ùþ錬˜Iً0b®“øtî"Ý/n9¡21¨AÑ Š<ž…Öš¥•8"•pÂÈ¡–O·Uëõ‹.Ó<–’‡ÁêSFA× Gß÷mŒvÓù pʞUÅ]¦a%2]½·¾Ú›ZMo„âF½cÈٗGµ¤î>|>dšŒCýIP6³±=˜¬-£þ<\¢D°„l\—åi{)ÚgX$ŸÔx‚M¡ˆÏ`k¹JKzv_OòQйRÖ´Yh9Uz² ¼êˆ°j¹!+òàt€†®K|$îÊçìÐy¨š¨rõî¢ý„ÑŸ3LIÏÊa´ÍÒrÖðG¶šl<ïÓü’v)9²†NÊôÖ0ˆ ³Z¾|ˆØ£Ð w)ƒÄ¡ÓnAzy—_;ÛtYûLlã|î×?£Åë~¸–6|(HÏàþõÄ?Úèʊs4ø‚_¿”ÑR鱢ápÖD|’Xnó.}­ŒdŽÎõ”fF5¤÷%"62;0}ÛfPËOÏM¤€)%j‚éý±Á:*3_¦ÆŒߜ=9y°ÿ“–¦eÍø!Fdtz(dtC•2۳ܜUاuÔøÙÞ•F}¸â\bù°z[`”ÉàcY쯧‚ÚW.‘ª‘vé_§;6Csg>ª"žƒ×p걞̖3Ôu™ä²Ûر~"Ÿ\VþJÀj0ºÚ@_"PºV‘.p¤`G´”Â#pñú”e+üjmË]'ïà|ë¢~bĵ4ª<3¯ñœŒ|ˉeï2g÷s#ZNe*bÝpÈÖ[*B‰Ç.yXì¼qH8›­¸<ҙÁà[иXYV†kàŒOëÒ{Êð¥=0=yÐl2¬>Õð °€–çõ[âr(33Rθ-W|hµš½˜úÃM -»øã}y{ꔣx$ó™¹•Ä7ì) –/ˆ„³Îé4»×c§zœïÈjYÔRy°©ûJæ—V‹V¦wß“ó ÚÞÆdêˆô÷Ô·³0øò…i°sOí?¡Ðd˜¹ò@ÏéÞcxL -çړ9q93š¹“Ù10Îd6NޔQáW}Þi¢ioRŠäqY"㿛 &ً²'IU{ö+º#Phq"!Ô}q§t°<>J*KIý s]/wûW3´¡Îú㌜LgŒq~2Ê΃U.{òªÄþ²Ô²LPšPPn -%5èëÖ,»;e9øüNŠ Y‘ vŗ/<<vǨqA%EªŠ·Yv—ÇLß9‚äÔ^Ç$n<$.Œ -GáÊCÚÅ*¼ä7/*§Åín‹+¤½oèg¼cèÿ jÇ7^96Ü@xÕÙf}¡ñÂSµË¸õh‚AF—G̑ÿZÙx~åӋú®2OBëðғͦ´z+! 
v2gÅ܋†‡´©h³+®,:®1wJ:ŒéÜʏéxK‰ûžq³¾êüX¢'ßV IUm;³ª€‡HS@ž=T_ê ÙöHWçËm_åè˜#hcWÂWF– ©R8O°rD›ö -­¯Àäzú~ø£<)¸4<~v -é‘X܅AÉ/½3Jȅ–ÆÊ¥íƄ›€ˆÅèažÜ‹[òú6!C“KZvââ‰Ê¨\ïFfþÌIòÅê ”×½]’À"ÒÖ0ìª:ðžD¢Â“P•7vîÙú¶ß‘Øݬ¢š³›Å1]»õ¢[Æ0áë¥z‹Þ°3éØ)ÏuµO"n`·¥(m螞MШ%m³©óºKà:Ô®L1"éNZ'Þtª“WG™>qè6ˆaïiÚoßÙ¨’^¸*§e°yŽU<<’wÎ%oJÃQuªô@âMJOۈwÐñ^ÏÁ¨RÜkZ(LQúaïSäy·ÊÅ3ÍäG«Þ™3µF‘ 0ëî-êÈ-ªäid—ÖBj‘åÅúEZp“Þ8W—0Ü/c-<þ1P§ºÚDÿ3 }oî -hY$7U3~ñ4päáÕLÔ -U¿ÍChùLð(+G ÞNÒ±˜¸å yB{v€SÐjñpÅʦDÀú´ÐFˆå¬ÞõËþݍýKxŠ|¢[ô‘tU¯™ÞUgkÿ*C‰wt{® Áå;»ïöøͪÍ%ç‚Ý'×k®DzÓ ±ri;Ìi/[ˆ?–¡zí¾ï‡÷$ƵèÜi“¤Ï+õÎqM­ÆJ:¯V£#NWßÕ}èõ˜{¤lŽ­.NPGIÀ}5ÙéŸ8rè“2–î±"`ÅîpMûspÏ~ɟr Õ[âÜ+\øv»•èkIʦEæÑØ./îœN3ÅEÒlÜ9‡f²Aʓ!ü¢µö›¹Jjÿ˜¸{…öÚ1U÷¼05§lî¸:—ŠÕ­¸”ä&öƒÝ]Ôßû%gÀŠ%ÉëO¶LK¹]ŠT”I¹eÓõ–FAh]A·Ã/@Ú>Pw"d:¹.ë”19M¦àÑ£ðs?Ù¢––~§wøÆÌ°£_ÙV ŽÏ^¯ÓåÝ_ì#ê97¸›6!”UñuŠÞE(ÚÃkj't…×É¿è9ÑSLy¥Ïyîqk·s»ùµ¾Á’yˆFQù¤ [Üëĉåûæ‘>s\N«:òܵ„Ø™³=7ZQØ··B¿gð*ù&¯½Œ}^&¾óDžgçµ|ÿODKoââÕ¯Oþƒ¤£j¤óÅʬ~Ö³Œ_ñådNT_/üd¥×’ÙH*$hç¤2/û-0Òó)Ëÿ ¸’(4æd‰nÿœLõIÊ=·ŠQª¢|kA89Ç»=¯°ãá>kŠv3ROn&Àñ‰ô9DÖ<}£º‚P³Õœ2~„û¸¶wÑ·Q±@HfÝÑ=RUˆ`¹”~k+³x˜’x·Š}Ì;a—r‘­2`å-Å0{ªÎ817™†Ý€)2hô»}hïë õÔÚ+W/5¼zæÖm(³ìxÿ›tŽú9B*«tË[p{•¾ò3\>ŽJï,ä6>à•ð좒D O±Áø¾¯F Þ8ýe–¡C»ÃǞ;õp§r^ƒ),"F±P¦ç@ÿ£)g -É7)¬G»ýØѱ†ùÛ#3/éµåhÈM -Z²Û¢: äL²%T1ãͨ—¥^‹?BAI_ì¹øŠ\3& …§Í-0ÙySŠ¨W³4¬«·;çæ±û«ˆk U,~уûáNp¾÷Uê¶]RÏìŒ{g|õóÒî8,-’-ë÷síKiØíÒ_zQP¢Y§Ï>3Y«ËÍgAg(æ)„ºkß-µE¤çÂuŠ¨émº.?}&í;!æ&B)ž(;H…uz\J.‡”é²ìQ·óˬŸÑËM:Û{gjÜt|ï¦Öz½ڌyfE.:ð“+ÿŠ~z=ŽóJñ¼Á@ÔHÈ:Âû¬º,À:¶ìâ5ôê ¾]؏‡ðI[í2ñêá×n­Þ/5mêÉ«¸¿-Êä’8\ëã“ãÌȺ)ÓIsN ~{ØE§Ÿ)n[,÷Úix„Ci?éÍÿ)ãTâëu|SÃ5^¦V²…÷èû ü¨HÖ°GîxWÖ"/‹Uí®lF³“ƒ™¨Îý@ÝZ{¤ë;!‘› ±À]¾dOɛñ«²àýa0ØÇ««â}£@Ýä§oºtÍJF:ܺ²8Ê^œ1‘ûl§ªæEéRûošD?÷®=¼»=ÓX#ô9OR”ÿAÜnU±1bTþLò¥Hy¥\ 2¾Žÿ¾{…O¶q£LñW‹Î"ö]åGÄ"16äA™ô×zGL>.ms›,ì„~.’FT%ò— C¶|zÔ îÞÚ%ߤ¹M&ÜiPÇSœ÷‡åcª™lÛ-1ÝÔúÌíõn³ÇØ3e·x€_ëSqö›k% !Œ:kdi¼—)¢öõRG¿®-©%ȗü}µè‹Xi"¹[4Á£³KÁ¯â¥x5˜nH=|NâY`ù -]‹gkh ¢.@3‰\§NýVró²C#Ô?Ö¿`죋žÚªJò‘‰æt·×}sæ/Šq=ztÔQîiÖÄïŸp…ÿÐX'0¥Wq-Ö°?ß^z®µŸ(U/V~‘ ~[žw˜ËC(Ϭ²ï%7¿ Øž©AâîÇ>6ŽÖ:¶Ì^Žî„¯äýèz‘"=*†eöX8mìº6NՖšÕQtפÌËð9»7U…°4ޙ?”'Y¿Æú%Δ`a–73”dØÄd) 
ğÀé1}n½|€–t¶ö“TaXÎRâ¤C"Ûc~Ðå7ut$spÛ=€ñæZs“>†‚Îñ­AfLÂõáH²€à™’Á‰5n/–ðÇᩔËïœßýàŽ‚Ïåšô´_K‚m2·Áï9ÇÊ8üšýU”„=됳¶2ì®øX_Â.ØÂÒô³£³‚ýųïë–~+·¶ó϶Ìs¾z´aðû ›ÀÛë¥[Úý y¸t—6Fa9kcpیװÂMu×c÷ä5Ípû¼Õ°ÙËÄ£ãP&WIºU~_]îX_vªéâûåÄ]œØ{A]³}'ŠÚ³.¶üvÂÜ&êVò>=ÇS׈ü5ÝÉ¢<ñ–üÌI{ÏÕc}™6¾LÿhýĘOŸQòI7KD,uÅÚ6¬uÛ0¥¬ç>Y¦ÇÌôN=cöý =|1 ëÞï ÑoÊõ Hë³Ù ç2×Á֍}*Ä3ßN˜õÞ71]›<Ý×h;°)8¥ ¹WJ§(°+çKl)mČ(¶å>ÂJV(rokȅú]+Ñènd´ì§óÌoNæVÔ殊 ²R®yºn3àôØ"¯JÜe›ÔH O¦ÌÒ"ŸÈ‚¯bj—Fù)û¬7†‡Æ §§»ƒ˜fˆ%HÛk8qû'ì3X„ßh;‘׍®KMïßG ?‚$õ¿i-T@/h³HyØVò™é¬¨ˆcCÛ܂œONp?·ÎË?b¹ƒkÖrbs¶å›¥úÎïº9ãúrrçÐׁšY9/3ÐC×[ëݹouíÜ'_ôYy«o–4'¹^Hˆ~Hº9¬S•®ò.áîÀmñûqÓC‡±á‰>mU»2ýxLæó¹R¹Oí‚ÈLh ejQs"ð2îã9šÜ&ü‡á°¤— #ö¼KÈ9Ú– -꧛qÚüw…£·ñb -Ðj¥×‰"̨"Œ 'ËÑ7úׯ‡Ø:W¼¤Fü¤H®b¹j†CV¿UÜLzßìՇOSS\W$?KÍX uçP(îVš#ÒîøÇÌv¶×{ª'Z‰=ìx©oïUë*^„Í›Ú\^OiJdXÜÛÖoQy>lÞ)ˆöó(ÏXäãè÷[nÔGы®ÝWèq±Îÿ͋³n/²1EÅlæqéF0Ÿ‚õ—¦ìk#BÕibÅӉh>ªÓ™^IùÛGôÆ­d•³þÌcòZ3ƒ¯´Š:‹\0s¿ŽpK{>aÙQ«*-ô/~»XѼÒå|¢ñ­üHŒtÅ,CÍ¢ˆú0”ÜIU1Xi(Ró­»û1[ù…K¿P+—D&B⺖p1¤7»+÷yŒØ«Aú^Å[Á8—JCV­ñUϓ_XÍ8ò“Ffh†ÏuðTy -ʃsdLðén4r¼™¼ Á=äÖ<º<@Úúšg×ʶÉƑ*<ã# bowP›$ÖÌç»ÂËlöh¼ŸrevVMRMН8t=jÀhqí»±¼bG P¹Cú•32°AöÍf»ïQ)‰•5W¤¹¶ÙŽà×¾€ ½>î‚ÒäÔC.ýR÷f‰9sï,çë„ : ~±+2ö$5è)ª8vM_wç¾Äè>ÉJˆûNn‚”ëäkƒãÀb6²F=kJÿÃÉ%1%c”oYfðkxÒ¶ZzhÛ~¡bÈÚô‘­’ó͈7VÒ®Óìç¢j0·Š«qW;éKsF‡·ÚZ;25߆o›2܍KÉMšyh|µµÞ ˜{JæÀT\]·B/âfÇ@xP™‡ò|d1£z†Žî›Seå]MtÞSø:WRÊ*ʎØ[cñŽð"àPE?îk'ÚÓÆêù²ŒHûÀ#²²£×G®–®/5¿âiËÑÓP [ñ¹Û?1ðßÁm“·»×@ks)j[Q¡1bD"¯‹[kbî%֔àbéÞ¾ÄLwðžî–“écʽ¾ÍÝÉÈQî"å$×3Ѓuq²wžõ$GM³þßviJ¾ÔË×d=5g»S–¦þÃsÒ;êiYŽÃý…Rnä®&nÇô;\·ªLÙqÄü˜²Ir™˜íµ½5e¶f""Áµj£èÓÒãdÂFÆט)ûó§¸ïôeQ™²ÏºùH{u׎ÈzÝsš…0æ=q<¨œ\¤Z©ÇûR‡\¾óc;™)‚ƒpt`õV«c‚pãøf“€60±‚]%]çtv…~ýͨ‚¢$ÙÔpœSõÃÐÍéóÂ7mgíq‚2ì¹yßÚ±œL“­ªr ªÁ~y³Û †o¼ú îå~ácìðdùÊöæÕ«“B¨U/‡¬S¬è =g×´Fµ‰Æ#…Æܤ]gì¯_»}§Žý¸j¥Á%Ùù,Xξb ûIçñq཈PúxÉ~S©g'Ñ/¡·*gTžµƒó%•øf˜Úø šñÈy”U³^$­dxgGeߑ gËkT]S·7j*,˜ï–µü MæÀê™áú“¦Ç…ظD¸‹Éÿn»†-°ü¹ZvñɅöÜSe’XkW¸)\&,ÎyêÞq_^–dQ(ÒýáÈÍRL†¢¡®V¸²ó`¼0ÏýÕKSí™ôYuæ–(,•{ƒý^E†G±©Zøõ}m5Ž'´{Z .µ^÷E?Ñë½,Û¯&§ ‘<-Aðâ]căýéâ>»; ©¡3! 
ÝÖ£tÓì{ݨ1”m­°>cbâï]NÏí­ ñj÷ªU²šÚ½‡M;ÄØFïf[¢žÖ½ß¿ðÇn\,–òù©}ËiÝZY} ›Š+8:¦N-¥?ù®÷²G1|®})Xz‹÷„ÆÑðÕ+štön©c¡p Õ;H¼\p“eÖpù% -v -Åõn`ÑSd)-Š…ÕY¤Ch§ÕÍt%-‡ÃÊ -ãFaàÁHœ1a™ŒƒÍ°.Ç®üØí*¹Ô0y‰FÝ -Ï6Ý_Uô]#ó±ä -ŠŽt39‡nßh˜ã ÀÑ0½1¢| =FL§d’æsÙ_Ù£“-"¦‹Ï*³8/©h…—¨ÃçäLrÏ¢·rb¥{›±\&®¼ jÌ I_¾l‰Ï¯ÔB² 2Ýݪ'Þô\E–j“Ðò͈?Kåd—¡·–Î#·È÷!t%)G¬”–Ò¼çF–ß?ϸˆ¼'ùY3{Ä&v(£ÑÅòÌïPA¨¦,‹vä@)!~®RìõôÉ7ЙF®è”{¸ûäº2™ vFéä9"¹nqx§Ä 4þ5;G\tHê!2ìM)­Ä‚E,vµæ-ô¿üý€ÿ'Àp¨5 -ƒt´F='ú?ö-žKendstream -endobj -980 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1336 0 R -/FirstChar 36 -/LastChar 121 -/Widths 1338 0 R -/BaseFont /GEALIJ+NimbusSanL-Bold -/FontDescriptor 978 0 R ->> endobj -978 0 obj << -/Ascent 722 -/CapHeight 722 -/Descent -217 -/FontName /GEALIJ+NimbusSanL-Bold -/ItalicAngle 0 -/StemV 141 -/XHeight 532 -/FontBBox [-173 -307 1003 949] -/Flags 4 -/CharSet (/dollar/hyphen/C/D/E/G/I/L/N/O/R/U/a/c/d/e/f/g/i/l/n/o/p/q/r/s/t/u/y) -/FontFile 979 0 R ->> endobj -1338 0 obj -[556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 722 722 667 0 778 0 278 0 0 611 0 722 778 0 0 722 0 0 722 0 0 0 0 0 0 0 0 0 0 0 556 0 556 611 556 333 611 0 278 0 0 278 0 611 611 611 611 389 556 333 611 0 0 0 556 ] -endobj -847 0 obj << -/Length1 1166 -/Length2 7568 -/Length3 544 -/Length 8381 -/Filter /FlateDecode ->> -stream -xÚízU\›Ûömq§Å‚+(îZ(ÅŠ $8Å -îÖâîRÜ݊(ZŠC ”â.åÒ½ÿûì{ö9÷é¾ÝßM¾µæ˜ß˜sŽ5ÖÛÇʨ©Ã- v´„ PDLï~ |úW¢#B  ‰€:8z4!. -¿‡­\ pW''ֆ ]V¤Àú¾³ÿ¬ -wtòD@ml]ìzÚ\\OþŽð‰ŠŠ,=ÿB -$Ôx|¿pƒÀ~Wº§P‚À!ˆû¦Á¿s5­AŠ`¨Ëïqì¶..Nb¼¼NÖ È}Œi͇¸ðrÜ7ªË;:ü&@âþÖLŠ€XÝåÉûOÝìáŽîpïÿ[Cáà?F»:ñêÁ¡Î®ç -ÿ“|Âý;fqù¢@~Äñ°²åý]R×Ó òÈ÷; ‚ƒ}¼Ö ⵆÜ?p½‘ 7Àá -ññþ߁ßáòñÀP+€%Äæþþf¿C¬ÿÜ«\PÀK Èþþÿkez `G8ÌóïtuÀ«¯*§¢®ÅõÏÙÿ•%'çxOÉÍ',àæ¼wÊ=£¨àÓ2þK‹¿tø#ª ‚þOŸÀ¿)ŸÃ­¢Žs¯ã_#¹AÈ{oØÿ°1àßùÕ] VûßÖ1 -ï]sÿàû¯–ú7ü¿ëŸ5ž¹Â`¨Âþ§€{=UÀoE` Ĥƒ 0ÏÿòÂ? 
ºÿÿÀó܃ZÉÂm`ÿ’ Š|õ€€5¡.V¶Úå/•ÁÜCˆ¦#úû&¸ùùþéÚB­ìá$òþ,þ€ pð?J*­ÁP¸ @Çåޕ ø_ß°•+q/Ïtÿî_{kè}ƒˆÄ -w~ÆÑJüµÝ‡×­U²4îܛcO{„ôÎî\p#a(ë<¨Ýê”öÅ4Ù§"‰é -šÃ¶R/ÑÔÐPBbh#…ÝíEåÚx°ˆI‚‰Q•C©wyj$ÔÅð°Ùǁ=Ô±”É™ÛòžýÊûŒ¥gF¬Rò£Ä:!Žd~tÆß·œ50ièKsËq4¶f8Dɯ÷4”a¾Zb˜SCí -@»À7Éx*õ—l*Æxõ»ç$åmÄÓ3½r‚~S!J¸.,iŒŠ…ÅÚG;ø¯lKZ¬¯ª†œrUžš:-<éË„×ÏÚ~¯‹˜oå²÷%Œï+Š´ÅCÄ,S%­7 VH0“"ü/:æúñdõ´l¨2ÔڔOOkžÑ÷¨¸‘>_©QÓë ×F™3LÀɛl´¨WuÎõڎ dc×{¾j‡Cëš}Ú$<<® åß5‰r:x °¶ ø'Ç|î†Ô0ˆ“jj?sSª\ Ow“®ØhF §‰èÙî½ì0Ôíö8\Q2±ؒúüTñqø&/_]4ç –@”·¯ÎÔ[Þúxù¶’-_å³-ËÜ.CYK.$çɨ›ž8úó|,—„±„NãCž8ï”e.¡^´‰+úÌ×¢ÇIjCïðK×†°€ É%oÚÈ ®3R \2dßÜD}'ä{Ÿ&x¡¢ôWiW Þz7òL -Ÿw?P®œӏ3ñbO©µtª•‰•R"½ …zK¶Mç”|²²z”®¢æbÓÀ^:*ÌÑ)ª!v×¥^x4ÆðÔ\ý¯ ³[¹i½ZJ¬ïÐÄ𠩞ñVóàãœëÇ  =£›çf¶=Vtg@ù4I,Ô¬}®.ôéEkÚBÎ>¨<>§I®8Ô›jßhC&˜¶)#tð͍åm†ßÛSõ—]sÔæ­NÐ@M?Û¬ëK*¼ò@ւ㝕ü—­J{¢ÖþôOæéá+k›¿|Yß^JJ©ó§}cšP«xµ¦_dâåËÅ~{sR˜ƒýÑ| ?SÔÅåŽøëÔu‚9¼ç?žºø»i÷äŽl¨ÝŠt9U’Ížö¢õç¹2úŠOBZ\$jIw¼šŽ|M’gVy˜ çŽõ¸›Gõé¥B†ÃÌEæ„EÇߋÝîWd^JøÏ_ã=Åîþ慨g!ÚyÍÛg8è>u¥ühO²/áz8hËïb.ï®Â&f‚‚1¼OŒx‘³¨r|T@æqîP$‰‘*-Ú ^Æ¡1ç]Åûо$£$"…‹íÇƛ‹ÙJ»‚òEXé×>=û5à.*省iV¯¨É•ªëÛmrÐ3{¡µ’Ü׺œ0™ÏúúÔ¼·.t!îu›¹ -%;³}«Õ!ù˜R"ÑãM䓴ޥO,7-32ŠGbG#á–ôüΖX‚C]´ŒÖ#iý?uŒ£ž -Ìxª1”)‘>Æc¢ˆ2¤ ¯ Qž¸õ ©4mO¸6u˜¸9[؟Tq®@۪РMMØi#r™±§žÉ!ЁrtèõGÓŧvsíõ>8­¡ gGÅP0Ynˆb쟣z]¢xÍ"ÍH´äX<öLfòú"Uγ",,Dø¶ÊúUåÉδæÎt š˜¼:Þuß½‘°¸[®]æ±Ž  çÒ0@ˆFÚ<‹ëŒœ^PéxѼ¹²±k°0íî|È–&, &£$ô'ÙfÒ§m2WHéfÜßùVGºH8Ci¦cZW‹/)R#ĵ¤1ôíA›ì:žþ\4wmIεGcØh‚çôÖ8(ôòã|¿DÍp)B:[™LjÔ¡pkTÀFÕUNšÍéü†Î –kP‘U '#Ëz9b„œ/E7[èۋ(VÚÅ%ÑH‘R'Gj½ÞXsÇ=io"I&ñ£”8`ÅFјúϋÖ±(Aé3úè:ȂýÖä†9kévˆØ8Í+{U˜NEsS9¬)ÓUâ•/´›vU`c¦jVb¬+64¡…#ò†å®m§gôXj0F§ÎNÑvÚï«Jí8?|ü Ñl[]טf~@Í­RÐdíyS²øÂç€êÍòc©‡Î¬K“ë(œ¾¶´¯§ôI{ˆ¶w5¼[§ù±å6þ«(Û¿õ—¹Zӹ̂ÝDîmrýÀrÚ¸’¥ÒêbÅħÚT?ÒÁٓǶKJõ¡,´¶øýd'$Þ~ f7Ϫôs¿>æ¿FaßjÃ~ÔU8xži†êzkùØicçÓ„—æk'RkŽ^©=Jæ„kyGmЃ—ó„;Ìà£T/ՈÞmàÚÐÁÂ"»­lÍ̈́g$²m«ù4£_ 8 !ʄc²{_bÉk·j8u»֏¢UÇ[léÁŸ`¢ÝÀ‚â›,aüJ;Ӏ¶0´I–œ(¬P݂4ٛ›“+û`°ªùBÎÇòEBm¬`WòÒ;ó¤#j.‡8;PÌbòÚvQC^Må·ðÆC‘îSâÒù2¤ì4:,i;‚¢Çïô59«‡÷|öu\íÆV9‰•/ËKaӁÖ/™N4KŸlæÔ¬zÇ-Œ¤ê´¥”ÂÞÈt꺠ÎÃÈZ?¢Ýó“¸Rr±öäÐ6™§­g¸Š2·UÛ,Õ´’ƒñaz™/¾LÉ"túsŒ]bŒÛìRöœ?(ö‚>1dÑ=›òNóòŒh.* —™uÖ~åȓzu“F»åiM·rÞ1úŽ˜~†ÙH ×LYÖ,ù½èJqw.m€f²ÅÞýنo®ÌÐ:#¨ñ×®£eHÍÅä‰Èߙµâ{íHé 
¡´èkµ…}ú#4͊fi›š¤V‰«?DÆÙ4kãÏ8aϓ°¼Ÿ$%¹Z`˜“NtµóŽ}¥/ýJ’{cZ#ÖjÕp¸CEY{ÆÄVd ¿NŠ´Ýß½±U×ë_R'$óݙPå‚WËL»j¤…Nœ¥PFÍkìGËÜr° öÆØΩäså•3r;é«Çqi¤Ú^¨‹ò]êÓ2s8ÄjÒ0£•/&ßr=&e.û‚¤æ±cwä,4Ÿí>ÆÍ[-çaÝ~¬\yüð ŠV”ì#Qқˆߺ!b’¥µ|‚uf -•0ž²Ü™÷.U:„{&û¤?xJ›ZTHHô\¼2Q¼y¹EÆPԉãÓþʘ¥éµX²›æ(m -7sïTîT Ò­_2æ%~Ä©kÖÜ3Œ: ZGíޕ–sœ ±óéš(cœe¬2X.3¹qo"â}-ÂßȃϬò…¸`%v—ºþB’´ªL0Նçöõ7¼ /Áó²ª0–ÜçŸiq.ítðŅº1w¢s:ÜÍLË »D\h1qYÇэ‹ ÚÞ4€k¾—!7_S ϘV?“¼#p}í>ãß)BO&´ƒrƒË7Ÿ)¡&Ô&²Ëõåuv/ÑÅÅkéWŒeoG2¤(RôºlÛ¿²Ø2Kn¥*ƒ9Õ Bžõ¼×¶©x¤ŸßUû=œ•p#úŸN&“p÷Iƒ;ï»Dk Cá!aºÝÍ$ŠÞó5Í(BIÉñÏ8¾·ä¨¶Ëy}'œúÊi"º¬Z>‡+Øv®Ç¯‚ÊEM­Ñ±¹EEª¬%Ŋ†Q¢ UÊÒҋèӅ^%T‹ç¾Ð¨fýf¨³Œ1ùVGA«@`ÇJ–‹ßÓE T²‡äzR…¨ro-nùŸwódË͠擕¼“Õ-ˆ–÷Œ¼F“TåŒ{*éöFA×r GœWçÐÛ2 ¹xiaq :Oê.« .ì©Ç'2_ÖE,œpRGTÉ%]‹1Ÿ™ä ‘zÏ/Yaz -ʉŸ¸Ã¾ÌܳBÑ'ŒVÞ¥‚½ þ¾øECÉunŠ”|Q!RsÍÅ~bP˜œ¢ÊÁ]UQÿî Ãý^-“@E ÐÉËwÆ%R£1ù³*õͨ”²u)ˉ}šˆÐ"u0”iJ%JÓqc^GÝrTâÅ£YTìo­N½æBµ'¦Àүʶ­®4ïü˜ÔД’Ÿ¡_(ó¥ƒIòœÖüŸú¾[ ‹O³(Áûc3‚á(&™a—`.qÓm·]ðS\ÞÁãlòX'Æ0eSË« ¿µÜúŒE¤›UU˪£¨ãvǔAVÍ÷¦ÈS´3ðÕÃAÃYuhƒ^/ÞùÁü˜T—·J5#eÄî†Sfÿº‡LNc#ˆȋöɔ#§)-ÞcU¬í(†ãd{¿ÿ}Q?L6£jn?4"Уªü•AìioˆÏPˆŒŸQþ[„ÿS~çoqYåÁ«{¦åôxßeoØ[)]i òÑË:qCQ&§%²CRäæa:òpoÞo˜Ù,,¼<]Kœä>§:F´pë¨ •’¤!_{G®U'þ­‡£–£ØÞ3î8ƒbzØÌچÇe²Gf¥ã5vEƒ?{XT±´0l9kE8eqê¯ð^,6ÌmK|ÇfSKyiéqښƒ@-zJWó…e^ V‘Ì“ÚǙ|Ðwè­€Ñ]­Ñ;;=DZ•Ew¥àòv¶|°¡}luô1øQڗ=¥•jì0÷Ž¯8Ÿ=I2r(IVžÖòDt-r6¹? ¦FsU‡•°¿à! 
}1óÍ~s÷EÆ·igZxHeÝ՘h=šQíì lìÅ£UÌc —ø_Y‘œ,2õ†à¡{]Åé;BÕfX¥­IŠjiªd}ê¹ ‹3A°¼ìLy])qc&#<ýÏ?ªŽ4Û§{i QìœåêøvN~¦ ×EöE6·¤CZLËö6X§xiOt`~炇’˜ hHvqÝ]'t¸+giC… w¤:XËù4˜•y«„}äA›éûäû{m¤äM!èû•»sZk¢6I™œc¬yÈU‚9ÉdÞ«G“y$h³íÔþ–z<2øìJ.‘è}.›vQ‰RÙ<Êc¯Æ#f+-Z%žºFÓ]±ä ®¡nìMçЎ–·íÂÓû²Õ$=‚›ètz8 8c"©AöÄJÌ- )Ù±·’^Tr¶«Äb*?†%£Þ¤þ Ó ŽçºûÆ{:ù¶˜¼GxÁ2îêPJõy82ñu¥ýâfÏŧy•t.p«L6lšÝíOUÛ´cŝ”|¢1yïšgÎÌrwÌF£|ÊÕ7çÑ·1¿m7˜M>ߝa[Çʼ¢f)ÑU*aþ©‹Nw22ã_xYÞ.Íì¡[ò̓ö}ø>I‹V^úerèó-!‚°Æ.±è«cÞ£¸Í÷(J¹„Y ÀªÏ­m’=Q÷°òöƒ#Ë'Ž~¥¦žÌ†‰tu<§ ÂBȃºr)Šo<¬ÆЬò•¬¨ü³IúÑ*/õþ.µÞ.s{±\%ÆLg__¦n£Š.¼§z˜{sê>»”.µnපÖL›5e Õ!jóÑ\°€ïëØ2´W—¢9dKuÜr×áá!­Ÿm˜iüû™3áîÕò¡ -'ÞÁÝ%·TœnKMõòw-Vקª¯ß‰”s[¶Û½åÕµý9܊Æ2v‡z¸iˆŠ?²úÎQ^îAÿ±Ž»Ç°'îK6.W±¿~ –VöyÚõӞW vÏ\ЌT+obÿ‹õãükžï»ïk“¯áM¡$–^WÑòB`·µñ¼a°ˆ‰Ù鮇/›„·®wʼn§”Üìˤ÷ãe¢kÛÁN¯hc~i5ŸO%àɨ¶žP§¥ -؝F”oýBtM®',ql|J -S&WÑ-‹Qc”É°¯ˆ"㱍¨¬:¹ïÁ2ØV·l°!r!¼Ô™ÖG§¡d7çâ"Ù1$–õDÇ\[ÓjøQxg]õ^áˆZ=fÑJ¹£ Qð${÷­û"Ýз+ü„VpH҂ûìbäÿÊCÔVpÒz~)oôã\<£vö¥›ŒKwB;€æôöF]®×mHVíà7H°?–ŠÒÿU–ãk¨ -ü•èÚz0B_­,èPÏ?þL@Ê -шèA*aÑaö蹋¢£”<±àOUv;Œxé9¯Ûû¬Eïсè%¢®h”ƒ­gÞ|‡aV 28„Za”äJœŸÞÜ-bëÝݞAvþ”|#ï³eVCØŒƒ´:dâŸÊZ Ö@©WvŸVnS›ègÍlÙÐ0p»¦^iÍ^¦¢ •]äœïC@¶/œýiì•zZ§>¦8ÑxÔåb*“³íh-ö0Bcåipù¸Nœæ¾ tLç&D•¿iÀ¿‘ª‡[øBttj°t’>®µJy7$áò\+KҐÕn0úƒ$E˜ÏEÿ)V!€¿,¬íԞ?Œ]­×_ëÔ£2Ôëúp—±‰<M0–XÎ ‹ ‘ÿFƒ3®Y“t#%e(Î~¹Ùÿ%xÈ^/^2ª|ŽjƒåZiA¸ªðLÍÝf®”è5ÅÁïj“ö—daEx¦Ò8è5˜ñ^aà÷5DÁ¯TK—Eӆ˜3öíµQ×Ýҋ7»Ã¤À7/¿¡ÌdÄ(°mjõvk0× -kEtº›‹bȓ¥ ·Ä‰O­©c“°JT’Ò× -r“ƒá?ÄwÍÏŠo>ò¯”))A¢t¢åÜõã#k¿ÊéŠƒ¿ ¼*ëðÖæëtï sÇ4nՕDꏄÐõoÑ+%¹WZ4^mÔ/¡„IÑo¡¾DwÕ­Ã2Üþ:6[lÎÒcžªÁ¨œ"|Wt—Á7µ¢î”šÂÀaMjL‰"SfB9áY­ %Ï?®æІ3?eÖ&ïøàîìH cá«m‰Œ:2äz阜yñ%‘Á˜àPÀ˜‰;V,L¨×¯~¶B×4ÄõÒ©uÖ.°’úÃѧ™ÖäúYâ‹ï³Ê+r~sÁ€WŽfۅâ%9:ã™gîÔîG…d~X×b—PåKÚiJ’£«GX>Þ`qN×>Wpœ¶Ô‡=¨k ›EF|1J6S†Z<é¢áÖõ¥ -]ª>úÀ”¤þÛE1Ûyô½Iåjë$aÐDx!}2ŠÍrÇ`úZL’F—­àí¯–0±—t?{G ˆ¦õ^ðª¢Þ¡ P|1; p]cÔ£_¼þ~ÌKÞ~幒%^§Èüq„ñ3¸Ä´³Æ…Ï­VÅo£õ‰Áƒ—8H˜-ߥ5ZۑÎٚ#žü]“n4˜t=‹ “ôÁ[Jï((ñ˜|Õî~úÔ&¶µ=Oèå wx°üOßTû>zÚƘÆñTņÊí‡Ç ÏÎ_„ŒleÏlbqì3ÚXó6ƒ¥p€„f)M_gú"/:'ÃÏguû…ҙÂNߟn¡cMrj‘ÉYtœì|1Z:[ÞY[&/@ގ×Q.I|Ûdt#ôÌ ðÇׁëŒj~}ÿƒÓª1Î^¥Æø@)­++Íî37hk€¨W¾!2ñçšuuå¢ðœ¶ŠN )±Ï¾^U ¾öyÅː•%€¢~‚À#[‰ÎÍëŠ]D¾ÅÛõg}o+­°ÉEIRÞä=äŒÐF+± 
Éí£Ï1¾mOiÄBx°¤]gyŸ^E7!¤¤öV*¨,ÇýSÁ†ÌuOw7Ìèë‚;ý6÷2ƒRDza$E%‰¢…9Cv;b¿®çMO=€ï‡wˇíGE¬?´¾&‚°DIPR­oY¹Õÿ)^™6¤eøˆ²Wq„‰Urò-©õ~aAEh³~2ŒNre6b.ㄝr*Ÿ¥Ï²ÓL[CÊ®(µô\¾G[†ŒÌ.•t»Ù$e¢X¿&Vì”­ÑZ07ÐgfËvçë脱rºÖ&üÂ\8J/ßô>,N¯aAnÍkØSÇlÔ@1éÛxw{%IÔE³¦/—½LŽàuþE'¡!FÖË0“>Û?Ãì¶/ŽlÆÁsr7Ù8YH•N™ìÒ>ÞðÊ0?©dÂq«ltVª­:ŒÙ¡2o~…/ŒÌû,bÂf6fÝÒKÝƒT›7Cê7¿½szRÀŸ·cç:àµÞnE"m{ÀŸ76b˜èlŸ— b¿^KÎǃáÐYwïLš¾ ®¢¯Å¬›Ñ«9í&Š¢ƒJ[Îd»—úvIè~ žŽôÏm—m]ŸÔç»~¡ø$¬ØPHËúàjP'­ÅzyoA´º”ìÐX̯è°šÔ¬zQ57BAsk]´¦hk$žÃe|¤¡ÉœWüÒ>š ›.?`ñ¹\'Šó>ºƒ¼zÏd.k³+áµÄt~+ÄÓðêÃqªæ;-ãœø Uҝ6¬è¢ŽVE†ìPªÊ³"&=>Æ£l©5QAƳ¬¬4—•ºéT³þå?´3Ø[íÅÌ'Ì>åÚ¨É*OYdSm=~êẖÀ ñ¬€ó²Yj w½Éxπÿ`ËË#盬|Lü¿üáþ‚ÿ'¬`ÂÅÑ„°ÇõF@.Žˆß_àþ/>’¤endstream -endobj -848 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1336 0 R -/FirstChar 2 -/LastChar 148 -/Widths 1339 0 R -/BaseFont /VLBJNQ+NimbusSanL-Regu -/FontDescriptor 846 0 R ->> endobj -846 0 obj << -/Ascent 712 -/CapHeight 712 -/Descent -213 -/FontName /VLBJNQ+NimbusSanL-Regu -/ItalicAngle 0 -/StemV 85 -/XHeight 523 -/FontBBox [-174 -285 1001 953] -/Flags 4 -/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/three/five/nine/semicolon/B/C/D/F/I/N/P/R/S/T/U/Y/quoteleft/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright) -/FontFile 847 0 R ->> endobj -1339 0 obj -[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 0 556 0 556 0 0 0 556 0 278 0 0 0 0 0 0 667 722 722 0 611 0 0 278 0 0 0 0 722 0 667 0 722 667 611 722 0 0 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 0 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 ] -endobj -784 0 obj << -/Length1 771 -/Length2 1151 -/Length3 532 -/Length 1712 -/Filter /FlateDecode ->> -stream -xÚíRkTSW‘ª¡¬òRIÕzX%2yj   b,Þ/‰¹7ä–ä^z¹¤D|PIU–EltÉST” -«Š@} Ô«0|‘V†°©Z_sÁººJÎüš5çü9ûÛßÙû;ßÙ4HCaáP %&G‚¥R ‡ È3›M¡Ñ‚qXN "'`!à>`µV ¸+›/ä­òøÆ2ô8’¦"€W0}’Ä" Œ# -9 -¤rBkÈ -¹È0z&©Õ`ýäL°΄ñ,bR8! 
-l„Ó”šÔ$A•࿅!mÆ»TŒg’¢€×”L: EBªÖVRXk1²LjùoȚ^?—ëxÓOQðG¿9osþ9îT:ñ Ròú©§E9fƒŒµ­×ÙìèF¯Ü/›õP1œ”2ãry{Ûšƒ;îY[3š¼þìùìnÖyûú5÷9ü*êHÑÌÚ[7_=ÉKßÔÙoqøò*¥$—ŸY³ŽùçÝâ«°jÌRsy~Òþg®¯-Ô¶;=é·Mc¹Ôî†Éÿå6]§è¤p¤/¶Ä• V˄³ú\©0›ý=Lq-ÍÒ_gvÓƒ¦÷{$¹¥á±’èÑÇ*]µ Ôþa5T[¸¡-¡U€^,´6¬+pIoèâú—p2šöÒÖ§Ž¿¢ý¶dç̧É/^ô=c¤¶>T{^ú ýTmn9â³(Ï~h˂ô]ÌQË ¾¿Ú¨KÕwù֝4ÿ8oÙ>(*‡±n_úñڈÚíýcÁœ½Ç 8v9瞊šP–ãÅ Þ+bÓ³åôvچ+u §âÈU©L<>ðlkŠ£Öã†,îÙO6ðü’Ò^÷Y¨Æ°{ÓÃÇ·V.Ú±"tèP3ğ—æ½Ù:Ú¦up7w$ZÐ{ÇLw~ìGƒ[ÎrÖzúÇ}³4 •Zác«Ö1¸ÎÊ([ï]d;0AƒZª4un4ÈÍz9Hžæeq7K]¿—̱*!*[*9­^n3ãÎ̱'¥îÖgøæƒ×Âù» Àە‘ £•þw»'´ù®WFŠ:9³Bª”¾I”íM¯ÌÖëºæe7w—-pªÐ3¼¶žùÄð%÷«ÓƦÍ6óðµ’Hè;[UÇöë®WÃc5œ-±÷ùѸλ÷s‹VS©Ÿ¡Æ¥õcºýõáeÖþ£;/eGXh¾ëã^&.}mS?Ôa[žt˜+tiR45÷\¬*qü8FŒ—E(Úo§lY=,­o<±Ûaç*§¤{naˬ…;7ÿìöxY–¬ò넀óü‚¬˜s¡¼þÀ9ß{..VPJîÉ¡bqÍÁ´{âÞðœç?|½g2ºäIìYSQá «ªïŒoE‰døJ—èVÛZ]·º¹¦¬ptn­Ë†÷œw\^sòßÝQÒÁû¬}œºŒxù:ñÔr·oõ©Åœ㣰Ö5Ùz¤ q\Û×äÒÈÌÏ•ußØ5¢Jiì¼^žÿ -k¤N´WïŸÃ‰Îg´Ï ìfÝÿèjüçߥÖðÇ.ˆ[“¯õ~9ºn'ÿ¥%™EO.fȉU=¼y–O³#TSëØÿá¢ü¿ÀÿD…–㦑ã锚ŒÉendstream -endobj -785 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1340 0 R -/FirstChar 60 -/LastChar 62 -/Widths 1341 0 R -/BaseFont /XEZXWS+CMMI10 -/FontDescriptor 783 0 R ->> endobj -783 0 obj << -/Ascent 694 -/CapHeight 683 -/Descent -194 -/FontName /XEZXWS+CMMI10 -/ItalicAngle -14.04 -/StemV 72 -/XHeight 431 -/FontBBox [-32 -250 1048 750] -/Flags 4 -/CharSet (/less/greater) -/FontFile 784 0 R ->> endobj -1341 0 obj -[778 0 778 ] -endobj -1340 0 obj << -/Type /Encoding -/Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef] ->> endobj -710 0 obj << -/Length1 1624 -/Length2 5655 -/Length3 532 -/Length 6501 -/Filter /FlateDecode ->> -stream -xÚíWgP“붦ˆH•Þ…€é½ÒA¤W„$$¡ƒô^¤)*½Ez¯ -"]št¥H“"Üè¾ûì3ûž_÷œ_wnf’ùÞ÷YëYåYߚ »¾‘€aQGÀ1"‚²]¨‹Z( Œ€õì`P æâRAA€(® -Ä@df0@ˆŠDdddˆ¹*¤ -êàˆÜ114ãåç¿û×Í/€×ŸÖ u€¸±îéc°ÿkG#€q„ì¡0@EOÿ‘–®àŽ†® @‡ €0€¾¶à!£!¼{ -ûã!à`è¯ÒЂX.%4@#! 
(Ö â ‚ AwHÊŠFcŸP4À„c°=À P8æþ•öÞñ;!$ -µpÁbX2}ƒ¡ H U_Uý<1Ž@̯Øh( 챖`ÈíWI¿1, Å¡p4ñÄüŠe€¡h$ 腍%C¢ ¿ÓpCCáep€‚8Q`ÆÒ`¹uç¯:ÿT=‰„yýöFü¶úGP ³$ÅÆa°± pb¡_â·GD„ÿ¸»!ÿÄÜ!¨ß ºókfx±IÁ8Ì †Ø é"0ؐ€;ÿ;•ÿs"ÿ$þü‘÷ß÷ïýÓKüï¾Ï§VwƒÁt.ØøcÉ°[xøµg¿«äø] 0¯áõwC3È™þ"û;¦…bÛ¡wÀJ" "*(üÇ5­õ„€õ¡#ÀÃvë÷½  AÁ pVÕß Å: ÿ 3v„‚œá¿Ú/ñƒÿž;V¨ß™ )««+i=äÿW»õ·¥>v0Æ^Hà¿Ã˜é Àÿ8üâQVFx|$E¢RÒiqa€´”ˆß¿ˆø›F䯳ƒ‚z,………EØß?¿ÿF B€͌cÇì¿` -…U÷÷›-úÏó@§÷ªeg»~o(²°Öøe~@¢Í?=bQ¦Ôö¢2T°nXöò­×Äòç—|«ýít0ž¶TÈN‹ßmގ|Êyî&)þÕ !ëB²Œm³ŸÝ®YH -›®.½30´.¸¸~k¸I uc÷„7à¶{~ ç1’ü (­æ)m3EUՋ­m“cžî¾Þž¶}‚Ž/Ìüϟqɹ_#ãŽp}άhaRêÉ© 60DIb•¤4Ì1ëCö$Ò]—mVÜ ÷ˆr´˜V‘šµHM¨@a5¨w§µ_“ù‡s‘h0á«1î¶ ¼üòeï>÷©¦ýýØèùÚâÝç¼þ©Pëd¼dâÍO>v<*YTòÓv zE}qZÇ -ä÷wvÇ«éRèJV¡e’ìr¼9ùₜô0˜"Än%Ÿ•MsÒºYìÎUBu¨9‡çͪ¸qæÍì}ÍlÓ} |e±ŸrºE©?G‚ü¯’ÍóEK0&•’O®&œ¾TÒ3©¢—]™7F=«Æo¬ÌS†åZ‘<%jÏâ¥g¾à§¿UÅiyÜ*.ìTÏh-ž‘2(’Tä¸ñW­BÌišùþp[MSÛ-²èu3»XwQÏGA¶4 ³ë´ÊöaVqªºUCKFXŠ£µ:¿[?pÈÞ©“’ªk,› .32.½ÑöL‚eýu-Õ +ˤ¹i0ªøØ>ÿgWcrBlñ§buSx‡p':Í=r÷ÌÔ×À09øóì[ˆê÷"çǵ¬Cú• ³ã¶Þ£ -8O,llH?I76µTèXD œö³Sè.NwiçD8T¥2u¼ÁÏÔ ÈCiÂUЛAJéTH®gÜöI”1MëM`*o•æ¾ÐbÔõô©¹,V-u4ý†ýCÝÑUOKz‚—âÛë—ëÄä5~%šct]­§h¤²ÛNå¹öÿ Ûö’ñ?‰·ÏÊ*åI“y[qo.oZqO—f4!OòìC'=[b°ëL‡ \ö¬WK+õîI¢œx–Í+ ·ÉÐÖ¨¬§ýÊîzMŠ|’þª»Y-ú¥ÊéŽCå@Õ5#JW_Ùû^¤k÷öcžs£–=å™Äfë¥7ƒ"ݐ5[k jΛrA{\“²òb¯5ÎøÄϓ¡_ލp~³3”Úš°)îx'¨Æ{¦è!go±°Gm)«¡‡d°\>²õÉo '¸µ±… -0…Ødgç•771ô|Ÿ¢‹y¾ÌõºbÓü–u0Æ_røªvùMc®ç¹ÃBÅ\n}HòýÇHyðîµ³p%Èuë@k+…–ß×ÏÔ\|©bû¬ç´ËOª?XçsË,[Õ©EWJaoD’ןڪق(eT"Œµ6¼AhÒ7Y*¿é½|8 ÍÒäÒx5Ámê#)ѹ å€n_7¯Ë,f™·­ž³ö-ü捝S17É1I©wŠ—&ÍÄ°}ðnñô«ù\ t§kôaLs(‹‰Ó³ÅÇ?=1òJ8¹¬_Ãkvy˪7—‹´nK°°=içé0Â!O³v£þ@ë¬QueniÊ<¾³ÕµÑ”ÒÂIm¶ŽìQ#wœïa8ú<z/gÈlŠår¢g4t&*ÀD‘@(-=V›HÑü"§KÀF§kìqDœ4F—î>á‹ ï¶ù´eöä—ñsç•2´9µrœ%´5“Å%:ø”rBSÛԆÇàš¶/BÄ)¯o½ÑäNÜèÖ|ÂvthùL—XÿUš^ðöá÷FŽyÎö&•'i¹ÛuTL'oAÀqKR‚µ8R€A¨ØŒG­–•äÉÖ …ŠB‰£Fú²žÖŽF„»@óÄôdRÐqœLR9IRaû= -ÀÛËϛë"±¦­\E‚ñ<\þìa#®0G£Í¾ìў÷š¶˜œ ƧW3K2aؕÊ/Õn$¦y½–î•Þç ùÊ1(µVÓ"bªùº©:¢OÃOò†Ÿ–Å°.(±Šb}ç”i¢Â˜¬ÿqî‡É{+_V®¸Ä´$¥¢P_[QeYjçWZo—¡ÀŠæUYþÇ»®i):q #ÏÙ@öN­³…sèw^—”ŠÖ¬®I)kæ¤Å‘s˲QMµd9^bU·ü½çw£ -÷oŽCÒ^ï'‰¶>ù -ßX?zóä½ãÁÊñF—òû\šµæ–­ÎÆ:Û}|í.Mœ“îL#Ø*ê>~CÊ<Ɠ¸R芧æx ê2¾D0ùܚãæ­Üh—gIè0ۄ^áÒ% ÃéRÃ~îïQñE¸È~R<™¯—ÆksRÜx¦õ4«œßg‰½V?^ `ÚÖݪ3G6PøAb+aDoU¯ïN—íhø h.Ó 
FPïÉÃàFñä"}†ü»Š— á º 㜒žêHÿG¯2‡Ä *e&è°Ôóå[CVÆk´ø“ìtùʜo$ô‡ÄÓ¯­ûÐ< ¯Z ÁéEºð.œd¤˜]KȮ۰ūe«úž\¤Ã£ó.¥õ—ïæ :@Ú55,g|ßæö7úh;6XÄ/>¶"ynö#®¼QóÀ<³{5”–SÐ/8*У‹‹GO JøL©‚¼EzÆÄǪµR¥xÂ]åÁ½œÎ+ñ6ý§ƒ÷ÎÆ`bINÇQˆƒ›§ôý6†„øågÑåîp&Ã8”ËöaKÚdagØ[Ä~¢ÇS/e:¯|¯ñÞ昮¡»œY¶šÄÐŒLnc¶{ÂÏzõ/+åæ_9@irø˜crûó—?VpK[´Áúùp÷ã̐Wâi{m¶ÝšÍš^¯ƒkBlïøôô¾ ™™úN‰¼·9˜¶Ë8ƒØdX'E?Šª!6œi<Á· -MwY}6ŽûV¶Œ—n:÷ymO}€KQNUÁÆ®2¾)õ¼‘A”ɼÆÅ­…H?òês9úóؑ)ª¦Ïý¥¼O8⭉`ù£4ýÌÍͽ"/㬂ìÂ>ÂÇfSgL,D Ï\¤¶â2íÓ8MÇÇB3£[~„ûðü¡í)9ú{N»\˜"¯¬ê9AäÍÜBvLœ¿xa1ýÐه?¦•J§®2ˆÄ‹"]¥ø4wLôn´¼lûÚ¡ï§.|‚ ³®2èEs^Þ=ÒNQã·;\Ð2>“»ÕWlª”› -ÉZI²L%g}W f±½‘¸»=ñLù’óZۉ׎¬fž6‡û|vØz½¨ê¤Ù›«™œç«R};·C:)†æ½Qßțx» ¾ˆhQ ¤Ç¹Z&âþ±þ6(Նi”U·À·³•>ÖõðpÉúP9w1Oêë@Œ#Ú¢Ð\H´èÅ“ˆ²]WúÔùýÁ—¨£ÐtGÓÑ{£ˆÜ «ìîë*Õj€¨ø61õ&¿<+Ç«Õ\Ô²Hº|ý¦ûì¬uáñ¾ªR+;Að¬·kü©è÷Ì[5g"P -/%É =Þ0g肞•/Š ³=K%äØï˜méð©_8êZr1OIE¯}}FºæÙ÷Qí0 -ÓKd÷5>£FÇíêN^)+&yä¬>Ki?bKÃþÂ5Ih\ðpX1„¦ ;ñ OÁµýËw•¢:ÙÔãoŽgX÷‘5XË2R²‹£ŸöŒ¼Ôö· ¾9ëȶÇ@‹këtۍ 6~lŠlÖúʛ§29BÍÊS$ÔÑд¢Ý!œ_4ÿ’‹Ó§GÂXH×rcbé>U&tã”%…àJ6ì dÌ$V{ -ßѦ@¤í¯,*ŽÈžÙÁc]ÆÞ͵T¶…†F?œ¸ØÇâMÌË4ú¦&:º³^vL%ƒƒq„¯/š¶åÖYœòæx†)ÈöþIŒnÐÏÞQa&/WÅé¹ôó”ÕVz©àîMö¶l?¹úsèkEòƒÁ4#Tå(í`¿<1 oz/÷Û/q¿Çkñ.ö‰ïÏã}ź„]Âñ"ÌM Œ‹ô¸º¦²Iˆ'(Þ´ôâœÝ¿,6%8ÛΪ¨¿…Ç2¸zϝ’oËKÄæŽF»èC^ûÊb”ŠDÒ}õQÇ1—C‘„Öܔ©øRÍð_qqKy¸”5g‘](@ñFž7ãæŒ #“R:¾©„w”_+åZ5°yùrØ¥:‰Må<8… ²Ž2ž\ØÞLþ*lh.É%Չ?‹³È*˜ |0ϛ•!qd #åfn脟úÃ/¦<½–özšù«ÙwFäÐM§%«ùÇcÙo´‰?¼h¢`R\˜°äoTì<9›¶gô^l¾ø Ÿ>ÌÏÿ¸Þ󲺭I‚Ø”$|MbIþRZ7z®@¿… cõ«*ú’æ•rG½ªü9N<ïÇ{L -o>‡…~¼GYøüÈuQâ*³AٟK ¾ôµ‹«ñ–Åad|KtY;…Ü©_–èe 5͟ˆ¾#¾ïE’Ô{Éq;_þZˆ1ÔQ;—›ÎªD=!avhzìâ°l#<~á>Y×w<öì[oçü*֏s·ìûä(î·Æk*gÉç:]¢'‰!%y]¦Zd TŸšnS Uß\&xyu%S–9²îƒ'"šÇ†\ááº*ùx8"Üé÷žäæG»éÊB;âÊ(â',aò>ÌæY$–¹ý”27SxÊWpènK[çÄ1l 豬y¤i¦º·É ·öîáÅ,ïo²ÓØv®‹w’ÄE‹¿¶«>¨•–|߬±*ý( <ùi+~R.EF&-¯ÌóÕpzF>ç”ÁyOwÑU™sl 9FLlÌTiqÝéV‘éù)§jÍ«ëÜbÁ¼ϋ…Ý ck-¿Z Çê0e%ÔÒÓhÿ¹ÌØFˆõ¾iòzwsªYÞÚîÑÈNYø‚.»sçÞÚE!58ÎìJ:Û;5`¤ŒTƒC¹¥ó§}á`­4…¶­€"Ì{>EÖôùń٫Ìi¶X©6Ýh=㒋¼íîËgÊ»·µV®Ýï¤ÌˆÚ?éÜ;õI/ˆ¿ˆ|×Br\jUôÄÛ>‰,2Þ÷þˆL!‘ñôF-íԅNi™ÓS -¥~-1ßÊ·Sí·ÃÔ:Ö©—JZFߍ”-¦ âJ²FDDµ©›¹â1ËîÓHâÌäÅÖӏ~ì†Þr·ÂCÅS#\iŸ5뫃OË=iåw—3v0|¯†FHFú®Q…k<Œ"X1˔vuÔ4–¼¶uèSŒöÀîÛ -Ú#ÎÝÅ)šjÀMs¤ârruRb&l^5!Í¢W#j !}Þ5ÒÊ@.ÌLж¨VJ=aAø|‘jž\íN[㔠¦…‡%cՑŽ¼ÁàCޔr;c¶Šb=vTA¢E1ÆUçCݽ0=ã$ÕÚ±qʾ 
ª‰Œ8!ÖM}šÀ ±šË̏'─ÎE—º4ÎýZ&÷ï.9¼>vI†ÄûÔ®×ô/èÜÇ~à£jh¶ÌBW˜J±ý±2´*T¹Beß9dK.j^¤"{R;–®®´¿!|xӚgm¢5uFcXx£Ãßä1“­’¯ÕnÄOÀ)6dQ×·¬³°W¼¡Ì¬ZÚZ+ ×Û3yíUèŽËþ˜"Ë©k±.—þ Ç·N(´¢ÿïz“-ܺŒ¨OóB%7g³¹I¹ûa¤ÆQØÿáh³0u^ѕ Œ!7 A¥\ÇínT`£¯;þ{€|“é =Ï15zÍu–¼Ý­ÕÖO7ïQ$…ý(1•¬| Þq”XÄð.]®>ʝS’kM<óK`ö…dí‹*y’u#qµÑ#ôÊa6E§¾Œ!σ Øq›ÇokkQúæżtyî{+Zþ¢ ÝuWEœwGý˜óù í[„+«92\8嗃dbDËËÐ1ê™=*®esyƒU£fǭ㌍§[ƀ^J7{بÍ|rÌÝ\Ó7¼åâ/MZ„î«|–œŠã~®n§‘Eˆ.£> ­6)ğS5Së,ªÓ/Ä´$ӗݞ%¿ £]‚(óö~õǙÐŽã—TØ-Ý]Rf¥òíÜ»f0é~Ç7 Ú¼>žéçöåtKà}Ì9‚ÖUÜ©å±/¤à×û05ºÄ[¾ -¼RK·=Ž–ùóoú©G–c£m¨fk•óæo_s^^ž3XO¼ò1ˆ -³Ÿ“öÐ^£²P¶yWmnÏÄĝT‹Ë^­ZïÚ]:Ê>9mTl´ô£i¥OäáàÑýlú ±Ê(À•ªûjÊ,µrAAx-fLjpŒ >¬ŽÐþÐ3ú¾3êÔèû ŽTõvõZ¼c ”ì5¤uQԔYN¨pL…2ÌæôçV‹Ë@>‘ÈÞ N_"ˆ`†ù¦z§—¥„¯ -yîoÜlŒà㹶_ µ'Õ ÍO.׸µ6}¾Â£×˜^N!Ý´’»ÒvµA±çþð kOg -Ówí2ëƒ'Î`p+p ¬ã™CÏ?dÃÉ!¸äëõé)§»Å8Ë÷Ó»nübçG®ú•u™€ùw¾jaŸKè\¨§*A䦢3$ڈåúŸád‡9ðÖB¶€Á5 ³m({ôTá{~·sF'[‹»zèêæ±Hží:¼“þ"2Éaʍøàý´ƒ¸Kðҋ,—‚aQú²¤þ+¿9PáÝÄúÈMU:‰b2Ù œÂ áƖ€œÉ§mle,sm&,Võ£r—“Gf—nÇßí ¥ú2ÑÅu´SEȌÀKG9é ìT\?µì/8—ù -—Ä:ê÷ðÝ åë„ a ø«}V+ -IÃ%¢§¸ÁMÏ­W[öÉ%ä¢*¿gš]T›®æÅÖX=„~íuÊÌ»Ñi©Xp ÓYÂaE´=pÃõ{ó­›óŽ¾™É"ö÷¥ F84ÒL”ÆٞÌ[;ô鋝åŽ~ ¼ãl¸jä!@šjUâŸs5ÌÃO ‘Å7o­\)ÄȒ±0øzi*‘ƒu[ä Ùxm3È!5œˆ £ x‚ɤ‚ówzç ‡®ÛjñE÷0URRïHOn!XU¸|ð¯øjiì¾ òŒrٗã¥|ÁÆÝmÜ iV+O´Û–‡1îvaº—òⸯTÉöàŘëÃô§þ.0Íg ËÆ JæÂ]µZIbQ*g61·É5{áóCüÿÿ'@0…A¸QÎÄÿû߄Wendstream -endobj -711 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1336 0 R -/FirstChar 46 -/LastChar 122 -/Widths 1342 0 R -/BaseFont /BFFAIL+NimbusMonL-BoldObli -/FontDescriptor 709 0 R ->> endobj -709 0 obj << -/Ascent 624 -/CapHeight 552 -/Descent -126 -/FontName /BFFAIL+NimbusMonL-BoldObli -/ItalicAngle -12 -/StemV 103 -/XHeight 439 -/FontBBox [-61 -278 840 871] -/Flags 4 -/CharSet (/period/a/c/e/i/l/m/n/o/s/v/w/z) -/FontFile 710 0 R ->> endobj -1342 0 obj -[600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 0 600 0 0 0 600 0 0 600 600 600 600 0 0 0 600 0 0 600 600 0 0 600 ] -endobj -702 0 obj << -/Length1 1630 -/Length2 8144 -/Length3 532 -/Length 9011 -/Filter /FlateDecode ->> -stream -xÚíwePœí²-î®Á 
Npww‡à>ÀÀƒw×à$¸;$¸w×à„@\.ÉwöÞ§¾»³ݺS5SïÓ«{u÷³úíª¡¥TÓd·t4Ê8:¸²°³² T@öæn.ʎJ,@k7Us0ðp£ÐÒJ:Í\AŽRf®@À[ %@ -hàà°óóó£Ð$!žÎ kW½¶Æ[&&æY~»Ì=ÿ¼Dº€¬¯_܁`Gˆ=ÐÁõ…⨠\m€+TUӓW‘Ð˪hd@g30@Íí¥ €ÈèàdX9:ÀŽ– ß­¹°¾p‰»Ì. è% èa„ü†˜ ³=ÈÅåårX;›9¸¾Ü«#ä`v³ü]À‹ÝÊñOAgÇûì…LÍÑÅÕÅÂq¼dU“’ù«NW3×ß¹]@/0ÀÑêÅÓÒÑÂíwK°šÔÕ äàpz¸þÎeX‚\ `3ϗÜ/dgП2Ü\@Öÿª€à ´6s¶]\^h^¸ßοúü·îÍ °çŸhÇ?^ÿ¬äê[±¢°s¼ä´p}Ém r@yó{Xä¬ìlÙ-Ý ÿÀ܁Î.ˆþ÷Ì0¼aféèöX­PÞ¨8º¾¤ÐÿÏTfýωüø?"ðDÞÿ¸×追ÄÿÛ÷ùïÔ2n`°Š™ýËüµd/[Æ ø½gÀf΀߻ÆÉ ø…™ÙƒÀžÿ&ðïŽoû_|‡å]Í^.EÜÁúEvV¶¿Ì ÐR äja°2¿ÜÙ»¶ƒ%Ð r¾hûçZ_‚ØØþ†iـ,ì~‹Àýt°ü{ù/rý)þ†¢–®œÓ¿Û°<Õ^&ÁUËüWš·ÊŽ–ÿ<ü摐pôx³ð°X88y¼¼\>vvß“ñ û¿ÎÊf®Î €+;àå÷ߝŒþF#í`áhù{r4]Í,_†íŸ†ß°…›³ó‹ÆÞÿ—¦ÿqþ3ö@ ÐeyÁÑB0Ä6=+õ–0w`LÊ ·›v RÒ U˜PíØ埱É_aúPÊÚ8!ðÔâ9yÜU`Üê&Óu¥?’úR3ôäc}ÝÆË´ôƸ=ãÇÛï“9¥ 8}6½­1u ãⲉ6Ng¤“k†j÷ü<š+†ŸEZ}<~;V#NmÁá×I߯¯è¾ ôwÁ÷ì’0åÄ#Ó -ºÃ¡¿ŽpÊ!Õ×®ðŽdځ©Û£ˆëIÌå1ñ:–¹M !LŸ+ÏS·×Ö:çñkÏñù È [œÒ¡±Tlü+Û¿-ë•øET×—mÚjËl ò>õ _ԋvý,8èáÏ D›[©ºœÛ[3zoÃC±)·úˆyH cpeØhS‹GéZuk€ÉaëCkú–J†H‚O—ÕVf.~†÷þ䄺¥u5\càÞ91f&ê~ºLØéÂÌe_|Ÿr“7K5¸S¿iÊl–œiýæ£q­]%Ã['ßê‹t{YÎ(”o¢E -jEÅÖ*|Ýʏ|™w{›·þÃMѶ¦šx7Zmû ÉJgÜó]w2Ðύ"|&&WŸÜ~±8Æjt -ݖ”èíC›ÇO/äÊBEQwÚüEšm˜§/ÞôRų#m ¨ŠçöØ -oJªb¯-ûÏ¥š¯:ÜÒmSÂcòªÄòGµ›½d–ÝÒ±çfÐ ‡ï*7? 
Œø¹éݦÕáˆú»2œ; ä!X25#ÐjÓ¯*™Zðg‰æ²M¦Û&=N„¡#‰ñô¤—l.gýiŽõŒ'S"œ+€êæíFý=õ1¸nWQ5’F”ÕØ#Äù4]P³sÀ‚Y~ך4Á†Ç®~„ír ݯ¨¨è&K‹F¶òmis–rùÐe'¶“ná}%’,Rñ|ë,ã>aL¦CÁ!0Y1'Ü¥çýüªPXXÊH<–êĨŸer¥¹ãyPå`C—@Gr›Ô!à–Áa•NºÎÄ{eBÀ…P}jlî'qþ z#„y ڬȧ¯úc ArÅþÃqf§7ÅFù{ÂÎ;x’›¨ÇOǙœØνC;óA%‰|ó;ڌHö“IÁi²Š1€À+,lÙFl¥ÁxI¢ŠØcØ,ûœÐ×­o±©yÞ<œ_4Žø&Ñ337c†u¯ëКuÞp¥Ò+¥ÖU´vûŒ±³Æ¡ŠyT$Aø<)^Ô1&‘»¿¶Ã †ídD™.w2ž¯œ$à°î„!ðØÌÎfíàUœÚ¾Qbӓ›Û™¾ù*¹»$‚ññ8Ÿ°íBŒaº¹?'‡emj#§„böm«]²x.+„ä¨ð.]Ã8$Goÿ“1Ÿjϑ¯G…%Z%½3WÈs&¾CÏñ= é>4Méݲk×]GÕªßMÓN~|ð‰,ï0Jž±öf˔Äzž²"Ö,¨Àå¼A -/–Tª1KÄ"} žŒ"Ô,®ÿØmo¸Ny\ém< -~ǀŸFš[pcù¢3yŠ˜…Š\ØrJn‚Kµ ú‹ÙváçÔN_1oÞAM¤œ“*‘~à0sæQ@ÚtíÁ~Ȧ.ìó?–µç㒻ÿ˜ûnW¿ mC­åÚł¯•Rî“CùW&ބÙ-’ˆ»[—CxþѧgT`&1|ÑJã—1`~ PVƒs ÙDŽ Ú)a4»ZÇ[X€ÆF¹”2‡;mS¢ª&ä GÅ*‚b˜Xõê¬ÌyÏë:°íMhÛÔÑÜ-¨‚Þ¦!anPÏǔdíFÚüÚI·«³J 95ò«‹iYïIôÉúqËñú“=ŸÑÒ~±úMuk°¿„‡dbMTß\4 6ê:Úq-u.Á -fežÜrßCï£Üvµ~~1«e¥#Zç»×ÍÀ n®hÆÎJ/_Rîd{!ÏԺǤò3ìóðæ÷`¹’„¾%1íc-qlÇقiW¶tc L{þÄkIcl1‡E5Ã6Ѭ 3€wXGZ´/dÖýÞ=“?Â5¨r!>Æh~X ¾2 -×IÙ.Ch’Ŭø^AQ¾f!2¥ý+RS¢°k¾R•]ÍmËç ëDuÙ˸‡è™¨tÓv-º'÷W¿6ÐØW#ŽÛBÐô6Qº9É&˜7`~b8Ìêa²Èé’gΧñu NvA —’ÕW”Ÿm´ifø!:ú4$¹ ÷p_£¬eæš÷ײ‚®LO„yÆ0Ž6O Û—‡œjæýgWp„å^eÖTiDÞ6}Óû—FrV=+ì s¶ÔÈ·Þ:Û;§)^O¯©ótoibçWÒóÑ©„#þ²])Š2ã°À7 -ZC¨JBöjüÈ+>ō”æ½Ö^ƒ6iDõíݳâ‚<¼èLRX6Ž†šÙÏÛU®`¸ My“ïµ#.“O&އÃü‹A©ˆóºÓb~öSÛ´¬Ô¹ZZy„Ɗƒœ§Üy1=!µRÚ4)Ôm$UÃVAۗtÃ72?"P„t¹á„~F£¦ì±žÅ}e—9!©ÛFè÷çœÆ£ŠõN°Ð—ßC¼­õæ«Õ€nǓÙ,q÷|‰óÖ!šžŸ¶|Í+ø³fÖÏ· -|҇ b9¢Ý—B”Óeß¡#Ï^+X¤½š^Ԁã„R|ÿVöàÕâÞ¼ÒDNètúÁQµd¢L¤–²ž3TKâ³°Ñ.ëÚÑՍSÜO3†<—7?¿t—Æ<ôÆè¶?„^K”½û‰ßè€wºÌyՅO=ÑaÔ]:»4aNÚYW¦$ñX“S  «Ÿtq†(D=d¾qêN‚Cw#¢që£`"“AýÊ=×4}Æýn– Y“ª2<¨Ú÷åqñø'-¨iaŒ½¯©5GåsFHñ’]&à~ÿYkÚC¡ ϋ…v^-¶ʺ%eö>¡pý"³ê+åß_5rÎÌð–rbaú‰%&ù -sÆ@es‘Xü>¹eéN!I±rÝ<¥ImÓávL^Vc°èé4%ÐvcŒ~ŽuŸÚ:æšÐ(^V©FšÉFʄ5¦@w:¤ªO!¸Ò:¨M„Páüòonñ=¹/ )‰=D¬™‘x™( ;o•94‡Í‚¹m.Ïÿ&yj:f•… -ã¯ç´½y5âC̆7’gj óÄâ|ÈÂÚÔ¤à¤ò„[ZÓôÁûòúêFù³‚V"vÏ[´¯'›0¡'Øüˆu‡Haq>文›äã#‚wk¸WS½Ê9¤_,-Vˆ:´'ٙªÎSË^eæD¤‰0 -[ê©úɱշÆ#]ðN«³¼6m¥‰8\mm×–æO*Ídœà?Ôd&ùãͼbÀ`›ÂQ EÑöý¸R>™üý‡Âk<7½¢ŸhTª*ñ!þ™ï¹ûXâ%|‰ddu:Ò_'r䕯w–Möaª4¸Í(#在žÜköÓ?% sö)Y~;=N³2€†»F -ØŸ;Â[·^[VÕG ô…›Ë5a¯Õþ·«Ê/qhÃP៻AxàIèŽòÔ*a‰íŸñýi"ñ”΁èa¦J‚ãU«¿hè6[é¹Î]¶ú£^þ Wœ ­„úž@Ô úØÁq‚'QÞG«Á.·C—‡¬ö™Õš#ñÕY”…ý 
!A¦S3çìºâÆe²OÙð<è4ËՐhB\ÎÛ/f–Ѿ39ó6©ÇfžÝ†ÒanÂÁÏ×áá–>πV=Æ]‘ïÈ|zˆ•T°¹ÝH’“=æö+•ÜА~áâ>è?¥ðR­M :Öª”¬¯¤1ÕUÓ2jmƒ<ì &oŕM<Ã,Aí‹KoLÇ/ ݞKÅ7™ ¡„<¾Cšì+Í5Êhk£JVY+x°ÀBú€ÛH¬æó§˜W+°}_…{½FpÓV?aÐ:Š&2ìå;t‘Á(Ò#8UXÊÈÚèhÝk 'gY;ê8?çèX¯^a’öþOw£RêOé}O`)Ž}yªÔí*°¢ÑSK2qLØ,V¯`¢~ՂÍà6ÛÊ¢o&߬þÁñ÷©â¨)m[z2{i¤o‘ê&ÂÑÚ\Œ4æ™m’íõ;v¶,ÃT¼ó&æ·ñJö6yŸÎ4ôk¬`äÌrâœîL C¶ -ڏn3!©E:qg^˜½“ çEÉHûK뵋Ùãi¬r°"×$n{G4.ö5b -C'75¾caÁ¢ãmƒž•å ûZ *œ®ÉÙ @œË¼,A¾‚úqhîA¨øy#³ -1j ÚlÑ&³¤=mÒ;HW3ßF]-˜b:¼a²-m½Í¸×8%3,Z¼RåØ;*…0â+1wf ž¡¸rA7DZ Ž»µ‡Á8ʜ”ÎR”Ä<¬¨ÅòBu%Ô_`î”Eû1B–Y«æ;7¢rœ–õôú[¦uÍ꫑âa® -Øcîmë5+ ¨38…y-5*6Ó¼'G†I¡s*ɞš<ªf'&Â÷ç)7+9Si|пŠ·ÖC7¿¦´kEª3¡1/`@;ý‚·ÕØ%T¿h¿÷m UBÉg€Kj2ç3gžE>Én+p×úˆlJ<2A1ƒÊÆø4œ/¥Epz¬&ôìÜ­ÿH\tõœÓ%±_~MgþD õ*ÖÆÇûÔ³ K½?€÷£–ò>#¹끁lY–ýaIø -•ªÿ­^²~wå0§÷>¬­i¡”Ðer;á2\ŸS2ûkÿÚÙJ=ñ8ªÓ;åȲ¦p«.©I*ΪoFãÄjèŸ*˜®$rرpVxO)ß-.LòV"ëàÁËð:¾ßOw(ʽ +X£ÏÕ½ÞÀ ¶aøz·#  OÈ.oðâ›7Õ̹Ήé.­² -B–y´S,¯K.Œ¾ÄJ'7Z¤Ýiõ•®G@QÀn•?—‰†Í_#ppړúëslg°ˆ!PB0ŽÇ0!)ô j«ïY:FŒ›|ƒY Þ +[#’¯f•YÞifýP!`9†„øQ1º*˜¹’οçÿ1›†•Ò»=Iù NeõÉ #˜' g€"C-†óçþ9#Èï³Æ<4Wkë]i¤ê/£lŒ$%~î S,…@õŸ’Ñ– hŒµ£Nó+G“} ՑÜi­álNͯmÎ#ý#¾tK§·¢žZí%ᆠÕU©„#àš?,âŠãµ Ê…Å_gd4°‘½ÙÇTK°$:áِO"LÁØнݳg¿Ò/՘Hh¨1ÊõòþQD„ÒðügßÞ[2g¦¦.åy*)­½[Ö}vDÈ\ºpw3êÛÌ@Ĥ΄˜S_8]_÷á°Ô ®EØ6ä8—×w‡lʃ\²i©Tu^Oª±O§ µýä†ÉBâp;>'óV(œe6W¡¨ÀÙYÜ6fâ¢SÓz«ýPy çjÒ\ló”µ5”Ñ{mî0r\™\Ùp†?ㇱ9ŽìµFÚзæM(j -bvÑCª¶<áVÅák…î 4ÛFüÀãó´[Oݭɛþ(œ6®°Gɹ|ðzCà"å:.B*´ -ÌÇý¦”ït†ˆQF'£•W”‚Jî‹ö¨RZ»å>Õ;v×òu"Bä—,IÆ÷ -?tBVå äÓÒ·&Ÿõað͐Ñ3ã?ì‰ðˆz)ýþŠË¬MÜöõÇÈR‹[uY­Êâ™xŽ(ä©rLx¹d0©Ù¹9›—€¹`eîWœŠjÍ`« rëáeÕ0Eg—¬ÀpÛco:,Cú‰–èÓT` T콈l×ÓkŽÊ]5Ɂ_oÖÏFSPÁÈl`«@Y`…# Œ‹H…ÝÄN›Ëo¸¸˜D·è‘Í[ÏZ{¦ãg¹ù8|ü,1i•€Â~6Ûn„DQ¥ßæÊR¶ð‹š-΂ÈV÷²a~ªŸ´Hqef±ÐkçO;l§©ñ÷’É0ÒªÃê»ì™p细ÖKL8þoòÌ¥;»\Ç‚ÅæYq½ÉšŸ ëi_×ñ mÞÑ ‹MÙv{ëø– ÓŽÓÁp³*•âú½W±ÀCqJÞ}‰É‰ Vþ`õ¤›Ðòåâh"*f!)|÷Y² ªS]-×FÝåߧ˜Á'VnŸ Å7H­z2wt_›^9§ïqŠ;II+pÐÇ÷óÊé¥ôv$Á‘ƃèÙnô°ù.ûû˜'¶‹ò¢¹ùž)ײ°„Ã\f+5ôeP„œÅhQ¯5F-1á :Ýۊ«ëm&5£‚Êñ@Š"œ¥JdIrù’ÔW®VéTÿ]ìò‡¢ªÏ§Çñ¶ÛÑûÎQó×pàûŸVŸ¦«ãobXÆ[)íz;J}$ã%!ša˜¡(¤<¡Ú»álÀ¼ìHÅ­p$Èkßã:­xkuÂUö–È£×=#˜ôŠ»küÁV"‡´ÙCz{XgBSý¾ïĨf¸ùU&Ò´|-–â¡àÓïº :œ÷^NÈ0ˆnµKÃîòÜãwv5n¤_‹—b¶$‚Ò™‰§¹?<ßúÂ]^8y,»1!Œ¬y]¡ñùÂ׌óÒ&(YÑ÷³ÆLô››7“«uí’Î>ÔnžOÒ!œJµ=Ód&Ýhi%Âq³Û=xTR ¬ˆ'ï -¿Ø„× 
óF¶?0PA–ßâeP¼šxoyT×]ƒ ߯ q‚éWëÆóªVüš'ƒ³DŠgªš­µ©’((_«¿ª²*ÉêjÂÉÀhýìÀß,[Rz<™ð<ËXs×;åäÚg&Úö7· lj¥*j¼}Å3®³â=Bºê„YSÏë -¢…~/Œ%뺋 Í_g>êµÓ~ãYbŠ5| -ËÐÿÁÓ6æ›.æÏcÖ(‰…4Sü4ºÖ. ³îñ à“ò<¯¬ˆ.76Ÿ?õ#»Â oyù£ðc ™2ô2Íû>Úé \‘ðc"l誤çoIk§†²ÇݑÏs§§+Û¤ßȄÊMðʪìW¯> ÕŊJ~à‹“ç—=6óÎ/QP<Ž}%´5*¦²ÍÌà‹r][¸„ìWMfRA¾.¼Ôã·v’ówØøÍÄVn®q»7OçÙ`°W¹(ã#ðmL¢mÚ¬61$"㔒OãÙ¿ -F ]bI“•C·v0ô]ïsŠ×V*à&Æ:-H3Ÿº?éU#™”@¬dn -ö;)Ó5†90öê8’ÊøïSÏ]m/‚ƒÐ _èìûD"6ÅÐ -ó/ ¤¤IÝn×ャÃH£J©´Á×í£\^"^?m¸î#ÜÓã­¡]?Âǫ̀ôÍÄ?õ}ŸÔ½ºCCv‰ ØÕÅóØôɋŽcÄqÙÅÄ 1ȂÓÏAK–&ÇqJáw‡í¥óðq-²º5{ܝ9cúxsœ…vtàtf>Ø.V/èàl)]ÆüjEÞ)â06¦±/ˆÅˆÅðŸ—Â>¦O9L:»åcþ‘o†, 1ÜÊ È6dðdrx·±+ -þuch`’WZԁ6¿©Rì2oŒ`¨ÍÍj“( FM›c¢JÝ«Ê<^=¢fÎ(V«¯|^z‹D­Þ»©ÚǍ«×4úóeÍQCf¼5-LØñè‹9¤ÓlêÏÈßiÚNŽKš.¨¿’ò+sÈî/ ÙXй'ŠÝSu÷ _g““X® d–²žÃ2ÈÄÀÅtÑ"ÝF2”Ðq×,aGÑ*ِ¾¿~}õÏ'Èzž@öýÆÊȐ5Têr]Àü)÷„Vݾ¿û‚{²î}v/G•wæ[;)¨nåj7cŒ7|íÛé¿,ø¯:!öUKÌSDßØeåÐbÜn ]`EŸñ;¸`“eŸ¶ØÉ`<6,¸“c΀Že^ðe£Þ”gœãÈÕ­&)׬H1ì¶SdrvëOËx0P(îée¬-ÒM`¢!03ðÜW‰M^®#YâX$››ú4 ºÂûgG/lPŠêÛΣ›îXßl’ìr„”Úå¨è$IãÔÒÅóJÔ¿ýä  {Ø蟉©U³ ´¨©O²Q×FÞ2ÐÒ{ïÛ#ÔQÍÁ@W®Zædˆ}óº-ÅÉæiW²…k¬6$ØÌ<ÝòÔá·º7_´UsÁՈ=·¯(!Ä ‚¥mÊ3ýÅÿ4Çà§í†+é–nævÎi©ÿdˆÍTOwˆ -.„²5ÚþÈÖñ^ž/|†Saï½ ô»ØIvê -Ý»ê}­€‘D=Tÿéâö·½‡žëÑG]#ÂâuöñçP2ÀÂ,NÈËpߣ¶ÓñuþE+ë¼íà0 Hû"C«™»‘ïìºúŒÛ[rzaD%ƽ¯ÅSØ×¹Òøç7 Á‡;"ó%O,Gaes:εç2g‘ÇÞtR%>”¥I æ7iÚµ;Øù,Β`kõK%hDЈßXˆ“maîÝÇì’ …¥âœa ųáb•Ž-%ÎhÈà¨ñÔÀI• °{‘ÓÌÕ7g[{H"Ó·°G×(RJÖĤ®PgŒHºX­ó~ø6hv÷bĄ)Nà‘o\jr¼ki´Û¥Z²ŽâÃ‹Ö -ï:/ÿ©Aàéžµ@vô®ž å—þA·žÈFàQ=á'ê²_Z»ÔÙÄη+YS1¹Êƒ”ÞTRcÖì`Qœú}V› v1g1ÒŒŠ$| OIq @Ýsêç?ú¾óã°!¾,»Ö.qðŠ×þeˊ”l~a;$gõ…<¾9K„‹DüÆ©8®À¶IÁI3ýSȝ±$FïßûBßP5åqÏ' KÇ|µˆ€€‰¥ÿî`Ëf_>´« Í@MãSì7nDAðùg·u{<úzoáiC&‘RÊVçÇTA¿Wb-ΐŸØ]2PəÐ.8ÙËÍÙ.ò¯j|ƒz]÷ÞkZlü!½989Ÿðd¶aw¨É¾ ŽµQ 1ŸŒ¸9ŸTv2@&* •šíùAùÿÿOX€fގöfÎv(ÿgbjendstream -endobj -703 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1336 0 R -/FirstChar 40 -/LastChar 122 -/Widths 1343 0 R -/BaseFont /RKTXHV+NimbusMonL-ReguObli -/FontDescriptor 701 0 R ->> endobj -701 0 obj << -/Ascent 625 -/CapHeight 557 -/Descent -147 -/FontName /RKTXHV+NimbusMonL-ReguObli -/ItalicAngle -12 -/StemV 43 -/XHeight 426 -/FontBBox [-61 -237 774 811] -/Flags 4 -/CharSet 
(/parenleft/parenright/hyphen/a/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z) -/FontFile 702 0 R ->> endobj -1343 0 obj -[600 600 0 0 0 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ] -endobj -633 0 obj << -/Length1 1630 -/Length2 15731 -/Length3 532 -/Length 16611 -/Filter /FlateDecode ->> -stream -xÚí¹UT¤]“%Œ»kቻ;îîîNâZ¸»»;…»»»;…»Z¸ÃÔûõt÷¬ž¹šé«ýy“ω±#Nì8çY¹’œXQ…^ÈÔÞØLÜÞ΅ž™‰ ¦¬¡hdccd -´—¥W¶·5ü5³Ã‘“‹8™¹ííD\Ìxf¦Q3 €™››Ž bïàá´°tPýå ¦¥¥ûOË?.cGþF:-ì~˜ÙØ;ؚٹü¥ø¿T13¸Xš́6fE-)y •„¼@ÂÌÎÌÉÈ èjl4ÈMÌìœÍ¨æöN›[LìíLÿl͙á/—3Ààì`füfænbæðDp0s²:;ÿ}NFv.{àbڙظšþSÀ_»¹ý¿ -rp²ÿëaûûK¦hïìâlâtpüͪ(*þouºX¹ü“Ûø؛ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ3w—r›LÎ6Fsÿ%spþ« Wg ÅV@p2³0r2µ1svþKó—ûŸîüç>ÿËîl<þmÿ/¯ÿ¨èâlfcÎÇÌò7§‰ËßÜ@;8ÆFEÊÎÜÀÌôovSW‡Ç~˜9ý«ATÿÌ õß"ŒLííl<¦fæpŒòö.S¨þïTføïù¿Aâÿÿ[äý÷¿jô¿âÿ×óü_©Å]mlälÍþø÷; ø璱ûß¼l6ÿ'ÿÿê©aöoEþi¤\Œþ¶BÈÎâ¯ôÜ l\LÜÿÅîf¦Š@K€¹‘Íß^ýË®fgjæd´3û«é¿Ú  gfbú/˜ª%ÐÄÚîŸæ³ÿdfgú_ëÿ+Ó¿ªgÔTURÕ¢ýßîUz›¿óeÀÌÁùoŠ'ÁEÕÃÁ ð?ÓiÈٛþÇâ>aa{w€=3€ž…‹õïdap³±úürÿ‹ˆù?×rF.N@w€ó_Ò¾™þÉý€Þ¡³3±7ýgvT\ŒìLÿŽÛþM\œþªü¯àïöÿ}ý¯Á73s73[ûeoÂl•ž•áR‡72%ª3ÐÇ >âPÚ¨ZTè_cßë—¾Ë]iø^ÂÐ4ÃóÙî±|æðq(Ms4ևeCٛjvU€ïCJÝ_ˆºEÑÉI{Ȩ_Š˜q®íu½$»¡ÍÁ¤~´7¥¤¬_òE0ÓÉêsýDíOú£ÐƒìÑÉ×$­!³ ¥ ­îçÙ9EÒéÓ#åÐøèÈpï dÿ!mn,9ïDŠ(Ç\<mµ -±ªVõ¶ý^Nc_ñõiܐ¬æ§•Q¿ÑŠÔ+«ñïPYŸÌôZ#Ûõ½¼6SºßS7Cç0ÂþD¶X>ªO¯Æ¶aÕl¾JüÁøҊuwßùöüh¨ÁŽ7n- ª}»›ËÏì¯ò[ùwµ gïèÕËä‡× †¸ºŽïÛ­IZR » ˜Yâu#1¯› t,’‹¤×CMMW•M¬îӖ$IÁ]•Ð}}™ß×(+X{—üÓHï=s]Ԑ½í<›Øáb57U‘Ct¸¹# ¹@ ²KCúFúØì¸5Ö0ë#‚OXíg½FC'ØÐÀ"¤¹ú,ï6çš#±VEÿú4Í ÙTÙ ƒ˜êççX}×¹F; yh ȱ½ýx˜!:Á<œ?-p©yó>sd³aEG2 ‰iħØä¢_,Ì:ý¡ÒI“ -È ú€èç“.ª¡Ü^ó!Ozü(~”@½ð¤Ê¨JïŽ ÷(ù)I¡É’!Ë[í¿7O’0 ™(Öê/Êó#?ŸòtssÕï“wÏgWWÂù;í -ivPS“ ÙL+¥6º:]ø¹à s¡†U²;nü[Þþ¥ºÈ…\F˜+6ØU«Iæ´ÿµ´*mg_^ú3Q;.~ÄHB/׌0w=>>b¦u¨„Ê>D_×$,?z^ŽÄ'dð1QèQïþ®Ä‡:RdDc]ØSanWùì72§`Üð“!â£àúz¦ÓÁ‘,£¸º!6ãã -d-ãµ!2AnXî}uM#Ek}ÚÛÀ£>ñ´0¥š¥b˜)£9Ëà_dö%ÐþÄd'~}?ý›¤þ Տձ9.ß Ô¤ŽJ·Mµ`òÝïTî%–äS#£ÊÁ7v,\<6Ós^»9¿Œý$ÔkŸ‘)Ïh3§‰+¢Žò\ËÎjx.] 
íé„`lfÃÊET“»ë£Ï4—S»/ÎDüCÞS[ћ'UË«£g¢ªÉ7fàzÀXŒ -<$Œ^ƒ™yJŠ³Þ·|f¯¡_XÍé65È‹‡xȳT#¢Ê›c˜Fn²äjvb¡"£Dñuô‰ŽÔ7pô¨Þ3kµ¢ÃgnI\Hý•ŽxÅaÙvè#Ýü½ä®ªª Å9ñD“‹.š¾S2Àôõî”a½)m¾Úò~€ûó …â#_ôI\§êë•/»šžÇ¬"ñI4/á°ø¹;øë3  ËÍÄõ?X"M4Óþ0ÿԞóë:i·áèÿ„X µOTª—‚ wgÞZ%•ùÂkéúq¬4Ò7&Võ1;»:牦¯NªÞºŠÃ™5ÛUÆTŠ1 þäX›V­!ó™!*N4 3cÅß^uu”ûZ¹b«îÖÀì䱇R©ù)sÈ3:ð¸$®ÃÜ}þUœEc—Ìuø­ÅlŒúÞGéÂìSŽÀ>eñkk©s‰÷ŽÍ¤JÖuèaGÞvÔ3ò'ڋ¨ôteÊ'þã20ÂZ„ù+-v ¡s_±ҸҖ]§È흉¸%D48_‹2U4óô¥Á‹„äm7«ÚT#¿ü”©Ï,8dÂbI¬B淗΢¸e”ªø“›øç}F?|o÷,º<a[#†h›h‹©ŽÚٜ¢ÇÑ¡™>J úDhŸéÉèl†Ìév¨À |1׊,=EªÀ1ž£›÷›,ŒzJ ‰†~ÈK^Hü#5kÃØ´ä*~ÎxÓ!® Eجͱ‰ÆP¼ŒG+ÄhF ,Z bzÄíWÂ̈•b9ہ „N“˜_ùQ‹òèÉ4¦3廤ËB(‘;šŽ»uí°Éû1|È>ʺ>´`¶Ò6»A2ª çO9…J–_Œcñj`øê•iɸE‘œȒDü9Îè)υóeü¦õsÄt¶û)ƒØó]øƒÜ &të¨*é5–ö0⊁?ˆ÷©Tqâ·DýJhž`h¨sp~ -ÌŠÚ ø,Å@Hˆ¹´z$¦“¢Rõ„¾®û£6pzñŸZTyûÈ2(†4–²7h®GœÅ‰Ý?5ëˀ 7m›TÞQ¤‚+̇ßG.¬¿sŸ‘7¢ÉnYFV³œÜÛQ$yÄE%û²±Q´…P”‡¹°ÝÜžb ÿ _0}}rÅZ¥¶ š¦K.…¢ÌUkÎÖ »iÖý MÒwÎûÃä˜ ‚ÊPÁ„Ð’'è4ä²¼=€¨†_¦ÈzÕy¿É..ZôuͳPä_ÃA¥ n텎Ç´/®| J/´aGÀó«b“" óö&~èùIªÀßþÑ*1Ö¤ó´÷‹‹Ó€w“ú7¶ÉŸ—0S¿^Ë1š·)_¾Khñ/Z‡m¬^#ÍÁÍ ’ #§ƒvÛm8£Ý#¬XeތÜË2à¿Ëƒzs_Õ¯“mC`ïZ2r8É_'¹Fväf2ÍÍgÊ0Äs -ÒÀ^Ò6¾©Þ°´äÀÏqTÑíö® çŸ$@ÆOo‰…¿§ dêVMäáêh‘´B -ODµóš\ÕåQÝ¥Út‰f»G û*NèlÂò;Ö× y<n‘G£4°»HÆßy ᆣ§…‘ÙÊF -x/þ %³ znj·<Ÿè„­÷ô í ‰ª šR˜*¯xM®Ì6`C¨€qÑÂzýÖóçÑú;þ¨#f\ꊝ³pÉôâˆ9£ö…¿4ðÕ«är ã%MKÂê·³©3[¯ïm©ð–J)”úகç'ï”oéa} “S\±Š£zÿGtÀàؓ[å#.´4šù¢%0Ó-[XF°cY?EÁ?UH.R-Ê £ˆ}¥‚çר_³V4 =µ˜Œ™±q¯x™Ó˜uTú>Jpœ²4.Ã@ñ„ïÁ°»Š÷”¬õ0“éd1‘•{/v°xqÝè°ZŽiÝ&r/ÖQ‡B|'„ñjŠ6!ÔæY"žbx=>ÛyòÁPD=áJÚ Å¾ oDãÖ"ÒB¿3hõ\¼­wxLÏAYj þzçð˜_6€Ûèm -µùœw¡ƒ Ì´ç+;ž"¶ë¦Ñ?doû‘ööb"!äMeßÙ°°XƒÛ "b ±-`OX‹1Տû_µ²F„ «WaŸï£˜@p+ëakqۀŸÐˆnYôbôóºL¨RÌaóå Çfh#-!”„pe·EŸ¥ìªäÂh-lS–Úq•—;`âB=)vÎ?{wÙh`U“m1Q2X—Y˜õœj‡ú[µ®æ4öZ$DT›ß°Ó5'B~´)2Ï#*pãŠCñ}t¬Akª#òô%ä`)~¨ä½{ZXܱÄÃǒ@K'‚Ú3Œ…¯QÄüäYÁE›kÔïœրw»îTð³'aH»xÙ^ôÃÛ²ö³›úRƎæl帘k%Ǧ‹ÀŽ¬ßkN¶óš×„~Yy¬Öåwã;™¾ex±xª}Ώ fֆ'ñg%·”Kkø“ -ü…ä”÷FT‹K¨âŸ‚øŠRʲŽ[ Ž_n™N>ßÎ2rWìÐc”r…£ã‘mµ%Ç}6 Z_æ6?ë¦VS¡|Y=!j­¬å ÎÿùPÔ¶ÌÅì€Íˆëb޸ʮòu[É¢Ü%f)0ÅÊE6¾7ô§N«E[.©ß<¼ÆÓ, -ë®o|:o•ÚœÅSŠ%)Õ}ø=™)WÜÔµÑ;¦Í“Øø捓úm±a εVsJvö@K£áûç(BÂ^àwðg®Ð‰'cÃfBÇ…¼"(Q¦î†÷´sø¬kÿåõƒk¤3N}óx=©ZÍg´¼˜ù?¯…šÉ€—\E¢ŒíoAËLՇõ©Û¹FCcËo÷³¸Ïá€Ò‘îÚ~ÿü…On4G!>Ü-[·,3!E‚VQ¥H¤HÿÇ° -+¢±'£ë(‘gå]h’ 
v–i`PÚEޅW‰¨¹úmõ'>Më³&#kÃ^z’0†i¹"Qrå>+o ’BP,ºðü R¥ ¯0˜÷—Ü]ý°ùc‡’_´6iY"ëf¶á=µŽpe îìI‹vfê".Ÿ£ËæDáišó„TýL-k,I•:ðkÃæ&ïJŽáóÆfø ”fŠ×Mž- æ,Eˆ,‹bù8#^à0T§L’‡Tvn轸ÿT,5 ÷S> +‹o7ëX¾õ±“¸K«¶CÕTå)#«:½š%÷"Ì* -W£Ì8DB¡ÏUÿ,”…œ'‡n#íÀ‹ªUI“ƒè®œB  -ÎÓq$Mö—YêqH$ÅýuQóë®_¡Eë´½ó: `$ËÄɕ!‹‰@3^[Å¯iF@êU›ÈxcmÄ*kâ\yýqj_¯*]U|ë•ð;š:Ýc¬Qzt/ w5^b€òœÌuŇ 3dOÒap!^#{ÛǛÉöTº0cãAf–ª…5tá,‘Îÿ·Ñ>ú;Úk¨[µìÆÃò©² ¢¬wçíO5:Åâm°Aí@Yi©<¼†bV©A±qaú \c6Ž'dR«€ãæ{7­nZ‹W‚žqꚟØèUWÕ+wׂsëĖ“ñ+ŸlñË-ÓGQØ{š Nîê¾0ÈÍ-ŽÃ%Ð夭m.ιŽ2ût]#ï䤽0ç6+ªÌ#–Ý(æ$†äCfڙ°ß¥zX؜HÓÆ÷è±p2ÞÉðB^ðf#Iïf×x_n&³„Müè7¯tW¦:Ð'BuIÚßdC¢Ÿn%,~úB´ØÏß hQ(žC£Þ†7 ãÇ m/7Q‘¼ŽÑqJÁÁ_« gäÊ%èÎeµ+wØY¾vý‚‚y`hkÒô÷±ÁGv=ò3ÿc‹œÜkç8³ã©h»·:@P]$P·ã¼­Ûj&æ؂ˆ–AóªíI´˜ZQuþ>sÑ¢'îïߎjéZˆJË+֋gÕ/¨R¤þd¿CÀ07ôFâ>V¡êxV#SþF G¦¬{ís$¯º¨Ð6هàe8—Ö߇SµÊ˜. Ѩb;ý}ì¼È |sSŽrÑQr¿q,7¢:`éØÔʒû¼Gß(|ß5ªöÈò×ËV‘ ¾ß+ªÞÜåHùîÙã vFw§d€Ohߦ´y˜µK¥yàu9-™—» ¿¬ÛڈÿfÓ_ÕPû✮’¬ë/°~ë@p½ ö6ݗTÏpb¤£¦ßÿ{YÁbf!ëyk~®Ä^–Š;±½¾´LD°û©úÇAvpJ’Vðä)?X,g/+{de "ôÞP÷ªÖá áp”!`.nv÷¦ÊGNÎF¢­ %韥$o8Ÿ ›¡™Ä&ûk©³=]§¬¨ßîaêÉv)£°®4Ê +pö–fÛ˦ȃâ²o•LdšŽÍV?H%ù¡¬éBi©WO.Gßæ@X¬Ù¬†Ðøҋ@jGxô¾±–rƒŠ%}ê0ÿB"jì 4 -cyÑ=—Ó2ÂÊnüžÚî`Ìëá(å9Úv˜t,‚v¤©©äX?r—ýØJH¸Œ›Ámòƒ 咆ðº£Nk9'~µÕAœ Xs{cÎ®z§O9M‡GÒ§]I-þ3‡Õ6Œ°€ã1bµ9ü»:ˆŸ¡2ßÖ©Á7÷k;m慞ݬ+é'ëT0è^žÌ™h`_x¸²4]‹åw¸iGø$/r·ÛÞîŸÁ\ ®áGy t:a*bóîUw'lµ!«¦¤ƒ‘¨“ŽÕürÐ´`3ò¾ý_¨æ‹[·½| 1¹GŠ}!/óßVcY͞*½?7/k&n¨¤â?kw‹ GÚ ³¨’ZŽ;©9yÔG>]!šQt*à -ÝtÅ çÊzȆ¦ÏÇ3œ—5”Ö<ÝÊU½‰bâånm -l_:¾ -ÃY_ÂK¬ìüvE\aÐNJðÿÞ¹nèbWo@ü7•öÙ58±£–%\É^ -òÌ%_K ì -w½Á-Bõ?ïmif‹:¯ í² ŠÔ|юé.QØ l(è®!mW´»âŸ˜Å>2adQ”ÄpO}UŸN†}¤‹—çäsê2„|97pŸY^½VSz¯‰*ýsŠüä͸Î=¶ù Á ;ݽZ¸k²[lC)Â0ÐÐx·8äý=ÊÕi~°‰Œ÷æ ¦j>ÝÏ cê ^´5»kú¨Û ®¢ð -Õ8§¥rצT~& ¾}÷+Z?/_È࣍w4E+^o:g’,¸’/f‚Ò MüFœ;xóÝ †—Åà`öÇ‘y´ºù‡Ú÷òD€Õð•MU‰¸ÑµEh&¼¤(ÝnVŒè.lX@ÄôÑDvx™ƒïˆß†)~–E ËKNæpר0-Ô§(†3øÚ8»!¹ þÚY‡Lcù°ô4à 7¬wO[(V›âz'O]’ùÌ1ԇãMǑ+¹Ù “}ï`¢7aj?ýÇ˚–x¾1ß÷»0Á3ðy—œbHey‹é¶ß퓣…™âa44•bô|ëi¾«!Öø±w€fïü@åÀuƒwt—œû,a—žeú:o¤Õ”]aXS¹/Yv¶N£oúƒMUG9–П9Xoì̋eó š_•·pI^Ç|B/ôÏpüÊ[®ÒnvÈp×6Ó¼îZ™ ?¼ð`͑‹…U¾£$ƒãéÊŠè"Ÿ¢1¤¢¸éX$Á-Ùÿ*Ò!¢ù9JaY±'FëíR€>4kZVÞÉ ëõŸ„7kuuf¾¬ŒU®:›ôNŸ%ëâˆL "È`ªhyM’M"Ñã -SUŽDŸ˜ƒpj 
U=y(Ž~{×R'¶7UÔG.!ÜÃe®ÉA+ðÔ±·v0H­7)m(pÍ~û%ƶ*¥â9êÊ<¢¨›]`Òël=šV¾ê5³ÝF2…2ÀG›±‘ƺ»8Öñ‡%…x‚©ÙŒx&rq],`Ïcj!¬¢L›‰‚ꌻxݼ'§x¥V‹–[Pb^ܧ:Û+º]©Ï`%ƒ®CP?A>|&= -—”tšJ°7ͼû ›¹yéÐjA0/Á ³ bHgnÁ¯'Š€•é?d+lDVmË$;6†º—u™ 9>üAZØÁíšw`MíÙÝF:d”ç‚y³ñ\fË_3e4SLÞë‘L»Rzà£Qu“ªº7‰P¤ëaÿy=è¼õ%iqÿ8uëØöÀ—Ú[Ô+Ædµ!‰ µô@ÓÅÌs2{¡¼ˆDî9N”‡½3Bfٜ—p'Nž{õŠ¹þ2þª€³:r‹¢ÁsšC¯SÖI‰iÂî^ì< -CԄ0XWÄQ(8@XKp9ätñHkaìÙ¶[öƒ!ם¿oT_ N1;aµ<2WN¤øùÕBãAqÉBa@PNYocYÍ\Dç™ô’žÓ …¸ßëö ¡^uCGd¹êU¡RÌè>áëLúƒ¡¾\‹û¦_[³$$ËÓ#¿%,8Kú—ËÀ —ºé?ðZ;RÝèŒT@¾ïÝ­;s|ûÃìÓöYÊ[(T©ž™PLýMJÚ§âÐ×:®C:”P¥qg$)¦)šp4 kÖÀ§B´#¶á×çûsVÁ²!ÁÓ÷ú9ÅÂ|5/…}Ù¸W6:mº“Q7Œ£{PØUA%fBë*N`s´B1ÒMO‡b -„v‡‡²˜¯ñ! +^×ÞJ{u¢õˆ8Æðl™GÓÉ`S‡„d9ªsi㼙wnÌäz3ÉÞ}­ì#$ؘŸáÇ´.E‘Û<œÞ]oÀ×}¶À åd“‰CÌ®™§jÈ{ò3¯÷bƱÒÂ$·+6ó(¸ÍÝ%3^E‹Y\~҈v/;˜˜ß%—⏎.’-ZëÊ:‘‰¤ÙºþŠá·¨쑱V&2Ÿ6 |½¥a>þÚiÈG‡-ϘŽµ­DqˆŽÏíëh…k{²÷Ÿ×w=—ù-îÐÖbÇÔm‘@HBa$΀ž\?¨µJªBp§Já#«ÕmfI˜·PŽ*Ál›õ 9êu™•\%¬=xYW:Žì]ÞF#wÇ BG°')ÁA:pôÉèzGu=ó¬”í»ÊŒS€ßGe_p×Î@!؍Ž¾ÒÁ7 -ÐýÛ¹\g|Æ\ѤÇ/1—«ÂzwîP|MF¦‘ƒBXOèȝªUŸâD b³NGd,ŒÛ÷ÒøŽ?q7<ÚÖ¶fÞ>õL„ëï( åAͅ3ÓäD‡Åi÷Bý—›Âör)èø­MC½Ã©ï/‹ûoÂJZìª ¬_?sêe>åÀæÂò×!îÙªŸI à®¿ô{»Û‰ol0ʛÉÁìٕ*I„w;‹ºpœæ+ÕF8»Â”›¢áÖæú¹ù çiHÛÎl1|(ä%3¸?îcî³{d=ðK’~kÁ¶CÏ ˜úÄ«ý¸=q“¼g‡m‰Ô!–¡dϨV´ R©Se†W†HMIsÑÀq…°£ÌPÄ\?þóãLèQŒÒþ× !OáŽ_;„í@Þ¹ÑÙëÁ–‹Ȑ¡a6 ¹¤ô¼ëâqþxÎÐEÀE™ƒ¯ 8JÕÓÇþ{,­A`´aý˘cڍ5ôÀø»Îü¬ÉÚék‘óýÒÅz_ÕXƒæg_¡ÈkÈ;RfxËXcïEHÛ«Ä· ¦ÙR÷¡0}²ÿVÇéêúÎ~GE¬j%ÖïÔÁçèvÚù`ñc¦ ¦HfâB¤Ë¨A˜ûV´y©A\øên¶”/Ú¥•†2LæN’D£^º¶î"sÓZ±‚‘ñ–-¯Ðí-hR¶ÅŸƒþ¤ƒ¬£ ÒVU‹¦ Z‡iuoøsïð ãy¹?÷FŠÏù¸¶\c®aBN/º©yØ,ŽÀ‚^`Ûê;éº$«…õw °§5—½¥äÖ ÷Ž7kœrpJ^.~éî¿ÙPÿÄOÖÛÄX(4xU`úċìó¹ï½Wù4|ÇGÆ7‘cOÂ!Enqµ' ØDv3d«pv³è~~S‰‘<¤†4Ÿ¢¦…FîØ^.Ў;$¶‹ŒímDˆŸNŸÒWߔCgÝ(û¨DcAîæìw8ð“ßðz•ù‰¶h[Oqw¿-§Þ£·@|¿«ª³ø;ïِCÏzlÝ×{e}À‚]±ƒSNu©‹ùIToýYêŠfMo·”8i§;„ºÑ4M ˜É€•@èwrÅÎNêäl=.½[Î{^By¡‹7 %åô?‘ëz|H­ÀTÖ³)zë’ ¼¤WÊ þH‡€NM…BþÚãû$–+¦‹ú‰K=Jtl~mÜÔD‰noy'¾r†](³³‡ÃÕNtjcoû ‚€–7kï.0QèžX´8¶ªöB,Ô༵Ó %•˜ã·xi&µ^Ùhh¯]¿UJ—W? %ßÖ|”ò_¹ît<òsø}¹ä±M¼h]\ÿ›YìÁ -ªõ'M˜CkC ڄàŒìŽŸÊsÚb‹t&oYy•G%œ+šÏs/'KS8°È¿œf‰_­³(V›tŒðI'ìÚ -]RÎîà]­ÄÖÔ6h Rû·@3¹9 ¦–P. 
áYä ’v7êÀ!çbkú26«&¶Ýs8ðd·XåëGⲶ Í酧îɏݡJ33k©ÂCÛ@ã8ì"õkASÀ’ôLd® Îìs¨>±ÁOsô)úAh#”;,ÿé…ÞWמõémn(7äã@¦Œöˆ@)œ›¶äS7ŒÝ„u6žßàÔnÐRq¤öCÄÊnò:§«ýŐ~FÊr¡Ë NxKéD„x?{o©v^¡ü G¦Ù=Ó)+èŠÇoû·l¼‡^b­ê¼iMìl‹ykÇ©‚j®¾kÑA5ö¼;Âÿù/Qþa¥‰âC@þŸƒª¤èà8à -tþZè -, ,SÄ ³®Û·Q–Ú‡Ý6%€¹·„SCTÛæ0nǽ]r U¸¥Îô ÿ×7u)“q›&Kñáè×D\Oì!Hç‚íÄV¼²¢8‡èä¨ÐM¿Ê-ú o<öž¿þ†îܬ²;¼½:èå9ô“6s:Þ$ùÛ õ}ü9ß[™ÎáÕU=u[h†J ¯ã®`/Ô Å-!¼:G% …R ¾"¯Éç›Ø…¿{føšÃw²rT(Ú<e?jVxf¨Ò‡(m‘ëyL±‹‡ç©nBÀl•­šø‹S³¾¾×‘3Gþ”BâҐ•[5ª¯n†"_-ÑkFV»½Å8Â$Y øRgºëý{ßqÿ–¶úØ'Œ¢J¼ f¶^ª .`Ý*Àݏ5cUO®'¢$ÉpšYh È;¤@ˆD§…²ä²«krºr!ži‰1¬>½åY¬âõÓÆ;Öï·Zq#q¸ÈnQxH%C´quÎbÚ95Ì×ÅgË=C6“œ¬ pŽ®´]Áöeîg˜Ð§# hߊŒé3ÔЅxšS0süÕ2¤x㖖ººÄFþôEgòøæ‹©,»ýR Cþ 2U9BS×û¨þøDáɈ‚œmhºßa¾Eí¬ÇCøw[fÝQ¬ê_1ð¶ -㧣<¡žH4Ðé;7F9y¼Ì§@xcד;çUæõ<+sühUÌ-­F$F=©Åòƒ¼»vQº%‡Óò0j1±dÉpQfVë tFçÔq!›5V(ð¹s¼Q—6 -E WÎ^ÌË#ÅwÂWÊö‰·²mý$ïãœ9ž"ãabH¶Ë'B÷Ô"žiØ¥±AËݧå—F‡(È-'ˆÏÕ)ŸÔ38ÝH—ð¢9p Ï«1略)³Ðûí4&P"tœ{#§ ˆ:’úa@û#¿½ßsÒ¢ñ4:‹â¾%lÊ[PLxUµY¾L‰à'v4ûd)ÿR -·ãt۔I67 ˆ-¿q û1C–g‚–w—¥&"_q¬ŠË×Rì[ø:_ŠV„¬ñ£6 —Öɧ› -ï3º¢\ïLV´m4ó -2c -·î:LH,rÍ̘}”©”ÏmôwqDUp˜¢¦`ï³KÜÂM‘C¸2Ò¨æLëQ{ÐC¬,˕ºõtv@þýï$&|Gh­–yšÔ=•€LÂאþ´9QÞìž/ú¾dÊO -¥$y{o/ºÊ…-â^ ³7˜ÞÌu7î×æÕ]ÞÕÛ 7K–ö Llœ® èBÉ0ä]Fç Ã.Ȇ•O‘J®B$¨QLJ ‘ IxÖ-€I¨9 -ý +î$aÉÚ ¼MÚÄ17œf -µ…¬÷TýMŒpqlî^²²jd»¸m] -ÑL=&†ØÚ稺Y²?·SjJJ}-ôäÀNT ftŸ s %–þ²8—NŒ ÷¢—?³¼B¬ýÐã&~1$*nGTÌ1÷>¬œå4>‹šÁöm¡Jv6õg/Š0¦Î2¤׶j*ž™¥Ißëã¼é¤Tœ´g»ìr¦Âé‡Ô{vÆP>ý$ez.´r™Âòêc>«y.AžXn7ås"p.w¥Y¶üÁVc°rÆúÄǒQN¸ÿ‹)®D?â1œJŽJúwI×9õ €ž´ò3–\æsNçAS*Ö0a gîêv¦EËÕÔªƒ1æt¾ÎuÝ!MºAÊ®ï Þ6 à,‚càŠ1¤þ”qím{ Ǥâ‘8¹únäéß?ØÄ\ ntÊôñ·QæèêpADh$ÅEú½lÉúÄ!#YÅ+•Jr›æ#©¶ÉCEƒ˜ºjӗ؞~¿Ø¡ -ÃÕ³5šQ^­šõÙZfé©4ûå-Ie U“®é -šÉ,‹^Ì*hÞԁ@k-¸¤òˆóÅ`Ìhp್fŽçÅ»­!4ÛC7©”aDNìú!n*IìÄc]= 7=³'|D±€úÕ$X\Ò;§Rùùüš7ž46ÍF´k„ãJWóÝÛ³³öªX -ÙOâî¯4*ÐHÛŠå«<Ԛ>OïYò™ì˜„_ó×Kßž6ÒóՐ¹“äÁ;áfÐ ft°‰]vÁsò¾x¯»?N¶1…þªYGtìmÐp¥Ó¾ÉtZƉâ‚^¬ ·JHëƒÎE[+Í;þ ØÞ_×†ás·ÚW¾}Â]Ϫ'ÅOÍܓË£øЬããêd7 ¦‰0Fªkº‘*äýêLk¬ÔE¦ÜXÚ@Ùà#Œ]ËNƛy³?}/Ø­ÚÝö»µšqÁ§‡šMO×ÒNП -î€þ™Xîél6˜†ý\k˜H‘VB ¾ä•íé‘0ßQV‚mZ¥ß×´I=v˜m^õmù÷ fC÷Rp@][0‹[…B€žÉˆáL~ÄïäA›ª…]úåøïãíç”K*¿ìø«¼“î™b§çcÑ Q´WS¨Ï»:œÑCžÅéÖ ä9OCüW•âB—9ÂÓ:Á£ÿø `¹¿wÁðí`áœ)„^֟ۋáìù*–C€ìë9˜|83/yí¡Mª¼xå“q¿b‰¤°SiHP8?áÀª*?©d 
cZ“|G>9e¬­'×QÂË_AÌó1I¬ó~/ø–dúI¬Ì¦_^¼HDWRîav^]Vç’åAÐ *\qN|n¬ó´ÕSxùÜøÐú^1ü‘¡u÷F󻈥 ¼6¡ŒGì5éäö•J– W ’_å×iú†²ÕŠó”‘Ñ|˜â/ôåá™ÎMÙBŠË‡šÁz¯¦LCö™± +¬Ë.ê‡}D×Ì M$•€29<󇍕1$5ÖøY MšŒØ#ÅàÈfdØEò†L'›e3 Ž #öԀs*þ7ùÁ è²Pkâö5hʗù0ýD³¶žÅ‡?ªR©=_Ì|ß3j¬ÇóìDE"F…Uå. 1&…•I Ft($ËÒ»¶ -â*áz^.\¥„!Á“{d¿ÜÐ#ü -ïH --|ò0¡÷F¢$ßñGÊÌká{ËâÈÍL–±¨ÀËäýŒÛª‡k[£·3žÐ îF§¦¹äð”Â-kû4•5}Â;²©%Ÿêm&øɈ`r}‹¼ ÇZöŸNp±Q†}É |~+±Ú<¶Ð1öŸm*ÌCÃ!̤A©„=í«(OÈnœ¥cã7äG“dÊ}O²º¼óçžê‹T&Ý&ÚpÎZæ2«æ\Y=9xb• ž/PʹK¾âµm@0zõI:ì›`ßAhÃðæq¾g{o÷ ÖA;{Õ`ÓY£º\zÒUuxVè3óxðۉ¢¢3Ø­Vb&š m¦G3I §¶„¤Ý1Ž`°Êã>(•X‡¡=xô´¸®N×›ì€èLb”ˆC‚yÆ­G‡^ B[5zÜa¨(Ï:R7Ñ ΜHü­b^ÏV.»(…âKY×÷¤M¨¬y0rôYÅOxޜ“Ü‹Z¾ƒ4XÝáJ[K/pêٱ傥‰žeÐh˜8ÎS×R]öVa’ƃ|Qh Ú¡ÿî>†2v£O8xÍՍHØ媚:_øÓ秜ØGÞ8hùõáyQyáíšßål0ÌÃxñ¶ât× ½<•W°Fôä‰Yä)«Ë’%¦H¯ØÑä冰<–ý&͗.!l/C2CɛÿÒiWMvM´a¯à¢¨ ºÛåòÏ’«€G¯M+ëèr(“9Ù 5ØöB/ÏG³8B°‡öšuæÑ麃Uʼn`¶¢LW큣Ç'NÖÄ"Ên!Ë·³ 5béË &Tæ}ûÔáJUÙ°n“ÄZEL_,”ÉÜ 5£ŠOË[Ât¾O7Zî`EÔæ@Dìœ[ºã.èØWۜéИ»ö×NÀœ¼^›bßFQWee{6Ý}®¦ º4èi^J2z¡¢ŒÛ”+Ρ}`Fj9ñÌÌ"¼`³’…2¬ªul당ç­åÆ7æ·׊5^ 䮝ÔϋOûŽáí6å MÜ-UúÞ_…:¥y·”+3͋«œ|Ž(!}LûjSÅß¼¡3XóŠb -÷z¦iB‡®”wufX]¹©ô£~n¼N-ã1JtIà³7–›fãm~|GË×è§õE’N¥h­ÿÁ†‘ÿÜÖ1„ÖZE”BôÎ&ÕaÁðÃ_ç€Õ¶ÇÍX¤kÅÇ Ā%_, Å¥oCÝÃu´Ú[ˆ·Q -ù¹ñmá> ¬$=Þp™i—à -èݎòN½‡©*;€5'®­¾¯lš²^~ÍPó­œ1ý®Ëôƒ¹q[½ zÊhwäºÂêáG: É:JÌ7ƒ…?ݝ٢|³D2˹})ÔÍ4槄ªF?Îaâ[ג©©eÛKúyÛÜÞX]Ÿp w’“?…Z$­ŠîÛÀÖ¬^ù¶ßu›¾3ˆ| ÚãUi`TîjRÑܚZkôúŠW4*™º´Rþ.å -Hǒ#Ñ6aGHÄÖËvx@³öÀþ­ÑȪ/áïba·DI)Rá n®1.ŒxÏS[¾¼m(ߍ¹I$á(Á!Ý{æið¤ÆÙßuuòûk?–ÿ”_;Â2u9ifï› ïéÞ.WË,ß¼I•rôu@ ±äCîŠoãMf_©×íÞ¡µ]–ì5mÀù‘ßgsð=|é.°«»PŽŽ-Mâg»åþÌ>lFGÑ @Z¡ه/M}a}ݑ{.±ž~ó*½?‚ë&æa_³Îé•dï()ê> -·Kæ1š3rÇÖC´žBhŒ/ 7¬-éËíâD™Ø¤Â½3ÇÚô89 ÝÁÁei?ääï‡à)gLÄÐ'ЗDvf¥#|8Ì{êc!¡"M?Æ"Wfßîé5D¤EÕ,˲üŠËÜzät*VõÔ„òp ¥ö7Ñý -º¶ÏŽmná›Á¹àŒ¹ŠF0„éY)Åšá«Pñ‹6œ0`z)ú…Ý«Èg\¬<ÐãFDQIòl¡_¨(¹XÀÄ.̚ú¥ÎÛÏÕèU—æâïJ[èhÜîè{”iÐÍî6®"#çÝcî]©%¡î!û1Bá¿^î:ê'\>•«wz¿Škb0 ç®OøñÍ!¬ªc!@¢ìp((‘åÏPCæàüùËóZü;(º›´Ÿ…pSõ‰Ô:®‚tÝîó7å²¥_!ÅZm¸Šý¶¬Î´ Eý¶5 |JZ®DÊC|63^âaµ'ÐϺ)ÞÉßB Õ]¯žZ$•OAž¥€¥·qàvlàê±xh¯ØŒ¾Æ\O@Á\àqc– $úfX›ŒMÿºÝâ ϗ_~ÿ¥Œ;Ñþ™MN¶í/–ÌlŽöŒó bDTh‰·K,¹#To-—Ô‡ç·ÚÐÃ>¼—‡rùˆÏР$&ú"„Q.4éÎÿÖ¿v¡  QXʽ֟ÿžÍÆZ¦|Ï?õ•òL›ï!u¶øZ†w^ vOT˜ÿáKKîŠj*ìKía·iØÖ+TnÚ˜.PÑoÐV-š°ܶæ.Uä:MP  6J·-hé|î›õJãH”jh·UÜáU4|‡†Í 
ÈlŠ×=F|•Ž¸Rõ˒ŒTL<“À>ó‡Hk;ÐØú!×½‹~%g E´·P”Úíf×$Aœ¦‘Gþ°u†Wý‡czfb WÔÅXÚ´Ö\ü |+B›·ñS€­)è7RD¬ós:?y‚Ã-r]þ ½^ónv-Ï]/žVcà·~6•ažBÖ eÃH¸ïòYr£ìË$³°^(„*Œ©cÈ=¶1®waÖn÷ >¿ÈžQSÌ«¯UßÍ ™?œù“•—3'nù1^7f|fflPšÖáhÀ•+s鮞!×ÙæSڕg+qº¾v ¡zÊÙËI AYÎ*» -Ó2±_,¬0?$éýœEAíÓ!yyÊ$ð¦Ϝ6{‹1‹'®[+\Á‰3‡ŽŒóàyp)BèÐ ãk3¼Ý(ì08á^,Ánœÿÿ‘^‰{zË0¤v±âú”ü¼bÇÑpƒ¼¾¾9Ù֘T«…ÁØc`6m«vt1K`êSL ‡õHˆ^› 逩L:%–«¹¦};ü\ûÀFB¶ÉÁ _îgì@YïC½˜¸gå4†²ÉMŸ¦ä=’«¢#À›håބ*ß:ïÉ컌Â×à#áå}Ç ØFóG…«SÌ „¥é½§ß£Mܲpݬžo¤ßx¿Ðõà¶ò;‘±­™‹­J2˜´š¹¢'VœÒ&|`!4ûŠ›Ô§‡RËf¥È)žJ¶¥#ýӏ•îîFmÀæ,ßþRQ$B¦ð…dU;ä†B‹yKštÌârG¢xíÈ*,žo8˜:Tœ8”€ù=a$õSD0VE÷Rh“å{°m+d’ k@3-On¨dÅ7§I¨í¢;~¶—¦öìW¼Lk={!%FŽ¥#ބ[€.Îpa7…t˜Õ1š†kvòý󗱚_Á×Z]P’µôú‚¬³4 ^¨!ށR³™îl¹WÃ@à.â•Þ¼§“¶f~B¹ÞZ‰©ZÛVÍã™åük W¼¶Kçj’Ôª©œ0[n?ZÖyzžö]> ­XÐt™Ä;™!„€~ä›,óf$RI51ášcûÍÁ†&ւÅqŒÔ×@ÔÊKq”ÇEò~8gøm•(©°ò~s %Öf×l·]å m‹p†fþp}Ý9{â¾¢î»ÙÃ!ŽEýˆ"; èô!ÿ–¿moVê‰à™ü]•ü”™aŽ} -ªjDÒG@œ=ù¢0Vþ23qð8@R‚¢Sx†€ÀˆQšk>֘IÛ»åÆnÕ@ Šœ+7ƒ¥ #xA&¶#A×÷“š k‘ìÚIÍ!]i¿ƒ–A!’ª5•JN¾w¢O’ ˆvš·Ò‘*âô*,¥×¤Q*Þ=£•^¯ÄìP«Üé툘Ífó®U‰{™™®ºû¶®á·Rû™ÁØ aûp"ë¼[÷—– ®k=¡_„ ë¾´6÷g]Þs±ã¢V×/h_ëìË4J#gBó³Ä…¨Ýûí:½ôy­ã~ó•é«©W-ªuuàúàÒã£^N[pa*'õÖÀ+Z“XÁàæකÈ}†J~NZ_?ÿ}þiæxA‚ÂðòÎZÊ6š§Œ u£a£ÊýDAEËÿŒåkd'‡Œ®2Õ؇¯ -V°î2»“u=œÕÏ"¨¡ ¥}ŨRpÔG0Ò|Ëÿ°Á÷v¯×ã#Ði¹j3ÍTâè(3Z÷†]ö‰6$áHý.ù2rä"Šñ.Q}Œ[ô(~áa¼ô|·g7LÜëèi GÕzBƒ¤ìò°ôÉy,£–¢€%ÝÞû.îcäG3*Ùºr¢ê.ûÝS²Z°¶¯Üi𥰛‰àò"ë8׊Ê[¬oœæiªÈtB!N²Ma3_#”Ö‘3?z25Q«û%Tb÷‹ºðƒS‰\ ”Ë`DðÌø¹Õ"†Ò»K$šù‘ W»P-$Ô"taâ5í.§œi"2a îÎEg|鞢³‹O-,Œ'²Æ¤ùp|’Ì”‹Ò7rž´­‘€µ‘‹Üä!ðvƒŸÖß0ÕBöy\åqýXkʀXƒÆ;my»”(~aŸ›{á|±ob’ØÏÖ­Ùxœ=†¤…` Ö罦(h ö˜85]‰„C¬…ù×UÎu×ÞÃ4]}+7ÄÝ Ú‰-¬ú‹O ›ë}KHE®r¹ çb۟ÉwO0t©„oµÆuZ¶Rèt•qø’.ùã8M“ƽ7·ôº8m [lC)¤ŸÙ¾X<‡ø¢ø¨7¢rLÚIQº¹RоR>„OôºˆzMЃ·:¨ “Päkæ ŽwS´RnBßÆÆ<9Ų|<ø{_À+¾>¡zZL¼³S©6v˜I - ?0 -tâï¯tãq·˜þ?pÿ?Áÿ'Lľœ\ìmœ¬áþ”Þendstream -endobj -634 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1336 0 R -/FirstChar 40 -/LastChar 90 -/Widths 1344 0 R -/BaseFont /XTDQTY+URWPalladioL-Roma-Slant_167 -/FontDescriptor 632 0 R ->> endobj -632 0 obj << -/Ascent 715 -/CapHeight 680 -/Descent -282 -/FontName /XTDQTY+URWPalladioL-Roma-Slant_167 -/ItalicAngle -9 -/StemV 84 -/XHeight 469 -/FontBBox [-166 
-283 1021 943] -/Flags 4 -/CharSet (/parenleft/parenright/period/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z) -/FontFile 633 0 R ->> endobj -1344 0 obj -[333 333 0 0 0 0 250 0 0 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ] -endobj -626 0 obj << -/Length1 1606 -/Length2 15226 -/Length3 532 -/Length 16089 -/Filter /FlateDecode ->> -stream -xÚí·ePeݲ% -…»;ww(ܽpw6°qwwwww/ (ܽpw—ÂÝáÕwNß¾÷õ¯îûëÅ[+bÍ̜#GæÈ9#ÉwaS;c „­3 #3/@dcìâ$og+Ç bgm -øk䀣 u9ƒìlŌœ¼  )@ h`e°ðððÀQDíì=AæÎj5e ::úÿ´ü0öøÏߝN s[åßW µ½ ÐÖù/ÄÿñF àl˜¬QÅïZÒ -’jI5€$Ðèhd øîbl 2ȁL€¶N@€™#Àúß €‰­)èŸÒœÿb ;ŒNö@Ðßm@w ý?.z€=ÐÑääô÷r˜;Ù:ÿ큳dkbíbú¿v3»²w´ûaó×÷컝“³“‰#ÈÞð7ëw1‰ót¶0rþ'·è¯`gö7ÒÔÎÄ埒þåû ó×ël²u8ݝÿÉe ˜‚œì­<þæþ fïú '­ù2 8͍M­NNaþbÿӝÿ¬ð¿Todooíñ¯ÝvÿŠúŸ@ÎN@k3F8Ö¿9Mœÿæ6ÙÂ1ý3(Ò¶fvæÛM]ìÿÃç -tüWƒ¨ÿ™š¿$ŒLíl­=¦@38&;ç¿)Ôÿg*3þ÷‰üß ñ‹Àÿ-òþ߉û_5ú_ñÿíyþ¯Ð.ÖÖ -F6àß àï cüsÇü¿bl@Öÿ›èÿ¨ü7Ãÿˆ´³Ñß6ۚÿ•‚™‘ùßF“Èhúälb03²þÛ£ÙÕlMŽÖ [à_-ÿÕF 3óñ©Z€L¬lÿi:Ç¿]@[ÓÿÊü¯<ÿâÍ$.)¡,£B÷_oÓE}ÿ«º³ª‡ý_bÿ£y;Óÿ¹øCDÄÎàÅÀÎ``åâpr³¸¹X|þ7ÙþÃòŸky#gG;@çoÉÌ,ÿ*ü¼ÿ¹Òû/0â¶&v¦ÿL‰Š³‘­éßÁúŸ†Ü&.ŽŽõü×Yÿ[ð¬ÿ5â@ ;ÐneÑ΄/Ø2=+ù;ohBL§¯‡b(ľì‡jq¡­]·_zø6O•á[]cÓ$ïÇ/…?öïû2´#=XÖTÝ©À‹2šÞBÔ Êv.ºƒ@&ý2ČSh¯Ëy¹-HmNfõƒ %eýÒ7(ÂÉv6G˜ËG2×B ò{$_“´Æ8Ì”&0´ú¢?§”IǏT£ÃCƒÝ×_{÷ñérã`)ø\!)£ürñµÕª¼"h3Ç&¬±„N™Í»‡¤¹ï°8×ÂYÂù6ª†Ü|.°oŽ Uà‡í”†H\ά={“fzüñÛwšÌ(;InjÚß1$“.]dþ¬²¡ó»ç§c!˜-ÖÅH»FÄäôæǀ;Ãõ=Ä|Û.ہE‘e ë ¼ŒPxÏNV?±W£¶Æx›5VB¹®u%GñèêÍà©Ne„/GçÈƬ÷v^8 %1ÿƒš1KPè½qݤA‰?ÇèñQÚ!©æ6ø$Þqs/ª A{øƒOÅзëðÉx~X¹vÿØïîYÍaWtM=#à„‚&æ¦Çå@ÀЫ®2 å‚+°ƒ~YqWRcŽÏ67H­ŽÓüÛÚá7ªù« Õ0–† ¶_¼Œ¸F?‡ÚŠ‰½Ž ?B¡‰65Ôó½ø® -ñ½¿Ý¡$ý6;›˜ ½S‘F‡‡9Lq®÷#7ùºÞAæOy«Æk™¬0\™òã)àڊ¯Põýè_°ÏÈ𸯪+WX½À4qW%¸3A pǂyçNјŠhÙFƒ´¼òàH«Qûv¡;±0p•]ßt’~xd,Š‹÷xÂÍ6m$ˆ¤bŽè›a»èýa–Qº ÅZCE{˜Í¸V>$zytgC¿ Ëûž~^üZ΢ë—'¿4vÌ¢€œQ(߈¼ÚóE$9>RÛòvJr —Ž!V•Qê-¦  ç]kˆ«#L¹)N[ -Y'L -Ml%£:Tid„‡Í!³ÿ²|Ø=ðНû})ñËHzÕøQ£ð·)k{U“›âí÷T£Â•¼hð-· ÚyX3ïIIìŸÐð¼íˆBÚþ# -†{z¼*†ÆO0RÕ[|+uØ<»×xB–)ûµjÃñáÛTK!ëßP.GJ¦ šïHídÏ·Âó‡8ÍÈÝÑìᣮ¨¹)KÔ«£" [ßáØÓz'f?r÷g‡ÏÁ­õûd„» 
Ë}áY‘’¡žRÞÃþÛȞiuMÛqÁÞÚÖ:ÏÝu)âì¾ -´mg!™Õ[º±dúrTýÛ·àÑï;¾Sh4+mpæN#{•x9)Âv]²O_ÊÚ"¸g)ˬÀ ó6ÌúäT¤q6`Ü,ÎÄʓÊ.ÆmRúuZ} -u¯Ôeø9‰ùXg©v«½~ô¤™ÎbfÓ@ËZ€'púÎfjûµ+4Šð9µ?çyG Åš2Ã>öá¡ èÓÍõ‹æ©íq½j]F4ÊQc &ÚWÊ¥Œ!¤)Ô¡W;êíˆkúë¥|ÂO!xËl|Ê/"Ë ¥Y8Þg™t‹}1ü¸ê²áüs,écbDŠ‚<ÕÔ&0S™2(Ãmz\Ì#wÔJ$G”ûsuQ#JöõÖ1Œsoæˆ •X1K÷·XøZ°˜©T†f zUàÝô¤˜:%)=ÿ¢NýÌýßáB0$awϬ&8Ž÷SMÕ@: ÿ÷6²±‰ðJe Êq»‘€¿Cø# /ÒT ÚÁû­B2cQ˜ãSŸ_1IãÛóù´P$O´›ä…™±<œBn|\©žêŒ.ymõ¶9ŠLrd¤¼]‰m æâ¥ËN۔ CSÿ¤dá,šýÆWý2è5÷]ËÚló±Z°~ÔS£çDôJݬhö´þÀ†×Îåõ!ï뱲㹦ý’ëÊ ²ŒGL"ÅEàcï/e$£+[>»lÛµ—JH¯V—丵^tú¨±6oðºä,ν«x‰B¡¸LE$Éz2¡8~´"r¨º\pyç³lðÒtR.—Èšqáp40i›­Yچ >þª""*`¦É eã¥R¶!¶; -Ôw(ˆ)¸ôèg¾ÜFþRM–”T–VRƒú¡âÕ€ 9«\æÁ r˜.°ׄZÎAÆØRöuaÓ^z¾A}É €1X•¢Ä<”BÅ2Ý)×BöÔÚó–7L}ƒ.DMZÖËçÒÌ¡sìÕzÇ<ï§PÙpK`Û¶— -d„½-˜vNªÊ:&¬.U~øS}Oi²~FG´ÝÞÓXÒ€1Ó¯,»‡Oœ[ÑH'*‚ÏwÙç Ý;¾òk‰¯Ê¢NN„5S¢í}ùGs½HûzÅZ¨½B@0„¡ÒÒ¶Ðû´~¼øá4‡QYìô oPÇÀÐ1^È'¼þS&J–pa•K—h}%ãgÆ1Œ[g€¡w–¨ü±¦S Zߪü¢Ee} ;ý°Ú÷‡O¿ÿ´™“œV{ï¿4êŸ1;cr§‹ª`*Æ*îòÐ<Àò`*̽ö=­Ë¦“îUn·„ûTÕLéÜkwÆüúWJÌÁ¶u˜²")aAö%ûýº¾6Ê Íkö£ï•·ØÃݾþXD?ãÈÑ ¯«K”бïk²Ÿí-á„Ñï­þL*‡BåÚI×ûöŸ¡½©c×üóFÞéKhØx_Û¸¹Cëw¦Ì|•5ߋ„ãßÏX8p®FyñûɎ ?š¼!ۙû[ кN½ŽZ9ËÊNø⿋ˆƒ·Õš¦Ãˆµ¬£¨é‘æ=à³9$¨Qo©}õ<Õ~'ù9:xö þ­CV´ß?G¤kívÚ6ü|<«ž×XK³ÿ\DŒúWÍ/’Ez©äügå=3p•7M<~¤ ìôŸ-—§æ'?%ʲØUû²æ&ì -S–2¶ò¦,|Uº•¹åÿŒ ²]d§ûHÛ±^'ÓàrꥐÑ'Wží¼IëÛË­lžœ‹¯‡ýôÊ0àU\|¬¹.wÑ`7ÐÛå/—êâY쵚ûU¿ð½@'Ã\Û#ÿ¨tÓ"¥ÍSûã†ÖÑ Ö9X³*¶?"D'Ö ótɑmtåÊù¦âÜÓ^ Ê.ΡÁÕp¾iÏ€>°¹ ã¶i¸Xæªl“£(eUÜ"!÷{d?¼ÍÚVÊ-v+‰o y×ÄO!üÕ²«…ŽÝ›äÐÔ®¤cçÏÑûð1á°¾tùTÇÆ:ƛ’Ûô8™k‡ý½+]Qaÿ±ZYùîԞ/ùZ¨•b<΍ ·Ø!P‰ýl•Ÿ¶ ÙçÄ;S@gû•ÉH¦ƒ¦Õ®e†ìDe7#„ ÂŽpy¦#›±ÁR¹ŒÿƒuãþhËNqšVfà î™q ª†æt݀-« ½Lx:]Úñ ¾¡oD`I¹¼ ˆïÓ2œ&3¤Ÿ“’³ñWzøµö^––©ëLrH¶/±Ò~օDDÏ7öØSb_O)9Á,­¦)ôü±8lÇz¿Ü*–\qßiSgb`ÑÞXpœõ ú~0èu†£ÆBß^ ¨íHßÿó1p}PŠÇ!"ûÀ#š†Töƒvy†.ÁÅþh\Rœ—xF‘k¬^ºÏóômTkºe¡hèy¬$êUǗÿ÷À…é#ôo#^qÚÂ!r$%¡é%2j¯ÓšuQ¨šm²cÁ©âj—¡«„èo6¸óø®†LãÑEP`þÜ°+ ÷/†Cn(€¨³×v¶YÔÚð­‹¥mw4˜ž#¾ÝýpŽ:´B@f¤­P÷ySú6öâˆ'$m K?ëë‚Šú÷ù7—3“ú\X¸>¬V°a;å˜ÔP€”f Jÿ‰(OÍՁ"?-‚+Rûüe9oA[-wõ,NòµkEoãˆtúnɕÃê»y+©2:³š[ 轕µØCNbå’ãi›Õ¤ºè´ò%©ê8»p$4 -ÿ¡QÁ{þ­ -Pä±\7Š‡òÝÐBÞz¾–ܶ< -hÞãBÚ'¡ê{üŸ[gq«JNi9ª J¡ö–”ÍÎBÚ &eš"¡„™Géùý¢à¬äñtºls5 O·±„vãá̇ Õôw«¨@…úÈ;fÊ>Gé„b›žy 
-0ũ㻢×JïØÄæv/éÏد¹Ci)ïiçOî‹Z%ãM÷ށß÷m”Α¨ûÃMðQº½›š¢tžVᏍvjÚ.mOMè¥×¤ù—©b}‹Bq1җº‡§Çòº -®t·Té„Ã}5§¯kŸ1öÖ¥¼?Pe;ö•Pö‘rû0ï}Bϼ˜\ˆÉ6ù·ÒšÏ¹äçMI9!Èèm)L(ãÌSŠ›öž™{ԈV"X¡…-’?.ESö®žªAÝP! j#HA±}…KXžÌÕ§АÉMŠ[¤ã('©m»Ÿ>¾+­›™Q…ºCTmr9ðn«!dØ}û\>KdÚžïËeš»ùØゝ„À¹b¼ôd *Ç£GhU×¹­9⋠~c»iî' àŸ¿ñ«K¶B˜ËàêÅ©$s÷\ÉÚë>ˆÃzÍ:¡¤¡RÑH-@×_|eß·ˆ{ ->3;J¦@ÝÀ¯ÓrZþ@)%È€Êz¤a¨ädèji|µ€) eãCÊuÙ.ƒæqô~l»JöUþ ŽžØóáxf‘n#©[6ú<—¼FL¨Տ‚¢p¦áâþòþttÁo¬‚¡:ks_V]º¨ž*Yº‚ÖS,"ƒTæ{à':¨²Ãêﳓ+xòä½o»äß(!\Z,ÓræÁÚɟ ð µµV$n« BA†lmº'U'ž½R›~nØõãç":E›çÎy?ž ‡ ?CÑ<,ê‹DÜ(8Óv}å~õ ìòÙ¼ŸêGF¾nƒU„­]¢6¼ óÈ¡@¦]¹:@¾"¹&~žûÔëâÈm!Ê ê½–B¿™—´¢´•®]jØM–ìHUUÃ;ù·‚jŒ[ó·oi´áPä-æÒãµb‰omÈSn,aV&d­ ü _zFö~ð\ñz8¬+Do¸Ü5"ðˆ¬Š›îûRÆ÷Ù €#‡Àž¿nÊ»‰Mï$üÞÐÈ£€3(J±j½ÉR&YK6Î毒ͮÉ$2)¡S{yv¨É/îje1ىñs‰Õð®[;±ÙžI´¢Eç^›6ŠÖn8¶XÅ|ºø|…Œž -]éû.@U¥”¹7n0B¹Tñր•Ü’ü=²Øü;ApÊ|,꺁J CåD…rÿ}œ_PHqÆ»LO…NEt"†‚©ÛAѲ‚÷&¾½&WáõÔ7j§qÝÄ´Öoºêe--Cª±G.y–æQ12Ò7C}Ϥ$)S¢›#qò8R|ﬗT%’„`ԇ>{|ÓÑ(~‰M€ì¡öÔõ| µ÷•Ý Rٟ¿°xðÆÜï$xÂ1 ùê”"B/J#_“ÕK`ô!™"WX¥ž]58 áqA8Rkªk7bfRCèç`…oŽRÈeé'¶ ‚©&#É;°õCd€nzc¦}ϛ«ó~׀#\K"™qø$â~Fێ›–‰K¹Zð®=¿Í<͚QƒT¼hçîuÈÞ Œ&©ò§=&—àÈjóAŸVËpý~‹wåhß\">ÿĺrÁ I~¹8îÖ²Øeçmב[~ _‡Õ)Úùá!¼Gâƪ̣}^jèÍeìGHj{FƒÏDI‰áž>ç;Ž; :«^/lü²ÏÜ!*‚v5Bw®vªz‚/{¿É!Ä)Ý_Ò½,0‡Ä83ËqPA¨ÏÀB¤¬PA$.Z„^™ùà À_q\E¯§nT©E|i¢jHm¯© -mO´ø$ZEZ»ß÷êSùâþqÆtd±ã±ïäœ1·+}pyÉi"¾!¼ÈӋÞBêI†¾y¨‹5Á·n¤l¬ î¹2íib’-þa/mBrZJ¨g“mˆêia1éØæŽÌQt¡ÓÆ˃¨ -¢j)ü™pҊb÷"…í¬LÅí^²0Ôô{k>— ¹§ ‚ˆàêÒ|% ýˆëã_d;lEO㷳ߗœ×Rfå -ZcÁ²Z!å5Zn;£°¤Êîž4Üb -“â7+:¿ßå²p€‘ßTbºLJzù:˜cÇZŸQyØCV`ÔÖ .ý\ø£é¬—Ò8~û§v Yg“ÕŒ1…·ÁÅzýãÚWÕºÌÚùYޑG½ µq€¥Žh” G ;èXîÙ7š%›Š K–YtÙ÷¿q;Â*ò¾¤ÈfRʽC@Óz†¾>ÑRKíóðdêZ+%{ SÚ¯‘n¾€ûà3µ¨¯¹|ς·#ø2òJ_×Kà?ew5²ò!msZYÝþ³Ûš6·—O,o|iVð”@DOXå¡gg'\ÔQUáÏ‹wƒ§ tÔи7uû]J8IÓ~«]Õgb+©‚±ë­õúZ÷0©ÝæöœÉgp£è½»Í¾÷QöÅÒ+*A¶3M{#ˆ2¡éŸ‹\®þK§Œæx'wÅw÷q‡Ø™³G›Is%ößÕlÕ×ÙYó$;ƒ"d™ˆÞ›3™×Vc:DŸ!H™ØºASöò;ªÄ‚3:¬§µˆ6· ¿+><Æögn% ãïcªKZ¬ ýÒEÓý°¡©C'We„‹ŒHìE¨¥XÖ{°jæX¬ -oöw¡‰Ç÷ LN(ږÇ•ë|¦ÙV0f†BckÔ/ÖözåÄò«ÎMüPC‘&§¤sâQOŸîì?`øá% F€Ð=dGì¦[Ÿq»ê–Ÿæ5ÎS-ÇBÁ…OeÑÁyÞ'Ör8·w|­¥1Š ×þ3Áòkl/ë²OKMêéòdËÖ0q{mo˜[7+À -u€2DZT‡ÿan<øF¢àƒKƒÒÞxpÂä_µB…•’Ä5$(Z£½X÷˜,Çn=F„I1°Sk€/ô¿Ñû’-Ú%6©`Û/XwܸýŒPä°X{]‹{ÁõIê=/uµJLÒ "nÏÖ9 áTôÍÔ €¿|"= 
ßäüTËKŸŒ9¿ª>̐…RUC΢•ƒèÉ®#ÃÈm"æ%…gL3:Ö*‹¨þÑß·ŠËgó6¾OžÐZÔ_Å­iÃõҚ=ÛACز†é™ÑàØׂ‰Ëíþ¾¨?T -ÊnQu}±”ÇËÂo¾ÀxÂO¦ßi“Ÿž„Z”ž¬ùáXßâjøLƒMw®ÝÉ¡þ‰à0߉òÐaàð1͈o®ŒKÔ2û%걓ºîöC·wՋÞ«WI±á‰šæN&`­†[Ë~©à}ã‘ë!–{«-ƒÐKÜQ>µÓ™ÚHh[“+ÊäŠw˜Œ~š ‘o;UK䊋íó¢/¯sö6†>ûþøM7f“wcå wÛƒS^‡ãIԈ·œ­‘‘O¡"è£á²N´(*–ñYaZÿnŽš -/ †¿oy7¤‰¾Ž¯‡öۓHlžI-Z“ß]IFØõÖ`/qæÑÍÓÆ_àä87 £Œ êliC9Úî |Lsñ€ÖãÓçjPO´ LÔOër‰ñ­w°D¸ [¼Àºê{½mYübbžšÜ“sX¥Ïqf#<<Eq|ÑE§;¸¡Få¹úÒ5ơ̂܀@ I³ÛÏX:B|Œ.É;¦®ËhˆÞ_ñ4cúHC[}\ Mg÷jT?) ߋ zYVÄzô.Ž»f6Ä!v³ó£¹tÒÛ°§*•$}»Êãæ“Ve*"v1pu'„Q°›·°jw(»ß–tJŠî±˜Ysé–葈çÿÌÙI8ï2ò͑¿Ã,RB¤¯)mE+:’­'¯Íƒ¨D®QŸíóºåïÆw¥M0$.„¨eǬýÃu ‚ýý.òÑ -¯)$QF!ËêbVqâ!Š–i× ÛÔáZ4 z³2„«#µùjÆa0Ž¢”½¦wÝ̳ Mx¹c"ve·yäÒ0Ëdao† ˜’|¨äÊÎ |ýªm¯;°”`È$ùúgH÷ôT¼‰K6lºæð°1I§Áü°¯Ì~δ¨ñ¬ &d‰tñ‚Üè>øŒº§ðT͔­µq¥|rüꆸ´åxùòr¿jÖÑy„æOä¬-d‘Òä[ºz@z6>"Ò(K)+è¸ Ê]‚éÉëß-Z¿¹ùÁßP£«•O ?.Ÿ7©`ñ §„nºn´ˆ©AÅ -®K·¶M“‹PÐ-øeóù(,•ÐqšW×,׃ññ£™”¦£W…á觇²H•ª£ën“¼ºUÕq/ßíÇ%–Þqÿ J†tù›á8îe p©SíÊw¥N¶oéÑ!í3ày<Áév…‡~ñ¦g‰ûÓGÃPûŕ'ëyçÅÙö°ê"б2¦¯ge&ü¿ˆh8#u­÷$å†7 ~g¤ ̝Ój7#)¸"ãbø=ËÈÓF7mõÏx|)Ê ¦R+ËY'¢Æ‹f¯µ"­'›é *œCêþôêYßFÐÍ̐{4rO‘GÕÇ•-ŠÜŽf>>Ù£kïSë0N^6I”Ššwu~}Nè]Ä1â&ŽV—… -é0;êÈÞ šGû)¼ÕÝÛ•qòG­‚}¢v7~ýUÌØ{/ª//¶£@¢’BxP ?×㺽v/Ò"¢³¬É–²7~õ¥-°ú¾Yâb²4GáY±Þ\ÛêùÑò:u|?í¥LTj/Ïäœän”…xÞN[³Ö´Yg$×p‰¡ín,:ÆèÅ`¶é¶ËPÿ–ØUƒÙh|oätƒYGê9 -GZläÞ¢Åë6}oÛ,“Nxúœ½™§~ãIf7Ù,’y®KuT§Ä‹óˆÞˆ:‘¼ '³é~”*=Ï¥aæ½L šá(ˆ#}AÀ·å֕INø™Õqy»±ýQÐBþtSè³í¸ÇZ[ÕáZ”DPà†&´xf ;áÿ´ÜU:óŽ|wS ¢‘°µÃ;\¬¶W:[“e¹—Å4R{¤Ï5P‚OxfIˆõ$žˆÖÙyÏÅ+;S!ïuI‡b¨{ -Oùl_t>»ˆ„Q@·z×À!»Qqf¢Y Îë"Ìãì]/©¦pš¶¢þz¨´ «E¹f‘Sє,Y¸!µx·?q¼ÀRœh·×ÚâOÐ`8 Ž÷PÚÑ¡lŽ~ñ¢ª ”HÓV߁Qk6˜qØ `?'7Àw1²£;Äk§ÕùI…²­™e£šÀØà£ésÕYìÔ÷æÚÝÃv­ë\Z-þþªÐšPH‰›¡¶i)Pžs\Â,­!iӤʷüö%O»í»úI‡+mLcÛ3‚½¸/Pqñ¦Éz½¸s†EНMšl¬,ÉTvߚøNŒü€a+˜<òšO’ādäҔ×3T §6Åw’cü]·yôZZGš-%(s‚š¸½€(ì5üýb›&‚Ÿ#)ïü{ë!ëúcàÙ¶±°M¨ØUO -ÁʁýŠ{Eoa’¥VÖôJŠD¢VØ+çòêqgkSÃúæœÖJ!¾íѹ ‚§š@.¯¡?4÷k¯ÆpHmÉK HÆ`ÅÀgç»C~\þëÔƱ )m®ðrô©:ã.ӌ±þ(pôs° ¶†Yi†u1`kîxÍræN6Ór§‘Ó¾‡‡8êaì%ª?áXhu*‹e²ö×VÒôbÝMcÚí .ä Ü SߟýŠw×ë±AV‚,“gBsEû&·9Ó3÷–òÎöÀ¥[Œ»ÆT*UD-.ô€]¨ô€–'OWsá€TO›¦õ`¡Š»Ù†ÖáÂuþ¾ñFl ©>ØNRȘa»CSԗŸ¶†ËÆÁdõÜBx½oÌ«·†)ԛ.hþ¬ng¬ûÛöVhNÁ4ýÔ¦zçŒi=÷·ZÁ¸ö‰ÝbáÂóû=™‰¡-í§ç)Cm=Úy«ôÇœSwCðï—9C$~™¤9Ï …Û‡_ÚóWs¸ ù0.n ' 
’8_JùïMæ­üÝRÄbI’OîÚë;Ãwh¯“J¬J ´Š^kû³ÅJŽm™ªó‘'i‹lÛüŠßGÀCÿçù#K‰}¢orL-–cƒ9MºNöÊ^âæYj—aíLY&.þˆf$Qžþjõ0Cñɇ\›€®ì³¼kÔ42uR0Ӆµöµ©k)¶¡)–—Í …‚‚Tuº—Æ6°…5ÚÅ(˳«mÀšÇÊõ™¶Ôî^H™¯Ì¯ò,µêiÝò¸: -Sþŕù°?UÆh´Û Æ~‹Ü­³µ´FŽ ̽¨ ÷`2±Í¾ ø_ÑÛ¥¥†%º%B\aáPbs–’´¯xۊ͏Pßí"2¸'\sïa øçÑõ؍ê -ùôÀ®ß`&„jsJ·ÝqüÚy»©N¨ªÊ‚a '±ð¾•ìýʤhö\êøÔ<{,üág`™ÁZ±Mãêà7G¤¢œ‚ñ¹ÍÃ5¼tȊµΔࢼ'}ÍȞ›¹cU{œœ”ñ’£Ñ8þ» *\þ:X)8ìÆäG4k·D«S ½ MÑy“àJjYՎËýZ1“¼iy4‘€sÛK¹|(b:9½”—î“úÍ4$~<@‘KŠ3ZˆÑ,CΎ$&35hECª·µž,6÷ ÇϤm’V-,¬ägigiNwtÎ5Βؘák‘¡½M€ØîÍ{ýÐh®ŒòéZë…å‚+S¶-; -Ûfãu¡ÀÐZKÏ¢ÊôG„“ ?î]¢ozNS¥•oNüÖA797mÄÚ¥âFËëŠò–M<§„+¶<ÿÁÑVxpÄ4éåq<òú4ßï,‘û’. yQÅbˆ½¦k_<¸þì…Aã%y!'^êsÿûÎo&dQ;φÇ0ç6æ1¸Üv„Rô2¼Ÿ£O´ªýe¾/—Ȇ9”\ý²±±©æ»ßd$ºcƒð -!üÂlŠÏY™V߂-#õÛ"òæ)ê§4|÷4û•¦Ç\£Ù.,u˜XÞçAO¯é8h‘$?³DUŽ$ÐN—ýÀôZO¾h¹)8’]íPlÒó!ÌÖ¦¾óí3„@ÍÿBkjû"qJº„‡›áûÛ>Ä£c¤ùÄþâÂnÆmp¥Z[ÆóžC|ø{}Í°†¡P®¦é§ -@ᖟŽšó‘ŸqJB¬Í×H¬íÅ]¦mš_-Áµd‰[…©ÝG}kÂ'†¹ZñEïJ/2Ž¿I¢Û¼Œ;ÀJ?ЗXÒ²se¥[ñԆص–3—ñ>(ìí,¡’Ó7¿­o­Øc›ŒÆrOã·¨Ó½¹`­Ò^¼>¼aˆË;hŒ¹ÿÙÿå`@HZ a½¥×¶9‘àÕâ¡[Ü ·Å’Øß©UøgéQuz`@ÝD7… 6˜^³&s %qߝձ%zs‹É«I)Œ—þ[~x4ir:ÿ•Ä5¿‡¼c@'dPí¼+Ê-ußvxØ€F½h 뼜Ž'éøbP¾DGÛR%F.ö¤Ä˜MXêÂ‚Û R¾’jÏú#ôF²X²¥;mIBuÁé[ï’r-v½Ç”À0[›{Ïf+zpl©‰`[B±P¯º—$I¦þ«ËOÔ4‹£¨mі-¾±F¡mqšˆÁ†E°Xì´ïRbˆ¼mʜ˜O6J„Gq?í5øÝã„É[Šóù‡1eÅìM÷jà…^*¶±*DƒÂû —8¢¦Ã¡-ÁMw¡ui8mB†ÆÇ»'¥Òö·$!Ù4Pz5¯¸"©óvhh Ø@}T¯ G[´Ÿ )k')$…=‹E¬Ÿçr[ý«›f^A½ïÌ÷L(T*ÇY𖮠ùm]L•Ÿòõݎyؽmôßñ»»%8dP¨?Êt ÷–ôóԂ¿Å4ôýá$uþŒðÍÆ÷µUCö7*æzü˜*,Õ¡/pz÷Ì°sÉyaKr›—ðö¨c'ô 2}T¥>>U@pÌÅÙ½îou)ˆn©E{⪛{0HÅdh¦m6™ä3¥_ O$h›ôV…DoˆÊcºMëÂðbì¬ó[u¥“Zö¦®Wº c‘ »f‘¬A¡é?ÞyÄ)»ØN¹³«_×<Éo|։CÀ)qf`Óí à ©[è—äÚrF^¾¼MUqz~CoÉގT@G÷ûž®çªós8Ã/‚wé˛>Ÿ=¬züÀíµFô{»Gë§ò}¦+Øo  u¥šd¢C¢"ÖËþµÑgÃü²™ø )|òžª°cØQ¤ôš}(]u¡dë¯:$훻‡Ÿú979¹ý#LòÔ# a™Gãzç-ï c_[rC!Ð4æ{½ŸyÏŽ§«Íö'çUº]ùò\°dêü6ßcҒvúµ¤cÈ4ÑkºãN4Ò©æãó0/L—|“Y´ ó©Ãü­Ä¼«+baý[|¬ÞYóR‡ø}.œ·ÚÞ ’†¾¬¤_®Iu•ÀÛmÖÕÉ xÜJǤ›R3C¼ÒÝú2ʾµ³´–ŽŠ”%^mÙ¯]À¯UfDjøôB¾ˆë᪻`â?;‚w¸3‰×™?·NK~îöåÌ&Ð×aÇ5Õ6ŠtÎooõš¢lAr‘êǼéz:ž¼¨È“Åø¤Æl—5Ûï8G‘Ö_~EbÂc|Óy }Ð×vÚ3ÀàoC¸D{¯YÎÞßÂù·™.Eá›eÌ&ù°bÌÇk(ñxsØm*š<7ªÂæÔ0؍ZÒ«­pR±4RÔ_³¢yC",Ì$6䮄Åx={R³T{\^²“)âl\É<óè ‰Axèw±D53®óå¾õ%7a™ 
-‹˜>cîՇ¬òš¢úcÓÕVAcB8‰à–à3†(¿Ÿ->2$§‰#ϲf~µÉOR¢}Ì^Ô*ëT¦9Ï^°Q¦òÌ0Ò@§…×õ™Û¡f}O†kލÜ9ìFÄ«òwÛÍbµËØq„ÂL™§ÇÙ宕NÔuKJL:˜Ü õښöÀÎßMS“cãs~qÐeÅXYŒMੳAªeU BEãöíOWN¸’€9tê´«TÏ ›¡ùñd2ñ²ëó6ýmP_;¥Ò?n³ s;}\E¿×|ؘщ`‡Z§œ˜²®@r[éëó ¿‰ÊúR…Kðþ¢B‰|Ɨ;*g–ýI´U’yÊл¯•D\ÄR­½›œ¨ŽGPlÀÿÒ³ïŒlÒ×6ïX®Ýe<”0D´ËŠBÖEžõ!ûŽ¶QËVnG±~ñTËóS\|Á â­1–ZœFyÒâXývЩVéÅ_Òö”>§ò¤9AÜ%'–Fÿq>£f.ίN7^š"Á(ßxZê”Þä:§íw^üçúCgRNKܼvØKƒ»ª7håu7¬cîœ3úª³$!gÌÚÙ£h‚ŽMàBµÌú.ôÛ{ª±\+ƒ½íüTqhGÉWÈx§Ý?X¿ ---˜TÎÁ?åשּׁ~Ig.äs#IR³1Þdà0säÐl„ë¤)w܏ÔC‚5ZêD¡˜A|aK]¾öQŒ)ŠÑßÛ¥fÜ-6wâœÌn¿Ô‘ëZ¬×ñÂe²€KQÊÉ!qäl†ä Ã;¼Â` ¯ˆ«Ýjƒ"àFd’(ñ¹%Ð¥å Ÿ¤­:ìKÐÙ֐»ûúj?ã0GLÝå/—‡ÕsÉmtèŠ7@F.°vš\õ`òƒ_¨à@ó+ß­'9/þ´îQöñ;*œî~¿ˆ\݂°¥ù"@Ãw¥>£âÎ9sÄK’èe—©p¦ÑÌuqzžî-/”íÞÇyCO’V¶u˜n¼ø‘LȘãmí]…’aÛþ­FP´¶ՅØÚ7æwźôˆ%=³ÁÆ’m±UŧØÌýԆÇæ™Yne[BcÚ£´ºê« €šAB¶N —ýRÖµ`0¨¾Ö¬§Üx±±Õ\e äêò&½£Êixá>*ñ>:¡»_ /P-Báé57# Ck¨ym¯”KO=áÒ[-9o${ ÅÊQ™Uߛ³ôQßü³¿iyÜÇ Ê `è“ÚP’ž{EÔ¦+çéÛo}ÙCC=эÒqÉu¯b¬Çæî¼@T``¥Ùݼ¼8ԕz—Ó“Ênº¥OJðËOÔ5¨)!?ax}qç“,Šc¬éHbè¨éÇ­î7?ß ƒ[~Ãõ…žQf¬dÜ;i |›PjPJ­ô±n9øwÅ÷÷|·Õ+ÑíԘKdž˜„KŒÍ ^§s|ÔS°@Ã?å݊ãeÙù֍™õC©¢70c5ò¥Ò5Ÿ¼irù:ÂçXJ&d8݉²ý:ͨƒ]À„¯W"é&Õ3Kß/ͽìü1˜5Î#bŸfÌØ7ñ$ú#ב¾_öfÌfÍś-”í=ò{Óqó/ êsTDõùù¢ïÆÖ_ÍÏPHŸÍVÜÓ ûŨãú{Úë ì†4Ó Ç}K«bٓ¾ 'Ï+Ó¬;=A÷ßéZq<ª_6§VsL{Óë£?$£\ëY 1XHB« Å8Ç÷ÏD¥)ńëù¨àAb ’¦„ê7­È‚F8Âhï[ž±wœèßsÃ|H{ÒÊ6kô¡gKE÷ÂU‚?ÍâÍÁì«o¹mHl8‰bÆ©Dú£ð8p]áâzÒ#y\²JØÃ÷@yÊŃeŽYIi1ù°Íù×û=°ÕØÁN0Vn#֊{qšpX²dãûÁÐuƒû®§tD‰ëš½¤&â4Nü8ë»&\uþf«ÑOì_õbÊ8Ûb0pÏòkÃÀwȍJ±£ßÀ·¹$±ñk'o gà©È½£ÿ™Nù|:ŽÕ€¨Ö2ß,ßÆX@§¶ò‹@¯‘“<; aQ§*¢êŒmš' Ò -«ñh²°þ;f&õÏý tYPXÉ(Äїîÿ*ìRâ͋MI.riAۏ³eBapX,&L˜”FÄqOÕi/zÌ-JîَX!|½ôÔ{/¥Êl“”2êL¦›$ôéy¶r×òèt A3È׸„–MT•˹#“Ÿ_«ê±C˜Ä%3(ØBN®fMݱd[ï0i®§¬Þe˜nùÃ,2†•³>Q~Eó“l¤Ñ‡d¥K -È ¿X¤ô á€S¥M†kh_v.ÊZ°XY–×~dŠZ£þq z3„=pÔÍ*SÈᣍ.rYÎ8xz¡ªm:è«íƒÂfkl®õ3V°yÇݪ"|pA´q+K¯ìñÄ5ÄÆòX”ñ3³S“K¸8”Xgúy6VœOÉÒÀn‹|@aµ»§Õÿþ\1-óò$jô½·Yâ6IÞåQˆÿ¨Û.†î†!ÿ" Žíë½#kÒŸ@nüšÂ.MV5âҞpɾT “L$*jsK€kU3P"¢÷Çǂ“\e,Ѷ™ßUeÅATIˆ¼Š#DRÏãþfž‡ïDŒ4ùä;¬«"_u´©+E¸8崕È.a«Mçeə¸m»ÝbîBß_S¨—,ò5žL(Áœ½¼«lè„OÞÐë³,­ÜV"éˆeÛæŗ¶‡~,¡¸ŸÆü€¾µ¦gq8¿¯Z‹—Å}á/Å'laÿ†SÙq³t‡º¶^H·âœNwÌútaES«¬¾lfœêð~,¯±Ni`—…ύg Cž@2|§ãÓ>ú6.ûW˜ï>µ½Ø“M¿+Ÿ $g;µÆñGïޗÆøE×®Ú§qkERãÒÆc{…ŽZ²ÊZd;_Pº· t‡Èû/QOûIàÏg»–%E:)‰7‰‹zz÷Ÿt¸ZúŠ 
-É9û×ÖN¨Ó©Þ¶Gn‚‰å”÷,Œó¹ñ:Ÿ5Å=©x¹=Z©¥…»Qò‚Gc]qŒð_¿³—«º'í(åDZþ´î€J®­‚Iç'«_ßÂ:ŸÇHjDõlÝå„,©qØ` G¾¬†\È@éø¦‚œ—éܪðX¢ÈQ<Ñi8ºÄ|#ñ°Åò­õ›O(m£mŸ8½7¸r¯já—"Tày¨ Zì|AúßPqéí [ÈÃù3Vìlî¾ ™VÉlb¼¤.۞F ûoŸJ¶ôËñdË&æfƒicÕÆð+wŸzH_e«ï?ž†éw¿*¦‡½þbž_’‰OÁiϑ+nRÛLžy‹TÏ}ƒö¿‡§#k=|œµÉ?£òønž:¯ž;]ÚâõPÐ2™¬ ÓxØêì4ÕLGõFöŽv2ÄШó$œ²í«!¿¯û[¦9Ó}ÝhHç8E7õÙÖË];#tø³;ڍçQ¤ÉTà¹BKÈhH˜¦}3è¨.F˜Q8)IO ‡ùÿòûÿþ?`b 4rt¶³1r´‚ûÃdzendstream -endobj -627 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1336 0 R -/FirstChar 34 -/LastChar 125 -/Widths 1345 0 R -/BaseFont /EGFRJS+NimbusMonL-Bold -/FontDescriptor 625 0 R ->> endobj -625 0 obj << -/Ascent 624 -/CapHeight 552 -/Descent -126 -/FontName /EGFRJS+NimbusMonL-Bold -/ItalicAngle 0 -/StemV 101 -/XHeight 439 -/FontBBox [-43 -278 681 871] -/Flags 4 -/CharSet (/quotedbl/hyphen/period/slash/zero/one/two/five/six/seven/eight/semicolon/A/B/E/F/G/H/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright) -/FontFile 626 0 R ->> endobj -1345 0 obj -[600 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 0 0 600 600 600 600 0 0 600 0 0 0 0 0 600 600 0 0 600 600 600 600 0 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ] -endobj -623 0 obj << -/Length1 1612 -/Length2 18185 -/Length3 532 -/Length 19104 -/Filter /FlateDecode ->> -stream -xÚ¬·eT^ÝÒ%Š» øƒ»www÷÷w‚»»w‚»»w‚ww½yÏéî¯Ç¹}ÿôý~ì1öªª5kVÍZkìMA¢¤Ê læ`”p°wa`adæ(Xٙ¸‚äìåT€®€¿Fv - -Qg ±‹•ƒ½˜±   4ˆM¬¬nnn -€¨ƒ£§³•…¥ €Z]E“†ŽŽþ¿,ÿ„L<ÿ§çïN•…=€òï‹ÐÖÁÑhïòâÿz£*p±Ì­lQE%miIµ¤‚:@ht6¶(¹šØZ™ä¬Lö ÀÜÁ`ûïÀÔÁÞÌêŸÒ@Œ±„AcÈhjõwÐÃèø‹àt¶³þ¾¬@ gc{—¿=pqXٛںšýCà¯ÝÜá_„þFØýõýSr¹€L­]³*‰Iü›§‹¥±Ë?¹AVÝó¿‘f¦®ÿ”ô/ß_˜¿^c+{ÀèáòO. 
ÀÌ -ähkìù7÷_0Gg«ÑpYÙ[üz€3ÐÂØÙÌý…ù‹ýOwþ«NÀÿV½±££­ç¿v;ü+êq°rmÍXXÿæ4uù›ÛÂʁéŸA‘¶7w°0ÿÛnæêø?}n@ç5ˆúŸ™¡ùKÂØÌÁÞÖ`4G`Rppù›@ý§2ãŸÈÿ ÿ·üß"ïÿ?qÿS£ÿíÿÿ=Ïÿ -ájk«`l÷wþ}ÁþÞ09À?wŒ­±óÿ+ÜØÎÊÖóÿ°á?5ÿ&ùÿ#íbü·Âöafdþ·Ñ -$aå4S²r1µ˜ÛþíÔ¿ìêöf@g[+{à_EÿÕL 3óøÔ,­Lmìÿi=û¿]@{³ÿ$ÿW¤Qg’PPW—¥ûÏ;õ_QJµwQótüKì”"ï`ö¿ÿ`ˆˆ8x¼þž@ÖoœŽ¿ ¹XX|ÿÙþÃò_kycg+€îߒ™YþUøÿxþk¥ÿ0âö¦fÿ̊ª‹±½Ùßñú_†ܦ®ÎÎUý׉ÿ[ðÿ\ÿkЁ@ )Âꒃ)o°uzV†K-ΏáI1Ýþ^ÈáÇÒµ¢‚€Ÿ=þéáÛܕFo5!ŒS<mž‹'Žï{2´û£½Ø¶T=©À‹|_2š¾ô ÊNºýïL¥È§šÑޗ r[P:Ìû&•U JÞ`§:¾9Ã]>Ґ¹|!pDñ3M«ÃêDkè-<9¥L:z| 깆îÛçˍƒ§àuƒB¦Œ -pÊÅÔQ¯ôŽ ÉhB¿n¿ü Öìö6È£ Ç#´“{Q²È_³o—{K†ÎhäK’w–jÝ«Ò¾š›ŠâNšâžýñ¹îJ!Âák"øÔ3cC4[O4|qEÝ -÷®µûIû҇òc~dZ¹³´Þ½f‚™a$µ -E´ÕD᥷,"k |+Ë ·K|XÐ4áï蝵©9•3û¡ï\›õU‰ñ¤9ì븉£Ð¸ñZlà—ÜpPӕŽÂ„Yñ©²g‡ßE”[?>yB¹ÜK”–.buúSc©zg‹Ü¼Úcòhwqj›%þbpŽ8¹wR8y< -¶É|öx˜îçÉÀa¦Ç¦=Fzåq ×q¨ë 6)ÂÌ|!0à‚‰§"ŸÜVØN«hˆ©ƒ²â¶ùQë[M,Oy*ILM±ÓëÈø*ÊTv8_ v´AhÇ *‚^ƒ=;ÃÞxÞÓ<©¿ó´Í«î¸Íó0 -¤Š˜B _g&î­çxL¢±rd´« Þ’ÄÅ\I¡?YÔLÆ$ëhø0¸á´ðæ(#©Í/’ëII*É/%Ž`åÍÞMJ͘]£í…ø½Í,ŽJáñã*ds÷wtð¤¦%? 5fÎçÈB*²?³†´OWl¤Ó5ëN‘¿ˆ÷·§³šãæpï>?¸-¶«­cúR?éuº¤ŸÅѝ' :­E7™À2BWæ¿¡/õj -jýÊDAD›oʺ´Ædü˔zj.ÃZ8^KïJ9xí–j-`Ûcõ1ΐzÉÀ¨cw]Û ¶mžÇ£HB²‘¼{™™Û -Ç¡¢ßÇ -Ÿ¯‚T¾ÒK©M^ o…Å+e‡»kñ'æj BÔÌ[ÒôÁÓùGv¬Åië'fMçÜÔ­µ¦4/íûOÂeu ÷yIýC‹F~Œ—hYÇiJÚ«ÞtB$HÎDÈ89ÆÞ¾J»Æ1.rÑ©¾j‡~Žïb -@ì œËîّSÊÞW4^vF­ñ Å›`ã¢Q–wëÙdæÍ_DqWÕFv´±.ä ¦xû˜e5eËl!•ð_Ü)_öSNðâ +¿CUFøؑP²I'£X}Ճ›žR1^T{o£Ù5O§ÁX?—2ïL @Ë­²&µ”UD­¿|ïÊD 2z3ôx!ìn\ӄó>4¥ž;Txé)7xr>om&ä؜q$#z“T·²ŽË &QQ2_`ôÍbo~kh̾Õòœù -B1â+$ê .7f˜Ïv󎋸ì\¦ÞòÖÌ&†±Ê½€‚q9ÝS…ÆyðX¤¨«•IÝÜûz®üa=‘-Éc'µ6ðx(\¹ËÕÆŠè"†L`ªP®‘Åí“/đ ‡1ÍÌ *Ç@_ªD)´(f'yÜ_L{qŸ›v‘ø‚ߍ ÜÏ/5>EÃ.5“Ü ûà4™­t6?#(ºÖN!  
ÿ„È,pLÊ^¬ù@|7=›âïFUCñ“£2^^ƒ ãwضr롗9ÔÿÞ$ɾ٩ÅRqÐ Ui -þSÙR÷ex±$z¹„Äg\Ïpuã÷[áÅYUEã ӜGÆÝ}À¼;Lŕ\tUÇ’Óâ3íAà’àÙ:Ƃ¸©ØÞ൐#.ùz]^¡¯¦ÔT¼½ OB¥Ì%KoÉÍd1Ø»[Mq 7u¨£<“KRÀ1¥j-²Ÿ”LxÔ;Î'Š¬ŽºbîU^¤óÛ§Uq72 q€yОô‡r2-î@˜­<š=Ñ×¹îåIÁ/³íõ3é SúÔ»&ŒvÊô«Òî¯ÓkQÓðêF¬6}» Š„üíÞÈÕ¼û£í>d ;ˆ›¶j¨š)æñ1š}16§¢rzsµ™i\—áˆ(6½iLÚö¼«ÜˆK,ÓCƒåP"ÓjŸŽ@S½þìډ°øߤ3i¿¤ å:‹û0$ý`U1¡…í-µ.„S |èUD)ÿ ›fOxëÑ¡[§¤aE{z)¹ŠJf^–ánÎðD¬sŸs4…zÀl òŸ\Ì¢&<ÔêÙGkÙ+^®Ÿ~§í‹Ú‘žÄªd =ˆ[÷ê옧€‰Éf‰®ºùH«Ûq†¼÷€¹–Ws³—Üéu»Oç’Æ —`,*öóN B“#ýbƒ…E͆þ¶+ÝÒåÏUûZ·"zŠþõÚÈ-w5XV²¬`.o‡D”a­ n°D¿ÙXrcr†¾†ïíuMmŒ OM§QŽõ©T,Î:¼“ôéÇ*¨|Ó'~Â줪ӐØ`Ú,&£»Gs] odˆ¿|-5Ë -ðóOÈ̀ºö3ÊòsFdÐàÏêþÀ öïÎtº[ëqõŒQ v$yÖÙbw -_Õ'ÙW/t¥)³Bkl@ÒuoY‘$žÆybP¤ÉˆÑinµdè—ô{Uþ6ÕËôÁ½¸ðLǼ«‰ð¯™ÄmÐFZ¯Ôçt5ìÁÉjqTWeec±²¯nB=´ŽÚÍkV7pê¬IÄu=ø€}~ µ}–ò%UUz&á꬯ræ^…+"£‹8ízƶ õìù4އºq’ÎŽqÈêA1jäáŠU  Ai<)釭“ïÓÉ3ëÂSU#ìœdÅçsÄò17ÛbÉøÙ÷ 5°®;ºì’L•z]õ»ð…)}—Ä4FÛ 8bV”a0cÃ˟VB–_]Ýh…ÓT?؞l V‰\ hHЯ™õÜ¡½17kOËb"É×[“À‹øY]¹5¸·ã#„ ÁßÃüû ?ô='9«Ê³4$Sƒ¨ØáNr4r[b’BœÍû–ÇÈ-2R5u*¢÷ý^¨Âu¼%=MùP.J2:Uò…bíÎùg°CÏ&Î!SkÈ..ï%Ë~/»ð×>A -3_^ ‡¶š. ’‚…)Éç Šá£ùbK§„pNšÿ ˜®Øø±md»›0 Ñ¥Fa¦ÿOVèsÜ/$ùT~©I–ß¿@:À»R(¸¯“µ ð=Kì Å]A0Àµ‹µùµë­†+â#ëàîIFQŒÃêBúBO—ï" %Òe׈Ub©¯œcªm½yFš ¤åJòm -9’þ!î8IћC r-ÿs[{œP–óe›&~b«I¨/÷­cG@X«â}Q%´ÚkV{=¼{°Ð$á#ú®gìÖ艇ä…»Õµs8_0.ÃÕuáDœ>üfœ#RêEu`5¿)Q‡Ù1D{›pcª¶ÄÌÙâÎ#ö°Ô?§9lS£j|+/ŽTa*ŸláB™%奱û©67×"ãÑŽ[,èà¹*q5UáAa‰«1Ÿl;`8]‘iñ1vlð &›\)Gü-æ~)G c€é§Ç²éä$béeà C‰5Ô!Wõüs>l-Ã7&“OA&ü¯p§ßï M¦ú3¢9/I<˳!XÑo¿Žo¬}£qysàuŠ‹â¥UD |(’*ø“zÖÖdÃ14õòc‰‰»íúMSÞ—ä•4`­ÌãQ¸fšºƒ³Ql‹9þˆƒZ›Ož°¾[c—œ·G.&"фÿ´beM*Då¤ïýJf\f‹`ˆp·•>ƒìñ…Û]®»ÐˆSÀ{H÷0ü "ahâx‘[Z0EvøæzÍÀ¯ qi#Q&û¬i$€?Á^,rP-j&b’ŠÊ‚q ؕ¡1à03œÏÞ7ñbäzI¬|â·Öß­G÷?ï=´÷B`Øm€ŸDÇ6}0i:ÆeÃùUpgŒ-}-§¼~`[ ç=BbW;’«š)FâuÆ,D9ýÂ4ZÅæÈúü±ËêŠ_5¾ó¥£74ª™ö4M¯w#íçNW51ª-?îÅò†Ÿ£+ߎ!±iëêxÐIUñôvdBYB½‰”× -,°ãzy—øg;Šy¹}ÂÿÌø±UûF¥’­k'Ú¤#È3¾^*üLçÐ9$¬¬=Tð›6‹|Ö|üÓe$}ær€~ø᫒Ê]=ï¼þ‚ÙÙðÇiߧ_‰´@€+ʏ~Ž ±sè3Ú¤5yÖ^í8ÅÏ,ˆßVω;ú IK1ÿÉÍ+:0Ç6-˜úv[6©Oì{)®+vÕ,¿ûi4 ‘¼[”aýÁ—+QÏ8yç3ÓZ¨Í]Îñ0!8¡bÓ) ©uqc™fT& ‡ë²,•kçâۋ¡„»e~]Xß¡c঻äÛ§ÂȊ_­òYÁ;Ï6ÔÜ]Qb›g{Cæb0äxc{vFy×T"ïÌÉS -•W½Š1W\ÁMÞ7ì’)ҔÈã=߁›¥Ùµ ·`º¬e  ŠAÿú‡g¬µ¥ê˜'(¯Æ¨¼H¿ V€zà´a€|³É*g¥)Lè÷`{º3ZYhâ 㛠0ÛB嗁Šá§ 
ÉYŠÓ÷k;ÜÔjܓE×n,KËÔ.¤E͘Þç»)©…Hå´ç8v¶\~ä/É2Yˆ"Ým/™üËGø钙]8¼)²;<#…}âbW–lüݥНœINì¬IÔ²yDV’Ô±UqVV/Ü2åvÏތ‡CGG²EúèR7!'ƒ…¯-mÝ~¶_[OëýŽ$¥§X^¾‹DHžkÈãL/K… ù>Õ£áKyBýñâÌÉÚY„iÿå Sɔ› þ§X »¨ÿµò&É7 ¸†oәþºŽƒE5î<× ÷‹¶ÖÄô'ÑíÀgå\¹<2Yü’˜Oü»dO®õç¹xØAychIx?ó°¥h༲„Ý6šEÕìÞ¢ªµ ÏOej{C%„=|à~쏰®ÂW⢎t>jœîµï -R*F/qY ¶Ã÷¼ ö"A±yjat_ȧÅfTEJ}Œ;íUýÊe„s—Dà¾Átµ -Lþ#ú%L4VWm.„½dlŒ‡`uÜ~¬;K|ìWwºˆ¿B¢ýàqŸÉL,Õà¹ê2âÛDOä¤Ï…ŠªÜï?FôÅ6ɘª$37T:΄M”Ü|û*Fċ#b Î-Âç{ýۅ#CˆÂmbË:V÷Ê`ÏMFSNó|N2y]"cPiY -w.LKuûzrsàv YõLkôÊx¼Í! ðgÞzW 7)QâM¦°Ü8i¥ÔaëJn ’ÓóÌ -<ః>LUÆ4  ¤fpÚZ6½M®'{6üÝühÎv¾sñ–7`ô>â'Ec©ËçÔ8Œ)ŒvND–·;Ó1µ¬Ðô«€1 lœiL‡?FßÞìj`ŒÓ/DX*›úMH•|ª¶xíK:"ñœœ†ýúH™J$¾‘ËV­d|¼’{‡äZ©¬ÐðSÿ;Ü®Ý9îÒc)»âÁ|Qžn^KLæBuîû¬£Ò0ü,¤Ðï‚›¹ŸòJÍ^½¬} ÁÅL"wEV+*…–:óohåZ—àøÛ;Òl„Éñ£½zŸY åŒ¼«}ѡ疉¨O†xBùQŽºÏÅ*‡Ö+µ÷—¯žX"þ›B©Oi¬a -«UìúªAŒßDÌü(Ç€5QR«ÒÛ™^ý-5vò×Ëb„º`§[î¢JÎêKÛm-o“%Saã¿sáÐÿÞZÃö¡|œ^ŠþÊã9ŒR´k%¨X³i‰ºpó›åö WÌXÈô‘›¦£5~ôHá(•VnWïç½~ÎمCî_Fh6“ŠüУD;0OW~½ ¥0^wyr÷Oü­U>?ò»ÌICÔ„üôjC{p“tÿÐôDIåö­Q‚—ê!J¹iBÒ”„–—0)òÊ4w}QjL!=;Îi5”§Ìô>%÷³|jÊ)ÍY%Úß}Vñvï‰ !sfƒÁñ½ýÐùDҏ-(œOw™ ÆöúèÞ]m(ïâ<଩ªeÝ_ ~k§~¤ùLÇGxø_w™£×B‹'ØÁT“ íY2%‚ÏÔG@ßçRÏ;üݶ²“¥4Ԋ/he_q -.6Š¯AýoƁ%ßð‘+‘©gœˆÀÛ²ØÅ4%f­æËP1÷m¥[5êʍžŠÕÍ5ik’VÔ©°¼G^jpo]äZ, -½ÉA=ł¤Ë‰x4EkêÐ36_Ãʚ½¬CH¹¼ ÆÑÞû1•öÎ4+W@Êå`Š0\ђ¯7GŸ”À0Äô×òä&$‚zT½j¨ÂsùsYX‘ý†FÿçRsØ|Ië•)Û¨æ¨þ²À–·º1‹çƒUÇÛžÏtqêÄs;ä%S´‰NRÅàèŒ>vÂ)Áàw× Ž>ïöH¨ˆ®&¼è?Ä©ÈÇðæmß#Dåp NW½Z^ΕCrÐB©„(JµîLÑ3¤š4á¦}¼™™NÜt-÷s꧋ - sE]©‰`ò6™=>î8é%ÂÐs>N´žô08òî~ÿµûcUð¤¾Á.5ƏÄ*¬ó8/¤zWt÷Ɯ~×>uöRméÞ¨£a?±U~"rNÄzë`~³†¸}Òþ–9Ys0d}H v?’bœž¤±Îc¶3$,c÷Ž±6ù9CÀɔ‡—;k˜Ú‹Á²Ë¢\¥ÓEÓ.ƒmPè¶wµ~Ž”­ðþböõÃË}rû.“¸#jdFTèS(<†þQz_´%„àË#˜fô¹bÂõ‘”^Ó?œÐå‡ÍÇ0›JƊÉEÀ&I™¶{)Ó8]#ÃLìÁ£qÔDƒÈ„Ì™úؙ8Ö0ê!7ûy•y4wZl}»›p‚ÃËf·ê -}r/öewÿ¬É¶וqk鿾ä**'âqùypaˆ'-K?¯ÙÀ–ƒÁØwMA»+²ÒA)u…uô1¬Ÿn…0ĉ»)¾TZ• §^ÐõbØJVíbsÑ`®¢•óäµ>–`$I(qÌø÷Ï¥CÍÝbÊ¥§Å.öBŽð¶/Øיբß(²-aþ -¹—¥Ž²*?ŒO,âî N¿$Ý#ˆ&9ôôù³–”–ÄmûIÿ¼¥×W©3L%‡ù’Pa+Ò²Ûѐd-†{=*?4`\‡öÞó\1‘q¤¡lkø³`³IƒG×øõ‡Λgºe)¨˜xÎï>PFS¯y’¢>l„" QÅQIåáÕT{5û³&ì™wá/yٚŸ|ž~S`ëð+á“>òθf53·P 3ĭʺ¥uOJÌre¯0ßÆ-pÑVvÑ8hs )§Zõ­1ß{d˜Ü àÁ˜^=ƒ«zu âhV¼Ýh|{õr‚‡€}$6'2Œ;K§¯;¡ÂoµeÕ¶í\ô4ŸŸ1Ãxæ£ÇóXT»V4ʛªiÔт“æ®›'Áº73þ*onœͪRρ\ET/¸ 
OkÒ]0EJ[JD%()gŸ¾“’<$úíGˆù¶—gûGõ9N­¤Ë,©ˆBú媧§ÂBÙCÛ¢1‘#)ÌpäæÙªÕžP+ -Û{Í6˜«¾·í'ÍÇ°8ÿšŠèKOå¬eŠ3«Ñ[s …¡Áà<‰–Ï´œt`Húýëu¯ÜØʁ_kŠ Ñaöç{­ ²\óJ$¢ÀmáþùKÒÁ†×~×ïâ¬H,ã§d.ý‘Þê÷ÉË%ú¤™s Öµû+uJõšÐÓ@×^#;¸r„ TԅšÝ¸?†sˆ«2ã`ñIÏIŠêܯ^va‚¸pMEçÙîܺýCÖ& -J½Èðo˜Ðæy‰‚áˆÛ¡9dõváïv¸ü:²Ã¾ ÊISc…öQ1}¤u¢Ш¤×©õ©º¾Ô,#mõp<>ÞGìaF™c›ßß* ‚¿ØÁVÙh4gÅçÃj·¥FÂtšöމá¿+ÑÚ0§Ï~Ì»ž&±k²àæ‘éoÌø–Öæ(?ÝãäjÍÞè)܏æ!,^š -ÎjªN§Ì‚¡êZ/(âiÓiÍmáú‡E´r•¿Þ`]© «Ô†-UuܼMøIA ÔæDr)|ò¥9Zvw¢¾2lÕÈ¥⨡gÍfs2ëéÅV|gÐØìÓo³’›ÌŠÎ}Žk:åwéf—FÞ´{çªÙÂ@Vžf#ÙUÞúµ¬Šˆj+·[i!ÊÁG1-¶5\{”ôã0Ò­…ü¦ôÝÖæêëùd”­Hæ Ò ·)Õjëy#ñj5¸ôŸ’LÒèÎQÚA£ug㞥iE7^å‰òæØo¡Hã…B€úÙÚë¥éëуk’)Iï>Á2CeN£©e¾hwLñ‹WI$5>íU£n2úé+çLR'CßF¾] ¬¼ÍªŽ”ùÀø¸ -ÓÇr„>›jì‚é‰é‡f´¸ñ°ëí –Í„Z‰uk&0¯NRÒXÃã'c¤­û~­?…ÖÛ½2q´ûº 7E)‡þ¸ÖjƒéÞ$YêƒkՔ —äJAŸM)9€ÅíñÍ jd.ÇöÓ>±8‘~« kÏP¬ío­ÎP‚»+læY"áñ·8pó -”±v“²Žk@9â¡i"›¾8üäs5q|±µ¸ ,´£êú5X_Ǹò õA²‹‘ŠâðpøQÛ+é[¢ëù³ªüÈqêõBo> ‘îðŽ„©u§¼^ F¹èó«z[( ]Ú&øK<ä„æpðW+xO*c.SÒa”}“œ‘þþF)J~)m‚P^1Þk Tù1¿{_ ];‰‘5¨Sù‹Üâããjð[â™cûMË·têÌ! ªpÓz Sª3y<0âß-iÔ|ò–œ%_oU°~7¥XíÎ,ÊǏÚvS_}Ü]LçŽ °½¿zÈ=®ûêšmjæj³'ø‰²•ždZí|ø.²$Õ@=‰ù喈ÌwÁr8 3<ëUu)‘VkŒ4Š®]7¤JS‹ - ØÚÝ®-ñX¿?¾‘}ÑEµÞÄ)¦…‡!Ö †Žü™³&Âù-èo.‰ånUbÒHV›rjúx¥ÒP´^1,´àõd%%3ƽ.|<ԍçgÓI˜Û+<§0ƒ 5ÛVЗu™¨¡t?ÿ2ö‡Qü!‰@ú,cq!e¸èX:¿6°^ŠÌ¹¾e%eG&Ù&4.³Ž{[Š8u^Þ¼ÿcÉöI¬1¾‰Sã+&wTwe®Fa…ÿJC`‡üjtË ¦zÄétø·^â¹ ãX­.mP®ÆÏ°àòÑ×IÓΏ$þq[M¥%;fH)Þ&•Ž7¥fjúV½Iо2K0^AloH€k9Ùõ.œZÀȻ褴{¤?\„*&¥¢Ñ¡cò#{ďuÈsuÑ`©Ïœø‰3£¼iÉÓ®™CÁÀ¥³o[ ;Š,mÍ1é?)r·ä£_0žžž~M¦ÔDþòŒoP"XúI‚ø<ªŽÄš¶•4Qr±Ñ—YW7¯ Zä*Ÿ?5T†¸EÉ¥+ÓÙV%Ù@ØdÅeÑ-M7êë®D¾¾$ÁÿE_h/Sìžul<8E¢]'0JüzzÌj:йf\ÖÐøpu”V!ùäT?î—ûò!Öî)êaäùÁîÇát3{íüÐþI»äÙ3¥eµ{^l&vãIÊ>Á«£v“ÖýÃ^–¾M_.@«˜*ƀáM*DJwˆ}¯8þ”I»A¼¥Aî;­Ü(áT¢#¾¥. ª\bÌJ±¬ô‰d"7NÅ8뿹÷³…ìE$m_8Tâoݨ±ZvQÆ&MŸˆ6cqlê›NU°¸}™µ¥+H§ýðŒxHÄ„GJ¤JT…Ýξ©Ml}@=ÁV&rP‰’Ë™bäN_Ê-€}xŠñYpèŸÔEWÇ8í]eE³-dmÏh C†ýÛj=ÿè(3®–>é¦K #NJ¾Oy½‰s)¼àèÉL¦!JÂ|?$°Ë h‘`G0oä´ÖÈ9Èý•í¢o†yI€û¥œ^i0+V+z¾'0óT*) )ôòzßy×„fË£R>• -ßìàÝ'­³ÝBû¢ÉEyc;8ÂVl®?'Å|T¼GÒp´˜´e ååD×Ò÷4îˆ-JG‚…L†ëAù¦ÌáUe~­æŸwƉÙ”4Ønf‡ª×& ‚êډ„ÑÌ Ó4m!Dbô£û ¡šX𰚴߃¨E¼½Çü²ƒ1PVQycáÿü`J¼°i¾"ïSZ¢î`ƒ|LðBú•Q¥f°ZæØ2o¿;øéžK•½x8ÊÙ_v6^¥5R{C0ã&¨Sæ§,YHt=­z!§­:|aÿ°JüÅၒès]¬ä¾rcÒH²axGFW;Äîðþ{á 
-¤òøïlÑ×ù>Tq­@»È:…~Öõ2Ry”ά­Ù÷A”µs¿oÍ8¿™Õ)w€C pÜÓ t“ûηwÉÜQáÄè-Äl)áŒyO7¥væÏö±0âª2/‰O–ßù†ô¥¢–¿¹dՅ*\Vȉ\‰H*´Ëœ‡Ã‰D²¿ ™9\Qš‘ƒÖ碴›ö¶MÚ [éӐumMU[ú©î²Þ~ p:LDË~bŒãŽ¦²§OäYC餤2¼ ¡böC„í¡Ñ ÐçYT9´Å3Wx«Žbhø“79 ˆˆ"x|:ø€ØàO7—_Ö ×´ -/9mö'z´H¤ò «xMö+­qÊ×C15{‡)äxŽ!£/ñókÅPºÜ_RáÖ݁ÁÉMYTA?¢-=?ƉPßó{¥¸DZÕmëM9Ä+1¾´Æêõw0û,š£D›BhL‡T)ó˜Öº’wMŠ»pê/æp…;ÙuË×q(*È¡âµÁ àÙòyÃEË# Càž4°Bíø"pèT^Óèœt¤©§²«TãÃI;†ö–à“5ö … •8?¨Puãgs¶yXOt7ï€Þ’tÙåñÅ&%l‹Ç{õÅOІ”óù²”®'Ø9ðùW#R㥍V+SlF¡zEi¡8š¨é¦vF"qIø|ÒpÜ7:O•ZöN›Wö¤R1O´±ÂA—Š˜òÃr»U>µvXW^Ë9·ô"d‚õe›Ö‚´®–ÎWO+©ÃU1{´–à/íw¶[¯ìKô¤Ú”ªÛ&¤ñnœ7úv_˜n rŠæ+¦”Þæb"éÆg6Ï “öÝñ¬Kà-'Fšá£K·šès§ñ¥7x\,S¥¦1ERÍçŠ}-j9V®ùu©‰I÷ÝßDó¦!=dt·PìKÆg(ÿ€þF‚%'ɤ^»WñŽI÷´¢ÂÓV" áÁu»¦T ­ ný‚kpqƒOr“\é*9Õé=–ø»}ô”ÔȅjÝâ3Ö×»"›`~Ÿ®u àÙÇ䏿¶ICNè1ÌÂT8¡'Ž–¯½Ú–äæŒ`ê§ùNj“[–ÁÉ0Ããgá÷IJ6†RÒ-;8sµ±x‘?¶Jœ Lü¾°ß -`ž·»IÃ^6ìì F!Z§éý&Ø­Ï:6 ’—(ü²6ي¯pÖól’²^Zgié^íèéÓ_ÉfñýI lnŒ´«ˆ7T^®O¦–ÝX7Bˆ|ý.k¯cò®õ -5, u\âuºS˜©G -¦3\磈[°élµ(GÏã©Sø#Bgñyn©>³}?źæ9gœ©¬‹Ýªµ;Vö¦PìöîxÀӌw.éWÕØrÅEYÞS&¶p;N~銤€4·§jòN -|ÓØÍ Q Þl£ªŠQ]gó+ҕ‹9ñí÷øÊïŽ7æ Ÿ¼ˆRYoîɧ|ÓVéiñy³ÛnÙx=§|“3/Ôm=ÿ¢S«ÊRVj¨_«WØàÙRÛ҂E9[DÚI’ù¤Žq­ø0išŽÅ/ ròoK’'câÛKáï͕mTdl]M+OšSu·àŽ›Ì¬‰Ó·^ñ‚J”uÚ³ˆªÁå!žôÚ[í¤DÚ=#% ©OÔ8À̼Âì$HՍeÝgÐ)¨ÆÎv¤¥ºL!Ý A^zV7¨E¯L§"KÙGç‰.ìvpÃW´Ç Ùn[Âð|¿€Ž%Ë[ßN€T2".É+®U hu%äë›ç¡’ÎJʳâúB½Ö- ûJp‡Z÷6Þ´æT† Ëû<G×Ã~ñŸÁιf²â8œò犍ŠšâÄâ鈦èŒXk.VIŠ åE¹.„µÐX¾ôp§Šæ AÁ¥“2TOkӑ˜?Կ¹y3˜R‹ke,Ìl.­jaˆXáÜÐÝ`ü|D#id“ê¹J×@ýÈ0ðÏԔ½ÇrUêMK‘µ6%(¸•—²2ÇÜ/¯Q`³~¼—•¢ëPYì”LJ±››¦—ñ@?9óñ‡YxÀ›CÔÊ^Œáb©o\"è„ææÓ¡‰-:(_NUù&Ç^ ñ‰'gD8]¤“¿™c782‡ƒr¡û ¥3 ÈßyàÜØôõ¨c76)áypRæ“\óJÁAØÀÔºîȾŠõâå0’R†›Ð$Öþ94Ý׊¤jxÈc®¤,÷X„~]ðöÂ_ÞI$¤h)M ‚ûê;¸WN¹È¨½v ™äGizøÂÙóÄ֌"ï¹¢ «,=Ónù{MQÇ19"oÉð¹åLâÐ%2 NŽ¢ Ígšw%CÿŸ,¦iô蕴«Í«ÇC¾Ù¡b™8‘¸'?D¥&äg½Q_™ŸÎ•!b¨ Y×ÈÓ;6i¢škfQ7œ¯á÷£Fáç6ÂEç瞮gx^­bq´ýŽÐA˜I &±Äþö¢±”–Ù<ÿ«Çåt=äÊi]Hf+ô£ÖkGA¬Ð ÷û»J1’“´¦lB0ÅHRʕê["—£O"ِYs[g&-Âs´è“Û,;Ì6¸îÙV»,ŒŸPÜþ&Fâ¼e½Dt-É ”o1½GæÖL[]I¶±®¹Ñ…v•]ƒ4ÓgV²AQG¿KÎޔØì¿Í¸ÀÍu}…Jfûê s²(X6:É¿y•®Õ€œm -çK±le‡MD¥ú¦—ƒG!úÇu5Wå’,:µöùҏÉk6ßx %LÑ·'ëœt/ÄCç䜏¿râ!•Ò-Á—:–ío£3mg±F8E<>pÂkÜâHn[yր‚Œ=«zÅÙ©êg=:$bÛ&°§Œ.•·{ÌsL7 è;MKæ\°Ç”l’9yÝÆL†/:’ -3•˜pÑܲWö‡0ÃüÂÌì£VäZÏ^„Ì΄|¸œÅ¡§` ô/_ò,fwµ«¿]îÄ·ú…àüû0 
¶pc9쮶|Ú[5ðX*Œ‘tUJ¯¶ÍkÖć¾ob–3ÎYEÎ{Çç¼ ‹†ã„7ÉtíX¥0ՎmÐÂxՆö÷Ó Ü¢Â[Ö7`ÌC¬³i¯Ù‰Úµ·õ¢ÎRœÌd×X­­ßuMké°êäQzF–·\h…õmŒ_¸N©ßUÞôæÃl ~kçË]Í¢ù¾ -ÏY‹}ÿà¯ÈCÚ5¢8¥>$Þ uh©@[ÿ8­•®êLíjûÐþîbømWò,_ÁÿöÜ×·•&#û%k_º¥êÏ©–$¶6Ôcä®Ä“ÊQ†)w€aÐ)ü֖èóŃ5:•°Hf(NÙva‚ð/byÒóé|ýï'§°˜ýæLyk¦ÅÌßô4M(2™Ë:ó"÷–D&› ©š‘½Ù}~e&œòU•[Ö4ɂ92åôBG(¬2ÁÙ;°4¸‚Jp¶6 6Ӟ¹X¨Ã€Un[кCaÐNdÆ4£ËüÇI”¬~fä½\¤†øö×æxò¥ÞÓñb,Šó7:ܘ‚Î/ó„¤ÉÁ:_¸|hfp”ëÞO³ÿ~î:··Gû_<–âé䧷—Rr”¿œ 'æ+Ð8ÿ Z"ÖÕ+À¾Fz‘@\æCȃyèȹì ïŠd[…=ßõCÓb ®™Ø@<¸ºñ;*͒Ug ›.h"+DÜýJ -¿®îÁùª]=þð>+û§ tEŒ%üQ8v$3 ;øüñÍ¡0 Ÿ(%ã¨ÑóGßõ#~ˆ?ef ò½Óù=EoGKñ=™ÆQ\ëFöA¸w¨Ÿåаӈßü-3ªBò‹°çl¸yV–ˆŒ…_èˇ¹Þ6i=íÓqŒt¦pTD1C…ƒõF—ë ôl™Áak•Ÿs»å¿ð]z5g§]?T^ë#žoa>›‡‰á²y °ob£p"dŠ^‰Å­ëô›6“±ŽÂÍó]hX-nõš^¼Ë‚ ²g6«iím?w`?Œû[Ae¥´¦0C-Q́RÈp\ëŽòž½fÜÊîJGõ؛h¿½r•§£ªh(£ˆìøÝßEÏhÜ×»4Íb¹ã.Õñ 5wÚÌ_ížD°½Eß-Èuà £hÚY˜d¦on-¨£q{5Gíg!AԞÊü©ú×(ÓN½%°U„ üö‘‰³°)¸7ÈÑ!/Þ¨rF¶8»)¡ØdétlR Œ›× F¾1Î*K$vº²•»¬;2mæÎæßK~×  Õ¢Ûœœ#=¦o(þ¼‘rŽ´‹{K™ÅK¹)`áuqç]M,P¦È,½*a¡øÍÂ1¾4ø{ɱ¾¢µ©¹K: ÀùƖ˜pHv3Ó{NË3)€]â쥝jÇÊêMs\ɔu²žÇ½m9‚!h)㪩!R¤Ä珒«êAu/ ¬„oÁûl’&§AðdÙÞ.Ðè¢Ç.QèBÊáÁcƒ²$‡ÜS§DP¦(½ö¼Û×C@/¼.Œ|Òfɵ\’£¾µd€‹¡Ât²Îí ’ˆ†"}ÑJôb­"j'‘ړæ‚0f»‡Ì8¢ŒgÇZǬoنU.BV½|Z¯èœ… x2`’ãÍȧäe™!OñÑ}Õ`VmÐ9ïŽònxètIçӀÂÄiz¬‚¥Múù)³y¡ñ(7w÷’«<ß5îƒ=c6.Re™íõœï˜Xր]ƒ£˜rœ«ýfôxëh)ÉR"A1¼÷iΜ‹•´ÈNS¬ -¥Bõ&ä"ÝûipÈ[9l{6¨C˜•*ݳ¸wõÙ?hÜææUç Tê#²ðZˆŒlŒÉAÙ_í`GBþ‚+7MyE܍…Ò"J?éÝ%Fiß{AË֓WÁs¯ 6 –¢Gl9—×k—ÖàEùËÆèîѤ’G«[‚Ì£K™Á°ýˆ8·XIíÚöá-õjU"ð*{€»ÛOÓ¼ÕÅÂPÂ\ µj¦8ëîVæ÷Œ<¥ûïwç— -é&»ÜÂoø0]þS*(:‚‰Îüí'mn¡ÝòÕWnÉ |Ur²30£à¼Ä¡tI•ßö›m0l×o§©QLÔR,óècʳ‰/Õ>‡QÉcöYUÛã w‰à;•žöz µ½Ží›'çð¿}©Ÿa8Œò’ŠPQߑ·Ïý4‡Bឧ5nD'­7ÜmݹJÅ«¬Ä¦9cìa„à^”T P)¯ÍNÊê!¶k*H{RwÃ!- -“jÿQ$6]ÂÎ׻،õU…ÙI´Ú ÑLÌÎQEÒýwu’å OËôiwïèc¨ä<^_®•XÌx÷ñoù 6âZiÿMmþ†Ÿùå”áƒ_³ÇšÐ~8¬ëÊ eSœbDƒüÄ¡ð»<¦Ý„¡´ï‹ö|·Û"#ŠR:¨¸ŠŠ´`•HÞ:ë×(¤ =ô!üˆ ímpéçö+ÂzL!â<èÚ¬bÐJÑ8¸NŽPÝ8û‚aðŽ -5{V¼ƒëÁ¤}bªyñEg(+TÍúïA/ö1å Œrâ-ôeÅø<¨YÄ&ú²:¶j´Õ@ß$Å[?z® ²ÇáÅ9í)DÖ a{t:7¾"eÑÜØ¥¬î|<ü‚,þ$²©î»ÜÏv,’"?Ç1èÀ3J."Ì |ý‰ÖO>ü4?m$¨¾™Òêb ‘­åàV¥— ž¯v_¶ÞQÞºÙ,‹y›Lñ2™¶b‰‘´}•VõÆÞÁFBv•¹ý&ò!‡U„Y&ÿV#ŽØ_ €Ús. 
-ZËNêj̹ØÂF‚ÍÍSxG\â½»¥]!(Qq#–î \zË÷šéB4ŸDö3zëCY»lÁ­«z›b%J }?LDªEÊOǎÌ0ÀÙjöDöí¶Dxכïí­|moÇÇüAjy˜/QÚ0ÊEÔÓùv›¶ß¼É…¨G|×個ÔÙÓ̘’sø{M,®^.škÓöèuœuʽ¤q”’3ˆ=>¯–«˜“Z$œ®9Û¾êNQÓÃì"ô³}œ?Ô҈½ XV'ëæ/¾9;kEséjãLÌ|ßã÷;&Ô[û á®ÂÒ_6B¥E¿Ê®¢wÀ—Õ¼v)£™µWåw‡XO;zpAn…‰Šþ»Ö41ŒO>$,_?¿2’›mÀ4e\Ú¶ÀÝýšSÏa ãåPWbeGWý=‚Ûsõ8ülÁ½]x†V’²“5!Ù1S€‚7+ý‚œ´X¼RUûôˆz¦Þ¶¤8;-½Ç0"ôv »§ïp.‰Ä׍»B¨õNåyÞÃ留óE^É«»ìÅ%çÞèÙ êÊՌâ›çRææ”òïi ¬ML÷É87â诺9ýèî¤NbÝ2t‹WÝsT{´$8˜ë§òüŸ-ÈRÃtGÓh¥ìÈJUSÉU°Kˆ+.´By`Ö-ŠQ3gföÄêüQCp -c21Þ×G0G¬%C iȑÃmr-}o2·©lÆË`Ûù?ègâÝØäû¬¶ÊšKÐ…g=ÃEÝša‚"8ß)ݸ”.ßØ´Õp¬w&>ëŽÞ#û÷ £üàäfᓦ÷HìgüÌïÊLˆHEç3ÏcÎ×/q&^+zÀÚÒ¼ Ö«ïmA,¸5m­  -øJGT˜âÿ§:ÿgÂa8nr®¯YÈMî(ÇHr4)WÈ}¤œsÌ5·±„fî#Ç\sŸ™HjµÜzr$Gî›æ˜„,+Öêyþ‡ç·çõ|þ€÷ŸYGR•Á7í?[ɶ؂À…‰‡`è=†„AÑ+pìßv«ÚeA L¡Í,&&v‚»Ac«; kðð;Ù-ìmø88y%õX½‰Æ€W‡s†)ün¯w±ƒœå'…H‡üƒâ~MW¢¤¿’ŠÔA¼–¦A¿"ßÍÞþz$CžB9;Ž‡í‹jtÙw΃ ¹é“.ÒñíŠÁã9Õ:(ÐO¯âŽ…¢º!cÏÍ÷A­ÖÝW&©!JT fþ’ã”ú±á1G}¡2Pi´¼:ÙÙ«xZÑÔb§§žçè`¬·Ê=Zˆí…‡;·›&Ä^΄2S$vÞ`­ÜœÒ´dñnbïóUdùzô%„ - œÝ£Àá²&<"ê¶v| `PÐr‡•þÉï(*È?$ºÁt÷ùG¦Ò=“®ÿŒ·õ:Ã,]9Π,2wAÛÍýGu¤Vä{ÿɉÝ…NÂRWÒF­¯;ÙߣˆiϤUqÕyymõtÐЌ͘‘F¿}ÑFÀÛÁ‡J¹º’|µÖ¿¸ðZ»l݇\šµr­ü!NTã“LW -wZéðÑwuɾ{Á÷Ü< Ëb¼ÖÅÇ'Iª0÷&´;’~ô|<àú+Y„;Z/§<œ1µüµn¬úUÞc£LyÏ^ý7=¨}ŠV§÷wH>9¼¡ù¾ÚŦ4Û;Xó©HcÀvKä4Ò*ª…ã¹c -?å¶ ÷Ð9ì,ó -Žµa‚BØÇ)“VÝíµl -Cp?zõ ú+¾¬P\þE8v¿DœÇ<ѪñqNš`wÍÑüûkàC¡QP]š°_œ'ðaÛA<è£ykÕ¦ sûÿŒ–Á¿ˆöꮪ={mÃÅyÁc~ÿ¶`ÙséÉø9´œßçÀ©2™uIžµ7ˆ á¶Êu‘ôÜ/c"çí~_OIïk8{µ¢¤:¸Ýô‡²(š÷\QßZå5(²îÿr¿óÒÆÈÄf4¢yÜòNºŽðåjŠãu -Q´Oè!Y腸‰ý©‹øžÌzA4`(õm —R¾_üÞãW6µÇA:1<à#EY’‚vª­ÿŠ“ÆlâÁ[–n&ñÇm̱ QO·K7ÿðÖ&0ËázH»/s»éZÄ -„ 0`I™4#pvXY…ĈA/\ÚKŽpFqfBô†[çN¿ö‰2Ê_Ô¦jÁ†Á/,ÓĎÔkŽi›5?=ÜuôK8$¬tæ³·\íû¡Ü “ü!»Ï ÐMUI‹ñ‚~þ•º |î"’Œ£QÜ3 …éµ/³S°ñLTßàò¡.Vê²­1ä-۞-ýy¢¤„ÐE¿T#ûiU¯D£ùq¬!¹|á†Ô¢w¹;”½öº…û‚frÕÒðµ®ÆStÁ¬Ë=‚ÊK|j€Þd«‹˜oX+j2üÜØ¢ê[8!qÑ%RøV<‹üLjH/Úx÷ì§HÕ§šJ,ýzÉ›´þ«¦ÜË\õ#v¸ÜTÇv¸Is.+áݨ4q•_9!ÏՂ8;¢Ëhe ]52g‡ö—•jOs»E #ToÈÖÐgÁë>““ØÓ‰Šö÷-՝ó[¦n´èìOÌY½¯>âS©I9Hpƒ‘Ä æßx#8%ÃGðÛ¹<ˆ€\~tNæ»d/Ò}# RûœùJàcAÃ÷Ö«5yšÊÁa ÞÖv š­)R<þÌn¥ -Eàf›ù*f®[u÷z‰¾!9ü6ÌÙ -CÒ3ÉwÙ_&'€›ÏìA¿.﫸E ®wð“3e©g±T×Ό!Ý­ÛçC4uº¹už×śý 
4Þ7’Õœ±¸2¹¿3½¾„c¶"!4¦ZŸY•›S>Ó¢<€$Lc'occ”÷ÑçgØGwtm†ÉEAË9Ë?,râÃyç…ÁË@ã/€7-PÕYòÄ»¼×HVìçÙ4aý̯ø¼!9²R‡KHàP'áX|Àú[ÅGp!»ù;Ô28ISå\zðA1O©Č} ד7«ât•ì–Û&3Á"Â7´ -]Aîú26ûZSQûuR‡èᲘ¦)95¹¥#²B=S\Ƽõ v·CW×¢)&wÉíâÙY]>Fª¤º0F (Sûu’gD¶GåÍ)ÃÈûïöK– -üòãVaï‚-Â}‘#ԖoÞ>ã·8'…SJ6¨î£’s¹5Bùè,͈®x®*·‘|â¶\T˲PÝ0 œB}±n{ïËPò#í½·/¬o‰.4Vz´cš×ÌÐû_t§ô–¼’ßÉspãMüƒîýlA—Kç?Rˆ¾ß¼zji›©®¬ÙÒ.‰¶ÎQORÇ» V.¨ -Âý,š«»omž§t~®»MzEåQÒZEƒ5tUàÓógó´iN5u}3ïÌì±ONâiZù -or)vúm˜„Æf|!¥œ*¹Ö~’Y]µ|þF¡œV -îêõ´썓&©jåN[N/¸†³ˆ=õÞ~¸kÆ~?Í¢ðH1{Ì)ê++?<rnþ›òË§{Yb€œ¤ 'é0@¨u–-ä¿ øàðDxÃÂ"‚aaÀæíÀiendstream -endobj -624 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1336 0 R -/FirstChar 33 -/LastChar 125 -/Widths 1346 0 R -/BaseFont /FNUUJC+NimbusMonL-Regu -/FontDescriptor 622 0 R ->> endobj -622 0 obj << -/Ascent 625 -/CapHeight 557 -/Descent -147 -/FontName /FNUUJC+NimbusMonL-Regu -/ItalicAngle 0 -/StemV 41 -/XHeight 426 -/FontBBox [-12 -237 650 811] -/Flags 4 -/CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright) -/FontFile 623 0 R ->> endobj -1346 0 obj -[600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ] -endobj -617 0 obj << -/Length1 1620 -/Length2 19156 -/Length3 532 -/Length 20062 -/Filter /FlateDecode ->> -stream -xÚ¬zSx¥]·eœTlcÇv%©Ø¶íìضmÛ¨Šm£b£bÛ6»¾ÿïÓ§ŸÓ}Õ}.ö~Þ5ǜcb¬µö¾xɉ”éM쌀bv¶ÎôÌ L\U%uCkkC ;zIgCkÀ_3,9¹°#ÐÐÙÂÎVÄÐÈPšD€Æ3''',9@ØÎÞÃÑÂÌÜ@õ—ƒš––î?-ÿ¸Œ<þùédaf  øûà -´¶³·Ú:ÿ¥øTÎæ@€©…5 ,¯ ))' 
—SˆmŽ›Pp1²¶0ÈXm€ÔS;G€õ¿c;[‹ZsbøË%è08ٍ-þ†ݍöÿ@t{ £…“Óßg€…ÀÌÑÐÖùï œí¶ÆÖ.&ÿð×nj÷¯‚ìíþzØüÅþ’)Ø99;;ZØ;þfUûwÎæ†Îÿäv²ø ìLÿzšØ»üÓÒ¿°¿4QgC ['€3ÐÝùŸ\F@€‰…“½µ¡ÇßÜÉì-þU†‹“…­ÙV@pš:šXœþÒüåþg:ÿÙ'àëÞÐÞÞÚã_Ñvÿòú_5X8;­M`™Yþæ4vþ›ÛÌ–ñŸ­"ikj`fú·ÝÄÅþ?0W ã¿DõϞ¡þ[„¡‰­µÀh -Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1À?—Œ…ñÿánhcaíñ ø¯žêÀW©4s±6tü¯ð¿émÍþ*BÏÉÀöo«…“˜…;ÐDÁÂÙØ`jhýwVÿ²«Úš­-l5ý×8ôÌLLÿS1·0¶²ýgølÿ†€¶&ÿµü¿2ý«xF5q5%IÚÿó^ý—ŸÂ_ýU<쁀ÿ™D]ÖÎä-þa²sxÑ3s0èY™Øþ»¿ó;³Ïÿ%㿈˜ÿs-kèìháÐfb`bbüýþÏ®tÿ ¨­±É?;FÙÙÐÖäï&û_†`cGÇ¿ÚþëÜÿmú?ÖÿÚî@ ;ÐveÑΘ;Ø2=+ù+ohBD»¿—|(ÄþWƒJq¡µ]_zø6g…Á{MCã×g›ÇŸSû})šƒ‘^LkʞTàe¾)u_!ÊEíA £Þ/„Œ3õh¯«™--v&µƒ E%½ŸïPS¬Ž0WOÔþ¤®…þèdöˆ¾ÆiõqÈ ¨µE§gIÇO”¿G‡‡{n ûöñhs㾑s»B PDù;äâñk©–‹V6½8mN¨Œ Ávìòø›½ 䴓[¬{[Ëû^ ¬jÄî Öæð¡'¦E½à3õ%­µK$cÿŒæ^55`wzý´æ]ŠÛê{ÌFx9].òn1[Em™QBϕ[ï¹öضé3MºÔí¡v»ùV¹\¢ ³*2m jVöˆ¨pz/’]6r w™ÇR‚I%Poýpc75ÈÔ'¶ÈhÀƒ W7JUϳ`K¡$¥ÀsÎ<Ä7:^ƒÉXÖë}†¿?Gæ;¦D»Ëc|y´—GðCK”Ï?eñ!Aʐ¥c£VÖnPW±6HãÊQ9+–hh8©SfŠŸ0gÒËÑÍÁýh7F(Í¡7öؽŽa¸Z®/„y®I­1‚ÐÖÊ®kZºíRø»ÓÐð±‰ÌN²NNÆnôâT7%ÿÑ'ϳ7i"Å -HkÑò¶ xÀΙsTºÜºí F¥$_2à¤ÝéØæú¢úÆ҆êéÓ÷j%ôÜvk†ʜæ%¢d` ;ÝSêdù/áÉ]‘¶S¡¼ÀËÒKa÷Ï ëö³‘#&[K^˜µ+»UTƒdak¦“Ÿ–fUX©u¢¸5ÐJçCL8KÔR®<‚öwm.¦L˂&ØwLCœ¾a!~6]íeîkZ77º?ž†,˜ˆÁóñ0a£%Æà - -\P3ÏØ©®â%ª«Q¶°sy1*õŸƒð3›Wž®õ;7 K³y²mÇZÉh\HÐçãîäÑ|Àÿ´_˜D®á!)?¬oöër$q0>°±ÏO„ª±‹©4äCo¼úfZK|ØþÎ¢¯®Ý¯÷²`&™^Œ!‘‡XcÁuæú§‘üY?Ÿ¯Pû …œó‘¯7 â%@·y°aøò¢®¯3×)ƒ” ÌâΟYèÚó³Ö|}úêv 2Ñ *-SÙ´K3n¯­¡ÇèR;MXL5z–I×M¬SÂQÅp,>»iä斡§ &*ÃÂí>åXÂ8ÒüàíÊ =󠝂S€ä¯ºÏ“þbÝDACëeY‡I÷œÑ•–¬þ©B7Ï*î'Âë¡~QéM³bÔ-ôˆæ±@uQIÆó”jåÄiD5Izlx}Œr-îºÕ±zC)ë_n²~¼Î©½%•¡ýjúcsæà8掉;ºì4}£xe/¨Õõú(”ôeQÄìùdŸD€Ké -É{<D¶¤ }[DY¶¤T­±ê-úcØ'Ÿ[z‘.J(›ôb#Ö¹_{—Újå1ãysœÃ --0ñö® ˆ(É0fö‡óÁ0–\Â9Šüµn3ÿ>J¾™Êöw -Sò¹ °žô9w:%x?RŒ¾÷å9:…œÖÄáöýŠމMb*x:lô -1Y+„ -0ÃÂâҍ -Ú8äWó <'Ɩ©läÍM*iÞ3E2 -r &Õ}Yðù0qLW*€2V:ãJٙ³œ -9O¥Ýò“O.2&ÀŒp&'¼(5­™âo`¾«Ïð¸>‹e ÔB6?c:º(®…‡˜õõ9ø„À©9n}Š-Ól8'H §#‹S$—Íòò^fë³ó—›ê‘3×Dˀ„„¶-bP‘3r$|R\o'3Â6ß|2¯s‡—rΊd„ŽJxéÇx;7©GbîKǖ«dž/ŠŸÔÂ?@E8ïë`N;5Вïx…¾d¯ÿ`¯‰Kšj8'áØVDtÜóÚe’`“X‹PL—§=ù¢xŒ¦ø¨G°v}3N“ySºª5¹ #OH(Âþ£»PîV‹ 
!sÉlË»ÿX¡å´!VøÛ$Éò9û;x?ZHíèSôŒ¸õåäÖç?°ö°ÇÓÈ}ŒhÇ{š×n„6“rÑB+¥‘™G[?˜öÏJ6vO*G]¶M€ﲆ‚—yåx=S¯j¨·¿øÈd±ù\}¡Uٍ5H8Â$|gji6N*ÄSE ¯†öÞ{{Äó:ÖÏŒ]¸Mñˆˆ×•À×͵Q‰`s™uür9ûqŽêê«Ò<»ş.îüß -r ØàŽ:—UïÃ3;&^ƒ H¾÷Ä¡@\³cöW¥ËĤo9z”ðq£9ÊÂɁ¶Ò]èä´|Í6ّ͸;këá²êäQËÖ˔W¯˜›}M;¦ºù“ -nƒ¡”CÓÓÚëíûDÌuU£–¡b½³i»´lÜUšd¼mîRiSgC¡-kÖ;Uõü§3ƒsèº(sT ØÔw{vUˆ?*?Èñ'f27ØÄbLà×I(~o뜫’°P/>³ŠÖ²,9Cæp6ª%"Sš¼ä¿Õ -ý>Óv¯"žKa†­dLWA¤;a# >ûëöêÍ¢®Ú:¾" )¸-!Ó#Kþ=ñ]õû3¿fö™ † › [ý9‘3Q"mn±`÷Hé-ɦ ‘=]“¤GÇëÎ'*¨j ¦—œ1*\ -Úâ\ô3†JÌtÂD†‚V­¹˜=ŠÛXüh¬‹:L›m8}äœZ¢Z¥UŽâý“kZM<íYáʦ¬b”Žnhuë²fè@–KüT‚GÐ_2žŸ=\kAõÛ;Ÿ¹š@tå|#Žì¸bK]˜ÑÕa1%­• ÓÞÑÑgñ÷½«É®,Ï|ÒKp(À·ê»²“£K ¶z7÷›Xi!P0L#‹ -K™ázŠŽï“ÕOG‚î -é5[¬xv”C°‹S=ßPWâ±Géšæ­iúaҐ~öäÁy o¿ µþ¬ís@q+@ñ›¯0/<ϵº¸gÆ+útÊEQ”§ÎOƒÉ!qÝãɛ¾e“Ø;E†èÏð‘#VÃèlµÃwۇ¥Y¿ÜºDöâã§7™“m­*<„"É Sé0 -$¦äh]™!î;Ö¦xµ;5rÀDW’GT>—0Nzœý¼ èè8FÃñ;Ӂ‚ñ-ßFIüëJvë~-bñ¥=`°Êvýlö¸E‚æ!Äímâ/º=ü1Ÿ/ˆÍX)²Èì†f²¢Ÿ»8.8 D½ TÑÖ²%‰œôð ©ó<8‘`>@žj—ÆÀG •“”»NOzþŽhˆ_qÌáì(ªSŽµ!ì´þÝm>ɨG@`!hJ„à4/Û¬zOšrŒõþA:®á–{–Í®Çw,ð›\í°÷}.åù/H+*Œê»/7í¸ij¬cƒÎ\šV{ ¤ný_ã:̦‚jÈÉ-sktŽVÛo ¼gGÈ$\¨–ËòÁÓIÅËÍ÷hgií…å$v–šñÊœÓKéYjãë¤j¬ožßÀ ƒÓèÖè·¤TÈdáX^I·LfÑ&Ú<~Üm£ÖLÎ"‡Í×í²Šÿº]ŠP(}qkTûÐl‘ÁyüÙ©q Éî¾Ô¥]»¡¤f^XB64Û†|õÏÙdƏÃÔ}'¨Y®©*w„eg¶ó~OÌÃúc¤ÉÄHÝ -À”ö¢+ˆÞ)Á÷Ð?ŽGíL€êd´-1ucÊÅåâzh4${Gg¬Øÿò¾Æʇ­’NÌå¥fdã€U{h%õIí®Ïyö¢˜Iw¯e,á#ooó§–Êù’¬°<ã5quèËîЂsºêJ&ƊÙȅ_+LCi¬Å»oGö"ÑâÕ2þn¿ÆÇjPÁ¸:’¿¶XS0`ÕÔ*‘>ؓ}‹ÏÔ»•…w2øÜÝO1<¡½¹†’Œ8 -+ˆC:S¡€5‡a|°k÷gHƽ´)2t•§©oš5O}ÞÉ({9nŠ5\·iøH@O°·ôŠB‹#"—r;uî?Û܇X©>pŒßú’•SŠÂòq¾Uãt´} õåùb#1,Z±jçX@7¼ •§ÉZ—rc?™”AUäûÖ»+[ä»zÄ+G Ó֝_ÍÎðv_Mól ‰YKW£ð̔‚ 4vÚÖ©.æۙ@ãÄÄý~´¥Ôx+3Ê:`$#Ì'¶*xí‘J,®ò7«rví]í¹]÷›íäô÷NŽ²é„¡(*HâK܎—£} qBßÜÛòÍ@OâVVOs6pÁÓ8֘šªBËts$ㆤ¼ Æ•"4²Dô|<å9wM‘L›ý-§ÌD0¤†bwÓàMÚEoU>¸zݚ¼Q ø?c'=<ÖF–ëä¶x`ù³‚dÕÇ||¿8ù@§lîŽççfÛыEÎûKGxfX®$tÍõ2$g½òÛg´TŒC͊YmÅã}Öð@´9ǵŸ†vÈì7奧œ¯ -Wi7í”rU¾µ;a‘Ÿw³þ @Ÿâ6¤îÂÎkqRç„c}ÌWãÈRùS„ûÞyYØx–Ì¥ð™ ùÛº 6òB/R`ׁ<%©‘ÛF›É ú÷:Ëc`Õì\ÐÛ6m½Å¾ï%œbq·Ùôçµk›ÐÅ¿ÞIՉ"ßvÚJ' -ž¾\’’‡†@™´DÍ_7w[}æ˜ã£1™dªÓfGÑïÙä’e¸¡cî–\‘Aú”÷G¨ùøã¿ÇØs£â‚|cˆ¶zÅr}¿¡5oÅ_¯ÞðP­2þYìŒR TËašÚuAC¼ ñÙEωt¸²ž5ŽèÖä~ì¢ÛœD³ÅD“Ùµ”êR/ÍbÕeŠ%ƚí®*²(D lûUczﲎT““)ëûm?i&lëlëWà<ہZ¸ýd´GS€•/qV N“=ŽÂÚ di¼fÑa2ð 
ú‰{Š›âÄÊRm!ƒt‘Ùé7p‰œ„—ƒs;ï÷ğ¼Ý¬ÎQÎ2¬fqÇf!>ZSäՋÜq{ àðŠi^ -Âhû'zO`Ícõ¤õ0P±rLYβ›G^¦È¥Þ#©ì­·»…N®r7—eršéA`6?År¾“Do (ߜ-gœòˆ‚ &zvŽd»€TÓåÀw¾úl;‡<;e†DÊ^©ãV ¹°×Џ€všp$ñ¼ c‘ëšïޙîíÆñgpfÂñ ÷bý¼“ø´™—¦ìðÿ­¨ ցú¦NàLØìÍ3ô¡ÁË ÿòsf‡Òl7pL‹`øÖæeÂÈ^|P>n‹©I*E‘ç7ù¹=EÅg=¯]šðÇoL¹áJy±\Gÿ"u¥d­·¼%·%ÕÜqÄþ*E ы>^žÙ9öÎÐ -ºR…ÒBnÖÂϾîÆ¿k<³÷1Ë@ -y5~Psòí>x7ªU•$峀ݪü´vƈ´5@àƒ³ä¡ïý’8JôF~¨FGÃü‰0¯jiô…q°…Ü€õRVË#»“é ¦mV!‹·ä0B0IÅOا$—Á4à¶]ãNáÙv™Ÿ—³#1z l»,¹ ãÄ5#\û‹zQ܋Žïi¬Ö#nÝՖ¯µ(¾U¨“„fp/¡Esªjˆé^©n6 „.ëÖ^+"®ÏeV¾¢ú;“ý—=À¥M¦ðøæGàør9±§v4ŠSr¼XáÕ¼]–ÍÌu5A‘Fw5GdYû÷)e×úeRÊÔC¯®aȹaj°/*ú>ã&}‘v‡¬}áìéȂõâw7Sí݌XªµÎü·˜¿Yë©$ÓÅrˊTø:Ô§ +ÒµªòåP’'m±„ew2„mèi3"ÿÄRj?³¯rs&±†¢™Z}oº’TîÜ ¥Ä5½»ÕüñD[µÔàÏ´âùð¬‘t´Í*Ř£ÏFðb.ƘgI&ª£Pð‹tDr-¨û×Å©Çdâñ«Ê% ¢®¹Œ¨ÅŽ<1 øHˆîueɒXì•`H„÷A†Ì5$D$Å:N‹&'°s~n¬p<ã×ÀÍø -8ðÞaí"Œ}9£tÍ\ÿ*÷Ü^"ªs/ü.Äöì0_ -ØÁ({0/“GÖ-m«Ôá>ñԂÜb¹ýQ»ðÖk¦«Ô«sö28¯âªV–Ñþ$JYÒ3ñî—ðZk‹w½¥·BJ¢?mÁ¢`g?%uÓÂÄ9§‰.‘älʤq+4ìcXä_¶=né£fóя¸5­){_Ё'˚”sO+Ú¢{~Œ¹#Ï\%5ɸ„êdʺÖZ²¾`•[%UP+âóJ¬~g½U8n( ö £ó·( £Hž7á$m¡D¹µhOëHíW„;hKÈß8φóú †H~Â$+·CO‹-yÿB©˜R"g[¹dIP3(EÙKµSÄcm%==„ÕÅ»ÀrpÔÕRÈ q¥6úà +Ú,ë…4|¿‚ ¯Yì-EI—m4’ªiE+D¨ZD2£BÌ%Hݼ³‘ö£~·ã»]bË 'ò|ŸÞtÿ½¢P)¯…¹'ÆÝ ±¿IÒ/)>€j¸u™T-gí’;l´Ë'ÿ(sQÉd#r¹ÀFá3€m°¨^LuRñom×7ÿ\ _+3‘ñ›‘¢Ä1öXá -^õÙ´ bš:®Ý~ì½´›”wã+šÚpðòlª=ܘÅ;°W' ¼ÉGOoʬ‚ÚÎÕÇÌû=5‘ýÀÂ"*Þ§£Ç´¥ê -fÂéN~aŒ?á°¼¦‡·®_"ÎI¨}˜ÇØöµ`u7ñ›9“p°”¿MûKJ¡m -|•ný҈ÚXýyaݯℎºé„J‰ÇI^}m èD„·_GN¢¢óÉRs±ì}o†| -Mö¨Eçe€z§½Ð@ñômú³”ÞÇŨ¶¼+D쇕a<¯‡»A´’– ¦r³S¿ÀóI!/LÕ¯GK^X"âQ¸ê9µ¦›µé‹º -Nl}MI{kIËJß.¿&ëƱʟ˜„èºã«mL²´,\…½´PνᆤyêÑc„MJ/›ÎxÎS,‡ñ4C«uÌJh[Ž0ïoZËëûo=‰XR¯ÒFl0Jøӟ;ýQ -0ª‰ø³»À5F%n{zY„v¶näâk‘†,¡œÊ}¬©©ÂåzŠ”Ý/ð)H\»¿½äY°öŸóµÐ”üK=©4Ø=ÚÑBÎ.óbE7„12úÊA`tBüÔÏî¶]Ôg¡›Å¶ -á ·óGÿ-ãæÄ`öS¢ç¤^wS‹6ÁŸ ù×õÍÔýˆ_h±rà6zó|:èX£«~c&#ôÈîhzó'(Z {+<†r¹P­®ï’8­%·´ "™[n—hsè7ßC'Üo³íV¤æYò›Aè| ÒHnŽµÉ³“&<ÆÔâA—„w#ŒNH -üzdùp»ºÇºû=Ì3j<óòSàìlúÊփÛf|­µæÎ÷eìgûݙ0±H{4Ê - Èo÷mxÖ ¼þ҂âÌ×åB͖9Nhé#Äy»Ò«Ã{ÄÈTŒMmS -î:Ó¯+1³¼+–ý0§ŽÕ’Ä:[”ð‰d覹,J„ŸÒNE‰Ý Ï q5þ&ÃîVwmÌð¾ß;0´Œà0»’Âóüֺĩd¨¦M ; ÛMM;4²¡>š/£û3/r3¬Å#šÙç¼ø•èwW˜Õh)¡ŒòÏæ¼³öFlò„ºWR†é^mLÉŒÂ{ðsLF6¨.ûžŠè,¨êz¬·foFâb!äÜü²/’CbQÝÂ8Ԗòw%[‰‘SØ:™õ﹀ü‹$!ùdókʏ îÝßX'Ž–Œ~ãìä%/<®ÄêzA™\‡âɂŠ´[`ÁÓ 
þDPñ5­çïLìì:.㊌J~çñù®Ý•3ן|=TiŒB“н -+ý¯Ü—Û¦@¼kn‡–°‰Ë-ÏvCø +W²žkFV옘r ºË^ø¸ábçvœ»š±¨K?u4ŽP ¢+‘ý—ÃT»¸ÇaÁéçytQ8árj”ôH¸ ¥²b®I5íÀù¼Uù¹Á[صuuH´éêìœHjûµ{Ã">gf'y»[8.¢|¿lA˜$‰æ¨èH!K¿»Tl]²Qã­þßI -»y¼¯ÈŸùt:Ùå6 -ðš$3:ÁHªËÖx×ÊÐùŸ'O&©>“ús)pCŠê–¤‚埌Ÿ÷dðqøÌûúçlsËçÆÓðž_pUwôûß;^š”ûÀ¤à<“¤TµzŸÁDEdká6]A=5ìƒË "ûDMOò䃛½%[êӐ×*{=F¹"ï£Ã?âî#H&ʧsÑǁ/ úÙ{½¡«¹ «Ë_\y”9Ӝéxï -‘XE†™xð†Itò ö~›sóUúˆ£©Ç“µäÍC]0𬼕”„€¢ ƒÇ‰?§×N®ÎA Nš±D¢¸Á1ø=Ði!íø'(ßMêá—ï­RbøÚá²áCPþ(¾8Lµ:$PøÍ¥×èX;—݁­1'?¶dUou±K…wõԈ“x4êºÓ»Ÿ*Ä·"+ìiÎUk|º;ÀÄZ2۽̹ºz×óä€ÍÍÄø0]*bí ¹àŁ¼òªìš16}…Ì#^å[}õZRØ-«ç43â1H·ø•ŸSqRìïq‘y7q¡£ºÊ?$H*0±•_<&BL#oœ]ùÄ«æŠÐ%ÎzÞй…¶ ÏGú¶VÂê'éÚæ,*]­Àì$SXq³ÀÁí=fdò½ÈÑêY’fæ@xÕÞÞIS”^Û]+`ê{=Ë­³SW;…xâ1d€<”±~–ö¼>ŽÉ+Xõ}~H&#//tCàCÄ4ݑÚï  ,u Nþþ_®D?‹8¯+¿ž&£l©à"de -¾9¡¶çÜ@Oƒ+'ÔÝ{Us~Íxeoèí×}ÔûhµÙCˆ!AÿqøL•z35G0ÿ3TxY¤ñYS“Ø»äOö–VÆÅ}¦×ºXGˆÈ° vŸ8»úŒgŽŒ‹´ëuZۂì@ˎk¤¨éN“ú|›EILœpöêñïDMfG ÏSk‰úºÀWVú›õˆ< é5§ü”Kù iã“#OiÝcäM²RA+Õ\Òuä8/)ˆ3ôžwû›eÈëDñ9æ7 «³‚Ü1µóL8”(µåD:lU Ùg> ‰>ˆ“9°-A–ãÒÊÓûSş¡3qq¤ -é3ž¬¼·µ9ŸœJ#iy£LCpøWØJñ¬fHêÐCÚ¢ÀVÑ  é^¤Ç‹oCԉbêb΢Bê7A”$qIË5iÔò`ŸØLtuŠ·ÂÍ:Y‘¨:EÖìò¹f셞Ô&Μä? FQÈ -åF¤zÍÜ-E¬%õ@ÄÄ:ƒ}фdœ­v4KÿÈ«Ùø€  ìîrµßõ¦…!Qš7‘¨ˁ® Æp*®½C%D>íÅbê¨S°ÊrÐs¥¬fPß[‡8äî»MÕª?kºŒXÓü|ãw0¨®Ç {uæåªP›–"¢Ä9«qËN‚w7¨‡‡’ÝÞ!ó ùX XžõzÓR5a¤Yi’¾g?®)eY°y9%0<*+LòÑï¸YÆÖ|{JD\§W9îMóߗ]ȋ1‰#¨@˜V]aÏG!ÚvqÑãÒÃƧü&rf_":ãPßfížZȾÄ'´s m:<œº#˜m6¶LÔ±ôh°A6¬“¤£$²9Í0De—½;`Ý8w‚#ÅFû¡¿(OÑYЪ_¼>morÔ«Õ€!ÑáÁkÚYÓZJö ­m;Þv!LÃБvÀ WFè{y¬þl. 
,ŠD<Ó¿~µËÊ0y&›}{)ž^|‰  bgî?µlî—"†fAå/¾ÎI×ä½ @ÚgS8óWšãrFÉÕ^yJFvt€„W Q)xhtt@¢ž†Dx® 2ýlÚfŒAsr˜:ª]ã ÚÖN:>INâ$V݋¦\ôå–Tinôrʳ¯ò­×ÃûLJC‡¬*Å¤p[71a†4—9ÉÛf<ðl¶ñتŠ”9; -[‰Wèûáù©>«OæI¾¶C‡KV;%Œä¨ðò%rÚàŠ™"ßj@d+ËÔ5z¢fvrÃÕ¿uõzƑ¼Å–=]çÿ êÌ ikðšv)ÝrrÊJ¸‚0öò}oߑlÝÐoqiqéÌ<  —`"Ù ¤+0;ŠÏr5”Â?š;·±n4!ç -¥¼¢ÏÉyÓ½¼Þ2Ÿeþhê ƒ£»Oðšqù¢I:Žô;KòWUÐDL´a®œ8•Ê -,ÏsË(ÙÁ½Á.(s8…›oAΖ¤*êæî¶}‰ý'·—õ*ÈQðUXëjúé›úŸ8æ!õ5*|÷,ÚÜ­GïËopŒˆz´¾¹øãGRê òù«M³t³”–ŸLæ At,­c…Èc¾7]Aèùù¶£ÉN€ºÉ -(‰ª¢û.tHe-KLt8¿ös¤£#1íގGwíoöº·Œ¶@÷fáך¡×sìØ!^ùï2tW- ÂOD4:ACzêýÅö¾³)PÒSËïzpJL ô¯c×U®Á÷¡&ˆ8YÝ[ËÄÆ֔Ãß¼5gRn~j›o¼yƒ_jvzYÀØaz»q·ê©áêAÝWå!Iò¤2z[5løxõ}øïàÆB-M”4Í?À!è=Ù7"L’սɝi“x·ÎÛ_Á:Ù3ñþÀ ôƒ| +¶LS× Êi %S“­¨Œ¼`IqJü™4~F™\·¡xëêiõŒ[ÀtTdÁ7aïðyfï§~@–-+þÁ‚¢,恳…à?ù±³Šë®^ºÁ¶2^Ÿ«(¦¹°6(ýœ_p%æ°c´á‘…@e:‡ñ'՟¬ŽÀ™X2öFíG“œ¹f;ö¿E:W, ÁÌ'5ö?ÒvhÓÉäåò“\O ÖíÆònoÓLPCÒ}B›DŸgʈˆ‡Ü(°ŒÝN¸`àb:o<ÇÉñMˆ7O‰Œ· GnY PMŒÒ^ÖzØѹE ) ¤`èT0#…È—uæé’óxSX"áÅÿã]œCRølå%­Fh3Óq£Xt0#¯7scEfPwj†(¹P÷M~Gý«¨ø°ßA$°ZCaÅU}¿&ïC–gÑJ=;çÝZ -zºL[ P ¸`Ç`ꩃIî¿Sû ¢ Êøë"&¤Œ7n·³f¾GÃGáÄk†,õ‘±Ö-À ½®™DÜïð;ë:öQ§Óžï±jnMí4ŸÆŽÌ;?ZyÜäW~½$,>zÇA=³5 D‹&}¨3…–¸7T6‘šŸçDÉÎë ô°“ÀáÅ5–c½.¡cȺ_h©ø×&I£Þë_m’nPÒ3 -Žìdh -´D¨1a2(iégµ;x{‚7\©A0‚’yyáóäVv¾ªÙ Dâû:MTƒÔ’í)‘rrê7׋?, {œt˜O3q‡©r¥…Û”çÎÕÂLéÄ*ÝûÌò¦°Ã³·¥À1`äuԛ¹$pÔ…RûmJ -‚¶=ƎÍÉnù-4­0 -7{¢Wk¸»× 7µÇ†»jåË%‡‚óºÉ×E&¦ Ü¦žüâW†gÔ;7ŠÎ[R'P¾¿ÝÈÍèÒO¸L^¾óuYÎ6ûÀj/ÎHÌ5¬¥ØÔ¼ºÇ`jT!I9%f|°‘"XÝJî&3ýÀþz›&ƒ¶q¨ç¬&6ŽäåÙäcŒ˜L16Zó 61GŒÃÛ).1äÔSz‚(ãu—-ø(øi~pçrYܗ6^ õ\𛪗.ü]øš1‡½}l¬]m:¯|¥?D²sWFÇç¤>§Èù›ýtÓáX  ö§È%¦‹òf5T]ĨX;ÝöŠ֖» ¡Ç–Et0ÞÛ8ë%¶Ub.cføřxY:BšðarŠ½)l4[ÈGŠÏ -EU¸ò€d+uQꞥz²™j#™f‰«¶8‰ÏPPiq]3ï͛}êV»æYÒ•¤´Ø™½ß¤éúÆO’Uêí÷-ÙòÍÌϳߔÈ:qN ÔÁBk¤`P|ìÉLƒhYÖÃßx¸’Ïy1Ô¿š2íp¡g o~-“‘t—ǺŠëûéá:™¬TèÑp òÙ¸ÿTüÚî ]¯cíôa¼FÅ Û!g'œAQBK§?µÈeXƒë¬7ÿü„-àZ,sb]g#ùÈ´Š…µr~ ~XȤȼ`2cCÐÀÈõΧ´œ º™·ÝgòQȃQÛì/t^,å~ûæ³ u_å1ùШJÎf@꘎>@˜:’L!íUÁ¸C'þÛÜm„N£tç‡þrÊû°GM¸dùÚÛÃ.hÀùÙÅ/ õ7ðŒ]W"#P¢-½÷Y´¸IÞV¿¼¸³0ºèüo™$S Ðse.ë -ÊË'5lZ)c®wŒë¦éCD(¬G©ãe²µP³´5~PÏi¶L™æd!ɱnO;Ë}i¦$²AbDµ[¶¿o3˜g³!©\#ö³FU¾-Þ¹ÿæí>ú9¤ 2áUÉkûª»¦|óíDIÀÙÞ@ ¡Ä 
-»_C¶Mãl@â:}j·@Ý´2¥½Ú²•¿…à9SäfƺyJ-gj"ôøÜû4A±ƒÿ!=Ò]¥õ"/ïäl•N»"ïQE¨û]'œÌ¤O™|…KÄeЧXšcõ»³öûDCïJMÁ“„‚b`úÆĦL$ýš­Á­·™³4"Â-c ®'•–äÇvŒZ•RæêêOÍ/Ø5¾¥lÌÂïkiLÄ Ùf°k9rÆü³š#ª¿'•Õ -052BÍ6¸~ëϬ*“Þã“׫BL^x¹bÂ~;ý°^0æè Z±!拵Å=>÷1•/µþÁ…Ÿ9y.כkôÈ ÷=r¼†=Eq‡q·ýçžáБš? ÃMÒ ,:ä§j4rŒ E¸ÅlôÍoÞ¢‡5fBµþFo˜@ÓÒJ1xÚ>véÙ!ùl"Ô> <|qbŠúǔ›_BŒ=÷úÖÏ#ð4Øvg{Ύƒ`#µ“‹ëEB1útȯ _y -ÐV×p™%V ˜5ÞÒîm08ÂDyTø¤—ûAQe(ˆL&·pҘ){ìÝTøÐhĸV #‹ùuQ?‘*á„ÌIMËZjKûx(£ e±ºm}°F0ëX—19i¤Ŋöô$X~×U*Ú±-ߧvœÙQïÖ¸ëç?§?Oç@ÕêÝļ{Š ‰ŸÝÒ 0©EßÎÿtÞðQPN¬ºY2ažEåE$͋‚£ösɆdiIfԅN<¾?ÒÄrd’~ hà>¥QÂÞvâ‰ðdÉrÔÒ¬ûu ÄL6’2/´`ã»÷›ö[Ѥ¬µè’!ð­ÊžVZB¸Ÿð«€*"næì#¤Ð‡ŽâOÛ\距ßk›lU#±æ' øú-SOؘ«-eó2(Ñy•_­¥½lÙkQ€í¯-CÛ-œÚLq`Òºg.v:)m‰F1ep±ìû0¢dcô;ÄpŸqѦB-z¿:ÙýW– ÊW‹;_ºdð° «&µ#h™8†ÊŠ®Išëmw÷ Xg =sSi§ÅÄ5ãÈôÓKB?ӛµTÉÌ]~ð l{ü(Œs`.¦¼o]çè_“3x¼ê_’o9å÷×Z•“ÒêȨd6Ê -$bðê0eN½™•â­ÉŽÓG2f*Um‡}÷WEySV8!#CŠØ§¯é(¥½óÁ9¿;-Z[3ù*³ôVžüzãa¬ïÆPcљ°êz£ ¯vfõpl&³Ý³ý‚Øsû+rF43K0Qž¢Ð„¥*p½§®Òìêœ -‡À/Ђu‚’í|£.襡=͋¼ÉÄ38:¢•¡j-rç· Ã(¬¨ L8;çFû>´P]bð®NX1ZÅy.Ê°>®®ªŠ³F7”åõÒ÷ý!ù†’½²ú®Y ±¨Ñã?S×ü‹žÃÛ¡)ì­(­ý&GÔ‰]¾27t‡{Fn*+i{wBŒE0øÕ¹žà2Ý+y y#ÏnÕ0ÊÑókóôìN¹‘૬¼í4Kã*ìŠÛg§n4L”l¹{6‡Çá7t¬UË>_šS .u á¬r`<>¸ÆÕ>ÛçïWgdØô’Ö³2å˜údG_ÇñœDßzn*q×ZŠÄ ñ%¨ó/F‡Fb‚öÙÀˆž&Ú%5ÄíԝRÍüÊgfêûWže‘ÞéҚÏØtôük{øÙ¿b©½× 춨q¯.Y©¿Â§k qçîW!öÏt£œìçL×ÀkèbmÝÑ:g=G½ÐLk·þçÛ#&Êßnø`‰†Á&·»" -ž°ÍXVë/h$S¶ƒŒ:Añ¾÷TS!Ê!Œ?̐ ¢-®%ÞöjÈ3”\uèD¡v»[M¯ TªõjW,‘@4\2‚¦Ür²€$ðã©Ü“ƒ*íوH%ˆŸŠEgó¨è©~°ëõM(·‘y8ÎÊ΋F;>Ó²swÄv8•ÀÙjAu½\H‡"nF²3y×j•.;r<ÚÄc·ÑøáS4EÔ9qCÛþfúN-nâ©1•[j=Êê?¼™èè²òõS !ñ.Žœò•ý¶1û.ü¥|Ēçg»éq<ŸÂ[€MÐ8c¡ñLÌÔ»6/„9ëÕTÒi&Տ%ƒœã©”§¾F7fVtzÛoÅ1±H“á ®º4'·¡˜ö‹öqÁ=†žú¹·fgO„Š¤La•²Œ®Ì‡hyî ÂÙ³ ô½Tô1 rš„Ïz¾Çž}½Q3R ÓÑèõÌT†O«™àU¶fÙÂ?E!× æö¦‰!ÿ,é» èBVWÞÒ:›âC_ý(ü¹Õq=‚+žì᝱rn€©{¨xþÉ ijƒƒ”Ä¢›zBRjÚµ(aâv¼ÇìË˂·Úùpex–²EÄoš„oaR¯} ›G•¥ó ïF}Ÿ7)WGÚuø8Éë×9Ð΀*ñÈ0íèJÚÈCÛ6„§òU¯j Ï{’{ñǦpøL(¤*ÊïÜ)u"Ôn4»ëýêÅPžf>=ôFJX‹êz¡ÁÀt{& IYè‹/­u˜ƒi‰ê4£±‡ÙƒÖ[føà ñ%5UŸµF@5ôێ –&ø|;>ÃkÊlü01lήÉFox˜-Û¢Ø0vˆY¨6̘A;Ö Æm­÷ì揺ڞ•·ØiY·û§cZɲa£ñÍ£ÞB„î<~–ñ†€ŒüBÀn÷ŠÞ™ÿN3öªBÊ¿#Ön•o„lLæù˜¢h¯Yìzîk -ýqž\Q\²Ã‹±û͗˜lËûâ¸æ­p h]ß,‚Üžúòš¿Â6Í%•¢ð“;‚)¬¼*¡¹ÀÜ'{‡Éõ(ÍÜö\CÈWýÈîƾýÂÓËډ .ã哛)œ ¢ 
‹Ý¶Ì½&;}%^ŝ½3›­‹{Z塵ҨøÕáÕLûæ—צ*!¯.‰Ô%މ‰»sw˜K¨¾o:B€oëÊTCꔐTÄ.Ð5ðNã=Nùç9+ħ)®Ûd}[+TN<¯ µt…o¨½CŒ9s½G!ÅJXBçZyùsGë8ÁâîL‚ÉÆÆ(ß1eݽOͤá`ôTFý6€*´btk6§ªÌ®bó¼"†wDÈ ð¸uŒ‹äæô4þ‡)ê1& -†bJ6¾öÕûžõpIËÄZõ¶Ãp%}Eœ7*X§ïcáÄOÊòµúf3`#û¯é9 vqñ„§x§p b%c»šÌØ7¨D³¤ùF|X1/§¬ñFÛÌxË./U­Åß4 -ˆ~_ȋõì盽ׂR¬£ U«Ö퟼¿52Wëýà9ZOÚ$a߶mO¼ësm@ƒÏJ>4¹5Êe3iöÅlê<$ê;4¼&™’ãÄÙОiցÜtþùê;^1]öÐP½†Ä -¨p9¹¸LNüÒÇÀÍБi'ëVên­_ÖËX¼L+UíZ÷¾÷\£–/ܱ šeý‘ne#x=XJ ±RúSô‰ÔÑ{£¡otdKaðĤå d@ˆ›Oàš595´ºà³هꔨÒõ÷ÍvJH\µè&©)rp´T{þ-mñ¾äšuåžÏ(t6#=êåV§¨øBKFôJ‹„vÍCВü­gúLjvbÜ7ÕôF™„[.èɞ1„øVï}ÂóǕ9Ì]¸û†§é¡X×+ô\§1€¬6ú$mu܃t˜=,8pA1QÌNu¶Ö…ôD/°à¡ r?Ū-ŸÑîá&릊˜ÅöHƒÔ’Øx¡ ^ù‹K[FÆe‡ÚØû6÷#sn…@© “=Ö‡M·—ùæügŠÓ‘U…tL9$îšþ!§ãC!Ö«2tE&›•ÄM½·è‰{TîMe¤na9Ь«ÆߣÏÂé®6\D…I~µÒ(¼¬¦,pÝ]j/·6«,\Ï­Šc*-~iÔ<¸Ú,Ô2©0ÈfíǺcY…7° é¹É…§‚.®\3N¨sÏ7Lœ(€w¬XÙÜ+÷l‹ ð•·$±l{Ÿÿ}ã}.Ð"ÑÔ9Ec›.:Ձ -¤ê¸‡g¿ Õ½†ÇËßí]kìjÜù?e¬“e5H º£Æ,q¾Æì3zñµXk)p…«ˆÄkrK‡{ßiT±P¢”O×Õ«ÔM¬¸,p¶0p -¾Õx;xŽM„}ÌÅȺéf‚øL¶Ãpr6Ë(ÔTà£'Žãáܖ½‰Læ‰=¼’cÉDÛ­¡“â-‚¶:àž k„Τ/ýjº‰/®ÙɊaÑ¡&©£Î•4#¨–͸Òڋ¦b-ùÜu¸ò]ΚÊi^-6Š¹ÇºCè×Êu} M={ ØÁj"¹/¶Îž\].¼ÜkYèä$U6“ B¤l÷Jß"bÈÊ";„Fuj§&0$¼ò/Äé»c†È́kñéP/¾I”³,[R!&À$µ'¾?Á¥1Öaи¡€f(9 ÿ&œÐò -EɍÃc9²ÎÄS‡õ(.&{>AY›uS)/âȈ†óôi‰‹V<èXÞl˾)jÊ22ø~ÁU؆ҰfNmi%:iš~Vò]moòãªkYÞB5òûõêÏ4º8Tq$1òUé¼y§lP6Ö_ó½c^yÝø}·øš£”™ãD6­Ûˇ=Sœ/ƒ‡ªKȶº ‹áÆ#JŒ0âüØoÛÖmf¼9ŽýS&çùÍ:\Ã<ä¢B©"H{f¢y®«Ÿ· d¶uzýØüøD…ŸbÝØ/”¿"ΦU_³µ/!0?ٔÌa£zêÙëDÔH¿îBqi›i–Œ`HËöCŤÇLéòñK'oùºæ…–à@(ê×-[„rh–H~BV´Ü4è¡@O€h‚œ±¢¶—ÛÛ/f¦¨–‚p[—È"„ÇzúQòüÐ;­­äš/èN@öµÇ¶æwÒ$é;ÉYP›:r=Ñï9„EÿBx'aËdzI–ᵇ^ÕTä摨 ¬-Xœ¨ðoOòW<[z9sá›p ß:—¾Ûl~(æ„B²b ø>KƒSÐþ2•ŒûĚåêx꼄JýX§;{B v - -¥&ôÙÝxK”ætªü«*Ã}Eñ($ kbAk² -Íï!VS@ù¯b;8 ~‡ÛUgžƒ¥ÎŸ“ µ~ÑÆìåÔú<Ž}¸K­¾jﮣj„Þ²’ççIYBÀõðœ{ûZ„Ì¿ Q>3¬ -®Ã±U ,m;Œê*§Éáèï 7‚§¯¨»×¹n[¡Óˆè¶bÌž þ$”ŸÏid÷cvXqh@ú‚DmÛâÄWÅèôsÃù£í«Ó: -kÅAž—v|étå@òó0´U]¼Y¨ß©ðYôsÚ÷/þGûôý…ã8pÜÂÙqöÞÎ&ãì¬d22Îv!ãrÙÊ9#3ûçÌtÙºÌã"{dd¼…Ì>ßÿáûÛçñyýÏß^Ñð%¥Õ“ó/½Þx+¢ç«À:C_j=ä ¦DÅÈÖë8ÍT\Ln Íæ¹°†DŽ%‘ÍÐL÷ʵûYÈSEkþý÷•,¨8=ñt³Ô‰¦EP&§!ÉIÆ ÿ:ÚËítüF kû!®9:<ÚMÂÀŒOÅEàg€R&Ö¿_n›âT˝1ê ¾ç·Ÿ[~òTýpD÷ni³Y3Àܖês¨½”‹‹Ôñõz–bÚzÍísÃú ëgša9ZlÈê_֍mO‡çH¦ª­Çʬû%!#Ÿ£”ªÂ÷¾Ù¨ÙÈՕë˝Àå¾$1 ¹—bT!PÅÚhº¡Îî^Ԉ6ëáÐr‡Ý£=e[]t×w“ãŠóùzmæE DƒL%½ó\}°¡·¬ÿ 
å„|;®–ÚRÑX -3ŸÖrÿFíöJÞL–¿8ÁϘ/»«Ð,!DDžî<ÆiÊOµSٔñ£ÝT²ǑN#èxîj«»åuûoñ:Þ֧׹‹»ÄózF꒽Tõœý -˜‰âüÝTRŠ‡ì¶NòØ]Æ_Ӕi¬ŽŸ_úú‘Å‚¼K‚ΆÇSIÊe°µ{ˆ×Xsë(ÛÜT+ö®ë^º -+ •QͲƒâ„Þ˜Ò¸.É Ôï­]Wpü½¯vëùëBåP•®ðDÐ8©ôNr°z¼‡ïæìñ6ù]“ó ˜Õ¥™ß‡ÄÂ9.æw™þÐ˜ÝºÓ -…%lÜOÍßc†ó‰é4Ü´Ê0Kñ•ªA[lØAuâÂØáÑÂ÷>DÙÇ+ø³ûôëófÔÈóÖ)ñÄIw‹ªè×J#4RH΋‘¯¤ÐÛCé_ネņkŒKº·mWfö/… <å"èq:”$±öñå”M¸уÜVý*Ž¼ù餱Î- ÎcH“í`ן,¬ùô­O­@ ™˜À­Ò„rÖ:«Í·䗈•Ö’"îJìK4åäNϲN^U©çuÃ̼ß!¿|gbTM‡H³™¢" 1WK‹pr)*Ó:ô}øù&X}¿³¼åð¡øúùDʒ‰‰à†£/ÿ©“€óD-z°,¢L“4G{¨îwNÍÌħ[¡™õ¿”_h\'ÃJ€ôZˆþøñÑ°ÖÑT h…¤/ˆ)«Ìbð‡Ëڈ··XìÚù‡®[ۀØy†ÚG‚¹’I` õzàž±ŒÑ-¼B—&atü~­Ï `€‡jçyò‰ªqýÌ÷>%ÒÚµgŽþ*øôé§Q ?§@Û¼ ÉÂmz=)”§[ðiª YêªóÚ -Ã磵E˜±Ÿºùxünôqb ßd˜[<ÇfÎ@ߤ»Pª p§vŠ,à ÈY·“›Úˆg”þ½#©Ø¦”üëÈ`…>—âI¼¤®;p»ï“‚ºúÈޘÔm}*Ð÷î7zžôCDuQÒé”c§„Ë/οcÖ”N~?¾¨À¦Œâ~ Ò®QR__èeýrå(ð6ù_²â²­B‘õy耣½ñ,º‡Í|«AvfjlP9|!á&؎\½{j7{sHáûæ÷— cýpŠU/Ï5‡k˜ vx°£ºCY‡D¹>Ãcû§&ጂÂCÛÈ{Ó¯¹ˆ{'1Ýçy¸ìr•€NéB6ºC«>»•k§ ±7=Ô ˆ•prhlGŒÃÆ>RÑþ9Aê>(Sgãr[‡¿Wþ(g‘ñrn.J½«#¸ì¡7Â{¥™þ \ï¢:'¥&¾sÏÛn±^Z(¦¢âë˜ ¯ÏaY•3Žšpz”þœºYŒ77_,é™%¤ŒXú kúæ>zDžd͇tud®£ûNÜ4ÇÿDÕ<›­¿V;°ž½_¤ÑhBҞ¦Wå:OOF§ò¾ÚV}Þ÷—õø³»jór½2¥í™«ÍÂ9öÞ’Lܙ¡fÕiM yƈ¿B#Yѹ˜‘{BÂä_xܲª÷HÛÎdQ ö »ã9å״ܺúTŒE{O`±9I:Øq;š›9Öp7DzÉë:£Ì²”­´|d{¹á-ð†9–O‰X6GK›4’G§k…X90–”¥DªãN·5š¢øK 蔁0U-VâË\fKÙÂM‰%VNý -@¤õÃo_U¡;¤¢æªe?Z*½¿ÚOæËͦcZ¢6zÓ*î2FFi oPdö]ã UýöÜNr‰—ù֛¯s“_̀«ÐêõÉ?º,å)}¬å„ ÁñÍ®Qñ~®8Ü_®ö?DR>…£b{m㔿/£HŽç,Û»MEr2ï©Åèg(ãw„†Ó¤,DûJ.pW£?W؃ð›'HÂMcՋ~[5 j´iÝ "£õëÈbýN¿”òà–`˜ä§×ÛəÍeÒԓÇ먄lŸyú¿ýw¬ª±›ä»~¤J!“A=ÐÐé8êâ N1&ƒ¨8#vŠ:ÚQ™¡ù 0 RÛ¤T(þ×ût„Í$þbwF˜ß® 7)ÒZ¥ëî±´X¾;dãQ¡ÅC…sNÏڑ!jCù‚#XÎäüÃ_Ä÷ -€mK1”£»ãß:¹Õ˜z_#å *’Ðs,b½“o&‰ð]ÎÎì†Ò¬¦{˜±ãxÂZ©–\å.ÉÉq™5í—]Í_ãÓ~w X~˜½UÖ"bg¬%̗ÊÉbÙ¶Õ¾VÂ3a¾$þ—ì!íL;ENLãÖ[µô(ÁzŠþÐÞ :\¦oŽìÿÞÉðdþÌn¤j’Pïn‰“Ì{:}*PDvŸw*[ð@9‚»pR¸ÿ͋°E²(oh~÷ƒ¸hk充Dۖ‡[ÒÆ¥o֙ziUèɉ±-Ïòk^Mï•ôÌ,öêf¬”ñx” ŸGS6 »æÐ>²+5Xە½åfìÔm·ë×®þv*¦Øp ëÔ,ÆêWàÅ{+"‹ÜV¦Å—iÂÿÆ6ë,Y¶ÍSßl£ÐãìÖH”þœÙ¶‚;»£:Jb†öÿcÂ2üâ' í½dn”»†õ¥ÂJz]è°^kSâ…v‡Æ¤>fÊýQ̒Ñ飺˜N•½º%ÞAäÙiÁO…Ûoñ­¢/ÝvٟHMpÿdÓ.š8yиæâ<·ûÌTêüÈÏöé]øÝYØzÔ0óYJöÊVêôøÿ¦/=¢W"ýÓ:C衁Êà^+ósZ…íôqÜvOø$ÕiÚøVýq${zìxŽÊ«Q‘c²ârÞQ¨Uz™F`Ô4ùjþ1gæ\xEŠ „ûɘÄEÕ¬«‰~*U;³Ù ¿É› -Ô0a¸­¦û[ßÅräÛ%Ó\qŸž]£÷Àëð|O-Fêkދ³€'‰Qö.ÊÂTqëÚĵ¦Îš)RžcÀ¾ôßØDã“V¶¢Ååž5yÔL 
ùR„wOƒùͳ¬¯ãƲ¹ûx¥óuj2a™ dêMèaÁxö³]&e9õ};ªÄqÜm–íʳì $j´’V¢_yŸ¹6€W 3‚èíRõÑ¹c§EsšN1}œÇ‹”Çžácž!\°­1£,,ᄬ¨\XMԐ›ÖÁ€Dʟ&ë«~9F=Þ'KJk®©YGŽ¿¸éí s¬z֏ÃÔcü„Xnú°à¬KNT‡E}Í®¶ˆjYMr5†Ò™NgeƒËÝ Ë ªòÒ •õ¼š3÷1¨vypæËj6µ}åI_ói­EÅÎq¸'½ šþñ+„žb2ä÷R…‚¶~UÞci„eù‹Pz©k!ïÊ×2oˆáûv)³!> ­ZJ®‰ÙGj]ÙîWðH:‘”·Y«äMŽ˜‚Ïéì©qîmuëO#/3K®ÈíöiEpë×3䇁ÔO@â0¡á‹5!³ÑŒ¯ Ü8ßï;*UbÊS”ßÖq—2,Â#h=ÕM x'üÁROª…ÙB!É<Áq ݘ87¥3üB$ò:ÿÕzÆOE:óP¶%õŠkÄ´{@æÿíÿ€ÿ -ÀÝÏói<ÐÿiŒö? ͪ¾endstream -endobj -618 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1336 0 R -/FirstChar 2 -/LastChar 151 -/Widths 1347 0 R -/BaseFont /VGVTRI+URWPalladioL-Ital -/FontDescriptor 616 0 R ->> endobj -616 0 obj << -/Ascent 722 -/CapHeight 693 -/Descent -261 -/FontName /VGVTRI+URWPalladioL-Ital -/ItalicAngle -9.5 -/StemV 78 -/XHeight 482 -/FontBBox [-170 -305 1010 941] -/Flags 4 -/CharSet (/fi/parenleft/parenright/comma/hyphen/period/one/two/three/four/five/six/seven/eight/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash) -/FontFile 617 0 R ->> endobj -1347 0 obj -[528 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 0 0 500 500 500 500 500 500 500 500 0 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 0 944 722 0 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ] -endobj -607 0 obj << -/Length1 862 -/Length2 1251 -/Length3 532 -/Length 1862 -/Filter /FlateDecode ->> -stream -xÚíUkTgnõJÀ+ŀ€¸T -æ2M°hZ 䢘ʐLÈ@’I¢ TpE *TEJ+¥õ‚.R.+ -ž -rÓ(˜€`E.º¢î€zìڟ»¿öì̟yŸçùÞï™çýÎùœxA$–„}Q™‚’A&àã´¤ ™JpròÁ`H ²õf §'°”QH¨ &Ê¤3N€«Æ(±pöùdFÄXRC ð‡bXŠ÷@  °BMX 8³BÂrÛ É„ˆ@DÂQˆŒ@™qđ‰P€ñ -*cßP;`LŽ›œq“Ÿ¸E!*“¨!,"PP|/wòß0õns_¥DIgÚϦô’"õk*U*` ðG…0&{W -¿2ç ¥ô]–£€$ˆ€%‹’À t'SÝè¯D`!QĀ’ÈáY– ßµ‚Ç7k„ -憆¸¾žë,Ƀ™b³:¨oÕ³5ø¶ÆSÂN%S© .Äß7_üw6ûL&@…ˆ, - Ñ=à 5?AxE@‘ a«pDz UàK<š]€Å3c݊ÁX035Å ûŠ ”H+͔« 
›V=O¹±dz®ë±]½^4uâw•gゑP]J‚§E`TÁåC‹?ÝhX÷B\ôpIBºvà(›˜² ü–aŽÁxÀ.–yK˯&×É<ñkÀÚ#úô´éˊú/ÕU¬ )ä45ÞaìY4Yÿ,ÅÙðMNÏq®}I÷óc•{Å@‰±¸÷ŠbUY¯œ5iˆ)ýôhrmk¯wª]™_[œ =O͹_Š–„5¹[”K:NË;ÁñvÍçjù×ÿžá½³}Áč›pƅ#ša?ÜÓnËm¾eC–MÏÏ ×5^òŽîg]4SFJšMz®ÙZÏI[C ³L'Ü¥ ùYü‘ŽâUÖ¶ òì6PD’pblý4ñ>ýÎäòM}#ó˜¬¢úm©î~TÂq‡¾Žßn Ÿ7ôsw£µ¡¦fû¶ö´ÐD?Ç©UúAýãÅkZ:H{×æqïqöuÎö;hÒ3¥5››Zž(l¾àŽ%mQvîÊ 4é҈‹çGtTˆÞ³ þ‡áÿ þ'àW7„)P)„ÅþE¥þ}endstream -endobj -608 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1348 0 R -/FirstChar 13 -/LastChar 110 -/Widths 1349 0 R -/BaseFont /VAUOWV+CMSY10 -/FontDescriptor 606 0 R ->> endobj -606 0 obj << -/Ascent 750 -/CapHeight 683 -/Descent -194 -/FontName /VAUOWV+CMSY10 -/ItalicAngle -14.035 -/StemV 85 -/XHeight 431 -/FontBBox [-29 -960 1116 775] -/Flags 4 -/CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash) -/FontFile 607 0 R ->> endobj -1349 0 obj -[1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ] -endobj -1348 0 obj << -/Type /Encoding -/Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef] ->> endobj -599 0 obj << -/Length1 1616 -/Length2 24746 -/Length3 532 -/Length 25639 -/Filter /FlateDecode ->> -stream -xÚ¬ºSek´&š•¶Í•¶mÛ¶mÛvf¥mÛf¥mVªÒ¶}kïÓ§OÇé~êÛ3bþßÀ7þ±VLRBeZA{#S1{;ZF:.€ª’º‚¡¡‰¥½ ­’½­!௘š”TØÉÔÐÅÒÞNÄÐŔ  nj1501999¡IÂöžN–æ.Š¿”ÔÔ4ÿ%ùÇ`äùŸš¿žÎ–æv²¿/n¦6ö¶¦v.!þ¯•MM.¦3KS€°¼‚¦¤œ8€B\N njgêdhPp5²±4ÈX›Ú9›RÌì6ÿqÛۙXþSš3Ý_,Ag€!ÀÙÁÔØò¯›©‡±©Ã?*€ƒ©“­¥³óßw€¥3ÀÜÉÐÎåo\ì–vÆ6®&ÿ$ðWnfÿoBNö-lÿêþ‚)Ø;»8;Y:¸þFUû<], ]þ‰ílùW °7ûkiboìúOIÿêþÂüÕºZÚ9\L=\þ‰ed -0±tv°1ôüû/˜ƒ“å¿i¸:[ڙÿW4'SsC'Sgç¿0±ÿéÎÕ ø_ª7tp°ñü×Ûþ_«ÿ™ƒ¥‹³©4#ÓߘÆ.c›[ÚAÓÿ3*’vföF†ÿ›¸:ü§ÎÍÔéßQü33”“04±·³ñ˜˜šAÓËÙ»ü  ø¿c™îÿÉÿ(þBðÿzÿÿ‘ûß9ú_.ñÿßûüß¡Å\mlä mMÿuüçŽÈþY2vÿ›µ¡­¥çÿÉþ¿[ª›þG’ÿGIÿ­´3ÿKÃ-Å,=LM,]Œ-f†6ûô¯\ÕÎÄÔÉÆÒÎô/Ÿÿ¶@ËÈÀðßt*–ÆÖvÿ4žõ?T¦v&ÿ=÷¿ý›9½–²ˆ¼° 
-õÿ¾SÿµSø˽‹Š§ÃßÔþG)²ö&ÿóðŠ½À›–‘ @ËÄÁü÷Ê118Y˜}ÿÿbü¯³¬¡‹“¥@ûoÙ Œÿÿ?žÿ:éþ7Q;c{“¦EÙÅÐÎäï€ýOÁ?jcW'§¿¼þ{çÿýŸçGÝÔÔÃÔz}Åޘ;Ä*=+Ã¥#odJD{ Ÿd$Ô¡¬I¥¸0 Ö¾Ï?=âg•ÁG](]ó ×W‡çò™ÃçÕáX?º y_ªéU®/1å¯B¤-².vêà z½2¸Œsõïë%™P-6µÃÝ)E%½Òp¼™.f'ÈëgÊb·ÂT’'x?ã´Æx´nÄf äú¢³s²¤“ç'ò¡ñёá¾[°_8Ô¹ñP¤Ün pdÑŽ¹8üZª•¢Õmjí{}ÚìF~b¿?¥ä]°C³ZžWGýG+S¯¬ÆyÀ'‚²¿÷i5G¶ú¸m¦txS7ÃæPÃo¢Z-žÔ¦×âÚÑk·ðßÄoP¿5ã<Æ=v0_ž ÔYqÆ­%~hÝýÉåc P>U:­`ï½züôTSÓö{¿4NKªeu„0Š¿m$æõü‹â êóT•EÖQaQe®ÿ²%Jg‡õPÁ÷ø½Ìçƒm˜•@¨õ‡ôÍPç#ó·ˆkûy6¯e§‹ÕÜT%hÁÁ:Ø¿Ä%Ð*âwâ§Ç­±ÆYHa\üëu*¡‰ËäWGy‘ýÆ÷:â|“J*”•Cö8 -å< (&.ÕÃè25)hTbp§bâßVv*—èTï/o;eÚ0&±º¥Œ¤8FOX5Éávדñ9Ė ªA àÊü·Sog´ mY²mÄl?dEŠL0ç…ÿœæ¿Ô¸Å¤ÍÙl\Ֆlfñm³lvÑ+bžþTê¢Jd‚þâ•*®%ß^÷%Mzú,yGºð¢È¨Nð,-’ Ó`ʐᮠ؝'J˜Kn árËÏÅ%?ÙÜ\óÿâÞõý#„-îÌC½Jœn)„¦Á‚…`ªXS“.ôR°ßµPË,Ñ?Ž™·w©&|!Ž|Õfœ9p-¡BÝ՟—þBЁ9’ÐÇ1#Äـ‹ —i&®¼Úß= Ғ—cú²LcDvØ·÷GüS >*²)œ&ü9?·»b“Ä);âxˆðpÆò÷«AtãSZøx®Ñ‘k˜Í˜û°3!‰¨M$nò…4¯k< ±ÅÛGw¢­šÁ©uš`›n] `ð½Vύ.q>Á¦d¯ëžÏAd@rwir?¤ûQ·éEÐ#¦7,Ký[y¶»}å5:}¡\ƒOÆ͵z4«[®×2KO­z¹ÝBr•§§N— …ÛM♊»0xÒ]¿[•ƒf—<#’¼uë9ÿŠT1~¤+.ïwù.ŸB➥^I첗Üv–•à…=rÿ­¼ÆIçcLª¨+ÚTŽÐ©f{ëøoyHëu2ÊØhڟcJxPå]âÌW0¿§YוÀLð³ÆÀ´È µ4€£Šô2ÀWO#ÛüIiv%R‘,rØìk$™Ž.ëì c❡´åj›ß\!†¨ª—ÌoéšÈ¼á¤Ž \(ù jv rx±1½gòaÐr_ù¦Âðõéhyô¸ñ -Xf’W9wðc -æl®Ù¥èÝ}£AIS ˜çèÕeCkCh Õ":Êâ$nOn‰²î¬ü›T1†õPXÅÎȂ«HÍ¤» "ä ‹?gìé8ék@Mdùi¿ÖšB\µôÁ͕#з4͝÷–ç¹tԂ©±* ×£+!·_§ -¶Ãp¿I~!½æÀV(®Ž·SXF|3Áq‚åh½Ím~Û Xã3w™úN# ’ L>¯·åíF½Ì½3H/L2A$D†—„çYw2ýä•_M„çi­-cp\¸“ƒk=प4çÙqUÏ^™ÔÉþD?Ǐ›ýCúö±¨-/pØ<'ž³”Ù‚äžûa‰¶ÀâÝPÿ]ßÂcÛìË~úsph -D$¹\¨ q ìk[; $å;£W­>wFc)F%‚WF)ˆWJd½‚L›Me©F}qyY÷×¾+¼¸ç³óVRhɔ¶Úþ¥¸â¤Æs¬[¶ÈªCŠ"ÔÛÒº:-«J™$ -&ÿ%hr½ÚoçLá3ï³°4:®ò¨ç“ë°×6pvh‘«F€Å*±‰ƒTêœWÏÁ ¼ÕÆÆ#®’Š,§~Õ\ÀoØ5¸Øgk¼ÁÐ<7dYiÕʦ|¹ªROØò5z&< Hú½Ü”B(îwâšÕÃp”Õ†A§êžé¯h’ªZÛeÃÓ¦{äÛ«¢ù}Ë÷ r8±PȈ½WhPÁîŒ ËŸ"=°:³zã>ÖP¼ þ-´mÆfX´ädÄòt´ÊD©Ÿx‚Ìr†u¥‰çP;õj ÓzužØ¼ô¦F "YµŠ†'–$Y5häâ<<ÄËaÚ![.)ýâfÙL¯s¡Føǘ…ÌÍ þ-KJþÎ~Þ(™Ø™ôi.xˆÚ’øÓcºTQ[ CN^|*TOû;¨:ãEò–Nږ.›$Çòþõéº=òR€ÙDg1´¡øk¥Œ-ûÑñڔc šc²» ˜Ç:Øз‰ôœp¸Â®²:±÷Î PâiÈÅ´Vý Û9*k c-J|ý#$ e öy6?ãgٗšNÝÌaÅó3Z×iÑF?$‡Kd4Š:?\ôp¥ðYvŽRp¾_Ñ#Õaä–!/ ‰é6ã˜7(LáöÏj¾ŒÍ­†/Cz=ôõ7WxR„àQrGÈ(/èñ¼ßômãˆ9¶À{‹Âi’©±•f~õhi5ÄRX`²\ãYq ¥.ܦ|ÌFŒÅ6YڄÊõiSXI?ùêT• ú×~ͨrl„Rü°±SÆñŸ3„@]½[ώýõ~_Œ 
r*Œ~Ûp’°7™õÇ2-û±ˆT¬8Ug>^-š=´é5Ö_¯¡oU,Žr¦õWÙª¯1Çû: Ã÷°ÝQÀ°‹klRW&Àüq-î¿\bú›!@ïÞP[þ!0¹ºQ°‚7hh`ª1 ½å4 èÉ_}~Ýz——7u~+ À¤ãTÏ91ê‘m] Ûoq¦p´#­!ÓÒ¤20 f9–ºHŒÎ¬¡)[!ˆƒ‘‹m -3ï•r¤Ü×\¹û Hj±Z9ôۚWò0R1öë<üëJÃBU²æ©6.Èj¯¥SB?ú%ig-š ô" Ózõg- -»µmF È÷06úgûFíÊ%;'iòºó°0`Í0“s*aÙ¨6 xcAˆðÄW»Û_‡’è{õÖ¬þÔЅ1‰’6j† -­ñJñ¶LöP£4R'Ç¡rkuÌ [Xñ1H'°à‘ñ£Û¤Ÿ"‘m¼LÐAÈ{~íë£Q§³Î•‡\%"ÞÔn¿ƒKZÖÕxKiߣƒEÁÅ-\´!ˆ|’ w§©ÊB> -âœ]qO%¦Ÿ™¼^–ÖiÆ¡²Þ-ËÔHZr«ûÿq£ýº‹)CÁn‰ð²Ìf„J¸W¿ÍÕRýýâk[f5*ÂÎKýB É{œläã]» ÄTdõô1€Oë#Š’<‰p²…)Œ™Í©—ÍcL æãà%–´§’ˆ»{™.²=2ôr-*ýk» -éæÉçz¸ùëS%¸ªB(\ɤP›<î‚jßuäF4gºË »©_}VÞoJ ¶Œ[†óOLÊaYë)¨vZÏÛR"ó†ôµ4¥%)eÈöüDÁ¥‚˜û ;Ïhúg(—óÏ>’Å“àýßYÝó±‹<¾l¨1y-i•éö`ãx­3ú Ø_š±ÚúÖí÷‚ï…(F·01æ?_y­|P.Êd<¹91†Î…9ÓÜVô¡ms"jHÒ+fkµnäPBüdI 1†ݗxiµÿ„ík#vý$b{ÙVv)+W¦dŽò™Œ“Û‘VöJd•UþހôÓŠè7V!KC.Pw¶‘ÙðNF/å󴞜0ºøÖCýÑ4söûÒcÂâ©Bü9+ןxDå>÷Ü%÷LèÐäpï2…âÌ2Ka .ÉfϚ=Þmi'ªn#Ú7}@G™?õ -íY»7üTç¶Ù®©´!È©»5ad&- 5ìÜ° +@ô«³RbHïÚƾñäuò±›¿T¤;§Ñjܟ]q¸Kïê¥]6ýT½µ‰ù¦P°u"ÌÝ*p¯œ]D ÜZHÆ@Ð^Ä/x"sRCšSÊxVéûdzJãâeG»ÍwQE£5·ÕZ…X,ö²IÒ;ö]¦M~­ˆÏž˜0sßgµk¥Š~@ ëó øœt]­+ -J9¦êhÉ[Aºª¿é0C»òc²œ=µfÞš]E©I@˜üuŽomÏ z£ Í¥#¨Ûw+iu” 0Ðo÷Ìí,ŠFi=«ï`ÈB£Ú‰­€a¸³ÄEnfYQ‡íÎ3ZCr#¿RŠÖþ4G—-Å°§Ôr%ø¹‡WC‚ -v<Ò„O·Â¸‘óÓ¼”I ÿ´õ™6ŸÜ(Œ¡ˆ|lc`k։àøûÅ1õ”¾JK¾àÕ¶e8KœÛBTÿíü  ”«>ÏüoD2‚‰Žtý¯üW ßéZFTJ -ú=úCÓÜYMÑÕÇÓ#J$ø_Ò¶jRbqš©Ÿc¶ G2Aê£ü/-Öt³/?¶Mº½´¯’yÖØg½h -¯ìØEV‹¤uíw üԗì{’ZÞ䢜çtÒU'àÃùº'à(>€µÏHUo-XY¾tCßNƒÿ4Éh³GoWøíntOï ¬°nû‚½—W´²éÝÌ[¤´*KQݕ_ŠFãLX¥hš|=Ú«nµ;)Ú^Ûי¯ÏÖÙY ”ðæŒÌ˜vK€„ BUfC›ŠA…>¢.¬¶Á_BÅ13Á¢ñ-=Ÿ?£ n¦€!ܰ°›&re€Õð$åŒKúÔx`:—=T"Ðu¢ö­TL'ë;õ¦üĐsÂxë9"§¥PicRQ#‹;М|§°lèö„¨jÂÓSdÎqSdÒB¢´ŸdƘ4I{r¹ëKºÿ($ɍɝ¯cºVUÉj˜3>…2==LN§p\zNO¼cð“6nX ‰·nLLgŸòåÜÖLh•ÒþÅnÞÆèÙÂÈâªôŠ«½ -Ò\¨4›± “ÙHIB™4ÍÀ4ÄÍ\Üidfùæý„³Ù••çÆLYmýNYv ž«:ÿË Øg$e*#åÕa>zљçüƒä*:Šêþ7yl‰@,‚~¢X~cþžúÌx}tÚ´¢ºîÉàÄیcšž+ÊšÝoŠúÆßÉ®‹¢Äñl…ÀD0N°E·¼C´N¨, –t3‡H±aÓpÒ¯a%é 3L„’¾— (¥¹¦H„»mÏM,§ðX© i  «›dý  îÏãAugUd=-– þ‘ýkٟÉù_‚ЋÜøæuÂ,ªëöW³b°/ô l£³'ÛJÒIœ(\c º¡ýkC!7¸Ëtä­¡Ã+Š•~O÷]IiÖΠ›éP?áSñÀì®sð~̐Ïý1¥âŒþVÿ~@à¨sÍÄô·ð³¤³ªˆkSGÄߧðY”X3GB„ üIj5ÓÎ2\J5ÍIÚáŸwÀ¥7ó>MÅÒð‹¼”%¤½÷Xu´tYð"wàK±>,Ö5:™Í œ'ÓûÊ Éïš$šPéÅ™emÕaÎh7‚¶»<ö]Çc6Ô}Ñ „yی×áF¶º…[`w$ù#¼FcÛ·âû²XG5wžâé[ Ǿ§Þ€ømõ §Q¼JfÐ2hÒPÙ+š%t 
q“àk Ó.Ói¥4ôޔ³·P<» Чã'*€¯îËþ””ìôzÚðԅÿ$Äâ¿"lTœÜÝA‘ãê…älOaW”æi‘?û Иñ2Z‘6Ü°7…úZê|Ôü9—Í#ˆ‡YE Bs þãÍ[ã)YVîUu佔Åõ³κ(Ð{D¾ÿe»1i™ëã1­Öu®|ã\®@sW12ïz·mL½+O$;Œä¾mÉu…™ÏXF?y­ ]¼„a×7f(üÙþזÛTÒ¢äÃùݺî҉èhî`(\Äƾ´5–$ ð²ïOÖ*µóŸËÎñÆö0àE…guÉ؅ -‰Ë2„ҝ,Å>Ô@BCRÑ;ueAíßÑN06»Øa¶Uy Ì;N.£ýÜõ¤4«%ræ›Õª6£eŒÔ:³WãQ2“b.[o Á!ñÀv è2¦ïü¸à|ƒ^TX§^Ã/¨ã*ÂÒ+pÙR.x¢d½tFšòo˜šÇÄ_°¿#Ö=£÷#ªÒ›»"ž/×ïͬävUÅ­oÈÃê`WI3wï[õ<;,¹X¬š£}y¨^%±¤õ©5µˆ]ôO®ej¯¯·a"­›LáÜ]¿Ä8ÀnÕ¨dà©PÏ[œ¢Auï9]m´~sÀŒË󰏬&¹¬Ú{Éóû™¥‚4£¡GÜë µxôár‚î¸)üX*î û’™ãì’ žÜëصåY—Áûp.µ0E«bŠ v[Ów'I7[­…ÑFut°ÂÂ,åƒp¡Oô×ÅäX_⹓SÔ;¹!—ƒA‚ «rí‘<îc{<'Uù¿H½ògÓe -oBší=Ñ¢KÓ·\ôV×±õŒ!ªEö¯î÷Ì«ŽŸ¥ÇýEWՒ±mB¹_Š$X ¢Jª‘$⏨YL¿¸¶’Æ‚'¯ä½,ê¦'ÈnÃáå¨X¸Y;x*J_gÀåÂíìd²p\b’&“—®p×îšêà¬ì?í9{•¦,žýߟh-ã£ÙâYutX -–Òê¸e$ö$®á-MÖFÅØ…ÝëöýJ|Kü„#?¥®¤ìÈ#‚!Óp'v%`qÊ!žÀy‹œnäÎçN—/+‹.Ì"¬ã@Љ­¢•ým·a•µ‰RÙD9oe É ¤› iHÉVb¿†Ï")Pê`ò]^€Æ¶T®†˜¿†§†- §ÅÛÖÁ Oó³þŒåeFXƒ$ÊS¸Ÿ¯÷kŽŠò͙fL¢˜šëʲF‘9‚‰_«õï+ʋ\™¿¢úƒª¸QÏís‘ʲH§µÈ=Ɏ±ÿˆ `# -”—¦e•>KDØ£8ë<^=\üH93Ñ2W‡¡aàÚÃÉø\þAݪˆøZä¨"ú<¦å­O±gVV­S´je먌(“ïް¸6EPÀf­ßÁ×zÍ°Ÿ©/†¥eÝ鳨7µ‹&‹öŠôºG2agD±ˆÀ|6Àí 9s ö¦€Ý1c`¼×멘îªÙHv-Ë3ðîߋáü«ACrÔǚ¼^=YãZ¨ÐzT]'¹Û‚MÏì™ÓbÑÚØ»-Ó®1eZ.Ò+£¦ä5Ú×#í7h¿Øþµ.'ÏŸMï°òR¢ÔÂÅ+oê·ûåþhMí_W6"u¦ +&V“‚…ÞWÑ0{‚!ýÓ2üqô¨_š?Yob|_‡™ŠA«¼ƒKµËà<¾í¿oD÷"é†dÃåv©ùÑøŒ¿ ´Â§¸“ ÁO?%cÅùoÑÞK«›àc¾ƒLÀùKè:+y7H³àÉ×ÊuЪhCtd8ü;|£ðÐÐT/Ô2,uÉz˜}ôÚP8ºø~úàµL˜î¥1XӅçE'9ìQWKöu@a2ø -}zˆ‹Àœë D1ÝÆ54­º +²ZW™jEá&+jJ”Nr·°ˆZNj“Ût³ÅDwû+gõ(ê¦ÎáߪYð]p‚'fNùä“#É™’UŠÉ }¯Û))âO]¨Üõ -·. ';A^… ?Aǵä(_F%XybS¶Öiî™y6]_¤¹¢ÅBe¦â:æc§Ø騋vÁ„äܦæû_©×µ)¦beÿø×/*㚁"m#æݹ©ÅóS)x äÝTßBã<óê´0î âqe h´>ëj™­ÌWDOÆÉa†³üKã›jLLŸL" -¼ÁjõŒ8^–ScŽ…O¥–"};J¸„1 8—šP£íÝFÁ[²òéMÊqT,ø®}«ó³1YQ͋ã$ð'ˆ[_ÜÚ üÄÜ¥l˜VX)¯4’ÍҌÜ)%èyjµý0Oê¼-ª ÄˆÈ¶wÕ:¢¢diËƇmZ·]„ûòB-½_ëd“8¡4Û=ѴúK(÷ãô×Ú±Žÿ!>:*ÒHˆÙÂWæŽ!B¸ýË!Aȱò‡âGù¸8íÃqWA‚?×Éb%˜$1£€8:&ëg‘%PöŸXû—±Á¬ì˜%þS¹KT;½k·¢sq,yS‰ïŠ¢Çߚ?˜TM~þû×1z€l¦=sÂvÙ$ÙRñ s¡û§}Lz½´ç„UüCÉê¥2Ÿ&bŒ*tÛKLèÄôýd³…:©oñI†¥cWX։dÐÍϔ§ØѤÜÀuóü¨ìè¬$÷ð¾s¿÷d»ûËó0ߟ Zìè¦LwÐ4#Š¬ˆßó¢,c܊˩ä&?â -øE«µÉØó Ê\Þ°f¼Ê쾑²3‚ ü׬؅é+±&—€q ¼¤§Ù:ª²³ \²ü™ýIݦ³e.©ÍìLO%T£{èeEvqÂêµ1l3n,!ŽÎZˆâÚÄØS%"øêÔ  Ð‹Ÿ;Öl 
F˟\ŽJ±²k.ß˜µ¯ì*œo»±ÊTŸgº?²"6ì$~¢÷™n¸…>¨º²¡ë›=gs_÷ÎnÀÀ‰AÓU´E^ºšZlj5¤¤7îîSÉÐ ¨ Çõ¶OÈäQµ¸t)HDúîj)ÝÇí­&-Íb[ prG¦ڂŸ‰E%¸/8ø Ôã;DÁ·-Ý^-,[äxÆd°¸HÃØb…ÁQFK¦…ßH—ULñm¼N#–…¨ð›Eá²5éÖ¿?1½Ò‡¡¼î“] þ–ø¥sŠÿd2¸.ä=æ†L?Ë l¦ÚŽºðÚ¶L÷YV._’)”Ñ9öÀ(#ž¤pi/Òb;¦= cèªÙq±î Ü=xº!ËN,‹i›(ׁY©gtX¤ @¡€›D|Y]'(Ý?¾Å{Dj²®½VÌË¿»[‚}KaO rI¯ WðJ-›º!H§¿õĪÛ=ûlóHW͕„5lHÏ˦‹ëá¥ld7lèéøXì2Þvç ÂòÔêOµ–áu–hrî§ûâü|½t\:@KWEÚÓÓ{$Záû¸ZAGêŽkèþ>#gû1B ‘i!±Wœæ¢Žå -jGžvCÂÚ,ÿ»â.éø*â QÖlþØóR™äæåU÷Ù;[å]w”‘}{·X~=dðƒ½7¼—æËy©Ÿ†Lâ¦q4ÇÐûr4Sg$ØE…cø¢Å!q‘F8dS}gìY?èOÚۖ¯W_ü'¼Î£A9nc?R¿p.?t3G¿ÝþBîÞ×prƒp´Ô¹ÓV«§í¯á|»¹5ÄQEû^Khóð{"²µ·‡ŸÎ²ý®0=ü½NX¤é}±·ÅZõÖRÒs,ûïÁ7ýC&¨ž–×ÁX‚f.ë½1l ú”0âu!–Œì·ýÎSÁ69¨…îl¹Z^îØÏhûiR±oæÊw•¼™"Çý„˜’Ј”.Ò¢; …xb“LôLiÇø}¤CÈú­¶ÈFe‰ÞŸ¨ùŠ¡wG¸¢%à°Ù寃áÞËÛ¯†žxÅɝts9ýwI©Ã¶ -­/h`p¦‚ùЃþ¾nA´JWŠ¯C;ÜyúûV¹¡zŽíx웋(ŸêªÞŸ2Iµ‰Vd“7%ÈL«X3u”‚Ô¡\•µñ\¨ÁkœÅÝõ×ÑëVñD`„<òú%#ŠÀC.-Ýw¿U©IAÍ\¿eXÕëʲ¹8¾q4׸¿\Éë»sø?®(P=2r±>¾)—x÷…~Ü¥3dn©å\Û-=âÁ_Iø´ytTl§w`˜»q¯eIÁ4š“é‚°§¹ô[K¬¯dV´ÏW~†å¬­Œ¹¶ø'Î_lûoú7³rÍÈ<¹*Î]?…÷ ù6°·ßIË)òzâÇt‡o$pCt$Ôó_dŽVè@2]FwA ¤‹Ð®Û€¸‡}–ðKÖ·'û~$¥Ï•*€‘þ~… º èax̢㒲¬ \ÏBó©œR]Æÿe´úx( øêådKi7ö…•Øà§l@.q]®É%vò~k5öwð{]ÉF׋|¤pÕÑ¡M -$Uù‡:ƒ sŽßHQºš§p¯ìn©"¯‚Nux€yRÂL -"a¹Âz£t°p[ÅH¯cAq˜h½>þ… ûsö¡i®¡k%lûÖ.›Wz¥"*Gb&øÆB<Aza¾ØX⫋\¬Ë#9ÜY »é†vÿò7]î½(\ڟô*2÷v -°ÞQd›vèµw89’9.„[>;häe¸ c\_ë‘Yf`¢ÆZCº$ò5ˆÕn!Ûɦ æÞ¤sx½®ÄrR=*À@:×9ï+Û»%êÓ­fþ -‚BàuÀT·n*ό ÜóÙRF”àêkRà? ™mD)ÙÊ$¾Ôô‡6õÆcíؔʊÊfú[አ-‘HòGNè½W¯¸;¡Máן!ÒPÆAÞò?‘é©ú@ãß}{¿BߔZŽŽ2ÐeXk®ÍÑ=&"Òp¯.$Yªûïññœ´é¢q{ónÂ#K÷¼Õß,SÊ×z¥vçSÅ`/r´ÔtUn݁¯¥IàÓé´{y{õ‹¸%—ÃhIËÉ3”27—Ôë¤"YOK Ý~Lƒ&ºA7?¾ð."nzš+Ø´z'î,`J)D—ˆ*ª× OUym‚ `•–  W7Ð!p u6†Æè4âœêq÷9!¯³îÑ3T‘!?9šFÙºÿY %ìär9göó&ÇjÅ-jw­„ ‰µ??˜‚U¶†?3Ýö·5dœ•àÕ).b[yÀë53àí­¶cÄEw yQ}NdIF,kéAŽ…Ù¶`'9¨ÊðôÀϲ…R‹úÚ£?èôî¬lКZ6~N³{þVš‰Ï[Úp³Æz»œJ`Ž¿9ÉT¢cšåZXø»z4×Zul=Ñ6»p né´¿–KN -‘IÜ11‡yÔÞ·k—J؉÷…Êy~Úµá*'t†&.{^åÜùÉuö×ßW_wûeð{2?X%KûN›ÏȂœ={T;‡d}5ˎœ¼uo{µÓæ®mEi7hRïáÈyNo0P2ûI8Õí'Üàü5FÈ5rjuñµãÖm´‰Ý5‘ ±Á#âÓ ¹~³»''Óm=^mÌ%°ÞJU#Í?çgE||ë÷£}HréƒÿàVŠD6åËÌq^CLwˆ|Gƒén‡ : 0ኽæïR _ƍV1†øQ/Ú à­¯ˆ¨`QN¿T7ŒÔöi@ÍÌ®åθ »MÔEì¾ Ì´®CÅ 8;mžT­í£J2«X8K˜èº­í¿û³1ĆQÈ}ñ ÄU 
â…îäî'&5«{ƒpF^¸GœÒò†…&'²›1C‰L‡°EÜðL´SØмïô½zÆòR©âs¦]ƏF§IaY#„Iö(ɵs3\Ø ÐËêFÊôÉ©kWê½ÀµX%öý’W€oÓó{À–„œîJוâÊ_màó3îñ^R ì°¿=ÔÛ¹øñ ¥òs£?èÐ3ÿҏ¥­_ |J:Y£™O²ª¼ ž•lV•d’ú606Ö^ŠAé] N‰V™Ìˆ/‚:ëÝjæ`0…f“f¹ðÝ^eëãnÃÈQ@¾kÕ4Þú©‚ÔŽCtyé#|°H’ζ+EÃïÒ*`Ëh÷]\ê2 –>àOÉfêäNšqjuVÞ2©Žï$ۈ©5ŸñÎO©T–Š,S6ª:“\ìÐ¥Wå r¯# D}»D/ßx ûfç\ÚÜX˜,árßÎ9¤!IP™<,IßÊ?ëøzT©0|妝‘¤8Ód‹PµHüj ŸK(X¡szº"ÙØX;~´_ñˆ½à_Ëä< ?]Ö¨½Á,[£X}Ëe -§ŠçÍ%Vš›)|CÓîÏ9vÉÓôpXRH.…]ÃÌ ò›øþTu{¾zÖÚ9p†a«hÿ Ž©æµ¨󞽘Q\5KñíÀعQòJØys鱖W?yj,S=¦¥¾jCÃYd…ÂNˆ£¶YHzŠb^Pkè¾ $Ôs1¥\ÂQü[ê`Ƽ$˱ÞÒNr·äæJŸ¾óáv½_ ·»~xu 4“õ¼P&;±¤Ï=ÓÇAÒógÁÂ_ |0™›¾À:ÔqE9®uÜ Ïqr„.aaéeõßÁûì6Ī/ÝûàtvˆË -ªDÌ1ñÕ ò X¿äzcƒ>2ë4c"fî -t­Q:ÔÄ|éòýÞ~¾Ÿ/:Øü  U` ì(›ËwzæÖÃÚS3dú@xN%jFîjüÚcZÂè) 8\"}Gˆö—}×ì0!ñÃ/ñŠFÙqhÕL`è_ -†ÊµßhÂĺ3Þ#4RÀ© “ìכQ&êI([êtÚ¬—ægCVÆÀ_‰aΆY: „Ô‡É2ÖQ¾×]ìù¶³QœzQ¥íûI¿„Hù·ÚP¢aёX‰Dfk"&G¦Ü­ª -‡Û6Òú×ë_ ‰kYhJۜN*A?7ƒƒ~åjØîZ€ás/ä MTÉ:¾ãÃÝò¦³NŒ²¹é+ <í|0N<ûDCÌ2@@Ð"‹Ržâ‚4g*%ZŸóĺk‹y™OÁÕ.ŒZâõ³Ø×7ö<üÎe¼‰å³À’Šp÷^ú…*˜U‚§äfäQÔÏF -ùf¶Bïô;‹y9ûWu FjÁ ô…Õ2~pls%BUî-֟^ é”†ß‡‡Ø÷q‡×¹Óv*j9•¬ï®£"›ƒ~¼cR;ôڙØÕà„°™}tkà>9ÂÛ9­Üq é ÏÃ$ ‹,ˆ''Ä8íæ.ϝO¢û7…~Ù,“ÏtÄírã¦EH•±×Œ¤—79—Á²iÁ£gi֋úC–8Lí3£sžºaâã XÿhœBù 2äüa"òê›þ6»qrUãô•~{GRkÍ è%©Á*‹6…zAáwÝHˆ×ñ˜i߉’šþ§£Mxòx‡ÓØ -=%?“Ž·ðV‰üì?´ë|ÜúHä/§ _«IæˆrCÒioìӀ±•£ò¢€<'¤tuÌΖÌdÕ«eM~Æ4"žôüO= hTQà xT ^,6§EÈ'C’|“à—-ЗŸA4ˆ#Ì %ŽIù.e›Ò“ŽòYžÞd¶tvó]³ß Dóßã­ø®åtÉÁڜ1qHo²#^ؚÀ&šÅÞÏÐç÷ZT,þ”Ç=… ä9ΩµWN0™­ §¦DÚ¨®–®«„¥Ä¿pzú6+ZTÜ=µ÷™{牞Êü)Úð8é=±¾€ÍrUW˜AÊ/>¤¡J»®_³]ï£çj’Ý“E¯û¡ ƒ÷Ò÷òÚkž‡…æxÖ¨u8xŒRO7#0'k¸×É ¦Ù3¸úó+Ô¤ÞLݤ‰LÄ -Ǟž–ˆJç\þ,ûÀŽF×T|©xöA4ªàJe"7³(ý ü±^|›üfŸ×Ÿ†ÁÒþÊ$¯«éFòK0Y²ÖoԉÁÁúSƒ`ÍjTT¨C¨¾øÆä¹<·}1L¹œ7óˆÙÑEÚäHµ×gÞ\ ] ¬äÀº©–•ùh´GÉh¯úr¯PGáÒªÚ(_aœSå‹a‰·ê0Ù|ýP_v$kø£Yù%ùœ~‚:\ႂɖ~NÖCIÂAíÕ]˜¯¿n0» «'‚pu”¢é·|õõ /@ҸȊ{]Ðt”v&_ Ô~8u‡îªfîX§‡µø´“Íî”5֞+- À=‹™ˆnü0 :ߊ]ÔÚ?ëïÅ»÷0MRƒñ?mª¼P°U¨'/:֊½TZŠ2„!Ĭ½%û¸,pÅÛÁbÙüÒhÖr\:ýܙŒô[éï×y¯^аçu¡íe*öë•.øntY"|­ÈåŠ †4V¹RH¯áæ¾á¡· >[/ éú?”3^ޑf±Æ<ÈÄðD{àçÂ5?ß9sôbð4ôTssGbh6 -¥³mÈ*¤tZ®œf‘k™Qr‚ŸiµYéJ–“ríÃ;¶˜”æŽ×uqµlŽ/Í£ëûñQò3ÆNQé[!›`SJ9†v/ú9ï1ѹ¶qã~‘—:‹^º¨˜Q¥žcsö²¹¶tÃò³™AÎmé9tüpP¦ úµ•E’Åég·³‡»?>c2ÒVvýƒŠª“C§ý#¯Èu}·Yµ¢é9ù J™åáoXLV¾#]LxÄS»6’ËÍo˜³ÛŒ‰# -«ó/¶õ<øvçsK³~¨’mxÒ£€'´…ðîðRûPȆÏé‰= 
¢6X7º -å‚3Ÿ»¶¥+FL{‘¥™É¸Ê{¦›d wE<Ûðöuª¡b~$.› o1PYyàZ°„íãq»÷ê6›Kw¨Ð@Òøm!p–wB¢ÓxÙpܾâÏƚu֌P9IL“Fˆü“VðW¡˜N¾«5Šoé -¹;~—ÿ409±‰z…:Ƀ˲Ϗl'ˆÅÉO‡:⼤ßTÿŸg½0֑ãC -‰)`Ül®Èå©` —«dÛeö‚÷PÅ=õ>©k¿Ç“ù1UâÔÏÎS9¾8¦¸ÉÏh(óÛÔA»SmÖIˆUH~bóŠ`®õ¥P>ÊÛD²D£¾æ¦“³ÂiϸlZE¼ jJ2à‹£®£ž¼òÑÆ;JäüÈ»Iúâòã–øèÑz¸ ;4ýƒoŽՏz¿Ínьlœv»fºü±±7†p•Efí¤t”ͤêNy(IF(¼Á_ ¥Î -’p6°’{çOt\AŠw2¢VúaMŸxJäÑÈ®BZ骿² rL?¯1 -G”=ˍò…#†Õ4ä ñK"´µð°“Þy¿Ä½¬ãpÜ-Ñ[É~JheæɎraaî%7UŸÔòŒ”1², ûWæ³Û/¨^ -$9mhoàpÝ0V™/>Ý ×ÚÊ H2†>Å3¡ª_?ã…îÅr8罅Šu6³é±*K6ݱ -ÍÔ¼¦³ÂØ´VEíRÔ æ¹^ hÊ;2¾'ºîGÂ"òåå㊻¥ÉG‰Ò½’ïÛH £-êí'Ee›_·á•žŽk² ȼ\éÑ,úa+¾Ð¡};½#&Sÿ¦á*²ôhP³Ñ¯sn ·×7o¶EŠbÎÞsî\ô·oÛê` -ò‚ -â†tãӈ'—%CVÓIšb¤–§µë~ç&à!;°ë-GÂÞ YސœÇê+ÄNä‚b|—AtFÄÅwÇóZ;žÌfíáLÖ#•«µ Zzêdí8žÁ Ê,`Pðª°àògqæó ýhí¾>¾ÆþPÐZ7“:®fìãèrÖΰ¦xÑ]Ôãa‘s~ç»+Vúšu\X`…À䌜÷ǧ”ÖÍÕÏîõ€4+3wQt1ûAYh¯‰/~òÙÉøM‡ô¦øÈ_—³•œi0!šœäjª÷yÙl±‚r€ éED -蘭(Æ|(h„ÈA½®îÈGs%ÛA’Ã+© Ûb2ý—¼ŠÊƷ͚íhÁó¹)[ǃ¥ Ôµ ︌2¾½¡'ÔÃ,N]¼tâÕå[²u&Ô˜?!&ôP{PÌóÀ´êì0Yͱ=·ºe ÖÁ¸‰‹ûyŽÆ»ZAKÕª}-¬þäs3C:3 ,»€DŸÃ#‡ÒÓ¼°Ÿ)þD°;·Zßj °’êp_$S¢¸=\<8âg(Êî/vSÈÍTõŒ¥¤r Ù ß¦8N‹‡mpl;û|~kPæiÀä?¦ ÁDͦœ1ÜwÆ#Eϒdï"ñ`S¤!²ҜC:lCÌô~}WìÙP–3")Z&ýn2ôYp•Ä:Ï~¢rÓu}²6dÅMCO¹¹6+‡$€'@®Mm`Å-º6V^¹SWnwFbJgG¦h_[¡3³MWÂWmÎ -¼Ÿ'Ïû¨H³·Âë ä!ªEüñžë£?ßFïíÉs+ؚˆO¢)þç½ð²Ç’×QúSòiãF& v¬¨5ef˜ï2xœÀPÔk»ã±5ekÒ;Êx¿Ï•fa?E–õéè•yMhΣ ºr yìVáå09Âf ¹®ÑÁÈ?Lö²©«’â¾­^爛0è8ðvr·áj;øë{Yèâr¡_›LÐÎ<ë‚6ã‰!týÕÍ㳌+Mƒ$,ËúåIòrJAύR§9sĎH:{ÇRÿ¹•FÜ]Šß[ñB¾ù[^¢Wu¸ÛE ¤89„Õ'ùêâÒIŽyü†ê=º—ÌÒ£6æžê:´:žåGëZ{<ï!ÈLãóUýÁ¯öå¾8)yÁ´²'ÛNWÃð#bžÃ««óXU›þ|>KÞ°_Ñ£(Z¯ûÞYåx™O÷6tB™W³ÈÊZ#Ç ¥Ù.W@£7eÌá=j¶ÇÅ[t›~SØÀf[Þ¿”8#E í´KlkäJIó°ünQ²&»ŸäbeɾdÅb«B˦àJ ³…PçȽ#ïExwö÷W+ü(3  Ü3ß¾ÎâÐ"¶lTƤ%Âç5™“˜ÉÍ́|¢Î—ùªPk$ã4·‹r{$‹¬ä— è½0 ˜ã1–òÂÈm_—ö\ùfɸ…ìÄäƒïSÚ‡» '93!Ŝ,ùÏkÅõ®“ù³§Z`Ì:v÷D)™éŸüJÔÙ³…6<åY¢'°~S渊ØNÝ]öËPNGˆÔ”F]g$p€9K†ûÐ:ÉÊÜ®f­Ù˜N£o/¿Ò§Ð+÷TìxÝgä—J.ì#­^Id—§jè›ð{O†>ÈÝqYãºUj -Vèp ‡—-,9,©Áz*[5í¶V‰µ}¶ÔµNÛK­`TRøðôÐå}¼Ëº,5®¼SƒÚ }U^æbôžK N˜‹1¤åÎo ]½§½X&îŒÃJl±s§‹hÙÕü† -’!c«ý”ý¢F)0ÀðJXÜ|—Y«N¯ÛØ¡ O1:ï¢f2˜³ë¡»ž ï¦Ì+‘L,xÂ9¢Þ¸rQÒ'䘞ˆ˜lÏF~‚æ—Ã?a¾Ý0YZùCÀQ/Èk ã4G“ç+Ž´,´õÔ§‰ÎŠ[ Š€‡Ø× S&s áïF¦¡÷2ܳ™ û„K¶‚m÷Ä)þqêÔÜnpæÂ.¬¢6ۉ±št -gñc¦ÕŽ™¡Ü3€ä˜î¸î 
-Nïƒ_8B÷Œý±?·¡R¨[œå7Ø\ë!“Û¤QIÜ](äãZ9/!;aߏîJ7(d§¹.·òŽíÙ"ÁãP[½ô¯t*ë·ZŸÏu2ÖX¿hrG¢éùÞ¿P¹÷$plñbì%4ªÝù£7-ÿ¬eØ­uLôùôfŸ šZÆw¤–H9»S?à5ùö\¸$$iÄh±Àßj ½}æøè—.3’L—íçv"X£ÇŒKfd”v¿ï[}™<‹âÍÁ,Ô:&—â„)Wßͦ¿¾öHâ¨o·±‰@ꃼZe2Þí1›È÷2ȸA@/ ½Lj¡=Ø-æ©.ò&ŒÔ‘þObw æØ CJ\q¦û6_¼AÅèØJæÖ´ö˜Øë2ÊB÷ ©zhÛúXQ½îò# ETÄÝ*lÊ6×ÖOéþéetX%í$TÉÊȃËrrÙË«³Raµ'p¤›€®Þ½ÐüB:ËbF“•¢õ”«Ú0dieš†¡¬Í|iÄYõÿ6ü dòžsu #EËên³ø…>°‡&¾%TÅĐêâúÔ>¡)TÀ8ì2‹Rà?ì)œñÎJ“F7J ]ÚkúDG‰œ·^ßÂÑ$”mË8?äò›U–ãêw8”dR׎º™þ×)Uªžàa*Ç%n' -5”û´¦LÀu¬cA‹æ¤(ž¯ÏúÓ/YNRZÕcù˽Ð)€¾¢_M\¼íöú£˜: l#¶Q_DE¶¶ü’yÓ ðL©NlKõß·h„#£3įÎ/Þ>€ºL&?Ê6æÂcr›zö96 ϗ9²uD¿†nEÓ;†#YƒwA+ÎIíš×çyéAcÖ£ÝUTýR óJïk„Á GY”#JŽÔÈr: ËA¨µÕúÆßÇa6 2œ­Êò›€ÄŸêÖuXÄ}û9—º€X›æ) K­]¸8å¡5·ʼ«„Ë$Yµ,6z—±íHþúÙa“šËþ:8eš‡ÀoŸÏ0‚CONY˜L°-)ùúc s_±Þ w‘‰‰PÕõî -sìm<ßò“ûöüàÏû@n6“$ZÿbáÌóå•h -ßÄCù  6#11ß7ÎQb­Üc󨮎ê*„QÖżÿ°H¾ tü˜á±Oá\jz£Ï)v;<’)›Ûù;•a ò>å5`Zæ?µ»qòŸhš¨—Æš—jäž -–|ږ¨ZjVሠ¡~ü;È»¬«ójoœ ¸Ö’@·Î§,1ؾ~hW2Ѻ¦“sËRsIÛiv‰XCt”€™Wg$Œe0‘.փg†-‰>HÒ¬jÉ4!™¢'±ßõãÈ2Jt°™ñ/£ºÌQ>Yý¤ª•IŽá’,ÊV;á._—7€yØ«UËbG dŽcÖ^]Œð -' Œä××6nÕ÷_¨ïo=›öÊ`Êp˜—#aèôhëܺÂqá’Ÿ槆71|uå,'ÿ P w\=X•ËÎWB«¸¸ñ|_<­8Œ¥ùè×᪗é”|À¶ šÀ8Ýø²:yº„>¥‚x߉¸[Ð} °8}̑™÷‘¡K³Ô–ða\“…¬¼ëDŠ±ýi9®±e˚€¬üKýąÿ ’"€ØSJqÎT.ŸêŠ—BRݐ„ðú“W¢@Ú(| í!lÝ4Ð:°ŠŸ-TËWSÞX“Bo‹ëÇ£’¬\U‰ -lŸUÄÙ!1îõJ k&eüù'Ègw¹Còd¯ "ýú{['^Ì3Y»G Ñ{K¾|ˆ‹-ï?1âɳZöQ™±šjA!ÏqÎp¦D9Ï°1‰æ—ßϐñšyªJ߇Àè€ü?±2àÙ°«³´~w¨‹Æ¢˜˜‘°vN*·nø‚(Y/¿åã^Uûºö¶+FDû±_HÿOŸ˜­ìw] \˜Ó—1é6+ۓ†CE]Ïï›l¦Zh8{BÂjP1æöÐÑÕ2ÌS9Y–Ïð-Æ^èØi<¬ÞÀÏl$Þ‚ˆgY\î·e]ø‡·‰í¤LH¨V_àó-AhRah—JéÂ2­ÍX\L/ê [ºÚ1qNd„̍@­µÏÛ÷ -¨ë cR÷aƒ>½x™&¥\—Kº>VG—Gá·oT&Íe'\¥«Ð"9kƒ^´•÷ûq™qà£|I“¢·ÉÌ)‰ò¿l8lM©”iìc^$]ý-¬h^¿3:Uؘa¤ËÏübA¥J:Mn¥ó‚,L{µF }rÝ}æɁz¦2;!{„U-zE­¨*ñ†ÄðP -÷¿ÏTÊRáÕä´ã—ámñ[©“Ö¢ÈÕoÜTÔr³I,¨ìÚâƒèr“DÒk×.iOGEÃŒïpì} dö¤™È}-wÆNMÛýV«*oðË]|VN×ÉÄÐdIÍ]n[ìJ!&°žc,Âل~G3^>Ðb&b÷6›$¤qUUø[S K^“€“8U³æ1xâºòq³ÛÆïw …:×=€%¦¥¶äÄF·)–Ê]&$©†‚9vaDËiŽù¶­¿ÈF v_íó\ä]]W bãSGЬ>1­ßæ\Ï¬ÏÏ¿àðÓÒ,؃H_T$$ݓ¿\¯†q¶Mk~7…ÒNA¹'a\버Æ-Ÿš©÷ †®$ÊdáFä(·—¾9Wí®‹ºièÀZ†¤•zÐáÈ=Ê ±÷Q¡Þ`^SâQ©¸ôŠgòJFñ¯Ë±ƒpr~|vÇÞéÆvý ù4p¥v -Ò0ÃøNðE»L`À÷%ìë±ðQ˚/À{ú.-ävÓoo@W éÒ¯ñ2wCÍÈí$_±NÁ³æq˜FÔfTiu׳Ï5uò¶û¾¼l¼«õ‰à-Xˆ&½²æ'ù€ L©¬ÿÃÏBeZYIgŽïÝ;š!< 
$B…ýíÁXI±<ƒ”@hš³¬÷DP.·æBúþ­€dö"¢žHÀ½¦©e|B܇K É£û'c~{…±Kí!FfBýÊ>5—ÅË@Ge!¯{Óô^aÐÏë ñR@͋N„¤ú£…Q@â`c?èá»ä¦Ý»ÁŒ#Ì/cáôPä²´µêÍÞ=¡±Ÿ/Wgžƒö“ Ã]íµ¹š[ʟ 0t¶wpí,øß:œ Œ!*}_›Ï¨œ=ËCiN@“Fk(2‰Æ!¿Ðì´V•Á£Ü¿7š@×Ímãå@Ð$5ÚÜ´V+«ÐqqãÞ fÖˤׄð²:ħirmhѲP&#ãê`Ä/Û¶<Še´ZmbÉÒbÖ^ë€8ø2¸Ê-æ½èž~¦»¦¤¥ÕeY"é"¿èßÔÕB*Šÿëæ"#¼1’/EzÎH,6M¼¼„•ê­ÏĦ¯àÈí_[‰z ‹‹ì…A؈å~×\ñâ´¹êÃu;ÖN/CÜ~ê,NÌ“÷üÙ¿‚NÙÇûhü³Ù1ê¹VK -#7k9+~FÑؙ¤wI¡Ý5?xIõMœb»o~—9ûn`Bâñ«ƒ›ù=—ì¨Þâ¡Ó=:R®Üæ±³§Ïýë;Ü Þ°ë2©p¡ÔWì (˜=ÝYr„9òç$ž:®ãBZ:óæ²È¾HwE>…T²;ëÐњ?Eg:Ç/BóÃ"gwCšíYŠ+•9¨Ñ(©öþ‹)ÍTVƒ±Ù¹/žãNJp0þ 8RÌ×ó€€Y÷Žˆ6øÑþÆÈ]“aVÅ;6 ̃.ÊÏË7NFðeÆ»‰¥É]±•è ×¬ý©·qÇjKÎèùÑs/Ki(OÙëÅkpI]Ô~© -×C&©ü7ÙÖì€ÓåÅ;¨Ý.ô©qF…0W¬tۀ¸œ&Æ,0þ¯ÆÝx }B¹âáÃÍÃlr²ÁÿCPZ_>Y>÷ñu%ëÓTÁÊè@6%ë»î(_þOÒ[})ì׌#*¶XgËñ{u•8׀.´7Z˜gJ‚Hz Õ -½»ôúaDz—\n T£î©Ãc¢@ºÍšèU#í´j,*'YimщA­Ø*–WÀ°;šQôÜø A¼ê.ŸcmˆD9Ò>#ÉôÅÿdUÚ¾ÞRÓU=þ”äê1ːPžÿRÇýɞÀŒÇ7 ÉçKpÁ&‹ž¿ØßA4›DP§­¬ã²4äôCðQ?è≠-i7Žk¯¢¦Vúìë1=:—1nÁƒd‰ÄÇbŠê€ñ-þÞ2–R–,*ؼB²:¦È½ WŠãŠ’Ïæ8ªóŽ[MTÄmëA¸Ûr Š -®?ìÑÈ:Ì>n.¦„څ†AWy1ÔÑ3mÕ]}íËd¯‰ÏἏ!yÂú/1½º²6Ⱦž»(…è5Å߁Þ-S©-פlÝHÄÒÙ$øªèÿõ\ú²ÍÚBašÔCSQ¬?{÷Õn‚Å©"¦R꟢âLJ­ÿYz–œÁã5¡4dÁ/* Þ÷ÊJïYÁ³ož–yh\Y< ¼&ÊoKqÐfÜÚüà xÙµµÓÝO…+åb|ìý­Þ·â˜¸ :$eÂ]ä‹[}"{µËq:V¬yšèBA ¨äì¨Ú‚þÚVNF¼ÃÚW¨$Æý·qÝ?j¥W ж1mPe6SôóJÛõ˜Šy°·KZeë*X.º’Àm›¬*/—"÷Ë\ŸŒdõ}˜Æ LºŠ@/å>n®ÚÐҐHT‹ƒÌŽÆAÊõx$ôA.Ğ@'¨ç‡š, -T!}³Ý Îäýð†â £/=Åÿcvz#þ#k”ˆ£ÉÄ㻑„ì¿aÝ f…¼…$â”3|t(Ž¾4hléŒØ×ÿw®ˆ[Žë;ÕØ¿©í?O¶ÿ¼3–a}+Æj¹3Fm˜¸"ÝM £lçòþ¤VÊ I‡ §iÊßà‡‡ãDù¤‹¬…9þû.ƈú›£’à@¤=KTxçyO nZ[Ž/Bý®g\ÝÅi‰ KÖÒMýœÆ}jÿ+ë±5d7í:oæc¨‰€!póúŸDͽ†/Gªæ‰·ŽTï0î#E/ÃrÉM~+ À.…*ó'©oŒžã˜qÑàöB¹ÇÉm£ÅéúÝò‚9hnì˜ÕM~£Y:À¬ª|å_SÑ÷E¤÷Jåƒè@¸¤&_÷ä¾iº /×E>UR'UàÍm˜óµ¦•k`°¡«Íù¤@); sžŸC¦²áB?§°[RIx ¯‹‰"5ÌZ÷Æß•3 tm›Ð²ýÀ«B«Ïc”õŸj'Áþqƒt„® -pS>FŽÇ_è|/ÉQê£°–—þù"t5@Óºá÷Qу;vä=­íڝ[|r9>t4™ynÓry>lä<þ“ýֈ•ÑÓpeBïaÂ)&ÓôF(ÜlŽª<ÖÆÑÇڋçÊ6B¹ìÎÑd¹p†¯UÝwŠø ¦šŠœ}J%æN.፟·-Yg¦I&ÞÅoÂÂÝáòŒÖÝ ’ëüîÅ%ÙºR¹å‡fǼ¶øáSŸ¦RNëê·P¹ Žý§ RVª,ukªZž5ð°dã ê/z’#ѱ‰·V„ÆáÛ5åcSŸaŸ®ÔŽ½YŒg<^ƒßL‘àŒ>îâô?8}˜fý£Ö,}$ú릷;Úã5ÒÌZQø$k»o^ËòøC@„Çlª Zƒ]TÐá·[îHâf(Š|ìKçê1ŽæÀYÞøæFÄû‡6ÕÈb7ì9ôêýq³ŒG¿ìn¿7jù¯£ænØÁ”Wç^•VVÑY‚dXh.‚Ë“gà oRåB¦´H§VÿQ-Qú×Ilìeì§wçYýäÊJý§cµò'(ûŸ\.ó<~ž'Ä -L€-²¥ø»¼Jîýý 
-¡YÆS4{Ú0…b3ð?°äVf‹±Ò‚"©†¾£:iHß^Áa1`IÊRŠOÊGë½qP̎3†aµæÁ¶ìêÒZ (¾QûÈ´µ*½TÌ~4Wl?tnt49$ºÚÉ-zs^"ΉTŽ ¿ÚLi‹¨'}ãN~)™Ø˞IS–+×XC” œï€tsai9£–Óv4êø&O¶ê¾ùš\CV昃ÉZLÞRȍÇHýI½…àV8’ãÚ«#w}Ýá¸û"--xõôLd:ÞÂ9cœBŒÂÙ*ï#»Ã¡áÕô„u ‰¨Ù³)ŸáB¤É®…uÏÎÛoU†LÁÄِWsÞ×£ö>ÅÉÚéH\"ü…ô›šu0a& † ¸V•Úð¥;T§’›î:¾Ð×'—LÕ=¸‡ Bí;`51&®séUÐœ`¤‘ øŽºT¸‹¥{1ƒA'’‡É{²&šðS›çaÁ¤õ÷r7ÿ>‚Gª4:9êi*§ö‚–îÛ0¡ëõõû¼§{m-O:ÁO­Â\Q·„+›Á+ÝÛöbwDù­ f ³N$™½€’祼¡‡Ä\Ä?D%ǔæD/ú°èÅFqàx·0‚ŒuùÁÿšgCp=R“±‡‰D•M¤³¾Çƒ:ûƓQ{J6_GR'ÀÓCÇvæŸØÔÞöI¼ax9³•ðDaDÖòÔü$«GóÅ ç:SÌáI1«^žÀõpFbJ³v*Æý™“`ú=þ÷…ÄߤÒÔj–†´k“Èû­[=*¤Q+ÔCµ‹âüdŒ?Ö é¤7Ýò±FÌ(¶¼+h6bslhïIÀÁ#ËšnjGôqH‰²‹9VjLÅÉ£pñSŠRñ¢Ԇ„Ñî”su0LÄø”M¬õ ^oÙ±§9‡ÆcL$:? ðˆKIÐâÉ.û¼…˜Ýhöª“-ëªx? 鼱ٜJ–Ë]©\ß1ÖB LqOcZ8pWMt×÷S«åKJ DSõ¡™üM®R}»çc;”uÂ:¬~×gkwlš]òVÆ/}Å¢K”ƒXƒaïŸyǂyårÞ¸›5Jš ±urç;@…¿¸£Î  ­.ïƒüvZ›@W}˹Rن4˜½wU±ÉžÒn$N4NŸ3©{Wç&cMû%”¨>Ö#.µûQœ1sò1‚ÌTäêy“¥d4'l -Ð]ŸXêy‘ß²oӀ$ð ;ñ^¯ $bМǒƒeR¨õJQ°~𒽢h•ƒöjtÁ𒣏 Aš–ÝHFþŒßæ¦>ù~~ێÂғ]Ž3 Îk¥@\-`y-Œì|Šòg.3÷–ÑÇhEw²ê0þö•¹¦4ȹœÅVL_呧 ‰=ÙÒ­µ,¾ø‘ø°ÁLn$c‘_½ŒGÙ<üJ âc̔Mi/Ó¥¯œ7ƽ -o<Ã;…‘ÇØÙLGAPýª‡”W&َÂù¡›Ù"—¾(9Û¿ºµw¾óÞ¦˜‘Šl ]uÁDRpñuwAU.—Õg±ç=َj‚’ÄMkAAÄ´ì* â™"æg×äjwr:Ó-*å<çéZ<·ïuŸXD,’%E±È—VÍN¬Jo٘U®ã ,¥#ˆk„å9„ÕÄܼ'ºàv}é%©@Ûµ;¯1/ò5¶T_/B£uÄEŽÛK,: -8¨™€¢íuÉu( {¤”ðßÁá*¬Ï‡pr^!Þ¢ë0SQPVÆ;”M°(ÎE0’A æÛ£Ÿq E©¸›sFÍ5Ñ¥·¬XÌÖX;q¡{{ïHäP'Iðmå¨u葅ʲz­~̏|™Á¦­¤Ê×춻r­ŠŸ2µÕГ(ÚÆDÕ Š·Ž¾Lb`Ån\a#ð-7ÊaÐ@ß™HÙ¶-dØä.`séBȁ‹Å(Óâ‚4æ/gËÏÂ1‹´ˆ¶êC-u’E'ÛS«ßñ£»ýàœVqóô‚à׉’§NŒÆ€ÓL\”b¶Ààhö‡6T‰ Ëÿâÿÿ'3{ 7G;Äÿ\tÀendstream -endobj -600 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1336 0 R -/FirstChar 2 -/LastChar 151 -/Widths 1350 0 R -/BaseFont /ZSDOCT+URWPalladioL-Roma -/FontDescriptor 598 0 R ->> endobj -598 0 obj << -/Ascent 715 -/CapHeight 680 -/Descent -282 -/FontName /ZSDOCT+URWPalladioL-Roma -/ItalicAngle 0 -/StemV 84 -/XHeight 469 -/FontBBox [-166 -283 1021 943] -/Flags 4 -/CharSet 
(/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/emdash) -/FontFile 599 0 R ->> endobj -1350 0 obj -[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 0 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ] -endobj -596 0 obj << -/Length1 1614 -/Length2 24485 -/Length3 532 -/Length 25368 -/Filter /FlateDecode ->> -stream -xÚ¬zceß³eÙ¶ë–m£Ë¶mÛ¶mWuÙ¶mÛ6»Œ®.×ôïÿ4ñf>ͼ'âìÌÜ+WæʽãވCF¤ L'hbod*foçBÇDÏÈ PURW0´±14±´—¡²·1ü5³Á‘ ;™ºXÚۉº˜rÔMM"¦Æff @ØÞÁÓÉÒÜÂ@ùƒŠ††ö¿,ÿ„Œ<ÿÃów§³¥¹€ü©½ƒ­©Ë_ˆÿçÊ¦¦ S€™¥)@X^ASRN@).§ -7µ3u2´(¸ÙXd,MíœM©föN›[ŒííL,ÿ)͙þ/– 3Ààì`jlùw›©‡±©Ã?.Z€ƒ©“­¥³óßw€¥3ÀÜÉÐÎåo\ì–vÆ6®&ÿøk7³ÿ!'û¿¶}Áì]œ,\³*ˆˆýO C—r;[þuìÍþFšØ»þSÒ¿|aþz] -íœ.¦.ÿä22˜X:;ØzþÍýÌÁÉò_4\-íÌÿ‹-ÀÉÔÜÐÉÄÆÔÙù/Ì_ìºó_uþ·ê l<ÿµÛþ_QÿÉÁÒÅÙÔƌ†‰ùoNc—¿¹Í-í`þI;3{ã¿ÙM\þÃçfêô¯Qþ33TIšØÛÙxLLÍ`äì]þ¦Pþ¿©Lÿ?'òÿ€Äÿ#ÿÈûÿ'î×è;Äÿ¿çù¿C‹¹ÚØÈښþkà?î€ àŸKæÿ6´µ´ñü¿…ÿ÷HuÓãøC‘t1üÛA;ó¿b0Ò3þ›ÑÒYÌÒÃÔDÁÒÅØ`fhó·Kÿ²«Ú™˜:ÙXڙþUó_Ð112þ7ŸŠ…¥±µÝ?mgû7—©É§þW g—•¤ù?oÔÅ)üUÞEÅÓá/µ¯DÖÞä?ÿ  Ù{¼é˜Ø˜t,ŒLÜ_>\,l¾ÿ—Œÿbú¯µ¬¡‹“¥@ûoÙwþSü¿?ÿµÒýo0¢vÆö&ÿ̊²‹¡ÉßñúOÃ?ncW'§¿ªþëÄÿ-ú?ÖÿtSSSc˜U{cž«ŒŸ™.õ˜y£Ó"ڃýL £¡eM*Ņµö}þû\Uu¡ôͳÜ_ž+¿>¥¨OÆû1l(úÒLo -ð|I¨ -‘wÈ»8hN‚ôÊà3/Õc¼o—eöÀ´ØÕN¦•ôJ? 
ðg»Xœ nÿP¸ ‘>; ø§7Æ£w#5¡Ôýº$O>ÿóL1<16:Òw>pŒK“MÆãOà˜‹Ë¯¥Z)ZÝL~ӑmÂ{ôÔ*’»RÆ¢)ï0=ã½Ég —\"nsYâ‚{s’?ËçžiE«vY«Ôè€9¡ÇΗ©5{ý‰÷r=Fa‘ŠÚòBLÖÔ—J|‚íuÿáq™ßx&™å2‹r&G-H.‹Û"]pYÝÝÝÜÝé&èJtfRÅÝEÇN ¦÷å»Íਠx'Yӟ6töà‡­ã•c7éË#ÖñJÝ5ÛÁ+cÃú:v{y)ŽË4øö¢·—ÇØé½V,ã³Î3ê - "+0Tjêkə”“Œ†yF¶6mœæ ¹{¯ òÙ¼¾žÐbâB¥} ÁŒn’Eötµ•tqx‰xͤ¡"„³úï¯È÷ñ#£Àó©hÆ<‚Ê&1¥útö¦I0ՈT¦YR0ÐC²åôɁz‘g‘Ú¢ö!¯9dÌnžîƒƒ³úëg0.›™c˜ Šöh‘ïZd¡{yz©J‰™™I‡\®\ñù¿¹ -3o¡a³ ìR€Á ¥äËG—$5]Ÿk&”Èԛîª7[ãúÞÛÕ3Üî2R×HŽƒvž>kMt]ËwE*–3¼m–ô»°˜(×5ƒ> ìÛ:¸øJ¼ü;xÏÙúãÌôÆë2àÑÞJìîKéÑTXŠ Ñv…—ÇP¤úJzöJèXëÈ0¨Ê@-œéÇ=$!áFŽÚdÉr ¸Ò*û3JE›1*-Yé -5=Wx²à¶$_?äÑåŒ6i7ei¸pÄ9ÎA÷ H»æ(»Ñ4@ïêŠRaï†cû •cœ¦Ã™¸ß÷Rž¾Ï¬º/säæ¤Ux\Wx!’™²– -ûˆÝ{Y„Í!\®©E.M.û¬BÛ)°÷d)”(Ü}Lxܞ s1Ôú~ã^ZˆUø‹t¦íÝ]TV!ò³þ"«ˆêVØ¥ÅBŸ‰òc yGOiEåŸáÉ[1*‡¸8E[¹ähÕï9¸Z˜3q¥MÕ2^¾dŠ¼Da—ÌLŒû\ﶓ×G hàºõ¦‚Úr¤ïåXØx·à외[]tWÚ*¢å#îÑfÙ -<ËnJ;ØW9EÛÛW0҈¨š¡ý=OésmàìPr‚ž!at5nd‰÷GJ—‰ŽsÍï:¨›+|}]›2Bjr¹“Þ14Á© ¾qêE®l=ÎÙqXñEpõÐëLïgß* R-h^è¶ynªÖö«$¿1mcqm›àÍÌGm­` …ð×K𗎲©«t»­e‰åû—´´,‰#7Êc1^Ë XSú33<þԂQ*¤ž´@·‹´ñi 2Äí­kÔȸ70ƒ@9}¥áejÎÐ -d„Ü)-l ÕZv±uãV Ò‘ÈU¤‡éœÙù¶›náBFöR`i# VGö{Cà -µ<ćI‰¡ÿ&)õduä.lõڅ¾UF¯*뛦‡7æÛ–8*²I°m~¾9ÀP‹U¡ÐIûVó(B–)l;߸´JŸÒðQ]ìF¨ñÏ1Jò+î;©³5à"^Er5äg¶Ð ò¦.‹í5ÄéÄùm ¿Ž+[ñCJuM2މ@¥q‘~+á Ûå(c¶öäÝ÷°œX³ þŽ8¾cçz° RŠžØàW+@U`q¸2'Ô÷éöu3GLiÖÌP‹!Œ ²ý}Æ>$íég“œáœ·íç‚ÖU½½˜.ˆU-”Y2„bIi—Iª@Vóàï¢ø=ú/÷!ÁÈϹ5ä`¨xÏb¨ðrŽeA¸ìö˜:0µ.m¦¸.#3 Ù\ˆc­t”àŒ´Ñl- U­™ésÿÏÕY݅žƒPòÝ×­uó͟Óð,ŠM{ˆêBCœ¾vb¸ÔTCR§dÚc¸eëq61»y«Ä'ù -\®¨c­?šœö©?Q®ÉóeŒCÝ»ñ§ š˜PE˜©•Øõ!™»ïë¿x/ëí-¤Kñ1(LùË\1ñyBµ³õ¢§X‰¶ Îç°w¸­)Šë–·ö H!û!|½Ž(§‚ ÿ&W;©2 -çüø±Pu¯Žq÷¹<¦^RvÂà ÀGuOܶBžÃD@ ˆ•ŒVÇ8 ¿öýG^ÅЅÂÔܒ‚×4bãÝ#¼c£NðÀK%ÝíֈÓúÛْ<@´çªÜßp–oè°B/::â±Ý.û›QW3´ÐK¨Sû–Ab­ˆ‘¾IìxˆV©]ºü}ír² {•j6b„[£ uh*pÅP2TÄ̵vŸ 11 Y÷2xiú—‹VkaŠý¯ª«^QÇ× …ˆT±rk³û ”ý¨ËÂϏ2ÿZ€9b“*‚Zpe¡¡l fSɃ“ÖÊ&Žte -.o¥¢è›xێ=m§<°·‡Ñ"a¿YDUrçÓ8å<Ñ綉¯àçËgX´½xD‘ WÕ^¤ú]ÏbݸDÆ~œiÐٌ9BWØðÅ -ÀcYûÞ´Nƒ%„›#5ÆT½”÷ µ“)¶;ч*þý³mÃ{ÀӚ¿†xÙ:~rƒ‚æ¢p¡ÊOGÊ|‡{Â]D‡R—xdHi?¯e8ß#u0됫²ÒAR¢×㓊omE°“Ž˜¹Ö1W¼V6­ºÜEÍ8X“ÂA÷M™*=´Î„ÒzÓôž½žC ©ÁýÖ v§”åfk &¡îKYŽè \ý¼üÎ-{7±¤mí‚0o….†)Ž‘TûáYª{è•ïÉ«ö»± -!ä/woD3“*·â—þzöq¼7VwJ -áèñ!r±Otž˜¹f{«› (‡*Qs­#òèRMc}çè–ßþî©vâl¿Ëñ{¸Q7(P#,L¿Omƒqäµ<­§5:Q™ 
op`[õ9†rïõNy’ ÃTñEs(ê”#„&ü¦»pÜlUÛ/æž@ûTn|«ywrõ¿-Yî€ÈôU`%vÑʽѠƒ OÞû®JxàuÕL¾ñ’Ã}änwJ×á L=ƒãMnižgT2älÕ§9¿ÜžYÄ'H£Öþ…öL=òlÆ4ׅF”ÖÜ+gruǦҐ3&T -ŒÓ2l8¨ ¦…þJoË¥Ò§c½}„BU °À˜öÙÃ!ïúx,ðz¡á3 2y÷î(B 'PÖ2’©Ìo«)<€Lb†£JqÛõñKÿüŠ»j³tDïL«¬«’;åBÑ2«G¬eCõMô'[’½®'êª(@¯ÿ!—LÊ*~Â2ØòQLyü¡ºüå(&ßJf†³Æ²ä”6{€ t}(ñ«á9j[*$C©”·CƎ‚!Gî,WH%s«Ëê˜u¹¬ûxK4…ƒ0 ÒÇÛwÅ9£RÐz¬ÿ~‡5Ê5k›^t‡çîa“À¨aÌ|m‚‘ìuô'ž<:Còói Dˆ*®‰ˆùˆ)prŒZ’}iô³®[Ȧ®ëå¼éç†q™¤åP´’ -þ£ÁuâÖW¨ÌÜ|ò h0®&Ÿ#ñ Éúp覻Q ¢Áîjg”Þþ€Òƒ -¹Œ'µ@O§þKlЭí÷¡‰ŠÆŸ@,Û—š·%¡°„`鸘\,˜3›}y§O’¢Av(˜igísø?/Æ¢ÉÇ1w«rû ñîäÐnfÁ‚ê;+êÙáNïõƒÓé2‡l §Áœúî„]î"¹àᛇ?ÉPl¾^·f˜SÊËq²æøÐuяR™lkOVöÿ=išA1ØêþìÄ~Iȼ¼÷Ï(ÄXkÂç?[¡ƒ4"Ô <ºeYA/,vȕ±%sK -į´^ÑæJ4«KsGØèx8¤õH¯H{s‚Ï+³ûuŠwœ‹ä ”ã¶Eʌ˜©øzV᫃‚³]ÃÎ+6%ô,ñ%ËZ"3vò;îÇšmçÊi-å:L~NY|Je™ç›¯¢ x*.º¾<Èzíòiw^ª(xw6ôÁu¥v8£½/DÕýˆ*Túøˆô´å˜ÜÍ-‰úøL…µ0[0îßӃíÅ·³nÜÁ.yÉ8vJvd;~­ë½cæ,²3ŒÙŶçŸ] ÊÞDx‘¸¯ˆpt¶n3õy(ƒ[øô¼}!µ}IDM /@ã¾#Á‹1éósùÉ©õZ˜F©bÓÄ$²>th mpÇÖ´i QgdË÷¯„â–œý”'÷t‰jP -¨a§ÎßÿñóÅ,ÿÓċ‡îRmÍAšMžbã÷Dý0ɤATédEü~܆¾Ë@¦KØjv¸ÉâU—xêÚ¢ÆhÉã\a.rÈãoʙ;&㩉I·xnÂ8Agԏ¢ÐÖQŵfäӗ»~èJ(¦äDÜR¢R¸k³”;2vúÁ}‰džZò³ØJ›œàÔ±Û˾0â!›q“‰æCÿ”8:Ú¤K¢Jä‡Ô+Œ[ -Y -?ž®Ëm´¢˜^ÝkB°gmpŸÇhAÁ›ã+’½ ¦´ùCºìÛ* ¶‘ÊÌèmiԁYHjÈêo‘©ma¥î¨ÆŸ­´ºÁtPäšP¥i¢‰Ã Gö] Û,[wdbÕ8ì`Hj•¬F(!2"L<ý蔸ÙÌvØä_C8Z¢=|„Àh[œ_sbN~•–F‰Èå/‚œ69v98  ÛúIÀ[µ!w3¢ï‰=R‡x*’ÁÁ~ú!ñT™N c•Öd)ƒ—®²Å³`¤@À6«Ù â··ÚþóÿU±3«Š”ì ûe“ öà ;ˆût­án‡úÝqرØ9î]OÖăkp§OŠºçhÚqèìùœ*é4!QÅ]leo P¯° û(ŠpžOH;Àpn}XÈ&ùhzb}>-o1‚לä¥Qò{qAb0hºAxô¬eš–G¡ž« ÷·=³^þ•Ø;¶)îtŸ~FjÒÃ÷°&….V’‘bP5Çzj;êü;¼N–åW' ̓3Mçzª~®¤?ú%öRRl{3!¸ýGT˜òýªêbј?ÄOO‡ö?é‘ä4~#ÀLÝš7æ´n¢™hfì÷$¡Tk2­_+šçä[{p¿¥¦Ñ§t±¸s;Eº·øeÙ'ÉsH°]á#e­pÝÚB[NÖ©Ìì9ôŠ~+CK¹’´5vôϔ¿§Åû$‚rq|xØÃñz˜¥-`)®þٚî(‚–ÂPªã4·Áq…e•Š©™.\Æ)¥÷Ð×åø@·_ÈK‹ÆÁs;;/ÅÓaQ(Á&µV‰Wî0C¥žXág)Ÿfº…k|¹½•l7¿Vp´Š0žH8ùÔÊWÒd2F-xL:Ff* ±Þú {jgã2÷Øè÷çÚ܏G’h«ÿûo;(©â[ G N½¼Ø)M-§³šÁ0[ƒz 7ŒÅÍײ¼šŠÈہ”=Z¶ËG7ï«û9|£jY¶Tr}Чր¿%P‘Ó汶}ºéÍ=^|{‹’ì’4f©Þ·(I¡ÖÄGHµT× µ\’ÒV½קâИÛ<¢gÐ;5ÂÊ÷Êû3bƒáØqø'1“~X»5^!dšô©ÙÂvÊÓß×¼?%Š^e剱Á›ƒS53AŸY¸í¦¨ºØæ0Q$®¼$»¯@} t}',ýõ‡®aKjw*lY/öÍ ˜1,KÉëEø5ÉÉݜÍ Gƒíéš—Àîëò]IVÖÇewËØ®uCº`Rtk«ðZ?Þ»WM ?ï²DPë>Wíݷۑc‡w’Å*zÅÅ ÚÝÝloL[!ù;‘“€'÷‚?0' Ÿ>¼õšÎåJº+Ë"ˆÙ¶ÜšÇ%=ôÎrƅXô&çŽÒ¢vͅ­ ©±ã 
I¯Á•5þpy$„ý’>VýÐÿ.Á×.Æ7üôUn€ÞuM´éî¶j–&……¶QÏÂý|Øô}bÚý€ÊWz„¸ë i◮ƒ“z¯ùt.Iû3V'ìµüp¯tâ“<òŒqf8!V*áÍ..¢Ô¾QA4±P‘ÂÊ­..=s¹ò¢‡ÉXÈØa 7—Ð"áð²)òèåÁ^·a?âïe¸çr”‘ëò >'Êxcà¦ÀtÄtžÔ£~RÚ´]Ò"å(¹ë•³šÈ™©üº¼~Œ bà¿uv• ÿõʖ*õŽ…/èyÇG8Ý]Üóó:áSI6ãè` 8„ -·ò4«4é5Tò÷¢uv¶GÜL܈%Z š tρÆY²éw*žw6Ÿ+¿ m;ÆèfûºlA“]^™òÒ6§)gÛç4([é`¦Š¶°¥eO‹[ÌUЭ e|÷Å[nÌKÆXkˆ2³æÛzÒÔ‘1È ØÍNgûhU}†‡Y¤V/ƒ`ç®r»üŕwŽk²ˆU©Z -Ocòֆ›k<²8ÞCà8táÑ£µ¾l,Ỹ‡þKLP§FuéÈFÊï†ìÔxaÇÆr96ÊÚv W¸E^òÍk¿…æ\áàdG• çg¼T>§Î*Ùà‚O…¡1‚úmKD÷y™8­¦¹H*Ê°Û¡”|c\,M{]áÝ°ó­ëx¢ „Á÷âÌz®†¤¦W+cXgbÑP«Vˊ™ûRÁ®.›ÂãÓ¨"¬È"§û놡R «6ùèù+“£E‡ßu¦ÊÙÊ՝T?ýÞCž3š eè=&º Bå˜AÈWòª7ò ”û—¶Ê’‰ž äé~Å$UŠvXÿa¼ñž ÁÖZ×yÍP¤ß™gÒöÄb›Â+ÕùêÝ ¨ú³Ce,º,:øy áà:ÿцh¾ÿèp>åõó«q+Ø2Ц¢›¼;œWË|¦qÖ¹ŠåâÀ{íPRí~=Ðø7‚Z RûÔfx†Ä2ËÙ¯«xë9$¬y!íL>ɄQÊvŠùpðp‡L.};ÏÓ­‘Ó*ƒ‹‡d( ”m"4Å6Â$káäü{àDSZ«”jåý_¯»l@I8XïL!áe(Óý7¹ú´K¼‘Å?Í!ÒVÏ×Â̶þD¢*|.zâò‰jI†^[æ/Í0˶KŸÕpoÛ8³Ø]‰á¶£ÄåޝیÏнÔ(ìÌñùhŸ¦²¹N‡PÝh-> 8F ®¦š]…AIø½=z]eßWfR£& i8=iÀ:&@Iuãµf÷‹l €³ ¹øWÈûô%¼f‹~etZœRÏԗ¡ƒ¼¶ßGPÜhB)¦Ž8±•ëÂ0 céìÊ/2ª5U´+s íÉA¬¸ZûáÑ%_ðwÐ&]6L¬8v=:ÁŸFöÜg³N”F¨€.Ä`Öꐓ~î…/jiÝñägï•^î¾Oûù€¬)eÄo²©»#ô±Þ¢;Ûȸ)yU8§Z¬rzV«¬alÎ>Ícà“݇`¼l}=Àj—GEݍ¬4ıð'|£6‡Ó¡ÇEÜðkB#vü½R®K<"On9$êð›è·×p%f:ÁrêŽn{ʶ (ëòéh¸7@ý‘Ø&x*®Ñ|ÐTÔәìŸYJb€"gºCŽÍp÷f™ BÈ9 Ïx~N«Û4'È*˱ oË1ڗb843Á›× \åŠ*7ù}TÉ­ š:¯ã*æ$9jf´Šú_;QG­0/§ó۝Cf"3Ú€Uß ±kÿñ¬òˆ¨ -? 
-©çœ.Ñ1FЋd4èõŸDú½åÜüÒª»x+˜ôL½›’jËeÆYîÎ)}hïÌ)Ô…9Õ1$5zü6Åhæ¨dlxMˑ¥]ŽÿF„k§±œ¬Óš¥E]T‹æu¹ÓyEì±ûÜT¨&š(H‰Z­—¢ö³Ž½%ÒánôâÜë#ê…“ jš-¢Í-ÿ1¶ˆ†£iµÝéËõ¬õXbßÄÂxò6Q‡kWPNÇ<0z%ª$A‹\Âœð²j÷À®HÕ©”Ó"¡°~¾üós¿›éùÀ_íÝ 2mµ9ÐQ€’TB†@tÁTõ£;ËEßWEÌDÌ­ŒguÅ]gÊf)"PÆÖâ1¿í^‰šVÝæI×ÐK‹qùÍÐX ŒÊY€²Âú1Ž» vp9t#ûÎvCkρToòϝĦ.ÚÒ Åp¥Øð*ÞÅAšàal.‹Òj¨BNš®)s\¬AØ(-¾Â‚`}¢þ•¿¹t€ƒ'ÚÞÇØç¦Á ¥‹i†Ö«nµðý“kf—P.Ye8ÚF‚Hôóž‚^AÅô“͉a'Ô0Ñú||{†aÑSOKn§ a·¯dŸ‘æjlšTŸxCbyŒÔí£ÝñÔMÊuÇiYðr‚ÐurÚëxªnø˜n©œ0’Ýø$^´' J#æ›Q[ÝèøyE˱éëˆî¯Gj(Ûïh>4±ï3vÇ]«×3…1Ox/n±êψ´Ph| \k±Z/BÛØ;n~ åá*`Ñ,n·¬§CßÓ5‚ó ÑÜßÃû‘aèTq«ý’„,é±®²ð%¨¸¦¸H™˜þ_8²ºlH,ÏÉP?2N'Ë¢Cs32Œµ]•Ôtf… p”-Ϩ,ùï“Û³É ?O„"_PÃm  :Q0tӜƒIsCBg(Ÿa²ÝHz–Þ§×@­“Ø;²üQÞ}‰6„¿½£„Yf¾6Ìû£ÉœÄ(Éuy{ -×ÝÀýr2`cÑ•:ï_ï6ësˆBª/ù43°±Ð¡;cÒuݽ‘H^ñ—¥™hÁŽJKýfc)§˜*˃RsžËÄw ¶˜­¼‹ú…{î''!¦9¸ªÄ«7:·™‚ÿϬ9ÅÝV8â÷ÕB9oÁËuõÕf{7_w†,pґ:;Î3®÷ªn¦½ò1¸ S,²©ßÙ³`¡Ì_²#ûËAfdøæíô—Ææð³„׬–'£Ogòµ\N`8Ú¥¸’¹ˆ‘î •£ÀEò"äÕ0î„!HÐêýˆ¼ Ô4cW’ë¿£d?Ò/VÁµ©ïJ[+z óiHOûè~yÍÀN‰²Fù„ðWKÔR‡\¶ëZòz[®ÈÞ6ʁ2¨4§¼vèõ/À‘7³²Ü´=0%Ç‹ÕkDµ*–¼%#§Ù—Eœ”TÇ]!LxÝV“lÍÀ–mä¬ -c[/ì¶}1?ƒ8»ãe§Tº¬lÊ£Çɐr´Ð–†)ˆ?~%@{$û뤓Ñ_•LrH›¨XòÅz£²á‹¼££N5R?Pâ¦&+û•VÕ¯5t×PF¢×=Œ'SÙÖƚ•âˆ7”Di´ÔÍÌÐø×u¬÷“„Á§ïj¾¨Œ*Æ'mÓåÍFי9j>"þ ªƒÎZ—©®›k²‚ŠÁ¨ùéCÌÂ\ìżÁ5ÉëòöƒlLƣڀvíE• (Š_‡EW¹ÞOèIBai°…@Ôóþ11šÏ[;„ -mø-³²a£7 ™ˆÑ4yª¦” Š.éw- áÏA&7–æ˜hæØ-syÊýem5ÖÔ¸ÙR—¹Õð™$¥£–1u*Z&‰%6Ù0å!Ù$‡"˜«¸&%‡ÒæÖzMUôG+40\ëGBÝÍßYi”¿¯Ã„Ä€¶MõtÞé1ûineç°ùØW4N|ËþU§ -˜¥^n蠔íê灕âÎ,ŎӲ:$!¨5]š¼ úuØÍÿò´¢·8“å‹ W"°ˆý¡VN -Z„1Û÷ ÿêséGeÉ8rœHºŽˆ²ÙÌl8 æi€Ì%„ÆPüe7û4\‰Ó|¹y <ž1+dÃîuZà²û¯]€‘+ ÿ~_ª†BAÊc¿.õ–B›ƒnŸ¡\n¦Ñ’ØÏ=Fe@ÛjiöAËÛ9è¢ôN vVÔc»ºîf{]²ÆýÈ"žÈA^poæÝDçÅ*Å/¾~U%{Á̓¢8¡Á[á\?‘Ø¡S µšá¸£³¾’!!\¡»NfM;–ù€y¾u/‰m_L‚{Hàéš41,³ø·YŠ†ÈEh+þ¼¡ÿ1ÿÁc¤Kw‰æ@áðB­>sÑX»ÒVücdåªïċ5Ëb7½ÆR¥çEŽ[/Ò†Ôü‘Î -)<=U|xxtp9Wlz7;B#Jk•ï*$¥:˛ɚ§rSWí»ü¾‚6Ƀ`"ëPÑÙ8f’cDÍ3UO°úOZ5i”ö ›¸¯Z¹³uzÏýåkÒªŸÆû‰Ô8è AiµåD¬Ê¯ÌÌ -¹J)°•§Ù´0 ×)NÇv*‡ B×ýD:)‡‘>}†rB¯csÏïq\þ%2Òûà<óÐYZoor¡›š+µKòj`Ѽɐ(šLÙ«µž¥ºª¾°6ê€ÚQmù_ã†S ûÌלä¾Z핾RøóóMÅT °…ñOPâÉu߁…t!kX™À¿î¬e°¼ˆ»Ç ÿ|£`ÌÉ$B‰Q˜².ÌÍÖuŽ’Æ6iF©Í–ÌI%ð ùK(¬‘í„HÀðaï 
Êym“g&”(¸1"‚ßµ×&ÕO5:ÁjD-Ä+¼TóîZ÷‹ciÏÑ._T®™Ï¨47Gå2ö³/¡Okέ-òoÜËú]Þ¬RIµYÊ;1;D.žsÏ/~„÷ÑÔµ±)4ûè—øf"‘FOx“0on‡¼a­¶Ð}|ø—|LÏf_ùëuÓëÿDë% ¥9…¯™Ð¡ÃÝy.YÚ>:Á i`‡½@|‘P»tSæÃN7o 1^lMôF,:=ýu†`/‚$ÈU±]ÿ»§üà@Ža¨‡‹úÁËÑ äÕL#€ðÈKô¹ÍûËϲ‰ŽRX%$ÑÏ/Œ‡ ( ‹ :QdiiÌ`{9šÎºüXÎ!M ]ÜAÃÒ (V % ?9s6÷%: +ÜÃhë¹8±Ã2ǜ»Ädñ†’¸ÆbäØ\Ô&PèaåÜS~žE¤ºÃ•P³e}ŒC’37@Ðì=Cù¦9Ü°hcW7£v)P½¹3ùx%ì=Q M–ýHÕøÄ žª ™Iú+|W"ÁÚÑöq¿–‰c#}~8ÄldTԛ#ì‚zŸŠË b8ƒ½ÌàÚ/V}zÑ Eê2eâ ƒÂIyP™!Âp@÷CxKŒK³óì>5A 3…Ê‘–r0صàŵ€?Ž=µ~‰l~lE½ ÚÝÄ>=ƚ”,S ð–lö-ok8‡ªâ7} -æb¶+Mƒ $(-TbaÄnÜπ³î¸‡ë7›KæӐˎê¼`Ëؔ!êQÊ—`µ{y±>Ñ:ésHçz¸$-©žY¬|ÄýÁP/[0«'ý–~õ™î!;ޞù ߦvoª~.§±h½sMlS¤’èǚ˝6ÍÌ0ç'5VL‚fÂ¸!D@_ǞŠ{…šñÃ嘙 Ã{êk)™½¼‚Yòl±ÝSðØõLˆÞ±Ó¹wÓ>pl©”B¤”åUn¤²¼]Mº0ÏÍõ®:™ºAXugOÒ <}†Ãþ -Åñf!*BJpc3w”Ò¥õ½ -_¥êûRô9>Î1t%¿Y¯ÉIÍefæ%ÕÇtìÁS=·Û;éÇË»â Ófé¢òðÒ?­Ç^|cgGKgËhçÞÓüñæ³ø[ <£ªFö:&Ë¿H28*§ªƒe*ÙYƒ”p>Ÿå‚žq$®!W¤²ÉIÒᆘÍìôµ2'h Õü›ê¯©ÑðúÀ†\¯E>æ$ü¿ÁpnNÌðªÌy݄¤à ÈÄp©É?·~ºÇiڎÐYçÝzC£‚un`×HK`ÀiájÿP~Á«ÕáR*Uk(ñÞjóe~?r/]S7 éÆRúí;|@“ -ðÊ C@ -]Ç]½|ˆmë‹0µZ~Vy¾ -‡.Wƒ”½‘ð®¯c[æ±`¸}Սp{Ù§EÞ…lž=E9Yðuh­`‚ø-s™Ê‡¡Eæú䊬Ï›1Û'å‰ë˜Er’\o¯õ»‘QòL™B¼Ów@ZsÜ3|Ø2ó b¥0š!D'Æ0 „4„›<뚌D&yÅÎà©~”:Èt7¢º¼õQ©QúƆ䰄ôë·6D)¨•ž-E3 MÇÂ#ùáك¬§f”Õmꑞī|:d¢ Å 9ÔÀ엪$纓ÀŸKHªyn|©s‡Œ Þc{¯ÙO$0B¯«OÌxCôtþdyCF%֖oy6”9¼DG&ŽîÕx,aÉzV–#aQä±ø|øŽkê»èLQÓå´öWÕZ•‚ŸÕ€ýÒ¦ñl¢AöL‹8Já}è]¸T -|Éûw°©ØâjrÉHÒ,ɋÆ,CbE¶—»Þ^èFêÛ9¹çnx,9c¤œãÖxrí“Í$åÈ£˜Ð^òK~_“â¨ö «48 -+ÇRaçÉ粝7[BÞºé¥4\faZ€T ¨ÏŒg"”¦¡9¨™_Ûü Cµµ’)µëËÏ ‡8Ÿ]ی±î}èÀ,??õbÒfÞÑ5MË$_ÿözÞ?=¬ - F]|N—éUÍQ̏Vá°ÊEšŸk´`ô—Y±fD T‹¾g뉓ďw„Óg"‡ÓZ3<Ýãýøð£ÈZžp Í M>3ίðåñ—2ºÔ7¨ažb8»×錏5!‰Ñ~þš‚ ¾dm>Ú¡³^óZ¾7±YijûvV +Ö²¯LL³fúêW‘¬ñExm íˆ/˜Ö39¢N1ÒŠyógõ4R–(,wV:Ív¡³)·…âÃÚx‰y¡þ3éT–V²`mÁ¦oA¼,×Qf*Å -†ìÓg¤…žVVÔMˆ"óC>”-²™é=$uÖI€å°•p„ Ô䪀]ƒy€ -áSý qÓS¿ª†R.“=©Àô®¸å)léj“%ÕÐ}PˆJ®D‘é=œ¼™–Ïßõ‰¼ØÇ´:4]‡ÔÇ ž¤=ðøsÃuú³ä0A*›Â«mõß¿5Ä%#6ä@¾* æCàK}‡õdƒÖô_?±íÒÑaÑçpZöñj¤F{ªUpþ¶«EAHJÉûµGCåF=fw÷ëãmÂ-\ƒßuñ(ƒ€ñwzJ°/_n•¯™ŒM°6â=(Ï>æ°û@Ç}²¨w¢¤†±(oE?Œº€wÎڃ%É -wÔ84<õòN!…OÑÑ5%:Šjªª Ì Ÿ—ý×GzÛÊL.ß ÜS ¥¤ô¦a¾ˆõFÙú¨˺11[?7¬âʑàU ¡FWópñóý‚O$ âHeP÷{+_-Kë­\)"¹j·Û2{ÃAÌ|¿d¿ûOa«ŽmÇÂøGœúy_°n$ß֍, ŒB茟k ^'2bO·oHêú6ó=Ò¢€Ïö™=×PÉ*Ýg¾ŽAKßýZG§ù#«†[¢)­§]ª%ñóü­½=îו˜Áž05b…h@ 
|ë4Gp”‰“¨Ò5z“Úzž oŸY’|f½‘s*š±¹°’zŽqðÅKC`ÉÅÎ̅)¨à<3¾C}M‡2V|öψ6v|’»¸Àñšûˆ×K3ÿ¯¶Ú½V±í­£óÍJêh.·ø"ž³ßú´¥+Jó8L!sµ~Ë@Õ¡›Ä»Ùs$C–¡@Ú3Àž%WE/èFKKÜeprœ½]’@Nœù™ú&é8ŠE²q3 ”™\☄K“¯ÂÓO¥ú¿`f< &=õì­gN¸ã2|Dq;9Á„èÞAê€òªÀҔEô :¼Ø” I«ïk/×p×$êר·~h®Ç–êGÇ -•m›;ÆւN‘šI‰Ì>0åœ\×ÔÁrÁ–~¿ß¦Wp—|@(’ý$&hdž–mGë¿L‹a1Dx,}ŠÊq—›ƒEr²S¤ÌÂ*—; ҞÏpòb܂7§"suʖXŽ¢jÅVvdJ9e°ùZØü¢·±›¡6 Fj’uoß@žÕÂÏRØA£šÏè7±R³ÜŸC¿«=¬z«R(–&HÍéE×`l¹Õé<˧2&žù?Ñj›]#Èvÿ£ïo¨ðk£â„ÕˆH@ü‹õëE 5XVº[੨1?\ýbûìS£Ao!b1/ѳ§‰J<<×*½´—Ô [,'{11ÅÓät—«‹É«˜Ù½U,ÓF•€û?çIIïºÒÂëGS#Íç‚FÄg ñf¬"Gh€ãÄ.OÙ[‰]W‡BáSdSÔVÙþ´¥àÍü‚íLjÚOX=BÆ'ûÎSÈá§ùÀí!ŒéÇÞÙÏI`HÈVŸ±ç‰À2KàN׈½ý7cÄ3"'Ýxm˜N°~I»Ëz -³š}±ômCa¨œs¥”—žÀÔ|%«¯bå„ÊÁ®U‰P¤ÑU£3ʚØ=çäÁὦ½Ü j ˔“0ÂÀ²Ú/ÕH«’º}Ÿ½'ÒôÃûψW–˜k† ô@k«Fì¨,çl÷Œû[o½­¯åÏ HQÒ‰…< v:Qñ7~to‹ô îÍñˆ”µÏŠaT'cΜֹE8«™É&Ö+¯«exÞÓIþ#êÀK„N¨à;=/mÒ,ŽÞ5êgné*š^D‡S "‰±­pÍq>Ým…’º>à ìöû×ÇãJ@zæxÕÕFW8^bUʾü·?ìõn}æ.çG®!ü–/|c²OQ0Þn"uÌ"Î{o±Ò+rÓ9cD[ø"r¦8"°‡2°¯ŒÈH… â¯ÛeÉ¿–™êÞ×Ɯ«QzV»ëߍ„ypٛaòòØvƒÕ…³ñ3’î÷»eäB¨hQ!K¦ɍȱ\oÞG)VàÁà‚9²¸3üAîכ9w;—¼¯i~WgÞÎV¼¬õš®«vÎé ÓsÌÚM‚þº‚`=|˜ >ïæÖGW=ÁöÙ7.¼Vª— ]m(2o•`×Mäƒeí2y^ӢˎêçÆFƒ<é>Ñjí!ϳ3¬ÕhÞÕÖ>þYÊýñYî·Ö -.@ ü,ñ“`aMJ!λŠ6N‡ú:žØ7y|‘Rä, ,²àMgBˆ·»¦8o¹®(QF ™³nZˆpZª„;¶ƒ¤Ää.«³:‹}ïþ흸<$ÈñÄٓ†öú¬vÇ†“IF#ûeyùéëBCⲶtÊgìvve] Š|(Ü©½ÞŽÖ2Ç -"IúvœÝ~ÙuÊ)k˜ˆB­±©R…Vd›}‚Áà,‰$™ØmŸF3S)pŸœOigRD['ù<пi[Ïe2rÃ2;í¢Ð ŸUATþV]¤·êœUÃþe½ø¹7㠓àìxáO¹¦€`¼Æ!³†…˜I®‘fþ²¸<Üzm7—‡£©ŠT›ä% €ȯ•“º»®bÔq᎕ÂÙxú§Åd%]òR¾ˆNa†PåÛ‘Ô›§­ÅË·o#=璙¦™›ý&à¼)g‘^%›Ï¥ ‘¹m8®à†aiå==çƒÀ¶ rAao¼¶5–‚ñbP¥C‹ð¿Ú7‡õJ@ÙƶÛ¶m³cÛöŽmu:¶mÛîØêØæù'÷ îì|§`M«Ö „í±-!‹°!Š£ñFll«šuÿ¶³àEl°è^÷ìQú)æ<3¶ÄeóçUU$…»j×~a»XL^äMΊþùýê㉃j[‡‡·CÄ*Ä⮈àÒh‚»¦QË;u|ºUw">,œ¤âÔ;û2Ùöí„gè‚s+‘뻹ˆ5' ò5lÞ¢óëöæE¢!V§Ôëig„_›0ˆ²eŚ¸ƒÎä¬ø™FÈÞ»nš—4;¯Ò¦}B‘¹ªNÊgeoX™Ú|ãÂ&÷ó_Ñ.‡`…ZPBÐïV-Ïdp-Þ ÷ôu¿VjÒé³-‚núR?uC².Vstã øu $]du=ÉæéFtâ¼}ÀC˛“›:æû¾˜𓿺± câ2Ià‡—„-Ü<Ì´•’[k+¸êÇQy—©Öÿc¡ŽCˆeŒ¼Ôÿ²áÔÓ; Ý מ %ÍOD5Ñ™C¹ì*ޖyßq. ÆÏ'›oãê¼ ™æ>紝,Œæñ³-yÉß«Œ'D¶u]v Î­âQ8ŒF÷Ùî>Áß e´âÔItŽfsX;†Ýõ/‚)rž -|dà3E¹Æ:[qáڙ£ò|Q²îî -¦A½­! 
V™Ñ«ô¸õ!UÖ‘»¿ûZì´àž÷¼ˆ_Éx ºËEµz™ãŸæ`ߎµ1BT5¢S.t´ÕãGéÓª›Jfƒ@áƒüZ~9:מÊF&–es×A·„^_Òj:Š54e°ñ2ZÅ[»É8=–èlÂÑßøè\ÓÒØø³h!Y@ÁÓý_¦ñµÊh1Û áu7\°’¥Äå{ÆR=úGn2ÜF«ä¿+ÛþäôzK×î=_B¥¶4o®ñ‹Tœ‘6\¾±TéT3]‹jÚat،~‰Ì d…ú;ÁxÄïÌ_¡ñÕÀoˆÜ*@ÆÜ©ç9㗮£=h@ä8Öþ"%™ü—7¸3»óùÜêe: ­ Á¦a‘À=“ùTý îO”5¨84W@â‘Íx§²MÂõAU¤×yZl -ïZgUñYÄٚf8Âôd¿ÜÕÌ°ŠkÄǑ­Pöd¼ùCSÖèJEAPÖ6ÿÝĸî­$˜ç¥Ç§¤F§Íä0'tÀ¸í•kØ0-öÈ*¯X&ÜÞÎe0ª"Ӟ`1ґÿZJPé‰|ϪâŽëH¸Äo¯"0‘y‡Äúyú#gcqꇍót}_/ ^ÈdkwÜÙíúòÜכã“3ųʶe/oJ„yÍ,½ä!…‘NV§7S£dò=á`ëNŠ°›½7›.5ö_4cå6Ä}|3mÏ ‚¡há9é4΅c ÄæeG(½¯üª§!Dî§Â‰ë%mëÒI¿lbÿr?¤áoÛTZô=É閇™Ã¦…ñL22–ÏÔW‚b²’BžÕ”1Ó¾=ne AŸ˜ç¾cqaZ *^"MïpØ -f‰ª^±Ü‹ é¼E..ƒ§úW÷#^ߥ3áÖøfF,þ­œ{L$ÆLÜ#bâ4óË ë×b Ó>Fõ´í+3w¹ü Üú¾r•M0Л͇ü™Œ(Zʽ‡è ÖÝJth¼Ž¥FP¹o#¢€ù‹i»½×Ç ¾™vôS5ñú''Xieûµ¨ÔØÇá…ü–JjMB¡Öx0ïtKY¿îJôÁ¤ø9ÐYe³ä\NxúVȵôz؟BËLL«?sRÙíŒ1`¸O egƒêWØþR¨ªðHú&š¹‚V;ØTz°7Œ25»[àÿ8˜ ªg·t½ÿ™P¥bü§‡ØP "ªM}ÇìÒÃ‡h“÷þè҂]ž+™„¨c•ñ× -ƒË[ÓôÚ¯^dþþÂ()<е€â¬‰fL^:Q+ -*ç+Ë7t±;¶Ý¢ *%:‘Õ]=âï›Ëu'–¸bȦ•@ø¶$®ä“Ns5>7;mjo'õ£NL)H?”ÌsŒÈÔ$aËêׁtPf\D:. 3Üí ]0ŒEFöáGÌåëd\W”%mÔÀàWíQÎ1‚Ôé^ȃÂgì/}™ïTJ@f¢”³ìr'÷W@LÓL7ô˜Ù×Ê4Gz™·j±RÑv·WX¯ eÑæӘ¬>îcçE[(Œ4ÒÝãÄ6æ«wadX.ì‹ÖõI&b3%™Î|Ä„£• µ€MÛƆYýS1­\Q­{ô"²ôvq¿qJáænTPXšß~ó™*¨0D6_d ðvû—Ïä"SE¾2å¹얠cÅ:ßíx:?>þ´Ì\û¯ÕuËi-kÅá·eájAŽö´­€Pª÷,û“x+ñ–N³WyÞ%I'µ¯²NŽã¼õç!ªÞg÷º˜°Û—ÇÎ{ó;j’k˜',ž¼Á9@d¶ÇŒyßúsèìÊÀăԱî“æ_Æ·髜P8 G݁ýÞÌi<úyÈ°2«0$įoUiPÌ3+Pdñ:K Ñº–%‘\·ӜA³nL™=ôø~ØsP sé¾ìEí$³Ô›†i2 Î1‚‰"þiaùøj¾U¢0@‚³ÜóEnˆk“¡ýAßèŒ0¯±¶è3‘éStCÜ3¡…NðöÞ°QOè/ -Ÿ–YBAí¿†ÒŒê§äkÖÁ[„Xé„5ÔOBÌå猝;ç0NGGw¶;è‹qJ¤:„ËIñÃ`’&§ -~êŸch]8-ož¨­`¤÷3oi>ýß" C¸ð*$4üÊVÊǍà-L>?´<²èl7“xxފâƒs̙ú sŠÒµÅG -‹I: "0²sŠ|¯ÕÁí›góij§6W]˜d Ý£,P•9Q¦%·Þ$,æv'){Ù¨«wÆ -š -éɃSaåò5¨îŠ‘NK÷ɓäQgÀeÁŠã*C†QÊú;±W¨+Ì(=ð¶ðr ¶}!YÏÍê»pD™Vµp¦ÔÃHã/°²\k‹÷ï-7•g;먴R‡:g\;ìÇiw^îmֺԁ£…&ú§uâ@’åàº\s›eðV -ÕÊz]¹§0Ë0Ôo{„ù9fJY?ó*î ^”ƒðé )U_‚)(ƒ+ |õ÷±íàõ§¼Õæ÷ãæGT jO×~ªØ:_†Üª63+‹êËí [ºšŽjJ½põŽÚìt -®Çïu;¢¸a -X§äÊÎ L‚|]BuKÚ ãªX›ŠŠji·ý ÜÉL5ÕvÜ4±bY(G¹Á©{»QR3œ”äï³IgҐü»IlštêÉÛ|ÃÓD ¬k{[Åi6ވâàô@ðww=ã›{Qúã¿TêFióLmò¤llÃ?æáúnÝöþƞçètÒn¢³¯?> -ukóñð^$r­…ùÛ0¬˜¡dâ,ö§éi¶h9PϹçÏX+#œá-1kÂ`þ73´>ÕÏiՀâ9rµÖîÍu1‡[Úýoóçu¹Òè™ÒN´¦7¢5LvFN”‡…Zäöüäؠӕ"ÇoÓpšm®“° 
-.òvŒÆ›ãWa°r՜ܔ`Ÿ}ö¿¯ÂýÛwq¹ÙïÖ”‚·0®„i‘%Áüwþ!W¤Ìëe²Ó -¿£JÄäôÀÈ~ ïbþCñ÷a¼™V£;Ò9Dáö$hGSú‰]À¼#A97±§ãÈ*Á¡atìm}¶—†mK•8ù6T«Ç}þ֐åãÜxò`žüyþÕ\ÈqïN51FA1Â'Œ‘uôÐÅ42î²8ݕ沊° Fô„«Ô¬àCøb&åûlÅ -.ô.!¯ ùŒl}‹²-ꦚ!Î(®dìQl’ç0(oih7»"âØS ~M¹û¶%úÇõ+°jÐMᶵ=$,ƒ‰½=öPSÆO>ßʳqa—ïñˆëo"èäËÇt>U¦©Cði‘‚1åÄÀU±l¾Ø ÉB½Wiõã(¼šQí‹Ù».¬@Üÿ ÄñŽš‰49c̤HD–…P=ºÝXt>-š-”ã¸4•öv‰_1E‡1;K-ώØõÆ©É-4iž æ5¿Ó³ƒæ‡ÈÌÞ\Ԇë1tD‹ÈÄtŽËd6_EófNñŸZ:‰»M¸²Åˆ§Ÿ·ö!4sBúmU¨ëˆ€è¾ ˆ¥g? à*Tڟ®¦„ñ½>3V ð -…¯oÏà’X³`G ʟMjâVQ̼ó{?#ü{¨ -ÿ†%ôAn÷«Et_I^}Ü<&ì°ÄªäcY:/‹Èš 7Ôöyvcªð, +´Âpmê_oS´±KR*\ÍeãzÜ­ bfú0óz30s–ÙXsø1ðniȹ‡"/]vºrÊO‚0Ð4.²'‚çàž³ÖVŠ¢2ðm+ø«Ö°ÎhP_  P^ÉòâRý;ÐēœjÒ Ë&Oæng•Ûlý0kôÂ7¢mWÌçO5RŒ0 -ŠÇ½Íè÷å/‘:Ìé5b"=žOæýÕ0Z꛳Ùø¹'sä3âçDç&EÇ]ñO¶>Ä®ÉoœíáQO˜­¤zêY`úü˜´Í¬Ž5íh'^oýHÑPbìPŽzÝñ)aþtgڍӀ'ÁÀêÂß8$æ K&ßçÁ[NÖøü¡—ýÕv³-Aõ£qž«ÙæwC…ú‹† ؝”Šÿrlçז„rjÓäŸõ[N1Ij’âú˜¢^…æ‚pBÆ×}# ¹Ùʏ‡†êQuÆÚï2K/Q}äŠñþB–å^Kðo£ò‰PÌ •ÔZ³]pð |"XöPìv(Ȝ•!»–AC†²Üȝ飤QB$ÐÄg™¶T7ä;ß²'¿¼ÒOѪ^ß -ƒA’/˜|ËÝFʚVqÝ¿ˆi7Ü/Ko›S¬š«©1 -‘ƒúS¼×¨,î$‚Ñ¢±Í97Åցàb+𶡸5f‰ôÍÄEáĊ\u’ Ϲs? -¸ÑàXÎRP*;Výt”ÄùYh.H­ ‘¦P‡mºx¬KÆ2¥¶­^’f²­å娍t¤Ç´gˆîPsÐ;íÆžÿ|>w…Äv»Úhwò®â€n ÷¯ü×@(áÆzø­³Æ)±GÈû Ðú¹'»ÐÛºäz÷VýgÜÌ?Ù_øö'jœÙ‰Ìk@Ì•›é™fÐñŒï·ÂvÍã™'ð”ÚÖ¦E;¾SôŸÕÂoÍQ±‡å*ÄÚT`~ª0¤®1æ; û³?Ø^ùM›DÃ%‹†ÚÉ {:õ ̓XP°"ù5DØbÁvZÃÞûµäB•,º ¿›´üÅ\‡)W©+±UÐKü€FY²{çU¾‚Š'2èB),éÉ ‚ã$W’îÏ°=w>ÒT› -ªCð’󬧌¤piÅ2{Oe«pFañp¨“òK¯Áf¤wÍÍF¯×p˜û$ð«—þ£R>,ÈÃð2*ÍpÃÛ@Hd/¿«–e†‘[Ã~“®ä“Ô‹Ëq˜øeˆ ÛvŒëkmÆ{iâñø*@À˜BAY¸9“X±Än©StÞSÖL( J[/ÎtS> üƝ3Ý[מ¢ÿ}×yáõ1&—(~Ÿ(â¹]èÖà_Bæ»L \òÆDša×+ù›>•§:Χ¡I‡: cº¡NƒU‹SôÓÉt<þŒP¦_kt(­Ìkß#þv&1‰oJ£ -êä;ã¶,¤ R††§t«É–¯Îo$–Nžù˜ªÏÍê;~6owAõÁf=c³½ŒÎF[ńæù–¢ k¦ƒùœrÏ%ǨTá…äé ~BÖ|®âËGbÏîå ȲÆà|RMì^ï6QÌHè6 jRjôäßÄËèT[\û≝RµÃÂ/H]\qfˆN¼fc*)¥Ö`õâÌ<ò&$´­†»€ËVђoþ¤qP¥`•i«ìœ/‚®iø=Ã؅®¤ ØH’‘·LŸwžðˆVßÉÛ¤Xù¹ ‡¸N‰UÈF)ŸùÍ/'!xx2¼yT.o|³ìŽò©ÏÍ#$£A:Â>§%÷ˆºjôyáÄÅ ïaÿa$îÉ·FrQòÖü›¹Ó+üy»¡B•oV”`¦Úv -&®[öà"¥ƒÊr0—®£½ Où´i½TªWÂW’œÃ9“? &µ=,³J.Ÿ!½ˆq·¥ÄŽb½«<.]—æ|2Çy¨²¿äfþ¸p›­0ÐÜõ‹´ÙC“žî¤ðš'M`\•xºrAÚ\WQol¾EîßgîI"wÛæÔ×¢B‹ŠJ4H ‰¤½1—hòK»ß diG!áÅ~Aðö†ÞßÁ½â ¿ZoGÝ. 
P×£h?¡j3BáëÖ׬s‰cëؚ&æÕpzð8Æ9Ùw;ž ‡YQ”«®ô¹?XA¢j#(О)Ù5¬4*ÉþGˆ#_hX -‘pG̜'¡véÏ jËN‘D "jÀ=DÆ/¬?õKjNêps÷y Egð¸›âæÑÅÀé¸ eZʍÌÓÉj¸-•0Ýàµ%‚aĀ%’'ðX ŒÞy˜ ž9˳Õ-AŠ^¢&‡†¡Äú¢|;“õ’ð­[Ճ¼“x¦Ñëc-£V^ùéïÎ$W‚ -cd(¨[÷[qJDü­5›UÁï¦ùúª“|i‹DÞø£– ¶8ÐďÎ9_µàé4dað@˜Ÿ P´¼jp-sð}Æ÷FþP³‹3ó#¢•Cø°¯‹ÀÀ«£“TK|å÷lfËZ¬h'B‘@á4u®°8ó]0tƒˆ‚Ÿ·Èr»‹•Å!¦¿Ñ TŽºéør:4xé"&ÅN Œ/S;8gw¿…×Û¦‰*™ÎûTហ“axe4ܧ•>³î@E ƒÉhª…Ê(ˆ·êÃÖ&L}n³‘ƒÉ1rǺj,ƒ©}j¯Ø`í}¦|ÙQì¼¼ ó.òE)Kïݒ|³I4.Î3qÉ-™ÑŽa‰~Ó»š—8Ãd®HÎù¢záá~o͕ƒtfž -®RÁ1æ"+Ob´½ÞnšŸF±¡é’Þù4g?nhO)Õ"AD·â™¥ïŸÜõ׶auE‰ø–ßl·Ðò¹…ž $ênúŠ–ööÃdq…K¹Æ}¦…k'Í^ó` -ØNB†@–·üa`laø¯"kÝ =“¿'pryÄWæV(ªŸö_š_ЪeÆ?±÷Áž–Lô]̈́ ~=³_PHã7HPͲü§.÷àÚG ❓™•o…–ÃÅÎق–¥kD˜°ùÓïÎ,€Ý¶ =ÏkßWÁ¢°™mNž«Ô­I­š^ØG1߬þ?ÌÝkœ ({¼L”<Èà+3¼$S¥I¬L`h9Ä÷}6·b'º^» -3c]MŽ*9Œz±â{¥ò˜r»¨A®€ÎVÝÁã¤þ칧ǘ¡O–•½¬€K™òLޓN¿b ª:"eä%‰zÖ¾˜+°¢ v¯ –=üµ{nváû¸iɳ5@“¥¼ ŽÀQEG}Ò="ÎÊg2¹k}rgÁÎaïÄbF2§«:ôq‘l5eúY[Ûh[Pz¨ãLF37öÐkKã D?¯[6ènºMeÒÊЪ“Ž\Ì¡Œ@\$ì1‰ìÒ%$¸˜¿Ó‚j)Û±œžhÄßF%²&â}–ž9 ÷»¸nqôM‘棆dŽà5<ƒ(»°äHd´ -ÿm“'èZÿm+‰pÁB"ÊÚO‹a££‘Úàÿa¥ÅCîp7¨Ûw_¬QOuü"’­8ÏΓX£ìì?³F£,  »«VH¤nÈ8ò»‡Ö œ»Œ¯WhHâÍQ6ååõ0bÞwþOäÀG•tÙAz‚ÿr½S{–§ÝrðÃF5'va¿ ƪb…T› »¬ñº´=:I£V‹åc¢pf€ÅFw”™þ¡±šç©‰Øô:î»:·€·^Ϗ¨„¯¶qzº QVàD~͑6‰KÞY[ÑÛ"•y'$˼Р;w%˜ÐqàÆ9æuµ4Œ H”iX± -Æ94£ë Fsf‡U…ÞpÃxò¯*N.sžuÒ7#0÷Óc‚H՘ –âYph9ÅUG— Þ¿¯çÖëY:/¾=¶'·2€ùµG³<~ª:™HJë¸p”£0L;µ/$I@ÁW» |8ú‚¹>ú¦êd,xTjè4q -ŠÝØfxö7w÷Aꎎ­L¤³íXUòW³.’¼ª’;ÓÓ¡E"Så]FÞÉÊÏ"iòmþò¯Ñ7„ò—Ú+ÝظqŸKәû˜Žz„Œ¼{R?5ùÁ.’ª–).ÄYðñ¡“ÿ’‡èa£öî3Mä¬8; O'ÂÒÃ{(:õ„ -2 _LØÅ£™>÷R¤½¼ -NÜßúú -Lœ›Ê%…LeÌ¿+1Œ-•*ŒÂ0G70ýo2ˆ…"³ôd°Ç\g¶i7±ÝâsqLÆ7!õòîϝ¢{ßr%tCáвA@òÊý»ÑÕ*k„ï:qÉê“2²)]dÀ҂¸ê‚ƒL/j”ª®äQéâ a“H'‘±èñä^¹®˜%ö/ïŽö»Gž¤ò÷»F¬Píù'€.wÉ¢‰ç’‘H=¨>9ŸhxÓ~TÑMÖìܑœ\nÁ¼)¬2ÂÆP¶R7wõ/qiÉ#·gD^&Ñ6JD»‡ùþþµ˜‹VÕz<ƒªÕ! 
-6_mŠq'2~‹Ò=aFŠ†þМ²?Ç ¯Z¡._|;l[×OX˜àJÁ+QGýiÜZɏP&Yyf2—<²è•rŒG Ü75·ïá3òŽÃ#z‡FF⨾ãúF4þN¸ü5àcíÚ6P·¡“eä è‡Ék¢œu_KŸ¥°L‹*·éñ0MH¼CrœT>Ü㇟x FÿàRÂB_!äµi¨NÙ%$hâ]tÞ ‰¢èÛîûs¶¼ª=nù<ü¨òÁËY©ÞØîƒQKñ™ÆýgF==ˆ3šöùsCì¶G’Ð!YŠ WaðŠ +·Yà¾]ˆh‘!{â#iŽ»¤"”¯ùù4bwËZ¨X à2&£‘.¿l=b, ¢,ÙlÔúAœ¦Gôì©5W0!ÒãBîV\Êå6ÔÔëߥåíýŽá;RЭ$øžv(Ó@ÃICM«Çv¹Ì_§/# È -ÙÌÑ‚§õ±Á¿2å 6ôw’ä{0ëó¬+/6A3C¿X ¬Ÿ?ö¹¤Ñ<ۈUëœ"¸¢R2ìú6ÉOôi¦Æ·:+tÝ•;¯–fnÎÇ -¥0©j T™¶„qÚ]¡ÁÂ'DY¸ ö.g¬Âñ¨û ;AJÒ´á¿ÔÍ­[ßÇHûaA@Ôñ ?ÍJµAì»tI•%[Ø­$ ҍð³"ɾs™ÿ?÷€ÿS;sc7G{c[¸ÿ£kendstream -endobj -597 0 obj << -/Type /Font -/Subtype /Type1 -/Encoding 1336 0 R -/FirstChar 2 -/LastChar 151 -/Widths 1351 0 R -/BaseFont /NEGMHA+URWPalladioL-Bold -/FontDescriptor 595 0 R ->> endobj -595 0 obj << -/Ascent 708 -/CapHeight 672 -/Descent -266 -/FontName /NEGMHA+URWPalladioL-Bold -/ItalicAngle 0 -/StemV 123 -/XHeight 471 -/FontBBox [-152 -301 1000 935] -/Flags 4 -/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash) -/FontFile 596 0 R ->> endobj -1351 0 obj -[611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 0 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ] -endobj -601 0 obj << -/Type /Pages -/Count 6 -/Parent 1352 0 R -/Kids [590 0 R 603 0 R 610 0 R 629 0 R 646 0 R 657 0 R] ->> endobj -672 0 obj << -/Type /Pages -/Count 6 -/Parent 1352 0 R -/Kids [664 0 R 674 0 R 679 0 R 687 0 R 698 0 R 706 0 R] ->> endobj -717 0 obj << -/Type /Pages -/Count 6 -/Parent 
1352 0 R -/Kids [713 0 R 720 0 R 727 0 R 739 0 R 748 0 R 753 0 R] ->> endobj -764 0 obj << -/Type /Pages -/Count 6 -/Parent 1352 0 R -/Kids [757 0 R 766 0 R 776 0 R 787 0 R 794 0 R 803 0 R] ->> endobj -813 0 obj << -/Type /Pages -/Count 6 -/Parent 1352 0 R -/Kids [807 0 R 815 0 R 819 0 R 829 0 R 835 0 R 843 0 R] ->> endobj -861 0 obj << -/Type /Pages -/Count 6 -/Parent 1352 0 R -/Kids [853 0 R 863 0 R 877 0 R 884 0 R 888 0 R 894 0 R] ->> endobj -907 0 obj << -/Type /Pages -/Count 6 -/Parent 1353 0 R -/Kids [900 0 R 909 0 R 916 0 R 920 0 R 925 0 R 931 0 R] ->> endobj -947 0 obj << -/Type /Pages -/Count 6 -/Parent 1353 0 R -/Kids [938 0 R 953 0 R 957 0 R 967 0 R 974 0 R 982 0 R] ->> endobj -992 0 obj << -/Type /Pages -/Count 6 -/Parent 1353 0 R -/Kids [986 0 R 994 0 R 1001 0 R 1006 0 R 1013 0 R 1021 0 R] ->> endobj -1035 0 obj << -/Type /Pages -/Count 6 -/Parent 1353 0 R -/Kids [1029 0 R 1037 0 R 1046 0 R 1051 0 R 1055 0 R 1063 0 R] ->> endobj -1084 0 obj << -/Type /Pages -/Count 6 -/Parent 1353 0 R -/Kids [1075 0 R 1086 0 R 1102 0 R 1114 0 R 1120 0 R 1127 0 R] ->> endobj -1149 0 obj << -/Type /Pages -/Count 6 -/Parent 1353 0 R -/Kids [1138 0 R 1151 0 R 1158 0 R 1164 0 R 1168 0 R 1176 0 R] ->> endobj -1196 0 obj << -/Type /Pages -/Count 6 -/Parent 1354 0 R -/Kids [1186 0 R 1198 0 R 1202 0 R 1209 0 R 1221 0 R 1276 0 R] ->> endobj -1335 0 obj << -/Type /Pages -/Count 1 -/Parent 1354 0 R -/Kids [1327 0 R] ->> endobj -1352 0 obj << -/Type /Pages -/Count 36 -/Parent 1355 0 R -/Kids [601 0 R 672 0 R 717 0 R 764 0 R 813 0 R 861 0 R] ->> endobj -1353 0 obj << -/Type /Pages -/Count 36 -/Parent 1355 0 R -/Kids [907 0 R 947 0 R 992 0 R 1035 0 R 1084 0 R 1149 0 R] ->> endobj -1354 0 obj << -/Type /Pages -/Count 7 -/Parent 1355 0 R -/Kids [1196 0 R 1335 0 R] ->> endobj -1355 0 obj << -/Type /Pages -/Count 79 -/Kids [1352 0 R 1353 0 R 1354 0 R] ->> endobj -1356 0 obj << -/Type /Outlines -/First 7 0 R -/Last 555 0 R -/Count 9 ->> endobj -587 0 obj << -/Title 588 0 R -/A 585 0 R 
-/Parent 575 0 R -/Prev 583 0 R ->> endobj -583 0 obj << -/Title 584 0 R -/A 581 0 R -/Parent 575 0 R -/Prev 579 0 R -/Next 587 0 R ->> endobj -579 0 obj << -/Title 580 0 R -/A 577 0 R -/Parent 575 0 R -/Next 583 0 R ->> endobj -575 0 obj << -/Title 576 0 R -/A 573 0 R -/Parent 555 0 R -/Prev 567 0 R -/First 579 0 R -/Last 587 0 R -/Count -3 ->> endobj -571 0 obj << -/Title 572 0 R -/A 569 0 R -/Parent 567 0 R ->> endobj -567 0 obj << -/Title 568 0 R -/A 565 0 R -/Parent 555 0 R -/Prev 559 0 R -/Next 575 0 R -/First 571 0 R -/Last 571 0 R -/Count -1 ->> endobj -563 0 obj << -/Title 564 0 R -/A 561 0 R -/Parent 559 0 R ->> endobj -559 0 obj << -/Title 560 0 R -/A 557 0 R -/Parent 555 0 R -/Next 567 0 R -/First 563 0 R -/Last 563 0 R -/Count -1 ->> endobj -555 0 obj << -/Title 556 0 R -/A 553 0 R -/Parent 1356 0 R -/Prev 535 0 R -/First 559 0 R -/Last 575 0 R -/Count -3 ->> endobj -551 0 obj << -/Title 552 0 R -/A 549 0 R -/Parent 535 0 R -/Prev 547 0 R ->> endobj -547 0 obj << -/Title 548 0 R -/A 545 0 R -/Parent 535 0 R -/Prev 539 0 R -/Next 551 0 R ->> endobj -543 0 obj << -/Title 544 0 R -/A 541 0 R -/Parent 539 0 R ->> endobj -539 0 obj << -/Title 540 0 R -/A 537 0 R -/Parent 535 0 R -/Next 547 0 R -/First 543 0 R -/Last 543 0 R -/Count -1 ->> endobj -535 0 obj << -/Title 536 0 R -/A 533 0 R -/Parent 1356 0 R -/Prev 511 0 R -/Next 555 0 R -/First 539 0 R -/Last 551 0 R -/Count -3 ->> endobj -531 0 obj << -/Title 532 0 R -/A 529 0 R -/Parent 511 0 R -/Prev 519 0 R ->> endobj -527 0 obj << -/Title 528 0 R -/A 525 0 R -/Parent 519 0 R -/Prev 523 0 R ->> endobj -523 0 obj << -/Title 524 0 R -/A 521 0 R -/Parent 519 0 R -/Next 527 0 R ->> endobj -519 0 obj << -/Title 520 0 R -/A 517 0 R -/Parent 511 0 R -/Prev 515 0 R -/Next 531 0 R -/First 523 0 R -/Last 527 0 R -/Count -2 ->> endobj -515 0 obj << -/Title 516 0 R -/A 513 0 R -/Parent 511 0 R -/Next 519 0 R ->> endobj -511 0 obj << -/Title 512 0 R -/A 509 0 R -/Parent 1356 0 R -/Prev 239 0 R -/Next 535 0 R -/First 
515 0 R -/Last 531 0 R -/Count -3 ->> endobj -507 0 obj << -/Title 508 0 R -/A 505 0 R -/Parent 463 0 R -/Prev 491 0 R ->> endobj -503 0 obj << -/Title 504 0 R -/A 501 0 R -/Parent 491 0 R -/Prev 499 0 R ->> endobj -499 0 obj << -/Title 500 0 R -/A 497 0 R -/Parent 491 0 R -/Prev 495 0 R -/Next 503 0 R ->> endobj -495 0 obj << -/Title 496 0 R -/A 493 0 R -/Parent 491 0 R -/Next 499 0 R ->> endobj -491 0 obj << -/Title 492 0 R -/A 489 0 R -/Parent 463 0 R -/Prev 487 0 R -/Next 507 0 R -/First 495 0 R -/Last 503 0 R -/Count -3 ->> endobj -487 0 obj << -/Title 488 0 R -/A 485 0 R -/Parent 463 0 R -/Prev 483 0 R -/Next 491 0 R ->> endobj -483 0 obj << -/Title 484 0 R -/A 481 0 R -/Parent 463 0 R -/Prev 479 0 R -/Next 487 0 R ->> endobj -479 0 obj << -/Title 480 0 R -/A 477 0 R -/Parent 463 0 R -/Prev 467 0 R -/Next 483 0 R ->> endobj -475 0 obj << -/Title 476 0 R -/A 473 0 R -/Parent 467 0 R -/Prev 471 0 R ->> endobj -471 0 obj << -/Title 472 0 R -/A 469 0 R -/Parent 467 0 R -/Next 475 0 R ->> endobj -467 0 obj << -/Title 468 0 R -/A 465 0 R -/Parent 463 0 R -/Next 479 0 R -/First 471 0 R -/Last 475 0 R -/Count -2 ->> endobj -463 0 obj << -/Title 464 0 R -/A 461 0 R -/Parent 239 0 R -/Prev 271 0 R -/First 467 0 R -/Last 507 0 R -/Count -6 ->> endobj -459 0 obj << -/Title 460 0 R -/A 457 0 R -/Parent 443 0 R -/Prev 455 0 R ->> endobj -455 0 obj << -/Title 456 0 R -/A 453 0 R -/Parent 443 0 R -/Prev 451 0 R -/Next 459 0 R ->> endobj -451 0 obj << -/Title 452 0 R -/A 449 0 R -/Parent 443 0 R -/Prev 447 0 R -/Next 455 0 R ->> endobj -447 0 obj << -/Title 448 0 R -/A 445 0 R -/Parent 443 0 R -/Next 451 0 R ->> endobj -443 0 obj << -/Title 444 0 R -/A 441 0 R -/Parent 271 0 R -/Prev 439 0 R -/First 447 0 R -/Last 459 0 R -/Count -4 ->> endobj -439 0 obj << -/Title 440 0 R -/A 437 0 R -/Parent 271 0 R -/Prev 435 0 R -/Next 443 0 R ->> endobj -435 0 obj << -/Title 436 0 R -/A 433 0 R -/Parent 271 0 R -/Prev 431 0 R -/Next 439 0 R ->> endobj -431 0 obj << -/Title 432 0 R -/A 
429 0 R -/Parent 271 0 R -/Prev 427 0 R -/Next 435 0 R ->> endobj -427 0 obj << -/Title 428 0 R -/A 425 0 R -/Parent 271 0 R -/Prev 423 0 R -/Next 431 0 R ->> endobj -423 0 obj << -/Title 424 0 R -/A 421 0 R -/Parent 271 0 R -/Prev 419 0 R -/Next 427 0 R ->> endobj -419 0 obj << -/Title 420 0 R -/A 417 0 R -/Parent 271 0 R -/Prev 415 0 R -/Next 423 0 R ->> endobj -415 0 obj << -/Title 416 0 R -/A 413 0 R -/Parent 271 0 R -/Prev 343 0 R -/Next 419 0 R ->> endobj -411 0 obj << -/Title 412 0 R -/A 409 0 R -/Parent 343 0 R -/Prev 407 0 R ->> endobj -407 0 obj << -/Title 408 0 R -/A 405 0 R -/Parent 343 0 R -/Prev 403 0 R -/Next 411 0 R ->> endobj -403 0 obj << -/Title 404 0 R -/A 401 0 R -/Parent 343 0 R -/Prev 399 0 R -/Next 407 0 R ->> endobj -399 0 obj << -/Title 400 0 R -/A 397 0 R -/Parent 343 0 R -/Prev 395 0 R -/Next 403 0 R ->> endobj -395 0 obj << -/Title 396 0 R -/A 393 0 R -/Parent 343 0 R -/Prev 391 0 R -/Next 399 0 R ->> endobj -391 0 obj << -/Title 392 0 R -/A 389 0 R -/Parent 343 0 R -/Prev 387 0 R -/Next 395 0 R ->> endobj -387 0 obj << -/Title 388 0 R -/A 385 0 R -/Parent 343 0 R -/Prev 383 0 R -/Next 391 0 R ->> endobj -383 0 obj << -/Title 384 0 R -/A 381 0 R -/Parent 343 0 R -/Prev 379 0 R -/Next 387 0 R ->> endobj -379 0 obj << -/Title 380 0 R -/A 377 0 R -/Parent 343 0 R -/Prev 375 0 R -/Next 383 0 R ->> endobj -375 0 obj << -/Title 376 0 R -/A 373 0 R -/Parent 343 0 R -/Prev 371 0 R -/Next 379 0 R ->> endobj -371 0 obj << -/Title 372 0 R -/A 369 0 R -/Parent 343 0 R -/Prev 367 0 R -/Next 375 0 R ->> endobj -367 0 obj << -/Title 368 0 R -/A 365 0 R -/Parent 343 0 R -/Prev 363 0 R -/Next 371 0 R ->> endobj -363 0 obj << -/Title 364 0 R -/A 361 0 R -/Parent 343 0 R -/Prev 359 0 R -/Next 367 0 R ->> endobj -359 0 obj << -/Title 360 0 R -/A 357 0 R -/Parent 343 0 R -/Prev 355 0 R -/Next 363 0 R ->> endobj -355 0 obj << -/Title 356 0 R -/A 353 0 R -/Parent 343 0 R -/Prev 351 0 R -/Next 359 0 R ->> endobj -351 0 obj << -/Title 352 0 R -/A 349 0 R 
-/Parent 343 0 R -/Prev 347 0 R -/Next 355 0 R ->> endobj -347 0 obj << -/Title 348 0 R -/A 345 0 R -/Parent 343 0 R -/Next 351 0 R ->> endobj -343 0 obj << -/Title 344 0 R -/A 341 0 R -/Parent 271 0 R -/Prev 339 0 R -/Next 415 0 R -/First 347 0 R -/Last 411 0 R -/Count -17 ->> endobj -339 0 obj << -/Title 340 0 R -/A 337 0 R -/Parent 271 0 R -/Prev 335 0 R -/Next 343 0 R ->> endobj -335 0 obj << -/Title 336 0 R -/A 333 0 R -/Parent 271 0 R -/Prev 331 0 R -/Next 339 0 R ->> endobj -331 0 obj << -/Title 332 0 R -/A 329 0 R -/Parent 271 0 R -/Prev 327 0 R -/Next 335 0 R ->> endobj -327 0 obj << -/Title 328 0 R -/A 325 0 R -/Parent 271 0 R -/Prev 323 0 R -/Next 331 0 R ->> endobj -323 0 obj << -/Title 324 0 R -/A 321 0 R -/Parent 271 0 R -/Prev 311 0 R -/Next 327 0 R ->> endobj -319 0 obj << -/Title 320 0 R -/A 317 0 R -/Parent 311 0 R -/Prev 315 0 R ->> endobj -315 0 obj << -/Title 316 0 R -/A 313 0 R -/Parent 311 0 R -/Next 319 0 R ->> endobj -311 0 obj << -/Title 312 0 R -/A 309 0 R -/Parent 271 0 R -/Prev 307 0 R -/Next 323 0 R -/First 315 0 R -/Last 319 0 R -/Count -2 ->> endobj -307 0 obj << -/Title 308 0 R -/A 305 0 R -/Parent 271 0 R -/Prev 303 0 R -/Next 311 0 R ->> endobj -303 0 obj << -/Title 304 0 R -/A 301 0 R -/Parent 271 0 R -/Prev 299 0 R -/Next 307 0 R ->> endobj -299 0 obj << -/Title 300 0 R -/A 297 0 R -/Parent 271 0 R -/Prev 295 0 R -/Next 303 0 R ->> endobj -295 0 obj << -/Title 296 0 R -/A 293 0 R -/Parent 271 0 R -/Prev 291 0 R -/Next 299 0 R ->> endobj -291 0 obj << -/Title 292 0 R -/A 289 0 R -/Parent 271 0 R -/Prev 287 0 R -/Next 295 0 R ->> endobj -287 0 obj << -/Title 288 0 R -/A 285 0 R -/Parent 271 0 R -/Prev 283 0 R -/Next 291 0 R ->> endobj -283 0 obj << -/Title 284 0 R -/A 281 0 R -/Parent 271 0 R -/Prev 279 0 R -/Next 287 0 R ->> endobj -279 0 obj << -/Title 280 0 R -/A 277 0 R -/Parent 271 0 R -/Prev 275 0 R -/Next 283 0 R ->> endobj -275 0 obj << -/Title 276 0 R -/A 273 0 R -/Parent 271 0 R -/Next 279 0 R ->> endobj -271 0 obj << 
-/Title 272 0 R -/A 269 0 R -/Parent 239 0 R -/Prev 243 0 R -/Next 463 0 R -/First 275 0 R -/Last 443 0 R -/Count -24 ->> endobj -267 0 obj << -/Title 268 0 R -/A 265 0 R -/Parent 259 0 R -/Prev 263 0 R ->> endobj -263 0 obj << -/Title 264 0 R -/A 261 0 R -/Parent 259 0 R -/Next 267 0 R ->> endobj -259 0 obj << -/Title 260 0 R -/A 257 0 R -/Parent 243 0 R -/Prev 247 0 R -/First 263 0 R -/Last 267 0 R -/Count -2 ->> endobj -255 0 obj << -/Title 256 0 R -/A 253 0 R -/Parent 247 0 R -/Prev 251 0 R ->> endobj -251 0 obj << -/Title 252 0 R -/A 249 0 R -/Parent 247 0 R -/Next 255 0 R ->> endobj -247 0 obj << -/Title 248 0 R -/A 245 0 R -/Parent 243 0 R -/Next 259 0 R -/First 251 0 R -/Last 255 0 R -/Count -2 ->> endobj -243 0 obj << -/Title 244 0 R -/A 241 0 R -/Parent 239 0 R -/Next 271 0 R -/First 247 0 R -/Last 259 0 R -/Count -2 ->> endobj -239 0 obj << -/Title 240 0 R -/A 237 0 R -/Parent 1356 0 R -/Prev 227 0 R -/Next 511 0 R -/First 243 0 R -/Last 463 0 R -/Count -3 ->> endobj -235 0 obj << -/Title 236 0 R -/A 233 0 R -/Parent 227 0 R -/Prev 231 0 R ->> endobj -231 0 obj << -/Title 232 0 R -/A 229 0 R -/Parent 227 0 R -/Next 235 0 R ->> endobj -227 0 obj << -/Title 228 0 R -/A 225 0 R -/Parent 1356 0 R -/Prev 131 0 R -/Next 239 0 R -/First 231 0 R -/Last 235 0 R -/Count -2 ->> endobj -223 0 obj << -/Title 224 0 R -/A 221 0 R -/Parent 215 0 R -/Prev 219 0 R ->> endobj -219 0 obj << -/Title 220 0 R -/A 217 0 R -/Parent 215 0 R -/Next 223 0 R ->> endobj -215 0 obj << -/Title 216 0 R -/A 213 0 R -/Parent 131 0 R -/Prev 199 0 R -/First 219 0 R -/Last 223 0 R -/Count -2 ->> endobj -211 0 obj << -/Title 212 0 R -/A 209 0 R -/Parent 199 0 R -/Prev 207 0 R ->> endobj -207 0 obj << -/Title 208 0 R -/A 205 0 R -/Parent 199 0 R -/Prev 203 0 R -/Next 211 0 R ->> endobj -203 0 obj << -/Title 204 0 R -/A 201 0 R -/Parent 199 0 R -/Next 207 0 R ->> endobj -199 0 obj << -/Title 200 0 R -/A 197 0 R -/Parent 131 0 R -/Prev 195 0 R -/Next 215 0 R -/First 203 0 R -/Last 211 0 R 
-/Count -3 ->> endobj -195 0 obj << -/Title 196 0 R -/A 193 0 R -/Parent 131 0 R -/Prev 191 0 R -/Next 199 0 R ->> endobj -191 0 obj << -/Title 192 0 R -/A 189 0 R -/Parent 131 0 R -/Prev 155 0 R -/Next 195 0 R ->> endobj -187 0 obj << -/Title 188 0 R -/A 185 0 R -/Parent 155 0 R -/Prev 183 0 R ->> endobj -183 0 obj << -/Title 184 0 R -/A 181 0 R -/Parent 155 0 R -/Prev 179 0 R -/Next 187 0 R ->> endobj -179 0 obj << -/Title 180 0 R -/A 177 0 R -/Parent 155 0 R -/Prev 175 0 R -/Next 183 0 R ->> endobj -175 0 obj << -/Title 176 0 R -/A 173 0 R -/Parent 155 0 R -/Prev 171 0 R -/Next 179 0 R ->> endobj -171 0 obj << -/Title 172 0 R -/A 169 0 R -/Parent 155 0 R -/Prev 159 0 R -/Next 175 0 R ->> endobj -167 0 obj << -/Title 168 0 R -/A 165 0 R -/Parent 159 0 R -/Prev 163 0 R ->> endobj -163 0 obj << -/Title 164 0 R -/A 161 0 R -/Parent 159 0 R -/Next 167 0 R ->> endobj -159 0 obj << -/Title 160 0 R -/A 157 0 R -/Parent 155 0 R -/Next 171 0 R -/First 163 0 R -/Last 167 0 R -/Count -2 ->> endobj -155 0 obj << -/Title 156 0 R -/A 153 0 R -/Parent 131 0 R -/Prev 151 0 R -/Next 191 0 R -/First 159 0 R -/Last 187 0 R -/Count -6 ->> endobj -151 0 obj << -/Title 152 0 R -/A 149 0 R -/Parent 131 0 R -/Prev 147 0 R -/Next 155 0 R ->> endobj -147 0 obj << -/Title 148 0 R -/A 145 0 R -/Parent 131 0 R -/Prev 139 0 R -/Next 151 0 R ->> endobj -143 0 obj << -/Title 144 0 R -/A 141 0 R -/Parent 139 0 R ->> endobj -139 0 obj << -/Title 140 0 R -/A 137 0 R -/Parent 131 0 R -/Prev 135 0 R -/Next 147 0 R -/First 143 0 R -/Last 143 0 R -/Count -1 ->> endobj -135 0 obj << -/Title 136 0 R -/A 133 0 R -/Parent 131 0 R -/Next 139 0 R ->> endobj -131 0 obj << -/Title 132 0 R -/A 129 0 R -/Parent 1356 0 R -/Prev 91 0 R -/Next 227 0 R -/First 135 0 R -/Last 215 0 R -/Count -9 ->> endobj -127 0 obj << -/Title 128 0 R -/A 125 0 R -/Parent 111 0 R -/Prev 115 0 R ->> endobj -123 0 obj << -/Title 124 0 R -/A 121 0 R -/Parent 115 0 R -/Prev 119 0 R ->> endobj -119 0 obj << -/Title 120 0 R -/A 117 0 R 
-/Parent 115 0 R -/Next 123 0 R ->> endobj -115 0 obj << -/Title 116 0 R -/A 113 0 R -/Parent 111 0 R -/Next 127 0 R -/First 119 0 R -/Last 123 0 R -/Count -2 ->> endobj -111 0 obj << -/Title 112 0 R -/A 109 0 R -/Parent 91 0 R -/Prev 107 0 R -/First 115 0 R -/Last 127 0 R -/Count -2 ->> endobj -107 0 obj << -/Title 108 0 R -/A 105 0 R -/Parent 91 0 R -/Prev 95 0 R -/Next 111 0 R ->> endobj -103 0 obj << -/Title 104 0 R -/A 101 0 R -/Parent 95 0 R -/Prev 99 0 R ->> endobj -99 0 obj << -/Title 100 0 R -/A 97 0 R -/Parent 95 0 R -/Next 103 0 R ->> endobj -95 0 obj << -/Title 96 0 R -/A 93 0 R -/Parent 91 0 R -/Next 107 0 R -/First 99 0 R -/Last 103 0 R -/Count -2 ->> endobj -91 0 obj << -/Title 92 0 R -/A 89 0 R -/Parent 1356 0 R -/Prev 67 0 R -/Next 131 0 R -/First 95 0 R -/Last 111 0 R -/Count -3 ->> endobj -87 0 obj << -/Title 88 0 R -/A 85 0 R -/Parent 67 0 R -/Prev 83 0 R ->> endobj -83 0 obj << -/Title 84 0 R -/A 81 0 R -/Parent 67 0 R -/Prev 79 0 R -/Next 87 0 R ->> endobj -79 0 obj << -/Title 80 0 R -/A 77 0 R -/Parent 67 0 R -/Prev 75 0 R -/Next 83 0 R ->> endobj -75 0 obj << -/Title 76 0 R -/A 73 0 R -/Parent 67 0 R -/Prev 71 0 R -/Next 79 0 R ->> endobj -71 0 obj << -/Title 72 0 R -/A 69 0 R -/Parent 67 0 R -/Next 75 0 R ->> endobj -67 0 obj << -/Title 68 0 R -/A 65 0 R -/Parent 1356 0 R -/Prev 7 0 R -/Next 91 0 R -/First 71 0 R -/Last 87 0 R -/Count -5 ->> endobj -63 0 obj << -/Title 64 0 R -/A 61 0 R -/Parent 23 0 R -/Prev 55 0 R ->> endobj -59 0 obj << -/Title 60 0 R -/A 57 0 R -/Parent 55 0 R ->> endobj -55 0 obj << -/Title 56 0 R -/A 53 0 R -/Parent 23 0 R -/Prev 39 0 R -/Next 63 0 R -/First 59 0 R -/Last 59 0 R -/Count -1 ->> endobj -51 0 obj << -/Title 52 0 R -/A 49 0 R -/Parent 39 0 R -/Prev 47 0 R ->> endobj -47 0 obj << -/Title 48 0 R -/A 45 0 R -/Parent 39 0 R -/Prev 43 0 R -/Next 51 0 R ->> endobj -43 0 obj << -/Title 44 0 R -/A 41 0 R -/Parent 39 0 R -/Next 47 0 R ->> endobj -39 0 obj << -/Title 40 0 R -/A 37 0 R -/Parent 23 0 R -/Prev 35 0 R 
-/Next 55 0 R -/First 43 0 R -/Last 51 0 R -/Count -3 ->> endobj -35 0 obj << -/Title 36 0 R -/A 33 0 R -/Parent 23 0 R -/Prev 31 0 R -/Next 39 0 R ->> endobj -31 0 obj << -/Title 32 0 R -/A 29 0 R -/Parent 23 0 R -/Prev 27 0 R -/Next 35 0 R ->> endobj -27 0 obj << -/Title 28 0 R -/A 25 0 R -/Parent 23 0 R -/Next 31 0 R ->> endobj -23 0 obj << -/Title 24 0 R -/A 21 0 R -/Parent 7 0 R -/Prev 19 0 R -/First 27 0 R -/Last 63 0 R -/Count -6 ->> endobj -19 0 obj << -/Title 20 0 R -/A 17 0 R -/Parent 7 0 R -/Prev 15 0 R -/Next 23 0 R ->> endobj -15 0 obj << -/Title 16 0 R -/A 13 0 R -/Parent 7 0 R -/Prev 11 0 R -/Next 19 0 R ->> endobj -11 0 obj << -/Title 12 0 R -/A 9 0 R -/Parent 7 0 R -/Next 15 0 R ->> endobj -7 0 obj << -/Title 8 0 R -/A 5 0 R -/Parent 1356 0 R -/Next 67 0 R -/First 11 0 R -/Last 23 0 R -/Count -4 ->> endobj -1357 0 obj << -/Names [(Access_Control_Lists) 1172 0 R (Bv9ARM.ch01) 613 0 R (Bv9ARM.ch02) 667 0 R (Bv9ARM.ch03) 682 0 R (Bv9ARM.ch04) 730 0 R (Bv9ARM.ch05) 810 0 R (Bv9ARM.ch06) 822 0 R (Bv9ARM.ch07) 1171 0 R (Bv9ARM.ch08) 1189 0 R (Bv9ARM.ch09) 1205 0 R (Configuration_File_Grammar) 849 0 R (DNSSEC) 782 0 R (Doc-Start) 594 0 R (Setting_TTLs) 1141 0 R (access_control) 963 0 R (acl) 857 0 R (address_match_lists) 827 0 R (admin_tools) 704 0 R (appendix.A) 554 0 R (bibliography) 1217 0 R (boolean_options) 736 0 R (builtin) 1025 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 226 0 R (chapter.6) 238 0 R (chapter.7) 510 0 R (chapter.8) 534 0 R (cite.RFC1034) 1233 0 R (cite.RFC1035) 1235 0 R (cite.RFC1101) 1290 0 R (cite.RFC1123) 1292 0 R (cite.RFC1183) 1270 0 R (cite.RFC1464) 1310 0 R (cite.RFC1535) 1262 0 R (cite.RFC1536) 1264 0 R (cite.RFC1537) 1300 0 R (cite.RFC1591) 1294 0 R (cite.RFC1706) 1272 0 R (cite.RFC1712) 1324 0 R (cite.RFC1713) 1312 0 R (cite.RFC1794) 1314 0 R (cite.RFC1876) 1274 0 R (cite.RFC1886) 1254 0 R (cite.RFC1912) 1302 0 R (cite.RFC1982) 1266 0 R (cite.RFC1995) 1240 0 R (cite.RFC1996) 
1242 0 R (cite.RFC2010) 1304 0 R (cite.RFC2052) 1280 0 R (cite.RFC2065) 1256 0 R (cite.RFC2136) 1244 0 R (cite.RFC2137) 1258 0 R (cite.RFC2163) 1282 0 R (cite.RFC2168) 1284 0 R (cite.RFC2181) 1246 0 R (cite.RFC2219) 1306 0 R (cite.RFC2230) 1286 0 R (cite.RFC2240) 1316 0 R (cite.RFC2308) 1248 0 R (cite.RFC2317) 1296 0 R (cite.RFC2345) 1318 0 R (cite.RFC2352) 1320 0 R (cite.RFC2845) 1250 0 R (cite.RFC974) 1237 0 R (cite.id2492354) 1333 0 R (configuration_file_elements) 823 0 R (controls_statement_definition_and_usage) 718 0 R (diagnostic_tools) 655 0 R (dynamic_update) 734 0 R (dynamic_update_policies) 774 0 R (dynamic_update_security) 972 0 R (historical_dns_information) 1212 0 R (id2465864) 614 0 R (id2466744) 615 0 R (id2466798) 619 0 R (id2466807) 620 0 R (id2467648) 690 0 R (id2467665) 691 0 R (id2468484) 635 0 R (id2468627) 637 0 R (id2468647) 638 0 R (id2468664) 999 0 R (id2468955) 639 0 R (id2469040) 642 0 R (id2469114) 649 0 R (id2469205) 652 0 R (id2469226) 653 0 R (id2469245) 654 0 R (id2469274) 660 0 R (id2469306) 661 0 R (id2469332) 662 0 R (id2469364) 668 0 R (id2469388) 669 0 R (id2469399) 670 0 R (id2469481) 671 0 R (id2469490) 677 0 R (id2469521) 684 0 R (id2469537) 685 0 R (id2470116) 694 0 R (id2470121) 695 0 R (id2471306) 723 0 R (id2471318) 724 0 R (id2471731) 745 0 R (id2472292) 761 0 R (id2472308) 762 0 R (id2472342) 763 0 R (id2472358) 769 0 R (id2472366) 770 0 R (id2472406) 771 0 R (id2472458) 772 0 R (id2472502) 779 0 R (id2472516) 780 0 R (id2472633) 781 0 R (id2472699) 790 0 R (id2472766) 791 0 R (id2472909) 792 0 R (id2472933) 797 0 R (id2472992) 799 0 R (id2473012) 800 0 R (id2473180) 811 0 R (id2473387) 824 0 R (id2474020) 832 0 R (id2474046) 833 0 R (id2474140) 838 0 R (id2474155) 839 0 R (id2474184) 840 0 R (id2474329) 850 0 R (id2474694) 856 0 R (id2474736) 858 0 R (id2474862) 860 0 R (id2475131) 868 0 R (id2475146) 869 0 R (id2475169) 870 0 R (id2475190) 871 0 R (id2475261) 880 0 R (id2475456) 881 0 R (id2475508) 882 0 R (id2476201) 
897 0 R (id2476729) 903 0 R (id2476870) 904 0 R (id2476933) 912 0 R (id2476977) 913 0 R (id2476992) 914 0 R (id2478674) 934 0 R (id2479741) 960 0 R (id2479792) 962 0 R (id2479971) 971 0 R (id2480128) 977 0 R (id2480722) 989 0 R (id2480738) 990 0 R (id2480976) 997 0 R (id2483475) 1017 0 R (id2483930) 1032 0 R (id2484556) 1042 0 R (id2484673) 1043 0 R (id2484741) 1049 0 R (id2485414) 1058 0 R (id2485420) 1059 0 R (id2485425) 1060 0 R (id2485658) 1066 0 R (id2485689) 1067 0 R (id2486790) 1105 0 R (id2486949) 1107 0 R (id2486967) 1108 0 R (id2486988) 1111 0 R (id2487128) 1117 0 R (id2487779) 1123 0 R (id2487888) 1125 0 R (id2487909) 1130 0 R (id2488198) 1132 0 R (id2488313) 1134 0 R (id2488331) 1135 0 R (id2488705) 1142 0 R (id2488878) 1144 0 R (id2488892) 1145 0 R (id2488984) 1147 0 R (id2489003) 1148 0 R (id2489059) 1154 0 R (id2489122) 1155 0 R (id2489153) 1156 0 R (id2489213) 1161 0 R (id2489545) 1182 0 R (id2489621) 1183 0 R (id2489678) 1184 0 R (id2489885) 1190 0 R (id2489891) 1191 0 R (id2489902) 1192 0 R (id2489920) 1193 0 R (id2490050) 1206 0 R (id2490055) 1207 0 R (id2490243) 1213 0 R (id2490554) 1215 0 R (id2490899) 1229 0 R (id2490901) 1231 0 R (id2490909) 1236 0 R (id2491001) 1232 0 R (id2491025) 1234 0 R (id2491062) 1245 0 R (id2491088) 1247 0 R (id2491113) 1239 0 R (id2491138) 1241 0 R (id2491161) 1243 0 R (id2491217) 1249 0 R (id2491277) 1252 0 R (id2491292) 1253 0 R (id2491331) 1255 0 R (id2491370) 1257 0 R (id2491398) 1260 0 R (id2491406) 1261 0 R (id2491432) 1263 0 R (id2491499) 1265 0 R (id2491536) 1268 0 R (id2491541) 1269 0 R (id2491598) 1271 0 R (id2491636) 1283 0 R (id2491671) 1273 0 R (id2491725) 1279 0 R (id2491765) 1281 0 R (id2491792) 1285 0 R (id2491818) 1288 0 R (id2491826) 1289 0 R (id2491851) 1291 0 R (id2491875) 1293 0 R (id2491896) 1295 0 R (id2491943) 1298 0 R (id2491950) 1299 0 R (id2491976) 1301 0 R (id2492003) 1303 0 R (id2492039) 1305 0 R (id2492078) 1308 0 R (id2492099) 1309 0 R (id2492121) 1311 0 R (id2492146) 1313 0 R 
(id2492170) 1315 0 R (id2492193) 1317 0 R (id2492238) 1319 0 R (id2492263) 1322 0 R (id2492269) 1323 0 R (id2492342) 1330 0 R (id2492352) 1332 0 R (id2492354) 1334 0 R (incremental_zone_transfers) 742 0 R (internet_drafts) 1325 0 R (ipv6addresses) 801 0 R (journal) 735 0 R (lwresd) 812 0 R (notify) 731 0 R (options) 923 0 R (page.1) 593 0 R (page.10) 689 0 R (page.11) 700 0 R (page.12) 708 0 R (page.13) 715 0 R (page.14) 722 0 R (page.15) 729 0 R (page.16) 741 0 R (page.17) 750 0 R (page.18) 755 0 R (page.19) 759 0 R (page.2) 605 0 R (page.20) 768 0 R (page.21) 778 0 R (page.22) 789 0 R (page.23) 796 0 R (page.24) 805 0 R (page.25) 809 0 R (page.26) 817 0 R (page.27) 821 0 R (page.28) 831 0 R (page.29) 837 0 R (page.3) 612 0 R (page.30) 845 0 R (page.31) 855 0 R (page.32) 865 0 R (page.33) 879 0 R (page.34) 886 0 R (page.35) 890 0 R (page.36) 896 0 R (page.37) 902 0 R (page.38) 911 0 R (page.39) 918 0 R (page.4) 631 0 R (page.40) 922 0 R (page.41) 927 0 R (page.42) 933 0 R (page.43) 940 0 R (page.44) 955 0 R (page.45) 959 0 R (page.46) 969 0 R (page.47) 976 0 R (page.48) 984 0 R (page.49) 988 0 R (page.5) 648 0 R (page.50) 996 0 R (page.51) 1003 0 R (page.52) 1008 0 R (page.53) 1015 0 R (page.54) 1023 0 R (page.55) 1031 0 R (page.56) 1039 0 R (page.57) 1048 0 R (page.58) 1053 0 R (page.59) 1057 0 R (page.6) 659 0 R (page.60) 1065 0 R (page.61) 1077 0 R (page.62) 1088 0 R (page.63) 1104 0 R (page.64) 1116 0 R (page.65) 1122 0 R (page.66) 1129 0 R (page.67) 1140 0 R (page.68) 1153 0 R (page.69) 1160 0 R (page.7) 666 0 R (page.70) 1166 0 R (page.71) 1170 0 R (page.72) 1178 0 R (page.73) 1188 0 R (page.74) 1200 0 R (page.75) 1204 0 R (page.76) 1211 0 R (page.77) 1224 0 R (page.78) 1278 0 R (page.79) 1329 0 R (page.8) 676 0 R (page.9) 681 0 R (proposed_standards) 746 0 R (rfcs) 644 0 R (rndc) 875 0 R (rrset_ordering) 696 0 R (sample_configuration) 683 0 R (section*.1) 1228 0 R (section*.10) 1321 0 R (section*.11) 1331 0 R (section*.2) 1230 0 R (section*.3) 1238 0 R 
(section*.4) 1251 0 R (section*.5) 1259 0 R (section*.6) 1267 0 R (section*.7) 1287 0 R (section*.8) 1297 0 R (section*.9) 1307 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 154 0 R (section.4.6) 190 0 R (section.4.7) 194 0 R (section.4.8) 198 0 R (section.4.9) 214 0 R (section.5.1) 230 0 R (section.5.2) 234 0 R (section.6.1) 242 0 R (section.6.2) 270 0 R (section.6.3) 462 0 R (section.7.1) 514 0 R (section.7.2) 518 0 R (section.7.3) 530 0 R (section.8.1) 538 0 R (section.8.2) 546 0 R (section.8.3) 550 0 R (section.A.1) 558 0 R (section.A.2) 566 0 R (section.A.3) 574 0 R (server_statement_definition_and_usage) 951 0 R (server_statement_grammar) 1034 0 R (statsfile) 929 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.5.1) 158 0 R (subsection.4.5.2) 170 0 R (subsection.4.5.3) 174 0 R (subsection.4.5.4) 178 0 R (subsection.4.5.5) 182 0 R (subsection.4.5.6) 186 0 R (subsection.4.8.1) 202 0 R (subsection.4.8.2) 206 0 R (subsection.4.8.3) 210 0 R (subsection.4.9.1) 218 0 R (subsection.4.9.2) 222 0 R (subsection.6.1.1) 246 0 R (subsection.6.1.2) 258 0 R (subsection.6.2.1) 274 0 R (subsection.6.2.10) 310 0 R (subsection.6.2.11) 322 0 R (subsection.6.2.12) 326 0 R (subsection.6.2.13) 330 0 R (subsection.6.2.14) 334 0 R (subsection.6.2.15) 338 0 R (subsection.6.2.16) 342 0 R (subsection.6.2.17) 414 0 R (subsection.6.2.18) 418 0 R (subsection.6.2.19) 422 0 R (subsection.6.2.2) 278 0 R (subsection.6.2.20) 426 0 R 
(subsection.6.2.21) 430 0 R (subsection.6.2.22) 434 0 R (subsection.6.2.23) 438 0 R (subsection.6.2.24) 442 0 R (subsection.6.2.3) 282 0 R (subsection.6.2.4) 286 0 R (subsection.6.2.5) 290 0 R (subsection.6.2.6) 294 0 R (subsection.6.2.7) 298 0 R (subsection.6.2.8) 302 0 R (subsection.6.2.9) 306 0 R (subsection.6.3.1) 466 0 R (subsection.6.3.2) 478 0 R (subsection.6.3.3) 482 0 R (subsection.6.3.4) 486 0 R (subsection.6.3.5) 490 0 R (subsection.6.3.6) 506 0 R (subsection.7.2.1) 522 0 R (subsection.7.2.2) 526 0 R (subsection.8.1.1) 542 0 R (subsection.A.1.1) 562 0 R (subsection.A.2.1) 570 0 R (subsection.A.3.1) 578 0 R (subsection.A.3.2) 582 0 R (subsection.A.3.3) 586 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 162 0 R (subsubsection.4.5.1.2) 166 0 R (subsubsection.6.1.1.1) 250 0 R (subsubsection.6.1.1.2) 254 0 R (subsubsection.6.1.2.1) 262 0 R (subsubsection.6.1.2.2) 266 0 R (subsubsection.6.2.10.1) 314 0 R (subsubsection.6.2.10.2) 318 0 R (subsubsection.6.2.16.1) 346 0 R (subsubsection.6.2.16.10) 382 0 R (subsubsection.6.2.16.11) 386 0 R (subsubsection.6.2.16.12) 390 0 R (subsubsection.6.2.16.13) 394 0 R (subsubsection.6.2.16.14) 398 0 R (subsubsection.6.2.16.15) 402 0 R (subsubsection.6.2.16.16) 406 0 R (subsubsection.6.2.16.17) 410 0 R (subsubsection.6.2.16.2) 350 0 R (subsubsection.6.2.16.3) 354 0 R (subsubsection.6.2.16.4) 358 0 R (subsubsection.6.2.16.5) 362 0 R (subsubsection.6.2.16.6) 366 0 R (subsubsection.6.2.16.7) 370 0 R (subsubsection.6.2.16.8) 374 0 R (subsubsection.6.2.16.9) 378 0 R (subsubsection.6.2.24.1) 446 0 R (subsubsection.6.2.24.2) 450 0 R (subsubsection.6.2.24.3) 454 0 R (subsubsection.6.2.24.4) 458 0 R (subsubsection.6.3.1.1) 470 0 R (subsubsection.6.3.1.2) 474 0 R (subsubsection.6.3.5.1) 494 0 R (subsubsection.6.3.5.2) 498 0 R (subsubsection.6.3.5.3) 502 0 R (table.1.1) 
621 0 R (table.1.2) 636 0 R (table.3.1) 692 0 R (table.3.2) 725 0 R (table.6.1) 825 0 R (table.6.10) 1112 0 R (table.6.11) 1118 0 R (table.6.12) 1124 0 R (table.6.13) 1131 0 R (table.6.14) 1133 0 R (table.6.15) 1136 0 R (table.6.16) 1143 0 R (table.6.17) 1146 0 R (table.6.18) 1162 0 R (table.6.2) 851 0 R (table.6.3) 859 0 R (table.6.4) 898 0 R (table.6.5) 935 0 R (table.6.6) 1018 0 R (table.6.7) 1033 0 R (table.6.8) 1061 0 R (table.6.9) 1106 0 R (table.A.1) 1214 0 R (table.A.2) 1216 0 R (the_category_phrase) 892 0 R (the_sortlist_statement) 1009 0 R (topology) 1004 0 R (tsig) 760 0 R (tuning) 1019 0 R (types_of_resource_records_and_when_to_use_them) 643 0 R (view_statement_grammar) 1027 0 R (zone_statement_grammar) 965 0 R (zone_transfers) 737 0 R] -/Limits [(Access_Control_Lists) (zone_transfers)] ->> endobj -1358 0 obj << -/Kids [1357 0 R] ->> endobj -1359 0 obj << -/Dests 1358 0 R ->> endobj -1360 0 obj << -/Type /Catalog -/Pages 1355 0 R -/Outlines 1356 0 R -/Names 1359 0 R -/PageMode /UseOutlines -/OpenAction 589 0 R ->> endobj -1361 0 obj << -/Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords() -/CreationDate (D:20051104123603+11'00') -/PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4) ->> endobj -xref -0 1362 -0000000001 65535 f -0000000002 00000 f -0000000003 00000 f -0000000004 00000 f -0000000000 00000 f -0000000009 00000 n -0000018859 00000 n -0000483529 00000 n -0000000054 00000 n -0000000086 00000 n -0000018983 00000 n -0000483457 00000 n -0000000133 00000 n -0000000173 00000 n -0000019108 00000 n -0000483371 00000 n -0000000221 00000 n -0000000273 00000 n -0000019233 00000 n -0000483285 00000 n -0000000321 00000 n -0000000377 00000 n -0000023668 00000 n -0000483175 00000 n -0000000425 00000 n -0000000478 00000 n -0000023792 00000 n -0000483101 00000 n -0000000531 00000 n -0000000572 00000 n -0000023917 00000 n -0000483014 00000 n -0000000625 00000 n 
-0000000674 00000 n -0000024042 00000 n -0000482927 00000 n -0000000727 00000 n -0000000757 00000 n -0000028190 00000 n -0000482803 00000 n -0000000810 00000 n -0000000861 00000 n -0000028315 00000 n -0000482729 00000 n -0000000919 00000 n -0000000964 00000 n -0000028440 00000 n -0000482642 00000 n -0000001022 00000 n -0000001062 00000 n -0000028565 00000 n -0000482568 00000 n -0000001120 00000 n -0000001162 00000 n -0000031474 00000 n -0000482444 00000 n -0000001215 00000 n -0000001260 00000 n -0000031599 00000 n -0000482383 00000 n -0000001318 00000 n -0000001355 00000 n -0000031724 00000 n -0000482309 00000 n -0000001408 00000 n -0000001463 00000 n -0000034112 00000 n -0000482184 00000 n -0000001509 00000 n -0000001556 00000 n -0000034237 00000 n -0000482110 00000 n -0000001604 00000 n -0000001648 00000 n -0000034362 00000 n -0000482023 00000 n -0000001696 00000 n -0000001735 00000 n -0000034485 00000 n -0000481936 00000 n -0000001783 00000 n -0000001825 00000 n -0000034609 00000 n -0000481849 00000 n -0000001873 00000 n -0000001936 00000 n -0000035645 00000 n -0000481775 00000 n -0000001984 00000 n -0000002034 00000 n -0000037323 00000 n -0000481647 00000 n -0000002080 00000 n -0000002126 00000 n -0000037447 00000 n -0000481534 00000 n -0000002174 00000 n -0000002218 00000 n -0000037572 00000 n -0000481458 00000 n -0000002271 00000 n -0000002323 00000 n -0000037697 00000 n -0000481381 00000 n -0000002377 00000 n -0000002436 00000 n -0000040313 00000 n -0000481290 00000 n -0000002485 00000 n -0000002523 00000 n -0000040564 00000 n -0000481173 00000 n -0000002572 00000 n -0000002618 00000 n -0000040690 00000 n -0000481055 00000 n -0000002672 00000 n -0000002739 00000 n -0000043869 00000 n -0000480976 00000 n -0000002798 00000 n -0000002842 00000 n -0000043995 00000 n -0000480897 00000 n -0000002901 00000 n -0000002949 00000 n -0000053818 00000 n -0000480818 00000 n -0000003003 00000 n -0000003036 00000 n -0000057084 00000 n -0000480686 00000 n -0000003083 00000 n 
-0000003126 00000 n -0000057210 00000 n -0000480607 00000 n -0000003175 00000 n -0000003205 00000 n -0000057336 00000 n -0000480475 00000 n -0000003254 00000 n -0000003292 00000 n -0000057461 00000 n -0000480410 00000 n -0000003346 00000 n -0000003388 00000 n -0000061908 00000 n -0000480317 00000 n -0000003437 00000 n -0000003496 00000 n -0000062034 00000 n -0000480224 00000 n -0000003545 00000 n -0000003578 00000 n -0000068735 00000 n -0000480092 00000 n -0000003627 00000 n -0000003655 00000 n -0000068861 00000 n -0000479974 00000 n -0000003709 00000 n -0000003778 00000 n -0000068987 00000 n -0000479895 00000 n -0000003837 00000 n -0000003885 00000 n -0000069113 00000 n -0000479816 00000 n -0000003944 00000 n -0000003989 00000 n -0000072115 00000 n -0000479723 00000 n -0000004043 00000 n -0000004111 00000 n -0000072241 00000 n -0000479630 00000 n -0000004165 00000 n -0000004235 00000 n -0000072367 00000 n -0000479537 00000 n -0000004289 00000 n -0000004352 00000 n -0000072493 00000 n -0000479444 00000 n -0000004406 00000 n -0000004461 00000 n -0000076214 00000 n -0000479365 00000 n -0000004515 00000 n -0000004547 00000 n -0000076340 00000 n -0000479272 00000 n -0000004596 00000 n -0000004624 00000 n -0000076465 00000 n -0000479179 00000 n -0000004673 00000 n -0000004705 00000 n -0000076591 00000 n -0000479047 00000 n -0000004754 00000 n -0000004784 00000 n -0000080038 00000 n -0000478968 00000 n -0000004838 00000 n -0000004879 00000 n -0000080163 00000 n -0000478875 00000 n -0000004933 00000 n -0000004975 00000 n -0000080289 00000 n -0000478796 00000 n -0000005029 00000 n -0000005074 00000 n -0000082997 00000 n -0000478678 00000 n -0000005123 00000 n -0000005169 00000 n -0000083123 00000 n -0000478599 00000 n -0000005223 00000 n -0000005283 00000 n -0000083249 00000 n -0000478520 00000 n -0000005337 00000 n -0000005406 00000 n -0000086059 00000 n -0000478387 00000 n -0000005453 00000 n -0000005506 00000 n -0000086185 00000 n -0000478308 00000 n -0000005555 00000 n 
-0000005611 00000 n -0000086311 00000 n -0000478229 00000 n -0000005660 00000 n -0000005709 00000 n -0000090413 00000 n -0000478096 00000 n -0000005756 00000 n -0000005808 00000 n -0000090539 00000 n -0000477978 00000 n -0000005857 00000 n -0000005908 00000 n -0000094681 00000 n -0000477860 00000 n -0000005962 00000 n -0000006007 00000 n -0000094806 00000 n -0000477781 00000 n -0000006066 00000 n -0000006100 00000 n -0000094931 00000 n -0000477702 00000 n -0000006159 00000 n -0000006207 00000 n -0000098209 00000 n -0000477584 00000 n -0000006261 00000 n -0000006301 00000 n -0000098335 00000 n -0000477505 00000 n -0000006360 00000 n -0000006394 00000 n -0000098461 00000 n -0000477426 00000 n -0000006453 00000 n -0000006501 00000 n -0000102189 00000 n -0000477293 00000 n -0000006550 00000 n -0000006600 00000 n -0000105995 00000 n -0000477214 00000 n -0000006654 00000 n -0000006701 00000 n -0000106121 00000 n -0000477121 00000 n -0000006755 00000 n -0000006815 00000 n -0000106371 00000 n -0000477028 00000 n -0000006869 00000 n -0000006921 00000 n -0000106497 00000 n -0000476935 00000 n -0000006975 00000 n -0000007040 00000 n -0000111147 00000 n -0000476842 00000 n -0000007094 00000 n -0000007145 00000 n -0000111273 00000 n -0000476749 00000 n -0000007199 00000 n -0000007263 00000 n -0000111399 00000 n -0000476656 00000 n -0000007317 00000 n -0000007364 00000 n -0000111525 00000 n -0000476563 00000 n -0000007418 00000 n -0000007478 00000 n -0000114467 00000 n -0000476470 00000 n -0000007532 00000 n -0000007583 00000 n -0000114593 00000 n -0000476338 00000 n -0000007638 00000 n -0000007703 00000 n -0000114719 00000 n -0000476259 00000 n -0000007763 00000 n -0000007810 00000 n -0000125127 00000 n -0000476180 00000 n -0000007870 00000 n -0000007918 00000 n -0000128845 00000 n -0000476087 00000 n -0000007973 00000 n -0000008023 00000 n -0000128971 00000 n -0000475994 00000 n -0000008078 00000 n -0000008141 00000 n -0000130711 00000 n -0000475901 00000 n -0000008196 00000 n 
-0000008248 00000 n -0000130837 00000 n -0000475808 00000 n -0000008303 00000 n -0000008368 00000 n -0000130963 00000 n -0000475715 00000 n -0000008423 00000 n -0000008475 00000 n -0000136313 00000 n -0000475582 00000 n -0000008530 00000 n -0000008595 00000 n -0000140379 00000 n -0000475503 00000 n -0000008655 00000 n -0000008699 00000 n -0000159492 00000 n -0000475410 00000 n -0000008759 00000 n -0000008798 00000 n -0000159618 00000 n -0000475317 00000 n -0000008858 00000 n -0000008905 00000 n -0000159743 00000 n -0000475224 00000 n -0000008965 00000 n -0000009008 00000 n -0000163657 00000 n -0000475131 00000 n -0000009068 00000 n -0000009107 00000 n -0000166745 00000 n -0000475038 00000 n -0000009167 00000 n -0000009209 00000 n -0000166871 00000 n -0000474945 00000 n -0000009269 00000 n -0000009312 00000 n -0000174775 00000 n -0000474852 00000 n -0000009372 00000 n -0000009419 00000 n -0000174899 00000 n -0000474759 00000 n -0000009479 00000 n -0000009540 00000 n -0000178845 00000 n -0000474666 00000 n -0000009601 00000 n -0000009653 00000 n -0000178971 00000 n -0000474573 00000 n -0000009714 00000 n -0000009767 00000 n -0000181984 00000 n -0000474480 00000 n -0000009828 00000 n -0000009866 00000 n -0000185943 00000 n -0000474387 00000 n -0000009927 00000 n -0000009979 00000 n -0000189321 00000 n -0000474294 00000 n -0000010040 00000 n -0000010084 00000 n -0000189579 00000 n -0000474201 00000 n -0000010145 00000 n -0000010181 00000 n -0000194073 00000 n -0000474108 00000 n -0000010242 00000 n -0000010305 00000 n -0000197229 00000 n -0000474029 00000 n -0000010366 00000 n -0000010415 00000 n -0000197486 00000 n -0000473936 00000 n -0000010470 00000 n -0000010521 00000 n -0000197615 00000 n -0000473843 00000 n -0000010576 00000 n -0000010640 00000 n -0000202325 00000 n -0000473750 00000 n -0000010695 00000 n -0000010752 00000 n -0000202454 00000 n -0000473657 00000 n -0000010807 00000 n -0000010877 00000 n -0000206017 00000 n -0000473564 00000 n -0000010932 00000 n 
-0000010981 00000 n -0000206146 00000 n -0000473471 00000 n -0000011036 00000 n -0000011098 00000 n -0000207911 00000 n -0000473378 00000 n -0000011153 00000 n -0000011202 00000 n -0000211360 00000 n -0000473260 00000 n -0000011257 00000 n -0000011319 00000 n -0000211489 00000 n -0000473181 00000 n -0000011379 00000 n -0000011418 00000 n -0000216452 00000 n -0000473088 00000 n -0000011478 00000 n -0000011512 00000 n -0000216581 00000 n -0000472995 00000 n -0000011572 00000 n -0000011613 00000 n -0000226764 00000 n -0000472916 00000 n -0000011673 00000 n -0000011725 00000 n -0000230938 00000 n -0000472798 00000 n -0000011774 00000 n -0000011807 00000 n -0000231067 00000 n -0000472680 00000 n -0000011861 00000 n -0000011933 00000 n -0000231195 00000 n -0000472601 00000 n -0000011992 00000 n -0000012036 00000 n -0000238969 00000 n -0000472522 00000 n -0000012095 00000 n -0000012148 00000 n -0000242553 00000 n -0000472429 00000 n -0000012202 00000 n -0000012252 00000 n -0000245916 00000 n -0000472336 00000 n -0000012306 00000 n -0000012344 00000 n -0000246174 00000 n -0000472243 00000 n -0000012398 00000 n -0000012447 00000 n -0000246432 00000 n -0000472111 00000 n -0000012501 00000 n -0000012553 00000 n -0000246561 00000 n -0000472032 00000 n -0000012612 00000 n -0000012664 00000 n -0000249442 00000 n -0000471939 00000 n -0000012723 00000 n -0000012776 00000 n -0000249571 00000 n -0000471860 00000 n -0000012835 00000 n -0000012884 00000 n -0000249700 00000 n -0000471781 00000 n -0000012938 00000 n -0000013018 00000 n -0000255562 00000 n -0000471648 00000 n -0000013065 00000 n -0000013117 00000 n -0000255691 00000 n -0000471569 00000 n -0000013166 00000 n -0000013210 00000 n -0000259402 00000 n -0000471437 00000 n -0000013259 00000 n -0000013321 00000 n -0000259531 00000 n -0000471358 00000 n -0000013375 00000 n -0000013423 00000 n -0000259660 00000 n -0000471279 00000 n -0000013477 00000 n -0000013528 00000 n -0000259789 00000 n -0000471200 00000 n -0000013577 00000 n 
-0000013624 00000 n -0000262719 00000 n -0000471067 00000 n -0000013671 00000 n -0000013708 00000 n -0000262848 00000 n -0000470949 00000 n -0000013757 00000 n -0000013796 00000 n -0000262977 00000 n -0000470884 00000 n -0000013850 00000 n -0000013928 00000 n -0000263106 00000 n -0000470791 00000 n -0000013977 00000 n -0000014044 00000 n -0000263235 00000 n -0000470712 00000 n -0000014093 00000 n -0000014138 00000 n -0000266737 00000 n -0000470593 00000 n -0000014186 00000 n -0000014218 00000 n -0000266866 00000 n -0000470475 00000 n -0000014267 00000 n -0000014306 00000 n -0000266995 00000 n -0000470410 00000 n -0000014360 00000 n -0000014421 00000 n -0000271002 00000 n -0000470278 00000 n -0000014470 00000 n -0000014527 00000 n -0000271131 00000 n -0000470213 00000 n -0000014581 00000 n -0000014630 00000 n -0000271519 00000 n -0000470095 00000 n -0000014679 00000 n -0000014741 00000 n -0000271648 00000 n -0000470016 00000 n -0000014795 00000 n -0000014850 00000 n -0000284749 00000 n -0000469923 00000 n -0000014904 00000 n -0000014945 00000 n -0000285811 00000 n -0000469844 00000 n -0000014999 00000 n -0000015051 00000 n -0000015405 00000 n -0000015653 00000 n -0000015104 00000 n -0000015527 00000 n -0000015590 00000 n -0000466703 00000 n -0000441039 00000 n -0000466529 00000 n -0000439990 00000 n -0000414055 00000 n -0000439816 00000 n -0000467708 00000 n -0000016305 00000 n -0000016120 00000 n -0000015738 00000 n -0000016242 00000 n -0000413370 00000 n -0000411224 00000 n -0000413206 00000 n -0000019484 00000 n -0000018674 00000 n -0000016390 00000 n -0000018796 00000 n -0000018920 00000 n -0000019045 00000 n -0000019170 00000 n -0000410370 00000 n -0000390012 00000 n -0000410196 00000 n -0000019295 00000 n -0000019358 00000 n -0000019421 00000 n -0000389071 00000 n -0000369672 00000 n -0000388898 00000 n -0000368945 00000 n -0000352561 00000 n -0000368772 00000 n -0000024167 00000 n -0000022985 00000 n -0000019608 00000 n -0000023479 00000 n -0000352026 00000 n 
-0000335109 00000 n -0000351842 00000 n -0000023542 00000 n -0000023605 00000 n -0000023729 00000 n -0000023854 00000 n -0000023979 00000 n -0000023135 00000 n -0000023328 00000 n -0000024104 00000 n -0000231131 00000 n -0000271712 00000 n -0000028690 00000 n -0000027655 00000 n -0000024291 00000 n -0000028127 00000 n -0000028252 00000 n -0000027805 00000 n -0000027967 00000 n -0000028377 00000 n -0000028502 00000 n -0000028627 00000 n -0000043932 00000 n -0000031848 00000 n -0000031289 00000 n -0000028814 00000 n -0000031411 00000 n -0000031536 00000 n -0000031661 00000 n -0000031785 00000 n -0000034734 00000 n -0000033927 00000 n -0000031959 00000 n -0000034049 00000 n -0000034174 00000 n -0000034299 00000 n -0000034424 00000 n -0000034546 00000 n -0000034671 00000 n -0000467826 00000 n -0000035770 00000 n -0000035460 00000 n -0000034819 00000 n -0000035582 00000 n -0000035707 00000 n -0000037823 00000 n -0000037138 00000 n -0000035868 00000 n -0000037260 00000 n -0000037385 00000 n -0000037509 00000 n -0000037634 00000 n -0000037760 00000 n -0000040816 00000 n -0000039949 00000 n -0000037921 00000 n -0000040250 00000 n -0000040376 00000 n -0000040439 00000 n -0000040501 00000 n -0000040091 00000 n -0000040627 00000 n -0000040753 00000 n -0000189385 00000 n -0000044121 00000 n -0000043684 00000 n -0000040927 00000 n -0000043806 00000 n -0000334582 00000 n -0000325273 00000 n -0000334405 00000 n -0000044058 00000 n -0000047626 00000 n -0000047441 00000 n -0000044245 00000 n -0000047563 00000 n -0000324830 00000 n -0000318031 00000 n -0000324653 00000 n -0000051895 00000 n -0000051505 00000 n -0000047789 00000 n -0000051832 00000 n -0000051647 00000 n -0000467944 00000 n -0000106560 00000 n -0000054068 00000 n -0000053633 00000 n -0000052032 00000 n -0000053755 00000 n -0000053881 00000 n -0000053942 00000 n -0000054005 00000 n -0000057587 00000 n -0000056549 00000 n -0000054192 00000 n -0000057021 00000 n -0000057147 00000 n -0000057273 00000 n -0000056699 00000 n 
-0000056860 00000 n -0000057398 00000 n -0000057524 00000 n -0000140442 00000 n -0000166934 00000 n -0000062160 00000 n -0000061369 00000 n -0000057685 00000 n -0000061845 00000 n -0000061971 00000 n -0000061519 00000 n -0000061684 00000 n -0000062097 00000 n -0000276260 00000 n -0000064989 00000 n -0000064617 00000 n -0000062310 00000 n -0000064926 00000 n -0000064759 00000 n -0000066145 00000 n -0000065960 00000 n -0000065113 00000 n -0000066082 00000 n -0000069239 00000 n -0000068550 00000 n -0000066243 00000 n -0000068672 00000 n -0000068798 00000 n -0000068924 00000 n -0000069050 00000 n -0000069176 00000 n -0000468062 00000 n -0000072619 00000 n -0000071742 00000 n -0000069376 00000 n -0000072052 00000 n -0000072178 00000 n -0000072304 00000 n -0000072430 00000 n -0000072556 00000 n -0000071884 00000 n -0000226828 00000 n -0000076716 00000 n -0000076029 00000 n -0000072756 00000 n -0000076151 00000 n -0000076277 00000 n -0000076403 00000 n -0000076528 00000 n -0000076653 00000 n -0000317678 00000 n -0000315683 00000 n -0000317515 00000 n -0000080413 00000 n -0000079853 00000 n -0000076853 00000 n -0000079975 00000 n -0000080100 00000 n -0000080226 00000 n -0000080350 00000 n -0000083375 00000 n -0000082633 00000 n -0000080537 00000 n -0000082934 00000 n -0000083060 00000 n -0000082775 00000 n -0000083186 00000 n -0000083312 00000 n -0000271195 00000 n -0000083833 00000 n -0000083648 00000 n -0000083499 00000 n -0000083770 00000 n -0000086437 00000 n -0000085874 00000 n -0000083874 00000 n -0000085996 00000 n -0000086122 00000 n -0000086248 00000 n -0000086374 00000 n -0000468180 00000 n -0000086869 00000 n -0000086684 00000 n -0000086535 00000 n -0000086806 00000 n -0000090790 00000 n -0000090042 00000 n -0000086910 00000 n -0000090350 00000 n -0000090476 00000 n -0000090601 00000 n -0000090664 00000 n -0000090727 00000 n -0000090184 00000 n -0000094744 00000 n -0000095057 00000 n -0000094496 00000 n -0000090888 00000 n -0000094618 00000 n -0000094868 00000 n 
-0000094994 00000 n -0000098587 00000 n -0000098024 00000 n -0000095194 00000 n -0000098146 00000 n -0000098272 00000 n -0000098398 00000 n -0000098524 00000 n -0000101201 00000 n -0000102440 00000 n -0000101079 00000 n -0000098698 00000 n -0000102126 00000 n -0000314870 00000 n -0000306196 00000 n -0000314698 00000 n -0000102252 00000 n -0000102315 00000 n -0000102378 00000 n -0000106623 00000 n -0000105810 00000 n -0000102592 00000 n -0000105932 00000 n -0000106058 00000 n -0000106182 00000 n -0000106245 00000 n -0000106308 00000 n -0000106434 00000 n -0000468298 00000 n -0000111651 00000 n -0000110085 00000 n -0000106734 00000 n -0000111084 00000 n -0000110259 00000 n -0000110409 00000 n -0000111210 00000 n -0000111336 00000 n -0000111462 00000 n -0000111588 00000 n -0000110567 00000 n -0000110718 00000 n -0000110902 00000 n -0000286325 00000 n -0000114845 00000 n -0000114282 00000 n -0000111788 00000 n -0000114404 00000 n -0000114530 00000 n -0000114656 00000 n -0000114782 00000 n -0000119363 00000 n -0000119178 00000 n -0000114982 00000 n -0000119300 00000 n -0000122390 00000 n -0000122020 00000 n -0000119474 00000 n -0000122327 00000 n -0000122162 00000 n -0000125190 00000 n -0000125379 00000 n -0000124942 00000 n -0000122501 00000 n -0000125064 00000 n -0000125253 00000 n -0000125316 00000 n -0000129097 00000 n -0000128329 00000 n -0000125490 00000 n -0000128782 00000 n -0000128908 00000 n -0000129034 00000 n -0000128479 00000 n -0000128630 00000 n -0000468416 00000 n -0000131089 00000 n -0000130526 00000 n -0000129208 00000 n -0000130648 00000 n -0000130774 00000 n -0000130900 00000 n -0000131026 00000 n -0000132625 00000 n -0000132440 00000 n -0000131200 00000 n -0000132562 00000 n -0000136439 00000 n -0000136128 00000 n -0000132723 00000 n -0000136250 00000 n -0000136376 00000 n -0000140505 00000 n -0000140019 00000 n -0000136563 00000 n -0000140316 00000 n -0000140161 00000 n -0000197293 00000 n -0000144437 00000 n -0000144127 00000 n -0000140629 00000 n 
-0000144249 00000 n -0000144312 00000 n -0000144374 00000 n -0000148409 00000 n -0000151142 00000 n -0000148227 00000 n -0000144561 00000 n -0000151079 00000 n -0000150045 00000 n -0000150198 00000 n -0000150354 00000 n -0000150538 00000 n -0000150711 00000 n -0000150895 00000 n -0000468534 00000 n -0000149877 00000 n -0000149934 00000 n -0000150023 00000 n -0000197679 00000 n -0000155337 00000 n -0000155152 00000 n -0000151320 00000 n -0000155274 00000 n -0000159869 00000 n -0000158946 00000 n -0000155461 00000 n -0000159429 00000 n -0000159555 00000 n -0000159096 00000 n -0000159681 00000 n -0000159806 00000 n -0000159264 00000 n -0000207975 00000 n -0000163782 00000 n -0000163282 00000 n -0000159980 00000 n -0000163594 00000 n -0000163424 00000 n -0000163720 00000 n -0000259852 00000 n -0000166997 00000 n -0000166560 00000 n -0000163906 00000 n -0000166682 00000 n -0000166808 00000 n -0000305670 00000 n -0000297780 00000 n -0000305497 00000 n -0000170997 00000 n -0000170812 00000 n -0000167162 00000 n -0000170934 00000 n -0000175025 00000 n -0000174397 00000 n -0000171108 00000 n -0000174712 00000 n -0000174836 00000 n -0000174962 00000 n -0000174539 00000 n -0000468652 00000 n -0000179097 00000 n -0000178486 00000 n -0000175190 00000 n -0000178782 00000 n -0000178908 00000 n -0000178628 00000 n -0000179034 00000 n -0000182112 00000 n -0000181794 00000 n -0000179208 00000 n -0000181919 00000 n -0000182047 00000 n -0000186072 00000 n -0000185406 00000 n -0000182278 00000 n -0000185878 00000 n -0000186007 00000 n -0000185561 00000 n -0000185723 00000 n -0000189708 00000 n -0000188941 00000 n -0000186184 00000 n -0000189256 00000 n -0000189087 00000 n -0000189449 00000 n -0000189514 00000 n -0000189643 00000 n -0000194202 00000 n -0000193524 00000 n -0000189874 00000 n -0000194008 00000 n -0000193679 00000 n -0000194137 00000 n -0000193841 00000 n -0000206081 00000 n -0000197742 00000 n -0000197038 00000 n -0000194368 00000 n -0000197164 00000 n -0000197357 00000 n 
-0000197421 00000 n -0000197550 00000 n -0000468774 00000 n -0000202583 00000 n -0000201630 00000 n -0000197854 00000 n -0000202260 00000 n -0000201795 00000 n -0000201945 00000 n -0000202389 00000 n -0000202518 00000 n -0000202107 00000 n -0000206275 00000 n -0000205826 00000 n -0000202695 00000 n -0000205952 00000 n -0000206210 00000 n -0000208039 00000 n -0000207720 00000 n -0000206387 00000 n -0000207846 00000 n -0000211746 00000 n -0000211169 00000 n -0000208151 00000 n -0000211295 00000 n -0000211424 00000 n -0000211553 00000 n -0000211618 00000 n -0000211683 00000 n -0000216710 00000 n -0000215208 00000 n -0000211858 00000 n -0000216387 00000 n -0000216516 00000 n -0000216645 00000 n -0000215400 00000 n -0000215562 00000 n -0000215724 00000 n -0000215886 00000 n -0000216057 00000 n -0000216227 00000 n -0000221529 00000 n -0000220300 00000 n -0000216822 00000 n -0000221464 00000 n -0000220492 00000 n -0000220655 00000 n -0000220817 00000 n -0000220979 00000 n -0000221139 00000 n -0000221301 00000 n -0000468899 00000 n -0000226892 00000 n -0000224533 00000 n -0000221654 00000 n -0000226699 00000 n -0000224779 00000 n -0000224932 00000 n -0000225094 00000 n -0000225256 00000 n -0000225418 00000 n -0000225580 00000 n -0000225742 00000 n -0000225904 00000 n -0000226066 00000 n -0000226220 00000 n -0000226381 00000 n -0000226536 00000 n -0000231452 00000 n -0000230255 00000 n -0000227017 00000 n -0000230743 00000 n -0000230808 00000 n -0000230873 00000 n -0000231002 00000 n -0000231259 00000 n -0000230411 00000 n -0000230581 00000 n -0000231324 00000 n -0000231388 00000 n -0000235060 00000 n -0000234739 00000 n -0000231577 00000 n -0000234865 00000 n -0000234930 00000 n -0000234995 00000 n -0000239098 00000 n -0000238648 00000 n -0000235159 00000 n -0000238774 00000 n -0000238839 00000 n -0000238904 00000 n -0000239033 00000 n -0000242812 00000 n -0000242102 00000 n -0000239223 00000 n -0000242228 00000 n -0000242293 00000 n -0000242358 00000 n -0000242423 00000 n 
-0000242488 00000 n -0000242617 00000 n -0000242682 00000 n -0000242747 00000 n -0000246688 00000 n -0000245725 00000 n -0000242937 00000 n -0000245851 00000 n -0000245980 00000 n -0000246045 00000 n -0000246110 00000 n -0000246238 00000 n -0000246302 00000 n -0000246367 00000 n -0000246496 00000 n -0000246624 00000 n -0000469024 00000 n -0000249829 00000 n -0000249251 00000 n -0000246880 00000 n -0000249377 00000 n -0000249506 00000 n -0000249635 00000 n -0000249764 00000 n -0000252798 00000 n -0000252477 00000 n -0000250021 00000 n -0000252603 00000 n -0000252668 00000 n -0000252733 00000 n -0000253251 00000 n -0000253060 00000 n -0000252910 00000 n -0000253186 00000 n -0000255820 00000 n -0000254911 00000 n -0000253293 00000 n -0000255497 00000 n -0000255626 00000 n -0000255755 00000 n -0000255067 00000 n -0000255282 00000 n -0000259916 00000 n -0000259211 00000 n -0000255945 00000 n -0000259337 00000 n -0000297459 00000 n -0000288246 00000 n -0000297273 00000 n -0000259466 00000 n -0000259595 00000 n -0000259724 00000 n -0000263363 00000 n -0000262137 00000 n -0000260081 00000 n -0000262654 00000 n -0000262783 00000 n -0000262912 00000 n -0000263041 00000 n -0000263170 00000 n -0000263299 00000 n -0000262293 00000 n -0000262465 00000 n -0000469149 00000 n -0000263816 00000 n -0000263625 00000 n -0000263475 00000 n -0000263751 00000 n -0000267124 00000 n -0000266546 00000 n -0000263858 00000 n -0000266672 00000 n -0000266801 00000 n -0000266930 00000 n -0000267059 00000 n -0000271776 00000 n -0000270426 00000 n -0000267210 00000 n -0000270937 00000 n -0000271066 00000 n -0000271259 00000 n -0000271324 00000 n -0000271389 00000 n -0000271454 00000 n -0000271583 00000 n -0000270582 00000 n -0000270760 00000 n -0000278658 00000 n -0000274598 00000 n -0000271927 00000 n -0000274772 00000 n -0000275480 00000 n -0000274950 00000 n -0000275128 00000 n -0000275304 00000 n -0000275545 00000 n -0000275610 00000 n -0000275675 00000 n -0000275740 00000 n -0000275805 00000 n 
-0000275870 00000 n -0000275935 00000 n -0000276000 00000 n -0000276065 00000 n -0000276130 00000 n -0000276195 00000 n -0000276324 00000 n -0000276389 00000 n -0000276454 00000 n -0000276519 00000 n -0000276584 00000 n -0000276648 00000 n -0000276713 00000 n -0000276777 00000 n -0000276842 00000 n -0000276907 00000 n -0000276972 00000 n -0000277037 00000 n -0000277101 00000 n -0000277166 00000 n -0000277231 00000 n -0000277296 00000 n -0000277361 00000 n -0000277426 00000 n -0000277491 00000 n -0000277555 00000 n -0000277620 00000 n -0000277685 00000 n -0000277750 00000 n -0000277815 00000 n -0000277880 00000 n -0000277945 00000 n -0000278010 00000 n -0000278075 00000 n -0000278140 00000 n -0000278205 00000 n -0000278270 00000 n -0000278335 00000 n -0000278400 00000 n -0000278465 00000 n -0000278530 00000 n -0000278594 00000 n -0000284877 00000 n -0000281570 00000 n -0000278809 00000 n -0000281696 00000 n -0000281761 00000 n -0000281826 00000 n -0000281891 00000 n -0000281956 00000 n -0000282021 00000 n -0000282085 00000 n -0000282150 00000 n -0000282215 00000 n -0000282280 00000 n -0000282345 00000 n -0000282410 00000 n -0000282475 00000 n -0000282540 00000 n -0000282605 00000 n -0000282670 00000 n -0000282735 00000 n -0000282800 00000 n -0000282865 00000 n -0000282930 00000 n -0000282995 00000 n -0000283060 00000 n -0000283125 00000 n -0000283190 00000 n -0000283254 00000 n -0000283319 00000 n -0000283384 00000 n -0000283449 00000 n -0000283514 00000 n -0000283579 00000 n -0000283644 00000 n -0000283709 00000 n -0000283774 00000 n -0000283839 00000 n -0000283904 00000 n -0000283969 00000 n -0000284034 00000 n -0000284099 00000 n -0000284164 00000 n -0000284229 00000 n -0000284294 00000 n -0000284359 00000 n -0000284424 00000 n -0000284489 00000 n -0000284554 00000 n -0000284619 00000 n -0000284684 00000 n -0000284813 00000 n -0000286200 00000 n -0000285620 00000 n -0000284989 00000 n -0000285746 00000 n -0000285875 00000 n -0000285940 00000 n -0000286005 00000 n 
-0000286070 00000 n -0000286135 00000 n -0000469274 00000 n -0000286357 00000 n -0000297701 00000 n -0000305945 00000 n -0000315264 00000 n -0000317923 00000 n -0000317892 00000 n -0000325072 00000 n -0000334868 00000 n -0000352366 00000 n -0000369353 00000 n -0000389635 00000 n -0000410774 00000 n -0000413857 00000 n -0000413627 00000 n -0000440544 00000 n -0000467222 00000 n -0000469354 00000 n -0000469474 00000 n -0000469597 00000 n -0000469686 00000 n -0000469768 00000 n -0000483639 00000 n -0000495601 00000 n -0000495642 00000 n -0000495682 00000 n -0000495816 00000 n -trailer -<< -/Size 1362 -/Root 1360 0 R -/Info 1361 0 R -/ID [<398C74303A70323E9600C964366A931D> <398C74303A70323E9600C964366A931D>] ->> -startxref -496080 -%%EOF diff --git a/usr.sbin/bind/doc/arm/Makefile.in b/usr.sbin/bind/doc/arm/Makefile.in deleted file mode 100644 index abd32aeacdb..00000000000 --- a/usr.sbin/bind/doc/arm/Makefile.in +++ /dev/null 
@@ -1,67 +0,0 @@ -# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001, 2002 Internet Software Consortium. -# -# Permission to use, copy, modify, and/or distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: Makefile.in,v 1.12.18.8 2007/08/28 07:20:03 tbox Exp $ - -srcdir = @srcdir@ -VPATH = @srcdir@ -top_srcdir = @top_srcdir@ - -@BIND9_MAKE_RULES@ - -@BIND9_VERSION@ - -MANOBJS = Bv9ARM.html - -PDFOBJS = Bv9ARM.pdf - -doc man:: ${MANOBJS} ${PDFOBJS} - -clean:: - rm -f Bv9ARM.aux Bv9ARM.brf Bv9ARM.glo Bv9ARM.idx Bv9ARM.toc - rm -f Bv9ARM.log Bv9ARM.out Bv9ARM.tex Bv9ARM.tex.tmp - -docclean manclean maintainer-clean:: clean - rm -f *.html ${PDFOBJS} - -docclean manclean maintainer-clean distclean:: - rm -f releaseinfo.xml - -Bv9ARM.html: Bv9ARM-book.xml releaseinfo.xml - expand Bv9ARM-book.xml | \ - ${XSLTPROC} --stringparam root.filename Bv9ARM \ - ${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl - - -Bv9ARM.tex: Bv9ARM-book.xml releaseinfo.xml - expand Bv9ARM-book.xml | \ - ${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl - | \ - ${XSLTPROC} ${top_srcdir}/doc/xsl/isc-docbook-latex.xsl - | \ - @PERL@ latex-fixup.pl >$@.tmp - if test -s $@.tmp; then mv $@.tmp $@; else rm -f $@.tmp; exit 1; fi - -Bv9ARM.dvi: Bv9ARM.tex releaseinfo.xml - rm -f Bv9ARM-book.aux Bv9ARM-book.dvi Bv9ARM-book.log - ${LATEX} '\batchmode\input 
Bv9ARM.tex' || (rm -f $@ ; exit 1) - ${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) - ${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) - -Bv9ARM.pdf: Bv9ARM.tex releaseinfo.xml - rm -f Bv9ARM-book.aux Bv9ARM-book.pdf Bv9ARM-book.log - ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) - ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) - ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@ ; exit 1) - -releaseinfo.xml: - echo >$@ 'BIND Version ${VERSION}'
diff --git a/usr.sbin/bind/doc/arm/README-SGML b/usr.sbin/bind/doc/arm/README-SGML
deleted file mode 100644
index 0f38334b178..00000000000
--- a/usr.sbin/bind/doc/arm/README-SGML
+++ /dev/null
@@ -1,329 +0,0 @@ -Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -Copyright (C) 2000, 2001 Internet Software Consortium. -See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. - -The BIND v9 ARM master document is now kept in DocBook XML format. - -Version: $ISC: README-SGML,v 1.17 2004/03/05 05:04:43 marka Exp $ - -The entire ARM is in the single file: - - Bv9ARM-book.xml - -All of the other documents - HTML, PDF, etc - are generated from this -master source. - -This file attempts to describe what tools are necessary for the -maintenance of this document as well as the generation of the -alternate formats of this document. - -This file will also spend a very little time describing the XML and -SGML headers so you can understand a bit what you may need to do to be -able to work with this document in any fashion other than simply -editing it. - -We will spend almost no time on the actual tags and how to write an -XML DocBook compliant document. If you are at all familiar with SGML -or HTML it will be very evident. You only need to know what the tags -are and how to use them. You can find a good resource either for this -either online or in printed form: - - DocBook: The Definitive Guide - By Norman Walsh and Leonard Muellner - ISBN: 156592-580-7 - 1st Edition, October 1999 - Copyright (C) 1999 by O'Reilly & Associates, Inc. All rights reserved. - -The book is available online in HTML format: - - http://docbook.org/ - -and buried in: - - http://www.nwalsh.com/docbook/defguide/index.html - -A lot of useful stuff is at NWalsh's site in general. You may also -want to look at: - - http://www.xml.com/ - -The BIND v9 ARM is based on the XML 4.0 DocBook DTD. Every XML and -SGML document begins with a prefix that tells where to find the file -that describes the meaning and structure of the tags used in the rest -of the document. 
- -For our XML DocBook 4.0 based document this prefix looks like this: - - - -This "DOCTYPE" statement has three parts, of which we are only using -two: - -o The highest level term that represents this document (in this case - it is "book" - -o The identifier that tells us which DTD to use. This identifier has - two parts, the "Formal Public Identifier" (or FPI) and the system - identifier. In SGML you can have either a FPI or a SYSTEM identifier - but you have to have at least one of them. In XML you have to have a - SYSTEM identifier. - -FP & SYSTEM identifiers - These are names/lookups for the actual -DTD. The FPI is a globally unique name that should, on a properly -configured system, tell you exactly what DTD to use. The SYSTEM -identifier gives an absolute location for the DTD. In XML these are -supposed to be properly formatted URL's. - -SGML has these things called "catalogs" that are files that map FPI's -in to actual files. A "catalog" can also be used to remap a SYSTEM -identifier so you can say something like: "http://www.oasis.org/foo" -is actually "/usr/local/share/xml/foo.dtd" - -When you use various SGML/XML tools they need to be configured to look -at the same "catalog" files so that as you move from tool to tool they -all refer to the same DTD for the same document. - -We will be spending most of our configuration time making sure our -tools use the same "catalog" files and that we have the same DTD's -installed on our machines. XML's requirement of the SYSTEM identifier -over the FPI will probably lead to more problems as it does not -guarantee that everyone is using the same DTD. - -I did my initial work with the "sgmltools" the XML 4.0 DocBook DTD and -"jade" or "openjade." - -You can get the 4.0 XML DocBook DTD from: - - http://www.docbook.org/xml/4.0/ - -(download the .zip file.) 
NOTE: We will eventually be changing the -SYSTEM identifier to the recommended value of: - - http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd - -NOTE: Under FreeBSD this is the package: - - /usr/ports/textproc/docbook-xml - -NetBSD instructions are coming soon. - -With packages listed below installed under FreeBSD the "catalog" file -that all the tools refer to at least one is in: - - /usr/local/share/sgml/catalog - -In order for our SYSTEM identifier for the XML DocBook dtd to be found -I create a new catalog file at the top of the XML directory created on -FreeBSD: - - /usr/local/share/xml/catalog - -This file has one line: - - SYSTEM "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" "/usr/local/share/xml/dtd/docbook/docbookx.dtd" - -Then in the main "catalog" I have it include this XML catalog: - - CATALOG "/usr/local/share/xml/catalog" - - -On your systems you need to replace "/usr/local/share" with your -prefix root (probably /usr/pkg under NetBSD.) - -NOTE: The URL used above is supposed to the be the proper one for this -XML DocBook DTD... but there is nothing at that URL so you really do -need the "SYSTEM" identifier mapping in your catalog (or make the -SYSTEM identifier in your document refer to the real location of the -file on your local system.) - -HOW TO VALIDATE A DOCUMENT: - -I use the sgmltools "nsgmls" document validator. Since we are using -XML we need to use the XML declarations, which are installed as part -of the modular DSSL style sheets: - - nsgmls -sv /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \ - Bv9ARM-book.xml - -A convenient shell script "validate.sh" is now generated by configure -to invoke the above command with the correct system-dependent paths. 
- -The SGML tools can be found at: - - ftp://ftp.us.sgmltools.org/pub/SGMLtools/v2.0/source/ \ - ftp://ftp.nllgg.nl/pub/SGMLtools/v2.0/source/ - -FreeBSD package for these is: - - /usr/ports/textproc/sgmltools - -HOW TO RENDER A DOCUMENT AS HTML or TeX: - -o Generate html doc with: - - openjade -v -d ./nominum-docbook-html.dsl \ - -t sgml \ - /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \ - Bv9ARM-book.xml - -A convenient shell script "genhtml.sh" is now generated by configure to -invoke the above command with the correct system-dependent paths. - -On NetBSD there is no port for "openjade" however "jade" does still -work. However you need to specify the "catalog" file to use for style -sheets on the command line AND you need to have a default "catalog" -mapping where to find various DTDs. It seems that "jade" installed out -of the box on NetBSD does not use a globally defined "catalog" file -for mapping PUBLIC identifiers in to SYSTEM identifiers. - -So you need to have a "catalog" file in your current working directory -that has in it this: (these are probably more entries than you need!) 
- - CATALOG "/usr/pkg/share/sgml/iso8879/catalog" - CATALOG "/usr/pkg/share/sgml/docbook/2.4.1/catalog" - CATALOG "/usr/pkg/share/sgml/docbook/3.0/catalog" - CATALOG "/usr/pkg/share/sgml/docbook/3.1/catalog" - CATALOG "/usr/pkg/share/sgml/jade/catalog" - CATALOG "/usr/local/share/xml/catalog" - -(These would all be "/usr/local" on FreeBSD) - -So the command for jade on NetBSD will look like this: - -jade -v -c /usr/pkg/share/sgml/catalog -t sgml \ - -d ./nominum-docbook-html.dsl \ - /usr/pkg/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \ - ./Bv9ARM-book.xml - -Furthermore, since the style sheet subset we define has in it a hard -coded path to the style sheet is based, it is actually generated by -configure from a .in file so that it will contain the correct -system-dependent path: where on FreeBSD the second line reads: - - - -On NetBSD it needs to read: - - - -NOTE: This is usually solved by having this style sheet modification -be installed in a system directory and have it reference the style -sheet it is based on via a relative path. - -o Generate TeX documentation: - -openjade -d ./nominum-docbook-print.dsl -t tex -v \ - /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \ - Bv9ARM-book.xml - -If you have "jade" installed instead of "openjade" then use that as -the command. There is little difference, openjade has some bug fixes -and is in more active development. - -To convert the resulting TeX file in to a DVI file you need to do: - - tex "&jadetex" Bv9ARM-book.tex - -You can also directly generate the pdf file via: - - pdftex "&pdfjadetex" Bv9ARM-book.tex - -The scripts "genpdf.sh" and "gendvi." have been added to simply -generating the PDF and DVI output. These substitute the correct paths -of NetBSD & FreeBSD. You still need to have TeX, jadeTeX, and pdfTeX -installed and configured properly for these to work. - -You will need to up both the "pool_size" and "hash_extra" variables in -your texmf.cnf file and regenerate them. See below. 
- -You can see that I am using a DSSSL style sheet for DocBook. Actually -two different ones - one for rendering html, and one for 'print' -media. - -NOTE: For HTML we are using a Nominum DSSSL style instead of the -default one (all it does is change the chunking to the chapter level -and makes the files end with ".html" instead of ".htm" so far.) If you -want to use the plain jane DSSSL style sheet replace the: - - -d ./nominum-docbook-html.dsl - -with - - -d /usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl - -This style sheet will attempt to reference the one above. - -I am currently working on fixing these up so that it works the same on -our various systems. The main trick is knowing which DTD's and DSSSL -stylesheets you have installed, installing the right ones, and -configuring a CATALOG that refers to them in the same way. We will -probably end up putting our CATALOG's in the same place and then we -should be able to generate and validate our documents with a minimal -number of command line arguments. - -When running these commands you will get a lot of messages about a -bunch of general entities not being defined and having no default -entity. You can ignore those for now. - -Also with the style sheets we have and jade as it is you will get -messages about "xref to title" being unsupported. You can ignore these -for now as well. - -=== Getting the various tools installed on FreeBSD -(NetBSD coming soon..) 
- -o On freebsd you need to install the following packages: - o print/teTeX - o textproc/openjade - o textproc/docbook - o textproc/docbook-xml - o textproc/dsssl-docbook-modular - o textproc/dtd-catalogs - -o on freebsd you need to make some entities visible to the docbook xml - dtd by making a symlink (can probably be done with a catalog too) - ln -s /usr/local/share/xml/entity /usr/local/share/xml/dtd/docbook/ent - -o you may need to edit /usr/local/share/sgml/catalog and add the line: - - CATALOG "/usr/local/share/sgml/openjade/catalog" - -o add "hugelatex," Enlarge pool sizes, install the jadetex TeX driver - file. - - cd /usr/local/share/texmf/web2c/ - sudo cp texmf.cnf texmf.cnf.bak - - o edit the lines in texmf.cnf with these keys to these values: - - main_memory = 1100000 - hash_extra = 15000 - pool_size = 500000 - string_vacancies = 45000 - max_strings = 55000 - pool_free = 47500 - nest_size = 500 - param_size = 1500 - save_size = 5000 - stack_size = 1500 - - sudo tex -ini -progname=hugelatex -fmt=hugelatex latex.ltx - sudo texconfig init - sudo texhash - - o For the jadetex macros you will need I recommend you get a more - current version than what is packaged with openjade or jade. - - Checkout http://www.tug.org/applications/jadetex/ - - Unzip the file you get from there (should be jadetex-2.20 or - newer.) - - In the directory you unzip: - - sudo make install - sudo texhash - - NOTE: In the most uptodate "ports" for FreeBSD, jadetext is 2.20+ - so on this platform you should be set as of 2001.01.08.
diff --git a/usr.sbin/bind/doc/arm/isc-logo.eps b/usr.sbin/bind/doc/arm/isc-logo.eps
deleted file mode 100644
index c6a1d7a5af3..00000000000
--- a/usr.sbin/bind/doc/arm/isc-logo.eps
+++ /dev/null
@@ -1,12253 +0,0 @@ -%!PS-Adobe-3.1 EPSF-3.0 -%%Title: Alternate-ISC-logo-v2.ai -%%Creator: Adobe Illustrator(R) 11 -%%AI8_CreatorVersion: 11.0.0 -%AI9_PrintingDataBegin -%%For: Douglas E. Appelt -%%CreationDate: 10/22/04 -%%BoundingBox: 0 0 255 149 -%%HiResBoundingBox: 0 0 254.8672 148.7520 -%%CropBox: 0 0 254.8672 148.7520 -%%LanguageLevel: 2 -%%DocumentData: Clean7Bit -%%Pages: 1 -%%DocumentNeededResources: -%%DocumentSuppliedResources: procset Adobe_AGM_Image (1.0 0) -%%+ procset Adobe_CoolType_Utility_T42 (1.0 0) -%%+ procset Adobe_CoolType_Utility_MAKEOCF (1.19 0) -%%+ procset Adobe_CoolType_Core (2.23 0) -%%+ procset Adobe_AGM_Core (2.0 0) -%%+ procset Adobe_AGM_Utils (1.0 0) -%%DocumentFonts: -%%DocumentNeededFonts: -%%DocumentNeededFeatures: -%%DocumentSuppliedFeatures: -%%DocumentProcessColors: Cyan Magenta Yellow Black -%%DocumentCustomColors: (PANTONE 1805 C) -%%+ (PANTONE 871 C) -%%+ (PANTONE 301 C) -%%+ (PANTONE 7506 C) -%%CMYKCustomColor: 0 0.9100 1 0.2300 (PANTONE 1805 C) -%%+ 0.3569 0.3608 0.6353 0.1882 (PANTONE 871 C) -%%+ 1 0.4500 0 0.1800 (PANTONE 301 C) -%%+ 0 0.0500 0.1500 0 (PANTONE 7506 C) -%%RGBCustomColor: -%ADO_ContainsXMP: MainFirst -%AI7_Thumbnail: 128 76 8 -%%BeginData: 10692 Hex Bytes -%0000330000660000990000CC0033000033330033660033990033CC0033FF -%0066000066330066660066990066CC0066FF009900009933009966009999 -%0099CC0099FF00CC0000CC3300CC6600CC9900CCCC00CCFF00FF3300FF66 -%00FF9900FFCC3300003300333300663300993300CC3300FF333300333333 -%3333663333993333CC3333FF3366003366333366663366993366CC3366FF -%3399003399333399663399993399CC3399FF33CC0033CC3333CC6633CC99 -%33CCCC33CCFF33FF0033FF3333FF6633FF9933FFCC33FFFF660000660033 -%6600666600996600CC6600FF6633006633336633666633996633CC6633FF -%6666006666336666666666996666CC6666FF669900669933669966669999 -%6699CC6699FF66CC0066CC3366CC6666CC9966CCCC66CCFF66FF0066FF33 -%66FF6666FF9966FFCC66FFFF9900009900339900669900999900CC9900FF -%9933009933339933669933999933CC9933FF996600996633996666996699 
-%9966CC9966FF9999009999339999669999999999CC9999FF99CC0099CC33 -%99CC6699CC9999CCCC99CCFF99FF0099FF3399FF6699FF9999FFCC99FFFF -%CC0000CC0033CC0066CC0099CC00CCCC00FFCC3300CC3333CC3366CC3399 -%CC33CCCC33FFCC6600CC6633CC6666CC6699CC66CCCC66FFCC9900CC9933 -%CC9966CC9999CC99CCCC99FFCCCC00CCCC33CCCC66CCCC99CCCCCCCCCCFF -%CCFF00CCFF33CCFF66CCFF99CCFFCCCCFFFFFF0033FF0066FF0099FF00CC -%FF3300FF3333FF3366FF3399FF33CCFF33FFFF6600FF6633FF6666FF6699 -%FF66CCFF66FFFF9900FF9933FF9966FF9999FF99CCFF99FFFFCC00FFCC33 -%FFCC66FFCC99FFCCCCFFCCFFFFFF33FFFF66FFFF99FFFFCC110000001100 -%000011111111220000002200000022222222440000004400000044444444 -%550000005500000055555555770000007700000077777777880000008800 -%000088888888AA000000AA000000AAAAAAAABB000000BB000000BBBBBBBB -%DD000000DD000000DDDDDDDDEE000000EE000000EEEEEEEE0000000000FF -%00FF0000FFFFFF0000FF00FFFFFF00FFFFFF -%524C45FD1CF852FD63FFF820272726272727264B27272627272726272727 -%26272727264B20F827FD63FFF827FFFFFFCFFF84365AFFFFFFCFFFFFFFCF -%FFFFFFCFFD04FFCAF852FD63FFF827CFCFCACFCA2F0607A8CFCACFCACFCA -%CFCACFCACFCACFCACF7CF827FD63FFF800FFCFFFA8A8070D06A8CFFFCFFF -%CFFFCFFFCFFFCFFFCFFFCFA7F852FD63FFF800077E2F0D060D060706537D -%CF7D2FA8CFCACFCACFCACFCAFF7CF827FD63FFF8000D062F070D062F070D -%062F2F0D062FCACFCFFFCFCFCFFFCFA1F852FD63FFF8050707062E517651 -%522807060706072ECFCACFCACFCACFCAFF7CF827FD63FFF8002F067C757B -%757C757B512F072F2FFFCFCFCFFFCFFFCFFFCFA1F852FD63FFF805075251 -%75517551755175512F062FCACFCACFCACFCACFCAFF7CF827FD63FFF8F859 -%75765176757C517C757B2E2F07A8CFFFCFCFCFFFCFCFCFA1F852FD63FFF8 -%00517551757CCFCAA751755175060753CFCACFCACFCACFCACF7CF827FD63 -%FFF8F87C75757CFFCFFFCFA7517C752F072F59A8CFCFCFFFCFFFCFA7F852 -%FD04FFA87D527DA8FD5AFFF827757551A1CFCFCAFFA0755175280D060706 -%A8CFCFCACFCAFF7CF827FD05FF27F827FD5BFFF8F87C51767CFFCFFFCFA0 -%517C752F062F060D84FFCFFFCFFFCFA1F852FD05FF7DF87DFD5BFFF80552 -%7551757CC9A7A05175517606072F7E7DCFCACFC9CFCAFF6FF827FD05FF52 -%F852FD27FFA8FD33FFF80059757C7575517C517C517C2E2F06CFCFFFCFCF 
-%9293CAFFCF6FF852FD05FF7DF87DFD04FFA8FD05FF7D7DA8FF527D7D7D52 -%7D52A8FFA8527D527DA8FF7D7D527D52FD05FFA8FD05FFA87D7DFFFFA852 -%7D527DA8FF527D7D7D527D52A8FD19FFF805075275755175517551752D0D -%0653CFFFCFFFA78C6899939344F827FD05FF52F852FFFFFFA8F87DFD04FF -%7D27FFA87D7DA8F827A87D7DFFA8F827A8527DFFA8F852A827F8A8FFFFFF -%7DF8FD05FF2752FFFFA8F827A8527DA87D7DA8F827A87D7DFD19FFF8F82F -%0752517C757B757C2E0D062FA8C999CFCFC28C928C8C8C6EF852FD05FF7D -%F87DFD04FFF8F87DFFFFFF7D52FD05FFF852FD05FFF87DFD05FFF852FFFF -%F852FFFFFF7DF8F8FD04FF7D52FFFFFFF87DFD07FFF852FD1CFFF8000607 -%062F2852282E060D0607067D928C9293688C6892688C44F827FD05FF52F8 -%52FFFFFFA85252F852FFFF7D27FD05FFF87DFD04FFA8F852FD05FFF852FF -%FFF8A8FFFFFF7D5227F8A8FFFF527DFFFFA8F852FD07FFF87DFD1CFFF800 -%852F2F062F070D062F072F062F0D9A8C928C928C928C928C6EF852FD05FF -%7DF87DFD04FF27FF52F852FF7D52FD05FFF852FD05FFF82752527DFFFFF8 -%52FF527DFD04FF527DFF27F8A8FF7D7DFFFFFFF82752527DFD04FFF852FD -%1CFFF827CFCF7D2F060D062F2F7EA82F062F938C68928C8C68926E994AF8 -%27FD05FF52F852FFFFFFA827FFFF52F852A852FD05FFF87DFD04FFA8F852 -%FF7DA8FFFFF82752F8A8FD04FF7D52FFA827F8A87D7DFFFFA8F852FF7DA8 -%FD04FFF87DFD1CFFF827FFCFFFA80D062FA8CFCFCA927693928C928C9292 -%75517C7B51F852FD05FF7DF87DFFFFFFA827FFFFFF52F8F87DFD05FFF852 -%FD05FFF87DFD05FFF852FF52F8A8FFFFFF5252FFFFFF27F8277DFFFFFFF8 -%7DFD07FFF852FD1CFFF827CFCFCACF06062ECFCAFF928C688C6892688C6E -%765175517C26F827FD05FF52F852FFFFFFA827FD04FF52F852FD05FFF852 -%FD04FFA8F852FFFFA8A8FFF87DFFFFF8F8A8FFFF5227FD04FF27F8A8FFFF -%A8F852FFFFA8A8FFFFFFF852FD1CFFF827FFCFFFCF7E53A8CFFFCFC99292 -%8C928C92757C757C517C7551F852FD04FFA852F852A8FFFFA8F8A8FD04FF -%527DFD04FF7DF827FD04FFA8F827525252FF7DF827FFFFFF2727A8FF5227 -%A8FD04FF52A8FFFFA8F827525252FFFFFF7DF827FD1CFFF827CFCFCACFCF -%CFCAFD04CF93688C688C6F7651755175517C4BF827FD05FFA8FFA8FFFFFF -%A8FFA8FD0BFFA8FFA8FFFFFFA8FFA8A8A8FFFFFFA8FFA8FFFFFFA8FFA8FF -%A8FD09FFA8FFA8A8A8FD05FFA8FFA8FD1BFFF827FFCFCFCFFFCFCFCFFFCF 
-%C38C928C8C6E7C7576517C75767551F852FD63FFF827CFCFCACFCACFCACF -%92928C8C688C6875517551755175517526F827FD63FFF827FFCFFFCFFFCF -%FFCA938C928C928C99517C757C517C757C7551F852FD63FFF827CFCFCACF -%CACFCACFA093688C6892757551755175517551754BF827FD63FFF827FFCF -%FFCFCFCFFFCFFF998C8C926E7C7576517C7576517CA7A1F852FD06FFA87D -%527DA8FD58FFF827CFCFCACFCACFCAFFCF996892686F5175517551755175 -%7CFF7CF827FD05FF7D2752A82727A8FD57FFF827FFCFFFCFFFCFFFC2BB8C -%928C8C6E7C757C517C757C51CFFFA1F852FD05FF2752FFFFFF52FD58FFF8 -%27CFCFCACFCACFCF99688C68928C6F5175517551755175CAFF7CF827FD04 -%FFA8F852FD5CFFF827FFCFCFCFFFCFFFA0998C928C926E7C517C7576517C -%51CACFA1F852FD04FFA827F87DFFFFFFA8527DFD04FF527DFFFFA87D52A8 -%FF7D527D527D527D7DFF7D7D527D527DFFFFFFA8FD06FFA8FD04FFA87D7D -%7DFD26FFF827CFCFCACFCACFCACFCF99688C6893517551755175517575FF -%7CF827FD05FF52F8F852FFFFFF52F8A8FFFF7D27A8FF5252A8A852A852A8 -%7DF827A87D7DFFA8F852A87D52FFFFFFF8A8FD04FF5227FFFFFF7D27A8A8 -%52A8FD25FFF827FFCFFFCFFFCFFFCFFFA08C8C92927C517C757C517C7575 -%7C7CF852FD06FF52F8F852FFFFFF27F8FFFF52A8FFFFF87DFD07FFF87DFD -%05FFF852FD06FFF827FD04FF2727FFFFFF2752FD29FFF827CFCFCACFCACF -%CACFA799688C68927575517551755175517526F84BFD07FF52F8F87DFFFF -%A8F87D7D52FFFFFFF8F87DFD05FFA8F852FD05FFF87DFD05FFA8F8F8A8FF -%FF7DF8F8A8FFFF52F852A8FD27FFF827FFCFFFCFCFCFFFCF9368928C928C -%995176517C7576517C7551F852FD08FF7DF8F8FFFFFF52F827FD05FFF8F8 -%27FD05FFF87DFD05FFF8277D527DFFFF7D52F852FFFF277DF8A8FFFFFF52 -%F8F87DFD26FFF827CFCFCACFCACFCAFF938C688C688C6875517551755175 -%517C26F827FD09FF27F8A8FFFFFFF852FD06FF52F827FFFFFFA8F852FD05 -%FFF852A8A87DFFFF527D7DF8FF7D52A8F87DFD04FF7DF8F8A8FD25FFF827 -%FFCFFFCFFFCFFFCFCFCFC98C928C92927C517C757C517C7551F852FD04FF -%7DFD04FF7DF8FD04FFF852FD07FF7DF8A8FFFFFFF87DFD05FFF852FD05FF -%52A8FF272752A8FFF87DFD06FFF8A8FD25FFF827CFCFCACFCACFCAFD04CF -%99688C688C6E7651755175517C4BF827FD04FF5227FFFFA8F852FD04FFF8 -%7DFFFFFF7D7DFFFF7D27FD04FFF852FD05FFF852FFFFA8FFFF27A8FF7DF8 
-%52FFFFF852FFA852FFFF7D27A8FD25FFF827FFCFCFCFFFCFCFCFFFCFCF92 -%928C928C926E7C517C75767551F852FD04FF7D272752277DFD04FF7DF827 -%FFFFFF7D27525227FD04FFA8F852A8FFFFFF7D2727525252FFA8F8A8FFFF -%52FFFFFF2727A8FF275252527DFD26FFF827CFCFCACFCACFCACFCAFF998C -%688C688C688C68755176517526F827FD07FFA8FD07FFA8FFA8FFFFFFA8A8 -%A8FD05FFA8FFA8FD05FFA8FFA8A8A8FFA8FFA8FD07FFA8FFFFFFA8A8FD28 -%FFF827FFCFFFCFFFCFFFCFFFCFCF92C29A928C928C928C99757C7551F852 -%FD63FFF827CFCFCACFCACFCACFCAFD04CFFF998C68928C8C6892689344F8 -%27FD63FFF827FFCFFFCFCFCFFFCFCFCFFFCFCFCFC98C928C928C928C928C -%68F852FD63FFF827CFCFCACFCACFCAA8537ECACFCAFF938C6899688C688C -%689244F827FD63FFF827FFCFFFCFFFCFA8072F07FFCFFFCFCF992F0D5992 -%928C928C68F852FD08FF7D7D527D52A8A8FD54FFF827CFCFCACFCACFA70D -%060753A87DA8CA5A0607069368929AC244F827FD06FF7DF8527D7D7D52F8 -%27FD54FFF827FFCFCFCFFFCFCF2F2F070D062F072F062F07539993C2FFFF -%76F852FD05FF7DF87DFD06FF27FD54FFF827CFCFCACFCACF7D0D060D0607 -%060D0607060753FFCACFCAFF76F827FD04FFA8F827FD07FFA8A8FD15FFA8 -%FD3DFFF827FFCFFFCFFF592F062F072F2852282F072F072F7DFFCFFFCFA7 -%F852FD04FF52F87DFD0CFFA87D7D7DFD05FFA8FD05FF7D7DA8FFFFA87D7D -%7DFFFFFFA87D527D7DFD04FFA8527D527DA8FFFF7D527D527D527D7DFF7D -%7D7DFFFFA8527DA8FFFFA8527DFFFFFFA8FD06FFA8FFFFF827CF5959CA53 -%07060D066F688C6892684B060D06077DCFCFCF7CF827FD04FF27F8A8FD0A -%FFA82752A87D52F852FFFFA8F87DFD04FF7D27FFFF7D27A87D52FFFF5227 -%7DA87D27F8A8FFFFA8F827A827F8A8A852A87DF827A87D7DFFA8F852FFFF -%A8F827FD04FF2727FFFFFFF8A8FD04FF5227FFFFF827A9062F070D062F28 -%928C928C928C928C92282F072F847E5953F852FD04FFF8F8A8FD0AFF2752 -%FD04FF7DF87DFFFFF8F852FFFFFF7D52FFFFF8A8FFFFA8FF7DF8A8FD04FF -%27F8FFFFFFF87DFFFFF87DFD04FFF87DFD05FFF852FFFFFFF87DFD04FF27 -%52FFFFFFF827FD04FF2727FFFFF8272F07060D060D278C688C68928C8C68 -%8C688C060D0607060D06F827FFFFFFA827F87DFD09FF7DF8FD06FF27F8FF -%A85252F852FFFF7D27FFFF27F87DFFFFFF2727FD05FF7DF852FFA8F852FF -%A8F87DFFFFFFA8F852FD05FFF852FFFFA8F852FD04FF5252FFFFA8F8F8A8 
-%FFFF7DF827A8FFF827FF2F2F070D06938C928CBCC9CFC9BB8C928C6F070D -%062F0706F852FD04FF27F852FD09FF52F8FD06FF52F8FFFF27FF52F852FF -%7D52FFFFA827F827A8FFF852FD06FFF852FFFFF852FF7D7DFD05FFF87DFD -%05FFF852FFFFFFF87DFD04FF2752FFFF7D52F852FFFF277DF8A8FFF827CF -%CF2F0D064C689268C2CFFFCFFFCFC2688C682E0607062F52F827FD04FF7D -%F8F8A8FD08FF52F8A8FD05FF52F8FFA827FFFF52F852A852FD04FF7DF827 -%FF2727FD05FFA8F852FFA8F82752F8A8FD04FFA8F852FD05FFF852FFFFA8 -%F852FD04FF5252FFFF7D7D7DF8FF7D52A8F87DFFF827FFCF59062F6F8C8C -%99CFFFCFFFCFFFCF938C8C4B2F0759CFA7F852FD05FF52F827FD06FF7DFF -%A8F852FD05FFF852FFA827FFFFFF52F8F87DFD05FF7DF8FF52F8A8FD04FF -%A8F8A8FFFFF87DFF52F8FD05FFF87DFD05FFF852FFFFFFF852FD04FF277D -%FFFF27A8FF272752FFFFF87DFFF827CFCF2F070693688C99FFCACFCACFCA -%FF998C686F060759CF7CF827FD05FFA852F8F87DFFFFFF5227FFFF52F87D -%FFFFFF5227A8FFA827FD04FF52F852FF527DFFFF5227FFFFF827A8FFFFFF -%2752FFFFFFF852FFFF27F8FFFFFFA8F852FD05FFF87DFFFFFF52F8A8FFFF -%7D27A8FFFF27A8FF7DF852FFFFF827FFF827FFCF53062F6E928CC2FFFFCF -%FFCFFFCFC28C926F2F077ECFA7F852FD07FFA8FD06277DFFFFFF7D27277D -%527DFFFFFF7DF8A8FD04FF527DFFA827525252A8FFFFFF5227527D52A8FF -%FFFFA8F852A8FFA82727A8FFA8F852A8FFFFFF7DF827FD04FF52277D5252 -%A8FFFFA8F8A8FFFF52FFFFFF2727A8F827CFCF2F07066F8C8C92FFCFCFCA -%CFCFCF8C8C8C4B060D59CF7CF827FD0BFFA8FD09FFA8FD05FFA8FFA8FD09 -%FFA8A8FD07FFA8A8FD05FFA8FFA8FD05FFA8FFA8FFA8FD05FFA8FFA8FD05 -%FFA8FD05FFA8FFA8FD07FFA8FFF827AF2F2F070D4B928C8CA0FFCFFFCFFF -%998C8C92280D067ECFA1F852FD63FFF8270707060D0607688C688C99C9CA -%C9938C688C680D0607065A76F827FD63FFF8275A062F070D07528C928C92 -%8C928C928C928C2F070D062F072EF852FD63FFF84B842F597E0607064C8C -%8C68928C8C688C6828060D0607060D52F827FD63FFF827FFCFCFCF7E060D -%062F6F928C928C934B2F070D0684A85A59A1F852FD63FFF827CFCFCACFCA -%590607060D06282728060D0607067ECACFCFCF7CF827FD63FFF827FFCFFF -%CFFFCF59062F070D072F070D062F2FA8CFFFCFFFCFA7F852FD63FFF827CF -%CFCACFCACF2F07060D0607060D06070653CFCFCACFCAFF7CF827FD63FFF8 
-%27FFCFFFCFCFA82F070D59CFA8A8A859060D07FD04CFFFCFA1F852FD63FF -%F827CFCFCACFCFA82F0D2FCFCACFCFCFA80D060DA8CFCACFCAFF7CF827FD -%63FFF827FFCFFFCFFFCFFFA8FFCFFFCFFFCFFF7E7EA8FFCFFFCFFFFFA7F8 -%52FD63FFFD09F820FD07F820FD07F820F8F827FD63FF27F827F820F827F8 -%20F827F820F827F820F827F820F827F820F827F87CFDE2FFFF -%%EndData -%%EndComments -%%BeginDefaults -%%ViewingOrientation: 1 0 0 1 -%%EndDefaults -%%BeginProlog -%%BeginResource: procset Adobe_AGM_Utils 1.0 0 -%%Version: 1.0 0 -%%Copyright: Copyright (C) 2000-2003 Adobe Systems, Inc. All Rights Reserved. -systemdict /setpacking known -{ - currentpacking - true setpacking -} if -userdict /Adobe_AGM_Utils 68 dict dup begin put -/bdf -{ - bind def -} bind def -/nd{ - null def -}bdf -/xdf -{ - exch def -}bdf -/ldf -{ - load def -}bdf -/ddf -{ - put -}bdf -/xddf -{ - 3 -1 roll put -}bdf -/xpt -{ - exch put -}bdf -/ndf -{ - exch dup where{ - pop pop pop - }{ - xdf - }ifelse -}def -/cdndf -{ - exch dup currentdict exch known{ - pop pop - }{ - exch def - }ifelse -}def -/bdict -{ - mark -}bdf -/edict -{ - counttomark 2 idiv dup dict begin {def} repeat pop currentdict end -}def -/ps_level - /languagelevel where{ - pop systemdict /languagelevel get exec - }{ - 1 - }ifelse -def -/level2 - ps_level 2 ge -def -/level3 - ps_level 3 ge -def -/ps_version - {version cvr} stopped { - -1 - }if -def -/makereadonlyarray -{ - /packedarray where{ - pop packedarray - }{ - array astore readonly - }ifelse -}bdf -/map_reserved_ink_name -{ - dup type /stringtype eq{ - dup /Red eq{ - pop (_Red_) - }{ - dup /Green eq{ - pop (_Green_) - }{ - dup /Blue eq{ - pop (_Blue_) - }{ - dup () cvn eq{ - pop (Process) - }if - }ifelse - }ifelse - }ifelse - }if -}bdf -/AGMUTIL_GSTATE 22 dict def -/get_gstate -{ - AGMUTIL_GSTATE begin - /AGMUTIL_GSTATE_clr_spc currentcolorspace def - /AGMUTIL_GSTATE_clr_indx 0 def - /AGMUTIL_GSTATE_clr_comps 12 array def - mark currentcolor counttomark - {AGMUTIL_GSTATE_clr_comps AGMUTIL_GSTATE_clr_indx 3 -1 roll put - 
/AGMUTIL_GSTATE_clr_indx AGMUTIL_GSTATE_clr_indx 1 add def} repeat pop - /AGMUTIL_GSTATE_fnt rootfont def - /AGMUTIL_GSTATE_lw currentlinewidth def - /AGMUTIL_GSTATE_lc currentlinecap def - /AGMUTIL_GSTATE_lj currentlinejoin def - /AGMUTIL_GSTATE_ml currentmiterlimit def - currentdash /AGMUTIL_GSTATE_do xdf /AGMUTIL_GSTATE_da xdf - /AGMUTIL_GSTATE_sa currentstrokeadjust def - /AGMUTIL_GSTATE_clr_rnd currentcolorrendering def - /AGMUTIL_GSTATE_op currentoverprint def - /AGMUTIL_GSTATE_bg currentblackgeneration cvlit def - /AGMUTIL_GSTATE_ucr currentundercolorremoval cvlit def - currentcolortransfer cvlit /AGMUTIL_GSTATE_gy_xfer xdf cvlit /AGMUTIL_GSTATE_b_xfer xdf - cvlit /AGMUTIL_GSTATE_g_xfer xdf cvlit /AGMUTIL_GSTATE_r_xfer xdf - /AGMUTIL_GSTATE_ht currenthalftone def - /AGMUTIL_GSTATE_flt currentflat def - end -}def -/set_gstate -{ - AGMUTIL_GSTATE begin - AGMUTIL_GSTATE_clr_spc setcolorspace - AGMUTIL_GSTATE_clr_indx {AGMUTIL_GSTATE_clr_comps AGMUTIL_GSTATE_clr_indx 1 sub get - /AGMUTIL_GSTATE_clr_indx AGMUTIL_GSTATE_clr_indx 1 sub def} repeat setcolor - AGMUTIL_GSTATE_fnt setfont - AGMUTIL_GSTATE_lw setlinewidth - AGMUTIL_GSTATE_lc setlinecap - AGMUTIL_GSTATE_lj setlinejoin - AGMUTIL_GSTATE_ml setmiterlimit - AGMUTIL_GSTATE_da AGMUTIL_GSTATE_do setdash - AGMUTIL_GSTATE_sa setstrokeadjust - AGMUTIL_GSTATE_clr_rnd setcolorrendering - AGMUTIL_GSTATE_op setoverprint - AGMUTIL_GSTATE_bg cvx setblackgeneration - AGMUTIL_GSTATE_ucr cvx setundercolorremoval - AGMUTIL_GSTATE_r_xfer cvx AGMUTIL_GSTATE_g_xfer cvx AGMUTIL_GSTATE_b_xfer cvx - AGMUTIL_GSTATE_gy_xfer cvx setcolortransfer - AGMUTIL_GSTATE_ht /HalftoneType get dup 9 eq exch 100 eq or - { - currenthalftone /HalftoneType get AGMUTIL_GSTATE_ht /HalftoneType get ne - { - mark AGMUTIL_GSTATE_ht {sethalftone} stopped cleartomark - } if - }{ - AGMUTIL_GSTATE_ht sethalftone - } ifelse - AGMUTIL_GSTATE_flt setflat - end -}def -/get_gstate_and_matrix -{ - AGMUTIL_GSTATE begin - /AGMUTIL_GSTATE_ctm matrix currentmatrix 
def - end - get_gstate -}def -/set_gstate_and_matrix -{ - set_gstate - AGMUTIL_GSTATE begin - AGMUTIL_GSTATE_ctm setmatrix - end -}def -/AGMUTIL_str256 256 string def -/AGMUTIL_src256 256 string def -/AGMUTIL_dst64 64 string def -/AGMUTIL_srcLen nd -/AGMUTIL_ndx nd -/agm_sethalftone -{ - dup - begin - /_Data load - /Thresholds xdf - end - level3 - { sethalftone }{ - dup /HalftoneType get 3 eq { - sethalftone - } {pop} ifelse - }ifelse -} def -/rdcmntline -{ - currentfile AGMUTIL_str256 readline pop - (%) anchorsearch {pop} if -} bdf -/filter_cmyk -{ - dup type /filetype ne{ - exch () /SubFileDecode filter - } - { - exch pop - } - ifelse - [ - exch - { - AGMUTIL_src256 readstring pop - dup length /AGMUTIL_srcLen exch def - /AGMUTIL_ndx 0 def - AGMCORE_plate_ndx 4 AGMUTIL_srcLen 1 sub{ - 1 index exch get - AGMUTIL_dst64 AGMUTIL_ndx 3 -1 roll put - /AGMUTIL_ndx AGMUTIL_ndx 1 add def - }for - pop - AGMUTIL_dst64 0 AGMUTIL_ndx getinterval - } - bind - /exec cvx - ] cvx -} bdf -/filter_indexed_devn -{ - cvi Names length mul names_index add Lookup exch get -} bdf -/filter_devn -{ - 4 dict begin - /srcStr xdf - /dstStr xdf - dup type /filetype ne{ - 0 () /SubFileDecode filter - }if - [ - exch - [ - /devicen_colorspace_dict /AGMCORE_gget cvx /begin cvx - currentdict /srcStr get /readstring cvx /pop cvx - /dup cvx /length cvx 0 /gt cvx [ - Adobe_AGM_Utils /AGMUTIL_ndx 0 /ddf cvx - names_index Names length currentdict /srcStr get length 1 sub { - 1 /index cvx /exch cvx /get cvx - currentdict /dstStr get /AGMUTIL_ndx /load cvx 3 -1 /roll cvx /put cvx - Adobe_AGM_Utils /AGMUTIL_ndx /AGMUTIL_ndx /load cvx 1 /add cvx /ddf cvx - } for - currentdict /dstStr get 0 /AGMUTIL_ndx /load cvx /getinterval cvx - ] cvx /if cvx - /end cvx - ] cvx - bind - /exec cvx - ] cvx - end -} bdf -/AGMUTIL_imagefile nd -/read_image_file -{ - AGMUTIL_imagefile 0 setfileposition - 10 dict begin - /imageDict xdf - /imbufLen Width BitsPerComponent mul 7 add 8 idiv def - /imbufIdx 0 def - /origDataSource 
imageDict /DataSource get def - /origMultipleDataSources imageDict /MultipleDataSources get def - /origDecode imageDict /Decode get def - /dstDataStr imageDict /Width get colorSpaceElemCnt mul string def - /srcDataStrs [ imageDict begin - currentdict /MultipleDataSources known {MultipleDataSources {DataSource length}{1}ifelse}{1} ifelse - { - Width Decode length 2 div mul cvi string - } repeat - end ] def - imageDict /MultipleDataSources known {MultipleDataSources}{false} ifelse - { - /imbufCnt imageDict /DataSource get length def - /imbufs imbufCnt array def - 0 1 imbufCnt 1 sub { - /imbufIdx xdf - imbufs imbufIdx imbufLen string put - imageDict /DataSource get imbufIdx [ AGMUTIL_imagefile imbufs imbufIdx get /readstring cvx /pop cvx ] cvx put - } for - DeviceN_PS2 { - imageDict begin - /DataSource [ DataSource /devn_sep_datasource cvx ] cvx def - /MultipleDataSources false def - /Decode [0 1] def - end - } if - }{ - /imbuf imbufLen string def - Indexed_DeviceN level3 not and DeviceN_NoneName or { - imageDict begin - /DataSource [AGMUTIL_imagefile Decode BitsPerComponent false 1 /filter_indexed_devn load dstDataStr srcDataStrs devn_alt_datasource /exec cvx] cvx def - /Decode [0 1] def - end - }{ - imageDict /DataSource {AGMUTIL_imagefile imbuf readstring pop} put - } ifelse - } ifelse - imageDict exch - load exec - imageDict /DataSource origDataSource put - imageDict /MultipleDataSources origMultipleDataSources put - imageDict /Decode origDecode put - end -} bdf -/write_image_file -{ - begin - { (AGMUTIL_imagefile) (w+) file } stopped{ - false - }{ - Adobe_AGM_Utils/AGMUTIL_imagefile xddf - 2 dict begin - /imbufLen Width BitsPerComponent mul 7 add 8 idiv def - MultipleDataSources {DataSource 0 get}{DataSource}ifelse type /filetype eq { - /imbuf imbufLen string def - }if - 1 1 Height { - pop - MultipleDataSources { - 0 1 DataSource length 1 sub { - DataSource type dup - /arraytype eq { - pop DataSource exch get exec - }{ - /filetype eq { - DataSource exch get imbuf 
readstring pop - }{ - DataSource exch get - } ifelse - } ifelse - AGMUTIL_imagefile exch writestring - } for - }{ - DataSource type dup - /arraytype eq { - pop DataSource exec - }{ - /filetype eq { - DataSource imbuf readstring pop - }{ - DataSource - } ifelse - } ifelse - AGMUTIL_imagefile exch writestring - } ifelse - }for - end - true - }ifelse - end -} bdf -/close_image_file -{ - AGMUTIL_imagefile closefile (AGMUTIL_imagefile) deletefile -}def -statusdict /product known userdict /AGMP_current_show known not and{ - /pstr statusdict /product get def - pstr (HP LaserJet 2200) eq - pstr (HP LaserJet 4000 Series) eq or - pstr (HP LaserJet 4050 Series ) eq or - pstr (HP LaserJet 8000 Series) eq or - pstr (HP LaserJet 8100 Series) eq or - pstr (HP LaserJet 8150 Series) eq or - pstr (HP LaserJet 5000 Series) eq or - pstr (HP LaserJet 5100 Series) eq or - pstr (HP Color LaserJet 4500) eq or - pstr (HP Color LaserJet 4600) eq or - pstr (HP LaserJet 5Si) eq or - pstr (HP LaserJet 1200 Series) eq or - pstr (HP LaserJet 1300 Series) eq or - pstr (HP LaserJet 4100 Series) eq or - { - userdict /AGMP_current_show /show load put - userdict /show { - currentcolorspace 0 get - /Pattern eq - {false charpath f} - {AGMP_current_show} ifelse - } put - }if - currentdict /pstr undef -} if -/consumeimagedata -{ - begin - currentdict /MultipleDataSources known not - {/MultipleDataSources false def} if - MultipleDataSources - { - 1 dict begin - /flushbuffer Width cvi string def - 1 1 Height cvi - { - pop - 0 1 DataSource length 1 sub - { - DataSource exch get - dup type dup - /filetype eq - { - exch flushbuffer readstring pop pop - }if - /arraytype eq - { - exec pop - }if - }for - }for - end - } - { - /DataSource load type dup - /filetype eq - { - 1 dict begin - /flushbuffer Width Decode length 2 div mul cvi string def - 1 1 Height { pop DataSource flushbuffer readstring pop pop} for - end - }if - /arraytype eq - { - 1 1 Height { pop DataSource pop } for - }if - }ifelse - end -}bdf 
-/addprocs -{ - 2{/exec load}repeat - 3 1 roll - [ 5 1 roll ] bind cvx -}def -/modify_halftone_xfer -{ - currenthalftone dup length dict copy begin - currentdict 2 index known{ - 1 index load dup length dict copy begin - currentdict/TransferFunction known{ - /TransferFunction load - }{ - currenttransfer - }ifelse - addprocs /TransferFunction xdf - currentdict end def - currentdict end sethalftone - }{ - currentdict/TransferFunction known{ - /TransferFunction load - }{ - currenttransfer - }ifelse - addprocs /TransferFunction xdf - currentdict end sethalftone - pop - }ifelse -}def -/clonearray -{ - dup xcheck exch - dup length array exch - Adobe_AGM_Core/AGMCORE_tmp -1 ddf - { - Adobe_AGM_Core/AGMCORE_tmp AGMCORE_tmp 1 add ddf - dup type /dicttype eq - { - AGMCORE_tmp - exch - clonedict - Adobe_AGM_Core/AGMCORE_tmp 4 -1 roll ddf - } if - dup type /arraytype eq - { - AGMCORE_tmp exch - clonearray - Adobe_AGM_Core/AGMCORE_tmp 4 -1 roll ddf - } if - exch dup - AGMCORE_tmp 4 -1 roll put - }forall - exch {cvx} if -}bdf -/clonedict -{ - dup length dict - begin - { - dup type /dicttype eq - { - clonedict - } if - dup type /arraytype eq - { - clonearray - } if - def - }forall - currentdict - end -}bdf -/DeviceN_PS2 -{ - /currentcolorspace AGMCORE_gget 0 get /DeviceN eq level3 not and -} bdf -/Indexed_DeviceN -{ - /indexed_colorspace_dict AGMCORE_gget dup null ne { - /CSD known - }{ - pop false - } ifelse -} bdf -/DeviceN_NoneName -{ - /Names where { - pop - false Names - { - (None) eq or - } forall - }{ - false - }ifelse -} bdf -/DeviceN_PS2_inRip_seps -{ - /AGMCORE_in_rip_sep where - { - pop dup type dup /arraytype eq exch /packedarraytype eq or - { - dup 0 get /DeviceN eq level3 not and AGMCORE_in_rip_sep and - { - /currentcolorspace exch AGMCORE_gput - false - } - { - true - }ifelse - } - { - true - } ifelse - } - { - true - } ifelse -} bdf -/base_colorspace_type -{ - dup type /arraytype eq {0 get} if -} bdf -/doc_setup{ - Adobe_AGM_Utils begin -}bdf -/doc_trailer{ - 
currentdict Adobe_AGM_Utils eq{ - end - }if -}bdf -systemdict /setpacking known -{ - setpacking -} if -%%EndResource -%%BeginResource: procset Adobe_AGM_Core 2.0 0 -%%Version: 2.0 0 -%%Copyright: Copyright (C) 1997-2003 Adobe Systems, Inc. All Rights Reserved. -systemdict /setpacking known -{ - currentpacking - true setpacking -} if -userdict /Adobe_AGM_Core 216 dict dup begin put -/nd{ - null def -}bind def -/Adobe_AGM_Core_Id /Adobe_AGM_Core_2.0_0 def -/AGMCORE_str256 256 string def -/AGMCORE_save nd -/AGMCORE_graphicsave nd -/AGMCORE_c 0 def -/AGMCORE_m 0 def -/AGMCORE_y 0 def -/AGMCORE_k 0 def -/AGMCORE_cmykbuf 4 array def -/AGMCORE_screen [currentscreen] cvx def -/AGMCORE_tmp 0 def -/AGMCORE_&setgray nd -/AGMCORE_&setcolor nd -/AGMCORE_&setcolorspace nd -/AGMCORE_&setcmykcolor nd -/AGMCORE_cyan_plate nd -/AGMCORE_magenta_plate nd -/AGMCORE_yellow_plate nd -/AGMCORE_black_plate nd -/AGMCORE_plate_ndx nd -/AGMCORE_get_ink_data nd -/AGMCORE_is_cmyk_sep nd -/AGMCORE_host_sep nd -/AGMCORE_avoid_L2_sep_space nd -/AGMCORE_distilling nd -/AGMCORE_composite_job nd -/AGMCORE_producing_seps nd -/AGMCORE_ps_level -1 def -/AGMCORE_ps_version -1 def -/AGMCORE_environ_ok nd -/AGMCORE_CSA_cache 0 dict def -/AGMCORE_CSD_cache 0 dict def -/AGMCORE_pattern_cache 0 dict def -/AGMCORE_currentoverprint false def -/AGMCORE_deltaX nd -/AGMCORE_deltaY nd -/AGMCORE_name nd -/AGMCORE_sep_special nd -/AGMCORE_err_strings 4 dict def -/AGMCORE_cur_err nd -/AGMCORE_ovp nd -/AGMCORE_current_spot_alias false def -/AGMCORE_inverting false def -/AGMCORE_feature_dictCount nd -/AGMCORE_feature_opCount nd -/AGMCORE_feature_ctm nd -/AGMCORE_ConvertToProcess false def -/AGMCORE_Default_CTM matrix def -/AGMCORE_Default_PageSize nd -/AGMCORE_currentbg nd -/AGMCORE_currentucr nd -/AGMCORE_gradientcache 32 dict def -/AGMCORE_in_pattern false def -/knockout_unitsq nd -/AGMCORE_CRD_cache where{ - pop -}{ - /AGMCORE_CRD_cache 0 dict def -}ifelse -/AGMCORE_key_known -{ - where{ - /Adobe_AGM_Core_Id known - 
}{ - false - }ifelse -}ndf -/flushinput -{ - save - 2 dict begin - /CompareBuffer 3 -1 roll def - /readbuffer 256 string def - mark - { - currentfile readbuffer {readline} stopped - {cleartomark mark} - { - not - {pop exit} - if - CompareBuffer eq - {exit} - if - }ifelse - }loop - cleartomark - end - restore -}bdf -/getspotfunction -{ - AGMCORE_screen exch pop exch pop - dup type /dicttype eq{ - dup /HalftoneType get 1 eq{ - /SpotFunction get - }{ - dup /HalftoneType get 2 eq{ - /GraySpotFunction get - }{ - pop - { - abs exch abs 2 copy add 1 gt{ - 1 sub dup mul exch 1 sub dup mul add 1 sub - }{ - dup mul exch dup mul add 1 exch sub - }ifelse - }bind - }ifelse - }ifelse - }if -} def -/clp_npth -{ - clip newpath -} def -/eoclp_npth -{ - eoclip newpath -} def -/npth_clp -{ - newpath clip -} def -/add_grad -{ - AGMCORE_gradientcache 3 1 roll put -}bdf -/exec_grad -{ - AGMCORE_gradientcache exch get exec -}bdf -/graphic_setup -{ - /AGMCORE_graphicsave save def - concat - 0 setgray - 0 setlinecap - 0 setlinejoin - 1 setlinewidth - [] 0 setdash - 10 setmiterlimit - newpath - false setoverprint - false setstrokeadjust - Adobe_AGM_Core/spot_alias get exec - /Adobe_AGM_Image where { - pop - Adobe_AGM_Image/spot_alias 2 copy known{ - get exec - }{ - pop pop - }ifelse - } if - 100 dict begin - /dictstackcount countdictstack def - /showpage {} def - mark -} def -/graphic_cleanup -{ - cleartomark - dictstackcount 1 countdictstack 1 sub {end}for - end - AGMCORE_graphicsave restore -} def -/compose_error_msg -{ - grestoreall initgraphics - /Helvetica findfont 10 scalefont setfont - /AGMCORE_deltaY 100 def - /AGMCORE_deltaX 310 def - clippath pathbbox newpath pop pop 36 add exch 36 add exch moveto - 0 AGMCORE_deltaY rlineto AGMCORE_deltaX 0 rlineto - 0 AGMCORE_deltaY neg rlineto AGMCORE_deltaX neg 0 rlineto closepath - 0 AGMCORE_&setgray - gsave 1 AGMCORE_&setgray fill grestore - 1 setlinewidth gsave stroke grestore - currentpoint AGMCORE_deltaY 15 sub add exch 8 add exch moveto - 
/AGMCORE_deltaY 12 def - /AGMCORE_tmp 0 def - AGMCORE_err_strings exch get - { - dup 32 eq - { - pop - AGMCORE_str256 0 AGMCORE_tmp getinterval - stringwidth pop currentpoint pop add AGMCORE_deltaX 28 add gt - { - currentpoint AGMCORE_deltaY sub exch pop - clippath pathbbox pop pop pop 44 add exch moveto - } if - AGMCORE_str256 0 AGMCORE_tmp getinterval show ( ) show - 0 1 AGMCORE_str256 length 1 sub - { - AGMCORE_str256 exch 0 put - }for - /AGMCORE_tmp 0 def - } - { - AGMCORE_str256 exch AGMCORE_tmp xpt - /AGMCORE_tmp AGMCORE_tmp 1 add def - } ifelse - } forall -} bdf -/doc_setup{ - Adobe_AGM_Core begin - /AGMCORE_ps_version xdf - /AGMCORE_ps_level xdf - errordict /AGM_handleerror known not{ - errordict /AGM_handleerror errordict /handleerror get put - errordict /handleerror { - Adobe_AGM_Core begin - $error /newerror get AGMCORE_cur_err null ne and{ - $error /newerror false put - AGMCORE_cur_err compose_error_msg - }if - $error /newerror true put - end - errordict /AGM_handleerror get exec - } bind put - }if - /AGMCORE_environ_ok - ps_level AGMCORE_ps_level ge - ps_version AGMCORE_ps_version ge and - AGMCORE_ps_level -1 eq or - def - AGMCORE_environ_ok not - {/AGMCORE_cur_err /AGMCORE_bad_environ def} if - /AGMCORE_&setgray systemdict/setgray get def - level2{ - /AGMCORE_&setcolor systemdict/setcolor get def - /AGMCORE_&setcolorspace systemdict/setcolorspace get def - }if - /AGMCORE_currentbg currentblackgeneration def - /AGMCORE_currentucr currentundercolorremoval def - /AGMCORE_distilling - /product where{ - pop systemdict/setdistillerparams known product (Adobe PostScript Parser) ne and - }{ - false - }ifelse - def - level2 not{ - /xput{ - dup load dup length exch maxlength eq{ - dup dup load dup - length dup 0 eq {pop 1} if 2 mul dict copy def - }if - load begin - def - end - }def - }{ - /xput{ - load 3 1 roll put - }def - }ifelse - /AGMCORE_GSTATE AGMCORE_key_known not{ - /AGMCORE_GSTATE 21 dict def - /AGMCORE_tmpmatrix matrix def - /AGMCORE_gstack 32 array 
def - /AGMCORE_gstackptr 0 def - /AGMCORE_gstacksaveptr 0 def - /AGMCORE_gstackframekeys 10 def - /AGMCORE_&gsave /gsave ldf - /AGMCORE_&grestore /grestore ldf - /AGMCORE_&grestoreall /grestoreall ldf - /AGMCORE_&save /save ldf - /AGMCORE_gdictcopy { - begin - { def } forall - end - }def - /AGMCORE_gput { - AGMCORE_gstack AGMCORE_gstackptr get - 3 1 roll - put - }def - /AGMCORE_gget { - AGMCORE_gstack AGMCORE_gstackptr get - exch - get - }def - /gsave { - AGMCORE_&gsave - AGMCORE_gstack AGMCORE_gstackptr get - AGMCORE_gstackptr 1 add - dup 32 ge {limitcheck} if - Adobe_AGM_Core exch - /AGMCORE_gstackptr xpt - AGMCORE_gstack AGMCORE_gstackptr get - AGMCORE_gdictcopy - }def - /grestore { - AGMCORE_&grestore - AGMCORE_gstackptr 1 sub - dup AGMCORE_gstacksaveptr lt {1 add} if - Adobe_AGM_Core exch - /AGMCORE_gstackptr xpt - }def - /grestoreall { - AGMCORE_&grestoreall - Adobe_AGM_Core - /AGMCORE_gstackptr AGMCORE_gstacksaveptr put - }def - /save { - AGMCORE_&save - AGMCORE_gstack AGMCORE_gstackptr get - AGMCORE_gstackptr 1 add - dup 32 ge {limitcheck} if - Adobe_AGM_Core begin - /AGMCORE_gstackptr exch def - /AGMCORE_gstacksaveptr AGMCORE_gstackptr def - end - AGMCORE_gstack AGMCORE_gstackptr get - AGMCORE_gdictcopy - }def - 0 1 AGMCORE_gstack length 1 sub { - AGMCORE_gstack exch AGMCORE_gstackframekeys dict put - } for - }if - level3 /AGMCORE_&sysshfill AGMCORE_key_known not and - { - /AGMCORE_&sysshfill systemdict/shfill get def - /AGMCORE_&usrshfill /shfill load def - /AGMCORE_&sysmakepattern systemdict/makepattern get def - /AGMCORE_&usrmakepattern /makepattern load def - }if - /currentcmykcolor [0 0 0 0] AGMCORE_gput - /currentstrokeadjust false AGMCORE_gput - /currentcolorspace [/DeviceGray] AGMCORE_gput - /sep_tint 0 AGMCORE_gput - /devicen_tints [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] AGMCORE_gput - /sep_colorspace_dict null AGMCORE_gput - /devicen_colorspace_dict null AGMCORE_gput - /indexed_colorspace_dict null AGMCORE_gput - 
/currentcolor_intent () AGMCORE_gput - /customcolor_tint 1 AGMCORE_gput - << - /MaxPatternItem currentsystemparams /MaxPatternCache get - >> - setuserparams - end -}def -/page_setup -{ - /setcmykcolor where{ - pop - Adobe_AGM_Core/AGMCORE_&setcmykcolor /setcmykcolor load put - }if - Adobe_AGM_Core begin - /setcmykcolor - { - 4 copy AGMCORE_cmykbuf astore /currentcmykcolor exch AGMCORE_gput - 1 sub 4 1 roll - 3 { - 3 index add neg dup 0 lt { - pop 0 - } if - 3 1 roll - } repeat - setrgbcolor pop - }ndf - /currentcmykcolor - { - /currentcmykcolor AGMCORE_gget aload pop - }ndf - /setoverprint - { - pop - }ndf - /currentoverprint - { - false - }ndf - /AGMCORE_deviceDPI 72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt def - /AGMCORE_cyan_plate 1 0 0 0 test_cmyk_color_plate def - /AGMCORE_magenta_plate 0 1 0 0 test_cmyk_color_plate def - /AGMCORE_yellow_plate 0 0 1 0 test_cmyk_color_plate def - /AGMCORE_black_plate 0 0 0 1 test_cmyk_color_plate def - /AGMCORE_plate_ndx - AGMCORE_cyan_plate{ - 0 - }{ - AGMCORE_magenta_plate{ - 1 - }{ - AGMCORE_yellow_plate{ - 2 - }{ - AGMCORE_black_plate{ - 3 - }{ - 4 - }ifelse - }ifelse - }ifelse - }ifelse - def - /AGMCORE_have_reported_unsupported_color_space false def - /AGMCORE_report_unsupported_color_space - { - AGMCORE_have_reported_unsupported_color_space false eq - { - (Warning: Job contains content that cannot be separated with on-host methods. This content appears on the black plate, and knocks out all other plates.) 
== - Adobe_AGM_Core /AGMCORE_have_reported_unsupported_color_space true ddf - } if - }def - /AGMCORE_composite_job - AGMCORE_cyan_plate AGMCORE_magenta_plate and AGMCORE_yellow_plate and AGMCORE_black_plate and def - /AGMCORE_in_rip_sep - /AGMCORE_in_rip_sep where{ - pop AGMCORE_in_rip_sep - }{ - AGMCORE_distilling - { - false - }{ - userdict/Adobe_AGM_OnHost_Seps known{ - false - }{ - level2{ - currentpagedevice/Separations 2 copy known{ - get - }{ - pop pop false - }ifelse - }{ - false - }ifelse - }ifelse - }ifelse - }ifelse - def - /AGMCORE_producing_seps AGMCORE_composite_job not AGMCORE_in_rip_sep or def - /AGMCORE_host_sep AGMCORE_producing_seps AGMCORE_in_rip_sep not and def - /AGM_preserve_spots - /AGM_preserve_spots where{ - pop AGM_preserve_spots - }{ - AGMCORE_distilling AGMCORE_producing_seps or - }ifelse - def - /AGM_is_distiller_preserving_spotimages - { - currentdistillerparams/PreserveOverprintSettings known - { - currentdistillerparams/PreserveOverprintSettings get - { - currentdistillerparams/ColorConversionStrategy known - { - currentdistillerparams/ColorConversionStrategy get - /LeaveColorUnchanged eq - }{ - true - }ifelse - }{ - false - }ifelse - }{ - false - }ifelse - }def - /convert_spot_to_process where {pop}{ - /convert_spot_to_process - { - dup map_alias { - /Name get exch pop - } if - dup dup (None) eq exch (All) eq or - { - pop false - }{ - AGMCORE_host_sep - { - gsave - 1 0 0 0 setcmykcolor currentgray 1 exch sub - 0 1 0 0 setcmykcolor currentgray 1 exch sub - 0 0 1 0 setcmykcolor currentgray 1 exch sub - 0 0 0 1 setcmykcolor currentgray 1 exch sub - add add add 0 eq - { - pop false - }{ - false setoverprint - 1 1 1 1 5 -1 roll findcmykcustomcolor 1 setcustomcolor - currentgray 0 eq - }ifelse - grestore - }{ - AGMCORE_distilling - { - pop AGM_is_distiller_preserving_spotimages not - }{ - Adobe_AGM_Core/AGMCORE_name xddf - false - Adobe_AGM_Core/AGMCORE_in_pattern known {Adobe_AGM_Core/AGMCORE_in_pattern get}{false} ifelse - not 
currentpagedevice/OverrideSeparations known and - { - currentpagedevice/OverrideSeparations get - { - /HqnSpots /ProcSet resourcestatus - { - pop pop pop true - }if - }if - }if - { - AGMCORE_name /HqnSpots /ProcSet findresource /TestSpot get exec not - }{ - gsave - [/Separation AGMCORE_name /DeviceGray {}]setcolorspace - false - currentpagedevice/SeparationColorNames 2 copy known - { - get - { AGMCORE_name eq or}forall - not - }{ - pop pop pop true - }ifelse - grestore - }ifelse - }ifelse - }ifelse - }ifelse - }def - }ifelse - /convert_to_process where {pop}{ - /convert_to_process - { - dup length 0 eq - { - pop false - }{ - AGMCORE_host_sep - { - dup true exch - { - dup (Cyan) eq exch - dup (Magenta) eq 3 -1 roll or exch - dup (Yellow) eq 3 -1 roll or exch - dup (Black) eq 3 -1 roll or - {pop} - {convert_spot_to_process and}ifelse - } - forall - { - true exch - { - dup (Cyan) eq exch - dup (Magenta) eq 3 -1 roll or exch - dup (Yellow) eq 3 -1 roll or exch - (Black) eq or and - }forall - not - }{pop false}ifelse - }{ - false exch - { - dup (Cyan) eq exch - dup (Magenta) eq 3 -1 roll or exch - dup (Yellow) eq 3 -1 roll or exch - dup (Black) eq 3 -1 roll or - {pop} - {convert_spot_to_process or}ifelse - } - forall - }ifelse - }ifelse - }def - }ifelse - /AGMCORE_avoid_L2_sep_space - version cvr 2012 lt - level2 and - AGMCORE_producing_seps not and - def - /AGMCORE_is_cmyk_sep - AGMCORE_cyan_plate AGMCORE_magenta_plate or AGMCORE_yellow_plate or AGMCORE_black_plate or - def - /AGM_avoid_0_cmyk where{ - pop AGM_avoid_0_cmyk - }{ - AGM_preserve_spots - userdict/Adobe_AGM_OnHost_Seps known - userdict/Adobe_AGM_InRip_Seps known or - not and - }ifelse - { - /setcmykcolor[ - { - 4 copy add add add 0 eq currentoverprint and{ - pop 0.0005 - }if - }/exec cvx - /AGMCORE_&setcmykcolor load dup type/operatortype ne{ - /exec cvx - }if - ]cvx def - }if - AGMCORE_host_sep{ - /setcolortransfer - { - AGMCORE_cyan_plate{ - pop pop pop - }{ - AGMCORE_magenta_plate{ - 4 3 roll pop pop pop 
- }{ - AGMCORE_yellow_plate{ - 4 2 roll pop pop pop - }{ - 4 1 roll pop pop pop - }ifelse - }ifelse - }ifelse - settransfer - } - def - /AGMCORE_get_ink_data - AGMCORE_cyan_plate{ - {pop pop pop} - }{ - AGMCORE_magenta_plate{ - {4 3 roll pop pop pop} - }{ - AGMCORE_yellow_plate{ - {4 2 roll pop pop pop} - }{ - {4 1 roll pop pop pop} - }ifelse - }ifelse - }ifelse - def - /AGMCORE_RemoveProcessColorNames - { - 1 dict begin - /filtername - { - dup /Cyan eq 1 index (Cyan) eq or - {pop (_cyan_)}if - dup /Magenta eq 1 index (Magenta) eq or - {pop (_magenta_)}if - dup /Yellow eq 1 index (Yellow) eq or - {pop (_yellow_)}if - dup /Black eq 1 index (Black) eq or - {pop (_black_)}if - }def - dup type /arraytype eq - {[exch {filtername}forall]} - {filtername}ifelse - end - }def - /AGMCORE_IsSeparationAProcessColor - { - dup (Cyan) eq exch dup (Magenta) eq exch dup (Yellow) eq exch (Black) eq or or or - }def - level3 { - /AGMCORE_IsCurrentColor - { - gsave - false setoverprint - 1 1 1 1 5 -1 roll findcmykcustomcolor 1 setcustomcolor - currentgray 0 eq - grestore - }def - /AGMCORE_filter_functiondatasource - { - 5 dict begin - /data_in xdf - data_in type /stringtype eq - { - /ncomp xdf - /comp xdf - /string_out data_in length ncomp idiv string def - 0 ncomp data_in length 1 sub - { - string_out exch dup ncomp idiv exch data_in exch ncomp getinterval comp get 255 exch sub put - }for - string_out - }{ - string /string_in xdf - /string_out 1 string def - /component xdf - [ - data_in string_in /readstring cvx - [component /get cvx 255 /exch cvx /sub cvx string_out /exch cvx 0 /exch cvx /put cvx string_out]cvx - [/pop cvx ()]cvx /ifelse cvx - ]cvx /ReusableStreamDecode filter - }ifelse - end - }def - /AGMCORE_separateShadingFunction - { - 2 dict begin - /paint? 
xdf - /channel xdf - begin - FunctionType 0 eq - { - /DataSource channel Range length 2 idiv DataSource AGMCORE_filter_functiondatasource def - currentdict /Decode known - {/Decode Decode channel 2 mul 2 getinterval def}if - paint? not - {/Decode [1 1]def}if - }if - FunctionType 2 eq - { - paint? - { - /C0 [C0 channel get 1 exch sub] def - /C1 [C1 channel get 1 exch sub] def - }{ - /C0 [1] def - /C1 [1] def - }ifelse - }if - FunctionType 3 eq - { - /Functions [Functions {channel paint? AGMCORE_separateShadingFunction} forall] def - }if - currentdict /Range known - {/Range [0 1] def}if - currentdict - end - end - }def - /AGMCORE_separateShading - { - 3 -1 roll begin - currentdict /Function known - { - currentdict /Background known - {[1 index{Background 3 index get 1 exch sub}{1}ifelse]/Background xdf}if - Function 3 1 roll AGMCORE_separateShadingFunction /Function xdf - /ColorSpace [/DeviceGray] def - }{ - ColorSpace dup type /arraytype eq {0 get}if /DeviceCMYK eq - { - /ColorSpace [/DeviceN [/_cyan_ /_magenta_ /_yellow_ /_black_] /DeviceCMYK {}] def - }{ - ColorSpace dup 1 get AGMCORE_RemoveProcessColorNames 1 exch put - }ifelse - ColorSpace 0 get /Separation eq - { - { - [1 /exch cvx /sub cvx]cvx - }{ - [/pop cvx 1]cvx - }ifelse - ColorSpace 3 3 -1 roll put - pop - }{ - { - [exch ColorSpace 1 get length 1 sub exch sub /index cvx 1 /exch cvx /sub cvx ColorSpace 1 get length 1 add 1 /roll cvx ColorSpace 1 get length{/pop cvx} repeat]cvx - }{ - pop [ColorSpace 1 get length {/pop cvx} repeat cvx 1]cvx - }ifelse - ColorSpace 3 3 -1 roll bind put - }ifelse - ColorSpace 2 /DeviceGray put - }ifelse - end - }def - /AGMCORE_separateShadingDict - { - dup /ColorSpace get - dup type /arraytype ne - {[exch]}if - dup 0 get /DeviceCMYK eq - { - exch begin - currentdict - AGMCORE_cyan_plate - {0 true}if - AGMCORE_magenta_plate - {1 true}if - AGMCORE_yellow_plate - {2 true}if - AGMCORE_black_plate - {3 true}if - AGMCORE_plate_ndx 4 eq - {0 false}if - dup not currentoverprint and - 
{/AGMCORE_ignoreshade true def}if - AGMCORE_separateShading - currentdict - end exch - }if - dup 0 get /Separation eq - { - exch begin - ColorSpace 1 get dup /None ne exch /All ne and - { - ColorSpace 1 get AGMCORE_IsCurrentColor AGMCORE_plate_ndx 4 lt and ColorSpace 1 get AGMCORE_IsSeparationAProcessColor not and - { - ColorSpace 2 get dup type /arraytype eq {0 get}if /DeviceCMYK eq - { - /ColorSpace - [ - /Separation - ColorSpace 1 get - /DeviceGray - [ - ColorSpace 3 get /exec cvx - 4 AGMCORE_plate_ndx sub -1 /roll cvx - 4 1 /roll cvx - 3 [/pop cvx]cvx /repeat cvx - 1 /exch cvx /sub cvx - ]cvx - ]def - }{ - AGMCORE_report_unsupported_color_space - AGMCORE_black_plate not - { - currentdict 0 false AGMCORE_separateShading - }if - }ifelse - }{ - currentdict ColorSpace 1 get AGMCORE_IsCurrentColor - 0 exch - dup not currentoverprint and - {/AGMCORE_ignoreshade true def}if - AGMCORE_separateShading - }ifelse - }if - currentdict - end exch - }if - dup 0 get /DeviceN eq - { - exch begin - ColorSpace 1 get convert_to_process - { - ColorSpace 2 get dup type /arraytype eq {0 get}if /DeviceCMYK eq - { - /ColorSpace - [ - /DeviceN - ColorSpace 1 get - /DeviceGray - [ - ColorSpace 3 get /exec cvx - 4 AGMCORE_plate_ndx sub -1 /roll cvx - 4 1 /roll cvx - 3 [/pop cvx]cvx /repeat cvx - 1 /exch cvx /sub cvx - ]cvx - ]def - }{ - AGMCORE_report_unsupported_color_space - AGMCORE_black_plate not - { - currentdict 0 false AGMCORE_separateShading - /ColorSpace [/DeviceGray] def - }if - }ifelse - }{ - currentdict - false -1 ColorSpace 1 get - { - AGMCORE_IsCurrentColor - { - 1 add - exch pop true exch exit - }if - 1 add - }forall - exch - dup not currentoverprint and - {/AGMCORE_ignoreshade true def}if - AGMCORE_separateShading - }ifelse - currentdict - end exch - }if - dup 0 get dup /DeviceCMYK eq exch dup /Separation eq exch /DeviceN eq or or not - { - exch begin - ColorSpace dup type /arraytype eq - {0 get}if - /DeviceGray ne - { - AGMCORE_report_unsupported_color_space - 
AGMCORE_black_plate not - { - ColorSpace 0 get /CIEBasedA eq - { - /ColorSpace [/Separation /_ciebaseda_ /DeviceGray {}] def - }if - ColorSpace 0 get dup /CIEBasedABC eq exch dup /CIEBasedDEF eq exch /DeviceRGB eq or or - { - /ColorSpace [/DeviceN [/_red_ /_green_ /_blue_] /DeviceRGB {}] def - }if - ColorSpace 0 get /CIEBasedDEFG eq - { - /ColorSpace [/DeviceN [/_cyan_ /_magenta_ /_yellow_ /_black_] /DeviceCMYK {}] - }if - currentdict 0 false AGMCORE_separateShading - }if - }if - currentdict - end exch - }if - pop - dup /AGMCORE_ignoreshade known - { - begin - /ColorSpace [/Separation (None) /DeviceGray {}] def - currentdict end - }if - }def - /shfill - { - clonedict - AGMCORE_separateShadingDict - dup /AGMCORE_ignoreshade known - {pop} - {AGMCORE_&sysshfill}ifelse - }def - /makepattern - { - exch - dup /PatternType get 2 eq - { - clonedict - begin - /Shading Shading AGMCORE_separateShadingDict def - currentdict end - exch AGMCORE_&sysmakepattern - }{ - exch AGMCORE_&usrmakepattern - }ifelse - }def - }if - }if - AGMCORE_in_rip_sep{ - /setcustomcolor - { - exch aload pop - dup 7 1 roll inRip_spot_has_ink not { - 4 {4 index mul 4 1 roll} - repeat - /DeviceCMYK setcolorspace - 6 -2 roll pop pop - }{ - Adobe_AGM_Core begin - /AGMCORE_k xdf /AGMCORE_y xdf /AGMCORE_m xdf /AGMCORE_c xdf - end - [/Separation 4 -1 roll /DeviceCMYK - {dup AGMCORE_c mul exch dup AGMCORE_m mul exch dup AGMCORE_y mul exch AGMCORE_k mul} - ] - setcolorspace - }ifelse - setcolor - }ndf - /setseparationgray - { - [/Separation (All) /DeviceGray {}] setcolorspace_opt - 1 exch sub setcolor - }ndf - }{ - /setseparationgray - { - AGMCORE_&setgray - }ndf - }ifelse - /findcmykcustomcolor - { - 5 makereadonlyarray - }ndf - /setcustomcolor - { - exch aload pop pop - 4 {4 index mul 4 1 roll} repeat - setcmykcolor pop - }ndf - /has_color - /colorimage where{ - AGMCORE_producing_seps{ - pop true - }{ - systemdict eq - }ifelse - }{ - false - }ifelse - def - /map_index - { - 1 index mul exch getinterval {255 
div} forall - } bdf - /map_indexed_devn - { - Lookup Names length 3 -1 roll cvi map_index - } bdf - /n_color_components - { - base_colorspace_type - dup /DeviceGray eq{ - pop 1 - }{ - /DeviceCMYK eq{ - 4 - }{ - 3 - }ifelse - }ifelse - }bdf - level2{ - /mo /moveto ldf - /li /lineto ldf - /cv /curveto ldf - /knockout_unitsq - { - 1 setgray - 0 0 1 1 rectfill - }def - /level2ScreenFreq{ - begin - 60 - HalftoneType 1 eq{ - pop Frequency - }if - HalftoneType 2 eq{ - pop GrayFrequency - }if - HalftoneType 5 eq{ - pop Default level2ScreenFreq - }if - end - }def - /currentScreenFreq{ - currenthalftone level2ScreenFreq - }def - level2 /setcolorspace AGMCORE_key_known not and{ - /AGMCORE_&&&setcolorspace /setcolorspace ldf - /AGMCORE_ReplaceMappedColor - { - dup type dup /arraytype eq exch /packedarraytype eq or - { - dup 0 get dup /Separation eq - { - pop - dup length array copy - dup dup 1 get - current_spot_alias - { - dup map_alias - { - begin - /sep_colorspace_dict currentdict AGMCORE_gput - pop pop pop - [ - /Separation Name - CSA map_csa - dup /MappedCSA xdf - /sep_colorspace_proc load - ] - dup Name - end - }if - }if - map_reserved_ink_name 1 xpt - }{ - /DeviceN eq - { - dup length array copy - dup dup 1 get [ - exch { - current_spot_alias{ - dup map_alias{ - /Name get exch pop - }if - }if - map_reserved_ink_name - } forall - ] 1 xpt - }if - }ifelse - }if - }def - /setcolorspace - { - dup type dup /arraytype eq exch /packedarraytype eq or - { - dup 0 get /Indexed eq - { - AGMCORE_distilling - { - /PhotoshopDuotoneList where - { - pop false - }{ - true - }ifelse - }{ - true - }ifelse - { - aload pop 3 -1 roll - AGMCORE_ReplaceMappedColor - 3 1 roll 4 array astore - }if - }{ - AGMCORE_ReplaceMappedColor - }ifelse - }if - DeviceN_PS2_inRip_seps {AGMCORE_&&&setcolorspace} if - }def - }if - }{ - /adj - { - currentstrokeadjust{ - transform - 0.25 sub round 0.25 add exch - 0.25 sub round 0.25 add exch - itransform - }if - }def - /mo{ - adj moveto - }def - /li{ - adj lineto 
- }def - /cv{ - 6 2 roll adj - 6 2 roll adj - 6 2 roll adj curveto - }def - /knockout_unitsq - { - 1 setgray - 8 8 1 [8 0 0 8 0 0] {} image - }def - /currentstrokeadjust{ - /currentstrokeadjust AGMCORE_gget - }def - /setstrokeadjust{ - /currentstrokeadjust exch AGMCORE_gput - }def - /currentScreenFreq{ - currentscreen pop pop - }def - /setcolorspace - { - /currentcolorspace exch AGMCORE_gput - } def - /currentcolorspace - { - /currentcolorspace AGMCORE_gget - } def - /setcolor_devicecolor - { - base_colorspace_type - dup /DeviceGray eq{ - pop setgray - }{ - /DeviceCMYK eq{ - setcmykcolor - }{ - setrgbcolor - }ifelse - }ifelse - }def - /setcolor - { - currentcolorspace 0 get - dup /DeviceGray ne{ - dup /DeviceCMYK ne{ - dup /DeviceRGB ne{ - dup /Separation eq{ - pop - currentcolorspace 3 get exec - currentcolorspace 2 get - }{ - dup /Indexed eq{ - pop - currentcolorspace 3 get dup type /stringtype eq{ - currentcolorspace 1 get n_color_components - 3 -1 roll map_index - }{ - exec - }ifelse - currentcolorspace 1 get - }{ - /AGMCORE_cur_err /AGMCORE_invalid_color_space def - AGMCORE_invalid_color_space - }ifelse - }ifelse - }if - }if - }if - setcolor_devicecolor - } def - }ifelse - /sop /setoverprint ldf - /lw /setlinewidth ldf - /lc /setlinecap ldf - /lj /setlinejoin ldf - /ml /setmiterlimit ldf - /dsh /setdash ldf - /sadj /setstrokeadjust ldf - /gry /setgray ldf - /rgb /setrgbcolor ldf - /cmyk /setcmykcolor ldf - /sep /setsepcolor ldf - /devn /setdevicencolor ldf - /idx /setindexedcolor ldf - /colr /setcolor ldf - /csacrd /set_csa_crd ldf - /sepcs /setsepcolorspace ldf - /devncs /setdevicencolorspace ldf - /idxcs /setindexedcolorspace ldf - /cp /closepath ldf - /clp /clp_npth ldf - /eclp /eoclp_npth ldf - /f /fill ldf - /ef /eofill ldf - /@ /stroke ldf - /nclp /npth_clp ldf - /gset /graphic_setup ldf - /gcln /graphic_cleanup ldf - currentdict{ - dup xcheck 1 index type dup /arraytype eq exch /packedarraytype eq or and { - bind - }if - def - }forall - 
/currentpagedevice currentpagedevice def -/getrampcolor { -/indx exch def -0 1 NumComp 1 sub { -dup -Samples exch get -dup type /stringtype eq { indx get } if -exch -Scaling exch get aload pop -3 1 roll -mul add -} for -ColorSpaceFamily /Separation eq - { - sep - } - { - ColorSpaceFamily /DeviceN eq - { - devn - } - { - setcolor - }ifelse - }ifelse -} bind def -/sssetbackground { aload pop setcolor } bind def -/RadialShade { -40 dict begin -/ColorSpaceFamily exch def -/background exch def -/ext1 exch def -/ext0 exch def -/BBox exch def -/r2 exch def -/c2y exch def -/c2x exch def -/r1 exch def -/c1y exch def -/c1x exch def -/rampdict exch def -/setinkoverprint where {pop /setinkoverprint{pop}def}if -gsave -BBox length 0 gt { -newpath -BBox 0 get BBox 1 get moveto -BBox 2 get BBox 0 get sub 0 rlineto -0 BBox 3 get BBox 1 get sub rlineto -BBox 2 get BBox 0 get sub neg 0 rlineto -closepath -clip -newpath -} if -c1x c2x eq -{ -c1y c2y lt {/theta 90 def}{/theta 270 def} ifelse -} -{ -/slope c2y c1y sub c2x c1x sub div def -/theta slope 1 atan def -c2x c1x lt c2y c1y ge and { /theta theta 180 sub def} if -c2x c1x lt c2y c1y lt and { /theta theta 180 add def} if -} -ifelse -gsave -clippath -c1x c1y translate -theta rotate --90 rotate -{ pathbbox } stopped -{ 0 0 0 0 } if -/yMax exch def -/xMax exch def -/yMin exch def -/xMin exch def -grestore -xMax xMin eq yMax yMin eq or -{ -grestore -end -} -{ -/max { 2 copy gt { pop } {exch pop} ifelse } bind def -/min { 2 copy lt { pop } {exch pop} ifelse } bind def -rampdict begin -40 dict begin -background length 0 gt { background sssetbackground gsave clippath fill grestore } if -gsave -c1x c1y translate -theta rotate --90 rotate -/c2y c1x c2x sub dup mul c1y c2y sub dup mul add sqrt def -/c1y 0 def -/c1x 0 def -/c2x 0 def -ext0 { -0 getrampcolor -c2y r2 add r1 sub 0.0001 lt -{ -c1x c1y r1 360 0 arcn -pathbbox -/aymax exch def -/axmax exch def -/aymin exch def -/axmin exch def -/bxMin xMin axmin min def -/byMin yMin aymin min def 
-/bxMax xMax axmax max def -/byMax yMax aymax max def -bxMin byMin moveto -bxMax byMin lineto -bxMax byMax lineto -bxMin byMax lineto -bxMin byMin lineto -eofill -} -{ -c2y r1 add r2 le -{ -c1x c1y r1 0 360 arc -fill -} -{ -c2x c2y r2 0 360 arc fill -r1 r2 eq -{ -/p1x r1 neg def -/p1y c1y def -/p2x r1 def -/p2y c1y def -p1x p1y moveto p2x p2y lineto p2x yMin lineto p1x yMin lineto -fill -} -{ -/AA r2 r1 sub c2y div def -/theta AA 1 AA dup mul sub sqrt div 1 atan def -/SS1 90 theta add dup sin exch cos div def -/p1x r1 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def -/p1y p1x SS1 div neg def -/SS2 90 theta sub dup sin exch cos div def -/p2x r1 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def -/p2y p2x SS2 div neg def -r1 r2 gt -{ -/L1maxX p1x yMin p1y sub SS1 div add def -/L2maxX p2x yMin p2y sub SS2 div add def -} -{ -/L1maxX 0 def -/L2maxX 0 def -}ifelse -p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto -L1maxX L1maxX p1x sub SS1 mul p1y add lineto -fill -} -ifelse -} -ifelse -} ifelse -} if -c1x c2x sub dup mul -c1y c2y sub dup mul -add 0.5 exp -0 dtransform -dup mul exch dup mul add 0.5 exp 72 div -0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt -72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt -1 index 1 index lt { exch } if pop -/hires exch def -hires mul -/numpix exch def -/numsteps NumSamples def -/rampIndxInc 1 def -/subsampling false def -numpix 0 ne -{ -NumSamples numpix div 0.5 gt -{ -/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def -/rampIndxInc NumSamples 1 sub numsteps div def -/subsampling true def -} if -} if -/xInc c2x c1x sub numsteps div def -/yInc c2y c1y sub numsteps div def -/rInc r2 r1 sub numsteps div def -/cx c1x def -/cy c1y def -/radius r1 def -newpath -xInc 0 eq yInc 0 eq rInc 0 eq and and -{ -0 getrampcolor -cx cy radius 0 360 arc -stroke -NumSamples 1 sub getrampcolor -cx cy radius 72 hires div add 0 360 arc -0 setlinewidth -stroke -} -{ -0 -numsteps -{ -dup 
-subsampling { round cvi } if -getrampcolor -cx cy radius 0 360 arc -/cx cx xInc add def -/cy cy yInc add def -/radius radius rInc add def -cx cy radius 360 0 arcn -eofill -rampIndxInc add -} -repeat -pop -} ifelse -ext1 { -c2y r2 add r1 lt -{ -c2x c2y r2 0 360 arc -fill -} -{ -c2y r1 add r2 sub 0.0001 le -{ -c2x c2y r2 360 0 arcn -pathbbox -/aymax exch def -/axmax exch def -/aymin exch def -/axmin exch def -/bxMin xMin axmin min def -/byMin yMin aymin min def -/bxMax xMax axmax max def -/byMax yMax aymax max def -bxMin byMin moveto -bxMax byMin lineto -bxMax byMax lineto -bxMin byMax lineto -bxMin byMin lineto -eofill -} -{ -c2x c2y r2 0 360 arc fill -r1 r2 eq -{ -/p1x r2 neg def -/p1y c2y def -/p2x r2 def -/p2y c2y def -p1x p1y moveto p2x p2y lineto p2x yMax lineto p1x yMax lineto -fill -} -{ -/AA r2 r1 sub c2y div def -/theta AA 1 AA dup mul sub sqrt div 1 atan def -/SS1 90 theta add dup sin exch cos div def -/p1x r2 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def -/p1y c2y p1x SS1 div sub def -/SS2 90 theta sub dup sin exch cos div def -/p2x r2 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def -/p2y c2y p2x SS2 div sub def -r1 r2 lt -{ -/L1maxX p1x yMax p1y sub SS1 div add def -/L2maxX p2x yMax p2y sub SS2 div add def -} -{ -/L1maxX 0 def -/L2maxX 0 def -}ifelse -p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto -L1maxX L1maxX p1x sub SS1 mul p1y add lineto -fill -} -ifelse -} -ifelse -} ifelse -} if -grestore -grestore -end -end -end -} ifelse -} bind def -/GenStrips { -40 dict begin -/ColorSpaceFamily exch def -/background exch def -/ext1 exch def -/ext0 exch def -/BBox exch def -/y2 exch def -/x2 exch def -/y1 exch def -/x1 exch def -/rampdict exch def -/setinkoverprint where {pop /setinkoverprint{pop}def}if -gsave -BBox length 0 gt { -newpath -BBox 0 get BBox 1 get moveto -BBox 2 get BBox 0 get sub 0 rlineto -0 BBox 3 get BBox 1 get sub rlineto -BBox 2 get BBox 0 get sub neg 0 rlineto -closepath -clip -newpath -} if -x1 x2 eq -{ -y1 
y2 lt {/theta 90 def}{/theta 270 def} ifelse -} -{ -/slope y2 y1 sub x2 x1 sub div def -/theta slope 1 atan def -x2 x1 lt y2 y1 ge and { /theta theta 180 sub def} if -x2 x1 lt y2 y1 lt and { /theta theta 180 add def} if -} -ifelse -gsave -clippath -x1 y1 translate -theta rotate -{ pathbbox } stopped -{ 0 0 0 0 } if -/yMax exch def -/xMax exch def -/yMin exch def -/xMin exch def -grestore -xMax xMin eq yMax yMin eq or -{ -grestore -end -} -{ -rampdict begin -20 dict begin -background length 0 gt { background sssetbackground gsave clippath fill grestore } if -gsave -x1 y1 translate -theta rotate -/xStart 0 def -/xEnd x2 x1 sub dup mul y2 y1 sub dup mul add 0.5 exp def -/ySpan yMax yMin sub def -/numsteps NumSamples def -/rampIndxInc 1 def -/subsampling false def -xStart 0 transform -xEnd 0 transform -3 -1 roll -sub dup mul -3 1 roll -sub dup mul -add 0.5 exp 72 div -0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt -72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt -1 index 1 index lt { exch } if pop -mul -/numpix exch def -numpix 0 ne -{ -NumSamples numpix div 0.5 gt -{ -/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def -/rampIndxInc NumSamples 1 sub numsteps div def -/subsampling true def -} if -} if -ext0 { -0 getrampcolor -xMin xStart lt -{ xMin yMin xMin neg ySpan rectfill } if -} if -/xInc xEnd xStart sub numsteps div def -/x xStart def -0 -numsteps -{ -dup -subsampling { round cvi } if -getrampcolor -x yMin xInc ySpan rectfill -/x x xInc add def -rampIndxInc add -} -repeat -pop -ext1 { -xMax xEnd gt -{ xEnd yMin xMax xEnd sub ySpan rectfill } if -} if -grestore -grestore -end -end -end -} ifelse -} bind def -}def -/page_trailer -{ - end -}def -/doc_trailer{ -}def -systemdict /findcolorrendering known{ - /findcolorrendering systemdict /findcolorrendering get def -}if -systemdict /setcolorrendering known{ - /setcolorrendering systemdict /setcolorrendering get def -}if -/test_cmyk_color_plate -{ - gsave - setcmykcolor 
currentgray 1 ne - grestore -}def -/inRip_spot_has_ink -{ - dup Adobe_AGM_Core/AGMCORE_name xddf - convert_spot_to_process not -}def -/map255_to_range -{ - 1 index sub - 3 -1 roll 255 div mul add -}def -/set_csa_crd -{ - /sep_colorspace_dict null AGMCORE_gput - begin - CSA map_csa setcolorspace_opt - set_crd - end -} -def -/setsepcolor -{ - /sep_colorspace_dict AGMCORE_gget begin - dup /sep_tint exch AGMCORE_gput - TintProc - end -} def -/setdevicencolor -{ - /devicen_colorspace_dict AGMCORE_gget begin - Names length copy - Names length 1 sub -1 0 - { - /devicen_tints AGMCORE_gget 3 1 roll xpt - } for - TintProc - end -} def -/sep_colorspace_proc -{ - Adobe_AGM_Core/AGMCORE_tmp xddf - /sep_colorspace_dict AGMCORE_gget begin - currentdict/Components known{ - Components aload pop - TintMethod/Lab eq{ - 2 {AGMCORE_tmp mul NComponents 1 roll} repeat - LMax sub AGMCORE_tmp mul LMax add NComponents 1 roll - }{ - TintMethod/Subtractive eq{ - NComponents{ - AGMCORE_tmp mul NComponents 1 roll - }repeat - }{ - NComponents{ - 1 sub AGMCORE_tmp mul 1 add NComponents 1 roll - } repeat - }ifelse - }ifelse - }{ - ColorLookup AGMCORE_tmp ColorLookup length 1 sub mul round cvi get - aload pop - }ifelse - end -} def -/sep_colorspace_gray_proc -{ - Adobe_AGM_Core/AGMCORE_tmp xddf - /sep_colorspace_dict AGMCORE_gget begin - GrayLookup AGMCORE_tmp GrayLookup length 1 sub mul round cvi get - end -} def -/sep_proc_name -{ - dup 0 get - dup /DeviceRGB eq exch /DeviceCMYK eq or level2 not and has_color not and{ - pop [/DeviceGray] - /sep_colorspace_gray_proc - }{ - /sep_colorspace_proc - }ifelse -} def -/setsepcolorspace -{ - current_spot_alias{ - dup begin - Name map_alias{ - exch pop - }if - end - }if - dup /sep_colorspace_dict exch AGMCORE_gput - begin - /MappedCSA CSA map_csa def - Adobe_AGM_Core/AGMCORE_sep_special Name dup () eq exch (All) eq or ddf - AGMCORE_avoid_L2_sep_space{ - [/Indexed MappedCSA sep_proc_name 255 exch - { 255 div } /exec cvx 3 -1 roll [ 4 1 roll load /exec cvx ] 
cvx - ] setcolorspace_opt - /TintProc { - 255 mul round cvi setcolor - }bdf - }{ - MappedCSA 0 get /DeviceCMYK eq - currentdict/Components known and - AGMCORE_sep_special not and{ - /TintProc [ - Components aload pop Name findcmykcustomcolor - /exch cvx /setcustomcolor cvx - ] cvx bdf - }{ - AGMCORE_host_sep Name (All) eq and{ - /TintProc { - 1 exch sub setseparationgray - }bdf - }{ - AGMCORE_in_rip_sep MappedCSA 0 get /DeviceCMYK eq and - AGMCORE_host_sep or - Name () eq and{ - /TintProc [ - MappedCSA sep_proc_name exch 0 get /DeviceCMYK eq{ - cvx /setcmykcolor cvx - }{ - cvx /setgray cvx - }ifelse - ] cvx bdf - }{ - AGMCORE_producing_seps MappedCSA 0 get dup /DeviceCMYK eq exch /DeviceGray eq or and AGMCORE_sep_special not and{ - /TintProc [ - /dup cvx - MappedCSA sep_proc_name cvx exch - 0 get /DeviceGray eq{ - 1 /exch cvx /sub cvx 0 0 0 4 -1 /roll cvx - }if - /Name cvx /findcmykcustomcolor cvx /exch cvx - AGMCORE_host_sep{ - AGMCORE_is_cmyk_sep - /Name cvx - /AGMCORE_IsSeparationAProcessColor load /exec cvx - /not cvx /and cvx - }{ - Name inRip_spot_has_ink not - }ifelse - [ - /pop cvx 1 - ] cvx /if cvx - /setcustomcolor cvx - ] cvx bdf - }{ - /TintProc /setcolor ldf - [/Separation Name MappedCSA sep_proc_name load ] setcolorspace_opt - }ifelse - }ifelse - }ifelse - }ifelse - }ifelse - set_crd - setsepcolor - end -} def -/additive_blend -{ - 3 dict begin - /numarrays xdf - /numcolors xdf - 0 1 numcolors 1 sub - { - /c1 xdf - 1 - 0 1 numarrays 1 sub - { - 1 exch add /index cvx - c1 /get cvx /mul cvx - }for - numarrays 1 add 1 /roll cvx - }for - numarrays [/pop cvx] cvx /repeat cvx - end -}def -/subtractive_blend -{ - 3 dict begin - /numarrays xdf - /numcolors xdf - 0 1 numcolors 1 sub - { - /c1 xdf - 1 1 - 0 1 numarrays 1 sub - { - 1 3 3 -1 roll add /index cvx - c1 /get cvx /sub cvx /mul cvx - }for - /sub cvx - numarrays 1 add 1 /roll cvx - }for - numarrays [/pop cvx] cvx /repeat cvx - end -}def -/exec_tint_transform -{ - /TintProc [ - /TintTransform cvx 
/setcolor cvx - ] cvx bdf - MappedCSA setcolorspace_opt -} bdf -/devn_makecustomcolor -{ - 2 dict begin - /names_index xdf - /Names xdf - 1 1 1 1 Names names_index get findcmykcustomcolor - /devicen_tints AGMCORE_gget names_index get setcustomcolor - Names length {pop} repeat - end -} bdf -/setdevicencolorspace -{ - dup /AliasedColorants known {false}{true}ifelse - current_spot_alias and { - 6 dict begin - /names_index 0 def - dup /names_len exch /Names get length def - /new_names names_len array def - /new_LookupTables names_len array def - /alias_cnt 0 def - dup /Names get - { - dup map_alias { - exch pop - dup /ColorLookup known { - dup begin - new_LookupTables names_index ColorLookup put - end - }{ - dup /Components known { - dup begin - new_LookupTables names_index Components put - end - }{ - dup begin - new_LookupTables names_index [null null null null] put - end - } ifelse - } ifelse - new_names names_index 3 -1 roll /Name get put - /alias_cnt alias_cnt 1 add def - }{ - /name xdf - new_names names_index name put - dup /LookupTables known { - dup begin - new_LookupTables names_index LookupTables names_index get put - end - }{ - dup begin - new_LookupTables names_index [null null null null] put - end - } ifelse - } ifelse - /names_index names_index 1 add def - } forall - alias_cnt 0 gt { - /AliasedColorants true def - 0 1 names_len 1 sub { - /names_index xdf - new_LookupTables names_index get 0 get null eq { - dup /Names get names_index get /name xdf - name (Cyan) eq name (Magenta) eq name (Yellow) eq name (Black) eq - or or or not { - /AliasedColorants false def - exit - } if - } if - } for - AliasedColorants { - dup begin - /Names new_names def - /AliasedColorants true def - /LookupTables new_LookupTables def - currentdict /TTTablesIdx known not { - /TTTablesIdx -1 def - } if - currentdict /NComponents known not { - /NComponents TintMethod /Subtractive eq {4}{3}ifelse def - } if - end - } if - }if - end - } if - dup /devicen_colorspace_dict exch AGMCORE_gput 
- begin - /MappedCSA CSA map_csa def - currentdict /AliasedColorants known { - AliasedColorants - }{ - false - } ifelse - /TintTransform load type /nulltype eq or { - /TintTransform [ - 0 1 Names length 1 sub - { - /TTTablesIdx TTTablesIdx 1 add def - dup LookupTables exch get dup 0 get null eq - { - 1 index - Names exch get - dup (Cyan) eq - { - pop exch - LookupTables length exch sub - /index cvx - 0 0 0 - } - { - dup (Magenta) eq - { - pop exch - LookupTables length exch sub - /index cvx - 0 /exch cvx 0 0 - } - { - (Yellow) eq - { - exch - LookupTables length exch sub - /index cvx - 0 0 3 -1 /roll cvx 0 - } - { - exch - LookupTables length exch sub - /index cvx - 0 0 0 4 -1 /roll cvx - } ifelse - } ifelse - } ifelse - 5 -1 /roll cvx /astore cvx - } - { - dup length 1 sub - LookupTables length 4 -1 roll sub 1 add - /index cvx /mul cvx /round cvx /cvi cvx /get cvx - } ifelse - Names length TTTablesIdx add 1 add 1 /roll cvx - } for - Names length [/pop cvx] cvx /repeat cvx - NComponents Names length - TintMethod /Subtractive eq - { - subtractive_blend - } - { - additive_blend - } ifelse - ] cvx bdf - } if - AGMCORE_host_sep { - Names convert_to_process { - exec_tint_transform - } - { - currentdict /AliasedColorants known { - AliasedColorants not - }{ - false - } ifelse - 5 dict begin - /AvoidAliasedColorants xdf - /painted? false def - /names_index 0 def - /names_len Names length def - Names { - AvoidAliasedColorants { - /currentspotalias current_spot_alias def - false set_spot_alias - } if - AGMCORE_is_cmyk_sep { - dup (Cyan) eq AGMCORE_cyan_plate and exch - dup (Magenta) eq AGMCORE_magenta_plate and exch - dup (Yellow) eq AGMCORE_yellow_plate and exch - (Black) eq AGMCORE_black_plate and or or or { - /devicen_colorspace_dict AGMCORE_gget /TintProc [ - Names names_index /devn_makecustomcolor cvx - ] cvx ddf - /painted? true def - } if - painted? 
{exit} if - }{ - 0 0 0 0 5 -1 roll findcmykcustomcolor 1 setcustomcolor currentgray 0 eq { - /devicen_colorspace_dict AGMCORE_gget /TintProc [ - Names names_index /devn_makecustomcolor cvx - ] cvx ddf - /painted? true def - exit - } if - } ifelse - AvoidAliasedColorants { - currentspotalias set_spot_alias - } if - /names_index names_index 1 add def - } forall - painted? { - /devicen_colorspace_dict AGMCORE_gget /names_index names_index put - }{ - /devicen_colorspace_dict AGMCORE_gget /TintProc [ - names_len [/pop cvx] cvx /repeat cvx 1 /setseparationgray cvx - 0 0 0 0 () /findcmykcustomcolor cvx 0 /setcustomcolor cvx - ] cvx ddf - } ifelse - end - } ifelse - } - { - AGMCORE_in_rip_sep { - Names convert_to_process not - }{ - level3 - } ifelse - { - [/DeviceN Names MappedCSA /TintTransform load] setcolorspace_opt - /TintProc level3 not AGMCORE_in_rip_sep and { - [ - Names /length cvx [/pop cvx] cvx /repeat cvx - ] cvx bdf - }{ - /setcolor ldf - } ifelse - }{ - exec_tint_transform - } ifelse - } ifelse - set_crd - /AliasedColorants false def - end -} def -/setindexedcolorspace -{ - dup /indexed_colorspace_dict exch AGMCORE_gput - begin - currentdict /CSD known { - CSD get_csd /Names known { - CSD get_csd begin - currentdict devncs - AGMCORE_host_sep{ - 4 dict begin - /devnCompCnt Names length def - /NewLookup HiVal 1 add string def - 0 1 HiVal { - /tableIndex xdf - Lookup dup type /stringtype eq { - devnCompCnt tableIndex map_index - }{ - exec - } ifelse - setdevicencolor - currentgray - tableIndex exch - HiVal mul cvi - NewLookup 3 1 roll put - } for - [/Indexed currentcolorspace HiVal NewLookup] setcolorspace_opt - end - }{ - level3 - { - [/Indexed [/DeviceN Names MappedCSA /TintTransform load] HiVal Lookup] setcolorspace_opt - }{ - [/Indexed MappedCSA HiVal - [ - Lookup dup type /stringtype eq - {/exch cvx CSD get_csd /Names get length dup /mul cvx exch /getinterval cvx {255 div} /forall cvx} - {/exec cvx}ifelse - /TintTransform load /exec cvx - ]cvx - 
]setcolorspace_opt - }ifelse - } ifelse - end - }{ - } ifelse - set_crd - } - { - /MappedCSA CSA map_csa def - AGMCORE_host_sep level2 not and{ - 0 0 0 0 setcmykcolor - }{ - [/Indexed MappedCSA - level2 not has_color not and{ - dup 0 get dup /DeviceRGB eq exch /DeviceCMYK eq or{ - pop [/DeviceGray] - }if - HiVal GrayLookup - }{ - HiVal - currentdict/RangeArray known{ - { - /indexed_colorspace_dict AGMCORE_gget begin - Lookup exch - dup HiVal gt{ - pop HiVal - }if - NComponents mul NComponents getinterval {} forall - NComponents 1 sub -1 0{ - RangeArray exch 2 mul 2 getinterval aload pop map255_to_range - NComponents 1 roll - }for - end - } bind - }{ - Lookup - }ifelse - }ifelse - ] setcolorspace_opt - set_crd - }ifelse - }ifelse - end -}def -/setindexedcolor -{ - AGMCORE_host_sep { - /indexed_colorspace_dict AGMCORE_gget dup /CSD known { - begin - CSD get_csd begin - map_indexed_devn - devn - end - end - }{ - AGMCORE_gget/Lookup get 4 3 -1 roll map_index - pop setcmykcolor - } ifelse - }{ - level3 not AGMCORE_in_rip_sep and /indexed_colorspace_dict AGMCORE_gget /CSD known and { - /indexed_colorspace_dict AGMCORE_gget /CSD get get_csd begin - map_indexed_devn - devn - end - } - { - setcolor - } ifelse - }ifelse -} def -/ignoreimagedata -{ - currentoverprint not{ - gsave - dup clonedict begin - 1 setgray - /Decode [0 1] def - /DataSource def - /MultipleDataSources false def - /BitsPerComponent 8 def - currentdict end - systemdict /image get exec - grestore - }if - consumeimagedata -}def -/add_csa -{ - Adobe_AGM_Core begin - /AGMCORE_CSA_cache xput - end -}def -/get_csa_by_name -{ - dup type dup /nametype eq exch /stringtype eq or{ - Adobe_AGM_Core begin - 1 dict begin - /name xdf - AGMCORE_CSA_cache - { - 0 get name eq { - exit - }{ - pop - } ifelse - }forall - end - end - }{ - pop - } ifelse -}def -/map_csa -{ - dup type /nametype eq{ - Adobe_AGM_Core/AGMCORE_CSA_cache get exch get - }if -}def -/add_csd -{ - Adobe_AGM_Core begin - /AGMCORE_CSD_cache xput - end -}def 
-/get_csd -{ - dup type /nametype eq{ - Adobe_AGM_Core/AGMCORE_CSD_cache get exch get - }if -}def -/pattern_buf_init -{ - /count get 0 0 put -} def -/pattern_buf_next -{ - dup /count get dup 0 get - dup 3 1 roll - 1 add 0 xpt - get -} def -/cachepattern_compress -{ - 5 dict begin - currentfile exch 0 exch /SubFileDecode filter /ReadFilter exch def - /patarray 20 dict def - /string_size 16000 def - /readbuffer string_size string def - currentglobal true setglobal - patarray 1 array dup 0 1 put /count xpt - setglobal - /LZWFilter - { - exch - dup length 0 eq { - pop - }{ - patarray dup length 1 sub 3 -1 roll put - } ifelse - {string_size}{0}ifelse string - } /LZWEncode filter def - { - ReadFilter readbuffer readstring - exch LZWFilter exch writestring - not {exit} if - } loop - LZWFilter closefile - patarray - end -}def -/cachepattern -{ - 2 dict begin - currentfile exch 0 exch /SubFileDecode filter /ReadFilter exch def - /patarray 20 dict def - currentglobal true setglobal - patarray 1 array dup 0 1 put /count xpt - setglobal - { - ReadFilter 16000 string readstring exch - patarray dup length 1 sub 3 -1 roll put - not {exit} if - } loop - patarray dup dup length 1 sub () put - end -}def -/add_pattern -{ - Adobe_AGM_Core begin - /AGMCORE_pattern_cache xput - end -}def -/get_pattern -{ - dup type /nametype eq{ - Adobe_AGM_Core/AGMCORE_pattern_cache get exch get - dup wrap_paintproc - }if -}def -/wrap_paintproc -{ - statusdict /currentfilenameextend known{ - begin - /OldPaintProc /PaintProc load def - /PaintProc - { - mark exch - dup /OldPaintProc get stopped - {closefile restore end} if - cleartomark - } def - end - } {pop} ifelse -} def -/make_pattern -{ - dup matrix currentmatrix matrix concatmatrix 0 0 3 2 roll itransform - exch 3 index /XStep get 1 index exch 2 copy div cvi mul sub sub - exch 3 index /YStep get 1 index exch 2 copy div cvi mul sub sub - matrix translate exch matrix concatmatrix - 1 index begin - BBox 0 get XStep div cvi XStep mul /xshift exch neg 
def - BBox 1 get YStep div cvi YStep mul /yshift exch neg def - BBox 0 get xshift add - BBox 1 get yshift add - BBox 2 get xshift add - BBox 3 get yshift add - 4 array astore - /BBox exch def - [ xshift yshift /translate load null /exec load ] dup - 3 /PaintProc load put cvx /PaintProc exch def - end - gsave 0 setgray - makepattern - grestore -}def -/set_pattern -{ - dup /PatternType get 1 eq{ - dup /PaintType get 1 eq{ - currentoverprint sop [/DeviceGray] setcolorspace 0 setgray - }if - }if - setpattern -}def -/setcolorspace_opt -{ - dup currentcolorspace eq{ - pop - }{ - setcolorspace - }ifelse -}def -/updatecolorrendering -{ - currentcolorrendering/Intent known{ - currentcolorrendering/Intent get - }{ - null - }ifelse - Intent ne{ - false - Intent - AGMCORE_CRD_cache { - exch pop - begin - dup Intent eq{ - currentdict setcolorrendering_opt - end - exch pop true exch - exit - }if - end - } forall - pop - not{ - systemdict /findcolorrendering known{ - Intent findcolorrendering pop - /ColorRendering findresource - dup length dict copy - setcolorrendering_opt - }if - }if - }if -} def -/add_crd -{ - AGMCORE_CRD_cache 3 1 roll put -}def -/set_crd -{ - AGMCORE_host_sep not level2 and{ - currentdict/CRD known{ - AGMCORE_CRD_cache CRD get dup null ne{ - setcolorrendering_opt - }{ - pop - }ifelse - }{ - currentdict/Intent known{ - updatecolorrendering - }if - }ifelse - currentcolorspace dup type /arraytype eq - {0 get}if - /DeviceRGB eq - { - currentdict/UCR known - {/UCR}{/AGMCORE_currentucr}ifelse - load setundercolorremoval - currentdict/BG known - {/BG}{/AGMCORE_currentbg}ifelse - load setblackgeneration - }if - }if -}def -/setcolorrendering_opt -{ - dup currentcolorrendering eq{ - pop - }{ - begin - /Intent Intent def - currentdict - end - setcolorrendering - }ifelse -}def -/cpaint_gcomp -{ - convert_to_process Adobe_AGM_Core/AGMCORE_ConvertToProcess xddf - Adobe_AGM_Core/AGMCORE_ConvertToProcess get not - { - (%end_cpaint_gcomp) flushinput - }if -}def -/cpaint_gsep 
-{ - Adobe_AGM_Core/AGMCORE_ConvertToProcess get - { - (%end_cpaint_gsep) flushinput - }if -}def -/cpaint_gend -{ - newpath -}def -/path_rez -{ - dup 0 ne{ - AGMCORE_deviceDPI exch div - dup 1 lt{ - pop 1 - }if - setflat - }{ - pop - }ifelse -}def -/set_spot_alias_ary -{ - /AGMCORE_SpotAliasAry where{ - pop pop - }{ - Adobe_AGM_Core/AGMCORE_SpotAliasAry xddf - true set_spot_alias - }ifelse -}def -/set_spot_alias -{ - /AGMCORE_SpotAliasAry where{ - /AGMCORE_current_spot_alias 3 -1 roll put - }{ - pop - }ifelse -}def -/current_spot_alias -{ - /AGMCORE_SpotAliasAry where{ - /AGMCORE_current_spot_alias get - }{ - false - }ifelse -}def -/map_alias -{ - /AGMCORE_SpotAliasAry where{ - begin - /AGMCORE_name xdf - false - AGMCORE_SpotAliasAry{ - dup/Name get AGMCORE_name eq{ - save exch - /Adobe_AGM_Core currentdict def - /CSD get get_csd - exch restore - exch pop true - exit - }{ - pop - }ifelse - }forall - end - }{ - pop false - }ifelse -}bdf -/spot_alias -{ - true set_spot_alias - /AGMCORE_&setcustomcolor AGMCORE_key_known not { - Adobe_AGM_Core/AGMCORE_&setcustomcolor /setcustomcolor load put - } if - /customcolor_tint 1 AGMCORE_gput - Adobe_AGM_Core begin - /setcustomcolor - { - dup /customcolor_tint exch AGMCORE_gput - current_spot_alias{ - 1 index 4 get map_alias{ - mark 3 1 roll - setsepcolorspace - counttomark 0 ne{ - setsepcolor - }if - pop - pop - }{ - AGMCORE_&setcustomcolor - }ifelse - }{ - AGMCORE_&setcustomcolor - }ifelse - }bdf - end -}def -/begin_feature -{ - Adobe_AGM_Core/AGMCORE_feature_dictCount countdictstack put - count Adobe_AGM_Core/AGMCORE_feature_opCount 3 -1 roll put - {Adobe_AGM_Core/AGMCORE_feature_ctm matrix currentmatrix put}if -}def -/end_feature -{ - 2 dict begin - /spd /setpagedevice load def - /setpagedevice { get_gstate spd set_gstate } def - stopped{$error/newerror false put}if - end - count Adobe_AGM_Core/AGMCORE_feature_opCount get sub dup 0 gt{{pop}repeat}{pop}ifelse - countdictstack Adobe_AGM_Core/AGMCORE_feature_dictCount get sub 
dup 0 gt{{end}repeat}{pop}ifelse - {Adobe_AGM_Core/AGMCORE_feature_ctm get setmatrix}if -}def -/set_negative -{ - Adobe_AGM_Core begin - /AGMCORE_inverting exch def - level2{ - currentpagedevice/NegativePrint known{ - currentpagedevice/NegativePrint get Adobe_AGM_Core/AGMCORE_inverting get ne{ - true begin_feature true{ - bdict /NegativePrint Adobe_AGM_Core/AGMCORE_inverting get edict setpagedevice - }end_feature - }if - /AGMCORE_inverting false def - }if - }if - AGMCORE_inverting{ - [{1 exch sub}/exec load dup currenttransfer exch]cvx bind settransfer - gsave newpath clippath 1 /setseparationgray where{pop setseparationgray}{setgray}ifelse - /AGMIRS_&fill where {pop AGMIRS_&fill}{fill} ifelse grestore - }if - end -}def -/lw_save_restore_override { - /md where { - pop - md begin - initializepage - /initializepage{}def - /pmSVsetup{} def - /endp{}def - /pse{}def - /psb{}def - /orig_showpage where - {pop} - {/orig_showpage /showpage load def} - ifelse - /showpage {orig_showpage gR} def - end - }if -}def -/pscript_showpage_override { - /NTPSOct95 where - { - begin - showpage - save - /showpage /restore load def - /restore {exch pop}def - end - }if -}def -/driver_media_override -{ - /md where { - pop - md /initializepage known { - md /initializepage {} put - } if - md /rC known { - md /rC {4{pop}repeat} put - } if - }if - /mysetup where { - /mysetup [1 0 0 1 0 0] put - }if - Adobe_AGM_Core /AGMCORE_Default_CTM matrix currentmatrix put - level2 - {Adobe_AGM_Core /AGMCORE_Default_PageSize currentpagedevice/PageSize get put}if -}def -/driver_check_media_override -{ - /PrepsDict where - {pop} - { - Adobe_AGM_Core /AGMCORE_Default_CTM get matrix currentmatrix ne - Adobe_AGM_Core /AGMCORE_Default_PageSize get type /arraytype eq - { - Adobe_AGM_Core /AGMCORE_Default_PageSize get 0 get currentpagedevice/PageSize get 0 get eq and - Adobe_AGM_Core /AGMCORE_Default_PageSize get 1 get currentpagedevice/PageSize get 1 get eq and - }if - { - Adobe_AGM_Core /AGMCORE_Default_CTM get 
setmatrix - }if - }ifelse -}def -AGMCORE_err_strings begin - /AGMCORE_bad_environ (Environment not satisfactory for this job. Ensure that the PPD is correct or that the PostScript level requested is supported by this printer. ) def - /AGMCORE_color_space_onhost_seps (This job contains colors that will not separate with on-host methods. ) def - /AGMCORE_invalid_color_space (This job contains an invalid color space. ) def -end -end -systemdict /setpacking known -{ - setpacking -} if -%%EndResource -%%BeginResource: procset Adobe_CoolType_Core 2.23 0 -%%Copyright: Copyright 1997-2003 Adobe Systems Incorporated. All Rights Reserved. -%%Version: 2.23 0 -10 dict begin -/Adobe_CoolType_Passthru currentdict def -/Adobe_CoolType_Core_Defined userdict /Adobe_CoolType_Core known def -Adobe_CoolType_Core_Defined - { /Adobe_CoolType_Core userdict /Adobe_CoolType_Core get def } -if -userdict /Adobe_CoolType_Core 60 dict dup begin put -/Adobe_CoolType_Version 2.23 def -/Level2? - systemdict /languagelevel known dup - { pop systemdict /languagelevel get 2 ge } - if def -Level2? 
not - { - /currentglobal false def - /setglobal /pop load def - /gcheck { pop false } bind def - /currentpacking false def - /setpacking /pop load def - /SharedFontDirectory 0 dict def - } -if -currentpacking -true setpacking -/@_SaveStackLevels - { - Adobe_CoolType_Data - begin - @opStackCountByLevel @opStackLevel - 2 copy known not - { 2 copy 3 dict dup /args 7 index 5 add array put put get } - { - get dup /args get dup length 3 index lt - { - dup length 5 add array exch - 1 index exch 0 exch putinterval - 1 index exch /args exch put - } - { pop } - ifelse - } - ifelse - begin - count 2 sub 1 index lt - { pop count 1 sub } - if - dup /argCount exch def - dup 0 gt - { - exch 1 index 2 add 1 roll - args exch 0 exch getinterval - astore pop - } - { pop } - ifelse - count 1 sub /restCount exch def - end - /@opStackLevel @opStackLevel 1 add def - countdictstack 1 sub - @dictStackCountByLevel exch @dictStackLevel exch put - /@dictStackLevel @dictStackLevel 1 add def - end - } bind def -/@_RestoreStackLevels - { - Adobe_CoolType_Data - begin - /@opStackLevel @opStackLevel 1 sub def - @opStackCountByLevel @opStackLevel get - begin - count restCount sub dup 0 gt - { { pop } repeat } - { pop } - ifelse - args 0 argCount getinterval {} forall - end - /@dictStackLevel @dictStackLevel 1 sub def - @dictStackCountByLevel @dictStackLevel get - end - countdictstack exch sub dup 0 gt - { { end } repeat } - { pop } - ifelse - } bind def -/@_PopStackLevels - { - Adobe_CoolType_Data - begin - /@opStackLevel @opStackLevel 1 sub def - /@dictStackLevel @dictStackLevel 1 sub def - end - } bind def -/@Raise - { - exch cvx exch errordict exch get exec - stop - } bind def -/@ReRaise - { - cvx $error /errorname get errordict exch get exec - stop - } bind def -/@Stopped - { - 0 @#Stopped - } bind def -/@#Stopped - { - @_SaveStackLevels - stopped - { @_RestoreStackLevels true } - { @_PopStackLevels false } - ifelse - } bind def -/@Arg - { - Adobe_CoolType_Data - begin - @opStackCountByLevel 
@opStackLevel 1 sub get /args get exch get - end - } bind def -currentglobal true setglobal -/CTHasResourceForAllBug - Level2? - { - 1 dict dup begin - mark - { - (*) { pop stop } 128 string /Category - resourceforall - } - stopped - cleartomark - currentdict eq dup - { end } - if - not - } - { false } - ifelse - def -/CTHasResourceStatusBug - Level2? - { - mark - { /steveamerige /Category resourcestatus } - stopped - { cleartomark true } - { cleartomark currentglobal not } - ifelse - } - { false } - ifelse - def -setglobal -/CTResourceStatus - { - mark 3 1 roll - /Category findresource - begin - ({ResourceStatus} stopped) 0 () /SubFileDecode filter cvx exec - { cleartomark false } - { { 3 2 roll pop true } { cleartomark false } ifelse } - ifelse - end - } bind def -/CTWorkAroundBugs - { - Level2? - { - /cid_PreLoad /ProcSet resourcestatus - { - pop pop - currentglobal - mark - { - (*) - { - dup /CMap CTHasResourceStatusBug - { CTResourceStatus } - { resourcestatus } - ifelse - { - pop dup 0 eq exch 1 eq or - { - dup /CMap findresource gcheck setglobal - /CMap undefineresource - } - { - pop CTHasResourceForAllBug - { exit } - { stop } - ifelse - } - ifelse - } - { pop } - ifelse - } - 128 string /CMap resourceforall - } - stopped - { cleartomark } - stopped pop - setglobal - } - if - } - if - } bind def -/doc_setup - { - Adobe_CoolType_Core - begin - CTWorkAroundBugs - /mov /moveto load def - /nfnt /newencodedfont load def - /mfnt /makefont load def - /sfnt /setfont load def - /ufnt /undefinefont load def - /chp /charpath load def - /awsh /awidthshow load def - /wsh /widthshow load def - /ash /ashow load def - /sh /show load def - end - userdict /Adobe_CoolType_Data 10 dict dup - begin - /AddWidths? 
false def - /CC 0 def - /charcode 2 string def - /@opStackCountByLevel 32 dict def - /@opStackLevel 0 def - /@dictStackCountByLevel 32 dict def - /@dictStackLevel 0 def - /InVMFontsByCMap 10 dict def - /InVMDeepCopiedFonts 10 dict def - end put - } bind def -/doc_trailer - { - currentdict Adobe_CoolType_Core eq - { end } - if - } bind def -/page_setup - { - Adobe_CoolType_Core begin - } bind def -/page_trailer - { - end - } bind def -/unload - { - systemdict /languagelevel known - { - systemdict/languagelevel get 2 ge - { - userdict/Adobe_CoolType_Core 2 copy known - { undef } - { pop pop } - ifelse - } - if - } - if - } bind def -/ndf - { - 1 index where - { pop pop pop } - { dup xcheck { bind } if def } - ifelse - } def -/findfont systemdict - begin - userdict - begin - /globaldict where { /globaldict get begin } if - dup where pop exch get - /globaldict where { pop end } if - end - end -Adobe_CoolType_Core_Defined - { /systemfindfont exch def } - { - /findfont 1 index def - /systemfindfont exch def - } -ifelse -/undefinefont - { pop } ndf -/copyfont - { - currentglobal 3 1 roll - 1 index gcheck setglobal - dup null eq { 0 } { dup length } ifelse - 2 index length add 1 add dict - begin - exch - { - 1 index /FID eq - { pop pop } - { def } - ifelse - } - forall - dup null eq - { pop } - { { def } forall } - ifelse - currentdict - end - exch setglobal - } bind def -/copyarray - { - currentglobal exch - dup gcheck setglobal - dup length array copy - exch setglobal - } bind def -/newencodedfont - { - currentglobal - { - SharedFontDirectory 3 index known - { SharedFontDirectory 3 index get /FontReferenced known } - { false } - ifelse - } - { - FontDirectory 3 index known - { FontDirectory 3 index get /FontReferenced known } - { - SharedFontDirectory 3 index known - { SharedFontDirectory 3 index get /FontReferenced known } - { false } - ifelse - } - ifelse - } - ifelse - dup - { - 3 index findfont /FontReferenced get - 2 index dup type /nametype eq - {findfont} - if ne 
- { pop false } - if - } - if - { - pop - 1 index findfont - /Encoding get exch - 0 1 255 - { 2 copy get 3 index 3 1 roll put } - for - pop pop pop - } - { - dup type /nametype eq - { findfont } - if - dup dup maxlength 2 add dict - begin - exch - { - 1 index /FID ne - {def} - {pop pop} - ifelse - } - forall - /FontReferenced exch def - /Encoding exch dup length array copy def - /FontName 1 index dup type /stringtype eq { cvn } if def dup - currentdict - end - definefont def - } - ifelse - } bind def -/SetSubstituteStrategy - { - $SubstituteFont - begin - dup type /dicttype ne - { 0 dict } - if - currentdict /$Strategies known - { - exch $Strategies exch - 2 copy known - { - get - 2 copy maxlength exch maxlength add dict - begin - { def } forall - { def } forall - currentdict - dup /$Init known - { dup /$Init get exec } - if - end - /$Strategy exch def - } - { pop pop pop } - ifelse - } - { pop pop } - ifelse - end - } bind def -/scff - { - $SubstituteFont - begin - dup type /stringtype eq - { dup length exch } - { null } - ifelse - /$sname exch def - /$slen exch def - /$inVMIndex - $sname null eq - { - 1 index $str cvs - dup length $slen sub $slen getinterval cvn - } - { $sname } - ifelse def - end - { findfont } - @Stopped - { - dup length 8 add string exch - 1 index 0 (BadFont:) putinterval - 1 index exch 8 exch dup length string cvs putinterval cvn - { findfont } - @Stopped - { pop /Courier findfont } - if - } - if - $SubstituteFont - begin - /$sname null def - /$slen 0 def - /$inVMIndex null def - end - } bind def -/isWidthsOnlyFont - { - dup /WidthsOnly known - { pop pop true } - { - dup /FDepVector known - { /FDepVector get { isWidthsOnlyFont dup { exit } if } forall } - { - dup /FDArray known - { /FDArray get { isWidthsOnlyFont dup { exit } if } forall } - { pop } - ifelse - } - ifelse - } - ifelse - } bind def -/?str1 256 string def -/?set - { - $SubstituteFont - begin - /$substituteFound false def - /$fontname 4 index def - /$doSmartSub false def - end - 
3 index - currentglobal false setglobal exch - /CompatibleFonts /ProcSet resourcestatus - { - pop pop - /CompatibleFonts /ProcSet findresource - begin - dup /CompatibleFont currentexception - 1 index /CompatibleFont true setexception - 1 index /Font resourcestatus - { - pop pop - 3 2 roll setglobal - end - exch - dup findfont - /CompatibleFonts /ProcSet findresource - begin - 3 1 roll exch /CompatibleFont exch setexception - end - } - { - 3 2 roll setglobal - 1 index exch /CompatibleFont exch setexception - end - findfont - $SubstituteFont /$substituteFound true put - } - ifelse - } - { exch setglobal findfont } - ifelse - $SubstituteFont - begin - $substituteFound - { - false - (%%[Using embedded font ) print - 5 index ?str1 cvs print - ( to avoid the font substitution problem noted earlier.]%%\n) print - } - { - dup /FontName known - { - dup /FontName get $fontname eq - 1 index /DistillerFauxFont known not and - /currentdistillerparams where - { pop false 2 index isWidthsOnlyFont not and } - if - } - { false } - ifelse - } - ifelse - exch pop - /$doSmartSub true def - end - { - exch pop exch pop exch - 2 dict dup /Found 3 index put - exch findfont exch - } - { - exch exec - exch dup findfont - dup /FontType get 3 eq - { - exch ?str1 cvs - dup length 1 sub - -1 0 - { - exch dup 2 index get 42 eq - { - exch 0 exch getinterval cvn 4 1 roll 3 2 roll pop - exit - } - {exch pop} ifelse - }for - } - { - exch pop - } ifelse - 2 dict dup /Downloaded 6 5 roll put - } - ifelse - dup /FontName 4 index put copyfont definefont pop - } bind def -/?str2 256 string def -/?add - { - 1 index type /integertype eq - { exch true 4 2 } - { false 3 1 } - ifelse - roll - 1 index findfont - dup /Widths known - { - Adobe_CoolType_Data /AddWidths? 
true put - gsave dup 1000 scalefont setfont - } - if - /Downloaded known - { - exec - exch - { - exch ?str2 cvs exch - findfont /Downloaded get 1 dict begin /Downloaded 1 index def ?str1 cvs length - ?str1 1 index 1 add 3 index putinterval - exch length 1 add 1 index add - ?str1 2 index (*) putinterval - ?str1 0 2 index getinterval cvn findfont - ?str1 3 index (+) putinterval - 2 dict dup /FontName ?str1 0 6 index getinterval cvn put - dup /Downloaded Downloaded put end copyfont - dup /FontName get exch definefont pop pop pop - } - { - pop - } - ifelse - } - { - pop - exch - { - findfont - dup /Found get - dup length exch ?str1 cvs pop - ?str1 1 index (+) putinterval - ?str1 1 index 1 add 4 index ?str2 cvs putinterval - ?str1 exch 0 exch 5 4 roll ?str2 cvs length 1 add add getinterval cvn - 1 dict exch 1 index exch /FontName exch put copyfont - dup /FontName get exch definefont pop - } - { - pop - } - ifelse - } - ifelse - Adobe_CoolType_Data /AddWidths? get - { grestore Adobe_CoolType_Data /AddWidths? 
false put } - if - } bind def -/?sh - { - currentfont /Downloaded known { exch } if pop - } bind def -/?chp - { - currentfont /Downloaded known { pop } { false chp } ifelse - } bind def -/?mv - { - currentfont /Downloaded known { moveto pop pop } { pop pop moveto } ifelse - } bind def -setpacking -userdict /$SubstituteFont 25 dict put -1 dict - begin - /SubstituteFont - dup $error exch 2 copy known - { get } - { pop pop { pop /Courier } bind } - ifelse def - /currentdistillerparams where dup - { - pop pop - currentdistillerparams /CannotEmbedFontPolicy 2 copy known - { get /Error eq } - { pop pop false } - ifelse - } - if not - { - countdictstack array dictstack 0 get - begin - userdict - begin - $SubstituteFont - begin - /$str 128 string def - /$fontpat 128 string def - /$slen 0 def - /$sname null def - /$match false def - /$fontname null def - /$substituteFound false def - /$inVMIndex null def - /$doSmartSub true def - /$depth 0 def - /$fontname null def - /$italicangle 26.5 def - /$dstack null def - /$Strategies 10 dict dup - begin - /$Type3Underprint - { - currentglobal exch false setglobal - 11 dict - begin - /UseFont exch - $WMode 0 ne - { - dup length dict copy - dup /WMode $WMode put - /UseFont exch definefont - } - if def - /FontName $fontname dup type /stringtype eq { cvn } if def - /FontType 3 def - /FontMatrix [ .001 0 0 .001 0 0 ] def - /Encoding 256 array dup 0 1 255 { /.notdef put dup } for pop def - /FontBBox [ 0 0 0 0 ] def - /CCInfo 7 dict dup - begin - /cc null def - /x 0 def - /y 0 def - end def - /BuildChar - { - exch - begin - CCInfo - begin - 1 string dup 0 3 index put exch pop - /cc exch def - UseFont 1000 scalefont setfont - cc stringwidth /y exch def /x exch def - x y setcharwidth - $SubstituteFont /$Strategy get /$Underprint get exec - 0 0 moveto cc show - x y moveto - end - end - } bind def - currentdict - end - exch setglobal - } bind def - /$GetaTint - 2 dict dup - begin - /$BuildFont - { - dup /WMode known - { dup /WMode get } - { 0 } 
- ifelse - /$WMode exch def - $fontname exch - dup /FontName known - { - dup /FontName get - dup type /stringtype eq { cvn } if - } - { /unnamedfont } - ifelse - exch - Adobe_CoolType_Data /InVMDeepCopiedFonts get - 1 index /FontName get known - { - pop - Adobe_CoolType_Data /InVMDeepCopiedFonts get - 1 index get - null copyfont - } - { $deepcopyfont } - ifelse - exch 1 index exch /FontBasedOn exch put - dup /FontName $fontname dup type /stringtype eq { cvn } if put - definefont - Adobe_CoolType_Data /InVMDeepCopiedFonts get - begin - dup /FontBasedOn get 1 index def - end - } bind def - /$Underprint - { - gsave - x abs y abs gt - { /y 1000 def } - { /x -1000 def 500 120 translate } - ifelse - Level2? - { - [ /Separation (All) /DeviceCMYK { 0 0 0 1 pop } ] - setcolorspace - } - { 0 setgray } - ifelse - 10 setlinewidth - x .8 mul - [ 7 3 ] - { - y mul 8 div 120 sub x 10 div exch moveto - 0 y 4 div neg rlineto - dup 0 rlineto - 0 y 4 div rlineto - closepath - gsave - Level2? - { .2 setcolor } - { .8 setgray } - ifelse - fill grestore - stroke - } - forall - pop - grestore - } bind def - end def - /$Oblique - 1 dict dup - begin - /$BuildFont - { - currentglobal exch dup gcheck setglobal - null copyfont - begin - /FontBasedOn - currentdict /FontName known - { - FontName - dup type /stringtype eq { cvn } if - } - { /unnamedfont } - ifelse - def - /FontName $fontname dup type /stringtype eq { cvn } if def - /currentdistillerparams where - { pop } - { - /FontInfo currentdict /FontInfo known - { FontInfo null copyfont } - { 2 dict } - ifelse - dup - begin - /ItalicAngle $italicangle def - /FontMatrix FontMatrix - [ 1 0 ItalicAngle dup sin exch cos div 1 0 0 ] - matrix concatmatrix readonly - end - 4 2 roll def - def - } - ifelse - FontName currentdict - end - definefont - exch setglobal - } bind def - end def - /$None - 1 dict dup - begin - /$BuildFont {} bind def - end def - end def - /$Oblique SetSubstituteStrategy - /$findfontByEnum - { - dup type /stringtype eq { cvn } 
if - dup /$fontname exch def - $sname null eq - { $str cvs dup length $slen sub $slen getinterval } - { pop $sname } - ifelse - $fontpat dup 0 (fonts/*) putinterval exch 7 exch putinterval - /$match false def - $SubstituteFont /$dstack countdictstack array dictstack put - mark - { - $fontpat 0 $slen 7 add getinterval - { /$match exch def exit } - $str filenameforall - } - stopped - { - cleardictstack - currentdict - true - $SubstituteFont /$dstack get - { - exch - { - 1 index eq - { pop false } - { true } - ifelse - } - { begin false } - ifelse - } - forall - pop - } - if - cleartomark - /$slen 0 def - $match false ne - { $match (fonts/) anchorsearch pop pop cvn } - { /Courier } - ifelse - } bind def - /$ROS 1 dict dup - begin - /Adobe 4 dict dup - begin - /Japan1 [ /Ryumin-Light /HeiseiMin-W3 - /GothicBBB-Medium /HeiseiKakuGo-W5 - /HeiseiMaruGo-W4 /Jun101-Light ] def - /Korea1 [ /HYSMyeongJo-Medium /HYGoThic-Medium ] def - /GB1 [ /STSong-Light /STHeiti-Regular ] def - /CNS1 [ /MKai-Medium /MHei-Medium ] def - end def - end def - /$cmapname null def - /$deepcopyfont - { - dup /FontType get 0 eq - { - 1 dict dup /FontName /copied put copyfont - begin - /FDepVector FDepVector copyarray - 0 1 2 index length 1 sub - { - 2 copy get $deepcopyfont - dup /FontName /copied put - /copied exch definefont - 3 copy put pop pop - } - for - def - currentdict - end - } - { $Strategies /$Type3Underprint get exec } - ifelse - } bind def - /$buildfontname - { - dup /CIDFont findresource /CIDSystemInfo get - begin - Registry length Ordering length Supplement 8 string cvs - 3 copy length 2 add add add string - dup 5 1 roll dup 0 Registry putinterval - dup 4 index (-) putinterval - dup 4 index 1 add Ordering putinterval - 4 2 roll add 1 add 2 copy (-) putinterval - end - 1 add 2 copy 0 exch getinterval $cmapname $fontpat cvs exch - anchorsearch - { pop pop 3 2 roll putinterval cvn /$cmapname exch def } - { pop pop pop pop pop } - ifelse - length - $str 1 index (-) putinterval 1 add - 
$str 1 index $cmapname $fontpat cvs putinterval - $cmapname length add - $str exch 0 exch getinterval cvn - } bind def - /$findfontByROS - { - /$fontname exch def - $ROS Registry 2 copy known - { - get Ordering 2 copy known - { get } - { pop pop [] } - ifelse - } - { pop pop [] } - ifelse - false exch - { - dup /CIDFont resourcestatus - { - pop pop - save - 1 index /CIDFont findresource - dup /WidthsOnly known - { dup /WidthsOnly get } - { false } - ifelse - exch pop - exch restore - { pop } - { exch pop true exit } - ifelse - } - { pop } - ifelse - } - forall - { $str cvs $buildfontname } - { - false (*) - { - save exch - dup /CIDFont findresource - dup /WidthsOnly known - { dup /WidthsOnly get not } - { true } - ifelse - exch /CIDSystemInfo get - dup /Registry get Registry eq - exch /Ordering get Ordering eq and and - { exch restore exch pop true exit } - { pop restore } - ifelse - } - $str /CIDFont resourceforall - { $buildfontname } - { $fontname $findfontByEnum } - ifelse - } - ifelse - } bind def - end - end - currentdict /$error known currentdict /languagelevel known and dup - { pop $error /SubstituteFont known } - if - dup - { $error } - { Adobe_CoolType_Core } - ifelse - begin - { - /SubstituteFont - /CMap /Category resourcestatus - { - pop pop - { - $SubstituteFont - begin - /$substituteFound true def - dup length $slen gt - $sname null ne or - $slen 0 gt and - { - $sname null eq - { dup $str cvs dup length $slen sub $slen getinterval cvn } - { $sname } - ifelse - Adobe_CoolType_Data /InVMFontsByCMap get - 1 index 2 copy known - { - get - false exch - { - pop - currentglobal - { - GlobalFontDirectory 1 index known - { exch pop true exit } - { pop } - ifelse - } - { - FontDirectory 1 index known - { exch pop true exit } - { - GlobalFontDirectory 1 index known - { exch pop true exit } - { pop } - ifelse - } - ifelse - } - ifelse - } - forall - } - { pop pop false } - ifelse - { - exch pop exch pop - } - { - dup /CMap resourcestatus - { - pop pop - dup 
/$cmapname exch def - /CMap findresource /CIDSystemInfo get { def } forall - $findfontByROS - } - { - 128 string cvs - dup (-) search - { - 3 1 roll search - { - 3 1 roll pop - { dup cvi } - stopped - { pop pop pop pop pop $findfontByEnum } - { - 4 2 roll pop pop - exch length - exch - 2 index length - 2 index - sub - exch 1 sub -1 0 - { - $str cvs dup length - 4 index - 0 - 4 index - 4 3 roll add - getinterval - exch 1 index exch 3 index exch - putinterval - dup /CMap resourcestatus - { - pop pop - 4 1 roll pop pop pop - dup /$cmapname exch def - /CMap findresource /CIDSystemInfo get { def } forall - $findfontByROS - true exit - } - { pop } - ifelse - } - for - dup type /booleantype eq - { pop } - { pop pop pop $findfontByEnum } - ifelse - } - ifelse - } - { pop pop pop $findfontByEnum } - ifelse - } - { pop pop $findfontByEnum } - ifelse - } - ifelse - } - ifelse - } - { //SubstituteFont exec } - ifelse - /$slen 0 def - end - } - } - { - { - $SubstituteFont - begin - /$substituteFound true def - dup length $slen gt - $sname null ne or - $slen 0 gt and - { $findfontByEnum } - { //SubstituteFont exec } - ifelse - end - } - } - ifelse - bind readonly def - Adobe_CoolType_Core /scfindfont /systemfindfont load put - } - { - /scfindfont - { - $SubstituteFont - begin - dup systemfindfont - dup /FontName known - { dup /FontName get dup 3 index ne } - { /noname true } - ifelse - dup - { - /$origfontnamefound 2 index def - /$origfontname 4 index def /$substituteFound true def - } - if - exch pop - { - $slen 0 gt - $sname null ne - 3 index length $slen gt or and - { - pop dup $findfontByEnum findfont - dup maxlength 1 add dict - begin - { 1 index /FID eq { pop pop } { def } ifelse } - forall - currentdict - end - definefont - dup /FontName known { dup /FontName get } { null } ifelse - $origfontnamefound ne - { - $origfontname $str cvs print - ( substitution revised, using ) print - dup /FontName known - { dup /FontName get } { (unspecified font) } - ifelse - $str cvs print 
(.\n) print - } - if - } - { exch pop } - ifelse - } - { exch pop } - ifelse - end - } bind def - } - ifelse - end - end - Adobe_CoolType_Core_Defined not - { - Adobe_CoolType_Core /findfont - { - $SubstituteFont - begin - $depth 0 eq - { - /$fontname 1 index dup type /stringtype ne { $str cvs } if def - /$substituteFound false def - } - if - /$depth $depth 1 add def - end - scfindfont - $SubstituteFont - begin - /$depth $depth 1 sub def - $substituteFound $depth 0 eq and - { - $inVMIndex null ne - { dup $inVMIndex $AddInVMFont } - if - $doSmartSub - { - currentdict /$Strategy known - { $Strategy /$BuildFont get exec } - if - } - if - } - if - end - } bind put - } - if - } - if - end -/$AddInVMFont - { - exch /FontName 2 copy known - { - get - 1 dict dup begin exch 1 index gcheck def end exch - Adobe_CoolType_Data /InVMFontsByCMap get exch - $DictAdd - } - { pop pop pop } - ifelse - } bind def -/$DictAdd - { - 2 copy known not - { 2 copy 4 index length dict put } - if - Level2? not - { - 2 copy get dup maxlength exch length 4 index length add lt - 2 copy get dup length 4 index length add exch maxlength 1 index lt - { - 2 mul dict - begin - 2 copy get { forall } def - 2 copy currentdict put - end - } - { pop } - ifelse - } - if - get - begin - { def } - forall - end - } bind def -end -end -%%EndResource -%%BeginResource: procset Adobe_CoolType_Utility_MAKEOCF 1.19 0 -%%Copyright: Copyright 1987-2003 Adobe Systems Incorporated. -%%Version: 1.19 0 -systemdict /languagelevel known dup - { currentglobal false setglobal } - { false } -ifelse -exch -userdict /Adobe_CoolType_Utility 2 copy known - { 2 copy get dup maxlength 25 add dict copy } - { 25 dict } -ifelse put -Adobe_CoolType_Utility - begin - /ct_Level2? exch def - /ct_Clone? 1183615869 internaldict dup - /CCRun known not - exch /eCCRun known not - ct_Level2? and or def -ct_Level2? - { globaldict begin currentglobal true setglobal } -if - /ct_AddStdCIDMap - ct_Level2? 
- { { - ((Hex) 57 StartData - 0615 1e27 2c39 1c60 d8a8 cc31 fe2b f6e0 - 7aa3 e541 e21c 60d8 a8c9 c3d0 6d9e 1c60 - d8a8 c9c2 02d7 9a1c 60d8 a849 1c60 d8a8 - cc36 74f4 1144 b13b 77) 0 () /SubFileDecode filter cvx exec - } } - { { - eexec - } } - ifelse bind def -userdict /cid_extensions known -dup { cid_extensions /cid_UpdateDB known and } if - { - cid_extensions - begin - /cid_GetCIDSystemInfo - { - 1 index type /stringtype eq - { exch cvn exch } - if - cid_extensions - begin - dup load 2 index known - { - 2 copy - cid_GetStatusInfo - dup null ne - { - 1 index load - 3 index get - dup null eq - { pop pop cid_UpdateDB } - { - exch - 1 index /Created get eq - { exch pop exch pop } - { pop cid_UpdateDB } - ifelse - } - ifelse - } - { pop cid_UpdateDB } - ifelse - } - { cid_UpdateDB } - ifelse - end - } bind def - end - } -if -ct_Level2? - { end setglobal } -if - /ct_UseNativeCapability? systemdict /composefont known def - /ct_MakeOCF 35 dict def - /ct_Vars 25 dict def - /ct_GlyphDirProcs 6 dict def - /ct_BuildCharDict 15 dict dup - begin - /charcode 2 string def - /dst_string 1500 string def - /nullstring () def - /usewidths? true def - end def - ct_Level2? { setglobal } { pop } ifelse - ct_GlyphDirProcs - begin - /GetGlyphDirectory - { - systemdict /languagelevel known - { pop /CIDFont findresource /GlyphDirectory get } - { - 1 index /CIDFont findresource /GlyphDirectory - get dup type /dicttype eq - { - dup dup maxlength exch length sub 2 index lt - { - dup length 2 index add dict copy 2 index - /CIDFont findresource/GlyphDirectory 2 index put - } - if - } - if - exch pop exch pop - } - ifelse - + - } def - /+ - { - systemdict /languagelevel known - { - currentglobal false setglobal - 3 dict begin - /vm exch def - } - { 1 dict begin } - ifelse - /$ exch def - systemdict /languagelevel known - { - vm setglobal - /gvm currentglobal def - $ gcheck setglobal - } - if - ? { $ begin } if - } def - /? 
{ $ type /dicttype eq } def - /| { - userdict /Adobe_CoolType_Data known - { - Adobe_CoolType_Data /AddWidths? known - { - currentdict Adobe_CoolType_Data - begin - begin - AddWidths? - { - Adobe_CoolType_Data /CC 3 index put - ? { def } { $ 3 1 roll put } ifelse - CC charcode exch 1 index 0 2 index 256 idiv put - 1 index exch 1 exch 256 mod put - stringwidth 2 array astore - currentfont /Widths get exch CC exch put - } - { ? { def } { $ 3 1 roll put } ifelse } - ifelse - end - end - } - { ? { def } { $ 3 1 roll put } ifelse } ifelse - } - { ? { def } { $ 3 1 roll put } ifelse } - ifelse - } def - /! - { - ? { end } if - systemdict /languagelevel known - { gvm setglobal } - if - end - } def - /: { string currentfile exch readstring pop } executeonly def - end - ct_MakeOCF - begin - /ct_cHexEncoding - [/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12 - /c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25 - /c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38 - /c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B - /c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E - /c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71 - /c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84 - /c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97 - /c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA - /cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD - /cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0 - /cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3 - /cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6 - /cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF] def - /ct_CID_STR_SIZE 8000 def - /ct_mkocfStr100 100 string def - /ct_defaultFontMtx [.001 0 0 .001 0 0] def - 
/ct_1000Mtx [1000 0 0 1000 0 0] def - /ct_raise {exch cvx exch errordict exch get exec stop} bind def - /ct_reraise - { cvx $error /errorname get (Error: ) print dup ( ) cvs print - errordict exch get exec stop - } bind def - /ct_cvnsi - { - 1 index add 1 sub 1 exch 0 4 1 roll - { - 2 index exch get - exch 8 bitshift - add - } - for - exch pop - } bind def - /ct_GetInterval - { - Adobe_CoolType_Utility /ct_BuildCharDict get - begin - /dst_index 0 def - dup dst_string length gt - { dup string /dst_string exch def } - if - 1 index ct_CID_STR_SIZE idiv - /arrayIndex exch def - 2 index arrayIndex get - 2 index - arrayIndex ct_CID_STR_SIZE mul - sub - { - dup 3 index add 2 index length le - { - 2 index getinterval - dst_string dst_index 2 index putinterval - length dst_index add /dst_index exch def - exit - } - { - 1 index length 1 index sub - dup 4 1 roll - getinterval - dst_string dst_index 2 index putinterval - pop dup dst_index add /dst_index exch def - sub - /arrayIndex arrayIndex 1 add def - 2 index dup length arrayIndex gt - { arrayIndex get } - { - pop - exit - } - ifelse - 0 - } - ifelse - } - loop - pop pop pop - dst_string 0 dst_index getinterval - end - } bind def - ct_Level2? 
- { - /ct_resourcestatus - currentglobal mark true setglobal - { /unknowninstancename /Category resourcestatus } - stopped - { cleartomark setglobal true } - { cleartomark currentglobal not exch setglobal } - ifelse - { - { - mark 3 1 roll /Category findresource - begin - ct_Vars /vm currentglobal put - ({ResourceStatus} stopped) 0 () /SubFileDecode filter cvx exec - { cleartomark false } - { { 3 2 roll pop true } { cleartomark false } ifelse } - ifelse - ct_Vars /vm get setglobal - end - } - } - { { resourcestatus } } - ifelse bind def - /CIDFont /Category ct_resourcestatus - { pop pop } - { - currentglobal true setglobal - /Generic /Category findresource - dup length dict copy - dup /InstanceType /dicttype put - /CIDFont exch /Category defineresource pop - setglobal - } - ifelse - ct_UseNativeCapability? - { - /CIDInit /ProcSet findresource begin - 12 dict begin - begincmap - /CIDSystemInfo 3 dict dup begin - /Registry (Adobe) def - /Ordering (Identity) def - /Supplement 0 def - end def - /CMapName /Identity-H def - /CMapVersion 1.000 def - /CMapType 1 def - 1 begincodespacerange - <0000> - endcodespacerange - 1 begincidrange - <0000> 0 - endcidrange - endcmap - CMapName currentdict /CMap defineresource pop - end - end - } - if - } - { - /ct_Category 2 dict begin - /CIDFont 10 dict def - /ProcSet 2 dict def - currentdict - end - def - /defineresource - { - ct_Category 1 index 2 copy known - { - get - dup dup maxlength exch length eq - { - dup length 10 add dict copy - ct_Category 2 index 2 index put - } - if - 3 index 3 index put - pop exch pop - } - { pop pop /defineresource /undefined ct_raise } - ifelse - } bind def - /findresource - { - ct_Category 1 index 2 copy known - { - get - 2 index 2 copy known - { get 3 1 roll pop pop} - { pop pop /findresource /undefinedresource ct_raise } - ifelse - } - { pop pop /findresource /undefined ct_raise } - ifelse - } bind def - /resourcestatus - { - ct_Category 1 index 2 copy known - { - get - 2 index known - exch pop 
exch pop - { - 0 -1 true - } - { - false - } - ifelse - } - { pop pop /findresource /undefined ct_raise } - ifelse - } bind def - /ct_resourcestatus /resourcestatus load def - } - ifelse - /ct_CIDInit 2 dict - begin - /ct_cidfont_stream_init - { - { - dup (Binary) eq - { - pop - null - currentfile - ct_Level2? - { - { cid_BYTE_COUNT () /SubFileDecode filter } - stopped - { pop pop pop } - if - } - if - /readstring load - exit - } - if - dup (Hex) eq - { - pop - currentfile - ct_Level2? - { - { null exch /ASCIIHexDecode filter /readstring } - stopped - { pop exch pop (>) exch /readhexstring } - if - } - { (>) exch /readhexstring } - ifelse - load - exit - } - if - /StartData /typecheck ct_raise - } - loop - cid_BYTE_COUNT ct_CID_STR_SIZE le - { - 2 copy cid_BYTE_COUNT string exch exec - pop - 1 array dup - 3 -1 roll - 0 exch put - } - { - cid_BYTE_COUNT ct_CID_STR_SIZE div ceiling cvi - dup array exch 2 sub 0 exch 1 exch - { - 2 copy - 5 index - ct_CID_STR_SIZE - string - 6 index exec - pop - put - pop - } - for - 2 index - cid_BYTE_COUNT ct_CID_STR_SIZE mod string - 3 index exec - pop - 1 index exch - 1 index length 1 sub - exch put - } - ifelse - cid_CIDFONT exch /GlyphData exch put - 2 index null eq - { - pop pop pop - } - { - pop /readstring load - 1 string exch - { - 3 copy exec - pop - dup length 0 eq - { - pop pop pop pop pop - true exit - } - if - 4 index - eq - { - pop pop pop pop - false exit - } - if - } - loop - pop - } - ifelse - } bind def - /StartData - { - mark - { - currentdict - dup /FDArray get 0 get /FontMatrix get - 0 get 0.001 eq - { - dup /CDevProc known not - { - /CDevProc 1183615869 internaldict /stdCDevProc 2 copy known - { get } - { - pop pop - { pop pop pop pop pop 0 -1000 7 index 2 div 880 } - } - ifelse - def - } - if - } - { - /CDevProc - { - pop pop pop pop pop - 0 - 1 cid_temp /cid_CIDFONT get - /FDArray get 0 get - /FontMatrix get 0 get div - 7 index 2 div - 1 index 0.88 mul - } def - } - ifelse - /cid_temp 15 dict def - cid_temp - 
begin - /cid_CIDFONT exch def - 3 copy pop - dup /cid_BYTE_COUNT exch def 0 gt - { - ct_cidfont_stream_init - FDArray - { - /Private get - dup /SubrMapOffset known - { - begin - /Subrs SubrCount array def - Subrs - SubrMapOffset - SubrCount - SDBytes - ct_Level2? - { - currentdict dup /SubrMapOffset undef - dup /SubrCount undef - /SDBytes undef - } - if - end - /cid_SD_BYTES exch def - /cid_SUBR_COUNT exch def - /cid_SUBR_MAP_OFFSET exch def - /cid_SUBRS exch def - cid_SUBR_COUNT 0 gt - { - GlyphData cid_SUBR_MAP_OFFSET cid_SD_BYTES ct_GetInterval - 0 cid_SD_BYTES ct_cvnsi - 0 1 cid_SUBR_COUNT 1 sub - { - exch 1 index - 1 add - cid_SD_BYTES mul cid_SUBR_MAP_OFFSET add - GlyphData exch cid_SD_BYTES ct_GetInterval - 0 cid_SD_BYTES ct_cvnsi - cid_SUBRS 4 2 roll - GlyphData exch - 4 index - 1 index - sub - ct_GetInterval - dup length string copy put - } - for - pop - } - if - } - { pop } - ifelse - } - forall - } - if - cleartomark pop pop - end - CIDFontName currentdict /CIDFont defineresource pop - end end - } - stopped - { cleartomark /StartData ct_reraise } - if - } bind def - currentdict - end def - /ct_saveCIDInit - { - /CIDInit /ProcSet ct_resourcestatus - { true } - { /CIDInitC /ProcSet ct_resourcestatus } - ifelse - { - pop pop - /CIDInit /ProcSet findresource - ct_UseNativeCapability? 
- { pop null } - { /CIDInit ct_CIDInit /ProcSet defineresource pop } - ifelse - } - { /CIDInit ct_CIDInit /ProcSet defineresource pop null } - ifelse - ct_Vars exch /ct_oldCIDInit exch put - } bind def - /ct_restoreCIDInit - { - ct_Vars /ct_oldCIDInit get dup null ne - { /CIDInit exch /ProcSet defineresource pop } - { pop } - ifelse - } bind def - /ct_BuildCharSetUp - { - 1 index - begin - CIDFont - begin - Adobe_CoolType_Utility /ct_BuildCharDict get - begin - /ct_dfCharCode exch def - /ct_dfDict exch def - CIDFirstByte ct_dfCharCode add - dup CIDCount ge - { pop 0 } - if - /cid exch def - { - GlyphDirectory cid 2 copy known - { get } - { pop pop nullstring } - ifelse - dup length FDBytes sub 0 gt - { - dup - FDBytes 0 ne - { 0 FDBytes ct_cvnsi } - { pop 0 } - ifelse - /fdIndex exch def - dup length FDBytes sub FDBytes exch getinterval - /charstring exch def - exit - } - { - pop - cid 0 eq - { /charstring nullstring def exit } - if - /cid 0 def - } - ifelse - } - loop - } def - /ct_SetCacheDevice - { - 0 0 moveto - dup stringwidth - 3 -1 roll - true charpath - pathbbox - 0 -1000 - 7 index 2 div 880 - setcachedevice2 - 0 0 moveto - } def - /ct_CloneSetCacheProc - { - 1 eq - { - stringwidth - pop -2 div -880 - 0 -1000 setcharwidth - moveto - } - { - usewidths? 
- { - currentfont /Widths get cid - 2 copy known - { get exch pop aload pop } - { pop pop stringwidth } - ifelse - } - { stringwidth } - ifelse - setcharwidth - 0 0 moveto - } - ifelse - } def - /ct_Type3ShowCharString - { - ct_FDDict fdIndex 2 copy known - { get } - { - currentglobal 3 1 roll - 1 index gcheck setglobal - ct_Type1FontTemplate dup maxlength dict copy - begin - FDArray fdIndex get - dup /FontMatrix 2 copy known - { get } - { pop pop ct_defaultFontMtx } - ifelse - /FontMatrix exch dup length array copy def - /Private get - /Private exch def - /Widths rootfont /Widths get def - /CharStrings 1 dict dup /.notdef - dup length string copy put def - currentdict - end - /ct_Type1Font exch definefont - dup 5 1 roll put - setglobal - } - ifelse - dup /CharStrings get 1 index /Encoding get - ct_dfCharCode get charstring put - rootfont /WMode 2 copy known - { get } - { pop pop 0 } - ifelse - exch - 1000 scalefont setfont - ct_str1 0 ct_dfCharCode put - ct_str1 exch ct_dfSetCacheProc - ct_SyntheticBold - { - currentpoint - ct_str1 show - newpath - moveto - ct_str1 true charpath - ct_StrokeWidth setlinewidth - stroke - } - { ct_str1 show } - ifelse - } def - /ct_Type4ShowCharString - { - ct_dfDict ct_dfCharCode charstring - FDArray fdIndex get - dup /FontMatrix get dup ct_defaultFontMtx ct_matrixeq not - { ct_1000Mtx matrix concatmatrix concat } - { pop } - ifelse - /Private get - Adobe_CoolType_Utility /ct_Level2? get not - { - ct_dfDict /Private - 3 -1 roll - { put } - 1183615869 internaldict /superexec get exec - } - if - 1183615869 internaldict - Adobe_CoolType_Utility /ct_Level2? get - { 1 index } - { 3 index /Private get mark 6 1 roll } - ifelse - dup /RunInt known - { /RunInt get } - { pop /CCRun } - ifelse - get exec - Adobe_CoolType_Utility /ct_Level2? 
get not - { cleartomark } - if - } bind def - /ct_BuildCharIncremental - { - { - Adobe_CoolType_Utility /ct_MakeOCF get begin - ct_BuildCharSetUp - ct_ShowCharString - } - stopped - { stop } - if - end - end - end - end - } bind def - /BaseFontNameStr (BF00) def - /ct_Type1FontTemplate 14 dict - begin - /FontType 1 def - /FontMatrix [0.001 0 0 0.001 0 0] def - /FontBBox [-250 -250 1250 1250] def - /Encoding ct_cHexEncoding def - /PaintType 0 def - currentdict - end def - /BaseFontTemplate 11 dict - begin - /FontMatrix [0.001 0 0 0.001 0 0] def - /FontBBox [-250 -250 1250 1250] def - /Encoding ct_cHexEncoding def - /BuildChar /ct_BuildCharIncremental load def - ct_Clone? - { - /FontType 3 def - /ct_ShowCharString /ct_Type3ShowCharString load def - /ct_dfSetCacheProc /ct_CloneSetCacheProc load def - /ct_SyntheticBold false def - /ct_StrokeWidth 1 def - } - { - /FontType 4 def - /Private 1 dict dup /lenIV 4 put def - /CharStrings 1 dict dup /.notdef put def - /PaintType 0 def - /ct_ShowCharString /ct_Type4ShowCharString load def - } - ifelse - /ct_str1 1 string def - currentdict - end def - /BaseFontDictSize BaseFontTemplate length 5 add def - /ct_matrixeq - { - true 0 1 5 - { - dup 4 index exch get exch 3 index exch get eq and - dup not - { exit } - if - } - for - exch pop exch pop - } bind def - /ct_makeocf - { - 15 dict - begin - exch /WMode exch def - exch /FontName exch def - /FontType 0 def - /FMapType 2 def - dup /FontMatrix known - { dup /FontMatrix get /FontMatrix exch def } - { /FontMatrix matrix def } - ifelse - /bfCount 1 index /CIDCount get 256 idiv 1 add - dup 256 gt { pop 256} if def - /Encoding - 256 array 0 1 bfCount 1 sub { 2 copy dup put pop } for - bfCount 1 255 { 2 copy bfCount put pop } for - def - /FDepVector bfCount dup 256 lt { 1 add } if array def - BaseFontTemplate BaseFontDictSize dict copy - begin - /CIDFont exch def - CIDFont /FontBBox known - { CIDFont /FontBBox get /FontBBox exch def } - if - CIDFont /CDevProc known - { CIDFont 
/CDevProc get /CDevProc exch def } - if - currentdict - end - BaseFontNameStr 3 (0) putinterval - 0 1 bfCount dup 256 eq { 1 sub } if - { - FDepVector exch - 2 index BaseFontDictSize dict copy - begin - dup /CIDFirstByte exch 256 mul def - FontType 3 eq - { /ct_FDDict 2 dict def } - if - currentdict - end - 1 index 16 - BaseFontNameStr 2 2 getinterval cvrs pop - BaseFontNameStr exch definefont - put - } - for - ct_Clone? - { /Widths 1 index /CIDFont get /GlyphDirectory get length dict def } - if - FontName - currentdict - end - definefont - ct_Clone? - { - gsave - dup 1000 scalefont setfont - ct_BuildCharDict - begin - /usewidths? false def - currentfont /Widths get - begin - exch /CIDFont get /GlyphDirectory get - { - pop - dup charcode exch 1 index 0 2 index 256 idiv put - 1 index exch 1 exch 256 mod put - stringwidth 2 array astore def - } - forall - end - /usewidths? true def - end - grestore - } - { exch pop } - ifelse - } bind def - /ct_ComposeFont - { - ct_UseNativeCapability? - { - 2 index /CMap ct_resourcestatus - { pop pop exch pop } - { - /CIDInit /ProcSet findresource - begin - 12 dict - begin - begincmap - /CMapName 3 index def - /CMapVersion 1.000 def - /CMapType 1 def - exch /WMode exch def - /CIDSystemInfo 3 dict dup - begin - /Registry (Adobe) def - /Ordering - CMapName ct_mkocfStr100 cvs - (Adobe-) search - { - pop pop - (-) search - { - dup length string copy - exch pop exch pop - } - { pop (Identity)} - ifelse - } - { pop (Identity) } - ifelse - def - /Supplement 0 def - end def - 1 begincodespacerange - <0000> - endcodespacerange - 1 begincidrange - <0000> 0 - endcidrange - endcmap - CMapName currentdict /CMap defineresource pop - end - end - } - ifelse - composefont - } - { - 3 2 roll pop - 0 get /CIDFont findresource - ct_makeocf - } - ifelse - } bind def - /ct_MakeIdentity - { - ct_UseNativeCapability? 
- { - 1 index /CMap ct_resourcestatus - { pop pop } - { - /CIDInit /ProcSet findresource begin - 12 dict begin - begincmap - /CMapName 2 index def - /CMapVersion 1.000 def - /CMapType 1 def - /CIDSystemInfo 3 dict dup - begin - /Registry (Adobe) def - /Ordering - CMapName ct_mkocfStr100 cvs - (Adobe-) search - { - pop pop - (-) search - { dup length string copy exch pop exch pop } - { pop (Identity) } - ifelse - } - { pop (Identity) } - ifelse - def - /Supplement 0 def - end def - 1 begincodespacerange - <0000> - endcodespacerange - 1 begincidrange - <0000> 0 - endcidrange - endcmap - CMapName currentdict /CMap defineresource pop - end - end - } - ifelse - composefont - } - { - exch pop - 0 get /CIDFont findresource - ct_makeocf - } - ifelse - } bind def - currentdict readonly pop - end - end -%%EndResource -%%BeginResource: procset Adobe_CoolType_Utility_T42 1.0 0 -%%Copyright: Copyright 1987-2003 Adobe Systems Incorporated. -%%Version: 1.0 0 -userdict /ct_T42Dict 15 dict put -ct_T42Dict begin -/Is2015? -{ - version - cvi - 2015 - ge -} bind def -/AllocGlyphStorage -{ - Is2015? - { - pop - } - { - {string} forall - } ifelse -} bind def -/Type42DictBegin -{ - 25 dict begin - /FontName exch def - /CharStrings 256 dict - begin - /.notdef 0 def - currentdict - end def - /Encoding exch def - /PaintType 0 def - /FontType 42 def - /FontMatrix [1 0 0 1 0 0] def - 4 array astore cvx /FontBBox exch def - /sfnts -} bind def -/Type42DictEnd -{ - currentdict dup /FontName get exch definefont end - ct_T42Dict exch - dup /FontName get exch put -} bind def -/RD {string currentfile exch readstring pop} executeonly def -/PrepFor2015 -{ - Is2015? - { - /GlyphDirectory - 16 - dict def - sfnts 0 get - dup - 2 index - (glyx) - putinterval - 2 index - (locx) - putinterval - pop - pop - } - { - pop - pop - } ifelse -} bind def -/AddT42Char -{ - Is2015? 
- { - /GlyphDirectory get - begin - def - end - pop - pop - } - { - /sfnts get - 4 index - get - 3 index - 2 index - putinterval - pop - pop - pop - pop - } ifelse -} bind def -end -%%EndResource -Adobe_CoolType_Core begin /$Oblique SetSubstituteStrategy end -%%BeginResource: procset Adobe_AGM_Image 1.0 0 -%%Version: 1.0 0 -%%Copyright: Copyright (C) 2000-2003 Adobe Systems, Inc. All Rights Reserved. -systemdict /setpacking known -{ - currentpacking - true setpacking -} if -userdict /Adobe_AGM_Image 75 dict dup begin put -/Adobe_AGM_Image_Id /Adobe_AGM_Image_1.0_0 def -/nd{ - null def -}bind def -/AGMIMG_&image nd -/AGMIMG_&colorimage nd -/AGMIMG_&imagemask nd -/AGMIMG_mbuf () def -/AGMIMG_ybuf () def -/AGMIMG_kbuf () def -/AGMIMG_c 0 def -/AGMIMG_m 0 def -/AGMIMG_y 0 def -/AGMIMG_k 0 def -/AGMIMG_tmp nd -/AGMIMG_imagestring0 nd -/AGMIMG_imagestring1 nd -/AGMIMG_imagestring2 nd -/AGMIMG_imagestring3 nd -/AGMIMG_imagestring4 nd -/AGMIMG_imagestring5 nd -/AGMIMG_cnt nd -/AGMIMG_fsave nd -/AGMIMG_colorAry nd -/AGMIMG_override nd -/AGMIMG_name nd -/AGMIMG_maskSource nd -/invert_image_samples nd -/knockout_image_samples nd -/img nd -/sepimg nd -/devnimg nd -/idximg nd -/doc_setup -{ - Adobe_AGM_Core begin - Adobe_AGM_Image begin - /AGMIMG_&image systemdict/image get def - /AGMIMG_&imagemask systemdict/imagemask get def - /colorimage where{ - pop - /AGMIMG_&colorimage /colorimage ldf - }if - end - end -}def -/page_setup -{ - Adobe_AGM_Image begin - /AGMIMG_ccimage_exists {/customcolorimage where - { - pop - /Adobe_AGM_OnHost_Seps where - { - pop false - }{ - /Adobe_AGM_InRip_Seps where - { - pop false - }{ - true - }ifelse - }ifelse - }{ - false - }ifelse - }bdf - level2{ - /invert_image_samples - { - Adobe_AGM_Image/AGMIMG_tmp Decode length ddf - /Decode [ Decode 1 get Decode 0 get] def - }def - /knockout_image_samples - { - Operator/imagemask ne{ - /Decode [1 1] def - }if - }def - }{ - /invert_image_samples - { - {1 exch sub} currenttransfer addprocs settransfer - }def 
- /knockout_image_samples - { - { pop 1 } currenttransfer addprocs settransfer - }def - }ifelse - /img /imageormask ldf - /sepimg /sep_imageormask ldf - /devnimg /devn_imageormask ldf - /idximg /indexed_imageormask ldf - /_ctype 7 def - currentdict{ - dup xcheck 1 index type dup /arraytype eq exch /packedarraytype eq or and{ - bind - }if - def - }forall -}def -/page_trailer -{ - end -}def -/doc_trailer -{ -}def -/imageormask_sys -{ - begin - save mark - level2{ - currentdict - Operator /imagemask eq{ - AGMIMG_&imagemask - }{ - use_mask { - level3 {process_mask_L3 AGMIMG_&image}{masked_image_simulation}ifelse - }{ - AGMIMG_&image - }ifelse - }ifelse - }{ - Width Height - Operator /imagemask eq{ - Decode 0 get 1 eq Decode 1 get 0 eq and - ImageMatrix /DataSource load - AGMIMG_&imagemask - }{ - BitsPerComponent ImageMatrix /DataSource load - AGMIMG_&image - }ifelse - }ifelse - cleartomark restore - end -}def -/overprint_plate -{ - currentoverprint { - 0 get dup type /nametype eq { - dup /DeviceGray eq{ - pop AGMCORE_black_plate not - }{ - /DeviceCMYK eq{ - AGMCORE_is_cmyk_sep not - }if - }ifelse - }{ - false exch - { - AGMOHS_sepink eq or - } forall - not - } ifelse - }{ - pop false - }ifelse -}def -/process_mask_L3 -{ - dup begin - /ImageType 1 def - end - 4 dict begin - /DataDict exch def - /ImageType 3 def - /InterleaveType 3 def - /MaskDict 9 dict begin - /ImageType 1 def - /Width DataDict dup /MaskWidth known {/MaskWidth}{/Width} ifelse get def - /Height DataDict dup /MaskHeight known {/MaskHeight}{/Height} ifelse get def - /ImageMatrix [Width 0 0 Height neg 0 Height] def - /NComponents 1 def - /BitsPerComponent 1 def - /Decode [0 1] def - /DataSource AGMIMG_maskSource def - currentdict end def - currentdict end -}def -/use_mask -{ - dup type /dicttype eq - { - dup /Mask known { - dup /Mask get { - level3 - {true} - { - dup /MaskWidth known {dup /MaskWidth get 1 index /Width get eq}{true}ifelse exch - dup /MaskHeight known {dup /MaskHeight get 1 index /Height get 
eq}{true}ifelse - 3 -1 roll and - } ifelse - } - {false} ifelse - } - {false} ifelse - } - {false} ifelse -}def -/make_line_source -{ - begin - MultipleDataSources { - [ - Decode length 2 div cvi {Width string} repeat - ] - }{ - Width Decode length 2 div mul cvi string - }ifelse - end -}def -/datasource_to_str -{ - exch dup type - dup /filetype eq { - pop exch readstring - }{ - /arraytype eq { - exec exch copy - }{ - pop - }ifelse - }ifelse - pop -}def -/masked_image_simulation -{ - 3 dict begin - dup make_line_source /line_source xdf - /mask_source AGMIMG_maskSource /LZWDecode filter def - dup /Width get 8 div ceiling cvi string /mask_str xdf - begin - gsave - 0 1 translate 1 -1 Height div scale - 1 1 Height { - pop - gsave - MultipleDataSources { - 0 1 DataSource length 1 sub { - dup DataSource exch get - exch line_source exch get - datasource_to_str - } for - }{ - DataSource line_source datasource_to_str - } ifelse - << - /PatternType 1 - /PaintProc [ - /pop cvx - << - /ImageType 1 - /Width Width - /Height 1 - /ImageMatrix Width 1.0 sub 1 matrix scale 0.5 0 matrix translate matrix concatmatrix - /MultipleDataSources MultipleDataSources - /DataSource line_source - /BitsPerComponent BitsPerComponent - /Decode Decode - >> - /image cvx - ] cvx - /BBox [0 0 Width 1] - /XStep Width - /YStep 1 - /PaintType 1 - /TilingType 2 - >> - matrix makepattern set_pattern - << - /ImageType 1 - /Width Width - /Height 1 - /ImageMatrix Width 1 matrix scale - /MultipleDataSources false - /DataSource mask_source mask_str readstring pop - /BitsPerComponent 1 - /Decode [0 1] - >> - imagemask - grestore - 0 1 translate - } for - grestore - end - end -}def -/imageormask -{ - begin - SkipImageProc { - currentdict consumeimagedata - } - { - save mark - level2 AGMCORE_host_sep not and{ - currentdict - Operator /imagemask eq DeviceN_PS2 not and { - imagemask - }{ - AGMCORE_in_rip_sep currentoverprint and currentcolorspace 0 get /DeviceGray eq and{ - [/Separation /Black /DeviceGray {}] 
setcolorspace - /Decode [ Decode 1 get Decode 0 get ] def - }if - use_mask { - level3 {process_mask_L3 image}{masked_image_simulation}ifelse - }{ - DeviceN_NoneName DeviceN_PS2 Indexed_DeviceN level3 not and or or AGMCORE_in_rip_sep and - { - Names convert_to_process not { - 2 dict begin - /imageDict xdf - /names_index 0 def - gsave - imageDict write_image_file { - Names { - dup (None) ne { - [/Separation 3 -1 roll /DeviceGray {1 exch sub}] setcolorspace - Operator imageDict read_image_file - names_index 0 eq {true setoverprint} if - /names_index names_index 1 add def - }{ - pop - } ifelse - } forall - close_image_file - } if - grestore - end - }{ - Operator /imagemask eq { - imagemask - }{ - image - } ifelse - } ifelse - }{ - Operator /imagemask eq { - imagemask - }{ - image - } ifelse - } ifelse - }ifelse - }ifelse - }{ - Width Height - Operator /imagemask eq{ - Decode 0 get 1 eq Decode 1 get 0 eq and - ImageMatrix /DataSource load - /Adobe_AGM_OnHost_Seps where { - pop imagemask - }{ - currentgray 1 ne{ - currentdict imageormask_sys - }{ - currentoverprint not{ - 1 AGMCORE_&setgray - currentdict imageormask_sys - }{ - currentdict ignoreimagedata - }ifelse - }ifelse - }ifelse - }{ - BitsPerComponent ImageMatrix - MultipleDataSources{ - 0 1 NComponents 1 sub{ - DataSource exch get - }for - }{ - /DataSource load - }ifelse - Operator /colorimage eq{ - AGMCORE_host_sep{ - MultipleDataSources level2 or NComponents 4 eq and{ - AGMCORE_is_cmyk_sep{ - MultipleDataSources{ - /DataSource [ - DataSource 0 get /exec cvx - DataSource 1 get /exec cvx - DataSource 2 get /exec cvx - DataSource 3 get /exec cvx - /AGMCORE_get_ink_data cvx - ] cvx def - }{ - /DataSource - Width BitsPerComponent mul 7 add 8 idiv Height mul 4 mul - /DataSource load - filter_cmyk 0 () /SubFileDecode filter def - }ifelse - /Decode [ Decode 0 get Decode 1 get ] def - /MultipleDataSources false def - /NComponents 1 def - /Operator /image def - invert_image_samples - 1 AGMCORE_&setgray - currentdict 
imageormask_sys - }{ - currentoverprint not Operator/imagemask eq and{ - 1 AGMCORE_&setgray - currentdict imageormask_sys - }{ - currentdict ignoreimagedata - }ifelse - }ifelse - }{ - MultipleDataSources NComponents AGMIMG_&colorimage - }ifelse - }{ - true NComponents colorimage - }ifelse - }{ - Operator /image eq{ - AGMCORE_host_sep{ - /DoImage true def - HostSepColorImage{ - invert_image_samples - }{ - AGMCORE_black_plate not Operator/imagemask ne and{ - /DoImage false def - currentdict ignoreimagedata - }if - }ifelse - 1 AGMCORE_&setgray - DoImage - {currentdict imageormask_sys} if - }{ - use_mask { - level3 {process_mask_L3 image}{masked_image_simulation}ifelse - }{ - image - }ifelse - }ifelse - }{ - Operator/knockout eq{ - pop pop pop pop pop - currentcolorspace overprint_plate not{ - knockout_unitsq - }if - }if - }ifelse - }ifelse - }ifelse - }ifelse - cleartomark restore - }ifelse - end -}def -/sep_imageormask -{ - /sep_colorspace_dict AGMCORE_gget begin - /MappedCSA CSA map_csa def - begin - SkipImageProc { - currentdict consumeimagedata - } - { - save mark - AGMCORE_avoid_L2_sep_space{ - /Decode [ Decode 0 get 255 mul Decode 1 get 255 mul ] def - }if - AGMIMG_ccimage_exists - MappedCSA 0 get /DeviceCMYK eq and - currentdict/Components known and - Name () ne and - Name (All) ne and - Operator /image eq and - AGMCORE_producing_seps not and - level2 not and - { - Width Height BitsPerComponent ImageMatrix - [ - /DataSource load /exec cvx - { - 0 1 2 index length 1 sub{ - 1 index exch - 2 copy get 255 xor put - }for - } /exec cvx - ] cvx bind - MappedCSA 0 get /DeviceCMYK eq{ - Components aload pop - }{ - 0 0 0 Components aload pop 1 exch sub - }ifelse - Name findcmykcustomcolor - customcolorimage - }{ - AGMCORE_producing_seps not{ - level2{ - AGMCORE_avoid_L2_sep_space not currentcolorspace 0 get /Separation ne and{ - [/Separation Name MappedCSA sep_proc_name exch 0 get exch load ] setcolorspace_opt - /sep_tint AGMCORE_gget setcolor - }if - currentdict 
imageormask - }{ - currentdict - Operator /imagemask eq{ - imageormask - }{ - sep_imageormask_lev1 - }ifelse - }ifelse - }{ - AGMCORE_host_sep{ - Operator/knockout eq{ - currentdict/ImageMatrix get concat - knockout_unitsq - }{ - currentgray 1 ne{ - AGMCORE_is_cmyk_sep Name (All) ne and{ - level2{ - [ /Separation Name [/DeviceGray] - { - sep_colorspace_proc AGMCORE_get_ink_data - 1 exch sub - } bind - ] AGMCORE_&setcolorspace - /sep_tint AGMCORE_gget AGMCORE_&setcolor - currentdict imageormask_sys - }{ - currentdict - Operator /imagemask eq{ - imageormask_sys - }{ - sep_image_lev1_sep - }ifelse - }ifelse - }{ - Operator/imagemask ne{ - invert_image_samples - }if - currentdict imageormask_sys - }ifelse - }{ - currentoverprint not Name (All) eq or Operator/imagemask eq and{ - currentdict imageormask_sys - }{ - currentoverprint not - { - gsave - knockout_unitsq - grestore - }if - currentdict consumeimagedata - }ifelse - }ifelse - }ifelse - }{ - currentcolorspace 0 get /Separation ne{ - [/Separation Name MappedCSA sep_proc_name exch 0 get exch load ] setcolorspace_opt - /sep_tint AGMCORE_gget setcolor - }if - currentoverprint - MappedCSA 0 get /DeviceCMYK eq and - Name inRip_spot_has_ink not and - Name (All) ne and { - imageormask_l2_overprint - }{ - currentdict imageormask - }ifelse - }ifelse - }ifelse - }ifelse - cleartomark restore - }ifelse - end - end -}def -/decode_image_sample -{ - 4 1 roll exch dup 5 1 roll - sub 2 4 -1 roll exp 1 sub div mul add -} bdf -/colorSpaceElemCnt -{ - currentcolorspace 0 get dup /DeviceCMYK eq { - pop 4 - } - { - /DeviceRGB eq { - pop 3 - }{ - 1 - } ifelse - } ifelse -} bdf -/devn_sep_datasource -{ - 1 dict begin - /dataSource xdf - [ - 0 1 dataSource length 1 sub { - dup currentdict /dataSource get /exch cvx /get cvx /exec cvx - /exch cvx names_index /ne cvx [ /pop cvx ] cvx /if cvx - } for - ] cvx bind - end -} bdf -/devn_alt_datasource -{ - 11 dict begin - /srcDataStrs xdf - /dstDataStr xdf - /convProc xdf - /origcolorSpaceElemCnt 
xdf - /origMultipleDataSources xdf - /origBitsPerComponent xdf - /origDecode xdf - /origDataSource xdf - /dsCnt origMultipleDataSources {origDataSource length}{1}ifelse def - /samplesNeedDecoding - 0 0 1 origDecode length 1 sub { - origDecode exch get add - } for - origDecode length 2 div div - dup 1 eq { - /decodeDivisor 2 origBitsPerComponent exp 1 sub def - } if - 2 origBitsPerComponent exp 1 sub ne - def - [ - 0 1 dsCnt 1 sub [ - currentdict /origMultipleDataSources get { - dup currentdict /origDataSource get exch get dup type - }{ - currentdict /origDataSource get dup type - } ifelse - dup /filetype eq { - pop currentdict /srcDataStrs get 3 -1 /roll cvx /get cvx /readstring cvx /pop cvx - }{ - /stringtype ne { - /exec cvx - } if - currentdict /srcDataStrs get /exch cvx 3 -1 /roll cvx /xpt cvx - } ifelse - ] cvx /for cvx - currentdict /srcDataStrs get 0 /get cvx /length cvx 0 /ne cvx [ - 0 1 Width 1 sub [ - Adobe_AGM_Utils /AGMUTIL_ndx /xddf cvx - currentdict /origMultipleDataSources get { - 0 1 dsCnt 1 sub [ - Adobe_AGM_Utils /AGMUTIL_ndx1 /xddf cvx - currentdict /srcDataStrs get /AGMUTIL_ndx1 /load cvx /get cvx /AGMUTIL_ndx /load cvx /get cvx - samplesNeedDecoding { - currentdict /decodeDivisor known { - currentdict /decodeDivisor get /div cvx - }{ - currentdict /origDecode get /AGMUTIL_ndx1 /load cvx 2 /mul cvx 2 /getinterval cvx /aload cvx /pop cvxs - BitsPerComponent /decode_image_sample load /exec cvx - } ifelse - } if - ] cvx /for cvx - }{ - Adobe_AGM_Utils /AGMUTIL_ndx1 0 /ddf cvx - currentdict /srcDataStrs get 0 /get cvx /AGMUTIL_ndx /load cvx - currentdict /origDecode get length 2 idiv dup 3 1 /roll cvx /mul cvx /exch cvx /getinterval cvx - [ - samplesNeedDecoding { - currentdict /decodeDivisor known { - currentdict /decodeDivisor get /div cvx - }{ - currentdict /origDecode get /AGMUTIL_ndx1 /load cvx 2 /mul cvx 2 /getinterval cvx /aload cvx /pop cvx - BitsPerComponent /decode_image_sample load /exec cvx - Adobe_AGM_Utils /AGMUTIL_ndx1 /AGMUTIL_ndx1 
/load cvx 1 /add cvx /ddf cvx - } ifelse - } if - ] cvx /forall cvx - } ifelse - currentdict /convProc get /exec cvx - currentdict /origcolorSpaceElemCnt get 1 sub -1 0 [ - currentdict /dstDataStr get 3 1 /roll cvx /AGMUTIL_ndx /load cvx currentdict /origcolorSpaceElemCnt get /mul cvx /add cvx /exch cvx - currentdict /convProc get /filter_indexed_devn load ne { - 255 /mul cvx /cvi cvx - } if - /put cvx - ] cvx /for cvx - ] cvx /for cvx - currentdict /dstDataStr get - ] cvx /if cvx - ] cvx bind - end -} bdf -/devn_imageormask -{ - /devicen_colorspace_dict AGMCORE_gget begin - /MappedCSA CSA map_csa def - 2 dict begin - dup dup - /dstDataStr exch /Width get colorSpaceElemCnt mul string def - /srcDataStrs [ 3 -1 roll begin - currentdict /MultipleDataSources known {MultipleDataSources {DataSource length}{1}ifelse}{1} ifelse - { - Width Decode length 2 div mul cvi string - } repeat - end ] def - begin - SkipImageProc { - currentdict consumeimagedata - } - { - save mark - AGMCORE_producing_seps not { - level3 not { - Operator /imagemask ne { - /DataSource [ - DataSource Decode BitsPerComponent currentdict /MultipleDataSources known {MultipleDataSources}{false} ifelse - colorSpaceElemCnt /devicen_colorspace_dict AGMCORE_gget /TintTransform get - dstDataStr srcDataStrs devn_alt_datasource /exec cvx - ] cvx 0 () /SubFileDecode filter def - /MultipleDataSources false def - /Decode colorSpaceElemCnt [ exch {0 1} repeat ] def - } if - }if - currentdict imageormask - }{ - AGMCORE_host_sep{ - Names convert_to_process { - CSA map_csa 0 get /DeviceCMYK eq { - /DataSource - Width BitsPerComponent mul 7 add 8 idiv Height mul 4 mul - [ - DataSource Decode BitsPerComponent currentdict /MultipleDataSources known {MultipleDataSources}{false} ifelse - 4 /devicen_colorspace_dict AGMCORE_gget /TintTransform get - dstDataStr srcDataStrs devn_alt_datasource /exec cvx - ] cvx - filter_cmyk 0 () /SubFileDecode filter def - /MultipleDataSources false def - /Decode [1 0] def - /DeviceGray 
setcolorspace - currentdict imageormask_sys - }{ - AGMCORE_report_unsupported_color_space - AGMCORE_black_plate { - /DataSource [ - DataSource Decode BitsPerComponent currentdict /MultipleDataSources known {MultipleDataSources}{false} ifelse - CSA map_csa 0 get /DeviceRGB eq{3}{1}ifelse /devicen_colorspace_dict AGMCORE_gget /TintTransform get - dstDataStr srcDataStrs devn_alt_datasource /exec cvx - ] cvx 0 () /SubFileDecode filter def - /MultipleDataSources false def - /Decode colorSpaceElemCnt [ exch {0 1} repeat ] def - currentdict imageormask_sys - } - { - gsave - knockout_unitsq - grestore - currentdict consumeimagedata - } ifelse - } ifelse - } - { - /devicen_colorspace_dict AGMCORE_gget /names_index known { - Operator/imagemask ne{ - MultipleDataSources { - /DataSource [ DataSource devn_sep_datasource /exec cvx ] cvx def - /MultipleDataSources false def - }{ - /DataSource /DataSource load dstDataStr srcDataStrs 0 get filter_devn def - } ifelse - invert_image_samples - } if - currentdict imageormask_sys - }{ - currentoverprint not Operator/imagemask eq and{ - currentdict imageormask_sys - }{ - currentoverprint not - { - gsave - knockout_unitsq - grestore - }if - currentdict consumeimagedata - }ifelse - }ifelse - }ifelse - }{ - currentdict imageormask - }ifelse - }ifelse - cleartomark restore - }ifelse - end - end - end -}def -/imageormask_l2_overprint -{ - currentdict - currentcmykcolor add add add 0 eq{ - currentdict consumeimagedata - }{ - level3{ - currentcmykcolor - /AGMIMG_k xdf - /AGMIMG_y xdf - /AGMIMG_m xdf - /AGMIMG_c xdf - Operator/imagemask eq{ - [/DeviceN [ - AGMIMG_c 0 ne {/Cyan} if - AGMIMG_m 0 ne {/Magenta} if - AGMIMG_y 0 ne {/Yellow} if - AGMIMG_k 0 ne {/Black} if - ] /DeviceCMYK {}] setcolorspace - AGMIMG_c 0 ne {AGMIMG_c} if - AGMIMG_m 0 ne {AGMIMG_m} if - AGMIMG_y 0 ne {AGMIMG_y} if - AGMIMG_k 0 ne {AGMIMG_k} if - setcolor - }{ - /Decode [ Decode 0 get 255 mul Decode 1 get 255 mul ] def - [/Indexed - [ - /DeviceN [ - AGMIMG_c 0 ne {/Cyan} 
if - AGMIMG_m 0 ne {/Magenta} if - AGMIMG_y 0 ne {/Yellow} if - AGMIMG_k 0 ne {/Black} if - ] - /DeviceCMYK { - AGMIMG_k 0 eq {0} if - AGMIMG_y 0 eq {0 exch} if - AGMIMG_m 0 eq {0 3 1 roll} if - AGMIMG_c 0 eq {0 4 1 roll} if - } - ] - 255 - { - 255 div - mark exch - dup dup dup - AGMIMG_k 0 ne{ - /sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 1 roll pop pop pop - counttomark 1 roll - }{ - pop - }ifelse - AGMIMG_y 0 ne{ - /sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 2 roll pop pop pop - counttomark 1 roll - }{ - pop - }ifelse - AGMIMG_m 0 ne{ - /sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec 4 3 roll pop pop pop - counttomark 1 roll - }{ - pop - }ifelse - AGMIMG_c 0 ne{ - /sep_tint AGMCORE_gget mul MappedCSA sep_proc_name exch pop load exec pop pop pop - counttomark 1 roll - }{ - pop - }ifelse - counttomark 1 add -1 roll pop - } - ] setcolorspace - }ifelse - imageormask_sys - }{ - write_image_file{ - currentcmykcolor - 0 ne{ - [/Separation /Black /DeviceGray {}] setcolorspace - gsave - /Black - [{1 exch sub /sep_tint AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {4 1 roll pop pop pop 1 exch sub} /exec cvx] - cvx modify_halftone_xfer - Operator currentdict read_image_file - grestore - }if - 0 ne{ - [/Separation /Yellow /DeviceGray {}] setcolorspace - gsave - /Yellow - [{1 exch sub /sep_tint AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {4 2 roll pop pop pop 1 exch sub} /exec cvx] - cvx modify_halftone_xfer - Operator currentdict read_image_file - grestore - }if - 0 ne{ - [/Separation /Magenta /DeviceGray {}] setcolorspace - gsave - /Magenta - [{1 exch sub /sep_tint AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {4 3 roll pop pop pop 1 exch sub} /exec cvx] - cvx modify_halftone_xfer - Operator currentdict read_image_file - grestore - }if - 0 ne{ - [/Separation /Cyan /DeviceGray {}] setcolorspace - gsave - /Cyan - [{1 exch sub /sep_tint 
AGMCORE_gget mul} /exec cvx MappedCSA sep_proc_name cvx exch pop {pop pop pop 1 exch sub} /exec cvx] - cvx modify_halftone_xfer - Operator currentdict read_image_file - grestore - } if - close_image_file - }{ - imageormask - }ifelse - }ifelse - }ifelse -} def -/indexed_imageormask -{ - begin - save mark - currentdict - AGMCORE_host_sep{ - Operator/knockout eq{ - /indexed_colorspace_dict AGMCORE_gget dup /CSA known { - /CSA get map_csa - }{ - /CSD get get_csd /Names get - } ifelse - overprint_plate not{ - knockout_unitsq - }if - }{ - Indexed_DeviceN { - /devicen_colorspace_dict AGMCORE_gget /names_index known { - indexed_image_lev2_sep - }{ - currentoverprint not{ - knockout_unitsq - }if - currentdict consumeimagedata - } ifelse - }{ - AGMCORE_is_cmyk_sep{ - Operator /imagemask eq{ - imageormask_sys - }{ - level2{ - indexed_image_lev2_sep - }{ - indexed_image_lev1_sep - }ifelse - }ifelse - }{ - currentoverprint not{ - knockout_unitsq - }if - currentdict consumeimagedata - }ifelse - }ifelse - }ifelse - }{ - level2{ - Indexed_DeviceN { - /indexed_colorspace_dict AGMCORE_gget begin - CSD get_csd begin - }{ - /indexed_colorspace_dict AGMCORE_gget begin - CSA map_csa 0 get /DeviceCMYK eq ps_level 3 ge and ps_version 3015.007 lt and { - [/Indexed [/DeviceN [/Cyan /Magenta /Yellow /Black] /DeviceCMYK {}] HiVal Lookup] - setcolorspace - } if - end - } ifelse - imageormask - Indexed_DeviceN { - end - end - } if - }{ - Operator /imagemask eq{ - imageormask - }{ - indexed_imageormask_lev1 - }ifelse - }ifelse - }ifelse - cleartomark restore - end -}def -/indexed_image_lev2_sep -{ - /indexed_colorspace_dict AGMCORE_gget begin - begin - Indexed_DeviceN not { - currentcolorspace - dup 1 /DeviceGray put - dup 3 - currentcolorspace 2 get 1 add string - 0 1 2 3 AGMCORE_get_ink_data 4 currentcolorspace 3 get length 1 sub - { - dup 4 idiv exch currentcolorspace 3 get exch get 255 exch sub 2 index 3 1 roll put - }for - put setcolorspace - } if - currentdict - Operator /imagemask eq{ - 
AGMIMG_&imagemask - }{ - use_mask { - level3 {process_mask_L3 AGMIMG_&image}{masked_image_simulation}ifelse - }{ - AGMIMG_&image - }ifelse - }ifelse - end end -}def - /OPIimage - { - dup type /dicttype ne{ - 10 dict begin - /DataSource xdf - /ImageMatrix xdf - /BitsPerComponent xdf - /Height xdf - /Width xdf - /ImageType 1 def - /Decode [0 1 def] - currentdict - end - }if - dup begin - /NComponents 1 cdndf - /MultipleDataSources false cdndf - /SkipImageProc {false} cdndf - /HostSepColorImage false cdndf - /Decode [ - 0 - currentcolorspace 0 get /Indexed eq{ - 2 BitsPerComponent exp 1 sub - }{ - 1 - }ifelse - ] cdndf - /Operator /image cdndf - end - /sep_colorspace_dict AGMCORE_gget null eq{ - imageormask - }{ - gsave - dup begin invert_image_samples end - sep_imageormask - grestore - }ifelse - }def -/cachemask_level2 -{ - 3 dict begin - /LZWEncode filter /WriteFilter xdf - /readBuffer 256 string def - /ReadFilter - currentfile - 0 (%EndMask) /SubFileDecode filter - /ASCII85Decode filter - /RunLengthDecode filter - def - { - ReadFilter readBuffer readstring exch - WriteFilter exch writestring - not {exit} if - }loop - WriteFilter closefile - end -}def -/cachemask_level3 -{ - currentfile - << - /Filter [ /SubFileDecode /ASCII85Decode /RunLengthDecode ] - /DecodeParms [ << /EODCount 0 /EODString (%EndMask) >> null null ] - /Intent 1 - >> - /ReusableStreamDecode filter -}def -/spot_alias -{ - /mapto_sep_imageormask - { - dup type /dicttype ne{ - 12 dict begin - /ImageType 1 def - /DataSource xdf - /ImageMatrix xdf - /BitsPerComponent xdf - /Height xdf - /Width xdf - /MultipleDataSources false def - }{ - begin - }ifelse - /Decode [/customcolor_tint AGMCORE_gget 0] def - /Operator /image def - /HostSepColorImage false def - /SkipImageProc {false} def - currentdict - end - sep_imageormask - }bdf - /customcolorimage - { - Adobe_AGM_Image/AGMIMG_colorAry xddf - /customcolor_tint AGMCORE_gget - bdict - /Name AGMIMG_colorAry 4 get - /CSA [ /DeviceCMYK ] - /TintMethod 
/Subtractive - /TintProc null - /MappedCSA null - /NComponents 4 - /Components [ AGMIMG_colorAry aload pop pop ] - edict - setsepcolorspace - mapto_sep_imageormask - }ndf - Adobe_AGM_Image/AGMIMG_&customcolorimage /customcolorimage load put - /customcolorimage - { - Adobe_AGM_Image/AGMIMG_override false put - dup 4 get map_alias{ - /customcolor_tint AGMCORE_gget exch setsepcolorspace - pop - mapto_sep_imageormask - }{ - AGMIMG_&customcolorimage - }ifelse - }bdf -}def -/snap_to_device -{ - 6 dict begin - matrix currentmatrix - dup 0 get 0 eq 1 index 3 get 0 eq and - 1 index 1 get 0 eq 2 index 2 get 0 eq and or exch pop - { - 1 1 dtransform 0 gt exch 0 gt /AGMIMG_xSign? exch def /AGMIMG_ySign? exch def - 0 0 transform - AGMIMG_ySign? {floor 0.1 sub}{ceiling 0.1 add} ifelse exch - AGMIMG_xSign? {floor 0.1 sub}{ceiling 0.1 add} ifelse exch - itransform /AGMIMG_llY exch def /AGMIMG_llX exch def - 1 1 transform - AGMIMG_ySign? {ceiling 0.1 add}{floor 0.1 sub} ifelse exch - AGMIMG_xSign? {ceiling 0.1 add}{floor 0.1 sub} ifelse exch - itransform /AGMIMG_urY exch def /AGMIMG_urX exch def - [AGMIMG_urX AGMIMG_llX sub 0 0 AGMIMG_urY AGMIMG_llY sub AGMIMG_llX AGMIMG_llY] concat - }{ - }ifelse - end -} def -level2 not{ - /colorbuf - { - 0 1 2 index length 1 sub{ - dup 2 index exch get - 255 exch sub - 2 index - 3 1 roll - put - }for - }def - /tint_image_to_color - { - begin - Width Height BitsPerComponent ImageMatrix - /DataSource load - end - Adobe_AGM_Image begin - /AGMIMG_mbuf 0 string def - /AGMIMG_ybuf 0 string def - /AGMIMG_kbuf 0 string def - { - colorbuf dup length AGMIMG_mbuf length ne - { - dup length dup dup - /AGMIMG_mbuf exch string def - /AGMIMG_ybuf exch string def - /AGMIMG_kbuf exch string def - } if - dup AGMIMG_mbuf copy AGMIMG_ybuf copy AGMIMG_kbuf copy pop - } - addprocs - {AGMIMG_mbuf}{AGMIMG_ybuf}{AGMIMG_kbuf} true 4 colorimage - end - } def - /sep_imageormask_lev1 - { - begin - MappedCSA 0 get dup /DeviceRGB eq exch /DeviceCMYK eq or has_color not and{ - 
{ - 255 mul round cvi GrayLookup exch get - } currenttransfer addprocs settransfer - currentdict imageormask - }{ - /sep_colorspace_dict AGMCORE_gget/Components known{ - MappedCSA 0 get /DeviceCMYK eq{ - Components aload pop - }{ - 0 0 0 Components aload pop 1 exch sub - }ifelse - Adobe_AGM_Image/AGMIMG_k xddf - Adobe_AGM_Image/AGMIMG_y xddf - Adobe_AGM_Image/AGMIMG_m xddf - Adobe_AGM_Image/AGMIMG_c xddf - AGMIMG_y 0.0 eq AGMIMG_m 0.0 eq and AGMIMG_c 0.0 eq and{ - {AGMIMG_k mul 1 exch sub} currenttransfer addprocs settransfer - currentdict imageormask - }{ - currentcolortransfer - {AGMIMG_k mul 1 exch sub} exch addprocs 4 1 roll - {AGMIMG_y mul 1 exch sub} exch addprocs 4 1 roll - {AGMIMG_m mul 1 exch sub} exch addprocs 4 1 roll - {AGMIMG_c mul 1 exch sub} exch addprocs 4 1 roll - setcolortransfer - currentdict tint_image_to_color - }ifelse - }{ - MappedCSA 0 get /DeviceGray eq { - {255 mul round cvi ColorLookup exch get 0 get} currenttransfer addprocs settransfer - currentdict imageormask - }{ - MappedCSA 0 get /DeviceCMYK eq { - currentcolortransfer - {255 mul round cvi ColorLookup exch get 3 get 1 exch sub} exch addprocs 4 1 roll - {255 mul round cvi ColorLookup exch get 2 get 1 exch sub} exch addprocs 4 1 roll - {255 mul round cvi ColorLookup exch get 1 get 1 exch sub} exch addprocs 4 1 roll - {255 mul round cvi ColorLookup exch get 0 get 1 exch sub} exch addprocs 4 1 roll - setcolortransfer - currentdict tint_image_to_color - }{ - currentcolortransfer - {pop 1} exch addprocs 4 1 roll - {255 mul round cvi ColorLookup exch get 2 get} exch addprocs 4 1 roll - {255 mul round cvi ColorLookup exch get 1 get} exch addprocs 4 1 roll - {255 mul round cvi ColorLookup exch get 0 get} exch addprocs 4 1 roll - setcolortransfer - currentdict tint_image_to_color - }ifelse - }ifelse - }ifelse - }ifelse - end - }def - /sep_image_lev1_sep - { - begin - /sep_colorspace_dict AGMCORE_gget/Components known{ - Components aload pop - Adobe_AGM_Image/AGMIMG_k xddf - 
Adobe_AGM_Image/AGMIMG_y xddf - Adobe_AGM_Image/AGMIMG_m xddf - Adobe_AGM_Image/AGMIMG_c xddf - {AGMIMG_c mul 1 exch sub} - {AGMIMG_m mul 1 exch sub} - {AGMIMG_y mul 1 exch sub} - {AGMIMG_k mul 1 exch sub} - }{ - {255 mul round cvi ColorLookup exch get 0 get 1 exch sub} - {255 mul round cvi ColorLookup exch get 1 get 1 exch sub} - {255 mul round cvi ColorLookup exch get 2 get 1 exch sub} - {255 mul round cvi ColorLookup exch get 3 get 1 exch sub} - }ifelse - AGMCORE_get_ink_data currenttransfer addprocs settransfer - currentdict imageormask_sys - end - }def - /indexed_imageormask_lev1 - { - /indexed_colorspace_dict AGMCORE_gget begin - begin - currentdict - MappedCSA 0 get dup /DeviceRGB eq exch /DeviceCMYK eq or has_color not and{ - {HiVal mul round cvi GrayLookup exch get HiVal div} currenttransfer addprocs settransfer - imageormask - }{ - MappedCSA 0 get /DeviceGray eq { - {HiVal mul round cvi Lookup exch get HiVal div} currenttransfer addprocs settransfer - imageormask - }{ - MappedCSA 0 get /DeviceCMYK eq { - currentcolortransfer - {4 mul HiVal mul round cvi 3 add Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll - {4 mul HiVal mul round cvi 2 add Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll - {4 mul HiVal mul round cvi 1 add Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll - {4 mul HiVal mul round cvi Lookup exch get HiVal div 1 exch sub} exch addprocs 4 1 roll - setcolortransfer - tint_image_to_color - }{ - currentcolortransfer - {pop 1} exch addprocs 4 1 roll - {3 mul HiVal mul round cvi 2 add Lookup exch get HiVal div} exch addprocs 4 1 roll - {3 mul HiVal mul round cvi 1 add Lookup exch get HiVal div} exch addprocs 4 1 roll - {3 mul HiVal mul round cvi Lookup exch get HiVal div} exch addprocs 4 1 roll - setcolortransfer - tint_image_to_color - }ifelse - }ifelse - }ifelse - end end - }def - /indexed_image_lev1_sep - { - /indexed_colorspace_dict AGMCORE_gget begin - begin - {4 mul HiVal mul round cvi Lookup exch get 
HiVal div 1 exch sub} - {4 mul HiVal mul round cvi 1 add Lookup exch get HiVal div 1 exch sub} - {4 mul HiVal mul round cvi 2 add Lookup exch get HiVal div 1 exch sub} - {4 mul HiVal mul round cvi 3 add Lookup exch get HiVal div 1 exch sub} - AGMCORE_get_ink_data currenttransfer addprocs settransfer - currentdict imageormask_sys - end end - }def -}if -end -systemdict /setpacking known -{ - setpacking -} if -%%EndResource -currentdict Adobe_AGM_Utils eq {end} if -%%EndProlog -%%BeginSetup -Adobe_AGM_Utils begin -2 2010 Adobe_AGM_Core/doc_setup get exec -Adobe_CoolType_Core/doc_setup get exec -Adobe_AGM_Image/doc_setup get exec -currentdict Adobe_AGM_Utils eq {end} if -%%EndSetup -%%Page: Alternate-ISC-logo-v2.ai 1 -%%EndPageComments -%%BeginPageSetup -/currentdistillerparams where -{pop currentdistillerparams /CoreDistVersion get 5000 lt} {true} ifelse -{ userdict /AI11_PDFMark5 /cleartomark load put -userdict /AI11_ReadMetadata_PDFMark5 {flushfile cleartomark } bind put} -{ userdict /AI11_PDFMark5 /pdfmark load put -userdict /AI11_ReadMetadata_PDFMark5 {/PUT pdfmark} bind put } ifelse -[/NamespacePush AI11_PDFMark5 -[/_objdef {ai_metadata_stream_123} /type /stream /OBJ AI11_PDFMark5 -[{ai_metadata_stream_123} -currentfile 0 (% &&end XMP packet marker&&) -/SubFileDecode filter AI11_ReadMetadata_PDFMark5 - - - - - Adobe PDF library 6.66 - - - - - - - 2004-10-06T16:15:40-07:00 - 2004-10-22T21:51:43Z - Illustrator - 2004-10-06T16:15:40-07:00 - - - - JPEG - 256 - 152 - /9j/4AAQSkZJRgABAgEASABIAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAAAAEA AQBIAAAAAQAB/+4ADkFkb2JlAGTAAAAAAf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoK DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8f Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8AAEQgAmAEAAwER AAIRAQMRAf/EAaIAAAAHAQEBAQEAAAAAAAAAAAQFAwIGAQAHCAkKCwEAAgIDAQEBAQEAAAAAAAAA AQACAwQFBgcICQoLEAACAQMDAgQCBgcDBAIGAnMBAgMRBAAFIRIxQVEGE2EicYEUMpGhBxWxQiPB 
UtHhMxZi8CRygvElQzRTkqKyY3PCNUQnk6OzNhdUZHTD0uIIJoMJChgZhJRFRqS0VtNVKBry4/PE 1OT0ZXWFlaW1xdXl9WZ2hpamtsbW5vY3R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo+Ck5SVlpeYmZ qbnJ2en5KjpKWmp6ipqqusra6voRAAICAQIDBQUEBQYECAMDbQEAAhEDBCESMUEFURNhIgZxgZEy obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PSNeJEgxdUkwgJChgZJjZFGidkdFU38qOzwygp 0+PzhJSktMTU5PRldYWVpbXF1eX1RlZmdoaWprbG1ub2R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo +DlJWWl5iZmpucnZ6fkqOkpaanqKmqq6ytrq+v/aAAwDAQACEQMRAD8AiX5AfkB5O/MTydea1rV5 qNvdW+oyWSJZSQJGY0ghlBIlhmblymPfMfLlMTQbIQBDOPM//OKX5U6B5e1DWZ9R1uSOxhaX0hcW il2H2U5G0NOTUFcOCcskxAVuWOaoQMj0Y1+Wf5EflJ56N+kUuvWEtgImZHu7OTmJS4+Glmv2eG+3 fMvXYJ6etwb8v2uPpNRHNdCqZz/0Jp+WH/V01v8A5H2n/ZLmv/MSczww7/oTT8sP+rprf/I+0/7J cfzEl8MO/wChNPyw/wCrprf/ACPtP+yXH8xJfDDAfzv/AOcc/JHkPyHN5g0i+1Oe9juIYVju5bd4 uMrUYkRwRNXw+LJ48xkaRKAAfT/5V/8AksPKH/bE07/qEjzJaiynFXYq7FXYq7FXYq7FXYq7FXYq 7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq+BfyU/MTzH5Nhnn0yUPbSzt9ZsZqtBJ8CAMVBFGHZ hv8ARtmz0uihnwkS58XPryDrdVqp4sorlXL5st1/z/8AmP5whlgu7p20+b7VnCqwW9AwYL250YD7 TE5eI6TSncgS+Zccy1OoGwPD8ggfLXmTzl5HvJLzTD9X9YKtwroksUiqSVVjvTc9iDlkp6bVjhsS +wsIxz6Y3Vfc9B1b/nJjWZ9Hhh03TYrPVmH+lXTt6sQp/vqM/wA3+UTT365iY+w4CVyNx7v1uTPt eRjsKk9s8j+YrjzH5W0/Wbm0aymu4wzwtsCRsXTcng1KrXemaHV4RiyGAN07jT5TkgJEVae5jNzx v/nLL/yT91/zG2v/ABM5dg+pjPk9M/Kv/wAlh5Q/7Ymnf9QkeZzjllOKuxV2KuxV2KuxV2KuxV2K uxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV+eX5W6Yl7aztLvBDMSy/zEqtB8tsyJ644NP6fr lI18hZcX8oMuf1fTGP6S9h0Ly3rGtzm20q1M7RgF6UVEXtyZiFHTbOa3ke8u52Adr3lvWNEnFtqt qYWkUlCSGRx3oykqeu+DeJ7iuxDANasU07UIriJFaF29RYmAK8kILKVPVc7bsjWnUYiJfVHY/oLy /aOlGHIDH6S+zNB1K31TRNP1K2UJb3lvFPEg6KsiBgu38taZzGaBhMxPMF6DHMSiCOoR2VM3jf8A zll/5J+6/wCY21/4mcuwfUxnyemflX/5LDyh/wBsTTv+oSPM5xyynFXYq7FXYq7FXYq7FXYq7FXY q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq+A/yedP0NepT4xccie5BRR+FMxNfE8ET0uX+9bNP IcZHWh+l9K/kxr2kW1neaZcSxwXskwmjaQhfUUqF4qT1Kla098wMUg5Mgq/nNrujzada6XDKk9+s 4mbgQ3pIEZaMR0Lcht9PhjlIWIeCebnQQ26U+MszA+AAAP31zoPZyJ4pnps6ftqQqI67s3/KGD81 
YPMejRFNVh8ts6tKJ0mFp6HAsOPqDgFYUoVzYdonTGEvp4/hduJoRnE4/VwfY+lCyggEgE9B45yr 0Lxb/nLe8tYvyoe2kkCz3N7bmCM9W9NqtT5A5bhI4wFlAmBI5B6l+Vf/AJLDyh/2xNO/6hI8z3EL y3/nLq+1nQPJem69oWsalpWoyapHZytZX11BG8UltM5BijkVK8oFoaePjir0v8ooJB+W/lq8nu7u 9vNR0uyvLy5vbme6keaeBZXPKZ34jk52XbFWYYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7F XYq7FXYq7FXYq7FX5z/l3fy2Nq88Y5D1mDodgylE2zaafSR1GnMJfztvI0HWanUSw5xIfzf0l6Zb a3plwnITrGe6SkIR9+x+jOdz9k6jGa4TId43dti7QwzF8Ve/Zq61zTLdORmWU9kiIcn7th9Jw6fs nUZD9PCO+W37Vzdo4YDnfu3S3y5bW3mjzpptlqVwtnZ3U6xO5JoEFTwBAPxP9kH+Y+GdXDCNJpyI CyBfvPf+Ojz5ynU5xxbAvozTPzt/L2W4vbT60bO109R6E8qFY5kX4SIVUF9uylakduucN+aiSbfQ Z9gamMYkC+LoOnveJeYvzDnP5kTeatBmlMUUoayS7qRxMYSRCgbZHPLYHp4HMKWT18Qet03Zo/Kj DkA5b179vixD84/zA8y+btFi/TEsbJaSVt44o1jVTIRy6bn7I6nMzRZJSyi+4un7Y7OxabSS8Mcz G32N+Vf/AJLDyh/2xNO/6hI83jwxeUf85q/+Ss0r/tuW/wD1CXeKvVfyn/8AJWeTf+2Hpv8A1CR4 q8j8x/nX5n8ifnH5nGr28+o/l4tzp9rNKnxtp082nwSckAqQklWYp0Y1K/FUFV7F5gutN1/yJe6h pmoSNaT2M1xY6jp1zJC1fRfi6SwMh2PY9+o2xVjP5faLe+ZPyb8tx3WtanDPqNraXmo6jHeXBvpD QSMqXLSGSIOwAbifs1HeuKvOfzm0m/8ALHnz8tdI0fzJ5hhsfMmqG01aNta1GQyRC4tI6KzTEp8M 77rir2bQfIEWia5+kbXWtYurZ7SW2msNQ1G7voS7yROkyC4kk4OgjZajs2KvH9Is9R1n/nJrzd5Q utf12Py9p+mRXtnZQavqEQjmaOxJIZZg1K3D7Vpvir2Xy/5JTSdO1PTZdW1PUbS9ujcW8l3fXUlz bxmGKMwpcmT1uIkjZx8X7WKvB/8AnH/RPMX5gflhrGqaj5x8wQa/BqE9rYagNWvfTjEdtBLH6kLS NG685TyqtaYq9K/5xr86+aPOH5Yw6n5kJlvYbqa1hvWADXMMQUrK3EAVDM0ZPfjirHPzm/M7zt5G /M6wvNIt5NV8u22jC78waSrbCD620RuUG5R0LKC4FKfa23Cr1fyr5t8s+ePLcWraHeG5066HFzG7 RTROAC0UnAq8ci13FfwOKsS/JBbuS183fXNQv9Qaz8y6rp1s97eXFyUtbaVUijX1XYLxA6jfFWA6 RZ6jrP8Azk15u8oXWv67H5e0/TIr2zsoNX1CIRzNHYkkMswalbh9q03xV6vB+XE8Oi3+ijzJrJs7 2/S8W5e+uJL6GBI4gbWK8eQzIjSxFiQfssy964q8i/ObSb/yx58/LXSNH8yeYYbHzJqhtNWjbWtR kMkQuLSOis0xKfDO+64q9n0DyDFoWvDU7XWtXurdrWW2m0/UdRur+Eu8kTpMq3MknF0EbLUdmxVl WKuxV2KuxV2KuxV8tf8AOKPkvyrr35Z6zJq+mQ3k02qy2zTSL+8WJLa3dVRxRk+JyaqQcqnqsmMj hkR1T4EJg8QtKPzn/LXS/JV9pzaXNNJaakJisc5VijQlKqGULUfvO4zoezNdLODxAXGnR6/SRwkc 
PIsk/Ln8gtN17QNP17V9RnSO9VpPqMCKhCh2VaysXryVQ32B1+nMXW9ryxzMIgbdf2ORpezIziJS PPownzdp3kO384XUWjyXMOkWbMrRg82kkiFCsEjVKhn25PWg+LfZc1uP2mIgRKPFLoeh9/7Ofk9P H2GyT4JxkIxl9Q6x93f+hj2oXjXt9cXjIsbXEjStGleILmpArU985ORs2+nYcfhwEbJ4RW/PZG2X l+4mAec+ih6LSrn6O2TjiJdNre38WI8MPXL7Pn+Pek/5j6Pa2nliWWMuW9WMfEQep9gM2GhxgZHm O0u2cuoxGEhER8v7X2j+Vf8A5LDyh/2xNO/6hI83LzpeUf8AOapH/KrdKWu51yAgd6C0uv64q9V/ KYg/lZ5Np/1Y9N/6hI8VYb5Q0/SvMf5j/nBpWq2yXNhdzaVbXVq+4ZBp/p12oQTwqCNwehqMVea6 5Yeb/wAgZ9Tgtlm1r8qtdWWJVrym0+edCq1rQA1NK/ZkHg2Kvevyiiji/KrycqDip0TT2I93tY2Y /STiryz/AJyO/wDJp/kv/wBtw/8AUXp+KvoDFXzXp/lvSfMH/OXnney1P6x6CaPbzJ9VurmyfmsG nKKyWskLkUY/CWp3psMVe6+U/LmkeW0vdK064llV5hfGK5nluZo1nURqGlneSRlLQNxLH27Yq+XP yK8n+e9f/IrzOPKfmS5025fULiJdIRLcQ3LLa2zOPXaP6xE8qNwqkqjYV74q93/Ij8xPLvmnyhBp tjaR6Pq2hItnqnl9FMZtnj+CqI3xemxB3O4NQ2+KqFxLDN/zkwllKitGfJMpYPQhxLqiqUKkb7R4 q8984/l15r/JzzNP+YP5axNd+WZjy8w+WBXikIqzMgFf3a7lSByj90qMVehf8476tZ635O1fXrON ooNZ8watqCJJTmFuLkugehI5BKA0xV57p/lvSfMH/OXnney1P6x6CaPbzJ9VurmyfmsGnKKyWskL kUY/CWp3psMVe6+U/LmkeW0vdK064llV5hfGK5nluZo1nURqGlneSRlLQNxLH27Yq8e/5yO/8mn+ S/8A23D/ANRen4q+gMVdirsVdirsVdirsVfOv/OGn/ksNU/7bc//AFCWuYeo+pux8ntWreX9C1hE TVtOttQWLl6X1mFJeHOnLhzB41oOmQx5pw+kke5M8UZ/UAUFq3mDyp5P0+zhv7iLTLI0t7KMIxUB F+yqxq1AB36ZTlzC7kdy5ek0OTN6cUb4Q+XvzM13S9c866lqGmRJHZO4SOSMcfWKDi0xG28h36dO u+arLIGRIfRey9PPDp4xmfV93l8EHoGmqVF5KtTX9yD2p+1/TJ4odXS9vdpkHwYH+t+r9f8AanuZ DyTEPzS/5RKX/jNF/wASzJ0f1teb6X2H+Vf/AJLDyh/2xNO/6hI82zhlb51/K3yR52EK+aLGXUYr ducMBvLyGJXpx5CKGaNOVO9MVTHy15Q0Ly1p0em6MlxBYQp6UFvJd3VwkaDosYnll4AduOKoTRfy 68p6Lr1/r2m29xDq2qFG1G4a9vZfXMYIT1ElmeNuAYhart2xVPNS03T9TsJ9P1G3ju7G6QxXFtMo eN0bYqynYjFWtK0yx0rTLPS9Pi9CwsII7W0hBZgkMKBI1qxZjxVQNzXFWO+avys8j+a9VstV16xm u7/TW9TT5heXkIgcFTyiSGaNENY1NQOoxVlFvAkEKQoXKIKAyO8jfS7lmP0nFWDXn5Gflnd69P5g n066Ot3NPW1FNT1KOZqKEHxpcqacVAxVO9F8g+WdFsr6z02K5ij1Fle8le+vZZ3ZAFWlxLM8y0Ap RXGKqPkr8s/JfkmGWDyxZSafbzuZZbf63dzRNIVCl/TmlkTlxUCtMVWXX5XeRbjzT/ir9Gm28wkF 
ZNRs7i5s5JAQAfVFtJEslaCvMHFVWb8ufKU3mtfNklvcnzAkRt0vhfXqlYCxcxCMTCMR8mJ4caYq yUgEUO4PUYql2g+W9D8v2cllotlHYWck0lw1vCCsYklNXKrWignstBirFLz8jPyzu9en8wT6ddHW 7mnraimp6lHM1FCD40uVNOKgYqyLyx5N8v8AllLpNHhmjN66y3Ulxc3N5I7KvFayXUkz0A7A0xVL vNX5WeR/Neq2Wq69YzXd/prepp8wvLyEQOCp5RJDNGiGsamoHUYqyi3gSCFIULlEFAZHeRvpdyzH 6TiqpirsVdirsVdirsVfOv8Azhp/5LDVP+23P/1CWuYeo+pux8nvOY7Y8/8Azo8q6Nq/lK61O/eW O40aCaayeJqLzYCiupqCGZVB75j6mAMbPR3XYeryYs4hGqmQC+XIYmlmjiX7UjBR82NM1z3+XIIR MjyAtmqIqIqIKKoCqPADYZmgU+X5MhnIyPMm12Fghvzc8i6jZ/lNJ5hvHEKS3FsLe1pV2SRtnY1+ HboMy9JH1W1ZTs+nfyr/APJYeUP+2Jp3/UJHm0cQph5t84eXfKWjSaxr94tnZIwRWILvJI32Y441 DO7t2Cj8MVYZqX57aRpCQXOs+V/Mel6ZcOkUep3ViiwBpCAgfjM0sfIttzQYq9MxV2KuxV2KuxV2 KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KvnX/nDT/wAlhqn/AG25/wDqEtcw9R9Tdj5P ecx2x4p+e3lfzteTXGr2dy7eXLa1Q3NoJ2ChkY839H7J6jf2zC1MJXfR6z2f1eniBCQ/emWxr9Lw yw/3utv+Mqf8SGYkeYen1wvBP+pL7mZZmvmTsVZ7/wA5N6hZ6h+Rn12zINtNc2bRhabDkfh27r0O bDTm5Boyci9X/Kv/AMlh5Q/7Ymnf9QkeZ7jF43/zl1Lrmk3vkTzVBAbvSNC1Fp7m3IPpfWFeGWES 0rtIsLqK9PpxV6v5X84+R/zX8mXB06cXFleRGDULJqLc27Ov2ZENeLKd0bcGlQTiqF1P85dE0r8w NN8j6ppGp2OpauwXTr6ZLX6lKDWhWVbhm+0OPHhyrTbcYqnfn7z3pvkrRYtWv7S7vo5rmGyhtbBY pLiSa4PGNUjlkh5knspJ9sVa1vz9pOg6TZX2t29zY3WozJbWGjlY576a4k+zFHHbPOrN40eg7nFV C2/MOI6rHp2p6DqujGaGa5hur2O2Nu0cCeo/7y3nuOLcd+D0b2xVj+t/njDofl6TzFq/kvzJZaPC sby3M0OnrxEzrGnKP676gq7qKccVRNp+cf1rSrPWU8meYho97HDPFf8Ao2DRiC4CskzLHePIE4sG Y8dh1xVW8+/nFpHknXNH0bUtG1S7u9flNvpDWS2jpPMGjTgPUuYmU8p0HxAdcVR+kfmFNfa7a6Pe eV9a0aW9SV7e6v47P6uTCvJkL29zcEMR0FMVTTW/OGiaLrWiaPqEpiu/MEssGnGg4GSGP1CrGu3I bLtudsVTvFUj8u+cdD8w3utWelymWTQb06ffNQcfXWNXbgQTUKX4GtPiU/MqobzF5/0XRdZtNBEV zqfmC+jae30iwjEs/oKeLTSF2jiij5bcpHUE9MVVPLXnBNb1HUdNl0nUNH1DTEgkuLfUY4V5JcmV Y3ikt5biKRawOCVfFWQ4q7FXYq7FXYq7FXYq7FXYq+df+cNP/JYap/225/8AqEtcw9R9Tdj5Pecx 2x51+eHmy/0HysLa2sUuYdZE1jPPIW4xCSOlAi05MyluPxbU6HMfUzMRXe7zsHRxzZrMqMKlXfu+ YCHR6EFXU7g7EEZrn0AgEeTMrO5W5to5l/bHxAdj3H35mRlYfNNbpjgyygenL3dFbJOIxj80NQvk 
8i3Fis7izluIXe35HgWVtm49K++ZWj+trzfS+u/yr/8AJYeUP+2Jp3/UJHm1cMpxrekaHr2nXeh6 vbxX1lcxgXdlLQ1jcnixA+JfiQ8WHcbbjFXx/wCefJXmT/nHvz/p3mzy1cyXHli9mMSo7fEU+1JZ XIFA1UFUf2rsVxV9Efnb+XUf5geRuWnEx6/ptNR8vXa1WRZlAb0ww+IeqAB7NxPbFWLfk35j1D83 LrTPOOsxenY+VIhaW9r+xNrTxA3N5xB+ykLqIlP2S7HFU7/Pv8vvN/mO20LzF5MuBH5o8p3El3YW zlQswlCc1Bf4OX7paB/hIqD1xVA/lD+ek/mzXn8necdGOh+drBWlELIyxSlFIdo1kq8T8GJpUgrU hqbYqmH/ADlH/wCSJ8zf9GP/AHULfFWVflQA35VeTlYVB0LTQQehH1OPFXkn/OTk89v+Y35Pz29u 95PFrEjw2kbIjyut1YFY1aRkQFzsCzAeJxV61onm/wAwahr0Ol6n5SvdFR4JrlLy6uLKaP8AcsiF V+qzXB5H1h1ptirxr/nJzRvMHmLzXZRaFM8eoeTNDm8ywrGKuXN7DH8BrXmEt3kX4TulO+Ks6i/O car+TVj5q0dFk8x6z6el6fp43/3MzH0fTof2Uesu/wDusVxVhn/OMdldeWPP/wCYvkq8uWu5rOe3 uVuXJ5SGsgkkIPd/UQ4qmv5xeUPzP0Pz/b/mj+XcS6ldrZDT9X0dl9RpIUfn8EYKtIrUWqoeYK1F a7Ksv/Jv839H/MewvZVsW0rzDphSDWNOloXQ1fgVchWZOQfZgCpqCO5VejYq7FXYq7FXYq7FXYq7 FXYq+df+cNP/ACWGqf8Abbn/AOoS1zD1H1N2Pk95zHbGiqkgkAlTUHwNKfxxS+UPzkutEufzA1KT SkdOLCO+5rwU3UfwylFNDTYVr1apzV5iOI0+jdiQyR00RP4f1ejGNK1RrOQq9Wgf7Sjsf5hkYTpe 1ezBqY2Nsg5H9BZRDNFNGJImDoejDMoEF4TNgnilwzFFif5pf8olL/xmi/4lmVo/rcXN9L7D/Kv/ AMlh5Q/7Ymnf9QkebZwykHm1PzQ0f8w18xeWdIh8w6BeaZBYajpf1uO0uVnt7i4lSaJp6RfZuaHf f2oDirH/ADj5I89/mxe6Rp3mfSI/K/k3TLpb+8tXuoru/u5kVkRF+r8ook4uwJ5k71xV7DdzSW1o 8kFs908Y/d2sJjV27UUytGg+lhirx7/nGDyX5z8keT7/AEHzPo0thcz6lLexTie0miMb28MYH7ma R+XKE/s4qzXzNqX5haV5piutG0L/ABB5euLRIrq2huoLa5guY5Xb1Y1uWjidWRwGHMHb23VY/pvk zzH5j/NnTvzB1/SU0CDQbGSz0ywaaK4vJpZxIjyTvbs8KIkcrBUDtua1xVGf85AeXvMnmb8r9V8u eXtNk1HUtSNuIwstvCiCC6hnYu08kXVYzTjXFU9/LC11iw8haBpGr6bLpt/pWnWllcRyyW8oaS3h WJijQSSgiqV3p1xV5z+fXlHz/r/nbyHq/lny9JqsHlO+a/umN1Z26y1mtZljT1plf/j3YElcVZ/p 3mfz3qGr6fay+TrrRtPeR21HULy70+ZUjWJyqpHbXE0jM8vBelAN8VSnyzpHmVvzd8z+YNU0S4tN Jv7KxsNKuZJbSRSluJHnMkcVxI68pHAX4DXvTFWOflr+Q0vlP8ytZ1R5eflS3ma78q6dyDJFc3iB LiUx/stCiekh7qcVdZ+TPO2hf85H635ztNElvfK+uWEdrNPBPaKVlWKD4/Rlmhf7dvStD9onFWXX ut/mbpHmnWI4/K7+YfLtzJFNpNzZ3tpDNCBbRRywyxXckAoZkd1Kt3xVB/lr5C1ew84eavPWu28O 
nap5nkhWLSbdxKttb26BAZJFCq8spHJ+OwPc1xV6RirsVdirsVdirsVdirsVdir51/5w0/8AJYap /wBtuf8A6hLXMPUfU3Y+T3nMdsQGoa9omnT29vf30FrcXTrHbQyyKryO7cVCKTU1O2WwwzkCYgkB hLJGJomrQd15K8p3eoXWo3WlW897ex+jczyIGZkC8e+wPHao3zGOKJNkOdDXZoxEYzIjE2Hyf5k0 uzj81alp2hRTzWkFxLHbRspaXhETy2ArQUPUVp1zWGO5p9G0+c+DGWUgSIHuspTBc3Fu/OFzG3en eniO+AGm7Pp8eWNTAkEr896vd3Plp4JuLD1IzzpRtj7Gn4ZsNBMnJReT7d7Jw4cByQsGx12/Hxfb v5V/+Sw8of8AbE07/qEjzePFFlOKuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV 2KuxV2KuxV86/wDOGn/ksNU/7bc//UJa5h6j6m7Hye85jtj5B/OE2S/mVrEun3KTwvKkglicOFkM amReQJ3WSvyztuzb8CIkKeW19eMSCzGx/wCcmfMNvaWsM+k29zJDGqTztI6tKyinPYUUnqeuYM+w 4EkiRDlR7XkALDBvzG8+t5y1tNSXT49NVIkQxxkO7utfjkkCoXO9FqNhmZoezoaeyN5Hr+hp1naW TOBAkiEeUb2vvZjpf5M+bNeg8vanNJHLYX8UL3tz6oNwkUjGQu4YDkwjYKtGY9K0zi+1cHFqZcIA jfT7ftfRewO2oYNCIzMjkAJF7+4Wln/ORn5QaL5T8irq+k3F1KGvIYJobgo6qrh25hkRKfEoXfxy OlwCGQENGt7ZyanBKExEcjt7w+kPyr/8lh5Q/wC2Jp3/AFCR5tnnCxj88Pzoi/LzTrSz061Gpeat YPDSrA1KD4gvqyhSGK8moqjdjtUbnFXaF+WHnPUrGO988+dNYfV5xzmsNGuf0bZ25bf0k+rKkknD pyL7+GKpJ5+/Lfz15b0afzB5N89a4X04fWbvTNUufr8UluhDS+m8ysyssYLDlyrSm2Kva8VdirsV dirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVfHH5K/mFceTPyPvZrD021W98wzR2qyg soSO0tGlYgUqKUXr+1lul0Yz5al9IH9jRqtUcWOx9RKa+aP+cgPNGu+XW0lLaLTZ5zS7vLV3BeKm 8aK1SnLueZ22za4Ox8eOfFfF3AutzdpznDhqnmkUApyfv0X+uYHavb/gyOPFRkOZ6D9r1Hs97HnU wGbOTHGeURzkO/yH2nyVQqAEBVofYE/ed85qXbOqJvjP2Pcx9l+z4x4fCj9pPzu1jwIw+H4W/A5t tB7RzEhHNvH+d1H4/FvOdsew+MxM9L6ZD+AmwfcTuD7yR7no/wCT/wCbcnlK4k0vWZJJNAkDsigF 3gmAJ+AdeLnYr47+Ob3tHs8ZwJwri+8PBaLWHCTCd19xX/n5+cXlzzh+Xt/pGm29zC8c1vOs1yEQ OElClVVWc/t1zUz7MyYQJSI+Ds8WvhlJiL5Poj8q/wDyWHlD/tiad/1CR5BtL5u8+3Bv/wDnMzSL bURW1srrTYrMP9mgt0uEpX/l4kP04q+usVaIBFDuD1GKvMPzU/MTW7LzT5d/L3yq6QeZvMzGR9Rk QSrZWUfIyTLEdncrE/Hl8PwmuKprc/lSs9sKebPMkeohaDUE1OZfiofiNsKWp3PT0sVYX+Vv5k+d NP8AzL1L8qfPk6alqVtGZ9F1xEETXMKp6gEqr8JJiPIECoKsGJ64qk/mP86/M/kT84/M41e3n1H8 vFudPtZpU+NtOnm0+CTkgFSEkqzFOjGpX4qgqvYvMF1puv8AkS91DTNQka0nsZrix1HTrmSFq+i/ 
F0lgZDsex79Rtirz6383eYPLf/OMsHm2ykn1PXhpNvdtPezS3bmacokkzGZnNIw5k49NsVVfI9jo /nfybZavoHnbVbvzAkcMt7cDUp1CXNFd4LmwRhBGjMrLQRV4/ZJGKorzz588wal+Zenflf5Uuf0b dzW5v9f1wIkstraAEiO3SQMnqybfEynjyFB4Kpxqn5TyT2kh07zd5isNVKn0b46lPOgfqC9rITbs teoVF9qYqxj8kvzR806t5j1/8u/PHpyeafLvJhfwKI1urdHWMyFV4gNWRGBUCqsNgQaqsa0qz1HW v+cmfN/k+58wa7F5fsNLjvLOzt9Xv4hHM8diSVZZq0rcOaHbfFU5/KrV/PVl+avnj8ur3WLjWtI0 i2juNN1i9P1ie3kuFjeGKSQ8WkJSY1qesZpSuKqX52eTpvJv5R6vrmkeZ/Mn6Y09bQRXk2tag9TL dwwuzR+sI/iSRv2cVT3yT+Xh1n8v/LesnzL5ii1m+0ywv5Lg6zfyRtcSQRzNzheVozGzn4lp02FM VY//AM5AX+sad+Zf5X22m6tqVha6/qv1XVra0vrqCKaFbmzjCmOORUX4ZnBKgVrirJv+cj5b3Sfy d1fVdK1C+0/UdNFoLS6tby5hkAkvIYW5tHIvqVRyKvXFWUflR6z/AJa+WLu4uLi7u77S7K7urm6n luJXmnto3kYvMztuxrQGmKsJsDej/nJi80U6lqLaPF5bXU49Oe/vGtxdC8ii9T0mlKH4CRxI4+2K oX8/fzcvPIHm/wAivDK/6PknuZddtkJo9n+6hqyjqV9RnT/KXFXsFzrGmW2kSaxNcoumQ25u3u61 jECp6hkqP2eG+KvJf+cd/wAz9U8+XnnafUGkQQanHNY2cvW2tJ4jHDEFJ+Ha3JbsWJPc4qwz/nFD QdH138oNY0/VrWO7tJNbn5RyDofqlrRlI3Vh2INcx55pY5iUTRZ+HGcakLDyTU7a1j1y9t7RWW0i uJlgSQ1YRI7cQxHU8RnU6zUyxaaWT+IR+0/tdN2Xo46jWwxfwyn/ALEbn7GWflb5Oh82+bodPuiR Ywo11ehTRmijKjgDsRyZ1Wo7Z5tihxy3fae1dZ+VwcUef0x/Hk+p7Py/oVlYiwtdPt4bMLxMCxIE I/yhT4vpzZDHECqfPZ6nJKXFKRMu+3g357/l3pegyWuu6PCLazvZDBdWqCkaTcS6NGP2Q6q1V6Cm 2YOoxCO45PY+z/aU8wOOZuURYPk8buFHIMB1G/zGdr7O6g5NPwn+A18HgfbbRRw63ijyyR4vjyP3 X8WX/mR+VFlon5Kx+a57trnUL9rKW3iQcIoormj0Nfid+JG+w9u+U63tE5JnEBUQfudfo9EIR8Qm yR976m/Kv/yWHlD/ALYmnf8AUJHmI5heIf8AOUv5ZeY013TfzQ8qxPNeaV6LalHEC0kbWr+pBdKg 3YL0enQAHpUhV6z+U/5y+VPzE0aGayuY7fW1QfX9HdwJo5AKsUU0Mkfg4+mhxVkHnfzlpXlPQZtT vpYxMR6en2jtxe5uX+GKGMAMxLuQDQGg3O2KvEvzwFx5K/PPyX+Z1xE7+XkjGm6jOoLiAsJomYge MNyWXxKnFX0LZXtnfWkV5ZTx3NpOokguIWDxujbhlZSQQfbFXhOlab/i7/nKm58z6YPV0XyhYfUr m/XeKS9khkiMKMNmZBcNy8OPyqqyDyhp+leY/wAx/wA4NK1W2S5sLubSra6tX3DINP8ATrtQgnhU Ebg9DUYq811yw83/AJAz6nBbLNrX5Va6ssSrXlNp886FVrWgBqaV+zIPBsVe0/l3e6Lp/wCVHkSz 1Dgtvq+l6dZRxygGOSW4sRIY2DbH1OLCncmmKvHPze/Ke0/K7U9L8/8A5cXMumajLqMFmdAVyYrl 
rhifSiqeXF+NGiNVp0pTFUx84T/8q9/5yis/OOsAxeWvNdqti+pN/dQyiFIOLtSi0aCNmr+yxPY4 q+jY54ZIVnjkV4HUOkqkFSpFQwYbUp3xV4P+VWlN5k/5yB88fmNZrXy6iLpOn3Y/u7meKOCGV4mG zov1U7jb4hiqS2Wk6vqn/OXXniDStauNBuk0eCT65bRW87Mog05fTZLqOZOJLBthXbriqffkj5qf yz5r1v8ALfzoEg85zXcl7DrT1H6YSUkpJzcmrhBRFFBxHEAFWxVkX/OUf/kifM3/AEY/91C3xVlX 5T/+Ss8m/wDbD03/AKhI8VeVf85Hf+TT/Jf/ALbh/wCovT8VZv8A85HaVeap+Snmi1s4zLOsENxw UEnha3MVxIaDwSJjiqY/kjrFhqv5S+U57KVZUt9LtbObiQSs1rCsEqNToQ6HFWN+Xok1T/nJTzLr Fk/rWej6Bb6PeSrui3c1wtx6XIbFkSP4h2OxxVCeavK+n+f/AM1vNXl6+/3ktPKtvp4f7XpXF7dt dJMFr9pTbxMNv2cVYD+WeqeavNGi235IazBLDcaBfNH5mujXidFs3V47cPt8U0pWJaf7qFcVZL+W PDRP+coPzD0FVEUOo2kOoQqo4oSBDJRen/LU3TwOKsC/5x7/ADR0byR+VF8LqGW71C61m5a0tYxx Vgtpagl5SOKip7VPtksWglnnsaiObVm1kcMd9yWBTXZn1Ca6ICGeR3I6hfUJr91c6DXabxNPLGOf Dt7xydZ2TrRg1mPMeQnv7jz+xmf5V+cYPKfm+HULsH6jPG1relRVljkKtyA/yXRSfbPNcU+CVvtf a2jOpwGMfq5j8e59U2etaPe2Iv7S9gmsqBvrKSKYwD4tWg+nNkJgi7fO54JxlwyiRLup4D+fP5ga ZrtxaaJpE4ubSwdpbq4jNYnmI4qEYbMEUt8Q23zB1GUSNDkHs/Z/s6eEHJMVKXIda/a8duGqwUGo A3HgTna+zmnMNPxH+M38HgvbbWxzazgibGOPCf63M/oHves/m/5m0DV/+cb7S10y8WebTjpltdQH 4ZY3iURnkh3oSux6HNbqcE4ZyZD6iSGjTZYSxARPIB75+Vf/AJLDyh/2xNO/6hI8LIspxVg+v/kl +VOvXbXupeWrRrx25vc2/O0lZ615F7ZomLe9a4qoaR+Q35S6TqUGp2nl6Nr+2dZbe4uZ7m7ZHQhk ZfrMsoBUio8MVZvf6fYajZzWOoW0V3ZXC8J7adFkjdT2ZGBUj54qwy1/JD8s7MsLPS5bWByS9pBf X8Vq1a15WyTrCRv0KYqy7StG0nSNOi03SrSKwsIV4xW1sgiRR7BKUPviqT6L+XXlPRdev9e023uI dW1Qo2o3DXt7L65jBCeokszxtwDELVdu2Kp5qWm6fqdhPp+o28d3Y3SGK4tplDxujbFWU7EYqk+p +QPJ+qeV7XytqGmR3Og2McMVnZOzkRLbJ6cPF+XqAouwblX3xVB6P+VPkTSdSt9TttPkmv7Ov1O4 vru7v2gqKfufrcs/pmn8tMVT/WtD0bXNOl03WLKHULCYUltrhFkQ+BowO47HqMVYnbfkj+WltEbe HS5VsmrXTzfX7WdD1H1VpzBT24YqzOysrKxtYrOyt47W0gUJDbwoscaKOiqigKo+WKsXsvyo8jWX mqfzZbWdxH5iul4XOo/X79pJEAUcHDTlWWka7EU2GKovzf8Alz5L84NaP5h0xLyexYPZ3SvLBcRM CG/dzwPFKvxAGgbrirfmL8v/ACt5k0BdA1yC4vtJWnK3kvbwF+Lh19WRZhJLxZQRzY0xVHeXPLOj +XNMh0vSI5YbC3RYreCW4uLgRxpsqoZ5JSoAPQYqlPmn8rfJHmnVrHV9dsprvUNMcSafMLy8hEDg 
q3KJIZo0U1jU1A6jFWTRW0UVuLccniA40lZpWIP8zSFmb6TirCh+SP5ZJczXNrpD6e9weU8en3l7 YxOf8qG1mhiP/A4qyjy/5c0Ly7pqaZodjDp9ihLCCBQoLN9p2PVmPdjviqA0nyH5Z0nX77X7GG4T VtT9P9IXEl7eTCb0UKRc45ZnjPpqxC/Dt2xVMLPy/otlq+oaxa2ccOp6qIRqN2oo8wt1KRcz/kKa DFUmvPyw8k3fm7/GEljKnmQoIjqMF3d27lAnphSsMsaEcRTdcVfOX/OO/wCXGled/wApJ7e+mktm svMFzJHPCFL8XsrUOnxVA5UU/Rjj1stPMkC7DDLpY5ogHoU9/M/8hodE0RNU8r/WLtLQMdRgmZZJ TH19VOCp9n9oAdN+xzZ6Dtc5J8OShfL9TrtZ2aIR4oWa5vHIphTi/wBDf1zF7V7A8WRyYtpHmO/3 eb0vs97Yfl4DDqAZYx9MhzA7j3j7R5qoZCvLktPmK/d1znD2Nqga4D9n38nuI+1HZ5jxeLH7b+VW sedR9j4j49vxzcdn+zkuISz7D+b+s/qeX7Z9uIcJhpbMj/Gdq9w5376rzZn+Xv5ReYPOkFzeRyCw sYgRDdzozLNNX7C0INB+029OmdDq+0MenqNWe4dA8Dp9HPPcifiepQv5oflBrHlD8vdZ1PWJYZJP XtLayNuxdGV5eUjnkEYEcFA27nNZrO0o5hGML7zbsdJoZYiZS+D6p/Kv/wAlh5Q/7Ymnf9QkeYbm FlOKuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV86/wDOGn/ksNU/ 7bc//UJa5h6j6m7Hye63Mxht5ZgjSmNGcRoKs3EV4qO5PbKYizTMmg+NNH8sa75q85nSVga31C7u He8EiFfQBYtK7qeJASvT6O+dzlzww4uK7iBt5vJwwyy5OHkSfk9Lk/5xf1YT0j16BoN/jaB1f2+A Mw/4bNUO3o19Jv3uw/kc/wA77Hk+q6PdeW/M8um6nCJJdOuAs0RFVkRWDAivVZEoR7HNxjyDLj4o /wAQdZPGcc6l0L7Wso7SO0hSzRI7RUUW8cahECU+EKoAAFM4ORNm+b18QK25PIf+csv/ACT91/zG 2v8AxM5Zg+pE+T0z8q//ACWHlD/tiad/1CR5nOOWU4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FX Yq7FXYq7FXYq7FXYq7FXYq7FXyD5H/Lj/nLDyRpMuk+XLW1tbGedrqSN5dPlJldEjLcpGY/ZiXbK 5YxI7s4ypkX1b/nNfws/v0vI+BHuZcZUv0Z/zmb9Z+tehYfWuHp+vx0r1OFa8OXXjXemHwhVb0ji 3vZV+rf85r+Fn9+l4PAj3J4yl0nlT/nLmXVv0vLp2lyaoEWMXjx6S0oVCStGIqKV6jLBYjw2eHut rIjxcVC0x+rf85r+Fn9+l5X4Ee5s4ykfnHyH/wA5becdEfRdftrW5055ElaJZNOiPOM1U8oyrYY4 gDYQZW+m/IelXuj+R/Luk3yhL3TtMs7S6RSGCywW6RuAw2NGU7jLWsp7irsVdirsVdirsVdirsVd irsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVf/9k= - - - - - - - uuid:c63b31d6-45fe-11d8-8e7c-000393cd9a96 - - - - application/postscript - - - - - -% &&end XMP packet marker&& -[{ai_metadata_stream_123} -<> -/PUT AI11_PDFMark5 -[/Document -1 dict begin /Metadata {ai_metadata_stream_123} def -currentdict end /BDC AI11_PDFMark5 -Adobe_AGM_Utils begin -Adobe_AGM_Core/page_setup get exec 
-Adobe_CoolType_Core/page_setup get exec -Adobe_AGM_Image/page_setup get exec -%%EndPageSetup -Adobe_AGM_Core/AGMCORE_save save ddf -1 -1 scale 0 -148.752 translate -[1 0 0 1 0 0 ] concat -% page clip -gsave -newpath -gsave % PSGState -0 0 mo -0 148.752 li -254.868 148.752 li -254.868 0 li -clp -[1 0 0 1 0 0 ] concat -54.9161 147.252 mo -1.5 147.252 li -1.5 1.5 li -54.9161 1.5 li -54.9161 147.252 li -false sop -/0 -<< -/Name (PANTONE 7506 C) -/0 -[/DeviceCMYK] add_csa -/CSA /0 -/TintMethod /Subtractive -/TintProc null -/MappedCSA null -/NComponents 4 -/Components [ 0 0.05 0.15 0 ] ->> -add_csd -1 /0 get_csd -sepcs -1 sep -f -7.82032 17.3956 mo -12.9034 12.8946 20.6797 13.3624 25.1856 18.4405 cv -29.4395 23.2481 29.1768 31.1573 24.5225 35.4014 cv -19.4395 39.9131 11.2784 39.8477 6.76954 34.7637 cv -2.26661 29.6758 2.73926 21.9004 7.82032 17.3956 cv -cp -11.7549 43.3096 mo -12.2579 48.5938 li -16.7979 48.8663 li -17.9268 43.7178 li -20.3682 43.4747 22.7608 42.7344 24.8936 41.4756 cv -28.8946 44.7803 li -32.2999 41.7657 li -29.4512 37.3243 li -30.8975 35.3721 31.9356 33.1631 32.5196 30.8428 cv -37.9678 30.3233 li -38.2413 25.7842 li -33.0137 24.6417 li -32.794 22.21 32.0909 19.837 30.8458 17.6924 cv -34.1573 13.6866 li -31.1416 10.2813 li -26.8135 13.0518 li -24.8252 11.46 22.5674 10.3506 20.1846 9.75684 cv -19.6973 4.61329 li -15.1592 4.34083 li -14.0616 9.35645 li -11.6202 9.62598 9.22754 10.4092 7.04786 11.7168 cv -3.06153 8.42383 li -2 9.36426 li -2 15.0967 li -2.42969 15.7667 li -2.27442 15.96 2.14551 16.167 2 16.3663 cv -2 42.168 li -5.16114 40.1416 li -7.12208 41.6631 9.37012 42.7315 11.7549 43.3096 cv -/1 -<< -/Name (PANTONE 301 C) -/CSA /0 -/TintMethod /Subtractive -/TintProc null -/MappedCSA null -/NComponents 4 -/Components [ 1 0.45 0 0.18 ] ->> -add_csd -1 /1 get_csd -sepcs -1 sep -f -19.8682 23.167 mo -21.6221 25.1495 21.9336 28.1055 19.6426 30.2452 cv -17.7315 32.5264 13.9385 32.1124 12.1084 30.046 cv -10.2051 27.9034 10.4053 24.626 12.5489 22.7256 cv 
-14.6924 20.8213 17.9698 21.0293 19.8682 23.167 cv -cp -24.5225 35.4014 mo -29.1768 31.1573 29.4395 23.2481 25.1856 18.4405 cv -20.6797 13.3624 12.9034 12.8946 7.82032 17.3956 cv -2.73926 21.9004 2.26661 29.6758 6.76954 34.7637 cv -11.2784 39.8477 19.4395 39.9131 24.5225 35.4014 cv -/2 -<< -/Name (PANTONE 871 C) -/CSA /0 -/TintMethod /Subtractive -/TintProc null -/MappedCSA null -/NComponents 4 -/Components [ 0.3569 0.3608 0.6353 0.1882 ] ->> -add_csd -1 /2 get_csd -sepcs -1 sep -f -42.0054 124.904 mo -38.6949 132.106 29.9537 135.87 22.7505 132.561 cv -15.5523 129.245 12.4058 120.72 15.7144 113.527 cv -19.0259 106.334 27.5503 103.179 34.7427 106.488 cv -41.5435 109.62 44.98 118.187 42.0054 124.904 cv -cp -52.1324 108.189 mo -46.0132 109.425 li -44.6382 106.935 42.775 104.731 40.4371 103.029 cv -42.0914 97.1954 li -37.271 94.9756 li -33.9527 99.9629 li -31.0816 99.1973 28.1519 99.0762 25.3277 99.5635 cv -22.3921 94.2989 li -17.4175 96.1416 li -18.6011 102.011 li -16.1207 103.443 13.9351 105.404 12.2232 107.825 cv -6.41944 106.179 li -4.2046 111.001 li -9.19288 114.318 li -8.42237 117.192 8.30616 120.126 8.78467 122.94 cv -3.52295 125.882 li -5.36475 130.86 li -11.2349 129.672 li -12.6656 132.151 14.6226 134.34 17.0562 136.049 cv -15.4068 141.854 li -20.23 144.069 li -23.5582 139.057 li -26.3648 139.764 29.271 139.844 32.0865 139.344 cv -35.1089 144.747 li -40.0816 142.907 li -38.8687 136.883 li -41.3609 135.473 43.5679 133.563 45.2554 131.213 cv -51.0806 132.864 li -53.2984 128.045 li -48.1685 124.64 li -48.7964 121.878 48.8687 119.031 48.4048 116.281 cv -53.9722 113.169 li -52.1324 108.189 li -1 /1 get_csd -sepcs -1 sep -f -25.3804 126.851 mo -21.3306 124.99 19.5601 120.199 21.4234 116.152 cv -23.2847 112.103 28.0757 110.342 32.1226 112.198 cv -35.8609 113.921 38.1509 117.934 36.23 122.414 cv -34.9371 126.865 29.2769 128.645 25.3804 126.851 cv -cp -34.7427 106.488 mo -27.5503 103.179 19.0259 106.334 15.7144 113.527 cv -12.4058 120.72 15.5523 129.245 22.7505 132.561 
cv -29.9537 135.87 38.6949 132.106 42.0054 124.904 cv -44.98 118.187 41.5435 109.62 34.7427 106.488 cv -/3 -<< -/Name (PANTONE 1805 C) -/CSA /0 -/TintMethod /Subtractive -/TintProc null -/MappedCSA null -/NComponents 4 -/Components [ 0 0.91 1 0.23 ] ->> -add_csd -1 /3 get_csd -sepcs -1 sep -f -51.919 34.2159 mo -50.1553 34.3702 48.4336 34.6612 46.7647 35.085 cv -45.0293 31.7598 li -41.462 32.9639 li -42.0958 36.6563 li -40.4815 37.3428 38.9317 38.1573 37.4639 39.085 cv -34.7881 36.46 li -31.7666 38.7081 li -33.5157 42.0323 li -32.1993 43.1778 30.9776 44.4268 29.8624 45.7686 cv -26.5 44.0938 li -24.3194 47.1651 li -27.0049 49.7813 li -26.1094 51.2696 25.3331 52.837 24.6817 54.4659 cv -20.9756 53.917 li -19.8526 57.5108 li -23.2159 59.169 li -22.8292 60.8477 22.5831 62.5772 22.4659 64.3418 cv -18.7579 64.9659 li -18.7999 68.7315 li -22.5225 69.2696 li -22.6778 71.0323 22.9639 72.7549 23.3868 74.4249 cv -20.0635 76.1573 li -21.2667 79.7266 li -24.959 79.0928 li -25.6456 80.709 26.46 82.2569 27.3887 83.7256 cv -24.7627 86.4004 li -27.0127 89.4219 li -30.336 87.6729 li -31.4795 88.9883 32.7305 90.21 34.0713 91.3243 cv -32.3975 94.6895 li -35.4698 96.8663 li -38.085 94.1827 li -39.5743 95.0782 41.1387 95.8555 42.7725 96.5069 cv -42.2208 100.211 li -45.8155 101.335 li -47.4737 97.9708 li -49.1524 98.3584 50.8799 98.6104 52.6456 98.7227 cv -53.2696 102.43 li -54.8282 102.401 li -54.8282 90.2071 li -50.5508 90.4063 47.168 89.4581 43.1543 87.2188 cv -31.6788 80.8194 27.5655 66.3292 33.9717 54.8516 cv -38.3282 47.044 45.9112 42.2872 54.8282 42.667 cv -54.8282 30.4581 li -52.4581 30.4971 li -51.919 34.2159 li -1 /3 get_csd -sepcs -1 sep -f -33.9717 54.8516 mo -27.5655 66.3292 31.6788 80.8194 43.1543 87.2188 cv -47.168 89.4581 50.5508 90.4063 54.8282 90.2071 cv -54.8282 73.5127 li -54.4903 73.5616 55.1485 73.5948 54.7969 73.5948 cv -50.8213 73.5948 47.5987 70.3731 47.5987 66.3975 cv -47.5987 62.419 50.8213 59.1944 54.7969 59.1944 cv -55.1485 59.1944 54.4903 59.2286 54.8282 
59.2764 cv -54.8282 42.667 li -45.9112 42.2872 38.3282 47.044 33.9717 54.8516 cv -1 /2 get_csd -sepcs -1 sep -f -3 lw -0 lc -0 lj -4 ml -[] 0 dsh -true sadj -54.9161 147.252 mo -1.5 147.252 li -1.5 1.5 li -54.9161 1.5 li -54.9161 147.252 li -cp -0.99 0.99 0.99 1 cmyk -@ -0 0 0 1 cmyk -%ADOBeginSubsetFont: TrajanPro-Bold Initial -%ADOt1write: (1.0.21) -13 dict dup begin -/FontType 1 def -/FontName /TrajanPro-Bold def -/FontInfo 7 dict dup begin -/Notice (Copyright 2000 Adobe Systems Incorporated. All Rights Reserved.Trajan is either a registered trademark or a trademark of Adobe Systems Incorporated in the United States and/or other countries.) def -/Weight (Bold) def -/ItalicAngle 0 def -/FSType 8 def -end def -/PaintType 0 def -/FontMatrix [0.001 0 0 0.001 0 0] def -/Encoding 256 array -0 1 255 {1 index exch /.notdef put} for -dup 67 /C put -dup 73 /I put -dup 83 /S put -dup 127 /Nsmall put -dup 128 /Tsmall put -dup 129 /Esmall put -dup 130 /Rsmall put -dup 131 /Ysmall put -dup 132 /Ssmall put -dup 133 /Msmall put -dup 134 /Osmall put -dup 135 /Ismall put -dup 136 /Usmall put -def -/UniqueID 45714 def -/FontBBox {-248 -284 1528 985} def -end -systemdict begin -dup /Private -15 dict dup begin -/|- {def} def -/| {put} def -/BlueValues [-17 0 750 775 638 660] def -/OtherBlues [301 305 405 408 -261 -256 -222 -209] def -/FamilyBlues [-17 0 750 767 638 656] def -/FamilyOtherBlues [301 305 405 408 -273 -255 -214 -209 -252 -239] def -/StdHW [47] def -/StdVW [118] def -/StemSnapH [47 55] def -/StemSnapV [118 126] def -/ForceBold true def -/password 5839 def -/MinFeature {16 16} def -/OtherSubrs[{}{}{}{systemdict/internaldict known not{pop 3}{1183615869 -systemdict/internaldict get exec dup/startlock known{/startlock get exec}{dup -/strtlck known{/strtlck get exec}{pop 3}ifelse}ifelse}ifelse}executeonly]def -/Subrs 5 array -dup 0 <1C60D8A8CC31FE2BF6E07AA3E541E2> | -dup 1 <1C60D8A8C9C3D06D9E> | -dup 2 <1C60D8A8C9C202D79A> | -dup 3 <1C60D8A849> | -dup 4 
<1C60D8A8CC3674F41144B13B77> | -def -put -dup /CharStrings -14 dict dup begin -/C <1C60D8A8C9B6D5A0DEDEC57B918D61DDFA401F5A49FEA3B89C6864173301 -6BDC674395116B42D2387AF24DF2F1DC60C61A5B6585CC0DA86F050A110B506B -B65171C092F0636620BAA275DBDEA04B3E655EC58BDFB8B9B535650BF4DE0E82 -1C2ADFD8C9F649E0C395722C228833505318AA21D61F3D55D035246FCF9BC983 -692D83F8C9AF492468B91F4CB872C7D1953185BF38A8E7A5B72C7F51E36572D3 -718D9C26EEF5DDFAB02F3E79248875F4CA6CC06F7C289C017B388B2CFE4B85A5 -1B0090> |- -/I <1C60D8A8C9B77771C05B04C6A1CDBDED73825D1016AD1A9F739BE3AE28A3 -2F89A16FA0ADB365C478020BF11BB9ADC332932373DC2832A2FD54E961E2B084 -4B0EB81447C317CA2A36F9297140F653C6CF38B651D9BF313FA9254650245A3A -6E604D8E9EFFEAAF12423E3B4CFD19A9AFAFF5FC58BD3FF4189B6F8AF938C510 -BD91FB49103F7E5C2AE8440096A8B2CFB59E1B448BD934D6C96663C7ECAD3789 -1B4FEEBF9172B6A7CCC0965D9AA12297E39BBF30EB7B8F6243DD70D9185FBD81 -8CFC74B60F41E69C4533165A53D5C2FC5A9B44BA5F12F31CB79A71FA4F70F551 -E84E63E5837361F7B7736F91> |- -/S <1C60D8A8C9B7F51B95A0DFD92CF0B9552EA2D8DB80CD668D35E3A70F4576 -D4238E8EEA2F046EF8BC16C7785D1607E04A62100A5AFF084F37B544AFC2004C -0BC4AE1356D2B0EC8700AB99117F620401AEDDDFA69D53F0F4E5314303A9C779 -D85053ADE7DEA169C445735EBAC333F65F31A077498B479248885315A58C9DAE -7AD6ABA3F9562E1A36EA3EA3274E191D557F04A6CB9FA3B240660C95B31FD1EC -ACE3874E2F240022DE09CA2256274ED580EE94FBAA5793BD5F9D37682BE7C541 -ACC5EE4D95FB35149493D2CCA9BEA729ABD0DCEC9C95E902EA9DD124CA919CBA -F3364C7699DDBE268B46D54393CC359D98EA67700B83CEF348489F1F90A16D> |- -/Nsmall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|- -/Tsmall <1C60D8A8C9B66C0E1D18F4614EAB544F0CEC538C8C01A016933AA12 -429EBE5390D596C5F67CFF90C2108DEC0E3557EFE47A84AD0A504C83D7E8F287 -5DCBB9233950E37680119C5422B9BA74EB5E3A2AE4E2F090670CEE3CC015972E -6CE8DF50DCD73A5ECEE824E6627364F3B83B1B73833AA7E396445D318F119C4C -5EA2429D5B49B0EDBDDF4808A5790BF8CDC63B184CD3A9CE7C22C4D23ACC081C -FF7BCA42342880880724EDF5A0F6F9059ADD736C441B65FC95D81D78B14BCAE7 
-32E0959A4FEDBBA605D7DB559BC1CFFED39160EF11111F189C967E86115A679A -21BB269B7452490D7C600719A2B02BE0A92DC8D7E101DFFE6011D579AD666FD2 -6352E7C3F88546D427880A3ED55A53668B9B911F227F478005846196CB2A821D -9436A361DD997E24624546B193AD16A013BF60C83D456FEFAB524A4C3C4DAF51 -640204EE51B9A6B98D186E77DE45F4BD3696405A93E6DE14A3A251AC1EF6440B -3F074B20C4913F3447DE56969C6BBDB2354148031166D8E9781263F94442062C -991765ADD918972AAE466DE6B9C6E0991428CD75BCCEE> |- -/Esmall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|- -/Rsmall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|- -/Ysmall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|- -/Ssmall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|- -/Msmall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|- -/Osmall <1C60D8A8C9B6AE36D8AFC06EF7691CEA7388408CB5711A90AA9C8BB -7DF107C83E9F4C9D93C2707EED4FFD917928C910BF7966EA41381731C2EDBAD2 -707004603AE29A600E85B2D80CC1F8253013508BECCA2FDAB8779E3B7D43916A -0E2CE1B80BB3DF3> |- -/Ismall <1C60D8A8C9B704CCC403F91AADD9CB2F76DB90BC6EC90EF3D45C6A9 -10C33779B027A5893F399469312EDD288FF0EA2B3848F5A530D7C0162C275993 -6728784ECB91933A5B31FC0120544923268E389858466EE39EB2181D57CD3BF7 -07FB3669BB94B89A418CD729CFF5FBF8DC7045D58C25F7CB07F19116123D927E -59434BBF93B4FE5DBF40C126B117E6B60590BBF45DA98B6DE8B19144213326F9 -87495E510476E3585AE1A21D73828E47A902A177877DAAAB4C0EE1255BEF7F14 -75F7B919B37EA781F4D15EE851B6A63CFE7192BA2E00BB3BF61621837B8C6E3E -7AB8CE9EC58E9FFE71C29175C76E5> |- -/Usmall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|- -/.notdef <1C60D8A8C9B7A73DC56ED86593A26411A239A9F576A4BB06AD4079 -CBD73625AFEDCD129CE8B573E3C4C05A38ADB9D43C2E751D7FE69FF5F6F4BCAD -D50244964753D5C819FE275F32A27920BE3EA3D1AFD957ADA922B28CD2CD8E15 -58DDDC89C143A1> |- -end put -end -dup /FontName get exch definefont pop -end -%ADOEndSubsetFont -/FDJFDP+TrajanPro-Bold /TrajanPro-Bold findfont def -/FDJFDP+TrajanPro-Bold*1 -[ -67{/.notdef}repeat /C 5{/.notdef}repeat /I 9{/.notdef}repeat /S 
43{/.notdef}repeat /Nsmall -/Tsmall /Esmall /Rsmall /Ysmall /Ssmall /Msmall /Osmall /Ismall -/Usmall 119{/.notdef}repeat -] FDJFDP+TrajanPro-Bold nfnt -FDJFDP+TrajanPro-Bold*1 [32 0 -0 -32 0 0 ]mfnt sfnt -63.709 49.9312 mov -(I) sh -FDJFDP+TrajanPro-Bold*1 [26 0 -0 -26 0 0 ]mfnt sfnt -78.333 49.9312 mov -0.080658 0 128 0.288605 0 (\177\200\201) awsh -131.874 49.9312 mov --1.83563 0 127 1.73947 0 (\202\177\201) awsh -188.218 49.9312 mov -(\200) sh -FDJFDP+TrajanPro-Bold*1 [32 0 -0 -32 0 0 ]mfnt sfnt -63.709 85.9316 mov -(S) sh -FDJFDP+TrajanPro-Bold*1 [26 0 -0 -26 0 0 ]mfnt sfnt -81.7983 85.9316 mov -0.213654 0 132 -0.177307 0 (\203\204\200) awsh -127.864 85.9316 mov --0.0141907 0 133 0.276245 0 (\201\205\204) awsh -FDJFDP+TrajanPro-Bold*1 [32 0 -0 -32 0 0 ]mfnt sfnt -63.709 121.932 mov -(C) sh -FDJFDP+TrajanPro-Bold*1 [26 0 -0 -26 0 0 ]mfnt sfnt -88.9883 121.932 mov -(\206) sh -109.841 121.932 mov -(\177) sh -130.882 121.932 mov -(\204) sh -144.271 121.932 mov -(\206) sh -165.124 121.932 mov -(\202) sh -182.77 121.932 mov -(\200) sh -199.487 121.932 mov -(\207) sh -210.59 121.932 mov -(\210) sh -230.869 121.932 mov -(\205) sh -%ADOBeginClientInjection: EndPageContent "AI11EPS" -userdict /annotatepage 2 copy known {get exec}{pop pop} ifelse - -%ADOEndClientInjection: EndPageContent "AI11EPS" -% page clip -grestore -grestore % PSGState -/FDJFDP+TrajanPro-Bold*1 ufnt -Adobe_AGM_Core/AGMCORE_save get restore -%%PageTrailer -[/EMC AI11_PDFMark5 -[/NamespacePop AI11_PDFMark5 -Adobe_AGM_Image/page_trailer get exec -Adobe_CoolType_Core/page_trailer get exec -Adobe_AGM_Core/page_trailer get exec -currentdict Adobe_AGM_Utils eq {end} if -%%Trailer -Adobe_AGM_Image/doc_trailer get exec -Adobe_CoolType_Core/doc_trailer get exec -Adobe_AGM_Core/doc_trailer get exec -%%EOF -%AI9_PrintingDataEnd - -userdict /AI9_read_buffer 256 string put -userdict begin -/ai9_skip_data -{ - mark - { - currentfile AI9_read_buffer { readline } stopped - { - } - { - not - { - exit - } if - 
(%AI9_PrivateDataEnd) eq - { - exit - } if - } ifelse - } loop - cleartomark -} def -end -userdict /ai9_skip_data get exec -%AI9_PrivateDataBegin -%!PS-Adobe-3.0 EPSF-3.0 -%%Creator: Adobe Illustrator(R) 11.0 -%%AI8_CreatorVersion: 11.0.0 -%%For: (Douglas E. Appelt) (Mad Doug Software) -%%Title: (Alternate-ISC-logo-v2.eps) -%%CreationDate: 10/22/04 2:51 PM -%AI9_DataStream -%Gb"-6CMtIYE[^blnitWj!HrIdV0lorEFGN3p=d2AK:U\*q_!hY[_$iT*gP5UX1]SSqSRQ?_'$)V>TY%qP`SMZ@PZ&5]GQS5IeD7R -%m`Y!QleGQ7K.p&6?3aPlR\_,pU'rp&CDDZ00VZam^DTYCI"bGS,pf>eC0p"$ku^->l[*"R8fVlPU'FAYD. -%pH<]YO.ZB_I5g)6.fSi&qjT5\No0V,*'aApjM1[&?VKA;s5+k>*rNhPC\4:.?Tp^0SRbF/qI]^'n%Sf"Iau[8YhK*1=8[PW@95Bj -%feh2gC0m5p>Dk5X:Z"Oie -%_>('6rT`ihmf%TV6aJF?pEP/0^\r2;05#YbIeS'\a5_%#Z`D -%M#tCQSj(t84WKTq]6a,!Z/=Ac38STd5'sfM!j\oF_"j]3hd,(Bg28!D:rMsrhk/^7$3khgXInb)kR&(e;*iD*,)s5!YHLWE;hFu@_jloh"cpiZ.#*V2om4is<'4&SdBk2#Kl=D(W,jr6[thj\_UF8BI"+-&1Xoq"0D1+W8Dh:JnpT+i -%?bp*J"_3/!:^b8g,Gjj:7.;#X^kgo%N*@Djcbc(-0AOC"i%MH*E2&Y,7.;#4%A-H(@tJn;2!Os8$cW@"U!DTsAMQKsF+Q,4Oe;i, -%kt)dRoq)"TIA=8=cXi-4#5pe=(a&[0Q=pJ:eFXd+(jnY%(n]#+6%tnan\JSBK@/*E_dD[hPe^Y)"lk6M1lI#5"BTn6]MWVJH7nt; -%F%6*QW'`.gS%s_I:;)FS;nqP0e?[:7eW:lO"/?ORK[IWb1huk&`Wq!e(?%32O'k<#_I'5DUT;*AbSJnUaO(q4]*3rnOg5*b&bcUD"n*]8_:'!OK[Sm3$^B[6 -%5`Z&2n8s>%6#pdm^#=2R9LnWSF!M=0COrQI(Rca192k+D=8^58KSZe<]Rr1otMX5/e. 
-%i[=]kpN.KAl),"U`6Vl[i%N>*h9-geqXLul[N?!kAp]o#p95J:So\,F?=@Y?r9HTE9mTU-eQ5>%g-7NM(++>09[hd@j04RP-UK1TF%c8k1lR(l6i1KQ.D>/ZiP77uF=:=.,l*oJ5h?SSg[%2rnj-9S%rs]G0#5Y%NI9>jRd)*Dm_=p:p6Ha4( -%%s]7ECC]5b_C2&frY,1V!dlA`)%DM2%tN!shJ!Ad=ANrJE#?0-pjfm:H\(YXcc>jYILn%7LGPCXK7=doF?NF3Tq-Amq6356p8p]/ -%6aLY9>CE'2qW-gq0ue!MF2[/GR -%ID^&7gH`q9k)StGE/[64elI6>-HA)u?IH9bK3#J6Y3dN$<6>cP#CnF3fQ7'/b18A51>EE4/c=%\dK7XPDtQBgl"Sm!\%$3Y`+g>^ -%phb4CTn#q_5Gi]fcCeRTY4"5qE(gL_B,hStRio_GnkVgFj:;#QGL.SM!pD(QA:T_K#IUb-.^[@YnKl!DO]%%E@$]M0nJRC?TJaO/ -%[/OG4$eMo?o)eM8UH$VVn0^Oaf&iE!L-:Ue^bO'_&jB#SoZSTJ1gB+)*ZLLtcG87`T*)j!Fq4E8\oG`8B]7Fc")p\s#s\DC1H6&Z -%^V)m8VOV"`D@n-.9Ri:D?2".%s#oN+DNk$.ZdGU'mT6QL,4qBY+@H[MF!OkpI7,gZ#I6AsAq1^9,N+OLJ_ -%0Uc_EnIin#3eBHQ$c%8\>ec#;QRRJ25F&?&^'+35b_\N[GM$P^0gZ\=Xp$HD=ZE^Y$$\,Fqge4XF^7(gSot56ST)P"8AU6<-)7,Q -%UpuHR/l2P/J=dI!&;Q>Z5h'uT%#cI\]flh6U9K+%qklsH<82S$i^Hu'LXNQmOTH#g)t?H/7.Z$'dRL#8OCRF`K,oY:V.i/9 -%6)H_q\\OhK#AX7.#W%%uFnAA(PN@jK0cnHeo(4+86'6O_)EI+eS)ToS`:0W?-MjmcVDF>)bc3-+I\o]2!?0a6sf"DnFd0hfJ5) -%\rN<5l"eD!!=b>g:hX64>lD -%i`;cm+I."DJKlOj`I80gcMO&DUHLk:Uti3!YmPSWJ0`AeoMEF;oMh?aKV!aA7%S/TP\ARfcOZbDd4]kh[C4_BbZ!$4@E+trFtD[Y -%JjO)n0TcLpVOTL6d`BmG(5\YKJ(H7+f#5moL'QgDl\XCe\.c9Y7emMN[R1WS&E\YX*rEF$ILt,.D8b;n1#3d.J)-X@/Vp+ZtJ<>D"11Z@q@ATG6L%WhJZTRLR+L/Zi,iT\cg0.(BXI7/.T$`VXDO5J0!,;0gilp_l^?ft$cOeN8]rFHV4KH5c.$C>L'c39Qq9D?s5N.7UUD!7#`V>hS`R7pP.&nB&VgH0O'61pfquQW9(N(dBXOB*5Nth7HqL%'4duc(9>$L^\o$7a=ck_HMh$i# -%U_*o&d28')d7gtLiXT!2b3)f(:Ab9oS^Y\CrcHUQjV/<9iG$odb.+72JK5HUV@"4Oeu45M\0cX&'5ItAGNeXIXkBQX2E9VG?LM53 -%CKeCbhf\7%kSMSsi+KF>#h5[;'N2HH[]=0C-EtO,g$UPR"maTmgp,MlBbrA4f^kY9;[:sA&NeecGlt/b"Q*&E7Z7Idl#mijK9L`g -%M[&hpCi6ju>86t'XOXQ4>L@2Mge2HoM:Qa0HfjEu*>RsKA^(RRNqTd2E`(FL#Rgqs3'Y"qfU3"_iutR%qi/B(m>?\$dOp0Rg=9ue -%1l7Q7BphR9il8ne78KT,**L+Plk=.OQ)n-gb-a"AQ8"Y^VGkjii-D6&3l"rNc+5U@F732Dc=;s!*\q3aT!J>rQ3O1h"^NO:8gGY) -%:snJ:C;h5G3n>@M^BLRTdVSQ[2EAj;efM-EmQ_a%g;"`1_J$=kpM+*KnI7)=&]%"8ViA:^+gp6j'fs3%H4VrOXW9fech-gF2?f+09bSrjX;81`e2)5b>9sNr 
-%Sj\lFfNjA\DD.;``k4=5K&ZX*Cun;HO#WaeO(*0e(gW`VPUjmI$^thg\cYj0T;!oOpSlAl)4nO=LN:;O4['aCP"O-AV>@Q0$`*dc -%n^,a"[3bTF[$M"kk\9_r;ao:Flh`A6P(k/\BA*_pqk9aLN4<(!,Lu*`ZE6PV&hZ[p7s%0J?-E.\)e)pS-epH/\=ti)io;3GAS*e9 -%?n%PAXKAnm/>LfI\tR#eh?/1hlk`mP+ma!'#U?N!`H`4nF,Y9EdX&m`,@t$_OOOi42m2)37!>F5C/LT52P*U_:0/>&4@k+Cc:K]M -%&/;@6ABkLn]ja:]&ab)FMtV-]ng8FliDD\;5slM]i2Apple@,k#IY>CV4reK?3L8]Db,J]lU[.'TemP=,K72KG!OdQ-o/QsJFs.$Jb'Q0XfDq'AX5Ds'oGR3d,LaU%1F78@74ZEh)W3pqF -%F]%_t66M/\_\F#Yef+'r0JfDs>b>N>8L>oW4@]\cZV -%U,PR.JR9'*ej4tgqL7/9ITO0H+;@XbU/:n2c#&GbY!;)/;VoThfae;,?)JuAT>%eH4_ps&m;G4>HRJd$]fUe7m:UG:r9""Hk3`KN -%0)UdfI!^89nu;Iae[`kQs)RjQr-Wqi_p*2_`lfIlYQ!Pf/u4j"&(ejKs39`MotCD%Er5k2iVM^!l>hCIrl`4Lo(N[H2]n'H?V@fl -%nrMad/#mWDX^,8H^V53tjn/**pn*mSYmrpHKoNj6`fKn*Fa9cQO6Y,&Gk@Gn^SX'DWm5acF,S:EQZlF'Np>K#\p'k9*HgHO;KS??`or;"?"koTf*I;9oWhqrkYq&]IT -%0-BVc4rd@"pHMq]+2[=rDXSW1*'[c4pQo6:^:F+<@hjkbh0f$G]"\+U/'6u#a4ned(L(-Up#P`4rkldODsI2m#lgO"5/7,<"#j-: -%b*V_Ss8C.21CWilh-Y%QO8o%Tk3@X"HL/4lIs'cn#Z#l]\au#SGN4H3I]AI,]8)m9a+nn0O>u+P>^q?fJ,XQ_rckuNa]L@)n]1Y" -%%WLM&KC@7MnUr!?a<&:PW8(4=GSeQ&nAFpK>Q]Q\TEU__9DIu9r>!T@rlb6\p(Sr%oGd8'\a&bG[3%)tLO\pW-i]dM%tGc^f9+AX -%I.d:P3f#`/lGJ[,?TrfNW@ld07JH*I2.=KgFDamIq(7m3T.U?Ln5a"Ond>hslih->ARn8ro!Hi3.!rKVl8qJMANo#!\>s4uikVrM\r^\;)5bQ+rJrU'JD#Vu8$lMEE6a%#k% -%l-`P@2"esZs1A<')Ya/+RU3*\h#7'Dh9V^ReXr;8@Cfc&;g7KbF8Ybc=#U]IFEr<3dF6.Rc\guf-GjRg]6kiid\JP -%](p=Dn`-Gfg^3!k/jJ1LIJEBiZ\E8QiWCkphu)gn^HNZf\6;ml)_O9$!('jHDS!LWj<+.mmY.,`GK62.X&[pHN4khJrp+h+_f=6# -%2,q<[q#(*"5G.q&GOtbZI<#l%%=KA/Idc7nNLqI%4/dW.$,2hBs5rI%s6B(@n%O2GmHqs+l;n7ZeMe%PE.@cXXoIS)e`QkSk9!d_ -%h;-obHBhOhYG`32o):r,55PgsGId\)d#6W7??q9W>kn/DWVOF*iB9i[SpfSVk3Dp_gVDS5H1o?uh]jOB]hH0JN>J0GrrtlJld)K] -%YUYM05DBc!U2E*fr>_9"gXrcTfDd"Jk8W.r5Mk4geC7slrq8R:2g:l.(dj/COfNuC])T.e/G.5Ol3@ibDnfOA*90HESN]?dip,8? 
-%YYT3EVF+7k/g?`BesV(S_%*WF$2I2.FQK>4NuhJc1C;7 -%@_M5E:fiaFd$G?3;:m*.i39sY[JL>4LGZfa`a;q`'C'&YEPa)nh&^48_7>3og>_b7IdX+_oMaW@?/Kt0Y.I'1 -%pO1qB)\2r#c/$l8aDUH$ZE660ep`arpB\D(W4N8;/e$_V4F22md36I"i/rNP!OhNkFe1KE$X:dl<78\cmSt3 -%GK_;HJ%Dd?aqonV6mA2J&8?bbg*)Rg8>Hn3WN1!TJOm7@UjFB8)Mtgi,$cPE*KoY1,uYpa:So1&UPG(HS/jS5Y0@HrRACLkFpt4%g"=(kbV<4C%$H@]JY8qQ -%&o34'0rftq'FoQ.@BXstHQI'_6QLE=:Qg5JQ+gtY-Hikt81cTH9eAgS#(EnD?g\A:Y.=_JYT"#aLfY/.0X -%pN625*ng%=Qa"[P(nVJI-+l^I-.E^A,m7;6 -%)qeF)g>,ndS+,/[ESKau]3X@'ou5kdU,nR`WLd*QYBFONh!3Sco36nT(06C<=O"+>j^atM9_2LjJMh3`MC1M?B[NVdcLn:)H1s+% -%l)BH[s+QL8+.X!,U,_jmcGoGikPA57m`7S!( -%$i"C3Hqt@m&i>%aZ"3i -%VVKeZm"/5'N!!X<_=+NkI(9#up$GO>s16W;^9p`&"L8U298N5/bVbm5/=UV;iNGlQfl*$hCTa5=m*@u#MEVMmE])uoc./5_O&s\VUF."[_05&L?rO.$PJh+8J<%pVG4J5=">)Q,J>*FrRfMp7/_qZ[HPG^sqk6T;sjV(RaQg3ZG;kB?@ -%jV(RaQg3ZG;`:IPes8dOckpjhdJr@%"hL?7ME\NV>+oVa]:^8*<<_Bc_\M`WKW>J^cW@>kBX+/8l4fqnt -%]#Uu=nLE[9cX544'ae#`m]+Q^]m)..<*@&pVCJ%(CWNb>A$3A8+DC^iYm)Ws%TK>aI\YGnd[0`.4cb\NY&6fLJf<0)L1I_:P7@>\Z.,hpPQ0*RETcDbQGpA&J(mE^heM0Amsm8am3Yrh^iD-UcUH<+E=MG_ -%9dC[]jT?Xb3_'ifktCp'7Fr5%I&Xu(M!UW.j+j[j]DL.XkG'E3jOUfm$aBk)PVTHW+]B_hH$h)2]OE#[J^tF7VN>O#>%=d_K1D[d -%-kE9YOXLfNDGj,aF?o,h8e_Z8>%mTG.N)F;8CS)H34-i%eW-/BS7o<5[W$mq]<5bM2S*AK;XmZJVMKDfgK+OiYLFg_u6)A6fC20 -%bPCSU]P:^Xql8b'.=eS`tR# -%>2Ql:Hgi'3^"bYRQ-I3"[glJNoC0r*_c>APr,V+B[CFQS6L/T%c,4iL4kW)gPMMF>@;Gbf]s:7IDl9(9D:gBYQnQ]m[ql_$bNp9o -%>:&%Z7.g:E2j1plFYaEhO9:Z>ib^iT1^@1G+4%7,SAZX(qW2)MEHk229Jm\W_oo?WZYJ6 -%\46!,"Dl_@NAiN>&ZE)62^4l7S9J3g?cZ&<:(_VpN9E:j9. 
-%Y7sX%;jJIeF+pC@JTW%.Cq>4RYVp63@qdO.)h51P@b -%HC\tSDVD'rk?F4@L9&r%ll?0g@\Oj;W?8u2(o9V!]mM4>PfYj9NSc9A)pA^(nH&W)(RIa(RLtdjr0/2Qj?FI[k,2u0qp$>2o -%8M#?kO&^Gm71EE2h'ZRJR(Ki@r^So'bJ),8iP56cT@P,&P[:VB.]o;B[u'("X/G6"@QE9>:#^`&BiQf^4L!n.qj=1/<)7dE5C-!l;k@'UEQ$#UYtEVkq5TPY[Vj9dE1BV#n;7CVL(:D&L8Q1['m%Q.[YM2'=Mh4?9YhW63T[[X4JBl]>G+&V$37bF8Tpn&@krCh(h]?]#6W1Q]*'aA49($)^.tjGV?.^0m -%F`^NKPE"2(kuom/bB@Z?SZ17[-Mkr.N:t)++`+sQ)@h=Cp]Xj="?eBjZ*Y\HWRV:SA:M^(31$5>7Q=5Pm"?<./]OYe&(e8Y^-)VlYZT" -%A-;Z;%H/#.pP+Fl@BSJ<&3e^r>8k@-qe,7shDDAT:r.tlUr*#/auT[7<:XRJr=`N3T[i9jek+/%6W0OBim6? -%)=)f)kB'dmYJH?R-SO(7j?!"P<-bekY=],2-j'Q!JoGQ/.rEMUO9M=B?Bpi;/`t_)LW6LMMc.TiNZ6/?b4Mp:NgIUp-lh+=?]"_k(P>$sjr -%ahC)/CkpEj%@^iJT[,QYMS-P])nQK-Y,QFt)n^,-=JGTMe^MX_6cq%EkJ>)]X`\\73jKVQ\_3"Z+UUP^6gZ>(QLfZ7iN!X]S)J<759pRkX/%'4K/]FSAQa3oi<3+B"6gdr1_)t6 -%eBGUl/AR)O\6=^$=bs]KYa\PK%>We>@N=Oo)i:EHF%-F1&AaJgRuiunKkj`@7#P!S`cG4O8D"083!(AYp!ADge;RAb)R.`WW"\b+ -%et+k"`*H'#(]1Jj[%):i?peKF0)u;[UUpMS?gUaU^87nl/N#GF(K94i<'L!`MTk$\pVV]W5#p?d6)3Q#GJf+R[(_ilA)/1FQnCK] -%\lEN9>l9nP3c;"c]Pc4n8qf'.@-u?-]$FD-DDm)pV&$$e^a=C.k;;ns!% -%nXOASG?&:i*+*_d`T$.D=+u.*Hf'GRjI+UU4j9N9@J,?]+*2(`=(Z2p/2uTe#"J=)H\3%#dBlldV.'j:>4jd&guJ7=HHB#$k8#Z" -%o5^,;U.(QCB=57=_@fY1H$%056D=q.FJt?>c-KY6)&Zt/0Q)KbcSf#I^=M8+,D0UB4J\tt*=Y4''i%`^amhi+\0Ope9_ZVoA@6]n -%YBYt+\e0EMI'(:4k8MV(&l'(M;;cb_8IC4fIN4b8Z[4m56ZJeb=f))nIGqJW/U+2$W)RpLHeAOj0m[&2BbnCm$DH;L)@P.n\-ftE -%V9jdV_e83]j"b2$e<1>XamV*Rad]6D2"B.["jZNr]]c0.?VXc"mlP+BnPcK!a&nsMF>*qb -%`j=cgcDkNJ=nMp\K<"9dY]sVWaZh.E_,hr.3BP@!a*p%nOIoSh'C\G_SEQ*a<,-'.W&Z+^92Bm/;`oa;r+HIBBZ4ocoG653RcnjZ -%DRf2OlbJnI3E<7%3*5JZ:Y&sa(n4[s<]s?EX@_(+?KG\cq[;#"3krjIQ,5O9f'695p,,kl&(H3)#>4qV>*U''\K^1;OK$)_MRf+" -%9)cM'fO/aS[DLk3I#9+<$_8\hU>RbOpaS*-D'f40Z5YDh.To`-+@8p>KM`]6$,dJYX,q+'P0*./Tn%/%?p"a7@N":Eq1%Ai5M7Qj -%_O5n+g+f5qUq_0"hgQTlpqu_%eDYlQ?p@_lF8b*dIUYO9ZVJWP,F01OL!:k>Hp3@cn5C'Z?Dpop%^QA4D,lZCAnKd-G=TZ22U?g/Z-Tcu>IYAYGbKe75qou6jBB#-L-n7L7l\83n,?8Kpai%F=JE:,k#HkdJXS`\D@fV:D'q("AuZL]QPl_Ohn5/"cX 
-%8kRjk[A@0`g@J-**UK[5mbV?ecLF(dGN$,VbZ]Fr4uo0#0k?!Y/JEoU3#=G7R:e^/6JY_B&8cD[U,?-fY>7a^f1r"2P\SP6WdB0>W.bGJS(fFe -%kQ"bCr"D\_5j'-\n=#@KGU2\Nf;#^Xln!d@,1/?WrU2=A"TDRI"$V.10_At?QHb2kKu[@@U]1dEtlc[\;I!t'+0>C?!IPDN^HUb -%Po&HN;&48l_["I%(j5ZJU@%WA:J\'qA,\W4E@Nh2W11qma6UH7TF=8?1-k&+&1G]ahYQ*$]*_=!FB,lprpj(3o4BXqniq?cSoBCU -%C:j,EH,?u7YK@Qh-X?8RX%M@bcQXkoE^%ir]q9u8c>ms5`.0[a>:*Dhkf9a"gHP3d+KUIQh.e_>hj -%&,YYZ&qSEHZ?j^\%j9)r\'4gOiiIJ%b#4_hrd*_bs#CND_,Sa@:OM7"T@@8CbWb8Bm=]#r&oA@YMI.^b`sDFeoNI:hmht\Ub2sSj -%d%_kfLq"p4nRG2U'?ocsQ:WrWI(]'pRp3PEa2X[A%t(6;L6hQOE3B:pM.i6&c_:%2W`YLl&VddO*:H8=S:b>2NB2s2+*[mK`*UWT -%3H1#\ZBs+OMcg@n;5S/hS=*CTf@&9rlB*VP#%pX3/pAM@JgRgo&BfO^e%T#*7hl7m:$`hiK^0_*=orp?6pb7&f.AI -%j'%HlN59KH+K%Tf-qKBEl'4e"F]pH#cRP`Wkn^^L%4sC -%duChn1@!It2SgS[B\eR;p#@7H\Vo;hZcYK'[/(K/6OVh41@s%FASjBV\uA_7HV^_=$h9pG2oCg40A-/t'7(+:[b@dJhc"7^4lsC> -%A5nl[ba/j(`*9an#&^_pgSml]ajr&=]qG(jo3jD#$NB]OU[1LHB1CQ4!I@t.5EtknML.ltbcMO-V6ZUm8m'WC)jPT?SV/lBuS8=g1j5:c`eSce/Ea98E4'oba;F[-`E#kH;ZI -%Pc)Klm!Pt6:5Lb -%5SG[WB9,&64,@'Vj^1l:?$%mllTtM.bO`JJ5p'u(UG3tR6HRP2bUVh#4*55LB\5Nmp^g5H0@!PYi21fD\1&kVcI29UI_:+hrkEnJ -%H1h.a^Ud*VIB11#g%3e.T9?=KRPcS$'.U4>5")c(NE*K!'X$<\\,\8k=)W:f!#^Kkf3!`"7cEVic2I>&_tEC-J+GT+\+LQfmm"WI*I[P(e\f;prmi=m -%qYk`IqSSXA4Jmm`=&!a5:L1"bPCJ>LkIZ*c4 -%r<_BZ2'ib8JVqkerU/Ci:SINboKMY70E"PenrE@]53JcIn7-tip$i+X+rp:gCrFSSh.n#o3k>\p%Pr:+SM+0M4,1%a]'u0P%/6@Y -%go;AJ`hDd#':_oV\CD@dJ[2kbZ50Kch%4M&\Y8nOmsP`:Om/TWC'W#7DOTK@j4o]rEV9`-^M;`&*oIk9#9,*rl<3;_^,&M#FZ5@X -%B7_]T\;+\6B__S?J#7!7I+9[1FT^7[ICXiE\8TkQ>W,7ldocK.gr;%DmudMAe2Q_eW5F&VpR\hRGi4#j"Tg[CTa*ic"<^'UiMh89 -%5T+2Jd`M5Kk1AL7cJq2-%GrB53]cCqauV`pc?H[?(Of(4YC0_nCeH..`OT_lT\oWOj#FngM.`JoPoR^.8#T[2s^$Z]`$,Ho3n^T#m\?^o]V=N^^)#__7^75*BGXqu283Y2pS( -%05]]cPFrd&ecVk=h'/YKC&Ki8+#PY=p^P7!ESc=m+@h_N(Vt>SB'6tru"7_h>kJSCI -%<>StFc`W?'C19LIlqKPE.^h&kjre4tZacC^C&sr*N47kETGWD;$;=PZp*_d'KQ%$+Y07mp'^S[B-(XKaLa>jjd-j"P3=fu%n)N'd -%0_X'^]94LgYIr`TOW#64^uqAYMR18ojt:B3O`G`"gT+1&#Q)KX."9L$q%Bfl.6Y>dmYhQZ")F>VhCa; 
-%.Rp(7H!?HR4P15MmsMGM%0&pqR+'4'b;RWj4$BsW@]Wj1-eUa:+Nc7ZE&l)FEt%aEQj=d>/41qK(@[=grq@<_:lHcY#"Z\-qZJ1n\A2<6$h9V]h5?-'K*jHBg:)M\JX?YfKdHfjd)UJL!@DA6 -%kW"+iT_!DG2hMSsN'Z?jB;P'JmcIi!0*+d+Pb8&merBm,P+'.c-R[e4YdVAcfFs`S]b+b/6#aU9DG5mRjGoj4ZDk\#+='S$M=iZmh,bc -%HVHiTDmkDE"+p]J"!,aLFTdD9kQ&6,ejC.;I$ -%+>O]TdO!*t!Mfa;@4'9u&b`%K@N]C*Cra_O9::`M6AA?S$h&N\\dCqo?=5[\Bo3*P44QG*4g(X>^&8@akrbMhL=IO/.]BIM[EV\. -%P'U@U0ggL0Oa805cm+R;.;ig<0)IpO;i)0abf]K3MmsP51ZU2#a>q43=B*lcM`NT25kjb@r<>6SkU)jeTqg5ijhC2(rM9a1']]@q -%5^i+?Y$Vu#:XrJkiV$A321aN";4h:\Gj]2p8epnB32iPBcsWI+Du6e^JJ*8GaQO7J^ip+p6mCj2psaO<;YQS7coJC_LbdEuDI@&V>'N?,&#P-8+IHZ`?<'0jnR7DnsXZmjtK?r%k-[hT3R;_OWN*ESur$q>Tp,7=e8 -%0!$NF7B?jgT%3mC9-e.PUu@sm-HkDFT.V#^UkfiecCk8N@#"E3/nG6\f.am9"%3=WN=+Z,3`#DMqG0* -%(8ASR%4(i9MS+Rl>Z30k881c[fHe(%ZU`*@=jUC^n>qjsn-O61h")Stf*gtB2PUH[\#=\8ZWC2dXr1(+##*$B19[O^Ng9Z!`XWj< -%J;^ga*9Zn46TNK*6Wp^09sjLO_fm?mFj5A<55T>C['A/. -%S-P-6@hXg-ZU^)p2\XTK3(9LpM2>sK*q'0-74TOo6t*:&>Y>uKo'h*0Y_d^_P:"1+hB:Qf9NR\tM$B!CDV!?\SHe41)1Z3ilgdT^lZr8c^m*n-tK+t4Em;*Z1nZ9(RJjUVR -%`)*A3Y[87C!BHQ@^FgFh%g>]ePXSRhmPMZ!]k2%X7Vp>e'5=BN.go,\n+*!EIYGf1YiM;K;6_B@'rh\?8,*eESrfu?Z7$gCAPkXe -%b6;CCZ!\@Vgl"X@0pGm0q@Xqt`+Fk25d/DbI2UZl!]\!V3CZc9@r"Yi9Mt#LfKm;.MhNHNc&HDf`g5<:=<[7=l1uPQ7,TL$#+J%s -%UU$hUSC&q4[L0Ad:Y=^5HXJ/35D*M1]jRnk^6i7LG[==#aA\b'CrP)p#I?Kh_J+r&O3inVWn?ob -%@#MX1AL@r=?"E7-#C7d!'[%K[WV$tV'+U8"^.G[g//t(_`JXCBm'&P!U@aJ,K<7Jm"_*72#@!%E'8LePMQCjXFrfh_&r-P6WQjcr -%N(FkEMF3dtDt[F5b2t.'%p]b-?F,Vf`c3ETL;]J#HZU6boL7)$' -%Xk<9`=HqWkju%mXJIrfj-H5C;pR+$a@b29M\XJ6Q,)jX4$K40H-F$k)L;\Q2CUD594cuS4oJBsU_*_^@J7Cs%":5e4bMloiUDY+W>gI*B%(ue41,N(,b6%(.[(Sa(I`N/> -%+Wuma%KW%/0He/'%$H-(bcR<4Lb@e^/N`bU<@7KLYc$uF68-bNQ:B7q*r$?p&LNOU,f4tn]L@np_^)#e$'SIVZ4ma"P3.R:E8=>W -%JQU3PCt0Z94=ASbVW2n6EO'\j\1plDNDlNo0W7;LMNg[<&jIu\81!WI`*4_i$3H@q.P;;7Lu8mhcq78p -%R^Je"T2rE%=X\eP'PNJ2'p>RJm>.o]V^1SnCVS`6M 
-%%'^(;5dE0u6FKf?2>GO<40UMn%fim8/9;-@8M$cBk!kJC=cSdKq5i;mWfHFq1Of"iE/4C15Zr1ZOUZ7Y8:jW(TfmMkc,aJ.,f,bL5FX,iU25#haJ#ETor_2;nTFANE-1\!HeL?.mKnSr'RlA5XbN'8_G+.:b6>]\GgUt)`sZ'$F7 -%@Wk)t">9Hhf5o[+P:i(jTULOKN!1[6"(d+Xrn=(.^c2QS%G2*]q>?2I["KQ^Re]:+ii!`uP=UIt7=L&X$8@TM.17E?'c,Sd9;,W, -%MA_WdD^kG"p9lY%a&F2?)\#XA1og>1@K8nAk3WbYA@pPUWE#m'&1,Mr_L`,cqBQs]mlac5)?Xln9i-1@kXWDr7_Jru%n_baO'9CI -%_,*RtOgC;co)Ua!hCE:@Mf/[/o(ereg*&k<:kha,6BjCs"FX)cM(#i+W6r[bi>0;;6G,a,apWHV@88_V_S@a:b#*D;TIJ9h6A/DW4bn8b&3X0C -%9;9Lb;&mIQ65YLI^C\F_#'E*OfmMm(ZbnQ9/k#k+U:Y!T'pYJO";;+od]dt5oIf\i$-rmi9Y2n[F\/)ddXhY^s/;`H%X/L6+lP$t -%-7%BCAD5.K8+OogdKYU;DD:o5"3VnEZ"GS).<&(/XW"aKA[>sZ6tJ\/TgY72Xo@4Eo`'$*O4D1Qd3jf^f]a'SQu)GP=:?oJ+r3Q, -%=TO`3BPh@G-b\Mt/1P.=$hT3(:l+*D'r\Sk:g[+OP)-d[YSlNnff:"dDr)I5pS<<7#`@ZLgaM2ajiGq#V?H*s@][&"$5X4EOMe,\]m<_Bs7FZ/c%6&#\>hUE#[sMm[AUSh0&&r/)Bk\2%??c1^%BulHG^1D"AFc\2Bg1:fBu+Q6Jt$4'["ukp9.oJ0KOg(2sk" -%$gtqKP>6uc"DkEs=Mi_7?>%N.\]Jcaa!JODJL`f;2dK7GTb(F]sT3Oe!a4M8@j$p"J_ -%$#mmRO;SXfO?;W.CpE=@q+6el8@@rh`B-)2/+10@!#!S%_^s0-5[2:\k3*(M9=->(7T3H^t-0IZIU5s -%buqF4i$B_2*LB=g=2DLo^PI&ZM!$!K-c(\F4G^'dn$q;YDg]"Od:pU*rRbL+!BAekpHTl]V#`dJq,hW9uG^;$,06c]isf!!!b`-MgiC -%_to`'`YGV1/-.'Z7jOnKr5`,X+*j_qM9HN?(V&51H)bU.OU*>R5bs?Gah\;3.IF]!*LBSG)46'a'l>5I;:R_5(>K"o$Xr1,=S+pR -%0uRNt$-S.h8jJ.c>m68lAlc=hVbWA(,fZQ/)aimUDAVXGg;7I68X@X8r,rVi!).YoG0A=1*^FL"Z<^n;>VW/9[l64-X/Jk5,)9HR'k-H@dPF0>Dhg)l"P,skB'?i -%[jSTMNWR/AQXq&QEluP0&jIu;>f2^t>T9NH6oG2ad\I59[]kU?-"WfY8Jk?^F$2t(e.As'B(%;D9?R*1l]oho,2lW9@KfHF:bC-R -%4F(Z1(AK8bYSEaF=`T)hPSdB:]eV&Ze(?]YjdlUr-<9.AP%9C@"9gTL?d#)n""V]_SPM?)q,$Es/N=([3u;15h-NlKTlQ1#k+o0*(8lJ0u9CYrB,+ -%A]K\Pr??=0=S.>S5ec5IL#(%s2S@2s)iJ-Y2Csdl)WJW":&R`V;!N)PD"c`61b@[8TV!EnfmT?+@qTdTAXAU3FjjA/C-rjX9F"U" -%>ILIWaZJ0F2t0:Zb>*@T@`+W%d4n#!h$grag9SoT5^TI^];,nC=k>.2G,RfQEm!hpcVKbSX7/Z'Xc!h@8fq15^.*$H3l/ -%9KoNk<63@/`2V/V`IS/_1ZOg8;mQI&)SM_Ogi?5?u)'>[`6WQ")2asjsi%!+Ir-WPo!0/\/uhNC?r&JH(!qYW8PD4#GM]u>SZ2,MZS\l.@+L8<-Uj2)lB,#:tUu)A\ZNQ*=8NIkuoj3/Z/W63h54gZr+]I!]F4u?,GfUop.'7 
-%P]P+tB4,`1.-KiGFTbBD0Mn^XPOo*+r3bf+k_8[HlX58@&DQ+[nODb*kb'tYS9J$S=Qr3U2]$bGjkgr*0+fS.8T*51GbdIDD.a(% -%,tNZ+/lFU3Q]![t+rMV/XlM'*B6KQ%nV37^(`[^6U8Ce.)7&9^0s^#:)F0NqPqkGE$qk8mBqefmHje@[E16!61_:]CK\=C9b//^8 -%gd[DW/Jk]tWi44='5&Z#2#1e^Q#*X+P,1<#,:ea;K91dp)9OBqYmdPKPRQTXN3*6EF1Q269BKiD37`.I[?U?sl-QY*m+K&+W%cDd -%j&-hnhOXgJ)igIhq6*2Yn&Z3rE`c&^hMWrhh1uuuW]g*J%J($UP4WRXDqL6t$q=kO7Pf+eK6Cof855>T5#_F,W03EM>\k&<+l<_s -%\G%W8:uB8sKc\ZVNQeD=*nhd+MHH\ofP]+c4&k[cWAguO>&sY5poFR!6CMI[`X_;[9LUb/S2'+.`c:*ZN!5g54U,rC#n6QsWON"L -%)_c"4(M;Tara=W.dUgiWgZpW\YjB?7T6t0Z5-f6Yc?>LLA5=CC@$BZe`j(88Q6hMJdqZ#9>LJH[1@CY?n3kM`3JA:1+>gQ%h5t@c\9Uq)$eDY5VUAKa$8b:Df%k(mF5;=Z&5!SRg.=1V"+2oc>C#Y>F -%Kcs0kq[gZJSXKj=[2J+QH"M(2[ep[m5"!t$:<27pBcZX -%/G5O/bYXZM^_2XL,G5iIXIgc9.h!k*S+n6SFT@+X!_f^af.\%OeNQQe0mm3CGgUd(R_ZM>NBV=LM*%k#pV_[tjX[n)dqInWPs.dC -%)EA%sQ=IG>#R2p4BOi6[nYl?+q[.*oj$K*nA>?NE]`0M$nV5)6ORbCCjF)&hXapCF(@iIF:W+^9!FL!<-0sZJ>"f>dS -%;T?.)*Otd!kghi7Z;02'nQ^r#ghVgU.$KkB\n'j,@,L8%n[+S![3j$Uhoan]1So/1eNkoEMZ=dR,?)EKpR%A*l9a15\"E5Z$t[p6 -%3b3s=p$ANM\tk@R^g7Q<]I9OY0G<#DH+Rjam=X-+;S/:,0_[#F=SsW,R.u8UACqZBFpVhS&a3%Z(NZ-P!,4\;:9 -%4G%heIAUQ4Z`I>]E`rt2&Ai2ZPk\Ds"4FOMSp:2UrT>aTa^I8i4Xh;X\>d>%s](OdbWL0V>o9(gmA_:WLe7*A'aX,t. 
-%a$]Lc-&3Aj]7ih]'5&]$2#3QEcJ%j[PrANa[N)g-ZeoTBJR,)erAfpFq[UPSZf8G0J^QVr5I,_R`cB@qf@&q5idI%.>"/5Bt!--SXuBaV:@hm.VpL)QK*sNG-^JgOQ7YH1B-H.G=q2J1WIOVR$FdW!YJ_eo4f$JAp^Ai]"R3(Sr1#"]/HFN0ZV1qaZ>(92#O:3G>%/0DN9I[3![B5:)0PU1jA,hag1X;HfX -%lr#U(H]>,#N$CAFNU.MHQhG,7;RSfNWE:S%Yi[rG>in%H>f(n-BhF6j/!%"bOfVfBnLFcBXH'!7*2:GFCsdr2cA,k?B9Mk[L(J?` -%a/LIjS`CJ,@\=AVikn$j'D%SLBmoMH\h*^DBs"mQJ=)d)X2&-4E=C;Q0d`ogSGJHp:ORg$iDr[1PR1uljQIKDCh7"Nn?h[;c&$F' -%['#63pVi2N-A3\9GSr])Th+<@fG+'^'<:\,1_AoVBHTaUR'gj:qffkGDXHYUS\7E_QJ*lI('rL;%2^^O\'KG\;LjSHH2F;CbeK-fEu/;7ZAr04`/Q[Ygb*`3HjtN69F9\QM2qiUDT.mEjcuK -%\cpDkR\Ls3_r3uA?H$%^lJR4eToG5sf/htrLY\+lYAsKJNkn@0W^Yfrgl'*sR:NaN4*L6kiOBpX)`Xpsi@(hi/bjA1;6d=5:%M-7 -%YAIuKbe+^>,HUouorhI;9+ejR[q&\dgWhM-?$8<2ZjAGW0E`XG*ufA5,j2sLgm5:9&U(LTK[pq3+!D_R`qJ5KD/i@Rm):.EZ.#l- -%YmaPDn<1Y.6@tT\3J>PuDQDekUpA_^@H_.sa2M#)iX5-6;l7(A43j'>mbLY"@[&j;E6\bO83"n%X6q2Gi3JcWf1MRUCr23Ejd@62 -%.T.TJ.+3k*lh@>5m#/f]KQBo0]iu#&SaL(-icHgb&XK/AVXl,=:I0PVP%K8X75b0Wil&Vco;_5b9`RlY!R>GCkmZq&?u2!"B.EM, -%"D6&4AE-8`[jDat1_%RN?iZRY;0\J8+PO8QMlcQH-\A2C;iAb;EDlLdO_Bs^o;)jopC8?5`>Lu%Pb?D/Sb4_A8"'_XBoIe2!EuFs -%X<>]jGd]]!+]KJP1B?-"r.*gTW[.ekER<_/+s$to2mcDUQ].dmc(1P$9tL^KQft'Z4(QDFhB=#(^]P$(M,Ig(W[S0d=U^*'F$?Zu -%VYX92aM*0J(4ut_.!3@K1)gH':cQ`2.fg@4C?V(7$O9L!R06>W)auU,0[\nE+tPh>&BAlt6Ph]"lS`lU#mIt/7=GB5Q8fN,S/Y0:T9*8k@9+*aT+H_LiiL[=VkOC0%%f^m(E*U6DB,KHo#pqIkg`;Tk"9qPDbLTs3YmBI/+dNo"_*1ECK/*f9KgeT%l<:e1p\ -%A.Y<,0W7gA@U*(c0J/766DFgm&nDIk_2_i=M@Y^1kGRVk!\4FYT13%,V+XZ%PX,^3$/?#/gqoV>$4#@sV?! 
-%&Ogq0$af,nq4VUt-+0,r$("beX=\DmeJYs2B -%:Ip=YcL[uEa9X)7RtKl=Z?`J#%Hap@0(Q&U3%P<0:X+0!''gFtmhpF_0&nK\Z(MrZ#QWC,+`AuR,_rgWJ^mt=[LCnfKG5b:6&WL:NN%UZG\$7.;iRX>=:%2Mbm*/'IKaIeXY)/ -%rU:R$L;3qcmLYd/e1G"`#pa&62t1)ZBaK/gN)0i<%D2A/(P_=(d2_2nFOj^M^m@C@_&"t/G4;oXOH;+mY'cFPVsUQ(R2,aIdD[(KB>lJYp-8T,$'B)(JH%qR:dcb5sjTe^6*E$1B.Z[ -%LZ^\9R0689:)=3a:*6O+oPJ):k$$)-iNga$0N-%k1T"BN:Pk/GeRDEl$regUdR%=k/HfN+l\o94:UJ9Ko;/9oM#S&9)$5=V8erf; -%9GEp5-SrGp=_6s$5_g!2,q@;QZMiN]We$j2ZP=]VE:`iNiX7AFI, -%q+M6m"o_>-+bmlKQk4RLM%V+@=$b#5j8^'ia>cc:D_f8?UerD1F+2*&LX55s$??*413)]*SD63]/$#[ -%cT"&m:eA\RJ1:u/2#&%U(4[9a5H7!V&R\_"3db30DE -%3E=?s#"8h)&m6V+5p@huJR6YL`GI;'X/VcPI(GgsSC95>83p%J.`4.jEe.RHNpXDR&k=5GQ8g'+=2@FXn>7[Vh)n -%72,W?+IcNFLQ"1C`b94N`_:*/e08l=d5ckI=K-sm#V.K&90..Ie.rXh?q&;`N4CBh6d8%!P>F'_s%5bAVhDB&8nMrUZ"B2_BuTea -%p9ZZHF%W;Q>TLYV"@s_D$6mQKWD&6cph>TJ-4DmZR5U>X'([B.#1?Ik5*Rp=b`aGX"ho+;VTn$So6J7*/_eU+T!:W*.Z5K4mC40= -%C%,'$T1Nja!3ekZ+0-7?W(39G1rJoWI*o7FN3O.3S-D!N;2_0jPm1s-+N'?D-CkN[/'Y;PRt^/g`9Ym&_D&@6kUdIT9QFRQQ6MBI -%0#nTnK-r<'LK*']uNZeN9!%*H90f8-U@iGU3q9\e_MKOhaXfRt1VD -%V#p`p$Io:Z>LM(HqYOpAiRG6,,6&;D(])gjUt1nD(_6IN&0F*V?=A9hn_Y2PUF>&d[4Lf?D34p&e>dRR_ila?"D(Gl0XK]*"Yu_m -%U+ckqU?YR%;.@&=P6YZM:m;7LFOt8i+F\U9O2KHCpfsdp((1G<%^r9qZ=<7U;nsa=fbB^nmV-q-];7 -%"9]'d-3sl.:G@qR5QC0'M[2a#+q-T-LjY#Cnle@/J>c1Ak0D&(5U@s,'Tj)DjAdI'R_Vhf;No$O[7XCdngIDVCPeh9_*j\/XLo+e -%&0VSk6R7D`$P=8=/6HLPW[JM!,#+:_*9;jO#SA%C&0a(872-'fNTgI+b9f.n7uTg6Hpc3S\9s`79'4OsNjWVMlBe0g(fEcuV2Yj_ -%n<8m)P6H.d:LO4k+kPVpOf5(Nm(5n%kkU%9IKW$*l(:#R.%_0)SJ9K5VSl!l-*p:7>rDBE8['.e-/.1?++ -%j[E96M%Pa*Cc7:b\ioqUJu%RK1SFl)a8qG7UUl4T5"KP,cgYg/]$t-D\R!Te4#.p;8gj%hH_X>Ir]3J%35SP2E?i[CuEYJ%b^PiVr]&naiq7F-"rTHu]o:bk@RVV7g46KE(]'I,SF5rT\U-5Q,B2qLI]- -%r!1)%KK;#F@Del:YJu',rk-5Mi@2t^JfXX,Js`03J"]btam\0CPgtcnmopD=K'NAl:uSuqW&oaF:Bo=0f=/fHa45Cc2[$)?*n*Dt -%SU>\-?T[gUK22^.Q[Bd65V?pH'MIKjmmp@@QR-3JrE[uTK_Zj$B7@)BC6iQTR>'H1`]%UXh7T_n7=Jj(fE@&9rXF8-8-NHa\':5JRBg9 
-%I[B]S%7@)g:=\Bk]usUf0B&%M@0YW+E.V,dP>Y35L."R_.TM\pj>@umTj\MQ,Jq@mNc;q'[18,W(/DR3BiE]cgI"&2DFnr6nCfJ. -%A4qtCaGL=9NXi0/q\kM^C4YJ5r^gLs^(&[OUc3`q$3Vo+D=kUs(5TE>p*JAB8A.#T>NT`[Nr\JnfS64Z@qh+0fhA#R53%?Dn@+S;&i]bqtN/-DRN"g9!S#ji>`%bl]q2p=PFhuJ.* -%J:MLc8M18OHp8qJ`_V'`%#O<^#bDL@&AUG.TE(a?h*-BV!.IGmA,^f`KK0VeRuZ6BNY7)aGQ&Vc#%tZAoniN3jrV)lof,Wk:!;sd -%T[NM3U4YNMN7P6\n1C>Uf20X-?Ak36+U6,>H*h/=)4GFlgUh"G8(:qrCRZ*1;.m*LqYRG`-QE0@04AlKJc^2Eb522U#"lfp%kLf_ -%?Y136635F>P5,G!!9IgEF9=-R\GYlTE%nR((nf/F_k(7o(Jl'sKHW%&f2&c,&280\>M2idlpF@(PQ0T?/`74f1="cKLMPQ]4.u -%O=)W6E`G%\DsHJ:8%>N,n>+3GLs5M]:#N`$(dG$c&2Q3<=r'4a3/F\\E:+uqP*6Z3[$7gd6W-q,K+Ym4l\'7XSkeP\:Rc*r@1J_YR$BZYe9>?@':P^hj&[q;ND6d-aqMO%95GQr -%np<(tH%I3:WlLkJ*V_a>"!qJf(6/o%%?H*(AG)/L]gTjBL%lCETKRt9EAp!1)Z(SfJ_frM@Fhn1;8C''2I].ld=s[jNR.ks9YX(3 -%+jdPYC>]REZZR8%UQ"XM*&+VV\HN+#P16E48VP!]kk,L[kOHWCn0H8W%lY_O(bkS#:'cF/)t@4t:a-:S\ -%EOegb&_KWE"b(G>Ta$QX=s-@hGLUWAPh-MTKCd?"nebtmAjg^kHndlO5.!GFU!le$9jQN"6#t,k#?2Gc.N_i-3$;8Y!k.]7(6e7o -%WZpX>0IZuI#^H&;@2?m+Lcs5UfO>>p#!_9Ia.k2aXO7;H&R3s1re]Kd\u7BX@Z3$Y"+!DQH]D3#,oS\!RGt2C>$^O"JF7rJ5b;J_qYk8a*n:B -%\9#'FII3/Sqt*1k"E)iYN+gr\KR%ocb>SBE['X!N9Ar:)2,kW5uX+'S],c -%&ZT`rNNWAh.Zc's$D8j5YM=no!Z59"U"p<@bk3L'St+t0&,M,?'?E?*Gn0BtjL$dj7C4r2F@Wn'rL3Wc30D6hHA:nGPC/a>*Jg05 -%FWc)Nh9Yj;HtFWRCbW[g3JmmX1r*UPCA^4ufKd+a<:\qW(7')@pl9S"](\.f0Pk^ALu-)";GBcL*i@Y%l-KaM#Q$TM2DE`S_q?2` -%N6ncI[tCP;?8Z,";ZI=hn\_n7,OFjYaqje&7Yo,K_h[eME`p^k9Z)9S6+nle%r1t!hbRL -%CC22'Q%l[tk2VuZ'Jg9U5YV:GZ_?Z4.)b(n`+1PX!N^GGUPWJ4!7m\K/$#7FCWIkBMub%ZAc;^"&8[Ke6c499>in'B#j^;ch\/LM -%I-H&h$m]j4D/7ks*glsa/V=n7LE#0U$']b-ZNNl&_&8o!S'QUC3,?71V?8rdK2k`_#4ct.EYBksIL;9fWC20W2?oh$d -%+FjrqdL>CQ)"L/Y66IUZJhoGqTt1:`/^Wcd%Q`l#2'F#nL,_R7bP)DfFS(p*T%A,D^8#M\!218MY8KZ;b4cI949Gb0!1c/9VKn7( -%`*1Y"%=mRZJ=f)?Uo58`ciBL6i..C">VTX&%f(sfYso"EEJd#]EKr6l6Ik#O`'>Nu#bZ.(:^.QH#(SQ&,9CZej0R%3mQWUI%)>(N3fCnF4)&6@06Bp'H*np,Xqt -%iSfF(9>`,toe`rT%q)\1<<*q,Ekq,EHR=MS"?"7XL(PsUi44:P'6h@,\E+sFd$i_]9FlB8inV"a\7Z?^*I&92 
-%95-)0cRlE!%Q&\Jjg!SrHuPJuAUR:MZ>e^J;&^oeRP%.H)1r`Un\EVh]5\i!gph2LeRgo8#!Ogp-<'\!g'n,Y[!e#$s1)Q\Z3@+g -%NDtJ-V*N54_,rjp3RhUX7(E$4QJ<0tWG4a*!;MA'ei+U8"lgOk1*O_%6>7cBJ5?Ir@M>@7XMTB9?j)(-I7#M5[.)[\>X^RUkRO## -%HJr3L87!V,)N.#M=j`nPH-^7!k;1Z%7/cDZm/"Z>VNl-&W,1$h(suo34pB` -%EMOVu4`3&MKUaXhSMH,DLg_^%C>/9JqRYd2"/`lL<$_j0\f_h(N'P=CQ9"LO=:Lr^bb"<_Gro'g[mPIa$[PWD=rXUi-NOhuj.Y^, -%[SpS+#aH<)155h/%Hec;fHVU5?4dJ;%&A%bqcLndH(+">cNcm`a>/Lc3f-Hdk+G?H?=cDj?AmWL!"4YN0gcG6=; -%5kNYc%L^_$.O]S@XZ-fj-3m#EBMBcI4[9SMDus3$a`jD?G(cfsViAb82n4C,M'nEm!8f#c@#kZ#>"]mg`G3#0n&SC\PQ[C[K[]ZP -%\WiZn<0Ncjd=D?%XF?ZK:BHQ5L+WQR4F+0Ie]'^Ao+dcH$A"St=;?o%bQcjcmPkeoMEi(oO1lXoZ/ZK&W,ij7#[jRAB;t/^fI2b: -%,-m2qo+4oQL@0$n;H&m9FKi&ieRNG6C_O5*MAAD'/d-'I@RHf=e<=F(_u.]f/^`TB/"X?c\t"dY.G&36q.%[MD[:8kVZmEJX?!A> -%%MPT@HsL6I@A"@AMed^]9FY!,LGclr$Z>,KFWrr=bL7#ub2il*QA]J\h9:`g3.anm0;>'^bDD,f8.8n^cmpAZ%m5C$hMgKObBWY4 -%CFHb)?ch=u#jer3<,d,jq/I_Y7Q13+KI;u_Tb#De5UL$dkHsk -%[K5D.1,'EB.e->>3286/WH^XW`l\D%AuKE@NL#:nV87]nQ.uL@E+#Yl7WJ!,b&2Y(@6RMQ8k#%4,EDf -%[QS86lh>>4N9G+H5*.=Jdfcnf_4goP&fR!hciWRcA`Eu*]d=>rUrHe`GopIP]qg$C#ClLMqj;t(#IM)%RNZ7g>%%b_.LW/k_?OH/ -%gB?%p,ugc=W4Lalg0&KF#pU?,<$G6Tdm2.eN^&6ss4c[G;]QFI1Tm6UjPX"Z533]2t&_''G4PZJ(O"D2Xc7[bb7L4=a7q#6HU0-<5:j]SZaVNcDH5/s]X>"ET -%oK_14KY4d_0PX2-'*RG&Q69NR1/ef,Pb+<]7K2n%3:Rl&32A:G#O7dFIg[QJsH0`g4#?=PrQF!KuUl%pN)2k;Gs=@*=$ -%&AB9[**kN)1hMiWjd.^8NL97o7K@t)+!A8reqL,-30;krb#<7![\+_"it4q-:I1Lf$dRi$_M*uDIb&)kci@';k(Y&5$-sSXWK5FU -%^l5j5-5?b'IfuJidBN(W&Fs0[/iW6A6#boggSW]sr^uJM!UA?sD^O1Fue90Eq/" -%88`CJ%Z?4H.9[+KJsRV2$@^<66SP5-3BS_?69a^rS$@n&^26.PQ!On\Tgh!/183b64T9CmDhHuoKD[q-_mITIHmlcGp#A>J*Rlfc -%Q]bku7g"8k0ZNft!!,KhU2:)g=Q=ISXfY+BbT1$sDS:5]6a+8G=k7S)F,7'pdd?#tn5+X"RI;5*d>fQ?&Wr.Uc3G0:ssQo/7j8VEjq] -%SjAYU:d0X7IHY'0r4$$"Q6<:GG=3>#N_-676AH.TB:FMC)m;)klUD8UL*7Pt011%)T8qnNpLi,HOde+^n8rCjPfhH@if=YfmBhSM 
-%cZt3X,H6q$Ysldk+d7@@TltGUeI;g/q*@`UZ8uF9`mdE5N(d^\*.&`$.NYn9<"\QNE4-QaD_11'6`q8'a\*_*5)9Kp*Y#R]M$*_ANq/9%_F]k)^X]e:c\lrmu?,8T92.OL.PRiT+k*p@Z%D\Ecmj$Z'[XF\0C=jtAUL>.0s[l2:uci9(e5sNOb3.Shbq(o>drH]gU3ia]7VDhk, -%_ijj/*a,32+l:atC=7&dp`h(F+O\Dnb"'Bs3Pk6P?X?lq`ReRFjn9_M[sbXAX@=m,-%@uVTY?Y;74Q'G."s4LY&/53hslsaP'^OmQ\I,30D=dTE%b>91& -%P06Z,JD]d)e.JZ[V@5``1i_el*TD+.r%0s\L_>f;$>5%e]c9`FHN;`@mRZDg`Su2BtF5C%//e%^#IE -%8m>q#(u1tH9obEVb.&HQ,+asYCM0f)`\h%m0-O;&7DTRN/(IjH%4,?AlV(S*gJT;$hA?,#r!#=br^sErZ`8Q*7oM$Z@.<]$#ZD;a -%T)#==&Zq5]#fUcU`jb_<9hD+*%%F]U0UaLH(s;!72M4Y4+`"raI-*4*FZ3&#Bu#0Tl>8S29GC?DAq]&fE;19p0NSGZ-_E,/1VfIa -%0TX[[9qm76!Oq[S_8L;4`=)&3fkHCE4X"P^K?Js+bSr*i,I2!7)!>dhnG(@rn%TFm/kV$X&6rh3N>D_7@q<`L9`eUB!`]R=lq_#P"]X;D=ur79dR//,7OL[Y2DO\B2h@b -%j)8Ra(?b$o:RM`d.G5nEo+Bo=Y75XtS2A,9uK-WGUD -%B:`6:jFf.2W(`R)/SH=S52qTg92>Z?k?d"REY_8Y\u8,r0=YdDl(2Zoald+asFCJMg7#;FZCJdW)A(K#W]T.Ep77&ST7mPD>C/Aft;1 -%gnd]UT6WhfGG@PChSS*O[gDm!q)e0*nAa2)/B)F-,kr$(+fu81jCY8:jrHQ)!atMAA=YEJkPTVqM>8U'S'W,J;J3:ur$qadm%RD\ -%N[_@G&2ulg!Ej4XM>+!jdPpI%>_YiPj\LDRhJ_)X4k"uR"F?!MIUb4UIE&a<*k*XUa):NUOh0kq#C&_HD#65EO;:?.e$mW#AJug\bco@'Td6#%[N(E?EqJqTfL*W7Xi^aFParo5 -%*!'Q$"-N%51jI4TI$8feF\DQe%6m-G4^=&&$\9$7hr8@/!uIP"+779B?G.k5i=o7f'A+EuVSTN3'Gl"bqjL!=M)VY=rmoo,\*1E:67T8_f.5\Tf="1\$Wj(Qo/Z6*$I+mKo"L\j%!Gi=h(OK_1,7uhIbihF=R:(Ae_5/F -%;tH)T+R/8r`JSU('Vhpq2-FQ]1/ad(!jf&S>c(7Ea"mj<_Zac+1btm0fg4+nJ$J@H!H#iK/oE7CIib]&*t/-Se.25uG4G22gau/Ode1fhYk"ff=#Vc&QN?9 -%aFnql(47`\Lng6/EgBVOFDi"%3V.f@,P4gBkGGJS]*Joamg$nDbj.<&UE8d*A&"IRhV[3(^G?#/f -%JE%u#AO0/$hV0%.GJi9LjN#J&m>6g\#LgBg&DE@/9M`$6L+59)8s##!>&'5\l)OT$%n0)\$`;'-2Xfg&;R(G>UkE"X:'g"('>k1Z -%G.M;c0--!n0Q>PVV+I%D`r:Sq&aor\k'c(L4OLJRb4-)q9?*=.BBVFA];K22.nVZuH'u(_Q1aGBbaI&o45AgMq6s;i!l#TG2BtHK -%f4@&r1O:]e7MHIN+6iYeK";Ye,+]@k(7eN1FL\LY3sdSP`iE7._+1(lM-Lee?@%UL3Oq\P_8)dZb -%e+/[`N%>_5PY^/+&Q,Q;8"`9TX(pq!dk?Dh91I!eVJWKJg9d'V'D'SAmG8O\@rW0FUPoO7P=I]9::q[OT2_s2.0dYC"#7so%UYAY -%-BoTI?si#;i>59ORG"$@Vgb60QFqe..5DZ[TbQn60<BikeWRFp\l:)[KN^6. 
-%X@.a-nQ=nA%7Kp-ZFAoF^Jm@$'>XVfh[0L^qI/"0c;Du."Tpn]rkX;nAFnI#9=]8>.IW3e+I%8pH,3TUE,b,UCh&sfA.`V]liNfG -%UiqgJTP5D.j2GqZStCoL;j)t7"YJ`9N2e8Y>L@5@SP-Po+XINh!hpti-.`;F)2C-qOq95eRuYm+;arcLc.f07qg=IYFQ=?_]EC

'V(m;R69]Ku\j_VAEaUc\k -%E50eMroNNcaIf(\^GqH97tt\q#@W^87p,)h%s>.[PW[]8#qR,(r%<=Jk_9;1UnTb)gW.3*%ZCTb9RJ1TXgrC7p,Ao^$8p`4dIB]+B]bV_ftG]A*SX -%q/l\HU&UXP.qSqD0nsQD[s(#o`9bbtSn+k3ETl3NBOoVLhI+`WL+XYPq"MFBcn;G^/%]XSL7VDZGn-B*ruf'aIQ8K9'XeTLq%\QR -%rAoJ`d!s8k_'`t[^8cE2s7ZHdY:KWm:T*KG(jDP96D\b,GW+"%35Yd_i__q,Q93JhoVZ9*CZ+N?[%)[XAb]cnXEp_e?cDo?_T7&\,@<=mBJh8\PP-&D8ek`,Ld -%qqJ?):@)BC0G+?KFIL7.:!LVC"5#BbcEH77j%f$:AVj_._K(CeP-L400A3MP])Vk?lhra0WfZh!i*C&h(q=lWZI:/e>\'Y#X-HM1 -%)8L+Q5A*f3F2WMSmF'nNI4_.##2p#%dTi72[BcZm?t8;BpGbO4V'pu3";P/+VA!6h39/c?kA$(9":jJ%2S&1GK@gs*ANN&RZA+k/ -%^Yf&Lnt/hq,c]*men"@JgIm*o/`M2G=_4(5etarGj04D^W9*(XZ]9^OEaWNYZ\V%Sk^\JO2aK157pa^]rJ,lia,ZuYh.>?k%7X[t -%?f1lAo)G!j^a;[m:p"JVQ*DQjeO4LE.p#)Zg]p"%Jf[P.`e\DS\KN8CF;df&,HeE.OLmJFT0jra,).Z,#-`L0Ce(Q2o&)6H`7O=i -%7iW$!oD02J#:=Af%@6_.B4+R3\`oN2[F3L0LFWUa<6B7?;Yid\'ST)eI1?1D?m^o+/b<0D@2FMe(3Be$OZZt?23Ml-+["T*I"Zt< -%9*#DqLjZG-W9LN\-.uLNPLq\uOmQFGK*aH8NU!MZf`DoM@BG)4@SK@QP_tOEmTLGeGbA*qEQB_eca%FrX5f-.eCX<_=/1a!K>E$XBj#V36SdJR:%6Pa)iit-d]AA&RO;bSSm#,?g7h"GW]VYLB!M;0ZY$C[K -%F9&hF\Lp>fJ3MhVO*>sV+@72Fk\Luo1D2Z@;P=8l:TsN2Fu&jo(^$:&o_%Qs`^OPK(*GF.?kNU4T[/OBK**((`kM_d<"+_:mA4]@ -%0ipJEnhh2<$_XgPKI:o$NYs\G:_Fq)r"lY\`3sRnO0E^_W3jVPB6U3F+aY$s"/)]+[k!4!-EHt]h@pag&%e4A:?PY4kEiZ*NGU,e -%(esb@737>!o'#eqZ[l\$aCKoR1-h8jk#ItqVFTlL0FH)kVc\sa^h[o]cFsKq?pkE`r\HUKPmI27a4D^OjR'1adF-R>b(lp/We$>C -%:[T6&P6^[V?%3=o+o4WRph37?]H0CN,eHB-9sUd(%.5GKHlH;las-E=/-O69]HiQ)HjdK@9]5(oeeo[B6EC2LhtM51%uhLXE$"Fl -%+##.p-"[Jr-E##.I-(NcK:Xk]o[c2\jO:cu0g*=\d?NK3O)TTnf.[Eop7VdEl+i)X$J551mlrVc=BkqWZ7K%blrH@uoM4'AGP+3L -%St*lU#T/,9,_ -%?WE/.Uji\,i1SQum?cFP?"-=*?_m1V,LMF?`Lc)J8g.L\k82kYVeSnIk(dY+@sFejaMKs;)W:lI?q4q_U^-U5^\:,L&ppQ2d9Mn_a,hEL#.#_KW -%;nH$]h1rZjg;1)ZA5$[#Ma+5Mae5geFa9Pa*nfmtXra4iBtDG=IV+O*%dI9ghK46(].SR"M&h@$;h_od`Y=2Ku'>I@rX0`P>#KT\qe-R)'!m;Y[mAfN/9e2P#VRq\A;W'I!)91Gq9+]V;Sa56*-=_h#W0*;UEJ6Qf -%FM]/c`T!hb+Kf2jXlT)nc(VuGh>*rseddI88(ELb!n3]N= 
-%&RrmU")]NZc32NQ!fJFp@.aqEX88Lu[7@T@#@8@na@X7cbb']\;DkL4_n[A#:)Cl_Ic1=5o64K)_2KstV!dhFPe;7_#Y@H<$Z8M@ -%%qbD+_ub'lZBHFi6PqC#)CI,^gPs-:!nq`W*mK9:\*EgY=8UMS73\\E%Or;f0jTZrL> -%A0[&AggY`PekSgOTVu6#YB*Pg2Q$V*5]F)$1q)-@*i=6f=@Z#!-c6QM6!9T1&6P)dI!i*JSG8"2q4X*Y^jZb==.>bR/L!-+ndPVc -%9[!ou3.7O?VE0ZeNO^V-QSM'hk`%M"ghKHs!`hj22aQX]0m("=Gd7Gd$4AY2b:jh^Y]UVF/j%aQ`GXG^U]`S0_.Lm[+CBCmU&)Z+ -%YA3i$,R-Z6jVd2LS-K.Z.RkV)QpuU)OFA,GS$Y6Ua:d)^0k(:-IEp9:UAY_S`U'G"#_A(:DNo4d8TJU6""nY^H0lU&,npL5L!DO- -%.p]k';nakYVYeU&<.c$)Gp/Z?C#>o4SErnc%tH0Ii$BY<*)/@-/@BphN:dr=:inMtUf')\`YTunL,^[`H,Q;Dk/LP="IG*0 -%YJm>JDk!gGX])4I`8h\Ckp]'a6kNo4gEm5VDTuK+.H'-_(iF%",a;>3]8$opdS:K@FCih7C+kXl -%$\H&M_n_d;egQFU87R^9$Y>HUuFCr51R@'=d))R"lmqPprheK/;:-!l+-p(Aq"*&hK9#bYXXJ^d)?e;&;f3,dK6`fcnZk085!EOc&7mE`0t)O#%_jft;C53,;AG/cF$L'PCEBA0OiTgWEE*$+-8nXb@+GBJSFlQI`d.rt#j=t+S8:mQE5I'3XtIF[Z&4*"cUT1`1!/cPOCpLT,`>sOPnMO2!&1>o6u?A1hn`D< -%(n+aH?M0t>LiS#XQ5C\`rlYWkfbIs1\4?5JB,A^p9eKNh,LY5=NsD:%E?FPoP"LTf\+T$l[1?/t!_'Y-o9:_P>3miBUUoMTUff+D -%M:.X'$X!"LES1rNJ=\+^3Rk"q:U?Go.E+'4&jU1u1F53*m^$faJZZX$p=[>H"2U%t.HkOFW@Kisb7G$NT3ksmH;K(A9_8IO*_T/L -%(?#UoQ"ojLCuEI%V'Cn_IQQ@Q2RM37X7U4dAlt#r>g_F5HOD*uJh?MC.Od!bQDZZ;5pARJA(ZmbY].T)!Td^0aQ;GC5l]lO":!Ea -%m_'>e+QIF@mq=*$;M^R,8e;*IA?rLSaKpsd7n_@f/PW$>8ntF]ZHK_-<)(@DKK*KtR+''?.K-L@;!M=EArK=B&$@qAU(ha+4tZFC -%YC`!=p#^-T/jAlk(6`h=a6ctsrC2)V=hIK6G#)ohfo505(c4#TC`tCYpm?3gF0%'NOegk9lL?/.'>=;kpBPQ]_\sob#[[Z:^7YAh -%rZ<'GAn!NR@VleN+Q,#K>Bk)>Qj6h4H/=P)>Rl=.R%U1=WP0#oY*-`>I$]2"dEZPr&H,oHR]-%;j;#2)VH@7tD3J74T@Y6\N2DY\B&,X?C^*u#kUu`L\en'cf3@DZ@n<-$8b:GMY4@b9B1[*;.++]Z -%(g*^?JJ82YWoa4CODJ_K\pPZa>o\k+#=ZV1LQ2=/JKU)l#[ -%o-Bu(oI4p<4%To4"ClrHe5@>@b6B1X**e*Bf9:h=Wig,8EmdN4SfUmYGt*@J..M;/Zt!"B%KfF_3f]P/,#e."3MJpm09>RA'Vc,# -%A[[I4Xbe/B(4M/pWp\r+hOosY=@">;eYF8D&U,$b<^JJlg#n@U[@;`Ka_"!r/ul$Anktno)JJ4*PL*1soCHEUX%ml.R4KW;5YhjV -%"/iHV\jY@@kfpJM[>U$0rY72kcb[=h010)Y\F1KJ>M+c"/a5>(`D!oAhPTV\YjKKn'GZQGF17[WWY2:uak&'=7=*PQ5S(j7jjPo5&D_XLqCbR@7JDH^JWi^nn4*M+g!a)Zl%hJb:nZ`56NM2W\.h*%0`4*^r:X\(n@kb&m(_LNe 
-%MGffIcr#B*"e%>L#,=ck%Ftt2!X2Pg$k_M07(?9]q&]:2<,P,d[hBLC:/)7bdgetePjsp+'hFZb>?R"n[#dfl-,Fo:<>\Tj,;3aj -%:2IA]ZkPk9lu<`KTcfDj+dcfK1Wum,gP@g"4!30)fEPm7`5;?lo%TB[[+2T6;-D0Q -%>;`a[+qfNuLY-X*+Ghukd6MMW)DDl7co0QFZ$Q5SOH+1s6Xid[&/Y)W!aUY[@VUK0U+Np7_cAnQZDCa1\`C.C&K?As+utY3=tmHI -%GugCi]fS&sT*'P->/aFa/gnc_Kp<@tbA[,>=SL6`gn$bHH> -%@QSQW6)t,r]7tb_dRIHPN/'Q05U/XNb>P\#"ZD!R'5,h)ki\Vrk"$q9fH+"8YZ@QU8GH+qE+pQE(:Iu'5*LD]p_OMjFatjm`&kn9 -%Q^tK8k"5a1D3qE2,T<+r>p4&GZH3&4h#]W,aQ]e+e#OeVP\*uTTXeZ/(/Oh1&=[,1((Mtr#?kM6Pa*dOr\EcJa\GB;1(D"K0,2up -%Zk%;,MY#>d$aZ^q+b+a+JA%>MQ@rncZ"p(.1$(H3LFuL.jLDRA3_eGnb=,M]MU;`D])6@rG`fpg;nndag`4J36TV3&S!iTt[US4i -%;!QOWXt_[c<(a';%Jb/+&ruT6C8Bb=_HPLp.#9_&&pT$3>0TeE[Us$WKfPJ4,cde*/l!8"$9'6Xu0^-5(gSSdg -%J5`d.29S/j,eK0."=b$]=L5%;8u1GMN5[,IZQa''4AaJF:Z\:AK79;?XO:*:_.2SB=`'(g0\qX#(H2e\,esuD<`D39hOqi)4s]dA -%4LO-Q#?Rm!77)%Y*`3Jj$I>rfC'kY-gm3>,'a1t>&(W:rDU.mba8cHfZdC'81G5M+l'*$h%d-dW.m3Bo,CZ1KX=t/O -%eBC.8!(ZJ63Z:^:$&MIKG"bPjG9skE;qh_,>)"$Ejj[A:J/OAUA59C/-YX>Hd^%6"/!ben+TUecM>N\Y[L/nu6!'?9;_51BlL3b> -%i&I3D4Ci(IS>`g9%7*;@kC?ne!3>/k\MD<1;GfEH3t*!&nmO,$1i4[9bTO5tl%5NaARocF-i'Cq(:BjW70pV)<1Y3;M'=)_Gas65 -%53bO.:`c^ZpOa,#KSY$'f`mC.3A*=fATFg -%Pj@"g^kL2Td9l&^^p-9A'&M`V-ZIu%`[;:GVtqXI4?WH$E]>?0i,?K$E.OZCSAZ:>8#f=NmDQKX7j;'m@ZnNDLC#,tU6a<\J7#56 -%5h=T_HS,?W@\D9"79WF5:6m=2:8eqDhuM\138cM+^`#q(2A2&T0"Q\HADmGo%d'_>NuZ`DHI8 -%Olpa$2FP<\W*+&MN?\.KQ^0(-/Y`"PWa"hCF5gI1ni_;Gf@5t]Xj=_l@ -%Ig(C*Q,c/!-`_EG1dNhB_+=4QSP#i52oJVP8L<%:p=es)_JDkU;2fUAFA"3?lC3h8^Wf_D/e"e&$BRN'PQdJQnl":hX/R(<:]Asl -%a_bsi5ThjLPu2$3LDo?U;cM,U.[L8aIoQ5FirOAX2(+V2S)ZuMB#l8TackBj7d<(.V:Y$PKUa*4J8W/!8:P"n71uVcgUBAnE$:>9m(n@o83-S#:`%ur2_pO$%0Fmc)':NZ'^%Rgg+A+]3 -%5c!M"0PosRJes.@%[6El5)?d?h1/%(Nac21k@oIUWN0I\A&u(^E<'S`%c;*&(3c[oVs(Hp\1-[2;gj6a4gN<,o,s'JN&q(db&r*e -%#"Sf*`7,GV":4`:15`:Ub*_]m2u@(M&lJ!gll")nEl4Uh#oH9:%Tcl<\hMdUdqET!)f.MM@7F*K(p/VXpRK?b%1a,bc!jQI"lSi# 
-%D$-8fDUbbV(75Rc(mkqmNc%P6/=-iA:U1FVD)149REM;l:Z2f%_A^-Wm1aOP1u/u2M52U,;oP5l44rAd*K)g(l6IQ]t:od%7dLCS5HM?0D$KM$+$#:J?b0M_k(0Xe/;IL7sJMmq\R?goW/IVAB;0' -%*:u8;1J.M"XXePMQ`>Bj)K@U+j[<7Hm]q=D\Jh#u<0t4rHk&XZUZe-bp>^q/]h]$Kc#$=V:X@Dh[,m[a`d%a^'UFA=O.D-CY?Qa' -%3dGGg!B`3@:4hL4[iHd+&nRsYbe\>)JY9SJjeAW>i&m3fXns)N/-%pZX#LRDVS$tb%LuVOpEnTAdFlEdhrP$M+>sZ\a:_,e"Va>Ft9j3l[[V-%6hK@u?H$j'gA3&).VKkkUF;,\15-p6.#+&mpoea)%H5.utlcH67_uRs]jaA1ik.48Q#_uR$D*#6i3;L?4dPIpad**ab -%U[te-[2bhJMW(9']j>>"C=e(X1VZ)ns#))+eQP*0Ys2_6g8t^ba*h$"2u`4r;H1jrFqa!dKG8^T/ilKb:f-u*G9DHrF.l_r3r2^K -%,_;a0XuT#]T4bIh.NE-mZYE6#bpc)WVJjnRl9^i2aXdK%H&8N#:.W7=")n1m5ZII2bMg4)$^BGrX^-C5$Is,-pJ[[`R/.O's7Omb-If'OJ&Rj3Cu;3Ha\` -%5B1J,&oBCo."73TD5N8V$^K$QM[&i(?O*_W3\M&_/;_`9ZlMU\?l(C+q&#)ghlt$'((0=E_bhQe/"CZ7>Mr]>d('J#p"L][*%O_h -%I#>rb]?S@0DQ6+ACik;rh;G.<$s-(U6"1SW"g:N0FJgj5mUA%;LAs/KL=;gGf]pLn<9'j:ZP<:ZY:V_th'EDq.%Bt/>OMn2!_hA$ -%i%rTjh57B)CDhlq:J\!i@,`PkeB6J\/M.LEH,Xh1rNL"`,16p=TrtAb&`T#dF!`+>qN,KL:/JuJFB!5Aq?Hp;s4\e;Ho3IjZ.(OB -%].kB0]9(=8W2U3K/("f7g(l$8?J%7*:t-T\KpkoM!s%\b*LES=8iWL2`k:sumoMX2MI5-/E?V\.>/Tj5OT7aJ#u:tJJpkFHokAR^ -%oM"F@6ilT[#7S1>YrB8%*en*):BS7(WcdnF_U7XW\0?1lQRh\q*a;tg?-L7`9,IUf2`\Tl.r+" -%O"DT%4lKugX=Z7T^tW%ZfiUZLg!H>P5;8hNl"9c\&ouY!#H&$;/NiI[V=:rhV/W&Zs7c.(VM7l?[:\,tK95Gr1g;WUWADC2%'a8V -%GV%NS9K5DD(7+41_]r.aE$^eZIqNC?c%d"H_e;Y+Nr[R`:PpC?`B"go0EnYfi[J(BQPR&@2anXJ*oZYLX@&Ij@mXcqF<.VEgo*g2,4*E*Eus=)-%CuYn1^rSu>85i>Wp+SlN#*Y4UHDLAo'^6-ucNfc"=ADCSnGWb0d?[M9,6otWHh -%["!2).VmStA51>":C<0J%',p8h58emrgVf2H'siM]"L?qd7l2\#_7.YPaehe0;\o:;-@^WdghKgo3#O*?tR[k!6gB2aTEZZa1YuH -%``J[(>=m[+^iIO"E0LDKC5`EG(_uP1.GEs%L=Z,nWt&#$a3T9YN&oc)"\m!!m<4-obI!Q6CmK.:NWkc2ZM/Pf^!59)Q@W$E^B>Ya -%)]-&XBsFXK=TR;0B[$os(Sm0)])AeNaI_[*k6S_&=ntS]O41\2=f=#lI&!X4A=3Q9M3?tN%g($57$19S%t%hi@d:+:$ld*#f*,?_CsCEP,:u@SPA_"S+q%*bcSYo/di:T^M@PH8SYcMFnYhp -%S]$7Ng38?X,Rj$X'O@F`$OSpJ0&/>7K%8)`]\T\d[o/mO]^.oRB:G6'1O^Z?mm.5Tl!K4'h/Mlpa#0OSJEb)N6I;G]4Jl$Ndn6f! 
-%J9V@p*+%G:?\_Z)-)A#Hr/?*Ch,>TDb97BpiVfp%8O*<./(CdeG%AL5+6qOQD(eL:+5$E^@E6>:j;^M/V;$cV&gX$iWfEDtOtMtj -%XO0M'V"dX4G4@E.cNlTc0!7Y+,Nj%$1i.^s75%*B/HfFh7P+CfLR$_.$+K"X!XEN,ZI',r)ibbg&Q-5,J3pJI'$+oH;:,:0<=+U6 -%4;[o7/;^092[(D-]*,kUlc*#-n\*.T%Q>lM=4D5@I7!@ElY,2We6ML@fH8E()ZTm25/]kg&Nc:T1o[AtTdd"WV:gp`f7/9AMt3>F:*=8F.KH8fRgn`rM;$L*T0XPD8sD\J/crLjpUG9[J0n.=Lf!V;.".83#] -%Ba/r-:*.?`\3>AnZD?[lZ8*Q?!9>$YA)62jYV)%!kTL5t``J$G)##Y3rAam;Ai2=\1^\,9cBF)W&VJLa^M@DDh[u9'paf(k*JAbV!R7*& -%ra>?;2l["a/MDZg@6&A4#^3^QKLEt8OChkMS&]0rQ<.l"9G1[A(R#I="KlA(O]$RP!qAQk;84[cgNiL\dGnr9\!]n)c*:/344Vb> -%)5s\GU.GLA!3Hs+ZOK;BbL/[)Z_"uOdS!H8;0OHmB/VAn-Urepe9FteH1X"a_+%dSp*6ZWA+**]^ -%>5&nfC#^_or>&[&))2k\:BCHeQ'iG,65EQNMi3;+D7ig-ZY`>^ZM9j!FY[s]UmV7F<8#aL,QRHJp3aM*[,-mI_Q6,Mj2XA6:abMBh>!UUQZ>m>Ak2l2pcc5qtroL+BV2H35LMU^5,9;!Gq.N/0%L5(hgE+[p3Bn5^2a -%@!=OeNSAU2>dJ#@"JDt3@[FgFnnRYq3fP6=Ii.9O[L_m(&)hcijH`N19lLY_m9&PAgP)Qo -%OpT_8BZ&77NGhM40"!#-<.Nn/Q?,sRSf>f4i`3IaHt39`2%6r% -%cq.;q`.hij'S_UN\CGa?EJouZFELen%6cFtI4%bC0_nP-11bj1SLei2^,+i6_M^c9)KoYs-s[,rG"68o8kqCQW/9P0L:nJght+*t -%@&ZOd&;*\LhumkPr%"+mO@Uo]iDaIl4:iG1]0fLB6K!!][K=(Y+%8HHe*dOk5%:49h70c+Y[56P# -%fJF>8D,]l,o,[FUUL.t:_3U#mXSZAYW*-P'&j!]SINg?F@._o;Dc=*"Lqbhp.YDQ).-k'4A&>DKcZd`c@pUNH6h8'dbOM]u/]e6@ -%$\#NN?e7N'PQ.Gu!tlt^;F[i6p*7kpRoIPW]`.mp(Xj^79X);CV_hG"1IEk<8DkEf:@*%>4fudhe#[+"pG9: -%[2/0Ba[.C]F7@ct`SAfC.okEp`@GT1+M:(f46Znm*AsDGgM5&(qnF1Il.Z=heb7YN<92I4'f9E*[-*9MXt')G'9SW3'Wm([VE%c28ErVEW2Y<4"<)Ar5,T`!.(b]Pf>Y-`i>.et=]C`n-;.U@ -%lR"EcJUX##$&]__d<&^*BQB43Ih(s//H#)Zl)QA41`.%$@OFLpLNS7a13Urb;oQ)#.>4T')KBEZc"2g8Y99(pMS4`Z,%-rbeus't -%5\qq-f!U*P5jBTBZQnP*m.Zidi(K,h3LohcSV$Hpi"',B[@8$%3R"sX8;]Xi*6WBCK5$g[Bh_VEK=iOK?.d2t8^4;kiiY%41E"r1 -%)(6B>[$eJ].,cFt^CpI31_@WN\AWe^;i<$oLmO7TF,u=\*177X[)0GW_\B/0%Nrn,eP,]2EP>$iOpI9d(0NYoYRX+Zb2Khp$j2R% -%-CB4oGRi179h:l#AZ^ob%DNTo8KWb!]Md6B`fV^pN!&+%))DpUIu4.QK)[TdBdghZ"Js^F4=k+^4]j\+]9NoA7f#"Z8D;Rh:(RJ[ -%%[VH`@qUU+;Wj^;@$U!>r*`So2X6/n+K6J.M7a>/`@P:Z@UF*uNd7rC$!iJGS2QNOlfZ$,3AdZ'^5UQ@`]jO5fZ<9]*D*WY"=g[# 
-%`]UqAK706:PCR4VT,Q1q@3t<8d(0<@+5;[1TPX0KA0ps0raij$i7++-;HDe'K&[1om4#k"))>Rs[TGR9Dr)8W_[3m<*D"$/;G+$*Z8uTl9NRMB -%9*HoI.9);gR&Mg&nms,B]8o30rbf,[2L2Q)-pS$;U_Fo'I@4]B[P)BKka@#i(Hh=PFO=o)buRFaYnSuY3hM/)6[>(M#;m'5+]i[W -%(28J+2iQfPic&i-^6Wa7Qk#TD.OKH`GIbtq*9(&8>(:5H7o6$b0NfhDpe@fZI?,t9WVR;Pt)ET!03eU1khZ\-'Ca+uL_*lKUq9)=dVS+D(JSGO\ -%3J521_UuQ.5B_rg.[jd=E+s6ElI8Hk,&Z-<[n/T$.H:mj&eDbC_?3;BA6>i"8#bD)Z]'KYE!M,2qMpi2G5/A+IFk7FMl6erRnM`` -%$rO7@7^ErRIC*ok=AmdR,X^M%L7)/<7N4'l%eA:(T&%VXl#`8[NZ^)Q7N<#idS?*=iRb]1UM2&I4-$qUZ278%!R"@IKMOHY]+'&R -%$m4nL.U0Hr,8l%_%6mP;;9%FEB'CTlI1>me5)P[SS=lR9\BoX<3Kau^8"-C[E?',DAL-iAr8h3VeZrX8&[s?W3)O57\bs/P)*I'=p!Y&$"-.]pgLR>$u's`ps#C?rV,([DZ^[hfn@*50b:Z^.)`#/Vq\!1&((b_$>a99"6-7!M -%)3Me=kCu'[\ua+c&VQ0eU=M_W?ogkdMcCW>!-mI1EtZsVSb'%b<$g;l$A=2;5Js@!IFcKmsq,N`R[djLu9*M&O)ON -%&kX7kXMmqhnS:RESI;u,A;C'pk(2bpL^F3=Y+M)t&oW=R\YhIfn,L$&"&AAc"bXI#JOC*7TE%Dc2*1usXi/pr/BDsK2+Y>oUVdm< -%I2^s=0uVaD6/a8G*/HM("e1DRCYikKED6cBA?1R3@Ddl -%'%O/%Y[@ss5]u5QF1tfkj(GmcflbsO+G(,(,g&S\mAmW2!+r6rU#\VGW>P,$UfSWJ\g.4+PL9X+_&qN5+o&A1D,,Na*Y&c(i8.4+ -%1E:!KAZlP,;1Gle(f\Ag&_n+Y]BkhTdCHAOK4ATb]Mg.+;hD=1R,:^F^lBo+Y\10o_R"R-*!WMXC6Jdhb$AI0b!4T)D!siF&5-HA -%D%W*>Mam6i>]JUG$Kd=CLsAr]('0+2/nsR'k9Eo\OY]8k.Y@14SB#;)cH$@VHMVSig]%`Inbc1`PiWLLVccR]&;^\K1Q$=Hloe@\ok\ZJ)bTJ%'a:+_S!H@_VN"at)rm?J;^95S.MIGt^ -%X#oj!:'/+T6V3L+<`>2eB_.1qH"0+?t%R6^,Z0 -%MUF(r7d"Fij\_RCTu7="a!)cMS3hOVnF+8c!oU"ee^G-O2V$<[feDA5PfDA?([>Fkc@Nadt\o86SIF8%U/Q-RFG?9HQ- -%dPsTGNL2NW,p`@fA#BB[,\DI#,$19@X4[=RaFM\Kd+6-mq-Qp-Q2400^!1%FDR9*?::$oL#=lYZ;Y\Yhmnls<:gW3iZD_qKP/qff -%?'cqu)`_4]!psOs+<3(pV/QJYM\uX+#bo@9$m]%(Q%/ouil7?Q`kmqhm-I(5P[^WiU\S;nLhVi3KW(E0IeECp;1.#O,(G7pbdto` -%rN!(QS%o7Q38:AU[Od#65o0ru&dTUK=b`G$FI`=pArqNDk+B.dmZVX[^n9#I71mF8F1^U3fcpT%J6SMe!EauOM"Dp&d9Nb"'F)4] -%Ui\?l#<]pq9p#s)n7q$$juF]iSOm@TT+Y4U<5:-L,\9^\%V$)pLIcllpeO#-/4#A(Q4lM(:e4"FR.P$+p_phfIQ"!9'_$%2@9JSA -%%'uq5mQrpe1b&I)7cGlW+R>:e+fH -%lj.h\-6l3D%"&;2SOFn6U,&n8/qZ2K@)J^mfa)N@FG..O!3?1-"-1dMVk8RIPY@:/ak2@_,5u7L2S\7PF;jEPG0]4pfB4Hs\S\0: 
-%dcPfc`Ffs3m%p8F%"e8lA+KF\LQN=)L&+O(A&U00sd;FjUlE6]>&&0!") -%R/YHnfRf$!!VV+J/l)%h?aKGa+hqPloRS3$AM$eWFbH+*-;=&W2=*N[U=Fe:=R^m:E@f9EL"I&LHn$Ll;bV"bX+fc`da -%2D\s7hs&i;eR,R4kWddu`$Z@F/Ib>Z1#K%bk@Ybi\Xg'-5O6J*bUA(Oe"WYc^nSPnAraG^2)*C38D,N`.lTW<'_1\i;lsq;%05;n -%AG<5:'6Jn91\bI]I.$Lp"TPCRVob3<]*1.o:+CX+"gld>%9k==0Y=&:)TJLcR -%D)%'EnY.M-@ILMbQ=Umea5V$rGiU_sd?K,;;*9"5Z]LJ%q*nFL-pGKsW9NY@rN)LE$)d![J!eIudmFC`\i0VL)`lL0[c+C.3B^&b -%f#;(LeM$:"AL-#`^;N;H^o]NoWb`pPVc`35ZPfOW?C#B8i^utK]j"&K#;3h\<@C/+"fJ@6A4$\_(Pc$LNb:ed -%Go?H;X?eKhHp5tYR_sm6\u+b3[$p/$1PZ`[:l -%;FD>+ebM$2*&d?^7&:*<_Z'bXn8o/7X73HYg/*MJ3'a<[pZn"jQegTiKdfKoV82=U:N$V"fORusVZEXs9UOp&AM_s?=a<@ldjRi\ -%ZjUAZkD=&;W2;IrPc.?gK]2ugmc<0O6CqG6QE[-7+C2-U?rHJqs-2Om#5]k^Q.Z]@0fShkROFH3S,/5^H8SY)@,=+3j1Z?Wi]'0g -%U;A4+h.2A)N#)!jKHEFJ3.c/+HB<4^9Q(Mo[/J)N@2i6p@0ipI'ja,%l#"+J7?&\\$ufi%EAeN[ -%l2:TO&bS"iHeDsq,`6Xr\2&l0RL2YATd\&r@o%r\DHZ'4GCQk>K9K%ukd&KCZ$ohL0Q(DH&Wn'$`afeD$pDF[Xe7Sf&@4pq[C?qt -%5%C^KPAkt_nn-/g:M0.fR7J?,+nUm[_33eKkFs7W^Hf-S)+F$tRsJg1-U-osUl\hk]2R[??\a"E=FI\7rb%j>B&%[Wdb?fcS-ZW6 -%ST_k<@G(Y#8BuHmTJf&b(bg8GuDQ:d#'u/_mnXRi7HG$leQJY-d"?A3[eJaW$FFpG#>@ -%?Jo$nTeqj&&I%2S(rYJ0qD8lt@=q\(R-B@[d:0`Ta>*;'9CFuQQ\.=sXb9h0p_ASpq-*P,6Ypj?WFr4#V:/gh&XlJ^3:pVXA5M@65 -%e\jD8a@$W1,rJ\Pc.&jXq-t!@:!72qfV859:08;IB6HlKSGGdVB+sC#_(f4;nX$8D_rGCF:f/=3MN+-`!JP/P:VfYpQ%K7]O1V`s -%qeQO."Ao4!=#;RXU.Va@$PEcd$E;&k&/RsKJ86IYZQkq*cM@6*J*9B2M39!,@$s;/R]T5LQ*GH&2Z>*aR`PCMY6tJ'BSeGCiPU%% -%X8c:6+d(HL9Ms=]tVT-W`K8l;&RO"E$E;EFV#CdP:'(!>oiT]AC-]8YBEkr$I:G`Z#A=^LA -%<4:'XTgY9H\skf2@rsYT;GGI`4LB[U*O>*Q(R\![*!.^0"^3kYTLB8AKgVbnl#%::mo>K^"h1TB&^;=/]t3X$:q0c6!((S*j7mG3 -%X,I\KWKI?r7X%FQTEs%.K#+mOklDYI!XF/>%oKW1#>1`#+oI@"]1%_&:^Y(=2?4=ci4I[R8PA)UC37jrIl`tuAW,+f.r0p[;8U0Q -%?2@4KJ]Y[+RWUDIB.<$5YhL`0s071'9L?CF;7=%"XDZLf3K!tf-gDW67jer"T>TMcB84-!6^UuID*e1\Q&11snd.%I'l)f?=.A63 -%KJ*?fkhruG&;`N@e:],9AI:/a81K>;.JDiYk"GAt]?usI%$GB%%69#+h.5jaFOBYtX.]-P2?YJAVXj.g];*lB>%\r.],CR^(ECf% 
-%#B''#`&8(m`bB)AS,'>JBdX9o<&VYXZOPb>AK'H?'%"^#_#i\V19J\lpiIXP*Qp3-7$6P(JL$/_=Pob4B$H?MO$ngk@/I1b+MeJ$aDs!4T%GY_<^!?31;p-,DrK&^tXTlg^o"[4+[#HEdF[D[6B\*@!PaHp30%m4C=1jp=Xm8M$8fg^]]mQ6[Ms0>AD[.7Rr$'C072C1eUkf9j^o_"uiMGPX -%AE.2V7J%5YkJM=YPOm]N@`:uHQ47/borgPF,^5W0$NcG(ou-bg/<6+UI&C,(<=gHa6R_0fT7H9*67_T/_$j/ILa&cCK>Z]fh-\,Z -%`s7o1O$="#[0-.l]T`^Rfr3uhmG3G8^Y?A!"Psiuc)@3X>$^b[_G@;.jnh^JTjoUJm82%$>Wu(0^r(221ZYZoL'^DhE)8=97/rur -%AJDSZ/@L(k!@p@ghGrjGr_AYlfuLl2BdB_mb5>SK]L1;u#pP/q&Bc_%Hn==#99nDl.OJctBnpM/(1rO(%6U\Z:?F',DKMDC&e?.m -%,Dcj5_HKL=gukRbaaKeRVNQRg.,[X(`tqa#E-`b+XRbQSZEm%Tb*`k(HDd4[*gV8Cj9?q,AC?7J`:K`PdMu-8SV%^h+(Hb=mZ0(c -%`.@b(TN4F)JT>#?iFT8MghWD7>t`kg@e/J$b1L1M9,6HF^E:3Lk;Xo*pn$afa%T<3>HIUI!-4ZQ-!1PN-t=EtO*ju6Qc+;q>W'1? -%:-Gr$j/E6M,J0eC1*flD)LlJ5JVE>rj:D?iPpV`:Pl&VF-ZHp9E'u@?L&N(7.Fn^/3 -%Y]@.3TGi/F/IG(+-SQs,/(i<,$%pbXW)ed(OpA"A6"jbRFqb.]@Cqt++mD\%j6Iibh$4,c]DLrZfT?U8^ebQiR)6j[9O6]HNjb'^ -%Fhf/l.SPR2V4"*))#8$;)&!%#IF-;qdm?&HDA%WcU],mBeM9O-*+],C6X5*up6 -%n;fUF4V)AV)N+/@%_5QOQD&>Pb`>!.7-*t.>t![FZAk-FY>tbs/8W!HV1Z+KMlr>d:7Y"]ZD173Fa8i=P.)]<+Vt5u$:9MJ=7[]Y -%9@gdY%>SoVWc!ZL,XLr"niB19#"`K"5I0\#8d/ -%-UH0Br^I^_s0T(LeX\qT9',0Z,R`&Ng+^rmd!7s_:0aTX/b;qTP%8DL9t2[R3ab3IJF.Z8R+1O(>CZqM*4'/'k_,cWhV,5aaU\5a -%<`+N-iJK..hNFTN[nh;TnOsnoH6FO:_2FL=\D-Z5PH9#$bgPg!D]hfJ_TA&]g!o_b+tij3qu@r;nSELGa#CU#3)f1_[Da)eW90h& -%&,UC'7iU6r3)mHl/@!jdbd@g5M0VcWS]O#pRhC$I<%&*XD'M`74\9$O(NSk5-hpT'>;MtjqK+*iE;\_s\Hh-7-K -%Hd\;,kY`;:_?Ku1Yl=t*d7>EWe_mY#)F$hXqC<`s -%!L+Q5(g)f-D:<:N;hjU-*r+j/Mtp)n5DJn/s1E*:kgh.P'KE0XgoZUhgj*_"&?*_MrmHk*9NWGFZ1/!.!-!VF,])0dmNi!Y-[?f) -%IKOk-`3%$1-*c<*CJm:dA5d.g=U(if4GBdkdT3(=+!^!DM#iO\A-2OAHoJD0QoAZT\<=qr81d0^#e:*YeF8]=(Blnl,)%-u=IYcF -%r`aaRi?]sVs6/'I<'ZRB60/),;7Zm%<'$-*Qtipt_0Z7WR\WcI%?l>$U>udX"rf)&R(uf@G=o>Z5n!k88Q()s$1o5"bre4+PM&6U -%L0D?X%I5IfZG;SaK:G2L?HQ[Z^lmS0I=Gb#4h-c#h1YLh'.no3\-F,;!HaJ%&6m%PN]eF9TiqK -%ncu+S.Y\U]@gELa--n'f.=HB_=2lA/oQgtc,L8Y^QMD>V0uP9k^$L[T>6?(M5($,0V`W'RT57&8`*"PnY#;-TYFs>E,pV0!Z!=5q 
-%G)JJfmBKUdL42E_(V]qaT%F]eA/Z@[ZJ7HN6#[f`a,@FD[\71KK7IfX;PC+FbPX*7Rq[>u&1\)+)'RNCL10oiINoJs2@L0"&.&M* -%e-?NeIrnYG;O1Zu.^4pe$mV0LV(Q_[n^su?3QXmO3nf0_!(n5q[9k+@JbU#kR;-cLiOBGj;Q)7$qf8#Z$Lf(Q2*f<;C\9F)Rq[XO[F=men?0JXUfShQWXsF.9FboY]CQ(4,r$^i1,s?q@."XCIL;?(0oA$(;:;)VO -%mX9"3Xn\W*f(i'AXhs4/Hr6Gb#AmjLjdL`AN_Y,S]9hI1WEd -%:b[9Uo4FVeQ+Eu6UFgS"#Ue#L?TJp<*sIco$(Sd>E#6$*oR*S#DQnPfB*muVl2WYH2)pG7]hlf\Z#).,W"_"?=+t0'@KWF:lSK4> -%P&OO2Zl>VT8jgQO.##2W#`sJmh1p83cd.2J;^iZ=_V5q^GciUd+C3L+1p%/Ae.?R;XBbSYJ+kR,RVrOgp4j/4kSmJC0K/1XfW,Xp -%k;u,r@%1-=YRh`^c,cmo>)FT[P\mEmaP*HC>4-')_?NC`&Jdi>lT*+sR42rUf(F!h3A&Z(+0pPLJouoA(o?BL -%csm$61=4)J@>gcH<-@9bj_&fo`&L$-$L\Xn7&kf%`d%rq -%ISA^"B2VPI0TltXKFM0]$A&gHra.;Ei\#!5;5?2B<>1dJP69["Z!h>WPh22_EAc)VWk6E8]jf(=e>_lXTMNf4Wq&b[icM4Gi*k9mFSqN(Wm5CRjqFF5dc2l='k&#c,_3-FFt\aS&$O`+82ddI[Oe-L.ATb'CWZ/h -%d885-G_f[a<>si;,f-VI$77>)DNZQqaQ]-M>+$*VDa9Gh%re,jkZD^pM_V@ij)4eVlIJI'"f*d&@E*[kiOoLWJ=.AI[>`@-o"(lp -%i8T]uXX0F*l?3M>nq]i.B"^pZO*NJJKq+Fn.5RiRi&=>";K7Nu/Fp5_gH[ZG9)LP:K,PMp"_*n6"B]W3EM'&Lh,dKOf"m)MRLCf2 -%>P9XH:L=#U�qm^(B9L6P4oJZf/cQ^iIj$g9?*Run?2+=dfR -%&^_0,*6o.?beplu3Vi.>\8$#JE-=5b9mJWB8pQ?*Tna8aoE`HqE%ah;(/8:k0OR8h,%,GWp55$A7G%`="uWQ'<_oSrL]Qm7\O=fp -%iD$#h'A+.D01ljC:rS0s7OT?!0Uf<4m&Fs]N5*SWMjPJ"c!-H8pJd5KJ/g"Cfp1uC3>FcT$AOR1='k+7i24;PMgscqgd:WqNHt]7 -%r0[MbL2/P>br[6s@Tf";n`j)3=VB?eW+nj)JNLX\6F:Gc)B\K-Xqp;_0!7abiQMqZ"(e!gDQT_LpiP@40>MPE. 
-%L"0dpoGW/A#!O,9_=tR%Nu/:aQrJp[I=3<.blS^qm`HdGnO0'"nB@XpnD@Bn7gJ.>l9uN`2t^>T,+L^I#FtF$9@Zlm0[6/ -%#o^AhQLc/qps(STr4ZUKoqqnA:u'l' -%XnLf.?sb$KMH*l5<@U7tJ0cGuEj%,SbO@9#gXZD(!@#VUnVaWSKo-\ET0.6D^`HT8-k)\#nE0rq]0UC/s#cE-"lCpi]eTuj4W7??7* -%?M6kGJ/'5PT/c-cCp_0,j9[9O#m2iH$`+m,NQh:($_e^;%o\K`86_\mfP]K4^2].>s&7gS^mlY->68nIqaFI#jA)^I`Un/$ck2rB -%F;f=FPRAb^ib@-$Pl-b+`a+:X#fL&S5*>nKc$VK1S!rtUjT&oQSYr.JSe!,bQXn?\#W#Z=3o>fP6(/bWZ41K@SA6kQ%\]qpU8 -%bZ!![P;`sRmD#4Mi3FmpJ>fYJ(^Q=A%bF,9`j*a/FU0Y1e;7/[C=*I*K+V2h?A`bd*R+6Zj1rqqkBJ`K9,@V5Z6AKja)P:^$:+5r -%m]sSq=r@aS7n93)TAoZC11=t3U;fjl:K==le9=lV1FkAiR)2da*"`"dl,.MDbHC@o$TKqsRG8nFKmDDG2CC`O`pjPKPu(JA*[r:P -%1Ui1qaC>#VL;SZZ"%8$V<_]"`*15,B2(-#.<)9p;-]&b^74e4mN6WR45hFros`c.+mb@GS6>i=M\aHOf:cQ!q>kPRk$F,2*;DukSM*'86`g*T -%NIATOo)%28X>>leqnS+O]#B:u*d).@o&NF##+-H0^``'"]"M$r0Qe-0RabS!bRUNbk`'1K`(]F&Y,([40RO*26l -%YZUQg9Al@d#cYd:6,1eodH\Al4(XsQr[[ig8SR#oTW9Y+H6/;;)$Vq\lVrIkbtQo/lED6UruafXMoPn"=0J>jiPV\)7+K&nc$e+_ -%8@BS)#uqaG<#DWGA6/bcPio\_VnYN7ZuK1[L(oUA^_A[>%kM9l+j7Wb:u:EY -%3?-YrnNmU?m6Bf!Jq_pAKtnpq>CWYB#a9oA&-l+$,RnQ\!hg%KC0RA],`i`H:[OHg -%_nP$P^iD"ia7D3g%qZ[@\%6T/[KDG_JFd?pQ6BH9c!9g;W-U_0ZkJ.L#/$lJ*_Qgm"RqeG=[EfjPKYG\""Bic=&,0,FegR(\'baV -%%?5O=Ub+Y^C"BELmdrXSG[_Nf)UI/S3nfUNj;VRCV]?0i)()k!MWqog&,EhR9F2+@"AhY^=h9m?EbJW"fU=uq[d"TKSjM'D2)H_r -%fT/R!!#-aK)\`439V&VE6U9_`@,eL"m,>W"m&Ch.'?_gnl1g`n4KL`Bf?WV[snLM6aX!Pr,]2?US2W([ULCiRaBCWS`Zo."1L.t@VP)G2;*%?)i+cZFpF -%2J0LU5)6\)?1?hNO*\l9`.1fT[H=WNfid[+$(,,rR"/!H':)>pN=u5A.+2T,2!_sZ76FDb%ZjAE.9.S=-PjRI1iK^r"ssQ`9Ytsf -%3/'1D9KRrtV/j*`<`k%qm:,%q7XgCJfF95mi7Cb3fOf[;0p_nP6_W8AW+-EP#DfpPXeQJqDR'io)p&FS_W:o)=CSX!/+OP&g[$0e -%En$lXTn<@*<)F/+Y;!c0QK6b`34e=06KB@@(%<:6Do3i`'H..C;&7LLdNO381GJN#5Q^[W-fYBnFh1>>%X"2!YU$=r,7r,OXYT>J -%$t,&#PJ2hD2CiH$9*"ujp^5ULV>N9!Qg%J0Ak>IMVjJj(7W@c#[.Mj5aDQ1E]"-V91b4VW4OJ:uc7X'EOf068#/6Hq/=5*O&N61Z -%fcUZq\#sf]lBmB(7,K%sGa&jDkam#%*@3BG_T0]9hPS&bn?NVLDYB@(Jd[,)(E'.'I5JNm(8U\Z.R6r$^gHZ8Uh\?]F5I=5VB)!pa)RDY 
-%;sHan_NU]bV`$=j_T6VHJ"VF@/AM;.!Xqs,CSf=gaNLgYJ`2(ej__;;.ZZEDW1!Y93Ou[/R*Kp!gi2SV\P#+.9/??)>?HM@7F9%O -%UETD+EVL^JP#$](>$i\XfDB@BUjidHDC@M>-&kRV;2G1M_3gqB\JK,\(IP<$GRDQ5&!.Y&6_gr!0D9Do_)gP!pMqAT[YZ9PU9 -%G7W.eFB-g\f."-3L81-W#^*/nQ!(Z#Wi9F:\QnG<66YA7$!l]564mms&P4;U4-C)ZE7lL^m'^&Z/cW&%<&mRfmnSW\?+?\<"!:`@ -%Ve@jt"X4o?I2\J*m4nCFBq(f((X<\e+FcI\5Zb6qFM!o<#*?B3jCY3"+dp(biQ@$GFY@T&a93(@D/s*4[BeHJU**0Fdb><^1[WsF -%'m@VlUtKe[_t`DJs'o+.s2q;.4crTe-:KMD/OSpsPMAC8?4'+;jp#V5tJ($Pm5P_T"t -%d=asG0#ZMAo&Djai)?["[KjF5*q$TOrc1!;lbJ>ojOC#c;PM8K)nsO+HP4A272Le/5;9reDHiqYQEhel4aj([eQ\7,InZQgoM$s" -%cN(P0:#oPkj/.%;V8iuS4pD=RMsG?Ai5[,=>qd9F=M?B_2W)qY<#30_bE?P`b4>PKcpo<;O^8 -%;1t1EEg^`%a2+osQLGo`LjnGIOQF&HWOXH2Z,ANu4c5SoQEH=7N9S$&0=0I@E>(?9Md=@HU9SOp!\P#m0Mi%-\'Onu,$>KGVJ7F7 -%WT/ciF@Pj^c\_jT,&%qqLrc]l00SR#o6=&'3SJhSc2jtnT030hqp3uKR)NPdDj)_XJ4Iu2D3K?AKi-NhLVF*C#I8$6d^r,T;D?qG -%/1_Oe_qdsU1#lLKaCH.#\1VGs\&^_8@ISY`:3i:JTA;Z*;*EJWP/U8Hh>d)SN><3L#J&UE@IoDmhlsDf%Q?Z#EAt-ET1%3\SCb0lo3le;tu$>:c/o8&lAR` -%X/&@O%u7L)\Tr4o5R5h?PO+LPJXHO,QsHqd:h7`%/acd0e5C0:pm.FmXo/m@C-Ehr@>&+d$$[s*:El/Cr/T91.oWTn!t"";G,`3DbQF;.7G3I-SFAM0h-Z,gN$P6&V(]7S=hJHPT=&D!8F[RibTV)4m5[PFh\0G!m^U],0s;.fVnit%rS -%oKHe6nr(U%crWC0Wr#oYQ_$bp6JZI\fj+%("*pA(WCfG7Q>]'&Vq@F823TcTgSc8^V?g'GNaY'Y!TN]MB_40H\+u$C@c^K\MCcQ/22DkfJ*Mi^H6>c5WN8W>\*15#ls#(Y -%:l:0]/g-f8$3R'$AA[ -%k#?JK+Ya.M-H"q4!X8@]0uPc1i@cj\,5WQAF:nBR).UJ$NVG62Ui'EuJ&qVF,1>J3s.kRJ)krhNV<.fS5JTa8.=k90K1(8mEj)2O -%]d./[3e..*+\FYkU.nJh80PEE0OXL+PcSbTfTC0??p1CVC$^@oQ6Ks/_nY%PFS7L&A -%jPSp6i,(Zm(]TGoa`aD6Vl\sZG#fB*3iNG1@U(2-o_iPs`T&Vr/nn-);8]^;Q3,PcMA.1DLM[*L\%os^9=J$l!0;YDAp78"SdQmr -%)/=oA2m7C]Sg2.2L,EXh=IP9Uo4k.3*!04nUG-DL6L)am?krKY92ohZC5s^"!Z>H4,5]gd/[o2A@g,UWKLCE4Ijg'W?2uCbgP,W&g;OK^-VI'dmc`5OY:t_A9NegmU$[kCm6//VqUZu -%YTcf0MT7j"oH.!JZ[4G;_bi_EoHC4WZMSM;J5p9IdTM5*fXU%-=<7o37h)$&a2#+]'I!P`GG:suhlZUlro0er_m45spa&&H;<"c/'`,EQ"[qP%]=:bs]FQS2)E+-ZUX+(q=&MV$$&*.R9V+W:n> -%q,5S"!.A((N]^@P6DncOJ*GSS5fC&uFhqO"B!9ZU:#O9&(J?Qm)-'DePeGd^2^;W,uZ37K2ZncL:P22a-^bS 
-%OBgl!$M]OuD<^g=SQ21]U9O)q;.`J<]1&Q`?3[8?\Zg'&FAPY\<^J`K'i&)=&G" -%4WGiX?Z+\4]*MXPH;r[,CE<1%alXOrloJU`TJ0_A72)2iBF^]hY5&meP-]F2P@K;PYJ\YC:Q;?Db$*B[0TLD`Vgp(E7Lca\su -%mT;?Kn9q25N,uJ?^7H$D"=Gf;?t,P@3MkI#&0c^Mb>O05!&jbgDKJ%WcaX2+-A^Oc'PN_]6bJ1VO%-9>T%_X-pKa:IcqKM%5e@I9 -%Itih>5Wfmo$pPj*9f_W7PRJ?_^mU!dJWR]n91cuqpRA-/BKY:"p_]h2TEIBL,l)?g*ask6\[0.^1N+%H8aCs:Z"o!7$Mfgh'`M(h*JboP];cDbUF:4N`<7PJ0NMd!,Vlm!o0)MG*+Rf$E&?Ql -%M3P8c#sJQ!'=N7[?#*$)\cr1h[,8(5AV8&\q-DJr0!@"CJAh&E8q)UbN,d)Of[B!09UE#@;+Y1Qu!YC+R7+#_Z.'*?rC;^Qb!,dlK&, -%]Xktep^SL:_+3-^mI;up4%rSqRsGY99tp\+**I"1jn1EE7d12+_Gioq7B$g)MpO1N(8"$rCTn-gqBf7&`E5_;2'pteT!u?k.;Z,% -%5=D2-tdQmQ^< -%St@BBe\5hiMFhOpc_*&J>jQ%/T#H+.SQ.-S[rcSp96HZ&p72B(Eq_?J0#Gb;;ELSh&ncR4FR"M<]Wm8t*J#s.:sH3b)N;26#6eIt -%Do*f,Q.W-545]c\92?&js7S,+RRB8u\86(\qa6qli3Ma54*7]:a)0V_SW^$1nLgi`/N7WYW:5&@EVFp:aZ^t/==5a7i7p[9+&X#6 -%7E-n'><\9?f8=pE#pLo:$7'9MEpP-%`13,MMYPg>8IhqR2FaJl'>^@6(-\XSCk7'CpG,Zd'FD`X>m8GLTLdlBa0_'a_4HOI5/3.2 -%H9$8,KMn!9Q3jK\Ejk'"+a*&Y_k)_lZB7`r+%;s(i@S&6mUUS>Vi>:WnM=8B_9cQnA0$/kP"n!,d.Ts;oPlc!G;D@.jJ%qdc?FD: -%X%=Q?;_agd=N*qQG6\h=;>+3e.\`W99_DjBh/KHhA;sOr"iFa?D-/AiP1%csSMq3+UWGXJjPn)\Z&]TK$.,3_i]W3gV#g@@6OW[- -%s%pjnWE:2DJ!*BEKJeihAUpD#nF*J5Pm0W@jW:-``,dJ6iaD1<)XnRU3=)Zf]g1-Ki9iHi-aTi1IP%spBS]%6\Rg4mX::nsG*[7! 
-%07u9[A>plS=1]C>SB4M],WHsHnU?K+mZ'u'6@OKTNM3A%L7?t0ARKg4eqhdu-mE4BbAM/6s7ti]pG.Zs:g%/Fh^T'O'n$p*9BM5u -%r:p5]YUK-K_P$A-s -%1aA6P!in6B$=1"',4fHB9GU806J4sj$G))QT;W/3`)\KY056'H6>/9Ri]mf;s7q",f4j@>f*!+:F/'@/dj`/X-j!LeDYK^4Ku -%Zbn)tW&'pAg=e6kZ'njRUBm-SLo6"+a)/k<]H$Ze85I@T)"0/B&b.Zi<.'`h3/Sh8I^VID9J@m#dD\)bCZgaA1]JKN%9U[[8c+pa-HQA/K -%;;Q,20q?`(lnER#Pf"WjSg\5o.Y5?I#$?i%UFJ^\P+LrfAEDL'`)JtpI`gs2JoAh#<08@r[muS$kp\fE0Yu^/7&O3@Aq.2"([M$Y -%E=oXjXu;J"B''%ipMRU+,[#q:1g%<64X./;&OO>4P\2i -%R;L]*mBr0tR?E-=MLr/O>kQ1Q=L3'?+ioL;m$@ul(f:a',SlT>dQ9::+r&h#M+Jkfq%N^WISb(S]n:gi@"fnc:j7qs'3>)p,1j1A -%gA1TT'ch@)G+Pt\Hd9]LdeSm?L@nU1>Nmkjo'qNt#9<:aSbaqY#$?.%otU;P@\-[F6p:CKm!T+^(5A6Zg'enP*Ru97fTBE(\0arG -%M6$ht%]F?9*"ofM&Q-AR9q'^HY't2i<,71F-RKDk'MKP=n%1?tpS)F@'h@U1&M=J&*e8>LjGTV`aI^!6g6fJ^<&)J7=+H'eEuuPp -%E4CI+RoAuQ3VrqAXf`WAd.T'B`*bQch^8!2F&@P9'.pX?67p1m\fX*`NGBi*6."j]J^1j'/a-3^kKSmHAb*`N`K44^kFQ.>G^4J= -%QHRW=]8`)[BI&NAgbYT35XSClk,FEEUKdFPTZMssV:X/7L`HRT[=)'ukiU9&gXtLp9J%(:i&>Cc_gKXRolDC$j5PM6+%$9#jOs.X2QFp*gb\qFdo>I5i7Mca:.Q'a\B4QdMBAg=O>XKoY-(?4;,@Z92ri'n[jU9Z">1X5fF:=#mM4G#X&`h/2L^QTe[g(`[#F>,gLRX&=frR]j=-!_aJ;W -%*G]2e8I_/l1k/J"=B.1uQ.81R@Q?kR40FL[J0$lKeX>PY"(r/:maS[k0"jKG.rWMj)T;%^k;T(KDfTKHGi]rBB3=)%1]#?3sHjt/jFVnf>3Xi7W'U+W-_\%#2 -%n;`5R_)4[2+@re:CTI@W:,j[EeT8:O95=(UV)L;adu<8P\o./!qf!AY0S&i?`FR;C&j:@o+T9O8c'UF5aQ@5HWt@&KfG(9M@UjUK -%P:DGag5$LKQm^.T(L=e3I86F0U2;!HgETC[Q(SYBFXXNF9=qK69t0dO=P^M,,f="`Z"E$Y$JeG4+It)>\piqXHfu]5o9jM61;3UJ -%G`1^"%/rP1gYWU2K*7+E%d]V1=hKj"7h>-n6-jV*#I/e6*j)dHYD*WmOHs%64\)3n9hKn&THA%.YD]d.Rq$hIl -%m&sqX6KX5576@0I\3ZV`r?khGbr4-XORKa"'4rYeJm[Lm(j@N*/>%\6\U&A+D]T5%Eh9^FoorV/?g9525dO3$5QGF^POg@_e8FU[ -%4Sp`?c0iD-L0;ia=ef_f5>PYUm;ALnLq(<#i^E&*!IF!tHb>?bD8pn1AMLEOZT'/LaUj#&HI:Ls'hR.LLnc7Jul0YOc:)&LcKJ)lWTY$([Kj9A4N'WCm)M -%`gCaqf(]4Z3`EuIP2cD\ro&*VB>Gh]D4#,OSs=3GTf$4?c_5F&:\+QCZQ>#.F0Eo8NG?uE$`TY,.8P*jO?,I]`0,[]_"G1C`R0t* -%iUD3gmWFBLZE#.Rn7Z@O$_E=H@K;3\,Q$U(N^G64%irRKrK7P2-F4H?)d'6G82=b[9t8DTkm>*?d3lf.kZk@9'gnD\.3L#sZ0PWC 
-%fJ)B.&A-(#Icf[Wqi@GK,OdY17tXZ*==$#1VlH+UO)=FX)CT- -%Z1A,AbG&4neT`C5G9>/FPNsJg8;?J;/VdP#T[5,KO_gIXfU-XWrXo:mr?00dHr"7KRi4NQgR+uP#3)Su<9=%LU7`nA`,<@4=[[tV -%-n\=,D:TOm.3U_>/8NI4kF$7^ujoc'o;@`';&PL0;dUn,Q*juTkWgDX!(ehBWfh&8C1@raA>[nY305++@-^SJYgeD`.jS`3OiU[oC7KPVOPNq3F1-uokmX>ONTf^'TiYkVhuS5 -%O*H/2(`"*UW!@LNNu!M.RkRsJ7':)brAfJh9G)Mn.$F0)9S9_.EPpNC32tP\E%k8oM9%Z0W1G*sS/=CLhZ*K(G-g/>IKFjZ-]p7Xj_Y%!2`=^.V*NA#+a%pn*:?LG")T0N@p?iKuTs+-gAePH5$^\j_i -%s8K5$r]g?7J,I?:r0r32H[Yl8s5s@ZgV7sUs7#Ver7aI8h;A4n:\rCIktc\c6/Hs)MiTsuPP.TI1&_%%rsq?nlc26iY=IW&rOMn) -%Dh%cDraYg#5I(0js#pCGfXEAJnHn\-83pZlF#ng:6Lj+ai"bcVc2(8`$fl(@M*EAD.jFn$? -%iR'G;i6STVAkZ(d#&4eR5#EQ:3>L*Mq6@,3kR-DP<'H`e3B>8_Ml&CO)@45m`CPfs_)rqrHg9u]d?k3U8Jij=cPRf%KNg*-h@cFe-45W^sp6+ -%jSlRJOT98Q<,='6NlU11IY4i7Z5.Z3/e]Gl5T2N1mVP3#,7:ahun[OuYH`X8/6'jG-euZ3g!S$,U`hH$Kri_&K,@Zh[Y#E0 -%'Q2VFV%%ZMXG5ST:#BAu/Z&MW^*!GL`^MjO3:p+!D[c1VWpH^Q]s*uqacs$TTFoA%3Ptn"%ftf,p?pmbNX:mFq2T,F#GE5)gCA3T -%0MM'6rm" -%5Ybt'@35JDK)'YLkT^Jj5d1g[5M][LjuqoXlj!O-1P$+efCt>Tnb/!b#+Xg7\c)ru/Bn/[.llp^9'q`c-H4QCi1_V^XL#m/ReWdjTN%JoqBNktut;&mp47E"`\m@t^ejBP*&7P';IRbl`&QYu_o`+NaF!F]Hhik_j7AXC=ee*6j0ZDtq014VBQ -%R`dledQX27n#,c%T:R+kEgeJND=ElMqSuPPJ't!r<6ZJi%/:MMnTr8.kRRK&EH>NA,2FJnmT2!\S0(<[`^je4UojJB?la@_bk'?*iKk/M*Q!(Yj!ns-6]b4Ieh@EN6Q%q4 -%k[ZXDeJH!F#YNS6UlfCOV;R*h'16.D4XcRSfYfQ[Ea3.JO`+>u/%GD',]>lgX^W!bd+Qame7r7]=U2REpdKq^k]<$<1K\)tCJ"s0 -%cr]EtXZF0o/0pk[4m4H[Ae#h!>OboFdkRE6,g-W4m\0( -%+/-_+BTg-ee:[b4CBXT1G)8OR![,8o`#j`^G9?fpA`3-d^]'`NH4C-:g4LD&838@&$Agk7@n -%+]TWq,@FS`E6h=.4^6@^]uk[XQ[S&oo'*7M5fmC#J=J5=+OTIC0m_Cr@HB0gNV%]lS760"=ssdW'D@<8oc=dR(nbN=9VF.leT2`p -%,WL[#jK_X?7HH#.B43Vc^P/MJ9lM=R(j*A^`"^f*_+gVII_03\Vs/MMYcK6BTnHC7oCjL177\#:43?fHu$pF63H -%K/?sj2V=LeqpER'-=[d].q6sA(&e(\b7dmH%DKO&'ore]>UMOV$D@u -%Fch=F\(AF4c(OEGd?\7`m@ne?r+7duRmOp\rpaP=.4gRa(NhNtm*DjR0oi8I24Jon/D!nk%HkIO6gF0([##0\8I_W%EV0TF05\^8 
-%pt99ai3]!OYg5KIOSM1h_In/m'[d]S"C#+cQ\>QTdh6Ps?-6_7)k4>?UpjqeW:nCZuRRaWkAA4Ye4[DZi\$EX0*Z+p*UA)N+t)uT%3lJ(@92^$B,N6)5j#I^.`dZi&^I,s\5Eb.XubGeEH.N^YQW,O]F,drehK0k/O/Z*(s*@c<0?2qh_P -%^43"([6K/PXmq)2H%'uc\3E:G(JgBC>C!g*S'Sd'@ZPiH:-0=M'>Jo/ImI19\IOV-pH9RNC?UU/LJ#nt5JC"sk,YHca"!B7amX%\jmi:@s2Oi.$CLq\?bNnKq4_Cb?ncHkP<*5%p,fs^&;kHcB8 -%BS1:mhuJfo,V*7"\AYX46d.4cN83>q7OMZkH?VfiYBi+RpJsq]K""dk.<[3G<19Z)?C,(JN?X+6f -%_77Oho#;M(%!0)Z3p@qrK!$>U5o^+9qi3?:BcZ?^02',514)e95Ne<:#5eiS^@T\Ndn`2eK#ZM#L^X-(CU'\/I9>WY!DDM]f25;+ -%c2!&,SDWGVRU`a<"@u0n,:`1Q%C@]*XZR#!m7r-\[>, -%$OtK,A9`ou8+![@UJ[(Hg"aV-IaqKCZ?kRTOsJ"GRm(BU>d9hdnAD-PJR>h0W.R=X-*s[IA6T:q)\=a^s@:`$`pmb -%.mEq^&"5N-BERQ3MS5dZ!TZt7BT5C$O(+TlimF>L+c*E:%4J8h+3P0engq]">S8gLM'QR9EPc,VG(P)LJh#OsR3.Qd7g?gqK42]U -%R&obU*8kF+-pi(ZQL4W[&q3^h_c;8JA&s0%(o"FR'VC!Uu'"VV!HhIW(t.]C.tCFM]%Ob -%FnQqZ3HpHt^3"?(fFjYZ.(W@YX!+-9SHm*XFCAmi<(7T)"*P0maX`?a>BE-s8]FdZGYehNXu]!;QQh>3*\:OjIL_2[bFd:GQC&;R -%W$99-H..:t!V6esGB!gL$OWQ8%"LHPI1DUc3jIr\RgDb\3Lcrk,Ph]@7_^lIHC]uFlOdm7=J[g0&Lm^+5 -%;sFA,Fr0g+ef`0dXA+rD:0d&i`*,EiX7W&:T[Ia]9r\Tf@aT<;61[`\H'8DK)MEroa4B7KKkn63SYYu>XW46`Afe#>.cuJc*q%Gj^e.+biG)EcGC8_AB60a7T6J81Z6ie`5 -%cu$>S/.ira(aSe^$TGkJk]kMdAC_&ZbknD^S4U*G3ksZ&OD<\uLjQp]5_]?AK;EpLl0Z"[Eki3pF[=Fs?^WBfVta@OiQ(9-L/%T( -%^Nt#iIrm.L\3X&EmEHBj-5?-0="oAF_U(Ou-/il0j,KI"g/-RC4S&Q8TksRAK+b\Cg8Icq,"6LB2 -%nkY&Q,jLE:q'.03Jse%VgJiT0eV]!W`=!d5Nu6Y3@aIPrW:!b'`aQ\@EJ6S!FWUcQrNm$:_6/H6('N')n%`+_e-(]SUf.Yj_T%>E -%U)=n,ODRTX/QIB(3$#cVnq=!5o#bgPK\'$:M*p'bb6U?2a_We`-U%uqhfKbT+1M"s5Hk?[&"&$]KDcI3G%7+e;sfV'f%ZLrZY -%Q+0JUpiM'/cUMQMlWI]uLfMA@&:$I$AI5UgC0OU.JmLmO.CqD_#qtJNUbR^%cF6l":b^?FaD)@!(*>:.P87\l@iC;jQ"u#[/?1t9 -%jK,CM!;VbJ"hG$JAeE(Vi2TT]KfT:n."VEknl"XaZ'6meFafE@+lH8n1h8s>F?&UN=>HJWJ^@E.23*8Cg&eYkKJRVT,p]^^B\Pt. 
-%38o*L/_JVf"lu)pU#W]7V)r5>2,:mbNYFgWp]Nj<;-nPkHKO;W$.0*WF1Ps,K3k9S1o\Xt -%2g$/XHj[lg*n#YM^oe3O6q@C`^AX8@[pG@HMe@`W;@d7]5RD7"dFW<$82EXu"G%3:Uci=i":OFRm#0X&CD%hS>Br%><,V+RU-sK[ -%cZA/N,&%8VZFLGdD+1+*iiNe]Se`p9.;kX/ZH5.WeJUgF"h7H)Z$hMDQjjKNr@E'(b"iSP,0nYOf-V*2CtTI5D^3Fs'Y(2%6+>EV -%r$96u5s0sYQkrf1Cu&::=>5S_81dDoM2;&Vlp`$lP&$`V4$]snCk -%b-GGWJHaOGZ!.8M1Uj__`l$gKC1I.PY`'8Ao%>'p1PIWQRJ!YQa2A;`g>Q^Z2F@KoXcm6MPFBus0,*@RiG1F1Uf"L:0A(m?cnuB\ -%J^^+b8$83R:#2I:/?(]rK*JE$2Q$V7guRZMb>.'`".$$*JaY-Xpm.,'oJT9N/g[^KaGmMPo`BRd"<=jVj7.pfhJU<=N>F2=SV$a/ -%3&o7[f@PE@U-Dfkp$_nO5Q:&RJ,HpNs6tOm.Thi"9&/n5eFq]ZWF*$ciadRh]G+'*>NX%@5tn4$NA9TDtrs)C`*OiR#?qg*#Dh#rYK,^#!O^Dgm/uDJ8o#HlA4rA)i\6WueD6BqS$C3q!GqU*^q& -%Hl$`8_MrrH/\_)WmG2Xj0_Ck$#g)'hll-HhVn00l6LW[2M)=Pc^af\)Gd#A!rVZA,f)m;@S]<^oL@*l3U/1POL_H=HZeMA'Q3Mnf -%[k5>kq47E=*e8Qu8Ni^O8K%XQBDMsl+DkC+LU@>`_Q4*dS8XG\tJo#856S;3gDn$L&X5JM9SlPY/Uk.:Hs*^c=SBcB"C9,cf6gWF(JYP3rf -%-ou_.O8jC2KG[$X1?s#=C\'JL^U_rdHFiD`?+9cU[FB?T"BGs'`-ZA"HD'GJIDj^pK7G@9C&W$P$\B<7YV9O,DnXW^Dgm.VYMYma -%e>4MDk[R_HLYH[IHT/A7k52j#q!RIp6XbPf^Y -%hF+27ZMkV#1h,'cGc[8+5nr7H(4Y`CgH0hZA)V(Y0$(fkVqk24FV?_U$qn@af&M%Ime"+\"n*Z,`1?%VB+Re&^lEP"%cf%qC\(Ul -%^V/Al-5?@cP.H;-1S&n/gAktn;;P0bh\P,Jr6G7)[%qNO$0bPZ/'r-E?LIs!"0_H*>C?2:488Wni_A:QbZNgY^M'AHj7,H,"obAF -%^A%GoHc>H'oW[qBs89A+nAi:jS8nH;k!6sbd:Fu.fcAR05klQ'o+!gbGPu]#M]6GsGl>29f(f7-GOB_sLjZT+`MXk2B0ZF^T:"tk -%m.V,8RDI-*\nIHur"dGQT\#U]_j3XEmSiCeg[Un#r'\3=9LSX,6!TpOR*m$g?Y4b&+a.FJGlceO8CJ(`eEA;CP]D[/&H3HmfsSK3PFeTr\XiBmK3"D&2JFL>[aY&^KM`3*P2spZ -%EG`RR/gQ#E<\8/G5+O(q+UC[t_MlUYcK$_oM\Hk3%/$gb9\UZ%SJGehq*"S%KSAo%N"^irYU(JeU^fU_\NJeL6q2;AtrJ"mdr)g7\B5Upgt96*0h@17-fJM%!I60eGlC76l#%-U.sB(^tJ5o,qpN/2%/9F8>?KF8W*Jqs\/*_;`h -%D]Y]7\3&aY9/ibXD^).\J?Q!f]UER"FCPp?*7^d,$,OSdK_n8gPhM,";LlJk0uH#A\If6]9ak1KFfm0\MKC_S'>^?=E)5_Jnj(-G3/i"]"ZY6)0:dB4D -%`,46_JSAWiEQ3)PnB.oB`Gs$>ph[JRIA%"R#$R4#EjmU'lnMXGBngdZu'XJm/:45aL:0Q`\Q= -%1@_]LH:ch%C>#a9?_3+8,bp*9r"A:#?4<$NI 
-%>qGk-RF7\gXSZ*;$>*A@r#(jQ]^JLCgl<\(pN8T^]3=J_7o[=gD6Dr_hjD_?H1q/qV49$[><+mMjdFUbbYs2]t;;r=):HoKAIZKq'WViX[9G/0FX< -%Y!X>g"6-D]7Lq9b=`Q4T<(Y1qcKQjLd)QVTUs3+8RDQA5GHF,%]P%q!i-NO1Q=Yb#\mHUSiR-Ld[@aOJHa@\qYPSd>VTf7Z(uBT[Sl%52njEIr0gV^D\e"k7^A'-A[Vr -%%TURS,gK>N*)B9E!?trJC2t17-G6u[Cclq'kpe"FEAZ[7])7R^au.:s\)q-J/;?Q;!km@(*Y%Q!OdH.rVuTf!F?pHXfpDR;hH'cW -%/V"M(.g`CEgBYT!/pYo`%3AJI`ePW*SsnX]3Pu0BlL,G:Ap*.3fME45or02t3PGS@FgDD4!q -%ZiubPCi(IR(-PQbK,i7rmeaf4gRfgMFf:9dX-%`.$NCV:K7b! -%I2_tc'R$e'mS4NJa%@Y_883'bKu2?3eabPT7/r6Q;FPPZbhHX]JO'dMkYON>pO)?cI18pC$NCYQRM^t+npLP?-L_<)a^>3>[_.uL -%Rr6Z[[IMJ")%W,+/m9r40RNnodj.r/F5lhkK,j4r'nJGX.$@fIS&o/YnEG]tK)/WO=(*=);L(#/BZ&mp -%O+#BMhto0i-$IBXlfc3@LN+HSJl?13#-p@ooEi\ha!7BcPbqh_Qj$=*H/'/m=?BB6QpSL4=S'_5YT=>M)kPVq;oV@#1m+*AV!$PE -%TeLWL?qm?a@Zg#A;FZW]TSeH9P[-Vm@6l5uoop6:88.-lrF2CTN8L+jlQF#'rp/Q@:3omQEniY6s(k.;Ko.EE2:lSu;A@E+:k\O8Y$% -%+hu_W@mjdmJs,O,a"+-'R@rXdc`q7EGSPGT,ujok]:s^#9J0$8P75E%$I:i^P1L@<$8;i -%Ml[P-iYac\&+9V8!d=9X$O%Yn3NOTG)aIXJ=TrqdZ+fh[]?$-/p>!2QbOauQ+h0j\/N2@Pl;Q"1+H+<9oIR:Y,S!!YCM`-3^S\&% -%;=Zp6l-QHZot"'+ZTDrgiBtRm -%d_t7_oO5VeAc@X:W<_B!KY6i^9JnklRb2#cBSqd7T,T.dm._R`.a;iRjec"98[Qe)5*=E,nZ`4K9rNqPb-Y[E;DUIB82SHEA9V`:,$L&F,cBrKtS2=:oY-Qe)sFh+;Pu&t+`K-o;GP=aQTTJl"Q.fR.QSA\IhYh)UoVF5GH::0E.U-ErbO1C$/&'+@ndBEK,d(G -%rYs18*R&X"LBAiJVTpcIf>"kY'nMa.d[FPi(<[6R?=%j]!\-VuMsGh:I$Mc:N7ef"2!*YXmfWZ\+ikPfB@s?uesrVA^G^bHiF?G5 -%%0\>]`YL'c-&]^KmBWf@e#lZfE?F#&>6/4V^6J#qK4LiN-VG=5_\_NFJL>7^86FqTI%P8$IZ0Ll1If -%r@6*$_K&S4Nne):g"_RP"MANKKdqrnZKoEaa#XRfVnh3M=gb-2C2h9V7CF((4M%gk>;9c?d`Ic'UpgDZVNA6P$ilX_o,4L1/h`!e -%B#J -%a7MR7!U.3J!HE'C"LXZ=>HQ`M7iX.gO5Y!RG3"pD47\ab(8S-k6';k2Io+G?sp1FuCVe1OiE@r1t6Gr<:*jC6i$ih2Ge#611Q$bd#.Z6LJ8bsPIqRr%&QHkN_Je&%6?&bX$-SNki7h1?j:.WG@8+7H>@ftM -%8N3/2:\K`m2A^XT?$X$6?8CjEE]O")%Zq1K^2>Ve:(g`Pm0Z`)*+r>\3$$1OC^Yc$'Ll>7p'$0mL-3`;f/QPrR1:j>/3mcC_QgJq -%KNo/u%VB1bD-Ag?UOKeL`3JlU6U6]OX?/A:?:J(9n&LepC/X^e('!jpI97[&K+odeOi\3/O$&U-Iainqkl>;BPqIbf3f\Hk 
-%QB42$%!G#i_&ZC-i%hVL!@]6]B.1#:&Qp/D9pQKd1>69(^I21,L0ogg\8c(6FbZ%G5S7:V+/@n@^rmQc9bL:*Th%_Tq"3#=0Ok*1 -%9D_D<,C&k&.b?XmSm4=+bnr75dd&q:1FCOO4XdY74F5r0(g8@T,8+\0?cV+hOCl!UH/D@%)et+LH>Wc:1Y+*u6`oICc*Aa#gOYh_ -%em;2g$Sk3"rnu%gZS+<=B29EB5b-4O<^2BroHlj0!BJV2hRrS=V,S,aSnA`K8jF&\#mEt6J&cqghFZG_Gree+C\DO%!Rid6AHehJ -%2UIeYeB]7O*_i1Uc8:sKf7(d[n -%8,,ih('4Y@8dj$MP%2^?X;1hjd]ZJ!i#qi-F9hNKoj=K;M>@M82/CWZ2u9&4R<+U$B"Bg;dc2mdiPTO60b_)$2kr%Or+_<<*3=sQ`rb`@ucj!fASl#r,S+R;]5S-YGq=!aDN -%$"aT/T@[Jm7j7'qlTb?c5Q9Krr8g`E&$Sf&iT"qO`PDOZ.A5biFoV*[WiLQZUMD!SNcW:S?[g(4(B!/R9t)e4X);'J5tqfek5OWF -%oABO3U-IT6JYAi2rdtenjDuD%rKAdqqZsUSqdJ"npU6(k2E+&u*^>8YI:XN?`f`%bI)-5G-1qsb\cN%5jQGep$:FKpN:p#*6S&h:&"[^ -%.3?fT4`;H3j/#j7_h9R3Upb;"rTsE`S*@ulGTDTMB>(139g>5Ege>JrR1@-deQ\N0/'n:R9V:?k -%Iu``:Y^bG%5J*!FA,F7sq`HcU9q-RNXPQW89XESLHG;3+qeMDTt -%k&@_NRn/"nZu'loGAaiL>\uc6IlFptlgBCjr6487_V*7?DpKEl]5GsC:>>_1[LM6q*nB(qh9YOEm_A)V,(t(8NTFT]:HNTj5*%lf -%G+P0a,^ZLUZcTlUFJl>2N9i9TRpIuQHO0WO$(26+Y@c8h`Y-dQXDZ]i6p3l-FqJ\4p3^nYqWr;NP`t\19L<`0$62AV5EToBKH<.] 
-%_2&:UA`NBc>5B`dn=gAgL7l7qk)fPA/X$l=^$5pA]0dM$7qkX55`c'EXD!aVs&ZuF8>[P-+;N9:]@ou"32@Djp[Wmh/b[`XMg*\O/LaBoT6'r+d"[Mpg?1TjKlV#tp -%We^D@a&\9WF.)A>`4AbSbM;6Q1r3G>eFGE9W[LF[D/G*qZ<;Po@tK&9*+7-cZt7kGGV-JjH;P[a]R:R9=q7NiVZ2j(Dhe:mW]f)L -%7i2^h]BNtr6iSTiIV@r-'LZgW8k8pkPN2UQ#d9qO=>]`t@7ARD['u&OJ_6f<9Q*:*Mq^d%SlMYHk5ed'cHBTTA(nF^Dj,F)9almf -%YQLgdJu%YA9Hdt%:nM8(A68*oE!?prf8XhK>sfa62FUG&:;Z4Vr#F`3FI4VG9hat&YT$[(#Z2E3A-`*M4)"UgZQ8PJMVeH%'0lT1 -%WO8iQ6QhYa+o"5rG'putAVM=[[H*?p:iQpgBda4X3WpXHKh`W))0;boW(E@,li<_[3)d%H6q8DG"1*NP_;9P?+4ADmq+82Xi7:>t*uR%adq!i.>[;[3^ap!pkgF*g)U<-^],^(L-r`:@'m))/9C`q;dN$QEP0rs:pAj^`-;ca_PB"@fOs4hC7d"eR3L`TqH^q[i"0--KosbIKUhAIJnA:+:CJsjT;%khY3l%@O\hd%)%SZi7__1"A -%,t[]Ver##.">isu!UmiN>uUtAh1cGDk?3kfT#`h.WQk0pK?I_U,bsG%>Mm7TYlR(8ZuMc_l:$gE66(o+kdq!r5M:D\N8#=)=u@AK(u;iJR(]hW5>M!G5o -%,nN-Xbe0iK/&4='.6goDEj3N0oK]5H9i(:n#%1XS-s!\Mt@h>g6Xd[TWpL0"6D+g^:"&$ -%-@pb;@/"hFP=Q^YK]9Kd(^qLYE;HN!lRi;$GK^DQGT'#\L)@nW,q'JdJH?TNV$Z`bLCHlL_CcBN!(<^k%TRa9GT+kgmLV`=f%6+D -%8D86o_:&IT!hakq*\pW]aR(2HEXl5cb?#WIlT>%B.`6r\EuG"LaE"$qsL7;*ic#J3k^[W -%JMeLf]ZC"eQg\�GiX=aB#RMdi5,Fc:S9["(s$_]j+XaL!:E8=n.Ni]I'tc6,!"@*MUuQ< -%$3Ukk(e!f;@gibcF&101OC_t98FD;nB2s;q#PPXda5-2X!gBM]I.M6ANC>iT!+<].%./kr@]"K0g5B%=S -%W^5mSV4o?+5p`AYdr=/eNuuC-YuRG5&GX(fAlL&gMp_6$Ha/5(DJ]MAke!s'0mB'2,1Q93%ZdGMQRf;^hlmT("@]ErQpQ';EQIY+M^buD7i19YDEC-Fcn>iVpDfDoh%d4Si?Ue*PflJ*?'iiZkBDb0e90A]pr)dRk!"%dNHO+<*q\%\f'>JVq]7,pdoP;N\=)`/A%$T&]Zdh!A%)8og"u)\,KoIr]iDaklbM6hBb-gj"!,]g%/ofG=CCW(Z6RA3l!/G?ASlPVAf#G- -%_@:M"Ba5!fL2e5%,[/,pj*.E\"j!U3[c[&8C_XDb?[(k2qjHp1m1JZt/`.QrQ8DT.i;<34B:d^1MB!1WGMfQES>PE&FkM1h>F)ON -%Z`hg-cf]cKG+J4f3,[U,i]U%D+alT(oCgW"ADH>P!c#>3ccP-#HKr9/e(ai@37j^FA'O:3T)tGKrk!!FabR5G[H4DG^Cs_(7a3]kZEYSo!tbni^_GN<8VD+t$+*)p4^<92?:'1*V?>*_B3K`+C8KX!6hf9f#/>O-kEXo>kkE9=gLCi\o$< -%NtYB!2,pdb@,5,M"N;fo[g3d^3nL(nQ*_PD-IBEDJjU2UQ;c?KX,G"a8%])^""J)C&.qT)86[8d$*9f]OR?EIiIpk<)-A](c8TUU -%Hm4Hff2M.\@h$Qk6t6DFWZ4G0cnifgStr0\235ZuW0f;[)u*YX"/QC)<(8;9.ob 
-%r6WuJ9U'Cn59h(:Y%Z",igM;F"_IgT(r2Y#&HmE-W94]'Eckmu!@V&49tDb8JYRX8']SAd;5a+.Ks?mNV`nt&O;76k#]5bho*fqh -%gjL?0aFI5qb)RtB\AN*'C`WD-`k5DRR-@uopZo.>MHIUA8P;pi$7XLK8n\Fp(i8IMZac(Q%qCPkML9NSDBhk.\tV#Q*":1;;mjuL -%"(b`XrQE&r[O#Bb(eqnL`mQ,Gr!MJ7JPomH3T`ELUd/ZkeZE#.3,s8-CX:nZ9m"umV/D7Ke8(0iR"D.A/q@LF7D=f>=JNDoAVG5& -%>7YOPbti$ZWAJ8HF.2Fk1&Ld,;]NMra%2(b"\2JE%B>#9-t2Z/T((Qek?^tZ70T&G'#+JUU@C&'+':ji)D4Zh@6n(;8h,'$0R?s0 -%k\2k:*R$3t6-BiM[N'e^p -%,K5HeJ7l;gi(H\.YqQbieN?1=3%,:VQW2Fqco=G#n=FVj>WafE#q.PfSumt\H"eU#pAsbO!%YS><&L*MnR\6dj<8slZ5LS+\hG3JF>I\T"D&_V,\@]Y(8.t1Zn.Q"+9jU)?9BunX+kC5I#+e8F'LV>DjiHi`ok+ -%9P&rq`8fa[6fSfr)7IU6Wp?+IL/:=LcfD)^PbQOmH:LkMX(7ET86!c?hpC#HGG9g;%i^?"D^G+eqeE*W)U#HFg`>`mA:@Es`8f*O -%p_G$.U6K`,e1/$?&TNsNU]U[li*3Qsa.UYlT^Y11qa<-np5"`FPV+oMFdo -%H.3K_)"7g"\F%B48_/2@Tu`,@)r*(Zr+O!K,2#L7,oaiXPkDg'T/<3d1AQ8gbBq\^dgSs8gcSJlZ%oQF+0Np$BItR7>_?JTKRF3# -%GmI392[t+%24k7?:NbgKG^^XCPk@E@Ad->qD#&1ocp2dj&!o0$AhV$cQC.96gVe]GXEC4/<0loChB5"7l6b;BWeI'q2QQp]0.9>q -%[p1R>r5I,Ecj)6+l45,XVJ9]NN"\X2g"tJ4T)%J!r&W":+#1G&eaer2Z:##05!i&g9'>[QnN^1mJs.'"fqr+*W;UOeDK=@W1-WA_ -%OK1;UM]k>O!fEK.8qIs=ShpXW0D&EAW<&'sY2@BP,N1b]6VOuQAMAVS)9eI`eMV>$n2u_KYom*mn8#rFO?8AhF&RFlX`Urc?8Gf[ -%FVJRDTQGG%.4%$]JR/^H'mC3A-TnFrlk6.o_,'*(f:O;NR27bYYS'jjb).;XZh]"$0"N' -%"(N2b%b-$,&Bq5749N'ob&]<)[%E%f!;>J;.NY0J"ObeLWU.1**(To4<>fn*L57u8]$Sk3-;kYlD$`Rtmg#pk/r""+^/km_3@f&VNi3Yl$uffPUrR,=7@-.6?Y+Nj#hb2nX:(a7<*_0Y#L*La%&4"*hoNfgt[QAEE^"sjONEXoY+F"XC!UI&D`=X'qT+n5B[QZ/\"m;rBo+S"?uD:d)X2%\G)D)D(^u=Dppe? 
-%MGg-IT52ui5h!WW#W#l;%N4l@;sZ*>^&R?-pPGsQ=Zt*3#l>&`."p7eG$h!8F]Ra]a%s\"@;_HWhs#ObOm%0(b+KL`.qtd4!246' -%DL?YjS79A]88t0'-KQU?VPppJ*G&e`diY:AS0G%]fr)VC/7PQ0ep#=,e9*suB%IdXTO&?,72::]pTsSt:2iY>X4N"ZmJJSjN/+kC -%oIF%rOT,Ig(h_8FlbRW&H+L8Mib&6O@d3Vs%#.?A@9D363KS?o"BrGc3113o+7$1=Q:Z$%blk[3]#n.Dt3 -%6mO?(`l0^-E4WeT)+WSOhDnk12QYAdrm0uUO,VK*HB+p6,cmI"rjY4'eB(2hrpYBm4W\*oAY%dKt`RoMrCN;.CPn7i\_UBbpfq!cm?;+o1U(!XDPHmIK)%q.QFa0UJ"@*n-BL/VV -%ccA@qa#ifORBd`m,K)A<[mM$,GFFn)F10CEXS3K]/!Jc%?5#ZgTo;m*F0Rfh!7gs.[:!'fkQFM)]d%sFS$D3"Y -%@b=j30@]R&Il?DYtYNa;H%mH -%kI)qaPfRa__3%uQ3!G[hJQ`SE`HI+#PpC@ZmS$\:jPKN*da6`H:gjgOU4qqN8Q$OH&Sl_=)$A!HD]AY&As#1+/(UYrgU8nK_Su!` -%%LiYX,l("o'&ehFdMA/l%"esT8EmC\2+oM4;L;%K_0Tr['G!QUYDP=,Bn3A&r1UV"ST0X6&edIm9F/BgP1Xr:X7jZ:'-U1i=:%fE -%JIlQ]8T8hrLLjE?>LN)`=M#(Igt,-]ek*WZ9!YNTA9Vi(SV_pj=EanJW!K,-1Aq?'`]ZH:=C$iK<%*74E=/=Dr;D3Gh1[j.06+#[M==BrI8 -%!4Xm5o\'!)r](T-,i[6;Z\m!;gssuZrM']56NP'l5Socka!5lW+..%u5uS??npmB,_0H[r9p&a]k.,euVoD=2+d@SV7\n\C$n)=P -%J=*-33U)nm.1WgVT1kV@8HY#;/!aU1aCrCU>?Z#cl@KOt:;@>435S?o5%(?]7jc7-MpE(/$^7jTp%U#S+>(ki9O\5A;)XAo>`c:J -%/Ns"=_.U<@0>eX%5KkR:I)E0H4DX8g(fS&(X/=?8fNC>Jg3/Zn>Bm*o[`_[iUT8ftq)sZSF!3nngKk:F[S>*_/.Tb'(Y/H@L58"S -%@GD,"7iOX%SVk`JN3Mf7cQoAhN6`P7Ana"rfH*NHMe@tCcoa+f1=eJW&u(W -%5?#O*!^#LZ@Z\/CDHYO%UVNF)6^G=.E!X-fAThSA..&=(AXnr5B:["%KO>0q=L^fH`aXLR1KfTm]5a9DZ;^%a%22L\.n;`Ba!,9^L7O* -%!Bc*mSRDdSK0dDZe$PpY_T37%Am:0*e>?JMTt6L^`^chMEEkgYT\/pn!T`%CcS/&VJjD"m:d6^eaZ_m37lVT6T)l54`.f.;aqX90 -%'<<&'UGG*O'ug)"*^[jR9"iG`eo%1SK)#A8-q$ -%oscAI\[B:qGSg`m-r*9A`j!s=-q$),$@dtN4>tN[ -%ficS*Y75Y(90ZY`=Dg"pUNsa_@Np7AO8#M\*J`G:j:MEe_$CR8I3CG48;P@.an/%=8S>\j!?(j4GZSKN.r&VWWcs`^K5lNc[bPIQk*'.;XgDOL?#+RpE, -%i`#*t>"It62Pt:7gc-%#-(\Z=?qY`r@4S/M5q6G:Z&bRMRC3"p^5,b8]jiBP[-)mPE$eEA,rR2!aEXB7+s)Wj>8[Z\3LlfKdMW%u -%GTCThYHR\qV5.5D']C!!``t;pnrVi.*\-9mOh"_=1$%/NFkr\#e'.#,=n#PRd3R_1XW0?[U%f^NI-eS/8:u[ZW^pM%=5HnF$6oma -%9-a[=#dXgXR"ZkrE-VXFEEhW7s7g:bh!8tT_#AhloVMMV9M/6N>7i,`FFLNe`jW(Y!dHe;"4>['nn4$f.1%Brom$iOk^F2J^g'rk[@eU= 
-%?k0C@\7uQ^T&jSJ?%m^jV4o4W$X@(g;j2jA3VU85P.eI"2-q1\rTU=*6LT!ELoD/GS&@-PVer'Al7'/LJct7;c:-[NHTus9)dAl_ -%*JT7Qd0,OW5d^oIW>tmQD'Z`#TXXfe0q"*[$D^RdBZOc*co(DQ"4o<^>UYhh.#N)Y+G5Ll^fhAO9K/b.FH?!0fkJ"JKb8f -%HhS>Q2"'1ljWDbl*GRq.$bMl>4"N0or0[V-pYuh#hH*[7S2S8aUp'alY,T0TL.(,'cdYnCVO16MWu5bLF?YV>,$KM%JfPl"fGf)= -%eO?/kp#lo^B]f/X1.Rsd\r)+`mMpg+bu>B@Ye$'"WSVq/Q"T2MZG8B2CmetA?CBl?:(!5as/\(7!pm*r&Gm@<>9t_E0;_\Q`SQ"t -%Ad(D#`(e(L%YI/m1JhA70JZeh$Qk!UF3N)bn>:(Pa>Le'cCG8mn(!lt2#1FQTSUl/I6p+Nk'VfIo3t2li":XT7Vs99s$`MgdPf#V[+=l]R -%P@V\.?Kj(0[h4-5*Gq)p'mNK^oN\$.pVU>+EceuZQ!SK@i_aSIMT3r]j"QM]l4hkNEZ?f?.!T-A0O8*=fL<7N@&$`OFp][d)'PLn -%Q,=;nNa,=?n2u60V>sG43BKD@kE["\JIn9i"L0.=1o]I^3<$OU!mS9FV,1>l2'?86%'inl-[DrKW_O%4X..mqQ1ad@+2oj-Y.M=#_^>ON;"9-3Eo5Z[m4Y7QZf6.bg -%ZEt67Pj/m)""kJ:mAE!7"_gEY3Ng>I;na"\TtL`r1/I_BoFXfd_`I3S;rF*\o-!f]2h;LQo94eh_lkR_F&l+Q#-M'?Ie9!Bb3tYr=3Uo,(2T9a8WGe39 -%c4HpbU:n`>7Q+6J$Fm?iEto8K%@+%j(a"V2D`Ci-\[AqZk7&j\6H<.'7N#/BA1:bSU -%ikW!5Mlmjt&Rg)]EF)p3K]X\c%@T*'OH$mk$nb4@?pM]IG(>i2jtl9rBh7oM:'Xb/bH\hqQ0`#b(!$Z-o;4QdnV&ljgI -%m$M5DWQZJ9@HS<+B=JO?U.%M@1?@\=[\X;I>IAV#kd(A)#ip$%Z\_+&>0fTA<.6^TX;"b8^s`E\!F-,p`p\P-N8rRl(Vaj515&C8 -%NN0r^C0Zl7*%H>K1`e''1!`]j;A;]F(I:7rLT.kJ)E%:DKg77,UR8.-4Kf-`kX;])4$T2A^>/5nib$u_%\'@`bg%B`hc%gRoi8f1%n@7_kL[93b?)SC3lqE#s^P9"foJQ5BuI9=W217d&dYVj=Hfog`Z-qNs/[no"`?SOQ$_)6q,"A.d]S$NV!AUo9VRDb7+E`"_!HF-u"8L]dOs4/E8MVPnP?^Zk?7!E4Yjdo.`PskE(<@Yk:nlrTmO(2.b=#tIBf(3*FFNY\cn1.<@FH@H5Z%q9)mj4( -%fTLl1+oG6h"9WjQLoU5$]ol+&3r*'+I.VHsRL\3NZ%_]\L4&M>F;hhTi:6D&4$-r,\I3)%E%n-EVd]'eAoX;FViF_,ernfKK:MFU -%]k&sDVfb"ljG)>OTiB:C7?Yapmt(0(Fc?>?#GMS#Eud*7_kL9]2_(%+U@2%pRrrDao;4C>MCJKD[/:Y"C[;a8F#!HJ8OrNK.8uB'Ku7h/Qj5/iZ`EZ3')Ft`QId:/c[?)1_0k:+`bkuiDSc\ijX)0#9t=so -%Br]0@B%KP#j9/n2`Jc,i[$/[Q0)#hM%K,u1]h3f?j.VNJV][eW`\=ffR-KbjMtt@qrVA,gXdic6#TSVnpsD%XMpp9+1jXZ_Y?-KN -%b0W6T#J=u[4Y4.+7RWBL1$Ni);TBn&?M,n;H.k*A5I^.V=,a;h,IUn06@]74HBo*rW)4O=lP=CQ_Ze(-'`,W+a_0/i.@qdVd[0H`I68@Q^Kt*n*RZU%Q 
-%2,BA0E!Urm`"u6)(_:("/"N)^7n*agX!WK=PCu#Oodo"RW8PeS/)V;e'\B,Z`5m*F6QYc%,@k-\fmSOi2Kk(.W%NqT1R.umd!_&G\utVo`S!qL!>BAMK%.4:K'%&&A"W -%$G-.PkX/41;_VH+;a2=H.8T)gjPI3'l!dCsEQI^94cl&]#_*Ds;H7RuMZCiU)bBfnL'1m8H,-P6T"-B8jl,!I!hu#I3FhkiG=Udf -%`d<;aTrD9.mPqJ6=bk&B]CL_tXIH;l5tO0Gd\]@]?[fRWFf5"4W58o>M=;N_VFoYIWSq9Y."s)L]:4DMhe(dX=cjTFTXOp*[[\oH -%:EAF<,Lgk?C5#8TO7uaGXXE4XDnIDrPg$Y38J-nr%iCo&jT`%ICWMslP2nPjXJ98*Q%j%_!@pcb_#-bOYZN*0!t:\r_i8f-ZA.T/ -%@/OuolmJmS#P,ZM^i3>/WrP>$*2o/kL-0L;+1PEH=VEt&LA<$cJAI'k^D&OpaHFadUM\VtLF\H\NrjKoams?m#5\kE5%HgoE_m7g -%RhZ[G,`/.J,=F5%6u[ks[3W[g+B\^M-lAqi8#,ndDSCNtbYJaKXDr'F>D"jpKit\YkW9RF%Qd!2pf"qu'o'ah(!2E]#L:mN%CeBM -%A7-u1XL`WpPBSBZfD:Nr@*CcOMPCuM"@Mquql'H,PT\/.*Vg0*eP:*l"]%3.;kg;b -%h?Hea)EHOBMrH]HiL^]0nGaFN1_lV8kBA!.H@^:_X1H]Ak-k)_mkZ%>llZ#p\"Z8(/rON07>J5QCV.'<:d2'Ma1dI[E+,e2Vd0n-qlnd$a2 -%Zd7ICE^.?nC9[d8,(;4Nmap(d1TV1GeI[MOZJf+4lt';-eD7nbg+Y?>h?Bm*,2QLPC'.i]!>9I=N@M#4MTb-8[SJ0U:s_3U$iZk, -%a3ZY@5SBj*`7;DhO_VOgt -%%)"d@7n:nTR&n"XG-7eOrGe_>[T,J'C2,4E"A#-J!`07T4R#qtfpT$pRoa*4EZ""8E@M>!:>Rm%+;r)=T8O -%ML.B'%iFn`MoLjg]/eY'%B=4-Jh8qIAlY_]H?qrE5Mha#Q\Ts,m:bK]nm)3lqk-?(31%ZSfZ;f"%KsH_GD\[E=hPX/k<]1UK_aT_H".`$PW:j"t._M*2q6 -%&,cA=HLALFr6h4G4qX?3A\#%N;9o(0"s7%mbaM_sE.7Cn^_T5KouVaQYFOUrg8.mcW5mX)o,_,4T#OkU<`/1&D:15+aMJPLqBJ1oskZIHpEb?'"c(b"jCG-*HIP,,E6l$;-g8`;l9X(:5d7P_OKL\ki,I+5#/\"L2tE -%:VV%Dl8Fam4\\4.a(*e_=d#"1m'kd,H"#OpWf*.pP2nE_,N)NGPsrZ_e`X)2Lr\eR8E/0hB-$VYi,\9?2KtJ];oK,l00jkr&^+?0JnQRS33S8M=ZG& -%)1qKZ_RJ')aaBP-RU2',oFcU8[9q2@ODBTgU` -%s8&5R!SY<_>_MuJ'r1<0KEr`VHp$&T)ps:$S>1A#*@^6j/8_)U-JZ_McgdPR;eJHLWHei_pIQLn.3MsoVQFiA7i>q)dMD[je3J)n -%$>nk<7kl^pQ/..A.8LcS+8om#`N4s#!$mE:O%jDa;Cbs3BDQ.6OI`.D(c"FdVRP6Y,!MgM*t+pVG$a_olIm^IZo`g7$38AU;"j!: -%U,r6s(*s)&(-UAu&3t+*nu@K2W=b6%al'/c-F(S2I+,n/Qk0(t^\HcqWp"P^HZ^Q\YTf/7WJPZu:Pk&,0LC#O.j$4RFpO3ac$:9] -%?2e;V@aV4qTXoH7/7BXCb#PD+ZCHO'0;0%A$1b%B2XNYucgIk(g/n(_Mkoo$cBLmAD>"j2e)g8qhd,Z- 
-%l`r$,D5W.e=%ZSiN`?+UP(6?D]B6Z;0XC4?0<_TS(bBR<4`@btdEN@5M6r4u.5.%7;UM!=;qSo=9ZO#-aD%<]RO<*WU%GFf+/m&s\EV\KcbG,M\&3<(&*n;b;=bspY -%p43;=jl#ZNRL;s>UuHI<[6eK%WS%.5=-%D?.L:sRQgiYSOFMo3gm3L\_$Q&5QJOjCiEUL0-USX9d@H=.Otg:+)X1R@F]Q$]W#6OK^O -%/UZ19@t*S\_V'YPmp,hFRBs3l5d%tDVjEOA!N^LulMCCi4<5`ics'0PP#VaE?ch)dSpp>/;m.tdS/n-t`\jD`$$i+V<7QY37Pspo -%8,:W:>p;iDB#Q-^r?fRQP>rcEEIl%0f^P7AEL.h0SFoih,j5h"]KbT"K9Dr<*eK>"-qRKp&5Eq].VVat39-b*,:(/=\g\D50mo4. -%P7$6@589#e/"b9bH/O4KUN<\.`2=!Q37? -%+!0=a-<\Fpj`_cfSSoYEe_hCB,0COc[fG:k[M]JRdaBchqkL],NBe0/UE\\/4QbT7n0T#='NHVNb)Ra4&ZV8+bFmRB*#K3mdeN1( -%,:rGdXq&_1`N*G"Yr -%daB\<_9@I!FD9sV'oOSb[n6R&>]5'WTo_U1#eDRNPI)!YU019=c4m.IPI/0RUUr?&5u8cG-0//:%3BH -%Eg=ER^u).kWNt>2.XDdUKoTEh1-s#B]V::5CGeBJq*!_;X&sBRgp-3<'bE1$KX2Jg`bK-R.SIAb5Y:i)V@]-nYBimVIhEQm0nkH] -%,7LqLOt`OPU/hsg2I^*o+dOE:N/phaQfWUhM(DqAR)@iZNq2F75'g6Yl:=BLVUoi'[umi0mTa0G`fmPsY0Oa$/@_&L5.J%=d?c,6 -%(J&^;SJ(CMp\PU%_/uPe$!?cf-s5c9]#glf6Dgd8b>Wd'mLKRDiX.Fl8d>=s,8O0>^"LFG8V]T_rU^M#HT(u%aD -%?"ekWL]>b*mlAom=K*%4jXs_:/=V]g=S7fFP(Ig10&URO0tJN)0;cBbF0-t^`>#br#@54f?nae!N2E.crm$i:\&P3\q&9u -%:R?>_L!I3McS#h+*agd.(!KZAZ=49l'&@Y1,%m:Y_8*S>"0XXUpk6Q-R7VsN,*Ljb1<;1KCaBZOd/.e.M^GK[a%*fRS`"Ba'btQB -%N1n:+q2;]GWK;m;jL+)H0+IUI;UE5>L>6!1bS3rg,bImr$u.k&J0hKXTEtj@6MI7T!BD)"9-gOH7E4B(/ZN6]6N-Mo>gGgrPk;\Z -%9hnsD]c;kAL]>;VB/P*mq6c\gk=LRH&)2URgcg$"R6"nNYOeSPImg77s-lQC+d($Wb'Hl"rC@C$>*3S4E`PmK@hCs8#+b^)5\sHs -%YoBQ;QjE'`S*@&PUj";&VEZ^)O$b#7d>a"IC_n2d''86hkLT4mcX(@SY6t$$<0ahr8-n7"lAJ^3l8Bu+eD'; -%W%D+r`8J'8SN_0*[a7*[oXAHJXq`Gij\tSH>SrX7ZdZi1LJI-OEH^8^#ppshcgVmAG,!,d80mdi8U?>V@96T#gLt&u^I%-4fZj*$ -%*L#%Ni&C#M(T\(?N#X38Z2QILqnM>V>@kDt?rEO2/=bK,mhrc1D[lWiW^pj?]_1bN2Q<\Pod7oS6LMO'c-P\nhbSuIqIl"%j]9hJ -%XahDZ:\'"?l@A=-i<*Ssf[LU4:oK'k6HX34E-l^B&H&rH8Q^Zj=_]f'HkFE5lRI`aO*d))\5WX79n?B.b]?5ej^q%BN.[o)!hhDD -%o\[$>?q5aIh^";cqNit?pj1`ua2W.KS-]U'1[c&Q,+N$:U7+JohlipFXt/*?LL(*U7aY#d:$_'l#@&F!'2:-tE8U/N#\6M8?BIoJ -%.(FNkW!chrX_R@80S#'03ud!Da8u^I?DC*/E\9=q2_[X""eAR*BeXOW^TQ!$a1Y&O2!.FUV:@#%&)g#(QhWQ816aZVTV]JgL>(4\ 
-%S)+SubJU_1^'>kr,At\35kTHKnN>L9o'PoP>5P=,:&T/SM=i\0]LPOp5A`:>X`=SNV;=lihYI(m(h3!kUbRVNm\gf8ELOpD(CR@' -%i"4RVE`9!JM+pp?Bn$17&6@=]RM,^0VJ)62\2Ss\+[As+C9t'^h!Xn,BHMB,JBVU?E$g\4S!t7fa\%VDem#GuA'%@aL3tTs)8?%0 -%JqLa=K3a3""i*Q0oO42\GtH0iCN9i7+B^tFW^,.h$rWbmj4=]@G^#tc`f;Od@7!cXSGa).$]`Q,JlAI/)CqtG;!(4FI-:j1Bdpe: -%+3Ah-T0CTZq*]J!\p.6O8`5G5Ge<8TO06$#\O2PNM?%KoF"H5FreGMQgLQ[GBZY1-'9ucHKF8M&0l4gj:UK*5Lsk:e$<0)dn\O=7 -%\IeRT(H:A5gb]no0i]e7_/8#XV*7b=S'^ -%fNGsH_3;-hWVdtg^7C^#!gY[Zj=SJS`-E28F4SsW:*4)k`+39cLC&Zi'fm -%35Tg?j@/fg+Y[6o_T7m[Z%8gd12f6Y?A!6'>Q)[iV@&\*/KZ>JnA1l2kTB!J*i>GbN@_"bKVhkOqB[]:->[;t=m-Dkh)%/3jL5gY -%2fQ0Mr+h]Dm!I#G%KDgkA9%iJEm@c&*g<=DX0?)QJd]5u[qOMOLfN8KjkN'G*gc9r9rA\ZVm2_gELH$FS%jL(uH#AU\4K2)=d-Bo+j'_aIPK8k0g6$-W"N -%OMlGMX4Uuh.piPRqiHBG*bCV81+uWOI7pmH[J>3(U8H79`XLEo^$RbM*UO[\gW4D)`6XSAO6G9*1Vr#$7#kjord&qKV=-R'Qf3L_ -%=/i.\e8jh@Neo$j=YE`h&r>l5V-g@k!-eUe:1dg3no)@U&[0Fo*]P?MYe4_IpsT)DQtCTa0T*@BkG^,W,G*mJ`gL_?Oqc:/\0J*M6;Z,*);)/FJVNtbrPFY.sEo=DMk-LTF^UtZc1M-"ci[)U?A=S9ZY@"1@J=*q$ -%(/Okm@_/ZkV+gk+:Gu#j`5Zs""Q=RZr.@9/o>.J -%+M%cH3bBj`$aX].nQ<.3KmZb)f-7[^FkuBa*kGL^AXAM"aXDh.\be7.jRHEFOo7-5+4[etWA.(m3Z0?ap_O$tg3a`O;)K"-7N8>M -%J@7s1d7SY7dGhL3YKVE]Vr"Xp2Mopbmm7\7$aY7_7gY<8EVif_JOI^ru+iZ8p4?>elATP[MO`!)M2!AC- -%BCiKP^[[M'q'dksZ""W?mP'F9P'mlHob,rjZ"%\CkUlesD07#ie)5KY^ABBh-SR@)LMCs(QX2K"X8iB`'"IkYe&[Bii[gFp:]hE& -%oB*]B^UO\87a\_P\^*hBer:X`=&TY>T\oaQQ&IM8,7(KpE'YG@X7V)Df$pt%M(G"B#g%k8_U!*E=0kcIaHkE5DfM530p""T;dVmS -%%(nr*?!:W36hbT-i2$\`=oNu4O"*'0p^Vk@Ac_46V_qjk7Jmn5VJiNl*3T:-ng0MpF+TG\>m(d=,A%?":\FDq>K1e@IQQr/E/..Xk']89mZ[Qdhte2I17O2L`W3Z=P-H\$,JB]E -%it&.:126FP1(L0mbGo/6Wd+s#WD(\Ln38Zu"fDB]/jG<1;UIf$,%H'YEnu6FI<,F_;UC:[f.e(ke8a?UVUV -%?Pi:BEYD:r9m';=qA"E?:H=a'ER/4&i#A]I/L?BcYn]pfF`Xc:NUuD>Ac<(mA01H,Y;KY#E];0/qt!U -%X10gfO)saHkl1J"esX9qD(3/a%f+^oI#HgZc;5[7,)O=f1l.%"kd:gBj/s/)iNIOp$K2"RN&/Cr[slkNs/*]hl]:8$qpfk@b`(I@ -%D#%0Sr=%\1/mJH:o]oFE+*6-c5-2dp=Jcrr8m7S&3(qHff\nP2Nuqr`I[]H9>o)Z9&Au)K&Bp<=]s9:odVm_`P7@dIBXHs.Go.Mo 
-%Mn\\k,+Sid1UQgFHcFe68u9E0,F?SY0gc*R::>G0Skb2"(c[V5"1^fL1d'>osM/%o2,/J=k&=ck#IbFq-9e:1d0T. -%:Xs7EB5(G,Rq]U$IP%M]AbV_rK%@V6rE?;a[=4-rja@SjqRN4fB"gH/Ud(I5icSeSWT',Ee]LrSNK[DDa]+O,.s&J+*E6lXiI\gF -%TrkJGa\r'1aD*h][qE!ll2m4dIE>Zp>Ub3G?E83a"`LMD>LD!8;ld=@N$Cme?ab#MmhTlmp:EcDQb]^gps_JPlPf>O.+IXQB3_K; -%U39kM.@/).Yei>/oc[IU3r\b`_.T%@8Lef0N+blrUtGhYO..c/N3Z+]]SZ4?f&Bc?2a_*\dKAa3!rS#!cS=it-ml:MBSp&HpI -%TZo\@pn.>\BCb\9cF?W)bX60_5E_214fO0"XqPR)MM9:7@ES`&-tM/.g(c@'j$&I#$6kf%R+:$r'$=Q2;4gY)S]SlsChQ#QAb.g, -%lhq.?Z3knB"6/&+QD#Qp[BK=@R\E.ZR8jO0%7C.??`f6.R8q5V\mFSJ>ZV)A=!D&FD#0DQJ(9a.?$oa)++"W+[Qr4W[f1C7Yfs4k -%R@h'1p3Z_D-5^H6gI:hdm0oAh%i/[^O`dI)A#Q^;fERu>VK\=C6Il`qH0&2aB2&i[gHA+q?e(`L:k%(K=\L%k0=Wqk-CaHHd*TZg>n$JlSkPJ#L;>5q?@gdG8I,FXb_q:%@rSt8,2J\D^Dd*i2.I8/H1"K=a4g5=4eC6Rdn;nd"2I9] -%P63W`\3A&!Z.t%Qmab];U!@F*D=]kQek4b)btf^-^$jn0b^k=Ib_1:RaABKH04)TKDDG@n>msIbq4]"IK3u%ebY'm\A -%haP;sds%chqU9Yfr8GhC&Ztp-=j5fL('0QsnkipqH2/jXLL*10WH6seTWQ%W/u.f+,%'f4j0+JY1FSbqkOBt2o<-60pY,V%*54)& -%.&FS8qtJeIY(41ULDI1\DlD8JT@:^LX%6LeI+%8FcSViaRj';Q7QBkSHl#W00`-4CF'J$k -%V^f+B:Png0='O2][e/-nSUNa&B2NNrdWf)Gp=j@JiN(=D:E>I^7K5H=e3-?-]O0LEH(E.o$fN//$?D*O[VQiW7II[/`q1sTc? 
-%-W(L>dC^7j\nBhXN;rjs]>*Ns=92_qU*V*ohQrF=]CiOND._Dm9eU#Kh3qRUbK!IiCHd[ToSlksh3NoD_/40Caj.nIft-:)1QdBVf/sjS3#mG).T7orRBG1&@FShq-d8Vfg!3?]gt[0g=oI`7Wnlq;-B8GHFm=d2gU5pE+Mr -%leCcoZT_hl@!PA4g7!ERqc0cYS"=ErQP$l$#(3D)`@tc:,-4MQSB5e&"4ee/Y(YPa'qLAnD@"`N4Hl^@#*'h>]\#-&QZI_DZc5fS -%$`IAI/gr2=N81dX`DE\9cenQ[ISXqVYHN-!)F=+/_u$]"lMKBng63OpmG0PN[.eLpL.CrC[&9/shP+SXd>!*oihe=(G2f#JAG(TS -%>21c$+8GRPF\:St):-D$jaI!E1d;<37sR-Q>Sc36cdh@Lr\CprlYoKEmJ=80phDQnpk]hVcRk^?*dMh^eoqaCtbAI(_)V@J%s?+Xofq -%O\G<^qd_!4&q3rO:EOr]ZTV_36*6ds3>#Za)17+B6k7+I>H4cX(k[u$P?s(aKklEVR8T -%bHWE]m20(6#FOP!^b./)4!sl)EB)ViX+r4W!JQYNI[J,%%]Um].`!\6/TZBr,gFh-E@9STjBh#^/>i'`CQBgCTH*( -%*"uR,S3uW?oB1Oc?:>F*DC9ah"K:tZql7/`RoSIs82,rT)uFDJXoo:e.aSY;.m$s676(tlCFeF_CoG?b -%NY0GSPZ>BMSqe'O->Jj:.tV\k -%rF7De#a+CWT1.[^N!elO,g1RQWb@c&!s^'dA52s[:jI=2c/MdW/E8Z_J_V>jN<_/;]M\/Mp/dZC<=n0kojsa0j2"?IQ*.)u3#HY( -%C-7lYOtF![-k,Uo-UV/(bX9^5QQ%?rXpt/7cJ7.T:g$'p+T^Ad*H3a5fH"o>7-PJUW>WrQXD*1D2bqpN81_$!cn#$W9A`r3d6>>\_A/[2c3$ -%,lM6YZ0@>l'ifSU\po>>@7b"am&i[r3b7?;i8k0W(h?TOL[HqZX[+AY8,u&aW\G[p/t%!?5H-24)U&+@];8`Nknk(sW[?JV9m&Hr -%cF9d+CGH0oIa3(tX2/lf#K*W^7[OUimFM+q7tX*qf;mmm#>Y,>]m(?pK^U)""eq4!raAt;3GfUpCdF!t_-Xml.c -%Z2;93br%_e/nXY`4[tZk^n=ojMI[*`P_@.r8WGGqG+n^/eCJpB[llIU(=JIX(ZfJ@\W^AoRJ(-%;W"(;rncBhIW..SU,k/<8B'4V -%^9^'$]j4\t"#'ki#Be=0ibhTtG1T[CSpKE-*Cb.-8:oFeM5b\l[f\hX[,jN28i]UA4h]62(Q)c.![=9X4._VD["QZ:,:tss7m%Hh@33I'&<$,ZN -%Y-``sQi"HLj6,GdF^Pr\KRLOFj7r8%@V#*O*?!=n8q)q+>3-JXK<&l/.HbD`fm&)*d'9]?^u$*'b.Lc5EKQ@U7/Q1:&"(0[:5o1uI]"?>$u9bGPSRaD3c;d.Mi+:A`O]5'8n(lSZ(K -%>G7"R@HY,96%9@@dhmK,0dj+k"F@a8&rm)HM4MUJg(N=INR`;LeQqb= -%hHmTh/sO./+(niUQJ#QY/B'M1j1ISNmE>EVYIZuFkK(YFl>1c<'h(Ma8/"BTr&^@"r;>':lG7*.CbCjUDTB0@?f($QI7IaGaE(IC -%=7iP]&LJY3a^Z.pZI1NXVcgWW>J/33CS\)K\Y%m&67%t-SE=^gYdqXCihtCVDfnD]F?pp`Uo0$^%:l0'QO.9FpMJ3[FR$@Hn\dlB -%(p6DLgknP(.7p/_`o-N]j7`DnD^?#+;%pb;DSp1]GgX[r0(LL2aiJ\V]2ndY+"PY"Ip'`]Mtb=g,*e!b=abSU8$rgkmaU16H%DM% -%+.19_@Ip5OT%H#iD4^[P*Th_oBqW&dNFAFMpfm^mrT_;/NDJg[$Q1aL5ULrI^7AS9L=HifAfO-"-EQ'mgo=aB5<'b&Z4s5;>N4aM 
-%hSjs`\Xm_9,rpB2Ohl8QYTaJCd*F&[Oo7Xf6JXShZDd339EACZ.IF]P,3A[Nl\>i(VPd`s^SOaY+?ke"$sdq;IU55*ZEF_*C(5[c -%OldHEd>_9V6Z8)$.R!12LHk2$c_hq8&&[2G2fK(>]cpr=InJl]T7+4m`(*'s5\M)b=MF/ -%(9>4$NAoZ1D"Apo1Wp`NEShrs>=F=(Xs"YSG+M]+`S8#uiW-P=04Z34]0)\_B^JF7(c"e=FeSME-(NBEaR!,LIQ?(^:Y4s,)-;^` -%&-/X$"%4$@RP.&3(maXRFO7B0>pjn+Y_dA\>D9$B7Cp%VL*UrOHB4k^-!j=XI;H0P7\9SeI?i?.hluQZ@Z,]2_Q* -%W76Y2]mK#?>lV0O9ng6dX^"f`_l)Sk+ZQai&H'p6M[cS%[:BI`r;00?:o(3UD-29pGW)'qY[3um+m`+-f+\_.o6I)o/]2'KI;jdM -%ZWgTthP?hhFR>3T1ZlSWoYc&?G%+0p4naYFS!h34fkTAHLj*p*4Sm?bkghum[BpHc"SU0Ob'/%5E;(JlGb\c'ZCasiYhdZ:#/Ut8JT=)/9f`S&Krgi!5$p9P=0 -%iuo@BP=&3ne_,8&T>hn\Fde3nab*=c0siJS8)$^o%o&?A4o/'VhE80<"ZQ"A'!fig",IbNVXJ9;M8lg.WYL;@*i9L@_Vfc7W&-=6uC -%S$eK"N*0"KY@e&+'$N4<\tgfGr>DYZ^j05j@_fU>b!o+K8gj'9H0?/3j?tP\F,"pNjP,e_g;W4=U0bqp3GU7rXX5]0-m5V4Zl8*IR^,,)S9e+m;195LUmqMPg86@DW_;=QDl=/O3NTO15d!Zs.# -%fil]MM[9;dTUT(\/fB*Fisu((&'(5i:pa+k%(K1.VDSTsZ>:`)*OL?k2'iuA1;OS))\X&9?/Ru*YMR+Wu=QPE6lrnT)=u%p0H1\b=ZN%%h!O!0jOW<)c2hiHr:tWbhh@KO@M6fLOcr%Pm-MV -%h?ma=\kLIXFXq7NglF!!&hiYC103;^(fh]=0D"IEh<5m\]nWCLlRJ`)Rpm6g]b^^TJRTXCrh=pkOu*oL[j#X([YC1;paO-fW@^q9^=7EY'U?oRVM>O-C%l?SH,*gr:Oi;`kk_./Hk(SLD]Qq:CUWs2/\[-sL7kZ@<%a:*`[HW_X4N-LQW -%EW%A9Df?)Zr$!op;$m=aQ`N]h%,.d+p'OQrG_70Z(;^Vqqtl!hk1UTt#-FVU*+FK@/!U.OLRLia3$DYKmsF:-=jrTXn\199%kfdW -%E.KL2UhD*s$]&(0)AX)/aEX2a,A^2THEdNfAJ2W2<3g9X=ZeeiUH+GgRE]a4_#LG582c+g,[SBnX\`j7hNTY*L>2j[6IsR5B!#A/'JnX)%rP6W/0V -%P<--P2Q'u_WeOUgfXI[TZ\@SQf$K@pE?fMII#;_u*6ot6IiS6B)JqRS^R,V[_>OoA%ZIoRBK(i'1CF#;*EW`@!m2J4UgLk'HSp`ZFl!F6bRWC++u6W/^/+f"E:9ST>)phM@DMdmYa>?ZGK\ObSV9a(nU7`nJmTYpg^6],(26rcV&Ek-cXpZt_c+sf1G$nolJ%_V6Idc4BXeM,F=fJg -%^qL5OUs@GGjYsZ:[A;j0&'0*W2P<]!-^.PF3:<'N[tiU(+SNoFUkraBi['8h!e3-JId.LBm459:Wb)iR]7dpOH&jE62_5(WX38@i> -%+KS/bHq?$9;,e8B9*.(Pr4T22m+WtsfLNA#PEeVQ&tp(55C'AOX:i0t94M,i4\3_Rl>U0aj%]eaL7=!`!*RI&lGUG4eT[@E"^0Sl -%3u`NA;f'BLamr8!ErcA+=o+5W34"cp;JfC_RP2`MTg#eCAgJb1Jmo9<77=>*Xof7kD^.N'"@UA4Zt -%5&GpL>)''"c,V]Sg=J9lF_7T^5CfAuBm@s/cS0%hRqa 
-%FC'"X_Lo"$R[)Q?&?35YHA)bR*kR9pYSMS?-/3mR\Y3KJ.&5VM\b[([2g-0ubM]k^:RYA9NV1=GK[gE,50_$$B)XR/]VneiAh1-"WL(6%.m,/> -%+7q=63i(sZ^t^&J8&SAWN_Ts%@c))&Lo)OP2Nq/qKs42$G -%PeeA/F)ie3ZWM+/Hd,r+P<%@*/ebN_2qKPH3Ep[#i-AEtG61p$^YSU#1SuhC;d?sjgWS)opZ:&MZ'9C*8T=%&TZR%%29n717n('m -%^XrsXV?DacM5?D\n&:pW^T]/_l`l89A_SYl.E&n%bImG)fR')S?@mFq-f2rsD-0msS9j"7b'#-6.)?:h!u^3'-+--"KF+Ft=j2oR -%"Bp>X=FHGs72!PE3>b+)[OC"lDS0g_c_AkJq1S,nWY+c%A91[gX42&g\(,.X]nNk&*>k:hLHme,ZjNW]2dicE"\@YJaM=)>Sf_ -%diKN=_8*.8;,,d%S;b55+VMOlVO"6%B#Oc05om.',+Ho3TF!Urhn?FKoA185#4,qcc<3<*fS&Z_C;g9Qp^I.4!F[4jnZWdF^9$n:YXH#c;R^*:HI_Jon/77F%U%A" -%F=7fubQ>`)mY+fboFLh/#E+Ij4q*_%8_pHa(N9/q*&44)^lP]]AQf1l.W,)/hgug6J`6fMn%EP1Tr^=s1CY@bI86TWuL17WihIGhBFRV=8hg:@nj#9:\ -%f0FL[k`uXU@:3I3CpJULYdj\`5VgR1Qh`YW69'tHOOa1]Cl^5:(#n?3=D9h_<('rAARn1bf`K*dL(Ej#,fqh54Hf2k%oKq>5Jqf& -%b>9!CUrt+k_r*9%/0j*A6BR@A"(2MG)Dbn$XX^RLDZF<9=G!UX -%V?*c-?*OY99<=f'+afr^p]Q])&)%'S7V:8G=<-+s8K2]PV[7&1PC!A"`K9U?0W]EiQ=Q*+]L6&,4QNBp1rc+Vl9f@")'igO@U%t& -%QNU]^9JJN[nAUYUMip14?K<%K:lT[/KQc+n"RC)%N-N/7j_klC9fj4dPe];lg#$AdhC!Kd_^MT@XFB<[Yaq6UZb#G;X=-r>Y0t -%`aV6%at[+"&^S<36t#q%Z5EN`I*]7J#BH?m!q5,.)[c,MN66(+cXosDfsqjBjX\:ulX5R4Pl]>Qjb[do[gjB$3m+]E\j/M?DF-7h -%7FKY'c._BJbfM2qohPj/9@hg`SYT-o5er[*[M'YkGC,A>`R)SJCiR#Jo34_V,E4#+].^"E?Y&i8RY5,SGt,kUOD!?s[cdL$cgqWS -%pXSk>UV?+385g'r/;J>efuZ5E2+Q`LI+DuTNk%TqfYWAf2nS+/^i.pW9>A6C=Vt>uH@=K]]_CY`HE;-oX!o8A$lp%;Y)b)pr6 -%_ok";%f6!85/5sd]j86f`/ZghB`s:b/IRa,oVt'Gqeb@rT6>5%pRV"Q!ShdVkIWVHc?B^l`Notj1S\>e+uRG!E&IF4I8rkK_sG<3 -%c%=Z^%T[']Kq4^G"S$h&AZuET-2F'7:J;]YERpD07fYI@1ck9lrdD6`!j/hSO-=O"de+*W('U:@_VUFLt7BF6QCMe<$=&n77(!K!8(m#=`fEaO\\DUr?AJ+gr"5(gZ3!C!]7Pi['LT2T5%)k1( -%,hYL1d(TSGDSo$8I)0Ab[nUit\[`s2QA(7<+ -%MYJR)FkI_ip@A-']DaE%h61P'qdG7P2:QLfcrAaEaI"qRTF -%,QLRi)<`0>m[m2[T["aO(A@T9S/*!l%/7uG1GD2[c,:S[Gu#l$-O$6kKe,;Guui;d0a -%EE%Ju+/=S0QW<2\/jJN1cf2k*5V>\YK7=_0dsre+'J++n=p/f@/LsGL,>T]qN"Q/_\4uOt/[AY_Ks"\-blXS\dCYJ-pP(CYW_LOk -%YaE(9*$Ci)CK@h[r&l5GY.J*i'hj#aUqlL(d=3"#AH_T/h-=(FE:2uKB-;K`H"dsZ"-ELf7CIa9-(m[\G4P3r&kh<>997c>=GMWA 
-%6t6YQ@)d8l08*mLZBfB*fSs")]Wk!.<'u)u0k*qFJX--5@G-6\1.OouPaE1W9>gA>J;0sP7.sInUq>M$hdIB^aCY(M>=9GsRmYlC -%\ZLDh#61*a[gu\p]jfQ:Ms#nq!N-p)c8\DpXLcnA'@URqZ1[\3GZ7'QFe8ZV(P-FS..>mqCZ8Pf20N)sq&D,EDBKguJ>VNG -%+U=Je^aU:3oYC9V-'!##P&4a^YkYDO)IU@K/n$Z#h)U?-dHj>b"ZiDo,'BZQZ8nS)?@0SS3DeJ:prAkldZ!&GmG/"q2^E]OA7I=Z -%_8h+")cKfp`OWUmS!>Z!c-),-)Pk*&?oTBbh2Qlr!'$==82NLJQ59J>\YES@`#^ZfAn+gX6NHRL)MJBK%4A'l&g0AHaImm,s#n-' -%!gq.r_M>p0J0p,[#Nsr/.h\2AX>2_;*3MY/QeWe<1()M$T3BOH]_(K17[h4+^qhr1&!fgIRRB9K35Yg^/=p(sPpgle5(kOAe^(ONg"UDd:N%TGlL!h= -%IfBRjBtb!HMdOK5Y8F^srM6T^e,<]!;I#j7(hR[V7]@If1Z`ASBI*25b[-bJKER7Y[(lFZ5Mi0&D3f7nqsHVsU[9jY5/ZW2hb1QJ -%e#\Iu68JS;%&+I,9G=XMAFkr(=j_%qYY.qgK(MdMh\MSSgtT;,_ll_ -%['d[g#kFRaDjWu0A=ade0rEpuI=)!^hlW<9=Un!/hX\HlGdJRE[=<")S1=KtiJCi*)R:@[R]GNd2[*P)\%I*j>^GDiiUQ(ta5@f6 -%Q<>-F-?G6=GFj0Wc4BU%11M=90;mOB8d!/>RqLSpJmr,17XJZ,gaOT`+__D=6bnB6TSA:)n>6ca9L'DibaBS-p'-03[8%[nncKs% -%D)1[:"WUB=raL"+B`;#P(2;;i[CGRp:9m7mhs6%,.,\^+e25O;4eu^mMB!l]\?gH^@;:u?,DWJbP`BK5o_+^'MA9i*PPthWh.H/>51OTPA,6sdRN*]TBRQjp-GUkWD1"WH$%J'[W!/2$c1_q_)K!2LjN"](pE-C(AK#-'e\uu -%pe+_Y?r,H59]`2HJ%1OO:[,N([YIWP"?^q[i$&Oj;G:^^.10#dT^:.AaL0;IKO>go!G5u(+(!s2=R[\/8s\U\]85[/,.`SZ.WcG; -%p0MY]\enN60^PApj546\dpI`AJ`HR,m9d^ohV1lCq.I#S-D8jVdfP6b=D+IR&N=S%gp@-;bOg7e9iVpq2q\#Rp&o5L/$=Nr -%XhiV%k\6F]X;j)B_e%Ki2iE_0$chO#]SBmY-iSY:^_[r&k'k*JV2qta%GRW8./CurrL@2G@Hla']G*ejL1pWOX+niHd-8hQo@=7(poTVs=U7L'u,^WL*+@!%89mhQr%DS0 -%ct"F[)m93RBrT,5(h2n&Eb)1n2Ui3!h^smcZcS*,>q$9,>jW_Oc:7`Y$pNg8Gnt0NYE&Jm]?P1I(Qc@n"5b]KDmV,cY.OLnVr?[g -%""1r@mkb^dUA*Di+J*_/Bd@4OQQKS3j#ae9MAL=$VpKH]aZHkGf5fqZJCt[gN97A)39Mu!lGEF$6j?5^QAXSaTHf:(Nbm-@<6P'R -%XA8S:Tl;q;OW[tB2t0V?H"n*6m"m$M3`*h]2$B'*K2laJ4<+reS"m6Nf_Mo`jkagC_Ztfs(@>*e>*6QQlp'uuNP?Q)e7*;T!sNEd -%$QSNS3:8nb6u>Ri7WV.EZt6s.*$dehCs/9u>gi3O,g*K)eU(1Xo'Udt*4Am$Z2LV<8Wo'InX>6MeGg_&R(m*A3N(?Nm@(Pb'YVPr -%>+T&qk-TY=c1"Y$#U!Znt!GF7t(n+ZG9K/;8$n6!EW<'qtt -%MP=WnEIBaGM5TMn9JoquOC(+%bsSm*l',CaaWpiWEIoC4B31][B%YK*)(0@MVrM"W@msMQI'Es(;=c>7+\e]UF"*bLDX1[?]'Uo; 
-%bZW_ZIV:T&_CG`^$ZY/UUd0EHihdZ$#7]E-rnh9*P]u'(g%;XRhX-\5BR4+.eLpMWXH_j$KV`97,A&mqd98GU9(pEM>9(XMTc)q: -%+,1bDC,7&)8dm><2^I[67;&$*2(a^q1KsS`]]&g*:XH'NHC[IiRM[@o1#u7d8t)DA2.EE$[_^)1"QjX#DOFWW3#;> -%R:,n@n!2cqSnr`i-chPl[8KlWlt*KP%e8*(S:(*QfiQ#Hd:DcPn4I6?%$)9W+G)Sl/EZJ[bg^Q8_:t@67;M])#(UQ(*uVPJYYP<bH]4OfK(uiaa>3j_!fq:GZ=0E:\1+9(NV -%J,Jr\`..Rns7fC)hZ)Pis7lWQ^F]78J,(btqZ$R[hThblc*+n]h:I/OqhOn?o,lDAJ+<9j1'_\>)&m\ -%]m%rBWh7fA'9O`@"3d>_7#7u9,5GYk5O1D">lJu:L_KXqq1_V&ZdkXQ86Fs=R,r-Nrs7?Vl<+eR-DWb*9UKdpf_6SArF#r\Z`3H@ -%j$+78TdG4na4L^[Jsroq8!H=]!@Hn+M*g`tR+NhHq(.P:$->)^QdNS=@1Q,b?<['*22(3BDP_^3*bVjkefO"6$O;SRVdLU33,`ra -%7ie_7>h$P1h>kHB-H(o)F*)5sJ]CKo`3[_#Pod!a2[5&p`X$JD/k4HI^5^f)\DU.&D7C3E861UacTVbT'>hctau9T)AO_6-]1r9g -%Fr2dRa_,7kD]:7;/n*UnUO^Q$AC0iEU?QoY_8m$t&"fsaZ%4NR5WQ:Xm-SX:9b!YL4hm"<_`A!(NfFff -%euAq!&=Kc=S][;Hpjj"=cr.?Q/LQCQMa\j#0qp4(HoOk9&]lZ#&f/peiRhtT(0I?T7+hhL+f([O -%ALAN!Cf^%^Z:tV2m5%_J!:Pj5Fnep"2XFEa:ea-q?[0*MC*PB-1V7iBs`VX4>PE8+[!^9[.Cj!RE9MF=QTJ";gDu?DWCJo;/\8?Ye!= -%SuVHkBJTb.e$=Ji(oMpCLG(>SK908BG)iL&VJ5/A]8g#tn^?@%qeG!<'ej)t^<;n7B[8HAar6A="8#!bR`9aG=\$9_IaTSm'S;@6 -%-7;B9T>Q0;`%UZX[AVanPOV7.*LiDVaq/_h(pklH:n%c<$KY-5QU)U'<1Fc7`YOOBY7;,(C[[.Pf#0.a%0BOr9LiH-TeSATKg";.fSg#d2S/eS&f'<3mLHPo5Xjkg;6!>FF:]d6o=^)mmWG@+*ld^nXQQKFbD7lM'$#'=h[QS[rW/jF>hQ -%&HL.1`72'BmA;!K0fK$lT[=$=ACo'%4=tUk'agR]/-]l)Fl^"_<5sit!P!'*T$8uA0X\O=XDdL:9O%,A\Rj%*QRn'B\^`&H-ea'$;>tK!'32!&n7DLq0_QT:s6i -%a*KT#.LkWEp*QS)\nOSWYgea`."d2fk:Sc*_Kn;>=7?HBui<',Fl! 
-%PGdu>fJaI8O__=n9]+l:KjYXK?qbDU>VcC%6;YnZSJ<8G]5ggIGZ6W61?7%-Qad?Kfiu_4_C^$e-luls>sZ2!S6Aq)_Zu@V4P^jB -%UhR\.QC]?JR^Gfb?JSd&X#6TZ%BcT7Vj`]N_!^teZ\`P:,0@DTgP*aU2LQWU1QiS!ju<1Wf5fsX$TV_V,)[4aPsoG)MhK\oU1Sln -%V5C;:%s%_fpXct+o$fgP;gZ,N4l(CkF*LQTkY5W,eqr#%L0`(?l[HfNn9`gAVMhP/5"93Y3g"M-2s&n%$0.<^Um.kEAbQqL*t80Y -%igc0Y0Q;G]eR%laZ.g:0X?A>F<3?*?hB+f#YS?"O1*P2>c"+9KlmhFDb11o\G!,HW*funls#tXN!?lPo^E7W0T`\J*r-^$+pp85* -%_AnIdS+j]nd`2q^[6V,E.@)V=.tu*j;X$&NN[5KBF"(MINce+r1jB&:(?p1gVX^&XX&F(4M*NopPKMOg+1gQhFDAqjb2^MT_[QDl_pt"l8ojTX+FBn@!YAS#r]4@aJ)T$!;V8R$.+bQJRXat>rPFpBCV5Ag2E@Y1,1he(+(-d'$ -%!R9uV@A>2^TRE(+2f5IjA=5V.ln\9RVV"Aoahl79nnR,!i*o,'oO0*HrIPL)8)8cEpO;c#Dgq1PgAPrKL]-nLJ,^2lqqWCJGR9Q3 -%>Jk!SEgrUF*$/@7];Zs1hk%asF_!LsDblAjLA5KdnZmZEYbjl(ZH71jd-5V`T$f/nEmj"X_pJ0Fs^K;d":L -%mNi+RPIS_3$_a`Bb8;Ht8E+^ua'9o/=K/e6\'0bk$:5B9,EIOYg`f\UX\\R]5JBVUIiPBKBuY147rcp&"N`*MN?*A8%d5c?`3@J= -%cj7,ghjRgV;=g]rY_EC]!A.4Jfk$aaet$Y!ag2RI`O"nOi5'9F0B!7CiMuDmA-d-[!/@>sc--j;u5"Th$/21]6f/PsV#R4t;K2?,$bE5X4PDDV_mD6UE.Cm^S-,2=llt:nDI"L!1=IG"[ei -%Ir5Ma]sAfsFa0t3%459DVNBaib\f8K_strYZNK`]3Q1"fDAHUXU3MYt_rOO4DYJRk0,M^m("!4GS/UX#5O8&"]+\aT3Ssi_0(+4N -%Jk*n^2-lY@"Dl/ek',e?m#o[c,uekKh:0TQ1i1HY?5Qr -%F_&?Dm2k"iK/@kO;n/*[)tQL9A9U@kZ,03hq1P.%l,K0IJ(k^LJ6u+l!8pru4]29?VIpXGJoLM_Y6ZX3J3;Tn/GK&pi8=2H1CZ_. 
-%+(n!,(g-Cak#rgn,')>=[^fC`f3tGs%5D)k9IhT*@YGd8/*[j4X'6*826d/45c@=q-V@XLmpJUKoWg*)oiu?'"'OoPVUu\j+.'Xm -%^e3gq(<:=`nsT&[fNF9lN8i.nSgCc.*bN1a1?\k60Y;?/5Vc7faSI91P7%Y;*^]Y# -%CpXbak1t$m224cZ(Cr+g63_F9*f;i<*FsgSg(D$^&qoaZrG]XFi^3/i&TX<)YSm\0'g?X -%A!pb5Z[)V*7-l$Rt)T[;3-BBDl.s&?&`1di:(9,=_cGA8H3t>2q)0AE(lWlJ?/ZOTEfBK4bZGtY^=.PMl.hY.99XjUi*;a;PS=uR^T=@`cDFM4/E:q$b^0Z$7O[sH23=[ugEQj@:ji=,A1#")mGMaSn,E#Fr5HGKiNN7Fb9-`JT7?gO -%J,/Otrm),&T7(25['oOts7d]8cTh?N5Q1G>5Q9>CroIL7q=:^rs78JTiU?:&TE"[N4eDRY*rgRlX8Y_Xor;,1Z@&+E$@?@;Cl%X1 -%'%QB6Ys$pLqj;WaZ7R)oaA`^2?ZgNpDjEXnV,AUs+U&fNqZ=1TA1*QoN9\FiH,UY0Z#W^nZdN0qn.V]3rZ+qgaXEOJ^:#?R[rh\PnJ]:^m9Zg<.UEC=hN\i'#%=0a+ZeN^Hu]9gHe$&\ -%s.[W+3NEDVEfAK;$_cI7+lpauAO&=*0F/n;90I0%:!X_=#X[N-5?p^..TN9e1TJ1LEFBPf]ci;Gl)VFVbuTS5NS]#Qc:#BUd;Tft -%^Af$lM.I::7\f83Wg+M.1j,R/dIA3^qeECHk.<1IAmQ0T?IW&61(B<,dR&g>',]hCG;1'E-FCi%KI"huTge:G`8'<:Bm1N>DqpE2 -%2`%duroSfqpE3_k[79q\ -%poH-+;U'4WRf;CRb4_hl/E0BmIqpDjN`Ti4hJqY@)M^./dI]oOIF?n\%J4\!j -%Fpu3BPOKriiC/W`D0M#*,Do.+"^8%DY]e-4gN&pc=@*880S)oGW,Bs(Fk>0:Mq<0>4Vr;2g1N.K?Hc$_@01@$6M1S -%Hm^J+rsPHi3sFp*5b"X%lE(t*mC2SCY/G&!&.A6b'G3)n0T_p-]?(oa)2OdM:[5gjj,U=_q@K -%5@!0Rb.9]D._qDhO>*q7JLhWTbu;UR.9oc27(Km9KjK.*bt9VE_*81T"P5#o=.$[TqTl;ln!OYG/*# -%UDWmY-fHU^]b;,.bCR9a67;t81eCdqg8>9$:8IX8Y),^^$?]jko!\*XQ>jkHjr&24GSpe6IP8_rf:It;[1k7b)BsDg27K/iYa9;m -%>d6:s0;R!jOI)Un_W0![?t*@RjPUurSQe*7.OjU?E*U`-5agMm>Bq*b#WcUcff`n211jV.n@U\&"M]10D_2LQDK>uQ"?C5iVa)@E -%0Q#!Qb=l3&c#0Ib',nfE_IZO`5T,=4:f^g\g!q?@@`h^u>0B6DK*/dAo5!;1t1n6B1]fq -%'/J?Y6(_R<753^LnCh@1;!am3C6;p2PP^/f=Jd.FS$Y^r1#2+"u-kGf"ETG\)ZTpZu5Df!E],/eDt* -%fBQ:'11eph -%Frg5KRE3*S`9VH)M/;^ibV#&T4lGaF^(P_uS`")]_u],j_bOpDr\^BghW2`IR!0'W.66PG+\tbq:#]KG7fqd."%19(mBfK/+`!4. 
-%Ycb=Pe*7EqD[nd=f9RQYoZGi@qEi7mN2X-4S4L(D)]E`S\IChn%U[O"+GnN:X8B!pQU1Q7iY.=?B(C$/7FJDL:qs[c5CW<@oa"p& -%d/\/4QE:e\^.Ra*R2)>QiJ$WEG#i0si0M+l^ZLKB*LUJ2;d9A9QNNG-A-6CYkGo,pD/[9@UtmeMQac:[Nq6e),FQgraLuo?4IH\j -%_=+XR[^8U)CK_ho2q\j_\*Z,4Vq2"@,:!nne/8Gi?@Z1:Gp=S@;HC;f.g*[kem.M9E8/8%-@G`\6`bB.Gs=N`39's$qo[Qt^IgOZ -%&Y+X3kU(EGPH&C5*$*7Y_/?J>&g10u?t -%A_WfiJ"h2@MRpC'8NRKL.\RbMp.iPC:?#loH9lHmY2^/,Yj;mRq%cH3_Mj=5cr[iS#C8VOV[q5]YN!TL^-6eHBSZL9Y0A(gG!i]( -%1L[H@e';`Q<'`7JN5VT*+g_eh5&SJd*H8<8@H5B9#qo`LrL0%$@$_[SkrbXm$X9hZCbqsM\D!LN#e2bP7^h[Gs&fg+-$oBLMc)sl -%hrQX+WKV-Tjca:j8WE)Pl6k!+N)7I_R_(:d>aMo7fDK0iL&q[X.k3Sl,Wd>G*On1#A?8+@k^i;odq)#[jln[UK(MSlh$GY0K3_EHAYC_sl6q;1+NEc":N#fhK36f8h#^qt[m$:oqg4k3ot/'>CNt@PD5kAU=g>r<1Hk*h>+h -%':V8Vo[UoB]5j4lqB;@a6$AWN+"6Ud0&u(*rt%\f_"?qgP(GT.G>\^O@_`Gf[gX7`)EmNpCDU)JTNRJPpT?EJ"rg4< -%gn0XsC>l1'U>-dJ]L[XV=1(%O-r9P#ELL^),1#6D0LYAS"1fr!Z]iPZb.kSo7]JWm3_iFg^ei -%fW6r4_jjiZ@HupZ=0bo@Z@$manTK>l8JZ5#+L;kNRAUURVaen(qQUoR,[L$Vks[XJ^&KfO5-JEq0N--^/&56kaF*5$oal>Fd$aE; -%R@`XXX1d_U+<#Q3M9*94iX:tOLJ4i3^[R<($*@4MB -%eeq+Y,$2G#iO'Lc6,rsdRD+/@DN9UZ!&k.4pX=YqH.cF)TBOZTodOZlNn=onC0l--r&8HFU/rZ$k;$I'cnK0fMauSdb*N+t4RJ_6 -%6VgsS/C15!e?OaTjBLl2@PN'`YQEhAjLJjSId-3>_dNV#-'o4B6t\(!haLJtA?J^k'8b[AS+i?CHrbRARHjb' -%Cla\\=Z/Yj"Wg%Y7neX,\VBhK:l?`i)!1+>O^WDLHYa,-iX9OJRkO5S.q;*+DmC?]O(J1@O=VI76;Ntk+9(kq\Xpab3JNj/#7rTS -%abd"\1AL79G^`\b7^hT1rUIenqff#)RlLdOW6(D)U,gL -%KPC%[0[hN?Df7NuTTea]45T&[b+aU@;.pFdk^i#86f^7d0,"V.Y+Xe,$93K-%s^4R]=d -%)@g3H1TFURA=`XmW7kjqk];r?DPj&=4#l$(@;'-^($,KZ/'f%cV`O8T3=[0=s0j(WZprF0>!SnQqYs"G-[l-7D -%[oJ6gI`W=YADJ@Mb$e=Hg+Fn0YW.VGNL^5mTL-:99J#Za=hi_)mt'i`hE@&L13qc[^G+oN5U_4p -%Y"h`%p(B_)YZdTf-IGn)&W6#/r0('I7%!qe?+gf'DNZ5OaCbD$`Oap)f]S`^ARh%Y^T<]!ok`%(KhrZ?`NIa`5CT00nta''A4*+] -%5([U[E)AQiOSLRl4Z.m)&EL_'XP^MH#_Te7`QAC>2laODpDl4lios4mEWNqd3,]W-)#G4cPB<`qR$KrsJm'9g&QlXL&qt9>DkN'g -%>Eeeia#'*1RO?$_DciT<>o_*GWBO.$k?OY>F:\pX_*&d#BHVWf\QBF6qSrfYl2&+!5+'642k(s`P*R'*EffCHA-1WQiI!m#,b@<= 
-%T5D]"rjZ6H6>DYI%Te_sjhP=Kka\M$G^"96df%[K:(+6t-6K\n3fF*41bGm^EQ#sWb=ij3;6\p=2JFdeD>E"k6t4t@^%(X$c/"he=.(D7@FMVD\Cin;Ho19'2J=M.D' -%93D4Ln+Wgm,:J$m^\Fj&PLhm8k^L3"J;@Q-+emXZFG&sTK31])nN7f:q^h8[F>ko^krVS.M*0RhtlB=jNpU9pO)7rO2!5T@JI)+s2N\#)7elFmQIG00T(M>MpVR4'Xe["]Bl(3@^YM)lL5hfTdua"kA=V$_4c^+dKcYbJD6$#ZV]$ -%Pk5/"oi=E.&O8CRRrqNP,Wh8P,3>HshOQ-P![l$LW^[+n"6<(qa4HP-FR9Ms8-.>Ij^1j&^b=gQoq4=HB>g4*QZF.0Cd\QW>>aNf -%]E`<[-7cag%;_0#Ai$T+Ak$c&,gULF\3A\3N>+$Fm;$Tu3_qD@4F4f)U:k:K:0=YC'BjuelqeNnn]r2.MR9ZYFDO$qEOQ#foq"XW -%.HGM+ABp2B?f?=UGNkK^neEl-6u^be(%3;9%U?Q'*u"),I=58kB0/*A.H62Z`-,6KlW&R.3Cd&$:MV_:Xn)l'mXrg>OUsoKc8.a> -%YIdJ^W%LCD-oVl+&S>MC;S/oImd6V>2qiDbF+>4Br4^4ccZ;05Bo4TcHqj2MP-Yf/(bKd2m+,cnCNr\7a -%l=*@6MCe+"0@8_J?ll%kAbr'&\)!Q&/6O`Y)fJcH^fZ)VDUHS:P7>JY&M-p&"t@?XG]l'/V?cqDkR+hnEsB>D^pSK[G"aG.A`nXi -%:4='VS.%h2Tt$'?#Kn\Sj^j#6fc%IQE2p;diQIOp$hnam&L_3&^\B:`0e?/&N;%MD.Rn5A#R*j@Q=fsG)lR(d_niWp^t-i9jEV&Q -%G%$V'H/C?#&ZB#4ZN<9_2lh^9%!0_^!JrR$#*N?!$Z"6ZMLZ3E7EI#"k*>mU<'^QRo6G8I<:<"+dt:tdA]%e)HP!<:+)SsP^5\e. 
-%m<450&%l2u*4J4Q(eKe@5au'p$hWkb.b4;CWptoXF#r(aY:n(KID1r^:*4AGDYITsLBOrY4aufUV>Ofu"PS_?"Po6Mhn7M+LXg]Q -%kokL7[h=be@`A<"aW!PuRZIiq1JTP8VH2o5EVqgQm'%r;r-eZpNg9:C2I^5$-m=S;>.9Ik]sd;=@8th"*ZKVdH,r,VilfVnE'B34 -%l(c434Y'BF&XaQB9?Y;ll@^AnB$[GqQq]+!LaTfM3a=F=dl)jBU(o%cB*6UeIHeSi(`5TogGaK!J>81'Bl4S6f#B7rjhWu:^enJa -%*=)P$fY\RqNo,+K.QIK6o;&JK.oG=l"Q":q'Wq#/TPc0/Y:e\G=WJE<16QCI#;d-K/EL>g#QoJWEV4WgDL&JMj`KGkZE_tdfRqt^ -%Op">q4$4$t\(j^KrY*Sgp8^H6?QbYW$1i*A+U7%m^!N5>B`,?HUD> -%HY\X,s0s1I(!Lp1\@D@@nm7si_.7hE`IVOR`u\Qcjjqga[:9kB2BtSu=#P_HNDh4M(^l0V>/F[_9JD+%NYBK=&QMLf?0U^P2pT -%]n*nl(>3t6Te!kDC,H:ip\?Kr[YLkm_]KnsNa[u250m"Bi_,EP#?S -%)?fN@F&on_M6V7ha6&**4Z.*Zf@,BGE5[3t-i&1Z?0e.cGF%8c=M?PFU*ZT[5=3\S!U/&_lW2MeF-]P5lQk.XpN+Ot',S3=1]1P= -%?k-h&N994MRB4K.%PY&!6;O3qZ6h3:eZcC%Im.H]Pht$Rn?PGtDaji#Kh4H)aukEH%tb\b=_Kn5T8k4$3&b:0,,J15b!LXfOcI#ScH$KYS[^;b+ZYB^SF -%H9$7K7'K]$hVo:&P#Xqd@`ZXTn?.BaD:]TJ_[#SZbXthIK[ImrK&'US1-N'/&F@B -%p1ZNr-JVHL[VRV"F"G@e(AEr>LBM`FBo2DHSkK,m<(*jG0gI_S4sO]n[6"J*35`G>L1kr$Qri"cajQfIN:97FS5S)/O+gC;R5)S; -%_Pk4qkc<qOko(s1G)r?,:AWQ*98YYE>];;a7NhT[s@;!T)MTY%Uluo($J(^"hkO -%OjK*MV'JBbcaAb$lqLq8Xnm,WNPa)?QgcrT)+OATMd\`,LEX:l-/Qb9*&3.?*p,\X!;#OhCs*+;*X?:*;h]NZ0KMblY&SR$_Qg-fcpq9oAQ)p(3jR$9->\f<@pZX@CZ`gKgB6#)kj[2u140XKcC@0TG -%#$U:XUnIk"c.jbJ\/D]:#o8GQTiKmlNNQhI]IXMW^<)\)B(_NU)HirngL98I&Mn3#moIM.lmM1uQpXQG!ntmmFaMV(0_Oc?B2]uS -%4PkN@/`rlC>FlXb0d*+%4XrNH!>%r+aEQ+<:DQ.gTXJ7Zj'a#Lnk'j$!>O];MshaZYQMj%^!K@&6E:.4YYlhuaO\SG*+)(5Ea%q`5A2Hlpg@jRFS`\j4m%.\3/5j7D@9;pR:^cV6a";40j`XV1@R@6(Idc)jH,Lja?> -%3V7HtX!50-V/AIWT5F@Me2)H#]*"]"CMoQkWCAN*+VO`aciu]E\PHucDTS/82l_sl[4JnopRe+IfmpZX?fZaO7cU+'AaWR -%mQa.$LPL1A[9K3,ls]Kf'/tQ:(IYl/eTtf%Om"\ob`i/09%rOH/p&#A>NHmJT"un??e[J/"VTUD!d!Dt*h]`T?DN`?@gsQuYXn-& -%A35L2.foN4X-V[2Wku8Q,r6(uA]:i^WB#"A;k2DK:,"qV*5K957@La[W*8FDE&HO1DNclT)'c$jcZUsYmsKSoN[EqEnU1eZp?d+n -%^*`/e!o(&]MoV#FEX@i'8Y%^YYZ/ -%PBc=-rL0Tj`MIa#W*3*-s4lpo$`OnOD"kKrE;4D-tGS_1YFqoiT&'?V&"N9(,Cj)"n/3EQ"iS-dA,-10?PKV!Y*bmalXih,?e'img.+LLhN# 
-%kXJB4l#S)n9.[(($!f^20KJDCbUtRd;4o]?aPpX&S0OZmd)i"C?=_Br^75qpb-g*mf0QE(*;K#T!fe*n#4MK.&03e-g5%m#\b%\GjmjT51J.SB]3b0T,5D3]YACm'dl3N*Y;kHp907^6aW+NaBD5>rcogDj9I$=*!Sd16'i;09cee=Css(96XM$\0A6@7l%?@ -%F@^^5GD2J"^bH^LL&]qk*/O8M;/J8OOp*:O04sItA;R&nd&gV50^.n]k@6mC\_ADsQWaR,nWghKNqM<5nXr4+gtX7Q3Eq4cBAXp8 -%aU>/$N$qb7"O99[A&BS`2n@L3g+pc,d$qt&,Kkh[E#n6\rY,r&-pH%iVC3cK:GIB:a?/#0$fn*eUD2X'gh]%sA,=T2k -%p.B!s[5r"d94ml1AS%F*YSY7i@Qjk?Wkc/.;@m>GLuJ,204VHXZK/p5QE-%AZLT!iVFEqJ[d[GU]Hr[kcY&e#Wp=,r!gjSfVg80F -%S%H>_'FRHhWC`\q=-[WQmqPQm?I@nYK;fC7p#"=5KXrN'UgRW3k2W,l'VA)M3.u"PbPP5rQg7De] -%PN*5k#_dA-&aDe_\E\2f]+')h?M8K[oa=paZnJAWANZ`>oChj"_:4T)iaUG4*)"pM91N9ZC#3VS?>q-slhA+SS7EX?OFj(4WY4/j -%f,)ecZj%L)b4/Nd$Q=iIlHuQjpU0)KpIghsG!HhoQjSf,nImab;q\;=o%lYP>-F[6jFZXng6ZO<]?e?M1$S+.HCm/l^;OpjK#3#nZ_'7e\oQ17Da,[cGMW2BU-1P[<+S[6>?b,)Gf&hE# -%VXLH^!h!SQh<\(8JR^iQ+mMsgK8L)T/O)K1.Pf6"o).Jb<.XLpJ">PBCnKP9@3`G\a1ae>+_;`>s4h%=j4)o?G(k4*ph]-\e`73K -%?m=F?aW)^mY52]@2n'D_USb*kNLf-&6if3qgH8dILnhECM!B<"H,d2^4$dPuU(@O[Rh_ii%^@JR"U[EaJP[?n[qA4'GlKb1#O1_M -%\)9\N;=FS&mK\3%ieaE8^b5rM6jqA[nHFlKZ?bT0o?6!(W\&(uLsGNP<+=IFLTl/NG/sPb.$]@N:#%:PM0@As\WR\UUJRJcGkP+W -%hSE-0M@`%#Y&&NrOso91`X4Xd)7^j,YMIKB1O,hjCY2Js3QUoY5%;AIB$4:*lBs)b/7!(Tj$5HLTbTl7gaOTFg.re<:e@0Lf\6=O -%Y=X!*muaddh1tN3pbg2FS1)*PG8N-Qn$#lB:HtYMq^<*\3c>C!Of;[$T -%G2ZQJ(J"5Jci#TdboIX*jO+QI;gH/mr6V(;!+p;!OSQoIJC+/5bd2u?DD"JL)K@ZfVC-Z.K..LKYAl:!(DsY`L!2O9b5l'XJN[64 -%MW48Sl'*b`o3T=uQnCdKB11W1Pf(;o]dZmO3^kn5HS\^,QT`pS[7Q,e`SC@<'/L[r_aW;@gV*Aq?l)mPf?b5(*j;m%j[66\6=Jp:3ej?epjK8a[ah=\8g5qVYi"Ta0sP`=fm0K@R<#`T)4'\:?B&jFDC4C#@$P5].k8W>k2d((;2*[1Du4F<;#WadD7nD/ -%dH0El1b2>[=DfA9TTWa-r:`rSRKT;P1Q:l=1&[1.CF%a[(*cPG5uNu#b6u1C!gW&[Y^S?(caBF<*5R$Pc=rqRC7I4ZMUO&"W4r_E -%eh"=r]i_:ICQs_k^Q40f*HDRii\1V.e)WZ[;66k`2BlG2^1/.6IhVdoV\jLF\ViJ!FRP>J;(SrK28>Y@";Tg(hti&%6nWG.$<*8C -%[N>;s([VXL@=pXq)h^O]>r2#2B$GIr@n]MAOnTcY1C"ct2*F'Pal&4=E3KXjKh0Yt09GAp69#t\P3P)RkTr;O_TT"R@]?EQU=(L5 
-%eone1S=:A6,6ES%]sHK_2Ie@$71`&#B"uYh1FHC9Ln7W;%EjVF#p&'Dn7]K7*8!p#DKJKYQG\94YK@pDlEC_F"B8q4rQ>("(ZhZI -%9?bMNE&)UOPC&^chC_,-GFnLD!7Pc%)96=YCJ5AU:64BJ[n^b"%hKIM6,s)T`JprLP7f[858!Vu"eh=>r+#_i7+bMTX_%;DL.FEc(!ldS5H@,+g,%>,ShH>%* -%CEs;mF75PY\Z<$A1=o#aXIJ6k/bT.EP5nPs5%JO-KI'FF03,tiPsP:)ZCpX]4M.qooStFGh.I>6=48^dWh3`j.[V.u>?A1FZ,pQd -%7%cW2Q_qFOmLEqTQfRdFW$U^d#V0qhY:8%>$9,dMW*JAF`c3Y.Y6@5p)P.)UXr=D=1*u%S[tN](@u&GE,@g8 -%-bh)`/>]Bp>tS18LggQ;M+45bMR%I'(c*sc7GRX.egh_eC')u+6F,>YiX/bi;#*g"!B7'MpB#mY`j,0pW[\h5(C21K5cut"k"I7P -%VtkI3e^'jYh;(i/TPW<;p5iRZdaIlF8I>_X9>I-A"cuAtm;J4JQUA&F"0$a6aG@`oA[;s%G\QBt*/#>W[MApRG/& -%[hk>t'[aiSC2::a%E9"6Sg&`?U.+.*1r(Xs1K0/Hnn'M%2DCHdb6.ZMnf^Bt[j7.'=c7Hp'Wh8!_dl&_C:i@X`d$f7D;fmUUn$^;1'Y2J#@"aJNgU]!f%W$#$->*liDgC9KKkeW*#AEkCI?EerD%QqV -%6-6p?FN'!5Z_iFLHD,a"^Oo0ETZti4I5CGU/l76ZXr>)^+];Z_La-3H(W+8%BD-/TmW#H/,4WpBBZP,r.+GCMncSgUd[ul&1kd^k -%?kiD(g';D)V?Ml6m/_b;N80Z+#aJGYpk-+R`m$^eM]HA(9kAY04adTIAHacjKei1j]pr8D4.X8@0lE$&Q+OD)'?)e)`C"CBpSRiJ(Jj>;V.pe:@F_.E@A9Stbi/)Om1FB*gkFsrl#)G99LPR_9@-pRKLpC)g!^n*t5ac@lFk^JD -%_B[Gu0WHc--)YpiQ*Nhafk)6onO!p%Kp\rI@IDOKh97[>?4E8"SRqm'1OR>!LQo/IOCa_>;:)rW01$9o3L[B@M-73',[\[tal/X2M:.+SVN3$Jbc9*p&P!]Ni'^EMcH%E=$cd#,N2$[/N7'm=G^s472'fjVt(4M -%^7RLhc^^+Ef&Os2a:]kl/FY[CVl)ZXgMe'.a`cV21i%$NaJO];M(7SOddLE@Pr`+q6N#V++l3je]X8N4-n/+Cr7ZP?`se[1(>R@h -%S@NG=aXZ0l&dL(2jgM!@=)QEhEqbePA((2?C2EbFm7Rdt@FkuX^"tu?6h[jS]'2003mNn\/D62JRS?jZO<>U`"65'HB8\\mZ4(s_f?<)FHW+'/]\_r/8# -%RKD`=n%`c*roJHaH0(sYS*W2L192Yn@f`(Q3O!mln/'&!Et)jZ$Yf[/`MA;t7LI8]5pR*U/*B_:9i -%cuO@Aq1c#t3Rhq&oFq"0d>pR(?umkPDPo4km7,\dmLY0B1^c=6UI06#2[XPPGM\iUgLN^beoW-]`JPnbfYk*qhsGfF\kp-2BCZck -%jXeOAS8Q"bP[(Q0n)AL\52?-bW;[.3&3#IZ>=33cXjD8A:gWbpbfm^iM0,61rF,mt!MEopuk?Yf>K6gl? 
-%(q2W0R.TjL$f\F9>W5W)oiUcfm0Sm7booK]j=[<3D=.=J-_f1b4?^(2-"#L1)f#OLh,UqJ9V864K0._s0J;Ki=sUIkT:ZaV:>p3[ -%n=ZI/oj&M"j/J&1`3pthCQE-f[ntEg2o)GcpK@?=OnZ(cI7ZT&;KC'CgD66#'W9,+Wr&A,Y;'o$7A_iiGmFXfp7)cm)Z*[Pt7=gZ#paiA_5j=D4p]TQ`gY8nGkqZKiFedmL3!F*&3Sef9`^!c!i`< -%KLk.#fq22Npcg@`]/XKJlP6=dl#09R(R&VhD@.;k4`3M\ooCge`$nGkC:jS4(F^q(#NXYI9^2?VGs<3#ogO'13S27":R0"(jXhL`UAL.dI-RE.e4e.2o"4>e'Doi0%S6FSk:h@" -%O."K#CdT"WI8!`3;s`l0P$QH],A6[p2EA.;@,u_$aY"Fc_i8 -%,7Q?'>D^8A!.Q=[Z?0g4Cth&HCL4Qd4#NP5S/h5.muPb:\0ORScPg>P*#qi)EE&*:MAYMG,oVX-YeL^k\6TGS,GfpI>#r26Km)ee -%92u,DGK^Z5/HL*[ZHQ;%n972h@>XKFma^$3W@)-^$=^9oG@"H;4*Q^FDYDg.[o-+G@G`SHGDNINU+gK,C6*(Q'qE[7Dl]nBnVQr3 -%5_:M',\`,)?Tjj"#LG6q4(r@06GU#m/DZPRWb'R(U4dqSJT\-Ibr9YBn2nkt25K'! -%\N9PVis$XYTcC_M[T*%#$/d@^]Kln+\'P'jr]E#r\"UH9g2q<>)9W%WB8IP#O%jDT-WmiCJH:CiOQFWtXb]sd<6^"?eJ6n9ge5;KMQ8k@?)j^P%^HZ`+k8E+)jl7GThh:_T48R8SS[cMdQ4K8(ZP6o)#9Xh0EK/%_2(9=UN^?Hl8lJ6du264kL -%3`d-<<['a`58004Bc`qQ`e-]0?nl)*`ia:(M=N@#WUBskj;S?VrARrP)F-I:-\]1gW0h_agaqK5`]5:E?JDb"3u;9]bb`q$U6'*] -%e9L($IZ$oYmD."M*%qmfmtsn!@I.^?[qd'b^6d!SXfcdBIn\5gHTkCu:';&5'V%7Rac:%;VuF8-"?^-_D:mZoU97[c`$T5MSO>Ep+7GDp3.X=5R9M\3BC/)b?.\M#SK>jk7A -%e#=pAs8"QZrDH)?Nj\W<0=!pZ.F8tNGld%-WS/JX7n_:a;8?%P"hbuqr]U`Nf!="EAV$9j$H*W8u8m:ss -%;5Pj7oKFf*NEH!1&?>O\].lO%p>C6`f#O!Ib*,K4Uf2&+';h6afD`_X:e6PUi4fT;sOijLm_W8*>&G'Q1+Ql=7p_T!-2*r?mf-F$bUnPY`7[KP!@\)'LA -%cE;<,%T[6M\K_;f.J/F9V:$&Y!7Ck/6SKT_X^ZVjbK]'cIN]IKAc@oA=ti4&:jYikp3XAD*U\5TCKp1()PG.-+Vm]e3='i@U^f9X -%dR!*Ih_Sd*gD&X:)mnht>s=@Zb.G6&eY4,3*'`eG6s"%eZPF*TE;,,ch#QXt-[jAClc&<&7-CDoV9VqLI"sqgr$b_gX5;j2gsO(\Xp&F=EFO! 
-%@8q0UIb1c-MS$PD[4luO&$U16b.OJ?64X(o\,qFI5j?[hFa#LnlA@pdN=`9O]tnB/o]_'pBW`Rk^_MS&^-@PkJSYF47lMOs-`:U3 -%.UK4['o9J8np,$t4@<6%-A<%#gQL:Bm@JuI)(>o.Cf%4b+tp^eKZ$QoQn4:6n0"4@>l= -%oj/XG*U@::SbL^1Gjj37ZgaBpK:3/\7ha)d5PJ)8>OTIf2Esjj%t/[%OL[e=@.j#XpL^Rg%YQRYf\)B`f5ck2\2)X`D91$fDteCJ -%"`M.bnX*bqgE61GU:NfuJY&W$R[r?pjQnKP)oM&\WVSKa7ON[9WKENF)`GL.L/U6]PaG)Z?$./'.tOc:h8j&@hAiMt`q0/cX4c6t -%lb7[GQ['m5qB]4jk("kaIK`3GhHHP=`)SJ'@d*lgbsY^UOrFV!L9*3._"WHNs8ZrluHNd1q3h/\+@,eD_$1k)EU#l -%l9f1;jP7uC*SJrp_f]7Sp;u\JS$H8MVgT&^*oDp^IZ#aOaMm/1LE6S'AnAVF -%m_Km"UA!D@PNX7$!$-4*34#e(YDBC9g(:7lFX8^5rPis"2>32iO[!LprPcp[>rmKlTL+fT/CAgH6d%b7`/GRsG++7s`q)gF_"IPE -%*1Ghu);K5q/'*T6'LqoMU;%N,dB\;iUjmD]P9B; -%1Su>)lkt<\Rh4T)-`HPh10%aA2=eJ.D,ZI]r(^aZ%_)RdQ:>-ioQ%qe>\`b1#!`[U^;qjqh\A$3)X"\b&'EHq[T9I*o1]b\J\/6T -%pAPKaY`s;mek9uGb@\5j+CH%31!?\a$t1SO+o1:Ado(cO18&!S'"qDR"3EkHo1BV'/O:CHoPr`l=Q;GKqcb\a[a-6n-hS)%/$KUgS]f9tW@nJQUrJ0`ZkV+fe1k];/Z2iq?k`=!N'SqWuAJt`f1L0/S!!AphEZ1m'`Y#]dJgsJB3cL->cpa8<3=MJWpieF?N0b[lL\BQ+#c5C+8,Qilio%kZ^37g?`g7p+09crP8N;91r5Y -%b\S&P]#I@jU26BYG*>n445bnGgaS"Q_?DM:?HTsFlkZ9NF.Kn>lUjX?*sNPc4@sUq!=9 -%(1uH*eOe];%Xj73>K$W*`C6AG".P\JI_sI,COu8fE5t/)&"83sCn[T\[f1p`\Q,q>L#k8-E4GL$jQa45JI,l;fIWj'2K).t"X\B@ -%4?G$(Wq=mkDG&?^cB'+9JRp_:5k#M_^Sq,0V7`!JnO)H_>8?r=.;4M0`7<-Q$>7o?%AtS8aL5I$HS/hAT#Jb:%4c6 -%YHZ:k<^7e;\o-E>W:_KY[Zl&YBD!5,>>Ff;4P5%:;2%G+o3D>ZX>YoufjltO[IiI8LU>`"(CiG!/;Z]8nuR3i5`#nD'HQl_u0,>**?/6c94S?#NL,l0n&fEqH`2U,$TM0Wi;GF3DJV8k_'jB0g+k()/a&(^TGj5G3b/(DS3>+XW)S+hSUWphPJ3lgZcJOG[qr?9?Wu5t-N -%a^kXJYf#FrZ,nDGGB*6oIk$4#c4ZngmYe$YZ9g,!+>Eo>Q)D66RtanEno;$`Q`X`FiBG&e'-N=[df<;$kYVjD46^\%a\aK"=,0l9,6Vo18beia`BPb=E@,*nqls37cGoKu+orkSE]hM%:*@c#/O%jqZFVTm`3F=+A%RLg/9NXQ+;J:A#AJ.Gcs_ -%`hLgdh=XJ7FC2Qn4*QIpSQ>bD0]ni-jSuCamWY=IbuTfsd[Ro5/J]j]CV -%IRbqo\a1Xi_'N,84dUI>eJnOkef.?=)B&)X<4f4S6,K#"doCX]EX%2lX#Gf+$`6/jQB!;GM5[F2dr[+XDaBdaG8S 
-%e3.HC2\pK@Jl*.uFZYX7oOBAZ56V:d$Im-Mei1;5tdh@W!:ncldCKRQcom#j!?U`inLk4QDO@(e.tW7HYrE9;2)c/C3<@L'L:mG7L?->,Eo/;+@;&I(]N%4-hZ9,_NOI5;^:I/PY[C0\[D0?H;!&sp\?eu42VKq8K"^'SL[1G24%hs2'1Gl$h5#EUY<0()lgWJJ*<<3l3ugni"B(Z2mg01.JOs)_a4]-GIRe]`f%!.re+ -%U0$LL4uk?'<<:FJduL4nFt;8#U7F4KDmP7&^NF=n0qu:8I:P^GNd0NRb&SnTeICkfd%c71RKL8o"H6,d[Q&p.\du4m<>ElFi,9PL -%4!Om4c'uihj5*e6I]>=:YrHo0c8?2QA\'&p*b):l<#BZ=K"+`tkTP)I[GFrXa5Q3`#,kZ1$88H<6D:9+*QhVB[m2ZZp?7OF><".1 -%g7/"^YhdI2^#/[;3:Z#rk"l'hXL]:E=%i0+h,:NTFR`"JgW_ukhE%CdN1nbd`c(&;12+`.n5h)hRNBB[jMq5dK4ZQLe[ll$SasAA -%A^U]5R"q]N:s@-@649)n9T\6Po(tDKmrq#e,->&lA1j,7X9BfjAW1aFL#1Rc]ZSd1P'[iGZL)4mjM"+pp=2$+DY, -%Ri$]U2][u^V1"8Sm#B8PTAMVY3+k&<=_U@aeP[VpP$'7"lW[*(AsuO-Xe)J$Y\U!l.AWbsLbarthTT4&4H0=@%\PEC@p:=ZN%k5f -%#Q#7di.3n`:[^i[5Wh:g`DT3082&&so<[j8Hp<\:2j/AKQ[5]!8dMMG`>2nGLJ-q3[00BZKH6EWmoq>BDi];K@(^2PB>H6M\cDgG -%YK6%&V&Ji[]DE/)BYV/>#LMc<.bp!Ief)L0VUMc>I4P74[Gu;kcNh_HO?*&.7JTg1[Rr5Q-YH(QE48mt%(Q91`8N;A$/s1#Q`e4&TkJDoMLg(KD->6*?/"!.8<%7Y?M%4#&u6k -%9\\)@"d"udHlmun>?^7!&>uC8(QR.b,C%U=h0e!pqL0JR\%Vp\FQ"bJ[F(Vk57OnGL4-n/K_4!51bn!3;oi$<"=n"LEmP`^#MBJR -%T@h*CBqal-\pK&1(g5:U>%@o(h2'B8!SMo?QCh("[gjCL`VlHTA1c"DWdrV3'3QjOAhG5-l`$HDkHX]A1\s]paD?>SMj_Of'M!:h8>HVKsa`5Ytp+Z&oM1N'N=[[6S'Hg*tJFCd'Ld&f#YIP9*4+mc-^TolY%,C"B'Bmj#7fK&`D0BP'e(S\PF6e@(Z,NCUGN722WpFV(C?6X! 
-%"HB51p[mrkq?RB0ErtSSH[BGc,PoCn-%aM"nOE0.c\$V+GIlGEB&5^kUX:H3i"gpJAI;/A0e6V1hRq_ENK7p[E;K/s)AMV4hB\Ol -%`V89i&T;37`2Y0eogU-Z(\/@]8ed-sRkE'*J2Y#_"MTcMQG6sEYr_"Dq"$T/H?4L/ek%;l7FJZja]0n9CXWX8(l_"/qnI;m5pc%B -%CXu\=G$+]khX<_=AkYp5\o*=&M@HD-"T4fkFg>k_RX[O3nNG_5;s:Zk/1n!55qLq0UhV@2iR_rNHUVOq+e8KHG>T*fA2YUE"Kb>/ -%mt0p37=kS$g:P9.$A)a;DcPare8=:F!VW>f1pCR$:%4fM(Rn;0,`G@i/ncGXFp`P;9BofPU1JCb!Rhd`_5@P87qRO0:)UiMIOOI1 -%Q$W&AgGB+n6IYFk65IaY6sdZf6$'.(0&CJ2G?/TWllh&U%-:LR2LXc=Hg<*pFn/;8Egt3herFqD&CUs!QB25Ed/p8G<>cJm;M_&@ -%l%&GW_7ngpVD#bOo"Ai&3Vr/K3cE8PltT%HRFtRrAM.b<1Cnm:jCclT0^(bdrReThMg^!L,p0o$F"L[;FcaGh@!r7IoR0uX^(thi -%!A)D!c%6-0i)F-L^Gqt0Rq3fh"E7e8W#>j)gURReZ-S]*iuMec1-++G6ci_MU@pma"MGn`aKCpikN8_+^CR(5D99rsG1J[O-1MH4 -%^r&\h6RS(!H\02^(7u8%SF>XGoqTp$3`/CSO!O,9'H!:1KIq4)JO(59l@k,:2bcl"Q-P28m+7!Q#uuf=bfI.['C?!%HpOG6pO9`% -%Nj2-.6m&JHm:\%c(OHZTVUibuoima+^fX8rqeM&V<+]J%(e=qO=A^-sn^GZ`U6F1ErZ.2e&F\;`oU1kDc7on^pt?Ser*1<@`AgkiruNf"qZ5mX&Frp<%0"'@74*+;kWiH@hLNU:WCs5A$A_iYG'-o)NWVsa#5J%WX6uc$QF_5 -%FDN28B_:'pf!NlYAdqfZdPGD&bJ3qlAn2_1M=e.R4GB-&S<=b2Q=&<&kf),Wo-OPuKJ/$^*m,$0eG%]0Z[uEn5%/h!G5oj+$7@[- -%-$=(W/3JnX%ZqVDY1OXrH8$/*d/_P#_=h3B\oG15[@*EPZ#6%_]?+7Id%/T1I+JVCi+P/].BFbSQQAe#DW/6X?^gAOcG3nqW&Ood -%`d'd9Uq]#FK)5E.j7&Rqol2flQEI'PB2`n@GBYAp$uk]e&2dt!/I/Ukge=Z:RjX^g1U81o%$L'Y6VZ?e":aO)2.(n>mV>X```FoG -%luU)L^K[V^ESG\81r,L]65dB?WYmm>:sl0X7dpA1Y;U?+F%"3R/(@P\\7J"g&_LsVg+S@e@ceQ-7nO0B!7;ra9dJkWg9,Xif)Rs% -%!@WU(@uU]>K/M<7(`N/r.@"#AG'0_ugL@T&$J85rZNV?-\hQii$c4t'0YEm$CQ"_)1S*+>8Z`$4bFS=W%rU_3b`/i!:g2;WBrYrJ -%LOV;,Xa>#b6MW/Fn$:[WG`\?bVtS$c[6ffFHK!bY[1?6j;6;ll$8Vba^G1i,3efOMrPGZlr4/ha6-U0jTZ3/\TYaPpB/p'-#hCf78d;R'i@"4rVUGTD1J;.FNhIiWfZo_7d#!+1"4g7KHs*]gMM@sgXXTWd!&.WX(J>qoaO\@[*E\_ -%2STd.4l@o%l1>g<^f%5#+NMr.']=Zh=2S?TO$CtFs.u$PpXu5*&h'+HT+lb7?=je]-$gT;_m2]lFAJ=l7;J(E4L[:a8sbf/WEc8m?hbsA`X5Ac;g:piCZ5EKB; -%);m*>NO12YRcT`XD<%U\<*W(he/b)5K."\ -%qKuOLYZ+^'eDjY_bI0s>)Rhe?oK1(scba&8&.R'jFtlst#*`&&b%!"o_fN?m2(*3!kZug-%F7$l5[/goM*g7[KWl(.Lqcilc`TMV 
-%Y2(&Z$Jaq2UZ1)VQ!78CRk':L(W]%cO)H7!;?YKt5SaXfVL[CJ!8h?/!b3C:J2-m/U\j"a>]'Y8:QVK_M`:>>=Ji_tRbWZ1^s>KCq5')b?";'9seJ1eR["$Qa'"iSA(;J="$d] -%4X2a]W].Q#W@Dm>P5nT`X/_q+EbUIJ"70c1K\KLX\a/1No]r]8nj7'ZZ8O@NLr,p2hIUe- -%#l2aeU%LH'UaQAY">D?MdgG35)Xn9*0f94 -%l@.W/2kW6:;;\hOZ#6bZ-$dE`[/1Mh%>WT1fFOApRjrs:bG^s'MDVSLfU6)Lkk"\2"$d1X -%e+#/12(&Ptmromu[&_$/GprpTad7;.>g12u,0X+rOI]J:`dJI\]^[g0IkU3gOOh^U':GB!!9F1uM+45!#:X@@P%$:+a`#c@gmO3A -%;FmBV3o.W5I;>HFeuc4-RAD$HN4`U#+V]2>\!dp5Tl=e5?]d&X^]2L7s7?9f+9%>9qnjNTiV1*>nLsq$huD0o5+2H;YC?5X^\de]^]1/1q3UE6^Nf_ODuS4PIt%@ZqBc)\q1&D+ -%5JR3ZIs_.3s78#EVdJ^Bs8+JLpA_jUq0TaIhgG5\k0&VNo?L63hHfY/WA""b[&%,"?Wb'm[Z6<&q"s4t*m?@Yn,2&AobUOP?GF!S -%;#PlMTt&W%o.RlOhsh%gZN8b!ie(i-/RW`jnM)&goNEkboSaB@[8('(\fhS\h<[[X%++"[4+@U*=T>(+8JF+l%*uc70$rtI?L6/B>1d9\^58%kMlDuESW13DpNh@88"A+n6@fs%iCR/K2E=7hR-*oD0l8#qt=Nc@>&X>!9fsH1)]!bgL)FatS\T,%" -%B,.60AZdGCn650^aZHa\rRfY7bcU*;104b*/^/:T[:AJ8^:&%#/sI^nPF)+,#&+Q^efDE_5Mg6[q[Q(H>cIqcDS('80]VY-?.TR2 -%=#L5pV`A'BWh7$ujdQ;!"[e)(@]i/2*UVLFJqdX<"agH&p[7,4-[$QjHq?d$X-04VI2Q]?Shr`&0-]R;QNk_2S<^mEKS"79%R#7#2K -%3':.!I@5L*tluV6S.-pXknR]Z/2PNWFCc3uQdH'B4\XWRYNq3nQPk -%^n9A-f$'/4ZXqsb$G?NXQ%dVV1]#j3".1QsVH`e`GBRD(-lD9sp6rS\+F>8q5;oQ(%;'^Z*e)=JoRG,$QW;E._QgX^913(>hBkRD -%m+AoGp1"D1m%Xo_cFA$O::8i^S;\DRg_M^/FjVdg]uA-ng$onH2kM^N0"tkGI!N6o39Ki$+7Ags<0&i.RC+C/\27EnMKZTG`pNE. 
-%1bntnj0Wj51GCiQL_S0#Wo3[W%^53n@c%s;Y:c37(>%GmH!6$E-2XpZD;7&F/Le,R4[Mk9hK-=&,Ru+23dP/Hb_@+UERrNbl")]j -%o$hBD*G8@E^6:Cfi"8q8UCjG$o')GRNOu=7U&C8_:oP!Cf@*75nTC -%)Q029NQ.;(iPt,8^]l$1l^56Ba1Z]]=&3hunGTm%]dg)3Tln>4e&d=c>%QJDIbOr2"E?t^f^KP??k,Z_b=lb.6t$BSfuS/N/8V=E -%,@9Nj0:@9u5J)&u9^X1b#u/79qgt9f%2LB:=33i-B5G"Gs2+SLptH_TNAnXZ2!TYYc/Hb6dc9Dt#IC27H1b*uE96kUYI -%oC0asPe3]%M=mZL2]\EWpeuHs'$&a\ -%>j=-H@_)[(7!?<1OY5J+7.C"-^0V+Q@.rH\"m0B''b@g;#?F:>Q%S4!RDj-SCELoeGmoG'B(S8.\Cldm)BWP[8r)*A8Z=EETPsh: -%Z[/-V.?fLQO=\c/>4oiS*`Cc1qA-]jV4@$\PjkpR-q`P3=,GViot'= -%70RQfo.6Blc,/\%)DK>*\W?lFOZNBCB[)'ISHD,]gl:)lI9r:`=k["1^U3'660k(R\N/MS'bbp_$tmR$Hc)4&#,k0nF",.@T[9R[ -%>HQ&F9gj_J[+"-WQcEk`7X_e!j4tcKlSo,;+QJ_;TAP4ii`90G4S1^WUS!G$R/9fiZ@ILm&cVZb&(J"Toa$hbQi4rWjs66m*ujZV -%0o."oiN$T52$XeV?jtuXDVc4V+hLUc4`RDSWhQ^?'s@Z!DD0(`@:HB1ogK(.,*b_!Xd9lt2?d>:B%\DR;]VB@QL442& -%NrA('?(17`P`6OA27%eWCWe$%7W-(_*5ol",*i^iQkFlj_t00fpYm6:sIXNR8)SkMGb2b -%MEneZgc2'PB%[:_5bHI^H)llMo'm@@@YldD2d;tr(12W:8LiQ%R&HN&SOn+gPC26iT,C-3]o4HKMun9.kN*<;32%.Ph1+hUQ]7i)(Z%9M?O;KBo*),QOXYD3T;"aO#*Cfci1k=Vcr4rAk`W2?P2r8-!I4"unm,?"Nc1Wmc!-Ct^L1WFe_>4$._KgV+F"R,U?cLgsN&g+! 
-%!9.V;r7tJ4]*:FW&;SY7M(d/Z1l%sC5.'B&C>s.T;DFHs'MhOYlo?G6"Cb\b_VM%bNN8s#4N8%S*T'M=eS4cP_QpZZEcq_>l4B(VLD;&+7iW3[gpq1Zo$)C -%O^8D?E!*Q,@kT+D$eE-ic3V=AT7J5iYamHF^(!,V2m[rm[H^-O*h52#p^S+s&<%)kFQ56!M$&So[Upr/3..(rC[>I3,Q6YGX,6W9 -%LQKM>"E"C>6B;1@bPMG1@/ -%(nL0&p_B#$Y6`.Kkl+M.**!T94VT,K;`Nel>@J25KXkq\E[kDPLWg$%h#5=HhhnW_AmA>si5nP!;"9_B\!iZsToZR> -%oF>5jSD6Hl2b/]ic](AO^m!5d92iF(,.^%Cm;ah]\6"@;@>rs0_WnXuGtmO;6^Z!QC+-1#RgiM5Oc6&u??+lN+j -%\o>e+!Zq:dTX=?sq+K9g9K4HfdY3b=qP>OP7:ohA)>"4G2PV)]%m$T3&Y$-MO4697.e,8@pA&j+Y9$qO[VJ'gLTo\,hP>&=<`0Y* -%NSJE8?()bfgu>dMGr#^CGkdZ,!FOq?[eL7lroXPV?LHil^RRL$O"ZQ$l/?E,q!O2i`,R_]fQeN]WPa2YYkK14alAD-hL1GHom'=t -%DuWT\`T^&V+$YOEl?K0hS:AScnp%/uSA<1oqVb[Dq>_meiPD^Bn3N*6b/(E0n:Hg\BkD7'R'*K1BmN)bn(!PtDFD@tf1";Y9_+UV -%`F$*S]o_.WZZS^SB!.?\9[DMjfouQiQDSot\FCV!l/QsdYk:4#'8H\OiUD+PW")>O_sqq5.Z]AM_ZB[S=MGsD%kbZF>rXk\#9W$> -%F2![?hgRT"[Z<)&YP>UE*Z!%8NL^jFC"8fAp\?mq#TO=?`^;`V&@rjuS7=hV(d&f@X^anF%,[)=hD$E@L6'A?o,*WSL9JWopD=Sd -%"6a7!I14##In0r0U_&RNL1=]P0o9mDGT9X,a#(pQlI/W`NCg#OEg7T#)Jth`m@Cmps*IEfHMpXUpjX1*%eC5SL%;m -%2PIj3%CaWs&qe.Ikr+k4R*'H\`[E`p47qM+gF>OLC08(<;NA$k@GH22!liKO,7K=/P2bR.o04#),C@9Xe(@W.)VnR\/il'M"!__? -%:Le!Sl?LRAiD_jtH3J`^S?i"s8&1(:6eUMi473na_M![1iC=n[6pgjcZ;":X\mK-*WlDn2[hi*_`07i-c8(>itVR[R'A/D`\0L[C:\P?FKZ&;dfJ@i437+"gY=I#6UQ#;Sf2!$5! 
-%]jd9"T(u$>@8[]-OA!2bm%,=t[80VRf5)o^DI\;/p:/?"3'\X)ef?,g%LT/Gp&p;CJO<%U;bTm_b[n9g7I$'rEs'RlXuU#';MWf\ -%r4c2>2>iJiOc5l9$=hZiFR^)?E2-Za!!/Mj7-@>l!egH,qapJT?9uKg'[45jWp3&dGS-soh=(KKd3g%O;2EIQRk"FWSVsqVik<7b -%n>$*=YW@2[0n'P2qQJcmM:0QE70@c]"i&rS]ZJo;p7&SES@VN#>XH3O"KL0u6?++G_)GM*]t -%Z+6YGW8F9h4rItL+!>2>62[X2cS^7Ai84nMP:]Qg37E.m0/rL\&L2%)^3^Q9Wb,ijE,K1^lOM[Ii3-40o>^Cs5h9,j24A-`S89JoP>2^N1-8St[i*)&G9.ubP3&fuEKlHD7fYU9Q@h18kB;<`/L'qfWAeNNQ+2s0J/1(.B(Qn0P -%JSFt8[Gd>cT0TiVSXIJ=\)j+V2\)K'->N\Wf9V"Kj2]PCt:,r\3bI%UO'Y_l&3##9V!I; -%a5Z9FFSh@U6k7`/Q,FlRLgk0JVN(>KlM;fXH)l-qMsh*:5UF"YK,C^5lcDGr\D^21!%UEU'<;.;[1$,84eI\Kl&ZV`>l,YO'EZ$o -%*aW1o&A:mNYYc'ok?DIQJ1gKqClXsb-+qH^?8,kd2Q'aa#tM094Im05$U!L0(`L#+AhA')qQW>n"4D^Bl&u/2G;nSN$ -%,BGDbYLm'*^HKAe:j2/aj[m8%BaT:,VnMaM[1]-i"b\0iS:6Cq&^C*+H^T+V6F?2AA`C7&1fNLp=`7dENDpc_V,tg'WG#4Z0V*[O:WHI`o\>=@K6#/gQ$*? -%A.Y^J;:\-J`tWJ?E"mA'...VH!OUhpW9,V]iPn;XQ3CO.WHQTmocZ**5/i]JVM,b#XFl=?F[?r/]e(:\l6#6A.YkOl.`82YgO^&! -%N+<<`Vk$5'Eu]C9ok1rr"5PQeN8=XW%ZPPUOZt'Z;,cDDT.p=oQ[)$iBIVX"":V)M/[@rOL\ATXo$B:4fKl73kVQ18SZg]0kiNW' -%@)0NE?7o;2RFciW%SFDd/rf.1lWAtaJ6?oHT\GfQ_q)2TN$;1Jb:Ls5_Z1/?Lp@kTD.]m2,&D.YP;n0O@0!oI10HqoZ0Vl0aAN6K -%&,e)!H'\O&bo=?*jBKJVnOOO`1f!\ZgKL.Tp]QT66L7Tl#79W(qQNu3!Jt%C6f[blgJVW=X&s#s.k*%R'#0QZ(iT'],j)g+hEeqX -%]@\i5m$7lF4UTpIOU/DUP:srMG%PL_?5e)dM66Pr*I1LQ3V[4A(/oW_YZkF@s-c,)dH'`73OR_(p[mZW% -%=WHpa:9-FN:dMKB51G)K>1D@KV9%\iJEqj`@qb+%?dnpcZ'3Dr(ime7R.M*GX+X.INnH_%IM4LUH]$7PkD?p[\\NorNP$fWr)n(3Tn/Xt40,M,p0U=o4rq?ZI\e'lC=lX(=5s,Iu8qanPMbj8I;"F\)Wc/mj]*l=6q6`Nk -%+'6`;URb4GkS%[N)SaZ&(*2s`__,QS@_b40OsO57]B!4(ehD]cJd;+r>97$p5P$4!FF6SPoYfe_[F8^ -%[KVl!j4*!l[LnP5+VmllnE$86#_on3S?=nljI!3q)d&&DbrCuOp%'+)Ui>4ofL`3G13U_#bW$G<*02m2rY?CYWMFu3DQI+s!PJOs -%Zs#T`pGQ3@dVn.N8H!>uZTp>:gjo?(J"'eDkF8U1^6b"K=2-?MFTL?2%M]6/g.QAs"?aV;"Eb8$lAV0]'X]mtdJg)1sP,/D94c'F'K5H=*& -%YGg`i%6q'2'1n3r-IpY^D@cm@j>BZKJ_ZZ-\Qc(@am6#BgDDtEk64p@2poS2UlWkZ=!di.T+#)TdWQr7Bm`;$@M1if7;[*BI?@+j 
-%4ZA;Nn+?^oe/9^TldE(rEfK[/Vma7g.2js--fD(hq=t@&]7Lr^FHe!bZ>]ut4q7=:DHpZ);Rsf+28i;qZM&NHmPnf0$8F[K1'@Ls:qP6l(>Go_&?VqIC:@BHeEuO:#6U7u^LM1hfI@q[<\YU+6u"i`n[Cr`*]I"Ac,qM;(g4p3&s">H -%9n-NQV+L&R-nLOEYa]!i^8tS4:!'>EsJ(p%lGU'b^QkuE12_IB:u$$L9eF&.gk16ODNC8Fn2]&^NX2=48`'en";X%E3H81:\_qY!c',?';*ES)ufgMQI47. -%JPol\Aeela(UGQoUTYSc+$-$R.;M0rR_2D1[M(-*TYBh"EI%$h6VU8'gt -%q#hpa2JlRE:CFd5]9-jKL.WbLaX'k@;5k&1eJ*6MN!Y^sT>4p[I,-3lQL3W565oG%"e3mt!>/%V:[2-AWe6;cRSno?iiK>+0GbhIL@/(g\ -%NB'6FVAsRb%NmU)6&c-X:5E)%!1.b/S1_Xf`X]d>'$J-LM:CP\PTO7_Q]a_'!t8il@T402&PtbJ\.p/Ap/?kN49j*ZSrj#>KTVPl -%)umk)^/_Aa;h.BWLO`2mJ[)K^e28<9+/o5;%p0O96h$GFIbJ1 -%%$V%:5asocJ^/TpX6-V4anQBmdmGMk#:=<=(O?m5[Yo*Sg1F9&U'q]+kECdCN'"p6]5]pbDX3$u0Yf!SA;Tl[g>W)P/6 -%Zl94J88Q-Oa3c=_KJZ\o^`;[bChiWL3r&RbY"K3q?-< -%GZ>_%_Dru02d3`ufm7\JC,i54pAndZ0V8uim0AO5qPIEk%?$uOnEqZ -%#9G9FB/YH30j4`qe>o[b1Od\%4<\2ZIX?TX=WJFB)D_^P0Q-'/q'3]MH-L[+4/WLF%14GO3Sm/.E4VL5o0%BQ2hlZp!H]K0bc"-6 -%#>YFd4X$PZl92HL[Ms?C$*52>Lap,jX4:#\`n';aatR1ff;^CP%-&TXM[aQg#AQ[[B_HVto=d6iRpo)=SH.nm_dJfdG["$J1%W-6 -%/-p;+]T@AgH]pl1!h%g@gAo&l((p!hFH"Ni[m=3T<+`A!IG'X-hSA?GUa8rC@%tD3Z3.W(QfZB<[(25#q=<4$lJZ\Li -%R8O$Z+SC]qB,'^_2lsF$"ZWN4J9DnfTk,U>5_E[O_F3m\0SquhYPSe&N'6_`B(U$P:Q*)k)[XKS -%a?[JFCp$d6tM/M]L*khV*sGf94n!.NBq=#^mHqRALfg\p[)E.rMO -%!e=WN-n%AK>;TC"d7_c=uWZV]sd?%aKUUCHtqur6oD<0e+e^HJLCr:)(6:'jeLI;7c8C$@k2)K.0>$AUc&!<989b2o1<_2 -%Pe]7\^ED`]N<3)=&#M^jUg-<(1a?u][Ond;E(.I_@;aJgWJJZ*itCQs'fd.T#HS;<("0@)F9`?Z1k<\f#LjX+bW!(GoPt(Tc`HTG -%Jo99kBsNC]g)8_D7/=&NBN;]uQg;sJDlSA>C$5s)`&U*82)_Pmg5`DV_fa-o-h%>EnS&?18qDE6mr)Z'BBZ'MeE9[2f&;%&-CohR -%-BiOQiaca@Ye]J,@VR/pb.SW)%h3Nk`sY`rA`&',#F2b4Z)fDRG2HaGAo+2JGm-*W6M)2\H,lrt:jCKC4@<$aLEN%AhuSYgd5lc7CcLcg-A7em$:`-+ZQ;Q\mXL_un';P!Ot5[sJrEEY@9p^I>mWo_/u -%!ml>"WB,I%Aid)[N!(YFN1@I;%.HkaR7;DD@9JQ\6,KhKB=]c,( -%NE8fac[VoDKmGO\JET]e#+,Zt$GXO)@(8*Rc@i0'CBdM/:^NA;GDIS#U+:_3`^!1b/gK#rhWUDaOAMQ,kEN2Xe(-c9h.EJ/%91I5 -%']:b(pk"H/dR*#ccj?r#BD+%1*RX;KY_04a+CaKTGePKm_c 
-%'H=>SN8Y`qm,('8noTjI5k!5C/qAX,_8,aS$8CtHK2,ui?sdb_5`g17",JPqDoU?'C#qKC'#2EK&>-U0#NmT@G]mV;ip9r@ql*H\ -%;aXfO`P3PWH,KtIE>ZElo%OSgQ#.3pcs4\D1mG#iO%"&Q=LSVZ4YNk2$SuCJOYuo-D@o^)l]+Z7l6b+p+;+U`SNu+1Etf0,eL[e:f9;k!U=hX<%uq`"e'@aVAWtmO2rg<6i$UGaIO(7R5J`g(2@G&WXB+0lc..G -%jlF_>Y<2ihD9U3HA+_=gKf_U;D&FgHITP%mM-R=CJ$(&D;Ig@KF8F_n[RBsBbVW,V#QIb6FmHe!FQ[c$S4%HW:jF4c!sGFLdD5?4ULP7q&WSK\1q4fRl$6;8hfenE_Q` -%G*GjNOBaliZQ4bT*_"rr!c]S:\[1SV=eP12AbRU"GEg01M!7&.mlcL!*T[,>V#QH1JO`#B#P#Wo:>o'sn3R!A.$St><.'d7I$/5, -%ME2d^+E8ih%q;b5iRj@2 -%lrf;@-sV+b\:'IV4\FlY7_qSHY2)1k*?j5+un%0C$%%-@TEBI*d7OH5npg -%&,_Q6U<.tIo"\OVi45?q0dlD5O_&UpiuGTk8"S%h&bNj[3YRJ_N2-^PdZNd9j?u0#ViG#_,:i)2_0$rK*Ece]%'gQ"m)VeG@'Deu -%h2].X'8Q"s[lZD;*a!e;_V^InprFXA0Fj_bM'jA)RIYU`7NQi>OdU@;-,E.V.eL5$/rV/)k`Ib!1UZk+JU1k-*dOlK*7uKCp;!bX -%@,[[_]16K%!t4mT1&T$CIc)A6E0a;\js(91aHo(GWukHr%ufm#\,/Pq5;L5SeFEh[qN8%3jL.;Bi/aE(1V*M'_gg\4+5-T?-%N=: -%^enIs6&XYe\)`NPP&'?RR'q(iRb`ag,6,Vi`G4VYkF&^OIkj:KJo,M:g%XL@#g->l`TqgVoK0%CWalo[KoUq7U71VP` -%nt9TR4Gi@Q#%h@*pl8@Zq>e'[)td4`W!IH@Y`fc6D"1rI,d.70\SOPb6ePb/]+1>04DI8IkXce[ViE6,#f4\;?)h-AEhW.P'nm03)61=A9)tU/*Gu39YWcK5(4Ls+jig)d -%@;+iue#/k?(B5baSf,u<*O327at"dDe''cceOOZ-bkY.?6-/N/'fEQ6?ac\*3;+u%>;]S_h:.82=(G4$7]%KU./B:B\_Y!JWRtF- -%.U\l@;@_Y#l>NoRUsXgrr;e8-24,5M:;^F4::=,5]ErU`MPk7jaN&WS[:fqE[\-7L^l3r"TIDTMS$k-B@&e2N)T$*eG>od#8t;st -%W"s5:XAud[#f0fjb0F4H<&`sUHgRTQ\-!bG%95P0RFqqp!]NlO]68@43Wua.)3kojTG156A25iC8Sdoq:h91Jj\+jZ0piL5?H1hl -%WrSkHLE$]Tig7uoR+:)s3878SSViFS;F]UL9NCSgX-'[g+',?I#Bhs8HV>_QIoRZ^$Bh']2`WM@Ir7]#O:V3.^KiZ1aI)Tq`MnO899:K`Cu -%QKRqTHHth6Q[Dqef.]!=Qn(qmS0RiVD2t"8q"SP_)IIus]V"=9VheuoS!l]j_CLFo;!7.''"DC:`.;IhoRe-HQSI)X6+Io8ABPGm -%.<#$fq?kSNP9-4E7,"nUEWHpQI8t>k]DF,CdattHM-:XLoZNWQigedp`C7/t('mD4E\W91TYpC:M;oaJ]No,'Hkuc&B')Zo"D45d -%8H9G\2DuA^.IDDLRkE*bcTPRCpW%I(Si]FDTe^tp4FO8)juSa)pB.$lgJWA`EnT`[n$/:-^:9"RH8/_bpM9ol?mNh%Z2]_3%E)>u -%(!tL3`CU[_n%C'bpNl58`FbFIBaP4APm&4H8b`s#-R`-ZmOA4F%1a5EOaq-6'8l=nI&-L>\UtWE,>::*II*%L*]7S,P 
-%#ROA5ajI(I,cPisQ)tqsnJ(g$q3p9m-%W3g9Xof*e0Gn5#MB*XU"n:qOBmAcM2EAg$Y@pj)mEBB#c*0cVFV])9t:9\.l?,hX_$=Z -%[19&3V6Yn>NuULY_usD8_J/HNnYj;=b9!+ -%/]DC8.Lt1?'MH!tRb'fF)&TOBlWUD`X_%k?CR7Y#F/mSp5!g==I3jm+JbNYUr>G7^"#Ob)p&Jf3b'P%CT]>qC]j,fW)*@oVba,VY -%LsPYJE(\@I9fM^'N?;W(^-3l/776\pmcUi9YT76h)NaEighm&G[#\*"b -%(Vf"C]0t>""&bAcE*.hHTL,q_XeX`'TXgJo

bT6=p=9(^$%Lnd\@Z9i<\6P'MaP!q)?k1c':T<:Y5(lW2'K4mH9(&2q(uV7Qm< -%5l-pHTHW/A#&&R!ksU7&:\?'U!&gnP)>nd*^J[%sO;d3tY7I'JG683K8>dPl!2JYDXh]e6$EN/g()Ll9EHcdmihFiZO'pO,VP&*LVD;c'Eq]%';R$Z[^;G#ZpI7B,%'I`T@YQ/ZTq -%d%rQ!;o@ER@P!'3(ccc0b_9UpMOA!&Vp'SL,%MJATnYqdMR6ILnf8M9O8"q-1;Ja:EPps,.l.R'D0SqI-k-PTk@'J7%O:!@'3>OF -%QR>H^8[R2IbXgs]6EU;Xj^]/E%N7STi[?ArDQs7,@GoXnEgopEZ:%k?:;P-`huP&7`heO\IS)8,[&Crfp8n/2M%Ln@.P!`r\Ps(! -%P5K2,D8\sP].,I5&hKM63JSB2k[maPrk/QGBapP#V9^$b.\T"n<=q%:K"fg,aGif:m@Z/QX=iO"mf\X&uooMl3Ohg-);%<<^YTh';Ugf.qF(_ -%,'QIB!f&cu:%XP6FXIGd'.nZ-e;=\m9I,O+V)rN8ZX_eqJ@.fLflT)!=3_/0_>QN!H7hjAdgm3YH7Y=_)pKU9!3`mXrg7?Z^H+V@ -%XiX$"L^4EN&I%)r?`;o@)V^FXWZZbV* -%BD%qmST8D6,E:ilh@=ar1G-Ze/CNN&jIc]5H#SEFcfH6[$j1f7KgP_nkTQg1,b]#YpIt]R^-*[P&8\b_]3g- -%4fnbiRqYq]R0A)aIiWTAa/mu^#4@ST46H2WF+D;YiBq5IR"`32]Hb$;Tj0mN2Z`feK[[:jXBK'p3.<>S6n"G?kh2upU:Q+E.HFaf -%-f4"p^f#uDR8LB$9Bs&OX[psLCTCD1M^:G/!WL6n`L>j&BBe\p>_3Andk]f?gC(Ds(n#.qUBHAp16BOmjYH]]DL?5Q>o#J->7VCQDi*eooGgbN#)6ZJ5#YW(`fPL'1c_nY -%eG4f\b(DTD6p"QYO!do?$02to*)<#t1dPP),I(9u/]uq\Mqi.;0%='Gc+-G_Prjk)F9B(&`PIg,$8#U7]N]Q4 -%O-#[uYeGF<6lhR9&_0mcJ&,nHk14F#KRS:">`o9G`ueP(<&Cr`F@fp[&3=/ecgqON43)e@h<56b]_X>tIpM7J>SNZU?\)"piRcla -%QA[Odl_/KgpXG@;l+7.>cR/atIPY$(p'rdMlRau1F3A$-m0^,2oEjnAb;A4[ocbj2FRqdE@$$TI?']il$^;*.bW%RId)g&n$^u!; -%[7f,70Pa/;"T3.g)KX;3cWo,$"sf(P1q\3_KT[ie/Nq1t6nhXnYr24:\QeTnT"EeZ<@IDPCSpgP=Yh984>nZI(RPNB1c)2)GtAk$ -%N5Qa*lm\0G.n-%/P@p&X%QrcQLpWn&C!rDT2>uiU]J.&W/L,3;YrRE[tm3D\W6-"P1!KpE*C^ub-1o(YnW+lp!T28AuJ5q`P?oY?nRTn32 -%Q`rJDelaQ11&TOcEjn-73<_H`30k-5@/ts?9,NQRCC+7F@<95jpE.Sqk0Tak -%T*jRP1o9\W6Yr32ZPb%r&HPD*77d*.AKZ?^aUW27gef9Q*2/"L+r,R4f*LF"'E+!ALC]=*j3-Ha4"eLE(@=%5 -%g'MaQqfAa^Z#^3+,D+cXT=rU2pFNHO+S`&ScinMi>+^gbH-Q`oD=Ua7^G^oAV?>FuH2?Q[&h -%-d]^T^-V\X(>5f0:!Kb#`ak00IYW1ITmi4n8DIV56k.he''_KOWUBWlS0/G_!!PV5@U32`"#7RBo"41iRO1B2AJk9`d`!&]gs[2oNkM+W_.)QK8?N?))WtCiQq+]6)*/,pJ6F1M'3L.9=5jOQ)TV-@"QpW -%mW'<#8M7i5jJ7tV13;GMYkjVYs03niX<.;e2#5n*oC:qiWB.UtLX#JC2W!I0rHUL)_#X]=93]0;.A^a]o=/ta&>8J))TR6S,8>o@ 
-%eKbub)(?9X<7sKZE#oPCo5X^(i-q0WGGk@kjoqDDD5#?kWA2J7e4g9j[]L%2/X'lP!(-^o416:iG"+1>Z/'uAKSg*B#3Z-]GkNCB -%!t?`BG2J:@I4MV*n7g)E%^%.^!LR_BLk0?NU\ba,4N&A_B]UhOH(Sg2:2'>`a,P`K](riMCbfM\YuO/SpiL?Ng(ANk$r7,kc5:(X -%_e\mD1$=LQqi:$mTFQ>JV?\Vlo*PA;,L]^?JC3ganAgd2hTrDPI*DaR#ADfP,n;'#NJgLhE>X/0MV.==SYaH(h&D1^ojBgi3 -%V$_4Q>_Eq[tQG2#k7$"M^?+Q -%"YV[,Y&&cKXM;M&O^AHLZYBcB3auAED)J!5F\,tgG_3A[PX_@Yg0u]\b=$92GQltU\Vt=j!LIn&Hu3k5\U`D`3[@>FbY=^gaH@DWdh/:1?JMqK+Q"2#grR4EKY)$oi:%)ardqM;^H -%i3ON1gkVQf+oHWoeW*2[Xu6^&&IV3)^9f'CW-i:\+$ch3@J0qI?6*l3d!1>1&Zq&T.WP-C%%t\4OSdIDjFVQ'!g#C*sY?`RA3J:L] -%".4Lb#,@_tCHnNI3\%*;\b4Fi83*IX?[)rUj0AE7DJ%An&\G(]"3+M9Sp>nZWGn":oh\'._oKJ=%jp9M3o]g'Bu3EIX!2/m_&BU4!H"6&=p'p<6<6Q-3Q?;&R@\Ph30PO?`6 -%%ln?YB]a7i1"9^BZ+$96J9c4s7ITe/.!4LWA%t7FiAlZCOsf:U@5WYUu-mYsmVAoV!rI-PtD_/J@Vj -%bp\)7s'tM'Qg6]8F3uA^45c1#S/d1LHhWKar35EFQ!O$Y,0/H;?+X&I#['\(5QOI"b1#f#QZ(*)[<`IP-&IiHWcO?*$r6H[H]Q?/ -%^7i3'dK!ECi"LYTLh\sh+02!mRVY&b6"J0r-Y']WKN.8:R)c$Q>]'f]P7T3t;AZX9;9Lc"R^&>K6o.1VE-YEH/V1KIXor+4&\'EA -%WhC%gD/uHU-8_V'Xbb4-7DMKrYtIEslQoeKA[*0'\a"a.[@/Q'-e"'U]a[r1<";+J<3!tPp/GG.bjl'JG+C/d\r+ILb,"Z5k*NCn -%<9RnGMU9k'2Wm[Oq[3@j;Ml5h9qbU]m4HHpOVjn8C4#P[7:F885``rg@BCkp]f4RNm=$@&Y71LCc@XC`fW8IKSh"d/$>Q\Z8rca) -%oP,,qF0ZUOlDgkmSg8ga\aH,E-)BcIICE3*HVZa[b3>N6ll^,`@gdo4V:\A;K-ariD!&C'Cp#J4Wp"3.:olD\1SiIG -%.SC>+?K,MNe)%8,\HE*OE6H$T_UU4aGZ?`<:sDrF<`0$e[e82*CI?dUSZSl\X#uSj:/k;u2L0Qoa,X_2 -%A^2hAO0WjaZ[`oe!;KQYqc+"Rj.n[aN(GKS&1Fi`)oT6gRK7l=\dE@`;2gi%rDJh&WEH&?.Gh*+Ca$#uW(_gK^ls[0@'>.bd:bQ$ -%$3VkJ:e#3VeM+J6cn`'\FfoBoW.Ueh]WkML=t36+-&l?&k$3ZA*_F6/'YBctQ"_kbYeQ;jYiT03l'4lID7(fBbBH682bpMV*:"[. -%Q$YO2`t"6=X/Oc&;+IK!'THX<<^+I#72`QS_>h:ejn$"f!TLZLN)3&cf"20'(Vkf?#u7\`QP-QATH6r$OI_jYcte'ukZksmcBW4! 
-%/":^jCZ#O)0>'+4G&Is^mbg7;pQ^Wd2b#FjU5nu*]8@R?9)LplZ;O@ZAX$U_AI9K^=HI?p*b9q^(QF)?5=-D.hr(mp@,!'l/LeCIkk@6H_5/n6.4:g*[(D;2D@$NK'pZ"r(Z"A7mF2BL<-7'tUdR2;=52D3aU-9Fa"WO^"NL)q*1EM?.n#4]9#VD>ieXLP8EdQUr\u6^*)]B=fI'0WPs\0e(&#fo;N(2%Bk/,!WFG4<=kt:7DF+%ZHV(1VI/dbHQg70`:\HsOrNeB:+MDc]Dl^\9BJ6T_I@]oZAXK5[Z(sLct.*/38R=(ih[4Et2 -%/@QgO_iSNQX#&<&mcI#cV;D@d;mfGLi;3BMVMu>(foH^mQfYJ.?*E\=tcpL*YB;[L*Ygo4jSP85"tPg<+F^ -%pU7a?9hE=bP&8NMCr,`kn[+(SkN:B6KG;bP%C6drZ9@q#gP1\ -%mT#O4V?p+VE67l$L#4Q_*otOOP,kqjAWujlE/.tO:.:(7893Wt:9[InJ"s8L1XJb##rI6%HVUNX]O'"2FtCO]@'O7s!"Hc[L3`u5 -%pSuh:Mb8g;>X:0J0kJ-]6ke675QbsZ7(^M'k>h1?NIs-%'WU%2)\Ahn,#[*>[lX!#-'ihlngFl,DBo0%e>:g5I7BJ'%"i9&gotG<(kRcTu)GRnp1$q3q;=KR?j%&oJ^6p>5clC1^`0?*\sJMc(VkROuJDV7`ldON\^`%"hlM.CJ$T[M(#Y1b)(t -%H!UTIDiBklFA2A+FU(U"#_Bte>]`Nn679\u9u>EV&icP?81;Ni(u1_Y/Q$5i9Qi3OO@51L:A+g_.FC^4"KHNE`)qC0``1$H%ishXrIq8RgfR9 -%^rmmdhLc)^cIK9OZ)q-a$ar[^C_:@2.-BX?iB+[(B&6SN06c]>YfJirj/\)>"2Q/i.KYZ@D@84&j+h$II]4K:&qPhdRqfb#%r`sV -%gu$IMjA=e'/*Q_LT8H;s@.`bck*L?=^slFB_2>?Gcj-:A&Z^tV/g)rP_'2hJ_XXR9UOAOEZhiE1biL?-JF`24"9VCNCZi(\P-GiG_jSWCl!h/WmhL-:An -%,k#'Hpd;Bp[MD/R_4*bkJS8#lFY;Xiki&7nRhD8E1l29/VcC-?77A.DF"<.*MNTqq-O6[7Gg^qg(_F3<]T>,I#c08qF0%-<%9^>u -%Hs\DZ@+EW^#b01LNg$1oQmh*=*7$iTO8TSd!\9'.p"qI`*FN&S2hs(!d3($`PX44439,8knP]q*?6(5s,h0%M`t5'-ELohnTb_>EHb*UL/aHR3AG>%tF1G\(q$e#07G&MRThHglLf7::_MR*(Q@*ADr^.TE*%!XZG#A%3lleC'6?_706QD>ccD,gRMF: -%VJoVW')oNLTi$]O5LCMtL%jYrpq[mY',Tj80C__,bLROP0<9P,b[9;Ia!\`=FNL'7#+13&->cbI"]Ae:SO+k%nUp?f(SGA\-,bAa -%d7Q5hZg(Pt(,#onN?CD6Wh69?bkm:']6Q.Ng^-hLjZ679[umMn=&q,G?T]AR1dYFn5:+QAAsM60"JSjn1*T[Aclpf+d(g^(.%<]/ -%5/^+2K^#i6@cTPQ'$&2(M+K"W<-J7hM3lW0%tIT@f]/C/,SPsSQG(]l6T/5VY,`Kr#n0/t,@73'1TO(n:JECL?i_pZ+?8Rh%9IS( -%dB)5?1*ge:%&%7[1Td8R(/QNGFu1&O`pQLD?1Qr,Krn$s[UZY0-GljSq@6'?%/PrjaF'G2rW/he]gT7FSO1SP5Hi)=bc+5;MCF!,X3ah#.R]^n*YXE2u4>9-@-:;LGJjJ>qLK<*/X[::hSg6Bn0G;dW:bmJ6<#=qa -%BL^$Ga\N+^OWB`Q"@]qF'W48QALEiJ^oYD1%a-70`t`Hd2+ 
-%Yua=?7WI+7;mAtO@9OT)g\atXTF3/Y-Kt.+..J.i''V7Xap^Qn"8L+J<+cBcZO[%>!=Q$fMFRB9'rY#2ZC8mk&=Zo%^/cn"!0eh[ -%22RirJSru;K0]l-1]C-bH8N.A\Q.loC('`Ll<&^t,QWNW+W$#hb%f./)Q,g=ag3mZ!k;c8`>L4'@XZ2R"2*fM0JJS1=@B96aBV=H -%MjU:U0L8348@l2U/`]kHPdBG4DW#YO@'$KG=]5E#Z^27t$:Cf!9:W8"+jF`VjL,fU_1M35Un!aFGE-^u:3a41EWh:3"BSTtB=LTu_!.8.IKF/$dp'#EV*fF*?L_$CR.;4JfnkeH -%7(<>Ua<[hV9Fjp"3f5C^mW3g&'VN,:f'<-qE7WojFS-B.I]WAVb_2Z]0fD3"L<;[jC5'^"c5A4m'uUCf6E=f)BP1,H+N;pSM[W7@ -%N/Eq&'K?u]65e"5?7`8jek;edG*ShV'(?3?LLKLdh9aIT2+1:Sa$&55UsK[PB,'e"/JLt!6QM<9-,r/Rbl -%I,eC*dQg9QnRS%e`&t%F@L^OlX&->MXDS2l[fY,"!;hK^^f@o&XC8D`Ak67]0 -%pW99V:/H\6=?7YmLEkeh8`\!UD\q"2APYqL-W'qa?8QBV$sf5+J)u!b6GbI[WN6s -%mOU)0K'&n\0$H1tX/Q%ScR[r^nIU>dZN18nN3JkRGY&5Mhb2n*,Gn6C^!2ToZZk\EdmQP:iT0L:>EUpF+q(W8'F[IMaeU[H*>lac -%H,#_[o?:(R1QC6i"%bMDJe9lmiT`B),7:FZ,/r"$=&mV*1+D^#e-0!1 -%Y:*hDk!J"?)!\I.!9+CERqVo!o%APlUdjSM19(<*)OR'(M%OJPMdZMc$A^2@2K4@P0ZdN^8Zko8I#bnH33^ML'DEqtAI1hJ]0g&aI1kFY]gdCMMFRkP.:$'tX;P#H&?].2 -%dNifKBqV-C+c2E>Gst[B'hT1k'k?]+F7qQKY9ec+7*?Rsm@9=G,n*GrfE.hXK;^,?mHR[knmj`U#o)Ys+3H6A!Ac`#H[*aK=\Ckr -%EbgjMN,_:t,-=2H0$BE!#0K`l$mgMd4".H)qpS??X\Sk#j1MPaCScpak/UiuQcrBrJUQ.?W&-jcRBg#(fjnfW<%H3Qs6?\!X\m:- -%%7*:9$6K""ds;qkr=1je\c09/nu5h+<+SKo.EAA(X[G`-$Jsk*TbjhO1)#+3b\I@L"(eXs!7>k[o[#CA'PcmlNY>Y\$2ME'L!fOT -%2H'`Z@E*YsMXepWML\6uJD2D:E/I=l]oqLsipVN%GBKcL$QtNOWtMDc=3UDs6kM@&.#Sh5GbsDR'2%NN6P9i#hFGNsKs^?+3(%M8 -%]MJfO>)@[O6Z(eDZNtV,?]1Cc.S@rB@ETsth'Xb9h#D%aoR'fJcbnX?9r0Zb[.'&:f$a/MP" -%-"[d0Vq*D0h]*>skSHFt6MJ6BMts)e#m)5qUPNYoF[uT;P(Xo.W1(hU^B" -%GkU9hm`AP$((E4_IENp`>Jsob^VPjSsYS"t` -%4Agd=1>G-`[F,@i0I!Pt9HLgI*/[MSfsELW47Rq@p'^X]k2o+^5Vk.*m'Wo=7k-ef8aJAG[a?Ap>@TR4=LVH8P%h&"]'^!A@JZH# -%Z19iN[-0deB-mr^AHil/!'NfA?lA*464^A-HB[lHYEf).<='b5'Ak<'/q7dNHTn0EDUS_l!`D^uV)TnX1Y%mmK[ZWbZ!=?@a4>Eb -%-SDH5-I.Vm&70$kEgJ9BSuJ1;?0]aY;.4G=I30CT+>fS258!Q!7h[i([21+Fe;bm["e=)jq^_G9]LY-#]4/2eFKOBKC2G[9Yq -%E5=D1j/Jca'I9Hi(0^m9CLQs:2NDN.%Pgr1)ur\i#:T)_e^pYA(hqTqJZj4=E)Be1o0&OZBjcXXHU-H$6M*Dd"Wu0JY>C4^d#nnG -%bfZpob8.%uUMub6[I"*-eWt&QAaA)-)C425l4t 
-%=%#@cpU,!hE.*@jV7!T:ZhLDMUP5gl4.^M2[=jOd"=5>1H#QfKMK,&9 -%$qNj%e/082/pjF.=LO[;+a1!t..E>%;DCEcS[-,8"thm]K:Y)g8;[INpcl(&tBK7YZ;OH=sUaD:'HQ,7\6;^"nhA&asKir[l -%_E=W0?D2Nh9Q8?jiNp[]GG\[q0V3oTfZag:`uCr[#-"9*&\jYBZdfQm)Yc$.d:V3LnhfX((\=iq\uo`J?-d2'DeVmrVo9Tg-$r>E -%c8NBA?h051huUoDKLT8O0(1dSQQ)W$l3P<-E/.2S]gZBd/2aHJ]ACFG"u,c9Yo=\1iF*eOR#(Q,P:9R%GD"5j"c;E-2P1/&/9cS,e3_iW[HJ>pOCl)AjF(q?7go'(tX)&E3'_a[X1T -%Um2Xk@CjoA0kr"kC*hhRR$om+iu4eBXX/a^'?Pu#B>aAKPuKXF0ek\g-n3)--U44pIR:#JlgPD'$f -%Y@^cSWpthi3&45XQ9sbN?Pd7N_;.4FOXmN-Q<7[m="^_?Br)J<'j%\9f^MG>[]0kfe:?nV!Rq)15>b/C',nRdfnrh'&I^b+i:jebibGVSP\niZ+)9Ms>mn6X8sq/gl4,6c*aQ -%/Hg-j2]'A!"#B%*Etb[ac2RK.PI-YmHDTV0%d>\%FI8IWb[Ol"GMUT(*Tk_/ZY`c!F,)cg_d)*,]\lWsnM&^B,r9g2KmB'M]TO"h -%gkbdVAD/RG*9!3\r$F;4VhH9b;^KJ5Acn?Hq["\jlJs(;0Fkk."lk$)Af_pa"fY?tMBXA]T%&/I?AW`ek[X^[:H7:/c5^#Q[sHK.oGOWI&UGGaT?.,6seW@W_CQC85F$+ -%TU:o*H,0uhC2E6`>,bU\36`Kg-"''qBVhnX#;gk;4Z0%Scub$CLZjWa5aII.kTdV6#h^7&,qbgA50sZ$,dk3Y8)Sc/?j,O46N5Tb -%"'/;+#"]%M#n"R\L1/fR+@Tb3Xtp/]_6uh\8e_EEGHdgKQ66Jk1;V)=jdef!/#81-qSs>Na<@\HOFV?dK0R]Yp9]Z<2@6:<<9I%8$Et^.nh_["d)Fj#65(2 -%E)pKsnEeUI-0XSSHg$Q(F9Q>@!+h5ddO<`$`CVcCUbHQYf0tc'dFF4O`C3[* -%0rru=@gD\HIn1t[c(CHcY>,t>3SW/EE0^^^,3^j3K8H)rk71`CY1]#I`8e?6*,cfY&DrS=(:]X,ITSNHOE;,B2E0Q\.td]l%fA0M -%LD:YYT=ka"WK=mhi`8of;uAo;UNYFoJMPAQkl[4?qck)-PVpr`=&'W+$aP"qr1\X8:A3\6QQAQ)(:,qd4E").\j3[N"?%<)!^h,+ -%"OnuNW[J'iCc_2mc5R[(Ji^9r&B==\[YBRK`$"FS@LUTa"XeXm^,.AJiOk06!U1*t109g3iP@Z.6dd'F@/rEXaQghNW%8(IC/P!C -%r<=p8P<:Moo48\YWucNZC8ZJHM^Y^3TWmSJI5^hILd3[16'eadTt%mS]S!5"o(n-Q(qiu;,$Y5MXa2\&&;7nr#[4Hl/Jnh5N[Gk> -%.:Y&P7&u&p1"\BeSS8/(:+LlKk)(9(*[68q@^0HW5P'J)/`d?4O5b=1,#nGZfA!!0T8B+ -%itrXo6rB!7Q7LV3+c^W"p`+oR=)as&`9@UiFb"!C@U<.*YsU)0&9YUBclJj+#IrY+N:71GG_eI'Tp1=gjtZRT"XcIO<"IC..nK%N -%Wd=pL]n-t@ilVK3oG+b0&D97c^^guVVlSaV!D7,2dDbWT,j?ba2Ec-qE1#SA?HLS5VK33p^/bocp63UQBkJq6C;XSj@G9I.MVKnV -%DO>[XP,($1kSpDuXeZ9+U_N6n*j-b;NY37cWK1h/P/EO,EUMp\Rc]&gk:lRM,u&KK;EDr`>tIs8A[DqG?WYZdLFKXKjP,qfh-j4M -%+T6L1A]8B;gpNMKpMS!K0JsNfgFB^sNRNAskId<)mJ'0hF_&Eu7T&JbH 
-%)\6;a)hq(tW]LV89^(:^-K-49hT(8c&3p=E&ff'sVsk8rD*,a/X(*fq'!PSW%b3"unr#+1X6XRs1T(tD:ep/)S>itVuk>'5jVL.K-''$66'>kbsA6DS"ZLqWB3dQGA?7FH`Kq;6I]dEZ6c?:`TH!VNjItb9NN -%SAp&I:u:IsP>m+m\/dOAW(HhEJ"o;8Hl++G-JP\t>BL#_aPLY>' -%ikl[0_*-Hs"9'U2U#"mH)R;E+'0oPCOs/ILN@G*0"k7tIJ[I+S$^J?::YKrfib#`M;0hSuOU3hn#K17G\mh70`6k6u=7H_j*).4u -%U`$@PnaLh+^<-Of4BXf;r,`ik*@PC_.)+c\pUr#YWT;?&KmPb&l.lMg2i,".lt6C^:Ej[VEXg6;dKPo;+BD!Y1.3VdKe[TRXD -%c?0A*^'9EOZpNM6:J/WR]?6O!jOY;*E=H$^p9"5*FRgrAILK-#LIpbq7RHuY2tr^NY#P>UR1G%E%N?F3@+a/kYQj/!UVb8;4<5j* -%4QQ,OY^``"3EK,]._JjTpI`G#=+jbZ"/:m$RO3Y,@AG;I;Cn,?)Iu9,^h9W6>,XGc[9;(Ci2U=g\\UhbZp+27";hPNSnkI@e$p%? -%TOcPEH)[',<5YG1.g<)1\Yc-te7&>k[:I#Z$LPj`8F-Z2r2Rt\(qisC>U0lU<-8coAeBW`]P-7+P$qOOUisr='B$Yl+CjCkk&5[U)K).eAl.JlV:i/-n@WE6[#l_OE-=p%XS:55T4WiNB.Ktq,]BJA`_!+Tl -%T2d4r3IY*J:jBUGr!h9SNo5\k(@4_XCnp=Y&b)!JP`VS]&.TGB<-j/-+T[cnLYnNi#_Ft -%6ffPfaU&hs"UR%k6Tkuo-Qfhug'C_8cp//T'uNsl&r?^qB`haKT[Oo91!FflRfHG5Oo\[je^I97A7gPU@Z:k-8=VCYfbb?BXAF," -%=?_Im+=kqb6^j,P8s04#aXZ>fLn%npiipJuE"=nNhR3H1_JkDB2WMs"?.n;Vj"NSV`@dc.DPk%Ze_o=H2stXK&!"Qck_rUjG&I++ -%*N,bL-S&Rjf82tia?cN8]eu73&Z*@+HsrSE@8QQ9=<2IZP30"6k-.&4?7jLdlEP/eChM=la[RoTB6gHtnJ_TE.N6'1UN%XgCGpc@i41/@&`\>bD=jF\8ihK$fGgieUDgN\Xb_3/;h4KGZ3:Am -%a-iAek/_kb(!BB_'t^G_:hIVW$M$oEW!uUcj$JY*7iW?;Zh4D7V]^,>UHAnAbXS6b3qr)lQhJ%=p"AX"L(ggQBh=+H80,JQ^l0Oeu3*VBcqc:n,[Lg4 -%driO%20,H($dtCrBt-A34)'shA4T3G,VE4C3Do+%Zf;sa#Z>'CAW(MX'Xbn>2[p3Q"6h2D`@F$jEL3]:<@=ORV:;f=V.HYt['5G< -%<#60n1aqkeH")"3NB(QNfOoq422"W.RVBpn',E%_?=E_*Yra.'E%+]9[,rFVodIQs%>*;-A#:O,3@l'\9;+u;p(2:I7L.kQfTc%n -%A@$=dnCa=""@\7cC''KO+4lAbX;:GA>'Z4*-ja$-Cr3$j&G9^/7S0LkC8Rj0)dW'P/$NDF6Y*W-nHl'f6O-_=^ce>.n+?28UJIZt -%$0jq`9@_0(\al=%?J`AbCmT9o=+/de2cmS/#=Lm'b+TPrU,=Eq+mIA]6.5`U)'5^+P;bIsUXQl%n;!@Kn2f77HJ\VY&Dg,h;re9/ -%K[l?F;%L"-Qn*OK4`j`?\OQ#adkt5,-ml1@Oh/T13b2N%AS<*i\INml7i\d$51q[^lj?Cf?\AO7=X6=PZcu)%,37LcEW)?7kWt6u -%=$!7$R^8&OK:=T-daD4rQpGij;A;-J\F;e%?Y".p&a\Lk,e'++\m4'A2gn_fBM`TauU=/8LPWbdIfnFPb9o*s%SiFr2'-J 
-%BLti%:Cdm`ArmbP8]AmWEQUBoHC7S3`h,M-Ci-&?='hB/TJGVs4roimS?DFl%#J;FUbLgi]#0-33tt:B"!b7N+YD.aKp2H58gWJ* -%c/N/[@qQ@p8H:]TGg&k&Z_B/N!K.[O5cELn,WHJk-gE[H9Ok73_6kK7UO(A+_UC#(W^l``LP;r+MIc>9k6ZT+53$s:PVIlHWk4o$ -%Q]i^qVh.-O`p`/f15?iAo`NRiXL(gJ[Z'sL*A9Cf_-:N"[0E.4bH$?@2h8/00FgMi-j&0=77KqSB(kHP[q``5k?NQ=U)Y:"SdBs* -%;T/<01NI,^>VQmu"IUkk8('XZ[GEld.n=?3.UC\\`0RIuV%Y2VkB`,&Fri)<+Lq$AYJ@M8>,7bH3W,-'+]`3O!lpEiHq:43Q.uIK -%:PK\]4WNX;qX7JsMfR"oT+*&e?ncS$,Bn"O/)Lh@]r(r1/e@&-Y#Gsr5p.ot)BbqtNKLI.NLm -%h]ui6ZBZhN1W.`PR#Ob9V"@mBE+=pT>"R7E,_!6@WEh)Hk-CcgM%2Uu*e_]1=b$`&#[OBAO97TKWN6(+P"Ljg2))"D>JM4,q1Tke -%BVG#9PSupl#F6:PTEnssgP!LJjV+I3BWi%(M&8pUciLHI&`oOI);*2m=;g4o.74k)SLcIckIQOeYVcG^"dH]#7`>Q-cP_FW;W:Pf -%J1+ad+&eiu"TJ[/f<2:9<;44MHQYl\c`L.Y*Rl%a9m^NbIP!p9QqP1l8S(_@AYhT68hHB`=#Ko=jIEL%j`\NTe^>[]ZBY>d/Z?JW=L9@S&#_D*%HTK#pE)f)IaG51+3o(?ce1J,u`t,rXEKgc6@ttc`mofm&]9g -%,h*69G#0HGc2d-2,`S<5LslD\$8`C_:AYh#nu.AsKAj,RU1,Y7a+!e]Ac%:L($OhbPg$Ambcj'dEJBTc=l&ks>7]/'qTdA)S6#Ee2hl$5k?"g%NF45W%L10n"4T4Zh4+T0Al@$rpoWdZM`X`i+Kh$fCn;j -%?bcO3mG$7Mr:0-uRu?$:&cVXdYF!jb`'=:rlg(mXMjGeB4]1`6oL=>\s5u&mobi,"Zf[T;pg;,-RgR$jEY.5L$cis&VS7k8e5[sLOIHQFgQ^m=89hiX%s.];KMa7_(qWshp\u."s'K\(EeD?TIYsZ/- -%#mS+?Z'/E/qF+t$?]1a,7QB1fATBjflJKReH"@:*LQ>@RV<<@Y$e1\qKZ/Fp7g7\.@h^*.tZ.2JVUhDms=o2rEAgHd[ -%0\Q].C]^S6$cZ5nRBZTs;o2pG2BWns8)'82QicqeKo4.5\WpP8L"iW-gk.&r>0oVSFE3`o&o5lZRWO"l:(JpQ7$!URQ+h?8a&^$. 
-%_W$ff+-S$ld<;Rl:::EDa$C6->LuL?'4r(aT.T*3VsgO5[-8d1*L?=Ok@&n',4Bu\:hL-eeC'Q.?I(tcK@oW4-4J=_^%YIo?*\/0?pEJAY#`]#-iglR4f\OZnjOUZ?qW`fEn)Ok4j]1BZmA#O,[XfZ22%43nO:?uHhDB5*N0hj8,F++m -%jj&&bX03CWF>sAIW@9E$e2n9NIhoLsE@YcTS+C/tGn6b%oW+-j\Ai -%E&0(h=i)V@^R(b+Y_cYts5=?5>UiJr7K$R%gX,8>q!]4T-!-dBG&^3#+uhIMKo/7@!O"cjFh?e)d]Sh1;AT,-\%uVD)2Vj[McWB$ -%9S"Qq78%A,*P7)q([%%TJEeS*'K,I9Kqp>9Di:3\BMW:0CBI-1&bt,%`!OJV7LT[P\1*#`KRO4YXl1"["_X-61+%*=6cK`+9!-EIF:KB0MiDg$YAf$ -%kC0st;pSiHF=_^-=$A#c5.fRV=op#de/];m>7PgX#OBCTcUg?g))*rh$0U#I60t=?:c5i`K#8V9:iRuJgd"'Z9m0M82#$_3n"@u[r8/IRpup@C"=+!PelLQ`g1_E -%2T0iF^lrDYUUe.T:sMBb)GFTJO&1GY.Fa'^=LUPJ8arUQRdOE,P=dqoBZ1`#EsNN0?B@K?P7k1DLS<\XUu6pT:[t5/f80>b$Ag00 -%N.*/fXb+beg/i&e1XYEiQ%EcqDCB.pGu`PqgiFkNJ$7r8=LXRaS$ -%DI>Y83-<)XL8RG_>EBE*=qk?L/e@'[>F;Nk(-AWM/L1,?]%'NNC^p"KkV9p[12(WO"K:`$9IFeP8Kb;#2f^LoWkVL`<_F*c=K))- -%(ZHD34i`(TSFDgWV0^X^P+ie[`,(o^L+E&[KZ)I0&Xk9(=;+:EclUX)NH5KRL9Zk%H#;Zkb-p'4LkrFm`'s,WLdkO(TBi2L%B+T5 -%Ket$U_n"%n?< -%m+WYQ$$s3S"IQ&E+>QFG!3L=jHM#KTJ$;@TXj.Fu@kuD]`a@q6:%k8]eJ/gjc&F>&X'&/a"9s*e,nXklM;KAd+(;K/oImdbnXdr. 
-%74m(L&Sf@673WcIIWN1C%RgPpm"XL>j6]nrf=qX'&?3lTn]@5F0RM:X<#/g9Z`L -%W)6RACfSB@ff;?,eRC=&iTr9,`dli46'Q@``ENF%_G3RP%Ohc7hpm\kg'6&g]rkX,lnGm/D.on^_dJ?JTas3@`<0:[/JiPjWamK7 -%&1@p,No,+Xh8N^;p/`_E:a/]K^(JKB)]gp'4)R!kG[Ya%U^b8-NL<# -%DWWfD3jJFfR0uX%F`9@*q3aedf2K-@W8snlQ5$1To_-_I3]qFE5.*>Z=6u\c\ -%akR/Y0B\7l[Nsd'nK"I!njtfn=Z?R5hGf]]_'OoK*+$HWErTm?RSVkBjg`@*HBkcmPP^nM(`nG[cS59klM2Z6Xq7gAnZmG8P[k`U -%C/B.c.<3-r46B8b,p0DQ%8[/Kiamf17K`VRJuPKc!m_,e(mBhRn]i$YdOH/c`>9eZk#;^U=D1A?7XjUDS$S&9iGO:>/^e??W-%_7 -%1\-?fI57ppllY`4S*;XN)hNaLG>Rfuo[c2$L63dgIYY:[DUNV]fP-Op$%h9KOKb2(D1t,b)LT%V7+_PTE`X7C`0n?%N!7NNV2[\K -%keO9<=9UT1OIBd18Mn6N/*R&i\sUu^:+p+DF(2II'1s-2MdjsXIOf9;$>aCNa)`#gdN?qT;5&hd]`d\f=edma!H2He)f"ngFe$X9 -%JPM=[.)]SS8qj:o3=LjEiR+[21XY:3D'`Ygg4tFj#*5gae.L/YL*(:_bT$b8:O+67#VCJ:!?T52"eFb(Nfg6'YP:bNoJ_@iKA-n(UC+.\T`s#$#U3<;^7T?EodR#F`gc%L*&Keu!C[)rG-M>k`$PWpffnh -%(0qd>^W.6^]/o^cN"r/sW6e1k%l\g0:A*aa,2a,rc\"OZKsno0Du;a7(_lY+gn64O:6REcB![8(n!8V=<'eg\,dMZkdQ,0D.B`;0`QgU%\X9D,gW&#lo%07Wl\:%#))NV8>E<,XR<.39gTB_@"hXkf)^:VJmY0:pqMo-d4o4)Gpi6+_`q<[Y\E("^3CfEh!kclMjk'hPWr! -%0`e]64;;*741)%NEsil5.a"@9T0UUOESs==eH+/'JJ(-8,,4@9+MN0.Q1^g\I7'?8(Db$ML_Hi_1]>"->%_ASXt=0eN:qP&CWN>/$(4@]4O>\j,7V(SO"6,"HOSJ]braK9u"/2QaY?>`,Amh:AW9bP% -%-/pGM1,KXZc^0UsZ+5"Uq"p?W&HY=KTR?*?k=(udp00QhU,,c6"n5W-0Lk+);/'d'7Bj6h)R+TVIQb)iV.0W7-<,3?1is2lMg/[! 
-%CH8.\?5WHrYeQs"Eja>GBndlC#ce9O:8EF5c":Dn'&euUXrAu+_?5!D4'AB4YQ.XBn6=V+$NjL,I\_UOirK[2b_pu].sB?W[R7Vk -%A.r$iYS[II`DiSdILDT=Ul8mK5j%_^$?[LUk%4ubeN2(L#,og@-,'fr_@H>'g&]2N[A?k=Zfnd%%'"hSAS'VQEu$-cYZD4Z.eb"_ -%=>[?&_^\PP7TR@J(K(dlA.O;p.'Y?$,;!]IAg6\2,W$W-+0-9Z;522d<"(>"Cqk!#%a[t>FA9V3+d0IiTQPf(Ke"IXjeG^B"/;E> -%UXU]"@pQl^E#VUoC6&IKqSR`l&W.sn,o.g6BO-@HgYrUd,Z:>S>?[\u^n7:$HJ.,E.RAWYT.fiW2AJN3(j4 -%%bOTSN1i\hV8MjT!,iPAZ@VgTcbr&/dob/>6WL1^+`8#J'Cs#g_*ZN+=.j-eH),?dZqA]hKOe+0F;)/;,GG_F[gpD*Dke,KSQ,1r -%S+T6m(P[c3P&(a6TW0qbeun.F$cYE9FIcgho'X1hna%l?!6#=n -%D#hVN6j=p,XnCn?D7e9"%YlL9TtiGk$tW2&K2TiWO;AIt!fUe%=0%2Lq[DJaSTaZ2M7D=AA):$AMoiate@K?H-.+J#0X$n=L%Nb" -%]Uf^K?(k5/[Wl^iN-'17pb?)AJ/#mSK-URDf[=fBR_QY -%hb8_K:@o*kBn0lfnEL#\I!Q#0J\5`*8W4s0?k,XPH-J`:#<"hR>+>c0UI9ma!,VOK>_,l%eFk/(F^dR2kS>!7i0/65jQEL8"2GS+\)m^<7uAg<%A+/ROcd,GgXl#,Ege_$Nge:7af -%gNqPgYZ7t>m+!dY>3aUHDDa+C$/HB?!d^,Hl:1+m6ZnRE.Bk`[/JXW%#aX+qME;DTZg^-$hp[:7;p+p#,-7*K#%p0j!"$+mSY`V_ -%T:U846@,qEjCs1TJJaFp>D!2cKW&f_NJs7,YZS*%AS[,a-X-MG0juidTSHJ%.:^,"A="K.8*ik`^=6hL0ML,9(R3AC_0ac/7i!m.gq[P'APjCe9E1[LbP=;BU$\paceJip5Fc!oYd.DV-V"P/*YX!-PEo;fVB("0V1goi_g.&Fdc9>pU??N)"\c1p>?VoH.DH5d -%T*$:>N2W(S%H_o*YPr'[J/i%Jg?6;fVs#4h$P9T)'L\N/)'s/cEZ -%VInt1l1g-K7WIage\=:/)]HD*T3Lm+mMs_P3HS?m;=`bq,KO1PhsPDS?sH@)p*m@sQ>Ci_gBDJSQKU:`Vm=ol-+I#@&]WY*HJ -%Ak1H\rB\95Br6@caFL!`VECk1/?2uq4Y>T:=g&KI[T##Y66P5Dg$qj_'hE-f/6C2\bA0!IC^d+/f,7si`:`@XfFum&k[,#P+Zttd1P_1)l6PUs?^^'e#p[EX;DN@8^hiCR3W.JZOeaph(5EqO(\M_*!M_"#.imY;j12^]H;&Ajo)tfPY -%3d@8+gd$2@A6C;fXWsrlFuef,+i7T=8C$FBk!leqHHc_,MP4E\^ck%'T0YZ`*l7,hK7:rl,VTI -%E&2iK2UI;D+Z!1t@fl:P9c4=JG(f*>G2u#QOD@'Y-CTS1\s8% -%X(VIqk'l[(N.09,f84>\h5:b>_5=kg/"8JM'>4PopZ/W9G@#^bJ3@E6I5r/6f5QgGk'3rr3-#m$4PZ.k3L5Kt,Lj(EJ#U$;KU7/i -%;_iig0HaqR5q -%(g/D&C>h]8Q;Ek_)"fX/Tp&`i,1O1p/Kl.B.&Eb^/"%Ke(q2kqXN=Bna9Oe)Vd"gNh6gRo1m"Qp!<&(,'?Zj.Rg^T4AIVnaA0\jr -%:a2dc^P>6Ukc^Lo!C2iAZp$&^LigWNGoq`p72f9?V$L1Y^b',kWYT3Z^mOlRPT*0n(_T2iD%A3,>TP4[XKZWX@ee -%G#>maY:JDL*d%"Z"O7uZeWukYf+#f9qPAdEB9sAcCboQu%lb%M19.0(_sM_"p=8.4X-K 
-%Mopm_V%L\!TP&-PbpjoiIOYHTbRPFG&<34'e=J-pVI8@ -%8@t2&#,Apl)eV*s5,g(i/JURI[`Bg(MsG=ol;EB3e\@a*e7L>\/oKf@6Zrp(%k0c/!#e8\mfir_1TKZ5[t=dR]M`0H`"#\QQXYE< -%N@L(/Z_o5uX_$T1W>PjMQks@fAcZ[]^`-A(>cYOB9>d,=RMls&YS#NM(hcs$K>17IquiD1)S9]dn$E[_mncJW/XR[%S[dd99Mm_PM"JI<7@OmLbWQbp]eE0V.%q$(cD+1[N1S=oke^.Zjf@XeXSOgP_#)OD=/9AD9tp0K--;XO(i8e92uK7 -%L*Xf($_C.Kf")IUoijLlc"JMg5[-[EZ9>)ba -%U"B!(3(0j9q[I!s"cC0O\7IcW!#/;H2<@0Kk/jS9WX#sY5C&gDQZ?_+G9tbuJr%9%-]@*?t@%oSen"soH -%q^pMOA-o*Uha`Sjc7JMP;8E-h*,jJ'G83S8=_.R?8`JpYl\]a+8;)4r.!QcpJsH7`aDVC`+b(Fn%]$hp99*T]WE5PBJpC;'_.6.6 -%qmXarmIZ`O:E8Oei7^J!31C,s)("@KL)e)^+\33^KZFNP`dYs7m-nhPrbIKb4-T0Whqq]=nb2PMc/nV*:JXF' -%"P_+Lq!@b4d_C#Ss7F:&s5g_VYBi!srR1]:jI\X5j^3K2iqGAb0D^1tr+d)I_oXRHGgkFBlcIKQIeE!;s4]"$0B29rLQc(m2ZD=C -%S\9?ms6NO1q6/Cgmf)79n%[t6qrP#!DpQ/TrR$Nf]tOC0mAl02o8B7!Va$gRrVW/.="eJFY5-t)F*[cIo&ff8G.2tL_E7Yfo/HE' -%_"nmsYWa['lFZ*MnuK6r?&,[`Ah`g?GCp]jrku&`Yd([];,/dm.J>9D_M+eD4g1`mi)[tY&7`'45IV4VX(]mIlMq!p,DjE -%h#e#=(sTA(GDGbcc/kGdDuOkSlMe%nhgE6^Ddu=^3rY%]IJSkmg["[[e[IK@0AgU:o")KJD]-:!H$amenLq@ahgTWl^5]P1]\_IF -%Qe-"7ItJORGP5qSDn`op4aV6khp]0N>X.`ik5O4Y'HXq2n%Z2Y[Z)`g];>Q,U%J9O]062^o&Z@KCY!h#h,aBUh7Yn)D_<[BqTZ_- -%bB=)@rpJQO0CKjrYQ"47>H)GEB* -%_=[Ef=]Z_QrVksMp!I=(QH?LrMrt>NR*ml^F0qVr25C]s%DW/LIcj2Y,?>/Z&t\9`K/,p@[apZg1u5HM^Y= -%pnKMb?6+,>D)A1S*DZT)Rp0cA1d\rVufb#5c:Z -%Y1NXMro*7uB?+*>#LMMFIs#ZLig&AlVrp"BDJoL=]5Q96P!?KPa5,Vje(`W\cd"2X3'Y$)BH'6$heb`/p4.."CKPYe59@<5-ZgeUC(O0u9Pi'KnEC'(5.X,[lLN1AcRr:;i=G!KIk4I;NSR?*51aGVQZ'UK\p1QH`E8`# -%j`pc?c+u,)iO1H@lKD!pfCYf^FkuM/4anM7+*D\'lh;IZX`Q]gnh'ap`U.#^MK`n+X7UmZnHHW+h:\6LrUR3*NXpO:\#$c#@.k-0 -%N?86HEuMK=Ed32:G;FYs,"s>#V>l=dA2Z6""(3n!^A-I%X"V1IH[55=[aGOI4?UaSDJm5fk2t4=?gkUQ2Ja1J`4,:L6V/>69>8&d -%FgdRF_jVTkrsc<"A_=oXh4D!T[$,>2M?Mn>!`\tCmL^`'gDDs?D -%qZlkEr8[$B:k[^jo"6#"M78^@r7+iNrZ<>FGU$_oJb"UUJu8D>o8"LahJMB%GfkZJOV;c=%rV-hps%pdDdT'+?X-lA^\Q^=[p+5? 
-%*dHSF7;4]#hgWqas*c*3B"%_'#35etG9]1^?Wm@,q);sK;G`nf1Oh'A!/@YfVg'd?XBirhV[W& -%q=WjM=8.&L/h[-9,JFuYn(kCZO+,D<^'C6WJ+in<4J\P9n*Jf`S#[&&XsmYig\j&i+,Jg.3kF>c^A")kH!\*cIql1VgHE6VX)dC< -%]=A^kq=@[Sf,&'=6%7+-hDsKVkARQ\^*@a1E-tr0jITQKH"Sre?XCIWr7enp\\2AmbXR=sS_hgihjiNZO$nEm-HtpRcaGilH?:"MU_WCu-PAp4k`uRgEAL@e7;_eq1g0$9p*$i;neM>N(9^8e$W:FT%'/@X]h+s/GUI -%4hnOQp$3'/P^#TDk5oo;FkoYG^FR['f46,o]J';,1%Fsm6<54AO-s520"5FcP"E&6eMaXfic^]/.n3jqFBoDg'T^D14:".4%6InO$+gDIqm -%$0U`qG%AHM1?"24?q`P(fAbPCZT#Y0s5(?"IX1JVjn3rmo:LD!XQ,oqV#RL?e=cbr9@c7V@q[[AE#?<=,IYr"q#9G8=5VlI?GE$p -%J2;V6+oLkaRN[m,b!,2#OVi>jjE@n`_+]NFYpM3>HIRGLQX@HrJ2.PL'!VmH'gUXtJRIjf2LBEW4Qn87FKA -%[P7dIkYBa]:@72Tme=<,L?-ujDC9RKVsF'uj/mDd4Ru3.-DNaN)0L;0kVa+I*Y\tYj5o/O?N'EEg%SikAM-4H7&BjuX[b6\id>s5 -%2tFO2qL"6(rd]4MV\?>rbtKk8i'-&F`]cj@pGAqQ">,Z,3f[([+*fid.-8Q*9)56aa>$;tNHI3M.C[\$:HV8FS'/"MIf'!$"jr8# -%@2quaS!m-m"T&,WeZ52.56's9`PqN5rFB5^hVYEX^YXA;\'(7B(N2LP]m0AKc0a3WWe9fYZ]/;UG!A,;innS]lX0hZ=O?PN+<:oe -%UOdMDOPYnHoUF%bu?N=o?Vpd[OYbs -%n@3:G9RH^ZO6aWRUlF.Qqu&^srR*:GD%,_QhoeNO[JSA,c'oZn-_I\k9Z_eAL\oW`Rm3KMY.cV4aN<9a;8j3op9k$Ga&N!(jKh&o -%'n7Iu\>Q.^De7LlOG^fC"Ie'c.U:0muBN(5MhcNN4Pc)FL6[\G0kC>?6AR-c"T#,VB+0pdIjEi6!NUMd1/4k5t="MdnB0Om%A]DhG^%r -%[Z(UK]6j"[HFMAt^[Lmp]??NO8/=j9,Q66^hAsKm(D"TEr4.km)$Kg5M^NiQ2A2T@H3-"g$2E!(gTTJJ]!u'@Va&V3%/8f5kuJio -%61WRZl\jZW?MsQP^(8edeh&Va9Sfqmq'#%Hp@Ns-?JcdOp"QN3o\K,Jqn\t1@9$G'GW14rq<%UE5@)"7Ik]J5?gu+j(t+t8 -%5;mP%^6SKjIU^g?Y(NhrGOZM4_Z.74m(`kmRB=^1Omlcu6[1R>.XU@ -%eF\aY.6`24rR9.0[r^JgqVk#K0A_1gs(iWQn9DUbFk?WWX&irss7Q2ELi0pi42617rBG/=0rr4fGW^GIjt"-A -%,P)U.k#U*o,P,M2mN-i%C]Vj@['^q_s8S).-$u>N0Rn*r`CEgLHRi5)a1C"hDT""#T'L94Wo2g5Bj,Fi#mP_P,Dq4oj@m7fB"6.[ -%K1fuu@mk[W*[,PFTI6$:&Zd#**=($dOgCE$L:W*p](//Wk@.u!dRC0;XHP(Gjgc[Yugk5+'<>09>& -%N;\3da7Y!t?i/YCC+LH\p\LYqRl<9f,6i@E?L(DQE,Ve9qT"R']Dl\cbKG%0#/?^ll;+>_^Ce0K.Fm@c1@&q`lh;IZX`XNHe_lL, -%fgai(D2mOHce&F:mGh-RR@EFI:YAd[re.1c/$JFUT!GJ?rNT/OYmAqp16]2*M0mD1J%4gK`TR9jLsRBtmmp9\-%_;,=(;nIoqQ1m 
-%4uRHk-+j;L'BCu(EJ>75+n\@LQ.c":H]iT)p/'c\N^,pF6L2*Yf'ra*QJXt0V#T]Qm/$D,mt#*>[r8Irs)!\Wo-'^&2eQK7jjb80R^d]oIZSn$S8?-=I&G;OUK-S@ -%l!KH4l$`#rBD'36Ch+drmA4/3pX4EG9E%;kQ@;5%n1X`srpAh77TT8Y1AF$rmt!Hc5Q'oU]n:;iP1R\d>!>sT_%BK<"]oStH<\j_83B%N0qOKN5AR55ObK/8$fa&3 -%@O>N1k,4SASnkZ]b)sX<=e4i"6GiN!(29Fc\$pMN+8fu(eg3o%FYO+!Z'oHlI^S7*r`JcG^T>b%%?Z-Vl@7qDBqY)IW;LAu5Y,#r -%/L>[Z1mT+P(nR#Rb/q2;2W`N)c-u;9pQ9H.q\QrT,jZO"26bFlb>VeWI9(B\IVGH.JnloTI8t%5#$`[Br0WB8-N!_IYGm*(s3/*J -%Zfk'?e6`?99[^G@&$B@1`T/iM[J)6\JDMh#7.eOP>RI*3R;fD]^ -%r,&'9""o*YP)TJ -%b7Lq@I$!`>V;`&%>_lD4gqGHHhI$mY7fs4Li3KZn+to?WI?iq!En'NSOQQgO%:3)@c]?:E?\jlOr`CXV(8Bp))7/alP%E\IBh/OT -%F0T+jHq[7pdmVB+XprlEKsG^qTuE(h'Tu.-haHR:3F=?(l_4j\D%l"n/\ZAR9&IiSXnH$d*T-*ImG#$00>3okO`0LR:4@,uG?.D( -%ZA*#69gNr:ErDg);V'LTo2R-#Y:C7:B>12d/!312@C(kDaBce9;6sP[I2BH<)lgB9VPl`1>[LiEM4.tJH;Znu^KPUU]$T']Zj0NP -%p!/S^l#EPs]:7D8o?0/_\IB#UC=a!`5A9N?^A'b#f>K#]Rhj#T1jAX&=oW95$(/u`UX1A[+s+7CF(:qV/YC.M$ -%Y<$I<<"1lmI;eEcom_J-df)k%.`'r3b/@r=(HF3*EDEZuhQL+hDNU*OSitt<.>N&(dIB5lVbKr^QggWZ-9IULjBMUgV^jV"rSFS; -%n\"K?8CPL%kVn7qIF4bN7ZVZF<0rQ;HIs,iXW?P.ot3sc2!07Ec;0YU#-ncL^&!b)oErs\@a8,; -%NZ?L&O+o02=4:C,W7?@$.qtljX/EhtK^Pp5[MJP@o&E+IcnUfp`I#0,EpnpU)IC;[_T'Y]efWEX<;?e\g*3jL8lb.<7OG`S,l1W) -%U>f9K[rugm?d^Bep-DWmYFiI;H@\"ieM#d-^3`PT_Sf&[(Y2/10:L0U\%2mlnQZeNmsa$[O2AA5-H/tkOG0dnXo2h\MfL8lWF$`p -%\k4'@j0b_e$eko.J!T:uA'RN?488WG\175VN0A.^9M\G_bopc8EdpJfGLB?/T'&2ag5;'A2e8O>Cp'Mt]i4%("RJiDnP*r@hGMk% -%pfaLum5^a[-Q6AWaeA5=jKuE_?(Wg]s1tQ>Efc71m+[&mk-ahG?stbD+NP!D(*5V;Q"P+tKo7:Ri\W^boe8gTW8pP%QERiu^WWJ2^%,BUVhhSWI:R2Gf!,1/r&on7U>f/)-7<4\ -%PBg8PHlrfNFjD[5?;F)VG=\\/V5b(??(G+FJ1a7CnTgiF^5B5TkTKHbpUdp'HW<#9$Gh.eG:%Sg05X7cj1@q<-\XL6(PPX'TGJd8 -%Zej"GT?k@q-!Kco>:X>R^8b2V]U7'RQ%O-9piZ=>'6a>,H^$FI<'aP-:@[GQg<2aV[ZO1dXjZt1#e\0t^g\B/\] -%(i!$hg#[fIWj.VKKV=l8=Ak-5$6D!T<$[K`5M,^Xf6Ws47a^6,/(H[ -%[(aQZ4l44kH;*B)jqC?FTfdl'qaksDQFW+SgaDH6[J<5Gm3c0m(9;Jl^.A,!+E%n);f^7@a`#UKGZdGRKm6s,9dk<@$ZiTX9''9C -%[V)%:p@cf'546%uk46&@I?$6q251F)0@UiEW(sj.$;s>S_"P#\tBB\bR@SF9d+Mt:!\SF@KLbI 
-%)HFKLk[_BK73Tfms(?N'SZ=]DGeUfd\BW)jnD3_BjC%&d"]';62\2s(_\:lKni!GAM)9.kCI>G-j!)/sB&/2`I\3ZuRhIF.i1"KW -%Ung(RA7/8OfR>,-2sH;+FYj8);7Yfjg1@P4&GNYagPt$jlGl?3I=A\_f^'@AB;(qI?CV.r+87^OqkUuMH6L[hP+BC.";98T*3Hr]!sq6>dp-"2^=o -%Du7\'fs05CqRqIB/"Rh<4eJdA/'-2`:PBW>Np[kC7HEKKigY""aGW+9(YO!Q?2R"bU5S=cLd0)1b!\,^]GH!Fhbcn(4==IJ.E_k" -%p;og#!_n)YW\p0fG=n!l+Ps-t^eWnS?J(VpKVph(EOu$aNO%HK_uu07-Rl^HM3n$"3qm# -%374m2$YRABFY`fq.B"Ok]EE;tii$Z#G$u&,@Nnl_(@PKDkF+4];,g3-`D&q=m;8hV#`C`)4I`IoFYGA4P+o53MT+g]hj"P,Y!^efA(EAR:k8"-%Iqg5l8'N$M<_=d:G+u^QITls:lN"?W\k^:Y2o2j^+GQ_k`HmR>eW4I(`bpC-M5aoCEBWWt84/Z0!'Sl(PtJ>o]j0p"2E3NYlCW;3a?*^2V'D[%LZoQD -%KcaT8+@PH[Q,Sslm!5A.OndJp4mKdDl-=$$X6m'L2@34%%+%;a9fBi;`(Egn[[Sn%?F&W=n23mAD*'@%nhWfh'ceclbu(!'I5@e" -%B@(p$Y9qhri8\cs#g$@*:6rWGqn%sN9.sp0;ET[K%Z2NqWd1bZ.bCV3`R-P2_Yu<'eo"ZAmtl^G!9WC2U,G9r**'((6kU7D1dmC? -%Yi!1K5Y<)!Aq(??Ug$sOs$!($;QG*r]U5sG43RVa@M[,T#:RLNm+9u=OYV\h)bUmAkbB.MMV>Uk(mpC=9sdZ"ik&!GF?l``)DBZD%hI*4b2Z$-B.uE]*ka -%/bT_7Okb0As2X-b\X?i4\+sgYYjD>HF7%H2jkDj`ZH5jBD;&6` -%fKl:h"50)Zn8t$<2_bBfM4sf3W1CZ%YEo$Z@3?U%o"#D -%duu*g!pX2u*!"NqD7:&-KD;Er4W30DO?I=;&C@#UE!U:+B'5#d^%l%H^jGV_LVWY[KnBAQ@fIJPi=da>+:t/%E<(qnB&We5+-+g6 -%TmUh%4;l@u]ljCG:RX6KcmMO-!9o[O%Kc=V>Our=+(jL4@%X"G&\&@HHoenNYK5/nIcaRS3lDQ#SHD-+n>[N0o95RhSDSGZo7&aq -%bQ%#1ooCW-5Gs`j6m$Vn:41K.Y@!m6roWS%Mj#YrVuo@s4@8eJ*[,Zp?'W=mI_RX^3OjHIIZ']gFp:S4o>6J=QegW3,UF>F(]u64I.t.YjAqmgL0fg=4-kfJC>DlJ -%T_ieG@QXZfnFCK`7cAOP23Qg!"O9_BSBE`>p;Frk`XV"ZjMZ46!K0)N\]F9\'1m+VNk0Lg%\-=CDsC]88UKKp@9-?-#j*;g-l8l7a/hPAu'a+E:jT#CS,V6t8l@Dr<8/0^,Yn -%AIu.D%*1MdUP"nZ;A5]0Z<;n7KJP2VOX8BZ-Manj-s%HBRkl84Wf0X2bsm;n?n,;QG0;BNZhoj'PKkAo,_ka*nbIXR,QVW&R -%?!%ST7ufdiqc8?^hIQa=pror6Rp#^dXur.GZ$O^XZ?A[+I/Ylm>E_gIOslT:ig5 -%hNXC)GD4#F71UYU_V:hh?aDZUW\p4JUr?Qhder:E2MkOoE,%r`c`N*NtP_YjbU\CE]l6VBhg\Jc^o6-HD[bmqQ,agM&VfnE[%]B9+2df"h%,Z%(`%!jcrK[9,;Gu=0[r0 -%7!bS\1Dq#iAI.u)FW0k<*#J2C#8O9O'A2r:MUtfD7NgT&oF)AKXCRI3K@RW6\C2h`V+\9pK3=BOc7I&h]9dOD)o(9a3,];4e!X_:rYbOs4md&IktT+O2lf 
-%m*KkIN@Um^"lRMt/]^OOGIW3%)"p!\_j(6@*I:o\7*8f_0LjBU,.=)^QXN@m[tsn,#qQ -%a\;0-4:.Oj_Y4Q;n)WW+`!Ns]EgCoM35>sG]]Wp]SMt\eN*a5e$1WjF0p.G5]IF5bRq[RM;0'c58:rM3&UJN -%1S+=MoRSFSjSe$!:BdZ3"ss'GC@U4\mOrO!l?$Q,YiqC!%VZ_-esLP`KbOcK8j[#&1Q`oE)ZQ[5m0\He/chZ8.1.72f`FpE7eW4] -%lbMJ\U#Iq=59^%rN*hTK)r2^1l);F7f#1,srZ>WgXt*/N.uA^@rkjjOYRY+`jE8kurA8(E%5 -%5^,m,LiE:j[HT6<@Bn;p:M\b1,92`lrMI2=h]ai@bJPO$F2BtWocT2.7r1'nT:qVhk\>`'NX\?`s*jc,@Ri7\#hYiV>$D41$[B2e -%+>"MS^7YE+lWM`@jm -%GH]nD'sfo@OnX16A#Vst6:?.1j*mDa;A%)[?hB:M,+[gQ91&fM)!er?kr1 -%::&aRJef?:1.lXScL,iYRodOXLT/h>-.Xf9:g2(^d4a>*6$LSBEgo5EYn9C2F&E&+&Q'Ft*^k%:3s6@N2'N5+h!PG`hBI`?!nR68 -%(,-p_?b01Sa8)jT"&cnh4Et":"O`^9+sZ["Bntr+?Z.8qRV?L,J3St@5p">\ouRB=B7qP?EGS(4dL3_NYW!SE!1Ns8HY29os0D9: -%$UHI0aUBDhe&]HIlGf=!mEcb9u0bgZ4_MYHj4<<@e]0+Wbe!YSbU?;Mc0c.=n%Dd2.??16]FXoKE6aQ3UeFt/!U -%7DOA':V?%N!L1$a!.DhbJt1-YUa:%\B4::R"`g"iJ]G2?Qkj)>&JCl>`96m'"\K:4FIN]Bfuk:P-9\RRH9VY6Q8H1G>JC..b41qS -%\%n\i^:lOJ8f`8/ajJ/%NU6!4$Xo#Yo+KuND+s?drlq=uc0*E??Uo>GE&XB+DL:_X9oQuQi9.ts%o=inUeYYGqY#/. -%h>l,Z6VY$gh<4/\&-4tDlb12RJ&fFhrA;BZ%*m30"l6rl+'cjkl)@nq.QPKiR"').A7[n/!O^i$\&L*">NI.q5oKkSp\8s#?c&Ae -%K^KVpG)MRCqpF0XC]+:dO4!Y5bpO@rPO_Xc9-hR*jDB*qf9N2M5X2CG@N5OG5Pf$FnhM`ti$da7Ekk^*_$7nZbWt'O -%rdJr$9-j-%*l*9!"rK/;^GLg*Hcn?Pb#)ukTKA,,]Lfe%2f2&OqK9L[Ql3Q8h+I!_R8qICGi)nB07-L3ICuH$K91YP_AgJaigWX[ -%-W+aJn;Jb\kn_*DiUjQ\A0&T=&EG?hD#7)p`ua:l36B;5p'/RB^\rPeX;MdWSU<]7l5j%,IV/'pVeCk;oq6/B\_eNe"ShrBQ7&5) -%ZEhZs,P0M\W'sjU;jDdn!noYqt(!cf440"Zn3uP -%[_O-)g7Q9i4sDPeG:`]5AHbftHg!'Bre"0&(/pOnIG>d=,=@?;!\%.51f`sZO1pW_IoHG+6.(kEUYs`G)7P5K_bMkZ9&6N4N4(TU -%Nm(r^E/pSq"YK(R>K;A:g;4l_=5t4m)dSA;'m5VuPI*a*niZAVpk[Jk$D6%YT;]&^=@P@G2XX:OPNFdi>B]r"N;26]*ZG,df0NJ! 
-%:T2ILW&WefUtE"5b+LYTj)CR+(5H:J$m9u3[RM=JJCU514hs?*@"`fo8oWVqrk6YN&8a"Js-iIq%T'Q(g6Q%q+>bcqJBn;p#N43n -%fqV9=$sp$Db=#j,Jb-UNV-B!0\)7pf[gfuO$s/"$Q*$/L>@s$]F`=oFK!->f74JJfi?f)),":N>E9KU(dK;\7JV.koAk,T7gB!W= -%l;OtID+(X=\BLW7;=4^9&,pljbFtm;["Ig#>Dor!/5^D%GlMBjcTaX5MMZfs)=1`G%NT'gsn$KkG(-,S2d4)-s`bZl#!4."V -%PF(#pmD]oaoWGEXL=PTtDLcYYc'2gf((n^$>G*>ZT>?H7"uL,XC\nG`XX.$(AC!LZ"gG4B.LMrC3E*dP#,C(3\KN]!^.*?71F.:X -%6U:/<7L"p/adPNQred>oTOTeQ..3.3EG)FW+)0XbRk);%'YDbB@c2FMgM[Zl&E(-;],5dbNtHR4j[Zq$J3j!o/RMUe/C0S4R?TPdkq&+J0s*2$r;r!^.p&-D#JptnU)n>f'%cV7"IoC+ab^9r;2u?PU<$9L0).j8cd[VEbL`fTsPRReX):El[_tkd+kc)(WHD -%8\&MaL)8tEccDJ4$U!FNRg&e!6Er]3pfBEIX8/>ON]$iaN%!LFc2*JQULAH))narVG+o)$:d4b(R/\&[,iE)0LR4P##Vq^hVF0"X -%kpUd?7ehYW90i"h.(EeJhqti4,6fa8@m:['!'3$(bgEj:*I\mr8dMprW\"BR>9pk^?XsI%f\c0V>iBhT[KV94BE\9qTt:A$%#^4S -%oD[A"7G/mLYrP,6pZnJ47cuef(g"Yt=b?6m+2aV5'DI]=MY'+Y2W)`+?'ZcS -%SK`?&2`eVY&b51X?6b0[P;.ZJ@bgD0A13OGU]'\)Du9T^7MO=:P`YtR+q!9h\=MuhK#HSf;41oJ'#D$rmM4'04ZG:HK0=Jg)gF&f -%=@%j8aWBBbKIa)-nN;GKV@E9F#0Z5:IiMBcK&X`?O2H\<&EJ=0aE*hm7Lk1>e!cnp*+Q6t -%cc6=/INsd0][LlM5YpQf@c:;?mu2CQ$bBd=r_;@W*B"GF*Ln@M\S[5Ddr7)OTlqp/Wc8Ei(6g'/K1.=AIBWm%2!YEb -%a9*!Q)ZRI@EDd!Z&m_F>g3Kr.",N1g$AaL\K,9G\p5O)S&02k">X8tkC?p>-mdOd\k06hjt=:NmC&;lrg!Y"d>)MS<`iTsc):hMZbST$<"6+0=pe^dGc+nl%2L:DOn -%\AETB@I8@"Kd-lGma',?It?c@WHTu1f/HspqX),5'MpJ731!Q=:#/M$q+;5YTV9V9!,O6ZHQ[rSj>lu3OJa>M^^(u%5Ro!REGX+i -%CP0.aiLrrSn])c)0+UT]<_OeO=m3`6>]3u9Y@,0nBD%p*\?HC#Utc"3HO]S4T.s')neK:LAROS`PlJ_/_m\SX>Nd`5a95/:WMG)* -%cQAQY/l9>j&dm9!?_J^3CK\LGb=Eg[?hY;lSi]>W"op(p;MR,2kI$d%NN?@l#.h4P)um;tp8q]57A]BYpTh6n&VN0966e<>Cd`lQUMM@j%t%g -%5@Y&K(-LG\H7]c;Z#1YMq>QFQ0l^!^k4thl]s1=_f)%U&O(JT$a1IY][W@V@2UFgM.:CO&^P9qLIIHdS/V(LDIr&=4M''Ql^Ae[) -%HfGB89I$YJT;!D8j/&Vj>.>siUTO9g]_)s9CUcak?M;q;RrX.f`.FX0CNmk2Yf[tADt:OnI^T&*/sa.?'E6XmY-ne@CN/DJl]q9U -%<9\`4.]55..XGgT3U]p^)8aO^Rr6?YCn.&BBK7kYaZ;jOa#j(1#?-9m6gCc`gL]tWL,J/lPq5BRL6FD1'&3/dACq>ga9:3X[<-Fa,@hl\MI0EQ9;0;KhrCAb%Aql75=S]bOk:i8 
-%A(:4mq!QJ%i1GYA5=V">&;a`Um12*n&V)ncAMSbP&rn6uf3b?02d,_UZb>,l%=AP\J&7]E+n4?/(J[BiD\kblmD-bL.s -%]AW[lm_E7g]R_3*p/Lb,p7Y:D$27#E+n)kI*hX!&15!T,R@nuS"EO\6Rlc0I+'m>Y4=j,9./9*i5UY.'jFr#*g1'a)PS4E,1O?lP -%]Yq/,_"+UmJ-OKroJ+bQh)Rt+*tgPF6qHXQ4_LWnd:X9tQquVpN`K3A?M['q+p.(i9FE4OTJ,r)Id9OI/K=%us. -%-eQp`h0]Z,ht65:@beXEJFH(.J"s+fRgsAk -%::]II^Hn5q8,U)26eq6Img=UnEJVZ7Jb2YoE6]DRkoRYW/oE)H8ajRjD/)gb,8-dP:Le2;^U1s_&`C5g3n[.%Y:i\ao!m=q!h$'s -%Of$f'7)/^MSVmR7$u@'4_"[VX#^^g`,.hAK(l.+(LkkglGe60@_qhCI%@&SO;/6Xf_0fdK/\)F@Sro[R]"j8np2)(fg_!%nhrr=R -%i5Ta\j;FA*Al]d7BJ(H9L8Dmg4=AYT:]XOD9LFkghWEd3Y`n7)J-]m-5X#P5pX"P^@GI1(\&;""XL9-;+sLCQ9E?EO.I`"Bh#n8t -%!L_"-'!Tn+\X?erO1tu1gU2#1n#5C8Df@DVQ?puE)n(sHJhoFm<\nd0P2&Wl@R$7-fkgi%D,N[L)mgYOPA8gW,u[.2DICsg9CVg5 -%_FZ#AYmeVW$E'ma?_Z*UZB*Z>p1pquNrSC8b+.PL;],U72,F.A*3*)3A&b7dENPi+kOU%0jCW+u$Ui47`0F]11Xkd76!8/-AJ9E< -%XR -%QN/2B!8?Xll>;CG:ld^Z0RC*=GoIX8SOKhRGias^T^ufTTO03jrhB::dVbH^Ag49bEis>VN$-495Jg1Wgs0-#:>a[MKB+.!pk/VY -%_Ka/U6ig,4?XWS8#IRLE63u6&P%bHU[WI[:&W(e\qtBboKJ/G%1oUPB\a>l*gm6[t\q!GD@LYe-P%Vbse@pOsC7bE3S)Lp_=*>^stW/pRO$:"iHMU#_STED3=&pojpU=#5 -%B!`(H0A#rC(G&'a[*h_U7=EXAu(_\_@K:+8`(TUUJG+![:E6knFl*e2MC3OTWKX#rMnMKDL" -%C=j0BZt,E^-fa>=b3r)*bc"*0AA]mj/5ZDEmUokqjM5W\GInEjVL`^o$d#Tm."_38HY#7MI;&E<)`[#^1?NVqNu$]BdA9?18-t0d -%[nuCFaaTHAWb/YY_]r,fTh%)g[pUl^/j<1)AI\o?].Z)1mcF*b*,G2sX$7In"FdIU_Jnht:)QYbtm+5]&Z\lH>(dMl%B+`gt -%[M!*'K$c00/QPQ(7^qAI[R+R33F9n8ihS5`^eKHF(D2FF/+#c3aum+%[\No3Ke;_Z_b8_N(4'eUCt9!+G&S\t+2RD9^hXjor,KIO -%HhA`n*6Wd'h&3]94DPk%Y;nDJDZD"c<$CT-EU2/N:<-@I@[iA5_7U@M8^V6+ANdb%KV'l_:]&.+lIgWhEE(_ -%f.QHX[ZulI?[4MVNDQI4p -%)L(=qRt(Q]CVRulVe:X2Z$Z_G#KC>6S=mFMGL/P`-YPXogJ3pN+Pl$FOtk=?P[gA'lZgo&3-h35UI?E;Hik5%s*F>% -%WD`P+dig%)eD,HsR.HK*#JieeW1sqIIpXn;;ZY'cAd'rp,m/PS*;5i:A(u4jRt.Nq2E6&ai"djeqC$mD"?`u!Cg/$An1Rdnko"7+ -%03pu2YuEeaoEf39juBgX_Zs7'd6'B'P!D8(RM20lpX9heVR2q\.iLTTOf;cPcA4L*pn4jCUr&t8A>ApC@>Pl,0,0^FQfb*7hI -%@taGgYjtgclZLgEG:0PB6J"D20uLi`e`Y927P@(qiA,_-7_f!.U'hYZm*DU"Q]fI2* 
-%%Kj,rF2&gqAq^eO&`f3XY$4F5T`>3R*G'cr$"UM1:]:6**Ku6r"`a#Pp/b@+-1V79!=36]*!0dpqZ6=DGiC(8ThjK`IARn'be!+' -%J1r_,$rl_=dLHGX3Ah&68V4GZMfOFddND^5%-t&j=mZejgLa/\G[HO+T*kp25_9\hD2a7\Nf+%ri)/hBpo%e!efM&i>SE3,fteeR -%1^1=r"N?t7i-HA301e6m$t1"u/&+W$0Lb1N%;?!p%O?d!n`o2VRd^6INgp6V"\MaUZ"ZtVYRk,K"JBB%%g?@\0R#&0-;6#/Ur^;Sq];m.7NOfh$ZR\.A.;#;.Y),$eAfQo6L1T%R6'hWh7B8\bUD?f)W36*/D>I+/Fkl*"(TK4EPLr2dfeA18`,]IXpo)!IkeNq9) -%R9%(SpC5`Nl4psuJ+l=ZX(o>FiZH'N!$'o0_,hZ<9EN:!JBO3>9C%5#A9)Jg*!S])o?nV=-l+V='-8CoY09]_q4saL+V6+1[@)WU -%R0AtW9'n2(nZH3sK.<066]$U1:nn(2]Ygcs>&"6+23mr!Vc$fU:qZjsS.&okf-dDb3d&7I_tcIZZ[qk.W85o:ppVclQX=qd(L6AC -%H8Uko+2GH+!?A:4X_lm1(lHgHqVCPlH_;/g(3O:kij'-NP24aJ]EP-c5R1.P)8s1El6'[LoNm`J:>T"'"2n(%'h6q5BW4Rg]9Tgi -%LTt^^(*<^A?\.k1o!&$!H<[D+V"(Dnc:aCR$igo:,@o!#Y*Z(M6Ytk%P.#\V#`i&n;E\QI+t@5AkmG\FS.U9=0*GR(V4-!g-2O)N -%2K1d>H[Wk_bN=.>XffEoUX")37V!,gC%QBDpaY'j]XJd#l+&s -%Ih\%%fMje60"C+o1'jk_WmnTfrR`h:5S1j+f40JpWli5>G#b*q\6"5h@YK(C9$hFhZWlUkbHKcMaKWrO!;.2jKiFL/'n8,:p+:q9\b-jA+t%rcGc\Ej=BW-10VRm^:Z]8boAjGQfT<'8p;aEDs5h\2',C7;L(?3.R-m -%HY(QWZrN4^Esq29kW"f^.@c0gK"PDKW=H5CeZirf"'G"I)[Q -%D%"Q]:BfRSo_fUgQ>JET;Chr>:=r/4cEM[R':-!?jf?0dH)C^Ke,.Zq+4U^^$W2&kf1*5)[5P']?:BUI.D)QlBl^DcFHbVV@r+e. 
-%X(Zf'+LOP9b>^"N0rH2$KB3CO`>3nh$7Im%kt3b7'HL&QeSeB$pc0W6L*Qhe>I7:_focCDVN[s01ibFWI'?%&W,7`45Rbt-C+p"1 -%[=rel029J&#H!#*WJ?"uFXp+sYSI'9-K0V3(mO\_KU2F@ILcqn"mk^n(6P4["o&nfOr9t+*C>!P5*Q7Pidu+t+N`RQ^h;dc0__8l -%Zo'_F#QdFI9Mk[6)TZ!q-(#\t2ab93YUG`W"*)n@q!g#e-@- -%"k:?S0q?Q[+7LJEOc_68)Yob>95n`;k -%mUM'Yg$NjC5]$4Q0:5pu]E,g_gMf`HmqS?!QlV\AB9;-o*D?0#aE;q7rDpqp(7\p).TO:LJV2jt.tEl)Nr.#e;*Sc,[FuL -%XtQKS1XMO`^6Ec$A\pdL*_M%%#85(8ifEcU^6IW-F5V!P!TMZAl200FacPE3*3#0\N3`*Q4$VX@G)!2O@:u9c!inTgEA!`gD6](F,qkK8m81o`/FYAo\De- -%2QaLL3Y.^([1$NhDu;diTFK.2"PJmuU``NE42@#mOXD9j/IhMR4K^dI:$Rb7``>4)>R@r?j'h\2%Vsn#eU+H1DAM,K/l'k%hQ/:g;L67(uB$3RZDli+r&C_].MT63.8]+DCl[jS.5P -%8;!bJ^B$!B!1@*t]>7HNj%D]2[HNCh`lgI1I]j^QIW@A%ZUVI=m64^M?sm"jE"]4k!H=X.1*:a5:rp>M7#a:Rn!t.YAO#-bQ;aI7 -%V5R$qs6(8+=A%5/cQDSmUK!9ukYb::@BdPGJ@_U"ajV_`s$MAYV$C!\UmOOLJ6)^d3%GJtt>@!pWn[Z1WIA+6")\s0?afOg%+4_>T0/g:#fc>qj/C@-_E^*aE[r@,ZHAX+P[4ZF7rq[Wg/1h^OhjrB;H2 -%^/mn1jc#2Q/A2_+^B3R[SO#PJ)EkU5']93aFY(>$\;43WhcDMT]%#i_hn)$#RcY/N9XnS'E_D=84Qr$mn&m.6:Z-;B"8)gc^k(8$ -%R1*ZH^,o]s?F`Yd:?18<[t#qHj4-Q^@A:$Jenn=6o;ooj3Y-E+i/Rf$Xr6#3>dJ7+lQD]eLGS)h_q$BPG,uYJhQVNbW$VL)NF()' -%]qp0:kq&K-jc6/Q@o.<*D@j&Kr$Dq8p`8$!n\"Xp^*ug9FB=Y-GajK9d`Rro7jk/ld]V+ -%$]E`8hYfIFhY@KJ,i3KIp[t)pZI)!#0.T)fTnJ`fV(l?Gpkp/[ERD@L4tFEV+*7OV9!Cg2']r6[jJ'?3Amm_(,)Ed0E6/^=.b1iD -%d1V9l/bX7bIJ!A8#HC(b=Np7kda9B(XT]G86OE*]V4qjNr^"/B:ruS6VUj5f$o< -%r@R5<]P2(_iY;H'DM7$L'BgbL$J7KEdN=3bh<"nK$uP7'X#2]&c^I@e^$\Y+(S&qI0\EOf7rl1qJ_B)O?5#'5G#-E5m0:&4J_)_n -%(+`*bMqRPuo9#/J[Qr%.4J+1D()]Ep;QH`!=1Q0!H=[\Pn=e'=l"h`3fk+]1.*\a+#Kt+:+'71IV_-qSmO#8C$.$(p=9dd]>%1mR -%6,PFE\@$0WW!ejG]Ujenmd'r!hl?FR+O&dh.+\D?g@AgEeEVVN6Fe+CXJnW%Q&N-WGhneMm?74`k_S>[;o1gmN3[]bKCbcqWH6k=$Mlp`IRXQ*Bh-u:OoY3mKlk*["kTF68,BZ[MtHWAkH'K*\m -%/$f)l9%U1&XYcH%II-Q%i*$Erj8tTje\u>o1=Uk:,7G`MlON=1^j2gEm_f[,0i+cS_O!8a`A6nuNfnJ8fe\>lmI9p6Q-ZHV]r#*Y -%DoLM&^6B)P[/V2XQ/G@ci.1S"$n>VC8mG[a(nl,*J/tUVeut#G`B82V -%L/bPuN8@k*(rd',A`]u2'^bMWs[07j#`W51\;-4mT?pUH#(Va&H@/]rZJu)^a[[Cm9RAuq6WH]C*Q&^[d9pa/$ 
-%#Ql_,LN5"@UDXd'c3%$L_El6$iCgW`fnR%c1%7 -%RK+])[>4\\;VN&l'MQ3Y>d2lAVqBZ)j:sj.$Ic*q3ID_f<+*Z]AQBnXDu>!OGF/An21%o%nX&l>; -%D4/'`i$q_Kg`pmW;oT_sV@0+^kZ1/*bAoeRcP-B@h;tB.i@N=NC'Mp_."3)YlIlG;2r*%gkAa61p_$9kBbA&CZE@h+'/ohu=BF@7 -%n,"uN&A69WXSVAak8VWS=#O(s/B>ODHiN>$OIM<=S[/h"S5,6GdUJl:0;SpN=^r]GEP+46\%qk[4Rm1!;e1R'T7l17\5Ss*b*/FN -%k?&K1gup^H+8nu0K>uc?PfA!u!4n:3oDQ4$^[b#_pS9V@cSq5EXYr[W0&0U!fEZUEeilJA%Sgo3GpKO-K]h6G2cq[:IbK;X20B2m0]LrNA[`gjJ+,?r9IM);a1iRlF)P!Pd3RJu#O'&[r/T;2/=)`\Vpl^4r-4:L5q2u#LU#?`er -%`&XM\cok.W[CA(sgU!dWb"rXM7'cJa-'"%minpYn[I!YcC8dI_XXnKV5 -%"tm<\B"!*#iDDQ4aNQF7cFnAVfet_2o!@1=U,BNI!KXqm#_Lipn&CDH8%Ff<)<+OR/aCPh@;IG75.@*qbDsPaaA?3NVhj_\E5!*2 -%m'pr?F;lS2Cj1UkV->sTlssLYmaldh`CU7gk%sbX\< -%!bKO/Z,N3WH.qWjDC%gKh\P"`E%B&4J%bA+:\BLmKtXoqaGdhi]1J:$$2*UgA%Xq=\0E=BSC&70@k1a<1EB#21TF]O&^FK\g, -%]r($.k(^AeDRZ.10ZEGlEK0W)hgOA1ZhDrNmegXP4@0EccOb]k2s8uRgk"]FmPT2)cR3h]Y>R5i4)W_phojuHd'If<-k;\oeYV2r -%4mk7!"h76O75O8I6C/QA>=Xo\X&+@_P;cFJ@fV9=W7B&$)s4P5XS3%-`6@Ok"7*Ur2>2u2J^c!9H,Qh697D&un!P_MdPJ<"eW?Eb -%.\EXCR!J2Hd#&e1)Uf`X!eIll8$%=+'WrJJ;*edR!5&id'\*Be*8nET2)$&6WJGbRUr(_Te`%k]QXYe&=>7%(oZ2"_#JaRNXVkt0 -%c`/$Tb3%IM\_"4&igeE*RaU[30__#hVqUOrBfBumnpW[.o1k-Trh.G[1^*?+B:@nX>#oRP5Tn9%jRDq6U -%4CGO\gL6dRs1<`0c=^kgXTRdTj?p`er[6VHF>Wd,:MpjCbp\=r0M>QY-#^j_7\j#>Br^mR#(#F8b')oeC7_)8PFsWcV/UK0(F-Y1?(O_mri?bY>k -%fs-JJ$t;8IY>Te(0sJLiYQ(0"-\;]7R+L+E&9Milr^bZsJ&4)gV(j2NGF1rQq=2&Iat7cH+,BSRmF,M'pB6'C-?041%1LIL[:XWt -%,A$Si@bPGgO4qe^*pJ.EQZ@&g.c]ZSW?d1T%q^^9)0U;U-o2=AhsN;`2H2O,*hf\9OV8:=A7\jeBrK^!Kb)K^#g5++!duCk&qslbjK+b>m@T!jJD!Y+#FeP(R>L-IG>l)>n -%J-pIg`Ss3T@bI?3S0Rs)P!WP6AODgWi:Tpgc\8rch.Y9uB^euFEn')TiY2]\2;N,%$HQ!JrgY+Klij+TcQ9C]+_=HV1:LSs\@&_b -%U),Fu<&([pH4PDL,(U(##]=?cCB>2^ke0+&DQ,%GbS';+K.;edHfY(3Z0f(UgZg$IhG+DC6$LFq2WFV4SnRe<&?f:qhAKZ@!YhNl -%TLuslcLm%]B8E"ZMXXn:[Co[n1<[3Ar!*7*c<\Pbb+@&mJQ]8M_o^IG["JG1dm,[`A+$`$t."H9--1\8EnkfCZO+1j? 
-%;/1YpEaq$/gGW^3lR5acVjZ'QpLoG5**,Z"/tdM`VgV.u+j1olY4,>Re./3J35P((#W$A%8j+-*1*X0-r,kpEjC-J;H^d1F6(B_: -%8LC!eJR'P!o*n+D>(2q/@4Gd&Im*Y@8*aMLCJ:U4=LT^LH8"MC\'6SK!nnjWhR/IW]rg%KPF-s2]Q%F,&(X87!Yb3YM<6;CXhO;mE(ASclIC=i7.$DW8qG0N""H$?a/ -%p(>J*bn5X*KE+';jp:D`E/nnb(J*-H/9dTjFPdXK_Cn`2F]n(@ko:',@5r!a]HiDQ<]Q,Yd5H[`!Ld0$G]1U+C\N26l.7:'39Sj%=GhN2s1#+m.uoC&N2Zm+]*g[_LG5BsL":K+-C%nE#Qm[A6"f,T[!d8)/Ni<&LYr^?GGUkFb3"4S@Df3&SY -%X/1ihr.XeUXj[!Yi3G^OcMMV,;bPDSZ<-e1L\U;Zj4cYbkV0YU@Z:]_-`BO/di_SV+M'J`=SeQ(^_:H6S-K<5RFY -%<@Rm>BF_%["L^0^FT]Uhmkiu"4Z?tT=AnXSe_6A&05MN.IEn7PGH`!^bY9XZkHOZ?1oK"`N*mFm"XEKm^k4gFpSd736pAn3f7^;> -%]gCI"h1W!!M[i^&?dH4[:Mr\XXlUIsTPU9*]!LS,aIJ&jMtOVV4>ReLDVi6qB&%u`\KT/GM'.YB#0>..:1Ec6g6q3!(%rA$.#[7< -%M3A?1[5)kd\M--C.DI(*".%_:cLO:T]ZeRd)@;;V9`.rS0[5Hoo]\Jcb#;al!d[+boKE_sm4Z9!X#e+>nKfa:^5!mO;F'>68lkD6 -%qj,sO+:ujtj;S/F]Uij3F+2*L1qablOhBnriq\?HC.Vud'UR8`q90uq7elra'e1Mb)[X(0O]cUV,P1de_L?1lQYdiiYSs@TKrf?" -%N;"%[&?@c.N]!M%ODZpZM)4B!p?Jc*I2Ct)-H1+]O>RL+YV\$*p4a?3m)f!AA.7-,0gsF9G*!QY/HR>K$l@P8NAM`6S!f4Rd=hg< -%9AX9?('AWVN9s,ik$&JP`lA;pIj?epq=Dai>V#%/_LfUKBB4,#.JMZ5'MTO@5o0QC^@YWV(*$k#H'LM'tr>f-N -%p/%b%aY72?I&%*&g(>J4':+kJ!t,J.TVjKp]lhnEK"#\`;^H^bLtJbn`Y9?)r9f54.nP^(>C.$VeG -%3041E7EZN-3CgN]#$J)H>AtB#bpig?AW_Se+hj@4AR*^)JfmjmD&GPCR0t5j3UK'p,:%)Bg'Cd]WU@I[$m;V'S2@VY]OrbXi>P=W -%K-#usLGK-aarl.[q9XQQ3C=]g4Dq\8C+0Ue\"=as1dR2-Aac$Z0c(R!1@LV)nP0)g*_G17Yl9mqJ48H$P!Vo1MHT6i_%8lCIJ<-Q -%kJ4aZ5pQe9^c-Q>Or]97O&@pf\M,tkKim[3KJf.(2't1IMVPt$btt6/"SECm)nfbR=h>5,:VB^N2r1On0INg14 -%_VJE1q4&mLCUb;lS0BR%;(Q,(+^KOdZ%T#F@E.8=-%Q)-5)L\uHJ65q"G,VS3-0;rr_;s.dLa-9c7'dg-PsFl(Yh^JTkD%E#:4-h -%@/U!Hp#TEu%K!u7=\hPY8M>I':skD"UpEYk2YuTQ)R8gP)MQ0XXP9_[gFX'XTDDF>G72/SP5U*Nk&V@=r3W=%2RI4oVR#:$8ZCIiVS/?ess.(c%BX201/IZ'F^#7WK]@ -%FD&Dh=+of\11HI*pNpMP.[h%KSR&AD^ZjWE`r6rFup=+@G'+0H4TJGg.PuTcD7G`u6HR8js!IbXu3)'s#VD1YCb9+I@[$ -%ad*B^1+5a%]M/d?LG$S6XMQ>^>"'4Id#=Wi5j"H6?IRh[R"?3@\Rc=WH\G0R/OTR`$sO5l-qf0*:ff)RL37AOZ8Yk5N'9jc]f+RU 
-%9K>3jb8$Aifj\DKApBVVlSPC\?r,p?W<-o-RUlj'GnL6%[9Wk]=c-(\`s".KHJtFIg>3^T?Qiq6]iE9ZKpVU-#nRu;]S_).S4A1K -%9'C-JO(Of!"^DYq^W2VUug#0SR"ONc9O#[lTdQ(\Jk>+M[+)cFHJaQM+sXMC)_Xu&hkqUfJKb46ZlQ[&+6PENR/[0c4NG?;,= -%hKpU"Y7h=Eb7KD#MbkH_#Eu3cNS@Hdj*7.,A"V=/q/3HFEpcCLZ6b[`0'q8B@>=0G(!,pgV,Nna.u7L`*pXqEl]oL==,q;o.Oq]5 -%^B'&AnHU+-Y+4]j]KOq*Q.Ssu*bd3lm(c3WT=Aht5"8"Q;Tc;++@#H?T\u?U$L[B94THoR6=JY43UmYKq*["S_]Ineo*P/'q1q0M -%il(<-#[>8LDpV[H+Aulp?%e,[l4_6kH+(q"6>[;1I@omGB&HHc`UST"jkcCr7h3MX+%RGEofX\OT6n.i%JaK+TURP).1q4%!mBZ1 -%e#;Gip.BEmh=2:@_rrB7Fi7k\3P<.C]h]L\k7Ooc;KHH%!#ZN,_A:HfLKh@G%3J@RoOFts(NA`Jke*V+8qNFN;3`u3t>^`jLg?sXPXed52bJ/U98bSgo,r:9rMd%[J.Zsi89[u9]Zf&Al*Z*n.CFp5,/d9lBr?d%OHS&V^ -%Mqej`VtV0g*Mp&0MD&c$[sI-Olg;f=Sf:]Dq_V^?SC8LBa1DSYbY&t>.0!sh50GiZ"/EK_44^IiX:,*X!8Te"42n+Ud9[[`A)TAG -%,"2B&,>>9uK0U?Yl,,;$;M#@!"d*-l@655tI,/k90D9_sbSGF34=V.?/^aF,T<-1P23g-+/js81M0e`()Z><#k7-8[ODT_=[rIf9 -%hS6(l-X#*Nk7KQtNJF(eM%_]o>$%^R`0.Br5n/s)V<+RLMg/]qp-'K2!)I)baW6*I\tY*Ub$7sVVrr5$Of,Ufelu/D#Dlt).cS\/]&T?n8&'60b$tSrgG'&1:AbM -%/Ha)Mm(djA76.Xukhj1_,\/&P$Q*+B;KpaVJH_"[^gL+j&cOsoQbbX%*kl`NgU50Ub5D -%b@e_U],o8akWZ.%?f3+g1X_^C6;`8T!%UL7)9oD0B9,-"JH28^=QutT:`lM;]"g]V`_"e:7AA3N/cM#_Aq@lu3!q1pHaIRF0 -%&qkJ*CO?8k]Gj-X7te(g[b-sa@BWN)1K]pg.nmM/M^)6Ri,-cO%1?NLkt)N7&m)!YneH#JS0h!po*hO4gJ&!'kE-_dDEBd19^>EH -%b;S.cndX%0&Sf_ZpIS)F-aLc)>s+6HU$`&IC?k`%nX`1RlIssFRZXT&"&gc8> -%P[t.$pjA$>QIF'hY$-'+lO:'i-[QEu&VK7.'e@eE\%iPYE,-@Cjc>XE)^s"r..q=>-hC\^3@I%Z+42aOpA<@_C2,>_8(k^=4qY90 -%TRu]#VfN_p6a]&>\iA5q!Vh&$n55[km&X1C"#=oH\=s3J_LcJbg_'JE:!%rlHg)Lk[/>=lp!tcCc.D-IMsEYpY91sZ#\D@Y;.C,7 -%,%t]H.dd]6q&&($>0NCS^s^Z>W*\8gi2^)e8$$)'ZWfEoX@C>e#VT+,;S'aHC'*s$Sf)+['sZBgMG%dM`u0oG[Q57X14oKR*\--J -%CHXZ8p$dR5>[@Z=DYC#LWECVihb<00KEPGKeTBKf`?7C7*DTP0roph'm93@IO)osMV9n:+&&l_l=IfNaSB4=]M[YJ.e -%QPH-)/XF$Uhod$P'S(;?(VJYi%q<*<1P:8^ZtQGoOql8/$l>18CCBjm.aN!@:DU_A:!YNMXATP0FSHKHplt5Y.UuG'[FKM7Z'kh; -%-/VMDFDg[M=ct;_@MIDKjsi]*6P,O7%%]51#KdeUShCD*kZabb2S%Ym"CuK(`i*#&a]]Q6Ks4\F5un@P^"I0Mq5-i/Y=p:NRauR2 
-%1.EZ"?.UU.BZmXTN&&fGf?(:`V3&G6%6j3#X_sf3nZRI:Vi9*gH_S=a^Oh[+`)kTb+&*J!_Jk=i'kTiVq+c_?GB9+jBm#qW&%cnH -%^lCq:-o^'/*PjCj("86'!bF&PK(P$`GF4_%:Z>;6>TLJok&IVAKn2n.2G$s%C;)LDJPH%5;=ZlBmm.`CZkeYBbi%i[I_TI<[QNHM -%pr>76@#[;Jn)4EMpNNa6oiX5R=1qC2]"\7jr0[?K,8dG-qWA^ln8Z6aNa&j4+YGb`3t:r1DVJTPP?QLU!:EX -%CtQII0q8/5j,SgN_PV[Ad:>3388XQa!_@Z*cqkSGVO-N69..@Sj=S1lFlMt*!qNL2iD*fmZs\[\jp59*QtukPc'0-?5.aP:jK>n_ -%FVsQ^qj,KhV2C%^EQKP1(5o9!,s6e?jDEh`dlVCi6npNA%%q(V$hW]C5V`=`Hs(ZR3seY;O/5pIcf"/C8!)kj#-OBhCB"tA -%,h"EmZY/+(!9BA%YS:%Ej1a*>/$jE7j/+`2$,6TSU]?d>V/9fcfbq'6^^;uRDh;J$nBTOahh%F_`Z`-B'5lk/'3Npt-K)to'3`4D -%*^)aP;/annd]h\7DF?Md9H2+Ndn<\)co-d-jQd"0n&tPc"q#Dm2)#7n_*_?49hEGW$0RhlK)=PE-Mp4_"u2iJqD;k>/"J]1bS5"o -%^q+EqbYAM$Y\1^5J@=3r$tekI9Xh9pm_K%*GB4ha.o8a^KS6if>2\t>U&2&>*5rmDT]HjXX?9=)-]Z08e>7NApblqWNCN%4jS?pT -%,AY`%7N$c'd%]Y`.<^3*9oC6)iXIN@?Q-QsR;$Z6[*Kf`SWLY;4BF[:'#GRN1"Oi"WQ37$PA0o!."W4Oa7)k/>T:1!!WE,gQuAu] -%8nMnIn$LQNF`>+5ai3W`-R7S'"@Xe+9=C^SVe-q'rkao=?.$m4UnYj9N7U3K5bG_QK<=bP!INU"#id3tQ#nX+PZD?& -%bAIO[$@Xf8gF'JNdr%9N,F6Nfc&&6q4@5)X/k"JiT\L@m#NV;EAHR4Vb[-m`kNg,Ak`b'n5364)4XV.%%rh5O9:r_WVol33H%@fS -%P$*nT]nZiEO=fiYP2MBLn/+CH_"Erdhlk*]>P%J*-o,JGMk>VA^Ygb>7.W4s(p_WW2E=c\)n'VL0Fpt!5fYa-AY5&2IX7f!VPI_B -%1X_LNe(::r13MtW;oebC'V(K4Es'`pa,p%TmXO9K3(XNi7f4SLHEPGe=m=c"(_knGZ7nl&-V:#5L0*'h2Gfh!\0TA0A:*JueO,?B%VhDe@mJ!JP2/-oa.;a,hPM9V^r=B?oW,H0YG+!NJ([PAtBK<8[MA+$_bQF6lQf%S)q7ju(i[ -%MI=4`9i>fN1te+SLB;o)f7P'12CGs.d"'0!B#\RoCN,GWr.;Q5h_r5J:1nlQ8LHobh[\MPerm)E^*d'=`\0Q%H&Jn%*E9M6SXT2V -%k00T8k[0QY-MC[\%uk]EC\\/BTkMYbgbL`#c_!"^k![-"/7*8[^!YW\G:M%>N-d1G+qN6SCCAmtga-M+Na%6,L^@gn9frZ*m;e"e -%rfL]rP&Y62S\\KmKd+j%5'JBOmG$F@dg;@,?[+MZJ&+4$8R=]T,*br -%`S@%,*Op/@W-ZY+s!&Ze`@PQt>8d$K1_Xl"-B*`)oI/1F<4#qZ(=^7)aCP-FDBnO71/_5mL#kfn&*Bh^lnCCV-H8;CCdsO8[3-), -%W1"pQC'sFLQSUNCeBfC/&4nD=:3/*oLObX(7eWlE[W8'hRa^[WTXn<[$#7R1MW2mlQ6c.(&MR'8I5Sb?hFn+6pCa\o2o4rH$`l"K -%"=L2:%%HFlcU)-lb)Fsd=\Ao'#X-\oQ@!^7_$nOjGYpW:Q=RokU9lV.?<6qNdlrF-$gr)QD%`7e)A\k6f,@-eLCie8Z@pgc 
-%BAmhbS-p(SMf.WC4D?DnB0%sg3G^U]0`l-HO*UXl:IL&Kf9BustWT./e(HBE)co!eC+bsi+;@f1! -%!nKjAaHa-N($jS:qV6:K1"8u_!^QI0n.F14fLlcF=i#j,iEWuS^?okJ_hl;bqMDa-<&44=,QK[`fK5L!0'!]C_bgi`^.Ope(2JcJ -%nN'LM6^^heD-1]6lT"bF(lUD,q_r=62\LYuNtFRkDr/9h#0R*Z$jlKh3Y3ulrk!9KFjFI=OoN?e;t&/Bi+BLA=(H@X$gu;5UTUMhXHE;pgG$nCD7!%S3o_#>$a&TW@a3Z:IS":D,&1(W!/kllZLNf;UkE&GGY%r!`jabsZ&W)ILmu0&$9l.aiKSFMCZ\ugAo9`$ -%Zs=BEW<7$"RLatsgBb6upJ;++J3@ApW:.'%bE;3Gl0YX?30Jq8E9&gAh"@'\K3)]%h%YbVXM?rD7u -%UL96^oR%DJ5Mm`YAXLG&SoW#KfeO$tGQF=30PPqE``+^qNPEM?B\6&g=*m-'5DR3_b1##76'PE/L1Y0`8F#=[%C>P8hc65u3Y5B' -%]2B3@gfqr^1)M=^VAOXOFuk`X`'E+b!G?RRpH!!9;L@%dn:r&=WT)QaH#':&5+,V%p^CgW#A&JVkb1h+3?9I/BI1KKp:qR?BV7#h -%9_&hmRNbNA7NAdG%mUgRWFNeP;s@u7aJ'E$KViDP]CR\KQ">^i[Jg):/Ko#P_G15qILd+poR_'E8OAe>2O>LE\P(##7_^s`2c"Ka -%YF)Zn->.J8.O1`@8cfE"WtsH[F4IA2G;QY5M,t*I)5,!$CoH"**e<+`MA@Bgo;G8PCMF#CelOQ>cD!8-K@&g[)EeHd=]s6+3Vek$ -%jTTrG)[2mDl@^Y,nM%1M-r!g07^Z-844=Nm[)_*`Ub/R_+d^+bS`q]K!]_phabMGqgTh0rFK:PN9h6',!jqcJlTsYU,Y:I*%34?Y -%IeGCE?j8P9p^I6c./-J\i'c$OPCW6-<7"prHioCfYb(goEjSWApF#H1__ihARQ0f"';b>N(o;_1b#^c@0NE2f!l_"QV: -%1;qf&0\9eh2mi%o#h-0@Nni9M[u?q-mO,i6D8m;GBI>H7q0i(O27Y+S;:VO(/@6:8hL.Pp>!Y -%:^gb;<=f:Gf&I5b.NuS8C`b&eF^*t&TGo6Q%0=M_XoH``(UMuH62'5Z?lX*%fr]mRMREZ_r>8rgfDQI)?GYqZoN-8hfl\4j9>Qg. 
-%Yl2h.!cR#(%<&XIi@WY&q"%(nYtH0(`7^1>^JRGK7lBe+(P(qs#Q]:JGWUjN=LZmP3u2NlJd2V/4"Lmm&F$_';=Y&Ur8I$cpSeHj,fh$+>OU2dO(ced4%:6q`_3C)N3rl/Aq8?YO@mOZ]@!lP.c_bWiLZGPm4;eQ9c+-fF2m&K!i@)mEZu/*m?@k<4L6%:$7%PmB?hQ#sm+8B\_agIr)KPYf#`UN6MLL&60_^ld/F03/`FOH^>AJ=^TMI#K`d[<8GT+kLqNKBAW -%TYN]_9F&W_@n<+N^+>;DE+@3@Hl& -%LoYX''c>?#W5>,p#g??.$D)6Mh_U'ki7D$2'.Z0_32((#EWITH8t(,_N\upoO_.#gC+lnijAj1#1Ec"OP$#&AoOKe_p#'=a^/pM% -%4n*5%"d&NXc6?7p')@:XLc5KI4^%MJ>)%PXg&(7!>`uP:I#jTV`/5UKL;k(L8qbn1mVVD<=>a^dUc3LZ!g&6,O'S*G/XX.sb:Af) -%f@/Qs2]^??O$W1O*:2&gnRBM1+6pI<7Z&ljqcAM8#^VSiW+"`q+NI,o\88NAR.1h01.To#2WJEQES[Kg`>.ar)=h:gfnHm0HY85W -%]g_A)++mhYl&0mcCWhZ7Oh4)Uei2[<8A:oBr$QHD9F+6"!EO2PVr\fD%+9;nc`DXiR,IaO"Z)$6Ub388'&X@n-F:`gb[J4Ahi7+2 -%MUV^(#6h;6)F5Fq^j9,gfn2';9A=c[]E5q[``FQjg/;Yf#H8Ck%*]&1./27W09J<0_AoiE]itQ@$m"[9empV+1G#C0p^"I\k@915 -%>%K=HM#Y3P9Ei2_oYJa;=j%jc>?25rhL5U*#c2f17ed*\OZ]^r;;sAtp7Pf(?'N[D';24\V5^IF.'#&oiB&)2M -%acik76Fn!0>-9BMM7S3fbbPr'#ZAMa-isaWN'!L@iPX'OF#(l8!;`I"$l%RVGAg@_X<&p\1t^`ID<8Hc0mLDAU9lLKU__U/J2f$, -%h4,AZD0*G]gC?m(lBCU?M:d%UX'L%/pi5`cgutXE/%[=kj3Z'-DmkC%1I1K, -%cFAqZ=hA7'o"NVO&X-Z-f>>Dl8iD!bnJ$-m5`4\5>86O:e4bn8PAF*VfJO>P<"'20qd>aXE=9Ao#9A0T/'El%FHF-s=I3l89UHU% -%kKf:hCm-"^#Hsu>7p2(piPYLqqQJ"%-V2G<@a(ps,&i(*?Ee[/nE?@,o;1^qaM=?Qh_9LslOFb*!!^`tGn6Q?FY]c]7u&`5gA1h$ -%WNqOGN&BKYljd<9m\\QY3L@?p`sUZ/i&0k-%QP$=T5.)Y8ff<7J6_P=r;8\.V60N>=^q!%'d)B"cU5JZ@#5&bSoK5gE#tq^hU?ba -%4cCLe;Js=,TJ-q1&uB=+UI$HGW!KA[T^#&r@S6*ic -%!dEJW#7(9XZmB$;oD2X">c8+^rRT.SNhTT^]9ZqDKtQ,DDqCIHXD&V-pg!ND% -%A&&cUIM4scd:+Yt'L3n,N7Jn:p2LYeU6V@JJL+=@>WL_V4rZd+g'!(#meI^YI9MBa>04-NPH.paA@Te1-_L`An0%Ir%]si]4tXSM -%r);?9m`-A2s/EJT=9CSHe2#b3d^7`^EXW[m_5NC2#2DT^`YTB%E;Kdi\dY4-N7.9f5;LF,%tq6 -%!m3L[H>s&m8/LdeCQ)2poq4S76%Q-C+56!FVUScUBZUbsa1+/dAD,+P'mKkPaR_.'+Qh:PfYH.R'E!:m5`\b,\E]lP4oL>NDI&Z0 -%T9O.^-YpN^UX%eLi>?N$C'*D)r_]\2q4iK2b/q_2jA=?%UWu2o*`pj;k_!!o7ZiQHP?i*"\9I6P3)@An47'[fBPtEX(UI9R>gV.+ -%H:EZ2Lr8j4YTC4:Q;AUFLZK?L$'ZLla0@B;a)V\R.&V'5"h)WVQk$uA&+\Cr?LU!O_8tZco/p-jbq>U#RA'VWeQ[sQ-!*-(6"Pn1 
-%YQ:oI"LkjqT2WOKSU_:m)*Kqb_J`c0P@2.n$uJ!YXP0_MXa^!K^M*^iVI&RY"?>Tg]e*m@$oV"#3%(PTChMl'YPiR?ai(FL@\&]- -%Y62=.\!G[@J&"TFTkHnMWCV<,>ch&lAq/]r$',04+9r&-F'(c2/\sB[1TWTi=Q*kS-K3BpTB-T+7AT+d[ar+WAu1)C1,=8WAL-: -%PhSr$G-%7+Hk^EX`uP!28]DV'?*7S'mX*+lN.urd0OH@dWUg+,7rVl\7>LJC^B$VK5Fu0&1Z-7=,C#M7l8NS-gHKBRNg&lVSR2?) -%!cf?h=/bp@Y?O)\FK<28L^NB'0UY01> -%b2iYcLG'I"ZrJfVVKU[+J\iU]TZdICF:RI'^W430D$`,""h#J:J1\k.Du6-hH?90@O9NkTdKN1r-K(?&lop$/+3g,HIkH.:'<)4p -%\7lJXF&B`cAM$0U[8bk&PD9>*f7a9S&Eet*TmGGpZWdUm;;[Ee\$jfDK>(2IhZRoqD%@<,;m(lhjB_150EM_/qu!@q^b=9Q6@nMS -%grHi4^%FsRG[9$Zjtd9W!]2""Kk158s*`,kqX91mT(u_ljCL##4,a^lSo#!$anb0]66;_87hJ97%u/&J\F;t:M84tpG(<2epo\)hnY-@$3=arq%C'Q_=lN.Jmi/-N*"1TO>e_upL\-L4X(1N^h]/4:A30@8sBalWsFp@oW`Oa+WNFi'?%MdQ7 -%e*=d9GXd9e]Rn#D(5e`7Y=S^Q7fuPa#9"Rn(57k#6[M+0R5DM[7N(tDIQd;s6o301@Z-co2-B_7<0`3=CkiH(]+r*KFc6U_AaLc103)2"HKSbX/ndG`CXSclUe/c2+'6t_UgC!)-3?ePm^qt#/B#^LalR&ek$CZ5S -%n.pAek-\]jkWi\5fa..DD+uZ]hh#U`ICM(9qW^\A+h18g(n"_)PkCK8^cWiT6!9?/]*mm@4(DM"]'br91FX_7q@pTUF&;&kjl+$u -%pgX0e&hHW"$k*BLJp08#/1`[lOq5(e!$3DM"@]JGl[nT7VJ0ds-,\]:6=$?qYZ"`n45K9;fIOF-'.@5m5O=]iK-f=oUtXTO9Yi/9 -%Pg7&.El$RIBf-h5OFV[&_i)R7JkLQn4DBM%5oSD""eX7a$NBcBj(#+%_^cP9(T.9NnUUq^2ZV.VOumqZfi-7u(^F[".Km6n4K!Kf -%#LF;Pfi-C'Z<\:NE@es`Gj)\FF8S9:AAm]A4^7b]`2o&,.mc/`,YN%<->)co,^!=SK[kZLXs=BZ1(o<-8]hCl@FT+2TV$k(Up_]g)ppK/l=Q('M"s"hVK5-Z9l)a\/(\3al^b+SB-<(?>I8.@Sf=&%TB9L?/_A(W5YYi8$\`&J -%R$&&G=1B(iEc0!"C./@nOT,mqYLE7]WZmIR9gJBElHr`':s;_qD7Y=?_Yh+[pgOY-i9$6,E5Xu]7+t5O@)S=S#/k!&G,gWQ@l]/O -%`lPQb=lNRo41)RgbK5jb.iFSm,&:R@5\77^co)'3,(_h[&VdeA(#9VtaXH(4R?oF(,Y(T6bk0^B&jd":oY8K:tpZRS9,_T->Tg$#J_"rG)=kAU6%^[,K`.uYEVP(po:Am@/#W(0#PIaAmm"[M)o*pg;M;blKd%A -%!G9`&6Rf8a8eRgias>:<>MU^cUXUKb\lm;/@FP[qR$?6cqN`@qsMfsq:#(;1,Q'f^Gj?e,H[\ji@fINq8%0ZX; -%7;[DAEsJZZG\gjQ<*++4fYi`S8hP5Jg&d$B/7bPQ(Q>=67Sa>`.[5pfr_9(.,?ZLMY2A_!T5%'(uI^-VJ3HX#*Y7Y#nRY6QNY&Fs3UHAq"CYk#91<% -%*d9ZI2mM`k5l@5&!#=UK`QCLfUE\Jd^jXMG@Ga.c,R;e\[;.@WC;$h0%;I5b-"f!fK!hVL5-3(e_g\J5@Y(P#?"g%0D/q-u=&6SS 
-%ILdZBi\K5m,tGAIH)VY]Y&U*s]VhMtXHsIaa^8\#dq_")r6cB0TVcel2?L=5"-[6WcLO*kphSt(30kT2>)s*Wk60;$0,2W.I19Lk -%U[0XAEN4:$ln#bqc&rB;+.L<-k'\maH7R\#)$iaps-Z:4EUqI>V]A3kiu=K3*tQU@5,P!i[S>K&5)[7P7Z`t(U:L$oq]_`b@StnXI"o,K.'ng -%+tMM)E>u8ElPWdB24:[lQ;9=K#8[]E6GUUeBE==$'3XgHC`0*IT4.YcP"!lDP\F8N,W_s+fk3X5eWe&69Li[RjT.i@,b1Tk!1#dr -%;[!GlSL);Y`1le+q5(C)9)o63oO/3I![l&D5a>WeWs%U3gr\SbHe]odpI"j;4q2G@'N".3(0J>W%_.%Z0q_\09]Q=.rZ.Ea1:q:P -%BFS`[9JZ!rL`i_+=LV]SYoKD/g1r\jfDa>:]=HG](/PBiq_dh3Q4_9*hIhT?0+eEi0Ir8I1I@Z;;/";XPqUo]:.]``f"A\:3rheP -%"m6_/=WkECBZe+#++\9e!`-OhI)QIu6_2i3I;onca`_'HY;CFHA=C-nZ56MY!lM4dg'0='WAD$>9>llH0D\Iq($G(U7gKXE/;a=&/d+U.tk`(91$h?,->)jg,d-M"UZpNj$s$Y1]Y60ID4:cbQ!ZU-b9N"j_Deh@lp1rF_R -%fB`dCT'hET+$oHM!;qT!Qn10(F-Wk/.$f!W0NWit&GCe)37DIb1]b^"lUj61dfkk-e"Q^btW9NLXd<&p5cik[($h)bd,X9B*QF$m/S0I?f#D>2],J7qs1ae/\$H\a^=L@-ON7l`nb`Rj%8SM8( -%@^6nL5V9VF3pHi284'iF<8YZ'PgV:eA%Yrc\C488p^E6ri<;cC\W@7;^,FJ1HnjA:b;CtYl@>_&=9n:lk8iHd?'TJa! -%=pp'RFPSimEXP0J493-OA(?rBJt#A3Ys%\JCZdT;G8cFCI+Cb&._C0T%t.3!YI_MJ_+ZF&0TO9U@GOg8Q0`su^39F>\OIbC2a97B -%XLr<.l=_'@k?c^DSpu8\0Qgn0O6I@"7EUl:i1?T)a@ge[Z5$-RU0^.$H5+0`a#LLOJ-.#WEXcJ>f6(hnN[PYiZ<2HNc9.?N8nLP- -%B9E0Dgl0t<3#&97n0hr9JR[UK,:m:bEk%,<4-c#TPj7;O;fMu),[b;+o7==mj)f5Ln-Z?4cXe0VB1BHO#k$+sN-.s+-MCin4\3!N4V7]hfG%#cZl1C;k8@0g!-n2H*+sVb]cA)B6[^_"SeDb!#F$`&##Y>K,-!mY*@VL#VaX%+d -%Jk9aV!k\ca7u%V@N9Xf2_2<7Q_\d2LDM,hbJmgd=IE-NH^t4p'E'D#/TOrL@nB%l<`8Q(%!b?HY7[[A]#VK=^><$Yo/-k.ToHW]7nu1.AcMgX:'g>Y-KQ_HgO"d&C)+%:e^PrL3A^0kGtSEZtOd -%Xc>*f)gLpYbT5gLhSo)QRu&`>,pT_"a3@P;$eB`m+EsT4ms>rVR%nUHa@DZ!;RSB)CbAo/gs4Pq"Lh$_#2&2'L!FsHbP![+Pu3Ij -%OuujE`4c:?8aS8La-o_Sq#V'S\H=UgcI+HFL<3RT"\Y@[?;?kFkr#ro6*#9)O=TQ$$:!Qg4[MH@pro/bU%\Rc>uLf:7$jb[eq-)h -%SbX,tiYKGD#Ee23q-*neBF&SBN-T[!&bhd9*E`EWrdCD)SEd.*"<_NZhuKMR`W/J*^O0)in7lWb#S`f\FTf10Wh=lui^u07edXef -%GYS)2-GZYEh"WcU_.I)>$hOk!p#M-l/W(\6&SK-&*3AO$YRP!pLSJTB%tE$u(2TmgP/gnX6Cq;LC:S>),!YT%]b!j -%TK]tr%[)mW8:We(gG2G)%+Z*`k]KfA56:nclXA0r6E>idFG@?F@1j^,Y1eJsR/*D\&hlD>_buRfqZD(\pF[S8 
-%E6T?Vh?[A7Jbt,bI3-KjNH;tHO."g@k](!]*)W3Y6eE4G0Q3a6^7l6/KVc")]YiKXaEIQO\W$hWAHok*UKbNPr;(O@"h[@M5`^%P -%FpK4OM+,"J!?,<)o?]&!i9#gJp<6nKafB8?BCao4cQIEPmsfsGDm[=6?lF:HLSU^+W^k$1"/k`Q37qd=E##5CN9Ge'M!jH1Q'ffL -%Bub-[Ya`mUe`iMiO>)((.ci'sN^:YnF]r`O7-K;EUs)U[%l8$9Md^N/uH(3r%i";cnd(mQA -%`OuZ#LV74MkL&sf`N)./UM@*%&oeCrN+KY-o/6kV;4Z#HI2T6",K;+ofe0tpZ2hn4@K';J?p8P-5VZjk=kr]F_(ZJ>-<49E -%g^@tc>-:M%IeON6Z[a,_[u'2QYU9MV=?,XY^V`@l5^j3Np;rfGp"h%_2OM6oVf)4J`R@1fa,J`-#0pGYVLVgeniIYV/[@X#cK-fr -%eIf[,@h8K&bnFKYObG]V3c]]OPBg=i"N(0=Z3Q!^O3r'=<3b.ok6h)j;H?d&Us+n_^nRi+R?VGb(B^7?/DoN]01/`VlWlc,q$%1l -%SZ*)!YtA9b)=!,H(^hs6*6R7/8Lp,0L^KN&E^Nl\#L4.:tL&R5>[FOS-E#! -%7d]cJgSUl73V;FSObeUDIVeimXFL:2hs,:)JQX'q2FDUpa^urr?(59AbN-mi&=0IpCHt."rrX+!C1Ri9bg;a./bVFd'7_Oi@/RpT -%n-8a#O)+B>N_9msQs#[#]SN5%Z#@.u#]j+W9T2Fm>.P[MU$Qb+.#sJrD,Ab9",;?"kG&Q(77$20(SOc"FSA6E0i`TV!1,Qo(-U)#q'%qWCo-.]<-\DGoC?U!.9`:I`W8 -%A3I!P`a+W,fWh_:jVB;MHhqTuSZf6/'K&C?=%3_O6KeIZ?5^RMAddAgOscMG`jm%sLkOLB,dLA'B!>k6E@n,`bXnogFnL^Od#G)[ -%55X^J;+D9kFQ5iC=:q@+e>97#`qU@B%RuB'<-amC$=qrVNo<-t7=WL^[n(Me*T]eiTQC@6LpHdK35FF#8%n/ke(p09d&+HDn:r#l -%7f<9EQZ4.R9g&J@TC9ra5gt?a2*@9l^u,4qkBn%:=6]r=JmVPqFgY7u-9oQkPS2W/U1V#;bKVOd_FcC1iQ.Rc$@CZ#=t+CEN7WS] -%q"!gtYcn;+qujui,U&FJcqnZ,R(FYO:P0CKY/h=1--aBJL,_3IsmQnTRNIM.D9;)YET?";M`KnmD\6n(THRLK*Q#6N-ri>L#X[T"/H1d[ur#6nlrL1Sdm!sVLpg$O%no1*fl9/P\cs!h.Qj,n!fBt(iX/a#7S>2bbP_\,+"'V@M/!r -%s+%>ef-'L"Lc\1<"=FtRWB;qmXk)R=$t(8mO&pS("$3IQXH:"IME<&sRE>/M[-7!pM],^2XVj,pVP$nGT7cJ2nj8^Q(U&@"Hp6mi -%UFDV)(F(mEnQ3M:`1L2Uj=2CPJOm[]j7YnBb_TNQ\2DOI-Sl*;DV#9Of&B8Gh5MMU_m\%F6q'R[,;Sq9L(P`XBY -%"rY3[.?P8.W[""$0tdhGKIP -%LiICY.QgSphSH75#%o4P/QloB<8biKF7:H"@_WqHVe78kg>.'F;s"?YqKGqiR:@qCpjLZ'oX6jSFogcXWZ!9M!/UCuCb#2Y>r)nUDV[otPJf:X]C<_m:3[`&Z/Nc7Nbs -%bX&N(6t=c4ie#U+CP+Xc3.$*;@O$]%&NRKt/OM6*r6Jl+V75en"05XKVTHa0f;6t=5'`V=.lP%$f\GFfGE4pt1A,[gCW4@HiiV]B0"GG,:Zi%7iQECfRp' -%rDPHF>!5=\B;lJm!d:o)_`K9XCKV`pd6JJW`**'K>=o$t-3%5#:,O"2=4bu4E1CTZ?h,7qqrJ41%aYR0rl5YoMeY!.J:pIf95gOABupcs]b`uo3L#-W5S'.C9:8PAe>mKe+YX>qrdbD^nL2<14T2Ol+4Vk:Tp 
-%$9'.+;BGT.qUZ!*?rSekaU;?,EO`m,6?m<>VR"e$_8/$F9O%*N(hCnq)NS@IPI8Wp&/_%h\dtZ@,L9gVSMX-Kj^=Z,qph$:rJNY8 -%K=1hOg[;UBK0LFUEI^RKg92)&lDP2VZ;)Il5^!RofWd5)%/5g0Wo]jS$W'>&'AQ]ak.s^LFACRQ?ZY0jTn5;hJ80@X,#l1^Pu"PEfh4PH+ki'2fr -%Y>[(odB?oC\\1<^a56M7#cm#7!%1le>@;VI6$\0sr9N\J!5]p6$=IdFBp8k51WWK_3Z!A,(GUsQCl5^Dhq%&e7E!X[DL>6f%>2>.6Js0UZkkg"S%*PhN"`6!BXZ0aEE=QpY#)RY?QMG_ARq*5nTZ>1@2LC(LQW*n6Y[*^T8GJ,3U0gO9;$`BY+3r?d'] -%JIP9tQ\$:T`\3&k7GI)D>OV2!cmFRp32d4$ql;4JC*tODUeHh3K)9<(K2nh?Jg(38.N^N-4EThaq7M?ig!ZVg`.]"nnoG.i1qI_S -%RW*drjX?L=3=+&6s.QPe?'aUMkDg:I]97afhol=FE$k7d\B=OHY]e+^@BH%*Y*+?W)DWkiqY-"^T[4?OUQuQ2b_D2"+UC'@qG*"`>DV;-Uh""Jli!cXb6),d^=/-1Jbo#e7:DOl)=9Wu"$3sqX[d_lJ$S]Ga`#)=(_&YrA'9*urMt0#?q[a>,K\cgd+eKqb=k][]KcYW2.,;%k"@Rn7:WIsboJ8/3sV<"CMO&V6Ol3FCFKjBg.NNgUTWcVh%,iTbm!ftR.CiC/QWehl4^;.0d -%C1>8IX,56"%PsRU\3[LP`6eiE(-q]IcVWS/r/_7U=;:m=C`KgQB&C9&5Z;VT^Z -%&X)[\jbi><_0J[Q0Q2dTat5=_B%>2U4fu_o.P'1)%9c+TY:Xmp7J49rG%n12qs/XAF\$IMJP4O;XkW<="_,U6ec\s]/8G8P!`^1= -%Mt//%R2"b`qZVmk#)GUG%&9OU^Y4-](?2t&P;!."[:daqjT7&;ePG&PLk;gSCP0T(-RTY`U($'`]6FA;=(H5<5kT;/NAR1FCIE5b -%,$l)'g%$@uoKrjD&_e.9>9AK)O0Ng;%12/$ONRhNQPcl>&e?@_'S=QJaNmBXa<4q@a:[M*W;VCuA(]ujpo]0Q+TfYO*.K&MHMp]u -%@H.C^r>8aVj*oW&NidMM3%h1A^o4AB7-5rG*j.(tmP9"ML/j#/AF98Ep>=K=P*Q*gDqE\YaOqd[J!C)jXf]qC[[@g,ld5sAAp`@] -%[0IS%b*g8sWj]VsqO?"ZPYXGt0n/KV*4[MQh9?iM*In(tSQ]b[Y5UHBthV4Klnn."@Oci?u4f"*(g"!KI3l@d:(LJPr'NNN#I9CFL?3-U@2K+BLt9YY9bJH:%f#b#Lfc/OZM$JKRbN>3TQkUiG+PY6WiXG>>S1m*24VjMq:(QQXJ4K?G`)d3 -%!@G:#C1l'q]j\97/ma)F/Vi:8I`:3N]9-f)-)(AYrp(_f\Qnl?\;B%\VC -%bsa`HXlMo#qk*$gf`ErLQ58ihnkoJPBSG?%N9p[Ca,rR6&jW*!1TFLjNrqo3Y&Cbb7J#O&QM$d,N^6Zg/q=l,[M -%fk(MP@65eI9&o6\IB4Oa^26c`br_9bc5<$-<8W]PX#dnBaT>79!IjjDYrB3DR'"CS+K7JPGi[PtRC;>DTq!ZD"*Eo[^u]`,DHPZP -%N6JkW9WK!r^s2nLXR/FVc0@+fBT;ajJ<'HCm:9!RI:rX'J@^S9/l`DGR5Cla+_Gepfk=?V6)`JdY@9%_o$G@Skl5AiP#?ttR.,N) -%fgEg)FUI7/rV$!aQSDQTUC.8Rm=h)tm=1%?/OQ3FKmgQddA'PDt5;' -%)O!-ZZ>/LaA6'%8%:iKtg]O%QSZIBq?Bk*XX;SS2STUS/6jM9/RSKuk,%ENR7J5Hke;uc4k#Zdan&ND^?U-FS,=hj.=,DaX.KK:e 
-%WM=T279Eu/'!,K0!C9uUp#YGVI^n4%B-$&iH0fF6l[c84cI,fOoj4Kc-/9g_nC+X<5u!*D^KchiA]8oq\N3VJ/Sk1H@_S.L1sB/, -%,>`O[_BR)`)0IAu,n*$UCA183jDutaT7Y/bN&W`8^:i=b^sqa^!_*=;2;o'aMlAYLDkop0`hMuq(o>FI_[aT:?SW.4PV?r8r&3D< -%Q>IuW+I#'lYi_7t0]$pJMXp('N_O75bVaB!gsT*B?s7=HC-\-f\8.qejlp6&pokf(QR;hs;Op=T^jMI6@Ia88HX&^P)(D_[GDATe -%a*RZ1h+,mLn;`A$(;(/fQKgUP3J1B=5^u;@G6*.#H))c,fF49;-Lu^cj3(!?87XTgat35'b[\=*jslW=VSsDUS8J@%1=oa_5q94R -%Km^L.">!?7!g[+F"=tom*(en5'r9!:]OK[\["@ePjTPlb'GiONLu^52T_gDuq".Bi'EERg*lUks*BmFQ6f&8BC)#]:=l7@=>r1eRe)-#^ccF"YH1K(8T5W6>EVY`m]8pTnr%dNEKG-PaPb^\C -%_H;4b)28AXXhsG/b$]OH^9Y$d.o-QPVECsp8'&iTf70lpX3C)Bn6kZW.-]Nlgu9pJVsTV.(&#*RHFUS"dRfk_1\m#WUcH20[mfjK -%9%5G<_7Ja8NeIiaK/ng]XH@%-LL47(*Y]%%Y)7/+XL8TA5g>*<<;lTL`h;!(OUf@2aWD03B_?b+"?+_ -%0hLG\AH%NV?!HGl79F\\"s2aL!^&moha0_]!A`g=Z0c[MJ-VN#/`8)VVXBT.1g?$DY99S*"<#s+aEnfJ -%i:o'[!;@`"dni:lK+p$N!@^-l>BkS,O4>-Gn8]W<1sqltQ=_(m55^^_@\*[%Kn$YXRt1"5/HXoN>m,8q/OK`mJg($4^A?HJqnU=, -%,ikdj(-idM]80bG$!*490/B0JjqP@-"CE=f>/^:*Fs@L@8IqD@[=Y?2\\K9bN4a%_)&@-$Y`<$Xj:i'$Td+50**IAtCt+/Ep?#Ka -%Z31RR'!Dk^lCg16db&Ln/mpZH(YEfUU/5P)5ncMF1Z6oMK,.?0>`e@]]%-]$qIibV@Q[%XE%Q!PjYMfW]MqoH@oHrB##kJuf.Z7^ -%cUbSC!-I%3KtRWTc[\jfmK+#H>"gH3pVe^l,Te4/$.E_^6hH8laO*](=^FWr)],\9V-#q.ik5_^hC&-FY0;/Y\B"oCGssC]"r%F. -%KnA[h16JZ!8h.UfN-s2R6BTXQJJk5NB4.P3%fqaF:dX+U&-CIh=+a'aRfmt=7(s@)EX%nHn951`JG?q5AHXPH+(DL2*R,DHT[,fSc4MAl!=rF]I++,Jp$lUt3N)G0K5.P(;e'^%3B2T]=B;k5 -%@2X7fjT(jqkdh+H3*A+N!\t2@+p%#nE(QbiC^"r,"^!F\<4=3Ip#/Vf5QY+2hPK^YL#"%$I+SO]62/nE1MXr^5&cUq4?Q6p;bN]( -%nYas^F86/-)>K>8R)kh2cbUo3.)YI4E;s;+R:Hm%eT<^dVoFqZm:GgfAWMRm2RD*)5./qgikD^7U'I(0mVk[l,kDcEZ/OtO5e8Q` -%)a>;Tb?0'I>THs5O%lbYFR7c,H/T@UParL3bNt?^WP@,1i%a6X-?)sUPHq+oE5$=SbsZ59`@[@(3p5mC:J&Pe@F^<#5T'kfI^s!0_pA(2rf7DE#f_ -%*&:*#G^gL@4-+NrgN.^BOT(_cogYrLPm/`$/Rp1**[1VpnU?-mk1XWHCBTpN3YmgV,,_!Mn*o3gg#NQjl1!4K0UsnrV,k@FXDSp' -%H'&[#2>&JUnp=-tojo/U3.$b#^!6V3L7H)T$crRjmA;6M2[b^2XJ]Rm`55_d@4!",a]B-/-[@qn2n,mBGi`XfI/q9U;*Q**`;4NK -%?FUD.!1+RVHdP'?%+TF@8o!mE+]uu(%`cVeY0(Bb3I>s4$A3FD($K! 
-%aj1t[Fg&0o7pRUN>.se)eAo\tApOqP//^5U_+=DokQXZ_K??W_!m#r.'H;st,D5`i*sk^4i3Xre=$bIqt:;i,>+igIPUVPQW'^g\%W:,F+Wn(Upfa%qZ4>eb5,Yrl6AO3e-RH>ii<&C -%=`<2[V5?^$.h%C^$]+e"ku(/-\9R,l[4O&-O?2LI;V,(>^6(WADbQ=\G7rik;Jp]A%/b4Z@GXKjQ?Au^W(EU`1gETo@i!uak;i_F -%T(<(d4%kTG9 -%WM4@(_f(+4[J$?\b@MX -%C88kYP:9BOpVf"dFV,<":MQBYQ.mM7%=U=ZGODTg`d5DePV>Xi^,DcYZXpUsaGc&>hAJ`)E!ck1jWk"cQJqXD!dMJ670'79=]N(+ -%*FTSjq*=]b-3:>7V!WKo%r##cNI;-d1Ou_D/_6+g["<7!MVIXQWgd"-6aHI`>q2;U-f8V*'#.ah6u!gVQn&FMDU,3H9ds3(UFbT1 -%k[4QSf4bEg'YoXOn9sJXH.HK>PR;YhD/*Zr'/(M-/8;s"go0E>Y,*p]be0DQ89`s6&7/t>(UMS5,-^bHbt_%VRiNk?nkhXkNR_lH=s`*g -%_"A%,<-AX&TQpqLY'XppA's(V*BDCWe:Re"Z'GT;"3oBXi9H)>\LZ=cE&8PJ!Zp4Xan*RVAm5lA_$Sb?,A>rFVG6:NE$l^I!r`MQ -%gnPA9B<[=(E(=E%"]Y)X!^^d7j[5V*hP6Z9@b94:.b-]m"DWQkWiT=;8h4*06L!^lHc\)hEdC]FlV>Cn=A*M;AXAV1Qrc!9[grSZFJ4C\3SUli,%mY]TZZE4=TZd/M'3)bncA5ZX -%)=I!?Yg6QJ@%)WgQ.0\?/-[L(RkZLe6b9D=Rd*2(@g2!NV6*^K:OLAL;X0CJ"&/fdLiUD)Fr&@jje+a5-b0VIB%\R1W&h -%(*-eg>r%V"q)2V?qODVJBX!t%b7fFZfMfFFj(AOXF$u)kSrS4KoeqHsQPI5NV,kX7Ihenh3bL.cUUg.TdW5_m`<*&lj8KH5\9IS# -%M`h):Mp1!q+^?S_/URPul\Nh`A4,I`iPq)b5%KM('6BR-j=Zu3)6TW*c!^=R(:eNY,u6(>>3jX0%D^T#ac6,7\!d3!iR^`g43\n> -%CcDWca.6h(a1?IPT'TAVE;JDpKPN=pjlH&n7?"U!E9:jXr,D\+NAGpPCaZ0N.8Jhn -%X6V?JfOl.;]4kFl(#\E$IB7oiSi42UMjMR]lNR!A,;-ETUG8L*[\J**C%$rtV#;hsKoqnAG%uL6DY:&\F=>)P!ou.^3]95fQEgJo -%mgh-8jF84E-Yltgjm6d>mK[.ph%p+Wc!K:Z46+d^2C7A^/`r1#S!'(W?cIij%3kqcW`dEhI#\)$=kp%8.AC\fXi=-Gb+4,TZ1OkJGR*&0kq_)5s0es -%.nF11E*o1f?Qg-Nqt`n\G:^K7(o;@9,4T`.)6ukM21bR$kn]kNrBMhuh!BFnl%*K/JZs6qjXiS#pu-BU/TUZ#V@g5m6&dL:@Xobl -%^!6FeS?/B.1]VHTL&ugKJ/O7P&WB.1h\\lSV,MMoBNSF\bJ[k<2-,I6YWpqpi$kVnluCkXfY$_Pg%p`EB5k1Eo'JVh0`DuW.,P*( -%QP6RXT>AG"]q61c$4?n64iYP_W*I%lL$oE,^YSgEUi/30kqep)@'0qQ>[e;jQ*9-!iN"qo1=#G -%=3B-mh@MJkN_p<3a$457qpN[!2*]>=l8$d7A(p1C3e(:mLEdu-d*`[G;DF=9W^Oen!hN!n:flc=%/c$-0Rk_< -%0=Nh>C+=`?\.moh7%Cc^5i;^OC?#eq424IK-rU-)Ld#1=7Ie6?PTYs5gE.64Q<8N1""X]B]E2fBJEh,PYg,i]=fP(AS78Dd=UJ94 -%n"A`I$n.LpS]h-/?)J?Z6,fh4@b1ZAZ2QNr$l`Z9DOQ)=Ka6LEJ@_ -%^<"j0Dh*&41/:To"f,qB,AJ:YBrsVTiL6=MShE 
-%br^/eH0&!"b"Y-fDY=>eC[f6WUXcY2gKf>[IBTl$K_.gIApD6Z^h^!A"d*6L+:TmE1Z6Ye'2U8>,6rci5:qrV%X)DE&5\;F9gFFN -%>tH0U`IGbWZg9ION!2>jGB4@8>T\60Br##c`erfin7's,dmM;c?LDbN>A>5j?qfm*f!"1E#[(e:b4)LBmK0eT4i5P[&28]8!k.K@ -%"F7TZ*sEbuT#'abgo[O@!jt-TK%hWFTWbAN[ganB#p=qqY.->%cpDN^qbl)&&)0,jV&Q&*'PpCYKVH_]@7%;#D&H)L'OOsH_sji_G8Lqd'gukE^p++1mq^k8;NZCAJ^a;/3#,0SUI]%#P@\W=@bd<=:JE9sm$BpIJBf96B6]sE5D+se)e9bJE1qo_#9R72%EV^5\<_NF3,W_u>J_R`V)@(Yn" -%l!+Sbl,e03L3^#",9@I6$3`%L$Q8=X;,A:+WU:/bU -%+2^bSW@:_7U.#H*QE(VN%29AXX)S8`HA(U"%_b9F:o!]\#F]].Td&aW7+SWeYAgHNI^tG4)K+,0fnr/<''=Wi"dp/7Qmn^:aCGc^ -%AK?/P!%IZTC&O`!0<.6:oYhRQ312N>FAjO@%aIQhn?@@cMqR_"In)hEqD1h.LDM$<9k?VX[_2NH!]`2iY7DFh6SC\M=mK)CaNBq& -%a\H'[&r^r!`MSU'nGShBm9>0tQY.gWkAe9e_Nu.\@F,K2W6!oJ[4p,--,W14fmJTR* -%[4Ak9Oq/rnPuE[*JE0kUT_atg4H+F'<60b0m.94@>.j+fSB?lMlS4HTE/Qf%h-[Sn_QL@lDIrK9L;,@[1YjoYnE-1_@mfG]o(k9G -%E6YLp#tD@'`erA@_IJqLL!L;oNqG&^VX1FpbC&9Y`E#H%4RU6WbeBqk+o\!;IB*AJhVArTCP5_-c05ToMo&AMIam1S4$,CXeKE -%lUT)u4I&T9k'*)I`;CItm?k-/q^0)hDD"G!u;u+ih-g9RVWHmbr(V!KQ`OBal6U2^7Qp!h^YZ"SRKcEGNNc6 -%:QFB#*NW`QoI$-EnA]DVA2ZV2r3N60$3VqZM(5)\'#;t#UjNmUXT\fgY2eFG87AodLH -%Ih-.?>"[H@'5?1niep8#U>^Bb]1[)6Y]s)NZEVktTUGI'?!&!a]O:0scFdQQ6#`E7]%l&[[U^Y,EQ:D?FU`hUF3)^>1=.!.DB+C4-*1 -%e*FYQSYmRnOJ1DJA:0U)ST4Rg_thT9C3YnT'=&h]Ig56=k*%HnkK@DrC"\Wu#+#G1nuP\$1DF6skb` -%_V:PmlOLnPFHr2$,/.Al0LCJc0u&DG9FH^C30n!#"\p&&^;JHh/q$tM^FE&Do&p-<<+r%gi%Ro_8sH$d@"H26+j]Ti?k%S!VX+r>)8o?JFG@HflTaBJr& -%2sq+N(*A;?Ne>s>K*B^SsH7j;6KM$hsE3+eqlBa02-1n:[Y)Pd0B%b+l)$["*`^dQa=C*C3`j==NO -%CHWQ-b(>fF1ec10KN^t:VJR[ZZNYIL,D3#hh->en'J4mmGrhon9@MqjjfN$d7AnG[$`N;0'G)s&=/Us.+K#D4p#Q[iMpS($]fGsN -%K9RSOFBZ?1gF^4;R!N*e2)GSaPLY6PEAo8!pQ*K73I\lb_>\:qWsRSk5;-&9BYd8*DYBDJOm$bL^nb1icCP?%PCB-_T!2@\dN=4^ -%k"_4Qa<[f<7_6j19b%?k@tGpV>:cADQOTNJ0t^E)?i+Bi5Ag+BCsi?Yb5[[?;*+MO&t1Y%;m+jk2+dW)c\>Ra/Dpi7.fnsEJW!G6 -%@Q"M=C`0qR$asfQb65?s]=jrFTV[:%2=OF,P)SbQ#C,ZK@9r@LFI8[/ZPFQ=)YKLca6PR4HAo*S,JMdgRM4UU8eI!m"Rgh!F**"]T,b\LpkkdGj!6g\_)U -%F/kQ%Fru!I7kC!M>"6VJI:d@;_b'!s-,F^$ELMaX`/XS/p_1P,31?(7[UE72RoV 
-%Up/Ci$L^dm/l4XPC#VQOL?\j*"=ZU2[gJH=CW4pb!QKksM(6fAQ,[9BbNGG44E+!SGG]GJS?8Q'%9@Ks;;1#G=1)I2VmKB3mD^sh[_!SoOU(>+\)!7U1t -%_8Gk'Q8uI*GRI)."2CLiI&F9CDUIS$QH,^R`$8%Zih^"o&DDZ40*gG4 -%bIZ#I0X`3iB,TBnkToOfb?/Y=dgSPF7@h+"W1r2:F]FKMpUo!(o[XG=7C%R>qd5,qF^\:NZ8g::TdH`JiPtb -%h(9"6dEQ^N/o5In2P3)a?b8VUN5(\&eu^S!I:5hV'faM!lKW0hssI$kcVL7@;Df1Sj&jgK1^YUdJ!ej$"-TTYbICU[>+ -%K^N=V``FTq73u2De].jUa1?epln0+72t8j^"%t3V+%h.6m=p.*PXu'oX[oPLqeTb6f4LFC++o>m&q7JL)[eP]c;q_ulpC5MFN5%2 -%k'i?Fm9\P?p65:`]Ss,S!j:'T+"e=:&eHiiY<:,hNSSPiUdZ(EQY17d(e9!Vhtq+pbYFlpq:M`KWOX0A<@cu;CA%h4YcD8<,"Mai -%=HY9!gKg-1Vr;A6``SUqDlWr&/PeTn1\b@hMT,J]?N.!Ts&X^Kq`k#G5JR6WT7?a-J,&u755hr,oW/#kqSutBnbS%=p\O49ZGuDh -%GGD25(-e$(kNS[6H\S(JRUGP6aM\$k\t?Kc??,m%9*%'6%VU$JYj+L4Trruqf*4R+?sXB>iR.o&i>s[(Cseqa/qMKQ$&Y+IRE#gB -%:+I)__/@r8qm88X+_$`H?i#GZm?AU:ZZ@r3oBj,!0%/E0nQ\M]`Qk5JP=49u%l=1R3*L'*HuSDe#8d)V54$FdYCjOrNhhIuni,de!BmV'i+>8*#\./bTE]AmHuWHW)N"d&+4/D(a>1=4Sd:u+%[_$)B\.b441Z"isQKSWgY%7ca$Sqf`2[Xj,sele,m*@'^]Y*,OX8fF`>,>2ff"D2scIBZd'/#$7=F`rn@uL\0rOV24miY1FTb(0YGS@V;%7 -%[kf:'l0(g+$3b"(")sb1pL]k0gQN)Xe_NYN=$UsQ_R'R"XtS&"a"G_kd/d9`.nC8k@ak/UWUSV-[923na@VJURN\`'K/5\UO_o5) -%dL-hYCQa"k$V'U&1?4k9@E#(Jod$6\$3pbK6sDAN^Ok'r#=*7cmLlcs,-K=i^m!@.QI,=aG0F57P"t*#g&^]s]j%'sf0_elQq8jR -%Eq\H.6up+$b>Kd``kmnd=@:'`qlO#8^4I:uU,;=")(HBX=8k`3hjp8J+SBBg9Ca-+D8@ -%8&P'FZe.3#SmJaZ@Sm>pNNq+*2EA%a,/d^1AI,5]k7^2;n,feS:.8F"oK3Fd=q9>LRWj>#8J5:dV%/3S95!((q@%J2je:hf.I=qe<95S-aobWO7=7Aenq7),7M\>l:MFC3da-^I -%C-o^7@[e_Z3"L*k'QH0p[.nMtncS,bY9mN -%)%EueiH%%lIg!Ud6kOL0j@Y$I6bpTW4-FOcX:<[%l4Q]5WfIo/$=BBd8F;Ci=^5-s)0,50DZ(]ceoBF9-@&]B,"T=.6)?T*eFY=o -%5jQH=TGTX3inVWYk[cj#b/"KskP5Lm("tsN&r=-;LYGjX)/;Q,teoT,Ia26TB`!n -%PVIQ)kMT"&-W(sh1d7)kKnpalYM6oSId@P*T$M/<0Uka!U^9iT5oTdN5[Rq&EuegcS@B<\MWgY4dMQPTkR>2"W61W,hu;"PGdc=-`Q7 -%$H@DBY=u#<*4b7!d4=JVR/[iM51C&@PA4N%0C.R`.`[J*%orQk9ek8Gp43;T^KL+!jT:hsgg@ -%'`mKB"R"p?[QC4>I1DcYWVPVcD`l(UJ1#p'7LiTN^V_>X"2]p>$hrH/]idNZR'_pV%Og7f`X#@E.,AI1=ccq9bL'@):3E]J\qI!1P6kS$D^%M<8^rmuKBpuT4 -%Y*M:g*oJp^\tq&Em)K7R(EA==M!KN&B?q8]0 
-%)W*jcCFq^*`We4!I,T>@>6df#2>;>"@62=X-lYAf=NAu*pr,bP,V%Y<]0cSQ=;#YpOhmkgLW% -%@!O+\nb$a"aU7O1Omf`j]A -%WXr#SH)QbpnBKE?3>mgrbG&;<`ABQiKcsT9"gZ\)&+EtJT$:r@"MAhhod!f"s(nsLCm&\`m0EZo2mJeWmY)dl$h9+3+,X7poVOU- -%"kEalgfDI8-b)*u591@7'?,?bM$k@odj&8XbY-et);PP)0*O_BQ8Dh@O;l@s'g+I4]rD+8?mD]gg+Sm#aVHS5U/:2%5A2:t&m1gh -%mNa6u/CjZ`?Flb3,>&)M/UbT)0bt#U?n)VYj]F%:P')(*$'P+*Jf6(SS9#b8d`9lfBg!4K'Q?]d=FV1TalrO'%.C=sE'=qDc8PcN -%JA]2Z?AA[Dg%YutPQIH:!2ulM#*P'AEZ*0p/GHu8BRH-6&Sb0A)53=YFIQ$A.raU?.teO;^*;b=.3tXh9T*L885@&"q-CE3%on3j"[>Jn8De)SWJ6[r$b635bs42NVVq=s@>+=nXYU -%G8C7nKOnt-`e(U-8L[?j=,[mGC^8].$CZ*qYeu@R=L"P>iu%"c"7aWa"?(8^^UoC_;Dpe!Js4%/?2 -%gQN_&C,`cP=)1BVTk,Cj<22[ZktfX9D'0$JX37LA)>+CGLcMMahZ-9OAm-mrlFnBD:=s#'[5?!0Z4uH6j?Q%n,iApteT!9F2hGFQ -%C,Lb29I/8JgXuC.RC8r"MI*@Oj8k`jTV8H^%IVp`oYaeO\?@c.V.4;$Ea&]1-b[sXl\)9W0 -%5TlO\i.;`mrZ%=[M'\&1;aJ>n%JW$b6,Pe$AFh3#P+MZA/N05aj_)Q)g#K`rp$^H+snH72ukDmb>VdqDK8bUsl(A#uV1&5Vg'(7b"*$I'@KHkPT(QZX*iO -%7^fZ"^%i2Mr2H4-[>=9bK7\P0,+f>"f2*'.NP -%Z[sn4@B9cthdHmX4Pljkme5ecf%)E/gK_Gb]^0B`#N&GY@bH:C#D((\#[tU\UilAJY`HlhTE"\+k*N;MTnXcC;D2"VTH7gA\=-oPK3pHKl$"BThD1LS;%/WMV(4SiBQ*`ZKNn`8.-M.OL?j+LSV]na]Y':]L1B#W!Gi5KC!/H -%&1)n,=IP\?$uVX#Fbr7WBXrrP&jK-I*`]5dI2Me*2GB_Y1be347RSpab1gCZHjS(NFVm@"j99O -%^AAGk.li^`.j-@/]Hj=F?,Xgjct`1I!>hh!LqDt\6-YpqrRNhu#m80-\s(Z:nkU]J2Ge0f5-q6nS"Z.%,C9J-.huWVJ/)Md<\L\;/5oXSL-F3SaPG#Ea-j& -%S/QkZ$]fC=;p#/!iVCSPUaW2K?W*_4Z[Dp?J5!HrH,[S54#dNfgV/L5+4)$-_;Z769s_K3Br[u/tB85SCc#hGFH:M#)c+b9ja-bF/Ji].MVa\8ZC.X_6OP=*3c'sI1%jXqBm2*V>9[+B6FjnQ!^]Ik/f[MFM4)'N'[XP"o5,3Z[SHB2ZRU8K?d3*W1J1k3^,B&cHq)eqg0gi3W5RGi,U%g7r -%3_Q2JO<"mU9.-Bgk)L3;8r^2VPWR>pKH%'S9a=rJ65U7=LaXpBet+NCaW[LX3Ib)8OC?9(X2A>D'=-6__:8iUYPb,+$Rh2R6h=MR5C=c1MY%jsN&Vl?O#*Y+dt62+MO -%BN9O1%C0UQm^k4CWGa1F=8uO#5I?4>041WVMR"sEUD=F/W+^Q&/9PG-LrLkXTfV>A>9m$%^'`)?_!&b1J.iY+hTEZ"e931jJh.g] -%V;0:EE@<\JqDA4&a^X%!s(m@Dk,H%^s6C3?WT#I']df#"ICo&]FTtJ1bGGPZBP#o)r%L+_S,6#d]g+/F#V[M4b:d\'g7dFaDao\G -%lk#jjVb+hPn.8eg"%]Fk6Eq8!>eeBi9"9&m/iN)Ul*bYbMX5:k>SM(2!rkb%Zg#t53P`4dN^^uVWC$R2[> 
-%(2_Z(1#5.?I25YS,SYfGH?G>9Q80^n5:?NJ=dH.,=^qV_%fA7_[;utMirROo$O#'kp(i@jg/u6=i!jJ9qW]#3\.[; -%&7WJ^g_r!TALcJCe"UlMKi3>e^V^0-8p$!h#IYF>j3Z1)"LM[V%m2GVu<9'KofuT@q?Dhd('hqQ`DB.[&?mS -%+!sHuk8)Fu#5)Y@-t(ekgQD//q-d$/CeU`S52!MtUdF7K*ZOiiPkX1GpIsa#?p9eqq -%Z4A,S%;S8cR"C0\YtEHLg4(=edrDGt0A"==nF:D$($6U&NaOlMU^*V_=n9XsK0VJ1<)o90aMj'E9CU(qfS+U(WPh?bPA+`o"h=AC -%dD?M"OaNY,6HM2$$fg'p/9[r@_br]^"2j^HgBq/#EnPYk*/0-A:%Cs_GV+%n;YRT^Bo#U^NKK^(/g-XW-4k4Ts0X'':3HZ'I.L3g -%2m5BVj[Kc!YDZD12RER+^5R4,Zo,:N]TjA,@LH6_^U$G(JEA^&XqT["KUT#.@5e]jLsQX(3I.0KH5r/&kRns]=BH1& -%itE8G5mrL?nokZjQpg%XhG@IX)/fY[RJ4o8Usjr"&dr6Z$rL+W$Y-Z_()H'&f"tO)<^[O*h3_C6$BKmkI7I_IYK[E#!3Jc6.ljW9 -%5]:/jV(8/Bc>DaoNnp^/=2(X)6pSb[X)'V;#e0)h/SX:g>'?JChe4$sGa$u*IVA7>:MiWH;/hHN$XuC5YA"H^`bFC3YT]B`!=lQa -%8q2_i.#G'#Lf1A,bDl!Cpf@4.$4[GFIo['2!BR;jX[srcs6t,PleS<^muXomHDVbmCmCNL87O[2*V^QMhqB\/EE'6rS*MXS4EN,j8&j>He?$FY`cF90__Wt -%HVsu1?i`47aJuhR4QFYRV@*..O+)=aDu8/aJEnb^B'M&J(-e#c>T1n]-8r834!)ZY-_TRpBVn.MKg`k! -%ieIu/Uib7t/.ge>34r,\[(rZ&I>F$t,*:;(UT6>:5E'"Q;gs$7l!XpK_b%!:M7J'C>hqAsUB-m8c2]SN!$VWe6+Q"9&/em";Xd(P -%`I/(J4Y=\;qa&,n@sV=>0i-`9V+f\KbV5L0nqn=p_.9+M\pu3cfV0-WKle)K(gjgZX`G7/6+Tj/S[KkClXdI(53<;C:Fmd@`(E5# -%QFJGY/c6?*M^rkZ^/OS/dsik!_LS9nTOe<<1a:TJ"qVinM\fYVYkWt%)0[kHfYcTpFQ6UTR*;lc?b.(fo]+cgiJ'F -%:VY?r;8(=e(;!)9K:8lt6h7fdUUFD0K8dM3#0N,iIpHA!Q3>rV`_3r3*M+L[(Fs0%C'$/#[^4#]J>mEm(iCc5`*eNi8_;eo5!HWZ7/YI-+ -%gVGrJ'57_#O(oUu58CG!-4s>ir<%LNahX -%jRr3jG!r0LV8nMH2hmF-^N*tU[\O%ffCf-7;]`nTOi4Jr8,KYu:F+G,I!Ri11rDhueMmNeZl"o&J>FH_V1o@kooCQe61@$*R.G\G -%blUMW/>)gb\B@!Z,JM,-HUGofS&uW8olMiW+i.o*?]Bkr-XcWCked5P-c.u -%91C/&7)Wi7Rl3F_?1)PBBnhc5.GT*@2gt9>OI7NpFX)//G&iqD/^FNqibJgu4,=oF&[Yfg]C%l,+\bdKY6IZfjad4$j9P)NA`0D[ -%_!GSojC=p3U%k]/]oc;:]g9RT*eRodDE9JLMf*>l0[Nq.Ge;8AqoE^7JYVh+s'Udo`aamrcc3Wr)7`d4a`oir-q+#rbMH)D_35;' -%:RFJZ@6IH9Iu>DK'A:8D,dj8Vl.aL?(;8lON0KE>:W!^7M0I;uTjT20r=ad1RGqS&cuWt!oN-P:Rm2;s`F&Z$^3t>-mC2!Op5cua -%a%ua*5Q&FfIf8NcDu]@ZJ+;d<\OQOAf71"(qpg1ErBnWns6DoIi=E^&rGV]&+91iJ5QBlts5S$Is7a;*rBL5Ef=t,ArVRJbs8INC 
-%bs24+T>(9]^\n35qepr^:]L>3+MW1"LMss)Vr,[os5IVeo[h]EJ+]F?rqNdKqWm$Es8KLZJ,ep/?hr%Il!IcXTD$$Kor%,*r(kqZ -%r4a'?T0Ag(3pF+.kGMcMqAJb^]52\_cW_J,G@oct1u09A)>?B@Au]n$.N,:+VZK -%J58PArcI=5OehXW;C&j&arnM;6(Pi381%AE`uafC)u%kLL.Qt* -%3jE;(TR$&"baH@$GtFqeN8gMUTZ-Qr5:TL+O*P%9m3D@_8j]n/U\pua[r(.OIU^c[7"dqlFs -%j12Af^r3$ghP/T%4kXBVT`6n,$Z>UM]\\_,"b5c!pED10"3h1M8PG%:G;R`GKHl@?[T#J4)/udog:#IiE -%1q++569fOsY^=u^OdaOJc`"'=7u;jZ50D9NLKtb*q.JMoeB9CEp#hHA3V@do^qNNcj^8<:4giR_V%<$s,)qdcM:ao.roQ.V6#80@Mrm;Sra'VPG]XALO@3 -%VfC`?^9iK+-cp?%W23Png04]@h.Nie^/R!9[".o>ZdgMnA7u+jKRe$aceV5`UlS>bo,oUtE[.EOBL1,+((bLQ94j=7;^B(LSS'0# -%hr1Sc.*o6/gK:-TWCT'JC2a9uBGd^[N-:jQ_H!5[a3f*GJZ,!/SnUQMbmJU(SYB04BA;O9]"Af<1HL$`hN -%Aq8(t'7M/VtfGZhR -%8B_(dS^8pRGV@q#jKN0SY?9e]ZccKo^_s3X?3,2:9`")HX,.Y/*YRA7C>CoWD5h7>r+Re92pC[Ce^1_.Tk$H0KL$(u+V.n_#bbBg -%jqU2spM52b.7ddPemb]=Eh)bDa]DR6SI'XHBosRPV]*'+A,_+;J.-[VR@;(`mAZ)5$SN&Qtj+#:r.L&+3Gun'?-&B0.,%[ -%%-8k'nBajSOFu/+cnpn/V/1p$CSn-s@Z[T73h\d)!O*>L8sUh2^m"s8!.)Is?rM&htk-AcB_(hS0r -%YPMWpdBKR'(jr@Dl][Gp+e/-[W6tBLpO9(io)=OiYe$2X@)qO+`' -%;U0Q0CJb#=_fHsnjdRmUVV/\QD$3WfLO#hLgSg!co).m/1%u\kkf'=jh0@MXt3q_BJ>i$L7NLnujek&a(,q+W(p/Ra.Yp"Tie:/J!o+2Pb$LM-@FS/'B -%63sPf"Y#)Bo+G)F99^1J"%i%]qYYAPpN_j6i&6X,?cG48YNS+:o<;hRI@Z..Rp3SPK9sJ<[L#0VE]T)4ch6",,JU(no6%`=MjB!m -%dfpnIj:Sg-2MoOm9dH'&;>1/eo#^!t??LB4kR48--(RP:HX'q@TYW6L?u2")Q1nWm\-t=WWM+O%RQ@=/:P@955//)07n:k#W_&@1 -%_WOe??D,'e^er/Qm[tiqS5!.cDTj+El/ZMR,-4Sp"t.N1[,P\> -%?2G+6iFuffH#^VVd#.h#cbM^cmGR*kY1B:r_kGSqq&rmRC]\\eo06Iu6H>PF2G&nXNV]%sY(:JQ;FX0ArS_LsPH:Ge&TTn0n,-fQfS8DY)cmF.5Z\N?0a.t3jhop@nS2G/jLZG)h`a/;+-5M:cO]QT%o;-(bC01B+iqFrUF.-G"G?KecO:'Kc[T7d -%aJ+OK&JAOeofIalRLT,b_a=([h[p\\!T+V1iZ,ZW3+P%Sh\@4'4Q2nS+C`4ZcOUVUK^T6\R>C;='<-fV#o&eXmg0_sK^T6`h'VZ5 -%_F=/L^FN]6>?3s9AAgq,*C1n`nQfQJqb"URE5W:cB8;N6@=D#AaJSGii?OQU>lgbUF8.a=,c97B7hCMkMr,+9@RA@a"Hn!Sh[rI9 -%&`4D$8BI&pIr8*)1IZeB=NU,N^FQPL22=CT[,h$f5-V6+>N3]59FIr-=$+'$06o>VffUroPUa%$)&JV_d#5N[T'B(C!/ 
-%n/?.`Jo'N,L/dPAd]AoNg4m?eTED_V"GlsO@*?+:kh.^NdL61XWe$-m@_hjem/nIR/i@6'FP/)DbC0mQ3,+1b[kOj[m$\t:T\k@& -%)a%>IXPeA@]\N^J"gF#77m%'dON1BW7^R[8>\p(1?)/QS66hd/>-51K12l[[U&c)Fr^/VRJ7JhsQ;)&1UW]V:6Pa -%`M[*A[02l++C(pk]4\hp`_'#-d_$X8@_06+-9uF^^3I8lF10=0LZnA8ZST:KSsM4a61:$f%:/`?IBH1dHcB:Ja&Mt[j#%/K.)G%D -%cRcjr&YW+]/+3uA&Ff0HC9l5?a!]W`rricLN01]e[L/)jDDYt:hK?U0Ci4BjD\kV\GO"2S<8ur@aRkWkb.>=/)VS!4BK$PYD9juJ -%pM!EHqhi=7_.:0`X!o4XI7)-Hc@0?#2-XUnhU*Vkn` -%kS8eOk!!FTZ4LWT6L(W>(@\/P2Ua\9JAW/%e\M`9HVcV]AZRipKqQ;Y*oL2R5R]8$ckaOS@u\d\#f'P`W`-9ndh?9U-S'D+9Jn#RU;KLkR*R*BCD1Q0NaKiJeFhE4hX.$Hls>J2p3 -%g1U^-nb^$F'gW/=oV"F&buX!h3YD2RKQ.iQ=)2Yb3GlJK7B)2G9>Xhn\PF]k&Pnb(M:k%KXt"&!00gp/XE!pb1oAZ/CmH -%O!")kO%B#1nC9K;gDloXYF<07I65h\E>-n\det\-kW?(:cCNbTD8Z?qH5Edu]!@jGecMLJVS_X,T;_0X6EY-")^/*J/'&?sn"?.o -%W[KsI_$qrBjYWPnmBAANa27?q>U3:3M^LVo-V(R>8/6!)n3LqR^qGEPAt1iTHuhf@:XA66Pehc%[h[^dlEI4B4TTC#A=V^IS)Hk& -%CZnAUEncHDBe9Lg1$6U;a)f))df_dY!C,Z\u9UR -%eX<`n7U]eWl!K50mRB7<>!m@tYGi_?MphE,fa4c]gTA/`_H:u8oKMp;f`ol886.1.qekpuDs1bOT>kDHh.,58UYFC5J3_q`JdB4\ -%S%X)7/U\NN?D@dFGO5jYhD%JjV+YQu== -%jn!ST>_ffGZ6e^ak.RaO@ha%7^!*$*S4M4?&*.<`=r,0QaeQUs;00'c"[+42ouK=+A@>"rDhZ+t3@(TUb7`ZUE:J3L06&*NGZAE/ -%U^Z=U)H"+%d/;=5_(D(FFd*qbp2,@,kh=i`Nf6gumq2t>_lV\_W%*)4'ks20d, -%Ie[9B0B>'!iQ@=cr\4l>0I^iKH^!uG-i:G5D-]?]!MjA2k_gpY?HU"0T?%S'ls7T9@>g8%B3du0O9Wr84,]bP(2fhp3[Pac/VBn= -%R[IBe9H9e6*;M!qkX^j@3ftZ.?"pMhXtiAVH9A!/m6Fcg!s/;G/128if@0=lQDZc323kUo\,WjOV`lbSS;XLG-gln"\S0u;P065b -%@Q?T>-eNC[.Ou,$dt2/[G2pp6J7qDA-1M,s@]&-pc#$uY5SB2o:)[bHJo!H]o.j.EH-fQm+_fABGH0lTWmS2,iM"*.FnGO69_3U1 -%%7k.*9TaS"E]cE(/W-Oj%8saD5Dj;`4'Xbm:.2n6%o8/oMPt?W,X:W7ZVn7nG$g[Aqk:NsjWqrj5,f/!knhT*#kDkg/[Y_GWYQ/e?sTR/b_UV4OFU-Ib<:G -%nq;Us2psp4E:B,.is+8R;i_"i7'oSp2I0g9:*7m28q+"'d;=,8XU[C8PC""$GgHG\+`aVC/7BCkPn?cXZF:'XI3Qs0X;kftrR8Q%G^g&]+e`iAbcOJ&NE(VY;@@U,.K+8R_Va#H#!NjN1^IUZY/;=ho'^Q!?DA-#j8.-Y\_0MhKg0B]I['f51"T%^V%k7a]Sn[2dL!qcpkT:0\7`$$#u0:@@7*hi3]b`G2^X_b;p`193N[_+koZ^OP'\c&W@IVW 
-%T.2bF<1mmhOtGRhb10EJm"rks,+^3-cW.g%(W(Ci?[@rD0DkV#++O7dJ,[\W/Wp#s#2u135SX6r3-*b$a`Y3*^Ak;0s&:mWNP.m& -%V";nIfOGOkd;AOCKaY]e"*\[GY2&j_/E>Ghk/S;8QI5"sZK3_bYI -%dp(>HYHU5aB=ctOhDY&.#KCKtO<63cfflRUTPhd>7lNZS%YB_?APW0'Nt09p%R?$F -%g@Z)WfMb`[Km?$S_,VsuSO8HIo)mfo<.2$]Qtj]E9Ug/Ep^q"o -%2F2/FjTM,mST_CJ3%AYP"15j(bI]=]dEdRa_A30-!H8PbV=`6U@S48Ei`0.m/R5AY^1-Z6+:(4sJm/!iC*%ZAZ-..V5K\ -%>+o;oG[/8nIX;O`JURUPFt[0@$)Q=V$@L?LCfS4PqCVEnlEhJ1d",Pcb^4mZ33XS9 -%3Qk-7Z[9&U33)D,lQL*K,oXA]9WiIAp,Q7+n'Td%6M"/OXO%XK!/4:;16kI[U5Wt'9hE6t -%kS",%:IGDI9DS;GZ8r(?4F)fT8!]@6A&"@gm;6RTLo4nr7u_b2_]S=70Ii`QplA+H3\4RX5*<[Impi]H&`)f,Fl'\m$s:PgJ>!0> -%gt'(08VVHV7cD,:8b+)a!-,Iam[q/g8cLK.\bML)]!obG): -%DZa!pR[3FIYtVV?5*M-R*^-/YK#B6*JVN&L>,_+c9t!j>$a=MTUonH"oSqpR]VUENZCeUEX0ded:$5h -%8[q]GZSGPpHa:VLjM$S4M=B6Ec:ZA-D91dq%mff\1g&1n#*5(jdPTS+i;s0Pdg)R/9In*/'W8KA[X02YZ@G*d&YO4Y2S2gbcrFcL -%TS"5Ck'[h;Aas#/mkN46lc&hU9#BqI+@sHWWKhb1Hq=Pm)t_O*7D,g,.sJ7//BVju+4e>1SB*&e%G@eaS*se]0'"<[%:;Qj&P\jJ -%27LD^1S[e'd4b6uB%^]4gVs_jXtXi2A!nF93R_$Gg/W(75nt2e*XTX)*b+lJft/8<[,/d*0a`\5n(+KeQ?N`q-'0`F.T/?6FhY,5 -%g5C3MCEmKdc&`ZHPc%"M0E1)e55j$hs$9?E:VZ[OZ0hSRLL:)D+"nT45Q'?pR`58as7sPUs8/F;Qe_Y2-s6?oGbZqB?eQB5_lmg# -%Rn$%1$u!"Z0KZ6k.pN%T7E7O8:/BnS_,^q7CNiQ"(O4sh\X2S;dO;t41[L?Mn8#& -%*e*k?:dqb^JKqj1\Y=WYbs7M+S4RpYC&9g\Vs]FDl;H( -%.28!$l@O/Ne(.gRdT/jBU[D6l1+ET#k?f=^FD;qKnVZ?AMS)sk6I-5YFOI`bnI!ZR'X`V1XKiuEa>:cJffql0iUc,_tcoU4\_#5^JH"1)r9@IR(7$LG-_ -%W+e1,@I[S59g;Xu-t(MT#O5O[4.r$bmHpVDTXhXc'lTeQ`;Mp&4gS/O;/7V[5//qEj4`bOq:g(m=be;<-t@lE"HUf'bC*L%3qL+s -%DS8"'9hYLb;LBLU/Z*5)mI8%3G`qr,96@[):@%2Di(7ekLd^3&PN_(tNYq^fVn'hTq -%/9.nZNg:d?&TNQNFdZFX?u:<^SVmjMAnfTr,%@2pAnYZ)pJ3WN0sE8ei<*h4K48nMDcU2D/okW6`=M4t?1tYFd*rt9o3WY^[tQEF -%AD943+0!-:A0$e%jQMS^Mc@,3d&b3QV0'k?"".)aVSk%AhF>S_97SH(6L -%eH:H\M..4dbl+*fq"isW"le+'%;Mfl"+6p]aNRDU?iYK"oJ$9@_6=ll-ibZ:/S=2G#eaV%dmRRheSUIeDu=L:2(B 
-%4O@ZIgBAU.8)'^qp?G>KYbEsoW6nOX$.'1]#_*tDB-*0d>V'EBQU>E@B%E'CW/+;g4MIWoj[lH*mW,&#MK)drLf=iA`\)fKXPFI8n??T'e)rHb7nt"bNK'Q45HrFpB)P,&/6I"rLtS6OD!u)SF$)nH@S?9U3*9s+RU`PB?Zn!OhrcEmokABlYMKQlZBJHaYnVEYW$Z_2K0_oG6gBV4X?C$=&"h/(sHA,7.YRN -%aNP\#-o[TK?F_<&l.4BINM?9>>Wp-gK_Ra,!"'X%JUA5MERp*"$*W](U)5d/8Fg9p"e>dX0&)m!nV?F09#82A,$EO)pFRap[3!U\[W=nknT4E\8;'G&RX"e -%bMf9,p:.LeD$8C;n!b-2Fp9G)C)Ic(dZ=d,S`%=iCj9<]@6k@(%F^Is2Dc7#g#i>c6oel%*CJiN7SQ`eA++C(C@$N0bTNND#;*l+ -%7:_cOkm/__n*FdDH@Y>uT^YO=`dp'lR%INpe*!tlgg::lf%8JS4Ig&^TiN2-+0F>dBitGdF!DA]*'CjZ?q2tQoj)dgc_kk$;)Mjd -%@0M_3f8*L;_&ffNf8!nGKt-jemQ`T -%@<&".,[k,t%9-+jQ])&HXrZr)'U8s/\W'2=#+cBeeLuJaW>5 -%\4shQVm_H12(@^iVWp`i:mI5CAdi9=Vg?3:LXW5&S>dqcCeUZr_: -%8.2KkrDOR$DT,_0N9GZIJ^[G.@u3(E4/$@KQu8lA"[d7L?Ep1JGcW'ug5shHqD'+IJJ'cCB.uKKII]eX@%B;+2;4''S8"Cc\tLTL -%$VP`;lH#EieQ4m3.(/.PE#o=5Kf-40K6=f1;"e?)Ts=F1mP/L%%^T-k+TRhS6qdj*Qj#E;^tAf@%LsDP-W2E72Brb..+;u,%."J8 -%3F/c68S:9nM"JePab<@q8Q^^!F]lN9*Erag>=K*#S:>]H(nS,4&-_qrCc(h&C@:Y^f)=:7BLo,Z4k;rWQ)XoT%BsH0>;2.\P+@`NC -%0)!f-5\@V'-:/XkR`4Kf%(t_\RWnGho;4%(oPURj^!*fa"T;0@,t_5Y#+)45C58C[i,LS\L8S%p$-^)_Gl?=`/@#=\,*m`] -%APWY;5YL_=bcr_\f=c_Z5i]0N$U(WKqF"b5>%k4pM4kRp)KCuMmbsIIW\-1'l:Nf;*1_k3WPnUGq:DW&(P5]QU7gj6FD6KI]@KQG -%.,Fiel&,mP=AhC6V#m]HArFR:C+f`VkFul18Z%sB%GUk=V=kqM(ufpXnt/%a#!DmSPEP@.?gGETSU!X5j=th1fc6j)PV8.3jJb3C -%Bg)qP,83GA#.LTXp_P\K-niSA-pR2/MH>CdoMVgO2B=.Yf70(Z]Z+UHO.dQSqkhTT6H#IWo6AW4',/-W_kH2!oDc1aWJ"@D1]>L!Bc3Obb;N[_e*DjRg%Eo[:ic39s# -%;;fIdEe#271R\k8O_!e2**R`$>F7D:/>S[+6_e4.(1K$+U!gZVBR -%-UhM6%o\O.KO#sfB&L?<^EV=O$D%*fWd6L^FC(0$G4u2YB[UR -%bhg6-%;1f?CabfQ?+i%\-$g'<>H9HWL86@1;7,?.3?c4mgT-_AQ56i=\6<9L3l`6r$B(ari>!R!>&54aNmXppFaNOIVeoHLARVD9 -%7uWO(7F>L,U^m2:ZcIBS]B7re-UnY_@#acU&TPEf^!&C^lgI6TX+j<]r&Ur\4S5cI!,0II-Ngn:`K%eWIrbmrloU7 -%nMG'Z@S62k1G>%@CiWF+#JS%\C5&]V*IoJ8UG)lqMQON&X?dY.o3c!OnhXqoYmRGb"M1#5#0pbk@uDA+mBZ[^%jU[m3`S@bNgf49 -%FN$&E.pL[PdA,f$VEhlOl,JCi\HdJD#3?Rh"B9Of6pm2u`_/S=!4>8e=g1#_idPgk6,`s1WP\?dTWSh`*E3a1@66@Y?6Rj#)mE,M 
-%R'Ula:Si?="g#-/4(O625p]eS.Euc_4<-FrST'Jo7`.Xi">SZrY$]G?kQ$$F'l%ajdf6$1S;hL*MJ;Lg?!L$BfP=>I.0&+\KV?X:.[8ge(6j`WS#=jnMJ*:UW-aP%BR'Z@f31?r2>D0F+q<1".g -%ob\.=\XrF:+p'<'&@!C(hd@9])et(CK7uZal3f.DUfku+/0C>Gm'.]mAHq6Y83s*J"\?]u/G_^U-F`!`o?t"`_@GQhH4Ug]8./?t -%U&-N@Q/D$3,`iV)< -%kSi$5bpFRdXaICuF:U56$]Bm"4V=?t5SP3^VE*H?gte+$%hBJ.\*pZ"9RCW27cDU>NtZ!6`D^`3g9H4Wj!"Mj",j\"04&&QDU$i7 -%V)+&VM9*'^J@N$R;`mLI]AcJ[nggk8QtPNfbRdu]Q=6d6A1ZD-hH$c/"i)c7Ad_mFh%-j@HhTW`,N6HQg&ai;4iM\,RV$-R^@Eq= -%Y@j!?05S'CSeo-&_QuSlJg0aEpKa>7[9*S&Q.#r6Cr'.j.?t&?if!sG\.=fUB["b#a\[&OKi7WuOOPJ.I:`^uU!'+(1(;]HL8N]. -%MIJIX]'55?#O#b&Gm;F&HH!`%$b@`n-e%4>#d)$VQ'E:2Bc:s(o5%bj@P*(td" -%o>6W).4>0T-8FjWnfMU*6Zr8KLIKc`pk%#5C*5'G"_W5^cj_h!?apTCQ$`lm[WN20#!a,K.[: -%5jnQ5n5`'@0(s61SRM44Mj7hl_Bi9jIi12\$GTRI:LQ'.fY">*is=,pn3"IsEslkTC]_p6ib7bXd.FN*ASY=:Ane68LWJ`Za!57@ -%2F^p3bmmdK'W]h&3%`p8H-h*'H*_e=<$`]uJicViS+ecTRZm-77hAhId\I:XnC.#QS:Zr=RYQC8dV[+u,IR,_?raBDg>c^)R?KV= -%U^65F(O@pcm-)#kC/XS<@jM'Gd[13T$,RiO8F#` -%roOpE"'.!:QXIrIf->\'_K%IC1lKch5LtpZ7sdW5Bk1Z:d$.F"eo$M>*b?RPq&$30Q6pQg1A-%XlT"n$ -%f^:n&G)L",;Y!;4>bQ9i:[RXVe;_&&\`.=R`.-`ip^MgnQ,5S5[qbu5nRJaT#EdoF3*/?3Y%BSY,)8',0_1KOD2G2;W$ZOB*; -%fX;o6,OFd)YTm>X1R3&?#59F)Z&e-=,KhB]?dm/t^!J-PT_m9$N[#"+]5Qj$'>E,%!AAPCE,$0W3`W8sQB)%$5m!7qGP@Pc$afI1 -%o8%L57m-uI>PLQ2XK$afFd=6SlU"iNa+>H/JCi`PiT"5(.B<9k,&)l*iuC6IMlA\+Wa\/@r>SDfk4_;S&!ZZ -%/!"=aP;)O40ZdB[0rD"L<&ubcm0O'c(K+lV$_a#%Z?5f`5k^*k_JPgZ_>63H+e[2"d_sG%M]5e^"1;>$&:h>0eV?o>/Jr);N+hN4 -%Jr\B1a]][@aEZjG/j7sP`kdm7h^`nm**$qlIRi39@?6B,_dCUn0;RZM%JVijm@8V-;5T#hBqqjaXES*/7Vu#i`f;AM,55,'M.lB!1ARel9!12j$]K:3&Gj@Ka"jXn$F4M%B$e^B\6GEDLNBR*3"L6E<4/S& -%M[<`\OEHJ2^Vc&bLYi+^K9baQY"tr`[BJ&4ne"pgV[^uSnd:Dp-P5)BQkt]7g5K!Ag'VLCrBt*BT4!58:.AL5oVK0agj86NS8^], -%SMfS+C6`3W0L(NA,ZT!goO7uH8fdF:C0aI*hD2A/@d'PHSjhZ,Ws#5n\Y8YFG,0qoVJnWbWGW\fEl6/:,@=g8WXA6*>4 -%S5KEV>f6.$`jmmP`/u?2Yi-%cBsrTu#mZ7UX9$?<__.bO33_q*dQiC%i!DjYR))s<&Tob>;Pr)=(@(#jCP-ISeBR%.&/KF8[p=k, 
-%bEG3L?[S$uK^V8acDYaAe.EP*B>R=$4YdLfCC=8Omo@[HS&%Yu;E\FEbFo@XDB'+3>k^,*Ct[9kLar,r%%F("g.-t99E@j^R:f-F -%'\Fp2d2YGn*rU`IRo@p=XS5YG(7[XI`lt!'cX>Z>a(?^6q#D!l=?l/d\/B@!p5E<>)@UCqG7V-?@\u<%Qkc7KOo11Es2c(:.Q7Ao -%>/&a89IFH=gmCRG.$JgoJ$mCWk/%oE[L(LBkOgaQ3 -%[[kW[.\M%gMoNR5Z8u"D7_TCH04G[5EgWaX/HnWh3;F2jn)N>,XR)aT2$jP$XDFd4AB-rI_[=R.P?C&/!BWWhiJa-h^)(SfL#F&c -%:U*&F"Ua"WPa(CQ_F,L-13HFJ`XWO6d?A_r^%ShGArJm@bK,!@l"sc)rCQ!*"n6p4Xq0e(1IYN4X^e7Vm,j0^#Nd0kSo/r8\Q#<4 -%?#jQV`G^gR$h)\bkDOr[!8O-^Iku*a4uQ@C$&mWq]qa/ursd.:l#q'aaK?MK:M=*oct&f:aghG[S#"_c>2d\iUi"#Xo_)<=nb$mBb(:67e^SLG`qpee.cPs)(+co9/*cYe+4/qUp:;_>NjJQ6Jqn@&2u=$7h8U'SZ)Vc%,FLR -%%SJuR=S?cJ9HDpE4DQc-FTJ.7$!i")$fD/NU`/*,AkFukr<5@g8VeCq@.Fb$&W3[I2\*-q3"QB+JG"@.n'fL'HJ"`W:qRX#3n&T!2#&6^!I&fKPK9Ke@6"I5nBK1AIqq>Zh/HQC@s,Y@>/qAi&!6D,5ErZ_OQ];_)a?lLYR -%+HdZ+JdSE+H$cFCO2o@hHN=J5"dPZ@Su:R0^C_OLk%??gS%n -%G41K.dmpX1eiWGp\)X,b7KUi9VYW3V&.Z(8h*;6tUsIq'iN)fUXscV0npOcBF@8GX`#S'*97eTj(2,5K52hRDUJ\.`rX?Z'pE*T: -%X(KFj3!7!2T'-pOM+\M-Ve*R:,YthR-t_ts-'-4>NIou>/i:rp]JQWmnjA<.o3n!i"'?LU(Upl2JFq"C6=_C@#jt=R_IX,&@V'Q= -%Jld-PG[+ZZke#)oS?I%U9s[T*7qu$emp^[1fFcsu[-pT'S#M_HoH[-I5+\Ch`cj.U;D8ljdT&%N=W@/.l?q.BcCgEN^pdTu(0.M: -%3*%%O6!I3!q]QG]:?W8so<:,i:2&B\.'/XjdIMmUIo.BEN6ogP*RS^T:4Q,ZB]h-K\m--^0Mm#5EohGcYp,%%gjfR<]Z!nXL#O:1 -%]M"FY>TiCLCS%b;[n&tIm;#pi,q`4l_K.a5cc\HpY"OWlc\6`ffdu]AP_o -%aeE9[)(loLPe/5qP]i7#KSr\q3[+uC[KW6Gck -%PjWL(_=,)A-OD(p$GE4SYlk`5,-7cH=?84Cc-Mor];Q_oUk!=6RY+Y_4X:k!fUmKlhJPc#?N3rd,s^0gNj4+I]kA-,U:nfN?A;6` -%e_I';DHZ,)#9:>hn6O.JD3nnJD>JGMWNXtr6+=%i/=qH(43]b7^@.NFPFM>\!'HZFh1I"rZ'HDZd0@kl5:R6@P+GXsYA?GmQ_Xi! 
-%Mjg7cgNT<.p6`.!J"_$;\?H['V4.N+a9b&3MGN1aIN!#`)Y"C^g.HP.#k$3J'#oi%4k -%4WEcCII*JY(U)h5G&NEUD6*SHS7rGKcLN)hd'UjYF$5*uE9r]>7rN6b#d6!*+eO+KJNP6aIn!c_HfU,3L`dZ\(1f.@ps[!In6;#@QKN:#$@KcPJcB -%XC7kjF=8lBh8ZEp8-cXOmcDVd)o0I0qN)t3"'@o+=bSjYK5Y;JPLtf(A=FN^NQR"]^S#0QqJgX$TA9!M'kp\d7W(i(!F:1-1Qe"mR]7HXh,@7&VV?-4 -%h!*67=B(O[7dfN\j`5Wre(Y,mS9H!S-8#M/.\FZJq83+^l5me@.*jKh.'IkVEob0aY.W`+,(0!IdTXS--6mX'jsK`./Rtnh'AaG4 -%kN:ql?UQg)>C$:<,uSA*It+u;C>N0b&E]amM6JqW's3omjB;1VXX"+++rXf -%c*(?4nMmRNFXfiu]5u:u^J`OsFnQOeSLN6)!h?Un(3Bp>fs^_^YV4n:DG3%ZY\'+2io;ZEPSE@=E)kU"B[!XDQ@t_eJX?3<*J+L? -%XH2OJl7tVFc/a;rB4 -%hZ/WL3Wnn(f97Uab>,ZVQQ>.Te9g_q57P&AEu++WAM/P6P#]*J)n\id",@bq#u_i`f:_k0i,D>O%S2LqJ^-DQ'>Ql@oH4pBTA":` -%1GM^.dj-spl#-""Ng9:opLF.&(M60lEQ*de`NIi*/4ho-#4$8%r`hLU]ROb.Ijt&Gp1qhoaub2m.XHD9QK<9Not7bff$L&grSi03 -%7?+5Fq)7NXW2s!+,jhfF8j1iZ!U)%p"lCN#m$D_C/mF,EYAU9S=F6VRp4h)%0\&\bo=2q7>%4gF"-C7XWZ\@W''1]soaUfW'UI[$TR\>B'.6$o)MJMt@GCCC11XnKY6QC=d4*7DGRm8cm`5[OOP;$<*(T -%kWrc_R'Wa!G@MXMN1$8(N?X2fDV)#XS&DObI]FXl=>Kepem&FaYqs9&g>GBY,us"#O<.3cl<6Vq*hC-XpL(WPlb1/!4f_:525hQV -%GlB/bM_AK\Q]o,WCt[Z#F!#sRMN_:MXRC`\:1fL8$,QYK&T,>Y]gX=?q.[XM?Cj -%]0TV:?P3qtn/,Sj8&5P-kd8p)IB/hQ#\Yr5iAIe)=UHO0d&fM0Vk>@cfm;^q+MEMP8P@l/2QohPSEk/b^O*l=g7B;[s'OgV7aMQT-1n/A$h^0apmEN?od=2eMqsT#nf. 
-%GG:`*\6o1?&b_g^,ZaE1]Jgm@cermaiWYJhX;#=%s-uYRQBs*$8Fal>*IV=83KP\E^]Nn`J -%Y05n(g=cR\A1)kim"PDeFrRk+gXgeb?BT;Qg-1(YNXr:Em[$-!P,)%[e],++oY9RTbkA[J0-YL3&8L;0*n^^YJ5MeTio=/oIt*:4 -%^TYr(Ag7S2s'5Qb77lmLp7a$QM\@3mIK&1(I5n9o](]fHZHh_0]u[*l;F`>NcuT$)/IQW59uUM4\AD$80`4mKP5Xpi?5_(b*P -%Z#`5,PF\M)6J"C'ZPUnU[''YOEK^NWig?9<=lCklr9mol!$5pTQ)#U0]'T7i27%TakrhF;IUIeU0u"MV'Ld9OX(f43"0-q7ZJESS -%*c[.=2Y,VY%UGHCnVl3M0ig.U,KXP"+XKgW;Vllg@$[lDi6F7HV4DGm4lSs6;L7sNY?]HV5%:d*n*CJlr)&h^m/7q#%S7;Tm"&Yq -%:#YVlC(ku_rV_8'Rl28#]$sjg!>1Z%UcWa!4,klsX(V5D!7/kKdX0$j.Wdc]nMefWEO6KL\4)[e7XotQYT[nHn.JR"da]er=uR87:7M*h#%F*V#"-q&H.!cjk<%Z$TSd8;13Ekb=,m6qIS"+r`o -%[)@U";(ZiBOh2`1DgT4d>YB\f6D?3!`TZT2PaG\HD2Yj9kbZ@IY&kUTa&]@4-b8$']:q9nU`JPB6Tk=)V4>0H`u]3*Ks4p!@&*ol -%D9)\sp!&@/_Bg-B?h?_Sgj1gkDsJd(K'T`33?)?m%/hJW^84XifgYb:Qf/W_rCWn!G8L,a*kSQc$/9=2*U>h?VSFd+qNsChkM4(t -%Xp$Ni790#IY8HSHZi)X\Xf`*`;FE\m:g@AB>DF0Cuad`g%Rs0$IuH-nR#S -%^p'7rXhFGMPC.^Vg?*MZJS/aq#6BVIU0'iDQ1Bh![Gl!'6J@Hgr$!!&pM,0gFC+GLm'quan]2(LAVG&XI3Kub6R/u71C5!p:"1\HWEHHlVAS*.A2,(uOe^\?AhR6?pia0H6nk+(kGHTF_K*#C+PS)M>gG\l+Ioue&V03m(ebCQ+-df`Np=`8 -%U5k*U"fgK\"S[\H)TeA$CB%QAE:4Lu,cF=[D8nL+F0Z,h`r[oW__c_gAlWL.`9)e]fqe$n>cYt"q>,$OVb`d@o*rn_J37.UN""7+UARC8,R`!)'>7I7XWi6CEFr -%S_X^WBnoUAY:e$,@B7uP8g#.L,+$,+F?/7J`s@l!cu3bHNkDN,BsNT,_pX+#'ZU+>>VZ)mru]>BVuCDZKb!M_+ui#s`ab.a;&cNn -%9t5,B-h$@Z/%rjh84'F];a*Z>'?;aH9D?$nkX/?HP@oE[njGr,Q/Y5`lp61dMV5eCLBC3:>X4%^)/u5/E=j]YfoeKFbcV`0mWN46r^@(#;/Kb@F3BqXDR\+>O45@kg"\QH!^:aU@^bt,LFCjSbd:n%N[oNCr -%`%fU2SMgq2qmi=+.h1:>ITmXFeG.p/nEVCDUuP(6O##<70BA3Zt@fsh1TO&pZ-N$gK7 -%3bQJDbt(<13f3Mo2(U-fS'>PMggXGu_g\s5`\us$R_u>i^QgKc8O]mN8Dgc@IYOP$?10?/VEL??Gp-(3$7\Ho,#Y`kGl3lQC45Cj -%B5=B64Z/'CXj]8p80+hPX=Jmh0-*/DIB.F$S[#KH,(_="lEDOU*k[XWhJEQ:X1gaHMhU7:3Nc9[.9G1d_Ue-,jr*T+4l4b4)HP!H -%QBET,a?4ot>;WI3ZRW)#6D7O1[t7A4N&&/.>o(\kE3Gi$>h.%:iCgW7BgJQ2%]/-b-XUuJ*XReNEnS0`AfF*nAq@-4U) -%=(@$WY>!Bn"^SZE9HJN//(8*KQ`^fh.Y^@+ZO8m*^I2ZdKfjKb*e&;qp:S=Zmb=4?egVRPkfE;fDC%FP9qZf,rj&*n+(UEPHgI-k 
-%\]a+<]X4"D]NK_4>dR!oh9-hQ[p$kYkF=j#Gb$NA-CI)PMq<3^AAhqnO0kd!&q\Z^E=q>SN\u.2D`$U!WZbd/QE3]^C/r6aSUQ)D -%fb\PG8oD9;E;Kr@EgZ5=\0TK&Wn3"=06Lhq=HcuOE\i>IXNmJ-MsRce-=]Mm>Lq1^-U%.^L24E91BBu7kbl52rp[g&YO?Z144ZKV -%4RcjFnnpfN'[Q'tR:qRpdjs+b0Ib`pe4Mt"V_^-s_rNid,q,._ -%"suVZ3\5NdfnCCfJoe#Kjo>_u2eK"4?/aldN2j=@&atPi(-S%@a_e&^gQhTOj3GqX,!X,qFomPS_]#cDH]Qt% -%Id,])NPtFLq?K6T0rYC'`A.u=`7Ft&S?*P:m*'K7ZsQh8/"3Q\3K:-a=ui!qC+DO29CW8Hffjo_,!ORRNOrZBc(]Rsdm,Q1PJn,H -%>V51B-ji&rEWRjj2[1S&L'3]USH/[W7WC*G6BA,m(DeIqd9SGP`k%+u(=:]&u`*D5P'ZjCV:M -%T5!J![*`%/o1TbAqGbHm1dbj/S's&WR_ccP*]YVBjim-J+deHGM7C+]dLW!>+*74=CVqt"/irbVUum!@a?KiYAi=q0m/"m2cn^;* -%m'rF;NL(D-/BG3fT=l7%TFdt=gmU4H!SfoM#aFl2Y-c'hN3Xcb=[n=(a(,;^:e_5QZA$l4WOEU"Pum%UTYQ^S2XXi(dbN^Ao)7"1 -%/hAi%KL76T=GI?qP/[3p!)MGo&"T[k0[j"sb'rWQIJiKY@6"<#Wh.A^<&]QFaiod^P#`?bh_u325]5mSS40]k!&![JMu<=2FtXXE -%NnSF'+A;N*P7!JL"[.@i,/Y,)lYH.,/p7i,7*#^96*4LJ/b:%c;cTKHYkjM-=!tg3#$B=Y,8/e9o)GU/QY9.!XV4kOO'>f@`<*OX -%g@jLZT`e!cjQ393L2IfD$F]=:B)_\[mX@2%QZQ!EYA6d^;l,T=]"qp*,[cXn^H"D3SB`XZI)iOq_?,)jW[\Ygl9FY0g=6/jG1N6g -%;kp3KmIG!6"c1[tf,J#0G:M4[-C<.PkRa&^E;(D0[*#PFXscPtrK':(al8_SM<\ml%e"P:.?jJ/*s.2Y3Yb_lEko9_>EdmI%[Q(H -%]m.D18'AOl(1'p>6?'U2a#kk&f&u`,D-NtO]5j;apio46[i5r)\Fsmgl'%B2OKhG0"4P\@Lp]&7@fa-;n.=u-EK"_Cnq\dZ\PY(sR%[keccs;?]HFopi*r?]77*N*h-sF^8'iR#<\:A#^1e"!.8g4[\&map5JO<]V%aGK[ZZK9[ -%`piJ5?ke$bbtP3GMm]_((7S)_"a2,abbGpL808n>eJr(2c^=Jd%/12%Rua5hp-rGP?QA<2#hfnNG5U()>-prU"MgTok/XSeWA<[L -%]an`s?sPS4GCG6pN3>M#_Z:nmBLQmm(4!I2%UhYfOV4WGpXffg_8^ik>Urp2]8@!QdSBsu-ph["Rtd@UR-c:VS%7BXEq_b!mdj4, -%,m\D%ne_*iR$F#%F*XRN:Xp=R#7fjo4`n/2#sH/thF/l(-j'W!NJ4,[bgEIDK%;)XG\!2*frSqKB'"["X/T=)TUj=ON*I*+2Lsdl -%Mp#q>5baj948Rt8E9q/7mZ%0e*_VqKC*Y%M5bBgQMSjW\n@Yo,ej\Ve--W:CD#%L\bRO+a6sXjSLUj!HV=&F?Dk'VI=F"3;95A8V -%nCCIuga2p(d][ta:s%Y%*4.M"KW@b*Eg;Jhdj6Ot\dXaF(XEIHYYP].cXE)#3HrJTb`fD%Rj6F+ER:_c#gWp[HtXiaIS+YnK!#eo -%'I#R!qRU:,_e:XM%fCT><`l/ts1pe"(dEmpOlZ)9j+#>jOCMIH8o@i%6oo!d5WGICTE71OG:c'b]qmOsAR&D@!%MIBQ 
-%>2)&`0]J87Ofm4DEr/#8UD:<%He>bTY]sY'R/9s<&nJ5>JG$*+4-@`n7.Q+!Ht3S6-p/9YfGf0jFfA.Q\;4D+_5UD13eKb@46l[* -%V&q''.6*O`_Yu)s5QLe2V-S"ZER/8[6+CRdo2[)H+?fY4;/`YA!jFMM_R#.,8Db26$,R/e!YCUBMe$0Z<6):1qmme=c1d -%,onUb'Xd)AqZ'RoGh#f6!mPqsZ?R"e@M.K':V/mf#!Q`XZcR8u:l]o8CsIOa0gYh>]^/G2W(Ab$Qp@pq<1^l)kTcf0(O+7YM7O7q -%9`T+/':W]sW:^X)\U!H--$P([K*:7_"Od>\q(NH;P0>6L_>[Q%bkfisMR1iO2[%"<"#sTRd@am8$JtkA^GE<7M&9Z<:7I_^n7&:r -%lY6/seR&MK.02j0WBfaVq$j]j=%bFC^9*$4Pb7d]j>Var6s0<.?u\g]K&-=cR]7VFB'frT4/QA[g48sSd%fO)-:f*$>p=ZtB0jFK -%J9eQPF2+7lH,G1F1,tJQZ[V+!RUAhu^]25%:(aE\u3Ps>!A?Ip?dI!O6!YNp`KIV6GHYhR7B(-f\1/5`)[8ZDCioXNk]5eOh -%BW7_M9(Ln09+ektp:e&d;XCUthO,1^5D=T%/T'4KQco7\7jh%IHW=.,8\;d;C"kO=1(ro23B22F)B\\iW1?0JLC$u[WOW0-9cIO_ -%,J3`Q,HXH`-X>b-dO%(M]RD;$ZuEkX]+^^+%2Y5c3/?lSl$R307SjAn]5^O#EY#uqQT6j*>BgWe*Xpb-I*c6:l16]9N6EhiB5K_n -%S`OWHkoW'F+VL_A^Eo"?/VU6;DoH*UrO6qX/iXBIU@liJ=agYJJtd$cY6(#Xek4I]ABe6d*JqkrhYbmkbZ'M:/kuW&FP@pWHU="j -%BN/^PP52i4`&Qk`WqfQnYkLJ3BX[.]GC=)8J>u/W,/djMqA48X`9Zk":S^%*I7XG.YAqpAK -%Ou9Qg,6bsq4^@kNQA\(2RS%N_A"*mY;H5A'a3\DVD=).+2Gn%kOtYTOBc^EeRILL7.o5+WnqtX*/89>0;9Dl1RVDVgFoB*4jguJ9 -%pTfEmP7ZQrR?hi!Pn]#p?;+n2R-;&;s20Ntn#pO.I;;kh?DI%n>i9F6H,^n9qWM%[4$8YfqrWO$g6 -%0QMaPlZU"BB;>akg3HSK8:cmef<-_C')_&pqR?B+W(nDG"JSW^;bp6G3+ot1"GtBWGeHd]@r;iV8F>WtSSO6K.II4OX/lD9ZAKhS -%CL4sbFQZR-tEo'AQ&*HdJKp0iH`*= -%f6BtBL/>Ve5m5sIGtbo>1U-r) -%S.6lZ&]D9l%7#LuZ&C&-]d0f)a=r37OIR5#N>9n>#PVHHjl$0>6nk^XO6#qp5!NBOV$LS"B%X%)';G95-"MO6hqLGb-6QPuV=F7+ -%&6.?.Shsl:rde?S:o]hsMEQm^$+e6iXEcqsW?)^8Jt1aqjY9m%l1jgk^,?e_pB#[RTWZ-F4fFoYG9miE!Lrn/* -%nEG?[JCUAW(HEgU1-,IY\#e-u9Up%%G)313V/Ye^Sp-crJm$Gm!s3:joO(.WV2q$eZ>NB<`+WORN\#ZE.Zo1_Y$R147NWD<7r[nm -%HEE-J)XEs)@2OQD*M]MC;qdm5BDViXR^m@O9>jRdHXGcfi2R85?2Kl9++f?Z7p$G[aSKHio&%H$M+3:ZM+=0G)Q.ib?26.8C$j:D -%OA?AC.re,W:pu+V(!k,,(_s.hWN%tFG5g-TIg/.b:`6=l"Y)kBaY+ssl9Bs-ppns\+6(mJ(O2=6.N'!+]:B>ELRX.i?D'pAGIl", -%Ol]u/Pru>2>-D^H?Or':'f>5j#8HPU`GY?mK,UudE*_/`_$B_e;QR?=r9QI@%9sFSAA)0e/]\L4I3eXYbEq+f)8iI.ui*LqZI2(QAU4I[:boJ:)UpA#r3%9M^nec/sU/V3r$j([kU??^/tA)Vc._n9j$@qNiW 
-%AfJ_Qg&L[!eS$5]n@We60p7@'H&>'Abr\O/k#g_ka@S?>=krXK_J&RVJT?,9V`9O^*PgTR[*D/T)GLe -%S]`KNRj(Z,BeWJAh./D6#BgTZ(ja/XrRT7]OSVtV_>lpBT'M1FJ=1E.Q*(Vu6B#]BC8a/$7!Zm^nbgmCe]KYN^$8AEqt]O/[WSfF -%MToAse+-O?htD"'*kl1V1"TEGPh;9@Hdk19+ZOAo`kagoX^&?EHpMer?S0IKoShBo)3rH<;O8oL]dLib/pGr6bU%eiXNhJY4i%]S -%C+I+sS6g-.B.C/VcYP,Vd0#K+'+[XEasG1<[94dlpe'.aSq#91S9SWss!HPh&`8p.rN:53S[GdK,8J]7K:'0*.Sq<1\$dL2I[HI+ -%D;F"m&aTpckMjK>6EKVsGhG[@]D@;ED]ah&_O/e.h07e2C#q8UkVBDIf6=&:@^s8qPWdX\D>FK1OiJT%9g\`8,52qa%OXN,m/uUV -%[dl4J^J]t>Jf"3Om[?MQ)&dM70[`3G1b!)PEn#C-W<"8lMH"9!>2aMmY^S63Tk,1]A[EQ`WhPJ1$S+,f)"+!Qg_VZO>hrXBRoSVt -%$.!uI/&BRY*XktMf=0@Z[3)q"HArV]&,ts>X?,aOp[RWPRun_2"$/'3@m4K!V&7`7;%P#Ho4'Q`!7'k.Fmm"kSJWop/.9E?r:no8 -%J?W]i^_)pAl/"Dp^u.,j10B&m&,;'dSM<8OoO=lZ0KbF(1`kb`+LnFM0(hd5iWlT7HHeN\?TK=q.9kXJ)<&LJDD+ -%T)^0B&N8#qV#t0s.e$m";%CF1OQF^"f1^trjanRN[--tlB(G?#l;.aZ.-2pmjC^cgaW^'7('/1M53mo@?n1$l;\deO+Ge1'<*4f3 -%5Q(^gYD1V_l&B;s9IlGR3".#I9+<)8Ot?;k6?%h3jZ^kh9Hn/KB%^f,;:g`P$Q,(3,_A@,#N#.bjVXj9h'jbJDO)B1^W^CD1^Lso -%J(!+*Cs_EUD!ZmbRH-G-p_:!DDt1baG3@ZOj&I*(qOmuje-q*T.RD@d\DA>jPK.>NZY(@u"GOBY2OJ,2Zu6*"j]Sh0_?cAY"0j`@ -%TlH&rW:k5ToP2k5k!&dM?K=SAYRi>i0I!%cV)%B?O&98#ZYg_6HJ9Co*dn*nileM(pT=Magl4`VVqdgKb.-Rm8elf&K0du*+u444 -%=B+_P%9Re%E:jAd*`9TYl.HD5&uhPgS_,_,+"O)0'_@oK5/T-(@fFB3f8SZV=Ob32GDR[t75_.3&JP=A;S9^I:X\(C[c)0F3h&D*(RAM.=/_Q(/RkN@\p92uco),l%t4s`pm_bV7nWO?*-,fOo?DW3(E\[0_H -%$4FrMpsj%1kZQAkM]FG0"lDnX@Gj^:Ef&WObPDk -%I(pK'gdudVio(sd[j3NAXB.?\]&&m+hp)r->e+L%].t9>ocUl_^&LsO^@0hc*!fPmqU\A`8*aXkbmSY@mEEP)X&SFfQI/WaCOY^. 
-%=2m=q*.Q]'LbDA%0X[Ve(9;7`G>(6hcO0_KbC6p4%WfR0?PF1FVYph\fI-KLN?/lAl4PHh[Nfmpq@_k;&RhM"I:Y'SPRs;@@%ho,eXtDo>%$0D3P/(iA%"1[TmVk;l2 -%0;X6tZ2mY`C<)O\S1TR.j2k?/"piIeTl_S*WWpt'&D&gd,X%s%P%[eFfHK>ME9=DsA8G.0!sj2R6aIFF`<[,2Phoi\n*HMSo:e1t -%BKUGi\&$`,@5VE0OI8t,@*u'[c8WSIj_d:`A$+OQ2EOZO9?4*[2t"ubeN\#Y+b+%c -%4bC"%GWX."PLia#,#Cu'L-%Q1\\+?-e6`ES@jO1idX3q;DoHC`$2&;;O*`gPSO*mZWcb&W5C-'5S5A#DQl9gih4mciN5C>RXQ&?H8pmc`&"!=X,K@Zuho-IHhM_aq32bPb';R>GG>M[hQo`LZtGH)bQ -%+j9p$rY04ph9r7&W(W:GcIH7]qV"=e\6>_@H]8[p7n:j%W_BX.^L07"]_iFd2+7>Ge]QP7q0Sr#fp, -%%)T/Z$eY\]GibVLrh/qIKM.CYSWW#Z/0Q-XU-2p -%9=-Kf0ijt1Wqh]'?oui/>EmZF%H0kI9Q+s+3H@"`DY)"n6+Le7f)XKZcoA7&WK(pO5>[qiIG-YZ5!uHHbNDY*u;1BI/`+Z"dFKfLTXa4Z4+5i(:#OB%Ot1(H$iB.;r+G -%oNE==S&!t\#29[_Up9YD6L]et:=!]bKh!g]_$DPI3iT*_DMip!jbsG8KMkdjI1+]f!E+RV!E$iJ_=5"md$#_JMmIr04L\P#TB$Bfqdj(lU1Ul1h1I35Ya/"2o-c0k@ncNQ.E:SDY`a8_XEnmXkrp-1Q9AOrQ?Zs5h2T(2Q?u&% -%iicHf,TLk.iQcKu4Z*7L/iGqK]@h1i1j`o6Ziur_Uj'k!Btf!h3/KmI5HpaAS7YP:@(68P-YJJ.d#q -%E7WbR:?>Dr_J1M&YCpifF1ELX,tD6]4W>cl/C3^r4umHqY.tB&^Y'`nq5YFl[@[>!=X>KL -%q[pY]V*[!HH%"u+C[cg-`,ZZ(gfqmkMY4n@U5$ITO(aD9t0/3mO^/]_-Fk[fQ"X32bBbk^[ZGJ<*/PWQbC(3#-Dq8F^#S8X))l^ -%cpt>7P5#"UCNl`e>8%"JOW)Re&nVB@qU_MF8(_D4+E%VmD_UY1r))9UrhP?DKU9AA;C6_B.6I#lG6,=0KV52,eGobE#6QOR(t?/V -%aq4'0VPtThgUT;MViN]-"erS.^p=P4D9$T"qhfS[eN6KT.i&K.9mp9Q1.7s2^ZSd'L^/BAXEE^(hNKjVmV;2=OWq0hufsE"l:`5H!q4o?NZ_\ViNbT\"53(Na;Y9d&6VLr*C6(6h%55Fto1%%g^X4g4uj=UUh.P]kjReFDjIPo+.,1Y8X -%XX0C67Y,>A0s`5V]F\_ioMTH/@cdEbI77)hBum&?K6/Acl=$FZ>K?G;QGYkF:A"'?"kQ^(nef)JMTi(:&I4@O"8iF?WC"1Y`oO&P-GA,>#uR-_ZN0L`B/2-7,H?77Qn9` -%poNoELY[JV^pT5pIC%=UW8$%nM2aekp0sh2>7>I%qf+0UH^DNsdDIDgVI@M!@g()$UPMrF^Fkqljh&'D"W526N"MT@AiB6n7_W%N -%'hfjNU67>Hr>L!J)S*@E$ol^$kspGHL7H6>)..as`F*EJ0PC*^I/S=AhZEu+j/'L(iU)6n$SjU#/lq"n(E`cqoP0uB>XBcY/Hr&9 -%G4SYk+0gKoU0Gi#ESp?%'&;`#*ar,kfO6Oee%,_qDU.Zo6G"l1:A,hZfF5tfQ^DA#+8-k\G7:MU^EJ4k4"[n#j>=*r5?70BZW3u/ -%XB4[df`D^hVX!/SKU),0jCH2iV#XGs^Z2.7O)@+Q_9=G$Sn$VToWf\iJuLVMG!"aqdjh'tg;4T*JOCIN]*.ElE+d@$LtZr0d/fA)W,DFJg<-uV$^*cS 
-%ZKYmG7[7(iHek".+)sr:`P*"5bD6&a1AD3Gj<'6SD4RODp\PQZ/UC[d^1U9jih0Q2ZBAf*0&!tlRH$p2%-m.r\!94N>G_%q(>mR4 -%>PBef:EFk&\tX5dc1oPTUiAA=XJ6[? -%p9@$?j+Off,*K5T,nn'',9[$a`BWr7/oQU,EdUV[r]]$TIQ3N-.(Y4Fl(!nlQB1-QM9`Ni3Cd2jZV<-9_',q\SJ>#gAfcGk2^Nb1 -%&XN"rKB`aNdb=)0DtsZhqtUY8>&#BjI@V=#p-1rap`?:F>"#t3c!3)Mp$qG!fRC)6pJnd2;_*F7O5)G/cITr*VL6OX3eAZG5#_,& -%KV*+g@LHuXEqPX#L0"*J&i1Rf=4L(D#B5fh*P,VXhEcc\Ds>ElP6eY$eQ/"j/0;u5$ijEiE&6N0!$hZ?5Sho;(N?-!YdWlr-P3*D -%b2.qTG%$YRe0cZON)a13[]c=Q,;i:@YCll)B.[bL:gP6L0ZM8mc$.(N6rSQ?WfVP:,uCoF8?tjnSCQ4NDh7/8TI9$>h/cMf!l\)r -%+cqi]5th>lO;Vo(muG_&WrV3o.lCHC_f64.?Z4Nq^H@H*Om(6mC1DXc`'M+M<5FX?Wh7dY>1,Qn?#]R*/&PWFT,@"S&!c,d*8IZN -%Za2R\95PiX([#$(WLZ>4'TOcTXXdu__Co*k>"^ak**7LArCHhcTKr_H9uQ&i_Or%p_[/,`G"CqmRlsIp$:M:8QlWg?MV])#M!'os -%+3o"4_(EN%*1l%fKN9"KP69D[6LOARD$Ft2iN=UA3]^L@,4Cpf&Y]>7NO'AF14tmd'p$D3Elh2L=0A4F1HMC -%+cXf+n*fCYZ5+f(X'0@H^D39>T!lM8T6Qs/VSl2,#OWaaA5Bc_\4i@'58BcNl+cK?.lF1uQ=_5l.JpJ_FP:_QV`/473AF#+>S;RR -%lmfob5s1M-(/#X87D=)uVI:dTcYOO+9+ecj8\SbY#u[O$p1`,rfG0L'WsauRR8QQo(=O]uP'A6Ul&tFsLGTs?99'rJjQ_3Zb>^6V -%0WG--(,Sg9X!8GYRD:Qt,SU)<.;!iE(XRlHjfUDC-f_RQ_QJ+@VD>2(>M0K^N;fpN/7r6j%Ad3Z,%+.p:7r -%(8=dHQ."dIL)jAg_`;;HYLGSjM -%jWcHGU-%Qg9_^Ng0I%BoC9:C@fO/l]*:nd$fW6].P5SAR/:!O`VB-VLW`[M9$(2S5f=fnY3QArGjt@SnlLT9M-m]>1ch:S^&M_$BfO*:+C;V$'c> -%p3bP]7B-HG+%2GrdsbKnPLsXEja)L]C@Pj\BTLgW5F0NB#]&D,$#n.LW[t8BBU2_^6T*dE[-TK/qsLG2.NeI97Hb6/bh< -%XtYMJ4(WSt/b+7nacC:SnG/#h=*t=f1$h76U-u*;gdUW1Lq+iRjtajtLjiWSX"FkAd12J=fc0A#/Y@K6GqX#Sq8$Loq+*M<*YpqZ)%15jX`>a.LQJnoE1,rc&Po[&W"DW9^DDGmAeas0M -%`_Z2mpT^76Jr*0&Y(*afrU63os*1c,Nq:tQs4@;I?Tp^Sj,a65s8INIO#U2;o7+1HEN?H2jp#*A0.Wd%R`a$?DT\QY+NFT5J38H]67$VRI! 
-%)63(;'f0)i_Bktp?:UHUcldQgaL[h=qqW+@1hm!lSs8CNDeFK3j82\JkS'EDAk^O&SKX)b#J-@2XN>k_N"5&D9g63VB"OJ -%Gm6?5mbp,j(cbnS-!:N9qj)8Qhnk]<#epAr_g'9mMS"MV_'=jU]!*/nDCn[4S/%*/(L-53"SondMG-)t!\6Ura)6Gp`\>2%=$KC_ -%H4)jNf2npPSsuFQfGZQ9kT,eDFfpLP.gE1bQspQ,H)>F/$`K__/V?b.`=(^[W@fA:X$>YC%SAo`[)r;VcAWC'a6 -%V5ndJYKs7%LV?)=>NnjBD::NdhmL1p!-_O!7buH/ek,hU.HioEs-i^4D\7'!AN0:-PmRW3,G-iNVU)EUC=8+NBbZt-=>a/,LrMP$ -%4e'J@U012<>IS))BRKB$bPu7M<]e`\OKe=RJVFDe1#*F$k3pOI-2>,<99&;<2Pd%._c4X\iO;0qVQeH"Ph&&iNeg[1Z#g_k)g`5o,$&"FF8Lu2"T1:iR -%C]dKa/\pj[>R6\mCjt\P9(kYT'1eq0g,'u9'4UtnfOWqUWN0c7X1GtZ.5=mOoR@2VM6J=>jG-F$6]m-Hk=SM+GnRQE@!=h&W/,FF -%Mfh@tBd`k;HAF^%(dWAZZF9J_BWbR^N'S8Zl4?:p.e63*'HQTGaQO?(@ggHB=G?10C -%RQ]ENA'[6U5#_^5%WJ8V>I5nCpfmkTp5D&<.DN)Do;V!3*^_*8Vt3[pYt,/M,_4goTTfC(U,$d!1gS?Zn3jUVO]tLHEJ%ij4g,#X -%oOa:0*H6J@#2S'_`%nO94!>(NH+@`,iJe8h@HMD>N'SVdQ40)Y$9H4k!5S>=Q)UC=m%AcRSI=U^Asp]\Efb6G"$.k^=g!n, -%H#\'^6S-+>?nR:fKo4kJ\_+T,&F8Z1;$E3^WC5Dpj\OS^KJ$Z4o%Gd@/TUB"nDeEsQhdOhdqfA67eK1\QRLk@[&f(*k;)QMm1qNp -%2\_m9eU)pIk`R?G4G1JRmJF05I+bHCHO>o<15 -%^67C_G3[9m6"nn?kI"a9?p:h8ikY?:jO1UN4M*4+aGdg"\Am*EF5n<'W6d01(9-'`@`q_lSa/N_Q5hXE^1X_BS%lFkQRB -%5_Cb>he'UD1lk7]WA@dqB"$P7G0W^p*=J#j.qO>ANZZpJ+3o7,3Hh]W[j`WZXLMtsXjHC>+f0OJLS[6%jm>32s@6pZ)C(_RM#FQ>GT!s#Z:gX.c0@BTD/O1cHZ8=_>bpD&+e,](0_g4SB$2E,i&]kYho&;3@%6[m)$ts*[Acs(C9^!hPl6aU*3d*GK9c"mFtWKuLO=Y5)W\I^GB+l28387jtko:VBo$.)MGK -%TYB*d>9&Bt;Q;o_c,3R6Wi<5gI!O)m1_IhPfPc3HK`/1%%$'ksO-N/A'iY6WLl*k.k -%"P%c\"1A=:!-+6?.;;WA'RY`>8[Wt];;mjtF9"TdB`D1N(20_lT%c#a'Ro7R-+:ngCt*t4.5,=N;q;Nb*4;^fr:g\RklcRG:JW;` -%_,8GISp2M4(0&nWi]89"6/aY#Vj_A_%u[uT33qn%n?L]^.uY#9@C=[L%5;=hi8mJGiLmT]PQE&J1f-U5Md4Z&#em3dF=&`TLK>B# -%1:Z"9$O(a.&WFldkMO!*6BlCu4<.jX8KX!h=P5*S$+@g#k'Zq= -%<\*:W/nmjZ(^Fp%-0)dX':=;?R;bPg@h1qmEhPd+;_qs`h,>H)37)jS]Y& -%He?u:grcZCDRR6Vi_u5-rn/(E:@?$?hu7?BR&3*Cih,!R;"qOu4A!8ZZsZ>+L\i^_8W]!' 
-%o0bFm&I\pbEE`YXmC^URWQ=&GB/b!^9rfmjX7&.t9ANs2)Yh5^1j#bbg&'DffLp:1]sL>F%FTqX+OR,EMjBVc'NF)n%$u_mc;ZFt -%D.=M\p!(n8pQr*cJJZD%%\Hr*U<#$61s\+4ifOA=mD??ggj/OPl2H/!n;_3Tal,5QJ\s8Z;2JtQdgR'\r\@AE]Bq$gk"h\H8qZ:M -%&W&g*KHHerd8r?QY/gBGJU&-fH&*4TIFZ@YI(O:C9A5&]JOOJD@4Q\h4b3tl(AYDKWuODhp[s,3rZ#65[m?!-R+4j]!%K//_.Dg: -%0,Ic#(W[sDO&ELq#!JhI<-#L7[e1_g+4[R+Y5d1;NQA[l5j3eMqWErpnNS\^B#[VHU&-a*"/C+$%-e-UQ8NpiWlnHomG-$OMQ`.I -%;\P_K4OLR^XNIc>lu+,]ooZlf2Apcb8DYq'5umBl)ns"Tl$"%rMXn^#aZ[;KVH<+rf0JcMAN*9D)KqAISk0<\jhOKEeZ_mD9.nn47mTn2",,;.E'`FNc>dK32UH7[ldrkf]:6P^2mWl+10F4.O04m*h8!gohAB<@nfM9/e$EBPmT[2QEl1]GUSf^TP+8L&aOI(h$YePaTOE+)aM!Tc=Y%7Y+H`RBQB)]h*2&(.+O<<=T^-kT_'p<$Gk6u(ZB-+7p4#.^EcB/VZGqK]X]/bd^R+P.*=8082_g,L= -%#=VFM^h28M_*TamGi#7'pYRQH+2"p:U8`d*(egC.NY-a&m>A28K\VaZIu62JoG%7),0Gh!4u!t/QGH:nM'>C"pA!nko5Y4.c'u?pP^u-noL5ue/-5`a9B2Ik)pgGWZY&W]\#X-CBV!/_O0N7/)@+e#Xc_Y,]YOmAlCW)$(/^c:-+f4I -%&Yjq"8?p.JHJ8>DkN0XP[WXX61ng03rbT'EnK^*JM!nqMS2E5RI40qH\V5;dYgAg(5Xg9 -%1]8MUTI=:"c<_"cnYHd[Ms8PQW2a?hE#C!PIO4^i6G[eD:etl3O!>>6l(/iI4htbAhX(>FIn3OMqTu),)dsQM5UgP^KW6^.RV:<+ -%FgK0F9c$(4>-^>fXtZmqZa"GKDEn6EbPSQBqk_?p)@4mY(UIRD3*=1s5]a!]9nJ%mHS@i.MB?&7`>5q#nAiQ=fkS.u,[#;0R`[8P -%`tb@1LUZTj.>]0:WSk6DembifWRDgPR`h$Y7bf^^P%JV7OOIPjkXin3:i\P`I^4DoZm(^W&J1`kc!El0_SmU#3?sM?0h0Vg`_^b`4oIc\VKZfrle`m;\*s,XF4gATSMW'kqd[COkQ/0')slO<\qTQu))=Tp!G4\^Rg06&6N4WfA)R -%g4(#)e9c8l2&AQ$raJ/K!B$N:p?>(U[tsK6F10U7dDoZFZifp']7Fb'K]3<>UKeeXr -%.jKB^TOD?;me/bn4uo[]_e`QM"0F(`GERuj6r#"I1N(mNOO'lu%giH&[,tZSa:3Y5'6l8nhcVLooOT`nA.J`0[JZsm]`=JWsUq3Q3;h[l]lfYWH->nYAsP[a*t.#_IS\n(%t7AoV$PqJP[Y#OBL4RTiH(MjBcI$ -%a+9/"8ced/J9U8gmRm]8_b"#S*U3.s!pL9'lF/?C'M8GG!,?2.+?,u2[G8LU$Q8,]g/AiEmns[g#;!%N:(%:&99Sa?MM0 -%ghHL>F!B6njtm(9*@C![!^)gO4(H]`'%GA[`L)-^R_=M8,ET<5Q-/6si=]-=*A_bF%bu_qFDu))$.hO)Kpc'7`!M71T/=E/jg$:2N[A`EH!U0:2V>&U_7l-4RE]#i]!!.lO!&Js'Yip"obihdcTKfP1B$Fg\qb -%MGur0WgnG>#$.oqrYeoEY#06bMHnJE=luOcaqc\F3\lZHkL"\/6_Y\ 
-%aoXuXBtf_M+"QS#W%gV$c4IL+89!\8e6)Y6#3n?Qq.b_Fh]MrEc#D&<58=^*E2rT6Z)E,5Z;@9Xsr?2is^V^If\'-4KV#\n8A(8+M,n'ZAr$U\0m]m=P#^'9*!eh?C7>1 -%YYi<*F/X)[Fr_W*,+la%4Pu#5&7O`1e!mHUI1^$E\%,fpnB/IjVu^O_@KKWCSIpX'9ap_sl.:loQEf]rZ -%E=]u(N>.6f%^_Rg;a::]Iu2eGFI;RP_;O!PG;f'UYM_,TM2J[(:ZKb%k<&QhfO-L*E\e9.HBHUWi9XOiK`MuM95N1uSNZf?Ok^;' -%Hke>cOr>nB`4*?o;ZZ/g=Wp#J9c#ePmukXW3#S5ubjKS3q_m`K!Mfo)^1fL^qtjXO=pVS$G+3L:K'dG$!(?GC-FbQ-il-"8B5S:( -%3+fEj95WYrSSie85.X7\,r=)(Ag&A"KUDe5A(:bgg:R%to0o+ejS-hG.6Dhu#/@h.X%B#*/7tDOI;JMt=%1kO4u602Iqp\iR5j]] -%PCOpi)7[&NTghhHBW*^k*(&t1qS[n^rq7,@\l8WOCf?PoA?d^dQVrpa*iEF?0g)UCZU0>MGZ9c:9l(H/n:I""@HH;s?b*:fX:\W( -%pmIUWmK%(tg/]tmcCN_ADJ--Hab$G3Gt_'/m"#N)V8)%c(Tp\U^A48'ZU^qF%+NC`c_lti(h,GdJMc(jN- -%n*_SCBPE%67OD*K1oU*R;>5rl_4ul6(O=FRjjJ!Yq^@3`4\,!=U4j<.R+G"l7T"O6RaLI^#1tk:Ht:JQ5pTB/7&KutNAgagk -%5&N#0Df+]Ea[HRL(W(#A$01nQf/1-;#C"nW?3tENL.8s#@-mBDDsieUH#:4=I);%q$?hosI`RJtBrjFKl&-99rc$L9,m[@ijl=.U -%($oP#@'d^+R)r7-FubG(:%Wt)`a$?0V&TgBg3$1VWPE7<=Rj3QTqlJ7M!E&AHT\"bKj[S-YdZ&^hcSpTo7LG*7M)\<5qt;:Daa(P=ZsN^<7NTg_9-F[KBULW7Z/^BHVeDQQrsS\)X'Y.d2# -%n'ik5BUh*-@$6kG:+L>A-au0W@S&.ps%iF!=8)bC=_VN0I=IHG:?)9uV)7-GInZ2L1:0tJCf7(u;tj\)dH1UOGmnhY+k2l.*HOj@6Xgo#1Ra7WPm:E3Zp6&";ha:A*QqW9$`rUkC)0@c5g%OD7\Cl`s!L%B#61jQCN>+A?(pDjf5/h17l.B]Q>6mA;O=elY3.\kWNVRnU\FVfP -%q37.ilctVjm\"PBb@J>I9cZ%u+t0BIZZ(D%'LfZ\^oo1(T]@&l&s!25pW0re38:?m3&M"L[8AE1Rt\D35s/aN>HZJclYK>2h)uUZ -%T4#ee8s&DJPWQWB#YupCmL)IKA2N]N']Q]%mPdnaBV,)%fDHA[uQc.rgEVLuliB:IA3AX+<1OitgFA`&6_K6!p(*epMl6p/*"-a)>it+9Un48Di1S -%Wo(Ms=Z*]f1+RP$=".-U9WOZq^l.%%\KU,%+@>)hA-E@53WFHqK,NF)kB3VOi*Uag#*#aahob6BZ!s3IfX0G\D&QN-pDC9VDBK6kXBo=DkFK1q[i][8eU>8b'_6snE?";=9L,J1ZHBeAJ"cDT]<^&3fbG;I=9 -%!/?RPdGq6)`QlmJ!*I4.R!'\3Wk!WW^)-4s#L%Dnqjj.JDsL*A!q_poD.'ttIiE@3"*Q#+_V]aaEuG.QG?o&7a"L&m:LJ%+(QRIZ -%bBCXmAd#["j3udB(REpHobVkS15:X.ci8Gg9sR$LSW#)^EEGLZm!fK`&H^m3#:P1GOs\P4_sdfYLDN5_n*cU#%\VArOO5/oc4XF, -%Nrm=R+ZeE2?ggbRTuL"6j'M`7W+NYk)g+;MBJ@%8qii[6S?;>*ObKR'H4%n:\L=SlCE2cLK%Bg?;:;2qolY?:l!j"DI-khmHY)OQ 
-%9#Rukpd)(;j.;Fsi6NVk'F/KREsmMDm**RB7"ZI\SH.qkiW)X#iCY:maDTgl80R+$hj^s#?<0g.04BCE;\jheWqXuXKO1p+3S0`[ -%/;''rr\h!N/KLg,]C#=ogqT;ZHe`9@kCE!/:j$DFH.a#7G)i<;p/@oLCKN*0CB=Q4=;PY;3P8^3Q6T1X3VPm8JV6KU8d>=?&aSiD -%%K#MpF\6]4NY=HrIXf$T\:(R-.;-^nN4K;``2q6>gY%Jq:-G6$1dMKrbg*&F7,J'$l5irRfFa?Rc(t*oLEJ,%+meh4LQStlP_9K= -%:>Yjo1jDo!1/^NnAB/W97;>G8O?k6`>)@Y3rk_DgLRh\`Q@S@@US:4@DnE7$W@*Vok>FC6Pl8E9*"?j+UJ>f)%LBKn=c(>/?)Wl8 -%38H1j;(S>jRLc&Job_h`H3WNgJNg#/>(oIC3i(@Wr&h/W7ChKqU2ELZIsbu2FiqQO-d+=Bimq,7M=5;OmbkZ^kMGkrWOit_a2U6m -%'8ZdQe8u(@OUTrH>kI:q!i'!]K:rdkQsce02M)/#/G].((WE&0C2JYAP[CAA*oJMMpbdqc:\"l^lG9"cN1?X+QR=K#Za8^ffOcEZ -%haVVCJbh27Ca01H>M&O9!.Rn.gpIKG\R1#ui2^Inb+rqs_O2E=_A1j1HF]TlGn:t)fP&0Y@^-4ZbOk:((YJ1.n$P5I&^re[[\jA< -%dh3Se\;jt6cRE:RnDfDHlWBDKF^:'_7tsj/qKe>k"W[s%QLLg:7kqf`&V=J]j87]7=PK%Xtpl`4r1FuTs^fW?`7 -%m_\D6a0(r0SMdrAP?o_oTN&'asN&"no0)7"7_ga3g3T?]EcgYh$8o^BpIXkn4R4\\h&$I7F/bCSXND7>0^%r[89(Z?3? -%lhV'WMJ-f<*c&+G)guQd"-',@4+mT.:IF#)f<-$?;>d#Dpc5gss0)1_?gr%6#C9>K[srk0s4dSEofrKJIsh2j=BEQCIXb9?o!5Iu -%TDnSg>>YJ-^uTj<@/>ZXE7.1!Va>NAk"CI$?1:dBn`X"AeX6q1Y&SF2l\F,D[k82OQMGb/it"d.]GC]oY9MWQ-.T7:NjpieCj_/`=gC9BOlinN0;^4Hq:p+i@%X_ouWuH2$$K;rii2`h3ajDD"l8ll#q3? 
-%0`;Y=`,I1IIi-W2)Xp44%,(\5Jt$-I+dpA>_PtWq*@'(QQt-iu#^,nQb=;XZ -%@8JpaBQVb(WT'FG?UK2e*]aUcS&]u>YLOaVU]WL!%oPk\mg-NFs5E%dkBI9[5G71&pZonI&lcO'@m7U?C_GkuZYtqH<dp@*JuhP2`BR[P=*'BXE:+kk\jjrY]H`*e4P@%+o99+=$BHc -%nJW*u_#9pX&1WSO^0iar)CTGj&2af#88L05IoI(B^bfAd3I^;9XY_+0",B -%1.aB$^5b??K"HBnfN1H&,N9#V((gT-6i^_4BN/C81>UP#n/S(Oi[XB$LDPgB_fXjq-u$UB7cL,N(pWT9p\P3P%5j#&]1J2D*dr\C -%j)V`C10C<>n/C0XXN0YO=iK8p5g`h"_Fa)nfC6jei6-4Sro+W4K&sLS5C?JNjp.mi%TkL!a]CjmB)W)qA]c&7;[`4QN@ek1?Mu64@;fJXd;' -%3I@@:;#=c#Ti3oR56r.!$0gZo6)pMc#g0XO/D.EEIm=O5L=fcN3MU7oaHD+&[#_So_?8*q%O!-mco`8l%JF6Jd<,C[DBe$a];'_UNX+P-9qgG/n4#EhD7DH6>q -%nOlB-"@)YNb>#GX'Fp(G+rB>0UI7ZhYEq;N+RMAoR7<5IjeoaJo9A!X6/b_PFKi0M_F+"C=tV)6LPK:2"b`R^`dpA$co,(5A/SaK -%;[>h13&<_r8?G@QmVCB&mJWH;6H@Vg:W#FoW&fR(k)kE=o?SC#5A_B"Zlb0T%C3,(E3\(M7]?.A7Jt[#Onkq#3LKfM0g:4sgF0lq -%aC[VV#^3-KCZ4(J2.Z&ZW\tp04]S%=%+\j;l"`Tbb%HI;.5GNuFhN;\ls"TaJ[Z**.YW4q#/.lEW(h2'HW4LlH#j=qLMn'f2j-;_ -%5d?T7G,V#n!\+]TK??*M8PMS$%8W^pdnWH_72=NDUlJUU+LbB+KH,'\!Oo_M`mKCfUH)4aaUt>'Bf',8NrA]8\cPil/i"&di_2bW -%%,j<\2.(E2@)r\(I@bn>^a^E8%=of00sMmXQc_VD#",5J`Ub'Yo?(R>j74!FXq?k6Cm^$*+"$NVY!g.Ch?Q9r;$g4Q[(3;)%&L\L -%)B4*cWkFcq8Q4.IJMMjPE-!4YT,]+ -%Kl_AZF-RF96Vbfp%P_u0B`jl[<"^"@0#Q/(PuNc'pHFB"b!Xqh/oZA>Z8RXG\4!>mIo70`\FJqXiqnbU[Ut%DrZH&XOPooQ\&$<@ -%FRVS#qNWGFM$mM\gbp?IQ?"Z!Jqrpo*fWI3>&1LHIW%e.hiC:X5D]>X58#\UU>-[5s1T=W8bV9g`%Cbq)t?DnBJNZKob;0rppkP1 -%;HMoU0<(1c1j@J+XBkMG9Y2W5IS1U=,=d8uSqAH*C0ANJDl\Y[m!G;N.n$X0(#h^^K;PoSPlGNd`a^FlmYSTjAH;^cd;% -%cVSH9K!;A$%Y9&BcXHQBQ<96QlcD)h"E9aVrTl+l2+@2R\3:ZB,:M`j?#<-J+XBj656uVR=p8.C6(>(('Lf'@S07e2r.BLOoB>BB -%n,VnW8TYRB8g7i0$=NicGG6YWjLE.>];LqEf'ur1]ABK]j-'ajDK^g?F+.sPXVO2/Bg>j=h3/+T^p^=ib2$TO.'>T(p!\6M -%2Ap#M*);NeB$1H4g7k5YWOsYO!,O4`m5g[>*e6q'#qW)u0Wm>KZOZV,T4mPd+;gF8>S40Q`bQl8HJ:+^NY"57@/9L1*=WFd4UY@QpUH?Cd;,$0_s314Dg$uXV5)V/$fmoR15P"3IVps>Z -%PG[s6j2inDf6nC'HXFbdO5&W2a@2EZn,'oNcb.JtLc9-\UG4T:IV98O?IqVaOPGJiAW]j'\3\_Peg%#%6&[MGmA\op.1.oNG#,D3 
-%N*VW!+Q`hk!d[!j&n\CmS$oBpBRpuTh6]S3U-Fr3&*W_Y$l4VAnKSHmn*XXd[>:k%T!6g.mY%_@DP\FtL9$;u,BSh__)uc"ap!aD -%`Y3sY68\CO)#(-^H]3hpZR6U"YWf[2AW>5V0GHfo`Z"18$o[7:BTp.$:@&RiV%Jfjr4ILjHRYAafY946K*TIIq2VU7SEa]^A!mtU -%XAKu;G91U!EEm)2\ZN.MYaQa)'b8D\]PhT=0:dkai^W:BWh-;_=!M<@XKlYT.occH(I^,Dn\!#PJgPK9t:'VJ*")J/RWW/qg%Yq2Qcu3gZs_"O!i]Js,hBZC2U1&^8WD?W73uTn&R(1gZ3'E#<$j$*tGBVAC.#3mrS^beLqKq -%/qpW**A-*$Qk,:kD]1QH?6.\eET8*fI=C=K+>,bB*2ZMY:q7Dm?S+4Fi=@>bIro\oKa2Tb,7JquFf#pO1($I;Mcj6&XcpWm6We#e -%g)>rG&SjnBn@6SaKL6[rLm@4GM3K8KGFQ8?WY]UZrA=iR98ZZ]'-VH"-A+("Jtu2Of%9kfU#.(*e!<$R?S>Kk*ZE)Y3UT-GU":OU -%Zuq\2.u4'q/EL=1P)NK%*L8JH(;8%:2N?.b3\bq=+3?(M#WFk:I5e7Z!kDI5W?E2r56VDndgsf2*eClUh)'KF5jXZb*d!T`M#gO)%>\eQo$U]?p+2_]5C-X/Jo:*qS%ReSj5[.=jrFm#YN-f9t;is*7+rcnW+b4'\Z,]u^Z)+I)p3U"dVg:$`$VS&\DD>A!C^>mC"ff\bhn(L9W -%gpo-rs*j[3,.#NR2&=g2BP;2H5Y0ei1\a"Pcb.jPk3FUbH=V=^rtG9G&(*J\a7VJ>`g2;o9_EO?;C2DT -%Uq^gM1l^u0CS!q5=05-poOA1#-/b8@hKQgTYJlt[%Uli@2N(/+'6-1?M?2i7/sJ/>MVkNE8GCE2r(,?<3tdOe_"BBd<8c`@g(J7)ZOq?On&HKW$%B8Xnabol1hG1Rbj`L -%F:^Pk;)al#MIZ\AY%E$]5rU4iBBc?\b+2VX+[-Ch]b*Ra%^9 -%F*!;U?ASC?b4IjnqKDd^MHpN]/UNUW=,nMim&=kT7)4aTEuNbir+Z@K_@j!8&XRo-;\&-naE.7$la2D0P7Y3O'MXP;B8MBhZ'%lH -%LsLH>%t,GX%qO),9@4iX@&P)$\@HgT.c-QW3:1?44(Xj)3%1Q%'V)5h(q+SoF2"29681n]im9,]aeOE!F-ScmO-@Ir*JksXN3Alj -%]#cT%hg+kLDT=@R--(5:/\l+h]3q&(N9>Mhmr='Hq:OBq2#!WZGb96sp*_AhCH\,e'2+9@?f?,?*E9An&>KTt!"s7S -%0IXa:7W_(0ebNaNf$%\ehHq&:@Q(@O'(M^$N,;,GqEW'%B^]rMTET?,TprnAg3:)T&t*$);RmK0\3IZh.`fB&.k=d+J*4c&'R6('l+"^+,;Y,7(kh:jdpX?h*.\H,'h_pd$0NDJuefAJ+ -%46LC88[8)X:XZf`\:\Y1?K8ZS!)14QLd<4Rr8H_rn#![a[*l^VCYTNW,X+$KNSq(%A$5cEd'o7"H\e+=k$k(o+3;qJ^JY%O_,F^W -%O8J^NT^r%pfl]ZCX]i77CO+C=aS%ggIBe%VI^'SS'S6.'q"Up`!C#28Hq4J@+YN,Il]8Op#Z!Dnkk--Li$+K1o:R((YBg%52f?EX -%/[MZ:RAt?Ffo)Z%"!UCepd_HK.IH@A=e1dO')7&H0:r%Pc(:I=KEPW;Mu\?R[;PYH>N'65SnF5sWM$O,R^CT[lmHUF42S(:VVSi;0AE+;+'B!;7Aop^u4*fdnCG9uhQI^0HX\>Dd -%jjfOf>=sid`eta3];Ta4l4tgmS^ugto?;)!H0pJmGSO$p/U=WkD!Sqb0.n!a1C^rblVN!1=M3=+Cod8($u'+,Z7uA36Q-5d.3XGk 
-%Mh1NE(3HrRnARrYAi#5JVH$BK9EILc*PUI_7T>pF?!4LtE.5P`I^3;Dpc1M56l9IJ -%OG`_!/PTr=`O%:o&W`[6L6f9pg1G=T>1O6cW%+a*>GO([6[.-S8I]CX/'t<^1Lb/Cr5A]A5h&K1aB([tLQtd'2Su_Y(9B%;E/DhK -%:H3Xt[MDaPad9TrLZTM\FWcSeX*YbcVDK3);Ap&n'8os[g71SYMo(EgcB?\_mojIG3C5HtE[Hp+d5^Ee;*qIR6lF3f -%$p\7'd;Yq.D\@&%%;$lhWtr]:eGIm[A38_dkhB^8`/;J/WZVg8L-bT"fSI`jm8Y -%AT!dYc>+Y?&Vk3M*7hR(=Wco(L;q;G>[gkVDk(GdL=R3Q;!_B92n2/P0E" -%qBjdj*54JJ$@8+cS5#YtT&]ac@pt7EEta:ck3*b5"`?no%VmOp?Ol6'f4/1$G6jJWj`SG9FACdh4GoiXR -%AJIcD'eDVPC?=;T>945E?H@/E]l1RNWYeUB^F.mena8F<$kn^>=sIL$'08p26J!qQS;LL\0jE_hD:N#_#JgqJTp>/elt]0_NkAAP -%9k+6gQQ;aD%cfVZMX)#IHn?/j8L@gP)F\oANo#S!cp5L^A]Pd4'\&:SDUN/Lo]4,0N3"9pq9`W&n=rt?'ZBS_Jt@BF1qGP6qj<^` -%nVoPI2`+W"WCEXFJgZ%K'h;+X]j<&UZGXVXd1JV<:fdLp>:\BE$Y;pUoieeE3(`WLi+/+rkIqnS1=[uJ]f,%I1ZXMm1?j:lQH]>ZLmr#G`b$JE:YsJlKL:GMY6`o&&43B"O_pVO -%`A;/>)%-uD;'Kua%;eki+JgJBi9JI)nM74deXNOm3S_J@V/MR32THbJ"s<^Q%^Y=&-oc'ia-ubqV+kDP[E\re_Y@TN[_cfWUH;a& -%6^@b3R-Vf$J"nKcLE/s#`1HlGi\!?akX;*&.!_3@Y[*k/4(sL"0XRJS7!H6Rf@\(?d3X&eJV'2m@4jV%MqMrG(M,:0 -%c/C@$fE#>NSqI3k8-e!OOD=?qlJ.+R/2LTQ>^MR4h8r8IDSD21AIU]?'#d"/U*jkL]L!?m>hT4XJa?J@YmME"=LId=R0AA66Cf@r -%+7aK*HF+e4<`>\*mC+C_`E_V+E,*MJRfY>Ifr5N.E1&Ja"MGW]$_pk/fhMHR15eoqXlBRk5)ASL8[&J*,h^&L:YoM>.IDZNOu0&U -%7Y^CGQkd#KK0r5[.WXl0R/K#_VZ>unl -%0#Jd-L>[g62!qcF\PFe8YKbOB[@l07?aN"cJLc)LVn5d3:-'/CN#;c@o+[aIk2Q8C+0VED>8Zuqn`adWn#Rr-@l]LPTT"UB()"(, -%3$oU=io0$BIpPn-=UcN,Yf0-*[k-Vk%XU4dIoh^0Ycq+H,@#"abJOl\pT:UrWqDL73m`H@]N7CO$l"\`NN.92h+1s:#':^iNAk'I -%Ji"6odRN8%SahYJ(Ie["2[YK3V.chOS>.'B*&fZ?,Mk#-:t*+`_b*dZ0PN6'm9oTqBl(+P9AG:&^0=hu,G:CC*#Lu]Q_TOZ:P5@D -%++4DU^0qaple.BQ3&iPMs4XtTNl(:aiX$JU.=<`KW+:(F$po&)Vm[Wo4l"8@9OAHLn;R.W%Em]"=?n$V;iI0jOSnCsd0RuGSObX_?AEX`C__G^ -%BIn!oOX\Qn3,Y6,H.,nY6`iRd=c3l.ojNYgQ*#UR`mRtR&kc0,gX?jg)O#[j@9%SD>^R`t$[gNbGIlP)b524L6VZ*Z+&uL'PoZ'n -%/lZ(J@j+ohnlSOjjF\r0e2T]:>:aK>=5H7nS,C.*p0'P.js\6n?reUR&,IKiPK#VVSYskf2$DoMWh)`JW+\i,(Lf:fKsp'm[Vc/h -%,j/qd^/s*jeg`)jltL?L`=*RR,a7k$l-t50!Qh"/,W^&t2`"%@.'T,p]k^FONc^AHd]_qh4Gb'1oJ 
-%&#TQ#8P^J@7Hdk=N.Ipll>n1L=17;M@O.7b5Tr"]D.,@/]UmNeikU91;>loq\6&Ag=/HGf6Cu?'[p,(h8Dodd%N,dRulQ&*/M -%^4HMsk*#IE[lXV=qj>f/SI>fWn0ZOAb=l=!0?MXY-m24C,mD'm7C(1IG:HD[hS'+e1EXng%U5^h3>a&tT`+k+`QQ7")N5'HU**ih -%hHnk-bC0BVLVJpVQYYe4m]r#-,Zt'9aZGM)VSSD*aUF@k;q[>m12r&pUj&$o.S+okd$r[b.?TlVc@P^/+U5%&8Y]u]2].`XYR[IG -%eJEJ_3kBMp%6!^O'(lnGJM=AqS>*68Lf&&QhQ&B<*^0l:c^:"VP$d(cHQi+BSa)=>()2;;EbeTr!d#Lk>@nLKDAd^%20Lm(pA4t-M%4o272=-ougE -%TW:EGki40,kiB!?kad]_2,ch)q$sh_c$qq9,Y+]KKVTt2TS_XKp,,Cp+H9SfPGYK`l`dqb(laH!]9-'tW&2Q@9!;^X8VdYuXW -%KC)hYRqfGe)e>LC;,Gu1PW=i*6Yf[6+JcT',bu!6N)m"@RUqYrZ"C1G>\sma9ics]A#;5`Z9K]84TH5.c_P[5fR*b>'j;p@gDTNS -%OF`Y96Fq;h#?NSKnb0SCq;.if":2/og4Z]`;rAFKbBc9g!("RXAZK/:-jDr -%`5_mrA$1')"mq7Gqt$Yb/[G/o-7@32O;';tRdk4U$#fr82Q5S'K]AmM^JBrR.Z*,t6%Xk\_Q+,[;T?]J=Y(8tR"@n=*1ZY-)@,X3 -%a??&_S'O>Lq2@7)Nc:fERd9]>bX?Kb2Lt,ckc*3Bl8IjPBlds?JTOEb/&tb%]UXPiCsZo92u$7BD9_:S;M4"2PFK-alK-=8\>sYW -%-Nl_nlY?d?$aHkoDmtnV>E&c]Z)'_*$6(gk3nN8uMFW:cI`#_,Z8+>YU?+],:%#t!^)E<[@S)J/4o(lZ>FS=UbOI1qOH1>gJ;LZ- -%".g883@=#a+)l?,"LQnRi605eB6=CEhq!T2M_Fi#`S57nn+O=t!hRrrNX/RPK,I%>s0rO;,p@=qH\C%jokorqm&C4= -%Z)a=<[PX_c9lP!!?]'9klJa-ff,:sHI!#J%l][;1>VtId<(aeoY>FppMA/>Z6hl35X&JbRm.E!\eA2m!4PI@@CWJkOCqd0\sf]ZXJ*U6^:Pl1P5'f,i9Y43CqnYXJWlL/0F@U>5M=62>hBdPs?^J@:E?9.tpA<[Yknd&4C;uWKq9p<"4C@O[MKD-5uf<2rTI"k[i -%f9Bl,qa4La.87Qr%rf,8:1q,62B#oIRb%Q):VT:gD3<7Fk[#6)W#@PF@MS*Wd?\Ed<[d>M+<)LE&!_+%l)SU;cu`fWF7DsE_DKi& -%@]DWj[;KrGWtkMVHQdH/C'Nn.1H*/dhDLX+8augU+,p(IG#/ePmqi^1Mg,f;*1=WD[MTfYCM$DQ_U>`2(*l(Vi.e_HeZ0rX@YUj+'&Uo99:"+Z\6mH`_\%tS]q-g6c: -%59c39*!7@6D`!Ye[(A7`gHm7qC.*VOoF?1r&.U4EdR[m&Y3k[Ll)Hg/@B$QL<"0rg2:K6npe1]_G6@@gq-l1QW:-cemTn8r>3--Q -%h4)#sBW3gTKhJ;E6+.R+Jk@u^l*?RV"uR@pj`U/gW=$tTX;QR$)?XOjO>YQc)hf#+V4;bWYlhJ38_XfCd`1DSgr4L/Gl)QFn*IKe -%?;bLYR!pL36[Nm3s3fLJ+jqaF67tnVIfNcBh,;JZ>=,u+OJl@YX<C\#HG(TruqBFIk4!Wl88)(>EY/)rWsX=kgE]QJ_ZK$GraUjc@c2"tNp@C[M.CPu#I -%[d59`f`$WO^Y/'?EZ*1]Bftq6N:g@KEUVJ)J%YRlfKgkFMRr<[-Q1--RjqVu6.CaT5qi>TL5Mq7SXc^,@FD#^hI47Fi5E*6'5pip 
-%T'V2tXW/.u#)El@@@ld6im!AAI//_#PmL8i(SuZ-]/GBPYXr5&RP[Wb+uanL3GTE%-$Jh4ZogW2Ek@ZTO9T.B9-79X8sQqTSt47s -%ROJNu)*IA%Q[B%KLmW4jj>?pX!Vp$P'hI`f"Lsb\KOYS^d6T2BOj"lZ9EcMO0eF'0!4@GZJR\*YN4I[a(RqbiWuo\^HpY7nhuRa$ -%*+L#)^R*Qs8K!l]5TP^B\A[mX.BCd,d'0!JTbF:@niAYEVq;=qRB1YU&8fCT]rqUn8ZTiYAcm,k(O*SF^".G]aC&uu[aO;oBNX*5 -%_.g:llfflNWT!=@-?"?.O12kZfT?fZRcLTtiqOlZ"63[X+\\.2aP%9oS'hae3fAb8,@5no:m&P9^,L7R\GW14b5m6!MI/PH`mJ9Ge0D'+5B -%eH<9X\+LoS$;gUXDPX/Ph9%X]h=18$4bNML('@96Rb4K_V@5V8%dV8T42#EX@it'/g[@8%ZLA9j9d8`lK7^@Rtt=#S71B`)DpgV2B\B>@Dlg@4fMlY4Wi\`:W=f2!g-7 -%&b6(6.sg,t.UN9U,W\m-;iCo%)9gRX>-en['99`[&cFhVS!hbKnDd'.6,p6Q"glZLO+j_^:;VISXP@-4V]i3_rm-GF]QRn/Hr;,Mq -%+2;Kt`WWmV-cUqfDDn,J&KFueQD[4FGGYO_/T-PTngm?X>MlShNSBMZ'!V<;�G#9J(I,`XI1-DHo]u$79)O]JgeE6:>naHl0)D -%T$WE,:$@Pe((^76H,JBCU#(er/G9&W"V?3tIEC:hP0M)8ahVbT6Wdjh)6>JnV_^oB<$IJTWgdB,F,@5a[5$`d'?d[YY19Cd9H9>B -%W,]jTSW'5SfH+T#!quQC[W>?)Sr<\npa.>e4H!>q\H4);YirORX$!+(A:TDg+4[ht@Ip_G55BXfC,6bWCSW\ae1WEE;[(XSMF))( -%>b2,m`nE>5%5h""!"j*C,gF3\(%A?@s!<\h:)$RIT#tO$Lm[rV*3cX0:FT -%>1*Gq3u['r[;FS&*%0)YDfe4pO/:quGLl0f_ch-JEci1>jV%bB<5QU8R_af\%^%J"VQfc!`J2*b@AiNo#uejq"g3ubB:BXUBrP(;4`O(n]6g&91R -%Lr"qMIMd9oC>8#o\?cl+UcUmu2M9s.CZ@][Ql?YG=fNa/.+en>/ -%dArb>p+7@-Qu*"%-=.]'@^S(FqXCiZd6H./]m#.(a)0'%mS#6DB=BGN?;@k,:q8TGf!6iAkent(>u[JEKD_eG0*T -%=gH_I]afR-_R,!G9CsS1.CS.43khH>BG[l?nb*oMH0(8d)oS9;m'3>EI^8OKe+Cg;e]$2Ca(X*@S8dS%08RR`hS=Pgo'4c9D=H#T -%j)F<"'qe,Jbk%dhARn-H<@.cVb>N7b#Y,!RDMk-gl&8?7#N22j$8J=KjFj*(Ho2\SrDPNB"K+QGEm64C^nkt'B"Y@6h^/"Xk`5(j -%8iP-^jHh/l\oD+6ULthHB"7*`ag^FJ*T!(u/UX7hSJT_t)AqU.$Ga52rr$5$@MZ^9r>o,'8?5f1c#XZ$QNib=YucfBP>m!5gsaCg -%\6K5DKpfAGPcP[2Nm_c!OT^;iVMTW:$6mKAh-RTfo7F!DY,*!9!9)A5k>.edmWPe^lJ%q(n.Ed>;^3p4*Rh7gX](bH%InKnoS\lruHH(#[BQ-_Gl_ -%:)6j=^p_T.6X7u6l0>[5dK\5*+`$aX;Q_g1T/bNl:://@QulV!"Aa%bL4sPkgKPrb@?n/NYGAVM4LW*,i"F$X>Ia7r:>CEG`[5LO -%92":NpjA4pnE6]K#oO'lN`FdV)EmX -%.`*I9I*uGZDba0Md!>bo2T[ibS`^!T]iH.FfPInV;Y=.TrOk*6]&VV99+e*t8+p..,7.=1Q0G$/B=J/>G$?1H8<-[eIiDH7)WOCFt1*8/4@=7sLB.l-oB^NhaR^9gW0M 
-%HGp804D((2T#sULVfM.,4Cf]]_F1K`Pk]#SYP]qJmg(SZoOb;6#'s&`1CLY)r-C=1OGbgQS_&O@K'k&n`-8T@,k9,%a=OR=`9=3- -%l=&@m]!D32G.JgXaik(*Q^5EMikrZ',>k_adQe@G85P;qK@=@nbqJ``JU%#\.^&2SUdS]CUrd.5_UXGAG]Ps.D;l@3kl9c]a+&N2 -%V58Yes8DZNc(B7ZF99Ea2GhbaGJl1;(>/qN[\:11%,d\1R>djde&>_B[W5L1C6i[M\Ri^7V8;Bm;o**%XRb@(AX.Bn+=8.QV"<>6 -%O8`;q(P.I+3KtJPsLkof]Ysq7ZiGH6h5Ce$8'E&NNnUtf4Z2+ED:aW(IdMmpiC;M -%:_GVuOt($(Y#K6fc5Is4g-P.DfspUg4jno.7MJ7-3d&n*W[N]RM/J_9!,;+)!eN'l+%mO&Lg+p+R;@;/[!hG?d=X$1iV^8#<-X.M -%Na@Ku@s-e4?Z.6nh/)_r4oWsAV=cZ*`P_9nUBJr[f8H9?g,>GIK,5UW\9N8-D*aEJ]4]_=)a4@mg(WB.'DoK.1NDS(hMcsk-G6dL\j<@b%Npr9XBQ-m[#WCTpn -%gJTnr2RI'3YKq4@U'-##_IE#tM/Q#p#FG's?_t?gl#H,&j8->3M!,VfN#ilEG*U@k)NT@OfBOtC+;C7^(Mc>))Oap1_&O;81ob"U -%V3&J/<_#)k/:hS(2,Y?.^qht'G!sS>D*0P>1b&A)NR)FdK1$fbRr\D>iSl>&Lm6n%3<6,U:GK(Z79Wj,o@i8@Oi8>7o,ULln4c9U!V`2BhV"9:*g,d'h3\Gf!i\DNLe1OD,p_Ej!C)C6cEWa@>`Wktg?&hLXcKH0VCNPr0Jn -%Qs.=O(Je#.q2C<3-clRT=cr[.m3cqRQ\rfO&^`"GSXd6b#*#^4!)RMV3+;>/[dop6b)$(RU1NTNbGoLVf -%)d>gBoqN.KYTT(_TS1i6%ocO5j>iVWF/_f[&0M1=gdJAgC%Q9e?rTU$[IAG^f$OaAL8Pk)V036Ro@6cCkATaO+g!f7"2!.(G]bH1 -%n0NZlPN#N""BS;0_Sb`CO?4?t_GoBOL.WY+7QNp>iP@T(QW9@0Q6]i?67$O#G\0bs,)^hRKVLj93siIEWmIR=>9K!KPqbcib!:#J -%+j:gn^6\[]D&mG1`P6o3Dq\)K9e!>eA##BhFI?><^BB^LOP3.tO?U,q>=/hGTV1=kY7TH&]hqd`W?`:JBkrK3]!TAjPF]btj^eN? 
-%kJu*TfuR?4-6&qS"e.k,*J8WYc#Ppk#A?[D/A07H;*m'E%p_4=PEBdf;\KXuZQ^q[(^&6JkL#W7XsELKXaQ,1R9*Xo8uYp;'WOa1 -%5+.R*HX%>-IVBg$.s&*-Dk$V(K:Fb`4"3gK+CII&9Kr/%+d`UmR((_nO2eTV0MJi2p9Ppd-Z*9$kdI8-dE''[]p'j9"H2g=fH7HB -%R+h -%LMF7kHnr)5-[0ZH1BKTDU0*N^7lYZgO4IrE:6:d?]/Hc(.I`nr]`))<`G\N%MV#lSF`Z7aCYHfF#89@*+1@3op1e:<'0%Nu107(G -%@5B`gW/ZYWf_b'5-A`]b`[[$W'0_S>*bg"cY7Hn2]87\1!sMPVE#`uSMZsAncEhetLhkWb\rgn(IL3XbZ$01FL'i."YrWI05SMjR -%Z0Xg5glc93%X"<,3pYk#'\40)#HjS0(<RE -%PtpRWN9Mk3[5I)46[0:;R$EG9gVl_o#8r,U<*[qjJ,s,Sf9j#&:n7XQ&5nBsJZ(=ESX5-7CXh'HG%-6JH?H^!b<+U7dqN`pE;;6)mKW!c;mSj.kqLDM^=*65S9`>msR,a.ZLGrE.b=oa)NGWW_1GOEQ1aJ -%PmGB9E,m+aJ'A3K=&2SP"T9MeD(@@oYaiX"`=X;S,j[pege0[4)@jANuFjTMja"W(\ -%61LNs4tQI0Y^;74=s?s<02C=*VbQ`BMb:$d7*DW@H`t[S%_!0l[9a[f?d?W0_D&B=2W_nW8FmO#8+COu&;eWl:k`,c/>#?4I!Ak7 -%LK/-4`\hG!d7:a#enGVD`CE%hm]FDRlPkrJ%fRc0:BX<)>9i&Ug6f[kUl71W[iq7S"mUOpKO'Ok^*oQ=fd#AOmglr=L"*OI0FHJ-EV'CpNe0bD0H?R93TL[-r6`rDbk:@?uedA$*(rQSD>6B,O+Kfs9"1\io -%1_?-O/+d%3Rq!gX`sU3pT2L8lhXPGtUXh<*Ffb/gG'1["+S>>%_D`[*l:aA2a%g%^c#6bj=(QP66g!1Ph9?nL]fgkMDp`#\"P+SM -%amhTtN_8SF&TrBgp,H<^Bcu0ep,#)`N1K7cJoOG4.S9uRO=ZWVYO\AfVC`-1n<3>nYXX1eZluFqZ%lmZ)m;.K6;s:A/`NM"Ca[t; -%=csC\,"#9W1!T%fKp\8PNML/;"KKQTg6"p*kN*T1A)sAC@$lf0A7&6dZ9frHR2Yig>(cru#,k$D/$Qi>cp,CIdNfK]#]MrVPfq') -%V3OQ-Rfc)'3epP>ZfML,8&s5G&L1A-;oW]7'4=r`/rabIU7D)8LG4+,FnB7/MM5*H8>u7KlJMu_aL.iVMLYbZm/58Kj,2CniaXGc"bj)_LU!/5AO]UghE:"PK12]O73,l8DP1HQW?Zsn8BhV(:NNEZs -%Y`XjYdZP*<_U.!T;T/DUQEO+Pj5ZJ5fjmK_`$nfsE/K4[q'J&VLC+r=?.XUj94RL53k.`MEG'tUB>s-?,i5V4o33^8;VH"fX$6F; -%3phshSP'3n_Saff>K=slCD=,Hi:!Y(KX4ETY'hXoqPOf/NXSq4c=#3,R@ntB)U&Bd@tdI=Wgn1B%m@2KfpH4/a#$uA*CIf,YRsQ$ -%,78\'iq1R%D`G0F1]4J"ODpCF`FK8*)C(Y)$2&r_p[dcB8V)k) -%c5SS8pt6:eCXD9^l4XE[=O]+fHCi\:W'/H`>A/L2[%]5N*_hb!Y(^&]Y%dOl#&V+*O%6fA.a2q0>2 -%\*f_Y"Y-_/bC9H!4+C@n7H2VTqoWnCqpHi$DRU%cF'<:D8<4/89PrQ[2F!P8,6W`[M3nthmtj"`/2X3.m#36OV;\MWlPUL+:#;8m -%m-=cSMDNF`CfF9PD%`-/QH&e-DPRdF,2R\][rGtlb9n5':4H@<`"nrKKL'gL'Vdtr?h+'DR^'lCGVSMhYldi1k8(#\`W`h-3Xjas 
-%iVH;BMjf]h-c),XirXkB*Vd=1rAY7!h$g`pjQLMM#o\AV2D,5/@$W*KBP1t9:ts@S>L55o6Xjg?ig"a*9mr!t!1"d0?"cB?bHXe]0Io+nB3(Y;( -%jJUNDOaT1i-^YUL7rl1E-FU2=O[%QN>?<>--=KCU;SNa.Be$GBN/=tD+V_01YtsU'1W)%QA5>/-8cFc5.^#jo@7%nkD6\*sO^&oD -%%U*,f.7cE.6I<[hO'4?LBT.p%U2+L,"al"8kMZu,Lm/COW-h^rS#"Qi`[8R)=H3L0!c78W_B%r&cWo/^]H\FeEAkV`a6TQ9 -%C0K(NS?R$hl+5cFjjhBDHSN&.[$\:;c'W13#D9IF@Bhk,SLbX9di$Z&;J;:O4-!=$mhkeWIIAZ8-lYZN0IPTjI)"lY:@;=Zq1Xf$ -%0O?i@HO>&n:;pL+-/NoY?t0]0+\pM@O2Yk@ja)9rKDW#unC-!mHp'Kjc&md'*$4F.*&*2_>O*8e#bS;_OO -%jJmbMabZn4JBPa9*P,/6d@jY[_=neGm*;II.'`:DTkQp`[#pU>1t,1qfF -%Od0"J`Nf&o4"5ThetH9rQt/720V:1&"&O2tSZMp%D]mOUMb%Z?"W>L$7GD6*U2@(*WHMB!<'!E/j^E;-N1oG$rq<&hlnZ`HK2niu -%$V%@X;bC9s0.>ptno4BVLP_=#`H<%tN_aNM`M)M7MZ*_A*OXOQ6V%utJhQdV*q>]B%&aY:W^uWt1mYDH3#"jo&6n@'ZCT8T0]k\j -%2[XD/i1qWe3ul3a*@TH:>\YnGiWd%cKu*?2IN68Cg9IF;-^#fY+I$=9+&k))k@jX^oa-4i5s'%M9QGLQBS+Y0joqVN@VOD=9#ZbJ -%o`R\NZ?m-=V2u2CSk1)JW?G'*'*b4Z1.(THgKIUbt!%PB/F/0KmEX?$!IOTDaFlFm*H4ADet%Wpt9fp+Ku -%dQWSZ'4.f)GBG;[.&Ub;,S5s"06PRGNGtuh`dO69BRgObgMDhJ?#80&cHX7'_8B1'--mVAerr`H\XhtI)*L%-8I3kJ_GHh3gd6_D -%3O=opD05I5jJ+;[CMQEeUH#87XYGmkH?Mp6<;dT4S[Fq)3sORXJ@M$gtR?O+[>VeB9Q85.c3g#I%Qc-A2n/X -%lmZjWA=,5on#X$/n4<3cD-+pb1r="*D?juQTNnGu]6^bFQ9NF.Qfl1jo-?8um$hdK"LMN"7gV+,Mntna-`:;lh7r5=e(/sfh>C_K -%h#@?s9Bk(Z't_pr-OT2lF1ce=M?umFkkGq/+&Be8-ZZNK)W%CNkqr("l(M>(7dj!#<6N[e-'V(_Bch41* -%9*?oT\0Af0)&pp^+n-WAMBcM`%V;]PDMSa!P4Rh5jrd"JEX2F@l41rB-D2S&&0Vc$9VV3b30(h&@O14X-3Na.fcj%.6KC`hL%p&# -%r%+QjeKo?,r+5;mOP6/r7)H/Cn_'@ug>F.Ym:AC=LFa]2/Jkqf_Qa+jU.c'&@`i%3-J\1R<_=t(@]G:$3fmR9148a8"0i8l]\H2c(I`-Aab9Z@:7']c3V_jE/kA8/+Un?8o&-7*7Fa$'j9#RBSc]3f5%QJu% -%YcTNDZr"Ef$FY4]kZ3_LACdj%W#*AUor1(k%!'%6XAKGoW:O!IVu!(';^UDpn:Z3-:X)gH@&c2_r/88as9poEsT -%>_uuJI;i!6E>"/?+OWQk8*!S`iooA=8g>_q_YP;"/u=YiO^Ss.3)sb_;gtN0.4rj"mVn2Th[Z:`(J8;D\r?-t4cKG%&q8T'5r&3fZQfDB7:fa(^of$eCT'-rVT'=X5#I -%nfsT&?/`IW(kT?_d,I4C0C+3M.:.^EKdne!7\8*DN`=F/aslOU[UrHCjZq_W_c94[:$6SQ-4b)pM/eQoOElC`\I'X:FlHW-/M&/^ 
-%Z;.7HJos:(,5gtW)3_fm)@)7Sg+K9a*'N5*8@N1"o-:W&526kG6i$pndk]d=N`l'RH5%j/Ak1TKku4BBLH(Zhg8!M;l[0@LuqdfdZJ:<_<7BfedZu*NN&P*TV\W"%UWA610drAT&1c"[4RbUXlF$c"*n&j#Ttd"Q5lZPO4C3W&`[R@ -%o2mLTE!G]K6ED*8E[o6,qB1Pf7fmQ;Oc=rXYAUu61(5NXhNZ[mRop&oW+t:jm4TC0RrU-S0f;'1`1h04OSrl^91eD=PN)(JKBho! -%I&1thSeArcgUr//)[&3/.3Qo1VX=uMsh'(U&Ep?]$Ze!hPNDRiV:caT+[HL-)-_pT[Q5\r7Z&"r5<,F!P&(&SoK59_cf]$UnWaQRBH>$De^ -%2&0Y-AQbePXm\^L`<50IAQlB?/KlVhJRV.9Um;U"d-YNV5n/J1SYa-/+l9-gk)CF(\7CSf$TWOp6`P_=p,a%mNUmLg.1D[ -%b\':JZU<)cX2FM%C5gU,bbX#5MZlondDV;u_a[:M^(HQAF6t^KTU)7JEFCk2TpSs">Nqe'\-?h@@90o66H+l:UFX<+?e@+$0]OeSVAZN#cNl6t#\gYH=Bq&M05@,-2C16MZ'+kOWQ3&3U=5HHNMI%aph7(T,'n"Mh_r$' -%Wh-A(cPd4j2C$FPC.^cd4.HFOA=[+nF?b2,\\dc5gbp"b,>a9-6)5]+CQ6KMGm&\-J]b&fVcS+/ -%GRE^^pZ`q-KWVP,@'Yh'H=/,#a^iasR%"#,>(Wq";G#/Cg4Q5QV?%?rp!@0bMFsb6mUh/MOfI*=SP$q.p4Vn-R,SiB5ZE')"(=.) -%8p2+50bpe[S>k(QEpl&W\_/@A+_\2\Dht,)'t0LI>fY>`%rD0HT<:)U(J/ -%I#h"t/<"J5p3;2;NKiJbm85:S5hl$ZDR&09nfEdC@Qf+>;UUR7:o0u=VIh(oe_`us%%"!gIdC-gfj!'0fH[36Qo2:h7JBE`N*gZn -%A;R-dMK;lZE=9KmhQ*J$X_f6s8Lm`W[oC'+Bq[EG*#nll##9e[jjUfO\N68=,7+D([hUJUB'+din$+,WUK(FN-e_;WV9M0nW5QhM -%%<7LY#a*f;(3F<.]UbMWJ"ClKX&St86C\OMert;Wj!rO\XZCBFWGqQu1`;b)6ai]TdI'\\;jei.]3/acOh?Nj.KgiW-u8:7=`2OXYukq)CE1YULNlKXkIEG0@OH]j:Tj1P/t%" -%hBeSQf.5++^l(r6-PcB@M==c?V#Fh;rXoNC"nVS.Z^144Cb/&o\;ZePWRCpW!t#3L<5QELKaLE@3fM4=$BW`gUX>oTiG`&*0gPD`TiORAK?aFAei9Cg;rY` -%*cf(.41il/;FOIQ1VZ8]8--1dp(!@HUKb$:X>G]6a -%,k?ba]I_-;'@p/QmR`\b@uZ2dKNTIZ9dnd[7Of2?R&XorsJm08$"SCZ:YcEY=ceQ3M;Q)\+ZdSLIT+^/85g+b;r7*T.M3<4WHL"%-DgkN!j-p,"!c -%W2l9=Q4u&0.9g,"3;s#=PtQa$jK`7[bH!25F!g4LE9%p') -%8JSBRBghAYe^>cX%]WXa)`iKmO@Be1NP^*0)C`?rlsq633:LSqe$1OTQUkAiN(?THTHb3&b6)`=9eer:Y;3&.]""_U!.f';G_TH\ -%s,>?/Zbb>AC/W@/Z$%&TDM>7.ge/%`[3p4.$26GFX##Q:_SgU5.61WB)bq[q/2Kkui@J9t+&NS.$-k^j4;3M7&'KVf!5d?/+;n@#r\n3(g -%J]i^`*LSrq?ilG!Rt;$5c&pA?c%)/O\%LZ52&rg-YAkqoQr_@0m4X^uBQZ->b"DJJJA>c<#/+D7)6+)06t9QXK*oai,P_^?o27%t -%#H!;,G?MWuVq7Ec047;*:-:'2!'K'%aFhCkZ[h;\lY6h,/%bi:7rd3dkW)b?iBbJD83KX]1iCEW'gadJW30V`^/EKK6R1euNcFBX 
-%7V^So:b=4HN3G=f#99&LL)H#W"jg%[TrM?>RT@\K^2D=5I1K#.\+S'l!+HoGMfbI[%kHg='tUY%9pa -%7<'iU\b!<]-fS.nYZ,;@)C./Vi!*7D)_L1r!a(?r>Q@k13>SBkB"jju"0AKW)?oM`YrSc>GM#nhW(9pIq=)3^9_:k;UlK>8*,]BK -%:kbo5qPi//!ZnKjiA=,k8qB2F4UEKmo(AK7psB,Rb,o//jegL>,?#hU!;t3I*kkQ&U1k&=,c3%S8(OX-NF@.nnA[;nWEZL%m?Cg\ -%6"I6q/G1pp_K@&dRUQ6@+]5N]rEb$T'R3S&rGu5/EU"d98FLB\Ls"8 -%1.d?AobtH%3d(YKN6n5HWA_u]; -%Ks93MA*cEW98+7ln\2%S2(+?k&L*i]9XO_Bd"^i"gb?:1A[E;cd$`J(`GmgO'7$*iga8FBoW8s@;Tg]KLGc@=BiG_q2$BtH#?_JB -%#e%@-NW=SdL;r\3cEoT@b>X@Bcr3'P)d)Lq&`hb"SZA\l4!m\og&,Sq^&,FZ9CS%)PXSd!?Co=WFZ6$1qMl4.Cbp6VIDdEFdP3Z^ -%U^f"L_h@.Vl])=l`V^;"^K*=g-[2(b9Yo@-on*aDRmk1hlUW#887"u(5-0j'kftJtTH$epkfg:4):6AY0p?TkF]Udu6Zf@j:Mucd -%;M]=`>fFF&Z:[.p>cSR*0Z,qlVm^os(eC/ZO?D5d(l[NG&(1IBXH1+LG@5%^PT,)*OkkXmN:Q[uW`s;]rK9PNB.VZSoUj?:bI`0D -%"2eIG#&AX`.:3K+SSrE($YuM5\p%=#@OOICGFf)p3L)-j:EP,%nDS4OmIV%um)Sso_uWttFf9cZ@Zii@$E2,UaL -%iXR&+\"Be`?JM8u;@lMR@fm2lIRrlp%<<F5!W<5st(%7(e"$%H#@c;qrjpMd:dfA71ol1K\LLd6P=9$t?QJ=l^uGXVc($0kW@i8)jRQ -%hpfsR6gX@Z6H;!+J![3Gp[km/2+SrTS#]]i&pOjS@jG1RR_F$Xl530!AiSjr1%#>bY;)0f(*SlnfMZ,VAn*TX1;+MZ9Le9*9R8PV -%\"Fr&3p8pG#.H*?J2)Z*d&QIYb;^r&L-c634YA9,)M`+aeE-"Gj)'Z1Dm09Ep -%lMt=ekLX\df+SiNYVm]28AD\cIg+H.LV[j]fkp!`2hX,W8,Gf:hKUU\6EeJ2/rq\fqrIl( -%IH^@(]>?3X+l"Rr`)&8iBlt*p,-E?,Fs)GT:Q-4?@CRiP5hY)+&LB\'7)KS)*a.qq,5i<0,062IeJ>[C``dQ*2OfXR>3fHTs -%gTF_aI][JeCY#=uf33lqrY1%7)?h.4%!h7CN'YLB5cHY#j:^iV.)q6E'6Trb%bT[TYVj;7aeDfP)+$S-Y>f`h#aWnlp-8&b=..VX@1>QJ[?P)@mC4*Mf=NQHh,1p -%7cWCVdc@Z!+X`'YCNfjEA,_eUf8rPB?;mcfB*YJo=jI0BO\.HK<_W\:k+;(*f*']M,!E3E<+s\rKD7Y*JjCuq'Q3Y5@F`7SRb"Er -%.lS:3ohO(@jeR4!Mr[>gMTI,U@jG?8eZlIP06YV0ik!CffELX?.moi/DXagM9$%O9]s3e7j`.HY'<:gHR=b*&Lur73,-7SS3(og3 -%(52gJTVkqsU1dPp.U_Ed?FMlLpK:BNhkh&E@*ocrk%rX< -%=rTT`-YbNi[R,8ilkE)jG2nan/tP(j$]mhL0'kq.C>!34H\qu/1$<;5ZKjr$HUhARWDKu+Z3!^tE7=MCfRCjff#]1j.,Ogb2U<13 -%#;duWa_fb?M?TCqkoMQ2YY`u3YA[2FrmLE^^h -%1$<-1-n86%r_NpK8dKiMnr85S="?WW4@&ktL]^=?Ipj@=PF2uK\Y(0u5ZW%q,M-bN[G?Tf#Yf*i));>>Ai5H,]8hf#7;Bdljt\B( 
-%>..;[!2'cYBkP^7G;^)&.^QNL%GC],8_a4.RA1c0F5[!WZ"dLM_IBKK.(gjmhiknXdnFJ;R,fVNH/-s<-)S'hD1LJNn+P"*.J38l -%kcOV[3`*Os'R0<0mDu>"0EB'!U6f,0g,0S`?E_`;%]WprLkmMH2'(C:l4M2&BOaYNXK-=Md6*e+*I[7`*b''CYC,,[\9[blEDJN6 -%RJt]/HGFa%$[0/6*k`dF%bMF5266?-2Q)Q_+#i!jl*.gcb-9K'^TuN6+tatO6F#c+qB9>([?9#)E18X!j$r&Qri,!kFAGP9PA*4S -%kRs(&6(mOKN#K!.hAB.La2+du*]>lTVhsMm"'P(HqZAHhH_\QP]Z#IU)VZCr>?op>?CaY##=uEao'r&kGOoDE&n\\A"E!D`/qSu> -%*48,T$it]H-&dH"5JLcPkU-isq04gG;UdDGb@HYY-SVhmnZ@\2O$>X:nc_4d!Y7+!)OufW[pIGeK$D`,-YZFo*,Y%(,N!me*6B^ckrd(6(j$,,+ru794R,[W5C>4g`+:%*6M'UU+@D`R)WD5cYWi&QXC< -%P=:D'EuN#67gTN*cr8XVl8oSd5dW_NY -%`![ns7dQ/?iG,M5j\SPDg32(D6[G1f@iiZ/Oo,fh=^7*.%b-%d9U6$j7_Yrl#deSd-Jli'%p,W"_cfT$hC*'Kd3_sclXp9o#$Y;G -%g)$e2.ekp@A$I6d("bY4eU90.41nW2,B@s: -%2^4TGOI+/m#rr0AfT.201I65rm1-R]c;f#<23(,qUWMj[&"<4NB0dd4\!D)6P"C!Z'ASJZ7$WFo -%L/[AlVbK1gCVP>B>?4`O1@_WKec)pu%.?a4B+l/<;SGj^@^jNnH4E4i+iblmpc30g?@:=NpC\p)V)T'=t2Z"h#1#m61(c)k?B&]&2pdSU:Kr_V$u/b?$XhZk!l[_P@FRgptfDB\/9M1\>F)O`_)!_^4"N'(Dbqr0Mj!M\fC4g3Oh]kK+&Cf)YJk!:BC8p7KL5+u$og*7j0gr+sm3GIf$DFLG[ -%WmK;hfj9'e\#nNEP^e,MrRYt:kHi2fT=t+!PLj0trO2.HmsXNn2g=`'s/d.+*a_)/o[ObMIsUjq++Nk1(O&ZY5(2tG]AGZPqHM!i -%NrT.,h`Um2YDn&0adY4B?@VrE?bC[[g#k#;n($amrq,k2?bL]t?11!1A,kJ25QCAf?TnAWeP#i;#;:Pug#m$ok79fSd?!2?IJ:u6 -%YJ9lagqA48kG+Y6qr7CC5)0h*FcroMb'j3Or-'j)c)8ae.'5 -%29,\8!N1hp#ocVaYDYE%bFs^Q"41e?Z@(hAb2[9/j-t8]IJ;"PcT_BVh)c^+nG_J.(Jiq6p#ZpuG$A_Omerb!YPpW0Nq75H -%rVl=Oi@s!RIP/AbN4^b0ci<7bgrE0"Xi8+GB*3"MFZ4,ae9fNM@I;[89M^_I;7B$?5R,l0F^%DhqsP&EoLr4t%MN4Loq)2X1W=8B[@Y -%L\20Z@$SabiQ+r5:V\$>hYgItWu[`WR]9k7N@]FE/lX6Y7\qUqV7P*f7gJ*",_>>Ne%$9Z<3lL0"`#S+'f3Hk?ns&iD2Y&im,g,o -%;4[/$%sVT2:-_*G@F@k#*'un=ei8)2d67Ffk5HWVFdpL4Z:LPpHA0q+_Au@#M-/L;&)W2K>9P7S&3;;9$3n!0/F)^uT%;AfRr)V*aWcE/MG#!a-E;)p)Rc0/>T@&ksrV`_C2)Q`$-d$G=u<^]>To#M_^ -%nOSS^OX"C;I#(f5.A]uE#h:b\F4k3W$m;s4W5dgR_22T[h)LhP*?15==$C!_K$sM4$<\o-KGppH,*L?5-cm:7?HZTgZ8)MKgh]t3 -%F((2aG9;+BmK\=TNuCb`Zl+BI5t73h(nfJN`<-aFJg 
-%X'jIs,mV(C.@\Ci)kib`P>k8r:8s+24,2rO$j)6=d!fe9V%VlH93q6d?JCXEpD/>_u5)>U2K1VP@&g>jICjg/fTBiP#gs0p"2N)j%('_@[R'Z=Ng"j3-Lq*ic/ERuaBOfsD*=`Y6C9.M`1ml\]%i3ms4UWT3P6KX+@D^$QfiV9bmqb*$?E%J7)*H<)UFK.^PFI?u"t0iXCdfd*ClFRs2*nHg1&EVL7S99Wc9jB=C140ptUuc,UCiAsR^c848"MB^t2q87KgNoI_+(\YbC,G)Kn<5gP;tPiQo$20*lLVUkAJ3bO:CK87,sl,?L4 -%]c^Kb:OJ"Fs1pc>1Xoh[\:_lBjGaOW,gR5b\?J/k_2]e^nj[7>jmIik3qk`;4^E@#VN8@b`6*X5ijB"C/&tq=qV/tX"N;b"Lc!`8XAJN$Y@;nUWXm9IOCW9LB8=Ga,P[cMFr&<>!X/*S1m`'_Me(F5^0P2\eC(V-%m^9]i9At'j/OKpgElQ+n_pnlkI?U\Il;-oP.PO0M-B=FCDt`JEknoJ@/m[;9f2c;$ZLFabWjB -%ZP5>[$mqhG]?@79EV%_jd,DO,"U-k\F1uXfgo4bjOumZG&,=NF^]#FE_]"3f9of&9,6L74^K\*;m.W&1u(nPOq4842LLH:nWGU5O'Io8>SS69-$WF$n.?W -%o?S@%ePteS)LKRC_&!)7@oZp!qW6NtVcnJ&,cl=I]G_3Ak+==cuD+MY`PAf+pVlOLBasW<0grQ(pA&66`>1"g9=[ -%cMW3uaA\+(iR4(?/+"Ic4el(>$S^3VI&0PYqstb.^1BtGT@jX=R$n97Zifa0LZRmJRR[u`pZE+^kE(',/c`lKTJg,2'"(Rd]_>5H -%7IM\3V`%rI=6"lAn&?p&h9i82U$cud_T'O6mLpQ,.L*ND@B?5cOB#\0L1@&p_KT1:4;_r[u+SK?s@P^mip(Jf\Bl`4[= -%@/&nWB@l')ND&k>*U\Oo28&`45h]eYR+f?_:">>cd&J1:,`CD]*\i_tGr6ise"uHVTd8J#.b`XF*/-2]YKQ.^NLg -%;ZHn[EN^2nJYW9lhY7a9fuAH$gQ3c:![V]^@Ek%ojn@gC_L45q'U%%U\HsFM2d&pTDEID]B5UrJb'dT4oIEeM*=FBo\fDnD!IJhA -%XE+,eqHTGCts_KfW=$8Ek&?E(F3IrZkmsrZcO$5ibZC`>fLCC0*K=9$PqOX -%_M;7OONhoO.$E\%/]c%f6actES,9Xe/=WEDJ1h^ViI]0f:?2K+D!pG;hcr.=$`p\FZ4#6i3P>e'FQ"DsaO''G06#>$H7p\pKqlA4 -%9:K/#&5LFK?Z;s%@)9]TXiS?\=`"1q"j+=]="F@'(>N"gY:U0gJ706[P6E2c67`L_k+S/r9tL\cCe1uLjOl5*.ibo>jNbT:%8XH" -%9cNY@"f338G7J"tLqXVjg9?&W/@H]*:ZU:MXO%&eBE[A,(SL4uk-/[$>=`;.kcir5>Ynpj:KKc.JS0qSqBkcQ/$m_E*?L0pMUIac -%LQ)1qY81ZjRK\`)+"J4kP[80UYf'?";#5LB,e,@jh7UJ&R+3#Z24a@+TDU#1j;8U -%CPi&h>=($2(O,I'pkBT#=!1"u\?TI>jiFkg#X=kJd`H)mPc*-n5j8iZQCLbJXk2a$fR/L/..u8S^2bgc]\t2h<=*.BXt'Prd*3Ng -%]m?6>::)f),V84Vcdpe/$m'CMT#`VB$ZW5?Bp<:/4.U<02^?F!Q\gHLHhr(EqHQJUCRiJ-[ -%Ib\P]cAU+%d6igDUZeoT&Pj`XF=;"?0\LWrD=V_WFr%;`7J4Z''Pb9>A'UTedG8*aaF9K/kb+'hG1ICJX1S_m9qL??[QAf3/*AQ( 
-%Q)eXUNm1dr+ASbQ>is!:C)eIZ^E\7b#npk_PZH*?dp>@Y=1>HlU'+g:ErX:kqrAd9Xii.1k_=Tg;*bWXkkt5IuTG")m&9IZNcc")&nkUnrS_6H3P^V=UZ;i7\D1KG<$kM>sPVZP#OTVu\HiQQuAc]WkjI'@E7J^=30'i!Pa<$]JoX0sYC6Sre@$^6g)@L-q8& -%GHp&a)?%/-K-e#r>j[&\q&lTA5o3CZ,Z)Y9M-b![!nYdR3^cOj+u_P@_b[Qr]bFd4[oeh#&G'?dBI!hN7H\O"\rHY();r6A`K#B* -%1f+:RL&Ih=O(co&H@jteX4,mp5bG]+dYM0l,cNaTrSir_(a5f4IsE"1/Y:pna!,g"NePmS,pc"@KR!CR)cfXZ]i55'0W0UVYgR^j -%!Q[al..I`N43cYF0?OS2lI5=;\rZ5*2/+lE>@0cRQM0Ru)9U)AQ&@dn=kQ:'NjGF#nlB>L]M@s2)nWltXpj#%F4aRVC%r`+SCIIa -%(],dVZ$O=EXt%1^hEe:Z*Y=4YRZj69k\,X:e/YC8?W*IYHI9p[4p6*(8XS3LVmoK]o,J%1bN,dt)mT"bD=%#\8Q).m:HlbXKCdN_ -%aOri,cG^B>L"+Pp8StZjD,mDd?Jo5SSFDBqr)B4"alHuW0\Y3)eg!khoL85NVXHqTpC`3m$'T+_'LFaSso^_i.t_o6g7@o1J%h:6B/[s5ngDN"07g/p7/+n9V>B*knma+JT -%6!%QGj57mK)ng6AMn:t+iW,DX:n3kNd6Co?cc8'IFL,&h-P_ec9[JqN5)EN9$L3)q7];Fo1g[kQ3&AAP+uI]h]t6X/#'6*q%m,ZVe_W<>$T_YMa*s4b@-8kM -%/PrY[f:&k@@_jOpm^(dsoR1;.2=,k%i8-Jh)nJlo`%1aO9db[TQeI;W4c9]S,Pu;\=$p6JaS@GAYbUM:Q*jkP$=RtROu^6Li!JO` -%Ks8];[Pn2'e_G[4[R;!87)n;t9Z$s/Bh-u:bB=32)L(sJ?"Y0$h;,`'o0$![#Z8B[O-Hl:cEF"q`f-9n?dRW#Zg3]h@--Xan#%=@ -%(b?o8$f+u8%d&>\RiN$?_r*Hi+P@=BAA5lo0CEf851$,3?Z-Nk^e4^0A[lqF%H\EC^6i@k@rj`=9,Md%`W6f)Mb`#FGp0qUZCc'A -%3rs6&iNj?i>fZ4!5i0s!hS+?[$Tq](s#)"f/]d@G(U/7\*iRX_CbKZ7aM/?FYs#*U=FA!QSq,RC$.WkXoBWEB!4d6!kB5+[<_\0_ -%Xa@&tPZ><"B&r&,MM6]j\+O!eFp -%P(]>%i^RHa]L>?5Dbsu,)a3RPf>(tYg3"%BIJ!U][Vb'=\;g)CjuSV5<7^P]O!tjg4:L(U-j.oJfLT&2nJ<`Fin$aUcq\tni%gNLUE!V!YeKpQ80(-o)oNmWW7n'JnZc^PD-=C'duE]+Bi7?(hPFZ93eqa7gC6!pgS&\gKSfS?jJb\i_le2i8Kp)#Vqk,g'*3tunk_]g -%*he>uI.t'roQW7FaU5XI!F44jKA.uTHsV1U5n!_Y;I(ZGNmKNtG%&`[G[p#04Z09)[?\0Jo,AQqAR1%9@gK0olhe1e;gX[^=L",Z -%$*?1m%-[o2TJ_8K.e=.8o&'CtQ)@f'gkNTsUQE0HXXB4(;rM?cf(7[pGL>s=*U8)[U=OXLP@H\gmG\VZo@KRn]@_T06MPH6[^SN[ -%h?oVX7KU8?[@65n^9)%T'm!;+2K2g,Q"W*opH$1(3#Jgej.+po?BnX&Q1tKrA?3G,cS\KT[Mfo&cd.u\W^hd\e$4+ZM;2Mj^P]9` -%'2nl/**)?udPL)-Ca'm-q>cqoh2C#Ih]jo;(Y43#e(9`;R$$Q<5!2rDBmQC\hEYt8<7?9`8c92&XUmmV29DG(E0O?eV:`KdgOd'N 
-%L>&L>OrT@(E?f*M!l,;Q\JEtp(8CNN,joU(@:W>64CQ/rPaV>e)hC=gKR#-``u-&1PdOuTmkItt:6C0s$tQo%Ho8d[D;53?!5:c5 -%H@]aQE$<8+G.cr[3)(#OC-g#&2FeTUcA*Xk+4&'S[KHZN8J#bm7Sf[oN-QGKn52];.tjYRi_eqtTBfk.NBi`q8f]-&*]1d[Q^A3J@m -%9iA1KI:IB+jrhj$]S)O,o!tsmA%Thlr3o0lG,1eO,'HYR7kN$%c4`/h`!dPc7RMK@Nm\Y$d@XV8eOu=k)R$^#90*dZK^Rollop'AlJ=#n`s7P0AcX%`>:a#;=fs@2u\tn]HU:31>I8i*clD\ -%bG.V]n?>^n)_G3Kr-UUa,JR(je7#Tl;(r3r[/b'@Z;NI -%Rbc#lc%:I)#LMW[a`jl"Ca'f__Sg8-@r=#?Dpj>="+YD][;Jo..@n-,3Z0aT5"h]>:oYq[R*M]@I0lG15ZIklK8g69R)f?'"Nnkg -%p!!c_=LZ$e0IBf*8**LInM!EN)Q-60,98G60#EWfITgb!Tn60/"Wi[t?DATT-%b"Ec;%GrQZ+[P%9b?*pT)^/EW%"#Z7n-7DUH.>@dIL -%A7A/f(R#(>6pWj@CNrClnH*L\KXg5RadmPKc -%X]/$eBItEI)PBP!0u&?ERtkfk4d_[81WCI4qdql@-AMiX6?U-(q(P[ZAsD%Y<]34PG_p<+fH%F-L_Nege[Q-omn`8tFma(4WdrUh -%gqUeMkVLQ67T_#QQ?59aQ6dC:TWW,8J(\as%%iB6YOYm0p+n#P3g[j+,k4c,^`M46cuCSdj,6p%g[pCSh6R(jg.OqG0ZVbqbJ^Nh1o+$6fB0HQ9R`GgjpPf#:U(I/I+=Z+7>IAbV'+8k?U^$*(4Hf',=aieUPo&fUXInpO'kO3odpMk9Soq/mCrFB1f9b7-odoSb]nUpSN21KR= -%i4EpAHMQP*lXr-YXJCf[W4c=8PY(:]**MGAR"\NrKJBdr4G,J*3"STD\Cg -%4I0`3p,R+f>#%bqs2#efD`IelaQkgGJCZMh?dDOH -%NV>[8hB.gYnE]kK^\2#^r7OkpnGE7-fC<)6IJE*rJ+`Anht\1>l>QU:bCB:OrXWrHS)=&\I]NJ(J+-86r."Nh++4U5ocO4mRt(!q -%J,)lirce@J?i=o.a+*^ts5K[LPLk^]+iEia;[LJ,]2WNhnK1oRH^Ms6p!\O8nkJYPo.5 -%`j`_XZ[_u#s6Ronr(hh(5P8g\I.Z=pq>^C0s60?pq5aOpj)t=ps82ilB4(Z+fC2_Rp>1;r&,s'MB!Ad3M;'kP;>Fr,mPAAZ,th;-0Isa,_J?R&1"8X+AjCf8T_DVR?.7)B."EkMA8s -%%rKn,pY'Ddpoa9Rn+6/g2/Z76?amrQju<(Mf4nk+);23morGgmTDf/spMAO6I0TF^@fECrqAn3df3)VVsg]Dgoqci$Z;j"J@jA@?>SigDptr65nE`6Z*m$6*]5.Pu%j\D58QhYH'$e0=ma"nahM;kE\t1hp.'E1XQ>ubbh]WJp6&IEW*h7jHWZe)"QXuR3OI[k3$$rQ#"bnX,32+ -%n!1q3]o[m8=uWlrJY\q:[U\JQS3<&l\V%c'Ll*=NS?*J_5O=GPS??5Ph -%PP:^W^L,AQH%T(p_4]ISQd$Dq,0r0'>-(.S:]FnAaq*5EH/)V>au:,hY&XL>NgVJ_`^PHYh'OfOFRdje2%&F7pj`08j<*i6T=8h' -%2_2m+:48!s\C9G)2hKAeH#2#mnk$U1SN2#qVk;6ReLJmOa?(!F9(ZH&j2d?'9*Q[)"BVF^?U5Fh>hV'5:!u0(7cV<,/RPb.poHT= -%a*nu8ZqC%!^@1^ij4i^>9%@_7CccS(Q/K":Sldp&WA'$@p\f(,WmBikA8qLr;c,n4D8>=i0&=0dm-?+&;S9+/n22S2#Of7th1E(l 
-%F%4"?HHfR+B(`GY?*!%#ec!Z5UNT\[rgt:Hp>Gr#,ASVOcTlDZcJ/RGG"TnL5i7s%t2N%_,J\XHfSPQH7_2q -%N7Ifl%t$++6/oaX@G%%/n6,K]YNqr2r:Y$Kae*GLB(LnZ*T%/:'DH%PJ,ZX68p!,?hfB[TlM3S9qNjqSX?!mF_Rt6aVp@.45<35t -%nu[95Cg&rsDKm<%h\*D/IsgLWaG7IaABL4EY\)ZS]mXdRpa.LUD"Ve81NMrT>1G_6]3_R!@,[E(8+pkgebS#T2/2s^oW&.j#$mY5 -%X+%hmD]\pn@[$"(HbIZo4"nB^jZYZ5Gte.Kla3.qiS_fkqcAc8%*[TSm?.BQkfr<0*-CL0d/LR9'`)qpec>C?4jq>9fegHVk/)`9N[IXfecj&^/h%7YSQK)b#0/^i*d\jgd, -%]\R)^!F.L&D]N%DWh,[&MtR)An9'%W0Q6e#!H_qq)`fHn!I-'P1./km?!ocj.51A`5HtufsE?/mp`V.gp#*A^*E-]B53ia,lJ`.q[mF4Z@UGAf]DTGZqQM'nNN'psYI0sSj-[$>a#6\,X6--SK2s!##2YX$e'l3^ -%rl8CGp/L%`ra)l.siXR$;Ll,jE=qc!"/f+6)@*9R.1k6q8P3_dE_6AbH*1oftt -%*T-)QnX`AaW5Veq;,MW"q@e(jGND#uIXKnj!uk.q.6D"VWI*!'^5-s#k;<'qK`0O?gJLUi3/b\T;kBD=+!mUGR^X$CP -%r3DfiFtO`!JM/N4nuL6U],k500roRZ)a<_fPqWi0m34DlGOF+Z>e&u3DY)89F0O*U?9c*82bjKFgK?V`5KJhrDP,Uk@U)ikhZX1o -%ou!5,Q,7'%LcrraR8K__hTO9`Y9-l:%>4AnqIA+u^QnSsgcK.m0'l^ffI3jbEJK=k=-Hk2]_kfVgTK5SbJu3*YLi&%FR5s?/P:_>>B.SBI/;EVc[-I` -%KT\J7mCelhM8AZ$2braBXiUj:.W]!_D9=ZhCXq/4manj?srL^!U9)ri=EFa&WYbl*Oj<`:_/g,eY^q>F#\3 -%<3=d3n#g]Jjb#'R2(ZiE[dH4n:f\iGBT;jOa%W'Y\4ueGa]`u6f?fNGr4%%afpp$ncN!&!mA-(Ss8IpbMhs+!I:DU5ZEZ@B"Qk9ZQ8al-)-%b1J`j%DO.JCPE:^S6`XA%n%A,ao<*&+b&k`bm&<+r. 
-%]`se^PTiiBY<$VWU#Y#jZ"@[;=KK[/FYnjXfDQ)h(Nd\-'e@jYjL"/]ZDti'^s0lI5F=LG:]7L1$[5`nr(c[^UFZ2,Otr^!MkkR4,-Z5q".Y,4(.5"GRa`^6MtDC^c6F]4*8D_nF_30gH7S0uTk3&s1p-S,eV>ct9oHK@IbHTVU;&XWYj&NZ -%ir6K,5&,it\k&TI;eJlHoR=G!A7tQ7@+(uKn$,a)*")NnO>_eVC=r?ZtJf_G%JUb$&gV%>cV4(Ni)$nV%lE-dJ/= -%Ufk>rp0uS=;3T&pBrELYn+Gd#*djlt6$qbMQ'p`arA&;EjlqiD4f!.i3%aEpBHO)%#'.Qg,$Mrm=-AHe#Hh*khYX9hqqJNA_kr3tp3)V&^4o -%'A@j0O*B,u/aGtdWRlIK`:86pC%6Je.eK4DGi!Bo:23S]"uF)\SPp/F$#[ce#HgS3Mf38H^?b(`KiqA@DTflV7s0;7ET^G4cmNVC -%SC[kte>tH@%5,n,G>G92E*qu!&XtGP(;%.jH7_fJqlW*,T*m.]/a"jljhT82gK-oKR+*%`lJ(-a4s&.RDOi,&Vm!!>E+Aq7pCc?u -%CV/l=Rdk;9?I4WPTDIqd:4$qtbCgdUCU#c"8+^_kGW>5*qmkIBSN=JtrSfgZ/R6!\`-!X-mA#RqP2Gro)>1.ZV`"r6%NjGDjY<0k -%n"*cCS7^[AX)o78]Q]RXPHaVq^-$H3f$2C9NugE&jQ'mDE:0@tC/D0g44D2fQS6.'n6,5.Yg;0U=Xs-r&"iTj:FT2Va7/%Nl6g\5 -%?uraI4:M/b[r:-9*R7%(%P5b_mXO+FdpUh.A!+1\rhT]I-hR>po6hG)6e;jmDaWZOhdXCbiEanGG+'/#Y!//a`l"Zla1Ntg^TSG( -%>GY*GnCbWcNo"dUlLE\7Fre17QLDu!Bf*PrYEh=lr:!IHik#DBlh2_=Qkps0:N.u!5>fBr/72Ct:[IJW;!?``.rkK'VQG>d<7?5L)#5i]IEa"]BI%W,W%Ib(Y0.6e3?n_34PqtKI1GPKgi -%o2fiV)/dPtn6J#f?`?8/qV2s@S&@Au.L\o)>(#/@FoCUUlSn:fbK9XQa;)&u:-U&1-8/UdZ[_fZd9"$cInP7DALTWj&Mu6q+ -%c[7g`hk\SArp\C!c*KLMFi-hH2OmGrr1<,`F7.sF]8iJtG4jq)&"?(OIBU#FqK`iTnlQUM.^4o4]@ -%F6-['G&!$#]8H@[r9,fd$feCj]4]WN^8obV097K!$@\E/`clLi8)Iuq1h$ar5)rH>re8GIbZj04"?:pJ)])F*4`P.>W]<%AFAiioYB!a -%lbacKgblQ.\Gn%G0kJhU?gYaK*a:e)IV@*+oj4rmi\.fl`Ei5`IP\H;7pD8=iEH_*1W<8WU:?YTR81a"O[="mO?g^!ur>5::#C!>B5.G2"Zp*rF9H>9b2'9MBlhBR[4R(U@ -%mbPBtik*I-:@6NC<1Y/M[i4o;E93*%0&1i;\(qQQ_FJcd=>H^kdkVHO3PSap`PC0-^--N1lKt58\t&YAD?N&hh&ASN1TGdkg7o50 -%L!$e@3r=hP#C\dZou?C2p[18eh_<,sE;0'cWu'*RpjVt7cf^>Sf=FSZ]T?gSl](J;qG1>$B'\ISG*\:3!!3KqGk)pk^0HDOMXkGRU.hrg7Q]dhH5mZCDAR:5,S5O2Gi21+Q33=[j;j#s*%CHNH"2K)ChC7t/5R8!NHPOJ43LtCaK;34:qTpKE@%>)ZFb/iD"?KJ-%r.$RlZa?](TU7D?ti)F!4B&Af7Ep-[+Ei)K1SM:+9)tsC3LZZ:+-N8B(:k"#Af3VY/;^DZ+5,sH2.2X$]H*\Q -%#d\ZAEB[P+AD6[DJ\s"43S63b#p]VM#*DBJmii2ek_IqPJO%L+)B>=?=Ga9#!F]Dp>"_t"JUr?-*eHd-e4F:Im%?StUt-So=AUpI 
-%6scC:IXoS]1RTpc(R?Bj;UZ*6QO1CRZe\/&'"s3?)GGp^H(jXd&NBjDNMB&L\fr]QM49T?:e]He16p:j.TZ$i.JF*^MaK$e\fJF7 -%T`gDD&m$M"bGU&&-a&*%LE]?DdH';![=t$]i9H2WA5kF'Zj0nHd -%"+:SSC_H?$Ja>r^%TqoD#7<9)M+hLQ4S3?]UI5%!_T8[og?6jOQg'IY5Sc[7?*b1k(f2#X771Dg7]Sr9.Z$hp$Z&-jI33c.T-P)YJf4?uF,'W#[M(B@VC<]\T(@l=C&k)$neHKXK&pd1t4\OK([f&*FRmJJ,K534 -%W%f0U@p$Ziet@Pq(%CmX4m*E$_iOEmrV)G%3E@i[qub=-r9J8CpPEEOl_CW'%]+OOYt6Cg[)^u`Q`+-N0qYDsZ1VT2Lt/`!6^HJdUpgobXgO_$sRLX;u?rMBuH$sEB9SLWgmJ6f4eqT.+&Q7a+KYTgc#f2ek\de(Or_k=/-/,-.6 -%_1*8D-dXsP6c"kXT[b>sf2tokXn@+kBg8,XGc0'L5MLhgnQX%\X4k`-uXnIhW.>$S8k,k'-M#SNB1cP1(i:+3& -%+,iiI&_3MeDJ:Kt]CX>F\S&p;^NH&*$c.#V,Ik\5eZ1'!TYIN[^RBN@F+nA10Q$d:2Xnaoj'r?u0AcV@48sTfM;4V>3m'*YlOU/9 -%J,HuFg_8eII(ae\,Gr*>$`\CRs%mjcnVc:HJ\PM#r@KuPFBu6=1O_pl\i[H(53;Y*\a/t&4l,&"f>?S65=%8Ve"tr=T>k;$o<.95 -%gX-'%XL@b1DXJQn8"jn?r;l&BZ6()H\uI(U]Cs6k6*^:5/+u0J]se_dV;@1+0lSQ_]_;j/fHK/8k2r6R"+O?XH6G6AaqAgIRir4, -%00!56m^mXa,lH'Z9CU86?OiX>droul&4h8`I+VNaFo;e5\Ft3UTQ91d6jM#g[R&oW+*)GkCrXUL;m3\n:oG(gn3P*8F*;.#n(L.= -%[Cn_r0nZ'IDBZBae[1<&EL!Vb+NOkeF)t,NMm_?]&F%)"A$Pa^n)rj"_QU#sXb4i'`qq@HiUec(<:T"H]*2,]Eb;RYmt80](RG2. -%`m5Qj.8s=@/fas$hZ"/D(IF[AReBKmb_b8iLV[9hLQ.D0m<0HPJEco;-9ABGlPHV7luMO-mEhcgmPTDd4as-Fi"8\8HCoO.iIT`j -%[u7ZjqKD;gAMD`d*^\@3^HIEgAM]tLU^E*';1$YHg/ -%=4A-IIseA#k,(3HhgOeM?ihdln>Gkb6UR_Hpgg[X7fA0bqS+':\ef;^@DuRPr``U3&VfZKrY+Ko%4BID-o#f9a%m%'Cp*q[gURi) -%R=".S+(sW4mJcdf38b`ORbU4J]^D^Q5s=tY`],#u];=`J^:ocIfXcIDD],3\RSFc">FnA-3kV%Hn\^GjqH)=K%M#.=HYbp[#A1-! 
-%1P[FsI\hK\lGg%e"MJP=N0TpAlc@Xg5,alE?p$0 -%m-cB!$pL8t-P#d7-RL*=C`ZCEi4YA`O"0]l7qi"jqH2%:?#7f1)i5#?JS!K*$g&,9J]ZQXJHhHeO=7;_d -%1D;!:r\L_WEaHdHYA5Ek^8,jfo+A`OZQohs"D>#u5keO7MY(0D-Kr1`g5:nM6pQ?'B1Wf%:_OXtKd%=Pm-_-b%>7SMceAIt@9[j@ -%g"GO:PqMU@pu5Xmmjs9"kTl(`(X\V?*ul(j/[(A5.ZH5l7:,I\Y\XDtI+$3nLd8$nK_LKKqA:?C`TP%KaZ_t/1Qn%*d-QZQ0aM)& -%lu>Hsp,'mA`CCnGF<^aGk+`-?A!+Nf:=st6CYJki-I#S/.9jJZH'JdM8;Mr^_&j"_%=k;8!T_>1dL]PUE0Pi?R2!AOt*+7 -%Q,_.>#0Maq\uXWO=bn#Ig1:^Tc^$9c%B7>I."7;?'\9i?>!82?Z"mB.3`+?s]\"Xo+;q\l_qI_aZ&8bsT:X,!JBXEu0mj2q!VAL% -%NAsQOmJm7+0t79Jp?[A4L8T^h`AJ^4Z:b]h\4-8*SjBrL<%0^aJ0@O35'XO&0E[mP_9:*WGk`nU)Y@/EJq*tTY6EY(\k"oV$6p$t -%cuTie(<\QIc_?,F/2!\X!$?dWOD-9&iYj-o:5Nm2SYh]I)(8?R:F8c*kRCV,T*=;(ODcunG$tr*#:+#Z!Am]M_[Xd2Tr(!0kV9omaKQL8o$f!#m406&M%V5id2bjOC#8WOIGS%!<_\jBRbR -%a;CHJ3l6O__@A'%37P!%P)gf"6XjC^ebVmCemTSB!!P?@.r^b9)^&$P6\0eZ7Mc8aXpH/m,*+^^Ee0$d)J?k716g6$/R0%tL"Sb6 -%#_O'JdD,7:^'\Q+=KJggnq)cLaYYI"8k:!K:K9su^`^uWd?jSokZ1M\JoLof@dtZ-U9(^SmHcq4!MJ.]EV%;0NRFI<2kLS#1kf'J -%e7Do@a0qcH+?S\+X&pS(Uate40Pj2K3U!o_Jl%!E]sN?h#C4IAmV-FH5hE(oN8ZdupoFQ/7kub-PfJGqe9pKaP,k]a]O7#O/7&F2 -%cfQ_(A\eSgc1e'J%,I3AL0#^a0LhNZnc^]Pi",ql-WIbh=paXTe]\5,_))IN@#lYs+S6M>Y8iOJ-US/Q`IUG)YR8+[Tj/2T(j9DR -%S-,h6Z?/`^H(V>fW#\Es3eV\[+XMhd"9bELd"]?#'(?\_R\Bms0np;:$hXRO/O=GN*K#^9dJ?Il]'aUA4LIJ!E=%(!;Y+W=#2N>V -%/h;VJ"j4C4)2p@6:h/aB1>s%M0a1C^P_U -%.S2)kAk*N=,9(+#'sT$9.UlPX+PCmB6B$4GD:u(*8jW`\i/6_>PkJ'1;Gn0M5jOKL;B;Ad^Tgs]dGkkd4oqJ&'J'e'VK6lA\q5kr -%PR.,oc>m"#!2n37(?IY,/HKZqYJRsYAA$"%"nX7)/c_e1#4GMXTGdABlGkS[n6?#eB!0,8Ub%7VW3f[g)i'q_,0Gbk>[ilgDU;0] -%1+Y*[1ha)0.#l28.]a8oan'dS+XRX$cm.,P'u5d)/V0h\,@OQX^p?aXON*Gf2O?[Z7mUHjd".2DdNf829#tSJns)?Q,g50JK#.XD -%Kg]Z0=M9rX(Y0pIaXZ[H4#GD+AU;uUM2C7B-/_T2$Ia)T*RRR"&$Tp(l?M7t%!o9.$Hb,ng.F:6n6E^(!YAb;-7%B4#D-6Q&iO=k -%6lR7RW8$LF&SS02W_K%\@"jWD3Yno)gk'(56N)Lq+e!$P-O[6.GSgPc`RZodaiU-id9)D>7N=&[P(?%J#\jVS:$NOLK0&-QCmSig -%K1$*4HS+*Y$i$6CG*YY6@ER+C'ibWpn]7GUnOjOc(#@@ChrEp6("aYr9:aF1;J^O/MkOY-Xscj5FP.D]N`]KS$#ICDL%D[F`3+`Q 
-%iG0jV*Mg6=Q'oWdkib"?D+uV>[NgF]%[AAL#,M4/`C!r=^nQc'bd!IU=<$./"i!+0oE#Q"/lA=f#g:PPY@T3\,H(T+aKQ(a-U?=7 -%js#%G-hBd\OO#I/9t"V!-fXsT$tToWYooOa$js#(&P5Kup.UekVD.$0[1Le73f@C*iR/_l7KNiX7T2[[jXZm6RMnjiD6$p%00h6T -%!u)Va0d24XD-Ab@Ymnf^!*_.cWZ?p&O@7b?55_Vd9UbMZdm9.Vo0mUG)TDjS"iWAl -%Fp5%K#nYdsE!O3]^VKk*XX6R!H[VOU9ZI$C`le"N4&!/6l%LtG$GT0.;1h@#,(SQ.>pYOpg0Gf&R/!O;5]j=nAn4p$nRh=@%Pqq/3jgnS=)+B^'TH^Hr5#OSM-\t\X$ -%%3sM3O5S\j!0+r"_,TFM3FI2V$b&77]kh81au,fD_.j%ZXm2!S#-3I?HMk1%[EaPlJlpT4DkZ[mO[_2'<`_T'+m+=ogeeEK:]M(s -%%2r(WF>?B[P6D5Lo;#->M67iTZDe)$AWs(+CX@WK)J?kK4t-DFgBFm.:'cOrbh<^p;JN)'I\+SY6li8er@^qs^uu#QRIM@9D/6U]E$)Cc=T2el-dHf=SD*2@90)?&/u>4dV8s -%BekVRp$F2N?CW!Kb6`r4ZouAlba\F$,((/GKm`!<5a1T7O"0($3kumbSXuTQ3mF)?,?dY#i1sb`k>P-#R97$M,QoJX=,\f?)C!%) -%[lEA<>$H'5"F]bpMea*?/llF8aun-MPGtCBoWf9&:Y;uFK2jH[CQ&-"a%^"U5qBNo!:Qt.CeFa8KEtC!6CJP27<)T.!,c!H[NW&) -%Hp+$J=u9RHH*i@fkZ5BgNo%Q"f(iMn$;0=l*LRl)]M=Y%+AL-@+@(XH#WONhfIHuo)3^,,H#JJp,&A"`/V'Ocp/HE[0H)r`%"_OD -%6mm4ce!/.i9/@o.E6E!NDBt[-iJ^H2ZX>oE"s4Q":#G)$3W0<=P!:$L3Q8NoP_k4J4/Q\uo8s.:B_)O)V"o.992R4oianTlAf+T[ -%$U>o>mh-cmi@(G?m=f>d&_T=gnnQP#dZPT]4q]lbZK6fkW@c,KJ5LEWB_Y%+qS8ela-B`Ggus^%kYbf.ijVRN4"UPD*iTL0*=]n0GN -%brdt+9S3di%AF9';!e!T`VMe>XHJX5rPsgsnKe):@]h-Y,Zp-OhBl708rC7>7s]ddqoEFc44l4c"%93fS1BH9ro[NN:Zs;-qY+>` -%6MB+1CE2G]4^I!f'nQDYg63?6,q#OVe)TOeZLj>RL[(/I4Ln:d;rsRjmq[ajpsn8Yr=6[2NtI]n%6jSnOCPQL-)el`qd\iI7=.!" 
-%$'`T2(5i2=rOG%58Wp5@6tMFN$T_GPY.Ya$P?OO^V(Ap4FP`';(*ga=!Lkb-e7nFX04uW]EfpW2>V:2r%:#5 -%%_VUn3#emB=,S!E'#.T_JDi'qD-kp[(452?R%6q1o_YRLh:!L-:o$_Z\,sF7%^>:pCVF#B'oTb+Z.aP]nL2_u*#0p=Ln?Wl[]C7X -%jfKkH!DP[epY"@i@^/6oZ9'=F%DCiWEBLb7]G._ap40(o7]^FPTp`/fo@4X!S6sl1(2G_+GK'>NSFTGIT78X(`a[JQ9H>0#Q)luh -%g#B7M2ZT<;i`G/qc(-Z#6(8Zj/7^unG84C[k6tbpYo<&L@sRPGi#fZO/k3Rna*Et@Xfst -%1'n+6:YZ\9.::pn]:lh9:S8M-Wd2;A7.W>>H9fBi$R[d_@YK3r%^-_S%Vm7bd^*`c(?aFZ0(KoSQaJlm0l"G(6S6&;H$[eEXD&uR -%Nu+s%^J'8_7hlU0qR4cQn$Hkp!Ih:_h1mkEB(@GD,,aVRd=Ad79#ID%ca$3eRra]u4I^nn%_&0.4 -%Hq(lDEtp6+X?_kWf!o/QYuiXhUrY^qTl%D%62>V"(1'"eE4\<%B3U!(pS^^kgoZ!^jo2kCqR$2lD>B[AKWi!NO)t_D&9p93bm"Ebf -%/O&""*J0#8&:",ioN9>U3PXh$$bcd#%%2UbtVt%Uo*K)dZG9)eXD\)YEgUTZsNE:r9jH[ -%^2+I`RK*`1\ZnNg:Vg\0S8^H@UgO.FPS-Y>RZ>6:,6`RGB2?iUVf1UX_EZ>K*.-Lg1%tV0(W23HS#0f7Ji2hY!KGn6$L`Ib@Vg(4 -%+O-JE?%XT8WYK!/+Y6V;Uhi62I,C[jk.gbIrhaID4*2>>T*5nE4M>p7cf -%;#5AHc]69tjk:i3qYg*/.O"(<2^oTX6O2-I1H@0C$3lRA(c\[Ff3T]:3hLU;\[OK(MKS`.@_Gn;:?o^J=2c[U241ZFX"A[Y5Ar('5'E1L@`3*'H2IJ(;qEHtNT[-lDjj47Oa6k7%U -%G&E^MD"oa_HZ/Xl*q/b$@fj+Z,P0!iI;o%]&,4Ot3&it1/iQo>7C\sCL>r*n:S+CFDK"eOrL>WacK+0aK^7W,=AqQsK#.8ApkcUXN"2G, -%eU$5=>urrXMaW5BhO'pl+Rsbs@WA_FIk*Htn'>[?F'fH=B]92Rhi.J$p;C=9erH^DMn@DM++?m5nP^sL--9,`cT^o%oX#Fc -%F\Bq&\E\N`4TA+S&'f#4QVtH%c&s1>q*fK[+'LZc[>M!Ap>c+<*`\R42pNH"\,D6,WFFfMWqjIIhk%K,-Z:l!];PCP[:![/Nf>,M -%!E-4;hmmO3n(PBlhnK&:I7(5Bq/IcF#I?((SEeoT87t.bhU'G1UVPFmn1^c`iI3DuO@h\)2"-[q'_)Yu(8<[qY`bg"BLK -%1E/N:U#@*RqQKCeK^bq)T3A2CIh[..7d#dt=UGkCd@s50AgQ1gCYQ4"PKkc&Q_Lr)WgMs$27p87Q;k4]"^lnRLSI./X,(\_%RsiW -%s3kE3MFW[^ET3bjdPAoDPKcjMQY6p^8)UYdmL!h70Lu>K6ru8)Q>E09YMt4JG"+t*7">B)*DcaAKS+OC!BWXHAf-OAqTq6Oa:o=7 -%]So!MSu,b+_5g7ji-.)uj%'J%=^r6hABO[)QOt_#b\-'A]"ssZEJupkjT$ninj%f9<+d&!6%DaN\%.sH!FLjsak'-qQW_6L3&BW1 -%\-CtT&=9;Bp&k[gj>$c"_-KN1$^"_R-M@J-U,0C1o-3gJ*1Z/9MWtZO+M,q?9.V/R]7=\B2oRpp\\=W]#eH[+3,29;].Up;!H$%8#S>-K_&a.T71=X-0*#f;["3HL`F\6;h2L?i -%_@H`f-3M?+2NXY*#*Ks_g'`a<*Q2,mF3ksQ-dZXD9$eW3N5<7YN_E[8kOMbRZ]ZmNOLT0./A@'MLDW[Yo)oabE'>Ur/R\(E)-(fJ 
-%6NMfP1'autHD;Y:+N,;98dUL#4jKci*J,6o>FIN,=[Lm!/%#La`+V7C8#oO*ZJ4rK/EpX-]gQfQE>;0<4He"MB;DAYB -%J?'6?0*FHoFOj;_X5LAG!(!.Udr_M*_4TL<'"=eQiNE[f\3u+)$FAd]NM?aL>j5.QFM>KTUVQ5QR]j -%#g+!+HQ+]2!"NV6"NE%)>i.%#d8b.65SlKp,%XF.PdEedMB-diD?U(%H3un^I7&T3RBed*3+9dZI4kF#=VOi"SOR%VRc5t(-iadI -%0_WhEfL,AR]?r#iNOl$c/+.1E=7 -%Fgl":#TTd[P9:i[rPF(Im[T;pq#JuW-M4_PX$P(t$HQ6.3IaRD;BN(Lt,(r+Y-'W_C5?I[j5(%.M'+p0[8LnT_"GYJO'+F(lZbU>(LO\q70L`Z'G-VhV5&<>(8_%dO08)["A -%6'9h5W977a_]dAJ`9B"W4.u!e_T!DYY00,1M9d\?/JN`1&6t5JcVD"%Ko(q1%B>s24,>^/7WF1c[OjoZ%6ukmjd7Y,S:P?8l5HtP -%#hI`#I#a;T_1B-84HLkP,V1JH2cUDA/>eB*%<4A1$3UBc,L]CX_OT89P3=8?mfngJ0`Hu5Qc1j4N)<1Oc!&P%PQ@F*Khjtr(Pq5t -%e/OX+:jY_6:Y8U>!t`,V)htupp^6JL>7lJB*/[^I0HOFb[5_V8!luWn:Eu'\fW5f.[c7[1$"@Qba<*P,5u7X1Wj<-8e-$[e*da"T -%'A&CT1YW[[qljdbn<`s=!?&m#=hIX*F`VMq$o%N[%OAKaBV6$ZLB=bbd5M%h8G;nZ!E`e^Eqk5nbm*'5]AIsenf@T&sQG,8Au!TS]D7(T;6(@3?nSTX$=q;?=Xra"ZE^*XcI43Q0Xf\.B^S.eq-D!9\S7)$4e;mb:a+rIF@5qM$+oWC,TPE&j.!_35L@ -%_*Qq.ab4&1.Y1B;#!aXJL'^F&kUIc@=@WY+&"t't#F'"UV+6dW?g`U38-3Ng9f?"q]o=a41_q7/+5!CR:*QCP0RL5,g0dW"N#SL@ -%R8F!YmQSYtgR@I6_?_Jj$+MA"R_aiCLn$.$rW3C4d4%lrAlesV(WI:KhGXGP5L0O/aF=cW&3snW73/rD!P,0>3DLhT)q`^-AU^>ZA*du3V -%Y!5(5cPuHW(B4;oYN6G.pq&X\qj6JUYJhY5o>WKH6(@h3rd)d>&_0\$)_IOLX8hi5034r>8G!o!pUi$=hss;k?GB8$V@d4cF)_rd -%mnmKKds9kYbI$`kX$m/up9OLAjOXH1_=Bf*N)uL8X'DR:g$_AVB$^9V,X45JIf"7PV*8D"eno0Bd:'XuV1B!LA^^uVIk"?i']nWP>]Cms'9ZW1k#+eQUDHEB5YQ)N30&\#F-IJ2HF.B(;E -%*P1@fm2J8134*J_Uoo]7#6X0ML7B$[>889*'g&k-`l"h%\<"Zh9[4h_j5]S]rig"SBBqc$G\FHl-M_F)q7O\ -%q=FJ"99Da%YP50c*c!KM3`BE&-ib-LD:GKsG(CQ7D#n,BB>AjQS$?N#q^Ji7qY?Qd'k9Zo%e!$Iq=gQ7:.A:]pTP!`k1NI\5@/RB -%19NWTfofd?PB&'3lEc2[7K.1[*_ip2(OS6?[2:Zn!tE;n=WPWg3>D.ZLAWYGXdIl/h8Ck5cM:orU7&$(mgad7"oHhPq0k,e7JQ81 -%I9Qk4<&fjSSkBN"^2diFVj&7;HHk[5n<]=r]TX.ifl'(sX#BO4q,fFrLG:$H%18H\=XIY0l4kNW]]&6Bhn=cXm-U[/DA;\W"Sl%9 -%Z0[ATi%(rjB#3QJ_>dlB=H/&WnKFO,?ed"9kDZ7`5BLoZ0rS+i[q+G&=hVBM?fPbE>Q=MdlEOI7"mZu_(R8`3Kr0oce(:aj(&aA; 
-%PP/@u[2Xs//!!fHk-MV)k"Gn'7-QFAG&3QSQ^"(1%(Q#>0'?p-r*0A>pkO@\QUhK1>.pXnP/XD6pZeneYVU!KNG9?0Dr[TL': -%kfspL[[k%9B/mVu'_?FY7VjR(aXF'nQXhl1,AE0fnkeQ.70VN'CH"`+$l7-@_=NZJ.G=O8N\efWPNihLq< -%*G7:T);6Vc=tj^c_9\Nr]%Il9U<%ma859'^B;][<>TT+mF2?"5oj`XKhp&i[?r:!C`pt^eqMa0SiTrT0e+DE9LFKn0.F_klq587O -%D\&;Ip%1gAgXK>Qo$4*!UO_R8B`7Z'kHEW[i2>>?=#L\fi\[u9u>S[ab"A:,&j[@h!_BWIcA1tDs('^C9oW,n9+G_Idb6>";'h21P[mt_\)_4i$IuVc*t+=WNREB -%Ce3I;(bUu^0aWGQjl#u2NmOgZI*%c-7MD]Y?_+VK^*Vt7Q>(JO'kkBA=a;kZMqhQkVEMDMOmL'`:E'L*ZcauBqn\E6h9*cE@@$c< -%+.l9Q6(b51rhMt[F:1$4"$@$"J -%ZI&aZ:#,o2RDUGHZQ$pq(d)[7Up`C)bKi9GYUjh`>s<8hLXYd4VjfmkhQp_B"GMHPqDg77S?%E/l_SF3T*H"@]PVb$)5oat]6kbH -%UXu%=e)JTJoN?qj'5$srVhK,0i4r6ZH18*0G]78;LKMFdhX&93a6aP@LEo6eC<\l&chb_nI=C(om8JSAhOAX1+74+7gl["h=,]d\ -%28W@7gg%oD?:+34)22pIh=-+_]VMX7i*uG3AjWS5cfKpTFM*rR%RJZke)PI(AL2Dg1WdCNjabh1,4T[6&SN?i+ipR[IIP -%;RVFob%.mJSDC"l?er;9mkoLO\uj_rXIRtA4&rj/g.6Bh@!Z>Dj&0i+4Z";mQNiPD>:Q=>`uPn^M-KRp;O -%:bPIt9n6i62(F_Fa5`@r:NI5*MJ)HnYic;e8_8jP#5VP?jjf,SA9T@J$kj0PZO#S0Cgq,m[LS;la3_fGntVeL6f;KZB:Wi!i#qS= -%)fT;Yn7"()"?;&c;kR=McpC\5F_"aS_&Y+-('FSRkI$5*&)=W0`lbo"kZt-nF?"\$Z$QO+/-P_hK_=>.TR^\SZTNR"YXp!eq -%6$+ZI#Wq+;RfQd0^;O=Y+;[OD*`HKG'(b^FJ'^$+<6J0U7)7"43IIXJ/07\lF0;#]WT2MJuu31G^r#OH=TZ3&cB!RUgdj -%o^KX'6_8I?XG/\QQ9Rm5DrH3KiFj:)0&\e"<9,cT)"jZN85.=n.1T3hD>FC[&"m/s@Uf4(QqCj8occoNsA1ZEO%% -%:#b:NE!A,%!-OH$[Y+&#@4qG=RFu4\")t[U,V8N!8)-Ib9@1eQlS+l%2?QO(dg@)Z[a'+&iM8lE?i?!4''d*!BI+l;[-;O6!PX?b>EL25ZV!QSWH-:CE4a!_KLG?g?/,c -%NEron1uX4U78=iS%"UYDT]5BM$8k)&")]Mk:^'7G#5k1E?%BJKqiF0mP3b,>Q#86A;@-]$>mk&g!aos^hl[]qG(cmr&$nQX)4n7S -%8M(4dE6LXi==/*cJh'lLeBA(%2uk:9%r#IG1)VhSrbbGB3:'!(/lOmY+^?(YkCR4J$:7+i@U8+T#5"ST=LT*Nm*.VNRXm#7b -%p]Ai#=YPD\PakFB-;-*O!CI\K'*2Q%#g)*r:d<%ek;$"%#bQXu=_WKB+fKs+Li)KG;LXDsTf$CoJ;$Jl7a!$BbA?jRNZT\N2`Dm! 
-%/Vi!KktZj2lrHZ'LN!pV)?>C+5mc=VBmqj*W#dL,9M"D9&S]'R8dZ\++"GHbX4T??Po*98VAVZ*L[,q)oYCO$eQXC-HU%_$T$drh -%:n8K_NW^$:,I8TH<8T6Th;gh1e5]'sK-SJF+$U%Ci((,cL_B -%+s8#cQ2$CC#]R`$n+mA&i"QIn;G'2>MRsH3J5=OA*si3,%J0U'5eui[QsD0pGBU^(a!(7MIJl%2/,R`Gs,aF6+o`NJEE?99!\Z_' -%^:^YRm!g\`Yl""$IN'm9/+1TAS\adp'\3&/iS@t(r>gB72ARe[3q_;9hEu0U@"lJoJ+f/*@kjac!ZbCNWY^[A?ID`.,\-o*GkMRp -%ZsU#&`,37mX`5'Z9b>qO;pUYOqJX^#AIs4N%mf"f!J0le>'=X'8;27,f+Zkh5:S3S_0:c'.17E:*aT-+n23TUBW_/S(=2jsl1Nrr -%0.rpOje_5[[>P.kFQ-.NYIkkPRn9Q5VSi81o@()@JfK4M?X1ZMrM3VXmPTW@^@Q6,#O2K%;!dWl(B3]m'3Sj.\4T!rfZ+?4UK"hj -%N1SV0==e&b.Mi+`kf)G8rRJ`AY;^@M#c4Y,^0WP^@kX&r/Z!>?Hf_o+Z.R62C0+G6bHI36NhA>i/SP;NRPRbMESkW\m%*(PZ*`t# -%'jsS%ch;7G=?W62m?>t7KLV=M\r$\o9@K%*\)obKm)*>9V/+sjGrpUd(n9t>0H$YG7J.:"Ap?Dh" -%4co3M3-N0HA`)\L+.)Zb25#0*)WG_]=@IlaV^KJnR3,0KZq9;'?[k]Ij+cU6Z7E0N%X)47qgRM^p=2K5%q2uYHXOk3^_Sj$, -%[suq`?8-MB#2RpS[s0Kbc-$B=p:pS_kC?amR.^:((JfNL8aMn<':gN`#GV6)#I3_jZe*<./Vk<#MOH>'l:l41M?'NkX?I0S5kF6bT+*m]3B -%h6V)lD/jW,ZWN(HNFgBe4"%$nHgb22ZhN2fER`k@G#2#1M^(&!(Y=_=0WJ&kq2Bd[76O#)%@fgYoh=KeBr,NUgNR;'*9r'DFY]+#N0?eo>\?GHk?#+3P[O -%j7o&TnJT8SeN_j`0HYSqFmGqW+13a@9>#"fYl7%>^?!-'P?[0kWL3T&.ABfsAEJZMW"jCT3^R -%mb^"9Do;L%D3E'a/P"9Mh$8A@If&QHMUV]@/Uf[+n\WC84#bCLf-Y)!PD[ei@m$YXn"Ffg0:P*Y]B'^9%SJZmn1[%dIt6k"*060> -%Gg'[tMAt'sZ`o6cn\<>$s3fk@W7@k_)DG%0&$-*>9^j$)$0V(1kuBJh3M2am!Mc@PlGplWLUs]j+GoR`(m"3rpiH6R]KZ0[i-#b[G'a$BY\\3Kf#/ -%\u\(=]e;SulQ?_%6;[QF+?j@$N'V2-9 -%gEt&CT=h_R.o'X=K;Kk@cE*5nfqFiU_@q1Xl/6Lg-T6-r5g6])j:;e[Ch_*fJt^fWd:22?n:!Y.P:Si\a"Al"O]0K0I$U!. 
-%NE=K.n:b?P*57R$D/ke"CjI>eDi/>HY#^g_O8.;!\OVQ7=GLifF74QS<,*>2id/KdE.o1<]BP!o`Fk@BS9 -%<,0jK6#,fO4B/>E'Wi[>Pkru\Q*M&l[3Z(,&t;-UY(ucfRBB4H,U" -%I-RsHe%^,e"F]PK84=1m*4hoEZWL+7EqMc&1-J+p=H#\"lJ^B0.>/611chF@Z:-kc$u&RG"IfF<6BGm-*6(#6Jm*\CQ2kfa%7cE_ -%a"Z%!#SQgoWcSXs/dp#?nc6lFN*GD""oskqGROh=GgJ6lWphm;!eOSb7P]+*he!o@a#'#q..e*(Kh\X];J(\AU&rNB8-l"X:Ml3U -%Lt8&NK>POOifVhQ,I%fKY/[Ute/53OU\Tcf/ieI7+q8Wg/Q_EZ7!8]8/`G]pBgQ>#*7L)5#M(>n\As,.NohJA'hM6[cOl0jQeMVo -%'J!G"6%MP4H#?Jq8d@P9smm -%LQ!)S;CcQT#!kKDW0Tk&:t'Y7@%q$PF]$la=@Q'.!/r7<6%U9?3V5Lg(pL`fOrLbr.iB[J2.M?OGRb(f)1nD)3.QXMOID>n_XMpi -%HEB9_>U_B--Hm6%k$Y-o\/6t6'!db24<_0IJ2MVC#.PL`4A!NF1o69rS&O0/[Sf9^ -%M'jtfI5f7lKc42gh7+.;F-M@\MI8b<"TU*gk. -%bQ7Yf!JT3hWclA#dod3_f8u>=/ZD$>6\K -%BumETPF3TtR>0/WF&WXrgC^:L!G%8f:bp"$*Ha;nYAbRuMCtc!*0[V23j-GYJSDps-4O]g?3lW;S]r%g,D-E(/)*d/F^e0,OefcT -%9uoTB_I9La`jLrY#!qpH&6JoVL2e\Sp0c4k.g_jH6kWq/n$>3UXb>AZ61:8.H6HBo7-eNCa?4jDmJ)Y3Zo+O9FU`r@ZJK\*c*.AL -%*tZN9F_"Y!:T>;@<*YU/W)R"/:"#9kV9)'%nekhO'gRkL9XJ38q*"mrZ'Wk/^+JDq/=eDYWEC:+Z1t3YEn+C.c:DIm(I93Mf%$KAe=;HLkNc)M(Z%eU2OK'U8dR9 -%)_D&6Rb5"jJAERWC64-@]&nO2jn#TRC@+n+S(9-PG,GY,i2$X9_"6n%+2S/&2Ts*4( -%dL,!t'i%Po'fRkpO>Bd-Nc\+b3DpZZn0-M5*`b6878k4L2]dS!%t$>:=]cHSct+OcaGhDt/D=j^$__(r$tYd-*IJZ_4TP"5.PV5G -%RrHRm7FA!NgEo7._o(T#38Oe^D]NsZJuJ2EHjM)'4br"n&k.C3'^%-mU@707]uY8Xn`H[qfuBP6N=kjIf^^3Y[b= -%mU@$W95F$Z.e82UZEQa*pT2$OiTd@\lDX`:anR4dqE$CGb(/E*q0(ts=W#Rgt%2dH[&6i(Da23BYI6N+aAVK4@J@7i[bi?'VOpe?osi -%,(j[3E!gU;b])1o\]iGNe1ST<@B]gdR'TW93_a0N-_;S@lq/-83]qRo:(@B`BJTi3)oms!^nF:q2Fit"1d$O(a3fg0W\'t4 -%ABJS/%5OBJTtk^"3?6!nGVb6_>S^Ir\u!Mg&M)1[G7n@FdT#'5Xo8kK@VHH0LTdE9atn_OgNCF[7(UGn$f]O3V+`"I.YW+890Y)dXK+jCC4S04A\M3*hX")++iPGV8 -%C>sOHG(mY`N&[s]RS^^2O3eW:.7B!UfN`Sj[13R.D;)h/MKl.0)+W!W#*.,b$+-&+;74:AJ0Nd1qKOa&om;0bO'8+bS_SB6_6],[Z$%&f[J\Ml35 -%gWYR>=2*"VT`oZ(MG_sQ1_0:Kl%#!U&KSGt?1pG82J&m1kb&njCMf8o_SC\A*ChJ1!1kPQk,98XI:RN>CC,c(L26;7RO?B3;o>%. 
-%fa7'TY0p;=]f>ckTIX9K_\+!VNt,1_[G(8R-cju$52U9_%1t0/eeRqbO[1*/^/g!'#Bdm]0]b?OH-p` -%@G=HsY6iH9*7.2Np>H5`@>&]GTdf^>=ob90bak?T+CV2AdJ$!!WCO,NbfC=S/([5[6j"*e%rlhk`'d+,&V3RLU$('g;P74-ai@aJ -%T95O.Vn6?G>$f-rnO1e*=P\D11N5J8Tom[(E\p>*gQ'XG0F(fD -%$Ls?+Tp7\(KcDoWkRR=(K>loPo0b<(@&9!CF!JC/?VZ6IQKd$D&j;cq^]BoI/a?1!2)r(8aB>K3U'_?`$+oo"kXuCEJL5<93)+DG+-PS-&TdclP]io8U-kX`a6snn"phEX*i[I!5$^f!ZCA\gUG@@gU'3nODZP0frf%q -%3!>m^rlXPQ[3hG+2s],)C0'LU/_`06e#m2?p)TWECXt4\^T%gc)aK3:\n/V5XptCM,HNl$:pmBbmFsHJ:npV&VEo,"nW[(I"@2gp -%+?;tA,RBN?[ap;6^-(A)6%bR:4mfPKinDU)@`"N_c%0gT5UY<`7Noh$Ab+k-/nG6$11p@]E+qPPp"cLq:#qf6oYb%^^Ql'&tI+d;DV=Hi,fjN$4>l\]Ih$` -%*!-[N@`!RXfQ#UCa$Z)j(bFbu1Vd#Qn[8`!8FU,_@VeuMRk/Sn)87Rf0EATiTads3K/"FuQ>%d<,+Q*gE&M,Hkd!FkU2tVoOFJm4 -%!Ue1rGu+2Q!%5Sm:(rS$QcCk:i$\8c1l2#;IYJ,"S,49bMeeeEQXK<+-5/\<$3p@u==")GrbZ\qJhu,40e&\'4D"X6)I-+(;Wh`":[d#iqC,soM")HA,j-nq"h)Nfj[5\@s!SuGr114UE'oHWYNi#qK=(a*eT=Wq.6Y/N%7PftM\Off!C10==Q -%.I)(;UHM.&5naSH=!cV^:Z]QRa,qT]Ba@Fh:S^g(9l1rhHN=FEk?bCX(mZ$"[]RY;RYV'^JL&,U?$95aOdiO\-+tY9C!rBU,##G! 
-%I)V?qD(jD5!%BAB(!^/S?-0QU%q!]e\WeI-Nb/K&BABV*IQC%QFrZ![XoRQIF`A&a2pcLql3-^pRJ](@QE9H0:T#>nDA!Y>d,bt*MI8fR9nd$LMHBJ.;cM3&mY -%5YkIGG+98PaTX+!d@m+qYiP>J\L6[,A@aM#$b9X.#Q_Yn,qIB29S@_;R9kV]P5pot0uQu@/5`^KfGK9DBYnRSB>p,#d(r,kIY>Cn -%%\!Ju/Z8`+N$qB\o4lQO="7=Z97fQTU:Z;G#\q=+o,V@_/?/^*c-iEI0V"9L#+)d[!-%+R'h_77J5h@DeWO`=B;KPnd6bH;XcT\) -%c87:*J6+:lm7a"\&Oj)]'\ef@LX@K^QDRi0TA60j$^>;BF -%-MrP_`*og_S"^%K80q*/NSGJ%=!ZDY3ljSG(faYKWiOJf`CA+2Rj_8l:L8dr&1DNWl4==K5n.KhcsZSS01Mipj;!C.9+Q'[h5V@G -%Ii74C=oqZ]hTK;Vg8cq4a)L5BR.,E^n#FVRRMm0Ljm_m*Uqnn:jXq*TlM.q9aqk2-8Fb>$[apnq/$fpAVkF_!S'F(9fh!&8E)i'H -%B56aK,pQY^L-f73mg*kR7h!/V"VZIF9S.e'>Ctcti4u]/40Rn'Z=&AbT(3l+nd*)<0i?o"b>Hk>*,d@+(9C]8iX^9Kc=]GI[J9kLnYs=_#D-Ai3T'63V$6H^m=paoK_<_tX!?:iR!@'$N@5:PB06lO[L+%D/oR6h2m18Y.dL8N.o?n)M#"2u)'h5_.?&-5L]&V<7u9dH9lD&reT_,;Rq#RE2\%Qagh -%MJ(NBFG]<^^iW*Q$p>QiU*(p_pj=6LL"HB5hP$VNAgR[iW5OXmipYFYr"G#Cad#J`c,\p0:6'>U!e@Q#1!LP#6`3q?8ONpp$$V)= -%RQh4TZ['&GHVdPG%RKQt@(nb@2!@\^WQ7SN-#0,D8[SSj[keY!AH:I9#/S^132-U+0oV4^`F3#07,S-.N9gNE,Psr4!aQTr\Dga( -%]+KSKoRoW%,?ck^]3M^eRY!#Ac%)_XnQcVu:B2ak-?knb$ofjTp4e6_OH&+6a2an8Jh1m12iKA>P_T?7Cj*^ipj*_rJskEH)R1gV -%iR!+_+,()q\)EVj4,0RDWXep'acljm+d'q*$"a#F:jcI]$Z;nqD!]n?]h:B;TiF2\eAb19'LcNb!$"D8l;mtinsRfji,B78JhTa: -%e:RrN$?(Ql3hl'Eibf1J`#sFoJjVd7MBPe)^<\tf$U"Br*WK9>bO#'ZL]kDX>d50r.+BSenoRqM!HAf4*8&3G"Rf9!^]oRo9lh$! 
-%JOB86peK_U7.J.Tcs-k/LI0uU.`SNA6"c(BKb-[Jd&\4k:U:iAKa3l].km_MZ',Zj:T;fH&Bfr@'_/j\joXL,/e1D(TEuVOUY@M% -%'[I=SFcT'#/;'=i.+,7Q?dk]A2#dh -%5<@_T7$]/4>mR&l^1dl3(E?Z.^bp6ph8.g_&1L_0/>\j=HlZnM6Mp:b'U_?o*28!9m>BrC[cPaPVm+M^nh>YEk-\Vs,c+p'VfLu:X@eRfA[#U5d]1hC3XalKuC_^=B$(4NPaR%8&"LL'2+Q76JB0ZkBt;#qIdgD:&GMV'6E -%FBm`]\>@/Qb$tZIk%q]\EbWp`;9J$_AZIg+KM9`,M&$([?gpTZ)GQ.p?ULCl=MK6W*A`-/9T\nW(/UC'FK2M6mN3O2Grj -%N;5i%Qd3;X-:OZh+e+(3I9e8]I#P5Zfe"=C8iW[:kpX]I3*+.O4!@oVA,!&B/Bd$?4-BrPJ)c;Xt -%Lq@;?:qA#_M;\>!Ya26pm73'5RafOP>'-H1*K&-pC4_j'PPnCqIc$eJ`>Bq:'Bt$$Z`q4V[%F4R%uF*:Z"%JdG8B:FFG]I@4Cb&m -%c?3^IM-CYYCL#$os2G;O&H6Q]I"m1;)tc(PQVtKJVdT`lR!;%FOie$OI@;%'DbpL=p7ipam0IEXa]F>>O_'0<^0G,AM:;MF]pds# -%9;pN6/=l9Y3e\J>N$1GJ1\po-%*K/!/&2uFq*f7L!ME/8+.ipFb[Y+8XDg:)n5(D+8"[]_`$NV4L,b>U"&"mIi#%oZ,%5lQ!]<7" -%/b*Hd3u0)gVC):XNo("iTZMXlfJGSSV8P>AJM>IAKZSW4#.Om*2\)h7E?YQ:b'1s<_!uNnF2]FEXBC;&duhH`8&GlI.tAXtKG8eO -%8%c^t3a#=%_XI"!SDgdY*"0ibggL5^B[,8j1r?"f8"b,/IKaeaV_.+)Of;8,SMVC5Ob:)s+oggA,DJ0*`i=I2U.@gONe -%%#;)nXS7D9:L`%3#or)9ksu^IeG)MsS$?:l@9G9[;rbXe]?/)^_Q4:?6b;m(fiVsP73`&F=JaBf3l$?JV4'nKa:Fm$?09' -%Xj)6FK@;_nt(b)!@l7$J1Kp!,-hsB$"R^QRlND#1JjST0l4i(mZ&2 -%mKLU^6)T((&*JY%=F>d!(t#E3muLc.LXLc`EU,V%bK@)+3^`caTUar5$!3X%%SB@9koN+1Bo?h`FrS@kOeiD"S^=!Cj6j55$2;]Y -%-'WZ(Mo"nH\97;Qd&,E:8G8AC;SaA+S`G&OA3Ah,U8&U`PINrF@1?C.c".IKbM50V3aGA_U&tGJT%\CNgBtANNZ?ARn1_![+E,8h -%Bo4;sBWX^'gm!dkIDV_r&RQ^-Ci[`'`O?,lOi]+:Yr75YF7Pg+blu9m*KUdi$1E@T`TST=V@4&jeFI3=]>Ndf!kf1]\;Cn\a&u\W -%i(*mu)8T=0,],$nVNUfbS4-s,;,LXim-qs'e/1rf'W1ej!1(H-Q;c\`/3X,MOQ8;"#\\fDq1tPC9'H]B0PL/t#T=s>*rO,XYWkB_ -%W*:_u^GC^4/D/e`%hqUK8VTL=(]';XFCXYnp+h818]it0UAPb=!9&0)mYdm,!T,A%5tE73;:Ik"7$9B>Z=.&+P\+kN'@$W=o`S%B -%5g;N0J&$W$R7*:R'7cJR,_@2;0.b4&?nDZl+,S280F:;G)4$9s^7<1g/\NM>-\^363*@q,8d#BQHK3qWnZ\gh5ebBo'X0uQcX9\7 -%"ElcLZfDiDSk-(;UBsdEII^i+g_`VNE.E.qKbPZaZ^c\%659S'dR5Blr!gs26a!=4bZKP2r'6R%J=%2>8tAZf*'eBX^qGqj74IIo -%W=eXFd9AXcVm-sIH]7!>,d0Cg1k;3t@1>UoKLJS"?jqBC,#jP`_EJV>R0c=d)OHL,*QLt%_^WJ[,TS[emf>GUkX,tBI55sb7KGk( 
-%8Bsc^]VlC^&qGDFJUP/_)?eh9*"epqM3>]-+]VC]@80>h7i(-g)%#.s5"t,9XOa5[9'n71+'m8_PZI;F,c\,"up%E4cr@ -%80S"I<"A:)73mRXP[8?`h3X:L`X%rl&/r5>L2^-q:1<99A]9t&%aG_`fQ<>h3oNJ+8->:#,1;t9d`UJU$CW)'P[iTDC^H<>24AdD.T7A=F0OeLg:r1`i)B6,KONFJOpBjXKgIcB:KP2c30-JO1EqnNFZGUjJYCLmmur -%;D'#Q'O:2K4Vj(K/Jb.^Le+S'iHU"V'>G.9%$6m,:cG3fOd7sR8pj:)Hm9oMnW"3L<+uV23Y,4fBTc>Vl4LlWP#ClC"FVGa\[2kE -%:*:XR1h[Zfk3,b0Sba1C8p0-'Kie?O]F0/;6eW;rNRKmKtt6:_RlAdeu%g4U'+,3<0h;S5Ft$Hg8q]AY$[#aV9Z?FWG#H!` -%I0'JuA4D_[VLN@S7^7)Jk'<,UN@K-krC^'D!S8W;raJi%URK!m705>T&k_FjS9H(i->*HO*n$;a'88P?W0@.8rO,h)_Tt\"q>@%q -%,Ke1d=jb,YH*5@ -%4rTH^VMl68E`WgL=(^A\Q*/`7jREGN;9B7rV_LieWX_ep*f;4ou'Hu%2a$YUh+2p#9*%@l)PH`RmuP2 -%UuDO6hUXIMFd[HhAB`7:A&cd! -%nHt`7B3eT.ghZ6D^`*X$'4NdERWJoM_G=9*60f4q&V;r1@a^/@#uQG75d'ro9M,U)Qe`m\5]q+t\f4=J.J4R$])sCC>i=R7CC*R\ -%N[n7P,gZt5cVbCT`oP@;nOQbSk"9].a67XHdi0q,51=^nn?Y@#*AY:u-N8@_YJ24o:e5p&N]o<7,oQ=DoV0a#PVG[SfeZu#([6iGdY_LG"p9FG -%^KHofj=I3I7HBNd6tHD?!B -%#Gh_63<0Jl.)-FOr[D-;O[kY'*`s^5YWfujalONL-`,9fYGE?\,0<"b&Z"/Q0N]"L3S(F5I`42dOn2>#RmLR@Yo(b&$DG$$6S)-d -%rIbCK(<86uF59^c!^)G\Qh)iYbcZ[\8Fu_l;Ma=Fc/1..KCZN6R!&_*5_/ckEFnDGY)8WYUeh@0@.=oW:qVCl5Q3NT\jZK'X! -%A*(?]W-);(Q-4.\%Dqtr$Mg'iom5H>\2O3I2JC4tE7ioJ$*T;b/(_!:3u19`.fktIQ]FH.@]q[qYptfmU.&\$NLM]&&;:IXJ(/eQ -%D2Zb!D@-oo[X:'1D]4bYjT+]7#;1e$Op^A9C;$g98n6YYf6])m"fZ;ZdFRjG92u6V`@-QYU@SD&NuLHm@7Xt1B`)3fA_^7#d-00t -%^T/OSC^b[.nOd@R*e#i`N13_s.F+Ba*WJ`n:`LZV%D=?]DGBg.dAMjmi*S`+q#AG8P>"C>^K*^mY@j9W8B4U&^K=&&5Nl;GJW;JP -%@^Y6r.1P?Q+qQ^W*I+^5rTKUNiFRYmALHQ7lRf.Q?4=l -%JjYiYZV`_HKLt_<%Cn7meS@la4/[_iT*,!%U^d1k_c\!8\P$RQA`j+((27kP)5K+gd?4k)jJ\eTm.Sd_Tdh7@mU1__+M[dC"EnI@ -%D-!LU["c$7Z;S+hkr.$K?nEt2M"pGPb:tT,)H#h5BMQJ0FfR5bb$YlHP%&NJ/%k]BEJZ#W]%(+YYIIV\Wb+L$:9WS^=447:ST8R0 -%A]uGZ*&MW/(A91b.QF^,kZg;@pfO,'K( -%bpS!D.F]7XLp"is63UPW_L8H,44Wc+B1k5TBW"a&b%N+UkWiTgkIOY\TDQMj>,A_!'`Y91oiCoh1;X7%IVq.1[d]=iqVqkOSKU&6 -%RMA.p2M_8!s%2NG)BB?dM!_k:>Ffc72.:pEXu3gK1.";'1hkHcBS=?.@lhR%)lQ!TDe6l1>.Pm8:M7cDA$gDpdFp1Y[;i8'6Yu.] 
-%p#CZL.Zh.VOEo/;#qFeDU]K"9/eWt4'<@(,%E)lKFMmZk1P6/\Cb_lQ`,+G9gRN_+p8?:(ZnDAlNI/&Fr]M)rWfU)o8l+Y062.L( -%>8qd%0MYM25;;J;7\?+NN2?O@\PX%BX2/Ls`akJ*Ib=NiMSCCQ^?9G5s$Wq%VQ;Q?2rh6g2V -%:TH4&+lEm@Y//s3%n@j$U<5uA>]3>GPYJ`./.J("f[r'-gOBD'7712I -%jh$^RYP*nP'9D>_RB"l;S^`OjQK=S'W"!#h$6NP+bgis,b(4!WrBH];W;'/j-S[gLAu#/^RnW\dK;U=i*p172faKI.sK7;bl2hJCl?*Xbl=age"s+c)dq**g';[oq6eL/8kCtb&*Ltl$Jd.kuc -%0V%*jE`9@V,0/`$<2og^/tP%GAEhOYO\EjId8BX05+p11%P#uX];>!\:"/T1F]TTCJNr7XG!<8O+a.Kfn,N0n-&S$qW)".bj61Et5Dl%1JjYgA2U"b92"qsaNCqs3+Du*75o1cGEhLp0U2teGJ21SAO -%>''J:@>Ql!(osb:cF)#n?<\$7b)2u\epE%HVEc.04J\1^PAf$l?XtbKnmW*VEbR@u&`RbY.iX]#Hu8ib0PU1!lCg-`j2Tt$%f\.9 -%Enk@,2Kn0PP^7.1[0DA,+ofhI'?W7?c&?tfoPQe)Xq%E3_D7`u:5M!,Ep]PLb@Td):pZ27_*?9&VRUklM`X%V]o?t-3N[*qp4(#h -%rXF;BZC'5V&L$nP<8,^Oq%"[h9ur82!F8VAKp-&0jiW=(3[P8r\>h(U^o:c2%MAo"KS\mh:0&Jb@pYiKd2" -%ftf7Yoaa$lQ,`hns)p*d[kYSr.IZGFmFQ%HH\>WVj.QAT%TD?q[CG+)m$jQR`@ZBbmR`<'e[(mkG'hZ+6KBk*q!+pOE?jWi-\""+ -%N#4OMBXe*XbW'.SN^H8E/5i#$$?5h85/4edr2Yif0H#R4BCKY6f_f-sr]QWuot_?[#1Y$)]S!2j0'b-Hhr.t_Ie$bCXeu#'F.d54 -%D(ojIR/`GWruU=;j=nW(<6G39))^U-ro.P=J#TPld6_2iQTMprLG=Q,QQt]s63R8i:Hf^W[".jI8G`-J4E.$`loe[ -%rhCiuQ@^s@a?P!FA4Ikd7kH)L7jReH2pn!L;2FKmS*82NI_Xi0j8\>"'!<1OB,&\DCncc9 -%oL-f]6Gc1G*DQO.-]04J[=:YH(d^GBe))D>oX@];AJ5mYo;FT3$/V*\_<'Ml.GDG/t%gMX2EHP8V,)GOZ34r;1 -%@-'rig(Kh!^"3qX9d$LqhQ=NKE[:;D"4n'HNf6) -%L8d\eE,/([/7[fS=gg%?O!Jl**+^0gPf*Nq<(R&;TE[IAJ-9$)^d3SB77]-1hb&HL8&cN,"VtbNpOBqYc>+)g1"3/r>H2\,3%KGF]tB7UHBKC@=pf!)qLkjdONQ]?g)F.!Y"q"KtMFY?OTggN)5I"-#0$oV,%Dm;heuk$]9C>FETYs\NB&raokL&tdBLuI?*p+Mr^8:gLVO%V1p@[c^\dmK(5C=t\_ai,&8*sib=\bbCJT]f[d2.6KM/0g(_KDRaKLADT.)61*8`('akTT2-H1=Or!.$STO5-oEbG.&5G=>1F"a3>XfLag;; -%IHQ>\*3Sn+EkB6YT'O/i,>nmJI9tk[oP8DILo9aRAKL51Wq-]8B>a*^mP6 -%?Z$KWHr&AXlNA4CR-tFL`Vm_dppJmRc,Fo$d@I^F5=-V2>$3-3l&UEqo"6r]A"(J-\J`hea%^j7[*=A,%jN<9NsBRJV]I+es@D$4!.CG&uVSU-_JPfEGHlpMcNbE+8U)QXb8b]eo_fn -%=*c`<7kpSY-mn"E>N>.Dh8*/gqApq=TjN/Q55eae-&R]seuja\7MCe@h$d.%9X\"%[8KJ28imp2GmRjrPf:mj-f=K.Tl)Oc:uOrs 
-%^iNmNCMbn6F@sk_NK9B?#D3V%.ggb38OA0FWHr_bOm7>Q"TCN"I+6Y6*lNt7mWMb@'b\A+_k/,-2#6?qn2K@/_e3G*Kq8>r2k@+M -%gd5T+CA#sIot"\e/DJMfQE[CW/=s1I*&epa`#^4+a7qDg<0)ij4@6Ts8/U,j(2et/dta$ -%[F)JlBs5)mcn7?I5!V%ml64UL3#g8rJ4<:KSQTgR&Mf?8tRC!X/fYYQ)+OM2!\nUjE3f@&!b2H$>M"A$X%%< -%B#ZIQEgMYbknBAfL'mQSK4pOaX6$CbWeKZ%MdZ@]Y9s]h7I81SYh7K-:h4QJN(0)&1)-l?,\%/b&Rh\T5p]sW,Qe2>*['hXhgu5m -%"L+rN7J65GY`aeM.lh;'5;)nQFOWlUKg@Gp<"]g76.4AJI\[nq_35%&6nT&])>g/C8Qm=[(.9u5\P+!BVYYW22d.jKV3P&GU7msZ -%(B"hF.q`Ef>uJ`Y'j[rR].QQ@bK!s84oYrTjD*Ge,W`p&i);!*cpc//M4mp&)jrgYX%nVN_^qN#_\muDA4V^V]fh"aJgY#CZS3._ -%#a%oJ?iBi*#L30r+Id-=(=j8;$pi'V4rfVIL454FrDooL2Ef*!2pQ-)3d%o2*0OG*ss7p)5#+Ls_9kuB-gQ(oEA7i]n<;&*F -%qu6N[!rVf^&)UQSQ;p*S\kO!+ESBquLIY7$pIj(];R6Kl`B`F.]i>r7`LT -%Ut9J]=,9('OihW$DR?^B\,M\7dLQ)>m1@10J1T!EN&LK+8Gs?'i7ZCFLrY+hGV],bc/q6lg&+E>'\LW#N(/DU=T!BtT0K1M$MmnR -%[#"1iDPJD4@/RL/3be*'C"7u;U`H&7g=+5b[f^p0lm=.:ec$mo1JZjeOgR_:rPM(ko&S&Y#-[S^^b8SR7HR\`>Q"oVLe!38+40@&F^$_,*kZANj&%R>R8o6]0hPlbE%Q5&&`faY@>I$U9_d$d=11`kmLmTkL.OkP) -%/ZBY=D:uKdL)Z%b8Jf,$n/(ZXtY0k:\=0>ae-)=d9Lhc4F -%[jE1T2+!c1QY:*0Mb;Ns/N!&72N]NuIgqK/5=C,+:EZJah\4eOchaXO?W8DF7@qI>KFpL"78/Hb'p\Ti3t`1:TTuD_+.$$B3U-fk -%UTO4#'AZH4S4a&>ZQ-2+W\kNl,]gV]R8&J-lHt1$'g`X%.rBRM@pCSS7gfBIFTe8Jf%\C'W& -%&4M3:k!/&hFO7&@e/1c4*^$bRE0&ES&J[%Lc%4-ORalp7XIQ]tB_?&f$E\bgNm"gbg,ZM]PKKte2R5;19jRr#S[Nu]fp&@UTjM^q -%bN!$CgM9rY]_gnN54g/_q.Y_Po0iol7D5`^)7qF6Ujctj_5EDYPub(fRj'=G)`DFoT[jGKcB;+Hfjf8/rA^u5WW$-+ruq"aIG.O% -%BB]VrO57,?XIR$G7?["rS)[)%Gf96?N1j?j0Gl:h8p8ud80Y1X7(\/mK!Rb\V?kTmd"4*bR#8KGImu^mpL(Ch$4KGLR8&6h>mlXc -%<\W_E^hL/.0H+B"[hTXXA&nnGTZOtap;uU!4dZF$Lj`H#%#QlgUN(W/ZY\338?kA,+/uun>jbAe/(h%b^F$jA4%Kbcmc%`q -%P2[lQ*KIYQp5f_.07ZW&`#i/WrMV`6X%(?2=roOk=jp"b5JUmN\FA[c54)*l#&foLJ63M:BX\lA6jb`Y.&2nHXAY$t1H7glJY_>3:(WYX1`?Is_aqq/H4UTDU1P&`CL=r\G/WN\EAPp&c,;%B6e]fYW57X>)LFM@QcQ>:s!Tc=a20c.8]F);$P8BJ^3.PLPIjT[:^j^WL7llqb?)C,_VNA%!ok'iO`V*_iS>HdJ,Fp(8\%8:tS2@U3(^$_f*j -%#J72k$3ZhA-upH%'[;N8(FUVt(/q=H;s-D7RNu^kJg7!Vp58i[g7tK6US`jNQigZ,q!'U&Rq#X00Ak3\c@]r29tZ$=?f9$JnfId>72/q 
-%PUe8N3`gjO)+D^KnnBC+Sru$2^gUp@NhWqAUhguHM`@ZZC_4,eEPh(t'(8HDbe$2s:;%rRVI)brVIJ[b+iSK[9?C%8B\geBSXW2EGj.O'04]W-*G&Z;[cEgMQnGr`caoaAUt@U;a`F*U;:<"t*j#&-!W2=K9jl3W1279i^/Z,tZPI6(4NgEXFah^S9:&]i/*tF$b%u@8t/LT:YA5u^GW"I2^JJQHG -%28[m&F(qb;,,pYA>:<$?iTdr-56i9`I8M7*3(m^icWZe81,hToEboI4.sr#r4tqYiHpqd^[-OW6f$S>CN3K:a.,N&35iq5!A@7UoV.K*V@'q?1 -%+Snkn#`^%h!XV[I%E.*LUn)@FN<@83am,V.hR(ZL7i[d(4";gC.P7$+NOj(Qdcg`-Op&(-e'd8;LqhZ(UHNLCc]iK$"QOY_R]XCo -%H2._88K7'-==S$q$N/'=)^RAJeR\i*0IG_KRk'A/sQ<-mi>".Q(g2rRKb+i,i[m"S)-QG0V7__hR -%$JYDl!Z&])CELq:Yg#p3oE:]FXMDlU,>JM(ieW+0:'`i=OFSQN#WSP'@$ZjA?^dI7,MWDAEC.I'T[pS`[2:Xc-JFStb`(=k1)/L. -%C2+:4:dIdqXs#A)#M"jS/WSiqli,2nn&&rnstiKt8kNp0(oc;C%"KO`d_*-4H`0df(CDFTjIMi_duXU^J$L:*u'lc9]O2<(V[ -%'.2"[`)T6jX$A!XXt!Zb3UV]lj%cO5mZZ_DY5[,7/gEfZ,$4p`.,Oj5d8pLX9TBYCXY[)W@Rr&kq>>HEuDd*IUopq2sRmo3ceRJ2* -%20qj6*b5.=QY/8H?6%tE:k._$VD>dRAHqhQK\"iVmUo;`$>\\lJU:G-bFY?e]H<3fr5%N0ZuD@9^#(8M2UhKB@c]Wq,jm.l]rh7H -%OXDmjY?u,eHq_F1&+=c<8$fs3cYSXp:(C'`PPmm`pFb\#'Sha3gVWa]0ndR<:bD*Hp):%&/2A-NWU00)#"QA]c[,<`r$mo`*XFF` -%"5u/#?Ydpoq-<1[Kf+tjOahS.g+EPLiqhMY4ubX:ai'h/*aG;h_al0l]iXqkg/TBXc*p2l+]COlcLelBhYX4LSWd2?GknU+*_5eW -%O;M1B*St[5ek'9n<3?u7;fAeBrGo0,NGXTSLrMtIn&*'53'F78V;"0D$%^EeC7VZ^\^i$'SDK.,__5rpWjTAPFm&[hOkm';F_gG, -%p+_"&9m20JZ_Y+=J)p;m-K=)+NTN,2gmKFJd-`9qe">h/^H^6?530,B5*''rT3KYsrKc:(;(/cuo#2\mSYBH[!`.FV&*R7?!^>EA+'_5-a8ua'kHCVWe&U:k -%=ZdflVn7[Y9a6`GAA'cst[.850?Is=WHBGd%$Jh;6G1iFXKfqB6_qdJ!Vk]GUdnXi=N`N&1O4dbk6[&d5H$6+Kqh;N2X-XW7V_=BD -%a1>#c0=9K[LM4#-dckfsoJ5Y7fUZ>rNr#*a7$uZlgMpVO:8QWKa.CG>gSE;RRo#g55@J`(\-T1I%poAAe7gmu4%3%@iC^Gcp`&V- -%*qnn0NW8OM[Y['\2thYGm7bhmn!g9bFLn[A'K,a_mIEeA5IR>"Kp/3SO*3QIf[A$orEO^?P>8Fp_QfC=DN?/(qekWi:o!\\Y&kYF -%k.3&[=CGo$7QN[D:'3PF\ikpU&4mOA:ZY?ZSZW(XYLNm)D,rmQEMbUXkVjI3FZPA.VPp:N86lCAbI]fO]iU%aD:RKP3pe+p](*KE -%;p'=?f7tlMIr"cN,?0!`bZJ4$k=;U4mkq)(p;";*UO#Z#ZPD)?N?s6:C#"oUK`:;qA+e^?1&W.H+/b])^F$nDlZ_s(+19]0jf<:< -%@VZk/qq*U)IC;!m&C%u@0AC3l=1i"I[EI)i]jt#&;=^#rD^OO\HfI2eC\q_E.k.B5@5Xn]>!JtpU_RBe^Wg\FND71EH0RJ/o<6L9 
-%e=Q6]Y[['mfD)pkmE]Kl<&4FKFXq(-=C:X0N+SYP@iBnu6 -%'s8h/\8tlq4ro*kf&OmGDI?Cb96TDiUA-WpXrXB0_J9'\CFq#1c.gPQo<3s@f932o`a3pThqBW+n;8Ma@*h#-lc:]8bCR'dj=%L0 -%auqm9jcCe6/r@fVqYKlOD2Us*p?]AGf&c+@iL:4\`T#MK(S5Z"E;GQ(/k@;'m%2fg=p0uEi0qj/EBVs:9!7iF\b8U(kPV+j8,q@L -%bJYKL@1]Pi,TPRNKM"QEZ'VG%#0"q\1pT]/#5fO`>)nJtfT!!s7$'T5G\hc:GIi-DJ*\n5<[-OH,OQSq+uko,Ic'p'>N5At4SA%F -%(\,7JIEZkZX2S7=2a#[L6H.F012Ch]O+'#3(\r:0iB=hn%IRmmVUh!ULNdjJp1V']M3LUF>Y*R(*WdtEpdFWcXRLd;t,;?N2AZ!?NG)_\8+8=S9cCnT0V2IV8) -%4Ql[*Y;r;Z)QeXS>'rZWe'$OJm=ART>0U#mmW#Ln\DEq(?8TC*p<2;9'kKSfLb@)$1JcM41p62j7k=$OIipe^6VWhUeEk#9/8kid -%7NS'.7I;r&g1be2ImD>Zp[<,p-!3$Wqo2'd]g(ED%"kU99;[>_H*kKDZle.XBC.C$@]C\p5qSZRbZ^NVmfrXKRS9&mDD]gbH,tZ$ -%H$-R&h:Pi[%1[&fOkhuHpOS,^E0/WVf86&+2>/r5T00\6,Kn2eU_s)l\8`'@L7oU1NEo,gY8fpKTCQA4h9J#dQ\Vgb6X_eJ=UYVY -%kiZCLn.Bb%YE'TlePHqHWlH@_&_Wrb&j$LY8*GN__mYqFUg#okCQmMT3/S$+[`8B=_LrFM5cWWlnp`F(2`\% -%QcEfu8N2uR\Q@Zf9//6&4Tb*OM5=bG0e[YGo!,XYI7^RpHXDpoqNg`$8W8KO[8UeT#fV^Zc8Kq+/fI5,]XE+(WOLTc-utY"D>2HF -%E&ks8g?dQ*T.T29.>?LP7Z"O;E;++QQo7UZVnnOm,ker0^PAYeg[HfNTk#-l`l/dP)Y2:c$?2cVb@*\i$A -%TiXCh,@NLGlI6O<-l9 -%81r6*lX\.>PTdRs#PH*3c"QM1'2tI:;du]UejKZU?V,#dT!"nZGC>nSX#l,Nlt')@k!%e$;?$4[4"FUgi(cLt6d:To_4_I$@tg:j -%s(*s)`W3*AcHg"V?K"gCcg[aH9l6+-l;Q].HnSEZhJ>-AY0P+SFahSgNFqkce"(An(q^36lioj#gp$"+6kGb`k]r>:((YfgW?_+% -%k$km9*sTW;_hFuLnL@8tf[Pa9mfLW=Ls+i:Lg)F'[0o^f@hocrcopg@FcQX`6uUAD?KO2`:O$/Y/fRk^GWk.m?eC'%Dr7?+K6l4p -%C6?hrej!$W2NhPC:,FcCF2I60ZX9uuGKA&A@-^-HV\1=hm6p"-=2C!8X/ -%5E5r<>cKCg%oVL<^-on@Lb9uQ"F#2"P[<;?:"`fj+UVI1>(#qO?Uq$&*\OIRn_/8e`Ksa$PfHi7IjckqAG6UP;Ehh.np<)-0O$:3 -%Z;uo-LY7,L]@1qBj'eN;hB>`HM%$DtnU8/3"$f6%T/C]c@^f*%Hf(@QPoD657]k?0[o(qL;AS$Ic+L:_!a86dB^#1*k6Dg\,F_uO -%*L6LgiFR&JH^S@jLN<1X258]`(:gjT_VT:*?!(ESj"[:rpSJoTFP33l=LR_8D=r:=AKs;T#3GS2j6d9'L;B43/.:Y=$0LF7#a=ks -%4N+I`I\W;o2i[V8bEKYbnb'A5HlB*Bh8eijL!/li,)80HSHD0%?Y*M%WGm7I(JZ;&:`8c.9UE1V':)3n[(7bE)'NimP/n'@#3_P* 
-%7GH2n9HekHdN8iq"j:I!rG[7mn4c.?OMJC!/<3;LgoaAi!#1.-f!klTO7:TOk?DDSDBJ5B_q'IX3a"7fl-iq5-JQ:3*)f'U=$)[)MA:TN_+br6$Nt)*L\YSB*B\E+&rU#cC#gaD/7IQV9 -%SAOmh)HWFAa0Jhe1&Om-Qo9nP7'?@M,?/`BK^e1a;>)"_J]9Ze/mSnOh,GpmMf[]3BP<>NQ4XMZ1)J-AeMA7nJN'V#rb`=QXQ;.Q -%Wj#a5r;;Pn1;q'iogH%K>ZcuQN_jdIC.k(@F,FNdIU=-q?qFh<[X'!"Ne[bY_H&5"4FDqQq0N^YXJ`>=d`!t0F4j%ncRY==`emlA -%H$&R]^m0/T-').tK6snbK5F>$Fr95g/6_TCSe9XoY`cXGiCKgcoPM6_\UVA1\c4SMQMY:n.WqfoCj0]PQ8lelkq.6d9AFoYNK+QK -%b&MEY8OWNcBAYhseR_;>U\4J?g&$P`RFgnYfB]?(MlG=35-aeW=bMsDIH-tg/16Z]iu^VroE28D/;eRETTYM:M3B>[tNa\eG+`?TSkY?W3L -%R>Vq`G!&?5:#oem%ciW)J"4XV$.M4HI/Bf!B30L$5[LfD!Y5Q_CH((acDMtm/A\= -%o[N(A5l/D'UWVP5GBsd:h\&/6`21T,"#"0[@ -%.bG^uWc=quZTlM"jM;_bQn^Re*i`[(49JuL)[erWZG&c&a^pM?2S21(Dn,Ts]Y)]Nl@eMK9A\JAo"e69e'l6>>(DpJ(+)4F]OdZN -%RA*[dXWYg8Ksj^g-2.IE#EPqG`]6oRL:]\l,aT82RgY9dZ%*HW,PrZFJf_?*AfRqgBrNl>R"60#fX>;6S@DnE6">O.7IlJm>bole"u)DXc].paYK4TJ/EgTHJR)t/kJH=jB&'A:[XEu1KJ&>5;qO4l6h'T_,[&tF?&N`5>d3uJ(;>l% -%@h)\Lb1<>pkOS,OaJE*U:B@:p##G4jRR7qfbmW@A)!0(qqnbTQ0"aJXl8-QE,Du_=rDQ?i0CjW9MWsW)S'Ku -%M`EaR[W!SY[<;WMk(6huaE*'$OtSPOSRJ\\r/r1mmXL]4_U=s/\X<\O]$HYE92Y*0FO2IFP=$-T?t$HGi)OV3*76CIM0ADA^:mh" -%;e]"eflY1C*#d.8.u*)kQa1)/X@J:MOn:@a@[QXVC%dWf2KHpMNGLX$h1_LN\s?is\6tIVYCcG?C]bq"p9eV;)n9K8"O1n1AF)Xr -%7r94]Jb1ZtR[]X87uo[72oP.2r`$1a-0q_GIe+e7.D`XZ5XlD -%*[$f)8YIIie&V'jcq5eVW"HCQYeTSe,25Nn]`@?P4p-G$"k4W5PK]6g$cqErF'2?K$_8`:9[%U>'2o_$>b58teao6R?7FV8Hh[Cb -%98'BCV!so<9G>XZYd"W/'3[,'J1QTnj,^gV6UETgqW@=,/KuP3M%>-Es6+%bs0&$[@aoOQP%\"o;bcoL1)f8 -%hZ+;3jmD'=ml=t9^!n:Qd*AfNOdOi -%5n,Mc_\K`\&SC-Z_H:`/R6 -%?=^'+W-)jR@h`JWqj=5IVuWh%*u=1pWsq"TMb3OCLe1o\^C:MdHf49h3BM5G"5g;[ -%&*I1K"jmNAlS6RO?oPhP7gVd=j9nB./-jLXC!>PTYs$tIbdW=F12hI#9Vl&bqTAe$$Xc;Es)sO?*>YN:j\MH]B7.gb["[Cd!<^si -%W8]([+?*s*%MPAWn0lSmCj@(5K-TXcdtTHGb&VrOKIR0F0-`Ci6$b=BK$Lu1]ZKVUKW6%*P81sPOa^2GO3e^oZ-:]i/3eVG'$GGq -%SRotIfZg%a!$bZEiHm\nKnRLaeaaNbKCL@Lc2VLH#=-!"u#S*AJYU&HV'VQnR=(S/-G$='$KF"_t/as 
-%-([aAbGsC5?`mL[)_8O4.UVrm&WqY%k3b"X8ofI[PQ8OBk,UoYaSh?af7h3lpX'hmGgafVi]ch9#BP`fptOHN%:X43S"08<0BaDM -%BkP+Ga:M.CX*'p_plh*P$gJCHY9-#4*I7U"hG!taCX^RWAKOOEo8NkEgR,3QN_iV2=k"flcT_*-m-Jfd$*RR\`KRM+[QD2o\cUpF -%cecDsb]dL,G-ZF2jgfC[[LhhIq"aa)QGOO5@oqX5p$f2OmDVlu]3D!,/)sGKc>W\1[I8E)%[cJf@&D9*JOJFUq,$`r2&"G%<3:ME -%)LUR0n5-O\R;*?D[If6SFlcl"+*jegpIr!f>ipL6g2nr?IAg?D9Js*MQMs^g%`jQSq2'm,Fb>>Us%p+@E5i\'\3\JHckg.4o";k% -%a$\Cgn9lmoIVBkk"-?9C";6e0s"-ofHa?l`Bb -%#0nPXGp.Dj#<7(Uf,<*-C^tNN,Au9HT'\4LHs%7J7WA(V/*87q`?IN200G_68:Z%m`ncY4387;R;`6b-_fZ@BE^=rY[F<8,Q0&dP -%c#J'S?^0]-B6,7=(PHF:V#_7"D2c)G%+"&9B<,D&q?oTMrRff2*JZa-_2iS!df&9r%O>i.&cF0N'5'Su@D'7_= -%bR`$S5A\-gRMB%=DDM_]Ha+;A5,1"(ME*Q-c#fk?XLGd6ZNb&Xhg)\]B5;/6Ee_68 -%Hd?.=DeH+!f`oUAoldbmlr81iCj8+4CThR3cF/(NI5u4Yj4GDCTj56KBBu>AX^9=[%W!-2`T$Q,k;[5-gY);R)j^#;[P:j]"ch:[ -%f230! -%*b$+8OYGf[LDY5\oN.;BJJdR/*aB72mP$HLS;;16h-VX@HoW]hLD]3&-$(fZ\D#g>3Q1\ZaEhaB3"O;DEQ#A$m-%=Zj*%]&b<_(s -%<#W`7ru>M'EqboT(jBtiho-2f$8)X%pQ$K;kJef.6B#,]U0&1?SC6%Fo1069>2s9(t[3'nMXV?".9ZSY1I'2"u-UZ/+oZj5D'g9bLs9O -%@bd[U1+-NNEi5D2od(g%+ZGYb%V>HlEG'1sc\iWQ7,7_@@XL0mAjhTa@n4cT7>r#F5`G$8C&JHLggtSUrW$D4040/41!]Z.rF1S& -%LUkps7#WpC6S0<5^'"rQ#@^s0@a:#X`YgVAFKtcAc$TP&l%j?1$R!V_N3b970-;odpYP4V&EAf4r`k8!$b=#?`&Pk`E'NMi_5>th -%F+`saieo&$j`jG$GJ`MP^=E(DIgRpUrIWupLiHANpeh^aMLV_QaMknF`43M"[g^3bmR=Q+6B%CH2dIb>*.-Z>T=F&GqZatuoB\+< -%1!W,:=3V?;o:a&:Cq.[[F6IS>*:1jETu.UqZ-2`[k]#ju/.3K$_'Ass3daST&?+CM-h!Cm+jeBX-Cq'oqGp.:>dAQUMk\tm]fJ:h4g7-$Q -%6AO=.@(7J(\?Zp>=G8&r_bGOq91=UdfPnkCh%%fjHkG1mU;PLnh*6Z)B37_iJ.B'-=\*>;&3=(4L@b3:k!b'ONT$GWoJEtd5TK_j/^:o)'Ig>bOTgVR0TM\:P06H%$5DY+.NZ1\)4CE.oKXYEggV -%*Nk2.h)ciS7>EC(8:7X+K+:u:e)sS5-9>DJL>,*a/;+Kll7bGR%X5K;o:a((p18O5E!71u\9hL*3aC>X#0LOlk]#Vpb4toW5_gj_ -%a[C,$#p$2"@=A\,^=7NHU%VXMflAOlYK9F9=5P5Y![RUodn:c;HiM69!7^.b>VhS=;fW$%21NlHjOgnR.T:#0?cIm-VG["=^4pjC -%ja4i+<+bU6of&E-(#t4Wk`d&Q3NZ>@O/(C3fNWh`5_F+R`inWg6sJuBGF^_\F;Ngl2h9NCYgZYZ[o5IImHkh>:lQ'f9?2!LAW7,dh"L^.t>l\"Ss3-sH+9Xp]G 
-%rRJZHjh>DYGf7UBOBhaJV8R_Q:aFZPIS7IO0BnJG'--JSN48Ird'f$XCk.B44SX`#kR`cuBH*'CN-ELnq;d$XXrS.n(l)-E\nph\X%rlVK/]FIulTCZi7M_&Kp`_?[h;na)-Z:o"kOV[cAlEFK'@T,3A -%d63i:7,,OcgLYqDBWUlIc3>22O\'qTZd57a@.M:[Qolu2Pm><2k';67,HJiOE(S^3btNGI40O7\j5#a&*ganO\%WPm.``FAXY7S" -%_2Dk1O>,OLEPs!`Qd*<)=[5!6EhgOEVZX'\VJ395:jC:MNC%+rGlC>QJ0u;=Z'i5dikQ7L+V>a-R"Gh*,t98u#fGG;(Nu`pH`S+J -%qoB`6gPZn'Wm&JnV1g=+e@OB2@/Zh,*A67Aq8G@-CtgA(=YoBE0NXj:Oo%e?)Z6EYI^R$43CTI2UY9oaV -%n3]^"C^_bY9#ogru#p`eiK#)_Y4ZVgM>HnWmG$l[a?HN&`HZHO'9UZ6aD"anC`+*os?p -%liVjq)=;BirSH>^i\OTsF)g8hH/NlsR]p#Pfrn2],r-Qa -%I7NjgEjo^+[[eZ1YomkLU%mjn2MuZ#pfgRZ";78]NqV)!,7L)N6U/R/Pj:G"hdCh3].'9=t2%^CaN:XBMRk2#0 -%Ha@da%)?.[H`^BU:?C*hF)fZU.5@/Y`g^n-r'KQMSMk9-5NSZh7l&i5=# -%fiOeV%*61(1lBXhq(Q*fRK5I\PR+e4Zbg#AcE0678;G;G;RL,1nQmW)a5SB)hX$3)Fon8"2gffjbsZ&GPE4apiN0IbC*f%4#>aZH -%X7##Ihjl3&n#S^c`_u,f]=#<7CJ[%GBRPg@Z-(bo>PtOIeiEYS^\Bd*2^TKu(\M22/=FX[eiF`e5`Y"$>R89o]Ut&U61-SaMdL=0n2?_L[>MuNC2Q>S"d_`GEe2%J/J9]2 -%]=k"eWu&XC\B7PKLk4bB)R((3/CkMmk.AECmJc.*aIUpHLAuBM0(E:.9DO)2Vot)HUtV>HI$)7 -%?\D^TK/_i#V6?XA*T';#e!4C!RI\+-rtUiWgW'!InY1@^^K$0ijn#N: -%(8^bGc?LmHc5#jj&pr*`gdg`%!U\Fu21tV^:=I?!^3$4?=BVK3GU^qngE3'^OQrRuhEJ]dGP_HLnhf@B$nQ`!XjV;o)Qpg#l/"E\)ps"3&Q/UnoBHfmc&>2)3q/[\sVXmpWtdiY/Ud&cZLiOR:Y3R.gA]o.uViU:;,NK%*'C,9jfH5R3FB:u3+`u[t\Vh_7pgh5S/d$YsC*^i-dm+H4Xjq9>]^KljTebl1uLjaV'h[Ve7;NIW( -%B+"Zd5MV7/a)EI)no+J4s5@,"jiR3#)ZaX=#50g@rVB97Z<*Ie=>hqjH7JcGmm=`/Ge-;lG`NuAC/1InLOB!\/tVGNp;50#^(#,G -%5+W\!eG3/?$0^:]%il6`humqBcYjIcp\&a7pu[&eND2pHA[GMDgLr!QhpM(5<(F:+O(>7V#;sjq=Y1tKANjR2uc_Y8,O\EVo-MQN`C.tu":DEp#"$P@NM*FQpM1.!gaYOh'#6j_1La@23.gb%F/hBe'T -%kbEr)l/A^G&H/)ujUg&#^(/'6SPSfPTbANBZ0'V:'0:P()CkbT1gr@!krt-&W6mPq1n5n>.43)8=ZP5ag.gcT0C@TmYV75UN5o' -%p*#'QWG2Q_He,Kj8mqT[GJ6#W;1?nPRq/_*/oS%T_<_p*94H7n%N"D3pRmqF#%InCqkIET3\mNWE;Ir)2=J!Bo'NL")mJ7i@R1j7 -%kI56a\(DIC%-2VI]A?M"Y]5:b(A6cnPCj-H4*Ms,eY#`@4I[,D[Vo*;`a5X>&Qlb+na$aJAi]ti#j%mYL32b**^c8gWSHKh7BIcbHF&'f*qg\]QdZj6 
-%qrq/(1E[IcnRU9)^7WY.PW/^*2nEGphgM#n"t>T&NKeW87Z_*WI=&I[h99d`UQJjS\)!7cS]U'qI5jI5cYDQ77*3R7hE`m,Ibi5] -%S?/![MA`YTIG.g-Z369q2q:O*atg?6^o-4,3@[KcN-B\j/66I2?kZX2Jee*`"`_"1jYLXj's0[eEoh0%9uYa-:/$ -%G,gtRd-)GTNVjQ]ottpZkMK:0.0etr6qp9$f(\C8`&VP@;Vo[0;H`2EJ!HLUT4W-^J\8penC -%4"N'@Qf%d3p2[V#"(kTV[pN4O8o*$K8F&WJrqR$:"+:u6-_ET00Z+H=Cj(MdH5Xiem2Z4Eq*&OE.3\uK=[QGAirnc<[hgJK&&-81 -%DmWY\I!mB)rf[XR='[AMcr&GEKH*DU_c9AX35Nt5s)+lq(C!YP>Cl9/;@oI2iTN-)J=",fZ&n_#Fli8b.A>JgTco,O2NCb3eW4Mh -%Q!Ynt;Z6cdKe55uid*J'Fj^'06oqZ/Q38=;5[p*FfmHsn%CASSXfmjU;B$B9)0pS?G'S8?+7mgtr,umL-2\:VGOLDQmn:,dYFNlF -%>A$7kj^p[Oe*MFkptT-Ci8'1G"N1;g;ksJ%\s'g:j#Pr,nTV=!n's/S(@/"D/,eRIC26%_>KXX/AN04_pXs'HD>MXA9GK]Jq84[k -%.51ROLHNR;cU]->;mX<[BTQ]+`3Xeu\4smW -%g1+cs5hLmQZX;tQ!&55"3H'Or$q5Y>HolKnM>m9^eE%!`2\2"UfhNOn7q\m]:cgVXM>@.eZ1p*I`PqSr^gT3$fIc;:E`Z3%;Go&4 -%j_3X:86t;"SrjMl]-HX[]6MWCcZ,VDmAK5ub/LcT0`,Vhs%^&[3C0R9'o%Z.d9L#1md.UeRh_"XY)m)n)8D!V$6@`,nSP_g6ot?P -%Wpn[5FDt=7hK(HKdcJt>)YQ^Tf0BD7Yn1os[R1q5Q)hn%f#EF)FYN0m/6GR@Q@#tJ$;0@J[X)1G]5cAQh(Qnm&@(,p#B;LbH8C^T -%Lc7c@T2mIumhD7!H0ga\)FY[\ls.4>[Q\">J^)&_Cko=0r[:%AWabk< -%He1FR:"8l0ZZ?;A/#c%o?g.914".Yq9\'>B@ob74gWjoNWP0$)SLa,RF`m`BaE".:eh[Ks6CM\gY^9O"buI!WenT;^B;X_U%ShY3 -%>%sT9Y[U-Cl.=Kjns7cXM?BZk"bX'MYf1)9*UkP/ -%bUrQ>SRSaASHI3gK8O-fK6fPe(fGf\0ccG#K=X2S>7F11.YDaq,\2,?6UEW,*E8u)NEqt_C9h%0KG9`8]Y*W:(13\h6_&l\FV3oP -%`Fd`\]A,pC(idH:3D))Z6B9HOfYcq;204%DH8K`Dc=M9P/F5=6d3jJgKUs=Zo3tfj7dn@"8YquebB -%c*_BK:<_*SSI?u;3l"B`(A49Hkqh=blt,QicahN'e!-M0<3Z+*=TLBrZE.Scn"u#S[@?U5+WX;;X_]g9\5drO2_NErhGG->8[?>] -%0@in9ZaJp_H5\"A5W^5J(Yq]N&#shp1!bqZjf-G`BM`a[$1Tb,6/bYgq:H9CqtplE#s3H7BHLp3+nak?[gr_L@F?SfO@UX5^Z')1 -%%uIY*RRF]d"*n:"cC]7B>edn+GFLJ$qb"??G=\h59QpGN1]>PO?P_tDJMK9L;U8q5_e2U)GkXphW]liCc)AU<#pmnd<%V%'W^njc -%U3\PX;t%AH)YSkV2U#cKF0^9P(TYqA9UeIKZajSR":n:#UY%r.C::g+Y^/#eY%00/")EBk%fquB@<,TpqF[M8%ndiAG5TTu2?Us* -%_5pd\0&Y/']#JpkNG"WX4M%FnnbrA!b@^)cf\O,1O&K];)s9baDT!iV?R_(n^KdrTb86$I7GHE&"f6"F%A[:FF^3V5RMft[m9G9k 
-%g:i!K6ba)FiHh]m%O;)d;#J;G/J`9Of9[\?q`q!1T0@^dY2F4YD4]i=aNBM-NI4`r[eAu1mh2t%GM!A,'epUZn]p*q$Q -%'N_UWhT?;A[\?e8Gi;-F=M,X]YGZE=dP^6tTSa!eYC'9e$?&,D&+pDkTNdRZ?%A19)h&2t11$<=[IW!lY7H!T"iWfZHW_I^p"V]bW0iJn_`r9-g`SV%p"CdYP -%ScA="RH)"=aToMn;9XNuh[>EFAk&9%kl2)-k!&47*&AkUZ37EMZHp\>"tDr=D2gO -%0D0I,\JpX6:qrh7>sI$ZkrPiKHC2;KbnfE$QDPOHE(rsFm"0&h%c7(KhGHVW>r!5%8 -%4)m,:QkMj\ -%5re!Q#,LiP&JPX_W/18be!;jG@*[(C-r,kg/e.#E=7'ilEEK!.B0'_pKDn"pl%=.Nb^"QEY.piVqB0TPkikm:[We9^M6ROg+ -%_h9Df7BK28^bLu$B:jFmd4H4S@Ud9o8X3?2(rJD?o6rj8-e;6jOjf[>nl-5r)2 -%3/np/meN^DSgQb;8$D+n<_e1_>XGgi/r-#aU=/jB57.hOR8Cu=24P,idW4^>NdcZ37T/=i#^ULSO+tj"u1%o>-cN& -%R,K*a)sC_lQ:&(1*FY]8W*dndKJM(dr/p>=$"'Vc0+@UL7NQ$kLlI?4U=B%-8EfY5+usuj45cSP*C^Aq]$]hR#<-:.VA7@V1"80C -%#2Z@(j:I+tX,L/JB:(dX^'[F9fjgaQhg$3*&6JDEmmd#oaTFr)Pm`S=+)uc&bt2t.Nn3W>)kN,EVVRSV^"K>KVR]p/+["H1rjTM* -%8a^t#p%c>_UgLB^1Z9=U=S+RY5Q&g@H0'D!,SKak!Fi%_,'1-.l1?bR]Xi#+0sS=pil7&4Yp:J$_aO'L%^c6](,fYKd=3/rJ_Sti -%:d7%eL>'AbD(,NtA$u+"HP[P[O(>bos#]!,m+rKrd?;-*T6Xq6^LBuW^6SR$?;:%EMr9mH4?Qu+l,pAl"T@Lq^9_t4b-gu%j6YBA -%&gFX<,-f0j1IAEV+:5?c4[Vot=$7,d)o?h%8,-Z1c3%!>^'bemLm3PW.]V;?%7(IrU]VZ>i:&>UEZ_G"ID[RdKTEniANY)o -%`!Z$F)Is"QaFR<]'%#PpPmmqlYS'B6:pV;@9hUCBY;HrYVf+hM5o``2]Fmj;hYJ9POk^*6Ej:YNF%.JY0`RG -%Xl7[;1oNP1iEI&*8,\(BrJ-`ad)j[9FR((:%>MRbm5n5rJIpt.67%.U@IXmIqpUaRa@dMp`P=%^Y!/b?*H[FuH-Q&WSuJ#40k@$b -%!MVk28ODL7n"'':e1T&*ZdV&u4q)eq-3ot[MQK8$e1Q3'J`cpKA,*PrabBJhq_\<^;5FSR@k>U(q!W7DGAD,I:$<&84!2B82K9%3 -%_/pC%I7-cD'-qLL8RoD%@X5WpW0\0/ZsiFcmPu3EFTGr>&tub\4:IeC54`I@NeFVq]U4+pm;X2#7kDgrIT0^R1P9csJC@CS4bL\$IUGRA;nP&ghr[PB)^M_^f*3YZ(Nh1[p+FK0\4MjrCZ:ho) -%+Kl[29RAXuMN[ScoEk]^%noqjB0)Wsh]behTWd@n87tI!>@2`5XDXMA9VdK*8Rr_LSYi!!BSS4HUu[Z"6RC&chlnS6g_>JDlc)Vf -%K"7fug[uS4f#$a@Gk-0JD[2jser9u+\RGo.MYk=OY/fqIe9uWP>Ib;`Gug-ZDsbP;kpeNe4qM^;nB$KLRuk/R29D24K/F8H+lp*1 -%LoZPgLUZ[9$lc_7lam[i"P$n(>n@+tl6s>8&>BL5GX&VpbF_Jr2Tbcjd6aH];"lX$4G8^h6H\Lt*`J=h;@"0m$8KqTUiu/>n]'6R -%p8WLb7D)biiZO/>lde++$?mFUj1%npY:%)f5eEtUg3@kIp%?L<=I:Tg[aYZ%?)Dpsd)SIPQ4%\J>n7/&_`E[u<^MC[E\&2QU/>7% 
-%??(W9!4K9CgFj@)fg'T0NV*]_j?HM'KQ%j&1%5`@W!]sHJrc=hok#f38ld%fb5@Z -%MC_RI&b]Pt*XdtcAdOaX(;lQbojTm:mN"Q;oQmst.W"79(Z%)bp3JM&(fU>D!5F>NL"a$%3UqOhi!`qBMhKffT8,tC2fA/S+=[9[ -%Pl#\TFNB;o>f+(n>0mE__O88T&r)6bL@S&FbWd-rKPdEN$+8)<0-K^3!5gCRK8!;-Q\Rpg=BIFGF$Wc)J5G6]S[(pgK>Bb"UPcUd -%pUgSPpc')8jR6H`3[e1:fi(ko+2j9_;;)C$q9h5^%ZCqtA8[ -%]=HK8BcMmg$]SY5mf64jr7tUR7L&@4rW1?m'*!gTr!?0:G7$?c]nKQ#d;2BCc9TL-TS;e%5[Gjag]cQ@_.q3$.CAuZZ">Y=qGQls -%^P)J-B')"2*T^W%;;F^,0eR\DZdp(%-PFE0j-L39@[QZhS?N@#k-s5-) -%2YIF95]ZSUS">tmA*(A=9UkjAcYT-:'LW[M$Q*]1%fdiDW#h4Y_+V1rADP?;o$?b\,0shV$o0GjfSbkeIO)KJ@e:bu>c0je\X*-p -%Hi9LQo^"Q-h$M#^4DWa3puLF(^?FCf`j/;o!8!62$GlA9GX`rcB%)aJl(WT6D%u%+M/Rh:^'Z`j[l1(cY`C.FV#COf#fEX:7tp!p -%987dm4A:fh`C8G -%YIDhMl\@.a(uA4/:OknGYI4'hWf8!CS30C\,tjNC=lV'd)OAg->>dJ@\-.sO7Edq^m5K59S@L^E".>WD7GK@A]j$!!SK=Y(&uW#@ -%dRi[+d<_aU/t;tuV>cA'\8e,F$^A_H\p5="hqB$",^Tui1WR;mP3<0YkCc;e%(a4TnHOf'FMC*i=_5t4RkpB@bScTA@jFM!0HDf= -%N[5-VPXs5\NR\&Pr*"(@Zp7FafFQH@YWWc9(d'Ph5qB]Q68Wk@ZqT@r-g][&3\tH;j`Ue+#fGcr%fRi9,&#$ULCjA8#_*NGDk`J> -%OA28=UmWA"?;ed$^%K*`+OinJRUs1uC)cL8p43knF`gt2anFWG;fj[PDK>E#1u/k,9)tN`e.DR11=Wi;0IBZ#4_mVEXQ[qYdGGJ0 -%Zf/M\JeJne9]7=6UE=#!_T1;Q1!uUciTN@"5\DtA0gOWf%YD3=Y*KorJV&re82dXC.Ki\b25'?`Paekq*%f:jk -%`PE#'n3F)2fkM8*Y=ge:oO6>\!D1f4)uEFo+bWVbM#77WeU?cl;;!VIVls_FS)&5:O=P60r=&QqU.mSl]X[9>m9rjs/i9NcW(ImS -%kK1D3Ih%&4HPm!>1I2Qlb/Qrei(O[bLO.oK^u.lt"GcMUP$r;V#_I\dD\NW*"@7"rPYj+o'*Q/1Hn6->B7_6cGfhEOS-af*E$&mO -%%*euAE3Lsi?uRFuJj[-W,@GI;#_GG=@j>B#-4#2*WuM:qo5SeI1kWQ40E?_]_'c.XPFar4jRGNT9J)P9K/5e)*(HPnL;B9##S-[8 -%&MQ2>5]H;Qp-rDF^"i%-gJipeXM.Jg%UjMqhr",BT4WRaG-1iu$:fmk-f#!j;bbQ*5hlnY(9"gJ@iqa#u*\*@O=G -%H#o^'\gS,J=K>I[lB4m-J]?g)NJ5BAcSOC$AJZa%=-gFkZcT."N#^3^\3'!JW&[YF20/,M\-W]:m[_$#iF:MJ$1_WQ/q8-'IU\BU -%c8[3tr'3gJ24&61S2i;kD6Mdaj5R[>g<68)Mm,9$JrV9bh/&??G"OQEgG>8CfrIpJ&BkT;gKFn6E_#T69OEm+^[h1nnbOA0-aETF -%l*a06o;je2[g'_,GnTB8'IhD4_(19[R)40!k1<2uiVKFj3s8hKpR.tD%+\'!"<#`:29e`ITE;U[D!-3/Q?JnSIGopLL6peAl@QsH 
-%,EU)e`HpeD4[^E>WE?M)UN.`gMk)f9q8RTddlkJGmS/I&@OP>#dH[?S[[oe514N5o^"2'I1ZgI-2gt_"Y>a1]#VM&.T3KLIHb$i0 -%B=\H0h9(dfk,EFG06a0Elnm86V3qN*?_r#GIRBE6[r]6)i^7moZiFI%^K`#NhdLI8BP=hSBJb`%ZNjho2g"JAWuL,K+K[2*9`3[0 -%SpLmH,ic&qrc^6]C[G@"s*cNUeXi6&et]Wd/`cU5S!t>qV07&_\'jWMk20`3 -%F2r3VgKV)O*Y)s=++>L[eY)Y!opRR#/h+Zug0#Y8R9Uj^!6`V,7[4Ft>3sZL@&D01b!UXKmkG53,O+ZI_cKHM)QVr&ON9 -%NGk@McMHarJ&a15F(.lk=SPqc]qpRV(F_TImQW?;SR:V-ZT[%%[^31l:rQ8S^qhdhic6c%mZoM,F4JZoSrH),[T?B\YQ%ol.:(eI -%bi_0^hX+\hl_a!)=uDc)![\1M_1J3_.dq*iDIIc@>qN3;j!Dh[njWF4Z[R?]]3)$#Im/f-66YJ!+hm=+IoUs+N=,+@;gfsc%4mupNTC2HjV#P`gkga*@q955X -%Yl36SjVS$Crl#$Z$,=^O%sOHLAe3jEm4`bR[?JnE)n!54]j/1Z=[%6II9b(E(Ar=TKPD%HlhBk^c\K_gbN_kdCF -%Y?sD`WGi`eB2m&1F*i3,leZ-9lM$i4jig>e,MQ%!9Jb(0oDX\Gm)l7cM -%[mpa)bZ8`BGgGOt?Yl!)-#tV2^H&KV9Tr?WF,6T9@/p"5"no=(=2P>)_=[e4elIONpG%p?Clb14M5mA>E -%)CqkH8\Mu3R;Y:M51cqfgb>7eVU"j5,S420.&VEUPG?h4/,VKmr5%D>8(e;k\7+lVl5q+gH]5:ZfdUlClqVfum0^W*&,q(TM,B9rtn09)H>.l8Nm@:2Qn)#t]SuSJfHa;!W>*fUqMDbqE?k"/[8M#S`.pMHc#O=L:>]oRc?gYN -%/]34MhbA]0+:P>.^03UQIM\I/C1o!,m!Uk=[5L32FR+\<(L,_U?$DEAX3KYd[t=nm?mjX(K.e8EQB%[:3OBkQndchTci(")LX`>Sab>YV&=N]3h!4M5P&\dY-A>dK3E["jiX`8?:A%(CD/ -%YMYSN2q^!no3d/irphrOru&\"#+[X(@SoTIoB%M!ODQZFA+^"bWRC[pbTtRt^]; -%Q0Xugo@']io#E,CdUhR@hQ+@=BQjXf1tkLEkGM/DX_-grPSa\4\J'l8MEdg -%r8("Ob5-R`f2n!8$X%d_HsN3tqUE?NAq;6*oAVL=^9aBPO>`I)l.;U"@q($sjaLe,4igM@-$!g\8FeGJ"_C?FLkJdB)V"*GOBs0j%/WmGa2Wpoi!fW#-$!g\a@$lL@?ej< -%0d9s+Bf6D0m!4s_jn9u;OVGd+7>W!',Efj^SjeJU)^CM$ -%fOn&*a2Wr%c/i;/,%$3>)1OF`2P8CeTGQOfNVON0Yl+m;T-Z@e@4i425>,`T92/3nr@FrDN12@Fg4#@;Hq$.Tg%MbJjth=I38+#3 -%UujJ^r\2IfZ_Z`iYeBHhrXCc'Gb8[H=]4i/!=hi4r@FrDN4e7_gWu%OcV2OR,hpY.Ra6:&4oaV^YSg9<8[b8)V"*ieq$jdZ?N0!B -%@&"r[PANNWC-KPH9Xt$PWVHr8RrJ7-;Y-<%@l;C%Z_Z_>I[`%=p9URW1\*5`D*L[.4u<)%PAEHVC-JD:(6`T"956ZNQF)LWT-Z@e -%@J)#'Ib&9u>JfSeJeU/imFZ[An:bZU33CAMB_f7#8/ -%C6+@dradNAlp'%V==*)m@Fo`(+;RVk.TB![a:O%9T*rl4m5Bb&d1G]M(GkQ2rpYaM];)SOtpY8.5R3HKFa,c!^+S[0U2n:IAqL?"PD'bdfSX!201NrG\]RmXfu!=6/XKBo>%)q]aTf(:P?5d 
-%O'6+25sb]UY&Bo1m;O=ilq&(pF(!K8UC3B'O64"k-a6aiHn:=!ON\hskX.lSXpg[EH/bKY;A$`r>cbZ5,_h(\(A`c@juA_K:C-Pm -%O?1krs59`L)'FG$pc8qc6?ABKB$I@@qGuB6$8=6)9FEfV6(iL_Fb!>JiFjf"0:iT*a33JQ4=f2?'O7"77QfZH,#ZdCRaGm*$^L9k -%aT8B*#ERm_"a'sTQZRaWMmQ`)QYrS[27I!ddT=YoE.,t6g^1+0:aSV4^oR['[Us'-otePMZAp/4VEXEZNL%ZEXn^[dR.Z5%nh&p' -%n2QdsS;QrTNP@U?8p2pmoUH>8WR/c*QuAjbAf-k$9N6"W-HJ<#qh-uLjcCUd\3u++T!0oBK&B8GSl#5P=.p`;'TFs[%`OS*Oskl+ -%M%*-Z4!$W&'>cG8/&?t!)*)lU50`h<\dc[?&7Laq;i\*XomTfMYAR$8U%%)i&%L)P0?1a]uCur+:reJ`f*O(2VE? -%E?BIP7:K>L&P.:mK.?G>jFJh3ET0XUM2WHg1*@auecUR2-l*eY+9s)=#WY)r,kMSd0,uO?$_rC8K:.$,-pCZ8WWED5rij]/E7lgQ -%Hlqm@KN2I$03n8fl+7htR$clpf7U`4NtiC%KT=aZL]l&&"0u*60.7-(">'d+-[_c$bnnggFUFcT=@3ujcru/i;?l(9='`QSJ8Ga& -%,SA:TmmZcsYot.PO^M1r`/:]Ac&u[unQ:huVC;;'a+[=kkTaBpfUBk/%]qh4K!,sD1]@pYk/552\D4k-N0AJEEjJ9!$O1]ERVd%o^hL"#rWb2;Z`\T!^SIs,Ut5l;4M\ncWDh'fo[<:%Bq8??U>Tekm6On-)cmUR;h2mBd6o8`^.8^Ldn=RQd*^CF, -%5PRS?Zmj6LnG%S#5XF?n@?+st@FM<2:5rj$BP!dZ/u?Z&n9c.>es'DVaZ%!BnGM5s9b&Rs>/'LY+_*fD8WQl9Hq7:UWM)tH#ojP2 -%1L,O-&mW6(Ze$uf%uHHYB+WFa#b07r5dT^]!DoZT6bIdU#D*lcm8EKu3M.Hl34PTF#=65#F=]V`TqH%\4]8SHFmF<0(k^RcBsB$a -%TH!#H5)7(E-H]gpA21('"J;nV$.DQ``h9sWKGpin3C;ea(_?m:\Yt@+dNM'!6UX2m+sr:Cc?L+,a]2M%4c.0+H=QjZM*8!%`b?_thT'?(3'9[Pc/3MQ;+-POlAAn=&o`cpl^R]G\uE-.r[ -%<)Z:LF=F!s+fE#SH8EK@Seb@ScF$WP`s&HSVF7J!>Sq/pO^)7I*l\jGLJsQ!6,br"`=gY0C_?1&#eHHR@)D)>63eq&@T?7nYgX:_ -%80/h@NC&aJ0L\TEAJCZNNn4<_l!a=D657FhR)#E)"?>[O]]#Zh2,I\ijn-<9_5mR6T'$=?E(WV/*(P0Y'Zn,c/. 
-%U>Zj_!MZhd0Jo-Y7*6C5a4c9V/#rP^p;A@KPH<-DjJG&j<8:tDr?r'FTgCAR)L;D>EC*6qRN'+PIlHG6j'A4R_+oT&+O>4SFSC.Y3WtVo-t4,YpKn4>ARZCi`_2nHBe:[R0QU -%-E=nd\ekZ0Uf;?I)ck8$#UN5Hp-GH-ZshF?S(FkV((uTa_5?7iD]HciK1L#+K5RP?_Asr5XWd.F89#G*kU,?8[#j?iP?`1aKc;*k -%jQGQs?oVO.7Kf$Q!&P[oN04W=Z_;=S$]0SuaI*TI@tC"\Z"P-gkX/4^OIR:9,n[CmK4se>,bDFQjYhh2$n.Dip!ZH>g4UR%MPS4S -%5&GDh,R*Q\po[a/nn_923g/b5X;T/A:*["ZT$(nBRlJ,?Q'.jN/m;"OF1?br$T9L0/=//,QaSb62Hg,?_hG*#Cu-K*-(a0=4PKKX -%,^S/IIiNO/>Z8@[-S`V]=CDZ_.mEVO!@f9-*=r]?XB(AqY4J9%!k'N/V:).!lH-W$nH0YUtA2lYI$_&UEP'2j(i5^i;X9IR,j1JU$O%ck0Q"dnqHtbK_,+dQ+VAM>A@I6]@-NNeF`Crl:q5M -%?#BMB[o55VlMoA9C9)LO=FI:.iu@<]?11#mFfTS1pD6\G96C"%FQl^aomb.>&V'~> -%AI9_PrivateDataEnd 
diff --git a/usr.sbin/bind/doc/arm/isc-logo.pdf b/usr.sbin/bind/doc/arm/isc-logo.pdf deleted file mode 100644 index 71d3fdd062447c2e82f90331d6f99e95ff648d2c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 21981 zcmZ^LW0WS_vTeD#Y+GHn^_AIOwr$&Hmu=hCW!tuG+kU3%+O>*=h1o4Y=jJiHu~n!JUsM2jjT-^O$pimjL6fAnprv;*%Q)> zTIx9(2^$&M7#aZp&<>9FMtWAzt{F}#-0_B-NI@TO)Kx1+^)d3L$uNGvU=WsKx`?Xa zV;1ft!Hf(hE-T>PY+EB5tju22pWCwTqBZ?hc4pbhCd`(?TOBdu_nQz&AmRC*f z7}+GOYdY*+Pu6vZ%nvVzcOTSBCmB|Dj|4ue zork8B*;7%eG)uL~>gMKni37@`iDwNH^Mlqc#Wlf;tP>3y)Mjj6*%omn6G_Fb%QcJg zj~mJo0We1O{f%xvjMY^XZ9CVejyPYsF_H!&9%erP@;a5Ly^;=+0fltgW20vG8xTvH z&~FJkCgfFXI&AgDi_2pZ@fsY)&jAS;Kg{EY(O4>5s#*I;*ajtQS(-A+s8^qti!Fxs zQM?PX7&%?!*>9|hl*k-XX!;aAq1TuOqx~bym5%HRe-KYL=|9W!q*j!q;_RVkw=C7l zD|y1qkZvxhQ-vi(2t7EJdxo0+B&Cr^NovXVqP{1lzLka}yCa^$r$qCi42lhtiQOd3#! zI9g1_%PNfMNS=-4I2O|VVkYMS4V&V>Dq%;K!t5+w>C*E{U3f5GB>2)FwW_TuY=YGpw99tnZOTkC-bc!9b%y-}VYe z6y=ftzLn+a;rix(lKa-tC|)TU5z*~D$%%wslfWScO{U-l#-SP2*6%@-Xq#;g<95j* zeX;nHwynRNQOC`qC_Z!^>G{~nA(o_B#V<9bM*wu7#lw%GwIG58ySFBCo5Qw@A#4>j zON&Gtrpyd;uGLf_fr(?4ioFed0ExVy9AOd-7t%$__CmOb(~vjZ{uH&F5M4sQ6AL^&z*1Z$xEhbf6_*G}bQ{m^6pRYrjA*M27UUO9R(`Bz z(O^CP))-*4(u5o^DE?3yCe_)*bi zP|N)QeKqD@0|p@xY!&jGMfgD$-!_m%bSvVBmC_VW7J&+qgO{Ki`LBxexQ++7SdY>6^G}-*PwCg;8-#lkj z$xL%7_KT7g5z4n;#d(qHrbMsd-W0u0uTr^`NC;pCIT5EB&q=hq zOWj|Osbqmlso$AY%!Th*MZze3tM-9z=~_b;g0$v1a$DhES#jmcD~Zw6Ah}B*@=!oa z&B^4o+N{O8$iIc*BMKn+DDjvs8p@I$57*g`yd#13hUGQn9Ve2Mlcag#zpVfx4WwGy zp3>rEHlN0hO=>;`LlLCh_7|AsdF9kXR(bpgiq>?SRPS5KD}^psSYX&-F&|_&Qeyjt zH2?m{UQBDq)prh@Qf!|G*CcpR_v4JrzFk5(^IGLU>L>i9y4AxV> ztod0QMXhmh&Tv@PV0mvDv`%$Y#j&KnW=OR%E+TuyYg0V%QGQTFp}RLIB{>ZI4?%Ho+*U(IDP)MkeM@ey4wMR+kZR`bxoW3VbYLQIiX0xLK{=$8n^7-p=6x(; z-JTS&YhsskESe+q9rnXt@$PeK;z`Hm9^yXl=0<46=fTH^_?61rY1HoU^WOgHSYNGf{JFE19wSw;h)A{4w=uPVVjt^lLHo(Z*@E;EK z=j<=u^%vXv>&V2+#svM(80&vInWCGm5xuOQi4nb&k)fHMpp7e`2E(7*OsuSgj4Yg5 z(Dd>)j(->$A;TXldn0Q{Lgv5d+n-@02OB4Q10#n@@U#z4WyQG@;u^&_NLG;($P 
z<0oWeX=ATot7l+D$n+QDA0H7{M=^!J(U=(jH6m*B2a$>C?~6b5?~jwU)KLP&aO!#-w4uteS%nTg}HK6~Rl038);U5I2Kah<7&HKL?f5rTV ziv9~iNY7Ev(#GW9SpS;Yf9*N`Z~OnI4^1y4D@Di%0Q{32=RbxT^a@6{diHvbW;WK) z^s)ldiZaq7BuotKtPE^_4nolM!bZ+!21Y_sYCoVE|6UZWe;^qDo!tM1!OXz;|3dt| zaQ}h$_Zt0g5FG6P9|)Ge7VbX~|E`Sx4T6z_f%X4QHbQd-t73MQ}x&f7i%;e`PFo`!!f@d{p}d~VJp zljRUiI_D)WEboITAajW8(9ir{jW?nI#R;EJ>zVBM zPVgTDfnTtGDk5Kxb1q7jY~%`@G)7w=_Yb^bZ%!{~Q)lW$U9xh*$c$;9P(9-3G7K5B zK4B%_K2X2}C?da8;?49={qc;Z3h^;NwK;9K)=bRPN&LK@)2XuQ!c@qvl3@E7^+bCe zX>MIhxIvW~lIhQe+NIyNf!3l0_gR|%LP+aMc=4J3tmgK?Y51a)TFKvu*0A4rX4%gU zztw+xoeJ;juJ!uB{5)Hwf1(Ueis%4z5hFS_K)#{~FEiZ0M11*c`NVhePwRAVCBCoq znP(@x+@yyf^^0!n*gj*x!tqUgDCBM_uF5swGq$( zegCm3V^#l7g@y3hHtN&)+?IF6q!p%vl<_RqGgY{iNL_oYMAOyFaU1Q=SM^b4xFTA8 zt`bwlAEB3}j3;>*-ojW7X~4)HtEU>{$yC>ep)opV(m!VttE7^s_uFK{6c&haYbdg1 z)CUjY(C5X5`>u;|syd{4Z)BYx$Y43G+(6hIbMuoYCV-Jdn_XvWDAEqUDY*QPqTm#M?k=jpbI|8cN{=I-;AM-74*AGWZLec{kr=B=j7z&jg7ulTmhXA@!P zQJN*m&%Zp_mmW8s`R&SM3&cm^`Rfp}pehQW^V7pA*^O^pCK+qSFssbX>7qw?s{JFdIe6&ZiaO(~oDA)Rp738>4AsExXX}4gHu#F!xeVVq;>jfj8~QZ1sVH z0N8w;^=M@w(A!+(G|+!Su$)4&gK8sOMOA!hIud=KE{%Gt2oyAOsEJ>-DR=s*`TOlQ z?*q;%OsszBs!ee4 z{Yh0@9|xMcbgj}*4`{0%C+-I5m6kz;oi8TT(rsuyxMDCT)jw%-=o*a342TEVk;pY4 zQhKD;=!K!XUOU_)X~l5%d283Ymg1R0&+pEHqLnZ6p{97~2-AXR8uka$r@ z8b^X54jgpszgq7%I_%o7)hGv80f)0$)9UCOZH>00>_q{Y@-Dc)Te7irdXB&$rpg;C z{kp;r8{$AgfEiDmpKdN@#<^t?aiLXjHF7?>nPY!f(z&Ver;tKcJiV{!mM&4Nye|T9 zG?z&a>eW_@LEYSBym+|}Ok1oQR-m+MrFao*G|=iE>ku$P)r1P4=a zf{Tar(_R;xnWUMz=@aK)+|Iy$)IHbty)>;aLne@iRh!R|8?IL!5aDnj>7+Qv9s=xR`oq ztIRWr<(?eY%ZD420-KrFaMEsm#qN<#Up#HUCf%t^rUJcd;;)F*k#R&M&?`ubi9?04 zLRBJh*LR-Uy?hb=1}S?K4@_sOn{&N_vqPjO#6B+E88IbCI*bKwlvTKGj)pxy@ z9}-imbEYyj7F4Y z74`uj7$IKPF zyA<}=W$rB#iHC5`nVpNT`V|()Mtf~mnqRHj zPIhYZo$d|`y;f=S{@pV7@id9pk-VXRI3XKZ8`Ytzkp!V9wo#bji)Wm>F*ML~HQG;} zZ#g()6zW%Y%k%Z!P(mw=fx}r8S4%a{32}vmx?OJ52YYER+8KA)4QGm zlb0ZnbE&%o4Qk1_q7ec3zKi$t7ha-k&#uZ=1y^yH!O0$CYO{Ea<;q{p89`QsT$amv zr#-WX!rDy_W+!7rm7GYO3 ze*A~0*Utx-``m*gZh<*ZP?OP6Iwe@cuw*wy;=``E#NYh5Ul1~wtrScyW9Ar15)&9k 
z4{WruXk}Xm%E1+uwoRuZy+z5L5a)oVSW;iscWCVPxr`3_ymQWBt2pn1&3K%+e8!pRa0}MI$cEGm}m#yT;MK|T?3G5wkaIZo?k{|Ay5K2B~n`J zq4lD#qwpRxR-2vmLi7ujIZ9(q$bDW`xMjwMiVy!tVF>drt5jH?I@J-F%h>74Fv%5# zbmz(Pib-)26;~TGU@H~OH1&$>1>H2%0gejqq16)NrCk@}WY*Z^q@Eiy-#t0p!>@UU z@ojDgAh!a4yey!~r7XsCeEl%C}b7eaLKy4Z`f0y>@O9s4yfD`|yzK-)Man6zk zDiU<>eL(NHtFnvx7Cox|{2e9HS@(NLk?lqXQVvX9yDOhQ6f^JiH@E&TetjT|R2tw> zf7yys636~3Ny>#H*g~FIc{m-SNO*=??0)Lr(3mPpUKuUkRfW4DW}M^Xug53{2l%5uDfreoStrAqFsd06f&jfl^mW7)d|f)XOD#zbkDT1 z@Y=d4yQ@IGz?EKn=Mapaf&3N<4(%XqYuk~-I~F4DqSohaB)&mSz__{vKC4$ZRULKu ziW@YqG`u{+yW!#Of~(%NQZO>}%>`NHEps!1{LYLfuI@~~zX#~iw$qiTS&6ABA1sWL zV6E8uTH+v?IYPxCkV4S5WklWGx(^Mcs+j?ug`ck{JsBb3`2g)#ns9#IL;hZ=&_v_k zxN1H3h0`a$j77>uzNk|0*uQvZ)XAhF*wmzMK=F04;SYH+=LP1-nO#hUv?_%~Qk`pd zjlE;qWVKlC%QT4coHI&Vp^&js0Sj#RZT^x=7b@Z+%%@M{%WNe&stgkPmc>2Fx{y~& zDx)Yzyx)2trjk#`kk>KfUICKaeh3UcFb0J)y67xs_ttNfM8yPUAPjAHGFX+%$*S23 z-5gEaYI5N%1H??%6QuBN z9+r^d+H^_28>T$K9dvVo-olP&0V6pdX+^auKQFghjn*ET=R!ioHQ+6f${)Ol3E)^0 z<6M?t+GXiUbMG?6np^ytSKaQ5xG@nZh=$E=O%Q4buxHXv;p|2LuaIz=_i1MgFSV?! 
zSwz6Pz5Ms%O!*9U*vp5&Yr)yuvqU zbI~{bfM~jfbwo){7iHFidCx=a)CsLe0jg%}4ONv2{`RgT`n_U-d?5M5YAlTK0Zi^G z9Jeuk;yYgC&$4xnQuAvf9JgVL?yPi>L}vy z71w)JDo5Fo@SlFKZWKGeW)y?YIC}I; zHU+NWefaYVY<+MZ;brBmmV!A%TB${ZtrFNNW9Suc@<=Kfx!$h}aCqh~{pxQX4C$~c zvie|~K+p>yHArY4_l6@E>j0uZIQ+#yBs@340J;+384F%nTnF1v<3_?!*q7V4!i#?%Cz>RIq;F8co?A4oCnF z@zcbk;RF~9s&%<0tft;xV{J|#x8x|+UKtVNJD>LtShfPJ7NHC?7UVdxO*C6gJCp6Vl0k=>nn`zVjARe&HPZ;Huhj!T z>1F3$bca^A7*}dQvG9B7kC^~T`%>xknaaT1TVm`gf8#f%#qi|*W&D6l!y6||inc`Yk&pi%j7#=nlm;}QX~=qRj_yPx$y=$5llMlAvTTlO7| z1Q`8y`7*%f+uQyi%w3i|Cf1XUpMz%(Re{UgCr2@i7#5gByQqCad_QXgu(-Wz?e{*1 z5;mBytnc89+jK*lBo%6#HE){PVKG>{pl`sxK&fcAHy$W}&YJ~FxOGr+mepLBiB-64 z>aBEnVM-x{4yfOZI4q{Q=7FHNbY$5Qn*aOJfu!J^{@Z1FJ|?BE8jtkq#*q{~=kk4!FCHV#B_a=9{h(2Ek$iUE)O%F`ae0mvk&?6uyRm^K|?i@{PevIu;}uye{r63z#0mA z_{P|dV+5pB>&f&%YGMT+>%DEv;uHniKA0*SMB@p{IvgoV@sUiaF+4G6%*!R>@agbD zurQdy)l9UX|H zyF>#wo2vXo7f+;6(XRTmRGyiV)pT{coYk*~1T+r?*pB2+@H}Jy!+-cIX-^8{IwFU)m>Va=- z|1795TWS7a_-PBI`bwy(vyZvFlY!fUdwe+?-5w6SHFBe3T&4ZA3}vfYA1?8Rbe^i$ z*FXIR7rHXME^fuHKdEqwJwTmO2w3YGHN+E}0v4 z2ZPsQTgr6hx6(+sbpXwt9I_&a@Hm(6^w)=+#nw`4V`nVwd+xIBf$M4j8!n4B501u_ zFc-Ul8iI+nB+O2vlLzct8?*a)1fagXj6(x2!cA6l%QjhrZTbQYM55&SoGWibu=AF& z%Ma;0Rlwld0^_DW#B(3LjTp`v4efMV&}ZL9g^k&<2#08BjHafru#O5;gyCYL#*ZIB z60~-^zOrlj!nmrAnq_xOb4|eDH;$f!826VdE}AqBHqPH=l!cJ2Beg2_5rqEY(t9y=1k{~C#5aEb1E=S3O9n4k850jR0^vi6sly`$=P;-0BY zur!jivvO{^z%;kYRgW1=$Ur1rAm~&nXtkUH0Xp#JN4CWJ%qsAjQE=gk!;@RT0V}Bk z5K#Pog0^jo4OlQ)O20Z3bf`$HFJ$atsMmx0d5yJmt` z{)hly*Px=pb``%jic4T$W`k;L^8?XBy$Q0of5|k+uuFD`eBjt+ngo7J%u5Y<&r^`| zA-I(HPQE5*v!6D+R|8Q=2)_Ci{Gu(0re-j#z>ne1HZo8~St;t?lGCd)0UCo6+wv)b zf!-rdgP0$G-s%8{btgC2rg@rCuDLW)2| z!!$~Cf?Sg|*Yr7*bhP9>Q6>lke5G7<5;1Pyif4p=#AXQR8@6c~%W9M{3YPluH_n8l z0e8LwnVhTB7ds0q6Wia6Nzw5X_>Nx$o0RK^&4r>`R0}^_z}fNzgStMHF+Gg4)0YTF zSgqn52*Ee@l;|91=t>N1$W)|cC z#kSw?*c&Vi%=5HP4RD!!W=_XA>5>}5uH05G4?d((wSEgKUbOX?sQ`|qbL>NQZl%y> zthULCm4m@?+b1p3`g!1^Pf1`tEQ#FY)p%*ol%nXkG#_@!W8NZd{gV?z5q9)hH$;#J z)tZ0ugH=^RgnYB>zCdP6ghP;mS2n#iMP>)%yMIiZLcyz+ygLRuH)FyeVU8^y85I!Z 
zKUU0gj0iw{Lnx6iy+~q>5N%O*$q1NkT}zcGM>K^u)EgszB(o}LpGs>FmbXk*u9Flj zUi{S-4#xT|BD&_&*dZ&69pyT(aWE%}EKrJP3wBCC=6IwcKD-dqb7v%RjhQH9W(KY6;J8_f1O!)#!q$&y_3#8I_XaX z8EDJB@`p@v{hXg50#!7{{bm8q!N*L$S3l6x4{rd@e5I*?3I$c|>5UG*iNLL$bFZ0l zQ|5NGTmVF4I7E9nj7-h0V{$T?XebVf=osiY9%)vp#H}YH3Q>cRnV?D+lR}UpiuBcMR+_GdxM7Mfg#Z22)-{hjR+Ub6% zR~Af}#e@+-rKwD z27f3Y>lqSM=d8dz(*9FKQqqQ|1#c>KOAie7@x4y0YlrTes!iD!(}&O4NXifKGCcZ_;=%YvcnTo=9E)^d( zjr_&&EaX$QH9NX9ECrXEBxZyn=7rYmcZ`G|tC|aq!|6&noy~szxA|Ul#5KcWD_DMe zjs}eoRM$K1%lULtjf@gq#;A{tnLOY$&%pF)2Wyy>E&3npPwM1LWYwpyn{Qkbk?J$S zUe1ql&Zf-_zym-oGmu^@uaTu=Vu$_1jX}wM-AaUuwHOT|nctx#w-uuN>Bwg+u2xH* zkHWw$KdR_3rXcHKGs%F+LD++TJ&$}VvrivSULW7&nuT1|;#nv&CXE7PsBX~>S=pHq z@3AV&5X}+gR6S&8jCp-tK-p6yOon7Vc%OND`TS*jI`KBiM}XZGvxDTs{!+siXHK-m zZ{-PmW|RHg=>uvJ+?M`4>+}Rus4%#aoMXQ_XS4y8LQre^5^K|^K6mh_cHR&vrgy`% z@Mw^z9FF3WL15=g?ikE`!zCrhUk2V1er3XK@t!7R7rJc+ztBy( z3#539GH5_CI)zgu=NR~cnB;L|Y%!T8lQ35SZUKx@l^*Q|kJ`xjyIluJDjCk(`Ds{4>PzYuVjNT*x&j)1N*eYkcKR*~9 zyp?HaK!V4sSc(&b7*t$)a6zN{DM$1dDtEt3_&O>^htVy0$qx}GOQ+Gapl|k~DV++b zSq_{bOlS5*eJeEs%MA^EuwtD8fZq^*I=Ah!X5B`$GoqeZ6q<1i#w$S1$HY)8?RBa_ zRs%df$SmHagCRb9(^LRtN+BxXwFV%mVMHieI|pa0&z-bI?anZXR<*f{gUEnjcs)f! 
z&pyjT5R_vD64MI;VV|Bgxq>6>lBgUS1D^7jN&Yw*7b4;OQ7HKM@GHJ5wg!8(T{e!T z$oS~?LE!gsxe=+a1al$G_Xx0iOs&9F=&e}~D&Wy(kudW03lHeIHUwvmnCA&MbYCA% z_s))_$4tp>sqCG-8;Oi*f{6}0EqY*#XGdvyUjJglUqIXno60QmrQ4!9a(hO<;AKoz zZ7K6n1L@(qXrVjhf!x=sJTl$YvoS5tQ}B6Y;_-f#2{cuMs}lquu&G+{FMrb<=0mo@ zZL4LVw<)vpKB#uzZxFmjRh%{;%~ESFCAXP1{vdfVgytp3K+te2&|>1{&&`c+X&dcJ z@Qq}htIHS&RyXlNs+j~`>}x;2lTSCY;fKRX+vtW|hpYCxM=5)il#ta8!gk32o@eZc z0Vv>f_2IG9Nrc>ez$BN9lN9n?_i#HT1HqvOG1Yuj1-D4=F%(_383asqR5;7H`ASyr&HBa!uH zV1s0>j>)XcESLyS%LJ3mRnw(-5lJ!56^UvMfa}7nr|r<4H_NrdA@kD8_FOjG#i^zz z;c2s`o8@B~?4je^Wmt934c~C(PUVurVA9J3?tH^e)|Y%^3&+tZjlX5lf`uj1zAV1$ zr#!`DPi{G0}zIee5nd@Wc3fa>Cc$mXFlsheXP;9#iy&IZQf^_NI*CXIw2Ur%+ z5#Ij1v0v0|3DA!)h5bm3c5z3(c#cnPH0&6gF<{UZt=p82_YXZFekW}34`#qsOQ23y z+_zB+T%ttddDzxGFLe9v<8ZlG(UCR7AvW#W%g2Vnwry{YtqS_Q020OQH8U0T z$X-c;kcSlDy|_DsUJl4+y{u0o|`jB6m%|U`!EF7MVEN?CyuJfR#W;_{Q1FL zN5d*5C8|ixVwqZ`X>SB{FeIPWtWRcM)!{HOSBlBEM(bGW)WDtPB?RDSA|wrMUC+5O zD^0cs={?+wN8=iE8)L!GtuKio-o>*oy`aaZ44H*@sBh)0D`1gDH!Ahg=o;qd@c2>p z=-4RUGWZ;h`kV0OHD;>FK2`xpo+2u{bsBQKm!NX<`8N-1plmf6u0hHS*A=%FQK+))U?+FXrTARyVo4ZZk{LZY_d1owhzS&)eY;xw%EXHbwu z;@_vVY$@s-LgzRiDQ+$KS*l0W<>78TB1+nyvbv(-4HLxHW80J28LKc*LHfPSD-KLx zC|#czGSC`Vk`gsLmREQLm(NBJbw>61rg=uU!(m&l`bX?dA%n0n#rJ?bnxICX>{9_W z%86PXSGy+B+F;SWgN-||YCCpa6_(mE-7_A0F&$J;c>k^5kBpQ zS&DFhWMCj`zkSwMwE>|m-(#q$d=}y-M4&hIRq;rZ+zZ+j-xjG3km7kJycXg_9iak7L6b`rJArj z6eIOH5q#g$H3b|oV)f;vU~pr)c9<-oq(u~}%)kaDScA%^8yTBIc99oL&lWnF0~oR& zp__FQ67^=L2Ey>NXKKAT=$`h0gJdcSwAAUd*SB$bL;d)+4(ol;HF%7?wjQphDouEi zXrb2R`BXRCv*kn3KG^P=-?c>;`T8u(=9lDEVq7Y{Jw`hq zmQ0D8$0wQoH#B8#mt%`co2%(n3EQ#Phq_4g#u61>+O#|1F69oU^hD087sgdvZ3p0wYW&E zji&2nU{UBG8_wn?R#)os+$=OiQW+_>uozS{pG)`+MnaET*xeFXUaAfu}3f2{Dz9eV$Hw&uh-!dns;qy9w8Tlcwcs2aV2%GUR+2QgA8(H=DW4@+slplO%V__v9P^wgk~2GMN(JPAdK?daUMuNsA+|z>UaEh zxmjl#?+4$kUf!F2$PNaS_n<#K#-_`8f&dUJB2bT&q+*{5z`Me*=<*fn2GM5Ip3;#F z%xT8VWDkW!q6D6grnpm5#AH>CKC*6F>rTp%v*kR*n`xQd>cJFhisXz&G^y+D^Ddr zqg4~Wz=G!Cyd$kDJzqY01HJRwM3P{0;;|3DQ!LQ+h#3X#7qLshuV57ahkVy1*q|jo 
z^FF$L?*bxynL`+BI93m59JS2u&BJCG(jJvw0z!^a8pOn&K83{;YlVeddxq_ubY*-T z^<5wr7YzUiNx^Igd-WlSwj7o;w|JwlXmBWw*-W)FzRen`hW)j1&434Rrt**KxN#@k z_{T%9grZt_OqhL$&sX7JeP%71zgc*GkA3f$Bf_tdglSdo9~46@M=;6F`sS{kHCn^c zh;GaPWI`izEnHoVB|i6N`9R>=Xx&|A^#B8xAo;?`go1P`Jx8=)MQ&Pv7&B3 zU)4s>w`P~$(*4*2X*45a-)9|tNs}3Yg|`x;Ewc#N>=mr3K7n(*!G2Mve(E+$D&0OM zw>{h95{1q`h0yX;v*@-+5_`A1_YZ1w;C^{beJe=zzA$g;bE`w5!Ib$(A$Qa9m*7K> zxX(!@skv#(ju&4XtMMG+-5#mqvk{X~+8okvGVl(rNxlTpu7W!}<2{bQC*;K>M^bIO zY3Cv)fVY>MzG(MVaM*0zuYK8mmHN#*OTGVCcd!>9J-TU`oXuSSgD z?=lZtbbhH7acFee$MZ-;r^ai*6Hvog)suM(v+s0C+U&@MFn4Hbt}oJ3hO2m^%V%pX zY$O5eG3-YTX&f4MXE_&u>!K7_K#g^-&Ky9FJ#S`b^>g{aksfHQTZod=%L-eSIDacu z$Ov!M(-}WNYpOIhWG#<{AEJ$75_lJ?0C%53R4-fkoIg3pzH2M1BX0&&zqvA2IoX(5 z*5#Y)Hz$C^E9sO0f#)$Do7HsQm+A0$=THnuI#h6omJ#fpH{?ony_C|6|Hltz5U+YM z@wj79#<0T@A}^T^jA!?KFpC!h1hq*s_B{}7*0d(lVZJoU%T*J4WejLRg+R*`Yl;fB z%zQEZRkPj0*Ms9O@7RkwsmFm3GL>2`>+A!Gdn3)Vi| zU@Zv>1a~DmxsbA{NZNBD$CFeGk2`e$rKdAZUS#z*gA@3|RwXc9qW*GT1u&*ghSlOR zHS<|CWxe~xY>8E1la8=OiCTWx@$Dd-kr?d(VX9!&N`3&|342srzhf}owoP*?c(AsE zi81~YLSt$`@<@@14^`S>yo>m}HBjKRdwMMiP^lWbxpr_NtW#;UE~Z3k^2+u4HNeJt zPQ_7?Rd@eq{s}j+at8^g%c61s< zRsT7kKoauCBi_je` zZ4TCTi|37kaOt?=@X4`s%3d7(@)~`KPebP`3GR$>&j9IE39NIoO?Fu4h)oM86Devw zD^^GfO5m$^GL+4ah<{GZX)q-FrgH^1eftD!J^dYoT@NmPdL;*uXDtQZkF1TNxCt8c z_r)~WnWnIoXVGn)vMYu)tWq`uOluGwgBGbiNOKef_P8#UVs8}0X&TH1b>)@zZ6dH) zREdvkna)KZ_`~IgAjU35n{eT}|7oOQ?{yz0d-kB~>7q_DSTlD=x^B{y>1UKK&p z46+jv_Bqc~9^Bp=F%*d%aAjDnAiOfZqHV|}kD4CldtY?ax?{?l^%~bZh8;nSWb~nN=Q-mXwop<`n2VcjJC7*WE<2$aLDT|2iDUS$%4F|~A z37S|o2Fb@Ep7>Y%rdDCu*UMSS>LbBbp8SH&GC*yuLPPj*>FO03BvOup>@#r3?NN!~ zft-pYerx_|qh$;5##iiNcKg%`cQ)_Y6+tW2T`|&`#;EfV;NwUq_4(*tVv3o@^sCbx zGQ?XOVD$p?9F6R={y4=Nf8gEm`Tpi{=-rNUsx#CT<%9Rd_389}_PliSRlY~><0EIa zSm^Wd@^R<$^|19x9}O|!|Chw>|JDrtt=IcUmnF~03eEVpx{h9+6Z$Wun>@WdBO~`BQaQbJ0~P-*+#K|RUy`#yhse>1OneeRs|`P_Rx@AJ8z*PL_beRMT~&IEEtp!Wt_zQG}Yo&Dx-y=K7cPyUf-E z&8Y~O>!eh3hv~MsIz!i}BZMke!-V)3`r7|s9tOV3ydD%5Q)%_n#zXO0Vz#*nSz@Qf 
zWt;d}{7{v|TVL$g$R})x`v*&Z0s8+LNc3t;|2A?>fB?(LsFx(@$f2&y2fw^^jXFuF z@*nJDb0Pl=5%7ON5`|rbnsK5OwXq0)b_?FYLPQ;E^~04aWgEEF8SMbm(Bk78>0PKrRwUe^NEsw<1W4 zWy8q!=c0Dmu}fso<#CHp{x}IZdpeOGMEm)jMDz5dfNW!sUhDutAaO90AV0FNFU)GG z(OGINmKwXI#&W4KUTRF28iS=~?_%Thw_S^_`PHtKu3Pk^3E7YGUmUFka-|)hXbb=a z_ct~`I4sVI&0qBj0>Hh9805}oOM^m?)lBx+r_j8p%U{_`gslSyLSP0U1)1hfq4F<(`YM_VM4mcWaJ} z3=PidA*tWCQ@yledRu(AlDWT#olRprX}5m{kSZsaGA<`WM!p4~_)ktxw$`2Kc+siN zzm~J{v*K+h=NrnITF`PIMfJ2yzk$(92|~m?oZDcl#tq9K>GP5rce5m)xOIg&{ zcgk{Jt2ez0m~D;F_~wxv(@34-X3ddNk|w5_XVzxX_T^7-pN^4>7%0&^R`u6JyUI|x zbmcbp0PW6()T`bsDfNrbL#!8y`$PMZ_D;9`F+S6FM*F4k#G}csZ;8Q0ePP@hR{QtM z^;f9uxWIgVPU}n$9-|*%r0nC44f8$&^@(?3X>vwu7{f@<%}4CV`}xN2*4LWOheKR$ zHQ$Je2NM!8W;)e6h6!=@wXVXoAB9H`;T4*R95Ja8T34$yEaXL$$DZlre&67E$<8eF zZKDM1-3))nlYFnpuL=Pa)qCZ-``4wOZg`=Fe_!-9O>jn2*z|g#%x?SGd9I^;fqk&QE~eg37gLXwr;N1H zl{=zqf_WW;1F@*JUF|i8W{@gUR^XqlBuw_ySBRNZj*s|v4IzvzDE9AbvPr$h)<=&h z?n9wCPmYL3eLE#U-Riq(Sdi!H3r~Wox7Oyk;%(lL?O|<51ve=(j&1`=Y>{<5pE*P% zX-6nlcfQBG$X2oZsC|#urkdgImi-+**c}Zwm7mYHTNh@Q___``t_L4gP-F9~RJG_) z*Yo9qZ_)P^J%i^Rv&U~PR4`0&%-{1~DfF^&+_5)|Jk$62WtVjH-gx^|J$t*5K7Ie% zLNSWlJmqTn&_oPNuI}K3Zs7y4YLlvF6G8>PyWI$<*_Ox5`U4O$=U0<6*SMa$vu$V6 ztAb?p)akqKmf!RR6><*~uTR(Zo+|o$AM^C78Gg;D0h0i_QHtqfs|9Ahm^n3^JMzmz z2))?#QDCy`ly2;3c%8_4O>Go0BO#5$-|$tG2EI85?%KT9fVc0;Fmv08+{2?6HSh0`~|3Oh# zh2nSOde13SvD=oD#*0|+Fk`cm$J~&4Suqlg==I_KDP32Y|HofbJhbr z)?qvwaBi}YmeY;yM;=1m98{ugcXBcL?u{j1To{!>zbqGq>8yLVdzWBINyv#_)**j0 zzqgjN?k6DJssxqN^pWj0jXS$GLMtp(u+yWwGemngw|DehVGmqEP4t#jiJAjOnLEml zYZDSoH)ZBW^4xIh*5+zBRXTKfhK!7@gsHv=tQAy!BXX%eN%s zZ@LEw!|OL{IUSaG`8nnTS^4E@mFPzGM}+c5?5!5HE0(M%)AfRhZA#gKHd_K}PgUL3 zc9Up}?uZpD+m@G`1PQGca6}b(5mAC@=}ZHw9B6_Ceh%7tl{t?ru?e{wd7DdSn*uyu zNw@KE=lM@f#nqN^ag2NBW^r)oLb2>InuM<4i=k?36K5Bh2ZuQ_-Gl^l0FiA_bB+UY zyK?Ol9e>?;dE-!^>dcg7eY0usS?a{F;xQ~ZFNTDt!leY@^6(^ zlC-TXEqKJ#lU_IKVu#SNN_u+)9k=#AbZ?A{M%9;r^T%IC%)R}vuTG%ona8IT*_uG+ zxv_%X4{i%PVtgfIs55H#!JzAFPH6H_Yhq=f*A6Qg#*1#MhZxQ(p6PQny7G 
zsBi4f;w!HyGp3zCOjRU^Y7qRzH(pMwD3IwLe7w1wCw^v6)%jT2i?bHeO}?SYhUo*v zW%n~jo@M;mUAg}|`SS@zPV0p!{ki5*eM0&;Of_=sLp!9_^!mWWJ}ehP>lsF=jZ+Q# zv{U7%8#VRRHNhOmE~nN>S*{vc;eiL82vgC8cNN|F7{(o^-q@C5bOiO(G+b^>1^cBg zov3nI6E?QXLWJdhKni_^7)Rr`Id@wT@UlLBj=BoMQ?W$o<83^ zy0bBDS6gp-hmIQ}C+Wo5ytwa0>T=Z^3p5R~Z)ywo%pFHHXscWI?AV}j{W7cLzVeeu zJny*d!CectT`oL&rWDW|r_AETmmhxK;{PhqWu2Wxx?qFH_RVD8@jQJ;O4FS9bCTzU zUg_dX$rcWxNj}}Ndexs`A~sg#?=y&)bo~ORHG_d)PZf%ye^#t}D&0t;$Gl6K3J~oG zlk^;;@_ZGP|K`qP?snC-b@=eOQ8MSk+^#>b^t_u1nY_929#i;nEcBv-WfPQH_u!8M zA#P8i-ci5!@l>6WL_4=<0WV%;8-3?6PvFj59kBfp>w=M)M~FKmP=TmxW(4R_89~8I z(HVeO#UK>HU({f^Np=Q-1eQ2bAnioL;b5sAI2M7%V3BOSF~j5kQd!Z0eJKh=b`?uH zI2vkTsSO2-2{EAikg86c2 z#LJf)1n8&&M1OyZZ?NLe5;>uP6i+Z}Lt-HCpDzH5!JsgJC$KC-;@GJO_6wjd%a8~J zI}Ni!21jDiU`A!742584SysxBXe^krSt*0V*;$~KG9((ksvi=E1s(8PKRg_aBv!}} zI5ZZFM_0(;NIdR$83Ko5N5sGNBcOi2E&_)@t?CC3{T&wsmVjG@3kr_=-Da@R5&rl2 zB5>GMSRt@@&=V`|17!p-^j~2!cwH2jNLVSuqj0NaI06`d|Lg}Y7%(ym1gob4FiTn( zSV{{6fEBqIV1+Aos0P3c=$;IKz2d?0S_UM*K}{Ep)gltGaHK98MbyEeFuGW6v=$0O mgrm^fI(UM{zxQxr*WC&VCI<#DE) { - - # Fix a db2latex oops. LaTeX2e does not like having tables with - # duplicate names. Perhaps the dblatex project will fix this - # someday, but we can get by with just deleting the offending - # LaTeX commands for now. - - s/\\addtocounter\{table\}\{-1\}//g; - - # Line break in the middle of quoting one period looks weird. - - s/{\\texttt{{\.\\dbz{}}}}/\\mbox{{\\texttt{{\.\\dbz{}}}}}/; - - # Add any further tweaking here. - - # Write out whatever we have now. - print; -} diff --git a/usr.sbin/bind/doc/arm/man.dig.html b/usr.sbin/bind/doc/arm/man.dig.html deleted file mode 100644 index a33516d0f06..00000000000 --- a/usr.sbin/bind/doc/arm/man.dig.html +++ /dev/null @@ -1,665 +0,0 @@ - - - - - -dig - - - - - - - -

-
-
-
-

Name

-

dig — DNS lookup utility

-
-
-

Synopsis

-

dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-q name] [-t type] [-x addr] [-y [hmac:]name:key] [-4] [-6] [name] [type] [class] [queryopt...]

-

dig [-h]

-

dig [global-queryopt...] [query...]

-
-
-

DESCRIPTION

-

dig - (domain information groper) is a flexible tool - for interrogating DNS name servers. It performs DNS lookups and - displays the answers that are returned from the name server(s) that - were queried. Most DNS administrators use dig to - troubleshoot DNS problems because of its flexibility, ease of use and - clarity of output. Other lookup tools tend to have less functionality - than dig. -

-

- Although dig is normally used with - command-line - arguments, it also has a batch mode of operation for reading lookup - requests from a file. A brief summary of its command-line arguments - and options is printed when the -h option is given. - Unlike earlier versions, the BIND 9 implementation of - dig allows multiple lookups to be issued - from the - command line. -

-

- Unless it is told to query a specific name server, - dig will try each of the servers listed - in - /etc/resolv.conf. -

-

- When no command line arguments or options are given, will perform an - NS query for "." (the root). -

-

- It is possible to set per-user defaults for dig via - ${HOME}/.digrc. This file is read and - any options in it - are applied before the command line arguments. -

-

- The IN and CH class names overlap with the IN and CH top level - domains names. Either use the -t and - -c options to specify the type and class or - use the -q the specify the domain name or - use "IN." and "CH." when looking up these top level domains. -

-
-
-

SIMPLE USAGE

-

- A typical invocation of dig looks like: -

-
 dig @server name type 
-

- where: - -

-
-
server
-

- is the name or IP address of the name server to query. This can - be an IPv4 - address in dotted-decimal notation or an IPv6 - address in colon-delimited notation. When the supplied - server argument is a - hostname, - dig resolves that name before - querying that name - server. If no server - argument is provided, - dig consults /etc/resolv.conf - and queries the name servers listed there. The reply from the - name - server that responds is displayed. -

-
name
-

- is the name of the resource record that is to be looked up. -

-
type
-

- indicates what type of query is required — - ANY, A, MX, SIG, etc. - type can be any valid query - type. If no - type argument is supplied, - dig will perform a lookup for an - A record. -

-
-

-

-
-
-

OPTIONS

-

- The -b option sets the source IP address of the query - to address. This must be a valid - address on - one of the host's network interfaces or "0.0.0.0" or "::". An optional - port - may be specified by appending "#<port>" -

-

- The default query class (IN for internet) is overridden by the - -c option. class is - any valid - class, such as HS for Hesiod records or CH for Chaosnet records. -

-

- The -f option makes dig - operate - in batch mode by reading a list of lookup requests to process from the - file filename. The file contains a - number of - queries, one per line. Each entry in the file should be organized in - the same way they would be presented as queries to - dig using the command-line interface. -

-

- If a non-standard port number is to be queried, the - -p option is used. port# is - the port number that dig will send its - queries - instead of the standard DNS port number 53. This option would be used - to test a name server that has been configured to listen for queries - on a non-standard port number. -

-

- The -4 option forces dig - to only - use IPv4 query transport. The -6 option forces - dig to only use IPv6 query transport. -

-

- The -t option sets the query type to - type. It can be any valid query type - which is - supported in BIND 9. The default query type is "A", unless the - -x option is supplied to indicate a reverse lookup. - A zone transfer can be requested by specifying a type of AXFR. When - an incremental zone transfer (IXFR) is required, - type is set to ixfr=N. - The incremental zone transfer will contain the changes made to the zone - since the serial number in the zone's SOA record was - N. -

-

- The -q option sets the query name to - name. This useful do distinguish the - name from other arguments. -

-

- Reverse lookups — mapping addresses to names — are simplified by the - -x option. addr is - an IPv4 - address in dotted-decimal notation, or a colon-delimited IPv6 address. - When this option is used, there is no need to provide the - name, class and - type arguments. dig - automatically performs a lookup for a name like - 11.12.13.10.in-addr.arpa and sets the - query type and - class to PTR and IN respectively. By default, IPv6 addresses are - looked up using nibble format under the IP6.ARPA domain. - To use the older RFC1886 method using the IP6.INT domain - specify the -i option. Bit string labels (RFC2874) - are now experimental and are not attempted. -

-

- To sign the DNS queries sent by dig and - their - responses using transaction signatures (TSIG), specify a TSIG key file - using the -k option. You can also specify the TSIG - key itself on the command line using the -y option; - hmac is the type of the TSIG, default HMAC-MD5, - name is the name of the TSIG key and - key is the actual key. The key is a - base-64 - encoded string, typically generated by - dnssec-keygen(8). - - Caution should be taken when using the -y option on - multi-user systems as the key can be visible in the output from - ps(1) - or in the shell's history file. When - using TSIG authentication with dig, the name - server that is queried needs to know the key and algorithm that is - being used. In BIND, this is done by providing appropriate - key and server statements in - named.conf. -

-
-
-

QUERY OPTIONS

-

dig - provides a number of query options which affect - the way in which lookups are made and the results displayed. Some of - these set or reset flag bits in the query header, some determine which - sections of the answer get printed, and others determine the timeout - and retry strategies. -

-

- Each query option is identified by a keyword preceded by a plus sign - (+). Some keywords set or reset an - option. These may be preceded - by the string no to negate the meaning of - that keyword. Other - keywords assign values to options like the timeout interval. They - have the form +keyword=value. - The query options are: - -

-
-
+[no]tcp
-

- Use [do not use] TCP when querying name servers. The default - behavior is to use UDP unless an AXFR or IXFR query is - requested, in - which case a TCP connection is used. -

-
+[no]vc
-

- Use [do not use] TCP when querying name servers. This alternate - syntax to +[no]tcp is - provided for backwards - compatibility. The "vc" stands for "virtual circuit". -

-
+[no]ignore
-

- Ignore truncation in UDP responses instead of retrying with TCP. - By - default, TCP retries are performed. -

-
+domain=somename
-

- Set the search list to contain the single domain - somename, as if specified in - a - domain directive in - /etc/resolv.conf, and enable - search list - processing as if the +search - option were given. -

-
+[no]search
-

- Use [do not use] the search list defined by the searchlist or - domain - directive in resolv.conf (if - any). - The search list is not used by default. -

-
+[no]showsearch
-

- Perform [do not perform] a search showing intermediate - results. -

-
+[no]defname
-

- Deprecated, treated as a synonym for +[no]search -

-
+[no]aaonly
-

- Sets the "aa" flag in the query. -

-
+[no]aaflag
-

- A synonym for +[no]aaonly. -

-
+[no]adflag
-

- Set [do not set] the AD (authentic data) bit in the query. The - AD bit - currently has a standard meaning only in responses, not in - queries, - but the ability to set the bit in the query is provided for - completeness. -

-
+[no]cdflag
-

- Set [do not set] the CD (checking disabled) bit in the query. - This - requests the server to not perform DNSSEC validation of - responses. -

-
+[no]cl
-

- Display [do not display] the CLASS when printing the record. -

-
+[no]ttlid
-

- Display [do not display] the TTL when printing the record. -

-
+[no]recurse
-

- Toggle the setting of the RD (recursion desired) bit in the - query. - This bit is set by default, which means dig - normally sends recursive queries. Recursion is automatically - disabled - when the +nssearch or - +trace query options are - used. -

-
+[no]nssearch
-

- When this option is set, dig - attempts to find the - authoritative name servers for the zone containing the name - being - looked up and display the SOA record that each name server has - for the - zone. -

-
+[no]trace
-

- Toggle tracing of the delegation path from the root name servers - for - the name being looked up. Tracing is disabled by default. When - tracing is enabled, dig makes - iterative queries to - resolve the name being looked up. It will follow referrals from - the - root servers, showing the answer from each server that was used - to - resolve the lookup. -

-
+[no]cmd
-

- Toggles the printing of the initial comment in the output - identifying - the version of dig and the query - options that have - been applied. This comment is printed by default. -

-
+[no]short
-

- Provide a terse answer. The default is to print the answer in a - verbose form. -

-
+[no]identify
-

- Show [or do not show] the IP address and port number that - supplied the - answer when the +short option - is enabled. If - short form answers are requested, the default is not to show the - source address and port number of the server that provided the - answer. -

-
+[no]comments
-

- Toggle the display of comment lines in the output. The default - is to - print comments. -

-
+[no]stats
-

- This query option toggles the printing of statistics: when the - query - was made, the size of the reply and so on. The default - behavior is - to print the query statistics. -

-
+[no]qr
-

- Print [do not print] the query as it is sent. - By default, the query is not printed. -

-
+[no]question
-

- Print [do not print] the question section of a query when an - answer is - returned. The default is to print the question section as a - comment. -

-
+[no]answer
-

- Display [do not display] the answer section of a reply. The - default - is to display it. -

-
+[no]authority
-

- Display [do not display] the authority section of a reply. The - default is to display it. -

-
+[no]additional
-

- Display [do not display] the additional section of a reply. - The default is to display it. -

-
+[no]all
-

- Set or clear all display flags. -

-
+time=T
-

- - Sets the timeout for a query to - T seconds. The default - timeout is 5 seconds. - An attempt to set T to less - than 1 will result - in a query timeout of 1 second being applied. -

-
+tries=T
-

- Sets the number of times to try UDP queries to server to - T instead of the default, 3. - If - T is less than or equal to - zero, the number of - tries is silently rounded up to 1. -

-
+retry=T
-

- Sets the number of times to retry UDP queries to server to - T instead of the default, 2. - Unlike - +tries, this does not include - the initial - query. -

-
+ndots=D
-

- Set the number of dots that have to appear in - name to D for it to be - considered absolute. The default value is that defined using - the - ndots statement in /etc/resolv.conf, or 1 if no - ndots statement is present. Names with fewer dots are - interpreted as - relative names and will be searched for in the domains listed in - the - search or domain directive in - /etc/resolv.conf. -

-
+bufsize=B
-

- Set the UDP message buffer size advertised using EDNS0 to - B bytes. The maximum and minimum sizes - of this buffer are 65535 and 0 respectively. Values outside - this range are rounded up or down appropriately. - Values other than zero will cause a EDNS query to be sent. -

-
+edns=#
-

- Specify the EDNS version to query with. Valid values - are 0 to 255. Setting the EDNS version will cause a - EDNS query to be sent. +noedns clears the - remembered EDNS version. -

-
+[no]multiline
-

- Print records like the SOA records in a verbose multi-line - format with human-readable comments. The default is to print - each record on a single line, to facilitate machine parsing - of the dig output. -

-
+[no]fail
-

- Do not try the next server if you receive a SERVFAIL. The - default is - to not try the next server which is the reverse of normal stub - resolver - behavior. -

-
+[no]besteffort
-

- Attempt to display the contents of messages which are malformed. - The default is to not display malformed answers. -

-
+[no]dnssec
-

- Requests DNSSEC records be sent by setting the DNSSEC OK bit - (DO) - in the OPT record in the additional section of the query. -

-
+[no]sigchase
-

- Chase DNSSEC signature chains. Requires dig be compiled with - -DDIG_SIGCHASE. -

-
+trusted-key=####
-
-

- Specifies a file containing trusted keys to be used with - +sigchase. Each DNSKEY record must be - on its own line. -

-

- If not specified dig will look for - /etc/trusted-key.key then - trusted-key.key in the current directory. -

-

- Requires dig be compiled with -DDIG_SIGCHASE. -

-
-
+[no]topdown
-

- When chasing DNSSEC signature chains perform a top-down - validation. - Requires dig be compiled with -DDIG_SIGCHASE. -

-
-

- -

-
-
-

MULTIPLE QUERIES

-

- The BIND 9 implementation of dig - supports - specifying multiple queries on the command line (in addition to - supporting the -f batch file option). Each of those - queries can be supplied with its own set of flags, options and query - options. -

-

- In this case, each query argument - represent an - individual query in the command-line syntax described above. Each - consists of any of the standard options and flags, the name to be - looked up, an optional query type and class and any query options that - should be applied to that query. -

-

- A global set of query options, which should be applied to all queries, - can also be supplied. These global query options must precede the - first tuple of name, class, type, options, flags, and query options - supplied on the command line. Any global query options (except - the +[no]cmd option) can be - overridden by a query-specific set of query options. For example: -

-
-dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-
-

- shows how dig could be used from the - command line - to make three lookups: an ANY query for www.isc.org, a - reverse lookup of 127.0.0.1 and a query for the NS records of - isc.org. - - A global query option of +qr is - applied, so - that dig shows the initial query it made - for each - lookup. The final query has a local query option of - +noqr which means that dig - will not print the initial query when it looks up the NS records for - isc.org. -

-
-
-

IDN SUPPORT

-

- If dig has been built with IDN (internationalized - domain name) support, it can accept and display non-ASCII domain names. - dig appropriately converts character encoding of - domain name before sending a request to DNS server or displaying a - reply from the server. - If you'd like to turn off the IDN support for some reason, defines - the IDN_DISABLE environment variable. - The IDN support is disabled if the variable is set when - dig runs. -

-
-
-

FILES

-

/etc/resolv.conf -

-

${HOME}/.digrc -

-
-
-

SEE ALSO

-

host(1), - named(8), - dnssec-keygen(8), - RFC1035. -

-
-
-

BUGS

-

- There are probably too many query options. -

-
-
-
-
-
diff --git a/usr.sbin/bind/doc/arm/man.dnssec-keygen.html b/usr.sbin/bind/doc/arm/man.dnssec-keygen.html
deleted file mode 100644
index 0a54c1c2817..00000000000
--- a/usr.sbin/bind/doc/arm/man.dnssec-keygen.html
+++ /dev/null
@@ -1,269 +0,0 @@
-
-
-
-
-
-dnssec-keygen
-
-
-
-
-
-
-
-
-
-
-
-

Name

-

dnssec-keygen — DNSSEC key generation tool

-
-
-

Synopsis

-

dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

-
-
-

DESCRIPTION

-

dnssec-keygen - generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 - and RFC 4034. It can also generate keys for use with - TSIG (Transaction Signatures), as defined in RFC 2845. -

-
-
-

OPTIONS

-
-
-a algorithm
-
-

- Selects the cryptographic algorithm. The value of - algorithm must be one of RSAMD5 (RSA) or RSASHA1, - DSA, DH (Diffie Hellman), or HMAC-MD5. These values - are case insensitive. -

-

- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement - algorithm, - and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. -

-

- Note 2: HMAC-MD5 and DH automatically set the -k flag. -

-
-
-b keysize
-

- Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be - between - 512 and 2048 bits. Diffie Hellman keys must be between - 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC-MD5 keys must be - between 1 and 512 bits. -

-
-n nametype
-

- Specifies the owner type of the key. The value of - nametype must either be ZONE (for a DNSSEC - zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with - a host (KEY)), - USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are - case insensitive. -

-
-c class
-

- Indicates that the DNS record containing the key should have - the specified class. If not specified, class IN is used. -

-
-e
-

- If generating an RSAMD5/RSASHA1 key, use a large exponent. -

-
-f flag
-

- Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flag is KSK (Key Signing Key) DNSKEY. -

-
-g generator
-

- If generating a Diffie Hellman key, use this generator. - Allowed values are 2 and 5. If no generator - is specified, a known prime from RFC 2539 will be used - if possible; otherwise the default is 2. -

-
-h
-

- Prints a short summary of the options and arguments to - dnssec-keygen. -

-
-k
-

- Generate KEY records rather than DNSKEY records. -

-
-p protocol
-

- Sets the protocol value for the generated key. The protocol - is a number between 0 and 255. The default is 3 (DNSSEC). - Other possible values for this argument are listed in - RFC 2535 and its successors. -

-
-r randomdev
-

- Specifies the source of randomness. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. -

-
-s strength
-

- Specifies the strength value of the key. The strength is - a number between 0 and 15, and currently has no defined - purpose in DNSSEC. -

-
-t type
-

- Indicates the use of the key. type must be - one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default - is AUTHCONF. AUTH refers to the ability to authenticate - data, and CONF the ability to encrypt data. -

-
-v level
-

- Sets the debugging level. -

-
-
-
-

GENERATED KEYS

-

- When dnssec-keygen completes - successfully, - it prints a string of the form Knnnn.+aaa+iiiii - to the standard output. This is an identification string for - the key it has generated. -

-
    -
  • nnnn is the key name. -

  • -
  • aaa is the numeric representation - of the - algorithm. -

  • -
  • iiiii is the key identifier (or - footprint). -

  • -
-

dnssec-keygen - creates two files, with names based - on the printed string. Knnnn.+aaa+iiiii.key - contains the public key, and - Knnnn.+aaa+iiiii.private contains the - private - key. -

-

- The .key file contains a DNS KEY record - that - can be inserted into a zone file (directly or with a $INCLUDE - statement). -

-

- The .private file contains - algorithm-specific - fields. For obvious security reasons, this file does not have - general read permission. -

-

- Both .key and .private - files are generated for symmetric encryption algorithms such as - HMAC-MD5, even though the public and private key are equivalent. -

-
-
-

EXAMPLE

-

- To generate a 768-bit DSA key for the domain - example.com, the following command would be - issued: -

-

dnssec-keygen -a DSA -b 768 -n ZONE example.com -

-

- The command would print a string of the form: -

-

Kexample.com.+003+26160 -

-

- In this example, dnssec-keygen creates - the files Kexample.com.+003+26160.key - and - Kexample.com.+003+26160.private. -

-
-
-

SEE ALSO

-

dnssec-signzone(8), - BIND 9 Administrator Reference Manual, - RFC 2535, - RFC 2845, - RFC 2539. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
-
-
-
diff --git a/usr.sbin/bind/doc/arm/man.dnssec-signzone.html b/usr.sbin/bind/doc/arm/man.dnssec-signzone.html
deleted file mode 100644
index be2e3219482..00000000000
--- a/usr.sbin/bind/doc/arm/man.dnssec-signzone.html
+++ /dev/null
@@ -1,323 +0,0 @@
-
-
-
-
-
-dnssec-signzone
-
-
-
-
-
-
-
-
-
-
-
-

Name

-

dnssec-signzone — DNSSEC zone signing tool

-
-
-

Synopsis

-

dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

-
-
-

DESCRIPTION

-

dnssec-signzone - signs a zone. It generates - NSEC and RRSIG records and produces a signed version of the - zone. The security status of delegations from the signed zone - (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - keyset file for each child zone. -

-
-
-

OPTIONS

-
-
-a
-

- Verify all generated signatures. -

-
-c class
-

- Specifies the DNS class of the zone. -

-
-k key
-

- Treat specified key as a key signing key ignoring any - key flags. This option may be specified multiple times. -

-
-l domain
-

- Generate a DLV set in addition to the key (DNSKEY) and DS sets. - The domain is appended to the name of the records. -

-
-d directory
-

- Look for keyset files in - directory as the directory -

-
-g
-

- Generate DS records for child zones from keyset files. - Existing DS records will be removed. -

-
-s start-time
-

- Specify the date and time when the generated RRSIG records - become valid. This can be either an absolute or relative - time. An absolute start time is indicated by a number - in YYYYMMDDHHMMSS notation; 20000530144500 denotes - 14:45:00 UTC on May 30th, 2000. A relative start time is - indicated by +N, which is N seconds from the current time. - If no start-time is specified, the current - time minus 1 hour (to allow for clock skew) is used. -

-
-e end-time
-

- Specify the date and time when the generated RRSIG records - expire. As with start-time, an absolute - time is indicated in YYYYMMDDHHMMSS notation. A time relative - to the start time is indicated with +N, which is N seconds from - the start time. A time relative to the current time is - indicated with now+N. If no end-time is - specified, 30 days from the start time is used as a default. -

-
-f output-file
-

- The name of the output file containing the signed zone. The - default is to append .signed to - the - input filename. -

-
-h
-

- Prints a short summary of the options and arguments to - dnssec-signzone. -

-
-i interval
-
-

- When a previously-signed zone is passed as input, records - may be resigned. The interval option - specifies the cycle interval as an offset from the current - time (in seconds). If a RRSIG record expires after the - cycle interval, it is retained. Otherwise, it is considered - to be expiring soon, and it will be replaced. -

-

- The default cycle interval is one quarter of the difference - between the signature end and start times. So if neither - end-time or start-time - are specified, dnssec-signzone - generates - signatures that are valid for 30 days, with a cycle - interval of 7.5 days. Therefore, if any existing RRSIG records - are due to expire in less than 7.5 days, they would be - replaced. -

-
-
-I input-format
-

- The format of the input zone file. - Possible formats are "text" (default) - and "raw". - This option is primarily intended to be used for dynamic - signed zones so that the dumped zone file in a non-text - format containing updates can be signed directly. - The use of this option does not make much sense for - non-dynamic zones. -

-
-j jitter
-
-

- When signing a zone with a fixed signature lifetime, all - RRSIG records issued at the time of signing expires - simultaneously. If the zone is incrementally signed, i.e. - a previously-signed zone is passed as input to the signer, - all expired signatures have to be regenerated at about the - same time. The jitter option specifies a - jitter window that will be used to randomize the signature - expire time, thus spreading incremental signature - regeneration over time. -

-

- Signature lifetime jitter also to some extent benefits - validators and servers by spreading out cache expiration, - i.e. if large numbers of RRSIGs don't expire at the same time - from all caches there will be less congestion than if all - validators need to refetch at mostly the same time. -

-
-
-n ncpus
-

- Specifies the number of threads to use. By default, one - thread is started for each detected CPU. -

-
-N soa-serial-format
-
-

- The SOA serial number format of the signed zone. - Possible formats are "keep" (default), - "increment" and - "unixtime". -

-
-
"keep"
-

Do not modify the SOA serial number.

-
"increment"
-

Increment the SOA serial number using RFC 1982 - arithmetics.

-
"unixtime"
-

Set the SOA serial number to the number of seconds - since epoch.

-
-
-
-o origin
-

- The zone origin. If not specified, the name of the zone file - is assumed to be the origin. -

-
-O output-format
-

- The format of the output file containing the signed zone. - Possible formats are "text" (default) - and "raw". -

-
-p
-

- Use pseudo-random data when signing the zone. This is faster, - but less secure, than using real random data. This option - may be useful when signing large zones or when the entropy - source is limited. -

-
-r randomdev
-

- Specifies the source of randomness. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. -

-
-t
-

- Print statistics at completion. -

-
-v level
-

- Sets the debugging level. -

-
-z
-

- Ignore KSK flag on key when determining what to sign. -

-
zonefile
-

- The file containing the zone to be signed. -

-
key
-

- Specify which keys should be used to sign the zone. If - no keys are specified, then the zone will be examined - for DNSKEY records at the zone apex. If these are found and - there are matching private keys, in the current directory, - then these will be used for signing. -

-
-
-
-

EXAMPLE

-

- The following command signs the example.com - zone with the DSA key generated by dnssec-keygen - (Kexample.com.+003+17247). The zone's keys must be in the master - file (db.example.com). This invocation looks - for keyset files, in the current directory, - so that DS records can be generated from them (-g). -

-
% dnssec-signzone -g -o example.com db.example.com \
-Kexample.com.+003+17247
-db.example.com.signed
-%
-

- In the above example, dnssec-signzone creates - the file db.example.com.signed. This - file should be referenced in a zone statement in a - named.conf file. -

-

- This example re-signs a previously signed zone with default parameters. - The private keys are assumed to be in the current directory. -

-
% cp db.example.com.signed db.example.com
-% dnssec-signzone -o example.com db.example.com
-db.example.com.signed
-%
-
-
-

SEE ALSO

-

dnssec-keygen(8), - BIND 9 Administrator Reference Manual, - RFC 2535. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
-
-
-
diff --git a/usr.sbin/bind/doc/arm/man.host.html b/usr.sbin/bind/doc/arm/man.host.html
deleted file mode 100644
index cf2a4d7b8fc..00000000000
--- a/usr.sbin/bind/doc/arm/man.host.html
+++ /dev/null
@@ -1,249 +0,0 @@
-
-
-
-
-
-host
-
-
-
-
-
-
-
-
-
-
-
-

Name

-

host — DNS lookup utility

-
-
-

Synopsis

-

host [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

-
-
-

DESCRIPTION

-

host - is a simple utility for performing DNS lookups. - It is normally used to convert names to IP addresses and vice versa. - When no arguments or options are given, - host - prints a short summary of its command line arguments and options. -

-

name is the domain name that is to be - looked - up. It can also be a dotted-decimal IPv4 address or a colon-delimited - IPv6 address, in which case host will by - default - perform a reverse lookup for that address. - server is an optional argument which - is either - the name or IP address of the name server that host - should query instead of the server or servers listed in - /etc/resolv.conf. -

-

- The -a (all) option is equivalent to setting the - -v option and asking host to make - a query of type ANY. -

-

- When the -C option is used, host - will attempt to display the SOA records for zone - name from all the listed - authoritative name - servers for that zone. The list of name servers is defined by the NS - records that are found for the zone. -

-

- The -c option instructs to make a DNS query of class - class. This can be used to lookup - Hesiod or - Chaosnet class resource records. The default class is IN (Internet). -

-

- Verbose output is generated by host when - the - -d or -v option is used. The two - options are equivalent. They have been provided for backwards - compatibility. In previous versions, the -d option - switched on debugging traces and -v enabled verbose - output. -

-

- List mode is selected by the -l option. This makes - host perform a zone transfer for zone - name. Transfer the zone printing out - the NS, PTR - and address records (A/AAAA). If combined with -a - all records will be printed. -

-

- The -i - option specifies that reverse lookups of IPv6 addresses should - use the IP6.INT domain as defined in RFC1886. - The default is to use IP6.ARPA. -

-

- The -N option sets the number of dots that have to be - in name for it to be considered - absolute. The - default value is that defined using the ndots statement in - /etc/resolv.conf, or 1 if no ndots - statement is - present. Names with fewer dots are interpreted as relative names and - will be searched for in the domains listed in the search - or domain directive in - /etc/resolv.conf. -

-

- The number of UDP retries for a lookup can be changed with the - -R option. number - indicates - how many times host will repeat a query - that does - not get answered. The default number of retries is 1. If - number is negative or zero, the - number of - retries will default to 1. -

-

- Non-recursive queries can be made via the -r option. - Setting this option clears the RD — recursion - desired — bit in the query which host makes. - This should mean that the name server receiving the query will not - attempt to resolve name. The - -r option enables host - to mimic - the behavior of a name server by making non-recursive queries and - expecting to receive answers to those queries that are usually - referrals to other name servers. -

-

- By default host uses UDP when making - queries. The - -T option makes it use a TCP connection when querying - the name server. TCP will be automatically selected for queries that - require it, such as zone transfer (AXFR) requests. -

-

- The -4 option forces host to only - use IPv4 query transport. The -6 option forces - host to only use IPv6 query transport. -

-

- The -t option is used to select the query type. - type can be any recognized query - type: CNAME, - NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, - host automatically selects an appropriate - query - type. By default it looks for A records, but if the - -C option was given, queries will be made for SOA - records, and if name is a - dotted-decimal IPv4 - address or colon-delimited IPv6 address, host will - query for PTR records. If a query type of IXFR is chosen the starting - serial number can be specified by appending an equal followed by the - starting serial number (e.g. -t IXFR=12345678). -

-

- The time to wait for a reply can be controlled through the - -W and -w options. The - -W option makes host - wait for - wait seconds. If wait - is less than one, the wait interval is set to one second. When the - -w option is used, host - will - effectively wait forever for a reply. The time to wait for a response - will be set to the number of seconds given by the hardware's maximum - value for an integer quantity. -

-

- The -s option tells host - not to send the query to the next nameserver - if any server responds with a SERVFAIL response, which is the - reverse of normal stub resolver behavior. -

-

- The -m can be used to set the memory usage debugging - flags - record, usage and - trace. -

-
-
-

IDN SUPPORT

-

- If host has been built with IDN (internationalized - domain name) support, it can accept and display non-ASCII domain names. - host appropriately converts character encoding of - domain name before sending a request to DNS server or displaying a - reply from the server. - If you'd like to turn off the IDN support for some reason, defines - the IDN_DISABLE environment variable. - The IDN support is disabled if the variable is set when - host runs. -

-
-
-

FILES

-

/etc/resolv.conf -

-
-
-

SEE ALSO

-

dig(1), - named(8). -

-
-
- - - diff --git a/usr.sbin/bind/doc/arm/man.named-checkconf.html b/usr.sbin/bind/doc/arm/man.named-checkconf.html deleted file mode 100644 index 9904584738c..00000000000 --- a/usr.sbin/bind/doc/arm/man.named-checkconf.html +++ /dev/null @@ -1,130 +0,0 @@ - - - - - -named-checkconf - - - - - - - - -
-
-
-

Name

-

named-checkconf — named configuration file syntax checking tool

-
-
-

Synopsis

-

named-checkconf [-v] [-j] [-t directory] {filename} [-z]

-
-
-

DESCRIPTION

-

named-checkconf - checks the syntax, but not the semantics, of a named - configuration file. -

-
-
-

OPTIONS

-
-
-t directory
-

- Chroot to directory so that - include - directives in the configuration file are processed as if - run by a similarly chrooted named. -

-
-v
-

- Print the version of the named-checkconf - program and exit. -

-
-z
-

- Perform a test load of all master zones found in - named.conf. -

-
-j
-

- When loading a zonefile read the journal if it exists. -

-
filename
-

- The name of the configuration file to be checked. If not - specified, it defaults to /etc/named.conf. -

-
-
-
-

RETURN VALUES

-

named-checkconf - returns an exit status of 1 if - errors were detected and 0 otherwise. -

-
-
-

SEE ALSO

-

named(8), - named-checkzone(8), - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
- - - diff --git a/usr.sbin/bind/doc/arm/man.named-checkzone.html b/usr.sbin/bind/doc/arm/man.named-checkzone.html deleted file mode 100644 index 490b0d42665..00000000000 --- a/usr.sbin/bind/doc/arm/man.named-checkzone.html +++ /dev/null @@ -1,294 +0,0 @@ - - - - - -named-checkzone - - - - - - - - -
-
-
-

Name

-

named-checkzone, named-compilezone — zone file validity checking or converting tool

-
-
-

Synopsis

-

named-checkzone [-d] [-j] [-q] [-v] [-c class] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-M mode] [-n mode] [-o filename] [-s style] [-S mode] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

-

named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

-
-
-

DESCRIPTION

-

named-checkzone - checks the syntax and integrity of a zone file. It performs the - same checks as named does when loading a - zone. This makes named-checkzone useful for - checking zone files before configuring them into a name server. -

-

- named-compilezone is similar to - named-checkzone, but it always dumps the - zone contents to a specified file in a specified format. - Additionally, it applies stricter check levels by default, - since the dump output will be used as an actual zone file - loaded by named. - When manually specified otherwise, the check levels must at - least be as strict as those specified in the - named configuration file. -

-
-
-

OPTIONS

-
-
-d
-

- Enable debugging. -

-
-q
-

- Quiet mode - exit code only. -

-
-v
-

- Print the version of the named-checkzone - program and exit. -

-
-j
-

- When loading the zone file read the journal if it exists. -

-
-c class
-

- Specify the class of the zone. If not specified "IN" is assumed. -

-
-i mode
-
-

- Perform post-load zone integrity checks. Possible modes are - "full" (default), - "full-sibling", - "local", - "local-sibling" and - "none". -

-

- Mode "full" checks that MX records - refer to A or AAAA record (both in-zone and out-of-zone - hostnames). Mode "local" only - checks MX records which refer to in-zone hostnames. -

-

- Mode "full" checks that SRV records - refer to A or AAAA record (both in-zone and out-of-zone - hostnames). Mode "local" only - checks SRV records which refer to in-zone hostnames. -

-

- Mode "full" checks that delegation NS - records refer to A or AAAA record (both in-zone and out-of-zone - hostnames). It also checks that glue address records - in the zone match those advertised by the child. - Mode "local" only checks NS records which - refer to in-zone hostnames or that some required glue exists, - that is when the nameserver is in a child zone. -

-

- Mode "full-sibling" and - "local-sibling" disable sibling glue - checks but are otherwise the same as "full" - and "local" respectively. -

-

- Mode "none" disables the checks. -

-
-
-f format
-

- Specify the format of the zone file. - Possible formats are "text" (default) - and "raw". -

-
-F format
-

- Specify the format of the output file specified. - Possible formats are "text" (default) - and "raw". - For named-checkzone, - this does not cause any effects unless it dumps the zone - contents. -

-
-k mode
-

- Perform "check-names" checks with the - specified failure mode. - Possible modes are "fail" - (default for named-compilezone), - "warn" - (default for named-checkzone) and - "ignore". -

-
-m mode
-

- Specify whether MX records should be checked to see if they - are addresses. Possible modes are "fail", - "warn" (default) and - "ignore". -

-
-M mode
-

- Check if a MX record refers to a CNAME. - Possible modes are "fail", - "warn" (default) and - "ignore". -

-
-n mode
-

- Specify whether NS records should be checked to see if they - are addresses. - Possible modes are "fail" - (default for named-compilezone), - "warn" - (default for named-checkzone) and - "ignore". -

-
-o filename
-

- Write zone output to filename. - This is mandatory for named-compilezone. -

-
-s style
-

- Specify the style of the dumped zone file. - Possible styles are "full" (default) - and "relative". - The full format is most suitable for processing - automatically by a separate script. - On the other hand, the relative format is more - human-readable and is thus suitable for editing by hand. - For named-checkzone - this does not cause any effects unless it dumps the zone - contents. - It also does not have any meaning if the output format - is not text. -

-
-S mode
-

- Check if a SRV record refers to a CNAME. - Possible modes are "fail", - "warn" (default) and - "ignore". -

-
-t directory
-

- Chroot to directory so that - include - directives in the configuration file are processed as if - run by a similarly chrooted named. -

-
-w directory
-

- chdir to directory so that - relative - filenames in master file $INCLUDE directives work. This - is similar to the directory clause in - named.conf. -

-
-D
-

- Dump zone file in canonical format. - This is always enabled for named-compilezone. -

-
-W mode
-

- Specify whether to check for non-terminal wildcards. - Non-terminal wildcards are almost always the result of a - failure to understand the wildcard matching algorithm (RFC 1034). - Possible modes are "warn" (default) - and - "ignore". -

-
zonename
-

- The domain name of the zone being checked. -

-
filename
-

- The name of the zone file. -

-
-
-
-

RETURN VALUES

-

named-checkzone - returns an exit status of 1 if - errors were detected and 0 otherwise. -

-
-
-

SEE ALSO

-

named(8), - named-checkconf(8), - RFC 1035, - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
- - - diff --git a/usr.sbin/bind/doc/arm/man.named.html b/usr.sbin/bind/doc/arm/man.named.html deleted file mode 100644 index 21afccef273..00000000000 --- a/usr.sbin/bind/doc/arm/man.named.html +++ /dev/null @@ -1,293 +0,0 @@ - - - - - -named - - - - - - - - -
-
-
-

Name

-

named — Internet domain name server

-
-
-

Synopsis

-

named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

-
-
-

DESCRIPTION

-

named - is a Domain Name System (DNS) server, - part of the BIND 9 distribution from ISC. For more - information on the DNS, see RFCs 1033, 1034, and 1035. -

-

- When invoked without arguments, named - will - read the default configuration file - /etc/named.conf, read any initial - data, and listen for queries. -

-
-
-

OPTIONS

-
-
-4
-

- Use IPv4 only even if the host machine is capable of IPv6. - -4 and -6 are mutually - exclusive. -

-
-6
-

- Use IPv6 only even if the host machine is capable of IPv4. - -4 and -6 are mutually - exclusive. -

-
-c config-file
-

- Use config-file as the - configuration file instead of the default, - /etc/named.conf. To - ensure that reloading the configuration file continues - to work after the server has changed its working - directory due to to a possible - directory option in the configuration - file, config-file should be - an absolute pathname. -

-
-d debug-level
-

- Set the daemon's debug level to debug-level. - Debugging traces from named become - more verbose as the debug level increases. -

-
-f
-

- Run the server in the foreground (i.e. do not daemonize). -

-
-g
-

- Run the server in the foreground and force all logging - to stderr. -

-
-m flag
-

- Turn on memory usage debugging flags. Possible flags are - usage, - trace, - record, - size, and - mctx. - These correspond to the ISC_MEM_DEBUGXXXX flags described in - <isc/mem.h>. -

-
-n #cpus
-

- Create #cpus worker threads - to take advantage of multiple CPUs. If not specified, - named will try to determine the - number of CPUs present and create one thread per CPU. - If it is unable to determine the number of CPUs, a - single worker thread will be created. -

-
-p port
-

- Listen for queries on port port. If not - specified, the default is port 53. -

-
-s
-
-

- Write memory usage statistics to stdout on exit. -

-
-

Note

-

- This option is mainly of interest to BIND 9 developers - and may be removed or changed in a future release. -

-
-
-
-t directory
-
-

Chroot - to directory after - processing the command line arguments, but before - reading the configuration file. -

-
-

Warning

-

- This option should be used in conjunction with the - -u option, as chrooting a process - running as root doesn't enhance security on most - systems; the way chroot(2) is - defined allows a process with root privileges to - escape a chroot jail. -

-
-
-
-u user
-
-

Setuid - to user after completing - privileged operations, such as creating sockets that - listen on privileged ports. -

-
-

Note

-

- On Linux, named uses the kernel's - capability mechanism to drop all root privileges - except the ability to bind(2) to - a - privileged port and set process resource limits. - Unfortunately, this means that the -u - option only works when named is - run - on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or - later, since previous kernels did not allow privileges - to be retained after setuid(2). -

-
-
-
-v
-

- Report the version number and exit. -

-
-x cache-file
-
-

- Load data from cache-file into the - cache of the default view. -

-
-

Warning

-

- This option must not be used. It is only of interest - to BIND 9 developers and may be removed or changed in a - future release. -

-
-
-
-
-
-

SIGNALS

-

- In routine operation, signals should not be used to control - the nameserver; rndc should be used - instead. -

-
-
SIGHUP
-

- Force a reload of the server. -

-
SIGINT, SIGTERM
-

- Shut down the server. -

-
-

- The result of sending any other signals to the server is undefined. -

-
-
-

CONFIGURATION

-

- The named configuration file is too complex - to describe in detail here. A complete description is provided - in the - BIND 9 Administrator Reference Manual. -

-
-
-

FILES

-
-
/etc/named.conf
-

- The default configuration file. -

-
/var/run/named.pid
-

- The default process-id file. -

-
-
-
-

SEE ALSO

-

RFC 1033, - RFC 1034, - RFC 1035, - named-checkconf(8), - named-checkzone(8), - rndc(8), - lwresd(8), - named.conf(5), - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
- - - diff --git a/usr.sbin/bind/doc/arm/man.rndc-confgen.html b/usr.sbin/bind/doc/arm/man.rndc-confgen.html deleted file mode 100644 index 272af9db068..00000000000 --- a/usr.sbin/bind/doc/arm/man.rndc-confgen.html +++ /dev/null @@ -1,222 +0,0 @@ - - - - - -rndc-confgen - - - - - - - -
-
-
-

Name

-

rndc-confgen — rndc key generation tool

-
-
-

Synopsis

-

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-
-
-

DESCRIPTION

-

rndc-confgen - generates configuration files - for rndc. It can be used as a - convenient alternative to writing the - rndc.conf file - and the corresponding controls - and key - statements in named.conf by hand. - Alternatively, it can be run with the -a - option to set up a rndc.key file and - avoid the need for a rndc.conf file - and a controls statement altogether. -

-
-
-

OPTIONS

-
-
-a
-
-

- Do automatic rndc configuration. - This creates a file rndc.key - in /etc (or whatever - sysconfdir - was specified as when BIND was - built) - that is read by both rndc - and named on startup. The - rndc.key file defines a default - command channel and authentication key allowing - rndc to communicate with - named on the local host - with no further configuration. -

-

- Running rndc-confgen -a allows - BIND 9 and rndc to be used as - drop-in - replacements for BIND 8 and ndc, - with no changes to the existing BIND 8 - named.conf file. -

-

- If a more elaborate configuration than that - generated by rndc-confgen -a - is required, for example if rndc is to be used remotely, - you should run rndc-confgen without - the - -a option and set up a - rndc.conf and - named.conf - as directed. -

-
-
-b keysize
-

- Specifies the size of the authentication key in bits. - Must be between 1 and 512 bits; the default is 128. -

-
-c keyfile
-

- Used with the -a option to specify - an alternate location for rndc.key. -

-
-h
-

- Prints a short summary of the options and arguments to - rndc-confgen. -

-
-k keyname
-

- Specifies the key name of the rndc authentication key. - This must be a valid domain name. - The default is rndc-key. -

-
-p port
-

- Specifies the command channel port where named - listens for connections from rndc. - The default is 953. -

-
-r randomfile
-

- Specifies a source of random data for generating the - authorization. If the operating - system does not provide a /dev/random - or equivalent device, the default source of randomness - is keyboard input. randomdev - specifies - the name of a character device or file containing random - data to be used instead of the default. The special value - keyboard indicates that keyboard - input should be used. -

-
-s address
-

- Specifies the IP address where named - listens for command channel connections from - rndc. The default is the loopback - address 127.0.0.1. -

-
-t chrootdir
-

- Used with the -a option to specify - a directory where named will run - chrooted. An additional copy of the rndc.key - will be written relative to this directory so that - it will be found by the chrooted named. -

-
-u user
-

- Used with the -a option to set the - owner - of the rndc.key file generated. - If - -t is also specified only the file - in - the chroot area has its owner changed. -

-
-
-
-

EXAMPLES

-

- To allow rndc to be used with - no manual configuration, run -

-

rndc-confgen -a -

-

- To print a sample rndc.conf file and - corresponding controls and key - statements to be manually inserted into named.conf, - run -

-

rndc-confgen -

-
-
-

SEE ALSO

-

rndc(8), - rndc.conf(5), - named(8), - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
- - - diff --git a/usr.sbin/bind/doc/arm/man.rndc.conf.html b/usr.sbin/bind/doc/arm/man.rndc.conf.html deleted file mode 100644 index fdc0899e303..00000000000 --- a/usr.sbin/bind/doc/arm/man.rndc.conf.html +++ /dev/null @@ -1,255 +0,0 @@ - - - - - -rndc.conf - - - - - - - - -
-
-
-

Name

-

rndc.conf — rndc configuration file

-
-
-

Synopsis

-

rndc.conf

-
-
-

DESCRIPTION

-

rndc.conf is the configuration file - for rndc, the BIND 9 name server control - utility. This file has a similar structure and syntax to - named.conf. Statements are enclosed - in braces and terminated with a semi-colon. Clauses in - the statements are also semi-colon terminated. The usual - comment styles are supported: -

-

- C style: /* */ -

-

- C++ style: // to end of line -

-

- Unix style: # to end of line -

-

rndc.conf is much simpler than - named.conf. The file uses three - statements: an options statement, a server statement - and a key statement. -

-

- The options statement contains five clauses. - The default-server clause is followed by the - name or address of a name server. This host will be used when - no name server is given as an argument to - rndc. The default-key - clause is followed by the name of a key which is identified by - a key statement. If no - keyid is provided on the rndc command line, - and no key clause is found in a matching - server statement, this default key will be - used to authenticate the server's commands and responses. The - default-port clause is followed by the port - to connect to on the remote name server. If no - port option is provided on the rndc command - line, and no port clause is found in a - matching server statement, this default port - will be used to connect. - The default-source-address and - default-source-address-v6 clauses which - can be used to set the IPv4 and IPv6 source addresses - respectively. -

-

- After the server keyword, the server - statement includes a string which is the hostname or address - for a name server. The statement has three possible clauses: - key, port and - addresses. The key name must match the - name of a key statement in the file. The port number - specifies the port to connect to. If an addresses - clause is supplied these addresses will be used instead of - the server name. Each address can take an optional port. - If an source-address or source-address-v6 - of supplied then these will be used to specify the IPv4 and IPv6 - source addresses respectively. -

-

- The key statement begins with an identifying - string, the name of the key. The statement has two clauses. - algorithm identifies the encryption algorithm - for rndc to use; currently only HMAC-MD5 - is - supported. This is followed by a secret clause which contains - the base-64 encoding of the algorithm's encryption key. The - base-64 string is enclosed in double quotes. -

-

- There are two common ways to generate the base-64 string for the - secret. The BIND 9 program rndc-confgen - can - be used to generate a random key, or the - mmencode program, also known as - mimencode, can be used to generate a - base-64 - string from known input. mmencode does - not - ship with BIND 9 but is available on many systems. See the - EXAMPLE section for sample command lines for each. -

-
-
-

EXAMPLE

-
-      options {
-        default-server  localhost;
-        default-key     samplekey;
-      };
-
-

-

-
-      server localhost {
-        key             samplekey;
-      };
-
-

-

-
-      server testserver {
-        key		testkey;
-        addresses	{ localhost port 5353; };
-      };
-
-

-

-
-      key samplekey {
-        algorithm       hmac-md5;
-        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
-      };
-
-

-

-
-      key testkey {
-        algorithm	hmac-md5;
-        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
-      };
-    
-

-

-

- In the above example, rndc will by - default use - the server at localhost (127.0.0.1) and the key called samplekey. - Commands to the localhost server will use the samplekey key, which - must also be defined in the server's configuration file with the - same name and secret. The key statement indicates that samplekey - uses the HMAC-MD5 algorithm and its secret clause contains the - base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. -

-

- If rndc -s testserver is used then rndc will - connect to server on localhost port 5353 using the key testkey. -

-

- To generate a random secret with rndc-confgen: -

-

rndc-confgen -

-

- A complete rndc.conf file, including - the - randomly generated key, will be written to the standard - output. Commented-out key and - controls statements for - named.conf are also printed. -

-

- To generate a base-64 secret with mmencode: -

-

echo "known plaintext for a secret" | mmencode -

-
-
-

NAME SERVER CONFIGURATION

-

- The name server must be configured to accept rndc connections and - to recognize the key specified in the rndc.conf - file, using the controls statement in named.conf. - See the sections on the controls statement in the - BIND 9 Administrator Reference Manual for details. -

-
-
-

SEE ALSO

-

rndc(8), - rndc-confgen(8), - mmencode(1), - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
- - - diff --git a/usr.sbin/bind/doc/arm/man.rndc.html b/usr.sbin/bind/doc/arm/man.rndc.html deleted file mode 100644 index 291538cd92f..00000000000 --- a/usr.sbin/bind/doc/arm/man.rndc.html +++ /dev/null @@ -1,202 +0,0 @@ - - - - - -rndc - - - - - - - - -
-
-
-

Name

-

rndc — name server control utility

-
-
-

Synopsis

-

rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-
-
-

DESCRIPTION

-

rndc - controls the operation of a name - server. It supersedes the ndc utility - that was provided in old BIND releases. If - rndc is invoked with no command line - options or arguments, it prints a short summary of the - supported commands and the available options and their - arguments. -

-

rndc - communicates with the name server - over a TCP connection, sending commands authenticated with - digital signatures. In the current versions of - rndc and named, - the only supported authentication algorithm is HMAC-MD5, - which uses a shared secret on each end of the connection. - This provides TSIG-style authentication for the command - request and the name server's response. All commands sent - over the channel must be signed by a key_id known to the - server. -

-

rndc - reads a configuration file to - determine how to contact the name server and decide what - algorithm and key it should use. -

-
-
-

OPTIONS

-
-
-b source-address
-

- Use source-address - as the source address for the connection to the server. - Multiple instances are permitted to allow setting of both - the IPv4 and IPv6 source addresses. -

-
-c config-file
-

- Use config-file - as the configuration file instead of the default, - /etc/rndc.conf. -

-
-k key-file
-

- Use key-file - as the key file instead of the default, - /etc/rndc.key. The key in - /etc/rndc.key will be used to - authenticate - commands sent to the server if the config-file - does not exist. -

-
-s server
-

server is - the name or address of the server which matches a - server statement in the configuration file for - rndc. If no server is supplied on the - command line, the host named by the default-server clause - in the options statement of the rndc - configuration file will be used. -

-
-p port
-

- Send commands to TCP port - port - instead - of BIND 9's default control channel port, 953. -

-
-V
-

- Enable verbose logging. -

-
-y key_id
-

- Use the key key_id - from the configuration file. - key_id - must be - known by named with the same algorithm and secret string - in order for control message validation to succeed. - If no key_id - is specified, rndc will first look - for a key clause in the server statement of the server - being used, or if no server statement is present for that - host, then the default-key clause of the options statement. - Note that the configuration file contains shared secrets - which are used to send authenticated control commands - to name servers. It should therefore not have general read - or write access. -

-
-

- For the complete set of commands supported by rndc, - see the BIND 9 Administrator Reference Manual or run - rndc without arguments to see its help - message. -

-
-
-

LIMITATIONS

-

rndc - does not yet support all the commands of - the BIND 8 ndc utility. -

-

- There is currently no way to provide the shared secret for a - key_id without using the configuration file. -

-

- Several error messages could be clearer. -

-
-
-

SEE ALSO

-

rndc.conf(5), - named(8), - named.conf(5), - ndc(8), - BIND 9 Administrator Reference Manual. -

-
-
-

AUTHOR

-

Internet Systems Consortium -

-
-
- - - diff --git a/usr.sbin/bind/doc/misc/Makefile.in b/usr.sbin/bind/doc/misc/Makefile.in deleted file mode 100644 index 30b04597ea4..00000000000 --- a/usr.sbin/bind/doc/misc/Makefile.in +++ /dev/null @@ -1,47 +0,0 @@ -# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. -# -# Permission to use, copy, modify, and/or distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: Makefile.in,v 1.3.18.3 2007/08/28 07:20:03 tbox Exp $ - -srcdir = @srcdir@ -VPATH = @srcdir@ -top_srcdir = @top_srcdir@ - -@BIND9_MAKE_RULES@ - -PERL = @PERL@ - -MANOBJS = options - -doc man:: ${MANOBJS} - -docclean manclean maintainer-clean:: - rm -f options - -# Do not make options depend on ../../bin/tests/cfg_test, doing so -# will cause excessively clever versions of make to attempt to build -# that program right here, right now, if it is missing, which will -# cause make doc to bomb. - -CFG_TEST = ../../bin/tests/cfg_test - -options: FORCE - if test -x ${CFG_TEST} && \ - ${CFG_TEST} --named --grammar | \ - ${PERL} ${srcdir}/format-options.pl >$@.new ; then \ - mv -f $@.new $@ ; \ - else \ - rm -f $@.new ; \ - fi diff --git a/usr.sbin/bind/doc/misc/dnssec b/usr.sbin/bind/doc/misc/dnssec deleted file mode 100644 index 964b729282f..00000000000 --- a/usr.sbin/bind/doc/misc/dnssec +++ /dev/null 
@@ -1,84 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000-2002 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-DNSSEC Release Notes
-
-This document summarizes the state of the DNSSEC implementation in
-this release of BIND9.
-
-
-OpenSSL Library Required
-
-To support DNSSEC, BIND 9 must be linked with version 0.9.6e or newer of
-the OpenSSL library. As of BIND 9.2, the library is no longer
-included in the distribution - it must be provided by the operating
-system or installed separately.
-
-To build BIND 9 with OpenSSL, use "configure --with-openssl". If
-the OpenSSL library is installed in a nonstandard location, you can
-specify a path as in "configure --with-openssl=/var".
-
-
-Key Generation and Signing
-
-The tools for generating DNSSEC keys and signatures are now in the
-bin/dnssec directory. Documentation for these programs can be found
-in doc/arm/Bv9ARM.4.html and the man pages.
-
-The random data used in generating DNSSEC keys and signatures comes
-from either /dev/random (if the OS supports it) or keyboard input.
-Alternatively, a device or file containing entropy/random data can be
-specified.
-
-
-Serving Secure Zones
-
-When acting as an authoritative name server, BIND9 includes KEY, SIG
-and NXT records in responses as specified in RFC2535 when the request
-has the DO flag set in the query.
-
-
-Secure Resolution
-
-Basic support for validation of DNSSEC signatures in responses has
-been implemented but should still be considered experimental.
-
-When acting as a caching name server, BIND9 is capable of performing
-basic DNSSEC validation of positive as well as nonexistence responses.
-This functionality is enabled by including a "trusted-keys" clause
-in the configuration file, containing the top-level zone key of the
-the DNSSEC tree.
-
-Validation of wildcard responses is not currently supported. In
-particular, a "name does not exist" response will validate
-successfully even if it does not contain the NXT records to prove the
-nonexistence of a matching wildcard.
-
-Proof of insecure status for insecure zones delegated from secure
-zones works when the zones are completely insecure. Privately
-secured zones delegated from secure zones will not work in all cases,
-such as when the privately secured zone is served by the same server
-as an ancestor (but not parent) zone.
-
-Handling of the CD bit in queries is now fully implemented. Validation
-is not attempted for recursive queries if CD is set.
-
-
-Secure Dynamic Update
-
-Dynamic update of secure zones has been implemented, but may not be
-complete. Affected NXT and SIG records are updated by the server when
-an update occurs. Advanced access control is possible using the
-"update-policy" statement in the zone definition.
-
-
-Secure Zone Transfers
-
-BIND 9 does not implement the zone transfer security mechanisms of
-RFC2535 section 5.6, and we have no plans to implement them in the
-future as we consider them inferior to the use of TSIG or SIG(0) to
-ensure the integrity of zone transfers.
-
-
-$ISC: dnssec,v 1.19 2004/03/05 05:04:53 marka Exp $
diff --git a/usr.sbin/bind/doc/misc/format-options.pl b/usr.sbin/bind/doc/misc/format-options.pl
deleted file mode 100644
index ecdb5311981..00000000000
--- a/usr.sbin/bind/doc/misc/format-options.pl
+++ /dev/null
@@ -1,36 +0,0 @@ -#!/usr/bin/perl -# -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $ISC: format-options.pl,v 1.2 2004/03/05 05:04:53 marka Exp $ - -print <) { - s/\t/ /g; - if (length >= 79) { - m!^( *)!; - my $indent = $1; - s!^(.{0,75}) (.*)$!\1\n$indent \2!; - } - print; -} diff --git a/usr.sbin/bind/doc/misc/ipv6 b/usr.sbin/bind/doc/misc/ipv6 deleted file mode 100644 index 5b1fe4ab264..00000000000 --- a/usr.sbin/bind/doc/misc/ipv6 +++ /dev/null 
@@ -1,113 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-Currently, there are multiple interesting problems with ipv6
-implementations on various platforms. These problems range from not
-being able to use ipv6 with bind9 (or in particular the ISC socket
-library, contained in libisc) to listen-on lists not being respected,
-to strange warnings but seemingly correct behavior of named.
-
-COMPILE-TIME ISSUES
--------------------
-
-The socket library requires a certain level of support from the
-operating system. In particular, it must follow the advanced ipv6
-socket API to be usable. The systems which do not follow this will
-currently not get any warnings or errors, but ipv6 will simply not
-function on them.
-
-These systems currently include, but are not limited to:
-
- AIX 3.4 (with ipv6 patches)
-
-
-RUN-TIME ISSUES
----------------
-
-In the original drafts of the ipv6 RFC documents, binding an ipv6
-socket to the ipv6 wildcard address would also cause the socket to
-accept ipv4 connections and datagrams. When an ipv4 packet is
-received on these systems, it is mapped into an ipv6 address. For
-example, 1.2.3.4 would be mapped into ::ffff:1.2.3.4. The intent of
-this mapping was to make transition from an ipv4-only application into
-ipv6 easier, by only requiring one socket to be open on a given port.
-
-Later, it was discovered that this was generally a bad idea. For one,
-many firewalls will block connection to 1.2.3.4, but will let through
-::ffff:1.2.3.4. This, of course, is bad. Also, access control lists
-written to accept only ipv4 addresses were suddenly ignored unless
-they were rewritten to handle the ipv6 mapped addresses as well.
-
-Partly because of these problems, the latest IPv6 API introduces an
-explicit knob (the "IPV6_V6ONLY" socket option ) to turn off the ipv6
-mapped address usage.
-
-In bind9, we first check if both the advanced API and the IPV6_V6ONLY
-socket option are available. If both of them are available, bind9
-named will bind to the ipv6 wildcard port for both TCP and UDP.
-Otherwise named will make a warning and try to bind to all available
-ipv6 addresses separately.
-
-In any case, bind9 named binds to specific addresses for ipv4 sockets.
-
-The followings are historical notes when we always bound to the ipv6
-wildcard port regardless of the availability of the API support.
-These problems should not happen with the closer checks above.
-
-
-IPV6 Sockets Accept IPV4, Specific IPV4 Addresses Bindings Fail
----------------------------------------------------------------
-
-The only OS which seems to do this is (some kernel versions of) linux.
-If an ipv6 socket is bound to the ipv6 wildcard socket, and a specific
-ipv4 socket is later bound (say, to 1.2.3.4 port 53) the ipv4 binding
-will fail.
-
-What this means to bind9 is that the application will log warnings
-about being unable to bind to a socket because the address is already
-in use. Since the ipv6 socket will accept ipv4 packets and map them,
-however, the ipv4 addresses continue to function.
-
-The effect is that the config file listen-on directive will not be
-respected on these systems.
-
-
-IPV6 Sockets Accept IPV4, Specific IPV4 Address Bindings Succeed
-----------------------------------------------------------------
-
-In this case, the system allows opening an ipv6 wildcard address
-socket and then binding to a more specific ipv4 address later. An
-example of this type of system is Digital Unix with ipv6 patches
-applied.
-
-What this means to bind9 is that the application will respect
-listen-on in regards to ipv4 sockets, but it will use mapped ipv6
-addresses for any that do not match the listen-on list. This, in
-effect, makes listen-on useless for these machines as well.
-
-
-IPV6 Sockets Do Not Accept IPV4
--------------------------------
-
-On these systems, opening an IPV6 socket does not implicitly open any
-ipv4 sockets. An example of these systems are NetBSD-current with the
-latest KAME patch, and other systems which use the latest KAME patches
-as their ipv6 implementation.
-
-On these systems, listen-on is fully functional, as the ipv6 socket
-only accepts ipv6 packets, and the ipv4 sockets will handle the ipv4
-packets.
-
-
-RELEVANT RFCs
--------------
-
-3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
-
-3493: Basic Socket Interface Extensions for IPv6
-
-3542: Advanced Sockets Application Program Interface (API) for IPv6
-
-
-$ISC: ipv6,v 1.6.18.3 2004/08/10 04:28:41 jinmei Exp $
diff --git a/usr.sbin/bind/doc/misc/migration b/usr.sbin/bind/doc/misc/migration
deleted file mode 100644
index d2f3d4607a5..00000000000
--- a/usr.sbin/bind/doc/misc/migration
+++ /dev/null
@@ -1,257 +0,0 @@ -Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") -Copyright (C) 2000, 2001, 2003 Internet Software Consortium. -See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. - - BIND 8 to BIND 9 Migration Notes - -BIND 9 is designed to be mostly upwards compatible with BIND 8, but -there is still a number of caveats you should be aware of when -upgrading an existing BIND 8 installation to use BIND 9. - - -1. Configuration File Compatibility - -1.1. Unimplemented Options and Changed Defaults - -BIND 9 supports most, but not all of the named.conf options of BIND 8. -For a complete list of implemented options, see doc/misc/options. - -If your named.conf file uses an unimplemented option, named will log a -warning message. A message is also logged about each option whose -default has changed unless the option is set explicitly in named.conf. - -The default of the "transfer-format" option has changed from -"one-answer" to "many-answers". If you have slave servers that do not -understand the many-answers zone transfer format (e.g., BIND 4.9.5 or -older) you need to explicitly specify "transfer-format one-answer;" in -either the options block or a server statement. - -1.2. Handling of Configuration File Errors - -In BIND 9, named refuses to start if it detects an error in -named.conf. Earlier versions would start despite errors, causing the -server to run with a partial configuration. Errors detected during -subsequent reloads do not cause the server to exit. - -Errors in master files do not cause the server to exit, but they -do cause the zone not to load. - -1.3. Logging - -The set of logging categories in BIND 9 is different from that -in BIND 8. If you have customised your logging on a per-category -basis, you need to modify your logging statement to use the -new categories. - -Another difference is that the "logging" statement only takes effect -after the entire named.conf file has been read. 
This means that when -the server starts up, any messages about errors in the configuration -file are always logged to the default destination (syslog) when the -server first starts up, regardless of the contents of the "logging" -statement. In BIND 8, the new logging configuration took effect -immediately after the "logging" statement was read. - -1.4. Notify messages and Refresh queries - -The source address and port for these is now controlled by -"notify-source" and "transfer-source", respectively, rather that -query-source as in BIND 8. - -1.5. Multiple Classes. - -Multiple classes have to be put into explicit views for each class. - - -2. Zone File Compatibility - -2.1. Strict RFC1035 Interpretation of TTLs in Zone Files - -BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding -omitted TTLs in zone files. Omitted TTLs are replaced by the value -specified with the $TTL directive, or by the previous explicit TTL if -there is no $TTL directive. - -If there is no $TTL directive and the first RR in the file does not -have an explicit TTL field, the zone file is illegal according to -RFC1035 since the TTL of the first RR is undefined. Unfortunately, -BIND 4 and many versions of BIND 8 accept such files without warning -and use the value of the SOA MINTTL field as a default for missing TTL -values. - -BIND 9.0 and 9.1 completely refused to load such files. BIND 9.2 -emulates the nonstandard BIND 4/8 SOA MINTTL behaviour and loads the -files anyway (provided the SOA is the first record in the file), but -will issue the warning message "no TTL specified; using SOA MINTTL -instead". - -To avoid problems, we recommend that you use a $TTL directive in each -zone file. - -2.2. Periods in SOA Serial Numbers Deprecated - -Some versions of BIND allow SOA serial numbers with an embedded -period, like "3.002", and convert them into integers in a rather -unintuitive way. This feature is not supported by BIND 9; serial -numbers must be integers. - -2.3. 
Handling of Unbalanced Quotes - -TXT records with unbalanced quotes, like 'host TXT "foo', were not -treated as errors in some versions of BIND. If your zone files -contain such records, you will get potentially confusing error -messages like "unexpected end of file" because BIND 9 will interpret -everything up to the next quote character as a literal string. - -2.4. Handling of Line Breaks - -Some versions of BIND accept RRs containing line breaks that are not -properly quoted with parentheses, like the following SOA: - - @ IN SOA ns.example. hostmaster.example. - ( 1 3600 1800 1814400 3600 ) - -This is not legal master file syntax and will be treated as an error -by BIND 9. The fix is to move the opening parenthesis to the first -line. - -2.5. Unimplemented BIND 8 Extensions - -$GENERATE: The "$$" construct for getting a literal $ into a domain -name is deprecated. Use \$ instead. - -2.6. TXT records are no longer automatically split. - -Some versions of BIND accepted strings in TXT RDATA consisting of more -than 255 characters and silently split them to be able to encode the -strings in a protocol conformant way. You may now see errors like this - dns_rdata_fromtext: local.db:119: ran out of space -if you have TXT RRs with too longs strings. Make sure to split the -string in the zone data file at or before a single one reaches 255 -characters. - -3. Interoperability Impact of New Protocol Features - -3.1. EDNS0 - -BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It -also sets DO EDNS flag bit in queries to indicate that it wishes to -receive DNSSEC responses. - -Most older servers that do not support EDNS0, including prior versions -of BIND, will send a FORMERR or NOTIMP response to these queries. -When this happens, BIND 9 will automatically retry the query without -EDNS0. - -Unfortunately, there exists at least one non-BIND name server -implementation that silently ignores these queries instead of sending -an error response. 
Resolving names in zones where all or most -authoritative servers use this server will be very slow or fail -completely. We have contacted the manufacturer of the name server in -case, and they are working on a solution. - -When BIND 9 communicates with a server that does support EDNS0, such as -another BIND 9 server, responses of up to 4096 bytes may be -transmitted as a single UDP datagram which is subject to fragmentation -at the IP level. If a firewall incorrectly drops IP fragments, it can -cause resolution to slow down dramatically or fail. - -3.2. Zone Transfers - -Outgoing zone transfers now use the "many-answers" format by default. -This format is not understood by certain old versions of BIND 4. -You can work around this problem using the option "transfer-format -one-answer;", but since these old versions all have known security -problems, the correct fix is to upgrade the slave servers. - -Zone transfers to Windows 2000 DNS servers sometimes fail due to a -bug in the Windows 2000 DNS server where DNS messages larger than -16K are not handled properly. Obtain the latest service pack for -Windows 2000 from Microsoft to address this issue. In the meantime, -the problem can be worked around by setting "transfer-format one-answer;". -http://support.microsoft.com/default.aspx?scid=kb;en-us;297936 - -4. Unrestricted Character Set - - BIND 9.2 only - -BIND 9 does not restrict the character set of domain names - it is -fully 8-bit clean in accordance with RFC2181 section 11. - -It is strongly recommended that hostnames published in the DNS follow -the RFC952 rules, but BIND 9 will not enforce this restriction. - -Historically, some applications have suffered from security flaws -where data originating from the network, such as names returned by -gethostbyaddr(), are used with insufficient checking and may cause a -breach of security when containing unexpected characters; see - -for details. 
Some earlier versions of BIND attempt to protect these -flawed applications from attack by discarding data containing -characters deemed inappropriate in host names or mail addresses, under -the control of the "check-names" option in named.conf and/or "options -no-check-names" in resolv.conf. BIND 9 provides no such protection; -if applications with these flaws are still being used, they should -be upgraded. - - BIND 9.3 onwards implements check-names. - -5. Server Administration Tools - -5.1 Ndc Replaced by Rndc - -The "ndc" program has been replaced by "rndc", which is capable of -remote operation. Unlike ndc, rndc requires a configuration file. -The easiest way to generate a configuration file is to run -"rndc-confgen -a"; see the man pages for rndc(8), rndc-confgen(8), -and rndc.conf(5) for details. - -5.2. Nsupdate Differences - -The BIND 8 implementation of nsupdate had an undocumented feature -where an update request would be broken down into multiple requests -based upon the discovered zones that contained the records. This -behaviour has not been implemented in BIND 9. Each update request -must pertain to a single zone, but it is still possible to do multiple -updates in a single invocation of nsupdate by terminating each update -with an empty line or a "send" command. - - -6. No Information Leakage between Zones - -BIND 9 stores the authoritative data for each zone in a separate data -structure, as recommended in RFC1035 and as required by DNSSEC and -IXFR. When a BIND 9 server is authoritative for both a child zone and -its parent, it will have two distinct sets of NS records at the -delegation point: the authoritative NS records at the child's apex, -and a set of glue NS records in the parent. 
- -BIND 8 was unable to properly distinguish between these two sets of NS -records and would "leak" the child's NS records into the parent, -effectively causing the parent zone to be silently modified: responses -and zone transfers from the parent contained the child's NS records -rather than the glue configured into the parent (if any). In the case -of children of type "stub", this behaviour was documented as a feature, -allowing the glue NS records to be omitted from the parent -configuration. - -Sites that were relying on this BIND 8 behaviour need to add any -omitted glue NS records, and any necessary glue A records, to the -parent zone. - -Although stub zones can no longer be used as a mechanism for injecting -NS records into their parent zones, they are still useful as a way of -directing queries for a given domain to a particular set of name -servers. - - -7. Umask not Modified - -The BIND 8 named unconditionally sets the umask to 022. BIND 9 does -not; the umask inherited from the parent process remains in effect. -This may cause files created by named, such as journal files, to be -created with different file permissions than they did in BIND 8. If -necessary, the umask should be set explicitly in the script used to -start the named process. - - -$ISC: migration,v 1.45.18.2 2007/09/07 06:34:21 marka Exp $ diff --git a/usr.sbin/bind/doc/misc/migration-4to9 b/usr.sbin/bind/doc/misc/migration-4to9 deleted file mode 100644 index d339ce0ca7c..00000000000 --- a/usr.sbin/bind/doc/misc/migration-4to9 +++ /dev/null 
@@ -1,57 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2001 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$ISC: migration-4to9,v 1.4 2004/03/05 05:04:53 marka Exp $
-
- BIND 4 to BIND 9 Migration Notes
-
-To transition from BIND 4 to BIND 9 you first need to convert your
-configuration file to the new format. There is a conversion tool in
-contrib/named-bootconf that allows you to do this.
-
- named-bootconf.sh < /etc/named.boot > /etc/named.conf
-
-BIND 9 uses a system assigned port for the UDP queries it makes rather
-than port 53 that BIND 4 uses. This may conflict with some firewalls.
-The following directives in /etc/named.conf allows you to specify
-a port to use.
-
- query-source address * port 53;
- transfer-source * port 53;
- notify-source * port 53;
-
-BIND 9 no longer uses the minimum field to specify the TTL of records
-without a explicit TTL. Use the $TTL directive to specify a default TTL
-before the first record without a explicit TTL.
-
- $TTL 3600
- @ IN SOA ns1.example.com. hostmaster.example.com. (
- 2001021100
- 7200
- 1200
- 3600000
- 7200 )
-
-BIND 9 does not support multiple CNAMEs with the same owner name.
-
- Illegal:
- www.example.com. CNAME host1.example.com.
- www.example.com. CNAME host2.example.com.
-
-BIND 9 does not support "CNAMEs with other data" with the same owner name,
-ignoring the DNSSEC records (SIG, NXT, KEY) that BIND 4 did not support.
-
- Illegal:
- www.example.com. CNAME host1.example.com.
- www.example.com. MX 10 host2.example.com.
-
-BIND 9 is less tolerant of errors in master files, so check your logs and
-fix any errors reported. The named-checkzone program can also be to check
-master files.
-
-Outgoing zone transfers now use the "many-answers" format by default.
-This format is not understood by certain old versions of BIND 4.
-You can work around this problem using the option "transfer-format
-one-answer;", but since these old versions all have known security
-problems, the correct fix is to upgrade the slave servers.
diff --git a/usr.sbin/bind/doc/misc/options b/usr.sbin/bind/doc/misc/options
deleted file mode 100644
index a17c52274eb..00000000000
--- a/usr.sbin/bind/doc/misc/options
+++ /dev/null
@@ -1,481 +0,0 @@ - -This is a summary of the named.conf options supported by -this version of BIND 9. - -options { - avoid-v4-udp-ports { ; ... }; - avoid-v6-udp-ports { ; ... }; - blackhole { ; ... }; - coresize ; - datasize ; - deallocate-on-exit ; // obsolete - directory ; - dump-file ; - fake-iquery ; // obsolete - files ; - has-old-clients ; // obsolete - heartbeat-interval ; - host-statistics ; // not implemented - host-statistics-max ; // not implemented - hostname ( | none ); - interface-interval ; - listen-on [ port ] { ; ... }; - listen-on-v6 [ port ] { ; ... }; - match-mapped-addresses ; - memstatistics-file ; - multiple-cnames ; // obsolete - named-xfer ; // obsolete - pid-file ( | none ); - port ; - querylog ; - recursing-file ; - random-device ; - recursive-clients ; - serial-queries ; // obsolete - serial-query-rate ; - server-id ( | none |; - stacksize ; - statistics-file ; - statistics-interval ; // not yet implemented - tcp-clients ; - tcp-listen-queue ; - tkey-dhkey ; - tkey-gssapi-credential ; - tkey-domain ; - transfers-per-ns ; - transfers-in ; - transfers-out ; - treat-cr-as-space ; // obsolete - use-id-pool ; // obsolete - use-ixfr ; - version ( | none ); - flush-zones-on-shutdown ; - allow-query-cache { ; ... }; - allow-recursion { ; ... }; - allow-v6-synthesis { ; ... }; // obsolete - sortlist { ; ... }; - topology { ; ... }; // not implemented - auth-nxdomain ; // default changed - minimal-responses ; - recursion ; - rrset-order { [ class ] [ type ] [ name - ] ; ... 
}; - provide-ixfr ; - request-ixfr ; - fetch-glue ; // obsolete - rfc2308-type1 ; // not yet implemented - additional-from-auth ; - additional-from-cache ; - query-source ; - query-source-v6 ; - cleaning-interval ; - min-roots ; // not implemented - lame-ttl ; - max-ncache-ttl ; - max-cache-ttl ; - transfer-format ( many-answers | one-answer ); - max-cache-size ; - check-names ( master | slave | response ) ( fail | warn | ignore ); - cache-file ; - suppress-initial-notify ; // not yet implemented - preferred-glue ; - dual-stack-servers [ port ] { ( [port - ] | [port ] | [port ] ); ... }; - edns-udp-size ; - max-udp-size ; - root-delegation-only [ exclude { ; ... } ]; - disable-algorithms { ; ... }; - dnssec-enable ; - dnssec-validation ; - dnssec-lookaside trust-anchor ; - dnssec-must-be-secure ; - dnssec-accept-expired ; - ixfr-from-differences ; - acache-enable ; - acache-cleaning-interval ; - max-acache-size ; - clients-per-query ; - max-clients-per-query ; - empty-server ; - empty-contact ; - empty-zones-enable ; - disable-empty-zone ; - zero-no-soa-ttl-cache ; - allow-query { ; ... }; - allow-transfer { ; ... }; - allow-update { ; ... }; - allow-update-forwarding { ; ... }; - allow-notify { ; ... }; - masterfile-format ( text | raw ); - notify ; - notify-source ( | * ) [ port ( | * ) ]; - notify-source-v6 ( | * ) [ port ( | * ) ]; - also-notify [ port ] { ( | - ) [ port ]; ... }; - notify-delay ; - dialup ; - forward ( first | only ); - forwarders [ port ] { ( | ) - [ port ]; ... 
}; - maintain-ixfr-base ; // obsolete - max-ixfr-log-size ; // obsolete - max-journal-size ; - max-transfer-time-in ; - max-transfer-time-out ; - max-transfer-idle-in ; - max-transfer-idle-out ; - max-retry-time ; - min-retry-time ; - max-refresh-time ; - min-refresh-time ; - multi-master ; - sig-validity-interval ; - transfer-source ( | * ) [ port ( | * ) ]; - transfer-source-v6 ( | * ) [ port ( | * ) ]; - alt-transfer-source ( | * ) [ port ( | * ) - ]; - alt-transfer-source-v6 ( | * ) [ port ( | - * ) ]; - use-alt-transfer-source ; - zone-statistics ; - key-directory ; - check-wildcard ; - check-integrity ; - check-mx ( fail | warn | ignore ); - check-mx-cname ( fail | warn | ignore ); - check-srv-cname ( fail | warn | ignore ); - check-sibling ; - zero-no-soa-ttl ; - update-check-ksk ; -}; - -controls { - inet ( | | * ) [ port ( | * - ) ] allow { ; ... } [ keys { ; ... } ]; - unix perm owner group - [ keys { ; ... } ]; -}; - -acl { ; ... }; - -masters [ port ] { ( | [port - ] | [port ] ) [ key ]; ... }; - -logging { - channel { - file ; - syslog ; - null; - stderr; - severity ; - print-time ; - print-severity ; - print-category ; - }; - category { ; ... }; -}; - -view { - match-clients { ; ... }; - match-destinations { ; ... }; - match-recursive-only ; - key { - algorithm ; - secret ; - }; - zone { - type ( master | slave | stub | hint | forward | - delegation-only ); - file ; - journal ; - ixfr-base ; // obsolete - ixfr-tmp-file ; // obsolete - masters [ port ] { ( | - [port ] | [port ] ) [ key ]; ... }; - pubkey ; // - obsolete - update-policy { ( grant | deny ) ( name | - subdomain | wildcard | self | selfsub | selfwild ) ; ... }; - database ; - delegation-only ; - check-names ( fail | warn | ignore ); - ixfr-from-differences ; - allow-query { ; ... }; - allow-transfer { ; ... }; - allow-update { ; ... }; - allow-update-forwarding { ; ... }; - allow-notify { ; ... 
}; - masterfile-format ( text | raw ); - notify ; - notify-source ( | * ) [ port ( | * - ) ]; - notify-source-v6 ( | * ) [ port ( - | * ) ]; - also-notify [ port ] { ( | - ) [ port ]; ... }; - notify-delay ; - dialup ; - forward ( first | only ); - forwarders [ port ] { ( | - ) [ port ]; ... }; - maintain-ixfr-base ; // obsolete - max-ixfr-log-size ; // obsolete - max-journal-size ; - max-transfer-time-in ; - max-transfer-time-out ; - max-transfer-idle-in ; - max-transfer-idle-out ; - max-retry-time ; - min-retry-time ; - max-refresh-time ; - min-refresh-time ; - multi-master ; - sig-validity-interval ; - transfer-source ( | * ) [ port ( | - * ) ]; - transfer-source-v6 ( | * ) [ port ( - | * ) ]; - alt-transfer-source ( | * ) [ port ( - | * ) ]; - alt-transfer-source-v6 ( | * ) [ port ( - | * ) ]; - use-alt-transfer-source ; - zone-statistics ; - key-directory ; - check-wildcard ; - check-integrity ; - check-mx ( fail | warn | ignore ); - check-mx-cname ( fail | warn | ignore ); - check-srv-cname ( fail | warn | ignore ); - check-sibling ; - zero-no-soa-ttl ; - update-check-ksk ; - }; - dlz { - database ; - }; - server { - bogus ; - provide-ixfr ; - request-ixfr ; - support-ixfr ; // obsolete - transfers ; - transfer-format ( many-answers | one-answer ); - keys ; - edns ; - edns-udp-size ; - max-udp-size ; - notify-source ( | * ) [ port ( | * - ) ]; - notify-source-v6 ( | * ) [ port ( - | * ) ]; - query-source ; - query-source-v6 ; - transfer-source ( | * ) [ port ( | - * ) ]; - transfer-source-v6 ( | * ) [ port ( - | * ) ]; - }; - trusted-keys { - ; ... }; - allow-query-cache { ; ... }; - allow-recursion { ; ... }; - allow-v6-synthesis { ; ... }; // obsolete - sortlist { ; ... }; - topology { ; ... }; // not implemented - auth-nxdomain ; // default changed - minimal-responses ; - recursion ; - rrset-order { [ class ] [ type ] [ name - ] ; ... 
}; - provide-ixfr ; - request-ixfr ; - fetch-glue ; // obsolete - rfc2308-type1 ; // not yet implemented - additional-from-auth ; - additional-from-cache ; - query-source ; - query-source-v6 ; - cleaning-interval ; - min-roots ; // not implemented - lame-ttl ; - max-ncache-ttl ; - max-cache-ttl ; - transfer-format ( many-answers | one-answer ); - max-cache-size ; - check-names ( master | slave | response ) ( fail | warn | ignore ); - cache-file ; - suppress-initial-notify ; // not yet implemented - preferred-glue ; - dual-stack-servers [ port ] { ( [port - ] | [port ] | [port ] ); ... }; - edns-udp-size ; - max-udp-size ; - root-delegation-only [ exclude { ; ... } ]; - disable-algorithms { ; ... }; - dnssec-enable ; - dnssec-validation ; - dnssec-lookaside trust-anchor ; - dnssec-must-be-secure ; - dnssec-accept-expired ; - ixfr-from-differences ; - acache-enable ; - acache-cleaning-interval ; - max-acache-size ; - clients-per-query ; - max-clients-per-query ; - empty-server ; - empty-contact ; - empty-zones-enable ; - disable-empty-zone ; - zero-no-soa-ttl-cache ; - allow-query { ; ... }; - allow-transfer { ; ... }; - allow-update { ; ... }; - allow-update-forwarding { ; ... }; - allow-notify { ; ... }; - masterfile-format ( text | raw ); - notify ; - notify-source ( | * ) [ port ( | * ) ]; - notify-source-v6 ( | * ) [ port ( | * ) ]; - also-notify [ port ] { ( | - ) [ port ]; ... }; - notify-delay ; - dialup ; - forward ( first | only ); - forwarders [ port ] { ( | ) - [ port ]; ... 
}; - maintain-ixfr-base ; // obsolete - max-ixfr-log-size ; // obsolete - max-journal-size ; - max-transfer-time-in ; - max-transfer-time-out ; - max-transfer-idle-in ; - max-transfer-idle-out ; - max-retry-time ; - min-retry-time ; - max-refresh-time ; - min-refresh-time ; - multi-master ; - sig-validity-interval ; - transfer-source ( | * ) [ port ( | * ) ]; - transfer-source-v6 ( | * ) [ port ( | * ) ]; - alt-transfer-source ( | * ) [ port ( | * ) - ]; - alt-transfer-source-v6 ( | * ) [ port ( | - * ) ]; - use-alt-transfer-source ; - zone-statistics ; - key-directory ; - check-wildcard ; - check-integrity ; - check-mx ( fail | warn | ignore ); - check-mx-cname ( fail | warn | ignore ); - check-srv-cname ( fail | warn | ignore ); - check-sibling ; - zero-no-soa-ttl ; - update-check-ksk ; - database ; -}; - -lwres { - listen-on [ port ] { ( | ) - [ port ]; ... }; - view ; - search { ; ... }; - ndots ; -}; - -key { - algorithm ; - secret ; -}; - -zone { - type ( master | slave | stub | hint | forward | delegation-only ); - file ; - journal ; - ixfr-base ; // obsolete - ixfr-tmp-file ; // obsolete - masters [ port ] { ( | [port - ] | [port ] ) [ key ]; ... }; - pubkey ; // obsolete - update-policy { ( grant | deny ) ( name | subdomain | - wildcard | self | selfsub | selfwild ) ; ... }; - database ; - delegation-only ; - check-names ( fail | warn | ignore ); - ixfr-from-differences ; - allow-query { ; ... }; - allow-transfer { ; ... }; - allow-update { ; ... }; - allow-update-forwarding { ; ... }; - allow-notify { ; ... }; - masterfile-format ( text | raw ); - notify ; - notify-source ( | * ) [ port ( | * ) ]; - notify-source-v6 ( | * ) [ port ( | * ) ]; - also-notify [ port ] { ( | - ) [ port ]; ... }; - notify-delay ; - dialup ; - forward ( first | only ); - forwarders [ port ] { ( | ) - [ port ]; ... 
}; - maintain-ixfr-base ; // obsolete - max-ixfr-log-size ; // obsolete - max-journal-size ; - max-transfer-time-in ; - max-transfer-time-out ; - max-transfer-idle-in ; - max-transfer-idle-out ; - max-retry-time ; - min-retry-time ; - max-refresh-time ; - min-refresh-time ; - multi-master ; - sig-validity-interval ; - transfer-source ( | * ) [ port ( | * ) ]; - transfer-source-v6 ( | * ) [ port ( | * ) ]; - alt-transfer-source ( | * ) [ port ( | * ) - ]; - alt-transfer-source-v6 ( | * ) [ port ( | - * ) ]; - use-alt-transfer-source ; - zone-statistics ; - key-directory ; - check-wildcard ; - check-integrity ; - check-mx ( fail | warn | ignore ); - check-mx-cname ( fail | warn | ignore ); - check-srv-cname ( fail | warn | ignore ); - check-sibling ; - zero-no-soa-ttl ; - update-check-ksk ; -}; - -dlz { - database ; -}; - -server { - bogus ; - provide-ixfr ; - request-ixfr ; - support-ixfr ; // obsolete - transfers ; - transfer-format ( many-answers | one-answer ); - keys ; - edns ; - edns-udp-size ; - max-udp-size ; - notify-source ( | * ) [ port ( | * ) ]; - notify-source-v6 ( | * ) [ port ( | * ) ]; - query-source ; - query-source-v6 ; - transfer-source ( | * ) [ port ( | * ) ]; - transfer-source-v6 ( | * ) [ port ( | * ) ]; -}; - -trusted-keys { ; ... }; - diff --git a/usr.sbin/bind/doc/misc/rfc-compliance b/usr.sbin/bind/doc/misc/rfc-compliance deleted file mode 100644 index 9695f261f6f..00000000000 --- a/usr.sbin/bind/doc/misc/rfc-compliance +++ /dev/null 
@@ -1,62 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2001 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$ISC: rfc-compliance,v 1.4 2004/03/05 05:04:53 marka Exp $
-
-BIND 9 is striving for strict compliance with IETF standards. We
-believe this release of BIND 9 complies with the following RFCs, with
-the caveats and exceptions listed in the numbered notes below. Note
-that a number of these RFCs do not have the status of Internet
-standards but are proposed or draft standards, experimental RFCs,
-or Best Current Practice (BCP) documents.
-
- RFC1034
- RFC1035 [1] [2]
- RFC1123
- RFC1183
- RFC1535
- RFC1536
- RFC1706
- RFC1712
- RFC1750
- RFC1876
- RFC1982
- RFC1995
- RFC1996
- RFC2136
- RFC2163
- RFC2181
- RFC2230
- RFC2308
- RFC2535 [3] [4]
- RFC2536
- RFC2537
- RFC2538
- RFC2539
- RFC2671
- RFC2672
- RFC2673
- RFC2782
- RFC2915
- RFC2930
- RFC2931 [5]
- RFC3007
-
-
-[1] Queries to zones that have failed to load return SERVFAIL rather
-than a non-authoritative response. This is considered a feature.
-
-[2] CLASS ANY queries are not supported. This is considered a feature.
-
-[3] Wildcard records are not supported in DNSSEC secure zones.
-
-[4] Servers authoritative for secure zones being resolved by BIND 9
-must support EDNS0 (RFC2671), and must return all relevant SIGs and
-NXTs in responses rather than relying on the resolving server to
-perform separate queries for missing SIGs and NXTs.
-
-[5] When receiving a query signed with a SIG(0), the server will only
-be able to verify the signature if it has the key in its local
-authoritative data; it will not do recursion or validation to
-retrieve unknown keys.
diff --git a/usr.sbin/bind/doc/misc/roadmap b/usr.sbin/bind/doc/misc/roadmap
deleted file mode 100644
index 5f930eb5121..00000000000
--- a/usr.sbin/bind/doc/misc/roadmap
+++ /dev/null
@@ -1,47 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$ISC: roadmap,v 1.2 2004/03/05 05:04:54 marka Exp $
-
-Road Map to the BIND 9 Source Tree
-
-bin/named The name server. This relies heavily on the
- libraries in lib/isc and lib/dns.
- client.c Handling of incoming client requests
- query.c Query processing
-bin/rndc The remote name daemon control program
-bin/dig The "dig" program
-bin/dnssec The DNSSEC signer and other DNSSEC tools
-bin/nsupdate The "nsupdate" program
-bin/tests Test suites and miscellaneous test programs
-bin/tests/system System tests; see bin/tests/system/README
-lib/dns The DNS library
- resolver.c The "full resolver" (performs recursive lookups)
- validator.c The DNSSEC validator
- db.c The database interface
- sdb.c The simple database interface
- rbtdb.c The red-black tree database
-lib/dns/rdata Routines for handling the various RR types
-lib/dns/sec Cryptographic libraries for DNSSEC
-lib/isc The ISC library
- task.c Task library
- unix/socket.c Unix implementation of socket library
-lib/isccfg Routines for reading and writing ISC-style
- configuration files like named.conf and rndc.conf
-lib/isccc The command channel library, used by rndc.
-lib/tests Support code for the test suites.
-lib/lwres The lightweight resolver library.
-doc/draft Current internet-drafts pertaining to the DNS
-doc/rfc RFCs pertaining to the DNS
-doc/misc Miscellaneous documentation
-doc/arm The BIND 9 Administrator Reference Manual
-doc/man Man pages
-contrib Contributed and other auxiliary code
-contrib/idn/mdnkit The multilingual domain name evaluation kit
-contrib/sdb Sample drivers for the simple database interface
-make Makefile fragments, used by configure
-
-The library interfaces are mainly documented in the form of comments
-in the header files. For example, the task subsystem is documented in
-lib/isc/include/isc/task.h
diff --git a/usr.sbin/bind/doc/misc/sdb b/usr.sbin/bind/doc/misc/sdb
deleted file mode 100644
index 39f802b5b56..00000000000
--- a/usr.sbin/bind/doc/misc/sdb
+++ /dev/null
@@ -1,169 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-Using the BIND 9 Simplified Database Interface
-
-This document describes the care and feeding of the BIND 9 Simplified
-Database Interface, which allows you to extend BIND 9 with new ways
-of obtaining the data that is published as DNS zones.
-
-
-The Original BIND 9 Database Interface
-
-BIND 9 has a well-defined "back-end database interface" that makes it
-possible to replace the component of the name server responsible for
-the storage and retrieval of zone data, called the "database", on a
-per-zone basis. The default database is an in-memory, red-black-tree
-data structure commonly referred to as "rbtdb", but it is possible to
-write drivers to support any number of alternative database
-technologies such as in-memory hash tables, application specific
-persistent on-disk databases, object databases, or relational
-databases.
-
-The original BIND 9 database interface defined in is
-designed to efficiently support the full set of database functionality
-needed by a name server that implements the complete DNS protocols,
-including features such as zone transfers, dynamic update, and DNSSEC.
-Each of these aspects of name server operations places its own set of
-demands on the data store, with the result that the database API is
-quite complex and contains operations that are highly specific to the
-DNS. For example, data are stored in a binary format, the name space
-is tree structured, and sets of data records are conceptually
-associated with DNSSEC signature sets. For these reasons, writing a
-driver using this interface is a highly nontrivial undertaking.
-
-
-The Simplified Database Interface
-
-Many BIND users wish to provide access to various data sources through
-the DNS, but are not necessarily interested in completely replacing
-the in-memory "rbt" database or in supporting features like dynamic
-update, DNSSEC, or even zone transfers.
-
-Often, all you want is limited, read-only DNS access to an existing
-system. For example, you may have an existing relational database
-containing hostname/address mappings and wish to provide forvard and
-reverse DNS lookups based on this information. Or perhaps you want to
-set up a simple DNS-based load balancing system where the name server
-answers queries about a single DNS name with a dynamically changing
-set of A records.
-
-BIND 9.1 introduced a new, simplified database interface, or "sdb",
-which greatly simplifies the writing of drivers for these kinds of
-applications.
-
-
-The sdb Driver
-
-An sdb driver is an object module, typically written in C, which is
-linked into the name server and registers itself with the sdb
-subsystem. It provides a set of callback functions, which also serve
-to advertise its capabilities. When the name server receives DNS
-queries, invokes the callback functions to obtain the data to respond
-with.
-
-Unlike the full database interface, the sdb interface represents all
-domain names and resource records as ASCII text.
-
-
-Writing an sdb Driver
-
-When a driver is registered, it specifies its name, a list of callback
-functions, and flags.
-
-The flags specify whether the driver wants to use relative domain
-names where possible.
-
-The callback functions are as follows. The only one that must be
-defined is lookup().
-
- - create(zone, argc, argv, driverdata, dbdata)
- Create a database object for "zone".
-
- - destroy(zone, driverdata, dbdata)
- Destroy the database object for "zone".
-
- - lookup(zone, name, dbdata, lookup)
- Return all the records at the domain name "name".
-
- - authority(zone, dbdata, lookup)
- Return the SOA and NS records at the zone apex.
-
- - allnodes(zone, dbdata, allnodes)
- Return all data in the zone, for zone transfers.
-
-For more detail about these functions and their parameters, see
-bind9/lib/dns/include/dns/sdb.h. For example drivers, see
-bind9/contrib/sdb.
-
-
-Rebuilding the Server
-
-The driver module and header file must be copied to (or linked into)
-the bind9/bin/named and bind9/bin/named/include directories
-respectively, and must be added to the DBDRIVER_OBJS and DBDRIVER_SRCS
-lines in bin/named/Makefile.in (e.g. for the timedb sample sdb driver,
-add timedb.c to DBDRIVER_SRCS and timedb.@O@ to DBDRIVER_OBJS). If
-the driver needs additional header files or libraries in nonstandard
-places, the DBDRIVER_INCLUDES and DBDRIVER_LIBS lines should also be
-updated.
-
-Calls to dns_sdb_register() and dns_sdb_unregister() (or wrappers,
-e.g. timedb_init() and timedb_clear() for the timedb sample sdb
-driver) must be inserted into the server, in bind9/bin/named/main.c.
-Registration should be in setup(), before the call to
-ns_server_create(). Unregistration should be in cleanup(),
-after the call to ns_server_destroy(). A #include should be added
-corresponding to the driver header file.
-
-You should try doing this with one or more of the sample drivers
-before attempting to write a driver of your own.
-
-
-Configuring the Server
-
-To make a zone use a new database driver, specify a "database" option
-in its "zone" statement in named.conf. For example, if the driver
-registers itself under the name "acmedb", you might say
-
- zone "foo.com" {
- database "acmedb";
- };
-
-You can pass arbitrary arguments to the create() function of the
-driver by adding any number of whitespace-separated words after the
-driver name:
-
- zone "foo.com" {
- database "acmedb -mode sql -connect 10.0.0.1";
- };
-
-
-Hints for Driver Writers
-
- - If a driver is generating data on the fly, it probably should
- not implement the allnodes() function, since a zone transfer
- will not be meaningful. The allnodes() function is more relevant
- with data from a database.
-
- - The authority() function is necessary if and only if the lookup()
- function will not add SOA and NS records at the zone apex. If
- SOA and NS records are provided by the lookup() function,
- the authority() function should be NULL.
-
- - When a driver is registered, an opaque object can be provided. This
- object is passed into the database create() and destroy() functions.
-
- - When a database is created, an opaque object can be created that
- is associated with that database. This object is passed into the
- lookup(), authority(), and allnodes() functions, and is
- destroyed by the destroy() function.
-
-
-Future Directions
-
-A future release may support dynamic loading of sdb drivers.
-
-
-$ISC: sdb,v 1.6 2004/03/05 05:04:54 marka Exp $
diff --git a/usr.sbin/bind/doc/xsl/Makefile.in b/usr.sbin/bind/doc/xsl/Makefile.in
deleted file mode 100644
index 2feb70d4aee..00000000000
--- a/usr.sbin/bind/doc/xsl/Makefile.in
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $ISC: Makefile.in,v 1.2.2.1 2005/07/19 05:55:47 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-distclean::
- rm -f isc-docbook-chunk.xsl isc-docbook-html.xsl \
- isc-docbook-latex.xsl isc-manpage.xsl
diff --git a/usr.sbin/bind/doc/xsl/copyright.xsl b/usr.sbin/bind/doc/xsl/copyright.xsl
deleted file mode 100644
index 00448718edb..00000000000
--- a/usr.sbin/bind/doc/xsl/copyright.xsl
+++ /dev/null
@@ -1,75 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. - - - - - - - - Copyright (C) - - - - - - - - - - - - - - - diff --git a/usr.sbin/bind/doc/xsl/isc-docbook-chunk.xsl.in b/usr.sbin/bind/doc/xsl/isc-docbook-chunk.xsl.in deleted file mode 100644 index 3c764eaaf8b..00000000000 --- a/usr.sbin/bind/doc/xsl/isc-docbook-chunk.xsl.in +++ /dev/null @@ -1,65 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - ansi - - - - - - - - - - - - - - - - - - - $Id$ - - - - - - diff --git a/usr.sbin/bind/doc/xsl/isc-docbook-html.xsl.in b/usr.sbin/bind/doc/xsl/isc-docbook-html.xsl.in deleted file mode 100644 index f06c83ffb6d..00000000000 --- a/usr.sbin/bind/doc/xsl/isc-docbook-html.xsl.in +++ /dev/null @@ -1,58 +0,0 @@ - - - - - - - - - - - - - - - - ansi - - - - - - - - - - - - - - - - - - - $Id$ - - - - - - diff --git a/usr.sbin/bind/doc/xsl/isc-docbook-latex-mappings.xml b/usr.sbin/bind/doc/xsl/isc-docbook-latex-mappings.xml deleted file mode 100644 index 1a3281f144f..00000000000 --- a/usr.sbin/bind/doc/xsl/isc-docbook-latex-mappings.xml +++ /dev/null 
@@ -1,37 +0,0 @@ - - - - - - - - - - % - % ------------------------------------------------------------- - % Refentry - % ------------------------------------------------------------- - \section{%title%} - \label{%id%}\hypertarget{%id%}{}% - - - diff --git a/usr.sbin/bind/doc/xsl/isc-docbook-latex.xsl.in b/usr.sbin/bind/doc/xsl/isc-docbook-latex.xsl.in deleted file mode 100644 index 11775ad2209..00000000000 --- a/usr.sbin/bind/doc/xsl/isc-docbook-latex.xsl.in +++ /dev/null @@ -1,166 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - 10pt,twoside,openright - - - - - - - - - - ansi - - - - - - - - - , - - - - - - - - % - - - - - - - - - - - \par - - - - - [ - - ] - - - - - - \begin{titlepage} - \null\vfil - \vskip 60pt - \begin{center}% - { %\LARGE - \Huge - \bfseries - - - - - - \par}% - \vskip 3em% - { %\large - \Large - \lineskip .75em% - - - - - - \par} - %\vskip 1.5em% - \vfil - \includegraphics{isc-logo} - \end{center}\par - \vfil\null - \end{titlepage} - - - - - - - - \begin{center} - - \end{center} - - \begin{center} - - \end{center} - - \tableofcontents - - - - - \mbox{ - - } - - - - - diff --git a/usr.sbin/bind/doc/xsl/isc-docbook-text.xsl b/usr.sbin/bind/doc/xsl/isc-docbook-text.xsl deleted file mode 100644 index b48af384f57..00000000000 --- a/usr.sbin/bind/doc/xsl/isc-docbook-text.xsl +++ /dev/null @@ -1,50 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/usr.sbin/bind/doc/xsl/isc-manpage.xsl.in b/usr.sbin/bind/doc/xsl/isc-manpage.xsl.in deleted file mode 100644 index 9705f6bfa11..00000000000 --- a/usr.sbin/bind/doc/xsl/isc-manpage.xsl.in +++ /dev/null @@ -1,145 +0,0 @@ - - - - - - - - - - - - - - - - .\" - - - - - - ansi - - - - - - - .\" - .\" $Id$ - .\" - .hy 0 - .ad l - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - .RS .B " - - - - - : - - - :" - - .RE - - - - - .HP - - - - - - - - - - - - - - .nf - - .fi - - - - - 
diff --git a/usr.sbin/bind/doc/xsl/pre-latex.xsl b/usr.sbin/bind/doc/xsl/pre-latex.xsl deleted file mode 100644 index 95595bb9413..00000000000 --- a/usr.sbin/bind/doc/xsl/pre-latex.xsl +++ /dev/null @@ -1,55 +0,0 @@ - - - - - - - - - - - - - - - - --- - - - - - - - - - - - - - - - - - - - - - - -- 2.20.1