From cba78608de638f8cc6d1d48a2b3072e82386b70d Mon Sep 17 00:00:00 2001 From: Doug Barton Date: Sat, 12 Jul 2008 08:12:46 +0000 Subject: Vendor import of BIND 9.3.5 --- CHANGES | 426 +- COPYRIGHT | 6 +- FAQ | 841 +-- FAQ.xml | 1242 ++-- Makefile.in | 8 +- README | 8 - bin/check/check-tool.c | 10 +- bin/check/check-tool.h | 8 +- bin/check/named-checkconf.8 | 38 +- bin/check/named-checkconf.c | 8 +- bin/check/named-checkconf.docbook | 21 +- bin/check/named-checkconf.html | 25 +- bin/check/named-checkzone.8 | 68 +- bin/check/named-checkzone.docbook | 19 +- bin/check/named-checkzone.html | 23 +- bin/dig/Makefile.in | 8 +- bin/dig/dig.1 | 209 +- bin/dig/dig.c | 117 +- bin/dig/dig.docbook | 41 +- bin/dig/dig.html | 52 +- bin/dig/dighost.c | 150 +- bin/dig/host.1 | 17 +- bin/dig/host.c | 12 +- bin/dig/host.docbook | 18 +- bin/dig/host.html | 20 +- bin/dig/include/dig/dig.h | 11 +- bin/dig/nslookup.1 | 141 +- bin/dig/nslookup.c | 11 +- bin/dig/nslookup.docbook | 23 +- bin/dig/nslookup.html | 32 +- bin/dnssec/Makefile.in | 8 +- bin/dnssec/dnssec-keygen.8 | 85 +- bin/dnssec/dnssec-keygen.c | 8 +- bin/dnssec/dnssec-keygen.docbook | 21 +- bin/dnssec/dnssec-keygen.html | 30 +- bin/dnssec/dnssec-signzone.8 | 130 +- bin/dnssec/dnssec-signzone.c | 69 +- bin/dnssec/dnssec-signzone.docbook | 58 +- bin/dnssec/dnssec-signzone.html | 65 +- bin/named/Makefile.in | 8 +- bin/named/aclconf.c | 8 +- bin/named/client.c | 35 +- bin/named/config.c | 10 +- bin/named/control.c | 8 +- bin/named/controlconf.c | 91 +- bin/named/include/named/builtin.h | 8 +- bin/named/include/named/config.h | 8 +- bin/named/include/named/interfacemgr.h | 8 +- bin/named/include/named/log.h | 8 +- bin/named/include/named/main.h | 8 +- bin/named/include/named/query.h | 8 +- bin/named/include/named/zoneconf.h | 8 +- bin/named/interfacemgr.c | 8 +- bin/named/log.c | 8 +- bin/named/logconf.c | 8 +- bin/named/lwaddr.c | 8 +- bin/named/lwdclient.c | 8 +- bin/named/lwdgabn.c | 8 +- bin/named/lwdgnba.c | 10 +- bin/named/lwdgrbn.c | 4 +- bin/named/lwdnoop.c | 23 +- bin/named/lwresd.8 | 120 +- bin/named/lwresd.docbook | 122 +- bin/named/lwresd.html | 93 +- bin/named/named.8 | 102 +- bin/named/named.conf.5 | 34 +- bin/named/named.conf.docbook | 40 +- bin/named/named.conf.html | 45 +- bin/named/named.docbook | 44 +- bin/named/named.html | 45 +- bin/named/query.c | 110 +- bin/named/server.c | 143 +- bin/named/sortlist.c | 8 +- bin/named/tsigconf.c | 8 +- bin/named/unix/Makefile.in | 8 +- bin/named/unix/include/named/os.h | 8 +- bin/named/unix/os.c | 24 +- bin/named/update.c | 33 +- bin/nsupdate/Makefile.in | 8 +- bin/nsupdate/nsupdate.8 | 133 +- bin/nsupdate/nsupdate.c | 97 +- bin/nsupdate/nsupdate.docbook | 60 +- bin/nsupdate/nsupdate.html | 97 +- bin/rndc/Makefile.in | 10 +- bin/rndc/rndc-confgen.8 | 51 +- bin/rndc/rndc-confgen.docbook | 11 +- bin/rndc/rndc-confgen.html | 18 +- bin/rndc/rndc.8 | 53 +- bin/rndc/rndc.conf.5 | 15 +- bin/rndc/rndc.conf.docbook | 13 +- bin/rndc/rndc.conf.html | 20 +- bin/rndc/rndc.docbook | 42 +- bin/rndc/rndc.html | 46 +- bin/rndc/unix/Makefile.in | 8 +- configure.in | 76 +- doc/arm/Bv9ARM-book.xml | 177 +- doc/arm/Bv9ARM.ch01.html | 62 +- doc/arm/Bv9ARM.ch02.html | 28 +- doc/arm/Bv9ARM.ch03.html | 40 +- doc/arm/Bv9ARM.ch04.html | 84 +- doc/arm/Bv9ARM.ch05.html | 10 +- doc/arm/Bv9ARM.ch06.html | 217 +- doc/arm/Bv9ARM.ch07.html | 20 +- doc/arm/Bv9ARM.ch08.html | 44 +- doc/arm/Bv9ARM.ch09.html | 123 +- doc/arm/Bv9ARM.html | 153 +- doc/arm/Bv9ARM.pdf | 9295 ++++++++++++++-------------- doc/arm/Makefile.in | 20 +- doc/misc/Makefile.in | 28 +- doc/misc/dnssec | 6 +- doc/misc/format-options.pl | 29 +- doc/misc/migration | 12 +- doc/misc/options | 521 +- doc/misc/sort-options.pl | 50 + doc/rfc/index | 11 + doc/rfc/rfc4193.txt | 899 +++ doc/rfc/rfc4255.txt | 507 ++ doc/rfc/rfc4343.txt | 563 ++ doc/rfc/rfc4367.txt | 955 +++ doc/rfc/rfc4398.txt | 955 +++ doc/rfc/rfc4408.txt | 2691 ++++++++ doc/rfc/rfc4431.txt | 227 + doc/rfc/rfc4470.txt | 451 ++ doc/rfc/rfc4634.txt | 6051 ++++++++++++++++++ doc/rfc/rfc4641.txt | 1963 ++++++ lib/Makefile.in | 8 +- lib/bind/api | 2 +- lib/bind/configure.in | 50 +- lib/bind/dst/dst_api.c | 5 +- lib/bind/dst/hmac_link.c | 26 +- lib/bind/include/Makefile.in | 8 +- lib/bind/include/isc/eventlib.h | 4 +- lib/bind/include/isc/platform.h.in | 36 + lib/bind/inet/inet_network.c | 4 +- lib/bind/irs/dns_ho.c | 6 +- lib/bind/irs/gai_strerror.c | 4 +- lib/bind/irs/irp_ng.c | 6 +- lib/bind/irs/irs_data.c | 6 +- lib/bind/isc/ctl_clnt.c | 15 +- lib/bind/isc/ctl_srvr.c | 6 +- lib/bind/make/rules.in | 8 +- lib/bind/nameser/ns_parse.c | 4 +- lib/bind/port_after.h.in | 7 + lib/bind/port_before.h.in | 10 + lib/bind/resolv/res_data.c | 8 +- lib/bind/resolv/res_init.c | 41 +- lib/bind/resolv/res_send.c | 28 +- lib/bind9/Makefile.in | 8 +- lib/bind9/api | 2 +- lib/bind9/check.c | 19 +- lib/bind9/getaddresses.c | 8 +- lib/bind9/include/Makefile.in | 8 +- lib/bind9/include/bind9/Makefile.in | 8 +- lib/bind9/include/bind9/check.h | 8 +- lib/bind9/include/bind9/getaddresses.h | 8 +- lib/bind9/include/bind9/version.h | 8 +- lib/bind9/version.c | 8 +- lib/dns/acl.c | 8 +- lib/dns/adb.c | 12 +- lib/dns/api | 6 +- lib/dns/dbtable.c | 8 +- lib/dns/dispatch.c | 511 +- lib/dns/dnssec.c | 40 +- lib/dns/dst_parse.c | 8 +- lib/dns/gen-unix.h | 8 +- lib/dns/include/dns/acl.h | 8 +- lib/dns/include/dns/cache.h | 8 +- lib/dns/include/dns/callbacks.h | 8 +- lib/dns/include/dns/compress.h | 8 +- lib/dns/include/dns/db.h | 8 +- lib/dns/include/dns/diff.h | 8 +- lib/dns/include/dns/dispatch.h | 13 +- lib/dns/include/dns/dnssec.h | 8 +- lib/dns/include/dns/events.h | 8 +- lib/dns/include/dns/journal.h | 8 +- lib/dns/include/dns/lib.h | 8 +- lib/dns/include/dns/master.h | 8 +- lib/dns/include/dns/masterdump.h | 8 +- lib/dns/include/dns/ncache.h | 8 +- lib/dns/include/dns/opcode.h | 8 +- lib/dns/include/dns/order.h | 8 +- lib/dns/include/dns/rbt.h | 8 +- lib/dns/include/dns/rdataslab.h | 8 +- lib/dns/include/dns/request.h | 8 +- lib/dns/include/dns/sdb.h | 8 +- lib/dns/include/dns/time.h | 8 +- lib/dns/include/dns/tsig.h | 8 +- lib/dns/include/dns/validator.h | 19 +- lib/dns/include/dns/version.h | 8 +- lib/dns/include/dns/zt.h | 8 +- lib/dns/journal.c | 172 +- lib/dns/keytable.c | 8 +- lib/dns/lib.c | 8 +- lib/dns/lookup.c | 32 +- lib/dns/master.c | 52 +- lib/dns/message.c | 21 +- lib/dns/name.c | 20 +- lib/dns/openssl_link.c | 12 +- lib/dns/openssldh_link.c | 99 +- lib/dns/openssldsa_link.c | 103 +- lib/dns/order.c | 8 +- lib/dns/rbt.c | 25 +- lib/dns/rbtdb.c | 78 +- lib/dns/rdata/generic/dlv_32769.c | 40 +- lib/dns/rdata/generic/ds_43.c | 40 +- lib/dns/rdata/generic/gpos_27.c | 8 +- lib/dns/rdata/generic/hinfo_13.c | 8 +- lib/dns/rdata/generic/isdn_20.c | 8 +- lib/dns/rdata/generic/minfo_14.c | 8 +- lib/dns/rdata/generic/null_10.c | 8 +- lib/dns/rdata/generic/nxt_30.h | 8 +- lib/dns/rdata/generic/opt_41.c | 8 +- lib/dns/rdata/generic/proforma.c | 8 +- lib/dns/rdata/generic/rp_17.c | 8 +- lib/dns/rdata/generic/soa_6.c | 8 +- lib/dns/rdata/generic/txt_16.c | 8 +- lib/dns/rdata/generic/unspec_103.c | 8 +- lib/dns/rdata/generic/x25_19.c | 8 +- lib/dns/rdata/hs_4/a_1.c | 8 +- lib/dns/rdata/in_1/a_1.c | 8 +- lib/dns/rdata/in_1/aaaa_28.c | 8 +- lib/dns/rdata/in_1/apl_42.c | 69 +- lib/dns/rdata/in_1/apl_42.h | 8 +- lib/dns/rdata/in_1/nsap_22.c | 8 +- lib/dns/rdata/in_1/wks_11.c | 8 +- lib/dns/request.c | 8 +- lib/dns/resolver.c | 222 +- lib/dns/rootns.c | 26 +- lib/dns/sdb.c | 26 +- lib/dns/tkey.c | 14 +- lib/dns/tsig.c | 20 +- lib/dns/ttl.c | 8 +- lib/dns/validator.c | 203 +- lib/dns/version.c | 8 +- lib/dns/view.c | 7 +- lib/dns/xfrin.c | 17 +- lib/dns/zone.c | 186 +- lib/dns/zt.c | 8 +- lib/isc/api | 2 +- lib/isc/buffer.c | 8 +- lib/isc/event.c | 8 +- lib/isc/heap.c | 8 +- lib/isc/hmacmd5.c | 8 +- lib/isc/include/isc/buffer.h | 8 +- lib/isc/include/isc/entropy.h | 8 +- lib/isc/include/isc/event.h | 8 +- lib/isc/include/isc/file.h | 8 +- lib/isc/include/isc/ipv6.h | 8 +- lib/isc/include/isc/lex.h | 8 +- lib/isc/include/isc/lib.h | 8 +- lib/isc/include/isc/list.h | 8 +- lib/isc/include/isc/log.h | 8 +- lib/isc/include/isc/mem.h | 8 +- lib/isc/include/isc/netaddr.h | 8 +- lib/isc/include/isc/netscope.h | 8 +- lib/isc/include/isc/parseint.h | 8 +- lib/isc/include/isc/platform.h.in | 11 +- lib/isc/include/isc/quota.h | 8 +- lib/isc/include/isc/ratelimiter.h | 8 +- lib/isc/include/isc/region.h | 8 +- lib/isc/include/isc/result.h | 8 +- lib/isc/include/isc/socket.h | 8 +- lib/isc/include/isc/string.h | 14 +- lib/isc/include/isc/timer.h | 8 +- lib/isc/include/isc/util.h | 8 +- lib/isc/include/isc/version.h | 8 +- lib/isc/inet_aton.c | 8 +- lib/isc/inet_ntop.c | 8 +- lib/isc/lfsr.c | 8 +- lib/isc/lib.c | 8 +- lib/isc/mem.c | 33 +- lib/isc/mutexblock.c | 8 +- lib/isc/netaddr.c | 8 +- lib/isc/netscope.c | 8 +- lib/isc/nls/msgcat.c | 8 +- lib/isc/nothreads/condition.c | 8 +- lib/isc/nothreads/mutex.c | 8 +- lib/isc/pthreads/condition.c | 8 +- lib/isc/pthreads/include/isc/mutex.h | 8 +- lib/isc/pthreads/mutex.c | 8 +- lib/isc/quota.c | 8 +- lib/isc/ratelimiter.c | 8 +- lib/isc/region.c | 8 +- lib/isc/result.c | 8 +- lib/isc/symtab.c | 8 +- lib/isc/taskpool.c | 8 +- lib/isc/timer.c | 51 +- lib/isc/timer_p.h | 8 +- lib/isc/unix/Makefile.in | 8 +- lib/isc/unix/app.c | 20 +- lib/isc/unix/dir.c | 8 +- lib/isc/unix/entropy.c | 7 +- lib/isc/unix/errno2result.c | 8 +- lib/isc/unix/file.c | 8 +- lib/isc/unix/ifiter_getifaddrs.c | 10 +- lib/isc/unix/ifiter_ioctl.c | 13 +- lib/isc/unix/include/isc/dir.h | 8 +- lib/isc/unix/include/isc/strerror.h | 8 +- lib/isc/unix/include/isc/time.h | 8 +- lib/isc/unix/keyboard.c | 8 +- lib/isc/unix/net.c | 29 +- lib/isc/unix/os.c | 8 +- lib/isc/unix/resource.c | 77 +- lib/isc/unix/socket.c | 99 +- lib/isc/unix/stdtime.c | 8 +- lib/isc/unix/strerror.c | 8 +- lib/isc/unix/syslog.c | 10 +- lib/isc/version.c | 8 +- lib/isccc/api | 2 +- lib/isccc/cc.c | 19 +- lib/isccc/include/isccc/Makefile.in | 8 +- lib/isccc/include/isccc/lib.h | 8 +- lib/isccc/include/isccc/version.h | 8 +- lib/isccc/lib.c | 8 +- lib/isccc/sexpr.c | 8 +- lib/isccc/symtab.c | 10 +- lib/isccc/version.c | 8 +- lib/isccfg/api | 2 +- lib/isccfg/include/isccfg/Makefile.in | 8 +- lib/isccfg/include/isccfg/cfg.h | 8 +- lib/isccfg/include/isccfg/log.h | 8 +- lib/isccfg/include/isccfg/namedconf.h | 8 +- lib/isccfg/include/isccfg/version.h | 8 +- lib/isccfg/log.c | 8 +- lib/isccfg/namedconf.c | 56 +- lib/isccfg/version.c | 8 +- lib/lwres/Makefile.in | 8 +- lib/lwres/api | 6 +- lib/lwres/context.c | 28 +- lib/lwres/gai_strerror.c | 8 +- lib/lwres/getaddrinfo.c | 9 +- lib/lwres/getipnode.c | 22 +- lib/lwres/include/lwres/Makefile.in | 8 +- lib/lwres/include/lwres/lwres.h | 8 +- lib/lwres/include/lwres/platform.h.in | 8 +- lib/lwres/include/lwres/version.h | 8 +- lib/lwres/lwres_gabn.c | 8 +- lib/lwres/lwres_gnba.c | 9 +- lib/lwres/lwres_grbn.c | 8 +- lib/lwres/man/lwres.3 | 11 +- lib/lwres/man/lwres.docbook | 11 +- lib/lwres/man/lwres.html | 18 +- lib/lwres/man/lwres_buffer.3 | 13 +- lib/lwres/man/lwres_buffer.docbook | 11 +- lib/lwres/man/lwres_buffer.html | 132 +- lib/lwres/man/lwres_config.3 | 11 +- lib/lwres/man/lwres_config.docbook | 11 +- lib/lwres/man/lwres_config.html | 62 +- lib/lwres/man/lwres_context.3 | 11 +- lib/lwres/man/lwres_context.docbook | 11 +- lib/lwres/man/lwres_context.html | 63 +- lib/lwres/man/lwres_gabn.3 | 13 +- lib/lwres/man/lwres_gabn.docbook | 11 +- lib/lwres/man/lwres_gabn.html | 44 +- lib/lwres/man/lwres_gai_strerror.3 | 55 +- lib/lwres/man/lwres_gai_strerror.docbook | 11 +- lib/lwres/man/lwres_gai_strerror.html | 21 +- lib/lwres/man/lwres_getaddrinfo.3 | 29 +- lib/lwres/man/lwres_getaddrinfo.docbook | 11 +- lib/lwres/man/lwres_getaddrinfo.html | 31 +- lib/lwres/man/lwres_gethostent.3 | 49 +- lib/lwres/man/lwres_gethostent.docbook | 11 +- lib/lwres/man/lwres_gethostent.html | 98 +- lib/lwres/man/lwres_getipnode.3 | 65 +- lib/lwres/man/lwres_getipnode.docbook | 11 +- lib/lwres/man/lwres_getipnode.html | 36 +- lib/lwres/man/lwres_getnameinfo.3 | 31 +- lib/lwres/man/lwres_getnameinfo.docbook | 11 +- lib/lwres/man/lwres_getnameinfo.html | 21 +- lib/lwres/man/lwres_getrrsetbyname.3 | 37 +- lib/lwres/man/lwres_getrrsetbyname.docbook | 11 +- lib/lwres/man/lwres_getrrsetbyname.html | 31 +- lib/lwres/man/lwres_gnba.3 | 13 +- lib/lwres/man/lwres_gnba.docbook | 11 +- lib/lwres/man/lwres_gnba.html | 53 +- lib/lwres/man/lwres_hstrerror.3 | 31 +- lib/lwres/man/lwres_hstrerror.docbook | 11 +- lib/lwres/man/lwres_hstrerror.html | 32 +- lib/lwres/man/lwres_inetntop.3 | 11 +- lib/lwres/man/lwres_inetntop.docbook | 11 +- lib/lwres/man/lwres_inetntop.html | 19 +- lib/lwres/man/lwres_noop.3 | 13 +- lib/lwres/man/lwres_noop.docbook | 11 +- lib/lwres/man/lwres_noop.html | 44 +- lib/lwres/man/lwres_packet.3 | 61 +- lib/lwres/man/lwres_packet.docbook | 11 +- lib/lwres/man/lwres_packet.html | 22 +- lib/lwres/man/lwres_resutil.3 | 13 +- lib/lwres/man/lwres_resutil.docbook | 11 +- lib/lwres/man/lwres_resutil.html | 34 +- lib/lwres/unix/include/lwres/net.h | 8 +- lib/lwres/version.c | 8 +- make/includes.in | 8 +- make/rules.in | 10 +- version | 4 +- 395 files changed, 27867 insertions(+), 9960 deletions(-) mode change 100755 => 100644 doc/arm/Bv9ARM.pdf create mode 100755 doc/misc/sort-options.pl create mode 100644 doc/rfc/rfc4193.txt create mode 100644 doc/rfc/rfc4255.txt create mode 100644 doc/rfc/rfc4343.txt create mode 100644 doc/rfc/rfc4367.txt create mode 100644 doc/rfc/rfc4398.txt create mode 100644 doc/rfc/rfc4408.txt create mode 100644 doc/rfc/rfc4431.txt create mode 100644 doc/rfc/rfc4470.txt create mode 100644 doc/rfc/rfc4634.txt create mode 100644 doc/rfc/rfc4641.txt create mode 100644 lib/bind/include/isc/platform.h.in diff --git a/CHANGES b/CHANGES index acf2817b5b757..d76e389248c5b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,419 @@ + --- 9.3.5 released --- + + --- 9.3.5rc2 released --- + +2338. [bug] check_ds() could be called with a non DS rdataset. + [RT #17598] + +2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614] + + --- 9.3.5rc1 released --- + +2328. [maint] Add AAAA addresses for A.ROOT-SERVERS.NET, + F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET, + J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and + M.ROOT-SERVERS.NET. + +2323. [port] tru64: namespace clash. [RT #17547] + +2322. [port] MacOS: work around the limitation of setrlimit() + for RLIMIT_NOFILE. [RT #17526] + +2321. [bug] Silence Coverity warnings in lib/dns/master.c, + lib/dns/rbtdb.c, lib/isccfg/namedconf.c, + lib/dns/tsig.c and bin/dnssec/dnssec-signzone.c. + +2319. [bug] Silence Coverity warnings in + lib/dns/rdata/in_1/apl_42.c. [RT #17469] + +2318. [port] sunos fixes for libbind. [RT #17514] + +2314. [bug] Uninitialized memory use on error path in + bin/named/lwdnoop.c. [RT #17476] + +2313. [cleanup] Silence Coverity warnings. Handle private stacks. + [RT #17447] [RT #17478] + +2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c. + [RT #17458] + +2311. [func] Update ACL regression test. [RT #17462] + +2310. [bug] dig, host, nslookup: flush stdout before emitting + debug/fatal messages. [RT #17501] + +2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c. + [RT #17495] + +2307. [bug] Remove infinite loop from lib/dns/sdb.c. [RT #17496] + +2305. [security] inet_network() buffer overflow. CVE-2008-0122. + +2304. [bug] Check returns from all dns_rdata_tostruct() calls. + [RT #17460] + +2303. [bug] Remove unnecessary code from bin/named/lwdgnba.c. + [RT #17471] + +2302. [bug] Fix memset() calls in lib/tests/t_api.c. [RT #17472] + +2301. [bug] Remove resource leak and fix error messages in + bin/tests/system/lwresd/lwtest.c. [RT #17474] + +2300. [bug] Fixed failure to close open file in + bin/tests/names/t_names.c. [RT #17473] + +2299. [bug] Remove unnecessary NULL check in + bin/nsupdate/nsupdate.c. [RT #17475] + +2298. [bug] isc_mutex_lock() failure not caught in + bin/tests/timers/t_timers.c. [RT #17468] + +2297. [bug] isc_entropy_createfilesource() failure not caught in + bin/tests/dst/t_dst.c. [RT #17467] + +2296. [port] Allow docbook stylesheet location to be specified to + configure. [RT #17457] + +2295. [bug] Silence static overrun error in bin/named/lwaddr.c. + [RT #17459] + +2293. [func] Add ACL regression test. [RT #17375] + +2292. [bug] Log if the working directory is not writable. + [RT #17312] + +2291. [bug] PR_SET_DUMPABLE may be set too late. Also report + failure to set PR_SET_DUMPABLE. [RT #17312] + +2290. [bug] Let AD in the query signal that the client wants AD + set in the response. [RT #17301] + +2288. [port] win32: mark service as running when we have finished + loading. [RT #17441] + +2287. [bug] Use 'volatile' if the compiler supports it. [RT #17413] + +2284. [bug] Memory leak in UPDATE prerequisite processing. + [RT #17377] + +2283. [bug] TSIG keys were not attaching to the memory + context. TSIG keys should use the rings + memory context rather than the clients memory + context. [RT #17377] + +2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available, + to protect applications from receiving spurious + SIGPIPE signals when using the resolver. + +2277. [bug] Empty zone names were not correctly being caught at + in the post parse checks. [RT #17357] + + --- 9.3.5b1 released --- + +2273. [bug] Adjust log level to WARNING when saving inconsistant + stub/slave master and journal files. [RT# 17279] + +2272. [bug] Handle illegal dnssec-lookaside trust-anchor names. + [RT #17262] + +2270. [bug] dns_db_closeversion() version->writer could be reset + before it is tested. [RT #17290] + +2269. [contrib] dbus memory leaks and missing va_end calls. [RT #17232] + +2265. [bug] Test that the memory context's basic_table is non NULL + before freeing. [RT #17265] + +2262. [bug] Error status from all but the last view could be + lost. [RT #17292] + +2258. [bug] Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken. + [RT #17241] + +2257. [bug] win32: Use the full path to vcredist_x86.exe when + calling it. [RT #17222] + +2256. [bug] win32: Correctly register the installation location of + bindevt.dll. [RT #17159] + +2255. [maint] L.ROOT-SERVERS.NET is now 199.7.83.42. + +2254. [bug] timer.c:dispatch() failed to lock timer->lock + when reading timer->idle allowing it to see + intermediate values as timer->idle was reset by + isc_timer_touch(). [RT #17243] + +2251. [doc] Update memstatistics-file documentation to reflect + reality. Note there is behaviour change for BIND 9.5. + [RT #17113] + +2249. [bug] Only set Authentic Data bit if client requested + DNSSEC, per RFC 3655 [RT #17175] + +2248. [cleanup] Fix several errors reported by Coverity. [RT #17160] + +2247. [doc] Sort doc/misc/options. [RT #17067] + +2246. [bug] Make the startup of test servers (ans.pl) more + robust. [RT #17147] + +2245. [bug] Validating lack of DS records at trust anchors wasn't + working. [RT #17151] + +2238. [bug] It was possible to trigger a REQUIRE when a + validation was cancelled. [RT #17106] + +2237. [bug] libbind: res_init() was not thread aware. [RT #17123] + +2236. [bug] dnssec-signzone failed to preserve the case of + of wildcard owner names. [RT #17085] + +2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134] + +2229. [bug] Null pointer dereference on query pool creation + failure. [RT #17133] + +2232. [bug] dns_adb_findaddrinfo() could fail and return + ISC_R_SUCCESS. [RT #17137] + +2230. [bug] We could INSIST reading a corrupted journal. + [RT #17132] + +2228. [contrib] contrib: Change 2188 was incomplete. + +2227. [cleanup] Tidied up the FAQ. [RT #17121] + +2226. [bug] Fix build error. [RT #17124] + +2225. [bug] More support for systems with no IPv4 addresses. + [RT #17111] + +2224. [bug] Defer journal compaction if a xfrin is in progress. + [RT #17119] + +2223. [bug] Make a new journal when compacting. [RT #17119] + +2221. [bug] Set the event result code to reflect the actual + record returned to caller when a cache update is + rejected due to a more credible answer existing. + [RT #17017] + +2220. [bug] win32: Address a race condition in final shutdown of + the Windows socket code. [RT #17028] + +2218. [bug] Remove unnecessary REQUIRE from dns_validator_create(). + [RT #16976] + +2216. [cleanup] Fix a number of errors reported by Coverity. + [RT #17094] + +2214. [bug] Deregister OpenSSL lock callback when cleaning + up. [RT #17098] + +2213. [bug] SIG0 diagnostic failure messages were looking at the + wrong status code. [RT #17101] + +2210. [bug] Deleting class specific records via UPDATE could + fail. [RT #17074] + +2209. [port] osx: linking against user supplied static OpenSSL + libraries failed as the system ones were still being + found. [RT #17078] + +2208. [port] win32: make sure both build methods produce the + same output. [RT #17058] + +2205. [bug] libbind: change #2119 broke thread support. [RT #16982] + +2200. [bug] The search for cached NSEC records was stopping to + early leading to excessive DLV queries. [RT #16930] + +2199. [bug] win32: don't call WSAStartup() while loading dlls. + [RT #16911] + +2198. [bug] win32: RegCloseKey() could be called when + RegOpenKeyEx() failed. [RT #16911] + +2197. [bug] Add INSIST to catch negative responses which are + not setting the event result code appropriately. + [RT #16909] + +2196. [port] win32: yield processor while waiting for once to + to complete. [RT #16958] + +2194. [bug] Close journal before calling 'done' in xfrin.c. + +2189. [bug] Handle socket() returning EINTR. [RT #15949] + +2188. [contrib] queryperf: autoconf changes to make the search for + libresolv or libbind more robust. [RT #16299] + +2187. [bug] query_addds(), query_addwildcardproof() and + query_addnxrrsetnsec() should take a version + arguement. [RT #16368] + +2186. [port] cygwin: libbind: check for struct sockaddr_storage + independently of IPv6. [RT #16482] + +2185. [port] sunos: libbind: check for ssize_t, memmove() and + memchr(). [RT #16463] + +2183. [bug] dnssec-signzone didn't handle offline private keys + well. [RT #16832] + +2182. [bug] dns_dispatch_createtcp() and dispatch_createudp() + could return ISC_R_SUCCESS when they ran out of + memory. [RT #16365] + +2181. [port] sunos: libbind: add paths.h from BIND 8. [RT #16462] + +2180. [cleanup] Remove bit test from 'compress_test' as they + are no longer needed. [RT #16497] + +2178. [bug] 'rndc reload' of a slave or stub zone resulted in + a reference leak. [RT #16867] + +2177. [bug] Array bounds overrun on read (rcodetext) at + debug level 10+. [RT #16798] + +2176. [contrib] dbus update to handle race condition during + initialisation (Bugzilla 235809). [RT #16842] + +2175. [bug] win32: windows broadcast condition variable support + was broken. [RT #16592] + +2174. [bug] I/O errors should always be fatal when reading + master files. [RT #16825] + +2173. [port] win32: When compiling with MSVS 2005 SP1 we also + need to ship Microsoft.VC80.MFCLOC. + +2172. [bug] query_addsoa() was being called with a non zone db. + [RT #16834] + +2171. [bug] Handle breaks in DNSSEC trust chains where the parent + servers are not DS aware (DS queries to the parent + return a referral to the child). + +2169. [bug] host, nslookup: when reporting NXDOMAIN report the + given name and not the last name searched for. + [RT #16763] + +2168. [bug] nsupdate: in non-interactive mode treat syntax errors + as fatal errors. [RT #16785] + +2166. [bug] When running in batch mode, dig could misinterpret + a server address as a name to be looked up, causing + unexpected output. [RT #16743] + +2161. [bug] 'rndc flush' could report a false success. [RT #16698] + +2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned + from getifaddrs(). [RT #16708] + +2156. [bug] Fix node reference leaks in lookup.c:lookup_find(), + resolver.c:validated() and resolver.c:cache_name(). + Fix a memory leak in rbtdb.c:free_noqname(). + Make lookup.c:lookup_find() robust against + event leaks. [RT #16685] + +2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com. + [RT #16694] + +2152. [cleanup] Use sizeof(buf) instead of fixed number in + dighost.c:get_trusted_key(). [RT #16678] + +2151. [bug] Missing newline in usage message for journalprint. + [RT #16679] + +2150. [bug] 'rrset-order cyclic' uniformly distribute the + starting point for the first response for a given + RRset. [RT #16655] + +2147. [bug] libbind: remove potential buffer overflow from + hmac_link.c. [RT #16437] + +2146. [cleanup] Silence Linux's spurious "obsolete setsockopt + SO_BSDCOMPAT" message. [RT #16641] + +2145. [bug] Check DS/DLV digest lengths for known digests. + [RT #16622] + +2144. [cleanup] Suppress logging of SERVFAIL from forwarders. + [RT #16619] + +2143. [bug] We failed to restart the IPv6 client when the + kernel failed to return the destination the + packet was sent to. [RT #16613] + +2142. [bug] Handle master files with a modification time that + matches the epoch. [RT# 16612] + +2140. [bug] libbind: missing unlock on pthread_key_create() + failures. [RT #16654] + +2139. [bug] dns_view_find() was being called with wrong type + in adb.c. [RT #16670] + +2136. [bug] nslookup/host looped if there was no search list + and the host didn't exist. [RT #16657] + +2132. [bug] Missing unlock on out of memory in + dns_dispatchmgr_setudp(). + +2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635] + +2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563] + +2120. [doc] Fix markup on nsupdate man page. [RT #16556] + +2119. [compat] libbind: allow res_init() to succeed enough to + return the default domain even if it was unable + to allocate memory. + +2118. [bug] Handle response with long chains of domain name + compression pointers which point to other compression + pointers. [RT #16427] + +2117. [bug] DNSSEC fixes: named could fail to cache NSEC records + which could lead to validation failures. named didn't + handle negative DS responses that were in the process + of being validated. Check CNAME bit before accepting + NODATA proof. To be able to ignore a child NSEC there + must be SOA (and NS) set in the bitmap. [RT #16399] + +2116. [bug] 'rndc reload' could cause the cache to continually + be cleaned. [RT #16401] + +2115. [bug] 'rndc reconfig' could trigger a INSIST if the + number of masters for a zone was reduced. [RT #16444] + +2114. [bug] dig/host/nslookup: searches for names with multiple + labels were failing. [RT #16447] + +2113. [bug] nsupdate: if a zone is specified it should be used + for server discover. [RT# 16455] + +2111. [bug] Fix a number of errors reported by Coverity. + [RT #16507] + +2110. [bug] "minimal-response yes;" interacted badly with BIND 8 + priming queries. [RT #16491] + +2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502] + + --- 9.3.4-P1 released --- + +2203. [security] Query id generation was cryptographically weak. + [RT # 16915] + +2193. [port] win32: BINDInstall.exe is now linked statically. + [RT #16906] + +2192. [port] win32: use vcredist_x86.exe to install Visual + Studio's redistributable dlls if building with + Visual Stdio 2005 or later. --- 9.3.4 released --- @@ -264,7 +680,7 @@ hex strings with comments. [RT #15814] 1974. [doc] List each of the zone types and associated zone - options seperately in the ARM. + options separately in the ARM. 1972. [contrib] DBUS dynamic forwarders integation from Jason Vas Dias . @@ -1241,7 +1657,7 @@ 1568. [bug] nsupdate now reports that the update failed in interactive mode. [RT# 10236] -1567. [bug] B.ROOT-SERVERS.NET is now 192.228.79.201. +1567. [maint] B.ROOT-SERVERS.NET is now 192.228.79.201. 1566. [port] Support for the cmsg framework on Solaris and HP/UX. This also solved the problem that match-destinations @@ -1284,7 +1700,7 @@ [RT #6427] 1555. [func] 'rrset-order cyclic' no longer has a random starting - point. [RT #7572] + point per query. [RT #7572] 1554. [bug] dig, host, nslookup failed when no nameservers were specified in /etc/resolv.conf. [RT #8232] @@ -2184,7 +2600,7 @@ 1399. [bug] Use serial number arithmetic when testing SIG timestamps. [RT #4268] -1397. [bug] J.ROOT-SERVERS.NET is now 192.58.128.30. +1397. [maint] J.ROOT-SERVERS.NET is now 192.58.128.30. 1389. [bug] named could fail to rotate long log files. [RT #3666] @@ -5732,7 +6148,7 @@ and has been removed. 170. [cleanup] Remove inter server consistancy checks from zone, - these should return as a seperate module in 9.1. + these should return as a separate module in 9.1. dns_zone_checkservers(), dns_zone_checkparents(), dns_zone_checkchildren(), dns_zone_checkglue(). diff --git a/COPYRIGHT b/COPYRIGHT index 8bbcf244d658f..552a5e26e046d 100644 --- a/COPYRIGHT +++ b/COPYRIGHT @@ -1,7 +1,7 @@ -Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 1996-2003 Internet Software Consortium. -Permission to use, copy, modify, and distribute this software for any +Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. @@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -$Id: COPYRIGHT,v 1.6.2.2.8.4 2006/01/04 00:37:22 marka Exp $ +$Id: COPYRIGHT,v 1.6.2.2.8.7 2008/01/02 23:45:32 tbox Exp $ Portions Copyright (C) 1996-2001 Nominum, Inc. diff --git a/FAQ b/FAQ index ba87de21652d5..e6b2ff27cefa3 100644 --- a/FAQ +++ b/FAQ @@ -1,100 +1,74 @@ Frequently Asked Questions about BIND 9 -Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC") +Copyright © 2004-2008 Internet Systems Consortium, Inc. ("ISC") Copyright © 2000-2003 Internet Software Consortium. -------------------------------------------------------------------------------- +----------------------------------------------------------------------- -Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads? +1. Compilation and Installation Questions -A: Linux threads do not fully implement the Posix threads (pthreads) standard. In - particular, setuid() operates only on the current thread, not the full process. - Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on - all other supported platforms. setuid() cannot be called before creating - threads, since the server does not start listening on reserved ports until - after threads have started. +Q: I'm trying to compile BIND 9, and "make" is failing due to files not + being found. Why? - In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve - capabilities across a setuid() call is present. This allows BIND 9 to call - setuid() early, while retaining the ability to bind reserved ports. This is a - Linux-specific hack. +A: Using a parallel or distributed "make" to build BIND 9 is not + supported, and doesn't work. If you are using one of these, use normal + make or gmake instead. - On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less of - a security risk than a root process that has not dropped privileges. +Q: Isn't "make install" supposed to generate a default named.conf? - If Linux threads ever work correctly, this restriction will go away. +A: Short Answer: No. - Configuring BIND9 with the --disable-threads option (the default) causes a - non-threaded version to be built, which will allow -u to be used. + Long Answer: There really isn't a default configuration which fits any + site perfectly. There are lots of decisions that need to be made and + there is no consensus on what the defaults should be. For example + FreeBSD uses /etc/namedb as the location where the configuration files + for named are stored. Others use /var/named. -Q: Why do I get the following errors: + What addresses to listen on? For a laptop on the move a lot you may + only want to listen on the loop back interfaces. - general: errno2result.c:109: unexpected error: - general: unable to convert errno to isc_result: 14: Bad address - client: UDP client handler shutting down due to fatal receive error: unexpected error + Who do you offer recursive service to? Is there are firewall to + consider? If so is it stateless or stateful. Are you directly on the + Internet? Are you on a private network? Are you on a NAT'd network? The + answers to all these questions change how you configure even a caching + name server. -A: This is the result of a Linux kernel bug. - - See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2 +2. Configuration and Setup Questions -Q: Why does named log the warning message "no TTL specified - using SOA MINTTL - instead"? +Q: Why does named log the warning message "no TTL specified - using SOA + MINTTL instead"? -A: Your zone file is illegal according to RFC1035. It must either have a line - like: +A: Your zone file is illegal according to RFC1035. It must either have a + line like: $TTL 86400 - at the beginning, or the first record in it must have a TTL field, like the - "84600" in this example: + at the beginning, or the first record in it must have a TTL field, like + the "84600" in this example: example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) -Q: Why do I see 5 (or more) copies of named on Linux? - -A: Linux threads each show up as a process under ps. The approximate number of - threads running is n+4, where n is the number of CPUs. Note that the amount of - memory used is not cumulative; if each process is using 10M of memory, only a - total of 10M is used. - - Newer versions of Linux's ps command hide the individual threads and require -L - to display them. - -Q: Why does BIND 9 log "permission denied" errors accessing its configuration - files or zones on my Linux system even though it is running as root? - -A: On Linux, BIND 9 drops most of its root privileges on startup. This including - the privilege to open files owned by other users. Therefore, if the server is - running as root, the configuration files and zone files should also be owned by - root. - -Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar: - ran out of space"? - -A: This is often caused by TXT records with missing close quotes. Check that all - TXT records containing quoted strings have both open and close quotes. +Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master + file bar: ran out of space"? -Q: How do I produce a usable core file from a multithreaded named on Linux? - -A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable - (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel, - apply the kernel patch found in contrib/linux/coredump-patch and rebuild the - kernel. This patch will cause multithreaded programs to dump the correct - thread. +A: This is often caused by TXT records with missing close quotes. Check + that all TXT records containing quoted strings have both open and close + quotes. Q: How do I restrict people from looking up the server version? -A: Put a "version" option containing something other than the real version in the - "options" section of named.conf. Note doing this will not prevent attacks and - may impede people trying to diagnose problems with your server. Also it is - possible to "fingerprint" nameservers to determine their version. +A: Put a "version" option containing something other than the real version + in the "options" section of named.conf. Note doing this will not + prevent attacks and may impede people trying to diagnose problems with + your server. Also it is possible to "fingerprint" nameservers to + determine their version. Q: How do I restrict only remote users from looking up the server version? -A: The following view statement will intercept lookups as the internal view that - holds the version information will be matched last. The caveats of the previous - answer still apply, of course. +A: The following view statement will intercept lookups as the internal + view that holds the version information will be matched last. The + caveats of the previous answer still apply, of course. view "chaos" chaos { match-clients { ; }; @@ -105,120 +79,46 @@ A: The following view statement will intercept lookups as the internal view that }; }; -Q: What do "no source of entropy found" or "could not open entropy source foo" - mean? - -A: The server requires a source of entropy to perform certain operations, mostly - DNSSEC related. These messages indicate that you have no source of entropy. On - systems with /dev/random or an equivalent, it is used by default. A source of - entropy can also be defined using the random-device option in named.conf. - -Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why? - -A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed - under /usr. Check that the correct named is running. - -Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. I'm - sure I have the keys set up correctly, but the server is rejecting the TSIG. - Why? - -A: This may be a clock skew problem. Check that the the clocks on the client and - server are properly synchronised (e.g., using ntp). - -Q: I'm trying to compile BIND 9, and "make" is failing due to files not being - found. Why? - -A: Using a parallel or distributed "make" to build BIND 9 is not supported, and - doesn't work. If you are using one of these, use normal make or gmake instead. - -Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging error - messages like "notify to 10.0.0.1#53 failed: unexpected end of input". What's - wrong? - -A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in BIND - 8.2.4. It can be safely ignored - the notify has been acted on by the slave - despite the error message. - -Q: I keep getting log messages like the following. Why? - - Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update - failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET) +Q: What do "no source of entropy found" or "could not open entropy source + foo" mean? -A: DNS updates allow the update request to test to see if certain conditions are - met prior to proceeding with the update. The message above is saying that - conditions were not met and the update is not proceeding. See doc/rfc/ - rfc2136.txt for more details on prerequisites. +A: The server requires a source of entropy to perform certain operations, + mostly DNSSEC related. These messages indicate that you have no source + of entropy. On systems with /dev/random or an equivalent, it is used by + default. A source of entropy can also be defined using the + random-device option in named.conf. -Q: I keep getting log messages like the following. Why? +Q: I'm trying to use TSIG to authenticate dynamic updates or zone + transfers. I'm sure I have the keys set up correctly, but the server is + rejecting the TSIG. Why? - Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied - -A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update - protocol. Windows 2000 machines have a habit of sending dynamic update requests - to DNS servers without being specifically configured to do so. If the update - requests are coming from a Windows 2000 machine, see http:// - support.microsoft.com/support/kb/articles/q246/8/04.asp for information about - how to turn them off. +A: This may be a clock skew problem. Check that the the clocks on the + client and server are properly synchronised (e.g., using ntp). Q: I see a log message like the following. Why? couldn't open pid file '/var/run/named.pid': Permission denied -A: You are most likely running named as a non-root user, and that user does not - have permission to write in /var/run. The common ways of fixing this are to - create a /var/run/named directory owned by the named user and set pid-file to " - /var/run/named/named.pid", or set pid-file to "named.pid", which will put the - file in the directory specified by the directory option (which, in this case, - must be writable by the named user). - -Q: When I do a "dig . ns", many of the A records for the root servers are missing. - Why? - -A: This is normal and harmless. It is a somewhat confusing side effect of the way - BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to avoid - promoting glue into answers. - - When BIND 9 first starts up and primes its cache, it receives the root server - addresses as additional data in an authoritative response from a root server, - and these records are eligible for inclusion as additional data in responses. - Subsequently it receives a subset of the root server addresses as additional - data in a non-authoritative (referral) response from a root server. This causes - the addresses to now be considered non-authoritative (glue) data, which is not - eligible for inclusion in responses. +A: You are most likely running named as a non-root user, and that user + does not have permission to write in /var/run. The common ways of + fixing this are to create a /var/run/named directory owned by the named + user and set pid-file to "/var/run/named/named.pid", or set pid-file to + "named.pid", which will put the file in the directory specified by the + directory option (which, in this case, must be writable by the named + user). - The server does have a complete set of root server addresses cached at all - times, it just may not include all of them as additional data, depending on - whether they were last received as answers or as glue. You can always look up - the addresses with explicit queries like "dig a.root-servers.net A". +Q: I can query the nameserver from the nameserver but not from other + machines. Why? -Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why? +A: This is usually the result of the firewall configuration stopping the + queries and / or the replies. -A: This may be caused by a bug in the Windows 2000 DNS server where DNS messages - larger than 16K are not handled properly. This can be worked around by setting - the option "transfer-format one-answer;". Also check whether your zone contains - domain names with embedded spaces or other special characters, like "John\ - 032Doe\213s\032Computer", since such names have been known to cause Windows - 2000 slaves to incorrectly reject the zone. - -Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? - -A: A zone can be updated either by editing zone files and reloading the server or - by dynamic update, but not both. If you have enabled dynamic update for a zone - using the "allow-update" option, you are not supposed to edit the zone file by - hand, and the server will not attempt to reload it. - -Q: I can query the nameserver from the nameserver but not from other machines. - Why? +Q: How can I make a server a slave for both an internal and an external + view at the same time? When I tried, both views on the slave were + transferred from the same view on the master. -A: This is usually the result of the firewall configuration stopping the queries - and / or the replies. - -Q: How can I make a server a slave for both an internal and an external view at - the same time? When I tried, both views on the slave were transferred from the - same view on the master. - -A: You will need to give the master and slave multiple IP addresses and use those - to make sure you reach the correct view on the other machine. +A: You will need to give the master and slave multiple IP addresses and + use those to make sure you reach the correct view on the other machine. Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) internal: @@ -246,8 +146,8 @@ A: You will need to give the master and slave multiple IP addresses and use thos transfer-source 10.0.1.4; query-source address 10.0.1.4; - You put the external address on the alias so that all the other dns clients on - these boxes see the internal view by default. + You put the external address on the alias so that all the other dns + clients on these boxes see the internal view by default. A: BIND 9.3 and later: Use TSIG to select the appropriate view. @@ -283,64 +183,38 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view. ... }; -Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there. - -A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use - certain interrupts as a source of random events. You can make this permanent by - setting rand_irqs in /etc/rc.conf. - - /etc/rc.conf - rand_irqs="3 14 15" - - See also http://people.freebsd.org/~dougb/randomness.html - -Q: Why is named listening on UDP port other than 53? - -A: Named uses a system selected port to make queries of other nameservers. This - behaviour can be overridden by using query-source to lock down the port and/or - address. See also notify-source and transfer-source. - -Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other - data" when transferring a zone. What does this mean? +Q: I get error messages like "multiple RRs of singleton type" and "CNAME + and other data" when transferring a zone. What does this mean? -A: These indicate a malformed master zone. You can identify the exact records - involved by transferring the zone using dig then running named-checkzone on it. +A: These indicate a malformed master zone. You can identify the exact + records involved by transferring the zone using dig then running + named-checkzone on it. dig axfr example.com @master-server > tmp named-checkzone example.com tmp - A CNAME record cannot exist with the same name as another record except for the - DNSSEC records which prove its existance (NSEC). + A CNAME record cannot exist with the same name as another record except + for the DNSSEC records which prove its existence (NSEC). - RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data - should be present; this ensures that the data for a canonical name and its - aliases cannot be different. This rule also insures that a cached CNAME can be - used without checking with an authoritative server for other RR types." + RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other + data should be present; this ensures that the data for a canonical name + and its aliases cannot be different. This rule also insures that a + cached CNAME can be used without checking with an authoritative server + for other RR types." -Q: I get error messages like "named.conf:99: unexpected end of input" where 99 is - the last line of named.conf. +Q: I get error messages like "named.conf:99: unexpected end of input" + where 99 is the last line of named.conf. -A: Some text editors (notepad and wordpad) fail to put a line title indication - (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" a - blank line to the end of the file. Named expects to see EOF immediately after - EOL and treats text files where this is not met as truncated. - -Q: I get warning messages like "zone example.com/IN: refresh: failure trying - master 1.2.3.4#53: timed out". - -A: Check that you can make UDP queries from the slave to the master - - dig +norec example.com soa @1.2.3.4 - - You could be generating queries faster than the slave can cope with. Lower the - serial query rate. - - serial-query-rate 5; // default 20 +A: Some text editors (notepad and wordpad) fail to put a line title + indication (e.g. CR/LF) on the last line of a text file. This can be + fixed by "adding" a blank line to the end of the file. Named expects to + see EOF immediately after EOL and treats text files where this is not + met as truncated. Q: How do I share a dynamic zone between multiple views? -A: You choose one view to be master and the second a slave and transfer the zone - between views. +A: You choose one view to be master and the second a slave and transfer + the zone between views. Master 10.0.1.1: key "external" { @@ -354,7 +228,7 @@ A: You choose one view to be master and the second a slave and transfer the zone }; view "internal" { - match-clients { !external; 10.0.1/24; }; + match-clients { !key external; 10.0.1/24; }; server 10.0.1.1 { /* Deliver notify messages to external view. */ keys { external; }; @@ -368,7 +242,7 @@ A: You choose one view to be master and the second a slave and transfer the zone }; view "external" { - match-clients { external; any; }; + match-clients { key external; any; }; zone "example.com" { type slave; file "external/example.db"; @@ -379,18 +253,19 @@ A: You choose one view to be master and the second a slave and transfer the zone }; }; -Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master - file primaries/wireless.ietf56.ietf.org: no owner". +Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading + master file primaries/wireless.ietf56.ietf.org: no owner". -A: This error is produced when a line in the master file contains leading white - space (tab/space) but the is no current record owner name to inherit the name - from. Usually this is the result of putting white space before a comment. - Forgeting the "@" for the SOA record or indenting the master file. +A: This error is produced when a line in the master file contains leading + white space (tab/space) but the is no current record owner name to + inherit the name from. Usually this is the result of putting white + space before a comment, forgetting the "@" for the SOA record, or + indenting the master file. Q: Why are my logs in GMT (UTC). -A: You are running chrooted (-t) and have not supplied local timzone information - in the chroot area. +A: You are running chrooted (-t) and have not supplied local timezone + information in the chroot area. FreeBSD: /etc/localtime Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo @@ -398,71 +273,51 @@ A: You are running chrooted (-t) and have not supplied local timzone information See also tzset(3) and zic(8). -Q: I get the error message "named: capset failed: Operation not permitted" when - starting named. - -A: The capability module, part of "Linux Security Modules/LSM", has not been - loaded into the kernel. See insmod(8). - -Q: I get "rndc: connect failed: connection refused" when I try to run rndc. +Q: I get "rndc: connect failed: connection refused" when I try to run + rndc. A: This is usually a configuration error. - First ensure that named is running and no errors are being reported at startup - (/var/log/messages or equivalent). Running "named -g " from a - title can help at this point. - - Secondly ensure that named is configured to use rndc either by "rndc-confgen - -a", rndc-confgen or manually. The Administrators Reference manual has details - on how to do this. + First ensure that named is running and no errors are being reported at + startup (/var/log/messages or equivalent). Running "named -g " from a title can help at this point. - Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/ - rndc.conf for the default server. Update /etc/rndc.conf if necessary so that - the default server listed in /etc/rndc.conf matches the addresses used in - named.conf. "localhost" has two address (127.0.0.1 and ::1). + Secondly ensure that named is configured to use rndc either by + "rndc-confgen -a", rndc-confgen or manually. The Administrators + Reference manual has details on how to do this. - If you use "rndc-confgen -a" and named is running with -t or -u ensure that / - etc/rndc.conf has the correct ownership and that a copy is in the chroot area. - You can do this by re-running "rndc-confgen -a" with appropriate -t and -u - arguments. + Old versions of rndc-confgen used localhost rather than 127.0.0.1 in / + etc/rndc.conf for the default server. Update /etc/rndc.conf if + necessary so that the default server listed in /etc/rndc.conf matches + the addresses used in named.conf. "localhost" has two address + (127.0.0.1 and ::1). -Q: I don't get RRSIG's returned when I use "dig +dnssec". - -A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). - -Q: I get "Error 1067" when starting named under Windows. - -A: This is the service manager saying that named exited. You need to examine the - Application log in the EventViewer to find out why. - - Common causes are that you failed to create "named.conf" (usually "C:\windows\ - dns\etc\named.conf") or failed to specify the directory in named.conf. - - options { - Directory "C:\windows\dns\etc"; - }; + If you use "rndc-confgen -a" and named is running with -t or -u ensure + that /etc/rndc.conf has the correct ownership and that a copy is in the + chroot area. You can do this by re-running "rndc-confgen -a" with + appropriate -t and -u arguments. Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while receiving responses: permission denied" error messages. -A: These indicate a filesystem permission error preventing named creating / - renaming the temporary file. These will usually also have other associated - error messages like +A: These indicate a filesystem permission error preventing named creating + / renaming the temporary file. These will usually also have other + associated error messages like "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied" - Named needs write permission on the directory containing the file. Named writes - the new cache file to a temporary file then renames it to the name specified in - named.conf to ensure that the contents are always complete. This is to prevent - named loading a partial zone in the event of power failure or similar - interrupting the write of the master file. + Named needs write permission on the directory containing the file. + Named writes the new cache file to a temporary file then renames it to + the name specified in named.conf to ensure that the contents are always + complete. This is to prevent named loading a partial zone in the event + of power failure or similar interrupting the write of the master file. - Note file names are relative to the directory specified in options and any - chroot directory ([/][]). + Note file names are relative to the directory specified in options and + any chroot directory ([/][]). - If named is invoked as "named -t /chroot/DNS" with the following named.conf - then "/chroot/DNS/var/named/sl" needs to be writable by the user named is - running as. + If named is invoked as "named -t /chroot/DNS" with the following + named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the + user named is running as. options { directory "/var/named"; @@ -474,35 +329,153 @@ A: These indicate a filesystem permission error preventing named creating / masters { 192.168.4.12; }; }; -Q: How do I intergrate BIND 9 and Solaris SMF +Q: I want to forward all DNS queries from my caching nameserver to another + server. But there are some domains which have to be served locally, via + rbldnsd. -A: Sun has a blog entry describing how to do this. + How do I achieve this ? - http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris +A: options { + forward only; + forwarders { ; }; + }; + + zone "sbl-xbl.spamhaus.org" { + type forward; forward only; + forwarders { port 530; }; + }; + + zone "list.dsbl.org" { + type forward; forward only; + forwarders { port 530; }; + }; + + +Q: Can you help me understand how BIND 9 uses memory to store DNS zones? + + Some times it seems to take several times the amount of memory it needs + to store the zone. + +A: When reloading a zone named my have multiple copies of the zone in + memory at one time. The zone it is serving and the one it is loading. + If reloads are ultra fast it can have more still. + + e.g. Ones that are transferring out, the one that it is serving and the + one that is loading. + + BIND 8 destroyed the zone before loading and also killed off outgoing + transfers of the zone. + + The new strategy allows slaves to get copies of the new zone regardless + of how often the master is loaded compared to the transfer time. The + slave might skip some intermediate versions but the transfers will + complete and it will keep reasonably in sync with the master. + + The new strategy also allows the master to recover from syntax and + other errors in the master file as it still has an in-core copy of the + old contents. + +3. General Questions + +Q: I keep getting log messages like the following. Why? + + Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': + update failed: 'RRset exists (value dependent)' prerequisite not + satisfied (NXRRSET) + +A: DNS updates allow the update request to test to see if certain + conditions are met prior to proceeding with the update. The message + above is saying that conditions were not met and the update is not + proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites. + +Q: I keep getting log messages like the following. Why? + + Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied + +A: Someone is trying to update your DNS data using the RFC2136 Dynamic + Update protocol. Windows 2000 machines have a habit of sending dynamic + update requests to DNS servers without being specifically configured to + do so. If the update requests are coming from a Windows 2000 machine, + see http://support.microsoft.com/support/kb/articles/q246/8/04.asp for + information about how to turn them off. + +Q: When I do a "dig . ns", many of the A records for the root servers are + missing. Why? + +A: This is normal and harmless. It is a somewhat confusing side effect of + the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 + makes to avoid promoting glue into answers. + + When BIND 9 first starts up and primes its cache, it receives the root + server addresses as additional data in an authoritative response from a + root server, and these records are eligible for inclusion as additional + data in responses. Subsequently it receives a subset of the root server + addresses as additional data in a non-authoritative (referral) response + from a root server. This causes the addresses to now be considered + non-authoritative (glue) data, which is not eligible for inclusion in + responses. + + The server does have a complete set of root server addresses cached at + all times, it just may not include all of them as additional data, + depending on whether they were last received as answers or as glue. You + can always look up the addresses with explicit queries like "dig + a.root-servers.net A". + +Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? + +A: A zone can be updated either by editing zone files and reloading the + server or by dynamic update, but not both. If you have enabled dynamic + update for a zone using the "allow-update" option, you are not supposed + to edit the zone file by hand, and the server will not attempt to + reload it. + +Q: Why is named listening on UDP port other than 53? + +A: Named uses a system selected port to make queries of other nameservers. + This behaviour can be overridden by using query-source to lock down the + port and/or address. See also notify-source and transfer-source. + +Q: I get warning messages like "zone example.com/IN: refresh: failure + trying master 1.2.3.4#53: timed out". + +A: Check that you can make UDP queries from the slave to the master + + dig +norec example.com soa @1.2.3.4 + + You could be generating queries faster than the slave can cope with. + Lower the serial query rate. + + serial-query-rate 5; // default 20 + +Q: I don't get RRSIG's returned when I use "dig +dnssec". + +A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). Q: Can a NS record refer to a CNAME. -A: No. The rules for glue (copies of the *address* records in the parent zones) - and additional section processing do not allow it to work. +A: No. The rules for glue (copies of the *address* records in the parent + zones) and additional section processing do not allow it to work. - You would have to add both the CNAME and address records (A/AAAA) as glue to - the parent zone and have CNAMEs be followed when doing additional section - processing to make it work. No namesever implementation supports either of - these requirements. + You would have to add both the CNAME and address records (A/AAAA) as + glue to the parent zone and have CNAMEs be followed when doing + additional section processing to make it work. No nameserver + implementation supports either of these requirements. -Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean? +Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" + mean? -A: If the IN-ADDR.ARPA name covered refers to a internal address space you are - using then you have failed to follow RFC 1918 usage rules and are leaking - queries to the Internet. You should establish your own zones for these - addresses to prevent you quering the Internet's name servers for these - addresses. Please see http://as112.net/ for details of the problems you are - causing and the counter measures that have had to be deployed. +A: If the IN-ADDR.ARPA name covered refers to a internal address space you + are using then you have failed to follow RFC 1918 usage rules and are + leaking queries to the Internet. You should establish your own zones + for these addresses to prevent you querying the Internet's name servers + for these addresses. Please see http://as112.net/ for details of the + problems you are causing and the counter measures that have had to be + deployed. - If you are not using these private addresses then a client has queried for - them. You can just ignore the messages, get the offending client to stop - sending you these messages as they are most probably leaking them or setup your - own zones empty zones to serve answers to these queries. + If you are not using these private addresses then a client has queried + for them. You can just ignore the messages, get the offending client to + stop sending you these messages as they are most probably leaking them + or setup your own zones empty zones to serve answers to these queries. zone "10.IN-ADDR.ARPA" { type master; @@ -535,42 +508,138 @@ A: If the IN-ADDR.ARPA name covered refers to a internal address space you are Future versions of named are likely to do this automatically. +Q: Will named be affected by the 2007 changes to daylight savings rules in + the US. + +A: No, so long as the machines internal clock (as reported by "date -u") + remains at UTC. The only visible change if you fail to upgrade your OS, + if you are in a affected area, will be that log messages will be a hour + out during the period where the old rules do not match the new rules. + + For most OS's this change just means that you need to update the + conversion rules from UTC to local time. Normally this involves + updating a file in /etc (which sets the default timezone for the + machine) and possibly a directory which has all the conversion rules + for the world (e.g. /usr/share/zoneinfo). When updating the OS do not + forget to update any chroot areas as well. See your OS's documentation + for more details. + + The local timezone conversion rules can also be done on a individual + basis by setting the TZ environment variable appropriately. See your + OS's documentation for more details. + +Q: Is there a bugzilla (or other tool) database that mere mortals can have + (read-only) access to for bind? + +A: No. The BIND 9 bug database is kept closed for a number of reasons. + These include, but are not limited to, that the database contains + proprietory information from people reporting bugs. The database has in + the past and may in future contain unfixed bugs which are capable of + bringing down most of the Internet's DNS infrastructure. + + The release pages for each version contain up to date lists of bugs + that have been fixed post release. That is as close as we can get to + providing a bug database. + +4. Operating-System Specific Questions + +4.1. HPUX + +Q: I get the following error trying to configure BIND: + + checking if unistd.h or sys/types.h defines fd_set... no + configure: error: need either working unistd.h or sys/select.h + +A: You have attempted to configure BIND with the bundled C compiler. This + compiler does not meet the minimum compiler requirements to for + building BIND. You need to install a ANSI C compiler and / or teach + configure how to find the ANSI C compiler. The later can be done by + adjusting the PATH environment variable and / or specifying the + compiler via CC. + + ./configure CC= ... + +4.2. Linux + +Q: Why do I get the following errors: + + general: errno2result.c:109: unexpected error: + general: unable to convert errno to isc_result: 14: Bad address + client: UDP client handler shutting down due to fatal receive error: unexpected error + +A: This is the result of a Linux kernel bug. + + See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2 + +Q: Why do I see 5 (or more) copies of named on Linux? + +A: Linux threads each show up as a process under ps. The approximate + number of threads running is n+4, where n is the number of CPUs. Note + that the amount of memory used is not cumulative; if each process is + using 10M of memory, only a total of 10M is used. + + Newer versions of Linux's ps command hide the individual threads and + require -L to display them. + +Q: Why does BIND 9 log "permission denied" errors accessing its + configuration files or zones on my Linux system even though it is + running as root? + +A: On Linux, BIND 9 drops most of its root privileges on startup. This + including the privilege to open files owned by other users. Therefore, + if the server is running as root, the configuration files and zone + files should also be owned by root. + +Q: I get the error message "named: capset failed: Operation not permitted" + when starting named. + +A: The capability module, part of "Linux Security Modules/LSM", has not + been loaded into the kernel. See insmod(8), modprobe(8). + + The relevant modules can be loaded by running: + + modprobe commoncap + modprobe capability + Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core - Why can't named update slave zone database files? - Why can't named create DDNS journal files or update the master zones from - journals? + Why can't named create DDNS journal files or update the master zones + from journals? Why can't named create custom log files? A: Red Hat Security Enhanced Linux (SELinux) policy security protections : - Red Hat have adopted the National Security Agency's SELinux security policy ( - see http://www.nsa.gov/selinux ) and recommendations for BIND security , which - are more secure than running named in a chroot and make use of the bind-chroot - environment unecessary . + Red Hat have adopted the National Security Agency's SELinux security + policy ( see http://www.nsa.gov/selinux ) and recommendations for BIND + security , which are more secure than running named in a chroot and + make use of the bind-chroot environment unnecessary . - By default, named is not allowed by the SELinux policy to write, create or - delete any files EXCEPT in these directories: + By default, named is not allowed by the SELinux policy to write, create + or delete any files EXCEPT in these directories: $ROOTDIR/var/named/slaves $ROOTDIR/var/named/data $ROOTDIR/var/tmp - where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed. + where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is + installed. - The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var - /named directory, the default location for master zone database files. + The SELinux policy particularly does NOT allow named to modify the + $ROOTDIR/var/named directory, the default location for master zone + database files. - SELinux policy overrules file access permissions - so even if all the files - under /var/named have ownership named:named and mode rw-rw-r--, named will - still not be able to write or create files except in the directories above, - with SELinux in Enforcing mode. + SELinux policy overrules file access permissions - so even if all the + files under /var/named have ownership named:named and mode rw-rw-r--, + named will still not be able to write or create files except in the + directories above, with SELinux in Enforcing mode. - So, to allow named to update slave or DDNS zone files, it is best to locate - them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as: + So, to allow named to update slave or DDNS zone files, it is best to + locate them in $ROOTDIR/var/named/slaves, with named.conf zone + statements such as: zone "slave.zone." IN { type slave; @@ -584,8 +653,8 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections : }; - To allow named to create its cache dump and statistics files, for example, you - could use named.conf options statements such as: + To allow named to create its cache dump and statistics files, for + example, you could use named.conf options statements such as: options { ... @@ -595,10 +664,11 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections : }; - You can also tell SELinux to allow named to update any zone database files, by - setting the SELinux tunable boolean parameter 'named_write_master_zones=1', - using the system-config-securitylevel GUI, using the 'setsebool' command, or in - /etc/selinux/targeted/booleans. + You can also tell SELinux to allow named to update any zone database + files, by setting the SELinux tunable boolean parameter + 'named_write_master_zones=1', using the system-config-securitylevel + GUI, using the 'setsebool' command, or in /etc/selinux/targeted/ + booleans. You can disable SELinux protection for named entirely by setting the 'named_disable_trans=1' SELinux tunable boolean parameter. @@ -610,66 +680,119 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections : named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}} - If you want to retain use of the SELinux policy for named, and put named files - in different locations, you can do so by changing the context of the custom - file locations . + If you want to retain use of the SELinux policy for named, and put + named files in different locations, you can do so by changing the + context of the custom file locations . - To create a custom configuration file location, eg. '/root/named.conf', to use - with the 'named -c' option, do: + To create a custom configuration file location, e.g. '/root/ + named.conf', to use with the 'named -c' option, do: # chcon system_u:object_r:named_conf_t /root/named.conf - To create a custom modifiable named data location, eg. '/var/log/named' for a - log file, do: + To create a custom modifiable named data location, e.g. '/var/log/ + named' for a log file, do: # chcon system_u:object_r:named_cache_t /var/log/named - To create a custom zone file location, eg. /root/zones/, do: + To create a custom zone file location, e.g. /root/zones/, do: # chcon system_u:object_r:named_zone_t /root/zones/{.,*} - See these man-pages for more information : selinux(8), named_selinux(8), chcon - (1), setsebool(8) + See these man-pages for more information : selinux(8), named_selinux + (8), chcon(1), setsebool(8) -Q: I want to forward all DNS queries from my caching nameserver to another server. - But there are some domains which have to be served locally, via rbldnsd. +Q: Listening on individual IPv6 interfaces does not work. - How do I achieve this ? +A: This is usually due to "/proc/net/if_inet6" not being available in the + chroot file system. Mount another instance of "proc" in the chroot file + system. -A: options { - forward only; - forwarders { ; }; - }; + This can be be made permanent by adding a second instance to /etc/ + fstab. - zone "sbl-xbl.spamhaus.org" { - type forward; forward only; - forwarders { port 530; }; + proc /proc proc defaults 0 0 + proc /var/named/proc proc defaults 0 0 + +4.3. Windows + +Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. + Why? + +A: This may be caused by a bug in the Windows 2000 DNS server where DNS + messages larger than 16K are not handled properly. This can be worked + around by setting the option "transfer-format one-answer;". Also check + whether your zone contains domain names with embedded spaces or other + special characters, like "John\032Doe\213s\032Computer", since such + names have been known to cause Windows 2000 slaves to incorrectly + reject the zone. + +Q: I get "Error 1067" when starting named under Windows. + +A: This is the service manager saying that named exited. You need to + examine the Application log in the EventViewer to find out why. + + Common causes are that you failed to create "named.conf" (usually "C:\ + windows\dns\etc\named.conf") or failed to specify the directory in + named.conf. + + options { + Directory "C:\windows\dns\etc"; }; - zone "list.dsbl.org" { - type forward; forward only; - forwarders { port 530; }; +4.4. FreeBSD + +Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there. + +A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to + use certain interrupts as a source of random events. You can make this + permanent by setting rand_irqs in /etc/rc.conf. + + /etc/rc.conf + rand_irqs="3 14 15" + + See also http://people.freebsd.org/~dougb/randomness.html + +4.5. Solaris + +Q: How do I integrate BIND 9 and Solaris SMF + +A: Sun has a blog entry describing how to do this. + + http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris + +4.6. Apple Mac OS X + +Q: How do I run BIND 9 on Apple Mac OS X? + +A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do: + + % sudo rndc-confgen > /etc/rndc.conf + + Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.: + + key "rndc-key" { + algorithm hmac-md5; + secret "uvceheVuqf17ZwIcTydddw=="; }; + Then start the relevant service: -Q: Will named be affected by the 2007 changes to daylight savings rules in the US. + % sudo service org.isc.named start -A: No, so long as the machines internal clock (as reported by "date -u") remains - at UTC. The only visible change if you fail to upgrade your OS, if you are in a - affected area, will be that log messages will be a hour out during the period - where the old rules do not match the new rules. + This is persistent upon a reboot, so you will have to do it only once. - For most OS's this change just means that you need to update the conversion - rules from UTC to local time. Normally this involves updating a file in /etc - (which sets the default timezone for the machine) and possibly a directory - which has all the conversion rules for the world (e.g. /usr/share/zoneinfo). - When updating the OS do not forget to update any chroot areas as well. See your - OS's documetation for more details. +A: Alternatively you can just generate /etc/rndc.key by running: - The local timezone conversion rules can also be done on a individual basis by - setting the TZ envirionment variable appropriately. See your OS's documentation - for more details. + % sudo rndc-confgen -a + + Then start the relevant service: + + % sudo service org.isc.named start + + Named will look for /etc/rndc.key when it starts if it doesn't have a + controls section or the existing controls are missing keys sub-clauses. + This is persistent upon a reboot, so you will have to do it only once. diff --git a/FAQ.xml b/FAQ.xml index f67f723b9f4cd..818390b5a8014 100644 --- a/FAQ.xml +++ b/FAQ.xml @@ -1,10 +1,10 @@ - +
Frequently Asked Questions about BIND 9 @@ -27,6 +27,7 @@ 2005 2006 2007 + 2008 Internet Systems Consortium, Inc. ("ISC") @@ -38,69 +39,63 @@ + + Compilation and Installation Questions + - Why doesn't -u work on Linux 2.2.x when I build with - --enable-threads? + I'm trying to compile BIND 9, and "make" is failing due to + files not being found. Why? - Linux threads do not fully implement the Posix threads - (pthreads) standard. In particular, setuid() operates only - on the current thread, not the full process. Because of - this limitation, BIND 9 cannot use setuid() on Linux as it - can on all other supported platforms. setuid() cannot be - called before creating threads, since the server does not - start listening on reserved ports until after threads have - started. - - - In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability - to preserve capabilities across a setuid() call is present. - This allows BIND 9 to call setuid() early, while retaining - the ability to bind reserved ports. This is a Linux-specific - hack. - - - On a 2.2 kernel, BIND 9 does drop many root privileges, so - it should be less of a security risk than a root process - that has not dropped privileges. - - - If Linux threads ever work correctly, this restriction will - go away. - - - Configuring BIND9 with the --disable-threads option (the - default) causes a non-threaded version to be built, which - will allow -u to be used. + Using a parallel or distributed "make" to build BIND 9 is + not supported, and doesn't work. If you are using one of + these, use normal make or gmake instead. - + - Why do I get the following errors: -general: errno2result.c:109: unexpected error: -general: unable to convert errno to isc_result: 14: Bad address -client: UDP client handler shutting down due to fatal receive error: unexpected error + Isn't "make install" supposed to generate a default named.conf? - This is the result of a Linux kernel bug. + Short Answer: No. - See: - http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2 + Long Answer: There really isn't a default configuration which fits + any site perfectly. There are lots of decisions that need to + be made and there is no consensus on what the defaults should be. + For example FreeBSD uses /etc/namedb as the location where the + configuration files for named are stored. Others use /var/named. + + + What addresses to listen on? For a laptop on the move a lot + you may only want to listen on the loop back interfaces. + + + Who do you offer recursive service to? Is there are firewall + to consider? If so is it stateless or stateful. Are you + directly on the Internet? Are you on a private network? Are + you on a NAT'd network? The answers + to all these questions change how you configure even a + caching name server. + + + + Configuration and Setup Questions + Why does named log the warning message no TTL specified - @@ -126,48 +121,9 @@ example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) - - - - - Why do I see 5 (or more) copies of named on Linux? - - - - - Linux threads each show up as a process under ps. The - approximate number of threads running is n+4, where n is - the number of CPUs. Note that the amount of memory used - is not cumulative; if each process is using 10M of memory, - only a total of 10M is used. - - - Newer versions of Linux's ps command hide the individual threads - and require -L to display them. - - - - - - - - Why does BIND 9 log permission denied errors accessing - its configuration files or zones on my Linux system even - though it is running as root? - - - - - On Linux, BIND 9 drops most of its root privileges on - startup. This including the privilege to open files owned - by other users. Therefore, if the server is running as - root, the configuration files and zone files should also - be owned by root. - - - - + + Why do I get errors like dns_zone_load: zone foo/IN: loading @@ -184,25 +140,7 @@ example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) - - - How do I produce a usable core file from a multithreaded - named on Linux? - - - - - If the Linux kernel is 2.4.7 or newer, multithreaded core - dumps are usable (that is, the correct thread is dumped). - Otherwise, if using a 2.2 kernel, apply the kernel patch - found in contrib/linux/coredump-patch and rebuild the kernel. - This patch will cause multithreaded programs to dump the - correct thread. - - - - - + How do I restrict people from looking up the server version? @@ -221,6 +159,7 @@ example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) + How do I restrict only remote users from looking up the @@ -249,6 +188,7 @@ view "chaos" chaos { + What do no source of entropy found or could not @@ -268,21 +208,7 @@ view "chaos" chaos { - - - I installed BIND 9 and restarted named, but it's still BIND 8. Why? - - - - - BIND 9 is installed under /usr/local by default. BIND 8 - is often installed under /usr. Check that the correct named - is running. - - - - - + I'm trying to use TSIG to authenticate dynamic updates or @@ -299,87 +225,6 @@ view "chaos" chaos { - - - - I'm trying to compile BIND 9, and "make" is failing due to - files not being found. Why? - - - - - Using a parallel or distributed "make" to build BIND 9 is - not supported, and doesn't work. If you are using one of - these, use normal make or gmake instead. - - - - - - - - I have a BIND 9 master and a BIND 8.2.3 slave, and the - master is logging error messages like notify to 10.0.0.1#53 - failed: unexpected end of input. What's wrong? - - - - - This error message is caused by a known bug in BIND 8.2.3 - and is fixed in BIND 8.2.4. It can be safely ignored - the - notify has been acted on by the slave despite the error - message. - - - - - - - - I keep getting log messages like the following. Why? - - - Dec 4 23:47:59 client 10.0.0.1#1355: updating zone - 'example.com/IN': update failed: 'RRset exists (value - dependent)' prerequisite not satisfied (NXRRSET) - - - - - DNS updates allow the update request to test to see if - certain conditions are met prior to proceeding with the - update. The message above is saying that conditions were - not met and the update is not proceeding. See doc/rfc/rfc2136.txt - for more details on prerequisites. - - - - - - - - I keep getting log messages like the following. Why? - - - Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied - - - - - Someone is trying to update your DNS data using the RFC2136 - Dynamic Update protocol. Windows 2000 machines have a habit - of sending dynamic update requests to DNS servers without - being specifically configured to do so. If the update - requests are coming from a Windows 2000 machine, see - - http://support.microsoft.com/support/kb/articles/q246/8/04.asp - - for information about how to turn them off. - - - - @@ -402,81 +247,7 @@ view "chaos" chaos { - - - - - When I do a "dig . ns", many of the A records for the root - servers are missing. Why? - - - - - This is normal and harmless. It is a somewhat confusing - side effect of the way BIND 9 does RFC2181 trust ranking - and of the efforts BIND 9 makes to avoid promoting glue - into answers. - - - When BIND 9 first starts up and primes its cache, it receives - the root server addresses as additional data in an authoritative - response from a root server, and these records are eligible - for inclusion as additional data in responses. Subsequently - it receives a subset of the root server addresses as - additional data in a non-authoritative (referral) response - from a root server. This causes the addresses to now be - considered non-authoritative (glue) data, which is not - eligible for inclusion in responses. - - - The server does have a complete set of root server addresses - cached at all times, it just may not include all of them - as additional data, depending on whether they were last - received as answers or as glue. You can always look up the - addresses with explicit queries like "dig a.root-servers.net A". - - - - - - - - Zone transfers from my BIND 9 master to my Windows 2000 - slave fail. Why? - - - - - This may be caused by a bug in the Windows 2000 DNS server - where DNS messages larger than 16K are not handled properly. - This can be worked around by setting the option "transfer-format - one-answer;". Also check whether your zone contains domain - names with embedded spaces or other special characters, - like "John\032Doe\213s\032Computer", since such names have - been known to cause Windows 2000 slaves to incorrectly - reject the zone. - - - - - - - - Why don't my zones reload when I do an "rndc reload" or SIGHUP? - - - - - A zone can be updated either by editing zone files and - reloading the server or by dynamic update, but not both. - If you have enabled dynamic update for a zone using the - "allow-update" option, you are not supposed to edit the - zone file by hand, and the server will not attempt to reload - it. - - - - + @@ -491,7 +262,7 @@ view "chaos" chaos { - + @@ -579,56 +350,13 @@ Slave 10.0.1.2: - + - I have FreeBSD 4.x and "rndc-confgen -a" just sits there. - - - - - /dev/random is not configured. Use rndcontrol(8) to tell - the kernel to use certain interrupts as a source of random - events. You can make this permanent by setting rand_irqs - in /etc/rc.conf. - - - -/etc/rc.conf -rand_irqs="3 14 15" - - - See also - - http://people.freebsd.org/~dougb/randomness.html - - - - - - - - - Why is named listening on UDP port other than 53? - - - - - Named uses a system selected port to make queries of other - nameservers. This behaviour can be overridden by using - query-source to lock down the port and/or address. See - also notify-source and transfer-source. - - - - - - - - I get error messages like multiple RRs of singleton type - and CNAME and other data when transferring a zone. What - does this mean? + I get error messages like multiple RRs of singleton type + and CNAME and other data when transferring a zone. What + does this mean? @@ -644,7 +372,7 @@ named-checkzone example.com tmp A CNAME record cannot exist with the same name as another record - except for the DNSSEC records which prove its existance (NSEC). + except for the DNSSEC records which prove its existence (NSEC). RFC 1034, Section 3.6.2: If a CNAME RR is present at a node, @@ -655,7 +383,7 @@ named-checkzone example.com tmp - + @@ -674,33 +402,7 @@ named-checkzone example.com tmp - - - - - I get warning messages like zone example.com/IN: refresh: - failure trying master 1.2.3.4#53: timed out. - - - - - Check that you can make UDP queries from the slave to the master - - - -dig +norec example.com soa @1.2.3.4 - - - You could be generating queries faster than the slave can - cope with. Lower the serial query rate. - - - -serial-query-rate 5; // default 20 - - - - + @@ -726,7 +428,7 @@ Master 10.0.1.1: }; view "internal" { - match-clients { !external; 10.0.1/24; }; + match-clients { !key external; 10.0.1/24; }; server 10.0.1.1 { /* Deliver notify messages to external view. */ keys { external; }; @@ -740,7 +442,7 @@ Master 10.0.1.1: }; view "external" { - match-clients { external; any; }; + match-clients { key external; any; }; zone "example.com" { type slave; file "external/example.db"; @@ -767,8 +469,8 @@ Master 10.0.1.1: This error is produced when a line in the master file contains leading white space (tab/space) but the is no current record owner name to inherit the name from. Usually - this is the result of putting white space before a comment. - Forgeting the "@" for the SOA record or indenting the master + this is the result of putting white space before a comment, + forgetting the "@" for the SOA record, or indenting the master file. @@ -782,7 +484,7 @@ Master 10.0.1.1: - You are running chrooted (-t) and have not supplied local timzone + You are running chrooted (-t) and have not supplied local timezone information in the chroot area. @@ -795,22 +497,7 @@ Master 10.0.1.1: - - - - - I get the error message named: capset failed: Operation - not permitted when starting named. - - - - - The capability module, part of "Linux Security Modules/LSM", - has not been loaded into the kernel. See insmod(8). - - - - + @@ -850,46 +537,7 @@ Master 10.0.1.1: - - - - - I don't get RRSIG's returned when I use "dig +dnssec". - - - - - You need to ensure DNSSEC is enabled (dnssec-enable yes;). - - - - - - - - I get Error 1067 when starting named under Windows. - - - - - This is the service manager saying that named exited. You - need to examine the Application log in the EventViewer to - find out why. - - - Common causes are that you failed to create "named.conf" - (usually "C:\windows\dns\etc\named.conf") or failed to - specify the directory in named.conf. - - - -options { - Directory "C:\windows\dns\etc"; -}; - - - - + @@ -941,106 +589,101 @@ zone "example.net" { - + - How do I intergrate BIND 9 and Solaris SMF - - - - - Sun has a blog entry describing how to do this. + I want to forward all DNS queries from my caching nameserver to + another server. But there are some domains which have to be + served locally, via rbldnsd. - - http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris - + How do I achieve this ? + + + +options { + forward only; + forwarders { <ip.of.primary.nameserver>; }; +}; + +zone "sbl-xbl.spamhaus.org" { + type forward; forward only; + forwarders { <ip.of.rbldns.server> port 530; }; +}; + +zone "list.dsbl.org" { + type forward; forward only; + forwarders { <ip.of.rbldns.server> port 530; }; +}; + - Can a NS record refer to a CNAME. + Can you help me understand how BIND 9 uses memory to store + DNS zones? + + + Some times it seems to take several times the amount of + memory it needs to store the zone. - No. The rules for glue (copies of the *address* records - in the parent zones) and additional section processing do - not allow it to work. + When reloading a zone named my have multiple copies of + the zone in memory at one time. The zone it is serving + and the one it is loading. If reloads are ultra fast it + can have more still. - You would have to add both the CNAME and address records - (A/AAAA) as glue to the parent zone and have CNAMEs be - followed when doing additional section processing to make - it work. No namesever implementation supports either of - these requirements. + e.g. Ones that are transferring out, the one that it is + serving and the one that is loading. + + + BIND 8 destroyed the zone before loading and also killed + off outgoing transfers of the zone. + + + The new strategy allows slaves to get copies of the new + zone regardless of how often the master is loaded compared + to the transfer time. The slave might skip some intermediate + versions but the transfers will complete and it will keep + reasonably in sync with the master. + + + The new strategy also allows the master to recover from + syntax and other errors in the master file as it still + has an in-core copy of the old contents. - + + + + General Questions + - What does RFC 1918 response from Internet for - 0.0.0.10.IN-ADDR.ARPA mean? - - - - - If the IN-ADDR.ARPA name covered refers to a internal address - space you are using then you have failed to follow RFC 1918 - usage rules and are leaking queries to the Internet. You - should establish your own zones for these addresses to prevent - you quering the Internet's name servers for these addresses. - Please see http://as112.net/ - for details of the problems you are causing and the counter - measures that have had to be deployed. + I keep getting log messages like the following. Why? - If you are not using these private addresses then a client - has queried for them. You can just ignore the messages, - get the offending client to stop sending you these messages - as they are most probably leaking them or setup your own zones - empty zones to serve answers to these queries. + Dec 4 23:47:59 client 10.0.0.1#1355: updating zone + 'example.com/IN': update failed: 'RRset exists (value + dependent)' prerequisite not satisfied (NXRRSET) - - -zone "10.IN-ADDR.ARPA" { - type master; - file "empty"; -}; - -zone "16.172.IN-ADDR.ARPA" { - type master; - file "empty"; -}; - -... - -zone "31.172.IN-ADDR.ARPA" { - type master; - file "empty"; -}; - -zone "168.192.IN-ADDR.ARPA" { - type master; - file "empty"; -}; - -empty: -@ 10800 IN SOA <name-of-server>. <contact-email>. ( - 1 3600 1200 604800 10800 ) -@ 10800 IN NS <name-of-server>. - + + - - Future versions of named are likely to do this automatically. - + DNS updates allow the update request to test to see if + certain conditions are met prior to proceeding with the + update. The message above is saying that conditions were + not met and the update is not proceeding. See doc/rfc/rfc2136.txt + for more details on prerequisites. @@ -1048,32 +691,420 @@ empty: - I'm running BIND on Red Hat Enterprise Linux or Fedora Core - - - - Why can't named update slave zone database files? - - - Why can't named create DDNS journal files or update - the master zones from journals? + I keep getting log messages like the following. Why? - Why can't named create custom log files? + Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied - - Red Hat Security Enhanced Linux (SELinux) policy security - protections : - + Someone is trying to update your DNS data using the RFC2136 + Dynamic Update protocol. Windows 2000 machines have a habit + of sending dynamic update requests to DNS servers without + being specifically configured to do so. If the update + requests are coming from a Windows 2000 machine, see + + http://support.microsoft.com/support/kb/articles/q246/8/04.asp + + for information about how to turn them off. + + + + + + + + When I do a "dig . ns", many of the A records for the root + servers are missing. Why? + + + + + This is normal and harmless. It is a somewhat confusing + side effect of the way BIND 9 does RFC2181 trust ranking + and of the efforts BIND 9 makes to avoid promoting glue + into answers. + + + When BIND 9 first starts up and primes its cache, it receives + the root server addresses as additional data in an authoritative + response from a root server, and these records are eligible + for inclusion as additional data in responses. Subsequently + it receives a subset of the root server addresses as + additional data in a non-authoritative (referral) response + from a root server. This causes the addresses to now be + considered non-authoritative (glue) data, which is not + eligible for inclusion in responses. + + + The server does have a complete set of root server addresses + cached at all times, it just may not include all of them + as additional data, depending on whether they were last + received as answers or as glue. You can always look up the + addresses with explicit queries like "dig a.root-servers.net A". + + + + + + + + Why don't my zones reload when I do an "rndc reload" or SIGHUP? + + + + + A zone can be updated either by editing zone files and + reloading the server or by dynamic update, but not both. + If you have enabled dynamic update for a zone using the + "allow-update" option, you are not supposed to edit the + zone file by hand, and the server will not attempt to reload + it. + + + + + + + + Why is named listening on UDP port other than 53? + + + + + Named uses a system selected port to make queries of other + nameservers. This behaviour can be overridden by using + query-source to lock down the port and/or address. See + also notify-source and transfer-source. + + + + + + + + I get warning messages like zone example.com/IN: refresh: + failure trying master 1.2.3.4#53: timed out. + + + + + Check that you can make UDP queries from the slave to the master + + + +dig +norec example.com soa @1.2.3.4 + + + You could be generating queries faster than the slave can + cope with. Lower the serial query rate. + + + +serial-query-rate 5; // default 20 + + + + + + + + I don't get RRSIG's returned when I use "dig +dnssec". + + + + + You need to ensure DNSSEC is enabled (dnssec-enable yes;). + + + + + + + + Can a NS record refer to a CNAME. + + + + + No. The rules for glue (copies of the *address* records + in the parent zones) and additional section processing do + not allow it to work. + + + You would have to add both the CNAME and address records + (A/AAAA) as glue to the parent zone and have CNAMEs be + followed when doing additional section processing to make + it work. No nameserver implementation supports either of + these requirements. + + + + + + + + What does RFC 1918 response from Internet for + 0.0.0.10.IN-ADDR.ARPA mean? + + + + + If the IN-ADDR.ARPA name covered refers to a internal address + space you are using then you have failed to follow RFC 1918 + usage rules and are leaking queries to the Internet. You + should establish your own zones for these addresses to prevent + you querying the Internet's name servers for these addresses. + Please see http://as112.net/ + for details of the problems you are causing and the counter + measures that have had to be deployed. + + + If you are not using these private addresses then a client + has queried for them. You can just ignore the messages, + get the offending client to stop sending you these messages + as they are most probably leaking them or setup your own zones + empty zones to serve answers to these queries. + + + +zone "10.IN-ADDR.ARPA" { + type master; + file "empty"; +}; + +zone "16.172.IN-ADDR.ARPA" { + type master; + file "empty"; +}; + +... + +zone "31.172.IN-ADDR.ARPA" { + type master; + file "empty"; +}; + +zone "168.192.IN-ADDR.ARPA" { + type master; + file "empty"; +}; + +empty: +@ 10800 IN SOA <name-of-server>. <contact-email>. ( + 1 3600 1200 604800 10800 ) +@ 10800 IN NS <name-of-server>. + + + + Future versions of named are likely to do this automatically. + + + + + + + + + Will named be affected by the 2007 changes to daylight savings + rules in the US. + + + + + No, so long as the machines internal clock (as reported + by "date -u") remains at UTC. The only visible change + if you fail to upgrade your OS, if you are in a affected + area, will be that log messages will be a hour out during + the period where the old rules do not match the new rules. + + + For most OS's this change just means that you need to + update the conversion rules from UTC to local time. + Normally this involves updating a file in /etc (which + sets the default timezone for the machine) and possibly + a directory which has all the conversion rules for the + world (e.g. /usr/share/zoneinfo). When updating the OS + do not forget to update any chroot areas as well. + See your OS's documentation for more details. + + + The local timezone conversion rules can also be done on + a individual basis by setting the TZ environment variable + appropriately. See your OS's documentation for more + details. + + + + + + + + Is there a bugzilla (or other tool) database that mere + mortals can have (read-only) access to for bind? + + + + + No. The BIND 9 bug database is kept closed for a number + of reasons. These include, but are not limited to, that + the database contains proprietory information from people + reporting bugs. The database has in the past and may in + future contain unfixed bugs which are capable of bringing + down most of the Internet's DNS infrastructure. + + + The release pages for each version contain up to date + lists of bugs that have been fixed post release. That + is as close as we can get to providing a bug database. + + + + + + + Operating-System Specific Questions + + HPUX + + + + I get the following error trying to configure BIND: +checking if unistd.h or sys/types.h defines fd_set... no +configure: error: need either working unistd.h or sys/select.h + + + + + You have attempted to configure BIND with the bundled C compiler. + This compiler does not meet the minimum compiler requirements to + for building BIND. You need to install a ANSI C compiler and / or + teach configure how to find the ANSI C compiler. The later can + be done by adjusting the PATH environment variable and / or + specifying the compiler via CC. + + + ./configure CC=<compiler> ... + + + + + + + Linux + + + + + Why do I get the following errors: +general: errno2result.c:109: unexpected error: +general: unable to convert errno to isc_result: 14: Bad address +client: UDP client handler shutting down due to fatal receive error: unexpected error + + + + + This is the result of a Linux kernel bug. + + + See: + http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2 + + + + + + + + Why do I see 5 (or more) copies of named on Linux? + + + + + Linux threads each show up as a process under ps. The + approximate number of threads running is n+4, where n is + the number of CPUs. Note that the amount of memory used + is not cumulative; if each process is using 10M of memory, + only a total of 10M is used. + + + Newer versions of Linux's ps command hide the individual threads + and require -L to display them. + + + + + + + + Why does BIND 9 log permission denied errors accessing + its configuration files or zones on my Linux system even + though it is running as root? + + + + + On Linux, BIND 9 drops most of its root privileges on + startup. This including the privilege to open files owned + by other users. Therefore, if the server is running as + root, the configuration files and zone files should also + be owned by root. + + + + + + + + I get the error message named: capset failed: Operation + not permitted when starting named. + + + + + The capability module, part of "Linux Security Modules/LSM", + has not been loaded into the kernel. See insmod(8), modprobe(8). + + + The relevant modules can be loaded by running: + +modprobe commoncap +modprobe capability + + + + + + + + I'm running BIND on Red Hat Enterprise Linux or Fedora Core - + + + Why can't named update slave zone database files? + + + Why can't named create DDNS journal files or update + the master zones from journals? + + + Why can't named create custom log files? + + + + + + Red Hat Security Enhanced Linux (SELinux) policy security + protections : + Red Hat have adopted the National Security Agency's SELinux security policy ( see http://www.nsa.gov/selinux ) and recommendations for BIND security , which are more secure than running named in a chroot and make use of - the bind-chroot environment unecessary . + the bind-chroot environment unnecessary . @@ -1174,7 +1205,7 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d - To create a custom configuration file location, eg. + To create a custom configuration file location, e.g. '/root/named.conf', to use with the 'named -c' option, do: @@ -1185,7 +1216,7 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d - To create a custom modifiable named data location, eg. + To create a custom modifiable named data location, e.g. '/var/log/named' for a log file, do: @@ -1195,7 +1226,7 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d - To create a custom zone file location, eg. /root/zones/, do: + To create a custom zone file location, e.g. /root/zones/, do: # chcon system_u:object_r:named_zone_t /root/zones/{.,*} @@ -1209,68 +1240,203 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d + - I want to forward all DNS queries from my caching nameserver to - another server. But there are some domains which have to be - served locally, via rbldnsd. + Listening on individual IPv6 interfaces does not work. + + - How do I achieve this ? + This is usually due to "/proc/net/if_inet6" not being available + in the chroot file system. Mount another instance of "proc" + in the chroot file system. + + + This can be be made permanent by adding a second instance to + /etc/fstab. + + +proc /proc proc defaults 0 0 +proc /var/named/proc proc defaults 0 0 + + + + + + + + Windows + + + + + Zone transfers from my BIND 9 master to my Windows 2000 + slave fail. Why? - + + This may be caused by a bug in the Windows 2000 DNS server + where DNS messages larger than 16K are not handled properly. + This can be worked around by setting the option "transfer-format + one-answer;". Also check whether your zone contains domain + names with embedded spaces or other special characters, + like "John\032Doe\213s\032Computer", since such names have + been known to cause Windows 2000 slaves to incorrectly + reject the zone. + + + + + + + + I get Error 1067 when starting named under Windows. + + + + + This is the service manager saying that named exited. You + need to examine the Application log in the EventViewer to + find out why. + + + Common causes are that you failed to create "named.conf" + (usually "C:\windows\dns\etc\named.conf") or failed to + specify the directory in named.conf. + + + options { - forward only; - forwarders { <ip.of.primary.nameserver>; }; -}; - -zone "sbl-xbl.spamhaus.org" { - type forward; forward only; - forwarders { <ip.of.rbldns.server> port 530; }; -}; - -zone "list.dsbl.org" { - type forward; forward only; - forwarders { <ip.of.rbldns.server> port 530; }; -}; - + Directory "C:\windows\dns\etc"; +}; + + + + + FreeBSD + - Will named be affected by the 2007 changes to daylight savings - rules in the US. + I have FreeBSD 4.x and "rndc-confgen -a" just sits there. - No, so long as the machines internal clock (as reported - by "date -u") remains at UTC. The only visible change - if you fail to upgrade your OS, if you are in a affected - area, will be that log messages will be a hour out during - the period where the old rules do not match the new rules. + /dev/random is not configured. Use rndcontrol(8) to tell + the kernel to use certain interrupts as a source of random + events. You can make this permanent by setting rand_irqs + in /etc/rc.conf. + + +/etc/rc.conf +rand_irqs="3 14 15" + - For most OS's this change just means that you need to - update the conversion rules from UTC to local time. - Normally this involves updating a file in /etc (which - sets the default timezone for the machine) and possibly - a directory which has all the conversion rules for the - world (e.g. /usr/share/zoneinfo). When updating the OS - do not forget to update any chroot areas as well. - See your OS's documetation for more details. + See also + + http://people.freebsd.org/~dougb/randomness.html + + + + + + + + Solaris + + + + + How do I integrate BIND 9 and Solaris SMF + + - The local timezone conversion rules can also be done on - a individual basis by setting the TZ envirionment variable - appropriately. See your OS's documentation for more - details. + Sun has a blog entry describing how to do this. + + + + http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris + + + + + + + + Apple Mac OS X + + + + + How do I run BIND 9 on Apple Mac OS X? + + + + + If you run Tiger(Mac OS 10.4) or later then this is all you need to do: + + + +% sudo rndc-confgen > /etc/rndc.conf + + + Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.: + + + +key "rndc-key" { + algorithm hmac-md5; + secret "uvceheVuqf17ZwIcTydddw=="; +}; + + + Then start the relevant service: + + + +% sudo service org.isc.named start + + + This is persistent upon a reboot, so you will have to do it only once. + + + + + + Alternatively you can just generate /etc/rndc.key by running: + + + +% sudo rndc-confgen -a + + + Then start the relevant service: + + + +% sudo service org.isc.named start + + + Named will look for /etc/rndc.key when it starts if it + doesn't have a controls section or the existing controls are + missing keys sub-clauses. This is persistent upon a + reboot, so you will have to do it only once. + + + + +
diff --git a/Makefile.in b/Makefile.in index 7f3a6888baa02..eb1a36acfe67a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 1998-2002 Internet Software Consortium. +# Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1998-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.41.2.2.2.4 2006/05/19 00:04:00 marka Exp $ +# $Id: Makefile.in,v 1.41.2.2.2.7 2007/08/28 07:19:07 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/README b/README index 4763e53b8943f..709df1267ae46 100644 --- a/README +++ b/README @@ -42,14 +42,6 @@ BIND 9 Stichting NLnet - NLnet Foundation Nominum, Inc. -BIND 9.3.4 - - BIND 9.3.4 is a security release. - -BIND 9.3.3 - - BIND 9.3.3 is a maintenance release, containing fixes for - a number of bugs in 9.3.2. BIND 9.3.2 diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c index 1b67ca88596f5..f4d573db916a9 100644 --- a/bin/check/check-tool.c +++ b/bin/check/check-tool.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,12 +15,11 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.c,v 1.4.12.7 2004/11/30 01:15:40 marka Exp $ */ +/* $Id: check-tool.c,v 1.4.12.11 2007/09/13 05:18:07 each Exp $ */ #include #include -#include #include "check-tool.h" #include @@ -29,6 +28,7 @@ #include #include #include +#include #include #include diff --git a/bin/check/check-tool.h b/bin/check/check-tool.h index 105cd258ca3d6..cbe18afa25b04 100644 --- a/bin/check/check-tool.h +++ b/bin/check/check-tool.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.h,v 1.2.12.5 2004/03/08 04:04:13 marka Exp $ */ +/* $Id: check-tool.h,v 1.2.12.8 2007/08/28 07:19:07 tbox Exp $ */ #ifndef CHECK_TOOL_H #define CHECK_TOOL_H diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index 7d0633582dbfa..148e6c59d5dff 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 @@ -1,5 +1,5 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2002 Internet Software Consortium. +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named-checkconf.8,v 1.11.12.8 2006/06/29 13:02:30 marka Exp $ +.\" $Id: named-checkconf.8,v 1.11.12.13 2007/06/20 02:26:23 marka Exp $ .\" .hy 0 .ad l .\" Title: named\-checkconf .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: June 14, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -39,27 +39,37 @@ named\-checkconf \- named configuration file syntax checking tool \fBnamed\-checkconf\fR checks the syntax, but not the semantics, of a named configuration file. .SH "OPTIONS" -.TP 3n +.PP \-t \fIdirectory\fR -chroot to +.RS 4 +Chroot to \fIdirectory\fR so that include directives in the configuration file are processed as if run by a similarly chrooted named. -.TP 3n +.RE +.PP \-v +.RS 4 Print the version of the \fBnamed\-checkconf\fR program and exit. -.TP 3n +.RE +.PP \-z -Perform a check load the master zonefiles found in +.RS 4 +Perform a test load of all master zones found in \fInamed.conf\fR. -.TP 3n +.RE +.PP \-j +.RS 4 When loading a zonefile read the journal if it exists. -.TP 3n +.RE +.PP filename +.RS 4 The name of the configuration file to be checked. If not specified, it defaults to \fI/etc/named.conf\fR. +.RE .SH "RETURN VALUES" .PP \fBnamed\-checkconf\fR @@ -67,9 +77,13 @@ returns an exit status of 1 if errors were detected and 0 otherwise. .SH "SEE ALSO" .PP \fBnamed\fR(8), +\fBnamed\-checkzone\fR(8), BIND 9 Administrator Reference Manual. .SH "AUTHOR" .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index f50461d792561..cc0101c31e609 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkconf.c,v 1.12.12.11 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: named-checkconf.c,v 1.12.12.14 2007/08/28 07:19:07 tbox Exp $ */ #include diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook index c2529f642fe07..b955becd80919 100644 --- a/bin/check/named-checkconf.docbook +++ b/bin/check/named-checkconf.docbook @@ -1,11 +1,11 @@ -]> - + @@ -35,12 +35,14 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") 2000 2001 2002 + 2003 Internet Software Consortium. @@ -77,7 +79,7 @@ -t directory - chroot to directory so that include + Chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named. @@ -98,7 +100,7 @@ -z - Perform a check load the master zonefiles found in + Perform a test load of all master zones found in named.conf. @@ -142,6 +144,9 @@ named 8 , + + named-checkzone8 + , BIND 9 Administrator Reference Manual. diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index 2283c51626154..0617e0bbc64fd 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html @@ -1,6 +1,6 @@ - + named-checkconf - +
-
+

Name

named-checkconf — named configuration file syntax checking tool

@@ -32,18 +32,18 @@

named-checkconf [-v] [-j] [-t directory] {filename} [-z]

-

DESCRIPTION

+

DESCRIPTION

named-checkconf checks the syntax, but not the semantics, of a named configuration file.

-

OPTIONS

+

OPTIONS

-t directory

- chroot to directory so that include + Chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named.

@@ -54,7 +54,7 @@

-z

- Perform a check load the master zonefiles found in + Perform a test load of all master zones found in named.conf.

-j
@@ -69,21 +69,22 @@
-

RETURN VALUES

+

RETURN VALUES

named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), + named-checkzone(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8 index f50085c78456b..b6402626dc7a0 100644 --- a/bin/check/named-checkzone.8 +++ b/bin/check/named-checkzone.8 @@ -1,5 +1,5 @@ -.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2002 Internet Software Consortium. +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named-checkzone.8,v 1.11.2.1.8.11 2006/10/05 02:50:17 marka Exp $ +.\" $Id: named-checkzone.8,v 1.11.2.1.8.16 2007/06/20 02:26:23 marka Exp $ .\" .hy 0 .ad l .\" Title: named\-checkzone .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: June 13, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -43,25 +43,36 @@ does when loading a zone. This makes \fBnamed\-checkzone\fR useful for checking zone files before configuring them into a name server. .SH "OPTIONS" -.TP 3n +.PP \-d +.RS 4 Enable debugging. -.TP 3n +.RE +.PP \-q +.RS 4 Quiet mode \- exit code only. -.TP 3n +.RE +.PP \-v +.RS 4 Print the version of the \fBnamed\-checkzone\fR program and exit. -.TP 3n +.RE +.PP \-j +.RS 4 When loading the zone file read the journal if it exists. -.TP 3n +.RE +.PP \-c \fIclass\fR +.RS 4 Specify the class of the zone. If not specified "IN" is assumed. -.TP 3n +.RE +.PP \-k \fImode\fR +.RS 4 Perform \fB"check\-names"\fR checks with the specified failure mode. Possible modes are @@ -69,37 +80,52 @@ checks with the specified failure mode. Possible modes are \fB"warn"\fR (default) and \fB"ignore"\fR. -.TP 3n +.RE +.PP \-n \fImode\fR +.RS 4 Specify whether NS records should be checked to see if they are addresses. Possible modes are \fB"fail"\fR, \fB"warn"\fR (default) and \fB"ignore"\fR. -.TP 3n +.RE +.PP \-o \fIfilename\fR +.RS 4 Write zone output to \fIfilename\fR. -.TP 3n +.RE +.PP \-t \fIdirectory\fR -chroot to +.RS 4 +Chroot to \fIdirectory\fR so that include directives in the configuration file are processed as if run by a similarly chrooted named. -.TP 3n +.RE +.PP \-w \fIdirectory\fR +.RS 4 chdir to \fIdirectory\fR so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in \fInamed.conf\fR. -.TP 3n +.RE +.PP \-D +.RS 4 Dump zone file in canonical format. -.TP 3n +.RE +.PP zonename +.RS 4 The domain name of the zone being checked. -.TP 3n +.RE +.PP filename +.RS 4 The name of the zone file. +.RE .SH "RETURN VALUES" .PP \fBnamed\-checkzone\fR @@ -107,10 +133,14 @@ returns an exit status of 1 if errors were detected and 0 otherwise. .SH "SEE ALSO" .PP \fBnamed\fR(8), +\fBnamed\-checkconf\fR(8), RFC 1035, BIND 9 Administrator Reference Manual. .SH "AUTHOR" .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook index a24e92b49963b..9ea37e19c7e37 100644 --- a/bin/check/named-checkzone.docbook +++ b/bin/check/named-checkzone.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,12 +36,14 @@ 2004 2005 2006 + 2007 Internet Systems Consortium, Inc. ("ISC") 2000 2001 2002 + 2003 Internet Software Consortium. @@ -168,7 +170,7 @@ -t directory - chroot to directory so that include + Chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named. @@ -233,6 +235,9 @@ named 8 , + + named-checkconf8 + , RFC 1035, BIND 9 Administrator Reference Manual. diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html index 8f5195a6d8f85..295da1362673f 100644 --- a/bin/check/named-checkzone.html +++ b/bin/check/named-checkzone.html @@ -1,6 +1,6 @@ - + named-checkzone - +
-
+

Name

named-checkzone — zone file validity checking tool

@@ -32,7 +32,7 @@

named-checkzone [-d] [-j] [-q] [-v] [-c class] [-k mode] [-n mode] [-o filename] [-t directory] [-w directory] [-D] {zonename} {filename}

-

DESCRIPTION

+

DESCRIPTION

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named @@ -42,7 +42,7 @@

-

OPTIONS

+

OPTIONS

-d

@@ -85,7 +85,7 @@

-t directory

- chroot to directory so that include + Chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named.

@@ -111,22 +111,23 @@
-

RETURN VALUES

+

RETURN VALUES

named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

-

SEE ALSO

+

SEE ALSO

named(8), + named-checkconf(8), RFC 1035, BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in index 65c14ce882221..c68e6d8f316b1 100644 --- a/bin/dig/Makefile.in +++ b/bin/dig/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2000-2002 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.25.12.12 2004/08/18 23:25:57 marka Exp $ +# $Id: Makefile.in,v 1.25.12.15 2007/08/28 07:19:07 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/bin/dig/dig.1 b/bin/dig/dig.1 index 735f31c2a570b..a5f5ff3c04a38 100644 --- a/bin/dig/dig.1 +++ b/bin/dig/dig.1 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dig.1,v 1.14.2.4.2.11 2006/06/29 13:02:30 marka Exp $ +.\" $Id: dig.1,v 1.14.2.4.2.18 2007/05/16 06:10:54 marka Exp $ .\" .hy 0 .ad l .\" Title: dig .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -50,7 +50,7 @@ Although \fBdig\fR is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the \fB\-h\fR -option is given. Unlike earlier versions, the BIND9 implementation of +option is given. Unlike earlier versions, the BIND 9 implementation of \fBdig\fR allows multiple lookups to be issued from the command line. .PP @@ -65,21 +65,28 @@ It is possible to set per\-user defaults for \fBdig\fR via \fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments. +.PP +The IN and CH class names overlap with the IN and CH top level domains names. Either use the +\fB\-t\fR +and +\fB\-c\fR +options to specify the type and class or use "IN." and "CH." when looking up these top level domains. .SH "SIMPLE USAGE" .PP A typical invocation of \fBdig\fR looks like: .sp -.RS 3n +.RS 4 .nf dig @server name type .fi .RE .sp where: -.TP 3n +.PP \fBserver\fR +.RS 4 is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied \fIserver\fR argument is a hostname, @@ -91,11 +98,15 @@ argument is provided, consults \fI/etc/resolv.conf\fR and queries the name servers listed there. The reply from the name server that responds is displayed. -.TP 3n +.RE +.PP \fBname\fR +.RS 4 is the name of the resource record that is to be looked up. -.TP 3n +.RE +.PP \fBtype\fR +.RS 4 indicates what type of query is required \(em ANY, A, MX, SIG, etc. \fItype\fR can be any valid query type. If no @@ -103,6 +114,7 @@ can be any valid query type. If no argument is supplied, \fBdig\fR will perform a lookup for an A record. +.RE .SH "OPTIONS" .PP The @@ -114,14 +126,14 @@ The default query class (IN for internet) is overridden by the \fB\-c\fR option. \fIclass\fR -is any valid class, such as HS for Hesiod records or CH for CHAOSNET records. +is any valid class, such as HS for Hesiod records or CH for Chaosnet records. .PP The \fB\-f\fR option makes \fBdig \fR operate in batch mode by reading a list of lookup requests to process from the file -\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to +\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to \fBdig\fR using the command\-line interface. .PP @@ -146,7 +158,7 @@ to only use IPv6 query transport. The \fB\-t\fR option sets the query type to -\fItype\fR. It can be any valid query type which is supported in BIND9. The default query type "A", unless the +\fItype\fR. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the \fB\-x\fR option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, \fItype\fR @@ -154,7 +166,7 @@ is set to ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was \fIN\fR. .PP -Reverse lookups \- mapping addresses to names \- are simplified by the +Reverse lookups \(em mapping addresses to names \(em are simplified by the \fB\-x\fR option. \fIaddr\fR @@ -202,19 +214,26 @@ Each query option is identified by a keyword preceded by a plus sign (+). Some k no to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form \fB+keyword=value\fR. The query options are: -.TP 3n +.PP \fB+[no]tcp\fR -Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used. -.TP 3n +.RS 4 +Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used. +.RE +.PP \fB+[no]vc\fR +.RS 4 Use [do not use] TCP when querying name servers. This alternate syntax to \fI+[no]tcp\fR is provided for backwards compatibility. The "vc" stands for "virtual circuit". -.TP 3n +.RE +.PP \fB+[no]ignore\fR +.RS 4 Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed. -.TP 3n +.RE +.PP \fB+domain=somename\fR +.RS 4 Set the search list to contain the single domain \fIsomename\fR, as if specified in a \fBdomain\fR @@ -222,36 +241,54 @@ directive in \fI/etc/resolv.conf\fR, and enable search list processing as if the \fI+search\fR option were given. -.TP 3n +.RE +.PP \fB+[no]search\fR +.RS 4 Use [do not use] the search list defined by the searchlist or domain directive in \fIresolv.conf\fR (if any). The search list is not used by default. -.TP 3n +.RE +.PP \fB+[no]defname\fR +.RS 4 Deprecated, treated as a synonym for \fI+[no]search\fR -.TP 3n +.RE +.PP \fB+[no]aaonly\fR +.RS 4 Sets the "aa" flag in the query. -.TP 3n +.RE +.PP \fB+[no]aaflag\fR +.RS 4 A synonym for \fI+[no]aaonly\fR. -.TP 3n +.RE +.PP \fB+[no]adflag\fR +.RS 4 Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness. -.TP 3n +.RE +.PP \fB+[no]cdflag\fR +.RS 4 Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. -.TP 3n +.RE +.PP \fB+[no]cl\fR +.RS 4 Display [do not display] the CLASS when printing the record. -.TP 3n +.RE +.PP \fB+[no]ttlid\fR +.RS 4 Display [do not display] the TTL when printing the record. -.TP 3n +.RE +.PP \fB+[no]recurse\fR +.RS 4 Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means \fBdig\fR normally sends recursive queries. Recursion is automatically disabled when the @@ -259,75 +296,109 @@ normally sends recursive queries. Recursion is automatically disabled when the or \fI+trace\fR query options are used. -.TP 3n +.RE +.PP \fB+[no]nssearch\fR +.RS 4 When this option is set, \fBdig\fR attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone. -.TP 3n +.RE +.PP \fB+[no]trace\fR +.RS 4 Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, \fBdig\fR makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup. -.TP 3n +.RE +.PP \fB+[no]cmd\fR -toggles the printing of the initial comment in the output identifying the version of +.RS 4 +Toggles the printing of the initial comment in the output identifying the version of \fBdig\fR and the query options that have been applied. This comment is printed by default. -.TP 3n +.RE +.PP \fB+[no]short\fR +.RS 4 Provide a terse answer. The default is to print the answer in a verbose form. -.TP 3n +.RE +.PP \fB+[no]identify\fR +.RS 4 Show [or do not show] the IP address and port number that supplied the answer when the \fI+short\fR option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer. -.TP 3n +.RE +.PP \fB+[no]comments\fR +.RS 4 Toggle the display of comment lines in the output. The default is to print comments. -.TP 3n +.RE +.PP \fB+[no]stats\fR -This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics. -.TP 3n +.RS 4 +This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics. +.RE +.PP \fB+[no]qr\fR +.RS 4 Print [do not print] the query as it is sent. By default, the query is not printed. -.TP 3n +.RE +.PP \fB+[no]question\fR +.RS 4 Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment. -.TP 3n +.RE +.PP \fB+[no]answer\fR +.RS 4 Display [do not display] the answer section of a reply. The default is to display it. -.TP 3n +.RE +.PP \fB+[no]authority\fR +.RS 4 Display [do not display] the authority section of a reply. The default is to display it. -.TP 3n +.RE +.PP \fB+[no]additional\fR +.RS 4 Display [do not display] the additional section of a reply. The default is to display it. -.TP 3n +.RE +.PP \fB+[no]all\fR +.RS 4 Set or clear all display flags. -.TP 3n +.RE +.PP \fB+time=T\fR +.RS 4 Sets the timeout for a query to \fIT\fR -seconds. The default time out is 5 seconds. An attempt to set +seconds. The default timeout is 5 seconds. An attempt to set \fIT\fR to less than 1 will result in a query timeout of 1 second being applied. -.TP 3n +.RE +.PP \fB+tries=T\fR +.RS 4 Sets the number of times to try UDP queries to server to \fIT\fR instead of the default, 3. If \fIT\fR is less than or equal to zero, the number of tries is silently rounded up to 1. -.TP 3n +.RE +.PP \fB+retry=T\fR +.RS 4 Sets the number of times to retry UDP queries to server to \fIT\fR instead of the default, 2. Unlike \fI+tries\fR, this does not include the initial query. -.TP 3n +.RE +.PP \fB+ndots=D\fR +.RS 4 Set the number of dots that have to appear in \fIname\fR to @@ -339,30 +410,44 @@ or \fBdomain\fR directive in \fI/etc/resolv.conf\fR. -.TP 3n +.RE +.PP \fB+bufsize=B\fR +.RS 4 Set the UDP message buffer size advertised using EDNS0 to \fIB\fR bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. -.TP 3n +.RE +.PP \fB+[no]multiline\fR +.RS 4 Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the \fBdig\fR output. -.TP 3n +.RE +.PP \fB+[no]fail\fR -Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour. -.TP 3n +.RS 4 +Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior. +.RE +.PP \fB+[no]besteffort\fR +.RS 4 Attempt to display the contents of messages which are malformed. The default is to not display malformed answers. -.TP 3n +.RE +.PP \fB+[no]dnssec\fR +.RS 4 Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query. -.TP 3n +.RE +.PP \fB+[no]sigchase\fR +.RS 4 Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE. -.TP 3n +.RE +.PP \fB+trusted\-key=####\fR +.RS 4 Specifies a file containing trusted keys to be used with \fB+sigchase\fR. Each DNSKEY record must be on its own line. .sp @@ -375,9 +460,12 @@ then in the current directory. .sp Requires dig be compiled with \-DDIG_SIGCHASE. -.TP 3n +.RE +.PP \fB+[no]topdown\fR -When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with \-DDIG_SIGCHASE. +.RS 4 +When chasing DNSSEC signature chains perform a top\-down validation. Requires dig be compiled with \-DDIG_SIGCHASE. +.RE .SH "MULTIPLE QUERIES" .PP The BIND 9 implementation of @@ -394,7 +482,7 @@ A global set of query options, which should be applied to all queries, can also \fB+[no]cmd\fR option) can be overridden by a query\-specific set of query options. For example: .sp -.RS 3n +.RS 4 .nf dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr .fi @@ -425,8 +513,11 @@ isc.org. \fBnamed\fR(8), \fBdnssec\-keygen\fR(8), RFC1035. -.SH "BUGS " +.SH "BUGS" .PP There are probably too many query options. .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 619e0298064bf..763613dfca79b 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.157.2.13.2.31 2006/07/22 23:52:57 marka Exp $ */ +/* $Id: dig.c,v 1.157.2.13.2.35 2007/08/28 07:19:07 tbox Exp $ */ #include #include @@ -625,42 +625,6 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) { } } -/* - * Reorder an argument list so that server names all come at the end. - * This is a bit of a hack, to allow batch-mode processing to properly - * handle the server options. - */ -static void -reorder_args(int argc, char *argv[]) { - int i, j; - char *ptr; - int end; - - debug("reorder_args()"); - end = argc - 1; - while (argv[end][0] == '@') { - end--; - if (end == 0) - return; - } - debug("arg[end]=%s", argv[end]); - for (i = 1; i < end - 1; i++) { - if (argv[i][0] == '@') { - debug("arg[%d]=%s", i, argv[i]); - ptr = argv[i]; - for (j = i + 1; j < end; j++) { - debug("Moving %s to %d", argv[j], j - 1); - argv[j - 1] = argv[j]; - } - debug("moving %s to end, %d", ptr, end - 1); - argv[end - 1] = ptr; - end--; - if (end < 1) - return; - } - } -} - static isc_uint32_t parse_uint(char *arg, const char *desc, isc_uint32_t max) { isc_result_t result; @@ -1054,7 +1018,8 @@ static const char *single_dash_opts = "46dhimnv"; static const char *dash_opts = "46bcdfhikmnptvyx"; static isc_boolean_t dash_option(char *option, char *next, dig_lookup_t **lookup, - isc_boolean_t *open_type_class) + isc_boolean_t *open_type_class, isc_boolean_t *need_clone, + int argc, char **argv, isc_boolean_t *firstarg) { char opt, *value, *ptr; isc_result_t result; @@ -1245,7 +1210,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, keysecret[sizeof(keysecret)-1]=0; return (value_from_next); case 'x': - *lookup = clone_lookup(default_lookup, ISC_TRUE); + if (*need_clone) + *lookup = clone_lookup(default_lookup, ISC_TRUE); + *need_clone = ISC_TRUE; if (get_reverse(textname, sizeof(textname), value, ip6_int, ISC_FALSE) == ISC_R_SUCCESS) { strncpy((*lookup)->textname, textname, @@ -1259,6 +1226,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, if (!(*lookup)->rdclassset) (*lookup)->rdclass = dns_rdataclass_in; (*lookup)->new_search = ISC_TRUE; + if (*firstarg) { + printgreeting(argc, argv, *lookup); + *firstarg = ISC_FALSE; + } ISC_LIST_APPEND(lookup_list, *lookup, link); } else { fprintf(stderr, "Invalid IP address %s\n", value); @@ -1349,6 +1320,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, char rcfile[256]; #endif char *input; + int i; + isc_boolean_t need_clone = ISC_TRUE; /* * The semantics for parsing the args is a bit complex; if @@ -1396,7 +1369,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, bargv[0] = argv[0]; argv0 = argv[0]; - reorder_args(bargc, (char **)bargv); + for(i = 0; i < bargc; i++) + debug(".digrc argv %d: %s", + i, bargv[i]); parse_args(ISC_TRUE, ISC_TRUE, bargc, (char **)bargv); } @@ -1405,7 +1380,12 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, #endif } - lookup = default_lookup; + if (is_batchfile && !config_only) { + /* Processing '-f batchfile'. */ + lookup = clone_lookup(default_lookup, ISC_TRUE); + need_clone = ISC_FALSE; + } else + lookup = default_lookup; rc = argc; rv = argv; @@ -1421,13 +1401,17 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, } else if (rv[0][0] == '-') { if (rc <= 1) { if (dash_option(&rv[0][1], NULL, - &lookup, &open_type_class)) { + &lookup, &open_type_class, + &need_clone, argc, argv, + &firstarg)) { rc--; rv++; } } else { if (dash_option(&rv[0][1], rv[1], - &lookup, &open_type_class)) { + &lookup, &open_type_class, + &need_clone, argc, argv, + &firstarg)) { rc--; rv++; } @@ -1495,21 +1479,29 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, continue; } } + if (!config_only) { - lookup = clone_lookup(default_lookup, - ISC_TRUE); + if (need_clone) + lookup = clone_lookup(default_lookup, + ISC_TRUE); + need_clone = ISC_TRUE; strncpy(lookup->textname, rv[0], sizeof(lookup->textname)); lookup->textname[sizeof(lookup->textname)-1]=0; lookup->trace_root = ISC_TF(lookup->trace || lookup->ns_search_only); lookup->new_search = ISC_TRUE; + if (firstarg) { + printgreeting(argc, argv, lookup); + firstarg = ISC_FALSE; + } ISC_LIST_APPEND(lookup_list, lookup, link); debug("looking up %s", lookup->textname); } /* XXX Error message */ } } + /* * If we have a batchfile, seed the lookup list with the * first entry, then trust the callback in dighost_shutdown @@ -1544,15 +1536,20 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, bargv[0] = argv[0]; argv0 = argv[0]; - reorder_args(bargc, (char **)bargv); + for(i = 0; i < bargc; i++) + debug("batch argv %d: %s", i, bargv[i]); parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv); + return; } + return; } /* * If no lookup specified, search for root */ if ((lookup_list.head == NULL) && !config_only) { - lookup = clone_lookup(default_lookup, ISC_TRUE); + if (need_clone) + lookup = clone_lookup(default_lookup, ISC_TRUE); + need_clone = ISC_TRUE; lookup->trace_root = ISC_TF(lookup->trace || lookup->ns_search_only); lookup->new_search = ISC_TRUE; @@ -1564,10 +1561,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only, firstarg = ISC_FALSE; } ISC_LIST_APPEND(lookup_list, lookup, link); - } else if (!config_only && firstarg) { - printgreeting(argc, argv, lookup); - firstarg = ISC_FALSE; } + if (!need_clone) + destroy_lookup(lookup); } /* @@ -1581,7 +1577,7 @@ dighost_shutdown(void) { int bargc; char *bargv[16]; char *input; - + int i; if (batchname == NULL) { isc_app_shutdown(); @@ -1609,7 +1605,8 @@ dighost_shutdown(void) { bargv[0] = argv0; - reorder_args(bargc, (char **)bargv); + for(i = 0; i < bargc; i++) + debug("batch argv %d: %s", i, bargv[i]); parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv); start_lookup(); } else { @@ -1624,7 +1621,6 @@ dighost_shutdown(void) { int main(int argc, char **argv) { isc_result_t result; - dig_server_t *s, *s2; ISC_LIST_INIT(lookup_list); ISC_LIST_INIT(server_list); @@ -1645,16 +1641,7 @@ main(int argc, char **argv) { result = isc_app_onrun(mctx, global_task, onrun_callback, NULL); check_result(result, "isc_app_onrun"); isc_app_run(); - s = ISC_LIST_HEAD(default_lookup->my_server_list); - while (s != NULL) { - debug("freeing server %p belonging to %p", - s, default_lookup); - s2 = s; - s = ISC_LIST_NEXT(s, link); - ISC_LIST_DEQUEUE(default_lookup->my_server_list, s2, link); - isc_mem_free(mctx, s2); - } - isc_mem_free(mctx, default_lookup); + destroy_lookup(default_lookup); if (batchname != NULL) { if (batchfp != stdin) fclose(batchfp); diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook index 87c98ae7b1f09..82b2516cbbe6f 100644 --- a/bin/dig/dig.docbook +++ b/bin/dig/dig.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,8 @@ 2004 2005 + 2006 + 2007 Internet Systems Consortium, Inc. ("ISC") @@ -101,7 +103,7 @@ Although dig is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the option is given. -Unlike earlier versions, the BIND9 implementation of +Unlike earlier versions, the BIND 9 implementation of dig allows multiple lookups to be issued from the command line. @@ -123,6 +125,13 @@ It is possible to set per-user defaults for dig via are applied before the command line arguments. + + The IN and CH class names overlap with the IN and CH top level + domains names. Either use the and + options to specify the type and class or + use "IN." and "CH." when looking up these top level domains. + + @@ -179,14 +188,14 @@ may be specified by appending "#<port>" The default query class (IN for internet) is overridden by the option. class is any valid -class, such as HS for Hesiod records or CH for CHAOSNET records. +class, such as HS for Hesiod records or CH for Chaosnet records. The option makes dig operate in batch mode by reading a list of lookup requests to process from the file filename. The file contains a number of -queries, one per line. Each entry in the file should be organised in +queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to dig using the command-line interface. @@ -209,7 +218,7 @@ use IPv4 query transport. The option forces The option sets the query type to type. It can be any valid query type which is -supported in BIND9. The default query type "A", unless the +supported in BIND 9. The default query type is "A", unless the option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, @@ -220,7 +229,7 @@ since the serial number in the zone's SOA record was -Reverse lookups - mapping addresses to names - are simplified by the +Reverse lookups — mapping addresses to names — are simplified by the option. addr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. When this option is used, there is no need to provide the @@ -283,7 +292,7 @@ The query options are: Use [do not use] TCP when querying name servers. The default -behaviour is to use UDP unless an AXFR or IXFR query is requested, in +behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used. @@ -384,7 +393,7 @@ resolve the lookup. -toggles the printing of the initial comment in the output identifying +Toggles the printing of the initial comment in the output identifying the version of dig and the query options that have been applied. This comment is printed by default. @@ -412,7 +421,7 @@ print comments. This query option toggles the printing of statistics: when the query -was made, the size of the reply and so on. The default behaviour is +was made, the size of the reply and so on. The default behavior is to print the query statistics. @@ -455,7 +464,7 @@ Set or clear all display flags. Sets the timeout for a query to -T seconds. The default time out is 5 seconds. +T seconds. The default timeout is 5 seconds. An attempt to set T to less than 1 will result in a query timeout of 1 second being applied. @@ -509,7 +518,7 @@ of the dig output. Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver -behaviour. +behavior. @@ -551,7 +560,7 @@ Chase DNSSEC signature chains. Requires dig be compiled with -When chasing DNSSEC signature chains perform a top down validation. +When chasing DNSSEC signature chains perform a top-down validation. Requires dig be compiled with -DDIG_SIGCHASE. diff --git a/bin/dig/dig.html b/bin/dig/dig.html index 06771b3a1c265..054c1974656bd 100644 --- a/bin/dig/dig.html +++ b/bin/dig/dig.html @@ -1,5 +1,5 @@ - + dig - +
-
+

Name

dig — DNS lookup utility

@@ -34,7 +34,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -49,7 +49,7 @@ Although dig is normally used with arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the -h option is given. -Unlike earlier versions, the BIND9 implementation of +Unlike earlier versions, the BIND 9 implementation of dig allows multiple lookups to be issued from the command line.

@@ -67,9 +67,15 @@ It is possible to set per-user defaults for dig${HOME}/.digrc. This file is read and any options in it are applied before the command line arguments.

+

+ The IN and CH class names overlap with the IN and CH top level + domains names. Either use the -t and + -c options to specify the type and class or + use "IN." and "CH." when looking up these top level domains. +

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -107,7 +113,7 @@ ANY, A, MX, SIG, etc.

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid address on @@ -117,13 +123,13 @@ may be specified by appending "#<port>"

The default query class (IN for internet) is overridden by the -c option. class is any valid -class, such as HS for Hesiod records or CH for CHAOSNET records. +class, such as HS for Hesiod records or CH for Chaosnet records.

The -f option makes dig operate in batch mode by reading a list of lookup requests to process from the file filename. The file contains a number of -queries, one per line. Each entry in the file should be organised in +queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to dig using the command-line interface.

@@ -143,7 +149,7 @@ use IPv4 query transport. The -6 option forces

The -t option sets the query type to type. It can be any valid query type which is -supported in BIND9. The default query type "A", unless the +supported in BIND 9. The default query type is "A", unless the -x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, @@ -153,7 +159,7 @@ since the serial number in the zone's SOA record was N.

-Reverse lookups - mapping addresses to names - are simplified by the +Reverse lookups — mapping addresses to names — are simplified by the -x option. addr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. When this option is used, there is no need to provide the @@ -188,7 +194,7 @@ being used. In BIND, this is done by providing appropriate

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -209,7 +215,7 @@ The query options are:

+[no]tcp

Use [do not use] TCP when querying name servers. The default -behaviour is to use UDP unless an AXFR or IXFR query is requested, in +behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.

+[no]vc
@@ -295,7 +301,7 @@ resolve the lookup.

+[no]cmd

-toggles the printing of the initial comment in the output identifying +Toggles the printing of the initial comment in the output identifying the version of dig and the query options that have been applied. This comment is printed by default.

@@ -319,7 +325,7 @@ print comments.
+[no]stats

This query option toggles the printing of statistics: when the query -was made, the size of the reply and so on. The default behaviour is +was made, the size of the reply and so on. The default behavior is to print the query statistics.

+[no]qr
@@ -355,7 +361,7 @@ Set or clear all display flags.

Sets the timeout for a query to -T seconds. The default time out is 5 seconds. +T seconds. The default timeout is 5 seconds. An attempt to set T to less than 1 will result in a query timeout of 1 second being applied.

@@ -402,7 +408,7 @@ of the dig output.

Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver -behaviour. +behavior.

+[no]besteffort

@@ -437,7 +443,7 @@ Chase DNSSEC signature chains. Requires dig be compiled with

+[no]topdown

-When chasing DNSSEC signature chains perform a top down validation. +When chasing DNSSEC signature chains perform a top-down validation. Requires dig be compiled with -DDIG_SIGCHASE.

@@ -446,7 +452,7 @@ Requires dig be compiled with -DDIG_SIGCHASE.

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports specifying multiple queries on the command line (in addition to @@ -487,7 +493,7 @@ will not print the initial query when it looks up the NS records for

-

FILES

+

FILES

/etc/resolv.conf

@@ -496,7 +502,7 @@ will not print the initial query when it looks up the NS records for

-

SEE ALSO

+

SEE ALSO

host(1), named(8), @@ -505,7 +511,7 @@ will not print the initial query when it looks up the NS records for

-

BUGS

+

BUGS

There are probably too many query options.

diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 398711d4f1cd1..f3b0d9954b969 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dighost.c,v 1.221.2.19.2.36 2006/12/07 01:26:33 marka Exp $ */ +/* $Id: dighost.c,v 1.221.2.19.2.46 2008/01/17 23:45:26 tbox Exp $ */ /* * Notice to programmers: Do not use this code as an example of how to @@ -462,6 +462,7 @@ void fatal(const char *format, ...) { va_list args; + fflush(stdout); fprintf(stderr, "%s: ", progname); va_start(args, format); vfprintf(stderr, format, args); @@ -479,6 +480,7 @@ debug(const char *format, ...) { va_list args; if (debugging) { + fflush(stdout); va_start(args, format); vfprintf(stderr, format, args); va_end(args); @@ -591,7 +593,7 @@ set_nameserver(char *opt) { opt, isc_result_totext(result)); flush_server_list(); - + for (i = 0; i < count; i++) { isc_netaddr_fromsockaddr(&netaddr, &sockaddrs[i]); isc_netaddr_format(&netaddr, tmp, sizeof(tmp)); @@ -723,6 +725,8 @@ make_empty_lookup(void) { looknew->section_authority = ISC_TRUE; looknew->section_additional = ISC_TRUE; looknew->new_search = ISC_FALSE; + looknew->done_as_is = ISC_FALSE; + looknew->need_search = ISC_FALSE; ISC_LINK_INIT(looknew, link); ISC_LIST_INIT(looknew->q); ISC_LIST_INIT(looknew->my_server_list); @@ -794,6 +798,8 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { looknew->section_additional = lookold->section_additional; looknew->retries = lookold->retries; looknew->tsigctx = NULL; + looknew->need_search = lookold->need_search; + looknew->done_as_is = lookold->done_as_is; if (servers) clone_server_list(lookold->my_server_list, @@ -854,7 +860,7 @@ setup_text_key(void) { result = isc_base64_decodestring(keysecret, &secretbuf); if (result != ISC_R_SUCCESS) goto failure; - + secretsize = isc_buffer_usedlength(&secretbuf); result = dns_name_fromtext(&keyname, namebuf, @@ -964,7 +970,7 @@ setup_system(void) { domain = NULL; } } - + if (ndots == -1) { ndots = lwconf->ndots; debug("ndots is %d.", ndots); @@ -1023,7 +1029,7 @@ clear_searchlist(void) { void set_search_domain(char *domain) { dig_searchlist_t *search; - + clear_searchlist(); search = make_searchlist_entry(domain); ISC_LIST_APPEND(search_list, search, link); @@ -1209,9 +1215,7 @@ clear_query(dig_query_t *query) { */ static isc_boolean_t try_clear_lookup(dig_lookup_t *lookup) { - dig_server_t *s; dig_query_t *q; - void *ptr; REQUIRE(lookup != NULL); @@ -1232,7 +1236,16 @@ try_clear_lookup(dig_lookup_t *lookup) { * At this point, we know there are no queries on the lookup, * so can make it go away also. */ - debug("cleared"); + destroy_lookup(lookup); + return (ISC_TRUE); +} + +void +destroy_lookup(dig_lookup_t *lookup) { + dig_server_t *s; + void *ptr; + + debug("destroy"); s = ISC_LIST_HEAD(lookup->my_server_list); while (s != NULL) { debug("freeing server %p belonging to %p", s, lookup); @@ -1257,7 +1270,6 @@ try_clear_lookup(dig_lookup_t *lookup) { dst_context_destroy(&lookup->tsigctx); isc_mem_free(mctx, lookup); - return (ISC_TRUE); } /* @@ -1336,7 +1348,7 @@ start_lookup(void) { current_lookup->qrdtype_sigchase = current_lookup->qrdtype; current_lookup->qrdtype = dns_rdatatype_ns; - + current_lookup->rdclass_sigchase = current_lookup->rdclass; current_lookup->rdclass_sigchaseset @@ -1415,7 +1427,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) INSIST(!free_now); debug("following up %s", query->lookup->textname); - + for (result = dns_message_firstname(msg, section); result == ISC_R_SUCCESS; result = dns_message_nextname(msg, section)) { @@ -1450,7 +1462,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) dns_rdataset_current(rdataset, &rdata); query->lookup->nsfound++; - (void)dns_rdata_tostruct(&rdata, &ns, NULL); + result = dns_rdata_tostruct(&rdata, &ns, NULL); + check_result(result, "dns_rdata_tostruct"); dns_name_format(&ns.name, namestr, sizeof(namestr)); dns_rdata_freestruct(&ns); @@ -1499,6 +1512,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section) static isc_boolean_t next_origin(dns_message_t *msg, dig_query_t *query) { dig_lookup_t *lookup; + dig_searchlist_t *search; UNUSED(msg); @@ -1513,13 +1527,22 @@ next_origin(dns_message_t *msg, dig_query_t *query) { * about finding the next entry. */ return (ISC_FALSE); - if (query->lookup->origin == NULL) + if (query->lookup->origin == NULL && !query->lookup->need_search) /* * Then we just did rootorg; there's nothing left. */ return (ISC_FALSE); - lookup = requeue_lookup(query->lookup, ISC_TRUE); - lookup->origin = ISC_LIST_NEXT(query->lookup->origin, link); + if (query->lookup->origin == NULL && query->lookup->need_search) { + lookup = requeue_lookup(query->lookup, ISC_TRUE); + lookup->origin = ISC_LIST_HEAD(search_list); + lookup->need_search = ISC_FALSE; + } else { + search = ISC_LIST_NEXT(query->lookup->origin, link); + if (search == NULL && query->lookup->done_as_is) + return (ISC_FALSE); + lookup = requeue_lookup(query->lookup, ISC_TRUE); + lookup->origin = search; + } cancel_lookup(query->lookup); return (ISC_TRUE); } @@ -1641,11 +1664,16 @@ setup_lookup(dig_lookup_t *lookup) { * take the first entry in the searchlist iff either usesearch * is TRUE or we got a domain line in the resolv.conf file. */ - /* XXX New search here? */ - if ((count_dots(lookup->textname) >= ndots) || !usesearch) - lookup->origin = NULL; /* Force abs lookup */ - else if (lookup->origin == NULL && lookup->new_search && usesearch) - lookup->origin = ISC_LIST_HEAD(search_list); + if (lookup->new_search) { + if ((count_dots(lookup->textname) >= ndots) || !usesearch) { + lookup->origin = NULL; /* Force abs lookup */ + lookup->done_as_is = ISC_TRUE; + lookup->need_search = usesearch; + } else if (lookup->origin == NULL && usesearch) { + lookup->origin = ISC_LIST_HEAD(search_list); + lookup->need_search = ISC_FALSE; + } + } if (lookup->origin != NULL) { debug("trying origin %s", lookup->origin->origin); @@ -1891,7 +1919,7 @@ send_done(isc_task_t *_task, isc_event_t *event) { for (b = ISC_LIST_HEAD(sevent->bufferlist); b != NULL; - b = ISC_LIST_HEAD(sevent->bufferlist)) + b = ISC_LIST_HEAD(sevent->bufferlist)) ISC_LIST_DEQUEUE(sevent->bufferlist, b, link); query = event->ev_arg; @@ -1971,7 +1999,7 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) { &l->interval, global_task, connect_timeout, l, &l->timer); check_result(result, "isc_timer_create"); -} +} static void connect_done(isc_task_t *task, isc_event_t *event); @@ -1993,7 +2021,7 @@ send_tcp_connect(dig_query_t *query) { query->waiting_connect = ISC_TRUE; query->lookup->current_query = query; get_address(query->servname, port, &query->sockaddr); - + if (specified_source && (isc_sockaddr_pf(&query->sockaddr) != isc_sockaddr_pf(&bind_address))) { @@ -2462,7 +2490,8 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg, goto next_rdata; /* Now we have an SOA. Work with it. */ debug("got an SOA"); - (void)dns_rdata_tostruct(&rdata, &soa, NULL); + result = dns_rdata_tostruct(&rdata, &soa, NULL); + check_result(result, "dns_rdata_tostruct"); serial = soa.serial; dns_rdata_freestruct(&soa); if (!query->first_soa_rcvd) { @@ -2660,7 +2689,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { } } - result = dns_message_peekheader(b, &id, &msgflags); + result = dns_message_peekheader(b, &id, &msgflags); if (result != ISC_R_SUCCESS || l->sendmsg->id != id) { match = ISC_FALSE; if (l->tcp_mode) { @@ -2774,7 +2803,7 @@ recv_done(isc_task_t *task, isc_event_t *event) { check_next_lookup(l); UNLOCK_LOOKUP; return; - } + } if (msg->rcode == dns_rcode_servfail && !l->servfail_stops) { dig_query_t *next = ISC_LIST_NEXT(query, link); if (l->current_query == query) @@ -2856,7 +2885,8 @@ recv_done(isc_task_t *task, isc_event_t *event) { } if (!l->doing_xfr || l->xfr_q == query) { - if (msg->rcode != dns_rcode_noerror && l->origin != NULL) { + if (msg->rcode != dns_rcode_noerror && + (l->origin != NULL || l->need_search)) { if (!next_origin(msg, query)) { printmessage(query, msg, ISC_TRUE); received(b->used, &sevent->address, query); @@ -2925,11 +2955,11 @@ recv_done(isc_task_t *task, isc_event_t *event) { isc_buffer_usedregion(b, &r); result = isc_buffer_allocate(mctx, &buf, r.length); - + check_result(result, "isc_buffer_allocate"); result = isc_buffer_copyregion(buf, &r); check_result(result, "isc_buffer_copyregion"); - + result = dns_message_parse(msg_temp, buf, 0); isc_buffer_free(&buf); @@ -2946,7 +2976,6 @@ recv_done(isc_task_t *task, isc_event_t *event) { chase_msg2->msg = msg; } #endif - } #ifdef DIG_SIGCHASE @@ -3210,7 +3239,7 @@ destroy_libs(void) { #endif debug("Destroy memory"); - + #endif if (memdebugging != 0) isc_mem_stats(mctx, stderr); @@ -3254,7 +3283,7 @@ dump_database_section(dns_message_t *msg, int section) dns_message_currentname(msg, section, &msg_name); for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL; - rdataset = ISC_LIST_NEXT(rdataset, link)) { + rdataset = ISC_LIST_NEXT(rdataset, link)) { dns_name_print(msg_name, stdout); printf("\n"); print_rdataset(msg_name, rdataset, mctx); @@ -3277,7 +3306,7 @@ dump_database(void) { if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY) == ISC_R_SUCCESS) dump_database_section(msg->msg, DNS_SECTION_AUTHORITY); - + if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL) == ISC_R_SUCCESS) dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL); @@ -3309,7 +3338,7 @@ search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) { if ((siginfo.covered == covers) || (covers == dns_rdatatype_any)) { dns_rdata_reset(&sigrdata); - dns_rdata_freestruct(&siginfo); + dns_rdata_freestruct(&siginfo); return (rdataset); } dns_rdata_reset(&sigrdata); @@ -3516,7 +3545,7 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { isc_mem_free(mctx, tempname); return (ISC_R_FAILURE); } - + x = cp--; while (cp >= tempname && *cp == 'X') { isc_random_get(&which); @@ -3528,12 +3557,12 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { tempnamekey = isc_mem_allocate(mctx, tempnamekeylen); if (tempnamekey == NULL) return (ISC_R_NOMEMORY); - + memset(tempnamekey, 0, tempnamekeylen); strncpy(tempnamekey, tempname, tempnamelen); strcat(tempnamekey ,".key"); - + if (isc_file_exists(tempnamekey)) { isc_mem_free(mctx, tempnamekey); isc_mem_free(mctx, tempname); @@ -3554,7 +3583,7 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) { cleanup: isc_mem_free(mctx, tempname); - + return (result); } @@ -3593,7 +3622,7 @@ get_trusted_key(isc_mem_t *mctx) filename); return (ISC_R_FAILURE); } - while (fgets(buf, 1500, fp) != NULL) { + while (fgets(buf, sizeof(buf), fp) != NULL) { result = opentmpkey(mctx,"tmp_file", &filetemp, &fptemp); if (result != ISC_R_SUCCESS) { fclose(fp); @@ -3701,9 +3730,8 @@ prepare_lookup(dns_name_t *name) dns_rdataset_current(chase_nsrdataset, &rdata); - (void)dns_rdata_tostruct(&rdata, &ns, NULL); - - + result = dns_rdata_tostruct(&rdata, &ns, NULL); + check_result(result, "dns_rdata_tostruct"); #ifdef __FOLLOW_GLUE__ @@ -3730,7 +3758,7 @@ prepare_lookup(dns_name_t *name) srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); } @@ -3760,7 +3788,7 @@ prepare_lookup(dns_name_t *name) srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); } @@ -3772,7 +3800,7 @@ prepare_lookup(dns_name_t *name) dns_name_print(&ns.name, stdout); printf("\n"); srv = make_server(namestr, namestr); - + ISC_LIST_APPEND(lookup->my_server_list, srv, link); #endif @@ -3919,7 +3947,7 @@ free_name(dns_name_t *name, isc_mem_t *mctx) { * return ISC_R_SUCCESS if the DNSKEY RRset contains a trusted_key * and the RRset is valid * return ISC_R_NOTFOUND if not contains trusted key - or if the RRset isn't valid + or if the RRset isn't valid * return ISC_R_FAILURE if problem * */ @@ -3944,7 +3972,7 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, do { dns_rdataset_current(rdataset, &rdata); INSIST(rdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); @@ -3954,7 +3982,7 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset, if (dst_key_compare(tk_list.key[i], dnsseckey) == ISC_TRUE) { dns_rdata_reset(&rdata); - + printf(";; Ok, find a Trusted Key in the " "DNSKEY RRset: %d\n", dst_key_id(dnsseckey)); @@ -3999,7 +4027,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset, do { dns_rdataset_current(keyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); @@ -4095,12 +4123,12 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, result = dns_rdataset_first(keyrdataset); check_result(result, "empty KEY dataset"); - dns_rdata_init(&keyrdata); + dns_rdata_init(&keyrdata); do { dns_rdataset_current(keyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); - + result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); @@ -4127,8 +4155,8 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, " new DS rdata\n"); return (result); } - - + + if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0) { printf(";; OK a DS valids a DNSKEY" @@ -4136,7 +4164,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, printf(";; Now verify that this" " DNSKEY validates the " "DNSKEY RRset\n"); - + result = sigchase_verify_sig_key(name, keyrdataset, dnsseckey, @@ -4147,7 +4175,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdata_reset(&newdsrdata); dns_rdata_reset(&dsrdata); dst_key_free(&dnsseckey); - + return (result); } } else { @@ -4372,7 +4400,7 @@ sigchase_td(dns_message_t *msg) chase_sigrdataset = NULL; have_response = ISC_FALSE; have_delegation_ns = ISC_FALSE; - + dns_name_init(&tmp_name, NULL); result = child_of_zone(&chase_name, &chase_current_name, &tmp_name); @@ -4454,7 +4482,7 @@ sigchase_td(dns_message_t *msg) prepare_lookup(&chase_authority_name); - + have_response = ISC_FALSE; have_delegation_ns = ISC_FALSE; delegation_follow = ISC_TRUE; @@ -4769,7 +4797,7 @@ sigchase_bu(dns_message_t *msg) } printf(";; An NSEC prove the non-existence of a answers," " Now we want validate this NSEC\n"); - + dup_name(&rdata_name, &chase_name, mctx); free_name(&rdata_name, mctx); chase_rdataset = rdataset; @@ -5021,7 +5049,7 @@ prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset, ret = dns_rdataset_first(nsecset); check_result(ret,"dns_rdataset_first"); - + dns_rdataset_current(nsecset, &nsec); ret = dns_nsec_typepresent(&nsec, type); diff --git a/bin/dig/host.1 b/bin/dig/host.1 index 3a0432cc1d39a..2d1687a687c33 100644 --- a/bin/dig/host.1 +++ b/bin/dig/host.1 @@ -1,5 +1,5 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") -.\" Copyright (C) 2000-2002 Internet Software Consortium. +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: host.1,v 1.11.2.1.4.8 2006/06/29 13:02:30 marka Exp $ +.\" $Id: host.1,v 1.11.2.1.4.12 2007/05/09 03:32:36 marka Exp $ .\" .hy 0 .ad l .\" Title: host .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -130,7 +130,7 @@ makes. This should mean that the name server receiving the query will not attemp \fB\-r\fR option enables \fBhost\fR -to mimic the behaviour of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers. +to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers. .PP By default \fBhost\fR @@ -152,7 +152,7 @@ The \fB\-t\fR option is used to select the query type. \fItype\fR -can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, +can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, \fBhost\fR automatically selects an appropriate query type. By default it looks for A records, but if the \fB\-C\fR @@ -187,4 +187,7 @@ will effectively wait forever for a reply. The time to wait for a response will \fBdig\fR(1), \fBnamed\fR(8). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br diff --git a/bin/dig/host.c b/bin/dig/host.c index 7d8ce9b80b1ae..5eb6c1bf25995 100644 --- a/bin/dig/host.c +++ b/bin/dig/host.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: host.c,v 1.76.2.5.2.16 2006/05/23 04:43:47 marka Exp $ */ +/* $Id: host.c,v 1.76.2.5.2.19 2007/08/28 07:19:07 tbox Exp $ */ #include #include @@ -410,8 +410,10 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { if (msg->rcode != 0) { char namestr[DNS_NAME_FORMATSIZE]; dns_name_format(query->lookup->name, namestr, sizeof(namestr)); - printf("Host %s not found: %d(%s)\n", namestr, - msg->rcode, rcodetext[msg->rcode]); + printf("Host %s not found: %d(%s)\n", + (msg->rcode != dns_rcode_nxdomain) ? namestr : + query->lookup->textname, msg->rcode, + rcodetext[msg->rcode]); return (ISC_R_SUCCESS); } diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook index 2b6e92b76d460..a399043403ba9 100644 --- a/bin/dig/host.docbook +++ b/bin/dig/host.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,12 +36,14 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") 2000 2001 2002 + 2003 Internet Software Consortium. @@ -160,7 +162,7 @@ desired — bit in the query which host makes. This should mean that the name server receiving the query will not attempt to resolve name. The option enables host to mimic -the behaviour of a name server by making non-recursive queries and +the behavior of a name server by making non-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers. @@ -180,7 +182,7 @@ use IPv4 query transport. The option forces The option is used to select the query type. -type can be any recognised query type: CNAME, +type can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, host automatically selects an appropriate query type. By default it looks for A records, but if the diff --git a/bin/dig/host.html b/bin/dig/host.html index 4c1621510441c..07c930550f454 100644 --- a/bin/dig/host.html +++ b/bin/dig/host.html @@ -1,6 +1,6 @@ - + host - +
-
+

Name

host — DNS lookup utility

@@ -32,7 +32,7 @@

host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-4] [-6] {name} [server]

-

DESCRIPTION

+

DESCRIPTION

host is a simple utility for performing DNS lookups. @@ -114,7 +114,7 @@ desired — bit in the query which hostname. The -r option enables host to mimic -the behaviour of a name server by making non-recursive queries and +the behavior of a name server by making non-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.

@@ -131,7 +131,7 @@ use IPv4 query transport. The -6 option forces

The -t option is used to select the query type. -type can be any recognised query type: CNAME, +type can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, host automatically selects an appropriate query type. By default it looks for A records, but if the @@ -155,13 +155,13 @@ value for an integer quantity.

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), named(8). diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h index 91dae5cf2e241..1e6ea7b8acc98 100644 --- a/bin/dig/include/dig/dig.h +++ b/bin/dig/include/dig/dig.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.h,v 1.71.2.6.2.14 2006/12/07 01:26:33 marka Exp $ */ +/* $Id: dig.h,v 1.71.2.6.2.18 2007/08/28 07:19:07 tbox Exp $ */ #ifndef DIG_H #define DIG_H @@ -116,6 +116,8 @@ struct dig_lookup { section_additional, servfail_stops, new_search, + need_search, + done_as_is, besteffort, dnssec; #ifdef DIG_SIGCHASE @@ -281,6 +283,9 @@ check_result(isc_result_t result, const char *msg); void setup_lookup(dig_lookup_t *lookup); +void +destroy_lookup(dig_lookup_t *lookup); + void do_lookup(dig_lookup_t *lookup); diff --git a/bin/dig/nslookup.1 b/bin/dig/nslookup.1 index 7b1d4d2f7f72d..4121c8d4ac0ce 100644 --- a/bin/dig/nslookup.1 +++ b/bin/dig/nslookup.1 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -12,13 +12,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: nslookup.1,v 1.1.6.7 2006/06/29 13:02:30 marka Exp $ +.\" $Id: nslookup.1,v 1.1.6.12 2007/05/16 06:10:54 marka Exp $ .\" .hy 0 .ad l .\" Title: nslookup .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -42,10 +42,10 @@ has two modes: interactive and non\-interactive. Interactive mode allows the use .SH "ARGUMENTS" .PP Interactive mode is entered in the following cases: -.TP 3n +.TP 4 1. when no arguments are given (the default name server will be used) -.TP 3n +.TP 4 2. when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server. .sp @@ -54,17 +54,22 @@ when the first argument is a hyphen (\-) and the second argument is the host nam Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server. .PP Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type: -.sp .RS 3n .nf nslookup \-query=hinfo \-timeout=10 .fi .RE +.sp .RS 4 .nf nslookup \-query=hinfo \-timeout=10 .fi .RE .SH "INTERACTIVE COMMANDS" -.TP 3n -host [server] +.PP +\fBhost\fR [server] +.RS 4 Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name. .sp To look up a host not in the current domain, append a period to the name. -.TP 3n +.RE +.PP \fBserver\fR \fIdomain\fR -.TP 3n +.RS 4 +.RE +.PP \fBlserver\fR \fIdomain\fR +.RS 4 Change the default server to \fIdomain\fR; \fBlserver\fR @@ -72,107 +77,158 @@ uses the initial server to look up information about \fIdomain\fR, while \fBserver\fR uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned. -.TP 3n +.RE +.PP \fBroot\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fBfinger\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fBls\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fBview\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fBhelp\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fB?\fR +.RS 4 not implemented -.TP 3n +.RE +.PP \fBexit\fR +.RS 4 Exits the program. -.TP 3n +.RE +.PP \fBset\fR \fIkeyword\fR\fI[=value]\fR +.RS 4 This command is used to change state information that affects the lookups. Valid keywords are: -.RS 3n -.TP 3n +.RS 4 +.PP \fBall\fR +.RS 4 Prints the current values of the frequently used options to \fBset\fR. Information about the current default server and host is also printed. -.TP 3n +.RE +.PP \fBclass=\fR\fIvalue\fR +.RS 4 Change the query class to one of: -.RS 3n -.TP 3n +.RS 4 +.PP \fBIN\fR +.RS 4 the Internet class -.TP 3n +.RE +.PP \fBCH\fR +.RS 4 the Chaos class -.TP 3n +.RE +.PP \fBHS\fR +.RS 4 the Hesiod class -.TP 3n +.RE +.PP \fBANY\fR +.RS 4 wildcard .RE -.IP "" 3n +.RE +.IP "" 4 The class specifies the protocol group of the information. .sp (Default = IN; abbreviation = cl) -.TP 3n +.RE +.PP \fB\fI[no]\fR\fR\fBdebug\fR -Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer. +.RS 4 +Turn on or off the display of the full response packet and any intermediate response packets when searching. .sp (Default = nodebug; abbreviation = [no]deb) -.TP 3n +.RE +.PP \fB\fI[no]\fR\fR\fBd2\fR -Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer. +.RS 4 +Turn debugging mode on or off. This displays more about what nslookup is doing. .sp (Default = nod2) -.TP 3n +.RE +.PP \fBdomain=\fR\fIname\fR +.RS 4 Sets the search list to \fIname\fR. -.TP 3n +.RE +.PP \fB\fI[no]\fR\fR\fBsearch\fR +.RS 4 If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received. .sp (Default = search) -.TP 3n +.RE +.PP \fBport=\fR\fIvalue\fR +.RS 4 Change the default TCP/UDP name server port to \fIvalue\fR. .sp (Default = 53; abbreviation = po) -.TP 3n +.RE +.PP \fBquerytype=\fR\fIvalue\fR -.TP 3n +.RS 4 +.RE +.PP \fBtype=\fR\fIvalue\fR +.RS 4 Change the type of the information query. .sp (Default = A; abbreviations = q, ty) -.TP 3n +.RE +.PP \fB\fI[no]\fR\fR\fBrecurse\fR +.RS 4 Tell the name server to query other servers if it does not have the information. .sp (Default = recurse; abbreviation = [no]rec) -.TP 3n +.RE +.PP \fBretry=\fR\fInumber\fR +.RS 4 Set the number of retries to number. -.TP 3n +.RE +.PP \fBtimeout=\fR\fInumber\fR +.RS 4 Change the initial timeout interval for waiting for a reply to number seconds. -.TP 3n +.RE +.PP \fB\fI[no]\fR\fR\fBvc\fR +.RS 4 Always use a virtual circuit when sending requests to the server. .sp (Default = novc) .RE -.IP "" 3n +.RE +.IP "" 4 +.RE .SH "FILES" .PP \fI/etc/resolv.conf\fR @@ -185,4 +241,5 @@ Always use a virtual circuit when sending requests to the server. .PP Andrew Cherenson .SH "COPYRIGHT" -Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c index 5ae64d0d59406..32fcdbf325f65 100644 --- a/bin/dig/nslookup.c +++ b/bin/dig/nslookup.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nslookup.c,v 1.90.2.4.2.12 2006/06/09 23:50:53 marka Exp $ */ +/* $Id: nslookup.c,v 1.90.2.4.2.15 2007/08/28 07:19:07 tbox Exp $ */ #include @@ -409,8 +409,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { char nametext[DNS_NAME_FORMATSIZE]; dns_name_format(query->lookup->name, nametext, sizeof(nametext)); - printf("** server can't find %s: %s\n", nametext, - rcodetext[msg->rcode]); + printf("** server can't find %s: %s\n", + (msg->rcode != dns_rcode_nxdomain) ? nametext : + query->lookup->textname, rcodetext[msg->rcode]); debug("returning with rcode == 0"); return (ISC_R_SUCCESS); } diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook index 741ad345a27ab..090545468651b 100644 --- a/bin/dig/nslookup.docbook +++ b/bin/dig/nslookup.docbook @@ -1,10 +1,10 @@ -]> - + - + nslookup - +

-
+

Name

nslookup — query Internet name servers interactively

@@ -31,7 +31,7 @@

nslookup [-option] [name | -] [server]

-

DESCRIPTION

+

DESCRIPTION

Nslookup is a program to query Internet domain name servers. Nslookup @@ -43,7 +43,7 @@ domain.

-

ARGUMENTS

+

ARGUMENTS

Interactive mode is entered in the following cases:

@@ -75,9 +75,9 @@ nslookup -query=hinfo -timeout=10

-

INTERACTIVE COMMANDS

+

INTERACTIVE COMMANDS

-
host [server]
+
host [server]

Look up information for host using the current default server or @@ -151,9 +151,8 @@ the lookups. Valid keywords are:

[no]debug

- Turn debugging mode on. A lot more information is - printed about the packet sent to the server and the - resulting answer. + Turn on or off the display of the full response packet and + any intermediate response packets when searching.

(Default = nodebug; abbreviation = [no]deb) @@ -162,9 +161,8 @@ the lookups. Valid keywords are:

[no]d2

- Turn debugging mode on. A lot more information is - printed about the packet sent to the server and the - resulting answer. + Turn debugging mode on or off. This displays more about + what nslookup is doing.

(Default = nod2) @@ -241,13 +239,13 @@ the lookups. Valid keywords are:

-

FILES

+

FILES

/etc/resolv.conf

-

SEE ALSO

+

SEE ALSO

dig(1), host(1), @@ -255,7 +253,7 @@ the lookups. Valid keywords are:

-

Author

+

Author

Andrew Cherenson

diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in index b9b7bea37c267..25437c3a0d5b5 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2000-2002 Internet Software Consortium. +# Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.19.12.12 2005/05/02 00:25:54 marka Exp $ +# $Id: Makefile.in,v 1.19.12.15 2007/08/28 07:19:07 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8 index 35bb0efda57ae..877ac07829094 100644 --- a/bin/dnssec/dnssec-keygen.8 +++ b/bin/dnssec/dnssec-keygen.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keygen.8,v 1.19.12.10 2006/06/29 13:02:30 marka Exp $ +.\" $Id: dnssec-keygen.8,v 1.19.12.13 2007/05/09 03:32:36 marka Exp $ .\" .hy 0 .ad l .\" Title: dnssec\-keygen .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -37,10 +37,11 @@ dnssec\-keygen \- DNSSEC key generation tool .SH "DESCRIPTION" .PP \fBdnssec\-keygen\fR -generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC . It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. +generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. .SH "OPTIONS" -.TP 3n +.PP \-a \fIalgorithm\fR +.RS 4 Selects the cryptographic algorithm. The value of \fBalgorithm\fR must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive. @@ -48,38 +49,58 @@ must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory. .sp Note 2: HMAC\-MD5 and DH automatically set the \-k flag. -.TP 3n +.RE +.PP \-b \fIkeysize\fR +.RS 4 Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits. -.TP 3n +.RE +.PP \-n \fInametype\fR +.RS 4 Specifies the owner type of the key. The value of \fBnametype\fR must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. -.TP 3n +.RE +.PP \-c \fIclass\fR +.RS 4 Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. -.TP 3n +.RE +.PP \-e +.RS 4 If generating an RSAMD5/RSASHA1 key, use a large exponent. -.TP 3n +.RE +.PP \-f \fIflag\fR +.RS 4 Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY. -.TP 3n +.RE +.PP \-g \fIgenerator\fR +.RS 4 If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2. -.TP 3n +.RE +.PP \-h +.RS 4 Prints a short summary of the options and arguments to \fBdnssec\-keygen\fR. -.TP 3n +.RE +.PP \-k +.RS 4 Generate KEY records rather than DNSKEY records. -.TP 3n +.RE +.PP \-p \fIprotocol\fR +.RS 4 Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors. -.TP 3n +.RE +.PP \-r \fIrandomdev\fR +.RS 4 Specifies the source of randomness. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input. @@ -87,17 +108,24 @@ or equivalent device, the default source of randomness is keyboard input. specifies the name of a character device or file containing random data to be used instead of the default. The special value \fIkeyboard\fR indicates that keyboard input should be used. -.TP 3n +.RE +.PP \-s \fIstrength\fR +.RS 4 Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC. -.TP 3n +.RE +.PP \-t \fItype\fR +.RS 4 Indicates the use of the key. \fBtype\fR must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data. -.TP 3n +.RE +.PP \-v \fIlevel\fR +.RS 4 Sets the debugging level. +.RE .SH "GENERATED KEYS" .PP When @@ -105,23 +133,21 @@ When completes successfully, it prints a string of the form \fIKnnnn.+aaa+iiiii\fR to the standard output. This is an identification string for the key it has generated. -.TP 3n +.TP 4 \(bu \fInnnn\fR is the key name. -.TP 3n +.TP 4 \(bu \fIaaa\fR is the numeric representation of the algorithm. -.TP 3n +.TP 4 \(bu \fIiiiii\fR is the key identifier (or footprint). -.sp -.RE .PP \fBdnssec\-keygen\fR -creates two file, with names based on the printed string. +creates two files, with names based on the printed string. \fIKnnnn.+aaa+iiiii.key\fR contains the public key, and \fIKnnnn.+aaa+iiiii.private\fR @@ -133,13 +159,13 @@ file contains a DNS KEY record that can be inserted into a zone file (directly o .PP The \fI.private\fR -file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission. +file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission. .PP Both \fI.key\fR and \fI.private\fR -files are generated for symmetric encryption algorithm such as HMAC\-MD5, even though the public and private key are equivalent. +files are generated for symmetric encryption algorithms such as HMAC\-MD5, even though the public and private key are equivalent. .SH "EXAMPLE" .PP To generate a 768\-bit DSA key for the domain @@ -156,7 +182,7 @@ In this example, creates the files \fIKexample.com.+003+26160.key\fR and -\fIKexample.com.+003+26160.private\fR +\fIKexample.com.+003+26160.private\fR. .SH "SEE ALSO" .PP \fBdnssec\-signzone\fR(8), @@ -168,4 +194,7 @@ RFC 2539. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 7feaf7c3d977f..9e0b8c7cb965f 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -1,9 +1,9 @@ /* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 2000-2003 Internet Software Consortium. + * Portions Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 1999-2003 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -16,7 +16,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.48.2.1.10.11 2004/06/11 01:17:34 marka Exp $ */ +/* $Id: dnssec-keygen.c,v 1.48.2.1.10.14 2007/08/28 07:19:07 tbox Exp $ */ #include diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index e1eee228ee659..6ef1f090e628f 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -1,11 +1,11 @@ -]> - + @@ -35,6 +35,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") @@ -76,7 +77,7 @@ DESCRIPTION dnssec-keygen generates keys for DNSSEC - (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate + (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. @@ -282,7 +283,7 @@ - dnssec-keygen creates two file, with names based + dnssec-keygen creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and Knnnn.+aaa+iiiii.private contains the private @@ -294,13 +295,13 @@ statement). - The .private file contains algorithm specific + The .private file contains algorithm-specific fields. For obvious security reasons, this file does not have general read permission. Both .key and .private - files are generated for symmetric encryption algorithm such as + files are generated for symmetric encryption algorithms such as HMAC-MD5, even though the public and private key are equivalent. @@ -324,7 +325,7 @@ In this example, dnssec-keygen creates the files Kexample.com.+003+26160.key and - Kexample.com.+003+26160.private + Kexample.com.+003+26160.private. diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html index 7a15099bae01a..6d3cc83f5ddf4 100644 --- a/bin/dnssec/dnssec-keygen.html +++ b/bin/dnssec/dnssec-keygen.html @@ -1,5 +1,5 @@ - + dnssec-keygen - +
-
+

Name

dnssec-keygen — DNSSEC key generation tool

@@ -32,16 +32,16 @@

dnssec-keygen {-a algorithm} {-b keysize} {-n nametype} [-c class] [-e] [-f flag] [-g generator] [-h] [-k] [-p protocol] [-r randomdev] [-s strength] [-t type] [-v level] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC - (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate + (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -144,7 +144,7 @@
-

GENERATED KEYS

+

GENERATED KEYS

When dnssec-keygen completes successfully, it prints a string of the form Knnnn.+aaa+iiiii @@ -164,7 +164,7 @@

- dnssec-keygen creates two file, with names based + dnssec-keygen creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and Knnnn.+aaa+iiiii.private contains the private @@ -176,18 +176,18 @@ statement).

- The .private file contains algorithm specific + The .private file contains algorithm-specific fields. For obvious security reasons, this file does not have general read permission.

Both .key and .private - files are generated for symmetric encryption algorithm such as + files are generated for symmetric encryption algorithms such as HMAC-MD5, even though the public and private key are equivalent.

-

EXAMPLE

+

EXAMPLE

To generate a 768-bit DSA key for the domain example.com, the following command would be @@ -205,11 +205,11 @@

In this example, dnssec-keygen creates the files Kexample.com.+003+26160.key and - Kexample.com.+003+26160.private + Kexample.com.+003+26160.private.

-

SEE ALSO

+

SEE ALSO

dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -219,7 +219,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8 index 734eca6f80708..e1e88c8466cef 100644 --- a/bin/dnssec/dnssec-signzone.8 +++ b/bin/dnssec/dnssec-signzone.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.11 2006/06/29 13:02:30 marka Exp $ +.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.14 2007/05/09 03:32:36 marka Exp $ .\" .hy 0 .ad l .\" Title: dnssec\-signzone .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -41,51 +41,72 @@ signs a zone. It generates NSEC and RRSIG records and produces a signed version \fIkeyset\fR file for each child zone. .SH "OPTIONS" -.TP 3n +.PP \-a +.RS 4 Verify all generated signatures. -.TP 3n +.RE +.PP \-c \fIclass\fR +.RS 4 Specifies the DNS class of the zone. -.TP 3n +.RE +.PP \-k \fIkey\fR +.RS 4 Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times. -.TP 3n +.RE +.PP \-l \fIdomain\fR +.RS 4 Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records. -.TP 3n +.RE +.PP \-d \fIdirectory\fR +.RS 4 Look for \fIkeyset\fR files in \fBdirectory\fR as the directory -.TP 3n +.RE +.PP \-g +.RS 4 Generate DS records for child zones from keyset files. Existing DS records will be removed. -.TP 3n +.RE +.PP \-s \fIstart\-time\fR +.RS 4 Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no \fBstart\-time\fR is specified, the current time minus 1 hour (to allow for clock skew) is used. -.TP 3n +.RE +.PP \-e \fIend\-time\fR +.RS 4 Specify the date and time when the generated RRSIG records expire. As with \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no \fBend\-time\fR is specified, 30 days from the start time is used as a default. -.TP 3n +.RE +.PP \-f \fIoutput\-file\fR +.RS 4 The name of the output file containing the signed zone. The default is to append \fI.signed\fR -to the input file. -.TP 3n +to the input filename. +.RE +.PP \-h +.RS 4 Prints a short summary of the options and arguments to \fBdnssec\-signzone\fR. -.TP 3n +.RE +.PP \-i \fIinterval\fR -When a previously signed zone is passed as input, records may be resigned. The +.RS 4 +When a previously\-signed zone is passed as input, records may be resigned. The \fBinterval\fR option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced. .sp @@ -96,17 +117,25 @@ or are specified, \fBdnssec\-signzone\fR generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced. -.TP 3n +.RE +.PP \-n \fIncpus\fR +.RS 4 Specifies the number of threads to use. By default, one thread is started for each detected CPU. -.TP 3n +.RE +.PP \-o \fIorigin\fR +.RS 4 The zone origin. If not specified, the name of the zone file is assumed to be the origin. -.TP 3n +.RE +.PP \-p +.RS 4 Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. -.TP 3n +.RE +.PP \-r \fIrandomdev\fR +.RS 4 Specifies the source of randomness. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input. @@ -114,42 +143,68 @@ or equivalent device, the default source of randomness is keyboard input. specifies the name of a character device or file containing random data to be used instead of the default. The special value \fIkeyboard\fR indicates that keyboard input should be used. -.TP 3n +.RE +.PP \-t +.RS 4 Print statistics at completion. -.TP 3n +.RE +.PP \-v \fIlevel\fR +.RS 4 Sets the debugging level. -.TP 3n +.RE +.PP \-z +.RS 4 Ignore KSK flag on key when determining what to sign. -.TP 3n +.RE +.PP zonefile +.RS 4 The file containing the zone to be signed. -.TP 3n +.RE +.PP key -The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory. +.RS 4 +Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing. +.RE .SH "EXAMPLE" .PP The following command signs the \fBexample.com\fR -zone with the DSA key generated in the +zone with the DSA key generated by \fBdnssec\-keygen\fR -man page. The zone's keys must be in the zone. If there are +(Kexample.com.+003+17247). The zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for \fIkeyset\fR -files associated with child zones, they must be in the current directory. -\fBexample.com\fR, the following command would be issued: -.PP -\fBdnssec\-signzone \-o example.com db.example.com Kexample.com.+003+26160\fR -.PP -The command would print a string of the form: +files, in the current directory, so that DS records can be generated from them (\fB\-g\fR). +.sp +.RS 4 +.nf +% dnssec\-signzone \-g \-o example.com db.example.com \\ +Kexample.com.+003+17247 +db.example.com.signed +% +.fi +.RE .PP -In this example, +In the above example, \fBdnssec\-signzone\fR creates the file \fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a \fInamed.conf\fR file. +.PP +This example re\-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory. +.sp +.RS 4 +.nf +% cp db.example.com.signed db.example.com +% dnssec\-signzone \-o example.com db.example.com +db.example.com.signed +% +.fi +.RE .SH "SEE ALSO" .PP \fBdnssec\-keygen\fR(8), @@ -159,4 +214,7 @@ RFC 2535. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 4ac840df06b89..10e1133660c41 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -1,9 +1,9 @@ /* - * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -16,7 +16,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.139.2.2.4.23 2006/01/04 23:50:19 marka Exp $ */ +/* $Id: dnssec-signzone.c,v 1.139.2.2.4.29 2008/01/30 01:51:54 marka Exp $ */ #include @@ -159,37 +159,6 @@ dumpnode(dns_name_t *name, dns_dbnode_t *node) { check_result(result, "dns_master_dumpnodetostream"); } -static void -dumpdb(dns_db_t *db) { - dns_dbiterator_t *dbiter = NULL; - dns_dbnode_t *node; - dns_fixedname_t fname; - dns_name_t *name; - isc_result_t result; - - dbiter = NULL; - result = dns_db_createiterator(db, ISC_FALSE, &dbiter); - check_result(result, "dns_db_createiterator()"); - - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); - node = NULL; - - for (result = dns_dbiterator_first(dbiter); - result == ISC_R_SUCCESS; - result = dns_dbiterator_next(dbiter)) - { - result = dns_dbiterator_current(dbiter, &node, name); - check_result(result, "dns_dbiterator_current()"); - dumpnode(name, node); - dns_db_detachnode(db, &node); - } - if (result != ISC_R_NOMORE) - fatal("iterating database: %s", isc_result_totext(result)); - - dns_dbiterator_destroy(&dbiter); -} - static signer_key_t * newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) { signer_key_t *key; @@ -974,7 +943,7 @@ active_node(dns_dbnode_t *node) { fatal("rdataset iteration failed: %s", isc_result_totext(result)); } else { - /* + /* * Delete RRSIGs for types that no longer exist. */ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter2); @@ -1382,7 +1351,7 @@ loadzonekeys(dns_db_t *db) { for (i = 0; i < nkeys; i++) { signer_key_t *key; - key = newkeystruct(keys[i], ISC_TRUE); + key = newkeystruct(keys[i], dst_key_isprivate(keys[i])); ISC_LIST_APPEND(keylist, key, link); } dns_db_detachnode(db, &node); @@ -1506,7 +1475,7 @@ writeset(const char *prefix, dns_rdatatype_t type) { unsigned char dsbuf[DNS_DS_BUFFERSIZE]; unsigned char keybuf[DST_KEY_MAXSIZE]; unsigned int filenamelen; - const dns_master_style_t *style = + const dns_master_style_t *style = (type == dns_rdatatype_dnskey) ? masterstyle : dsstyle; isc_buffer_init(&namebuf, namestr, sizeof(namestr)); @@ -1692,13 +1661,13 @@ print_stats(isc_time_t *timer_start, isc_time_t *timer_finish) { printf("Signatures successfully verified: %10d\n", nverified); printf("Signatures unsuccessfully verified: %10d\n", nverifyfailed); runtime_ms = runtime_us / 1000; - printf("Runtime in seconds: %7u.%03u\n", - (unsigned int) (runtime_ms / 1000), + printf("Runtime in seconds: %7u.%03u\n", + (unsigned int) (runtime_ms / 1000), (unsigned int) (runtime_ms % 1000)); if (runtime_us > 0) { sig_ms = ((isc_uint64_t)nsigned * 1000000000) / runtime_us; printf("Signatures per second: %7u.%03u\n", - (unsigned int) sig_ms / 1000, + (unsigned int) sig_ms / 1000, (unsigned int) sig_ms % 1000); } } @@ -1720,7 +1689,6 @@ main(int argc, char *argv[]) { isc_boolean_t free_output = ISC_FALSE; int tempfilelen; dns_rdataclass_t rdclass; - dns_db_t *udb = NULL; isc_task_t **tasks = NULL; isc_buffer_t b; int len; @@ -1776,7 +1744,7 @@ main(int argc, char *argv[]) { "positive"); break; - case 'l': + case 'l': dns_fixedname_init(&dlv_fixed); len = strlen(isc_commandline_argument); isc_buffer_init(&b, isc_commandline_argument, len); @@ -1904,7 +1872,7 @@ main(int argc, char *argv[]) { result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL, 0, 24, 0, 0, 0, 8, mctx); check_result(result, "dns_master_stylecreate"); - + gdb = NULL; TIME_NOW(&timer_start); @@ -1926,8 +1894,8 @@ main(int argc, char *argv[]) { DST_TYPE_PRIVATE, mctx, &newkey); if (result != ISC_R_SUCCESS) - fatal("cannot load dnskey %s: %s", argv[i], - isc_result_totext(result)); + fatal("cannot load dnskey %s: %s", argv[i], + isc_result_totext(result)); key = ISC_LIST_HEAD(keylist); while (key != NULL) { @@ -1935,7 +1903,7 @@ main(int argc, char *argv[]) { if (dst_key_id(dkey) == dst_key_id(newkey) && dst_key_alg(dkey) == dst_key_alg(newkey) && dns_name_equal(dst_key_name(dkey), - dst_key_name(newkey))) + dst_key_name(newkey))) { if (!dst_key_isprivate(dkey)) fatal("cannot sign zone with " @@ -1964,7 +1932,7 @@ main(int argc, char *argv[]) { mctx, &newkey); if (result != ISC_R_SUCCESS) fatal("cannot load dnskey %s: %s", dskeyfile[i], - isc_result_totext(result)); + isc_result_totext(result)); key = ISC_LIST_HEAD(keylist); while (key != NULL) { @@ -1972,7 +1940,7 @@ main(int argc, char *argv[]) { if (dst_key_id(dkey) == dst_key_id(newkey) && dst_key_alg(dkey) == dst_key_alg(newkey) && dns_name_equal(dst_key_name(dkey), - dst_key_name(newkey))) + dst_key_name(newkey))) { /* Override key flags. */ key->issigningkey = ISC_TRUE; @@ -2074,11 +2042,6 @@ main(int argc, char *argv[]) { isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *)); postsign(); - if (udb != NULL) { - dumpdb(udb); - dns_db_detach(&udb); - } - result = isc_stdio_close(fp); check_result(result, "isc_stdio_close"); removefile = ISC_FALSE; diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 35f35cc7339dc..d3f9fc5c5b838 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -1,11 +1,11 @@ -]> - + @@ -35,6 +35,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") @@ -188,7 +189,7 @@ The name of the output file containing the signed zone. The default is to append .signed to the - input file. + input filename. @@ -207,7 +208,7 @@ -i interval - When a previously signed zone is passed as input, records + When a previously-signed zone is passed as input, records may be resigned. The option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the @@ -315,9 +316,11 @@ key - The keys used to sign the zone. If no keys are specified, the - default all zone keys that have private key files in the - current directory. + Specify which keys should be used to sign the zone. If + no keys are specified, then the zone will be examined + for DNSKEY records at the zone apex. If these are found and + there are matching private keys, in the current directory, + then these will be used for signing. @@ -328,26 +331,31 @@ EXAMPLE - The following command signs the example.com - zone with the DSA key generated in the dnssec-keygen - man page. The zone's keys must be in the zone. If there are - keyset files associated with child zones, - they must be in the current directory. - example.com, the following command would be - issued: + The following command signs the example.com + zone with the DSA key generated by dnssec-keygen + (Kexample.com.+003+17247). The zone's keys must be in the master + file (db.example.com). This invocation looks + for keyset files, in the current directory, + so that DS records can be generated from them (-g). +% dnssec-signzone -g -o example.com db.example.com \ +Kexample.com.+003+17247 +db.example.com.signed +% - dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160 + In the above example, dnssec-signzone creates + the file db.example.com.signed. This + file should be referenced in a zone statement in a + named.conf file. - The command would print a string of the form: - - - In this example, dnssec-signzone creates - the file db.example.com.signed. This file - should be referenced in a zone statement in a - named.conf file. + This example re-signs a previously signed zone with default parameters. + The private keys are assumed to be in the current directory. +% cp db.example.com.signed db.example.com +% dnssec-signzone -o example.com db.example.com +db.example.com.signed +% diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html index bd926312e8682..b3d00ce0f0563 100644 --- a/bin/dnssec/dnssec-signzone.html +++ b/bin/dnssec/dnssec-signzone.html @@ -1,5 +1,5 @@ - + dnssec-signzone - +
-
+

Name

dnssec-signzone — DNSSEC zone signing tool

@@ -32,7 +32,7 @@

dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-k key] [-l domain] [-i interval] [-n nthreads] [-o origin] [-p] [-r randomdev] [-s start-time] [-t] [-v level] [-z] {zonefile} [key...]

-

DESCRIPTION

+

DESCRIPTION

dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -43,7 +43,7 @@

-

OPTIONS

+

OPTIONS

-a

@@ -98,7 +98,7 @@

The name of the output file containing the signed zone. The default is to append .signed to the - input file. + input filename.

-h

@@ -108,7 +108,7 @@

-i interval

- When a previously signed zone is passed as input, records + When a previously-signed zone is passed as input, records may be resigned. The interval option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the @@ -172,38 +172,45 @@

key

- The keys used to sign the zone. If no keys are specified, the - default all zone keys that have private key files in the - current directory. + Specify which keys should be used to sign the zone. If + no keys are specified, then the zone will be examined + for DNSKEY records at the zone apex. If these are found and + there are matching private keys, in the current directory, + then these will be used for signing.

-

EXAMPLE

+

EXAMPLE

- The following command signs the example.com - zone with the DSA key generated in the dnssec-keygen - man page. The zone's keys must be in the zone. If there are - keyset files associated with child zones, - they must be in the current directory. - example.com, the following command would be - issued: + The following command signs the example.com + zone with the DSA key generated by dnssec-keygen + (Kexample.com.+003+17247). The zone's keys must be in the master + file (db.example.com). This invocation looks + for keyset files, in the current directory, + so that DS records can be generated from them (-g).

+
% dnssec-signzone -g -o example.com db.example.com \
+Kexample.com.+003+17247
+db.example.com.signed
+%

- dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160 + In the above example, dnssec-signzone creates + the file db.example.com.signed. This + file should be referenced in a zone statement in a + named.conf file.

- The command would print a string of the form: -

-

- In this example, dnssec-signzone creates - the file db.example.com.signed. This file - should be referenced in a zone statement in a - named.conf file. + This example re-signs a previously signed zone with default parameters. + The private keys are assumed to be in the current directory.

+
% cp db.example.com.signed db.example.com
+% dnssec-signzone -o example.com db.example.com
+db.example.com.signed
+%
-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), BIND 9 Administrator Reference Manual, @@ -211,7 +218,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in index 50fb93bf11d99..a2c92bcfbe27b 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 1998-2002 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1998-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.74.12.11 2004/09/06 21:47:25 marka Exp $ +# $Id: Makefile.in,v 1.74.12.14 2007/08/28 07:19:08 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/bin/named/aclconf.c b/bin/named/aclconf.c index 102a891033a49..4a6cce72fbc45 100644 --- a/bin/named/aclconf.c +++ b/bin/named/aclconf.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: aclconf.c,v 1.27.12.7 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: aclconf.c,v 1.27.12.10 2007/08/28 07:19:08 tbox Exp $ */ #include diff --git a/bin/named/client.c b/bin/named/client.c index b0ce793b98eaa..6d4cc91a4e4ca 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.176.2.13.4.31 2006/07/22 01:09:38 marka Exp $ */ +/* $Id: client.c,v 1.176.2.13.4.38 2007/08/28 07:19:08 tbox Exp $ */ #include @@ -1149,7 +1149,7 @@ client_addopt(ns_client_t *client) { rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE); /* - * No ENDS options in the default case. + * No EDNS options in the default case. */ rdata->data = NULL; rdata->length = 0; @@ -1348,6 +1348,14 @@ client_request(isc_task_t *task, isc_event_t *event) { } } + /* + * Hash the incoming request here as it is after + * dns_dispatch_importrecv(). + */ + dns_dispatch_hash(&client->now, sizeof(client->now)); + dns_dispatch_hash(isc_buffer_base(buffer), + isc_buffer_usedlength(buffer)); + /* * It's a request. Parse it. */ @@ -1413,7 +1421,7 @@ client_request(isc_task_t *task, isc_event_t *event) { } /* - * Do we understand this version of ENDS? + * Do we understand this version of EDNS? * * XXXRTH need library support for this! */ @@ -1485,6 +1493,7 @@ client_request(isc_task_t *task, isc_event_t *event) { "failed to get request's " "destination: %s", isc_result_totext(result)); + ns_client_next(client, ISC_R_SUCCESS); goto cleanup; } } @@ -1573,21 +1582,29 @@ client_request(isc_task_t *task, isc_event_t *event) { char tsigrcode[64]; isc_buffer_t b; dns_name_t *name = NULL; + dns_rcode_t status; + isc_result_t tresult; - isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1); - RUNTIME_CHECK(dns_tsigrcode_totext(client->message->tsigstatus, - &b) == ISC_R_SUCCESS); - tsigrcode[isc_buffer_usedlength(&b)] = '\0'; /* There is a signature, but it is bad. */ if (dns_message_gettsig(client->message, &name) != NULL) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(name, namebuf, sizeof(namebuf)); + status = client->message->tsigstatus; + isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1); + tresult = dns_tsigrcode_totext(status, &b); + INSIST(tresult == ISC_R_SUCCESS); + tsigrcode[isc_buffer_usedlength(&b)] = '\0'; ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, "request has invalid signature: " "TSIG %s: %s (%s)", namebuf, isc_result_totext(result), tsigrcode); } else { + status = client->message->sig0status; + isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1); + tresult = dns_tsigrcode_totext(status, &b); + INSIST(tresult == ISC_R_SUCCESS); + tsigrcode[isc_buffer_usedlength(&b)] = '\0'; ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, "request has invalid signature: %s (%s)", diff --git a/bin/named/config.c b/bin/named/config.c index 7b5b99e6720e5..88e7bc9e34078 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,12 +15,11 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.11.2.4.8.32 2006/02/28 06:32:53 marka Exp $ */ +/* $Id: config.c,v 1.11.2.4.8.36 2007/09/13 05:18:08 each Exp $ */ #include #include -#include #include #include @@ -28,6 +27,7 @@ #include #include #include +#include #include #include @@ -159,7 +159,7 @@ options {\n\ " "#\n\ -# Zones in the \"_bind\" view are NOT counted is the count of zones.\n\ +# Zones in the \"_bind\" view are NOT counted in the count of zones.\n\ #\n\ view \"_bind\" chaos {\n\ recursion no;\n\ diff --git a/bin/named/control.c b/bin/named/control.c index c9d17abe02763..c4b5419f71a4f 100644 --- a/bin/named/control.c +++ b/bin/named/control.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,15 +15,15 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: control.c,v 1.7.2.2.2.14 2005/04/29 01:04:47 marka Exp $ */ +/* $Id: control.c,v 1.7.2.2.2.16 2007/09/13 23:45:58 tbox Exp $ */ #include -#include #include #include #include +#include #include #include diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c index b6bcc166200c0..d8a7bcf2fcf93 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006, 2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: controlconf.c,v 1.28.2.9.2.10 2006/02/28 06:32:53 marka Exp $ */ +/* $Id: controlconf.c,v 1.28.2.9.2.13 2008/01/17 23:45:27 tbox Exp $ */ #include @@ -337,9 +337,9 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { listener = conn->listener; secret.rstart = NULL; - /* Is the server shutting down? */ - if (listener->controls->shuttingdown) - goto cleanup; + /* Is the server shutting down? */ + if (listener->controls->shuttingdown) + goto cleanup; if (conn->ccmsg.result != ISC_R_SUCCESS) { if (conn->ccmsg.result != ISC_R_CANCELED && @@ -356,9 +356,6 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { { ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer); ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer); - if (secret.rstart != NULL) - isc_mem_put(listener->mctx, secret.rstart, - REGION_SIZE(secret)); secret.rstart = isc_mem_get(listener->mctx, key->secret.length); if (secret.rstart == NULL) goto cleanup; @@ -367,7 +364,8 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { result = isccc_cc_fromwire(&ccregion, &request, &secret); if (result == ISC_R_SUCCESS) break; - else if (result == ISCCC_R_BADAUTH) { + isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret)); + if (result == ISCCC_R_BADAUTH) { /* * For some reason, request is non-NULL when * isccc_cc_fromwire returns ISCCC_R_BADAUTH. @@ -388,7 +386,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { /* We shouldn't be getting a reply. */ if (isccc_cc_isreply(request)) { log_invalid(&conn->ccmsg, ISC_R_FAILURE); - goto cleanup; + goto cleanup_request; } isc_stdtime_get(&now); @@ -399,17 +397,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { _ctrl = isccc_alist_lookup(request, "_ctrl"); if (_ctrl == NULL) { log_invalid(&conn->ccmsg, ISC_R_FAILURE); - goto cleanup; + goto cleanup_request; } if (isccc_cc_lookupuint32(_ctrl, "_tim", &sent) == ISC_R_SUCCESS) { if ((sent + CLOCKSKEW) < now || (sent - CLOCKSKEW) > now) { log_invalid(&conn->ccmsg, ISCCC_R_CLOCKSKEW); - goto cleanup; + goto cleanup_request; } } else { log_invalid(&conn->ccmsg, ISC_R_FAILURE); - goto cleanup; + goto cleanup_request; } /* @@ -418,7 +416,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { if (isccc_cc_lookupuint32(_ctrl, "_exp", &exp) == ISC_R_SUCCESS && now > exp) { log_invalid(&conn->ccmsg, ISCCC_R_EXPIRED); - goto cleanup; + goto cleanup_request; } /* @@ -428,16 +426,16 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { result = isccc_cc_checkdup(listener->controls->symtab, request, now); if (result != ISC_R_SUCCESS) { if (result == ISC_R_EXISTS) - result = ISCCC_R_DUPLICATE; + result = ISCCC_R_DUPLICATE; log_invalid(&conn->ccmsg, result); - goto cleanup; + goto cleanup_request; } if (conn->nonce != 0 && (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS || conn->nonce != nonce)) { log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH); - goto cleanup; + goto cleanup_request; } /* @@ -451,7 +449,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { result = isccc_cc_createresponse(request, now, now + 60, &response); if (result != ISC_R_SUCCESS) - goto cleanup; + goto cleanup_request; if (eresult != ISC_R_SUCCESS) { isccc_sexpr_t *data; @@ -459,7 +457,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { if (data != NULL) { const char *estr = isc_result_totext(eresult); if (isccc_cc_definestring(data, "err", estr) == NULL) - goto cleanup; + goto cleanup_response; } } @@ -470,20 +468,20 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { if (data != NULL) { char *str = (char *)isc_buffer_base(&text); if (isccc_cc_definestring(data, "text", str) == NULL) - goto cleanup; + goto cleanup_response; } } _ctrl = isccc_alist_lookup(response, "_ctrl"); if (_ctrl == NULL || isccc_cc_defineuint32(_ctrl, "_nonce", conn->nonce) == NULL) - goto cleanup; + goto cleanup_response; ccregion.rstart = conn->buffer + 4; ccregion.rend = conn->buffer + sizeof(conn->buffer); result = isccc_cc_towire(response, &ccregion, &secret); if (result != ISC_R_SUCCESS) - goto cleanup; + goto cleanup_response; isc_buffer_init(&b, conn->buffer, 4); len = sizeof(conn->buffer) - REGION_SIZE(ccregion); isc_buffer_putuint32(&b, len - 4); @@ -492,31 +490,27 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { result = isc_socket_send(conn->sock, &r, task, control_senddone, conn); if (result != ISC_R_SUCCESS) - goto cleanup; + goto cleanup_response; conn->sending = ISC_TRUE; - if (secret.rstart != NULL) - isc_mem_put(listener->mctx, secret.rstart, - REGION_SIZE(secret)); - if (request != NULL) - isccc_sexpr_free(&request); - if (response != NULL) - isccc_sexpr_free(&response); + isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret)); + isccc_sexpr_free(&request); + isccc_sexpr_free(&response); return; + cleanup_response: + isccc_sexpr_free(&response); + + cleanup_request: + isccc_sexpr_free(&request); + isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret)); + cleanup: - if (secret.rstart != NULL) - isc_mem_put(listener->mctx, secret.rstart, - REGION_SIZE(secret)); isc_socket_detach(&conn->sock); isccc_ccmsg_invalidate(&conn->ccmsg); conn->ccmsg_valid = ISC_FALSE; maybe_free_connection(conn); maybe_free_listener(listener); - if (request != NULL) - isccc_sexpr_free(&request); - if (response != NULL) - isccc_sexpr_free(&response); } static void @@ -540,7 +534,7 @@ newconnection(controllistener_t *listener, isc_socket_t *sock) { conn = isc_mem_get(listener->mctx, sizeof(*conn)); if (conn == NULL) return (ISC_R_NOMEMORY); - + conn->sock = sock; isccc_ccmsg_init(listener->mctx, sock, &conn->ccmsg); conn->ccmsg_valid = ISC_TRUE; @@ -651,7 +645,7 @@ ns_controls_shutdown(ns_controls_t *controls) { static isc_result_t cfgkeylist_find(const cfg_obj_t *keylist, const char *keyname, - const cfg_obj_t **objp) + const cfg_obj_t **objp) { const cfg_listelt_t *element; const char *str; @@ -681,7 +675,7 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx, char *newstr = NULL; const char *str; const cfg_obj_t *obj; - controlkey_t *key = NULL; + controlkey_t *key; for (element = cfg_list_first(keylist); element != NULL; @@ -700,7 +694,6 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx, key->secret.length = 0; ISC_LINK_INIT(key, link); ISC_LIST_APPEND(*keyids, key, link); - key = NULL; newstr = NULL; } return (ISC_R_SUCCESS); @@ -708,8 +701,6 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx, cleanup: if (newstr != NULL) isc_mem_free(mctx, newstr); - if (key != NULL) - isc_mem_put(mctx, key, sizeof(*key)); free_controlkeylist(keyids, mctx); return (ISC_R_NOMEMORY); } @@ -802,7 +793,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist, if (result != ISC_R_SUCCESS) \ goto cleanup; \ } while (0) - + static isc_result_t get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) { isc_result_t result; @@ -822,14 +813,14 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) { CHECK(cfg_map_get(config, "key", &key)); keyid = isc_mem_get(mctx, sizeof(*keyid)); - if (keyid == NULL) + if (keyid == NULL) CHECK(ISC_R_NOMEMORY); keyid->keyname = isc_mem_strdup(mctx, cfg_obj_asstring(cfg_map_getname(key))); keyid->secret.base = NULL; keyid->secret.length = 0; ISC_LINK_INIT(keyid, link); - if (keyid->keyname == NULL) + if (keyid->keyname == NULL) CHECK(ISC_R_NOMEMORY); CHECK(bind9_check_key(key, ns_g_lctx)); @@ -885,7 +876,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) { cfg_parser_destroy(&pctx); return (result); } - + /* * Ensures that both '*global_keylistp' and '*control_keylistp' are * valid or both are NULL. @@ -939,7 +930,7 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp, *listenerp = NULL; return; } - + /* * There is already a listener for this sockaddr. * Update the access list and key information. @@ -1267,7 +1258,7 @@ ns_controls_configure(ns_controls_t *cp, const cfg_obj_t *config, isc_sockaddr_setport(&addr, NS_CONTROL_PORT); isc_sockaddr_format(&addr, socktext, sizeof(socktext)); - + update_listener(cp, &listener, NULL, NULL, &addr, NULL, socktext); diff --git a/bin/named/include/named/builtin.h b/bin/named/include/named/builtin.h index 15564bf3fb0d6..257a9aa3300d4 100644 --- a/bin/named/include/named/builtin.h +++ b/bin/named/include/named/builtin.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: builtin.h,v 1.1.204.3 2004/03/08 04:04:20 marka Exp $ */ +/* $Id: builtin.h,v 1.1.204.6 2007/08/28 07:19:08 tbox Exp $ */ #ifndef NAMED_BUILTIN_H #define NAMED_BUILTIN_H 1 diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h index 8e5b94a7fc35a..0e9a378f17e11 100644 --- a/bin/named/include/named/config.h +++ b/bin/named/include/named/config.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001, 2002 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h,v 1.4.12.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: config.h,v 1.4.12.9 2007/08/28 07:19:08 tbox Exp $ */ #ifndef NAMED_CONFIG_H #define NAMED_CONFIG_H 1 diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h index 54bd91cbd4c59..96e54a31df0f1 100644 --- a/bin/named/include/named/interfacemgr.h +++ b/bin/named/include/named/interfacemgr.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: interfacemgr.h,v 1.23.24.7 2004/04/29 01:31:22 marka Exp $ */ +/* $Id: interfacemgr.h,v 1.23.24.10 2007/08/28 07:19:08 tbox Exp $ */ #ifndef NAMED_INTERFACEMGR_H #define NAMED_INTERFACEMGR_H 1 diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h index e8ad1ca15ff15..35b6837d78a92 100644 --- a/bin/named/include/named/log.h +++ b/bin/named/include/named/log.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.h,v 1.19.12.3 2004/03/08 04:04:21 marka Exp $ */ +/* $Id: log.h,v 1.19.12.6 2007/08/28 07:19:08 tbox Exp $ */ #ifndef NAMED_LOG_H #define NAMED_LOG_H 1 diff --git a/bin/named/include/named/main.h b/bin/named/include/named/main.h index e37b5198fd03c..9514616c2d30c 100644 --- a/bin/named/include/named/main.h +++ b/bin/named/include/named/main.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.h,v 1.8.2.2.8.4 2004/03/08 04:04:21 marka Exp $ */ +/* $Id: main.h,v 1.8.2.2.8.7 2007/08/28 07:19:08 tbox Exp $ */ #ifndef NAMED_MAIN_H #define NAMED_MAIN_H 1 diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h index 6f348d530e7cb..4c7f4e74f9dfa 100644 --- a/bin/named/include/named/query.h +++ b/bin/named/include/named/query.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.h,v 1.28.2.3.8.6 2004/03/08 04:04:21 marka Exp $ */ +/* $Id: query.h,v 1.28.2.3.8.9 2007/08/28 07:19:08 tbox Exp $ */ #ifndef NAMED_QUERY_H #define NAMED_QUERY_H 1 diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h index 3e63053f38989..032bad7b36a2e 100644 --- a/bin/named/include/named/zoneconf.h +++ b/bin/named/include/named/zoneconf.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.h,v 1.16.2.2.8.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: zoneconf.h,v 1.16.2.2.8.6 2007/08/28 07:19:08 tbox Exp $ */ #ifndef NS_ZONECONF_H #define NS_ZONECONF_H 1 diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c index a3410567e6311..f3d1d0b88c34d 100644 --- a/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: interfacemgr.c,v 1.59.2.5.8.18 2006/07/19 00:16:28 marka Exp $ */ +/* $Id: interfacemgr.c,v 1.59.2.5.8.21 2007/08/28 07:19:08 tbox Exp $ */ #include diff --git a/bin/named/log.c b/bin/named/log.c index 9032af795d4f2..9f6893a0cc532 100644 --- a/bin/named/log.c +++ b/bin/named/log.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.c,v 1.33.2.1.10.6 2005/05/24 23:58:17 marka Exp $ */ +/* $Id: log.c,v 1.33.2.1.10.9 2007/08/28 07:19:08 tbox Exp $ */ #include diff --git a/bin/named/logconf.c b/bin/named/logconf.c index 1bf3b5589e23a..200c031d57a31 100644 --- a/bin/named/logconf.c +++ b/bin/named/logconf.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: logconf.c,v 1.30.2.3.10.4 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: logconf.c,v 1.30.2.3.10.7 2007/08/28 07:19:08 tbox Exp $ */ #include diff --git a/bin/named/lwaddr.c b/bin/named/lwaddr.c index 1bd8d82875e74..724216b2ed000 100644 --- a/bin/named/lwaddr.c +++ b/bin/named/lwaddr.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwaddr.c,v 1.3.208.1 2004/03/06 10:21:18 marka Exp $ */ +/* $Id: lwaddr.c,v 1.3.208.3 2008/01/11 23:45:30 tbox Exp $ */ #include @@ -79,7 +79,7 @@ lwaddr_lwresaddr_fromnetaddr(lwres_addr_t *la, isc_netaddr_t *na) { } else { la->family = LWRES_ADDRTYPE_V6; la->length = 16; - memcpy(la->address, &na->type.in, 16); + memcpy(la->address, &na->type.in6, 16); } return (ISC_R_SUCCESS); } diff --git a/bin/named/lwdclient.c b/bin/named/lwdclient.c index 7975a4991e13a..a2516503762a6 100644 --- a/bin/named/lwdclient.c +++ b/bin/named/lwdclient.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdclient.c,v 1.13.12.5 2004/03/08 09:04:15 marka Exp $ */ +/* $Id: lwdclient.c,v 1.13.12.8 2007/08/28 07:19:08 tbox Exp $ */ #include diff --git a/bin/named/lwdgabn.c b/bin/named/lwdgabn.c index 539c25bf3d15b..f8c0f3bb5f7db 100644 --- a/bin/named/lwdgabn.c +++ b/bin/named/lwdgabn.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdgabn.c,v 1.13.12.5 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: lwdgabn.c,v 1.13.12.8 2007/08/28 07:19:08 tbox Exp $ */ #include diff --git a/bin/named/lwdgnba.c b/bin/named/lwdgnba.c index 21ef804ac9335..1770f3933f3b4 100644 --- a/bin/named/lwdgnba.c +++ b/bin/named/lwdgnba.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdgnba.c,v 1.13.2.1.2.5 2004/03/08 04:04:19 marka Exp $ */ +/* $Id: lwdgnba.c,v 1.13.2.1.2.10 2008/01/14 23:45:30 tbox Exp $ */ #include @@ -218,8 +218,6 @@ ns_lwdclient_processgnba(ns_lwdclient_t *client, lwres_buffer_t *b) { b, &client->pkt, &req); if (result != LWRES_R_SUCCESS) goto out; - if (req->addr.address == NULL) - goto out; client->options = 0; if (req->addr.family == LWRES_ADDRTYPE_V4) { diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c index 3ad9e9e38d5ac..8c4868b1f2620 100644 --- a/bin/named/lwdgrbn.c +++ b/bin/named/lwdgrbn.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdgrbn.c,v 1.11.208.5 2006/01/04 23:50:19 marka Exp $ */ +/* $Id: lwdgrbn.c,v 1.11.208.6 2006/12/07 04:52:50 marka Exp $ */ #include @@ -183,8 +183,6 @@ iterate_node(lwres_grbnresponse_t *grbn, dns_db_t *db, dns_dbnode_t *node, isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens)); if (newrdatas != NULL) isc_mem_put(mctx, newrdatas, used * sizeof(*oldrdatas)); - if (newlens != NULL) - isc_mem_put(mctx, newlens, used * sizeof(*oldlens)); return (result); } diff --git a/bin/named/lwdnoop.c b/bin/named/lwdnoop.c index 30d95ee8d8e20..5708f3a9491c7 100644 --- a/bin/named/lwdnoop.c +++ b/bin/named/lwdnoop.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwdnoop.c,v 1.6.208.1 2004/03/06 10:21:19 marka Exp $ */ +/* $Id: lwdnoop.c,v 1.6.208.3 2008/01/22 23:26:39 tbox Exp $ */ #include @@ -42,7 +42,7 @@ ns_lwdclient_processnoop(ns_lwdclient_t *client, lwres_buffer_t *b) { result = lwres_nooprequest_parse(client->clientmgr->lwctx, b, &client->pkt, &req); if (result != LWRES_R_SUCCESS) - goto out; + goto send_error; client->pkt.recvlength = LWRES_RECVLENGTH; client->pkt.authtype = 0; /* XXXMLG */ @@ -55,7 +55,7 @@ ns_lwdclient_processnoop(ns_lwdclient_t *client, lwres_buffer_t *b) { lwres = lwres_noopresponse_render(client->clientmgr->lwctx, &resp, &client->pkt, &lwb); if (lwres != LWRES_R_SUCCESS) - goto out; + goto cleanup_req; r.base = lwb.base; r.length = lwb.used; @@ -63,7 +63,7 @@ ns_lwdclient_processnoop(ns_lwdclient_t *client, lwres_buffer_t *b) { client->sendlength = r.length; result = ns_lwdclient_sendreply(client, &r); if (result != ISC_R_SUCCESS) - goto out; + goto cleanup_lwb; /* * We can now destroy request. @@ -74,13 +74,12 @@ ns_lwdclient_processnoop(ns_lwdclient_t *client, lwres_buffer_t *b) { return; - out: - if (req != NULL) - lwres_nooprequest_free(client->clientmgr->lwctx, &req); + cleanup_lwb: + lwres_context_freemem(client->clientmgr->lwctx, lwb.base, lwb.length); - if (lwb.base != NULL) - lwres_context_freemem(client->clientmgr->lwctx, - lwb.base, lwb.length); + cleanup_req: + lwres_nooprequest_free(client->clientmgr->lwctx, &req); + send_error: ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); } diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8 index 1333a5d5092eb..91d0e8a791670 100644 --- a/bin/named/lwresd.8 +++ b/bin/named/lwresd.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwresd.8,v 1.13.208.6 2006/06/29 13:02:30 marka Exp $ +.\" $Id: lwresd.8,v 1.13.208.10 2007/05/16 06:10:54 marka Exp $ .\" .hy 0 .ad l .\" Title: lwresd .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -33,7 +33,7 @@ lwresd \- lightweight resolver daemon .SH "SYNOPSIS" .HP 7 -\fBlwresd\fR [\fB\-C\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-i\ \fR\fB\fIpid\-file\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-P\ \fR\fB\fIport\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] +\fBlwresd\fR [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-C\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-i\ \fR\fB\fIpid\-file\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-P\ \fR\fB\fIport\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-4\fR] [\fB\-6\fR] .SH "DESCRIPTION" .PP \fBlwresd\fR @@ -60,42 +60,106 @@ entries are present, or if forwarding fails, \fBlwresd\fR resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints. .SH "OPTIONS" -.TP 3n +.PP +\-4 +.RS 4 +Use IPv4 only even if the host machine is capable of IPv6. +\fB\-4\fR +and +\fB\-6\fR +are mutually exclusive. +.RE +.PP +\-6 +.RS 4 +Use IPv6 only even if the host machine is capable of IPv4. +\fB\-4\fR +and +\fB\-6\fR +are mutually exclusive. +.RE +.PP +\-c \fIconfig\-file\fR +.RS 4 +Use +\fIconfig\-file\fR +as the configuration file instead of the default, +\fI/etc/lwresd.conf\fR. +\-c +can not be used with +\-C. +.RE +.PP \-C \fIconfig\-file\fR +.RS 4 Use \fIconfig\-file\fR as the configuration file instead of the default, \fI/etc/resolv.conf\fR. -.TP 3n +\-C +can not be used with +\-c. +.RE +.PP \-d \fIdebug\-level\fR +.RS 4 Set the daemon's debug level to \fIdebug\-level\fR. Debugging traces from \fBlwresd\fR become more verbose as the debug level increases. -.TP 3n +.RE +.PP \-f +.RS 4 Run the server in the foreground (i.e. do not daemonize). -.TP 3n +.RE +.PP \-g +.RS 4 Run the server in the foreground and force all logging to \fIstderr\fR. -.TP 3n +.RE +.PP +\-i \fIpid\-file\fR +.RS 4 +Use +\fIpid\-file\fR +as the PID file instead of the default, +\fI/var/run/lwresd.pid\fR. +.RE +.PP +\-m \fIflag\fR +.RS 4 +Turn on memory usage debugging flags. Possible flags are +\fIusage\fR, +\fItrace\fR, and +\fIrecord\fR. These correspond to the ISC_MEM_DEBUGXXXX flags described in +\fI\fR. +.RE +.PP \-n \fI#cpus\fR +.RS 4 Create \fI#cpus\fR worker threads to take advantage of multiple CPUs. If not specified, \fBlwresd\fR will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. -.TP 3n +.RE +.PP \-P \fIport\fR +.RS 4 Listen for lightweight resolver queries on port \fIport\fR. If not specified, the default is port 921. -.TP 3n +.RE +.PP \-p \fIport\fR +.RS 4 Send DNS lookups to port \fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number. -.TP 3n +.RE +.PP \-s +.RS 4 Write memory usage statistics to \fIstdout\fR on exit. @@ -103,9 +167,11 @@ on exit. .B "Note:" This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release. .RE -.TP 3n +.RE +.PP \-t \fIdirectory\fR -\fBchroot()\fR +.RS 4 +\fBChroot\fR to \fIdirectory\fR after processing the command line arguments, but before reading the configuration file. @@ -114,25 +180,34 @@ after processing the command line arguments, but before reading the configuratio This option should be used in conjunction with the \fB\-u\fR option, as chrooting a process running as root doesn't enhance security on most systems; the way -\fBchroot()\fR +\fBchroot(2)\fR is defined allows a process with root privileges to escape a chroot jail. .RE -.TP 3n +.RE +.PP \-u \fIuser\fR -\fBsetuid()\fR +.RS 4 +\fBSetuid\fR to \fIuser\fR after completing privileged operations, such as creating sockets that listen on privileged ports. -.TP 3n +.RE +.PP \-v +.RS 4 Report the version number and exit. +.RE .SH "FILES" -.TP 3n +.PP \fI/etc/resolv.conf\fR +.RS 4 The default configuration file. -.TP 3n +.RE +.PP \fI/var/run/lwresd.pid\fR +.RS 4 The default process\-id file. +.RE .SH "SEE ALSO" .PP \fBnamed\fR(8), @@ -142,4 +217,7 @@ The default process\-id file. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/bin/named/lwresd.docbook b/bin/named/lwresd.docbook index c1f500bb83002..354a4ab85d58a 100644 --- a/bin/named/lwresd.docbook +++ b/bin/named/lwresd.docbook @@ -1,11 +1,11 @@ -]> - + @@ -35,6 +35,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") @@ -52,11 +53,13 @@ lwresd + + @@ -64,6 +67,8 @@ + + @@ -107,15 +112,51 @@ OPTIONS + + + -4 + + + Use IPv4 only even if the host machine is capable of IPv6. + and are mutually + exclusive. + + + + + + -6 + + + Use IPv6 only even if the host machine is capable of IPv4. + and are mutually + exclusive. + + + + + + + -c config-file + + + Use config-file as the + configuration file instead of the default, + /etc/lwresd.conf. + -c can not be used with -C. + + + + -C config-file - Use config-file as the - configuration file instead of the default, - /etc/resolv.conf. - + Use config-file as the + configuration file instead of the default, + /etc/resolv.conf. + -C can not be used with -c. + @@ -127,7 +168,7 @@ class="parameter">debug-level. Debugging traces from lwresd become more verbose as the debug level increases. - + @@ -136,7 +177,7 @@ Run the server in the foreground (i.e. do not daemonize). - + @@ -146,7 +187,32 @@ Run the server in the foreground and force all logging to stderr. - + + + + + + -i pid-file + + + Use pid-file as the + PID file instead of the default, + /var/run/lwresd.pid. + + + + + + -m flag + + + Turn on memory usage debugging flags. Possible flags are + usage, + trace, and + record. + These correspond to the ISC_MEM_DEBUGXXXX flags described in + <isc/mem.h>. + @@ -161,7 +227,7 @@ number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. - + @@ -172,7 +238,7 @@ Listen for lightweight resolver queries on port port. If not specified, the default is port 921. - + @@ -186,7 +252,7 @@ way of testing the lightweight resolver daemon with a name server that listens for queries on a non-standard port number. - + @@ -196,7 +262,7 @@ Write memory usage statistics to stdout on exit. - + This option is mainly of interest to BIND 9 developers @@ -210,17 +276,17 @@ -t directory - chroot() to Chroot to directory after processing the command line arguments, but before reading the configuration file. - + This option should be used in conjunction with the option, as chrooting a process running as root doesn't enhance security on most - systems; the way chroot() is + systems; the way chroot(2) is defined allows a process with root privileges to escape a chroot jail. @@ -232,11 +298,11 @@ -u user - setuid() to Setuid to user after completing privileged operations, such as creating sockets that listen on privileged ports. - + @@ -245,7 +311,7 @@ Report the version number and exit. - + @@ -263,7 +329,7 @@ The default configuration file. - + @@ -272,7 +338,7 @@ The default process-id file. - + @@ -286,15 +352,15 @@ named 8 - , + , lwres 3 - , + , resolver 5 - . + . diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html index 6ab78242e73f5..45837e8ed4a19 100644 --- a/bin/named/lwresd.html +++ b/bin/named/lwresd.html @@ -1,5 +1,5 @@ - + lwresd - +
-
+

Name

lwresd — lightweight resolver daemon

Synopsis

-

lwresd [-C config-file] [-d debug-level] [-f] [-g] [-i pid-file] [-n #cpus] [-P port] [-p port] [-s] [-t directory] [-u user] [-v]

+

lwresd [-c config-file] [-C config-file] [-d debug-level] [-f] [-g] [-i pid-file] [-m flag] [-n #cpus] [-P port] [-p port] [-s] [-t directory] [-u user] [-v] [-4] [-6]

-

DESCRIPTION

+

DESCRIPTION

lwresd is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver @@ -67,29 +67,64 @@

-

OPTIONS

+

OPTIONS

+
-4
+

+ Use IPv4 only even if the host machine is capable of IPv6. + -4 and -6 are mutually + exclusive. +

+
-6
+

+ Use IPv6 only even if the host machine is capable of IPv4. + -4 and -6 are mutually + exclusive. +

+
-c config-file
+

+ Use config-file as the + configuration file instead of the default, + /etc/lwresd.conf. + <term>-c</term> can not be used with <term>-C</term>. +

-C config-file

- Use config-file as the - configuration file instead of the default, - /etc/resolv.conf. -

+ Use config-file as the + configuration file instead of the default, + /etc/resolv.conf. + <term>-C</term> can not be used with <term>-c</term>. +

-d debug-level

Set the daemon's debug level to debug-level. Debugging traces from lwresd become more verbose as the debug level increases. -

+

-f

Run the server in the foreground (i.e. do not daemonize). -

+

-g

Run the server in the foreground and force all logging to stderr. -

+

+
-i pid-file
+

+ Use pid-file as the + PID file instead of the default, + /var/run/lwresd.pid. +

+
-m flag
+

+ Turn on memory usage debugging flags. Possible flags are + usage, + trace, and + record. + These correspond to the ISC_MEM_DEBUGXXXX flags described in + <isc/mem.h>. +

-n #cpus

Create #cpus worker threads @@ -98,13 +133,13 @@ number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. -

+

-P port

Listen for lightweight resolver queries on port port. If not specified, the default is port 921. -

+

-p port

Send DNS lookups to port port. If not @@ -112,13 +147,13 @@ way of testing the lightweight resolver daemon with a name server that listens for queries on a non-standard port number. -

+

-s

Write memory usage statistics to stdout on exit. -

+

Note

@@ -130,17 +165,17 @@

-t directory

- chroot() to directory after + Chroot to directory after processing the command line arguments, but before reading the configuration file. -

+

Warning

This option should be used in conjunction with the -u option, as chrooting a process running as root doesn't enhance security on most - systems; the way chroot() is + systems; the way chroot(2) is defined allows a process with root privileges to escape a chroot jail.

@@ -148,31 +183,31 @@
-u user

- setuid() to user after completing + Setuid to user after completing privileged operations, such as creating sockets that listen on privileged ports. -

+

-v

Report the version number and exit. -

+

-

FILES

+

FILES

/etc/resolv.conf

The default configuration file. -

+

/var/run/lwresd.pid

The default process-id file. -

+

-

SEE ALSO

+

SEE ALSO

named(8), lwres(3), @@ -180,7 +215,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/named/named.8 b/bin/named/named.8 index 7172393534dec..a8d49747fe685 100644 --- a/bin/named/named.8 +++ b/bin/named/named.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.8,v 1.17.208.9 2006/06/29 13:02:30 marka Exp $ +.\" $Id: named.8,v 1.17.208.14 2007/06/20 02:26:23 marka Exp $ .\" .hy 0 .ad l .\" Title: named .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -33,7 +33,7 @@ named \- Internet domain name server .SH "SYNOPSIS" .HP 6 -\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR] +\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR] .SH "DESCRIPTION" .PP \fBnamed\fR @@ -44,22 +44,27 @@ When invoked without arguments, will read the default configuration file \fI/etc/named.conf\fR, read any initial data, and listen for queries. .SH "OPTIONS" -.TP 3n +.PP \-4 +.RS 4 Use IPv4 only even if the host machine is capable of IPv6. \fB\-4\fR and \fB\-6\fR are mutually exclusive. -.TP 3n +.RE +.PP \-6 +.RS 4 Use IPv6 only even if the host machine is capable of IPv4. \fB\-4\fR and \fB\-6\fR are mutually exclusive. -.TP 3n +.RE +.PP \-c \fIconfig\-file\fR +.RS 4 Use \fIconfig\-file\fR as the configuration file instead of the default, @@ -68,32 +73,53 @@ as the configuration file instead of the default, option in the configuration file, \fIconfig\-file\fR should be an absolute pathname. -.TP 3n +.RE +.PP \-d \fIdebug\-level\fR +.RS 4 Set the daemon's debug level to \fIdebug\-level\fR. Debugging traces from \fBnamed\fR become more verbose as the debug level increases. -.TP 3n +.RE +.PP \-f +.RS 4 Run the server in the foreground (i.e. do not daemonize). -.TP 3n +.RE +.PP \-g +.RS 4 Run the server in the foreground and force all logging to \fIstderr\fR. -.TP 3n +.RE +.PP +\-m \fIflag\fR +.RS 4 +Turn on memory usage debugging flags. Possible flags are +\fIusage\fR, +\fItrace\fR, and +\fIrecord\fR. These correspond to the ISC_MEM_DEBUGXXXX flags described in +\fI\fR. +.RE +.PP \-n \fI#cpus\fR +.RS 4 Create \fI#cpus\fR worker threads to take advantage of multiple CPUs. If not specified, \fBnamed\fR will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created. -.TP 3n +.RE +.PP \-p \fIport\fR +.RS 4 Listen for queries on port \fIport\fR. If not specified, the default is port 53. -.TP 3n +.RE +.PP \-s +.RS 4 Write memory usage statistics to \fIstdout\fR on exit. @@ -101,9 +127,11 @@ on exit. .B "Note:" This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release. .RE -.TP 3n +.RE +.PP \-t \fIdirectory\fR -\fBchroot()\fR +.RS 4 +\fBChroot\fR to \fIdirectory\fR after processing the command line arguments, but before reading the configuration file. @@ -112,12 +140,14 @@ after processing the command line arguments, but before reading the configuratio This option should be used in conjunction with the \fB\-u\fR option, as chrooting a process running as root doesn't enhance security on most systems; the way -\fBchroot()\fR +\fBchroot(2)\fR is defined allows a process with root privileges to escape a chroot jail. .RE -.TP 3n +.RE +.PP \-u \fIuser\fR -\fBsetuid()\fR +.RS 4 +\fBSetuid\fR to \fIuser\fR after completing privileged operations, such as creating sockets that listen on privileged ports. @@ -126,19 +156,23 @@ after completing privileged operations, such as creating sockets that listen on On Linux, \fBnamed\fR uses the kernel's capability mechanism to drop all root privileges except the ability to -\fBbind()\fR +\fBbind(2)\fR to a privileged port and set process resource limits. Unfortunately, this means that the \fB\-u\fR option only works when \fBnamed\fR is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after -\fBsetuid()\fR. +\fBsetuid(2)\fR. .RE -.TP 3n +.RE +.PP \-v +.RS 4 Report the version number and exit. -.TP 3n +.RE +.PP \-x \fIcache\-file\fR +.RS 4 Load data from \fIcache\-file\fR into the cache of the default view. @@ -146,17 +180,22 @@ into the cache of the default view. .B "Warning:" This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release. .RE +.RE .SH "SIGNALS" .PP In routine operation, signals should not be used to control the nameserver; \fBrndc\fR should be used instead. -.TP 3n +.PP SIGHUP +.RS 4 Force a reload of the server. -.TP 3n +.RE +.PP SIGINT, SIGTERM +.RS 4 Shut down the server. +.RE .PP The result of sending any other signals to the server is undefined. .SH "CONFIGURATION" @@ -166,17 +205,23 @@ The configuration file is too complex to describe in detail here. A complete description is provided in the BIND 9 Administrator Reference Manual. .SH "FILES" -.TP 3n +.PP \fI/etc/named.conf\fR +.RS 4 The default configuration file. -.TP 3n +.RE +.PP \fI/var/run/named.pid\fR +.RS 4 The default process\-id file. +.RE .SH "SEE ALSO" .PP RFC 1033, RFC 1034, RFC 1035, +\fBnamed\-checkconf\fR(8), +\fBnamed\-checkzone\fR(8), \fBrndc\fR(8), \fBlwresd\fR(8), \fBnamed.conf\fR(5), @@ -185,4 +230,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001, 2003 Internet Software Consortium. +.br diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5 index 1ace4da31cd1e..15a8cf723c45c 100644 --- a/bin/named/named.conf.5 +++ b/bin/named/named.conf.5 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -12,13 +12,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: named.conf.5,v 1.1.4.10 2006/09/13 02:56:20 marka Exp $ +.\" $Id: named.conf.5,v 1.1.4.14 2007/06/20 02:26:23 marka Exp $ .\" .hy 0 .ad l .\" Title: \fInamed.conf\fR .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Aug 13, 2004 .\" Manual: BIND9 .\" Source: BIND9 @@ -46,14 +46,14 @@ C++ style: // to end of line Unix style: # to end of line .SH "ACL" .sp -.RS 3n +.RS 4 .nf acl \fIstring\fR { \fIaddress_match_element\fR; ... }; .fi .RE .SH "KEY" .sp -.RS 3n +.RS 4 .nf key \fIdomain_name\fR { algorithm \fIstring\fR; @@ -63,7 +63,7 @@ key \fIdomain_name\fR { .RE .SH "MASTERS" .sp -.RS 3n +.RS 4 .nf masters \fIstring\fR [ port \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] | @@ -73,7 +73,7 @@ masters \fIstring\fR [ port \fIinteger\fR ] { .RE .SH "SERVER" .sp -.RS 3n +.RS 4 .nf server ( \fIipv4_address\fR | \fIipv6_address\fR ) { bogus \fIboolean\fR; @@ -93,7 +93,7 @@ server ( \fIipv4_address\fR | \fIipv6_address\fR ) { .RE .SH "TRUSTED\-KEYS" .sp -.RS 3n +.RS 4 .nf trusted\-keys { \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... @@ -102,7 +102,7 @@ trusted\-keys { .RE .SH "CONTROLS" .sp -.RS 3n +.RS 4 .nf controls { inet ( \fIipv4_address\fR | \fIipv6_address\fR | * ) @@ -115,7 +115,7 @@ controls { .RE .SH "LOGGING" .sp -.RS 3n +.RS 4 .nf logging { channel \fIstring\fR { @@ -134,7 +134,7 @@ logging { .RE .SH "LWRES" .sp -.RS 3n +.RS 4 .nf lwres { listen\-on [ port \fIinteger\fR ] { @@ -148,7 +148,7 @@ lwres { .RE .SH "OPTIONS" .sp -.RS 3n +.RS 4 .nf options { avoid\-v4\-udp\-ports { \fIport\fR; ... }; @@ -284,7 +284,7 @@ options { .RE .SH "VIEW" .sp -.RS 3n +.RS 4 .nf view \fIstring\fR \fIoptional_class\fR { match\-clients { \fIaddress_match_element\fR; ... }; @@ -389,7 +389,7 @@ view \fIstring\fR \fIoptional_class\fR { .RE .SH "ZONE" .sp -.RS 3n +.RS 4 .nf zone \fIstring\fR \fIoptional_class\fR { type ( master | slave | stub | hint | @@ -460,7 +460,9 @@ zone \fIstring\fR \fIoptional_class\fR { .SH "SEE ALSO" .PP \fBnamed\fR(8), +\fBnamed\-checkconf\fR(8), \fBrndc\fR(8), -\fBBIND 9 Administrator Reference Manual\fR(). +BIND 9 Administrator Reference Manual .SH "COPYRIGHT" -Copyright \(co 2004\-2006 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index fb8a5ef61a162..ff9ae4bce1a6f 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -1,10 +1,10 @@ -]> - + @@ -35,6 +35,7 @@ 2004 2005 2006 + 2007 Internet Systems Consortium, Inc. ("ISC") @@ -522,20 +523,21 @@ zone string optional_class - -SEE ALSO - - -named8 -, - -rndc8 -, - -BIND 9 Administrator Reference Manual -. - - + + SEE ALSO + + + named8 + , + + named-checkconf8 + , + + rndc8 + , + BIND 9 Administrator Reference Manual + + - + named.conf - +
-
+

Name

named.conf — configuration file for named

@@ -31,7 +31,7 @@

named.conf

-

DESCRIPTION

+

DESCRIPTION

named.conf is the configuration file for named. Statements are enclosed @@ -50,14 +50,14 @@

-

ACL

+

ACL


acl string { address_match_element; ... };

-

KEY

+

KEY


key domain_name {
algorithm string;
@@ -66,7 +66,7 @@ key

-

MASTERS

+

MASTERS


masters string [ port integer ] {
masters | ipv4_address [port integer] |
@@ -75,7 +75,7 @@ masters

-

SERVER

+

SERVER


server ( ipv4_address | ipv6_address ) {
bogus boolean;
@@ -95,7 +95,7 @@ server

-

TRUSTED-KEYS

+

TRUSTED-KEYS


trusted-keys {
domain_name flags protocol algorithm key; ... 
@@ -103,7 +103,7 @@ trusted-keys

-

CONTROLS

+

CONTROLS


controls {
inet ( ipv4_address | ipv6_address | * )
@@ -115,7 +115,7 @@ controls

-

LOGGING

+

LOGGING


logging {
channel string {
@@ -133,7 +133,7 @@ logging

-

LWRES

+

LWRES


lwres {
listen-on [ port integer ] {
@@ -146,7 +146,7 @@ lwres

-

OPTIONS

+

OPTIONS


options {
avoid-v4-udp-ports { port; ... };
@@ -290,7 +290,7 @@ options

-

VIEW

+

VIEW


view string optional_class {
match-clients { address_match_element; ... };
@@ -408,7 +408,7 @@ view

-

ZONE

+

ZONE


zone string optional_class {
type ( master | slave | stub | hint |
@@ -484,18 +484,19 @@ zone

-

FILES

+

FILES

/etc/named.conf

-

SEE ALSO

+

SEE ALSO

-named(8), -rndc(8), -BIND 9 Administrator Reference Manual. -

+ named(8), + named-checkconf(8), + rndc(8), + BIND 9 Administrator Reference Manual +

diff --git a/bin/named/named.docbook b/bin/named/named.docbook index f7cae12b13575..43401d0274474 100644 --- a/bin/named/named.docbook +++ b/bin/named/named.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 2006 + 2007 Internet Systems Consortium, Inc. ("ISC") @@ -60,6 +61,7 @@ + @@ -160,6 +162,20 @@ + + -m flag + + + Turn on memory usage debugging flags. Possible flags are + usage, + trace, and + record. + These correspond to the ISC_MEM_DEBUGXXXX flags described in + <isc/mem.h>. + + + + -n #cpus @@ -205,7 +221,7 @@ -t directory - chroot() to Chroot to directory after processing the command line arguments, but before reading the configuration file. @@ -215,7 +231,7 @@ This option should be used in conjunction with the option, as chrooting a process running as root doesn't enhance security on most - systems; the way chroot() is + systems; the way chroot(2) is defined allows a process with root privileges to escape a chroot jail. @@ -227,7 +243,7 @@ -u user - setuid() to Setuid to user after completing privileged operations, such as creating sockets that listen on privileged ports. @@ -236,13 +252,13 @@ On Linux, named uses the kernel's capability mechanism to drop all root privileges - except the ability to bind() to a + except the ability to bind(2) to a privileged port and set process resource limits. Unfortunately, this means that the option only works when named is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous kernels did not allow privileges - to be retained after setuid(). + to be retained after setuid(2). @@ -358,6 +374,14 @@ RFC 1033, RFC 1034, RFC 1035, + + named-checkconf + 8 + , + + named-checkzone + 8 + , rndc 8 diff --git a/bin/named/named.html b/bin/named/named.html index 6e77e5b9c3b67..f90b087b25c32 100644 --- a/bin/named/named.html +++ b/bin/named/named.html @@ -1,5 +1,5 @@ - + named - +
-
+

Name

named — Internet domain name server

Synopsis

-

named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

+

named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-t directory] [-u user] [-v] [-x cache-file]

-

DESCRIPTION

+

DESCRIPTION

named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -46,7 +46,7 @@

-

OPTIONS

+

OPTIONS

-4

@@ -87,6 +87,15 @@ Run the server in the foreground and force all logging to stderr.

+
-m flag
+

+ Turn on memory usage debugging flags. Possible flags are + usage, + trace, and + record. + These correspond to the ISC_MEM_DEBUGXXXX flags described in + <isc/mem.h>. +

-n #cpus

Create #cpus worker threads @@ -117,7 +126,7 @@

-t directory

- chroot() to directory after + Chroot to directory after processing the command line arguments, but before reading the configuration file.

@@ -127,7 +136,7 @@ This option should be used in conjunction with the -u option, as chrooting a process running as root doesn't enhance security on most - systems; the way chroot() is + systems; the way chroot(2) is defined allows a process with root privileges to escape a chroot jail.

@@ -136,7 +145,7 @@
-u user

- setuid() to user after completing + Setuid to user after completing privileged operations, such as creating sockets that listen on privileged ports.

@@ -145,13 +154,13 @@

On Linux, named uses the kernel's capability mechanism to drop all root privileges - except the ability to bind() to a + except the ability to bind(2) to a privileged port and set process resource limits. Unfortunately, this means that the -u option only works when named is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous kernels did not allow privileges - to be retained after setuid(). + to be retained after setuid(2).

@@ -177,7 +186,7 @@
-

SIGNALS

+

SIGNALS

In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -198,7 +207,7 @@

-

CONFIGURATION

+

CONFIGURATION

The named configuration file is too complex to describe in detail here. A complete description is @@ -207,7 +216,7 @@

-

FILES

+

FILES

/etc/named.conf

@@ -220,11 +229,13 @@

-

SEE ALSO

+

SEE ALSO

RFC 1033, RFC 1034, RFC 1035, + named-checkconf(8), + named-checkzone(8), rndc(8), lwresd(8), named.conf(5), @@ -232,7 +243,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/named/query.c b/bin/named/query.c index c0a76a8bdd11b..858df8cd975b6 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.198.2.13.4.43 2006/08/31 03:57:11 marka Exp $ */ +/* $Id: query.c,v 1.198.2.13.4.53 2008/01/17 23:45:27 tbox Exp $ */ #include @@ -479,7 +479,7 @@ ns_query_init(ns_client_t *client) { client->query.authdb = NULL; client->query.authzone = NULL; client->query.authdbset = ISC_FALSE; - client->query.isreferral = ISC_FALSE; + client->query.isreferral = ISC_FALSE; query_reset(client, ISC_FALSE); result = query_newdbversion(client, 3); if (result != ISC_R_SUCCESS) { @@ -561,13 +561,13 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) result = dns_zone_getdb(zone, &db); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) goto fail; /* * This limits our searching to the zone where the first name * (the query target) was looked for. This prevents following - * CNAMES or DNAMES into other zones and prevents returning + * CNAMES or DNAMES into other zones and prevents returning * additional data from other zones. */ if (!client->view->additionalfromauth && @@ -644,7 +644,7 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, ISC_LOG_DEBUG(3), "%s approved", msg); } - } else { + } else { ns_client_aclmsg("query", name, qtype, client->view->rdclass, msg, sizeof(msg)); @@ -745,7 +745,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, if (check_acl) { isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0); char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")]; - + result = ns_client_checkaclsilent(client, client->view->queryacl, ISC_TRUE); @@ -1192,7 +1192,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { * recursing to add address records, which in turn can cause * recursion to add KEYs. */ - if (type == dns_rdatatype_srv && trdataset != NULL) { + if (type == dns_rdatatype_srv && trdataset != NULL) { /* * If we're adding SRV records to the additional data * section, it's helpful if we add the SRV additional data @@ -1735,7 +1735,9 @@ query_addbestns(ns_client_t *client) { } static void -query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node) { +query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node, + dns_dbversion_t *version) +{ dns_name_t *rname; dns_rdataset_t *rdataset, *sigrdataset; isc_result_t result; @@ -1756,12 +1758,12 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node) { /* * Look for the DS record, which may or may not be present. */ - result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0, + result = dns_db_findrdataset(db, node, version, dns_rdatatype_ds, 0, client->now, rdataset, sigrdataset); /* * If we didn't find it, look for an NSEC. */ if (result == ISC_R_NOTFOUND) - result = dns_db_findrdataset(db, node, NULL, + result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec, 0, client->now, rdataset, sigrdataset); if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) @@ -1800,7 +1802,8 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node) { static void query_addwildcardproof(ns_client_t *client, dns_db_t *db, - dns_name_t *name, isc_boolean_t ispositive) + dns_dbversion_t *version, dns_name_t *name, + isc_boolean_t ispositive) { isc_buffer_t *dbuf, b; dns_name_t *fname; @@ -1881,7 +1884,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, if (fname == NULL || rdataset == NULL || sigrdataset == NULL) goto cleanup; - result = dns_db_find(db, name, NULL, dns_rdatatype_nsec, options, + result = dns_db_find(db, name, version, dns_rdatatype_nsec, options, 0, &node, fname, rdataset, sigrdataset); if (node != NULL) dns_db_detachnode(db, &node); @@ -1922,7 +1925,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, name = wname; goto again; } - } + } cleanup: if (rdataset != NULL) query_putrdataset(client, &rdataset); @@ -1933,8 +1936,9 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db, } static void -query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db, dns_name_t **namep, - dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp) +query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db, + dns_dbversion_t *version, dns_name_t **namep, + dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp) { dns_name_t *name; dns_rdataset_t *sigrdataset; @@ -1971,8 +1975,7 @@ query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db, dns_name_t **namep, return; /* XXX */ - query_addwildcardproof(client, db, - client->query.qname, + query_addwildcardproof(client, db, version, client->query.qname, ISC_TRUE); /* @@ -2193,7 +2196,7 @@ static isc_result_t rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) { struct in_addr ina; struct in6_addr in6a; - + switch (rdata->type) { case dns_rdatatype_a: INSIST(rdata->length == 4); @@ -2246,7 +2249,7 @@ setup_query_sortlist(ns_client_t *client) { isc_netaddr_t netaddr; dns_rdatasetorderfunc_t order = NULL; const void *order_arg = NULL; - + isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); switch (ns_sortlist_setup(client->view->sortlist, &netaddr, &order_arg)) { @@ -2296,11 +2299,11 @@ query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) { cleanup: if (nsec != NULL) - query_putrdataset(client, &nsec); - if (nsecsig != NULL) - query_putrdataset(client, &nsecsig); - if (fname != NULL) - query_releasename(client, &fname); + query_putrdataset(client, &nsec); + if (nsecsig != NULL) + query_putrdataset(client, &nsecsig); + if (fname != NULL) + query_releasename(client, &fname); } static inline void @@ -2434,7 +2437,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) goto resume; } - + /* * Not returning from recursion. */ @@ -2527,7 +2530,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) if (is_zone) authoritative = ISC_TRUE; - + if (event == NULL && client->query.restarts == 0) { if (is_zone) { dns_zone_attach(zone, &client->query.authzone); @@ -2723,7 +2726,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) dbuf, DNS_SECTION_AUTHORITY); client->query.gluedb = NULL; if (WANTDNSSEC(client) && dns_db_issecure(db)) - query_addds(client, db, node); + query_addds(client, db, node, version); } else { /* * We might have a better answer or delegation @@ -2824,7 +2827,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) client->query.attributes &= ~NS_QUERYATTR_CACHEGLUEOK; if (WANTDNSSEC(client)) - query_addds(client, db, node); + query_addds(client, db, node, version); } } goto cleanup; @@ -2861,8 +2864,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) */ if (WANTDNSSEC(client)) { if (dns_rdataset_isassociated(rdataset)) - query_addnxrrsetnsec(client, db, &fname, - &rdataset, &sigrdataset); + query_addnxrrsetnsec(client, db, version, + &fname, &rdataset, + &sigrdataset); } goto cleanup; case DNS_R_EMPTYWILD: @@ -2907,7 +2911,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) query_addrrset(client, &fname, &rdataset, &sigrdataset, NULL, DNS_SECTION_AUTHORITY); - query_addwildcardproof(client, db, + query_addwildcardproof(client, db, version, client->query.qname, ISC_FALSE); } @@ -3212,6 +3216,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * an error unless we were searching for * glue. Ugh. */ + if (!is_zone) { + authoritative = ISC_FALSE; + dns_rdatasetiter_destroy(&rdsiter); + if (RECURSIONOK(client)) { + result = query_recurse(client, + qtype, + NULL, + NULL); + if (result == ISC_R_SUCCESS) + client->query.attributes |= + NS_QUERYATTR_RECURSING; + else + QUERY_ERROR(DNS_R_SERVFAIL); } + goto addauth; + } /* * We were searching for SIG records in * a nonsecure zone. Send a "no error, @@ -3249,6 +3268,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) noqname = rdataset; else noqname = NULL; + /* + * BIND 8 priming queries need the additional section. + */ + if (is_zone && qtype == dns_rdatatype_ns && + dns_name_equal(client->query.qname, dns_rootname)) + client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL; + query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf, DNS_SECTION_ANSWER); if (noqname != NULL) @@ -3285,7 +3311,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * DNSSEC wildcard proofs. */ if (need_wildcardproof && dns_db_issecure(db)) - query_addwildcardproof(client, db, + query_addwildcardproof(client, db, version, dns_fixedname_name(&wildcardname), ISC_TRUE); cleanup: @@ -3404,6 +3430,7 @@ ns_query_start(ns_client_t *client) { dns_rdataset_t *rdataset; ns_client_t *qclient; dns_rdatatype_t qtype; + isc_boolean_t want_ad; CTRACE("ns_query_start"); @@ -3422,10 +3449,10 @@ ns_query_start(ns_client_t *client) { if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) client->query.attributes |= NS_QUERYATTR_WANTRECURSION; - + if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0) client->attributes |= NS_CLIENTATTR_WANTDNSSEC; - + if (client->view->minimalresponses) client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); @@ -3536,6 +3563,15 @@ ns_query_start(ns_client_t *client) { if (message->flags & DNS_MESSAGEFLAG_CD) client->query.attributes &= ~NS_QUERYATTR_SECURE; + /* + * Set 'want_ad' if the client has set AD in the query. + * This allows AD to be returned on queries without DO set. + */ + if ((message->flags & DNS_MESSAGEFLAG_AD) != 0) + want_ad = ISC_TRUE; + else + want_ad = ISC_FALSE; + /* * This is an ordinary query. */ @@ -3555,7 +3591,7 @@ ns_query_start(ns_client_t *client) { * Set AD. We must clear it if we add non-validated data to a * response. */ - if (client->view->enablednssec) + if (WANTDNSSEC(client) || want_ad) message->flags |= DNS_MESSAGEFLAG_AD; qclient = NULL; diff --git a/bin/named/server.c b/bin/named/server.c index f29321e510601..a01e5e79cfe3a 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,11 +15,12 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.339.2.15.2.70 2006/05/24 04:30:24 marka Exp $ */ +/* $Id: server.c,v 1.339.2.15.2.78 2008/01/17 23:45:27 tbox Exp $ */ #include #include +#include #include #include @@ -290,6 +291,13 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key, keystruct.datalen = r.length; keystruct.data = r.base; + if ((keystruct.algorithm == DST_ALG_RSASHA1 || + keystruct.algorithm == DST_ALG_RSAMD5) && + r.length > 1 && r.base[0] == 1 && r.base[1] == 3) + cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING, + "trusted key '%s' has a weak exponent", + keynamestr); + CHECK(dns_rdata_fromstruct(NULL, keystruct.common.rdclass, keystruct.common.rdtype, @@ -375,7 +383,7 @@ configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config, *target = keytable; /* Transfer ownership. */ keytable = NULL; result = ISC_R_SUCCESS; - + cleanup: return (result); } @@ -391,7 +399,7 @@ mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) isc_boolean_t value; isc_result_t result; isc_buffer_t b; - + dns_fixedname_init(&fixed); name = dns_fixedname_name(&fixed); for (element = cfg_list_first(mbs); @@ -409,7 +417,7 @@ mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) } result = ISC_R_SUCCESS; - + cleanup: return (result); } @@ -538,7 +546,7 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) { return (result); obj = cfg_tuple_get(ent, "name"); - if (cfg_obj_isstring(obj)) + if (cfg_obj_isstring(obj)) str = cfg_obj_asstring(obj); else str = "*"; @@ -931,7 +939,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, if (lame_ttl > 1800) lame_ttl = 1800; dns_resolver_setlamettl(view->resolver, lame_ttl); - + /* * Set the resolver's EDNS UDP size. */ @@ -944,7 +952,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, if (udpsize > 4096) udpsize = 4096; dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize); - + /* * Set supported DNSSEC algorithms. */ @@ -968,7 +976,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, (void)ns_config_get(maps, "forward", &forwardtype); (void)ns_config_get(maps, "forwarders", &forwarders); if (forwarders != NULL) - CHECK(configure_forward(config, view, dns_rootname, + CHECK(configure_forward(config, view, dns_rootname, forwarders, forwardtype)); /* @@ -988,7 +996,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, /* * If we still have no hints, this is a non-IN view with no * "hints zone" configured. Issue a warning, except if this - * is a root server. Root servers never need to consult + * is a root server. Root servers never need to consult * their hints, so it's no point requiring users to configure * them. */ @@ -1111,7 +1119,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, view->transfer_format = dns_one_answer; else INSIST(0); - + /* * Set sources where additional data and CNAME/DNAME * targets for authoritative answers may be found. @@ -1179,7 +1187,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, result = ns_config_get(maps, "provide-ixfr", &obj); INSIST(result == ISC_R_SUCCESS); view->provideixfr = cfg_obj_asboolean(obj); - + obj = NULL; result = ns_config_get(maps, "dnssec-enable", &obj); INSIST(result == ISC_R_SUCCESS); @@ -1608,7 +1616,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, "name")); else vname = ""; - + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "zone '%s': wrong class for view '%s'", @@ -1968,7 +1976,7 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) { } ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE); - + clean: ns_listenlist_detach(&list); return; @@ -2042,7 +2050,7 @@ setstring(ns_server_t *server, char **field, const char *value) { *field = copy; return (ISC_R_SUCCESS); -} +} /* * Replace the current value of '*field', a dynamically allocated @@ -2084,7 +2092,7 @@ set_limit(const cfg_obj_t **maps, const char *configname, result = isc_resource_setlimit(resourceid, value); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, result == ISC_R_SUCCESS ? - ISC_LOG_DEBUG(3) : ISC_LOG_WARNING, + ISC_LOG_DEBUG(3) : ISC_LOG_WARNING, "set maximum %s to %" ISC_PRINT_QUADFORMAT "d: %s", description, value, isc_result_totext(result)); } @@ -2113,7 +2121,7 @@ portlist_fromconf(dns_portlist_t *portlist, unsigned int family, element = cfg_list_next(element)) { const cfg_obj_t *obj = cfg_listelt_value(element); in_port_t port = (in_port_t)cfg_obj_asuint32(obj); - + result = dns_portlist_add(portlist, family, port); if (result != ISC_R_SUCCESS) break; @@ -2151,7 +2159,7 @@ load_configuration(const char *filename, ns_server_t *server, /* Ensure exclusive access to configuration data. */ result = isc_task_beginexclusive(server->task); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + RUNTIME_CHECK(result == ISC_R_SUCCESS); /* * Parse the global default pseudo-config file. @@ -2203,6 +2211,15 @@ load_configuration(const char *filename, ns_server_t *server, } CHECK(result); + /* + * Check that the working directory is writable. + */ + if (access(".", W_OK) != 0) { + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_ERROR, + "the working directory is not writable"); + } + /* * Check the validity of the configuration. */ @@ -2664,7 +2681,7 @@ load_configuration(const char *filename, ns_server_t *server, ns_os_writepidfile(lwresd_g_defaultpidfile, first_time); else ns_os_writepidfile(ns_g_defaultpidfile, first_time); - + obj = NULL; if (options != NULL && cfg_map_get(options, "memstatistics-file", &obj) == ISC_R_SUCCESS) @@ -2798,7 +2815,7 @@ load_zones(ns_server_t *server, isc_boolean_t stop) { */ CHECK(dns_zonemgr_forcemaint(server->zonemgr)); cleanup: - isc_task_endexclusive(server->task); + isc_task_endexclusive(server->task); return (result); } @@ -2826,7 +2843,7 @@ load_new_zones(ns_server_t *server, isc_boolean_t stop) { */ dns_zonemgr_resumexfrs(server->zonemgr); cleanup: - isc_task_endexclusive(server->task); + isc_task_endexclusive(server->task); return (result); } @@ -2880,7 +2897,7 @@ run_server(isc_task_t *task, isc_event_t *event) { ISC_LOG_NOTICE, "running"); } -void +void ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) { REQUIRE(NS_SERVER_VALID(server)); @@ -3012,7 +3029,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { server->interface_timer = NULL; server->heartbeat_timer = NULL; - + server->interface_interval = 0; server->heartbeat_interval = 0; @@ -3035,7 +3052,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { server->hostname_set = ISC_FALSE; server->hostname = NULL; - server->version_set = ISC_FALSE; + server->version_set = ISC_FALSE; server->version = NULL; server->server_usehostname = ISC_FALSE; server->server_id = NULL; @@ -3191,7 +3208,7 @@ ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) { result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr, ns_g_taskmgr, &dispatch->addr, 4096, 1000, 32768, 16411, 16433, - attrs, attrmask, &dispatch->dispatch); + attrs, attrmask, &dispatch->dispatch); if (result != ISC_R_SUCCESS) goto cleanup; @@ -3294,7 +3311,7 @@ next_token(char **stringp, const char *delim) { break; } while (*res == '\0'); return (res); -} +} /* * Find the zone specified in the control channel command 'args', @@ -3352,14 +3369,14 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) { } else { rdclass = dns_rdataclass_in; } - + if (viewtxt == NULL) viewtxt = "_default"; result = dns_viewlist_find(&server->viewlist, viewtxt, rdclass, &view); if (result != ISC_R_SUCCESS) goto fail1; - + result = dns_zt_find(view->zonetable, dns_fixedname_name(&name), 0, NULL, zonep); /* Partial match? */ @@ -3378,7 +3395,7 @@ ns_server_retransfercommand(ns_server_t *server, char *args) { isc_result_t result; dns_zone_t *zone = NULL; dns_zonetype_t type; - + result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) return (result); @@ -3391,7 +3408,7 @@ ns_server_retransfercommand(ns_server_t *server, char *args) { result = ISC_R_NOTFOUND; dns_zone_detach(&zone); return (result); -} +} /* * Act on a "reload" command from the command channel. @@ -3402,7 +3419,7 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) { dns_zone_t *zone = NULL; dns_zonetype_t type; const char *msg = NULL; - + result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) return (result); @@ -3414,11 +3431,12 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) { type = dns_zone_gettype(zone); if (type == dns_zone_slave || type == dns_zone_stub) { dns_zone_refresh(zone); + dns_zone_detach(&zone); msg = "zone refresh queued"; } else { result = dns_zone_load(zone); dns_zone_detach(&zone); - switch (result) { + switch (result) { case ISC_R_SUCCESS: msg = "zone reload successful"; break; @@ -3440,7 +3458,7 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) { isc_buffer_putmem(text, (const unsigned char *)msg, strlen(msg) + 1); return (result); -} +} /* * Act on a "reconfig" command from the command channel. @@ -3478,17 +3496,17 @@ ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) { isc_buffer_putmem(text, msg1, sizeof(msg1)); return (ISC_R_SUCCESS); } - + dns_zone_detach(&zone); if (sizeof(msg2) <= isc_buffer_availablelength(text)) isc_buffer_putmem(text, msg2, sizeof(msg2)); return (ISC_R_FAILURE); -} +} isc_result_t ns_server_togglequerylog(ns_server_t *server) { server->log_queries = server->log_queries ? ISC_FALSE : ISC_TRUE; - + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, "query logging is now %s", @@ -3592,15 +3610,15 @@ ns_server_dumpstats(ns_server_t *server) { CHECKMF(isc_stdio_open(server->statsfile, "a", &fp), "could not open statistics dump file", server->statsfile); - + ncounters = DNS_STATS_NCOUNTERS; fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now); - + for (i = 0; i < ncounters; i++) fprintf(fp, "%s %" ISC_PRINT_QUADFORMAT "u\n", dns_statscounter_names[i], server->querystats[i]); - + zone = NULL; for (result = dns_zone_first(server->zonemgr, &zone); result == ISC_R_SUCCESS; @@ -3611,7 +3629,7 @@ ns_server_dumpstats(ns_server_t *server) { char zonename[DNS_NAME_FORMATSIZE]; dns_view_t *view; char *viewname; - + dns_name_format(dns_zone_getorigin(zone), zonename, sizeof(zonename)); view = dns_zone_getview(zone); @@ -3631,7 +3649,7 @@ ns_server_dumpstats(ns_server_t *server) { if (result == ISC_R_NOMORE) result = ISC_R_SUCCESS; CHECK(result); - + fprintf(fp, "--- Statistics Dump --- (%lu)\n", (unsigned long)now); cleanup: @@ -3659,7 +3677,7 @@ static isc_result_t add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) { struct viewlistentry *vle; isc_result_t result = ISC_R_SUCCESS; - + /* * Prevent duplicate views. */ @@ -3722,7 +3740,7 @@ dumpdone(void *arg, isc_result_t result) { struct dumpcontext *dctx = arg; char buf[1024+32]; const dns_master_style_t *style; - + if (result != ISC_R_SUCCESS) goto cleanup; if (dctx->mdctx != NULL) @@ -3879,7 +3897,7 @@ ns_server_dumpdb(ns_server_t *server, char *args) { dctx->dumpzones = ISC_TRUE; dctx->dumpcache = ISC_FALSE; ptr = next_token(&args, " \t"); - } + } nextview: for (view = ISC_LIST_HEAD(server->viewlist); @@ -3954,7 +3972,8 @@ isc_result_t ns_server_flushcache(ns_server_t *server, char *args) { char *ptr, *viewname; dns_view_t *view; - isc_boolean_t flushed = ISC_FALSE; + isc_boolean_t flushed; + isc_boolean_t found; isc_result_t result; /* Skip the command name. */ @@ -3967,23 +3986,28 @@ ns_server_flushcache(ns_server_t *server, char *args) { result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); + flushed = ISC_TRUE; + found = ISC_FALSE; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { if (viewname != NULL && strcasecmp(viewname, view->name) != 0) continue; + found = ISC_TRUE; result = dns_view_flushcache(view); if (result != ISC_R_SUCCESS) - goto out; - flushed = ISC_TRUE; + flushed = ISC_FALSE; } - if (flushed) + if (flushed && found) { result = ISC_R_SUCCESS; - else - result = ISC_R_FAILURE; - out: - isc_task_endexclusive(server->task); + } else { + if (!found) + result = ISC_R_NOTFOUND; + else + result = ISC_R_FAILURE; + } + isc_task_endexclusive(server->task); return (result); } @@ -3991,7 +4015,8 @@ isc_result_t ns_server_flushname(ns_server_t *server, char *args) { char *ptr, *target, *viewname; dns_view_t *view; - isc_boolean_t flushed = ISC_FALSE; + isc_boolean_t flushed; + isc_boolean_t found; isc_result_t result; isc_buffer_t b; dns_fixedname_t fixed; @@ -4021,21 +4046,25 @@ ns_server_flushname(ns_server_t *server, char *args) { result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); flushed = ISC_TRUE; + found = ISC_FALSE; for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { if (viewname != NULL && strcasecmp(viewname, view->name) != 0) continue; + found = ISC_TRUE; result = dns_view_flushname(view, name); if (result != ISC_R_SUCCESS) flushed = ISC_FALSE; } - if (flushed) + if (flushed && found) result = ISC_R_SUCCESS; + else if (!found) + result = ISC_R_NOTFOUND; else result = ISC_R_FAILURE; - isc_task_endexclusive(server->task); + isc_task_endexclusive(server->task); return (result); } @@ -4086,7 +4115,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) { char *journal; const char *vname, *sep; isc_boolean_t frozen; - + result = zone_from_args(server, args, &zone); if (result != ISC_R_SUCCESS) return (result); diff --git a/bin/named/sortlist.c b/bin/named/sortlist.c index 0feba3bbee82a..d6691c89a991e 100644 --- a/bin/named/sortlist.c +++ b/bin/named/sortlist.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sortlist.c,v 1.5.12.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: sortlist.c,v 1.5.12.9 2007/08/28 07:19:08 tbox Exp $ */ #include diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c index a90438d85efe0..a9005e25bd3f0 100644 --- a/bin/named/tsigconf.c +++ b/bin/named/tsigconf.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tsigconf.c,v 1.21.208.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: tsigconf.c,v 1.21.208.9 2007/08/28 07:19:08 tbox Exp $ */ #include diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in index 60ce968865dcb..fc68927a3ba1e 100644 --- a/bin/named/unix/Makefile.in +++ b/bin/named/unix/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 1999-2001 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1999-2001, 2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.6.12.3 2004/03/08 09:04:15 marka Exp $ +# $Id: Makefile.in,v 1.6.12.6 2007/08/28 07:19:08 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/bin/named/unix/include/named/os.h b/bin/named/unix/include/named/os.h index 03baee57ea484..1c4bec0707272 100644 --- a/bin/named/unix/include/named/os.h +++ b/bin/named/unix/include/named/os.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.h,v 1.14.2.2.8.9 2004/09/29 06:36:44 marka Exp $ */ +/* $Id: os.h,v 1.14.2.2.8.12 2007/08/28 07:19:08 tbox Exp $ */ #ifndef NS_OS_H #define NS_OS_H 1 diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c index 361d1b63639f7..f8026660391ea 100644 --- a/bin/named/unix/os.c +++ b/bin/named/unix/os.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.46.2.4.8.24 2006/02/03 23:51:37 marka Exp $ */ +/* $Id: os.c,v 1.46.2.4.8.30 2008/01/17 23:45:27 tbox Exp $ */ #include #include @@ -324,7 +324,7 @@ ns_os_daemonize(void) { /* * Wait for the child to finish loading for the first time. * This would be so much simpler if fork() worked once we - * were multi-threaded. + * were multi-threaded. */ (void)close(dfd[1]); do { @@ -494,15 +494,19 @@ ns_os_changeuser(void) { ns_main_earlyfatal("setuid(): %s", strbuf); } -#if defined(HAVE_LINUX_CAPABILITY_H) && !defined(HAVE_LINUXTHREADS) - linux_minprivs(); -#endif #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE) /* * Restore the ability of named to drop core after the setuid() * call has disabled it. */ - prctl(PR_SET_DUMPABLE,1,0,0,0); + if (prctl(PR_SET_DUMPABLE,1,0,0,0) < 0) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + ns_main_earlywarning("prctl(PR_SET_DUMPABLE) failed: %s", + strbuf); + } +#endif +#if defined(HAVE_LINUX_CAPABILITY_H) && !defined(HAVE_LINUXTHREADS) + linux_minprivs(); #endif } @@ -663,7 +667,7 @@ ns_os_shutdownmsg(char *command, isc_buffer_t *text) { ptr = next_token(&input, " \t"); if (ptr == NULL) return; - + if (strcmp(ptr, "-p") != 0) return; diff --git a/bin/named/update.c b/bin/named/update.c index fa0ddb01049ac..6733d76902b1c 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.88.2.5.2.29 2006/01/06 00:01:42 marka Exp $ */ +/* $Id: update.c,v 1.88.2.5.2.35 2008/01/17 23:45:27 tbox Exp $ */ #include @@ -112,7 +112,7 @@ } \ update_log(client, zone, LOGLEVEL_PROTOCOL, \ "update %s: %s (%s)", _what, \ - msg, isc_result_totext(result)); \ + msg, isc_result_totext(result)); \ if (result != ISC_R_SUCCESS) goto failure; \ } while (0) @@ -401,7 +401,7 @@ foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) { result = dns_rdataset_next(rdataset)) { rr_t rr = { 0, DNS_RDATA_INIT }; - + dns_rdataset_current(rdataset, &rr.rdata); rr.ttl = rdataset->ttl; result = (*ctx->rr_action)(ctx->rr_action_data, &rr); @@ -841,10 +841,14 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, /* A new unique name begins here. */ node = NULL; result = dns_db_findnode(db, name, ISC_FALSE, &node); - if (result == ISC_R_NOTFOUND) + if (result == ISC_R_NOTFOUND) { + dns_diff_clear(&trash); return (DNS_R_NXRRSET); - if (result != ISC_R_SUCCESS) + } + if (result != ISC_R_SUCCESS) { + dns_diff_clear(&trash); return (result); + } /* A new unique type begins here. */ while (t != NULL && dns_name_equal(&t->name, name)) { @@ -852,7 +856,7 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, dns_rdataset_t rdataset; dns_diff_t d_rrs; /* Database RRs with this name and type */ - dns_diff_t u_rrs; /* Update RRs with + dns_diff_t u_rrs; /* Update RRs with this name and type */ *typep = type = t->rdata.type; @@ -872,6 +876,7 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, &rdataset, NULL); if (result != ISC_R_SUCCESS) { dns_db_detachnode(db, &node); + dns_diff_clear(&trash); return (DNS_R_NXRRSET); } @@ -1117,7 +1122,7 @@ typedef struct { static isc_result_t add_rr_prepare_action(void *data, rr_t *rr) { - isc_result_t result = ISC_R_SUCCESS; + isc_result_t result = ISC_R_SUCCESS; add_rr_prepare_ctx_t *ctx = data; dns_difftuple_t *tuple = NULL; isc_boolean_t equal; @@ -1631,6 +1636,8 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_db_detachnode(db, &node); for (i = 0; i < nkeys; i++) { + if (!dst_key_isprivate(keys[i])) + continue; /* Calculate the signature, creating a RRSIG RDATA. */ CHECK(dns_dnssec_sign(name, &rdataset, keys[i], &inception, &expire, @@ -1710,7 +1717,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node)); dns_rdataset_init(&rdataset); CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0, - (isc_stdtime_t) 0, &rdataset, NULL)); + (isc_stdtime_t) 0, &rdataset, NULL)); CHECK(dns_rdataset_first(&rdataset)); dns_rdataset_current(&rdataset, &rdata); CHECK(dns_rdata_tostruct(&rdata, &soa, NULL)); @@ -2306,7 +2313,7 @@ update_action(isc_task_t *task, isc_event_t *event) { else if (client->signer == NULL) CHECK(checkupdateacl(client, NULL, "update", zonename, ISC_FALSE)); - + if (dns_zone_getupdatedisabled(zone)) FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled"); @@ -2701,7 +2708,7 @@ update_action(isc_task_t *task, isc_event_t *event) { * The reason for failure should have been logged at this point. */ if (ver != NULL) { - update_log(client, zone, LOGLEVEL_DEBUG, + update_log(client, zone, LOGLEVEL_DEBUG, "rolling back"); dns_db_closeversion(db, &ver, ISC_FALSE); } @@ -2753,7 +2760,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) { static void forward_fail(isc_task_t *task, isc_event_t *event) { - ns_client_t *client = (ns_client_t *)event->ev_arg; + ns_client_t *client = (ns_client_t *)event->ev_arg; UNUSED(task); diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in index 2652628768da8..3474f7cfa06c0 100644 --- a/bin/nsupdate/Makefile.in +++ b/bin/nsupdate/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2000-2002 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.15.12.10 2004/07/20 07:01:49 marka Exp $ +# $Id: Makefile.in,v 1.15.12.13 2007/08/28 07:19:08 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/bin/nsupdate/nsupdate.8 b/bin/nsupdate/nsupdate.8 index 7e254e0e2eaeb..5d608e3565afd 100644 --- a/bin/nsupdate/nsupdate.8 +++ b/bin/nsupdate/nsupdate.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: nsupdate.8,v 1.24.2.2.2.9 2006/06/29 13:02:30 marka Exp $ +.\" $Id: nsupdate.8,v 1.24.2.2.2.13 2007/05/09 03:32:36 marka Exp $ .\" .hy 0 .ad l .\" Title: nsupdate .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -55,7 +55,7 @@ operate in debug mode. This provides tracing information about the update reques .PP Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931. TSIG relies on a shared secret that should only be known to \fBnsupdate\fR -and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance suitable +and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable \fBkey\fR and \fBserver\fR @@ -106,15 +106,15 @@ use a TCP connection. This may be preferable when a batch of update requests is .PP The \fB\-t\fR -option sets the maximum time a update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout. +option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout. .PP The \fB\-u\fR -option sets the UDP retry interval. The default is 3 seconds. If zero the interval will be computed from the timeout interval and number of UDP retries. +option sets the UDP retry interval. The default is 3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries. .PP The \fB\-r\fR -option sets the number of UDP retries. The default is 3. If zero only one update request will be made. +option sets the number of UDP retries. The default is 3. If zero, only one update request will be made. .SH "INPUT FORMAT" .PP \fBnsupdate\fR @@ -127,8 +127,9 @@ Every update request consists of zero or more prerequisites and zero or more upd command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server. .PP The command formats and their meaning are as follows: -.TP 3n -.HP 7 \fBserver\fR {servername} [port] +.PP +\fBserver\fR {servername} [port] +.RS 4 Sends all dynamic update requests to the name server \fIservername\fR. When no server statement is provided, \fBnsupdate\fR @@ -137,31 +138,39 @@ will send updates to the master server of the correct zone. The MNAME field of t is the port number on \fIservername\fR where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used. -.TP 3n -.HP 6 \fBlocal\fR {address} [port] +.RE +.PP +\fBlocal\fR {address} [port] +.RS 4 Sends all dynamic update requests using the local \fIaddress\fR. When no local statement is provided, \fBnsupdate\fR will send updates using an address and port chosen by the system. \fIport\fR can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. -.TP 3n -.HP 5 \fBzone\fR {zonename} +.RE +.PP +\fBzone\fR {zonename} +.RS 4 Specifies that all updates are to be made to the zone \fIzonename\fR. If no \fIzone\fR statement is provided, \fBnsupdate\fR will attempt determine the correct zone to update based on the rest of the input. -.TP 3n -.HP 6 \fBclass\fR {classname} +.RE +.PP +\fBclass\fR {classname} +.RS 4 Specify the default class. If no \fIclass\fR -is specified the default class is +is specified, the default class is \fIIN\fR. -.TP 3n -.HP 4 \fBkey\fR {name} {secret} -Specifies that all updates are to be TSIG signed using the +.RE +.PP +\fBkey\fR {name} {secret} +.RS 4 +Specifies that all updates are to be TSIG\-signed using the \fIkeyname\fR \fIkeysecret\fR pair. The @@ -170,17 +179,23 @@ command overrides any key specified on the command line via \fB\-y\fR or \fB\-k\fR. -.TP 3n -.HP 16 \fBprereq nxdomain\fR {domain\-name} +.RE +.PP +\fBprereq nxdomain\fR {domain\-name} +.RS 4 Requires that no resource record of any type exists with name \fIdomain\-name\fR. -.TP 3n -.HP 16 \fBprereq yxdomain\fR {domain\-name} +.RE +.PP +\fBprereq yxdomain\fR {domain\-name} +.RS 4 Requires that \fIdomain\-name\fR exists (has as at least one resource record, of any type). -.TP 3n -.HP 15 \fBprereq nxrrset\fR {domain\-name} [class] {type} +.RE +.PP +\fBprereq nxrrset\fR {domain\-name} [class] {type} +.RS 4 Requires that no resource record exists of the specified \fItype\fR, \fIclass\fR @@ -188,8 +203,10 @@ and \fIdomain\-name\fR. If \fIclass\fR is omitted, IN (internet) is assumed. -.TP 3n -.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} +.RE +.PP +\fBprereq yxrrset\fR {domain\-name} [class] {type} +.RS 4 This requires that a resource record of the specified \fItype\fR, \fIclass\fR @@ -198,8 +215,10 @@ and must exist. If \fIclass\fR is omitted, IN (internet) is assumed. -.TP 3n -.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} {data...} +.RE +.PP +\fBprereq yxrrset\fR {domain\-name} [class] {type} {data...} +.RS 4 The \fIdata\fR from each set of prerequisites of this form sharing a common @@ -212,8 +231,10 @@ are combined to form a set of RRs. This set of RRs must exactly match the set of \fIdomain\-name\fR. The \fIdata\fR are written in the standard text representation of the resource record's RDATA. -.TP 3n -.HP 14 \fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]] +.RE +.PP +\fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]] +.RS 4 Deletes any resource records named \fIdomain\-name\fR. If \fItype\fR @@ -224,22 +245,31 @@ is provided, only matching resource records will be removed. The internet class is not supplied. The \fIttl\fR is ignored, and is only allowed for compatibility. -.TP 3n -.HP 11 \fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...} +.RE +.PP +\fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...} +.RS 4 Adds a new resource record with the specified \fIttl\fR, \fIclass\fR and \fIdata\fR. -.TP 3n -.HP 5 \fBshow\fR +.RE +.PP +\fBshow\fR +.RS 4 Displays the current message, containing all of the prerequisites and updates specified since the last send. -.TP 3n -.HP 5 \fBsend\fR +.RE +.PP +\fBsend\fR +.RS 4 Sends the current message. This is equivalent to entering a blank line. -.TP 3n -.HP 7 \fBanswer\fR +.RE +.PP +\fBanswer\fR +.RS 4 Displays the answer. +.RE .PP Lines beginning with a semicolon are comments and are ignored. .SH "EXAMPLES" @@ -251,7 +281,7 @@ could be used to insert and delete resource records from the zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for \fBexample.com\fR. .sp -.RS 3n +.RS 4 .nf # nsupdate > update delete oldhost.example.com A @@ -263,11 +293,11 @@ zone. Notice that the input in each example contains a trailing blank line so th .PP Any A records for \fBoldhost.example.com\fR -are deleted. and an A record for +are deleted. And an A record for \fBnewhost.example.com\fR -it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds) +with IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds). .sp -.RS 3n +.RS 4 .nf # nsupdate > prereq nxdomain nickname.example.com @@ -280,17 +310,23 @@ it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (8640 The prerequisite condition gets the name server to check that there are no resource records of any type for \fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.) .SH "FILES" -.TP 3n +.PP \fB/etc/resolv.conf\fR +.RS 4 used to identify default name server -.TP 3n +.RE +.PP \fBK{name}.+157.+{random}.key\fR +.RS 4 base\-64 encoding of HMAC\-MD5 key created by \fBdnssec\-keygen\fR(8). -.TP 3n +.RE +.PP \fBK{name}.+157.+{random}.private\fR +.RS 4 base\-64 encoding of HMAC\-MD5 key created by \fBdnssec\-keygen\fR(8). +.RE .SH "SEE ALSO" .PP \fBRFC2136\fR(), @@ -306,4 +342,7 @@ base\-64 encoding of HMAC\-MD5 key created by .PP The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases. .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000\-2003 Internet Software Consortium. +.br diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 107d85f980399..6c9fdc15e8fba 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsupdate.c,v 1.103.2.15.2.23 2006/06/09 07:29:24 marka Exp $ */ +/* $Id: nsupdate.c,v 1.103.2.15.2.30 2008/01/17 23:45:27 tbox Exp $ */ #include @@ -159,6 +159,9 @@ debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); static void ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); +static void +error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); + #define STATUS_MORE (isc_uint16_t)0 #define STATUS_SEND (isc_uint16_t)1 #define STATUS_QUIT (isc_uint16_t)2 @@ -192,6 +195,16 @@ fatal(const char *format, ...) { exit(1); } +static void +error(const char *format, ...) { + va_list args; + + va_start(args, format); + vfprintf(stderr, format, args); + va_end(args); + fprintf(stderr, "\n"); +} + static void debug(const char *format, ...) { va_list args; @@ -1025,7 +1038,7 @@ evaluate_key(char *cmdline) { secret = isc_mem_allocate(mctx, secretlen); if (secret == NULL) fatal("out of memory"); - + isc_buffer_init(&secretbuf, secret, secretlen); result = isc_base64_decodestring(secretstr, &secretbuf); if (result != ISC_R_SUCCESS) { @@ -1091,8 +1104,8 @@ evaluate_class(char *cmdline) { } r.base = word; - r.length = strlen(word); - result = dns_rdataclass_fromtext(&rdclass, &r); + r.length = strlen(word); + result = dns_rdataclass_fromtext(&rdclass, &r); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not parse class name: %s\n", word); return (STATUS_SYNTAX); @@ -1276,8 +1289,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) { failure: if (name != NULL) dns_message_puttempname(updatemsg, &name); - if (rdata != NULL) - dns_message_puttemprdata(updatemsg, &rdata); + dns_message_puttemprdata(updatemsg, &rdata); return (STATUS_SYNTAX); } @@ -1311,7 +1323,7 @@ show_message(dns_message_t *msg) { ddebug("show_message()"); bufsz = INITTEXT; - do { + do { if (bufsz > MAXTEXT) { fprintf(stderr, "could not allocate large enough " "buffer to display message\n"); @@ -1396,8 +1408,11 @@ user_interaction(void) { isc_uint16_t result = STATUS_MORE; ddebug("user_interaction()"); - while ((result == STATUS_MORE) || (result == STATUS_SYNTAX)) + while ((result == STATUS_MORE) || (result == STATUS_SYNTAX)) { result = get_next_command(); + if (!interactive && result == STATUS_SYNTAX) + fatal("syntax error"); + } if (result == STATUS_SEND) return (ISC_TRUE); return (ISC_FALSE); @@ -1490,7 +1505,7 @@ update_completed(isc_task_t *task, isc_event_t *event) { char buf[64]; isc_buffer_t b; dns_rdataset_t *rds; - + isc_buffer_init(&b, buf, sizeof(buf) - 1); result = dns_rcode_totext(answer->rcode, &b); check_result(result, "dns_rcode_totext"); @@ -1506,7 +1521,7 @@ update_completed(isc_task_t *task, isc_event_t *event) { int bufsz; bufsz = INITTEXT; - do { + do { if (bufsz > MAXTEXT) { fprintf(stderr, "could not allocate large " "enough buffer to display message\n"); @@ -1605,7 +1620,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) { ddebug("recvsoa()"); requests--; - + REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE); reqev = (dns_requestevent_t *)event; request = reqev->request; @@ -1643,8 +1658,9 @@ recvsoa(isc_task_t *task, isc_event_t *event) { setzoneclass(dns_rdataclass_none); return; } - isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t)); + isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t)); + reqinfo = NULL; isc_event_free(&event); reqev = NULL; @@ -1703,12 +1719,25 @@ recvsoa(isc_task_t *task, isc_event_t *event) { rcvmsg->rcode != dns_rcode_nxdomain) fatal("response to SOA query was unsuccessful"); + if (userzone != NULL && rcvmsg->rcode == dns_rcode_nxdomain) { + char namebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(userzone, namebuf, sizeof(namebuf)); + error("specified zone '%s' does not exist (NXDOMAIN)", + namebuf); + dns_message_destroy(&rcvmsg); + dns_request_destroy(&request); + dns_message_destroy(&soaquery); + ddebug("Out of recvsoa"); + done_update(); + return; + } + lookforsoa: if (pass == 0) section = DNS_SECTION_ANSWER; else if (pass == 1) section = DNS_SECTION_AUTHORITY; - else + else goto droplabel; result = dns_message_firstname(rcvmsg, section); @@ -1737,7 +1766,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) { break; } } - + result = dns_message_nextname(rcvmsg, section); } @@ -1802,7 +1831,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) { dns_message_destroy(&rcvmsg); ddebug("Out of recvsoa"); return; - + droplabel: result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION); INSIST(result == ISC_R_SUCCESS); @@ -1859,15 +1888,6 @@ start_update(void) { if (answer != NULL) dns_message_destroy(&answer); - result = dns_message_firstname(updatemsg, section); - if (result == ISC_R_NOMORE) { - section = DNS_SECTION_PREREQUISITE; - result = dns_message_firstname(updatemsg, section); - } - if (result != ISC_R_SUCCESS) { - done_update(); - return; - } if (userzone != NULL && userserver != NULL) { send_update(userzone, userserver, localaddr); @@ -1879,7 +1899,8 @@ start_update(void) { &soaquery); check_result(result, "dns_message_create"); - soaquery->flags |= DNS_MESSAGEFLAG_RD; + if (userserver == NULL) + soaquery->flags |= DNS_MESSAGEFLAG_RD; result = dns_message_gettempname(soaquery, &name); check_result(result, "dns_message_gettempname"); @@ -1889,10 +1910,24 @@ start_update(void) { dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa); - firstname = NULL; - dns_message_currentname(updatemsg, section, &firstname); - dns_name_init(name, NULL); - dns_name_clone(firstname, name); + if (userzone != NULL) { + dns_name_init(name, NULL); + dns_name_clone(userzone, name); + } else { + result = dns_message_firstname(updatemsg, section); + if (result == ISC_R_NOMORE) { + section = DNS_SECTION_PREREQUISITE; + result = dns_message_firstname(updatemsg, section); + } + if (result != ISC_R_SUCCESS) { + done_update(); + return; + } + firstname = NULL; + dns_message_currentname(updatemsg, section, &firstname); + dns_name_init(name, NULL); + dns_name_clone(firstname, name); + } ISC_LIST_INIT(name->list); ISC_LIST_APPEND(name->list, rdataset, link); diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook index 7a2b4cfb7dd75..f45ec143bbd55 100644 --- a/bin/nsupdate/nsupdate.docbook +++ b/bin/nsupdate/nsupdate.docbook @@ -1,11 +1,11 @@ -]> - + @@ -34,6 +34,8 @@ 2004 2005 + 2006 + 2007 Internet Systems Consortium, Inc. ("ISC") @@ -111,7 +113,7 @@ HMAC-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. -For instance suitable +For instance, suitable key and server @@ -183,16 +185,16 @@ option makes use a TCP connection. This may be preferable when a batch of update requests is made. -The option sets the maximum time a update request can +The option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout. The option sets the UDP retry interval. The default is -3 seconds. If zero the interval will be computed from the timeout interval +3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries. The option sets the number of UDP retries. The default is -3. If zero only one update request will be made. +3. If zero, only one update request will be made. @@ -225,11 +227,9 @@ name server. The command formats and their meaning are as follows: - server servername port - @@ -251,11 +251,9 @@ used. - local address port - @@ -273,10 +271,8 @@ If no port number is specified, the system will assign one. - zone zonename - @@ -292,30 +288,26 @@ will attempt determine the correct zone to update based on the rest of the input - class classname - Specify the default class. -If no class is specified the default class is +If no class is specified, the default class is IN. - key name secret - -Specifies that all updates are to be TSIG signed using the +Specifies that all updates are to be TSIG-signed using the keyname keysecret pair. The key command overrides any key specified on the command line via @@ -325,10 +317,8 @@ overrides any key specified on the command line via - prereq nxdomain domain-name - @@ -340,10 +330,8 @@ Requires that no resource record of any type exists with name - prereq yxdomain domain-name - @@ -355,12 +343,10 @@ exists (has as at least one resource record, of any type). - prereq nxrrset domain-name class type - @@ -378,12 +364,10 @@ is omitted, IN (internet) is assumed. - prereq yxrrset domain-name class type - @@ -401,13 +385,11 @@ is omitted, IN (internet) is assumed. - prereq yxrrset domain-name class type data - @@ -435,13 +417,11 @@ RDATA. - update delete domain-name ttl class type data - @@ -462,14 +442,12 @@ is ignored, and is only allowed for compatibility. - update add domain-name ttl class type data - @@ -483,9 +461,7 @@ and - show - @@ -496,9 +472,7 @@ updates specified since the last send. - send - @@ -508,9 +482,7 @@ Sends the current message. This is equivalent to entering a blank line. - answer - @@ -552,10 +524,10 @@ master name server for Any A records for oldhost.example.com are deleted. -and an A record for +And an A record for newhost.example.com -it IP address 172.16.1.1 is added. -The newly-added record has a 1 day TTL (86400 seconds) +with IP address 172.16.1.1 is added. +The newly-added record has a 1 day TTL (86400 seconds). # nsupdate > prereq nxdomain nickname.example.com diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html index 4df8280ce8634..009942d11b4e2 100644 --- a/bin/nsupdate/nsupdate.html +++ b/bin/nsupdate/nsupdate.html @@ -1,5 +1,5 @@ - + nsupdate - +
-
+

Name

nsupdate — Dynamic DNS update utility

@@ -32,7 +32,7 @@

nsupdate [-d] [[-y keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-v] [filename]

-

DESCRIPTION

+

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 @@ -77,7 +77,7 @@ HMAC-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. -For instance suitable +For instance, suitable key and server @@ -147,20 +147,20 @@ option makes use a TCP connection. This may be preferable when a batch of update requests is made.

-

The -t option sets the maximum time a update request can +

The -t option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.

The -u option sets the UDP retry interval. The default is -3 seconds. If zero the interval will be computed from the timeout interval +3 seconds. If zero, the interval will be computed from the timeout interval and number of UDP retries.

The -r option sets the number of UDP retries. The default is -3. If zero only one update request will be made. +3. If zero, only one update request will be made.

-

INPUT FORMAT

+

INPUT FORMAT

nsupdate reads input from @@ -189,7 +189,9 @@ The command formats and their meaning are as follows:

-

server {servername} [port]

+server + {servername} + [port]

Sends all dynamic update requests to the name server @@ -207,7 +209,9 @@ If no port number is specified, the default DNS port number of 53 is used.

-

local {address} [port]

+local + {address} + [port]

Sends all dynamic update requests using the local @@ -221,7 +225,8 @@ can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.

-

zone {zonename}

+zone + {zonename}

Specifies that all updates are to be made to the zone @@ -233,32 +238,37 @@ statement is provided, will attempt determine the correct zone to update based on the rest of the input.

-

class {classname}

+class + {classname}

Specify the default class. -If no class is specified the default class is +If no class is specified, the default class is IN.

-

key {name} {secret}

+key + {name} + {secret}

-Specifies that all updates are to be TSIG signed using the +Specifies that all updates are to be TSIG-signed using the keyname keysecret pair. The key command overrides any key specified on the command line via -y or -k.

-

prereq nxdomain {domain-name}

+prereq nxdomain + {domain-name}

Requires that no resource record of any type exists with name domain-name.

-

prereq yxdomain {domain-name}

+prereq yxdomain + {domain-name}

Requires that @@ -266,7 +276,10 @@ Requires that exists (has as at least one resource record, of any type).

-

prereq nxrrset {domain-name} [class] {type}

+prereq nxrrset + {domain-name} + [class] + {type}

Requires that no resource record exists of the specified @@ -279,7 +292,10 @@ If is omitted, IN (internet) is assumed.

-

prereq yxrrset {domain-name} [class] {type}

+prereq yxrrset + {domain-name} + [class] + {type}

This requires that a resource record of the specified @@ -293,7 +309,11 @@ If is omitted, IN (internet) is assumed.

-

prereq yxrrset {domain-name} [class] {type} {data...}

+prereq yxrrset + {domain-name} + [class] + {type} + {data...}

The @@ -317,7 +337,11 @@ are written in the standard text representation of the resource record's RDATA.

-

update delete {domain-name} [ttl] [class] [type [data...]]

+update delete + {domain-name} + [ttl] + [class] + [type [data...]]

Deletes any resource records named @@ -334,7 +358,12 @@ is not supplied. The is ignored, and is only allowed for compatibility.

-

update add {domain-name} {ttl} [class] {type} {data...}

+update add + {domain-name} + {ttl} + [class] + {type} + {data...}

Adds a new resource record with the specified @@ -344,20 +373,20 @@ and data.

-

show

+show

Displays the current message, containing all of the prerequisites and updates specified since the last send.

-

send

+send

Sends the current message. This is equivalent to entering a blank line.

-

answer

+answer

Displays the answer. @@ -370,7 +399,7 @@ Lines beginning with a semicolon are comments and are ignored.

-

EXAMPLES

+

EXAMPLES

The examples below show how nsupdate @@ -395,10 +424,10 @@ master name server for Any A records for oldhost.example.com are deleted. -and an A record for +And an A record for newhost.example.com -it IP address 172.16.1.1 is added. -The newly-added record has a 1 day TTL (86400 seconds) +with IP address 172.16.1.1 is added. +The newly-added record has a 1 day TTL (86400 seconds). 

 # nsupdate
@@ -423,7 +452,7 @@ RRSIG, DNSKEY and NSEC records.)
-

FILES

+

FILES

/etc/resolv.conf

@@ -442,7 +471,7 @@ base-64 encoding of HMAC-MD5 key created by

-

SEE ALSO

+

SEE ALSO

RFC2136, RFC3007, @@ -456,7 +485,7 @@ base-64 encoding of HMAC-MD5 key created by

-

BUGS

+

BUGS

The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in index e6773151126b8..ffa0e8fb508da 100644 --- a/bin/rndc/Makefile.in +++ b/bin/rndc/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2000-2002 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.32.2.3.8.8 2004/07/20 07:01:50 marka Exp $ +# $Id: Makefile.in,v 1.32.2.3.8.12 2007/08/28 07:19:08 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -47,6 +47,8 @@ RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${I CONFLIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} +SRCS= rndc.c rndc-confgen.c + SUBDIRS = unix TARGETS = rndc@EXEEXT@ rndc-confgen@EXEEXT@ diff --git a/bin/rndc/rndc-confgen.8 b/bin/rndc/rndc-confgen.8 index c6a421879b4be..fc69c3f0b0376 100644 --- a/bin/rndc/rndc-confgen.8 +++ b/bin/rndc/rndc-confgen.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2001, 2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: rndc-confgen.8,v 1.3.2.5.2.8 2006/06/29 13:02:31 marka Exp $ +.\" $Id: rndc-confgen.8,v 1.3.2.5.2.10 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: rndc\-confgen .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Aug 27, 2001 .\" Manual: BIND9 .\" Source: BIND9 @@ -56,8 +56,9 @@ file and a \fBcontrols\fR statement altogether. .SH "OPTIONS" -.TP 3n +.PP \-a +.RS 4 Do automatic \fBrndc\fR configuration. This creates a file @@ -100,31 +101,43 @@ option and set up a and \fInamed.conf\fR as directed. -.TP 3n +.RE +.PP \-b \fIkeysize\fR +.RS 4 Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128. -.TP 3n +.RE +.PP \-c \fIkeyfile\fR +.RS 4 Used with the \fB\-a\fR option to specify an alternate location for \fIrndc.key\fR. -.TP 3n +.RE +.PP \-h +.RS 4 Prints a short summary of the options and arguments to \fBrndc\-confgen\fR. -.TP 3n +.RE +.PP \-k \fIkeyname\fR +.RS 4 Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is \fBrndc\-key\fR. -.TP 3n +.RE +.PP \-p \fIport\fR +.RS 4 Specifies the command channel port where \fBnamed\fR listens for connections from \fBrndc\fR. The default is 953. -.TP 3n +.RE +.PP \-r \fIrandomfile\fR +.RS 4 Specifies a source of random data for generating the authorization. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input. @@ -132,14 +145,18 @@ or equivalent device, the default source of randomness is keyboard input. specifies the name of a character device or file containing random data to be used instead of the default. The special value \fIkeyboard\fR indicates that keyboard input should be used. -.TP 3n +.RE +.PP \-s \fIaddress\fR +.RS 4 Specifies the IP address where \fBnamed\fR listens for command channel connections from \fBrndc\fR. The default is the loopback address 127.0.0.1. -.TP 3n +.RE +.PP \-t \fIchrootdir\fR +.RS 4 Used with the \fB\-a\fR option to specify a directory where @@ -148,8 +165,10 @@ will run chrooted. An additional copy of the \fIrndc.key\fR will be written relative to this directory so that it will be found by the chrooted \fBnamed\fR. -.TP 3n +.RE +.PP \-u \fIuser\fR +.RS 4 Used with the \fB\-a\fR option to set the owner of the @@ -157,6 +176,7 @@ option to set the owner of the file generated. If \fB\-t\fR is also specified only the file in the chroot area has its owner changed. +.RE .SH "EXAMPLES" .PP To allow @@ -185,4 +205,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2001, 2003 Internet Software Consortium. +.br diff --git a/bin/rndc/rndc-confgen.docbook b/bin/rndc/rndc-confgen.docbook index e0c5a68cf6f65..6b49fd7ca0734 100644 --- a/bin/rndc/rndc-confgen.docbook +++ b/bin/rndc/rndc-confgen.docbook @@ -1,11 +1,11 @@ -]> - + @@ -35,6 +35,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html index 058cd56d1637f..cc04b7843b649 100644 --- a/bin/rndc/rndc-confgen.html +++ b/bin/rndc/rndc-confgen.html @@ -1,5 +1,5 @@ - + rndc-confgen - +

-
+

Name

rndc-confgen — rndc key generation tool

@@ -32,7 +32,7 @@

rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

-

DESCRIPTION

+

DESCRIPTION

rndc-confgen generates configuration files for rndc. It can be used as a @@ -48,7 +48,7 @@

-

OPTIONS

+

OPTIONS

-a
@@ -148,7 +148,7 @@
-

EXAMPLES

+

EXAMPLES

To allow rndc to be used with no manual configuration, run @@ -167,7 +167,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc.conf(5), @@ -176,7 +176,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8 index 04bd133f376f5..9b7a4e13793d9 100644 --- a/bin/rndc/rndc.8 +++ b/bin/rndc/rndc.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: rndc.8,v 1.24.206.6 2006/06/29 13:02:30 marka Exp $ +.\" $Id: rndc.8,v 1.24.206.12 2007/12/14 22:37:11 marka Exp $ .\" .hy 0 .ad l .\" Title: rndc .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -47,20 +47,22 @@ is invoked with no command line options or arguments, it prints a short summary communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of \fBrndc\fR and -\fBnamed\fR -named the only supported authentication algorithm is HMAC\-MD5, which uses a shared secret on each end of the connection. This provides TSIG\-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server. +\fBnamed\fR, the only supported authentication algorithm is HMAC\-MD5, which uses a shared secret on each end of the connection. This provides TSIG\-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server. .PP \fBrndc\fR reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use. .SH "OPTIONS" -.TP 3n +.PP \-c \fIconfig\-file\fR +.RS 4 Use \fIconfig\-file\fR as the configuration file instead of the default, \fI/etc/rndc.conf\fR. -.TP 3n +.RE +.PP \-k \fIkey\-file\fR +.RS 4 Use \fIkey\-file\fR as the key file instead of the default, @@ -69,30 +71,41 @@ as the key file instead of the default, will be used to authenticate commands sent to the server if the \fIconfig\-file\fR does not exist. -.TP 3n +.RE +.PP \-s \fIserver\fR +.RS 4 \fIserver\fR is the name or address of the server which matches a server statement in the configuration file for -\fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the option statement of the configuration file will be used. -.TP 3n +\fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the options statement of the +\fBrndc\fR +configuration file will be used. +.RE +.PP \-p \fIport\fR +.RS 4 Send commands to TCP port \fIport\fR instead of BIND 9's default control channel port, 953. -.TP 3n +.RE +.PP \-V +.RS 4 Enable verbose logging. -.TP 3n -\-y \fIkeyid\fR +.RE +.PP +\-y \fIkey_id\fR +.RS 4 Use the key -\fIkeyid\fR +\fIkey_id\fR from the configuration file. -\fIkeyid\fR +\fIkey_id\fR must be known by named with the same algorithm and secret string in order for control message validation to succeed. If no -\fIkeyid\fR +\fIkey_id\fR is specified, \fBrndc\fR will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default\-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers. It should therefore not have general read or write access. +.RE .PP For the complete set of commands supported by \fBrndc\fR, see the BIND 9 Administrator Reference Manual or run @@ -113,12 +126,16 @@ Several error messages could be clearer. .SH "SEE ALSO" .PP \fBrndc.conf\fR(5), +\fBrndc\-confgen\fR(8), \fBnamed\fR(8), -\fBnamed.conf\fR(5) +\fBnamed.conf\fR(5), \fBndc\fR(8), BIND 9 Administrator Reference Manual. .SH "AUTHOR" .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5 index 3a06a44cd0b82..d71cc50395c34 100644 --- a/bin/rndc/rndc.conf.5 +++ b/bin/rndc/rndc.conf.5 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: rndc.conf.5,v 1.21.206.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: rndc.conf.5,v 1.21.206.9 2007/05/09 03:32:36 marka Exp $ .\" .hy 0 .ad l .\" Title: \fIrndc.conf\fR .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: June 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -101,7 +101,7 @@ program, also known as does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each. .SH "EXAMPLE" .sp -.RS 3n +.RS 4 .nf options { default\-server localhost; @@ -128,7 +128,7 @@ To generate a random secret with .PP A complete \fIrndc.conf\fR -file, including the randomly generated key, will be written to the standard output. Commented out +file, including the randomly generated key, will be written to the standard output. Commented\-out \fBkey\fR and \fBcontrols\fR @@ -158,4 +158,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook index 16b9caf43cbe7..a1cc80a0f6c80 100644 --- a/bin/rndc/rndc.conf.docbook +++ b/bin/rndc/rndc.conf.docbook @@ -1,11 +1,11 @@ -]> - + @@ -35,6 +35,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") @@ -166,7 +167,7 @@ A complete rndc.conf file, including the randomly generated key, will be written to the standard - output. Commented out and + output. Commented-out and statements for named.conf are also printed. diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html index fefe616d8dc23..2bf728e106c6b 100644 --- a/bin/rndc/rndc.conf.html +++ b/bin/rndc/rndc.conf.html @@ -1,5 +1,5 @@ - + rndc.conf - +
-
+

Name

rndc.conf — rndc configuration file

@@ -32,7 +32,7 @@

rndc.conf

-

DESCRIPTION

+

DESCRIPTION

rndc.conf is the configuration file for rndc, the BIND 9 name server control @@ -105,7 +105,7 @@

-

EXAMPLE

+

EXAMPLE

     options {
         default-server  localhost;
@@ -139,7 +139,7 @@
 

         A complete rndc.conf file, including the
         randomly generated key, will be written to the standard
-        output.  Commented out key and
+        output.  Commented-out key and
         controls statements for
         named.conf are also printed.
     

@@ -151,7 +151,7 @@
-

NAME SERVER CONFIGURATION

+

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -161,7 +161,7 @@

-

SEE ALSO

+

SEE ALSO

rndc(8), rndc-confgen(8), @@ -170,7 +170,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook index afb88f5f6ea22..66658a9c02bbe 100644 --- a/bin/rndc/rndc.docbook +++ b/bin/rndc/rndc.docbook @@ -1,11 +1,11 @@ -]> - + @@ -35,6 +35,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") @@ -77,7 +78,7 @@ rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of - rndc and named named + rndc and named, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command @@ -124,14 +125,13 @@ -s server - - server is - the name or address of the server which matches a - server statement in the configuration file for - rndc. If no server is supplied on the - command line, the host named by the default-server clause - in the option statement of the configuration file will be - used. + server is + the name or address of the server which matches a + server statement in the configuration file for + rndc. If no server is supplied on the + command line, the host named by the default-server clause + in the options statement of the rndc + configuration file will be used. @@ -157,15 +157,15 @@ - -y keyid + -y key_id - Use the key keyid + Use the key key_id from the configuration file. - keyid must be + key_id must be known by named with the same algorithm and secret string in order for control message validation to succeed. - If no keyid + If no key_id is specified, rndc will first look for a key clause in the server statement of the server being used, or if no server statement is present for that @@ -210,6 +210,10 @@ rndc.conf 5 , + + rndc-confgen + 8 + , named 8 @@ -217,7 +221,7 @@ named.conf 5 - + , ndc 8 diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index 4dfd3188142d2..36a5eea5acfec 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -1,5 +1,5 @@ - + rndc - +
-
+

Name

rndc — name server control utility

@@ -32,7 +32,7 @@

rndc [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

-

DESCRIPTION

+

DESCRIPTION

rndc controls the operation of a name server. It supersedes the ndc utility @@ -46,7 +46,7 @@ rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of - rndc and named named + rndc and named, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command @@ -61,7 +61,7 @@

-

OPTIONS

+

OPTIONS

-c config-file

@@ -79,14 +79,13 @@ does not exist.

-s server
-

- server is - the name or address of the server which matches a - server statement in the configuration file for - rndc. If no server is supplied on the - command line, the host named by the default-server clause - in the option statement of the configuration file will be - used. +

server is + the name or address of the server which matches a + server statement in the configuration file for + rndc. If no server is supplied on the + command line, the host named by the default-server clause + in the options statement of the rndc + configuration file will be used.

-p port

@@ -98,14 +97,14 @@

Enable verbose logging.

-
-y keyid
+
-y key_id

- Use the key keyid + Use the key key_id from the configuration file. - keyid must be + key_id must be known by named with the same algorithm and secret string in order for control message validation to succeed. - If no keyid + If no key_id is specified, rndc will first look for a key clause in the server statement of the server being used, or if no server statement is present for that @@ -123,7 +122,7 @@

-

LIMITATIONS

+

LIMITATIONS

rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -137,17 +136,18 @@

-

SEE ALSO

+

SEE ALSO

rndc.conf(5), + rndc-confgen(8), named(8), - named.conf(5) + named.conf(5), ndc(8), BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

diff --git a/bin/rndc/unix/Makefile.in b/bin/rndc/unix/Makefile.in index 0409a188838f3..c233e3812db16 100644 --- a/bin/rndc/unix/Makefile.in +++ b/bin/rndc/unix/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001, 2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1.12.3 2004/03/08 04:04:24 marka Exp $ +# $Id: Makefile.in,v 1.1.12.6 2007/08/28 07:19:08 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/configure.in b/configure.in index 050a2722314c6..d4ea2bd2fe90a 100644 --- a/configure.in +++ b/configure.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.294.2.23.2.73 $) +AC_REVISION($Revision: 1.294.2.23.2.82 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.13) @@ -237,6 +237,7 @@ AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param AC_C_CONST AC_C_INLINE +AC_C_VOLATILE AC_CHECK_FUNC(sysctlbyname, AC_DEFINE(HAVE_SYSCTLBYNAME)) # @@ -420,6 +421,21 @@ case "$use_openssl" in *-hp-hpux*) DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto" ;; + *-apple-darwin*) + # + # Apple's ld seaches for serially for dynamic + # then static libraries. This means you can't + # use -L to override dynamic system libraries + # with static ones when linking. Instead + # we specify a absolute path. + # + if test -f "$use_openssl/lib/libcrypto.dylib" + then + DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto" + else + DNS_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a" + fi + ;; *) DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto" ;; @@ -466,16 +482,6 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)], [AC_MSG_RESULT(assuming it does work on target platform)] ) - AC_CHECK_FUNC(DH_generate_parameters, - AC_DEFINE(HAVE_DH_GENERATE_PARAMETERS, 1, - [Define if libcrypto has DH_generate_parameters])) - AC_CHECK_FUNC(RSA_generate_key, - AC_DEFINE(HAVE_RSA_GENERATE_KEY, 1, - [Define if libcrypto has RSA_generate_key])) - AC_CHECK_FUNC(DSA_generate_parameters, - AC_DEFINE(HAVE_DSA_GENERATE_PARAMETERS, 1, - [Define if libcrypto has DSA_generate_parameters])) - AC_ARG_ENABLE(openssl-version-check, [AC_HELP_STRING([--enable-openssl-version-check], [Check OpenSSL Version @<:@default=yes@:>@])]) @@ -1847,6 +1853,13 @@ case "$hack_shutup_stdargcast" in ;; esac +AC_CHECK_HEADERS(strings.h, + ISC_PLATFORM_HAVESTRINGSH="#define ISC_PLATFORM_HAVESTRINGSH 1" +, + ISC_PLATFORM_HAVESTRINGSH="#undef ISC_PLATFORM_HAVESTRINGSH" +) +AC_SUBST(ISC_PLATFORM_HAVESTRINGSH) + # # Check for if_nametoindex() for IPv6 scoped addresses support # @@ -1962,24 +1975,35 @@ fi AC_SUBST($1) ]) -# -# Look for Docbook-XSL stylesheets. Location probably varies by -# system. Guessing where it might be found, based on where SGML stuff -# lives on some systems. FreeBSD is the only one I'm sure of at the -# moment. -# - -docbook_xsl_trees="/usr/pkg/share/xsl /usr/local/share/xsl /usr/share/xsl" +# Look for Docbook-XSL stylesheets. Location probably varies by system. +# If it's not explicitly specified, guess where it might be found, based on +# where SGML stuff lives on some systems (FreeBSD is the only one we're sure +# of at the moment). +# +AC_MSG_CHECKING(for Docbook-XSL path) +AC_ARG_WITH(docbook-xsl, +[ --with-docbook-xsl=PATH Specify path for Docbook-XSL stylesheets], + docbook_path="$withval", docbook_path="auto") +case "$docbook_path" in +auto) + AC_MSG_RESULT(auto) + docbook_xsl_trees="/usr/pkg/share/xsl/docbook /usr/local/share/xsl/docbook /usr/share/xsl/docbook" + ;; +*) + docbook_xsl_trees="$withval" + AC_MSG_RESULT($docbook_xsl_trees) + ;; +esac # # Look for stylesheets we need. # -NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_HTML, docbook/html/docbook.xsl, $docbook_xsl_trees) -NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_XHTML, docbook/xhtml/docbook.xsl, $docbook_xsl_trees) -NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_MAN, docbook/manpages/docbook.xsl, $docbook_xsl_trees) -NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_HTML, docbook/html/chunk.xsl, $docbook_xsl_trees) -NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_XHTML, docbook/xhtml/chunk.xsl, $docbook_xsl_trees) +NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_HTML, html/docbook.xsl, $docbook_xsl_trees) +NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_XHTML, xhtml/docbook.xsl, $docbook_xsl_trees) +NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_MAN, manpages/docbook.xsl, $docbook_xsl_trees) +NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_HTML, html/chunk.xsl, $docbook_xsl_trees) +NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_XHTML, xhtml/chunk.xsl, $docbook_xsl_trees) # # Same dance for db2latex diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index bccb088a664a6..67f8c8973624e 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -1,11 +1,11 @@ -]> - + BIND 9 Administrator Reference Manual @@ -28,6 +28,8 @@ 2004 2005 2006 + 2007 + 2008 Internet Systems Consortium, Inc. ("ISC") @@ -79,8 +81,8 @@ addresses security considerations, and Section 8 contains troubleshooting help. The main body of the document is followed by several - Appendices which contain useful reference - information, such as a Bibliography and + appendices which contain useful reference + information, such as a bibliography and historic information related to BIND and the Domain Name System. @@ -148,7 +150,7 @@ describe: The Domain Name System (<acronym>DNS</acronym>) The purpose of this document is to explain the installation -and upkeep of the BIND software package, and we +and upkeep of the BIND (Berkeley Internet Name Domain) software package, and we begin by reviewing the fundamentals of the Domain Name System (DNS) as they relate to BIND. @@ -516,7 +518,8 @@ zone "eng.example.com" { Load Balancing A primitive form of load balancing can be achieved in -the DNS by using multiple A records for one name. +the DNS by using multiple records +(such as multiple A records) for one name. For example, if you have three WWW servers with network addresses of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the @@ -636,6 +639,8 @@ can be extended with the use of options. -t type -W timeout -R retries + -4 + -6 hostname server @@ -719,6 +724,11 @@ of a server. The remote name daemon control (rndc) program allows the system administrator to control the operation of a name server. + Since BIND 9.2, rndc + supports all the commands of the BIND 8 ndc + utility except ndc start and + ndc restart, which were also + not supported in ndc's channel mode. If you run rndc without any options it will display a usage message as follows: @@ -1121,7 +1131,8 @@ to allow internal networks that are behind filters or in RFC 1918 space (reserved IP space, as documented in RFC 1918) to resolve DNS on the Internet. Split DNS can also be used to allow mail from outside back in to the internal network. -Here is an example of a split DNS setup: + + Example split DNS setup Let's say a company named Example, Inc. (example.com) has several corporate sites that have an internal network with reserved @@ -1292,6 +1303,7 @@ nameserver 172.16.72.2 nameserver 172.16.72.3 nameserver 172.16.72.4 + TSIG This is a short guide to setting up Transaction SIGnatures @@ -1417,7 +1429,7 @@ allow-update { key host1-host2. ;}; outside of the allowed range, the response will be signed with the TSIG extended error code set to BADTIME, and the time values will be adjusted so that the response can be successfully - verified. In any of these cases, the message's rcode is set to + verified. In any of these cases, the message's rcode (response code) is set to NOTAUTH (not authenticated). @@ -1476,7 +1488,7 @@ allow-update { key host1-host2. ;}; Cryptographic authentication of DNS information is possible through the DNS Security (DNSSEC-bis) - extensions, defined in RFC 4033, RFC4034 and RFC4035. This + extensions, defined in RFC 4033, RFC4034, and RFC4035. This section describes the creation and use of DNSSEC signed zones. @@ -1525,7 +1537,7 @@ allow-update { key host1-host2. ;}; Two output files will be produced: Kchild.example.+005+12345.key and Kchild.example.+005+12345.private (where - 12345 is an example of a key tag). The key file names contain + 12345 is an example of a key tag). The key filenames contain the key name (child.example.), algorithm (3 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case). The private key (in the .private file) is @@ -1570,7 +1582,7 @@ allow-update { key host1-host2. ;}; dnssec-signzone will also produce a keyset and dsset files and optionally a dlvset file. These - are used to provide the parent zone administators with the + are used to provide the parent zone administrators with the DNSKEYs (or their corresponding DS records) that are the secure entry point to the zone. @@ -1857,7 +1869,7 @@ ambiguity, and need to be disambiguated. ip_port An IP port number. -number is limited to 0 through 65535, with values +The number is limited to 0 through 65535, with values below 1024 typically restricted to use by processes running as root. In some cases, an asterisk (`*') character can be used as a placeholder to select a random high-numbered port. @@ -1996,7 +2008,7 @@ other 1.2.3.* hosts fall through. Comment Syntax The BIND 9 comment syntax allows for comments to appear -anywhere that white space may appear in a BIND configuration +anywhere that whitespace may appear in a BIND configuration file. To appeal to programmers of all kinds, they can be written in the C, C++, or shell/perl style. @@ -2010,7 +2022,7 @@ in the C, C++, or shell/perl style. Definition and Usage -Comments may appear anywhere that white space may appear in +Comments may appear anywhere that whitespace may appear in a BIND configuration file. C-style comments start with the two characters /* (slash, star) and end with */ (star, slash). Because they are completely @@ -2305,7 +2317,7 @@ statement: controls { };. <command>include</command> Statement Grammar - include filename; + include filename; <command>include</command> Statement Definition and Usage @@ -2321,7 +2333,7 @@ statement: controls { };. <command>key</command> Statement Grammar -key key_id { +key key_id { algorithm string; secret string; }; @@ -2765,7 +2777,7 @@ statement in the named.conf file: The lwres statement configures the name server to also act as a lightweight resolver server. (See -.) There may be be multiple +.) There may be multiple lwres statements configuring lightweight resolver servers with different properties. @@ -2809,7 +2821,7 @@ to be easily used by multiple stub and slave zones. This is the grammar of the options statement in the named.conf file: -options { +options { version version_string; hostname hostname_string; server-id server_id_string; @@ -2822,6 +2834,7 @@ statement in the named.conf file: dump-file path_name; memstatistics-file path_name; pid-file path_name; + recursing-file path_name; statistics-file path_name; zone-statistics yes_or_no; auth-nxdomain yes_or_no; @@ -2994,11 +3007,24 @@ the database to when instructed to do so with rndc dumpdb. If not specified, the default is named_dump.db. -memstatistics-file -The pathname of the file the server writes memory -usage statistics to on exit. If not specified, -the default is named.memstats. - + + + memstatistics-file + + + The pathname of the file the server writes memory + usage statistics to on exit. If specified the + statistics will be written to the file on exit. + + + In BIND 9.5 and later this will + default to named.memstats. + BIND 9.5 will also introduce + memstatistics to control the + writing. + + + pid-file The pathname of the file the server writes its process ID @@ -3007,10 +3033,22 @@ The pid-file is used by programs that want to send signals to the running name server. Specifying pid-file none disables the use of a PID file — no file will be written and any existing one will be removed. Note that none -is a keyword, not a file name, and therefore is not enclosed in +is a keyword, not a filename, and therefore is not enclosed in double quotes. + + recursing-file + + + The pathname of the file the server dumps + the queries that are currently recursing when instructed + to do so with rndc recursing. + If not specified, the default is named.recursing. + + + + statistics-file The pathname of the file the server appends statistics to when instructed to do so using rndc stats. @@ -3318,7 +3356,7 @@ in the statistics-file. See also use-ixfr This option is obsolete. -If you need to disable IXFR to a particular server or servers see +If you need to disable IXFR to a particular server or servers, see the information on the provide-ixfr option in . See also . @@ -3491,7 +3529,7 @@ and RFC 821 as modified by RFC 1123. MX records. It also applies to the domain names in the RDATA of NS, SOA and MX records. It also applies to the RDATA of PTR records where the owner name indicated that it is a reverse lookup of a hostname (the owner name ends in -IN-ADDR.ARPA, IP6.ARPA, IP6.INT). +IN-ADDR.ARPA, IP6.ARPA, or IP6.INT). @@ -4086,7 +4124,7 @@ stop listening on interfaces that have gone away. every statistics-interval minutes. The default is 60. The maximum value is 28 days (40320 minutes). If set to 0, no statistics will be logged. -Not yet implemented in BIND9. +Not yet implemented in BIND 9. @@ -4330,7 +4368,7 @@ and clamp the SOA refresh and retry times to the specified values. edns-udp-size sets the advertised EDNS UDP buffer size in bytes. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). The default value is 4096. The usual reason for -setting edns-udp-size to a non-default value it to get UDP answers to +setting edns-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. @@ -4480,7 +4518,7 @@ to be incremented, and may additionally cause the <command>server</command> Statement Grammar -server ip_addr { +server ip_addr { bogus yes_or_no ; provide-ixfr yes_or_no ; request-ixfr yes_or_no ; @@ -4586,7 +4624,7 @@ For more details, see the description of <command>trusted-keys</command> Statement Grammar -trusted-keys { +trusted-keys { string number number number string ; string number number number string ; ... }; @@ -4626,7 +4664,7 @@ For more details, see the description of <command>view</command> Statement Grammar -view view_name +view view_name class { match-clients { address_match_list } ; match-destinations { address_match_list } ; @@ -4722,7 +4760,7 @@ view "external" { <command>zone</command> Statement Grammar -zone zone_name class { +zone zone_name class { type master; allow-query { address_match_list } ; allow-transfer { address_match_list } ; @@ -4870,7 +4908,7 @@ and reloaded from this file on a server restart. Use of a file is recommended, since it often speeds server startup and eliminates a needless waste of bandwidth. Note that for large numbers (in the tens or hundreds of thousands) of zones per server, it is best to -use a two-level naming scheme for zone file names. For example, +use a two-level naming scheme for zone filenames. For example, a slave server for the zone example.com might place the zone contents into a file called ex/example.com where ex/ is @@ -4958,7 +4996,7 @@ used to share information about various systems databases, such as users, groups, printers and so on. The keyword HS is a synonym for hesiod. -Another MIT development is CHAOSnet, a LAN protocol created +Another MIT development is Chaosnet, a LAN protocol created in the mid-1970s. Zone data for it can be specified with the CHAOS class. @@ -5225,7 +5263,7 @@ shared secret is the same as the identity of the key used to authenticate the TKEY exchange. When the identity field specifies a wildcard name, it is subject to DNS wildcard expansion, so the rule will apply to multiple identities. The identity field must -contain a fully qualified domain name. +contain a fully-qualified domain name. The nametype field has 4 values: name, subdomain, @@ -5270,7 +5308,7 @@ specified as * in this case. In all cases, the name field must -specify a fully qualified domain name. +specify a fully-qualified domain name. If no types are explicitly specified, this rule matches all types except SIG, NS, SOA, and NXT. Types may be specified by name, including @@ -5514,7 +5552,7 @@ are currently valid in the DNS: CH -CHAOSnet, a LAN protocol created at MIT in the mid-1970s. +Chaosnet, a LAN protocol created at MIT in the mid-1970s. Rarely used for its historical purpose, but reused for BIND's built-in server information zones, e.g., version.bind. @@ -5776,7 +5814,7 @@ in the example.com domain: The $ORIGIN lines in the examples -are for providing context to the examples only-they do not necessarily +are for providing context to the examples only — they do not necessarily appear in the actual usage. They are only used here to indicate that the example is relative to the listed origin. Other Zone File Directives @@ -5855,16 +5893,16 @@ or start-stop/step. If the first form is used, then step is set to lhs - lhs describes the + This describes the owner name of the resource records to be created. Any single $ (dollar sign) symbols within the lhs side are replaced by the iterator value. -To get a $ in the output you need to escape the $ +To get a $ in the output, you need to escape the $ using a backslash \, e.g. \$. The $ may optionally be followed by modifiers which change the offset from the iterator, field width and base. -Modifiers are introduced by a { immediately following the +Modifiers are introduced by a { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} which subtracts 20 from the current value, prints the result as a decimal in a zero-padded field of width 3. Available @@ -5900,7 +5938,7 @@ PTR, CNAME, DNAME, A, AAAA and NS. rhs - A domain name. It is processed + rhs is a domain name. It is processed similarly to lhs. @@ -5954,7 +5992,7 @@ unless recursion has been previously disabled. For more information on how to use ACLs to protect your server, see the AUSCERT advisory at ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos -<command>chroot</command> and <command>setuid</command> (for +<sect1><title><command>Chroot</command> and <command>Setuid</command> (for UNIX servers) On UNIX servers, it is possible to run BIND in a chrooted environment (using the chroot() function) by specifying the "" @@ -5981,7 +6019,7 @@ like directory and pid-file to account for this. -Unlike with earlier versions of BIND, you will typically +Unlike with earlier versions of BIND, you typically will not need to compile named statically nor install shared libraries under the new root. However, depending on your operating system, you may need @@ -6054,16 +6092,18 @@ all. Incrementing and Changing the Serial Number - Zone serial numbers are just numbers-they aren't date - related. A lot of people set them to a number that represents a - date, usually of the form YYYYMMDDRR. A number of people have been - testing these numbers for Y2K compliance and have set the number - to the year 2000 to see if it will work. They then try to restore - the old serial number. This will cause problems because serial - numbers are used to indicate that a zone has been updated. If the - serial number on the slave server is lower than the serial number - on the master, the slave server will attempt to update its copy of - the zone. + + Zone serial numbers are just numbers — they aren't + date related. A lot of people set them to a number that + represents a date, usually of the form YYYYMMDDRR. + Occasionally they will make a mistake and set them to a + "date in the future" then try to correct them by setting + them to the "current date". This causes problems because + serial numbers are used to indicate that a zone has been + updated. If the serial number on the slave server is + lower than the serial number on the master, the slave + server will attempt to update its copy of the zone. + Setting the serial number to a lower number on the master server than the slave server means that the slave will not perform @@ -6137,7 +6177,7 @@ employee on loan to the CSRG, worked on BIND for 2 years, fro to 1987. Many other people also contributed to BIND development during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell, Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently -handled by Mike Karels and O. Kure. +handled by Mike Karels and Øivind Kure. BIND versions 4.9 and 4.9.1 were released by Digital Equipment Corporation (now Compaq Computer Corporation). Paul Vixie, then a DEC employee, became BIND's primary caretaker. He was assisted @@ -6145,13 +6185,27 @@ by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe Wolfhugel, and others. - BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul + In 1994, BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul Vixie became BIND's principal architect/programmer. BIND versions from 4.9.3 onward have been developed and maintained by the Internet Software Consortium with support being provided -by ISC's sponsors. As co-architects/programmers, Bob Halley and +by ISC's sponsors. + + As co-architects/programmers, Bob Halley and Paul Vixie released the first production-ready version of BIND version 8 in May 1997. + + BIND version 9 was released in September 2000 and is a + major rewrite of nearly all aspects of the underlying + BIND architecture. + + + BIND version 4 is officially deprecated and BIND version + 8 development is considered maintenance-only in favor + of BIND version 9. No additional development is done + on BIND version 4 or BIND version 8 other than for + security-related patches. + BIND development work is made possible today by the sponsorship of several corporations, and by the tireless work efforts of numerous individuals. @@ -6168,7 +6222,8 @@ scalable Internet routing. There are three types of addresses: Unicast an identifier for a single interface; Anycast, an identifier for a set of interfaces; and Multicast, an identifier for a set of interfaces. Here we describe the global -Unicast address scheme. For more information, see RFC 2374. +Unicast address scheme. For more information, see RFC 3587, +"Global Unicast Address Format." The aggregatable global Unicast address format is as follows: diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 3f3aebb10c422..92c6708760116 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -1,5 +1,5 @@ - + -Chapter 1. Introduction - +Chapter 1. Introduction + @@ -45,17 +45,17 @@

Table of Contents

-
Scope of Document
-
Organization of This Document
-
Conventions Used in This Document
-
The Domain Name System (DNS)
+
Scope of Document
+
Organization of This Document
+
Conventions Used in This Document
+
The Domain Name System (DNS)
-
DNS Fundamentals
-
Domains and Domain Names
-
Zones
-
Authoritative Name Servers
-
Caching Name Servers
-
Name Servers in Multiple Roles
+
DNS Fundamentals
+
Domains and Domain Names
+
Zones
+
Authoritative Name Servers
+
Caching Name Servers
+
Name Servers in Multiple Roles
@@ -67,7 +67,7 @@ hierarchical databases.

-Scope of Document

+Scope of Document

The Berkeley Internet Name Domain (BIND) implements a domain name server for a number of operating systems. This document provides basic information about the installation and @@ -78,7 +78,7 @@

-Organization of This Document

+Organization of This Document

In this document, Section 1 introduces the basic DNS and BIND concepts. Section 2 describes resource requirements for running BIND in various @@ -96,14 +96,14 @@ addresses security considerations, and Section 8 contains troubleshooting help. The main body of the document is followed by several - Appendices which contain useful reference - information, such as a Bibliography and + appendices which contain useful reference + information, such as a bibliography and historic information related to BIND and the Domain Name System.

-Conventions Used in This Document

+Conventions Used in This Document

In this document, we use the following general typographic conventions:

@@ -169,15 +169,15 @@ describe:

-The Domain Name System (DNS)

+The Domain Name System (DNS)

The purpose of this document is to explain the installation -and upkeep of the BIND software package, and we +and upkeep of the BIND (Berkeley Internet Name Domain) software package, and we begin by reviewing the fundamentals of the Domain Name System (DNS) as they relate to BIND.

-DNS Fundamentals

+DNS Fundamentals

The Domain Name System (DNS) is the hierarchical, distributed database. It stores information for mapping Internet host names to IP addresses and vice versa, mail routing information, and other data @@ -192,7 +192,7 @@ libraries, liblwres and

-Domains and Domain Names

+Domains and Domain Names

The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries. Each node of the tree, @@ -229,7 +229,7 @@ the DNS protocol, please refer to the standards documents listed in

-Zones

+Zones

To properly operate a name server, it is important to understand the difference between a zone and a domain.

@@ -269,7 +269,7 @@ actually asking for slave service for some collection of zones.

-Authoritative Name Servers

+Authoritative Name Servers

Each zone is served by at least one authoritative name server, which contains the complete data for the zone. @@ -282,7 +282,7 @@ easy to identify when debugging DNS configurations using tools like dig (the section called “Diagnostic Tools”).

-The Primary Master

+The Primary Master

The authoritative server where the master copy of the zone data is maintained is called the primary master server, or simply the @@ -293,7 +293,7 @@ the zone file or <

-Slave Servers

+Slave Servers

The other authoritative servers, the slave servers (also known as secondary servers) load the zone contents from another server using a replication process @@ -304,7 +304,7 @@ may itself act as a master to a subordinate slave server.

-Stealth Servers

+Stealth Servers

Usually all of the zone's authoritative servers are listed in NS records in the parent zone. These NS records constitute a delegation of the zone from the parent. @@ -329,7 +329,7 @@ with the outside world.

-Caching Name Servers

+Caching Name Servers

The resolver libraries provided by most operating systems are stub resolvers, meaning that they are not capable of performing the full DNS resolution process by themselves by talking @@ -348,7 +348,7 @@ Time To Live (TTL) field associated with each resource record.

-Forwarding

+Forwarding

Even a caching name server does not necessarily perform the complete recursive lookup itself. Instead, it can forward some or all of the queries @@ -371,7 +371,7 @@ of.

-Name Servers in Multiple Roles

+Name Servers in Multiple Roles

The BIND name server can simultaneously act as a master for some zones, a slave for other zones, and as a caching (recursive) server for a set of local clients.

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index d1e3445d9c15f..34220264a27ce 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -1,5 +1,5 @@ - +Chapter 2. BIND Resource Requirements - + - + @@ -45,16 +45,16 @@

Table of Contents

-
Hardware requirements
-
CPU Requirements
-
Memory Requirements
-
Name Server Intensive Environment Issues
-
Supported Operating Systems
+
Hardware requirements
+
CPU Requirements
+
Memory Requirements
+
Name Server Intensive Environment Issues
+
Supported Operating Systems

-Hardware requirements

+Hardware requirements

DNS hardware requirements have traditionally been quite modest. For many installations, servers that have been pensioned off from active duty have performed admirably as DNS servers.

@@ -66,7 +66,7 @@ multiprocessor systems for installations that need it.

-CPU Requirements

+CPU Requirements

CPU requirements for BIND 9 range from i486-class machines for serving of static zones without caching, to enterprise-class machines if you intend to process many dynamic updates and DNSSEC @@ -74,7 +74,7 @@ signed zones, serving many thousands of queries per second.

-Memory Requirements

+Memory Requirements

The memory of the server has to be large enough to fit the cache and zones loaded off disk. The max-cache-size option can be used to limit the amount of memory used by the cache, @@ -88,7 +88,7 @@ fast as they are being inserted.

-Name Server Intensive Environment Issues

+Name Server Intensive Environment Issues

For name server intensive environments, there are two alternative configurations that may be used. The first is where clients and any second-level internal name servers query a main name server, which @@ -102,7 +102,7 @@ as none of the name servers share their cached data.

-Supported Operating Systems

+Supported Operating Systems

ISC BIND 9 compiles and runs on a large number of Unix-like operating system and on Windows NT / 2000. For an up-to-date list of supported systems, see the README file in the top level directory diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 399c8269d2ded..f9090f4011510 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -1,5 +1,5 @@ - + Chapter 3. Name Server Configuration - + @@ -47,14 +47,14 @@

Sample Configurations
-
A Caching-only Name Server
-
An Authoritative-only Name Server
+
A Caching-only Name Server
+
An Authoritative-only Name Server
-
Load Balancing
-
Name Server Operations
+
Load Balancing
+
Name Server Operations
-
Tools for Use With the Name Server Daemon
-
Signals
+
Tools for Use With the Name Server Daemon
+
Signals
@@ -66,7 +66,7 @@ option setting.

Sample Configurations

-A Caching-only Name Server

+A Caching-only Name Server

The following sample configuration is appropriate for a caching-only name server for use by clients internal to a corporation. All queries from outside clients are refused using the allow-query @@ -89,7 +89,7 @@ zone "0.0.127.in-addr.arpa" {

-An Authoritative-only Name Server

+An Authoritative-only Name Server

This sample configuration is for an authoritative-only server that is the master server for "example.com" and a slave for the subdomain "eng.example.com".

@@ -128,9 +128,10 @@ zone "eng.example.com" {

-Load Balancing

+Load Balancing

A primitive form of load balancing can be achieved in -the DNS by using multiple A records for one name.

+the DNS by using multiple records +(such as multiple A records) for one name.

For example, if you have three WWW servers with network addresses of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the following means that clients will connect to each machine one third @@ -189,10 +190,10 @@ of the time:

-Name Server Operations

+Name Server Operations

-Tools for Use With the Name Server Daemon

+Tools for Use With the Name Server Daemon

There are several indispensable diagnostic, administrative and monitoring tools available to the system administrator for controlling and debugging the name server daemon. We describe several in this @@ -226,7 +227,7 @@ options, see the dig man page.

and ease of use. By default, it converts between host names and Internet addresses, but its functionality can be extended with the use of options.

-

host [-aCdlrTwv] [-c class] [-N ndots] [-t type] [-W timeout] [-R retries] hostname [server]

+

host [-aCdlrTwv] [-c class] [-N ndots] [-t type] [-W timeout] [-R retries] [-4] [-6] hostname [server]

For more information and a list of available commands and options, see the host man page.

@@ -280,6 +281,11 @@ of a server.

The remote name daemon control (rndc) program allows the system administrator to control the operation of a name server. + Since BIND 9.2, rndc + supports all the commands of the BIND 8 ndc + utility except ndc start and + ndc restart, which were also + not supported in ndc's channel mode. If you run rndc without any options it will display a usage message as follows:

rndc [-c config] [-s server] [-p port] [-y key] command [command...]

@@ -473,7 +479,7 @@ a rndc.key file and not modify

-Signals

+Signals

Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can be sent using the kill command.

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index adf2036930d63..12f30fe38325d 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -1,5 +1,5 @@ - +Chapter 4. Advanced DNS Features - + @@ -49,28 +49,29 @@
Dynamic Update
The journal file
Incremental Zone Transfers (IXFR)
-
Split DNS
+
Split DNS
+
Example split DNS setup
TSIG
-
Generate Shared Keys for Each Pair of Hosts
-
Copying the Shared Secret to Both Machines
-
Informing the Servers of the Key's Existence
-
Instructing the Server to Use the Key
-
TSIG Key Based Access Control
-
Errors
+
Generate Shared Keys for Each Pair of Hosts
+
Copying the Shared Secret to Both Machines
+
Informing the Servers of the Key's Existence
+
Instructing the Server to Use the Key
+
TSIG Key Based Access Control
+
Errors
-
TKEY
-
SIG(0)
+
TKEY
+
SIG(0)
DNSSEC
-
Generating Keys
-
Signing the Zone
-
Configuring Servers
+
Generating Keys
+
Signing the Zone
+
Configuring Servers
-
IPv6 Support in BIND 9
+
IPv6 Support in BIND 9
-
Address Lookups Using AAAA Records
-
Address to Name Lookups Using Nibble Format
+
Address Lookups Using AAAA Records
+
Address to Name Lookups Using Nibble Format
@@ -168,7 +169,7 @@ of the server statement.

-Split DNS

+Split DNS

Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a Split DNS setup. There are several reasons an organization @@ -184,7 +185,9 @@ to allow internal networks that are behind filters or in RFC 1918 space (reserved IP space, as documented in RFC 1918) to resolve DNS on the Internet. Split DNS can also be used to allow mail from outside back in to the internal network.

-

Here is an example of a split DNS setup:

+
+

+Example split DNS setup

Let's say a company named Example, Inc. (example.com) has several corporate sites that have an internal network with reserved @@ -351,6 +354,7 @@ nameserver 172.16.72.3 nameserver 172.16.72.4

+

TSIG

@@ -372,13 +376,13 @@ for TSIG.

-y command line options.

-Generate Shared Keys for Each Pair of Hosts

+Generate Shared Keys for Each Pair of Hosts

A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen: "host1-host2.". The key name must be the same on both hosts.

-Automatic Generation

+Automatic Generation

The following command will generate a 128-bit (16 byte) HMAC-MD5 key as described above. Longer keys are better, but shorter keys are easier to read. Note that the maximum key length is 512 bits; @@ -395,7 +399,7 @@ be used as the shared secret.

-Manual Generation

+Manual Generation

The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid base-64 strings (assuming the length is a multiple of 4 and only valid characters are used), @@ -406,13 +410,13 @@ a similar program to generate base-64 encoded data.

-Copying the Shared Secret to Both Machines

+Copying the Shared Secret to Both Machines

This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc.

-Informing the Servers of the Key's Existence

+Informing the Servers of the Key's Existence

Imagine host1 and host 2 are both servers. The following is added to each server's named.conf file:

@@ -433,7 +437,7 @@ response is signed by the same key.

 
 

 

-Instructing the Server to Use the Key

+Instructing the Server to Use the Key

 
Since keys are shared between two hosts only, the server must
 be told when keys are to be used. The following is added to the named.conf file
 for host1, if the IP address of host2 is
@@ -456,7 +460,7 @@ sign request messages to host1.

 
 

 

-TSIG Key Based Access Control

+TSIG Key Based Access Control

 
BIND allows IP addresses and ranges to be specified in ACL
 definitions and
 allow-{ query | transfer | update } directives.
@@ -474,7 +478,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Errors

+Errors

 
The processing of TSIG signed messages can result in
       several errors. If a signed message is sent to a non-TSIG
       aware server, a FORMERR (format error) will be returned, since
@@ -491,13 +495,13 @@ allow-update { key host1-host2. ;};
       outside of the allowed range, the response will be signed with
       the TSIG extended error code set to BADTIME, and the time values
       will be adjusted so that the response can be successfully
-      verified. In any of these cases, the message's rcode is set to
+      verified. In any of these cases, the message's rcode (response code) is set to
       NOTAUTH (not authenticated).

 
 
 

 

-TKEY

+TKEY

 
TKEY is a mechanism for automatically
     generating a shared secret between two hosts.  There are several
     "modes" of TKEY that specify how the key is
@@ -524,7 +528,7 @@ allow-update { key host1-host2. ;};
 
 

 

-SIG(0)

+SIG(0)

 
BIND 9 partially supports DNSSEC SIG(0)
     transaction signatures as specified in RFC 2535 and RFC2931.  SIG(0)
     uses public/private keys to authenticate messages.  Access control
@@ -543,7 +547,7 @@ allow-update { key host1-host2. ;};
 DNSSEC
 
Cryptographic authentication of DNS information is possible
     through the DNS Security (DNSSEC-bis)
-    extensions, defined in RFC 4033, RFC4034 and RFC4035.  This
+    extensions, defined in RFC 4033, RFC4034, and RFC4035.  This
     section describes the creation and use of DNSSEC signed
     zones.

 
In order to set up a DNSSEC secure zone, there are a series
@@ -567,7 +571,7 @@ allow-update { key host1-host2. ;};
     zone key of another zone above this one in the DNS tree.

 

 

-Generating Keys

+Generating Keys

 
The dnssec-keygen program is used to
       generate keys.

 
A secure zone must contain one or more zone keys.  The
@@ -584,7 +588,7 @@ allow-update { key host1-host2. ;};
 
Two output files will be produced:
       Kchild.example.+005+12345.key and
       Kchild.example.+005+12345.private (where
-      12345 is an example of a key tag).  The key file names contain
+      12345 is an example of a key tag).  The key filenames contain
       the key name (child.example.), algorithm (3
       is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
       The private key (in the .private file) is
@@ -600,7 +604,7 @@ allow-update { key host1-host2. ;};
 
 

 

-Signing the Zone

+Signing the Zone

 
The dnssec-signzone program is used to
       sign a zone.

 
Any keyset files corresponding
@@ -621,13 +625,13 @@ allow-update { key host1-host2. ;};
       input file for the zone.

 
dnssec-signzone will also produce a
       keyset and dsset files and optionally a dlvset file.  These
-      are used to provide the parent zone administators with the
+      are used to provide the parent zone administrators with the
       DNSKEYs (or their corresponding DS
       records) that are the secure entry point to the zone.

 
 

 

-Configuring Servers

+Configuring Servers

 

 	  To enable named to respond appropriately
 	  to DNS requests from DNSSEC aware clients,
@@ -713,7 +717,7 @@ options {
 
 

 

-IPv6 Support in BIND 9

+IPv6 Support in BIND 9

 
BIND 9 fully supports all currently defined forms of IPv6
     name to address and address to name lookups.  It will also use
     IPv6 addresses to make queries when running on an IPv6 capable
@@ -742,7 +746,7 @@ options {
     see the section called “IPv6 addresses (AAAA)”.

 

 

-Address Lookups Using AAAA Records

+Address Lookups Using AAAA Records

 
The AAAA record is a parallel to the IPv4 A record.  It
       specifies the entire address in a single record.  For
       example,

@@ -757,7 +761,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 

 

-Address to Name Lookups Using Nibble Format

+Address to Name Lookups Using Nibble Format

 
When looking up an address in nibble format, the address
       components are simply reversed, just as in IPv4, and
       ip6.arpa. is appended to the resulting name.
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 51abc5857ff8e..b7a622321da51 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -1,5 +1,5 @@
 
-
+
 
 
 
 Chapter 5. The BIND 9 Lightweight Resolver
-
+
 
 
 
@@ -45,13 +45,13 @@
 

 
Table of Contents

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 

 

 

-The Lightweight Resolver Library

+The Lightweight Resolver Library

 
Traditionally applications have been linked with a stub resolver
 library that sends recursive DNS queries to a local caching name
 server.

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 1474685df1de8..dd8d8ca33f670 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -1,5 +1,5 @@
 
-
+
 
 
 
 Chapter 6. BIND 9 Configuration Reference
-
+
 
 
 
@@ -48,46 +48,46 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
 Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and Usage

-
include Statement Grammar

-
include Statement Definition and Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and Usage 

-
options Statement Grammar

+
include Statement Grammar

+
include Statement Definition and Usage

+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and Usage

+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and Usage 

+
options Statement Grammar

 
options Statement Definition and Usage

 
server Statement Grammar

 
server Statement Definition and Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
 	    and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
 Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 

 
 
@@ -165,7 +165,7 @@ ambiguity, and need to be disambiguated.
@@ -244,7 +244,7 @@ are restricted to slave and stub zones.

Address Match Lists

-Syntax

+Syntax
address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -253,7 +253,7 @@ are restricted to slave and stub zones.

 
 

 

-Definition and Usage

+Definition and Usage

 
Address match lists are primarily used to determine access
 control for various server operations. They are also used in
 the listen-on and sortlist
@@ -303,14 +303,14 @@ other 1.2.3.* hosts fall through.

 
 

 

-Comment Syntax

+Comment Syntax

 
The BIND 9 comment syntax allows for comments to appear
-anywhere that white space may appear in a BIND configuration
+anywhere that whitespace may appear in a BIND configuration
 file. To appeal to programmers of all kinds, they can be written
 in the C, C++, or shell/perl style.

 

 

-Syntax

+Syntax

 
/* This is a BIND comment as in C */

 

 

@@ -323,8 +323,8 @@ in the C, C++, or shell/perl style.

 
 

 

-Definition and Usage

-
Comments may appear anywhere that white space may appear in
+Definition and Usage

+
Comments may appear anywhere that whitespace may appear in
 a BIND configuration file.

 
C-style comments start with the two characters /* (slash,
 star) and end with */ (star, slash). Because they are completely
@@ -444,7 +444,7 @@ a per-server basis.

     configuration.

 

 

-acl Statement Grammar

+acl Statement Grammar

 
acl acl-name { 
     address_match_list 
 };
@@ -495,7 +495,7 @@ IPv6 addresses, just like localhost
 

 

-controls Statement Grammar

+controls Statement Grammar

 
controls {
    inet ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                 keys {  key_list  };
@@ -600,12 +600,12 @@ statement: controls { };.
 
 

 

-include Statement Grammar

-
include filename;

+include Statement Grammar

+
include filename;

 
 

 

-include Statement Definition and Usage

+include Statement Definition and Usage

 
The include statement inserts the
       specified file at the point where the include
       statement is encountered. The include
@@ -616,8 +616,8 @@ statement: controls { };.
 
 

 

-key Statement Grammar

-
key key_id {
+key Statement Grammar

+
key key_id {
     algorithm string;
     secret string;
 };
@@ -625,7 +625,7 @@ statement: controls { };.
 
 

 

-key Statement Definition and Usage

+key Statement Definition and Usage

 
The key statement defines a shared
 secret key for use with TSIG (see the section called “TSIG”)
 or the command channel
@@ -657,7 +657,7 @@ string.

 
 

 

-logging Statement Grammar

+logging Statement Grammar

 
logging {
    [ channel channel_name {
      ( file path name
@@ -681,7 +681,7 @@ string.

 
 

 

-logging Statement Definition and Usage

+logging Statement Definition and Usage

 
The logging statement configures a wide
 variety of logging options for the name server. Its channel phrase
 associates output methods, format options and severity levels with
@@ -704,7 +704,7 @@ channels, or to standard error if the "-g" option
 was specified.

 

 

-The channel Phrase

+The channel Phrase

 
All log output goes to one or more channels;
 you can make as many of them as you want.

 
Every channel definition must include a destination clause that
@@ -1019,7 +1019,7 @@ a delegation-only in a hint or stu
 
 

 

-lwres Statement Grammar

+lwres Statement Grammar

 
 This is the grammar of the lwres
 statement in the named.conf file:

 
lwres {
@@ -1032,10 +1032,10 @@ statement in the named.conf file:

 
 

 

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

 
The lwres statement configures the name
 server to also act as a lightweight resolver server. (See
-the section called “Running a Resolver Daemon”.)  There may be be multiple
+the section called “Running a Resolver Daemon”.)  There may be multiple
 lwres statements configuring
 lightweight resolver servers with different properties.

 
The listen-on statement specifies a list of
@@ -1060,23 +1060,23 @@ exact match lookup before search path elements are appended.

 
 

 

-masters Statement Grammar

+masters Statement Grammar

 
 masters name [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [...] } ; 
 

 
 

 

-masters Statement Definition and Usage 

+masters Statement Definition and Usage 

 
masters lists allow for a common set of masters
 to be easily used by multiple stub and slave zones.

 
 

 

-options Statement Grammar

+options Statement Grammar

 
This is the grammar of the options
 statement in the named.conf file:

-
options {
+
options {
     [ version version_string; ]
     [ hostname hostname_string; ]
     [ server-id server_id_string; ]
@@ -1089,6 +1089,7 @@ statement in the named.conf file:

     [ dump-file path_name; ]
     [ memstatistics-file path_name; ]
     [ pid-file path_name; ]
+    [ recursing-file path_name; ]
     [ statistics-file path_name; ]
     [ zone-statistics yes_or_no; ]
     [ auth-nxdomain yes_or_no; ]
@@ -1243,9 +1244,20 @@ the database to when instructed to do so with
 rndc dumpdb.
 If not specified, the default is named_dump.db.

 
memstatistics-file

-
The pathname of the file the server writes memory
-usage statistics to on exit. If not specified,
-the default is named.memstats.

+

+

+		The pathname of the file the server writes memory
+		usage statistics to on exit.  If specified the
+		statistics will be written to the file on exit.
+	      

+

+		In BIND 9.5 and later this will
+		default to named.memstats.
+		BIND 9.5 will also introduce
+		memstatistics to control the
+		writing.
+	      

+

 
pid-file

 
The pathname of the file the server writes its process ID
 in. If not specified, the default is /var/run/named.pid.
@@ -1253,8 +1265,15 @@ The pid-file is used by programs that want to send signals to the running
 name server. Specifying pid-file none disables the
 use of a PID file — no file will be written and any
 existing one will be removed.  Note that none
-is a keyword, not a file name, and therefore is not enclosed in
+is a keyword, not a filename, and therefore is not enclosed in
 double quotes.

+
recursing-file

+

+		  The pathname of the file the server dumps
+		  the queries that are currently recursing when instructed
+		  to do so with rndc recursing.
+		  If not specified, the default is named.recursing.
+		

 
statistics-file

 
The pathname of the file the server appends statistics
 to when instructed to do so using rndc stats.
@@ -1542,7 +1561,7 @@ in the statistics-file.  See also
 

 
use-ixfr

 
This option is obsolete.
-If you need to disable IXFR to a particular server or servers see
+If you need to disable IXFR to a particular server or servers, see
 the information on the provide-ixfr option
 in the section called “server Statement Definition and Usage”. See also
 the section called “Incremental Zone Transfers (IXFR)”.
@@ -1695,14 +1714,14 @@ and RFC 821 as modified by RFC 1123.
 MX records.  It also applies to the domain names in the RDATA of NS, SOA and MX
 records.  It also applies to the RDATA of PTR records where the owner name
 indicated that it is a reverse lookup of a hostname (the owner name ends in
-IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
+IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
 

 

 
 
 

 

-Forwarding

+Forwarding

 
The forwarding facility can be used to create a large site-wide
 cache on a few servers, reducing traffic over links to external
 name servers. It can also be used to allow queries by servers that
@@ -1734,7 +1753,7 @@ Statement Grammar”.

 
 

 

-Dual-stack Servers

+Dual-stack Servers

 
Dual-stack servers are used as servers of last resort to work around
 problems in reachability due the lack of support for either IPv4 or IPv6
 on the host machine.

@@ -1815,7 +1834,7 @@ from these addresses will not be responded to. The default is 
 

-Interfaces

+Interfaces
 
The interfaces and ports that the server will answer queries
 from may be specified using the listen-on option. listen-on takes
 an optional port, and an address_match_list.
@@ -1865,7 +1884,7 @@ the server will not listen on any IPv6 address.

 
 

 

-Query Address

+Query Address

 
If the server doesn't know the answer to a question, it will
 query other name servers. query-source specifies
 the address and port used for such queries. For queries sent over
@@ -2056,7 +2075,7 @@ but applies to notify messages sent to IPv6 addresses.

 
 

 

-Bad UDP Port Lists

+Bad UDP Port Lists

 

 avoid-v4-udp-ports and avoid-v6-udp-ports
 specify a list of IPv4 and IPv6 UDP ports that will not be used as system
@@ -2069,7 +2088,7 @@ to query again.
 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 
The server's usage of many system resources can be limited.
 Scaled values are allowed when specifying resource limits.  For
 example, 1G can be used instead of
@@ -2113,7 +2132,7 @@ may use. The default is default.

 
 

 

-Server  Resource Limits

+Server  Resource Limits

 
The following options set limits on the server's
 resource consumption that are enforced internally by the
 server rather than the operating system.

@@ -2167,7 +2186,7 @@ silently raised.
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 
The server will remove expired resource records
@@ -2198,7 +2217,7 @@ every statistics-interval minutes.
 If set to 0, no statistics will be logged.

 

 
Note

-
Not yet implemented in BIND9.

+
Not yet implemented in BIND 9.

 

 

 

@@ -2435,7 +2454,7 @@ and clamp the SOA refresh and retry times to the specified values.
 edns-udp-size sets the advertised EDNS UDP buffer
 size in bytes.  Valid values are 512 to 4096 bytes (values outside this range will be
 silently adjusted).  The default value is 4096.  The usual reason for
-setting edns-udp-size to a non-default value it to get UDP answers to
+setting edns-udp-size to a non-default value is to get UDP answers to
 pass through broken firewalls that block fragmented packets and/or
 block UDP packets that are greater than 512 bytes.
 

@@ -2569,7 +2588,7 @@ to be incremented, and may additionally cause the
 

 

 server Statement Grammar

-
server ip_addr {
+
server ip_addr {
     [ bogus yes_or_no ; ]
     [ provide-ixfr yes_or_no ; ]
     [ request-ixfr yes_or_no ; ]
@@ -2662,8 +2681,8 @@ For more details, see the description of
 

 

 

-trusted-keys Statement Grammar

-
trusted-keys {
+trusted-keys Statement Grammar

+
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
 };
@@ -2671,7 +2690,7 @@ For more details, see the description of
 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
 	    and Usage

 

 	    The trusted-keys statement defines
@@ -2702,7 +2721,7 @@ For more details, see the description of
 

 

 view Statement Grammar

-
view view_name 
+
view view_name 
       [class] {
       match-clients { address_match_list } ;
       match-destinations { address_match_list } ;
@@ -2714,7 +2733,7 @@ For more details, see the description of
 

 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 
The view statement is a powerful new feature
 of BIND 9 that lets a name server answer a DNS query differently
 depending on who is asking. It is particularly useful for implementing
@@ -2796,7 +2815,7 @@ view "external" {
 

 zone
 Statement Grammar

-
zone zone_name [class] { 
+
zone zone_name [class] { 
     type master;
     [ allow-query { address_match_list } ; ]
     [ allow-transfer { address_match_list } ; ]
@@ -2916,10 +2935,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

ip_port

An IP port number. -number is limited to 0 through 65535, with values +The number is limited to 0 through 65535, with values below 1024 typically restricted to use by processes running as root. In some cases, an asterisk (`*') character can be used as a placeholder to select a random high-numbered port.
@@ -2948,7 +2967,7 @@ and reloaded from this file on a server restart. Use of a file is recommended, since it often speeds server startup and eliminates a needless waste of bandwidth. Note that for large numbers (in the tens or hundreds of thousands) of zones per server, it is best to -use a two-level naming scheme for zone file names. For example, +use a two-level naming scheme for zone filenames. For example, a slave server for the zone example.com might place the zone contents into a file called ex/example.com where ex/ is @@ -3032,7 +3051,7 @@ from forwarders.

-Class

+Class

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), is assumed. This is correct for the vast majority of cases.

@@ -3042,12 +3061,12 @@ used to share information about various systems databases, such as users, groups, printers and so on. The keyword HS is a synonym for hesiod.

-

Another MIT development is CHAOSnet, a LAN protocol created +

Another MIT development is Chaosnet, a LAN protocol created in the mid-1970s. Zone data for it can be specified with the CHAOS class.

-Zone Options

+Zone Options
allow-notify

See the description of @@ -3240,7 +3259,7 @@ shared secret is the same as the identity of the key used to authenticate the TKEY exchange. When the identity field specifies a wildcard name, it is subject to DNS wildcard expansion, so the rule will apply to multiple identities. The identity field must -contain a fully qualified domain name.

+contain a fully-qualified domain name.

The nametype field has 4 values: name, subdomain, wildcard, and self. @@ -3283,7 +3302,7 @@ specified as * in this case.

In all cases, the name field must -specify a fully qualified domain name.

+specify a fully-qualified domain name.

If no types are explicitly specified, this rule matches all types except SIG, NS, SOA, and NXT. Types may be specified by name, including "ANY" (ANY matches all types except NXT, which can never be updated). @@ -3295,7 +3314,7 @@ name, the rules are checked for each existing record type.

-Zone File

+Zone File

Types of Resource Records and When to Use Them

@@ -3305,7 +3324,7 @@ Since the publication of RFC 1034, several new RRs have been identified and implemented in the DNS. These are also included.

-Resource Records

+Resource Records

A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource information associated with a particular name is composed of @@ -3524,7 +3543,7 @@ are currently valid in the DNS:

CH

-CHAOSnet, a LAN protocol created at MIT in the mid-1970s. +Chaosnet, a LAN protocol created at MIT in the mid-1970s. Rarely used for its historical purpose, but reused for BIND's built-in server information zones, e.g., version.bind. @@ -3564,7 +3583,7 @@ used as "pointers" to other data in the DNS.

-Textual expression of RRs

+Textual expression of RRs

RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form when stored in a name server or resolver. In the examples provided in @@ -3654,7 +3673,7 @@ each of a different class.

-Discussion of MX Records

+Discussion of MX Records

As described above, domain servers store information as a series of resource records, each of which contains a particular piece of information about a given domain name (which is usually, @@ -3771,7 +3790,7 @@ can be explicitly specified, for example, 1h30m.

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain and PTR records. Entries in the in-addr.arpa domain are made in @@ -3802,14 +3821,14 @@ in the [example.com] domain:

Note

The $ORIGIN lines in the examples -are for providing context to the examples only-they do not necessarily +are for providing context to the examples only — they do not necessarily appear in the actual usage. They are only used here to indicate that the example is relative to the listed origin.

-Other Zone File Directives

+Other Zone File Directives

The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format itself is class independent all records in a Master File must be of the same @@ -3818,7 +3837,7 @@ class.

and $TTL.

-The $ORIGIN Directive

+The $ORIGIN Directive

Syntax: $ORIGIN domain-name [ comment]

$ORIGIN sets the domain name that will @@ -3833,7 +3852,7 @@ WWW CNAME MAIN-SERVER

-The $INCLUDE Directive

+The $INCLUDE Directive

Syntax: $INCLUDE filename [ origin ] [ comment ]

@@ -3857,7 +3876,7 @@ This could be construed as a deviation from RFC 1035, a feature, or both.

-The $TTL Directive

+The $TTL Directive

Syntax: $TTL default-ttl [ comment ]

@@ -3868,7 +3887,7 @@ with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.

-BIND Master File Extension: the $GENERATE Directive

+BIND Master File Extension: the $GENERATE Directive

Syntax: $GENERATE range lhs [ttl] [class] type rhs [ comment ]

$GENERATE is used to create a series of resource records that only differ from each other by an iterator. $GENERATE can @@ -3901,16 +3920,16 @@ or start-stop/step. If the first form is used, then step is set to

lhs

-

lhs describes the +

This describes the owner name of the resource records to be created. Any single $ (dollar sign) symbols within the lhs side are replaced by the iterator value. -To get a $ in the output you need to escape the $ +To get a $ in the output, you need to escape the $ using a backslash \, e.g. \$. The $ may optionally be followed by modifiers which change the offset from the iterator, field width and base. -Modifiers are introduced by a { immediately following the +Modifiers are introduced by a { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} which subtracts 20 from the current value, prints the result as a decimal in a zero-padded field of width 3. Available @@ -3951,7 +3970,7 @@ PTR, CNAME, DNAME, A, AAAA and NS.

rhs

-

A domain name. It is processed +

rhs is a domain name. It is processed similarly to lhs.

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index f4e26f0673982..cfb405482e982 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -1,5 +1,5 @@ - + Chapter 7. BIND 9 Security Considerations - + @@ -46,11 +46,11 @@

Table of Contents

Access Control Lists
-
chroot and setuid (for +
Chroot and Setuid (for UNIX servers)
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
@@ -102,7 +102,7 @@ see the AUSCERT advisory at

-chroot and setuid (for +Chroot and Setuid (for UNIX servers)

On UNIX servers, it is possible to run BIND in a chrooted environment (using the chroot() function) by specifying the "-t" @@ -117,7 +117,7 @@ user 202:

/usr/local/bin/named -u 202 -t /var/named

-The chroot Environment

+The chroot Environment

In order for a chroot environment to work properly in a particular directory (for example, /var/named), @@ -129,7 +129,7 @@ like directory and

-Unlike with earlier versions of BIND, you will typically +Unlike with earlier versions of BIND, you typically will not need to compile named statically nor install shared libraries under the new root. However, depending on your operating system, you may need @@ -142,7 +142,7 @@ to set up things like

-Using the setuid Function

+Using the setuid Function

Prior to running the named daemon, use the touch utility (to change file access and modification times) or the chown utility (to diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 98dbbedea6684..1bb97711b5b56 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -1,5 +1,5 @@ - + Chapter 8. Troubleshooting - + @@ -45,18 +45,18 @@

Table of Contents

-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?

-Common Problems

+Common Problems

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

The best solution to solving installation and configuration issues is to take preventative measures by setting up logging files beforehand. The log files provide a @@ -66,17 +66,19 @@

-Incrementing and Changing the Serial Number

-

Zone serial numbers are just numbers-they aren't date - related. A lot of people set them to a number that represents a - date, usually of the form YYYYMMDDRR. A number of people have been - testing these numbers for Y2K compliance and have set the number - to the year 2000 to see if it will work. They then try to restore - the old serial number. This will cause problems because serial - numbers are used to indicate that a zone has been updated. If the - serial number on the slave server is lower than the serial number - on the master, the slave server will attempt to update its copy of - the zone.

+Incrementing and Changing the Serial Number
+

+ Zone serial numbers are just numbers — they aren't + date related. A lot of people set them to a number that + represents a date, usually of the form YYYYMMDDRR. + Occasionally they will make a mistake and set them to a + "date in the future" then try to correct them by setting + them to the "current date". This causes problems because + serial numbers are used to indicate that a zone has been + updated. If the serial number on the slave server is + lower than the serial number on the master, the slave + server will attempt to update its copy of the zone. +

Setting the serial number to a lower number on the master server than the slave server means that the slave will not perform updates to its copy of the zone.

@@ -87,7 +89,7 @@

-Where Can I Get Help?

+Where Can I Get Help?

The Internet Software Consortium (ISC) offers a wide range of support and service agreements for BIND and DHCP servers. Four levels of premium support are available and each level includes diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index ccf9ee111f004..4d07ae9a1cb63 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -1,5 +1,5 @@ - + Appendix A. Appendices - + @@ -43,24 +43,25 @@

Table of Contents

-
Acknowledgments
-
A Brief History of the DNS and BIND
+
Acknowledgments
+
A Brief History of the DNS and BIND
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND

-Acknowledgments

+Acknowledgments

-A Brief History of the DNS and BIND

+A Brief History of the DNS and BIND +

Although the "official" beginning of the Domain Name System occurred in 1984 with the publication of RFC 920, the core of the new system was described in 1983 in RFCs 882 and @@ -95,7 +96,7 @@ employee on loan to the CSRG, worked on BIND to 1987. Many other people also contributed to BIND development during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell, Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently -handled by Mike Karels and O. Kure.

+handled by Mike Karels and Øivind Kure.

BIND versions 4.9 and 4.9.1 were released by Digital Equipment Corporation (now Compaq Computer Corporation). Paul Vixie, then a DEC employee, became BIND's primary caretaker. He was assisted @@ -103,13 +104,27 @@ by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe Wolfhugel, and others.

-

BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul +

In 1994, BIND version 4.9.2 was sponsored by Vixie Enterprises. Paul Vixie became BIND's principal architect/programmer.

BIND versions from 4.9.3 onward have been developed and maintained by the Internet Software Consortium with support being provided -by ISC's sponsors. As co-architects/programmers, Bob Halley and +by ISC's sponsors. +

+

As co-architects/programmers, Bob Halley and Paul Vixie released the first production-ready version of BIND version 8 in May 1997.

+

+ BIND version 9 was released in September 2000 and is a + major rewrite of nearly all aspects of the underlying + BIND architecture. +

+

+ BIND version 4 is officially deprecated and BIND version + 8 development is considered maintenance-only in favor + of BIND version 9. No additional development is done + on BIND version 4 or BIND version 8 other than for + security-related patches. +

BIND development work is made possible today by the sponsorship of several corporations, and by the tireless work efforts of numerous individuals.

@@ -127,7 +142,8 @@ scalable Internet routing. There are three types of addresses: Anycast, an identifier for a set of interfaces; and Multicast, an identifier for a set of interfaces. Here we describe the global -Unicast address scheme. For more information, see RFC 2374.

+Unicast address scheme. For more information, see RFC 3587, +"Global Unicast Address Format."

The aggregatable global Unicast address format is as follows:

@@ -261,17 +277,17 @@ the number of the RFC). RFCs are also available via the Web at

-Bibliography

+Bibliography

Standards

-

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

+

[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986.

-

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

+

[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987.

-

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and +

[RFC1035] P. V. Mockapetris. Domain Names — Implementation and Specification. November 1987.

@@ -279,22 +295,22 @@ Specification. November 1987.

Proposed Standards

-

[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

+

[RFC2181] R., R. Bush Elz. Clarifications to the DNS Specification. July 1997.

-

[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

+

[RFC2308] M. Andrews. Negative Caching of DNS Queries. March 1998.

-

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

+

[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996.

-

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

+

[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996.

-

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

+

[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997.

-

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

+

[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000.

@@ -305,85 +321,85 @@ Specification. November 1987.

RFCs are undergoing major revision by the IETF.

-

[RFC1886] S. Thomson and C. Huitema. DNS Extensions to support IP version 6. December 1995.

+

[RFC1886] S. Thomson and C. Huitema. DNS Extensions to support IP version 6. December 1995.

-

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

+

[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997.

-

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

+

[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997.

Other Important RFCs About DNS Implementation

-

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.

+

[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely Deployed DNS Software.. October 1993.

-

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

+

[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation Errors and Suggested Fixes. October 1993.

-

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

+

[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996.

Resource Record Types

-

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

+

[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990.

-

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

+

[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994.

-

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using +

[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.

-

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain +

[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the Domain Name System. January 1996.

-

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of +

[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the Location of Services.. October 1996.

-

[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER +

[RFC2163] A. Allocchio. Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping. January 1998.

-

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

+

[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997.

DNS and the Internet

-

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

+

[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names and Other Types. April 1989.

-

[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

+

[RFC1123] Braden. Requirements for Internet Hosts - Application and Support. October 1989.

-

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

+

[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994.

-

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

+

[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998.

DNS Operations

-

[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

+

[RFC1537] P. Beertema. Common DNS Data File Configuration Errors. October 1993.

-

[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

+

[RFC1912] D. Barr. Common DNS Operational and Configuration Errors. February 1996.

-

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

+

[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996.

-

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997.

+

[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for Network Services.. October 1997.

@@ -394,28 +410,28 @@ Conformant Global Address Mapping. January 1998 DNS-related, are not concerned with implementing software.

-

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

+

[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String Attributes. May 1993.

-

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

+

[RFC1713] A. Romao. Tools for DNS Debugging. November 1994.

-

[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

+

[RFC1794] T. Brisco. DNS Support for Load Balancing. April 1995.

-

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

+

[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997.

-

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

+

[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998.

-

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

+

[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998.

Obsolete and Unimplemented Experimental RRs

-

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical +

[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical Location. November 1994.

@@ -435,13 +451,14 @@ after which they are deleted unless updated by their authors.

-Other Documents About BIND

+Other Documents About BIND +

-Bibliography

+Bibliography
-

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

+

Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 6c62d12533e20..41b763c3e35eb 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -1,5 +1,5 @@ - + BIND 9 Administrator Reference Manual - + - +
@@ -40,8 +40,8 @@

-BIND 9 Administrator Reference Manual

-

Copyright © 2004-2006 Internet Systems Consortium, Inc. ("ISC")

+BIND 9 Administrator Reference Manual
+

Copyright © 2004-2008 Internet Systems Consortium, Inc. ("ISC")

Copyright © 2000-2003 Internet Software Consortium.

@@ -51,39 +51,39 @@
1. Introduction
-
Scope of Document
-
Organization of This Document
-
Conventions Used in This Document
-
The Domain Name System (DNS)
+
Scope of Document
+
Organization of This Document
+
Conventions Used in This Document
+
The Domain Name System (DNS)
-
DNS Fundamentals
-
Domains and Domain Names
-
Zones
-
Authoritative Name Servers
-
Caching Name Servers
-
Name Servers in Multiple Roles
+
DNS Fundamentals
+
Domains and Domain Names
+
Zones
+
Authoritative Name Servers
+
Caching Name Servers
+
Name Servers in Multiple Roles
2. BIND Resource Requirements
-
Hardware requirements
-
CPU Requirements
-
Memory Requirements
-
Name Server Intensive Environment Issues
-
Supported Operating Systems
+
Hardware requirements
+
CPU Requirements
+
Memory Requirements
+
Name Server Intensive Environment Issues
+
Supported Operating Systems
3. Name Server Configuration
Sample Configurations
-
A Caching-only Name Server
-
An Authoritative-only Name Server
+
A Caching-only Name Server
+
An Authoritative-only Name Server
-
Load Balancing
-
Name Server Operations
+
Load Balancing
+
Name Server Operations
-
Tools for Use With the Name Server Daemon
-
Signals
+
Tools for Use With the Name Server Daemon
+
Signals
4. Advanced DNS Features
@@ -92,33 +92,34 @@
Dynamic Update
The journal file
Incremental Zone Transfers (IXFR)
-
Split DNS
+
Split DNS
+
Example split DNS setup
TSIG
-
Generate Shared Keys for Each Pair of Hosts
-
Copying the Shared Secret to Both Machines
-
Informing the Servers of the Key's Existence
-
Instructing the Server to Use the Key
-
TSIG Key Based Access Control
-
Errors
+
Generate Shared Keys for Each Pair of Hosts
+
Copying the Shared Secret to Both Machines
+
Informing the Servers of the Key's Existence
+
Instructing the Server to Use the Key
+
TSIG Key Based Access Control
+
Errors
-
TKEY
-
SIG(0)
+
TKEY
+
SIG(0)
DNSSEC
-
Generating Keys
-
Signing the Zone
-
Configuring Servers
+
Generating Keys
+
Signing the Zone
+
Configuring Servers
-
IPv6 Support in BIND 9
+
IPv6 Support in BIND 9
-
Address Lookups Using AAAA Records
-
Address to Name Lookups Using Nibble Format
+
Address Lookups Using AAAA Records
+
Address to Name Lookups Using Nibble Format
5. The BIND 9 Lightweight Resolver
-
The Lightweight Resolver Library
+
The Lightweight Resolver Library
Running a Resolver Daemon
6. BIND 9 Configuration Reference
@@ -126,77 +127,77 @@
Configuration File Elements
Address Match Lists
-
Comment Syntax
+
Comment Syntax
Configuration File Grammar
-
acl Statement Grammar
+
acl Statement Grammar
acl Statement Definition and Usage
-
controls Statement Grammar
+
controls Statement Grammar
controls Statement Definition and Usage
-
include Statement Grammar
-
include Statement Definition and Usage
-
key Statement Grammar
-
key Statement Definition and Usage
-
logging Statement Grammar
-
logging Statement Definition and Usage
-
lwres Statement Grammar
-
lwres Statement Definition and Usage
-
masters Statement Grammar
-
masters Statement Definition and Usage
-
options Statement Grammar
+
include Statement Grammar
+
include Statement Definition and Usage
+
key Statement Grammar
+
key Statement Definition and Usage
+
logging Statement Grammar
+
logging Statement Definition and Usage
+
lwres Statement Grammar
+
lwres Statement Definition and Usage
+
masters Statement Grammar
+
masters Statement Definition and Usage
+
options Statement Grammar
options Statement Definition and Usage
server Statement Grammar
server Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
7. BIND 9 Security Considerations
Access Control Lists
-
chroot and setuid (for +
Chroot and Setuid (for UNIX servers)
-
The chroot Environment
-
Using the setuid Function
+
The chroot Environment
+
Using the setuid Function
Dynamic Update Security
8. Troubleshooting
-
Common Problems
-
It's not working; how can I figure out what's wrong?
-
Incrementing and Changing the Serial Number
-
Where Can I Get Help?
+
Common Problems
+
It's not working; how can I figure out what's wrong?
+
Incrementing and Changing the Serial Number
+
Where Can I Get Help?
A. Appendices
-
Acknowledgments
-
A Brief History of the DNS and BIND
+
Acknowledgments
+
A Brief History of the DNS and BIND
General DNS Reference Information
IPv6 addresses (AAAA)
Bibliography (and Suggested Reading)
Request for Comments (RFCs)
Internet Drafts
-
Other Documents About BIND
+
Other Documents About BIND
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf old mode 100755 new mode 100644 index cf61e9c81bbd7..7c74c3935bc05 --- a/doc/arm/Bv9ARM.pdf +++ b/doc/arm/Bv9ARM.pdf @@ -222,919 +222,923 @@ endobj (4.4 Split DNS) endobj 153 0 obj -<< /S /GoTo /D (section.4.5) >> +<< /S /GoTo /D (subsection.4.4.1) >> endobj 156 0 obj -(4.5 TSIG) +(4.4.1 Example split DNS setup) endobj 157 0 obj -<< /S /GoTo /D (subsection.4.5.1) >> +<< /S /GoTo /D (section.4.5) >> endobj 160 0 obj -(4.5.1 Generate Shared Keys for Each Pair of Hosts) +(4.5 TSIG) endobj 161 0 obj -<< /S /GoTo /D (subsubsection.4.5.1.1) >> +<< /S /GoTo /D (subsection.4.5.1) >> endobj 164 0 obj -(4.5.1.1 Automatic Generation) +(4.5.1 Generate Shared Keys for Each Pair of Hosts) endobj 165 0 obj -<< /S /GoTo /D (subsubsection.4.5.1.2) >> +<< /S /GoTo /D (subsubsection.4.5.1.1) >> endobj 168 0 obj -(4.5.1.2 Manual Generation) +(4.5.1.1 Automatic Generation) endobj 169 0 obj -<< /S /GoTo /D (subsection.4.5.2) >> +<< /S /GoTo /D (subsubsection.4.5.1.2) >> endobj 172 0 obj -(4.5.2 Copying the Shared Secret to Both Machines) +(4.5.1.2 Manual Generation) endobj 173 0 obj -<< /S /GoTo /D (subsection.4.5.3) >> +<< /S /GoTo /D (subsection.4.5.2) >> endobj 176 0 obj -(4.5.3 Informing the Servers of the Key's Existence) +(4.5.2 Copying the Shared Secret to Both Machines) endobj 177 0 obj -<< /S /GoTo /D (subsection.4.5.4) >> +<< /S /GoTo /D (subsection.4.5.3) >> endobj 180 0 obj -(4.5.4 Instructing the Server to Use the Key) +(4.5.3 Informing the Servers of the Key's Existence) endobj 181 0 obj -<< /S /GoTo /D (subsection.4.5.5) >> +<< /S /GoTo /D (subsection.4.5.4) >> endobj 184 0 obj -(4.5.5 TSIG Key Based Access Control) +(4.5.4 Instructing the Server to Use the Key) endobj 185 0 obj -<< /S /GoTo /D (subsection.4.5.6) >> +<< /S /GoTo /D (subsection.4.5.5) >> endobj 188 0 obj -(4.5.6 Errors) +(4.5.5 TSIG Key Based Access Control) endobj 189 0 obj -<< /S /GoTo /D (section.4.6) >> +<< /S /GoTo /D (subsection.4.5.6) >> endobj 192 0 obj -(4.6 TKEY) +(4.5.6 Errors) endobj 193 0 obj -<< /S /GoTo /D (section.4.7) >> +<< /S /GoTo /D (section.4.6) >> endobj 196 0 obj -(4.7 SIG\(0\)) +(4.6 TKEY) endobj 197 0 obj -<< /S /GoTo /D (section.4.8) >> +<< /S /GoTo /D (section.4.7) >> endobj 200 0 obj -(4.8 DNSSEC) +(4.7 SIG\(0\)) endobj 201 0 obj -<< /S /GoTo /D (subsection.4.8.1) >> +<< /S /GoTo /D (section.4.8) >> endobj 204 0 obj -(4.8.1 Generating Keys) +(4.8 DNSSEC) endobj 205 0 obj -<< /S /GoTo /D (subsection.4.8.2) >> +<< /S /GoTo /D (subsection.4.8.1) >> endobj 208 0 obj -(4.8.2 Signing the Zone) +(4.8.1 Generating Keys) endobj 209 0 obj -<< /S /GoTo /D (subsection.4.8.3) >> +<< /S /GoTo /D (subsection.4.8.2) >> endobj 212 0 obj -(4.8.3 Configuring Servers) +(4.8.2 Signing the Zone) endobj 213 0 obj -<< /S /GoTo /D (section.4.9) >> +<< /S /GoTo /D (subsection.4.8.3) >> endobj 216 0 obj -(4.9 IPv6 Support in BIND 9) +(4.8.3 Configuring Servers) endobj 217 0 obj -<< /S /GoTo /D (subsection.4.9.1) >> +<< /S /GoTo /D (section.4.9) >> endobj 220 0 obj -(4.9.1 Address Lookups Using AAAA Records) +(4.9 IPv6 Support in BIND 9) endobj 221 0 obj -<< /S /GoTo /D (subsection.4.9.2) >> +<< /S /GoTo /D (subsection.4.9.1) >> endobj 224 0 obj -(4.9.2 Address to Name Lookups Using Nibble Format) +(4.9.1 Address Lookups Using AAAA Records) endobj 225 0 obj -<< /S /GoTo /D (chapter.5) >> +<< /S /GoTo /D (subsection.4.9.2) >> endobj 228 0 obj -(5 The BIND 9 Lightweight Resolver) +(4.9.2 Address to Name Lookups Using Nibble Format) endobj 229 0 obj -<< /S /GoTo /D (section.5.1) >> +<< /S /GoTo /D (chapter.5) >> endobj 232 0 obj -(5.1 The Lightweight Resolver Library) +(5 The BIND 9 Lightweight Resolver) endobj 233 0 obj -<< /S /GoTo /D (section.5.2) >> +<< /S /GoTo /D (section.5.1) >> endobj 236 0 obj -(5.2 Running a Resolver Daemon) +(5.1 The Lightweight Resolver Library) endobj 237 0 obj -<< /S /GoTo /D (chapter.6) >> +<< /S /GoTo /D (section.5.2) >> endobj 240 0 obj -(6 BIND 9 Configuration Reference) +(5.2 Running a Resolver Daemon) endobj 241 0 obj -<< /S /GoTo /D (section.6.1) >> +<< /S /GoTo /D (chapter.6) >> endobj 244 0 obj -(6.1 Configuration File Elements) +(6 BIND 9 Configuration Reference) endobj 245 0 obj -<< /S /GoTo /D (subsection.6.1.1) >> +<< /S /GoTo /D (section.6.1) >> endobj 248 0 obj -(6.1.1 Address Match Lists) +(6.1 Configuration File Elements) endobj 249 0 obj -<< /S /GoTo /D (subsubsection.6.1.1.1) >> +<< /S /GoTo /D (subsection.6.1.1) >> endobj 252 0 obj -(6.1.1.1 Syntax) +(6.1.1 Address Match Lists) endobj 253 0 obj -<< /S /GoTo /D (subsubsection.6.1.1.2) >> +<< /S /GoTo /D (subsubsection.6.1.1.1) >> endobj 256 0 obj -(6.1.1.2 Definition and Usage) +(6.1.1.1 Syntax) endobj 257 0 obj -<< /S /GoTo /D (subsection.6.1.2) >> +<< /S /GoTo /D (subsubsection.6.1.1.2) >> endobj 260 0 obj -(6.1.2 Comment Syntax) +(6.1.1.2 Definition and Usage) endobj 261 0 obj -<< /S /GoTo /D (subsubsection.6.1.2.1) >> +<< /S /GoTo /D (subsection.6.1.2) >> endobj 264 0 obj -(6.1.2.1 Syntax) +(6.1.2 Comment Syntax) endobj 265 0 obj -<< /S /GoTo /D (subsubsection.6.1.2.2) >> +<< /S /GoTo /D (subsubsection.6.1.2.1) >> endobj 268 0 obj -(6.1.2.2 Definition and Usage) +(6.1.2.1 Syntax) endobj 269 0 obj -<< /S /GoTo /D (section.6.2) >> +<< /S /GoTo /D (subsubsection.6.1.2.2) >> endobj 272 0 obj -(6.2 Configuration File Grammar) +(6.1.2.2 Definition and Usage) endobj 273 0 obj -<< /S /GoTo /D (subsection.6.2.1) >> +<< /S /GoTo /D (section.6.2) >> endobj 276 0 obj -(6.2.1 acl Statement Grammar) +(6.2 Configuration File Grammar) endobj 277 0 obj -<< /S /GoTo /D (subsection.6.2.2) >> +<< /S /GoTo /D (subsection.6.2.1) >> endobj 280 0 obj -(6.2.2 acl Statement Definition and Usage) +(6.2.1 acl Statement Grammar) endobj 281 0 obj -<< /S /GoTo /D (subsection.6.2.3) >> +<< /S /GoTo /D (subsection.6.2.2) >> endobj 284 0 obj -(6.2.3 controls Statement Grammar) +(6.2.2 acl Statement Definition and Usage) endobj 285 0 obj -<< /S /GoTo /D (subsection.6.2.4) >> +<< /S /GoTo /D (subsection.6.2.3) >> endobj 288 0 obj -(6.2.4 controls Statement Definition and Usage) +(6.2.3 controls Statement Grammar) endobj 289 0 obj -<< /S /GoTo /D (subsection.6.2.5) >> +<< /S /GoTo /D (subsection.6.2.4) >> endobj 292 0 obj -(6.2.5 include Statement Grammar) +(6.2.4 controls Statement Definition and Usage) endobj 293 0 obj -<< /S /GoTo /D (subsection.6.2.6) >> +<< /S /GoTo /D (subsection.6.2.5) >> endobj 296 0 obj -(6.2.6 include Statement Definition and Usage) +(6.2.5 include Statement Grammar) endobj 297 0 obj -<< /S /GoTo /D (subsection.6.2.7) >> +<< /S /GoTo /D (subsection.6.2.6) >> endobj 300 0 obj -(6.2.7 key Statement Grammar) +(6.2.6 include Statement Definition and Usage) endobj 301 0 obj -<< /S /GoTo /D (subsection.6.2.8) >> +<< /S /GoTo /D (subsection.6.2.7) >> endobj 304 0 obj -(6.2.8 key Statement Definition and Usage) +(6.2.7 key Statement Grammar) endobj 305 0 obj -<< /S /GoTo /D (subsection.6.2.9) >> +<< /S /GoTo /D (subsection.6.2.8) >> endobj 308 0 obj -(6.2.9 logging Statement Grammar) +(6.2.8 key Statement Definition and Usage) endobj 309 0 obj -<< /S /GoTo /D (subsection.6.2.10) >> +<< /S /GoTo /D (subsection.6.2.9) >> endobj 312 0 obj -(6.2.10 logging Statement Definition and Usage) +(6.2.9 logging Statement Grammar) endobj 313 0 obj -<< /S /GoTo /D (subsubsection.6.2.10.1) >> +<< /S /GoTo /D (subsection.6.2.10) >> endobj 316 0 obj -(6.2.10.1 The channel Phrase) +(6.2.10 logging Statement Definition and Usage) endobj 317 0 obj -<< /S /GoTo /D (subsubsection.6.2.10.2) >> +<< /S /GoTo /D (subsubsection.6.2.10.1) >> endobj 320 0 obj -(6.2.10.2 The category Phrase) +(6.2.10.1 The channel Phrase) endobj 321 0 obj -<< /S /GoTo /D (subsection.6.2.11) >> +<< /S /GoTo /D (subsubsection.6.2.10.2) >> endobj 324 0 obj -(6.2.11 lwres Statement Grammar) +(6.2.10.2 The category Phrase) endobj 325 0 obj -<< /S /GoTo /D (subsection.6.2.12) >> +<< /S /GoTo /D (subsection.6.2.11) >> endobj 328 0 obj -(6.2.12 lwres Statement Definition and Usage) +(6.2.11 lwres Statement Grammar) endobj 329 0 obj -<< /S /GoTo /D (subsection.6.2.13) >> +<< /S /GoTo /D (subsection.6.2.12) >> endobj 332 0 obj -(6.2.13 masters Statement Grammar) +(6.2.12 lwres Statement Definition and Usage) endobj 333 0 obj -<< /S /GoTo /D (subsection.6.2.14) >> +<< /S /GoTo /D (subsection.6.2.13) >> endobj 336 0 obj -(6.2.14 masters Statement Definition and Usage) +(6.2.13 masters Statement Grammar) endobj 337 0 obj -<< /S /GoTo /D (subsection.6.2.15) >> +<< /S /GoTo /D (subsection.6.2.14) >> endobj 340 0 obj -(6.2.15 options Statement Grammar) +(6.2.14 masters Statement Definition and Usage) endobj 341 0 obj -<< /S /GoTo /D (subsection.6.2.16) >> +<< /S /GoTo /D (subsection.6.2.15) >> endobj 344 0 obj -(6.2.16 options Statement Definition and Usage) +(6.2.15 options Statement Grammar) endobj 345 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.1) >> +<< /S /GoTo /D (subsection.6.2.16) >> endobj 348 0 obj -(6.2.16.1 Boolean Options) +(6.2.16 options Statement Definition and Usage) endobj 349 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.2) >> +<< /S /GoTo /D (subsubsection.6.2.16.1) >> endobj 352 0 obj -(6.2.16.2 Forwarding) +(6.2.16.1 Boolean Options) endobj 353 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.3) >> +<< /S /GoTo /D (subsubsection.6.2.16.2) >> endobj 356 0 obj -(6.2.16.3 Dual-stack Servers) +(6.2.16.2 Forwarding) endobj 357 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.4) >> +<< /S /GoTo /D (subsubsection.6.2.16.3) >> endobj 360 0 obj -(6.2.16.4 Access Control) +(6.2.16.3 Dual-stack Servers) endobj 361 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.5) >> +<< /S /GoTo /D (subsubsection.6.2.16.4) >> endobj 364 0 obj -(6.2.16.5 Interfaces) +(6.2.16.4 Access Control) endobj 365 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.6) >> +<< /S /GoTo /D (subsubsection.6.2.16.5) >> endobj 368 0 obj -(6.2.16.6 Query Address) +(6.2.16.5 Interfaces) endobj 369 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.7) >> +<< /S /GoTo /D (subsubsection.6.2.16.6) >> endobj 372 0 obj -(6.2.16.7 Zone Transfers) +(6.2.16.6 Query Address) endobj 373 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.8) >> +<< /S /GoTo /D (subsubsection.6.2.16.7) >> endobj 376 0 obj -(6.2.16.8 Bad UDP Port Lists) +(6.2.16.7 Zone Transfers) endobj 377 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.9) >> +<< /S /GoTo /D (subsubsection.6.2.16.8) >> endobj 380 0 obj -(6.2.16.9 Operating System Resource Limits) +(6.2.16.8 Bad UDP Port Lists) endobj 381 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.10) >> +<< /S /GoTo /D (subsubsection.6.2.16.9) >> endobj 384 0 obj -(6.2.16.10 Server Resource Limits) +(6.2.16.9 Operating System Resource Limits) endobj 385 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.11) >> +<< /S /GoTo /D (subsubsection.6.2.16.10) >> endobj 388 0 obj -(6.2.16.11 Periodic Task Intervals) +(6.2.16.10 Server Resource Limits) endobj 389 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.12) >> +<< /S /GoTo /D (subsubsection.6.2.16.11) >> endobj 392 0 obj -(6.2.16.12 Topology) +(6.2.16.11 Periodic Task Intervals) endobj 393 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.13) >> +<< /S /GoTo /D (subsubsection.6.2.16.12) >> endobj 396 0 obj -(6.2.16.13 The sortlist Statement) +(6.2.16.12 Topology) endobj 397 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.14) >> +<< /S /GoTo /D (subsubsection.6.2.16.13) >> endobj 400 0 obj -(6.2.16.14 RRset Ordering) +(6.2.16.13 The sortlist Statement) endobj 401 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.15) >> +<< /S /GoTo /D (subsubsection.6.2.16.14) >> endobj 404 0 obj -(6.2.16.15 Tuning) +(6.2.16.14 RRset Ordering) endobj 405 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.16) >> +<< /S /GoTo /D (subsubsection.6.2.16.15) >> endobj 408 0 obj -(6.2.16.16 Built-in server information zones) +(6.2.16.15 Tuning) endobj 409 0 obj -<< /S /GoTo /D (subsubsection.6.2.16.17) >> +<< /S /GoTo /D (subsubsection.6.2.16.16) >> endobj 412 0 obj -(6.2.16.17 The Statistics File) +(6.2.16.16 Built-in server information zones) endobj 413 0 obj -<< /S /GoTo /D (subsection.6.2.17) >> +<< /S /GoTo /D (subsubsection.6.2.16.17) >> endobj 416 0 obj -(6.2.17 server Statement Grammar) +(6.2.16.17 The Statistics File) endobj 417 0 obj -<< /S /GoTo /D (subsection.6.2.18) >> +<< /S /GoTo /D (subsection.6.2.17) >> endobj 420 0 obj -(6.2.18 server Statement Definition and Usage) +(6.2.17 server Statement Grammar) endobj 421 0 obj -<< /S /GoTo /D (subsection.6.2.19) >> +<< /S /GoTo /D (subsection.6.2.18) >> endobj 424 0 obj -(6.2.19 trusted-keys Statement Grammar) +(6.2.18 server Statement Definition and Usage) endobj 425 0 obj -<< /S /GoTo /D (subsection.6.2.20) >> +<< /S /GoTo /D (subsection.6.2.19) >> endobj 428 0 obj -(6.2.20 trusted-keys Statement Definition and Usage) +(6.2.19 trusted-keys Statement Grammar) endobj 429 0 obj -<< /S /GoTo /D (subsection.6.2.21) >> +<< /S /GoTo /D (subsection.6.2.20) >> endobj 432 0 obj -(6.2.21 view Statement Grammar) +(6.2.20 trusted-keys Statement Definition and Usage) endobj 433 0 obj -<< /S /GoTo /D (subsection.6.2.22) >> +<< /S /GoTo /D (subsection.6.2.21) >> endobj 436 0 obj -(6.2.22 view Statement Definition and Usage) +(6.2.21 view Statement Grammar) endobj 437 0 obj -<< /S /GoTo /D (subsection.6.2.23) >> +<< /S /GoTo /D (subsection.6.2.22) >> endobj 440 0 obj -(6.2.23 zone Statement Grammar) +(6.2.22 view Statement Definition and Usage) endobj 441 0 obj -<< /S /GoTo /D (subsection.6.2.24) >> +<< /S /GoTo /D (subsection.6.2.23) >> endobj 444 0 obj -(6.2.24 zone Statement Definition and Usage) +(6.2.23 zone Statement Grammar) endobj 445 0 obj -<< /S /GoTo /D (subsubsection.6.2.24.1) >> +<< /S /GoTo /D (subsection.6.2.24) >> endobj 448 0 obj -(6.2.24.1 Zone Types) +(6.2.24 zone Statement Definition and Usage) endobj 449 0 obj -<< /S /GoTo /D (subsubsection.6.2.24.2) >> +<< /S /GoTo /D (subsubsection.6.2.24.1) >> endobj 452 0 obj -(6.2.24.2 Class) +(6.2.24.1 Zone Types) endobj 453 0 obj -<< /S /GoTo /D (subsubsection.6.2.24.3) >> +<< /S /GoTo /D (subsubsection.6.2.24.2) >> endobj 456 0 obj -(6.2.24.3 Zone Options) +(6.2.24.2 Class) endobj 457 0 obj -<< /S /GoTo /D (subsubsection.6.2.24.4) >> +<< /S /GoTo /D (subsubsection.6.2.24.3) >> endobj 460 0 obj -(6.2.24.4 Dynamic Update Policies) +(6.2.24.3 Zone Options) endobj 461 0 obj -<< /S /GoTo /D (section.6.3) >> +<< /S /GoTo /D (subsubsection.6.2.24.4) >> endobj 464 0 obj -(6.3 Zone File) +(6.2.24.4 Dynamic Update Policies) endobj 465 0 obj -<< /S /GoTo /D (subsection.6.3.1) >> +<< /S /GoTo /D (section.6.3) >> endobj 468 0 obj -(6.3.1 Types of Resource Records and When to Use Them) +(6.3 Zone File) endobj 469 0 obj -<< /S /GoTo /D (subsubsection.6.3.1.1) >> +<< /S /GoTo /D (subsection.6.3.1) >> endobj 472 0 obj -(6.3.1.1 Resource Records) +(6.3.1 Types of Resource Records and When to Use Them) endobj 473 0 obj -<< /S /GoTo /D (subsubsection.6.3.1.2) >> +<< /S /GoTo /D (subsubsection.6.3.1.1) >> endobj 476 0 obj -(6.3.1.2 Textual expression of RRs) +(6.3.1.1 Resource Records) endobj 477 0 obj -<< /S /GoTo /D (subsection.6.3.2) >> +<< /S /GoTo /D (subsubsection.6.3.1.2) >> endobj 480 0 obj -(6.3.2 Discussion of MX Records) +(6.3.1.2 Textual expression of RRs) endobj 481 0 obj -<< /S /GoTo /D (subsection.6.3.3) >> +<< /S /GoTo /D (subsection.6.3.2) >> endobj 484 0 obj -(6.3.3 Setting TTLs) +(6.3.2 Discussion of MX Records) endobj 485 0 obj -<< /S /GoTo /D (subsection.6.3.4) >> +<< /S /GoTo /D (subsection.6.3.3) >> endobj 488 0 obj -(6.3.4 Inverse Mapping in IPv4) +(6.3.3 Setting TTLs) endobj 489 0 obj -<< /S /GoTo /D (subsection.6.3.5) >> +<< /S /GoTo /D (subsection.6.3.4) >> endobj 492 0 obj -(6.3.5 Other Zone File Directives) +(6.3.4 Inverse Mapping in IPv4) endobj 493 0 obj -<< /S /GoTo /D (subsubsection.6.3.5.1) >> +<< /S /GoTo /D (subsection.6.3.5) >> endobj 496 0 obj -(6.3.5.1 The \044ORIGIN Directive) +(6.3.5 Other Zone File Directives) endobj 497 0 obj -<< /S /GoTo /D (subsubsection.6.3.5.2) >> +<< /S /GoTo /D (subsubsection.6.3.5.1) >> endobj 500 0 obj -(6.3.5.2 The \044INCLUDE Directive) +(6.3.5.1 The \044ORIGIN Directive) endobj 501 0 obj -<< /S /GoTo /D (subsubsection.6.3.5.3) >> +<< /S /GoTo /D (subsubsection.6.3.5.2) >> endobj 504 0 obj -(6.3.5.3 The \044TTL Directive) +(6.3.5.2 The \044INCLUDE Directive) endobj 505 0 obj -<< /S /GoTo /D (subsection.6.3.6) >> +<< /S /GoTo /D (subsubsection.6.3.5.3) >> endobj 508 0 obj -(6.3.6 BIND Master File Extension: the \044GENERATE Directive) +(6.3.5.3 The \044TTL Directive) endobj 509 0 obj -<< /S /GoTo /D (chapter.7) >> +<< /S /GoTo /D (subsection.6.3.6) >> endobj 512 0 obj -(7 BIND 9 Security Considerations) +(6.3.6 BIND Master File Extension: the \044GENERATE Directive) endobj 513 0 obj -<< /S /GoTo /D (section.7.1) >> +<< /S /GoTo /D (chapter.7) >> endobj 516 0 obj -(7.1 Access Control Lists) +(7 BIND 9 Security Considerations) endobj 517 0 obj -<< /S /GoTo /D (section.7.2) >> +<< /S /GoTo /D (section.7.1) >> endobj 520 0 obj -(7.2 chroot and setuid \(for UNIX servers\)) +(7.1 Access Control Lists) endobj 521 0 obj -<< /S /GoTo /D (subsection.7.2.1) >> +<< /S /GoTo /D (section.7.2) >> endobj 524 0 obj -(7.2.1 The chroot Environment) +(7.2 Chroot and Setuid \(for UNIX servers\)) endobj 525 0 obj -<< /S /GoTo /D (subsection.7.2.2) >> +<< /S /GoTo /D (subsection.7.2.1) >> endobj 528 0 obj -(7.2.2 Using the setuid Function) +(7.2.1 The chroot Environment) endobj 529 0 obj -<< /S /GoTo /D (section.7.3) >> +<< /S /GoTo /D (subsection.7.2.2) >> endobj 532 0 obj -(7.3 Dynamic Update Security) +(7.2.2 Using the setuid Function) endobj 533 0 obj -<< /S /GoTo /D (chapter.8) >> +<< /S /GoTo /D (section.7.3) >> endobj 536 0 obj -(8 Troubleshooting) +(7.3 Dynamic Update Security) endobj 537 0 obj -<< /S /GoTo /D (section.8.1) >> +<< /S /GoTo /D (chapter.8) >> endobj 540 0 obj -(8.1 Common Problems) +(8 Troubleshooting) endobj 541 0 obj -<< /S /GoTo /D (subsection.8.1.1) >> +<< /S /GoTo /D (section.8.1) >> endobj 544 0 obj -(8.1.1 It's not working; how can I figure out what's wrong?) +(8.1 Common Problems) endobj 545 0 obj -<< /S /GoTo /D (section.8.2) >> +<< /S /GoTo /D (subsection.8.1.1) >> endobj 548 0 obj -(8.2 Incrementing and Changing the Serial Number) +(8.1.1 It's not working; how can I figure out what's wrong?) endobj 549 0 obj -<< /S /GoTo /D (section.8.3) >> +<< /S /GoTo /D (section.8.2) >> endobj 552 0 obj -(8.3 Where Can I Get Help?) +(8.2 Incrementing and Changing the Serial Number) endobj 553 0 obj -<< /S /GoTo /D (appendix.A) >> +<< /S /GoTo /D (section.8.3) >> endobj 556 0 obj -(A Appendices) +(8.3 Where Can I Get Help?) endobj 557 0 obj -<< /S /GoTo /D (section.A.1) >> +<< /S /GoTo /D (appendix.A) >> endobj 560 0 obj -(A.1 Acknowledgments) +(A Appendices) endobj 561 0 obj -<< /S /GoTo /D (subsection.A.1.1) >> +<< /S /GoTo /D (section.A.1) >> endobj 564 0 obj -(A.1.1 A Brief History of the DNS and BIND) +(A.1 Acknowledgments) endobj 565 0 obj -<< /S /GoTo /D (section.A.2) >> +<< /S /GoTo /D (subsection.A.1.1) >> endobj 568 0 obj -(A.2 General DNS Reference Information) +(A.1.1 A Brief History of the DNS and BIND) endobj 569 0 obj -<< /S /GoTo /D (subsection.A.2.1) >> +<< /S /GoTo /D (section.A.2) >> endobj 572 0 obj -(A.2.1 IPv6 addresses \(AAAA\)) +(A.2 General DNS Reference Information) endobj 573 0 obj -<< /S /GoTo /D (section.A.3) >> +<< /S /GoTo /D (subsection.A.2.1) >> endobj 576 0 obj -(A.3 Bibliography \(and Suggested Reading\)) +(A.2.1 IPv6 addresses \(AAAA\)) endobj 577 0 obj -<< /S /GoTo /D (subsection.A.3.1) >> +<< /S /GoTo /D (section.A.3) >> endobj 580 0 obj -(A.3.1 Request for Comments \(RFCs\)) +(A.3 Bibliography \(and Suggested Reading\)) endobj 581 0 obj -<< /S /GoTo /D (subsection.A.3.2) >> +<< /S /GoTo /D (subsection.A.3.1) >> endobj 584 0 obj -(A.3.2 Internet Drafts) +(A.3.1 Request for Comments \(RFCs\)) endobj 585 0 obj -<< /S /GoTo /D (subsection.A.3.3) >> +<< /S /GoTo /D (subsection.A.3.2) >> endobj 588 0 obj -(A.3.3 Other Documents About BIND) +(A.3.2 Internet Drafts) endobj 589 0 obj -<< /S /GoTo /D [590 0 R /FitH ] >> +<< /S /GoTo /D (subsection.A.3.3) >> +endobj +592 0 obj +(A.3.3 Other Documents About BIND) +endobj +593 0 obj +<< /S /GoTo /D [594 0 R /FitH ] >> endobj -592 0 obj << -/Length 223 +596 0 obj << +/Length 220 /Filter /FlateDecode >> stream -xÚÍjÃ0„ï~Š=&PmµÚ][:6$--4‡¢[ÉÁM”ˆp~ž¿rì†B{(:hVû1ƒ†ÀæCà-*ª%…uSXøÌ»§‚FF”Q…9l F/ìÁ8ïQµt?±_8‰`Å>€Q«²yÏbqÿ(¨BG*·@°r–áÆÅÍûdö¼œOS; Ãõ°ivíîxêêÓ¡žÞÒ6u©]§a|­Ûs½Ÿ®âKŽ`  ê®YsÈÚxÁÒ;½F,—Ô|¤ÑÌù»QX[ö&Å"Þ~ó]+öý»¼/g—RÇendstream +xÚ=O1 †÷û[‰˜ø«IÆV|$P6ÔáÔ^ÑIíŽòÿÉ5P!Á€ÿäÛ:1œÌù·qŸá¡QUendstream endobj -590 0 obj << +594 0 obj << /Type /Page -/Contents 592 0 R -/Resources 591 0 R +/Contents 596 0 R +/Resources 595 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 601 0 R +/Parent 605 0 R >> endobj -593 0 obj << -/D [590 0 R /XYZ 85.0394 794.5015 null] +597 0 obj << +/D [594 0 R /XYZ 85.0394 794.5015 null] >> endobj -594 0 obj << -/D [590 0 R /XYZ 85.0394 769.5949 null] +598 0 obj << +/D [594 0 R /XYZ 85.0394 769.5949 null] >> endobj -591 0 obj << -/Font << /F42 597 0 R /F43 600 0 R >> +595 0 obj << +/Font << /F42 601 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -604 0 obj << -/Length 308 +608 0 obj << +/Length 314 /Filter /FlateDecode >> stream -xÚµ’ÁnÂ0 †ï}Š©DŒÄIs»ÒÛØab…q€N¥ÓÄÛÏQ­›vA9ä·üɱÿ˜Ê!Å|4Q…耑X­vªä2úf[`g­W²ÚFÏ\ˆrPHµ!õƒ&ŠÀ:¥GðÖØ„ß•Ùd權½ñª\+2Ò§ ÎXùú4šÖïÇf»ykóçòQ1BÀ(}Eì€UJLf䥴àcPzÀ-eÖ½xdÚ4i‚ ¢çÚ0&ɽôšïÛªÙWm-Ž‡¶Úº`ZïuÓn?v㻂\[ByšqiŒ›/¦é’R'Ù}yv‰¬‘á½WÁ‘üOä¿-=Ñzˆ_±ÔùÇûª¿Yjni)ö>R/M/íUwëuûùÒäTŒªK‹áÒ¿ÓV[†´·ÿÞé/6¯žendstream +xÚµ’ÁNÃ0 †ï}Š©´xq'Í•‰¡q]oŒÝØa+êŠÐÞGekÙâ‚rÈoù“cÿ1*#{ðÑF¢6Èj¹ÍŒZKî>Ã/Æ1;" ®dµCöÖ)M +©6¤.hyÇ*”Á“¥Dß–ÙxêHEˆÞzU®T”$3ªU¾<ÞLê·C³Y¿¶ùSù Ø@0Qº2¦–)1ž¢TÒ‚Aé·I;ôÛ£hAfMs&ÈãF¹¶l’ä^ú^†^šíÚªÙUmÍû¶Úî»`RïöuÓnÞ·£#»„\iˆÍÂZ7›OÒ%!¦þ²»òä’›½WÁ¡üYä_m>Ñzˆ_úŒäoCì«þd´ýO£Mï#öÒö’®º[¯Úç&Çâ¦:·Îý;n:1¤]þ󞉑³\endstream endobj -603 0 obj << +607 0 obj << /Type /Page -/Contents 604 0 R -/Resources 602 0 R +/Contents 608 0 R +/Resources 606 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 601 0 R +/Parent 605 0 R >> endobj -605 0 obj << -/D [603 0 R /XYZ 56.6929 794.5015 null] +609 0 obj << +/D [607 0 R /XYZ 56.6929 794.5015 null] >> endobj -602 0 obj << -/Font << /F43 600 0 R /F14 608 0 R >> +606 0 obj << +/Font << /F43 604 0 R /F14 612 0 R >> /ProcSet [ /PDF /Text ] >> endobj -611 0 obj << +615 0 obj << /Length 2200 /Filter /FlateDecode >> stream -xÚÝYKã6¾ûWø¨ÆZ>ÄWn;3›Å‹Yìv9$9¨%¶-Œ,)ztÇùõ[d‘¶lË3ƒ6X4ЦJUd±ê«E›® üѵ)á&[+“¥‚P±.ö+²Þ»¿¯hÐÉOEÆ9<,¼Ý®S¡™Zo擼}XýåûŒ­I¥dbýðt\K*ž™õCùsòn—w£íï6L„Þýúðše©ÒŠ:3KˆT¢½Á‡fìÛr*ƪm‚:_›ÔH&£¶[p×i?ì,L­¥3³}cG|zßîóªÁñÇ|tîÃh÷8þ…òþã=|P'PIÑ6C5Œ¾nŸðsŒó‡fÌÂ6È:[TO‡ ÍÖ»˜Å6c5V(UIuG“‡ÎöèvEij„`1a3œ‘Äm„3šäø¸«lŸ÷wT'Å®*ò¥û¼i Ì*KÞ€€kôǽéït2Õnq7É4ØåOmƒÒÖv›U³ ëLã®í«Ü< ¤}¶A×o.¬7a¦°… ùŸíˆúUû®¶{ˆCîóºaàè¸Ë]º”Hòbœòº> |ŸwŽb(AÅÇD³<;òô‘°Ã`‡œÐ<¬¢j™9ªUCœ¹ªÆ…À={ˆ¸iðqëçj§¥½…Ü”’¾zœF?‰Xʇ“ºÅsïUÄ<ÍRžIPœ‘”IŽ˜§)€B’û¢í,ÎàÁŸïÛbr‘[.¦S©ÌY1ä­í?AR}<ÍYiX ? ñåðöÃÇ÷¡àí1cjäøQF#PiBe‘d°½‡ˆ“z\E §5ímaAÀgg}Ä6KPd‚@ùÌRûó‰ycâŸ:ÌÛsUÚð"_8¬pha‚ü±‚!Ö¬WFà\«)qP`n½b’2³<wa#÷íÓø23'É; ™¶«iÏ.ìîß…¨ƒÀåGÏ!xCƒÃÕ„]^|Ê·á#ïô"ÑÁ8/÷Uã0›mhô~*àh uÄ ÆõbÑÀ°WÏ1SÄwÑö¡òº¶)ƒ¹/ÒÏì"å_W ,TÃ?ûmÞTÓròéäò×—ÇÇ£ÄñŽ³åDaô…œkšJ–Á>“Ï#oO–ÿ…T<¨Ë $áóÄëWµ¸hÀ¦“yªr2¤R`äœΣÂvcä3ß1©™ZòŽÝôŽu¨’,:ÒØNÈax m¸b© œ#u›*éáXõ›¦Á†ç€!טä9ï«v -v¶yÆÉÚÆÏ¥ž1¹šW-_Ç3™f\_ÅÁðå80atÌÒ°0%%)!1c>|ÚÀQŽÛ_Ï'²TnŽY®ŽÆ0ã4Fdç1ìBÀg‡¡foàøò¸AëÕ<þmxõ45~ƒþ¨¤”º£ž™Pvð>¯J´EO"K 0$€qÀ7HÄ,_ÈÖÌ"¦{îÁœ{\’ˆöçÍÂY5’ažÜ¡ÈÔuûUKÙz=A—œ-$„«”+«Ö‡Ç$/;èdªb‡fPW®ðÛ·G6…§¼|ΡêÊ£¦¯@ô6t+ 12óvgCN©k„ϲ9ùºr“@¢4ÖwbPêOñÝñÌÅ^ $…íGÞº‡¶s»_f 5—ôšd"n0‚á|‰d¤*9c#ƒ‚ºÚîÆëþš "åÌdK41´õ3¶¤îüV2ô'Šùز⃠lµ.“Sf<»â`g —’Cª"œŽIu]L ÊÃÒU˜Ñw+4¸þ„í‰àÛãÑclEY(·ÙcÜ_Ûl[,)o -ÇݘšrÁèyÅ49.ÄÂG#ȹ¨»ë(\S ˜ª¥ ÉTj‚³þ9¬g‹ šÿºáoE%4¸y® ˜ô\µ.˜¢š/y¢—<Ñ©V:z2+Kw£ø#Ü[vmëëñ–ÁÀ~Ž·­;‡1IƤNB›*UòØ–ùàJ‚ ƒY Ož˜ä19ó`Ÿj÷´¡™„%5=~ugžRî!`Ri²pÏñMS¸£Ä3ï*lœ‰ôôz¾Ä·y}œò nsh3­Ì¹Û?Ý#Þ„Ë0êëM×K!^qƒKæjlÿwpbNzèÒ¿~OÑâ&œþ3üôÕ&_„“k03d›Üñk7ðqç¾qt›q¸ÑVÛ£€%?þûoPs×ãLx­ŽçÚÅ5)f7èû«o¸Ü7ö%@ÀöûóW¡c½èÙ.¿-p3D_FN¨EDÏ"÷}õ»ãX ôûR•ãî6x_Íß?xc¢_‘ ‰˜ä à¥<%œEˆ§cX¥g^7}?³…^/‡Ð-ágîü @?yùáÛ¶.oCéÕ\ÿ¿†’Q)1Ô| I„@«Kœ¾ÏpmId£iüˆfK¼†.½¾AAs¯¯ t 8¯æîŸ7Ì}Å¥¨tW¸A°lþ«ßÕ¯ÌS0êÜ×Z/þDùÛp‘ºÑá9#Ù:(¹,ð«°ÇO3ÅÕþÁ€Çendstream +xÚÝYÝã¶÷_áG-pfù)‘y¼»¦¸ ¸¢Ý òæA–¸¶p²äèc7Î_ß!‡Ôʶ|wé-РX`M†äpæ7¿ÚlMá­µ"T¹ÎŒ$Š2µ.+ºÞÁ»¿­XБJ%…€‡…·%4QšgëÍ|‘·«¿|/ùšS’¦\­§½ÒL#¤Y?”?'ïöùq°Ý݆+š°»_~Ài’d:cn…-É Õ~‡fèÚr,†ªm‚ºXbRžFí 悹Nûaoaiºi¶kì€OïÛC^58þ˜‚Îý©ìÇÿ¦Š¾ÿxÌ ²¤h›¾ê‡_·ø9ÄõûS3ä¿adG[T§ Íö»XÅ6C5T(Í’êŽ% Ý$8£;cÄ(Å£Âa§‰;ˆà,Éñq_Ù.ïî˜NŠ}Uä5JyÓ€›3™¼Ðh{ÓÝéd¬Ýæn‘±·%ÊÛ¥­í.ªfö‡}ÛU˜yBIûdƒ®?\Ø!oÂJa+Nò>;ó'ªÇÚÀ¹ë†ƒ¡Ã>wáÊT’Ø×õ å‡üØã(ºT¼ÏA4‹³›X–Þ¶ïmOÀ-ˆ*ª–ù£ZÕÇ•+° jœ ܳ‡ˆ[w~­v<¢¢·›@ÒUÛqð‹¨¥x8©Û|›{«"æ™$B¦< XRÂS˜g@È(¥É}Ñ-®àÁŸïÛbtž[N®Iš™³d É[Û}‚ zš³Ô 1@þ’$Ô§ÃÛ߇|€·SÄzÔÈñ£Œ“@¥ ™E“Þv"Nêqg8­ñ°µA„ ŸGë=¶Yòp€"W"ÊG–8Ÿ$ÈËèÿtĸ=U¥ ïÁóUêƒv È·í&bÎz¥~εšÆÖ+Ê”ÙÌɹ ¹o‡çÙtš¼’i»¡øìÜþáþ]ð:\ pþìƒ541øÑ_-xÌ‹Où.< ç^$:çå¡jfó¡íÞÎ 8Hqƒ~½Ø40œÕsÌñ]´]ȼcÛ”aºOÒÏœ‚ˆ¯Ë²áÝ.oªß§°¼ØôbòקÇÇ£ÔñŽ›+¨š`ô'«t6Y3’r køHZ¬G~>[Ø +ìWi&‚:° Bê˜'^¿«ÅM6ÌS•“!•‚=çDP +{"œÙÆ©!™’Ù’uü¦u<¨C–À`Ñ°ÆvD´'Š ~ŽhÔýu¬p0ÑÔõËMÓ` +ÃsÀŒkLò”wU;†y¶yÂÅÚƯ©.y±šg-N¾öƒà)‘B_ùÁMË~àÊè¥~aIF ¥1ŽCÞÚ@)Àí¯×S’h#Ìõ`êУ¥`D%Ï}x ŸCÍß@ùò¸AëÕ<þmxõ86þ€¾T2Æ\©ç&¤¼Ï«ç¢%‘¥@ÀØã$b‰/Dk6#†MxîÁœ{\¨öõf¡ÖŸ{Í»¤ŸGO¨2uÝ>G•íi))…^O±¥Ë…€ˆŒˆ,‹YëÝc’ç=t2U±ÇiW®ð;´›ÂS^>åuå¤é3­ Ý +ȃ̼ÝÙ0£ sðy)›“¯K·Hô„ƒÆúN Rý1¾›j.öb )l7øzëÚ£;ý2#¤ÐP‹”]3Bš¨Œ`„Xb„4RU:c#ƒ‚ºÚí‡gëþš ŠnäMômý„-©«ßYú“ŒûØ¢â lµ.ƒKJ!¯8ØMH—‚C–E2x)“Ùu2([WaEß­°`ú#¶'€o§ÒclEyH·ÙC<_ÛìZL)?Êݘ(F„âìð’tp 1Y µÇ±Æq€2Kæ¸D@§ufÎý1ëyß8·¨¤Ý>B#îýçbñS„‹©ÙVÛºjw]~ÜŸ–ªŸ Fgñ(ØÂÀÂÐ]ÙùǘY!w<´Ú6è»tSűúWžˆ`¯*nì/0!™ á\êódÂ[þ×5š"4šÐ—?9Úm›ÐUþØÇë]Õ|[ljtœûÒqúÇçÐYC°/zmÄ`¸Ñdg>T:1*xÇqÍødþwΪÕ_¦ïoL +­¢fk¦4¡)4tÅaõëêç_èº\Ñõ+J„Ñjý ”0ÔpXICªt”Ô«ûÕ?ÿËYÑŽY“pÓœGa­0Œ >_jÏ´a.¨fÓ7Rp„ CR#ÃmÇ·Ná¦+ß•ÛWôôz¾Å·Y=-ù³´Òåô™Ù?Ý/Þ„K?œêëC(קJ½â!$‡«…kæþïàÄ ÄàLqÆM8q rcÄËœbN®Í”È6¹k…%Üǽû:ÄÑ­p¯§¼¶“€'?þëïoPsßöÃLx­ŽÕíâ냈£ôý8\ñû `»Ãù«Ð·ÞFôì”ß渢/=§²EDÏ<÷}õ›ãØè÷¹*‡ým𾚽"ðÆ@¿"R 0ÉÀË¡‚Gˆ /eX¥‹5ï8~?³^/×-ágnü @?yùáÛ¶.oCéÕLÿ¿†’É5Ì| I”B«[¼|«áÚ’ÈFãð9Ͷx- ]Z}ƒ‚æV_Aèp^ÍÜ? n¸û¢+c©»B‘q9ÿíïê7@î)uæk­(Œ¿ÿm„"îçÄEôÈ@Á©\%qåöø“ãËJq·ÿž<ùendstream endobj -610 0 obj << +614 0 obj << /Type /Page -/Contents 611 0 R -/Resources 609 0 R +/Contents 615 0 R +/Resources 613 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 601 0 R +/Parent 605 0 R >> endobj -612 0 obj << -/D [610 0 R /XYZ 85.0394 794.5015 null] +616 0 obj << +/D [614 0 R /XYZ 85.0394 794.5015 null] >> endobj 6 0 obj << -/D [610 0 R /XYZ 85.0394 769.5949 null] +/D [614 0 R /XYZ 85.0394 769.5949 null] >> endobj -613 0 obj << -/D [610 0 R /XYZ 85.0394 582.8476 null] +617 0 obj << +/D [614 0 R /XYZ 85.0394 582.8476 null] >> endobj 10 0 obj << -/D [610 0 R /XYZ 85.0394 512.9824 null] +/D [614 0 R /XYZ 85.0394 512.9824 null] >> endobj -614 0 obj << -/D [610 0 R /XYZ 85.0394 474.7837 null] +618 0 obj << +/D [614 0 R /XYZ 85.0394 474.7837 null] >> endobj 14 0 obj << -/D [610 0 R /XYZ 85.0394 399.5462 null] +/D [614 0 R /XYZ 85.0394 399.5462 null] >> endobj -615 0 obj << -/D [610 0 R /XYZ 85.0394 363.8828 null] +619 0 obj << +/D [614 0 R /XYZ 85.0394 363.8828 null] >> endobj 18 0 obj << -/D [610 0 R /XYZ 85.0394 223.0066 null] +/D [614 0 R /XYZ 85.0394 223.0066 null] >> endobj -619 0 obj << -/D [610 0 R /XYZ 85.0394 190.9009 null] +623 0 obj << +/D [614 0 R /XYZ 85.0394 190.9009 null] >> endobj -620 0 obj << -/D [610 0 R /XYZ 85.0394 170.4169 null] +624 0 obj << +/D [614 0 R /XYZ 85.0394 170.4169 null] >> endobj -621 0 obj << -/D [610 0 R /XYZ 85.0394 158.4617 null] +625 0 obj << +/D [614 0 R /XYZ 85.0394 158.4617 null] >> endobj -609 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F58 627 0 R >> +613 0 obj << +/Font << /F42 601 0 R /F43 604 0 R /F56 622 0 R /F57 628 0 R /F58 631 0 R >> /ProcSet [ /PDF /Text ] >> endobj -630 0 obj << -/Length 3297 +634 0 obj << +/Length 3152 /Filter /FlateDecode >> stream -xÚÍZÝsÛÆ×_ÁGhÆDï8àúæÄv£ÌÄN-u2m’%ŒA&@ÑÊ_ßÝÛ= +Ó¦ÓŒpÜ;Üí×íþv!¹ð'W± Uv•Ø(Œ…ŒWÛý•XÝÃÜß®$¯YûEëñªoî®þòΨ• ­Qfu·핆"Måê.ÿ9a^Ã"¸ûîíõZÅ"xóá‡×7ïiüþõL½ýçíÝÛhü‹ˆÅ›÷·ð×k)M"‚o¿{ýãÝÛ4/yË›÷w?¼ùÇ·w7Þ_ÿz÷ýÕÛ»ë±dRhdùóÕÏ¿ŠU~%BmÓxu‚"”ÖªÕþ*ŠuGZ{Juu{õ÷aÃѬ{uQSR„JƒV檊ô’ªb­´SÕÝCAâ횪jNe}O?·MýXÔ}ÙԲõL^|슜FeMϼ趇²½ÐìèÙû¾¹yÿfØü!Ôýñá ^ÿBUÅ_/UjÒÐH\GQÿ¿K§Ê†‰H.túŸ½åù+pŠÐÆñW8 ÷ìÅCÿÆt«µ—ihÆ2웑½’(´i²J´_†Ìu-¥ š±Î7 ³µL•ÖÁO×JŒLt¡ÿ®ZÐod“ÐJ‹ç ¼üwÒ¡5ÜÅÿ‰Â”ãö^ôp¯1·/Š#§±OÅÓ©q¾›w(;(9½¢TB' -·ú]ù=ÛüTæýÃóÚ"FìŸ\]FB'_W—T°› xð˜ÊlS¨®F\üyue,ÄÇ(¿®+±6¦4óÁ…»¬ò‘°=öpqðóݵUAñ¥ç9Ž‰E½­šYìì>'ÑusȶŸŠ¾ûõYŽyý£4zÎ0ÿ𪄠Ó’ÒLk=Nu³”§’4ŒR )Ï€ý4$ë³Õ@Ô(ÔäÃQÎ3°«° 9†`'~;d¿7Í>óæxŸí™zûÔõÅ~ÜÕ˜¸dOØÄŽ²jª‚öxh‰SIˆýƒó äÍö¸‡4Kt¢Â|C³Å—¶"®ÜK¼KYw}VU>sÂTVç48¶ŸŠ¢½<Œßãô ¤®Ùõ§³Ç!›àpÙ}ñ -%g:”…vQpÂÅàÛ›âÞ1¤Í‘h¯Ç²`St.ÌíŽuž¡YÕÑ”c fxItÖ>ŒYû0=h¨p†“Y73áô›:-åÙdçk@6ƒÔ*ŒNÐ(Ù/à(²ú»1óËfCÛ‘ÙuéÄ°@Hõ!u"N¢ñq¢÷{<”ÅŒ´}(·Yõêz‰$ÈË®‡¤ì1Šà yÖg›¬+žšÔ7=‘»ž²^Ññþõ®9ìÙkpü\2÷>k[2"nV÷Å¡.œGM×½™:’³ÆÁÍô;Ës>·óKØ?ãà±ÜDz,])Á‰eET÷bsì‡óGLóbÞË (ê@CÔÀ’(g”êüž#yÒ¶mšu˜56HC% -ßV%˜ÞÅî8¨šæŽ-='*%=rÅÞL°¹–Á Á”ÃlpcN³f’f!$§&â4ËÚl*ÐÙ‚ j )AK^\•<O%¾¢óNà=tZWÔ9KóùXJg ˜mĦf¾›=÷ìC \®•Ñ¡²6ö:§œX“·»Ãhå–!(§ŠÅ9¼h§<°MKç¡ÎµW$X -XªèÐÓUÌ·-Ž9²áÈòÑ“‡”áÖûjî(”ÑÃso˜ûë$ -^ ±c$<‹0q7|9_²­Õ†å}žW³kö'Fó;; -¬´Ä‚T*L’T _Å’º#H¸Âª‘¾v—‹17ûÍ6e½( ¤V!ý^‹au­¢$Œ5:ÆexU>¼ºðØ]hâ2%àšQ¸•`”œ£^N3.KUaàn$®tñWäXæbñéß`1ww ˆ â< žûø.},œ³jdhâÈ«ªÈzZöKà‚¸½Ïêò7|ÆŒ±D=-gö³í–‹Bœh =‰¾vq ””†B"@_NwN6€ÖTÓE‡g–ïËïÌ>DÛ4˜üÐÿBL=6x›¹@Su“ó"‚Úà =ðëâµtÑÎEa•€ñ9”•=º–o~Íðƒox¼Ã{©¥… Û·^&­ - v}¬ÏX0Ú¹w”ð«­á(ã'A…ý·}›ÕKaNÅ -®ˆðNóvrüM½ —J”¿šÛæXåtÞ¦Xh"D°’Œ6Ë*d!C`ka{GR7Ÿ<3–¡ˆaÁÄ3O Gx%™ªdàré(È‚V¤^ôniSR”¬àZ-Qªâ=‡ÞnaCëqÍY‰¡²õ±®9ÐF/ˆ/eÆ‘õ™\±©ï="˜l¯1’ -/!ﺄt˜Ê!âz)3â½;nÎ1Bfš„IES=Ãå\Ü J^P0Öö*C¡{Ò<ÕÕ’4ÑX§¾Ñ24=롘Ÿõ£òIL›„iŒæ—ЈYrDö^4á«eüy8ê ¨æ¡ÃÆE€¾Ä$ár=NÔ.{›¡½žñJN› ùÀ•Ò©/~ƒ½–À€C©Í(]ꯤLᎽ™q ïùÉf7p[’È^`{Ê<±ô˜ [Ös.g°ŸqªiD%…ôÚ–pg²p›Ž†TgœW¦Îw™Vr¹C’Ù »! r/G!DAéÇÎQxá÷—ÊEï;c 9nÓ-Á@ -B†Oƒ³qù°à®ié ŽÁtáK4¼ Ý «&÷cT¤Á à±þÂ…㊠Ûýç›e8 ÀµÓÈxV‡eí¦o¶MµT«AôUƒ€¡ -2”6¾¸/d€$e8Ž£¬ëšmÉ)~c^¤›#9GP³aäŒω1Î+{£  Qir_T©ÑPýø"ëHÞƒ¨€¬óE Ÿò7>aãæãÇ7èx6 -nÏ´ 1Ì)*¡qNÚ«´|=^?ï‰ÏvEán‹íù›ÔL¡¼d!¿”JN¸™µx‡U/01ßmä¨*´!­ZDWæÜÞp•V^¸¸QVT‰%-3¬¾è -N -JÐ}y_s5·[®6¹æʹÙÔø: 5ˎׇ»â0®ö’ÁÅ.bD¬ÙøsÃLê1w¾©ÐõÏ;Š´PµBÙºR" -êi¤`À5”RñÍ’wÊègÛ”NÑ@q÷HyQ÷>>Xêÿ"n¹ÿë(Ü”pêLGõg¹nd³#:ííOüv´pͱyYÞA jà¶x$F‹ g"^sîF™‰C[ g%MšÅQ<¦ñ ]¢>d|ȶ±ÐpŸ]bsÙ÷Ýl*oÒ ‚õ„Úx{ê:8”=YÊ!½Ø}âÀUç®[êZ-ˆÿ1¹¡8‘Áà¹i¿2zo[úa=™¶9ÕÜDf°ë ˜v|ÒX¡øåw[´ýR7lºVÊÊVé(ÝÊEiEe%’=’ƒÀ®g¡Ñ—F/‘Úa‰—ÃDG¤}vøD›Zj~$îÎ[¥åõs(Á’| ‚„7¿Žž"2öuœÓ–²g„¹þ†î±\¶JPÞ9Vî¨×0î€çm.?ûŸåcV Ûyì;ÅXY]‚ì¡s¶\FŽ­Å¬†Ïý_˜ŽÃH/æ0±zñ?~ïÿŒÿujE¨ûÔ3É0Åþ ˜B½G3Æýÿ–Í9ÿ7pðÒendstream +xÚÍZÝ“Û¶¿¿Bº‹ÅI}³c»¹ÌäœÚêdZ'”é8¦HF¤N¾üõÝÅ.(Räå2m:ÍÜ¡ìv»<¹ð'QÄ©J& ƒHÈh±=܈Åæþv#yÍÊ/Z W½Yßüå}¬iÆ*^¬wƒ½’@$‰\¬óÏK„Á-ì –ëoßÝ®T$–o?|ÿúîžÆ÷¯¿gê§~Z¿ûžÆ?‰H¼½ÿy»’26bùÍ·¯X¿ûHó’·¼»_üðö߬ï>Üßþ¼þîæݺçz(™YþåæóÏb‘ƒ€ß݈@§I´8ÃÈ4U‹ÃMé +µö”òæÓÍßû ³îÕYMI( Z™ª*ÔsªŠÒ ÖJ;U­,‰·«Ë²>Õž~nëêÑV]QW-²ã­L–¼øÔÚœFEEÏܶÛcÑ ^¨wôìü oîîßö›ÿ$„ÚŸŽ¾àõ/Tiÿz­Ò8 b)€ë0 BàÿwéT¥æJ§ÿÙ[ž±§Ò(ú è={ñп1ÞjåeZ­‚H†½½¢x`/ibFÇàK"&sÝJ)—õPçÐÙJ&Jëå·J Lt¥ÿ¶{šÑo˜š •)žÓóòßI‡zÔpÿ' +S"ˆ"Ø{ÖýÆܾ0 +ƾاsí|7oQvP²¼¢”¡…[ý¾øŠž ±ü±È»‡çµEŒ¤ru  m~[]RÁn‚âÁcv,²MiÿP] ¸øóê*N!>†IôÛºk#J3\¸ËJ ›S71Ö"Z~^ߦji¿v<Ç1ÑVÛ²žÄÎö—Ó(ºnŽÙö‹íÚŸŸÕè×?J£— óÿ¯J¤Ab )­`™Ê SÝ$å)“a¢!åű DhôÅj jèòá çÅBõðì$Àoûì÷¶>dÞ÷Ù©ŸžÚΦðÀ]‘{Ç·‘i8Ȫ‰^6§cS·üÃeDxvεÌëíéi–èD…ùšžökSWî%Þ¥¨Ú.+KŸ9’U9mwj¾XÛ\Æïqú…ŠòÆ¿ØÒ>å®êì±²J6Ìt( «#YIT-Ûz×/ž +pÜlo_Ý®´0ÌÏ<½±{'Ÿhzû±° =`Š8†ÁîTåª'+[Zí„.éícÇèŒÏY‘`MÛgÉ'G _Ÿ?ë | Øô—ëD¶×&MÚcOÉî'ѻÌ{Oñ[ï=ÚD½tÚ°tŽêåAêHœD‰ÎïñPØ#ÙhûPl³l‚mò¢í;œ: FøBžuÙ&k- Ü8‰—w‘ÛŽ’§myÿjWì|¸~Î)ý5 Y7óî¿€£ºíˆ^L- Éç£åÝô;Ës>·õKØÍ£åc±µDz´Ç6{…æáÄ¢$ª{±>uýù¦y1ï/kPÔ‘†¨±(..`wÃ.2]¨iJЬƒ¾A¿¤•P$nƒoÊLï-Z–uý…F§†ž#•žŒÜ"ïGpknåò‰†`Ê’Ñz´Ì8[Ç£l ‘=‰CÎ֬ͺ͸ ÖY´äÅe9èøäÀæ+:ï Þó@§µ¶ÊYš_NöX8ElC Öó]éy`šár¥b¨4ÆîS‘·»ÃŽhå–!¶' ‰cgP픶iè<Ô¹öŠÄ+¡KÙ=]E|Û`’$ŽR>zßÒßr @)ÓÁåƒ2zxîcæþÖ„ F:³Ñó9 ‰ MuÌò¾bß«Ø5»s= _lgG!c‚•æXJÆ$êbøò|´sê!o‹T ô=³¸\„)Þo¶)ªYY C é÷šª+š ÒèWÑUùèê¢c{¥ˆëLþ»ã­ä#s {9͸(,}X…»’¸Ò\\‘c¹ŒE¬¢ÅÔß% 7¥,yî¼ôÁpÊl,ƒ8 +½®º‡¬£õÇ.ˆÛ}V¿úã3fŒ%êh9³Ÿm·\¹âD«éIô• d ¦$ÖÐEÝ9Y~mŠä‡¢ÂK³ <65f?tÀsOº|—¹HSUÛgàŠç×lé ÃxÈŒ^µJƒ…áH±SmBPL nlî×xö˜Še¶±%³n┢# î±+ÅÛRIÅ@I– ($—ìE’;u8±Òˆ­|*€9zØ)Ë«Å%¤d®åsª«ù&눴£|x :/PF\Üæ©©fC Ǥr˜G꺛ѭ„êÄÄ>Báþ”¡ÈHPOfœW׃ÃpéŸdrÞe8q *zžE×YþY“F¿ŸÑc´ËŒ0v +„géu…cpP¿ó@9È@±èh蔂‹íŽ)bpÛdàà~ ‡ +à™×z8TSË×sȱ@©²RÔUÉ bã7UY•ÆçjfEÇ¡®á›_1þ Ç›Eïñ^j™B)‘šÒsm($¤ƒè“ú”£{G ¿ŠàŽ2~RTØÇ;4Y5æT¤ ï4ïFÇßUÛ`>Ð)£üÕÜÖ§2§ó6v¦B*ÀŠ\0Ü,Ê€… €­™íÓ8’º¿ù䙑 D F–:#&3 :Q¦çrî(Hƒ©H¼$èÝ2MHmPú‚k5D)í#z½-ÜšÖäš² !k­}¬«OG´Ñ âKQ˜úÌ®XW{ FÛkŒ¤ÂKÈ»Î$²¸^ÊŒxoO›K †™˜À„a8Žp9g¤7Í +†HŠ…fìP`ðXWsÒ„CíUó´ê›“¾¶S>‰™š ‰ð£ÅôÆb’‘Æ ‚¯FbøjÅþ<µPTóÐaØE€®À$ár=NT.{Ç}›>ã•œ6gò% +¥_ü +{Í@‡Rǃt©¼z0…;ö:dÆ<¾ã'›=†ÛbÂô +áR扤Gm;ePTp=#á6œ+QM!½¶%Ü™lG#ܦ¥!—Õƒ©Ë]¦•\ïÁdvC'ÆnÈ‚ÜRˆQPú±óGX/üþ\œ÷¾3ÄÃvß|D¡ døÔÙ;×3îš¡áL¾FÃËО±lr?UÌë®\øW.Ùð³Aÿ h(pí$Œ=«}‹ƒ²vÝÕÛºœ+Ö úª^ÀÀGÈ4ºº/d“0ÇQÖ¶õ¶à” ¿1/ÒˆÍa.Ǭ@9cÀsd ¤óÊÎÆhF}TÝejØ—?¾Ê:Qg…÷ * ë|È@þ±O@عùø±ÅÎ :^.?Õžib˜9R”A,¢«"¹=5M}ì¼ÍðÔS=ÚgË>5vÿ tqØ«´2ó!˜Z„§vŸahî¸_Ðàã¨MKËWÃõÓÞúdW×µ³ÛË·A¨™yÍ B~)•q3i÷«^`bºÛÀQ•´!S5‹®âKÃUZ¹uq£(©3W=3¬¾è +Ž +JÐ}±¯¸šÛÍW›ÜsåÜdjxЂ‚eËëˆÃ=«=Ó»ØU ƒ€ˆ56c˜I½êÖwÚîyG‘)T­P¶.d÷&1/yJ¿~5|aj¥é¾_y=ç+ +âeK9âgúYÁ¯z‹énÏ·1ã4NÔ¤¡¹ñ¯gRïu“?(¡Ñtk{Äâ)8vk­RÜu!´u¡ zÅZ‚& €7Š’¬brÇç@Ý9¤#§Óœ/p;ä`Ç©µÚòÉÛ-Ög¸h.Ï…"’Xéì˜C ª‘£ÖÞ3ºÚªóp¶©þ÷×›‰£Ûýu“Fîã†gÐ5ËÖøÏõ©-]O–;¥¡vˆ×PNÅ7 Þ)£ŸM]8Eó÷ $嶴{ Rê#žrØQ¸-9ð4šŽêÏrýÈnfKtÚ øjæžcû²ØŸ@ já6„x$†‹eÇDB¼ñ¥ݧZ$ö}%œa˜4jgDñ Æ·t‰úñ!ÛNÄJƒ¾»Ä×mqßÿǶrÿv_!]÷ì‹Ž`oB@Ç¢#K9¨¹¸êÒÄuK]¯`/&wt(2¼t àWFïmí±ë׳‘i›sÅmdF»~Qj‡' ŠŸ·¶éžû?#øÏA3±L,^üBþ{ÿéò¯XP3þWÏÅûDºg +ÍN÷ÿ«4åüßåmëendstream endobj -629 0 obj << +633 0 obj << /Type /Page -/Contents 630 0 R -/Resources 628 0 R +/Contents 634 0 R +/Resources 632 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 601 0 R -/Annots [ 640 0 R 641 0 R ] +/Parent 605 0 R +/Annots [ 644 0 R 645 0 R ] >> endobj -640 0 obj << +644 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [272.8897 231.1055 329.1084 243.1651] +/Rect [272.8897 210.0781 329.1084 222.1378] /Subtype /Link /A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >> >> endobj -641 0 obj << +645 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [190.6691 203.5826 249.6573 212.9922] +/Rect [190.6691 182.1322 249.6573 191.5418] /Subtype /Link /A << /S /GoTo /D (rfcs) >> >> endobj -631 0 obj << -/D [629 0 R /XYZ 56.6929 794.5015 null] ->> endobj 635 0 obj << -/D [629 0 R /XYZ 56.6929 756.8229 null] +/D [633 0 R /XYZ 56.6929 794.5015 null] >> endobj -636 0 obj << -/D [629 0 R /XYZ 56.6929 744.8677 null] +639 0 obj << +/D [633 0 R /XYZ 56.6929 756.8229 null] +>> endobj +640 0 obj << +/D [633 0 R /XYZ 56.6929 744.8677 null] >> endobj 22 0 obj << -/D [629 0 R /XYZ 56.6929 651.295 null] +/D [633 0 R /XYZ 56.6929 649.0335 null] >> endobj -637 0 obj << -/D [629 0 R /XYZ 56.6929 612.4036 null] +641 0 obj << +/D [633 0 R /XYZ 56.6929 609.5205 null] >> endobj 26 0 obj << -/D [629 0 R /XYZ 56.6929 567.3837 null] +/D [633 0 R /XYZ 56.6929 551.1302 null] >> endobj -638 0 obj << -/D [629 0 R /XYZ 56.6929 542.6255 null] +642 0 obj << +/D [633 0 R /XYZ 56.6929 525.7505 null] >> endobj 30 0 obj << -/D [629 0 R /XYZ 56.6929 441.1968 null] +/D [633 0 R /XYZ 56.6929 422.4834 null] >> endobj -639 0 obj << -/D [629 0 R /XYZ 56.6929 415.1634 null] +643 0 obj << +/D [633 0 R /XYZ 56.6929 395.8284 null] >> endobj 34 0 obj << -/D [629 0 R /XYZ 56.6929 188.7253 null] +/D [633 0 R /XYZ 56.6929 166.2827 null] >> endobj -642 0 obj << -/D [629 0 R /XYZ 56.6929 161.3171 null] +646 0 obj << +/D [633 0 R /XYZ 56.6929 138.253 null] >> endobj -628 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F42 597 0 R >> +632 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F56 622 0 R /F57 628 0 R /F42 601 0 R >> /ProcSet [ /PDF /Text ] >> endobj -647 0 obj << -/Length 3284 +651 0 obj << +/Length 3447 /Filter /FlateDecode >> stream -xÚ¥ZKsÛF¾ëWð¶TÕ™f•ØÞ8U¶³6S[©$„D”@€KR´¿~û5HBö¦¶tà g0ÝÓϯÒ z‘ºHÙ,^$Y9¥Ýb{¸Q‹˜ûÇ–5«°h5]õýúæ»wÞ,²(óÆ/Ö÷“½ÒH¥©^¬w¿-øñîçõÛÏ·+ãÔRG·+çÕòýÇõçOo~ùaýþÓÇÛ•Ö>Á¹Xf×?¾ååo>}¸{ÿ‘Çï>õ˯_Öo?ðøwåÔ›_àGßþ±þéæízzz2­,Šüï›ßþP‹ð§Ù,u‹gxP‘Î2³8ÜÄÎF.¶6Pª›/7ÿ6œÌÒ«sšr6\j’UÅvNU.‹¼5–Tõ®9Á©L¼,ë¶Ëëmñwx´j¹mê¶Ü4é–ݾÀ£~÷Î%“ µ¶QcE[æ‡cUDÛæÀ‹Ï¸û$Ê2¥eí®9äeÍœŸ÷åvÏ|Êz[õ»¢å‰:?ðÐ-Ûž—Ä˼“ÄÃ8Ó^vß7måy‘ð•ÅÊ:e&ŸÒ0pÎÐâyqŠŒO­l˜×»9®Yd”1S¦›Í&úº´ÑQš&á­â©@5ØtÜôxHûš¾yãþGuc8d²ô?M]0“‰‚MSW/LßUñw%X§îÁ/XiÊF*1J{Å!\”fÞ¥M 0/d¦£$6ßPr ->悺¾­ßó=ñä-„¸Éüò~T”¡Òå6¯™tÈ<€­·é¦»†‰9ÿ´eýPÉ›ì¾*:YnúŽUe@Vk¼ ªÒâ_}µ»]Y­—yÕ6<;àƒ3 ù˜Ÿ:5÷ò -ÿ aR>½xºÕé²h/^‘xÂá„÷FÞKBîD 6=ñÃŽGmqz*N-‡:÷€·0CŠrò‚Q~I!­Øiy’g:–UÈeË¿¹ÜO n³HyïÏ3ÅL„fGÁÙÈq'å^XuËk^]ObÙ£+N‡²Î«f6Ë*άÛç0k…´Ïådu3ÃÎûH™”m¿á³µ3üâ$JÂBr_7Uøðª„hÕÁk}n Ò±MÈ}­3.’ ÒhPÈž0ç=„Á¶8vLgS€ Ø4/v'—ø$£l ¶Y×á}ÖnS5‘·ð *aUÖ]_våS1JyæxOÏ蜃mÿðÀ¾Áɦ@òKÓ3‰.ß1ùó»ZA]¶H1c&’FdÖÉ– SH-– ï@úéDŒ¾†*‰¥sù×Q bÙ—-Svà ÍïJ™m_usñÄ6x -ì(ÏÀ¸kŽåv?¬I6IiùZª…UjùýûoxÄü zçUE®8ƒéw(žÁÆø,Q#ŽrœGµhK!ƒ»¬ËÃã©<䧒òò‘MЦ-³áC«!ãƪöÂâ·¥”gÞ¬m•?ÑjpÕb[å§P¬J„Ÿ‡(¨ë*•xÁ“í :Ô÷suÑDé‚hJ˜¶Çb[Þ¿0?:9‰b÷D¢D+ž-É–ÿÚ5ÓÅã<@“G¦´ÍAv i”]Áñª¡'q–^Ä+*Ðr²Xª[~~.«Š] ABÃDÊæðœócPPØšLÆ"NDñ4—j/&ÿrªµÎ˱QŽ4f õ³ç{‘©öQDŸ3ëHØr+’ËÇêãŠjâÈëØ\"6ðî-ºG ºþŠë±üf1¼r¾£áÂ~|­À5ïz^§²Ë%ñ ìçz†°Ÿ àŒJ0±ÚCñ j˜SÉ5VàŽÈ€Æ°EvLÛ¼ð/e+ø­Š¼•!¾7c"‡cðO~.-¾' #1ý æTP¾2«'ŒGœoB°tT‰è‰ñH>Ét@Þå]Î#¶”¬dCyààFècô…e M–ëÛÌ,±R$²Á#ê7$ƒ$Æ Hiªâ”דɲ@ N4N”@¬‹î¹9=2õ>/«^ðÖâÔ,MÛñJr ^·'ß#NÏ ÙøÐGFªhz5—«§Îr‰‘8I'´îsÑ!‡q“,﹄ð)½4%.½x^$5¡ÃsôÕkX¼ÚgNಠÔ»;êOi~Cˆö—·^鸳hŽ¤å©c¾}œ=|Ña -t6ƒôÎ.žEÛœ˜®ý"´†)ÐPÖ'Y >sú®Ø@1çLä 8·ÄýÐÅV÷í°²kšJ¨UùX ¡?R:ŽLêCüìʇ¹øH¡÷öv¨ -N]6öÌšbóg&r™¦Öž'O |žöäaýjúÂuO~½/Jð¥Ø²êW±…–êÂù†¼g#éèêB[zOqª Ñ÷zöÖ`Xµš.»–ðz7Ñ‘ŽfÔ ¥12Ô-Æp0“Ú1ß‚ œq‚ü?¨xᇠ¾™iS$ÉU*œ¤ œ~ÆÂ+u)d¤PÆÛæøÂÓ„^’$,ó!IÒ^€ç°Jbº¤¤>¡¨K6ºÎæ1š;<í( -`S‡¹3k^S Ôd gh&øäIL½Il9©A’oKHá¨âؼ"8žÎŒ»é²2‘.":ï;æR5ù®™MúìXSuÀ—“,ˆòTâ=@< ¸ —»’šU¤o^øwßòZ¶ ÷ÚAJô…úŽìûü(IE õ…w„àPl÷y]n²à‚i’Žƒx@$‡Ã )Ì’y¸Çb솤Ax“ð0Ç“¤ÐËÂëâP3hyÞ”ÚGÐwøó[º±¤½glê"'á…f#ê(õ.´È!z¾ºk¬#§­\e&M "I-FòD<ÉFòÄƉ ‡qv@4%ÀPÌ f’BK@H½ªL)FÒÌÄ!ä`8gq(8 - ‰\ù€uó\ ú›»‹ÐÊE&KÆ lvó¡ÛbÜœóäzO ²¡®×˜€äFTŠ˜®–Úb1¢ÓËëP‰T ù -–Úñ S;É´v¬Ç@Ι‰÷XA\u·zI éGÞp[´Â!è·oÃת1ø©KÝ™cãâ b{?›ØÅÇzÌWÎgˆBÕòåâ݆û ÜKò<Š"…ƒµ£{Ážçñ'Œy%R¨%?Êbr†ø’€¶’dH²ô !%©;é>‘Öl“ú‚¿rׂ4m[n(]$rQ‰5'hƒßêæd¬ˆSäÓ˜‰›¿¯çÀ^X 1øÌðxGðžsÁ¿c”(ÝaÇ/u½ìÚ¢’ šC´g{L³ -f²}¿¾ewÅkÑá"ªkŽ¼¸*žŠÙûg:‹¿Q¨³Ô…r•‹?ç?k¥Ï'º÷³Á 4ì±_þJ {ÏtþRâ-©ŠI£bñàõÌF“I8ÜŠÏEÔéÃ參±¶½‰’عK´CÊœ† ->ðű„€q™°? BBGÏ$3)ɶN.Žq‡•³p^ Žç¦_c8 YšËžÓòr~ÂWI¥„`­CÆ”ß.4Oƒ†ùš˜¤æÙûâ»yÄ<Ž­§[D(ÜO)AP½œ-°Ð4{ -,õ@ž/$½ñŸI:,ºHˆ>\)H÷R§oó…, È8šÊ/>R"<ã7$a RÚ…ÛɧaÝ”µé¹ÛÂN‰ _º‘o}K ¦è Hz,Š#£áãH:t6ôžH¤(? „µRבõ±(äƒMä©|Ë Š>¬4²<|i\ÃΔ âxš½ÕjB5~ ŵÃM |á„RæCEÊË*ß„ò= €%ól¼¸jÆï#e^ÉUÖx»Æ¬ÚyþùTR€ -¤„H¯DÃÊhuy¿ÄÄÉÅ>2/­& MO‹žÀ=A;ZT¢Éà²Á›.ß‘uÍ}Wˆ ,À¾Ô´ 'þ6Œ¨­}¹Ûõ\§(b‹J!.éÞÅËO\Ïbôd°¶½“ÏX3¯2‘'\ç -À‚I£Ê€:¨lòΦؗtË$dÀ§~FWùÚ—².Xê¾™Z¿¯Gÿ >½m‡ûü!/°:âÛ2`ÁÁ½š¾Ã‚ðoµ‹^ûè¤ñßtfnÚÔð!âÿþo ñŸ¢â$²ijæ¯ì¬Êðkõ *Í]Ýh†ÿº–ü¿ E×endstream +xÚ¥ZKsã6¾ûWè¹jÍàA€äÑÉÌl&U3“+µ•Jr $Úb™"‘´ãüúíHJ¢g’ÚòPh4ýøа^(øÓ‹ÔEÊfñ"ÉâÈ)í›ý•Z<@ß¿¯´Œ¹ ƒn¦£¾[]}ûΛEeÞøÅê~Â+TšêÅjûëòûnZ½ý|}cœZêèúÆyµ|ÿqõùÓ›Ÿ¿_½ÿôñúFkŸ`_,½«Þòð7Ÿ>ܾÿÈí·„z÷ËÝêínÿ¦œzóñ>úú÷ÕWoWƒÔÓieQä?®~ý]-¶°Á¯Td³Ô-žá‡Št–™Åþ*v6r±µR]Ý]ýg`8饩sšr6\j’UÅvNU.‹¼5–TÕ횶€}™lù¼+7;l¦Ëüx­Ó¥Ð·EU<ä]±å¾®arÓíŠ#“þjê¢EZe—·'“ʦæ!‡¦¬;î*[&íóã#3Í–ë¦#á.¬÷ˆšþöó“ýØÔDÚ8ZÀ|¼ã™<~Ó·-O:QBì#o€ Ï)kž[Á±‹›Ø¤Qâ4hUë(sÎаƒèƒv€ûý7ƒÒ Ùîš¾Úr{]ðwŸw›]ˆ/ü-þè˧¼Ø‘äð$Çï¶eb.ƒPÄqTÓ¹¹?ëžž–ˆÑÞì)2­íék8´]^ohCV-7MÝ–[>YšO&JÔÚFY ÇZ,þÌ÷‡ªˆ6Í~Fã>‰²Li»mö9k= Λªß-wÔùž›nÙö<$^æíœ$Ú™ç ÆÜEyžGA$>Uëà0MŸžê¼¸FEƧVæõvnÕ,2ʘé¢ëõ:ú²´ÑQš&aVñT lŒ.Ø?à&íkúN,íßT7ÆÁL†þÅþdã©‚a™¦®^˜>ú©t݃]°Ò”TbΔöŠA¸(Í|ðÄéÌ ™é(‰ÍW” Æ» ®¯ë÷”gI&ó’T”¡Òå&¯™´ÏÜÖ›Žt¢$Â1çO[Ö•ÌdóEWÑÉrÝw¬*²ZãmP•û¢p`µ^æUÛpKÎ(9$C„鸅MSø3,üÙÉq"GŠölŠø6'k¯eÎ$0 ¹$ŒcÝŽ[mq|*Ží8&ðzHQN&å9*'ao(¨AODz +™b?|ó™x®m)ïýi¤˜ñÐ ý(EÜ E¹—¥ºaÉ˵ ­ŸÄ£+Žû²Î«™Ål '«üébÝŽ¢2.Ö +i—ËÎêff9ï#e‚S¶ýš÷6›Ÿ’( É|ÝTáÃTqÑ`?ÏV¤c›ùZ?F\$Õ[nšc¿7؇Žé|”И$ëGîdÒÃ:É(·\…ù¬Ý¦jdEfáAU²@ƒ¾ìʧb”òÄðØŸžÑ8ÁÛþám_erH~iz&±Áå[&~÷}Ë-d–)ÆfÌDÒˆô:aÙ0åÔb9 â„ŸNÄèkÈ’˜:·x9"]Ù2e ÖÒü¦”ÙôU7çO|&ˆúuWIïšC¹™ÍÛ+ÉV©åwï?¾á¯Ù;¯*òpÅH¿Aò gŒ¿ÅË¡Å^Žý¨mÉe°c[Àéróp,§•§pa‚gÚò2¼i5DÜÑôN–ØçmGáå9?VÞ[åO4LµØTù1d#«YÏ¿ŠCäu•Š¿àζêû¹¼h¢tpAf@_˜Òd¹ºÎÌ3Eâ <¢~A2Hbœ€”¦*Ž9]‰€L' Ô`ÔHã@ ĺ螛ã#Sïó²êa.N ÜÛŽG’að¸Ù­ôÜp£ÆÓ¨¢é›¹45– ŒDAÚÓ¸ÏE{€Æ—˜dyÏ)t/—ë3ËûERR040F_LÃäÕ>s—aÊ©Û[*LPÿš0ñ—F)×ñ³hŽ¤•›z¾y¼™ ÔE‡!ÐÙ Â;›xB'ÚàtÏD0í¡5L eÝqê3GP o‹5$sŽÐAÆ€ 0K Ñý˜ `tß#»¦©„Z•Åàú ¥ãȤ>ø϶|˜ó4ÒàdCVpê¼¢ãà>˜bÕ$¬•øÌ`m…; n|žcÂø›é„ËbÌ%_”à®ØÜH!•êìê5Ä=ÙHGÕ'mMè=]Ä.0äÍU‹†A7“Q—ò]ðéhF×°×ÈÐUÑBhLÓt ¶ %‡ÛU(PüDˆBJ!|5Ì2 H’‹88‰ØýŒYW’R3Hp´7Íá…» º$IæC ’ļ„Ñ*öaŠÄXI}B —0º å1žu:˜ÙA 'é;9êýkj„ìà¶n¼ó$¦‹Il9¢A„oKˆß¨âؼ"SfÀò»éüþc"?T"F9ï;^¥jrªRÉ"D“Kv¬)µ€×Ë€IDù'1Ð7(ÃáŶäЩlß]¿ÏkaŠÚAúIôÙÍûÀF°ËREz(jH.RÂŒ—ûb³ËërÃxL#tÄúPätƒ¤Ð?H +䡈KaÓÂC› ›±O +4?Ï9…ébP3xþ(5ø‰JýiɇêÔÄ{æL]¤ã$Lhf¢ŽRïÂý8xϹÆ:rÚºÁTf‘ÔÂ!ÍÄ #qâŽAâ?aJ ê3˜$Ë +R¯*SGJч‘43~Ð͉ +ˆÂ,"õã±nžk~s…¸ÖE&KFNà6ÛyWŒm>nN×ädOˆ²¡+¯1Æ]-‰Å¢G§çµPñT ·òÑ,ÝŃNí$ÒÚ19g +ÞC~Õ]ë%e+¤˜á¦he… dß—ª1Ø©K݉aãàpb{?œ‹õ¯œÏ‚ªåË!ø» Å ä%qE@K1Vô€ç©–daIh2E)u{®&'p/ P+I† K?Ä¥$t§1ifÞdF•×¢d¼Öj ¨ÜžWjDHoƼ m¶uôïø¹Î¿ŠºläªP]sàÁUñTÌŸ=ê,þJ¢ÎRÒU~(þœÓJžOtïfƒF¸­Ç~ù ÝÖ{¦ó3‰·¤*&ŠÅ×3Œ¾‘NØÜ ï‹~Ò5¾ç¦ÆÚö&JbçÎÑ¿}NŸ£áWÅŒËÂÓçÔHq!üŽ–IǤ$Ú:©c6+œ³°_ ŽûL¿´àɳ7 Í…ç4½œ¹_sr^†/ s˜¤æÙ:Äí¼ÅbG‡ÖS ÷DJT/g,ܘ½ –î@ž«‘ÞŽøÀ‡7¤ƒÎ¢õ¤‘äx/ép:›«±Ð ÃÑ”~ñ'“õ† TŠ¡@;3;yöp›²öÌÉÇa§Ä†gC ®å¡¢o)€@mIEq `4¼Œ¤ÃÍÁ†»'É ÇדðR+y—>…¼ÖôîÊ7 ¢èU¥‘áá™e0 ;“2hÅãlI« Ùø1$×~t75Xð™Jšý)/«|^/ä1 €)ó„ V­šñq¤Ì+©c¥5þÁª_?ŸJ +Pôƒéo¸1Z—˜8)àO^K« hÓÄ¢'°GOÐŽ•hF28l°¦ó92®¹ï +‘8Á—Z ‘ôÄÃøµµ+·ÛbÁ‰Ø¢Rp„³Mc¸wñòç³-™¬mïä kf*¹ÓI-ÏLUÔAe“9ëbWR-—I¸ïúMåKÏd]8©ûfzú}=Ú_°éM³ß÷xÏò «#¾-Ì«é;ü˜ÿVÛèµÿó‚›4þsÖLM ¯ÿ÷ÿ€ÿ +'ˆj_©(Z•áSõ *Í]”3ÃÿŠ]Jþ?d]"endstream endobj -646 0 obj << +650 0 obj << /Type /Page -/Contents 647 0 R -/Resources 645 0 R +/Contents 651 0 R +/Resources 649 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 601 0 R -/Annots [ 650 0 R 651 0 R ] +/Parent 605 0 R +/Annots [ 654 0 R 655 0 R ] >> endobj -650 0 obj << +654 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [519.8432 488.7856 539.579 500.8452] +/Rect [519.8432 466.9635 539.579 479.0232] /Subtype /Link /A << /S /GoTo /D (diagnostic_tools) >> >> endobj -651 0 obj << +655 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [84.0431 477.498 133.308 488.8901] +/Rect [84.0431 455.6759 133.308 467.068] /Subtype /Link /A << /S /GoTo /D (diagnostic_tools) >> >> endobj -648 0 obj << -/D [646 0 R /XYZ 85.0394 794.5015 null] +652 0 obj << +/D [650 0 R /XYZ 85.0394 794.5015 null] >> endobj 38 0 obj << -/D [646 0 R /XYZ 85.0394 599.0929 null] +/D [650 0 R /XYZ 85.0394 572.6667 null] >> endobj -649 0 obj << -/D [646 0 R /XYZ 85.0394 568.7172 null] +653 0 obj << +/D [650 0 R /XYZ 85.0394 544.2407 null] >> endobj 42 0 obj << -/D [646 0 R /XYZ 85.0394 457.9037 null] +/D [650 0 R /XYZ 85.0394 439.1939 null] >> endobj -652 0 obj << -/D [646 0 R /XYZ 85.0394 429.0681 null] +656 0 obj << +/D [650 0 R /XYZ 85.0394 412.3081 null] >> endobj 46 0 obj << -/D [646 0 R /XYZ 85.0394 352.2747 null] +/D [650 0 R /XYZ 85.0394 339.9542 null] >> endobj -653 0 obj << -/D [646 0 R /XYZ 85.0394 326.5176 null] +657 0 obj << +/D [650 0 R /XYZ 85.0394 316.1468 null] >> endobj 50 0 obj << -/D [646 0 R /XYZ 85.0394 247.1936 null] +/D [650 0 R /XYZ 85.0394 241.2623 null] >> endobj -654 0 obj << -/D [646 0 R /XYZ 85.0394 221.4964 null] +658 0 obj << +/D [650 0 R /XYZ 85.0394 217.5147 null] >> endobj -645 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F42 597 0 R >> +649 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F56 622 0 R /F57 628 0 R /F42 601 0 R >> /ProcSet [ /PDF /Text ] >> endobj -658 0 obj << +662 0 obj << /Length 2399 /Filter /FlateDecode >> @@ -1149,39 +1153,39 @@ U I)ºì4é"&½.ì t‰"Éç ï)6gi(— 4¸ÒÔÈhÛ=LÜ1÷t! Ço°°eì}p%ûôOJ¡oÈRq 9jÕäå.ñPÝ1ÍQ;^9ÕªtMe:û, ^—eïü±é ÿ Xø ô‰îÿþÓaüï%ΙçÑø‚œõ´aPdÒ3…bIowNÜrþ±—ó¬endstream endobj -657 0 obj << +661 0 obj << /Type /Page -/Contents 658 0 R -/Resources 656 0 R +/Contents 662 0 R +/Resources 660 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 601 0 R +/Parent 605 0 R >> endobj -659 0 obj << -/D [657 0 R /XYZ 56.6929 794.5015 null] +663 0 obj << +/D [661 0 R /XYZ 56.6929 794.5015 null] >> endobj 54 0 obj << -/D [657 0 R /XYZ 56.6929 769.5949 null] +/D [661 0 R /XYZ 56.6929 769.5949 null] >> endobj -660 0 obj << -/D [657 0 R /XYZ 56.6929 749.4437 null] +664 0 obj << +/D [661 0 R /XYZ 56.6929 749.4437 null] >> endobj 58 0 obj << -/D [657 0 R /XYZ 56.6929 609.0996 null] +/D [661 0 R /XYZ 56.6929 609.0996 null] >> endobj -661 0 obj << -/D [657 0 R /XYZ 56.6929 584.3177 null] +665 0 obj << +/D [661 0 R /XYZ 56.6929 584.3177 null] >> endobj 62 0 obj << -/D [657 0 R /XYZ 56.6929 437.466 null] +/D [661 0 R /XYZ 56.6929 437.466 null] >> endobj -662 0 obj << -/D [657 0 R /XYZ 56.6929 410.2571 null] +666 0 obj << +/D [661 0 R /XYZ 56.6929 410.2571 null] >> endobj -656 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R >> +660 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F56 622 0 R >> /ProcSet [ /PDF /Text ] >> endobj -665 0 obj << +669 0 obj << /Length 1888 /Filter /FlateDecode >> @@ -1192,51 +1196,51 @@ v Íž3_·F^¢vß2Ëm @=¦Â­FÍ4F€!g,©£ïÖ‹HúÔ…ˆ‹Rφ´‚ñ¥É{ìÅI@Á®!šë8ìnåè$÷ØNý;+ß‚ÇO7Œî®:êÒª‚0è»áª¼›ù|ÒSèûþ”œ(’ ‹®ó Ý9.8 }]YàIëps”V·s ’¹Ççùdp#Eí[šƒN"wy‚“¸YœpÅ3ÁnÈÒÄ|òŒå‘!GC´Â©!㶃۳,x“ô^BÊ7`+^è¡QPGÈÆvt#pý3À¿R^¤6?L*2»<¼<(¼ÀÛú¬›Yò[eÑØÂ,¾#üSc$×>àHêgw†¨¼R)¥ÜeO½D’E'xxNDJCs˜²8¦îáRá6÷Ý8&RhHfž¥ vëͱ™ »3Ùœå`å‘ ».'Áÿ!žD":dÇ =òÿ+½øÌ^ßÃ1G{Ñ\8¤Þ²ípƒ¸žøÏO9l ½z÷þËòÿP‰"Æÿ»Öþíò"Û› ýÕµDg(°±È’`Ý«^.þ7ûzµ;TÃendstream endobj -664 0 obj << +668 0 obj << /Type /Page -/Contents 665 0 R -/Resources 663 0 R +/Contents 669 0 R +/Resources 667 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 672 0 R +/Parent 676 0 R >> endobj -666 0 obj << -/D [664 0 R /XYZ 85.0394 794.5015 null] +670 0 obj << +/D [668 0 R /XYZ 85.0394 794.5015 null] >> endobj 66 0 obj << -/D [664 0 R /XYZ 85.0394 769.5949 null] +/D [668 0 R /XYZ 85.0394 769.5949 null] >> endobj -667 0 obj << -/D [664 0 R /XYZ 85.0394 573.1436 null] +671 0 obj << +/D [668 0 R /XYZ 85.0394 573.1436 null] >> endobj 70 0 obj << -/D [664 0 R /XYZ 85.0394 573.1436 null] +/D [668 0 R /XYZ 85.0394 573.1436 null] >> endobj -668 0 obj << -/D [664 0 R /XYZ 85.0394 538.4223 null] +672 0 obj << +/D [668 0 R /XYZ 85.0394 538.4223 null] >> endobj 74 0 obj << -/D [664 0 R /XYZ 85.0394 433.7668 null] +/D [668 0 R /XYZ 85.0394 433.7668 null] >> endobj -669 0 obj << -/D [664 0 R /XYZ 85.0394 392.81 null] +673 0 obj << +/D [668 0 R /XYZ 85.0394 392.81 null] >> endobj 78 0 obj << -/D [664 0 R /XYZ 85.0394 329.225 null] +/D [668 0 R /XYZ 85.0394 329.225 null] >> endobj -670 0 obj << -/D [664 0 R /XYZ 85.0394 290.8035 null] +674 0 obj << +/D [668 0 R /XYZ 85.0394 290.8035 null] >> endobj 82 0 obj << -/D [664 0 R /XYZ 85.0394 191.4678 null] +/D [668 0 R /XYZ 85.0394 191.4678 null] >> endobj -671 0 obj << -/D [664 0 R /XYZ 85.0394 156.6041 null] +675 0 obj << +/D [668 0 R /XYZ 85.0394 156.6041 null] >> endobj -663 0 obj << -/Font << /F42 597 0 R /F43 600 0 R >> +667 0 obj << +/Font << /F42 601 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -675 0 obj << +679 0 obj << /Length 561 /Filter /FlateDecode >> @@ -1244,27 +1248,27 @@ stream xÚ¥T]o›0}çWø¤áúƒý˜¦´K¥¤)MSׇ4¸ÆÇÚþûl¢tOŠÌ=çúúÜÃu0@êÁ€ùÐD€@x!ÌÀî`!°WÜ…MŽ;&¹Ó¬ëĺºõ PøÄÉ뤇ˆs ’ôÉ&AGU@v¼Y¯"‡vÞ8.aÈ~X‡ÑÌ <;Y¬î4“p;.¶ç_gë$Œ4EL¡ëÅÊìÂøaÍÃ1zÜ,¢p®’ØyNî­09ö0í#Ú7ðÛzzF UíÞ[RÁxS‚X–Ç(d¥#’[±õx,8a‡­Ÿú†$TytiœGö õ9uŽ Hx@Fç#¤<骪¬[™×*YoÛ¬ØÇ>šVš¾cU—N>.áÐ .â¹ÚáñÑ@/°…vå¡ÊrÙèh[¤ú¥v¸ÝN- Ãê%ßÖæö^j¶è/²ÖTùª×M‘½»yöˤ”ÙŠmÙg'žùæ0fgEZ¾M«D¯W}›}cCÁ˜qJ™¤fƒ*þ¶ìEøD•ìWjw•Û–nºm¥Æó¬i53ÈTH3qWÁZWó¥˜ÝH©áö§)…³›e¨Á‘ÜàYq–¨^ÊÊ)ÿÈ\ci6¸&wmYhVËÐûÎzÓ÷ç4ìB/MÙ 5vRÇ©j¨Î^º6+ ø¯±§ ö³úɪŸqò¿¯Äé 圜¦}:•„#(zÕwÉ/„WçRù_`éendstream endobj -674 0 obj << +678 0 obj << /Type /Page -/Contents 675 0 R -/Resources 673 0 R +/Contents 679 0 R +/Resources 677 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 672 0 R +/Parent 676 0 R >> endobj -676 0 obj << -/D [674 0 R /XYZ 56.6929 794.5015 null] +680 0 obj << +/D [678 0 R /XYZ 56.6929 794.5015 null] >> endobj 86 0 obj << -/D [674 0 R /XYZ 56.6929 769.5949 null] +/D [678 0 R /XYZ 56.6929 769.5949 null] >> endobj -677 0 obj << -/D [674 0 R /XYZ 56.6929 744.7247 null] +681 0 obj << +/D [678 0 R /XYZ 56.6929 744.7247 null] >> endobj -673 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R >> +677 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -680 0 obj << +684 0 obj << /Length 1190 /Filter /FlateDecode >> @@ -1275,102 +1279,102 @@ x ®Ý‰ÀÁ ®vª“Fmo¨íµ<ç­ ×›ùØò²P°¬$e‘s¯‹mè:1ÂRÊØrOC´g 8SJ£/^µ¼žÛD66øf÷µšº=.w^ÅMž¥—úÜœ•©5×ù°íH\„Å稌¦Nj?(Yq߇hÅÍK’’dÃÒw÷ÂâVøéÝRSbµf›VƒU¤,‹ê^oߎPõwšiêŽýîÑ:°Â€Ð{5~t5°›ëÅ¥Ünúê6«ê}èñbdËy…X~ÕÙMˆÃ#4˨½ìÜ0ëæÚUëè;¥†¨?zÀÑŽŸÊ ð…]ÊìwÕ{ NtÛ>¶÷‰ñøYÀÍË0Go¨q1˦킗NÕ¢;*m¤÷øn)¦^™¶ñ@÷êó˜.ð} ó:ó= |ïß;O“9ª¦ÎÎö¿¤}GÞ´rDïXF÷-˃*–ž•A üXˆÆ*ÎT:æ( Jƒ?W{»@àß^™ý|`,] Ž4ÉHÁà­ˆ„(s F ‡w€×Àèo!¡©8+½ç ¯÷\'<ÏuâìáÅÿ!wT:íöê$Z_¡¿ˆ™Be“„ç!føïâ^Ž­¬ào!¿m‰CÁe5€B=—Òÿ1ëˆþåJ8q™ÞÇn´«ðœb/1ufi> endobj -681 0 obj << -/D [679 0 R /XYZ 85.0394 794.5015 null] +685 0 obj << +/D [683 0 R /XYZ 85.0394 794.5015 null] >> endobj 90 0 obj << -/D [679 0 R /XYZ 85.0394 769.5949 null] +/D [683 0 R /XYZ 85.0394 769.5949 null] >> endobj -682 0 obj << -/D [679 0 R /XYZ 85.0394 575.896 null] +686 0 obj << +/D [683 0 R /XYZ 85.0394 575.896 null] >> endobj 94 0 obj << -/D [679 0 R /XYZ 85.0394 529.2011 null] +/D [683 0 R /XYZ 85.0394 529.2011 null] >> endobj -683 0 obj << -/D [679 0 R /XYZ 85.0394 492.9468 null] +687 0 obj << +/D [683 0 R /XYZ 85.0394 492.9468 null] >> endobj 98 0 obj << -/D [679 0 R /XYZ 85.0394 492.9468 null] +/D [683 0 R /XYZ 85.0394 492.9468 null] >> endobj -684 0 obj << -/D [679 0 R /XYZ 85.0394 466.0581 null] +688 0 obj << +/D [683 0 R /XYZ 85.0394 466.0581 null] >> endobj 102 0 obj << -/D [679 0 R /XYZ 85.0394 237.1121 null] +/D [683 0 R /XYZ 85.0394 237.1121 null] >> endobj -685 0 obj << -/D [679 0 R /XYZ 85.0394 206.4074 null] +689 0 obj << +/D [683 0 R /XYZ 85.0394 206.4074 null] >> endobj -678 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >> +682 0 obj << +/Font << /F42 601 0 R /F43 604 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -688 0 obj << -/Length 1948 +692 0 obj << +/Length 1964 /Filter /FlateDecode >> stream -xÚÍXëÛ6ÿî¿BØO23|I¢.Ÿ6¯v‹d“sÜ.Š^?h-îZˆ®$ïvïÐÿ½C)Ë^9›Þ¸Â€5$‡ÃáÃy~,ˆb§< ’T’ˆ²(XW3ÜÂØw3æxži1æz¹š=ó %iÌã`u3’¥UŠ«ü—PAæ †—çïßÌ<¢á§7Ëy…?ÁǶ?||³<Ÿ'2\]|¸ü4_$4•á«ïÏ?®<ÇÓ2^}¸|{ñÝ{9ó_W?ÌÞ¬†]Œwʨ0[ømö˯4ÈaÃ?Ì(©Š‚{hPÂÒ”ÕLF‚DRßSÎ>Íþ9Ú©“È1J¸”C%#èTL"EUD)‰ºþa«ç‹˜Ò°Êº^·/Ì–@î‚1’F·L7Eé˜ÎÊf•›¦ëI«ïÎ&¹ë¦/n¿neÁS¢T’zN<·?&ç?Žs¯ÜšYëˆ~s *Ònï<}Ó8BÿžUÛR“uSM­ðï¦öûqža×ìŒI}ÿ*X#á$¿>ûân/>ºÝæy«»NwØlnÜ6ËìNwìƳ²lîuîjÜ·ÍêîF?nÊJXN™Äõe)',V \NnÈ3D$_qø‹ÉUþ¢ed'@:6‹ú–<ÆØ4¹Ïž„foV‘'­ãP>¹þ|l!ìKrhÇ[;uO&TB®ÎoÏ~F§Ì_`×Wœ×ó·’L!ÁÇ…"N8S©sÓ|¾`d½k²]êˬÌêuQߺùbä°`:W$NRtUçó…2ܶEUô…9hӄí Y(LOi…êzn›ë¬výgdëM¡ï´ã.ܨu3†xmâ„å@þ]7Ȫve_lKÇéTkçL…zÝØoÞ -:ýÀ²¦ÜeVi2 $$\Ù·f"WÂ_àgÐJyXܘ^>4sîÞX»7¼ý•Ð8puu…ýƒÓ0û¢ßàx­ûû¦ýŒÝÆ°ìdt?f¼¹Á!1æÇœ®Éݼ:Gn×-žMú@JP¤GÂÍpíÖ¤2Û¹S¡Oã°ð  Yip\Hö›ÌÉ^—…®{×}_”¥ënêZ¯q–æ«3¿Teì¡vË4žè7ª†zxµ>§Ù•þÇqZ@ZPˆ2–~]^À ò+¥ó‚ÿn–×c¤ëI pYŽô3E-üž"fDÄ’ IÇÁV‚P‹8@ M,H—`òó…T‚…«Õ;cRI¾zwþÉÞ·„‡«Ÿ?B -&Ã¥îš=€µF—±ŒÛÿ¢].áŸaûuÖgÇ' x­˜FÁXÛÿ 5K!ɬüb*S"iz"ó‚oMÓ(¶ÞßßCöšp‚¯6ÊDxq ]’SãžbÊÙp‹O£³_÷Û‚óM N$òb5‹ 0 LÂ^àD¥…ǃ"A¡{_v”ÑzcTxDdªâ§PðM•sVO£"N£2Zï[¡²/rþÞ‘SF̸4’¤ÅÖ£¢‹')(Ì ð)á„ÿó!‡dŠBFeq¿Úh›káãÂnSÚœÕôü¶Óm¡;l¸ÂDwÝéñ”!lB`q¾¼¸|ã.êyΦÏz=©Üêu~°þ¶ñ68"ï^Ÿ/Ùd~t">Šè›»ñ³ƒ„Ól²äõÆþú3r8 ³…ÅþRqb1(cí­…¤rÑ´9Ö7Ç7’(m‘·Û]wæ*Thr°„=æ“KÁå(ÝìfÛ ìÄ*Æeê5–°›2I¯>õTÄÁxTlSBjo$–S¯c#ö/8ÇdTY.mÆÍ9?ŒàHîœ&I<Öç‘Ó˜¾¬Æ#YFb#M¸ÚjstÐãGê¦÷,ÛmÓöÖV¹;)èF'g¨ÔàË•³bèhj{ÇBóåÌΈ«Üh®»u[\ö¸/-”LŽ*ã_ð.îfw`ÞÙu‰•ÛDÝ+aRø×IWöbÞk_Ýó„}™Üê6ÛÕ>R¢,U¸àÃK'sÒVsÆXØ4¥ÓÉF CüèÃÕ\$!Özã =­ÆëLWpUO•á¢—UaµÑþ¦‹ 7:¨¦Û¬ÄFQƒOÙêº38aW^d·5øµbmâ•‚ -<¯ŠºèzÀ—hƒ NÑ7xn¦Ýã^-Ç߸ïÆ+òÐ-&Ë3ú¸âã…±Ìæ?  Lì1h–eÎÈÚ™ƒu®1šëÝímáûX j(ÿüd¹-°`ÿÊÇ«9”ÏÚ‹AÛóSv¦aMÝŠ.º©(ÓA[àiM9¹™˜¼Ã4x2õüÚ·é½S’ Üŧ½Á)9¥ì!}¤¹Ä~¬úŸNvîL¨„\?žmF·Ì_áÐ7Ü×Ë÷’L!ÁÇ"N8S©sÓ|¾`d}h²]êë¬ÌêuQß¹õbä°`9W$NRtU—ó…PQ¸k‹ªè sѦ —[!e 0mi…êvn»ë¬vãnm¶Þú^;îÂÍZ7cˆ·&NXþGl÷Ý «Ú—}±+g;g*Ôëƶy‡ƒ§íöë­Û«›Ä~cÀ¸ÄæDÈa8a ÙÖH Qg•&ƒà„¤‚++ø½eU¿þÐKyXl̨ ›9 ÷Hoí£1¼ý·Ö8qssƒãƒÇ1‡¢ßâ|­û‡¦ý‚ÃÆ*íbô]f¾ÙàÄ'ó1§ƒër·®Î‘Û ‹“N +@¤é‘°w íSà ‚TfGü•ÂÀ¦1Þoº•¯‡d¿ÍœìuYèºwÃEYºá¦®õÚñOkZù­*cLµÛ¦ñD¿-P5Ôëmô™°†¾¨ôŸNsŠrŠ„ò@$æ°ôÛ’ +iƒRê8©øÏVy=FºžÕ×QåH¿âXÔŸi!bFD,Ù±9%•±€ÄÐÄ‚t &?_H%X¸Z}0&•Äá›—ŸÍc• Wûù›d<—ºkööÖîÁ,cÁ¾y¤ËåችÍúìô¤—Ó(kûß` f)dˆƒ•GLeJ$MÏ$RpÌiÅÒ‡‡H}.CpôÆB™¯®aHrë”bÊÙðŠÏ£sØ÷û‚ó] N$’j5‹ ª LÂYàD¥…ǃ"OA¡_v”Ñ~ÿǨðˆÈTÅÏ¡±Ÿ*笞GEœGe´ß÷BåP!ý/¼#§Œ(&˜qi$I*µ'O ³RPÕAàSÃÿçËI™…tÌâ~³Õ&Q‘ÂEh\ØmJ›ðš‘ßöº-L6›4‚N§ÇK†° YÄqøúêú-λ¨ç9›>ëõ ¤r»›À=Ú×ø‘÷ Ï£—l²?;ŸDtž¤653m†Mi ÌšrÅ0×½É +Â5R›ÖTèPÏÃ5†Wn±UÇ.%r"o›{›©äùÍb`((ò¦*]Ô6 Lk> endobj -693 0 obj << +697 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [55.6967 208.0574 126.0739 220.117] /Subtype /Link /A << /S /GoTo /D (rrset_ordering) >> >> endobj -689 0 obj << -/D [687 0 R /XYZ 56.6929 794.5015 null] +693 0 obj << +/D [691 0 R /XYZ 56.6929 794.5015 null] >> endobj 106 0 obj << -/D [687 0 R /XYZ 56.6929 492.2203 null] +/D [691 0 R /XYZ 56.6929 492.2203 null] >> endobj -690 0 obj << -/D [687 0 R /XYZ 56.6929 453.7474 null] +694 0 obj << +/D [691 0 R /XYZ 56.6929 453.7474 null] >> endobj -691 0 obj << -/D [687 0 R /XYZ 56.6929 385.673 null] +695 0 obj << +/D [691 0 R /XYZ 56.6929 385.673 null] >> endobj -692 0 obj << -/D [687 0 R /XYZ 56.6929 373.7178 null] +696 0 obj << +/D [691 0 R /XYZ 56.6929 373.7178 null] >> endobj 110 0 obj << -/D [687 0 R /XYZ 56.6929 177.8714 null] +/D [691 0 R /XYZ 56.6929 177.8714 null] >> endobj -694 0 obj << -/D [687 0 R /XYZ 56.6929 136.2124 null] +698 0 obj << +/D [691 0 R /XYZ 56.6929 136.2124 null] >> endobj 114 0 obj << -/D [687 0 R /XYZ 56.6929 136.2124 null] +/D [691 0 R /XYZ 56.6929 136.2124 null] >> endobj -695 0 obj << -/D [687 0 R /XYZ 56.6929 109.3045 null] +699 0 obj << +/D [691 0 R /XYZ 56.6929 109.3045 null] >> endobj -686 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >> +690 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F42 601 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -699 0 obj << -/Length 2677 +703 0 obj << +/Length 2683 /Filter /FlateDecode >> stream @@ -1381,161 +1385,154 @@ x ’S¡ú¶ÔÞ׋DP¢¬Ló·E"Ÿ7¥eŠëeÕšC±lË;óHˆ#gÚbIóì9¼æìÛ…pOÁ$~‘}rS´ËÍê~S†EóÅ,­ipVtáìwоüè^`Ò¦°]'(ðg[6Þêö¬wÐv±Å "{ÊÊXõ Fç/¶§Ïë½5—Æ£Çx`'Ë¥išò&8Ýi‡3ÜnìÍ$ç,Ku ¿rL6È‚ëær[4ͨJI– 9ýË*$·•KM|6c$=ýÍ!]Æï;ä§ä²rËÛiFãJùÓEù­o™ª½¸eŸGâ5ÄÆœHÊ!Á@iÁ¡øzÌà©Çæ¢EˆŒ¸lúqÅYªÜ—!z´ÅïflÞI,´Ç;B}ïM„âZVgÞ±Ša×A‚æ®îF±~NìÖ“¡´¸+ÊmãžpÍ°ôÀÀù]¿•œ*B€ó§Šåç3lF¤Áí'"î!|MV5©€ -˜ê UM—jºª‰TÝ*µËÔ†KÎ `œÂfPšÎðÄ+³.ŽÛÖn¾€¨ÅÕe]Y· ¾ucÚ{c*|´Á¢–mYì« =“¢<ÄT@4°7¶H©Œ7ÎbµB³nŒî&”¾eë­s}¬–Ö, ÿéÖ|ƒÝx 5_ZS­Ì*¸u»8óI ð¦>™ØSÊ U°“ÏH¢]ŒéÄ©.&v™ƒr¡KzŽL]ŒéÄ©¢ibxOŠ—«íáúþ.Äûd9–E8ôh<"ò¼ÛBFÄ·«‡jU·ßØ^œÈû˜¸†):ù×e¼rg {BŽóïG ÅP&2ÑÏÛÓJÓ<5žIïv_]C;’ÜÉrÍŸZ=}[97Hé¶baêÿ6ïMnF[|Zâ“<³§@ò|âëRM'¾H5Ä̓AUWIç©ÍjÚgš.=ö°îÍí¶¾¼6~Ä3˜Ê œÚo'Rf«7H¸®Ñ„™?‚‘÷è­qŽín–=Ú,&a4Uy/9ô=[çÁ(aäŒ~%qVµÂ…û+Zs -ÑWðXèöh{Ѧ»ä¡n¾Â¡=aDû…‰¯’qâY‡ã`Ï »J¹ò4wÕçÊ.Ž.škQÅ¢Õ2¦ü€fÝéÐsç½0Ý<ì"E‘ÿ“üÙŸhZçl]ðÆ@i¿º„佂ÎQtÕ©êGBL§Ædfü h4¨0“sÜ®#ÐI<< “0²Û_ŒGv„ -µ#÷‚+ÏÌ.¹Qø}lHì¬'¬#[÷BÏã–jü½ñO¬ ÖÖ•,¿r4êÓ’À°Á_T3 ·Ü>íl‹kÖ´?ë€gè£î¸fq3où§{³,-²²ó» -#¿UÃ¥ìœô­£e0fÆOØGG÷ãÑê‹aº°¿®Ï³”Z;Gà32’ØMZKÿ&žPÃ`3GÕÚû¤M4Ý×Û•³)îÊÚIdϸ¹žß{¤•—¡ª=-âÕ -ÅðEàð{» åÈm–&™Œ%â¹J&•…S4¦ý±1ã7dh¿á¸Š†Ö+2–0‘Û®SÙ$F”d²sõÈýÕã‹Õ®¬@•‡"TO½~ÄÆqìýpãfkámñ -ñPà·æ6žøï‹CÛ¿)ˆí<ÔÓF½…Ÿ• ŽÕÚLf„ju¡ÖîRM×Ú‘*8Â*YnÌòw°ÄõIÉ­R5Y~^€H5"A¿)HÌû"Lž71;’1Øš“Œçüô¢Õ·RöÕf°/ÍCÕ_†{rZ8ë“ñfØ C&äPœp¥ÒxIGùvú>Æ^ÄjÊÄs*¨.ÆtU©.VuŒAŸcK¥çÈÔÁ˜®ê"ÕØûâî·»¯gOF˜bŒZÇ8s0˶ÆK½á)$Š§ì[ïEÖåÖLœ;€kNU÷¼`Ìy50¦ê¼ë>ÒL;®§hëk]™S·…’LŸciNx÷]²¼ËüœÃêS‡ VÂƉ'9lÂhÓ†; t¬xõqêÏñ´$&Ø%^O_Ž¦Dpö¬kȈpæbi¦ÝÐo¶H‰ý¯†4Œ=ûŸƒÿg -LYhÍÇ@P†žgA(+KÎ `œÂfPšÎðÄ+³.ŽÛÖn¾€¨ÅÕe]Y· ¾ucÚ{c*|´Á¢–mYì« =“¢<ÄT@4°7¶H©Œ7ÎbµB³nŒî&”¾eë­s}¬–Ö, ÿéÖ|ƒÝx 5_ZS­Ì*¸u»8óI ð¦>™ØSÊ U°“ÏH¢]ŒéÄ©.&v™ƒr¡KzŽL]ŒéÄ©¢ibxOŠ—«íáúþ.Äûd9–E8ôh<"ò¼ÛBFÄ·«‡jU·ßØ^œÈû˜¸†):ù×e¼rg {BŽóïG ÅP&2ÑÏÛÓJÓ<[Æ‘«§zƒÝj×ãŽä{A2èížZP}[…×Ïò\0"sÈ,ÿ¯¹p:˜ë4ÚçÓ’¡ä™=’ç“a—j:FªáK/!r ígÆÏsŽTX3ȃLÃNò>=ÞÑ:Ç;¶)Nx&°ýµƒÐþŠ4ë·¼ö!n ªºJ:Om¦Ó>ût鱯uon·õ}àµñ‹4˜ÕTN˜à|Ð’;‘2[ÑAvÍ'ÌüŒ¼ @¿sl³ìÑfá™3[X+nj—ù`xËÅ¡¬þ=kM~è?Pù +Ó¯"®Šíðí¸TàŠwXpNA{:æj¬[9ºðŒ\³ÍßöÕŠ„^‰@ëŽM`ô¶Â‘“ž‰`é·cãG>9‹ 2˽OÌÑÅA³@ÌæƯœ‡SØ¿±3_ Xgîæ“I_dœHÍž•ô»ÓI?R]LúBQH¦êY' ]Œé¤©z.ês†CBdƧú_)ˆTÝ’6iëd]†ß~§ª £ÁÑÿ‹|Ï]çóxv€0šª~rè{¶ÎƒQÂÈ%üKâ¬j… ÷WÈ梮àQÑíÑö§MwÉCÝ|…C{êˆö _9ãijGÄžvš0r%kî*Ò•;q1\4×(¢Š…¬eLùͺ/0Ò¡ æÎ{aºyØ#DŠ"ÿ'ù³?å´4ÎÙºàru É-z œ£èªS鄘NÝ?ÈÌøÐhPa&ç$¹]G “x$x+ad¶¿ìjGî#Wž™]r§¤ðûؤØYOXG¶î!„>È-Õø{ãŸX +¬­+Y~åhÔ ¦%aƒ¿¨fÇ–JÏ‘©ƒ1]ÕEª±öÅÝow_Ïž–0ŵŽqæ`–m}ÃcIOÙ·Þ•¬Ë­™8x+ÖœªîÁ˜ój`LÕy×}¤™v\O3ÐÖ׺2§n %™>Ç:Òœðî»,d.x—ù9‡Õ§:¬„OrØ"„Ѧ ÷èXñ:äÔŸãiIL°K¼Lž¾0M‰àìYW“áÌe)ÒL»¡ßl‘ûŸ<# i¼ {ö? =þ˜²Ðš  + =Ï‚PVxƆ’Çÿ,:ýC%Mendstream endobj -698 0 obj << +702 0 obj << /Type /Page -/Contents 699 0 R -/Resources 697 0 R +/Contents 703 0 R +/Resources 701 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 672 0 R +/Parent 676 0 R >> endobj -700 0 obj << -/D [698 0 R /XYZ 85.0394 794.5015 null] +704 0 obj << +/D [702 0 R /XYZ 85.0394 794.5015 null] >> endobj 118 0 obj << -/D [698 0 R /XYZ 85.0394 769.5949 null] +/D [702 0 R /XYZ 85.0394 769.5949 null] >> endobj -655 0 obj << -/D [698 0 R /XYZ 85.0394 749.3395 null] +659 0 obj << +/D [702 0 R /XYZ 85.0394 749.3395 null] >> endobj 122 0 obj << -/D [698 0 R /XYZ 85.0394 221.8894 null] +/D [702 0 R /XYZ 85.0394 221.8894 null] >> endobj -704 0 obj << -/D [698 0 R /XYZ 85.0394 197.4323 null] +708 0 obj << +/D [702 0 R /XYZ 85.0394 197.4323 null] >> endobj -697 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F77 703 0 R >> +701 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F57 628 0 R /F77 707 0 R >> /ProcSet [ /PDF /Text ] >> endobj -707 0 obj << -/Length 3210 +711 0 obj << +/Length 3311 /Filter /FlateDecode >> stream -xÚÝZK“Û6¾Ï¯Ð-œªÁƒàcoÞÄÎ:U›‡=ÙÝ*ÇŽÈ‘K¤"R3W~üv£”H)v+¥ƒ@°Ùh4º¿~bÁá':aI.óEšÇLs¡«Ý _¬áÞ·7ÂÒ,Ñ2¤úûÝÍW¯¹ÈYžÈdq÷ðÊÏ2±¸+ßEŠ)v xôý‹¾¼]JÍ£·/ßÜjý þÌõ?¾|óâ6£»×?|ÿöv™ò<Ž¾þÇ‹ïÅu_ÿðý«×ßþ<ð¹}÷ÝÍË;¿‹p§‚+ÜÂo7ïÞóE þî†3•gzñœ‰<—‹ÝM¬Ó±Rnf{óöæ'Ï0¸kÒ\¬9Ó:Ö‹¥ŠYëOQ‰„å*Ñ0žb‘‚Ü"“0Ð9K”T^ù: ”Ÿ ¦ó\/<*¿)vU¹\mªÕ‡OmSÝ.ΣwËò×ß¿yï®V¨©¯^¥!7‘¹¡DÈeµ-ºŽˆFKÊœeYš[*ϯà§4ì^;†í±ßû Žc2ϱ¿Ê±¬ÕªoÏLuÌ©Å)Ó§ ¦pJx¦"],…`¹ÖòÏrÿpUä_¸æõºi‘Š8 Ëbå¸þ:ÁL²4IcKðTš .R±Mýry(ê-H%æŽ:;ÝdóÜd`Ïna‚(ŒK³#â,IT26¢wü4ËÓ4q’ÕÛ -v‚eœ²Lò4”lm‚¥B$‹”k¦Ò8qK´ © ŽÄ“ î¨pÅCS®NMS&_^ÔM,ªBð’LÄ©/z·À’™Œ·"‹ª]ÛÛk£$‰¨,`º¡ÙUÛô†²ÝÒÚér´A;ä±?D·µ‰$g(·bA<÷´ÂúPìh¢ØnÛ§Ž¤éÀÝs×WŽ ÜÕMÝõ‡„¦úvFbd¢€Ý€Þ¸ÑY…Òv_—ÚlX‰¨} ÿ‚þ¬V`ÔU‡Çê€q¢¦â*zm)ŸÛ# ·Ytl¦”“@èN„º¢ð¨Á-ë~€neiž­p{´£‹ÚÞ}ª·[•u·ßÏ£ »bmvÀ£]Õ¹ ¸ÝY¥äœeJ«±[=´æþvæ3rpDÆSFà Yœ;Œ ¼ž -¥úÙˆ?'¸¢éçä!‹ù\ÀSù³¼ò!›ÄÍ<ØæC½ž -Ñ ƒœG†‚îj(°V9ÉQÊXžrÜ_å¸oSIÄ8 x~ÏWù}¨¦¼ÈäTÉŽ -«v·+šr -Å3&EîâÝÕxp‘ œ–Œ1ö~ÂG—*‹ðS°ØÊ¥ÇÔ ¯Ï¥}à­;â aHIé6Zw”y›ÄÒ èŸpä›u³>óNgÈ —øÙcˆÈÖ³)[·DÆÔ«m[”§k‚'°\â⢞èlÕ‘&@`'ñhÙ7´¬Ù:øÏ/œËõÑ#6LâÌÖê5l˜EtlNA:•Œ+~EC!Õ¼Š<ÕXG`ƒùlVä8Ù\>øn‚‹±ä©"›u¿Y6Î!ëêiJ–±¿ŸeGRA0û¾¬KOu®Ìqìýä9·#m†GïÍ]?VÍpÈóg ,“ òÅËgP]8cGEgüp¨ºÍÔ!ÊK‡ìaáêñüO9–p.pTµé©ÎÕyrÊ)Ȥ“±>ßB%]òÀ·+ꦇܽYyà;üY[€`¢T_±…€ê‚-8*²HA›îÁ…àÑ$bœ¯÷ÿæp–ËT\V¨§:×èØ@A9Ïâ±Jß *½xØÖ&(ÕßÐî -¨l²>cqRfÓ½£Á&Bªy›ðT&w>TÕ'×úK¢ÄLdÀFä—•ê©Îµ:¶ Hšs­äX­oݾÂð®T÷eÑW]`å‡ÿý•ÏP´Õ+º XXêDšz §šv¸E£Ú2‚VõÒÖEjU5‹ÒÖ¬\Vå—`d¹Bk3U²Æzij³sT`ÓEGÂW%È‹2F“çÁC©«Áj›ca9UeÝÛiªlut_Ñ­]QVá³s¼´n£¦=쀳ɼAù£‚—t‡Š½ÆJ»…¢ô×D„Ò&"zÝq±íZ­ŠcgÔãMѬéŠÒ†&'âà×öxhpSxáR5¤ì-«{KØ=Ð[©ø[Ke‹w>>ëßK)]Î']§@kâ…Oalô”÷öÚõ@ÍÁàÊ/¶ö1oExAÚ g‹¾¯v{s6pÇß’Ÿð|ýX±ž6õvr­8sÙ¿…µOU3_#gR¨+øP]À/GEbOóè5F”ÏJdÿ_ÀËå¨5:d²g*ÎdG:}Ù÷Æ“lÀ.™äd‘0YÐåpî4=X!Ü´X¦’„zOp¿i‡[4S[ƈeÊTÆJOÚïu€e©Ç²ÔaY:–®=¶¥!¶ÁŸÙ›A6°v‡l™Ç|À6ñRׯ É–‰™MõCb‡giæá²î>|9m - ˜¶,—$B“A\‚!€ÀEñ`ÀD9 Á9G›Â2€~¿­z³U-uôÂ=&Mè?R€¶¶¬Ñ™Œ’UŒ˜²œÂwÄš¶¡=¶ÀÈ3üo[@Z›Ý[Èðf+ ¹b Ï®ÔB!ÕÓ|Y“ƒ®zË2s¹ô LCÊ[;ó©ÖþEýh÷)¾Yá®Nu¦PLµÃ3–Ĺo‡P5Õv -r YÑÚANÝ Æ5c)‹óÄeˆN¸«Zêë×qŸaßP#ä²ÚeMCD‘"eI§–Êó«GøI «×Ža}j§v„ãÌsl¯rÌËc±jëãóS­X$4?gú4Âv ÷”Ç‹%ç,ÕZüYüK¨ÃrSÕÇ‚H¹ê‘*Î%×_G˜ G±²OÙ±á"$KÑÕÿ —uVî@+>µÕÉù"«¿à"{þ<Ö)ˆÂ„Ô%p¢E‘Œ†Nô~„ŸfiGN³rW`ÀŽ°T1KD÷5@g1çÑ"žc0 +â–hÙ§28¢FAÜQ¡Äc•¯Î…Æ1ã‘Nç…:¢¡²^‚qË¡Ðû-–HDp¼åIPìëÖ^#ÁˆyÓÍ®êª5”õŽ&Ð÷È–ƒrXa¨ü&º¥i$B† +y/æÄó@6ÇlOÙnW?5¤Mënž›¶pù¾¬Ê¦=f 4ÕÖ#Püì»õ=¨>À¥ÄËPõšþ3ú#«ÈPMq|,Žx©©bÜ•Õª ªoÞ¼ýŽF)/ÆÌ“¦ŒKÁ¯˜`2ôAל‡úØ6VŸÝŽÆ8XÕû}Vå ©çôö·;’1…’”©0rQ2®ÏRqÁBé F¹Ç©-weû Æ[ŸVÅ¡Á-eÚãoè›6;¶#¢µÒH9€ƒec³<“L!cJµ³ç t‡0xÚ–·‹Ggé3Ô{®O”Ÿo“à4¦’ŒáMô0”Ní§²ÝBAŒ³ê™õc£¡‹ÒÞ}*Ñq”—Ía—YÚŒþNM¶)h¸/šî"³\Öµ ï¿].äXhÅHÁF ù%Y]ŸÅ%»¬ÎSáò6ŠN©öÔQò%u¦ÓLGä÷l&™„<JçÜ€zër3–üE ²iyžd4W“ ‹w£…Pâœãá*GŒ£±ajx~ÏWù},ÆRGž0ÈÖ£?œoXË&xê0ûj¦1ÃȤd–Œ1öa ke¢ •ˆÁgçžýi= +„<ò)Õ@îÿb&…p -mø™’Å ÖôO'¬̲Ú\„¦scÄLH•ÌûzŸŠœ=qvOe¼½ØÕY~.–ó˜©ÎY¹žêRðÔPò;’l QôKŠÍÉe8‰3;a•¥Ä,µa“fÂl( £+fêQ͘ÉQ Íž˜Nfý½:™ª7Þp1þ6åcQu›<½ÇB±½i~{T3{ì¨h×ÒlÇ6yP°Ìm²‡«Ûó?Þe)H +[5kMOuiγ]ŽA'H–ö¼[m‹üä"ø³‡¿}VV-Ô†&‹'ø;þI_P©dIéý¬/ô©¦}ÁS‘/@‰S5kw6 ÒpÒù~Ò_ jHœ³õT—º( 54é»Î¤³›m}‚JÉýí>ƒZÔƒS> i0ѼOô¨f|ÂQ™ŽÆ±(>»®ã_%F`"6<7ª§º´êÐ/ u†²P ÍzwjïRªàtȳ¶hè; øŸÑ_þ\eûrE K ,ÙÌTUw·hTZF `U.m3B‡˜ë³Ús"ÇJ5•èm¦ £©ø ñlìœ/\á¢!å‹{\AÞh²½DõZ)¼¶:e–S‘—­¦Î‰ +ºµÏò¢Ǭ/mXÀ¨ª{àlòo0þ 8%Û¡!ÁAžñŸ£Ñ ê¶vƒk"Bm#(v["¦òG«ìÔóãJä ]p¬¿Í¤ms„Á¯õéXe;ºp©R¶–Õƒ%lžè­Vüµ¥²Í¡³5Øø^ +ár>á:Q¢'/|zcc/ |°×®Çöh6%¿ÜÙǼáYƒžÍÚ¶ØÌÞ_i‹ðŒçìcÕzÚ–»³E3y´êàÌÕÖ>Õ$~ÉD²(•Wδ>Õ4~y*R+{šF¯!¢|Q"ûÿ^.Gµh—É^˜t<“ØôU•='Œ’»D”’GÂdF—ݾÓtç…pÓb™Œ"ƒex¿ª»[4SZƈeÊdÂTž½Þ){X{,‹–ÅC]àÚc[ÜÇ6ø3k3ÈÞî-ñØ&qìº4Y!1³©~ŸØáYÜ?æá¼l>¾ƒPR[–KR ¡IðÞ¹ÝÙÚ€‰t‚s¤Ž¶™e…üaW´f©Zèà¥{L˜£þì‘´¥eÁdŒ,bÊr Üë°çƒ.žÙføßÕ€´6/z(\‹ÑãÍ4Vp$R^ÁŠÕ V8*Ê»ÆÖ 1 DxE²§º=l Hž€ÈöÕ¡Œ¬ËÀà²C“þ€10è®7ÌÀx8„LƒÓi…ɼ¶Tµ¸+\ŸÊ¦-«MÇ£/µ±}âQ‰áÆ”ЦiPb<§ ®ã™f¶ÙcAst¾šøÒ‘‹/|¦¡ûkw¸[E³M¬OàC—*!S‘ïÕ÷ÛËK%Œ ñ´uú‚žR :0ÑåŽðÁô•a¶:íHÁ{ZÆ"RؼÃøucÜÛàÇ°¯=ÖeÞœåúUQ¸ “âD”;R»š Î æ­z½£¶Ü;ݶž2v+'ãKDÛùWÚn}ªéøòT¦ÉÛfmsÙuã€ç±žë©.åƒ bJEpw øßX;ËÖÚÂÃ6ŽA'ôøU3´º7Ü9YoÚx*QWšq}ªã9*\Ão§âø¼«§ÁiVrN¢ÇÁi ûþ6A½Ù˜l—Ǥ !:`à.‚Ÿ.nÐ+ dœµI7L™L™û×NÚ‡‹O‡]¹*ÛÝ3Íç%誵,—KŸAÁ94 o»Ò¹?DL±ñ‚ VãÛ•ÐթβÑ7š,R©oŠÛ÷j#ÉŠÖrʪs®‹™J#—!:ûðŒ™ŒÒîÍɪC¤óŠi%ÜÇæ{"†Ýk²8Ö.×trž€ +‰óNÞ§švrOe¾Ò9íùƒ{)ÉÛïËU¶Ú¿/¿>L'òË2ûEšìÙ3ÆFÒè+cÈP€Â+ õT—+îWùÃÏ–ú,<9¶¢ŒKVøÆï™ÕÛ1~ ‘ëì´kék|†’D¸û5ýÕG{$… +ß:ðÉ#éèr£Ðù;ˆË6¥é+PºMhìSyR*ßËñh#úÅ`ïñ6¾\bhÙ9 [ÍfòA.}å¼êSÍx££¢óª>øŽN¡¢“iœÌË÷T— + W…àÀ)jpg4aâZIïËÌÃ… öÙGüÆÀàb¥ÒÉ™©Í›uXü,ª–®{}ŽÄö`H Õ&§Í–&º:#L|çÇÎÑdu-O†¹à›ÿ¼Æo:y¿¸â”D›–î4æ4o|‘»Z &|G„Ç>ó47L^Ó§ôýœµïÉLžf<–ºgüÅ:ÿ›¹ç &~e ì÷A«‚Êøóª¬Äx³¥)þÓúÚÓ±2Ymi›ÕâM×3ãŠþ‹O°4j"AeÛ—fn›^ËP›)ñÃKÊVqd”¥áÖTuÀÅsc£Ì=@qÌD]é½ôˆ¦ÃÇ¡Øm¶kÿ@ôÌ ï‚ç\úxìôÅSè!]'MtyL–{°b ®)$—£Ý;"HâCŸµmJî"8Ñk®‰^sMµ•e¢a:X|ˆH®©0à —àîk+®}xà؆‚äTèá4•Û8z°ÙÏÔvŽ+ û‰Î‰}×–0B°®çÙI³2È'-ñÄ·Ú°…j¼bý·_üw÷y;~…$'±ˆ±wL¬Rh}..?Å áèŒÄˆêÿ)r€@endstream endobj -706 0 obj << +710 0 obj << /Type /Page -/Contents 707 0 R -/Resources 705 0 R +/Contents 711 0 R +/Resources 709 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 672 0 R +/Parent 676 0 R >> endobj -708 0 obj << -/D [706 0 R /XYZ 56.6929 794.5015 null] +712 0 obj << +/D [710 0 R /XYZ 56.6929 794.5015 null] >> endobj -705 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F77 703 0 R /F14 608 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F79 711 0 R >> +709 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F77 707 0 R /F14 612 0 R /F42 601 0 R /F43 604 0 R /F58 631 0 R /F79 715 0 R >> /ProcSet [ /PDF /Text ] >> endobj -714 0 obj << -/Length 3636 +718 0 obj << +/Length 3731 /Filter /FlateDecode >> stream -xÚ­ZmÛ6þ¾¿Âè—óµÂwQ—OI›æ¶‡K{É6EßpÐÚZ[ˆ,m-9Û½Ãý÷›áz±i{ Qäˆ3gžšÏüñ™Õ “™š¥™J4ãz¶Ü^±ÙÆÞ^qO³D‹1ÕëÛ«ß1Ë’Ì3»½Íef-ŸÝ®~™õ·Wßß¾y½šÍer½Ð†Íß½úÇêùCZÏ?Š¯¾{÷ÍÍÛÞ¿ºNÕüöæ»w׋”e -¾¼üíwß¿¾ûpýÛí·WonûUŒWÊ™Ä%ü~õËol¶‚{Å™Y={„–ð,³í•Ò2ÑJÊÐS]}¸úg?áhÔ}Ó '†ÛÙh…á2JÄ™ªô«x"½~µé—3h+3ë©P¿Ý._‡kå2K¬”Ùl<á1ß@uÌWÉ1_¥˵˜2¾©—»knçŶ¨;Ú€nSP£-vŸ‹]K/«ân¿^—õš^«âsQQóM]$GKJI9KlvQsÕÅy¢‰Þ^|“f#Z©k´†ù‘Š„=-Õ‰ÉДΉˆŽD›êÖ²ÄXf'²}(º6ªQ8 jþ—‹zízæ5=‹?ªrYú]úœWû3úiÀ¬Aç>&;­ñž -—U7qcÕnÊåÆ7'ç3¯Úæà„úí討‰ª!b¥FתIt–Iú´Éë: £m³*¼Õ æQ×Øì^]/¤»¼+›;ù{®9`-zEcGZZÝïûÒ» Ѐârv¾,ˆÂY~‚†µ¯Ëe?)h§ì6Ôrö…T!Šbg`’ïa¸îðSÔ’¹/q%lºS«r]v9®WB„)×5  "e-0JÝîˆB?Š„½9½¶›Ü¯ÈOUø,ªÃ=–Æ;}7á°Å@è¼<놆],„ŽÎw<÷ý\®üA"9bB#›;ˆ]O×KQˆ4(¤"ÁÕñæ ©ÝæU°õ É ëvGzC”rßUͲÿ@Íï›5p_Ž „K b_p;"±Ìß‘Ky¹¨]¶4‡NÇ¥Š4‘ºÇ†/Šnù¹%0Û}„¥…,ÞÑŸF:ÑÂ.4S;¹ÛãºUÖGȼrHÁ!è©ÃḚºïÖ{(–%Jïìü>@«×Ød!bº,¸¤Eô«D)‘'ZUrT—¤8šÍ¥¤"Ê犇Mvå¼·4ÎEo1pHC öuað8„U° -$p¡žm¹-«|ç?oˆ"ö4÷1_¦á+ÎGûê”GÖž/;à#X9_œ¾îÒGÜ›c2-q¿óÖ¾Qr“MϦ—®¬ÙbP6é‰hP?c|âVÛˆ¨Yðqì8ÛFÒmãÇ@˜aiúÜI<؉È ¾fú€UY.|›ËÀASa ah+ƒjÑU€æ‡1|HÑ|$˜­¼m›e‰¡’ $,Ú -Àó““ì356Eŵ4â>‰4•£¡×GTly8mÝ?Qç ¼l‹¼öÓ‡IïûÈ¡§å™‡?@Ù¸þ•CX@H™Ž™*È—âÌ¿ÆtH0B—ô¤¨¾Ú$lžÎŒ¾l”Ê~“{Ù°`"çç[3<°´Æ‚^—U¾o‹ö¯QžB‚&‚5x¸8iˆ;oÐûøÁ|'‚”H4$Ý#gp4nÜx†e‡Y1QŠM«’Ôª Bó€oz<fóž%‰Iñêg¼½'õ!ÀŸe& —.ÿäò -ÈxrzlW.€–¯r1wXIV+ŸŠ„oÜëzïw{\V "|ðôÞy¨ža†åó$dà3è%<†­;O~¹Ë—öáÕŽPº&âØau/»hO`ՌىýâPxêqž³¢¢ÐĪPj Þªô·KG%¼’KÅó, Ü+³â`{´ -óܤ‰2ðR¿ -R4ÜçÔÕГ ¹QÚÔ[sçév}õ…’Á¨ªB»yFèæ¦÷ìÓÝÂ` àX  î|ˆP™¹dU$:XÙ[aK¯9=ÈÌ¡AÒ; -xBÄp©@{H–*´}ÆÖf<Ø¥MŽùPÁ¡ -¨•} çȆ҄‰þHP5ªæ,ë×eQÙü¦ó‹mŸÀëý2 T¤:H4ÿ¢·Z‘X˜Åj2p©O•=,ORœàÜ–`í^V2l‰ãV›2ƒàFHê&}ôÀÄ;èIÅÜB°†Ÿ—€'ÊôÇ+,ô¾©ªæÑamM.I’ïó\Á¾ i­N2Ë‚AÀbÂη{ꄯŠ@ONÏyU®¨¹j¶¹;T@Esû’W³_o¨Û]Ji]þ#ÂV8ß²Û畫иlJÈcŠ–ܹ—TÍê6{—Häh»|\•ŸŠŽûUQ´Â¥Ë[?¼ÖU ºF†ãgüNEÀ¬ÖÆ¥²èg\Œ§ŒÜš(ÈJØeOvÆ?¤I&{°çÖ:)åô6LÑ&ùšSÜ+eè„/z%†éê±W„YÑ'?6Ôs­ÂTFõñ<¯ÖͼÆ6VñO!{ëÍ““Ô}Š‡‰I­éЫƒkAmü¸)CiÍ;‡Ö¦ÉÿNL*Rš3ó‡|×:¸¦LiÐʗÚõ5z³Uš… -)’2‡Qù, -G‚rð¨ôè -H(³žÌç™E*ËÏ9›m¾\lW:¾Vô‰ƒ7=Øö~ÿi½x+ÉÈ0²:>ÊGá=÷¿IÊÛbaü¤E½lVá -…–n×°-ŽK(±øŽ—–öRxØ”:bÜ’ ™qK^'§nŠ¹ð>†Ð¿÷×’8î§ -iUvâ¸ÙÄfZÆ%òYô ËäÖR¬pÀ.„ÌüñX–`N p¦¯»($ø8 - ªAâ£`>wÂéØrÕ^$r'ü}¡™1Y,F¤Ï@i60è(L3g£Øp> -g3jÀ<¬O…NºDËÔùzÎBbÓ4oã{γ‘‹2–ŸÐ¬ ùIÐ"E?-FⲂkºþC«Æ>ª2BÃoSê Ç™®§¡Ž;ÿ ÁLìñEõToñ<¸AºtSú - ¬mã™:~ù5F$áJáDõÉÔ õ„’,Ëô1Ü¡ÿñ6~{æTvÿtyŒ8Ma5«/Þ¤Ï9J˜èÈ'L#Ž²žñ™§,$…ÔOºâûäö×çۇʸ-ër›W§®œ ³¿i{hÿ¤ÃͤÒÀ_bV+z«\ÆœþÕ¿ýÇI lmzpQ0@GùEˆD_¼ŒÅ2ê‰t)ß?Ý ]ß¼ý¸¿“ëü«×Û;y³þéÃëî§Õú§ú#»yË7?¿ýaýó6{ºyûf½ŽýÝO¿ˆÊôß—1„j{§WÄc¥8GŽÕ:üå©_IKàO›#wðï¥øÓ¿ ~XŽ(ËÚ?“ÌïõB᪸<”\C¯­H#¢ÿþ;¶Æendstream +xÚ­Zmã¶þ¾¿ÂÈ—xXÇwQͧ»Ëåº)zIs›yC¡µµ¶p²´±äÛÛýïáz±i{Ñ‹…)rć3Ï Åg þøÌê„ÉLÍÒL%šq=[n¯Øl co¯¸§Y¢Å˜êÕíÕ‹¯˜eIf„™ÝÞæ² ³–ÏnW¿Î_ÿõåw·o¾¿^Íæ2¹^hÃæï^þý õ¼‡!­ç?Š×ß¾ûúæíß¿¼NÕüöæÛw׋”e +Þ¼üî·ß½Þ{ýûí7WonûUŒWÊ™Ä%üqõëïl¶‚sÅ™Y={„–ð,³í•Ò2ÑJÊÐS]½¿úG?áhÔ½Óœ–6ÑV¤Õ)9R—<±FÚYª³ÄH!îÚb÷±ØÁâ23/[üÕóÝ5·ó¢íò]W¬@%J¥ó›{[/] :–nª`Ëc™Š÷¾èÚ¨^Á©ùçµ,;÷†\|z¨Êeé÷êc^íÏi]pZ_ÒúˆìŒÖ.«nâ&«y’ÚŒ_਎9O5 +£iÊÔ”õÿK£ìŒÞ„I„µò’ÞFdgô¨PøûjßnNôó|ûƒ~Ä7~Ð'Œ¿FÆÅ3·Ì—›3&¥3 «âü‚jÆd§UÓSõªA?9ÌÚ­$ó‡9MÌ ®B½ ` :pªCåÂH×áºü8Ž2Ôº§µýóú6:Ñ™¼sÆdgô¨ èònß1Và79@‹óŒÕ1ãƒÌ’4vÊù«²}¨r L1\»AìÁ¤×’¾@] ¢5×t~¨Ûä]hù®z¿½s¦ ©Äü_–üìe½¬ö«ðÔ¿UÖÐñÇ TªðvwWÖ«¯ÿê Çë\Hc0Hˆ)NAæÁ}¯LaUÜçûª‹pÍÌÀBäJ^ܼ‹p`ÈL)O´)CôX–÷=G +ñ¾ÛÛxðs‘…ì·9šuÙÔ×{šsuÆr…LDÆÍ%Ë‘±Ü@…«ÝËý®Eß~ÈÛÈ$U §ó¼Õ1ï©ñ›¤B0ÿj¿}8Øʪl½ž¯ó?öÅ® žb„=ƒòA~Ò_ÝUO#…÷ óˆÊiäAÒÌ€èÒÁ=t*kç¯nÞ}E­,_Dì ÞJ繫W˘=AR¤@ÑDÔîš‹³0/ÀsjЊm†Ðy &íÇݪ‡áA¤ln#òpknx0ð¸<@«×Ød!¢º,ø¤Eô«D)\Ró€üqÏ8£ÒŸü X1a´W'´§`:î›}½ŠÔ>$ÔìÐéŒ&*AÈÇÒnƽoÃVÕ4¨¼ÙD©J´áæhK?O±”ÉRë©cš¡eâäpl +tÇ, Zp©‚Õ´O-šËªÜEæ7¸æa9yK“¯ +Ôeí¼ã…y¶ÈOAÃBg_ð” AàÀÀÊ +m}Uî¢é1‚åp¬˜T½Z mÄ3ÃA;¡'@ã Ô´×“7ï©‘ùº¨‹9PìvµøÝ]Ûù¾®=ä:ŒæÊ4œ`Lœ‡”}uÊ!ë —ð¬ƒ|/N_wŠè#îM!™–¸ßyc×(¹90Ì/]u³Å˜lÒÁ +°~ÆøÄ«¶Q%²àãÐq¶!Š¤ÚÆO!€0ÃÒô¹“x¬‘…AxÍô%«²>Zø 86—s¦Â :ÃÈFÕ¢§Ícø ˆ¢Ç50øH(ZyÛ6Ë#%AIX´€ç'ÑÃ' fŠilŠŠkiÄ"ü%ÒtT•†^P±åá´uüDƒlð°-òÚO&½ ì{‡Ž–gýeãúW`!e:fª #Xr»üÓ€]Ò“Nltótfôe£L!ûMîeʉœoœkÍðÀÒ z\Vù¾-Ú¿Dz + šÖààâ¤!Œ?ì¼ACèãóˆQ"Ñuœ Ñ¸qCÜ–fÅD)6­JR«‚I̼éá@˜Í{–L$&åöÀ³œÒ‡–™^ºüƒK+ áÉégÓ¸z´|Á‹¹ƒÒH²ZùL$¼ã×{¿£Øã’ +hყ÷ÖÈCù ¬pçÇûz ŽaëÎÓ_îò%E}xt•#”®‰8öEXÝD‹öT͘Ø/åq§§9+! +0¬ +¥ê­JÉtTR øvñ< ÷ʬ8Ø­OÝ×qµ/èPÞœgÁg¿€²óɧLÙ#¦>Ͻ™ê1xÄG‡´à7Y&V!ú€q"¨d‰T鑈)KALàÒ>óܤ‰2ð2¿ +R4ÜëÔÕÐ/yäÈ^¡¨x«s©VÛóÝ4ûÊk +ŒµFÎTá—LNª´\õuzáF¸QÑ>¹QÖÔ[sçév}õ…rÁ¨ªB»yFèæ¦÷ìÓÝÂ` ØXE0݉øn.Y$·*¬ì­°¥Çœ~ÈÌ¡AÒ; +ø…ˆá2ö‘,UhûŒ­Íx°?Ġ•@­ì+8G6”&LôG‚*¬Q5gYo¼.‰Êæ7_lû^ïSH4P‘ê Ï@ü‹ÞjEba«ÉÀ¥>Uõ°Ñ<™1Iݧx˜˜Ñš¾IÀqŠÁµ 6~Ú”¡²æà KÓä'&©Ì™ùC¾k\S&€4håKwÝAíú‰½Ù*MˆB…I™CȨ|…#A9xTzt$”YOæóÌþÇ“±ÙæËÅv¥ãûaEŸ8xÓsŸhÛ«ýí&oîÛ¬Þêü}ú(o…÷Üš”·ÅÂøI‹zÙ¬†½váS/¼L,ω¶/-í¥è.°)uĶ%ã–œNNÝráyŒ ¡ï¯%;oܧ +iSvâ´ÙÄfZÆ%òIô ËäÖ2¬pÀ.DLüñTdÏÌ“À™1ÓW‰]|„U ñƒ`>uÂÂèØrµ^$R'ü¼ÓG̘Æ,Ö"Òg€4›t¥™3Ql8…³ 5@ÖgB'=¢eê|9g¡@±i: ·';î9ÏFÊX~B#`°f@ä'1‹ýt´XX8‰K +®éò­û¨È ¿M©¯?Ceºž†:îü;„2±Ç—ÔS5¾Äóàé^ÐMé 0°FX´'ê@øEäkŒH¾•Â‰ês©ê%Y–èc¸B÷ã;%—:Áï¿#÷ðïgøÓŸ™_ß#²VÄ/$3ä!½P(9—‡’÷ߣ‹þ_§jòendstream endobj -713 0 obj << +717 0 obj << /Type /Page -/Contents 714 0 R -/Resources 712 0 R +/Contents 718 0 R +/Resources 716 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 717 0 R -/Annots [ 716 0 R ] +/Parent 721 0 R +/Annots [ 720 0 R ] >> endobj -716 0 obj << +720 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [120.1376 425.576 176.3563 434.7914] +/Rect [120.1376 401.6657 176.3563 410.8811] /Subtype /Link /A << /S /GoTo /D (controls_statement_definition_and_usage) >> >> endobj -715 0 obj << -/D [713 0 R /XYZ 85.0394 794.5015 null] +719 0 obj << +/D [717 0 R /XYZ 85.0394 794.5015 null] >> endobj -712 0 obj << -/Font << /F62 634 0 R /F58 627 0 R /F43 600 0 R /F79 711 0 R /F42 597 0 R /F57 624 0 R >> +716 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F58 631 0 R /F79 715 0 R /F42 601 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -721 0 obj << -/Length 1521 +725 0 obj << +/Length 1546 /Filter /FlateDecode >> stream -xÚÝXKoÛF¾ëWðЃ„ë}?š“k8‰ÄIc¥(#ÒŠtEÊ®Qä¿wöEQ]©Q…ÚåÎÎÎ~ó̓$ †I„DÒP“(ÑÀD$‹Õ'W°örB‚L…Ò¡ÔOóÉÑ IƒŒ¤2™_ti„µ&É<ÿ8eˆ¡hÀÓóã7§³” -<½8}?bú ü¹ùÛw§ïgŠOçgoÏ/f©Â†OO^¿›G‰‡uœ¼=qöòÃVÏìÓüõätÞßbxS‚™½Â“Ÿp’Ã…_O0bF‹ä&ch²špÁàŒÅ'Õäbòs¯p°ê¶Ž"G0¢ P:„N¨t„ĵ‰IF™Ã./.³MÕ¥_Š;¸$Çxº®óÅï0}no—¤Ô ­8¶!¨ÛõÕ-½àlpÞ -[™ù²l=n¿aL«â™Ÿ”—á¿n»¬ªŠÜO³ÖkÜ5cd0‰Æ£¢[YóТ©/G,Ð I-IÞ6›*RUÍ­vËÂÍj•Õù#ǧD Zr)dÕNïATy‰ŒR2lMœ¥ÒbYTM–Xš† A±rûºLRLªëbÑùI|H¨B~ÄO¯›u0‚ùÜ"ìÏ6mv/àÎVaÔë›b½«|=#zêlµ iâ½duþÓî¦Þ;¤jYåhƒwù²Ê˲ˆßþ8?[ÏôtS×e}VËnéG—uW¿¨tncS^ºbUÔ];æ½=:ºín«uÌ_ÎJ®¦XíÚ -vv^h¹öøíîÏÝwÙ´Ýs?ÿêÿ xÚ¹mHy±Z{Ç“‡CËÐ;ÚÆPçÿ—Y$xr@¥´ÎpSÜCÄ"Â뱨ÓP(%C6ï%:ª%bÔè¢QM•ê(2ö£‰.í5¦C•‡YŒjƒÑr{²µÑ^ðµ[þ(ä3*Dí†Þûž‚F9>{m;¥G*ŒPImº*ê‘£%CTé(|íy{µÎVþ„Û²²®1ÒÒò¦¨KpIuç×>:ÀQ^"sC¤s_N„š¤Do¶OÅþ ë}wÂ]³°gØfÙC«¶ñx1&§d/Hò²½®2k1¡!þ ƒË¬½ñíuSçÏC ‘@dìé£òÐp¦¡J™(8d®;2ëü™`¼T®–À#—ÕàI–oŒ`ÈCª"ÍmŠËïÑ ¥ áG&9üŽ«®X×YWÞà;(¯Pq—\â ¨n«&//ïFNÓT ]RD¥Œ¢Y×WqÔƒÖ# 5•c‚˜àR&!XöÝ!¥ÐK@GW^ÕÙ(Ûl†åÈpÂݦ“bÝe¥Ã›L?œŸýêGmØÚ—Yxº  ¥…Ò.7~G—}‰«×Å¢´.ü<[teS·Ï¼\Öú§yÑ.Öågß#AQ®÷NÛ©Výçª@cõw¾,Úà©ÁTüWûÚ°iûÊ;ž °”÷üÅf´‘¬‘`˜÷Ñîz-´_N •s)† 7)&̵Øb¯œ|Û®hÆ´{-ðû0è -øc¯žÅ+¥œC0¦ûr¶¢¡Hi¥É:]O¾‹³—¯>¼Û‰(HBR°d¨ñßÙ«±r׋;fžXþ·{íô–ö¸OB¡ åcI˜0È\}C6ˆgۻgY[ÐCƒCˆyB ™aHa@n_Ôþ? fйIL`0ô ‚K ïÕoî§ð@å“QøÀÌq -í|4…USe_I#‹?Ëî~Ž=ÙM¿;Ž‘§äÅоHñÇ DÃHäØÙùü~Š 4>Ŭ§ØÐÌÿ€bOvÓï…bŽ‘ГA³¨v?||ƒWU¤ f¶íSHx-ùN†“3ãc¿Êm?VBçÌ´fã|€@hM ]ž„|4Œßï¢ØÀø¿,ôgendstream +xÚÝXKoÛF¾ëWðЃ„ë}p_ÍÉ5œÄꤱRHƒ‚!i‹Eª"×(òß;û¢H‰NŒÔE‹Bírggg¿ùæA’ÃD\ ¡©Ž¤NÇ„GÙz†£X{>#^&BñPê‡åìä™ ‘FZP-¯ºÂJ‘h™¿›3ÄÐ4àùåé狘r<¿:³à|þ3üÙù«×çoN2™//^]^-b‰u2?{qúz$¾®ãìÕ峋ço÷zï—/gçËþÛÌÌ~Ÿ½{£.ür†ÓŠG·0ÁˆhM£õ,á ñ„±ð¤š]Í~êVíÖIäF”JÇÐq9€Nĵæ‘ä F™…®ÙteS·‹X`<ÿÓÜ'¢)¥¢˜¤9§V,/®Ó]ÕÅm±ýTl4¡aø‘§vžÞñ±¸ðßÖyöLx<>Æ9ò³];y–°Ý¸—5"ËUÙ:oüŠ1­Š'nR^ûÿºíÒª*r7M[§pÁi îÁVãIÑe'Æ8”5õõ„Š!¡_'î¼mvU8¤ªš[7ìV…dÍzÖù÷ÇÇD›”à0’H3*­ÞH²i)…?ؘèßU“æ–Æ~ƒWìë0Ir0©®‹¬s“ð°w¢›nš­Ðœ¹ÜÂïOwmáw¯ü N×~˜1T¾]5·¶Ðq^2:¿´»©©š,­ÆstY§Ùª¬=â·…;ÎͶ 5ßÕuYßøÕ²[¹ÑucÜÕ/*ÝØTžW@ ®Xu×Ny/°Qjk‚Ýn·î(‘HQ,Çñvvq㦞=n»ý³÷]5m÷ÔÍ?»?v$·('ækòø/F–¿‹ó´ ¢Îý¯ÒÀðÚ/äKi¼a§.¶‡ˆ·Sa§ OQJ†t>ÈŸT ĨVH)b’>$R¤Mn˜LŸq¯0hýÔ?pÝäåõÝÄi +Rª¦ü!°C„S!‚hÚõ5õ õCEM01º+Æ!Xô']ÄÐI@—XÞÔé$ÛL~MNHb7Û.--Þdþöòâ7jý~˜Ð¾ÈÂsßKP&h(“f¹q;ºôcXÝYiÌÜ<Ílo÷ÄÉ¥­{šm¶-?¸ Jr}pÚ¨>õªMuxËUÑzO ®0 â‡°Ú†]Û×Ýé|H€¥IÈMF›HÁ +q†“>Úm§…k dþ„@Šî1h·RK˜íÛùA5ù¶]ÁŽAÏr¯n]~p>(gáN1$O”`¶ïôG(jŠ¤’*J û4vÙõêâù‹·¯Q"²à,jü{Fö*'¬»Q bbcdæ™ €ö ›Þó÷YÈW´|* é ‘ßBÊÙ·®¦ä)DDÚG|K ½!D?"L3$± ÷oÿ*ƒéc2k„è̾Ì`B¡`‹$0^Ö¼ŸÂ•Fá#3§)<´óÁΪ"äʾ””Ýý{´›þ¯9Æ´ù#ÈW8†á½Dù·pàØÅåò^Š 5>ÅŽ­œ¦ØÐÌžbwÓÿ +Å8K" )ƒnQŽ¿¦}UƒU$56þB*‡Ä¡Ž¾ÊÚ‡~êÛ…Ö™)E§ùo€Ð!1A;jt6äèCdø&襦ÿ6U +¼endstream endobj -720 0 obj << +724 0 obj << /Type /Page -/Contents 721 0 R -/Resources 719 0 R +/Contents 725 0 R +/Resources 723 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 717 0 R +/Parent 721 0 R >> endobj -722 0 obj << -/D [720 0 R /XYZ 56.6929 794.5015 null] +726 0 obj << +/D [724 0 R /XYZ 56.6929 794.5015 null] >> endobj 126 0 obj << -/D [720 0 R /XYZ 56.6929 526.4445 null] +/D [724 0 R /XYZ 56.6929 502.5341 null] >> endobj -723 0 obj << -/D [720 0 R /XYZ 56.6929 499.14 null] +727 0 obj << +/D [724 0 R /XYZ 56.6929 475.2297 null] >> endobj -724 0 obj << -/D [720 0 R /XYZ 56.6929 469.6226 null] +728 0 obj << +/D [724 0 R /XYZ 56.6929 445.7123 null] >> endobj -725 0 obj << -/D [720 0 R /XYZ 56.6929 457.6675 null] +729 0 obj << +/D [724 0 R /XYZ 56.6929 433.7571 null] >> endobj -719 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F58 627 0 R /F42 597 0 R >> +723 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F43 604 0 R /F58 631 0 R /F42 601 0 R >> /ProcSet [ /PDF /Text ] >> endobj -728 0 obj << +732 0 obj << /Length 2282 /Filter /FlateDecode >> @@ -1553,240 +1550,250 @@ H2! U ‹ðâÅ©¥ƒt•­7°ÔßAÅ´wSif*vïÐ}[ñnP@^÷^SD(eT¸ºeûä^×$Ô¼rÿ¡Î‘gšÇ H…9èÕ1Âͱ_{¼Ýî/3l®pendstream endobj -727 0 obj << +731 0 obj << /Type /Page -/Contents 728 0 R -/Resources 726 0 R +/Contents 732 0 R +/Resources 730 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 717 0 R -/Annots [ 732 0 R 733 0 R ] +/Parent 721 0 R +/Annots [ 736 0 R 737 0 R ] >> endobj -732 0 obj << +736 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [470.3398 483.0796 539.579 495.1392] /Subtype /Link /A << /S /GoTo /D (boolean_options) >> >> endobj -733 0 obj << +737 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [316.7164 471.1244 385.3363 483.1841] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -729 0 obj << -/D [727 0 R /XYZ 85.0394 794.5015 null] +733 0 obj << +/D [731 0 R /XYZ 85.0394 794.5015 null] >> endobj 130 0 obj << -/D [727 0 R /XYZ 85.0394 769.5949 null] +/D [731 0 R /XYZ 85.0394 769.5949 null] >> endobj -730 0 obj << -/D [727 0 R /XYZ 85.0394 582.1251 null] +734 0 obj << +/D [731 0 R /XYZ 85.0394 582.1251 null] >> endobj 134 0 obj << -/D [727 0 R /XYZ 85.0394 582.1251 null] +/D [731 0 R /XYZ 85.0394 582.1251 null] >> endobj -731 0 obj << -/D [727 0 R /XYZ 85.0394 543.5676 null] +735 0 obj << +/D [731 0 R /XYZ 85.0394 543.5676 null] >> endobj 138 0 obj << -/D [727 0 R /XYZ 85.0394 445.615 null] +/D [731 0 R /XYZ 85.0394 445.615 null] >> endobj -734 0 obj << -/D [727 0 R /XYZ 85.0394 406.7709 null] +738 0 obj << +/D [731 0 R /XYZ 85.0394 406.7709 null] >> endobj 142 0 obj << -/D [727 0 R /XYZ 85.0394 289.0425 null] +/D [731 0 R /XYZ 85.0394 289.0425 null] >> endobj -735 0 obj << -/D [727 0 R /XYZ 85.0394 261.2074 null] +739 0 obj << +/D [731 0 R /XYZ 85.0394 261.2074 null] >> endobj -726 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >> +730 0 obj << +/Font << /F42 601 0 R /F43 604 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -740 0 obj << -/Length 3597 +744 0 obj << +/Length 3476 /Filter /FlateDecode >> stream -xÚ¥ZYsÛF~ׯÐ[¨*‹¹päM±åR‰ã•´»©™XƒM€¢å_¿} Šr”J…¹Ð3Óóõ×= ªóþÔ¹‹‚(ÕéyœÚÀ…Ê盳ðüôýóLɘ¥´úæîìo#}ži¤£ó»‡‘¬$“Dß­~YØÀ !\\¿{}sõÃÕ»»‹Ø..¿¿Xj.~þñÝ—în.ßݾ½º¹åꯡ ¯z{Ou±4±Õ‹×ß^¾¿»ºá~+R/ßüçB)µ¸|÷úê w½y'2Þ^]â\wÿ¾¹º½øí«»~Sã«ÐàŽ>ýò[x¾‚ýw&MÜù*a ÒTŸoά3³Æø–êìöì_½ÀQ/½:«HÚ€ÒN5iÍœ&]DFÒäõì*‰OÍž ëì±ÀR²ènÙd .åë¬þP´\ñÝ^=Õ٦̹íKSþåzŸUÕ©ó´¥Ñ¢[Ë MU5‡²þÀc·» •,š¼Xí©$"eUI©Ù}üÎ-q‹7e›ÝWha©T:§iKýJL˜.öÛUÖá’ -iÉØH À¯»ö-.¤ÒÆðS(7I˜eïê•~ØÅ—‚߈ӱšœÊ(yf`±ã³Ð&H <PgAwë²eá¼e\WVµ²hVɦy,Æ›€!8ÅW-OââñÚq)©Šý,ÿ««¹¥DàÎÊ _ÃPW2CV¯H¿K«Ò I#3Õ3«NFk9R(l²¶+v\fY - W«²;+(™ŽT‹›}=s:„ƒHãhr,.;̃—„ñ ÇJ+¸„hÈš®šlu´`Æÿêxõ¨§Ñ‹Ë¢î¡¹Ô± Â0T^uj -Q$hÐoZÁ±Y°gX @Û†Xsž÷.– -ä-®ë|WlŠºË*á<^rÙÚ.«Û‡b×Îß©`±rMsÇ.J˜…açgJÂÞ¸Õ¢“I¸}J®Ø"Ý5y#ï–-¿™qõ=qá¡!m%üÅb÷ÈÀ©nœNÙÔ•Žƒ>³WsÔPÖ€N:Vç RŸ‹ñ˜‚ ¦¶Ñ4ØJú€fÐBÙSt *µ:Aª€KGÛ‡÷iûÐÓn‹¼DÐÓŠ±£æŽ›·¯¹|#ÉÑâ¶(Žý ༜VduÛ”Ÿ;wιp3rýøåø…Sq*µöË{Þȶi ÏažFÇSõÞv` - ^µ¿/Z…6°¡‰Ï#àªÌ¬7ëG-ÇÃN—z*™”—˜Ã¤Å°ºØRß×hÙX»ÈòŽNœÊ­<ù!üœ•‰’Å7×ïÞpWÊv¿Ý6»N^ãÓÆA ÝôÄEć <¬ $…ºÈ‹¶ÍvOXu‚cîwÐ5Ð1 d˜n“ueƒ[R–e”[dYY!ý`$„%-‡Ôyµ_IÅó4–ý*áõMV‚¡—5â»îŸø9øTä‰;ˆû° †‹ý,ofÕÖŒÖ!™(—xZ«EsïgÆfœŸ¨à€‹o‰$ ÐRÖŒrÄ\ÕbØv$4íÉFdã­c²&nZ•±‹m±Ã`Þ0Žø šöªëIºFTíH’—B’¯¸IÃð!â+1Ú4 ËထIdƒ][‚À©»4ø<´>Â(??ú–»f³\¨À¢Š:/Ú‡¢¹Ô¿ÝŠYÙ(°:ÔÓSm‹Ž '!ÉØÅ:ˆt´IO³³¡•‡öÑOf‚Ä:ímØm8Õƒ §ŠmÛøAÇ -ʵ@Ëb¾ÐšòX ­pt×›mÇ - á¹'kqbØØTW`¡\.;î-¥^|ÞVe^vx@X_qXºÄÆpN„Xlß4bü/Ù²Èî›}ÇE–Ç0¶yÅ=mQp±€c‹6ß•ÛA981PׇIêOfW|Úm·$¤œ‘ss©?¢¼ÊHQ/Ïââ"7]²KŸ®”óhm;à 9fc"p>€ˆÈ¦>6²Y‰náLºáÖöb¸s[t‚%`‰ý–ŸƒÐÁÕ7?–Å ¹š—ÚÚò¾„9û[Ž½`/3=艅v›åÒF°Óèÿ²jŒ°Œg* *ŠÏÝ…Zô=±D˜mSqdD¯Êsß2'Î Œß‚­phÐJ¸kÌ¿èÙz£‘¦"¸8­å\¼bað¼b­ ’X'ýiwû­õwƒû£¹†Šq°Š.¡‡;²¶©[Y^ÍlA²ºüâmZ;ZñÀCVwÓ13A*>ËN„ÊòQM*H€ž&úêÖ¥Ä͠♽ZGÅDñ±YäÍfC ŠÇëç>v6ÐÑz”a+-(¦¨«œ\ÀAOà»6Ü(«ˆ„ɱ8ìj¸¾.W²„_a{DXæ~‘kŽ8zØ4›9¸àû€¼‘,Ãå§*Á -Z®4Ëš‹Œo(\Óôí2ŠÝøı·”7Ûf#-«âžÃˆX<†'DKÝšâœLžuÓñhÖÌX*x‰°Üž8˜sà׃¡ENL -Óx -ª"ûØr‘ȘñÂ'.ÁÁÈ ôëeÆ•B™a × 0Uä„ÔLj8âs¶ÙV…ä¡ M…7­L×fOÏ8¯,ÿ’å°«9Y -]öBM±úäµÜ -§àž'.ÕE!£9 BņõÅMÌ‘°;¾¬ý0pv½˜hjÐÇVƒÇVࣧ¨§#CãÁ 7\õÔ3L qÓ@¡Xb¶¨åaÝ:Áñ@ó}±.ëÕ¬Š1!Ñ1ÇŽX -æ隆HT©J×Bê±&,Q£¿[‰y¼ Äè$Ô=ìWM¾GçÇÎÎã“–ƒ•Œ¼70žqÁ#ã|Ö -ÈT1ƒtä0§hâ –î —®ñcøEã’‘è)†ñ´ïZf+”Øõ°œJáµ?N‚(ç,¿<‹“ .I‹¥É"¤“í̾Éi}=7Ï÷E÷…}€ÊŒâ½˜#Ρ¿”2/@.K|8r§ÊÀ!Ä©Ob]ñÚ Æ`J'˜ñ©‘ œÒs.œÉô™À¨ØGr²ã gv?ç‚Ø7ÈS¼äuæ÷æ½1Vòf7¦iÔ–œKM½Iñ›¿ãIzÁ$.µÑt£{åÊ¡ìÖ\šÚ ¶x¬b-Z¼ŸæTbfÞë÷’tŠ7D,ò -üô^k«bƒQ[¶+¿øÉäÚ¡Ø7?üÌ÷´†h„‘Û·E>íèdã¯<Þ³î¸þÿŒal÷p!ðH™ ë¯ºà2ø,ºTÅÖÃC( -'S•ŒN&¡i:Š ÂÑkJÄ€CyÕãž)CÁá°{ ÎmEäIÜë_ÇÑ}>Z‰Z`~ÕÓìÈD1ÜÎ2y,³C%LÁ>,ŒR"Íi;lF¿û¬;”¼F Xö…Q q’GüiŸb(0Ïù%}o^ì0Ñ0ÇÏ~†¥\ýÝ ˜`&3…G3êWÕ {tþâ½®Ù}pd¾¢p-”ÃÃO9ê´*Ûµÿ`QR¤ÝðfÐ:¼ Wsh¦À>Ëlå݃…ùFB÷+hAüø·(aL_SRŽÎ'†¯*÷ÒÕÈNÜdŸ.f=%ᘯR"ò\‰WŽ©+%—O™l¤¤!-.´”¯ú(Š²ÞwúÏ^âw)ÛÍ=÷Y+ìhB”áÂïcë2_ËÃ4æ(IF~"–šÁ :XtYõqJH÷ q6²(©¢©ô¢¦lWÖG`†…›¥›ØÔúOÆ%þ8¡ù^çMÛ‡}ÏÅVÂ#éœ\9ä[ø,x~UÒ“)w.Ñ®ƒ(Uö%ÌFq¨þ‘ƒåèþG$«bZùQ‹N4è‡Sµ°ƒþS$oÎZÆ´{`8#è7K]kJŒaë7—°SÞò%ÖåŽpÎjf ?,0ás7jpêJ÷Œw8^Ð@ŠsEéKzU.õ4ûÐm_™À9D&]Õå‹!¦O¶˜ptSÒFѦ~øI"NÎhìù+‡‚þËal>û/rØ×9;Eå é -¬U/éÂ+?á=Nø‚²]Y5ʉ¨à¹_âàÏçf~iÿ²‹¿ý+½á·ŒbÁ$Ñó?YÐqØ„È¢pñ*:Y¹ÿ9ßéÒÿyÞþendstream +xÚ¥ZYsÛ8~÷¯ÐÛÈU–ûæIœ]OÍx²¶÷¨9hŠŽ¸¡HHYq~ýö3É씈£ÑÝ_7Ò‹~zá"¥&]Äi¨\ Ý"ß^‹÷Ð÷· -4+O´S}ûpñ—·‘Y¤*L´xxñJT$zñ°þy*«.C°¼¹}}wýÃõíÃe.¯¾¿\,úñöšKwW·÷o¯ïî¹úKà‚›ÿ¼½ƒ¯¾\Ù84Ë׿z÷p}Çý¡p½zó¯K­õòêöõõîzs+<Þ^_á\ÿ¼»¾¿üõịë‡~SãëÀâŽ~»øù×`±†ýw(›&nq„J tššÅö"tV¹ÐZßR]Ü_ü£g8ꥡ³‚Ô2„v.ÉÐÎIÒ¥*²Æ’$ož`WI¼|i\ØdÏ–’e×pË6ûPp)ßdõû¢åŠïΘzýRgÛ2ç¶OM]øÁõ!«ªç+hK£e·‘žšªjŽeýžiwûK,›¼X¨$,ŽeUI©Ùø+œ[â–oÊ6{¬ +<ÂJk•:ghKýJl.»uÖá’­hÉØH À¯»-.¸ÐÆê§#n’$0 òÞ×kaü´/ŠOˆÓ±˜A9µÕ2€f`¶ã³0V¥¨ LZ‚86eËÌy˸®¬jeÑ,’mó\Œ7$8Å7-OââñÚq)©Žý,ÿ­«¹¥D +ô.¢_‚ÀT2CV¯I¾«P§*I#;•3‹NÆ9R(l³¶+ö\f^ +™ËëuÙЊ–L)õòîPÏ„ à Ò8š³ËŽ3ÇÆÊ%Aü…cˆ”6Ú.i4pdIWM¶>Y0ëÿútõ(§ÑÀUQ÷ª¹2q¨‚ Ð^tzª¢(¢¢ªß´†c Áža Ú!íÛxÜ»\ià·¼©ó}±-ê.«óx9ˆydkû¬nŸŠ};|çr€iLè`Sšæ 4X–0 «Ÿ) zãÖËN&áö)¸b‹t×äŒ-[™qõ˜½pá©&m%øÅbÿÌÀ©nœNÙÔ•0ŽˆAžÙ«9h(kÐN:Vç– BŸ‹ñ‚ ¦¶Ñ4ØJò€fBÙCt (PkM,2ƒ6—N¶ãiûÐÓD¥§cGÍwo_søGœ£å}Qœú™0rà-\´ˆB£âsçþý‚ w#ÑÓ¯ÆÎ]Ä9_”ÚÏïx#»¦-<" xOÅ{ß)dD¼n=]´B6^D6PIäì¬7ë©Vc²ó¥žsc$ååÅ*ÖAÜb•†°Lìû÷¦)Û0\fyG'NåV¾üüÎÊFÉòÛ›Û7Ü•ò§=ìv;“a|ÚX"ÆB·9qõC›ÂkI¡.ò¢m³ý Vè1w;èè˜Ud˜n›ueƒ[Ò!i–Õn™=ge…ðƒ‘L`Q-i1HRçÕa-ÓXö«„áÛ¬C/kÔKìz|áïàSÈ?vöaA û™ßdÕ {G–Œ1™(—ŽxÆèeóègÆfœ¿(`ÅÅ·Pèƒ +© kF>ƒ b¬j1ì;˜ö`c°ñ„'똑;­Ê†Ë]±Ç`Ü°Žð šŸªØЃ$t Ú$¯$_q“†åCÄ!¢b´!h”C‚'áI`ƒ];RswiÃDÅAè#ŒòãißêißlWkàXTQçE;ãR4 —úÑ­˜U©Ðf*“¶èØÉxr’Œ]¬ƒHÇ8áô2;Z)`h ñdV%¡3³6œšÁ†SÍ6Œmü¡cá o¾Ðš2­„VHÝuÅv×q…BCøÈZ€N ›ê +,”Ëeǽ¥Ô‹»ªÌËëkK× ±1œi,¶o1þ/Ù² È›CÇEæÇj&hóŠ{Ú¢àëÒm¾/wrpB1PÖIêOf_üv(ÚnEšr~DÎ)çRDy•‘ ¾<‹‹Dn>ºd—>Ã0\kçµµí_0䘉Àù€FDaêc#' %6º‡3é†[ÛÃû¢]”8ìø;Ø\ÝqósYP«ép©­-K˜³¿åX‘ ö2ÒCnXhwY.m¤vý?@V–õH…AEñ±»Ô˾'–³m*ŽŒh¨|-c⌆ñ(Ø +C wí’ñ= [o4’T—gŒœ‹,Ï 6 U›¤?íî°“ þap4×P±@»¡èz¸#k›º•åÕÜÁô>«ËOÞV õت5³º›îŒ‘ ðPñ[vÂT–bÒ踩¼ºM)q3¨x¦ªëŒ~$ˆí2o¶[ZP<^?÷±³ŽÖk¶Ò‚bŠ:°ÊÉ$zßµåFYEl%LŽÅA`WÃõM¹–%üÛóJ„eî¾öc ‡ÝA³Sš7âec¸üT%XAË•Ô²æ"ë7nhúŒvÅn|âØ[ÊȶÙJ˺xä0"†á ÑR·¡ø'“oÝtLÍ’so Ö›À«¹äf0´È‰IBaOACUdZ.3!üxጡ_.3®’È ¸n€©"&¤>FDŠÙvW’‡‚6ydÞ´2]›=?¿|î|Àyeùà,‡ ºš“¥Ðe/0ë OÞÈ­pªÜóÂ¥º(„š³ TlXþXÜÁÌZÀUíÉÀÙõV`£©@[t V`[ž¢^¬ уA n¹ê#$2¨g˜@â¦B±zˆÙ¢–ɺM&ŒàæÇbSÖ³q%$:ÆØ‘–¢ótMCMÔ©ND¯ÔcCº @þn-æñnDˆÑI`zµ_7ùý§Ç'-+yn`}ÆŒó³V@¦Š¤‡9Õ&Î@aé±ðZâõ¥k< ƒ£h\2=Ä°>º–Ñ +9îzµœrékœ¤¢tœ£xÀys ×Ö0ôa€Ò\³•1‹vf“ä¡> „ +/ÂÈòû¢û†â=PÇŒ½˜CÍu~êÉ€u¸%ñÅáÄj ëSŸ½’…¡X‹¹5³ˆ(T.òr.˜IñYeuìC8•3¬Ÿ²s*vÖ ü4/y“ù½y7Œ•¼ÙÄñˆÚ’“¨©·%Iz—bÀ"Ù.˜Ä¥atàöG÷–É•cÙm¸45lñJŠµhùnšL‰roÞI¶)vÞ±ÈW=*ð×»3®­‹-†kÙ¾üä'“ûL„lßüð_Ðf ¡TDà¥0¸-òa9Á¼ :üÊ+z&Úècþêþ‹Øà&à5e¢]'¨Qº»ãNÿÞ%—ÒÜÜ󘵂.Ј&D©-|Û”ùFæžÎ£$ ýñ…Pjf³ÄèTÁz÷ßeÕ‡) =6„Ùˆv ¤vªM¥g5E»²>Q6@ØYÕb³t[ƒZÿ`]âš…8ojŒØÞú .¶’>‚ϣd¥™AæÇÿv(ö%%m"è”zzs¾7Š•"¡è"µê—}Ž¸‰UQù»ô«Ž«Ði¸!­®{ÎæÏqŽ•Žµ¬ô÷£Òê$íy®Â8ð/‚'ÌM¢@ÙÆr0_Åý„9Wè&¡qᇆ_HF½Ñ A,FÙØ¥Sµ–Ì·NÇȆµž-VX—°Ä˜%B¯¢+> endobj -743 0 obj << +747 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [464.1993 638.9439 511.2325 651.0035] +/Rect [464.1993 639.0148 511.2325 651.0745] /Subtype /Link /A << /S /GoTo /D (proposed_standards) >> >> endobj -744 0 obj << +748 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [55.6967 628.0049 105.4 639.0483] +/Rect [55.6967 628.0759 105.4 639.1193] /Subtype /Link /A << /S /GoTo /D (proposed_standards) >> >> endobj -741 0 obj << -/D [739 0 R /XYZ 56.6929 794.5015 null] +745 0 obj << +/D [743 0 R /XYZ 56.6929 794.5015 null] >> endobj 146 0 obj << -/D [739 0 R /XYZ 56.6929 704.5459 null] +/D [743 0 R /XYZ 56.6929 704.5805 null] >> endobj -742 0 obj << -/D [739 0 R /XYZ 56.6929 671.1703 null] +746 0 obj << +/D [743 0 R /XYZ 56.6929 671.2265 null] >> endobj 150 0 obj << -/D [739 0 R /XYZ 56.6929 515.8828 null] +/D [743 0 R /XYZ 56.6929 516.0178 null] >> endobj -745 0 obj << -/D [739 0 R /XYZ 56.6929 480.2977 null] +749 0 obj << +/D [743 0 R /XYZ 56.6929 480.4544 null] >> endobj -738 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F79 711 0 R /F57 624 0 R /F58 627 0 R /F56 618 0 R >> +154 0 obj << +/D [743 0 R /XYZ 56.6929 328.6232 null] +>> endobj +750 0 obj << +/D [743 0 R /XYZ 56.6929 301.3997 null] +>> endobj +742 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F42 601 0 R /F79 715 0 R /F57 628 0 R /F58 631 0 R /F56 622 0 R >> /ProcSet [ /PDF /Text ] >> endobj -749 0 obj << -/Length 2237 +754 0 obj << +/Length 2313 /Filter /FlateDecode >> stream -xÚå]oã6ò=¿ÂØ—ÊEÅ¢>¨æ)ífoS´A»›kè8EfbÝ*’kÉñ¦Eÿû 9¤LÉ´öpOE€h4Î÷ ‡4›Qøc3‘Êóx–å1I(Kfåã=À·œ1CZ¢Ð¥úêöìüMÍr’§Q:»½wx B…`³ÛÅÏÁ×o/¿¿½z7£„1™‡IJƒË×?ÎcÁåÍ×W¯ñÓë›÷¼¹ºœgqpûÏwW€a"N¬³+ßÿíõínÅ/·ßœ]ÝšºÖ0Ê•š¿žýü -À¨oÎ(á¹Hf[x¡„åy4{<‹N’˜s‹©ÏÞŸý00t¾ê¥>ï$\DD™Ç=1÷¹'ÉIÊ#®ÝsÝÌC± X,ª¾j›/à•‹ _J…§ÁjsWW¥²óüM’9ÜÀ<ÊrÐAñéª^2$ åBE†ªhV%4e£ˆÈOÅ㪖¤l=L‰`Ürý­md‡ftËvS/Põeñ$ v%˪¨ýÝ¿¹ž3ȲÕÏ…Yß/‹^ œ…QÊx–ÏBÆHž$‘U¶M_TೈÇÁ¶ªeë†hBÿýùgð`H²'D!WmÕôUó€kú±Úå -¸+: üºl»¾ƒÜã4 n—U‡ØÊpj¤\È…Y&ËbÓI$Ÿz¹n”ÉêÓcQ¨“ë'¹î´‰tlÚBé‘DAÓö ÿT4Ï´ äÁmaq÷êɃºm?¢Q€Ü¬ v‹@o¸/d]=YF/çsö¡à#k‚fdüÀÒà§y’U¿D¹è7¥‘Ž‘Ø &±ø«Ø,§ƒ2T12ÐùfµV f];Y¿ ¼(u€í²*—–E3,2Ð}»ÞîRUOËÉÊqÝA­;¬•ÉE.´•ošŸuHiEšŠ2ÌïÍÇÁ`7‘,õûìKOñ*ñ9É8Ç,ú\ëq’«þÇHóÍÍüÒèaã­IÝ`”鸎šâÑàmg´U9™ -ó6Jgoåý°‘ëJmD‘à†ƒµ1í\Éìð£1>hÄjµÝÖi4êË3>Ñ‚=ŽFoÕlrª7Xþu§Ld•m F™Ð«¡·:Ëúý®(?šÆ²9ä÷Á“#G·Í©.êïr*›#Ø -œlV¯h(ƒ:ÖZ³Ô¤µ†Z|bZ+h5×S@´¨ä2;Š¸ëf -ëJ6½aeœÂ›¡{í&µ`?CªD‡çÙtÓÔ—'\À‡“MÛÔϾù''"UC!v¥9h¬˜´(ŽÅ~h_”ð&ô–Kíè¡+OXz÷¨»IYÊæ#RÚÔxª -+®–e_=Jå›Ô5ƒ'Lwõ‡ßì_,° ['LÑY…ìÛI“‘N³qÞ÷?K2ÂãÌNµW¸%™üº)}S’?ì0j÷ÝqŸÙ¥Ï¸Ááx´s`qg·è¾ýòÐé"I``fâøQÉ!ÒG;*ç -¾ã¤ÿ@Y6•¨í<³£"¢=™“¡à8ÉüfF4FjGM:ê”Ú»ôðFxBàtÆOF"Â3‘=Œ@mñ$‹ÿäiŒKÝÓ9;ÐBó=<‡êHô,Õéð“êÄo*Ö@Wìÿ3‚ÄmhÓÃlJX–Š„’By’¥-ýE ÓUs$,@¤'éP ¤¥:ÈcR@NÅúéŠ}y ÷:õµö©ìú*ÎSBcq¢c¹T‡}5PôÕQ©;_í‰õúj$öêS¹,šÏÁ±7'½»ÖBã}àòæµ=Ž¹è•lU17 MÓñ9çín>>èÿCÛ‹6•8U·0‘Cu$F–êtŒŽIub4ë‘+öï·µÄ1ôå òåxª#´T§#xLªÁ©X]±§« " -yQ“ˆÀl—½(ŠéŸÞUþbg!‰9ÍóI±› X”ÅxÙO}“ÏÝM¼ Ç u–)ÌÑ ð8ÐgöZ1SW½®·õŸM×#´]¹®îôÔ®DݵORþ‚7m/-«¢·UÊ>õIe¬Qè»âtÔ!-5âbr q>›ÞÒNÌö€99g!ò¹ÝF¿ ¢OÒ^ûuRNS:f‚ˆ˜ Yx¬wü¸~˜!ðÎIî>tì'÷>_åˆ÷ê4d­â„íi“BßÉÇÊìÕ—%:¥Á”—RÀf  $IÄd»¹íZ“³ûØñ.c:¥xè,Ê/ûìfØáëïæ*0µRÿéy_d®‚0ùÇ…Í){8bo7Õ1{s¥V«.|hÃ¥\ËìpçhWŠ|àáÞgŽŽÒ„_†@ãµÉ¹ªj¹ðݼ*}.7&€#8?GĈª×n|sïø­]#U¼ÁÑÃGþ‡WÓ¢®Ûmد‹¦»W)á8¼šÛyVÅŽi^ -öñP?¡4­u“Ô?¥x܉KñÅ•=dØÅ$%…xêè³–]¿®Ê߆êò¸ëË^Ër³ît ‘¯äeâ ¼‹O$X8ÉÊi´ÜÁ6¨$¾Â£•³c½Ú¥DêRÆFHóR2¬Øñöój´ÆŸæ•eüêñ|_¡‹#ä–ÆaÂ袵i;ˆm< I¡oŸtUdj,b,À‰¹æÝeäŽg?ªÃ!=CÃ3÷UÉ_JÓƒ‰ç­9OÞažU?({¶:DôþÝÚ™73Â…ˆü§)ì9F)eäþ¬9üÀ½¯ú9Èúendstream +xÚå]oã6ò=¿ÂØ—ÊE͈¢(QÍÓ^7{MÑín®-Ð8EfbÝÊ’kÉñ¦Eÿû 9¤DÉ´½Ã=XÈá|Ïp†¡³þÑ™à$dYYaFw‚fá C+¡·:åÊšý>/>˜²²;föÞ#;7õ¹ê-q*–#¸œXVŸ¨'…,ÖBÓĵ†üÅ VÐf®;€4hP¡ÝÇu1×Ê€[T¥¬;CÊØ„rŸym%uà0>{,®½ólJiâ¶JП1UH±«iêêÙ×ûdD$Ìöƒh: ÞKŒÍh¨Z½XzöEánâG_·¡m;tÞéæJ_U;IJY? G +OenÙU²èÊ'ƒ©lS¸¦[ð‚©­^ï›»K‚¶ZëpÉ[+½[[iâÑ©`Ö͇æ§<%,NmC{ב¹ÄoêÂw)Á4‡íCí;.2CôŒ«vFƒýò{{=wÍ—ÇfJNS‰ôô€ì é†g<P° 4rT=v–ÄéI–=ÒÏI¿pœŒx~ í"ª‹½bh»ÌpT'µ9‡èðÌ!Œ˜ÉÙ¹9$",ü£Vü‰ƒ(—¸ƒ9æ»8`…ì´ï¤ã¾³Hg}wŠåà»)O¯ï\žÿKß·’Mgþ„Ð4Ÿ0/£Ï’´I¿l ©ªO¸P„$¡ôŒ ¤.4Hç]x‚¥ã O¿ ž/wáAq¾ÑÖ”Ýq+%‰RvÆJÒ +¤óV:ÁÒ±Ò„§ßJÏëááh2!vf¤»o,4®ú¯oßØÁË]ÞÈFUóÄr…I2žß†Nø¨á5g/ºAâr.;sƒ8H'œcÎ;çKÇ9ž~ç8<ÿoîO~îNøÎ ÷Ý –Žï&<ý¾sxžO,ð%ØâEþãæ-}‘ÿ’O¾<þCÿÍ`Ö ¿³Ìû> +¥1¾ã¥1¾ÒÀïðJý¡F•Ü F°Žýzj_ Sõª×épo–þµk;„–²-¶å½nÊ«ûæIªÎ^Ðà¶é¤%•w²BÙ_=ˆŒ%òŽ½ŒÚc åZ/\M¦ gk\çV¶#¶ããdŒÂÅçfgýÑLJ(¤}Ñk¥œ†s 1¸€¥ ¸Ž ©¸¹}œ!ðΉìá8 íCºÊïÕ°cµb„H“¨"6æ ¹,Ò9 ¦´”6á¾ç\$“éÙ½&ƒùØîGÞûb¸cd^TøŽgo¿?ÿ4¯|)¤fBàÿð2Š¯Ìb¦¡îâ_W6¤ð/“··è˜¼y/X”›vñØ,Vr+Ci›Bïi¸O•£H&„øž¬–ßD–HU%ËÕ ,=uÀ\^∌JWoür_ï­™|jcƒ`¯1FG™þòJšWU³_tÛ¼nTH8¯!å éØQ 5µKÁ>ê#ucÍ$õIµ=©ÑG˜p=ºllÂb H’ë·¥#Mtwêoçžözþ×¢wÚ¯”0!"µfaBDý«JiØ|õË?ýß–¼X%endstream endobj -748 0 obj << +753 0 obj << /Type /Page -/Contents 749 0 R -/Resources 747 0 R +/Contents 754 0 R +/Resources 752 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 717 0 R -/Annots [ 751 0 R ] +/Parent 721 0 R +/Annots [ 756 0 R ] >> endobj -751 0 obj << +756 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [417.8476 408.3291 466.5943 420.3887] +/Rect [417.8476 373.1601 466.5943 385.2198] /Subtype /Link /A << /S /GoTo /D (sample_configuration) >> >> endobj -750 0 obj << -/D [748 0 R /XYZ 85.0394 794.5015 null] +755 0 obj << +/D [753 0 R /XYZ 85.0394 794.5015 null] >> endobj -747 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F14 608 0 R >> +752 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F57 628 0 R /F56 622 0 R /F14 612 0 R >> /ProcSet [ /PDF /Text ] >> endobj -754 0 obj << -/Length 767 +759 0 obj << +/Length 796 /Filter /FlateDecode >> stream -xÚ½W[OÛ0~ϯˆxJâø–Ûxê lCb4Û ‚ •r)q¸”‰ÿ>;ICÚ:¥P˜*µÎÉñwŽ¿Ï>ÇE:¤;.pè^@‘£Ç©õkñkîdu½¾†š}àb=‹]=w°|}éáÕ©A¦@€Æèøçд°ý£‘i!Ÿ:¾±÷}pOjûÜu°ÿÇDƒ£½á~gŠ ¦Gð÷Épdž‡‡Ú0l3í®A"Ó¼ÕNÏ¡~%u¨A@ßÑÄ(°žjÔ!À¡„Ì-‰6Ò~µ€·ÕT%;L«ô8žŠ'.Á¤¢çyW®AY˜€AZYŸòŒ™– ¡±Ã'%À=Fé4a ÎÓúÅ_A Áb`ÛµWÍ8‰î›a%C ÇYÖƒZr6íNi“™;KŸñ$i“±WÓQÎI#^²‚·©Êäa€\ ¾Énmy^š[ç4΋‡¨¸Zžþ¬ %Iþ`ÝÞ±b¶à=ÉDü,JxŠ=.>¯C+‹(ãcV¬l,%­©ŠÀ³•tjf_*µ—"¨'lÆ4zÓÛ3«$+‰%êã² ±xƒ€úÀz^ß·û?C“ÿ&‰}@I§Ö‰PD”LJ¼ÊgØœ¾º‚ŸA^ -Š&yVnr^ -#Zªôœ÷219Žóì B|ý¥¶PX—‚Eq¢daEhcÚ,ÒèÔ5ª7[ ß–”øfaÖdÊ­ëܺaë«‹B>•îüÕ -P‰Øc^£m&ËKFÂnOQaHé²¼ œJ´-j…¢*[ÔïäS0^“¸¬Ÿ:€Q3Îû—^°ø®àÕ{c|L{ã¿€n¢Ä¢n[Ô3ô íoÕVÆy®êýëŲÙGµˆžn¾UÏPqüÑm£‡·þ®ey)JÈESU.d¥¼H£Ù%Û}Ï­¨_´µ¯* º¨ÈÛµâZ [ⷾĿü¡ ¾ÛûùBÏž¨/@š¤dæÈ_É|~Û_Mýˇpendstream +xÚÕW]OÛ0}ϯˆxJâø+‰3ž:(ÛЄÍö…Ô…Jù(ItÓþûì$Mê”BaÒ„TlÇ÷Ü{ÏïqÅÒm8öt×£À†ÈÖÃXƒúxöICõs¹ÉlïúèkÖ‘ƒuxvtÚÂb2†trnP@Á@ @c|úõ‹?0± ÓñÀDŒÚÌ8ø<<õGgÕúrëððÇ!d OF‡-98 .5üïg£ñàÒ?ÖF~i;‰ óN;¿„úD$u¬A@.Û‹·8¨ïlæõuoÿ{Ô䟕Ä:¢¤ÕÕ…+"Ä·Ü3ªO_¥U²‹_ ŠÊ¶.nÓ¼(ÛwWÓržý”Éq˜&⛕³Ž„‚¨ c¸¹äwä» P&@ê dºˆ­E¾üdXý/P½ƒ¾endstream endobj -753 0 obj << +758 0 obj << /Type /Page -/Contents 754 0 R -/Resources 752 0 R +/Contents 759 0 R +/Resources 757 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 717 0 R +/Parent 721 0 R >> endobj -755 0 obj << -/D [753 0 R /XYZ 56.6929 794.5015 null] +760 0 obj << +/D [758 0 R /XYZ 56.6929 794.5015 null] >> endobj -752 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >> +757 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -758 0 obj << -/Length 2220 +763 0 obj << +/Length 2272 /Filter /FlateDecode >> stream -xÚ¥X[—Û6~Ÿ_áGù$VDQ*=}pg&É´MšÍx÷¥é-ɶ]]fêýõ ,y4Ív7sNB .´X8ð'Ê·y‹0òlßþ".®œÅ¾½½,³ê…Vc©Ÿ6W¯Þî"²£À ›Ýh/e;J‰Å&ùݺ~·þ¸¹ý´\¹¾cyör厵¾ù×Ra­?\ßÞЧ›÷D¼¹]/CÏÚüóÓ-r„á:ŸWnîïÞ.ÿØü|u»ôßA8•ûvõûÎ"«ü|åØ2Rþâ&Ž-¢È]Wž/mß“²çäW÷Wÿ6}5KçlâKeûÊ gŒâÉ9£ÈÈö}72F¹+é®í!Å˼z㇣%nhG¾§à”­Ó¦Êì¸*w$;Ù>P¶ëy‚e?;¾SÕ´wú­Ëtž–-pñªÑ¹†Øê¦Ízî¡jPÖipÁëÅVQæRÑb%]¸•ç›C›T×ña¹ -Dzm×:+!à¾kDJ]¤MZ?¤5‰‰ÐµE`Ãÿîß—Sqñq-æ.„gKÐ -·€Õ~Ž¤Y Î[®„㜱uab—ÂV|ò›CÖ€½‚ÀêGMCs¨êIßÚwY’·­økÚ¶Y¹§Iw¤q³p׺ltÌn&hQ궫—BY)n1ê ‹½ Lp^šð)—›4iÜÕY{bM™ûÓ݇›È»vÎòIÚÄu¶Åc¥ð­ø Ë}?Á›˜Ác¾VågÇq÷]­é`d"'gÍ+Ó<¿àt;s„¦KÓ„h@1 qwˆo$’l‡ü]JŸKÞo—žm÷r-Yç]B®‡ÂÑ,ªâ´i8Xv4Æ´›nÏk&ÖÆ×ôÄ‹t™Ñ5Ï‹7Ù~êaà=fí(rkî:¶ ÆhŽ@$ôA׬Ðu–ŸhÚtÇ#`w -‚±á[Ž¤ ÃÀðNÄÀ™EÑ•Yl\ ‘Êï¡l4£+lñïªLy3¼º2öK`)×*«6ÛLz91²rØ¿Ó&{H‰õ­Kë‘Ò`€*ž#¬O& ¦uC_{è+Îi0–飹 (·`YãGåôæJÑpÐý¹yVd-m(Œ5Á0Ì0G+ÎàÍ<ë&¶¿”V‘í-‘Û”Yc‰êšt×åD“£€HN̲˜%Ž‰nSô…ãYkâ‘çO4Ü:ÞBÏìÄÃ%‡ªË“A^ÔÏ\B¼¥¸@M£GyO?² ‚ ò¬m×’ÜÝÇÕà+¿?ÈÐOv0Xƒ%YÙt&´1•ÄD6b@@K`B—Ö§c[ík}<˜þÅÎ3ä@€9Åñ­í‰FòR¨ Z}§kb(Ò:« ÐQÐ7êôåå\-DGy®äŠ w1†™©+t* -Xµ‚KÉÔSÕ2MºÍ7ƒ¢)·]}9Š!4=!‹`@Îì¤34«Ów·ÁÂ[- d#Û…Îjjù<+9ÙVGL3}®Ï½˜©·æ¢/϶àý6-Óiö¸?è:ålûË€w}ÿs«cN¨uVOSú;ˆÂf¾Ô»Ð»F•zˆ9)=ˆ}.A8O¹$`É‘ àïY=3õF }»Üf›¶iZ²íƒqèB"—-‹}™˜ÑÖû;Ñ/NvÂþ6P£Ü¹„퇪ßÉtÚÒZ—¤¦®·¤yÌ98…RGv]ÓûÇ°Z¾&¸Ð+:»@Àg×õÌuVFç˜à„ÃÑMÅ”:©¢3YÖô¢l7ƒP_]·U_IñŒÆ&~ö -“cÊÖ][PcÚ„A‡Åû»€¡; 0Ï«Gî÷¢!6Ìä1Ãn©ýÏ0Ó4W­Àâ4Á¾ODoOmÚ7‘õîýúzõþƧÙ 7ihì9>So«SI‚Ðúµ‚†«žËŒÜÆ„ê܈á€ÚŽJ¼ÏÙ¾˜–—:õÜêT7Y/B½‡âүԪŇªeáÖô…D1«ÐfEW gïš½q3ÐÔ¤D–/\V8k›°¹¤ÔÌUs2cIï"Ýöí˜qÒqIÝHÛ'œs»F>ÀÅÕ¤‘Lº˜WjÎŽec‹ÄèôÕ¨L?A”¤l ã¬`à…^8+Mã¡ÐñªH|ænùýã*f°ø»ßî7¼`{ÏÀyÜÉD}HaL zPD}ÁmÿÓ:I(Cùe¬À á‡/ügC[ó0_%< ¡ì‰srò¤@Ä(º"ô ·’mÎjBgÓô -ö*“†/±v:Œàhx/7¶/"w -ì]VÇ/ê2®’M[ þ8ÚaŠIm®¢ú`ŠPöJÖë¹\,íÄp†|ɯ£=Ó?!+Ç w„ºâ"=öϱ‹·I¿J7ˆŽK”™•nö熶P2šâÕ\Ì íWýêÖ¿þò6úíEÕˆ/ßí~IÖ?þøß"ïÂÌÏØÕ‡fAÉÞbãLáIø®©ŸÚë\~žµØ\ÝY‰È·CÏ—sõÇåúó^—Îÿ×â#éN2˜ô+øÝDò³âh"xšxÎ%Cf<Çʘ75­p1·bðÆñ ù'㈱©Y}ÏÏÐZß_ßÝñÆƧ <Ô -˜<è@%1áÅáÅŽvOÿûÎ`†iÓ›ín|N0ƒÁÌ7P,<ø ­\OÆÁ"ŠWyB-’âÂ[à·7‚׬úE«ñªŸ6/^‡þ"vãЛýH–v=­Åb³ûݹ|»þ°¹ú¸\ùÊsw¹R¡ç¬_ýc)„pÖï/¯^ÑO¯Þßñúj½Œgó÷WÈ~ŒûïÜÜ\¿Yþ±ùùâj3è7¾ƒð$*÷õâ÷?¼Å®òó…çÊX«Å=L½bµ;˜à»tǧ<Ò¤IWgí‰5eîO×ï_¹D^·s–Ü¥MRg[.{(f›¶÷iZ²ñÃq󽆔žÏ¦ÅžLÌh냼ø‘'’°õH?'H¸*Ò½$û0κ$5M½Í ËcÒÁ)Ô9"°ãšÞ?ùiù’ àCŸè‰ žß'ßìuVVç˜á„ÇáM•”:©¢³i›ÕôAÍn†E}iÝV}Å3F ›¶â žÂY±eë®­ +¨‚ aÐaåþ.`èa (ć7{ñvrŸa+„ÔáŒg˜„¯W`qš`Ó'B¢·§6í;¿Øyûn}¹z÷JÑŒl†Bû.ŽÏ4ÛêΖ’0r~­ Ûš­hÜÃDúÜ…á€ÚŽ*¼âô¿Ø~—ýÔîÔ4Y¿„ZÍ•ßìP#(ï«–·¶)$ŠY…ù–]1œA¼iÖÍ@S;Jø¬pÖâ+Í}Rjæy‘“Kfx™¶ïŬ“FˆÛeÐŒ´}Â9÷jäÜ\MºÈ]—ðNCÃÙ± rìJOAeÛ Õ®l ã¬`à…^7+Cã±0ɪØ)ænùíãkfðò·¿ÝlxÃ(öæá °†Ž½%â>àŽÿq‰%Ô¡Œü2>þ™PÑ3ÿ¹ÐÕÜÍI¡• UOœSS âåH±£_¸lsV›¦W°W™4|Ž¥ÓcüÆÃÛ{¨q•ˆýi<`ë² +~K—IµëÝß´õÐÛc¦˜Òæ +ªSD²¯÷P°^ÎebéÆøÅŲ%?@z„öhL¿ANN8î sŃäØ¿ÄH®ý=¡ ty›Ýæ“»i‡åS” ¿$óhVÌ2°.F}…J=½"ë3[¨©&*é±kfjïÄQs@,,4rî†^sæºÎ› +•ˆõ‘ó¥¬îK"‡ šÎžc½ÔNǼöH9¥;çÞ9Úwe÷eQ f +!DCˆÚî<ŒzņYn˜7yY*Ç}R4ÂLzR—«¡@<ø eZã>õ‰[*¿KÏ|ö†GÉÿýùûü½?ˆ\©µ?|ÙžXJz¡«ý8ê•BåEüPóá;ùcÕÿ [àW¬endstream endobj -757 0 obj << +762 0 obj << /Type /Page -/Contents 758 0 R -/Resources 756 0 R +/Contents 763 0 R +/Resources 761 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 764 0 R ->> endobj -759 0 obj << -/D [757 0 R /XYZ 85.0394 794.5015 null] ->> endobj -154 0 obj << -/D [757 0 R /XYZ 85.0394 638.3105 null] +/Parent 769 0 R >> endobj -760 0 obj << -/D [757 0 R /XYZ 85.0394 600.2421 null] +764 0 obj << +/D [762 0 R /XYZ 85.0394 794.5015 null] >> endobj 158 0 obj << -/D [757 0 R /XYZ 85.0394 433.5475 null] +/D [762 0 R /XYZ 85.0394 607.9601 null] >> endobj -761 0 obj << -/D [757 0 R /XYZ 85.0394 403.0897 null] +765 0 obj << +/D [762 0 R /XYZ 85.0394 571.7564 null] >> endobj 162 0 obj << -/D [757 0 R /XYZ 85.0394 351.2066 null] +/D [762 0 R /XYZ 85.0394 411.8462 null] >> endobj -762 0 obj << -/D [757 0 R /XYZ 85.0394 325.7421 null] +766 0 obj << +/D [762 0 R /XYZ 85.0394 383.253 null] >> endobj 166 0 obj << -/D [757 0 R /XYZ 85.0394 166.6305 null] +/D [762 0 R /XYZ 85.0394 335.6157 null] >> endobj -763 0 obj << -/D [757 0 R /XYZ 85.0394 141.1659 null] +767 0 obj << +/D [762 0 R /XYZ 85.0394 312.0158 null] >> endobj -756 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R /F58 627 0 R >> +170 0 obj << +/D [762 0 R /XYZ 85.0394 162.2273 null] +>> endobj +768 0 obj << +/D [762 0 R /XYZ 85.0394 138.6273 null] +>> endobj +761 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F43 604 0 R /F42 601 0 R /F56 622 0 R /F58 631 0 R >> /ProcSet [ /PDF /Text ] >> endobj -767 0 obj << +772 0 obj << /Length 2286 /Filter /FlateDecode >> @@ -1805,152 +1812,165 @@ G û mÚ’šÓ{6f°±ü¶Èíöø#ìÀpБÔÁ”=¦CÖocliô½®¬U¸ Rã‘_ŽoŽÏ%<›X|Ó±½ÉH8eÐe$mdŸÑl:ƒoAYë¼òÚ$uؾàØÔåc)z¢®ß´rÔˆ{pDN=v²‹Q‚Â7#ó䃚zT0³®ÊFaÀ˜¨ ×7?a#Wzº*´›Y&ý“E8|YÔèIAwîBK  ‡‡•‡S ‘(´ó`ãæèã’BúÑ'Ÿ<\À®¼éô«×Ê•Œ#>`AÎÒð>A(©.€Ò± îw9„ǰ؅ŵǰ1‰X/ÚBÍóŒa¡Þd¦y»I^uK}ílU¬ ŒAui­ÕCÖù°4mÝt[æ¡}ûÑcºˆÇ%XÁØÁ>ì™q.W€ä*÷j†‘8eñ%f×¥<^ÿEÚÊC¶Ý9ðv¯v™ÃzãTVõfÄS^»3Lð%zgiÔ˜é g{äuéÕó^uúŒÝ]Y-ñòðb‰ÜõëtÕç‚…MÐ|ióEyîêƒj `öœ‡k7í«!T}°«Ëbé+9#@ú’!ècòyöC¾¤)D X'8Mõ—œkÖl||šèɃ=~™#œq5Õ¯ööÚ^‰ê ¢çò„âL,á<Hz¢Ç¥¸àÕc£ïD—ñìG{ýßN߻˜ˆ$á~É!ç%aL¬PZpN/$w߉.Eÿ²âöendstream endobj -766 0 obj << +771 0 obj << /Type /Page -/Contents 767 0 R -/Resources 765 0 R +/Contents 772 0 R +/Resources 770 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 764 0 R -/Annots [ 773 0 R ] +/Parent 769 0 R +/Annots [ 778 0 R ] >> endobj -773 0 obj << +778 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [389.9997 61.5153 458.6717 73.5749] /Subtype /Link /A << /S /GoTo /D (dynamic_update_policies) >> >> endobj -768 0 obj << -/D [766 0 R /XYZ 56.6929 794.5015 null] ->> endobj -170 0 obj << -/D [766 0 R /XYZ 56.6929 769.5949 null] ->> endobj -769 0 obj << -/D [766 0 R /XYZ 56.6929 748.9393 null] +773 0 obj << +/D [771 0 R /XYZ 56.6929 794.5015 null] >> endobj 174 0 obj << -/D [766 0 R /XYZ 56.6929 700.6394 null] +/D [771 0 R /XYZ 56.6929 769.5949 null] >> endobj -770 0 obj << -/D [766 0 R /XYZ 56.6929 671.7552 null] +774 0 obj << +/D [771 0 R /XYZ 56.6929 748.9393 null] >> endobj 178 0 obj << -/D [766 0 R /XYZ 56.6929 470.7895 null] +/D [771 0 R /XYZ 56.6929 700.6394 null] >> endobj -771 0 obj << -/D [766 0 R /XYZ 56.6929 441.9053 null] +775 0 obj << +/D [771 0 R /XYZ 56.6929 671.7552 null] >> endobj 182 0 obj << -/D [766 0 R /XYZ 56.6929 233.8866 null] +/D [771 0 R /XYZ 56.6929 470.7895 null] >> endobj -772 0 obj << -/D [766 0 R /XYZ 56.6929 205.0024 null] +776 0 obj << +/D [771 0 R /XYZ 56.6929 441.9053 null] >> endobj -765 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F14 608 0 R >> -/ProcSet [ /PDF /Text ] +186 0 obj << +/D [771 0 R /XYZ 56.6929 233.8866 null] >> endobj 777 0 obj << -/Length 3192 +/D [771 0 R /XYZ 56.6929 205.0024 null] +>> endobj +770 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F56 622 0 R /F57 628 0 R /F14 612 0 R >> +/ProcSet [ /PDF /Text ] +>> endobj +782 0 obj << +/Length 3205 /Filter /FlateDecode >> stream -xÚ¥ZÝsÛ6÷_¡·“g"–$~LŸœÄiÒ›¦½D½››¦´Y¸R¤JPv|ýíøe&éÌ,€Åb±ØýíÊÑ*„¿h•ë TE²ÊŠ$Ða¤W»ÓU¸º‡±®"™³ñ“6ãY/·Wß½IãUiœ®¶‡¯<ó·×Q¾nvÆ9[ß3­9à7]o?¾û)ÎÞ×fÏíL-ïãÞ®¬y2ñ1îRu<`kYjL[VÜ1-o×:¸‚¸È×ïCœ¬ËÇ’eä®3-†Öñ 1ú›Ÿ?ütûáw>…:<4í©ì¸ßË“mUqëN8ó.Ý¥…£oÐíNF»ãT€“º‘­.õÞ´®+ëý°ná|¼Ù®¡ï´ªÂn—ôëµÿ–cÑä’€L7 ß“u»¦þ†ñý¥-;ÛÔ(¸ -Áµ\‡…'¬îdÔ|>Wvg»ê‰û_Ú{/ÌÏ«Þ$Ô|_“sòÓï-^õ`Ð!Nð-ùãÎfgqÃôûkz¶yë$#¶h*Îq5~ØZTœ­ü™±-*7öA¿zd±´BÆöÝ“Ì«ù{©ÿ¨›ÇšWýažÈÆU’³š‘.wunj',ÙJˆ¡ñŒd›Ëx´Ýf©HXBCŽ÷j>w y’è½Ysw×ì Os¦ _Þ¼F§‰òL! ·ä~‹h¢Aèö„öLƒ*äÕÑHƒÐP~É"ÊîÒï¦pP|¨*ÌÖû†8’ÊÊîËΠžãP”>Ó3,=ÃØPz=U£ …‰H#͆ÙD³0(š 3ÒìÂ¥‘žzŽwHÅIJJJ´ß Zc'ÃÃÄöLÅÃêAÅБ“$šGá@ö$CÍ¥svï;þòyqzU5tHXÔ–õ=©5-¾î¦¼’c¥½ËS){ ôO\yÁp”ÝŽòÇFÒ b¤TŒ]V1N#ãE¹EJݾûéö³gUÞ±)x$­\(ÂÍ]°Ãrÿp‚$M¯î•+1E¤0{hÌtž0ûNî²ÃH|¸Tä>JîÌ oOÀpÞÕl“#…oèüt¢Õ{ -N£µÃ ™‹ŸÁs ÿ$¿^L+{ᛀ°ºÈŽ@BØÁ/QçNÓY˜*Ïrüs‹GEÇœ¡Ësœ0+IÜ'îø!™Šx½ƒYª ‰ÛFG?Èѵ{Ln`F•¬íGÑ<è *CLâ„£,™,hkMÝ•èùX¼E$2©-|ñDÐu>óÒa.ÐÀƒ8¤Ìõ†£­¸N’®oy±DrÐòAì×Fî8ˆÁÂsÙ¦±ç’B,Nå…c¦–pT[sqòýzè“ÐäƒÜ^h{²>D÷°`ò^±ß¿×ï1ÕRÃLó¹Ü Ô˜:~â~Ëvpy¨[~”yä¹þ GûIˆŽüëh \¤ä5&Ÿn±ô¸á,æø þ\¼$"|ß/×¹‰÷ñ}ú%äïÍ[z@&HöV°d\8Àx¦/ˆú£È‚­°ÝC®ñ`d5ù ’U‘2„±Ž§j›Ú×Ñ~"h?´?Ž¹ËKFýìžDFš@$X;m,°¨îr>7m'eÂ×ï?~¼}Å#“}h´ƒ„Õ%Z2³HOK ¢t2æ J\—L¥°©×Þ¼bB¬•f¿k ÁX\¨(XÊ©¦ò(HÑ :n/w•Ý}Nà½'ÐäÚ )ÂÀwœf1Ňs0ñ ÐÍN¢O‘Sã·V1Áú½L‹¯Ÿîü/ù=Ÿ/bÕ§Å|ì±&_„¡Ý °[(í÷>Û[™eô€ÀÀ{¸‡ÎGù¦õH ¶žvWö@¡©}ì7ýFܨAÎYmMFºâÚ"xú™%LJɨª¨¤nª’q…j¹±»i] ñù‹’"(P†¬]Ø&¥†D¤m$A’¶‰àÞòµ¯- ÷§Ëb²Žqñû™žúj-á<•Ö§ì]gNçY–_5lZ4¡–ønzO¾œ¶p-\\¸‘Ù tpì„‘õA껀µ-¤ˆ›I¡wûêYÃölÊ“–u³C‰3ðˆoVóÝzYåÞèàMåÁ§=Ÿ½Ñ ¸XÜ´Š9õðR„X>ã¬t=¾F©,ˆóÈc¶Cz~î"!ЄºÏ9½/¸ð"PÀr^sÉÅ ‹§ü¦ÿ}Õ>»^ìùhwŒIFnˆ=)Ðè - -¿Àéb0Áñ÷Ü8gï*ýðÛ‘Ý£“ÂWþŠt`öÑì.­íž¸‡jfÁ ôW¤pâ> ánîìÒ¯bZȼ}$]iÀý±Î§žêŽNB‰fž€¯ÂGΗ›ÉO^ðåÈ¥ëÔ'S½„'ð›â™@Õ{\ùÙ&Cˆë£töÆíZ{gdŒÕ âå0³ç˹s–ù:ÊÌSôáqf˜æ»Å—û®æÌ_`,Áï+«Hæß €p93¡ä®ßˆçìFÅzM› µøñH9®é 'pcÖ—ô©´Îœ…ôVyd*Wx'ü W«f¾…ŠE7 -Àsí ýý¯˜X»Goᦿ8¤S¡9ÁŹ¶ö­,!_9~/|6å‚?¥A>¬ҞթOT^Úþç -8'&StÒ\n-ÃjýÒIû2ñP·‡·”=LÄIáS™Íqá ³ÑEâlskL5ÆÎ?RŽÀðÁÂ6·*Kuž4a—ÓË"9¤T0Õzý¾¡è’jïlS@ÓÁ²ˆÈ÷ÍY¹‹wè!81 _ne¸ê½\6O”~ž÷ ?¶ÉUÆ£_è›öNŒº—-w]Cé3Œ7ílÁ³9ù^âÿ[áò…ĹtRè¯Þˆâ('7B?.ŠƒÀ]ÄnÇÂy«F¡$rú†A–fÙÒ¯‹³ÐÄÁçj0e[Ù.ö·2ŽÖ»æt'Ʊ`u{Tžƒ—ÖÝ⨖þw*þÃÅÂZ„ý?Süßÿ×1ü#K’*Ïãá_6¦y^äq‘y¡Pwq4—¼ÿç¢ÿÝÕ;endstream +xÚ¥ZÝsÛ6÷_¡·“g"$~LŸœÄiÒ›¦½D½››¶´Y¼P¤JRv|ýíHf’ÎÜøÀX,‹Ýß®®ü…«ÌJçñ*ÍãÀ¨Ð¬v§+µº‡±®B™³q“6þ¬—Û«ïÞ$Ñ*ò$JVÛƒÇ+ T–…«íþ·õ«·7¿lo?\o"£Öqp½1‰Zß¼þçu†ë›÷¯n_óÐë÷¹ñæöæ:×Û_?Ü"Eå0/Y¹ýûí¿¯ÿØþxu»äóÏ*ÂýyõÛjµ‡£üx¥gfõ„y­NW±Ñ‰µv”êêãÕ?†Þ(-]Ò‰ÑY`²(]PJ­Â0ȉ&Z1yèH“V`E\oB¥Ôú¶m›¶ÃCÁRíéS­6QD¹IhÍöhAaº>·×a¶nv¶ëÊúžiÍ¿ÉzûñÝLéÊûÚî¹}‚©Å½í¸·+jžL|lw©z(kYjl[Tܱ-o×vpQž­ßx øâ>­ã]:[ ÿ¾™¬¬›zƒÇƃ +Ãò¢x]<,#w;Û‚`h/# ¿ùùÃO·>pçweÔ¡iOEÏýA~™ôXV·î„3ïÒ_Z8ŠðÝîd´?N˜1©ÙêRïmÛõE½×-œ7Û5ô݃VµŠàvI_‘Y»oá‹&—dºiøžÊn×Ô¿+Ý_Ú¢/›×jÜ8Á'8,¼tÂêNFíçsUîʾzâþÈ—öÞ ³Æñª÷ž„†ïkrN~úƒeÀ«-:Ä ¾º³Ý•¸áNúÃ5Û,ÈLœ[´?e¸?l-:J}kÁwfl‹Êmù€`XíY,­±}÷$ójþ^êOuóXóªOö‰üh\Ç«érWç¦î„%[ 1´Ž‘l³`e„Y:–ÐãÁ½ÚÏ=hžäú`ÖÜÝ5{ËÓ:Û ‹†¿/o^£ÓDy¦á[ð +·E8Ñ t B{¦A­xuèi:ãŠ/YDÑ_†=TŇªUºÞ7Ähô ôPTå¾è-ê9R¢õLÏ°Dô cwBôLTŒ6&rl yšUéD³0(šU)iváÒHϱA=Ç€;¤â8!%ÅÆí-_Åñø0±=Sñ¸zT1tä$±áQ8Py’¡æÒwåÞuüåóâôªjé°¨-ê{Rk’ÝM J•S2´î„2¨˜FI°ÐÝS8X–Ê}ÝW1tEÅ¡3Þ]~A©Ûw?ݾàyÖÉrxh­\HoNÐû#‡—€^÷ÿ'H¾ zº£Äˆ)"…ýf’Ìt€žÐp¼ºË#ñáR‘û>p¡äÎ,ùvS–õ7ȇӎväÛÙ=xªÆíåâÿÖyÒ²® ãÞL\ê•À= +-FÔì{â÷?oÑßÞüº}ËäÆq ýô$ªûrOqÜA+tâÌ)¸kè¥F Ž8³Ñ‚ ¼Ñ +°‘æùÞ,Ey MœÃlœÄ±1æÈ£A?»cQ—݉©‡¦e:ÜùR`ìÞÖÃ$&œ"ýXxANƒfv‚@è­­y°l˜zlº¾£À",ó1ŠXô¤ðº6î$Ó[ƒ5'¸£ˆ¯r4ŽçÊ2q T¨E _Ш3TY,“Äœ#ØÃwŽÍ# +î¬ (ͨAÚ…¯èŠt‚µ¼ èø¹ÃÁc“®_¾{ÿš'ä²üt®ì ¥ãùM] 㦶þÙ £@¤ž§3G*¯æ‘JèÑGÎaCŠPP·ô´6omUè-ºàû âÞ’ˆÙúeƒ.‰OÝ9±Æ:·ÿ¼”ƒjYU<ÈÞ–EÀ r#s3ÅzÐ2z[EÕ›Ë=J§Ñ—×n¹³´„n¾ü$õ’Ü8LrkÆø=‹C`ËákB?øù/\ ¿g +u[3ÓÓaĹN¿n{`Ýe2ÉKQx' Â¥á<„!)ÈAiSƒpi [=âI@ç‚ Úœ Z4 A¤42T¶Ψ%‹Šò®þ³‹b¤* +¿yöXÛó}”$'ùÌÃd3“»g +--x T%ÇeìÍ:o’|BɲÆØosDÆÖ–ÉóóAêªâ$þæñ’0s÷ÏRbT¨:‰wlD^/®ìme{(‚‚S„ˆ+šÀ8%ßc!sÅÊæÒ‘SÚà¥8KØ„‘’Þd cÖ¼p¯*ˆ äÕßr§©2ñ’IkÃÞ’¾uÙ—ì-±K‰CÂ𺻪¤×‡mr¤ð@Ÿ›N´zOÁÉ[;¾¹ø)<¥þ’ü.füy±­ì…o’Äê"; ¡ ¿D“&Ifaª8ËñÏ-sŠ.¯cl¡%¹×œÜã‡dÊ£õƼT[“» C~Þµ n° F¯Ë–½|AeˆI:aÀHL&;°šb:ÛèùX¼E$2©?|ñ„Ðu>óÒ*cxA¦À@)s½á(D+®¥$ë›CO^LaIŽZ.ˆ½àúÉ1Xx.ZÀ4å¹ ‹S9@ᘭ%œµ¬¹R6õ=HôIhrAn/´=•.D°`ò^±?¼×ï1ÓãLû¹Ø Ô˜:~â~ËîàR¿ü(³<È2ó0Žq“'ù×Ñ +¸HYl©T£pºAÔ÷" N,…íò‘+«Éß‘¬Šôê@E&šªÁ7µ¯£ýXÐ~*hß¹ËEMFýìžD††@$X;m,°¨Ýå|nÚ^J‰¯ßüxûŠG&ûÐhIm–X’™áb¿Ü ,ŠNÆ\щk—‰?ÍúÛWLˆŒ6Lâw $‹rKù×T‡;n/wU¹ûœÀ{O ÉµçR¨¯Ÿf1Å…s0ñÐÍN¢O’Sã·V1¡t{Ù_?Ý7ø_ò{¹+(A£+Nv ©‚=Öä‹0´w#làJû½‹ÅåCYÙe €ÀÁ€{¸‡ÞEù¦uH .í®€BS»Øo‡¸Qƒœ³ú›ŒH °v )âfR Þ¾úEÖ°=ÛâÔM«áÄ8Ä7« o¬rotð¦rà³<ŸÑ¸XÜ´ò9uðR„X>㬼= +¾Fé4ˆ²Ða¶Cz~î"!Ð(3ä‹Þ\xh`9¯¹dâ…ÅS~Óÿ¾jŸÎ}/ö|,wŒI<7Äž4—‚UnäWº<™@ &tü=7]WÞU–{=à·#»)F'¹+®åÉÈì£Ý]ڲ⪙€îé/OàÄCÂÜÜ•K¿œ @"ut‘te÷G&›z>ªMvpJ4“d%3ñå&ìB£DKdB ê“©@ƒ^ü‚ëyü¨x* ƒS÷ÛNBå%Q°ÙÛn×–wVƤê­%Š;åÂð$yŠRf®bˆ3óÄ<¿[|ºïjNýÇþVü[’¹ „Ë™ wÝF> endobj -778 0 obj << -/D [776 0 R /XYZ 85.0394 794.5015 null] ->> endobj -186 0 obj << -/D [776 0 R /XYZ 85.0394 769.5949 null] +/Parent 769 0 R >> endobj -779 0 obj << -/D [776 0 R /XYZ 85.0394 751.9762 null] +783 0 obj << +/D [781 0 R /XYZ 85.0394 794.5015 null] >> endobj 190 0 obj << -/D [776 0 R /XYZ 85.0394 586.2284 null] +/D [781 0 R /XYZ 85.0394 769.5949 null] >> endobj -780 0 obj << -/D [776 0 R /XYZ 85.0394 552.101 null] +784 0 obj << +/D [781 0 R /XYZ 85.0394 751.9762 null] >> endobj 194 0 obj << -/D [776 0 R /XYZ 85.0394 373.7735 null] +/D [781 0 R /XYZ 85.0394 585.5608 null] >> endobj -781 0 obj << -/D [776 0 R /XYZ 85.0394 339.0798 null] +785 0 obj << +/D [781 0 R /XYZ 85.0394 552.101 null] >> endobj 198 0 obj << -/D [776 0 R /XYZ 85.0394 207.963 null] +/D [781 0 R /XYZ 85.0394 373.7735 null] >> endobj -782 0 obj << -/D [776 0 R /XYZ 85.0394 174.5031 null] +786 0 obj << +/D [781 0 R /XYZ 85.0394 339.0798 null] >> endobj -775 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] +202 0 obj << +/D [781 0 R /XYZ 85.0394 207.963 null] >> endobj -785 0 obj << -/Length 2942 -/Filter /FlateDecode +787 0 obj << +/D [781 0 R /XYZ 85.0394 174.5031 null] +>> endobj +780 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F56 622 0 R /F57 628 0 R >> +/ProcSet [ /PDF /Text ] +>> endobj +790 0 obj << +/Length 2937 +/Filter /FlateDecode >> stream -xÚ­]sãÆíÝ¿Â9yrÚì¿Ò'çìK.i/­ít¦—äi›‰TDÊ®òë ,°+RZŸ“iG±ØÀâc)u.á§Î“T¤….γŠDªä|¹>“ç0öÍ™bš¹'š©¾¾;ûò}ªÏ Q¤:=¿»­• ™çêü®úifE..`9»úx{{ýîb®Š$1³wß^þãîúæb® DDryõ¯ ¥Ôìòã»ë+‚Y¼¿¾¼ÈììîÇ›ëÛ‹_î¾;»¾ Žw¡¤Añ~;ûéy^Áf¾;“Âyrþ /R¨¢Ðçë3›‘XcÉFþ¤³BØ4ÏAd”ôê–h&>§¬°6ñ$ÄsÙ¹gÅ+G’Uõª~>’vM;§Ôœ(”MAG…ÚnÙ÷(º±zÖ èÍ*0÷4Û½Ç=ƒ2‘uHø¦%ÌàT‰´è[ÓÛÓðš§êYÝxNz¶¸PxzD¯ÇY­öô¾ìÚŸ¥Ô;ÚxEËСqòLø§Fà÷`Ì_QŽ±¥‚Êb4Þp-+eJW.º§à#ÞoÂhÓ1Áo Ô‚m­Ïƒ¬÷(¹ÉE–šœê p€8ÈN1”NÃÚ«\³M‘®‹Ïçàf¤tZ‰ŒôܬV,KóÀLJò®àô(ºÉjæ¥ÆÞƼ²Ä*=×nm€<†æÀÒ©ÄK§8 q»'`¢0xçÃïlÁkà¶uQÌ>EÖc­ôX>ÕGôåš¡6@Q)vHõðÜø© û C°‹S¯LsQÈï ‰œ"ç'ʾ(@™˜¤MÅÊ°Ù¹<+g˜=WuO¤m„ðxà“£yµ[ÖÕWõ©TŠ™B¾ŸÊõ…”ÉJ›´G¤xÉR‘éµfTAP|Ûô%t’L’õÔ Ü7Ûæ }'"´hŸ½~–‰|>ìÆÈ™[@WKLùø„¢„ýÄ!1òºAz8D`(`U…}O¢Èë'ãd‚12ÄÜãYnÃAîIH¥Xjlî6sw%”Ž{{Ì‹r#Ò<Õå(,Ù²ID26sÜ 1¦z+ƒbõò-a!h GWÿûUÂë$'cx x°–b̳­ˆš´ä¤CÄ”¬(‡seíÔP<6ã! ûâ1˲¯ÙH£ü¯fÞo9…Àâr´†z!ª¨<™•–÷ÿK$Òä aô”„%í‰5×Nȯ£ç(ÂåÎó=f=qÖÓ>nãvv‹ä*ô ˆ˜&éI‡GÑ2ìñÅÈi!Ä%‰ßaü|C©i¥Šm.Z†X=Ù¡ ×hpŸ“Ý&²D$Izê /Á¤,k)+F•zƾƒXî°Ez×5€âø·©·Cƒ'GQ5‹dÍáx’Us³îëQ;æÈÁ' ×›ºäåXŠ||÷·¯bõ!”r±2™O‰}¥«ú?Úwiî»nÁUCíÚ¹O\ýߺ/<¿ÇÍ2¨Iþ|÷ÅÝË¡˜Âåù\©€ŒZu`í>–µ€òÉÇt±zˆ êË“¢8±©„àÛq¥Ùoº¶jà`9'’ìð9îa0>÷»…ë[xÔ;³dg–jtù2`ùžúÄ CìÆ’4àî¤ò¥ ‘ÕÝ9œnwŽÕG æ#^AEÃ_fÒä³Õ h8-ŒO77·¾‰©O‹LY½åqÕ¿=t/\¦[Å¢!–LÄÝ$@eÆ€4²H^¹pÊ Å2 sµž« ·‹,3nî#ìð÷°Ô›yõæE%úŽ®áõúM½tù ®ÐÀJÍ>Ä8¤ tXòÏrpgÀZH^ZWXw#Þ†ÃÏêŠïrnnà0ô‘>„Vwæ‰<\ËÊ 8Ûúøà.|TU~òÀÎ]Šá•úgB‘Ž»-| ݾàè ¤¨_dÞ‰¬A'êwë0Û.÷ì‰ÐÕªð^Ò#äd²ÕU4Xa@÷£~J¼Ö‚A_%’"œ*°~¥à×\[¨p!¼uU}_îVªô=åäVõý ]7_åòGB¿{>•ÍŠ/ ܯ/Çg96êk·^ÓÊMDšIm"C> ±‹´…„úC:=âñ®« cô"ÂÞ £Íñùj{öM²pÂOe.WÑ0S Îs0³.üUü±8> ¼`i4Ô`ËÚÇ’˜²™°Y¨K°âºjnµ6OÍÑ%M×Þ¿Vï–ýÑoZ§L*¯Iúxd™ø¨2˜óúŸuˆh$…¿8ã+•<ó Ù‘‡èÁéœPt‰† 'àBdP.c‰N—ô£ÅªÕÓÑDŒÜÚ¥æÞó g'ÏéìPÏ;˜~¸AáMpÂ'ÈØMUŽT‰ƒãIºðGûtþŒæR=}H3Òó楮Gƒê3“x¾úxûýõ¿círÛá"{gf^Då·£êÇW·S÷„fßHc^IËÚª,^!pÓ嘗¬ ¯jº?ɵ°ê6)Ù½˜ª@ÛýèãÑ4½àDZzºõ´ázú]ø¢ªê[þÒôz=í[?m@D§#­‚Y.|ÜQ\Fh¥¼ù^td)j­Ëï· Ätçñ@Gôš¿ê„‰¿íêÞÕ€¹§yë@H_1a¤|>œx]®ìKÞF¶b”†:ÝÚi«0Ù¹9¾–4©5S+¯ÃÇÏE0÷‘E÷œš"׊¤p+?£p8 6äëÏ(Ü„žoà5ŸÊUSQ®´˜…ûg÷Å_Fú³‡ï.£ï’‘Æ*“"ËÂÅkêJSÌ]fT½;V}·~a—yî-1lA§u5ÿ5þ.fèpëÉú·Nÿ”sT%ŽINrÎÑ·NJ*ôYû(dÀVµ -Ÿ…)¡½´’µR„DûÂ?.L"ðo‘ÿGÈp´ÿçcþ€Ù乎ÿÑBg9$eX„…BÁµ>‘ÜÿmãTôÿù endstream +xÚ­Z[së6~ϯÈÃÎÔ™³¼éÖ}JOrÚÓîžî&éÎl/²¥$šÚ’kÉɺ¿~¤%›IÚÙ?ˆA@àeu.á§Î“T¤….γŠDªä|¹>“çÐ÷õ™bž¹gš¹¾º;ûâCªÏ Q¤:=¿»Í• ™çêü®úifE..`9»út{{ýþb®Š$1³÷ß\þãîúæb® LÄryõ¯ ¥ÔìòÓûë+ê‚QÔøp}y‘ÙÙÝ7×·¿Ü}{v}$ïBIƒâývöÓ/ò¼‚Í|{&…)òäü^¤PE¡Ï×g61"±ÆxÊêìöìŸaÂQ¯ÕŠ’BÐÀ©Z¬‰©%)Dj´qj¹{¬·*ŸÕ¸¹t¶Þõ¶’Y¹ê;¢-¸oÙ­×»¶Y–CÓµÄôÜ Ô9<Ö<®Z7mÓÛrè¶=uv÷GL›’mê(Ûê‹nËË<6«ŠØ~ïZ^{`Y`Ú¶_7*v?WJ€µÛʯõ¾ûY öîºñŸ¡ …™õõr·m†=õôC9츇÷ T·S 4m…Û¬+&ï‰LâCc">¯C=÷n@*éÝû’–å¦\¬˜‘&è»ÕSÍ#`‹‘M Û‹|ÆF‘³fè©Q•C {5J‚&úgÅj“ ±[§Û=Ö*´˧úH€¾\s« ­¨”G;$¼€<7~(´†ý†[°‹S¯LsQȮ鵪Ñó؆¹"•ýg­íöŠ¸`O$wÔàÙ¬7«‡H ÏÑÕÙ +Ú¯ï>ü•šà5>¯<§gëZOÂMFœ×Ÿù›ÛËÛo.•<£}çCß}·ZuÏ!p¡FÉ`I8l'Á¢¤G–æóE3L; +Ó÷ãX~šbt^¥Ùa4õJÔWĽr‡! s£¿äIóiˆ 2K¦;žÒy +‘f^Ò3Èîˆ zÂî˜ÀÜÎç]k"§ˆÇù‰²/ +P&&iSX6;—gå ³çªî©ƒ´-<øäh^í–uõeD}*•¢ÀEH!ßMåú\Êäs¥MÚ#^²TdFzí£Ù#(À·M_Z‚N’I20£žzáaõͶyB߉H °”JyöŸe"Ÿ€Ý€ß¸PY…skãR>½{?qDŒ¼H,éÕ9 6†òf…3†ËÉëýÀOÀ(ȳ‡ô…½Ã˜ßm5H< ¦EÍÝbŽ®„Òq?ùOnDš§ú …`-›Ä"c3·š¡… ieS/ßE:rtò¿_%U$V”õ´âÒ\qÝ‚«Ô +¹ýßê.<¿Ç'Í2@#¾îâºå£pz>WE* —GµW»åe-8ù8€.V!A}yR'6•|;Ƙý¦k«–s"IÁŸãêãs¿[¸Š…{½3Kvf©F×.÷Tñ‰€.vcIp· RyÐ#Cdu· §Û#Ô±ú(Á|Â˧høËLš¼Šk@Ãia|¸¹¹ýøuL}ZdʪèýŽÃýöP·0@·þrEC<,™‰ëHh•}LÒÈ"yãª)ƒË,¼ªõ«šp¯ÈðÂÍ}d9¼½=LõÙ¼úìE%úZ®áùúM½tù ®ÐÀJÍ>ÆVH¨­äŸ]Ák!yiÈ^S„Õq1à]8ü| ®øçæC©@h†qMžÈÃ…¬ Šƒf[Ü…¯~ªÊwAعë0¼L%!é¸ÎÂ×Pgá ˆžšõ‹Ì;‘5èDýnFbÁåž=1:¬ +ï%=BŽÀE@¶ºŠæ+ è~TI‰·Š/¨¨DR„SÖÏ +~ŸØÂ…ð~TTõ}¹[ l¨ÒW““û<Ö÷3ÔÛ|‰Ëw õÝó©lV|Uà.w=<ךåبoÝwM‘›ˆ”‘2Z>†|@¥a)‰ô‡tz´Æ÷8¯‚ZÑ׈ØöÅ6ÚŸo†`ß$ 'üTábp 3…°à<3ëÂ_‹ã3¶L# ¶¬},‰)› ›\‚e㪹ÕJØ<5G×3]{ÿÞ-û£ß´N™¯Iúxd™øÌyþW" +’¤ðWf|™’gþÓ´Fvä.zp:']Ÿa ´ÇG Àe„èt=?š¬Z= ÄÈ­]jîýºáìä9Âù¼ƒé'D*ñÂ?5†Å©ÈõŒ¾a§~uúõ {ù{J^¯H„µ¹wæ«O·ß]ÿ;v»n-„ lt—ྛм͖;=ÔN½R¦"·¯'㿼&q\@¥-\|ERdíòâèv²^LP Çí~ô±h×^ðÞŠ.Š6Œ¢ß‡/8Kßò—¥·Q´/ø´]tŽFdE®Æ<³ŒÐJy$0ð¤#CQA]n|]¸m ’;?>â×ü' ümW÷åžÆ­#}µ„žòù`x]®¬FÞE¶b”Z;-&;7Ç×&µfjòuøعæ>²èžRä‘nå+ +lgC–~Eá&TzÏùT®šŠ2¤ÅÜÛ?»/Œø2ÒŸ=|g}‡Œ”S™Yn*ÞRWšbÆ2#Ìî–ê»õ »ÌCD¶ Óºšÿÿè–@ t¸ådý[§Ê4*`c’“Lsôm“R }Æ>Š°U­Âg`Jc/¤ª¤@­!½¾ð “ü[Däÿ2íÿù߇?œ@6y®ã¬ÐY©&a¡Pp­O$÷Ó8ý¿Ã@ îendstream endobj -784 0 obj << +789 0 obj << /Type /Page -/Contents 785 0 R -/Resources 783 0 R +/Contents 790 0 R +/Resources 788 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 764 0 R ->> endobj -786 0 obj << -/D [784 0 R /XYZ 56.6929 794.5015 null] ->> endobj -202 0 obj << -/D [784 0 R /XYZ 56.6929 684.186 null] +/Parent 769 0 R >> endobj -787 0 obj << -/D [784 0 R /XYZ 56.6929 655.2772 null] +791 0 obj << +/D [789 0 R /XYZ 56.6929 794.5015 null] >> endobj 206 0 obj << -/D [784 0 R /XYZ 56.6929 387.8252 null] +/D [789 0 R /XYZ 56.6929 684.186 null] >> endobj -788 0 obj << -/D [784 0 R /XYZ 56.6929 356.2664 null] +792 0 obj << +/D [789 0 R /XYZ 56.6929 655.2772 null] >> endobj 210 0 obj << -/D [784 0 R /XYZ 56.6929 153.01 null] +/D [789 0 R /XYZ 56.6929 387.8252 null] >> endobj -789 0 obj << -/D [784 0 R /XYZ 56.6929 124.1011 null] +793 0 obj << +/D [789 0 R /XYZ 56.6929 356.2664 null] >> endobj -783 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F58 627 0 R >> +214 0 obj << +/D [789 0 R /XYZ 56.6929 153.01 null] +>> endobj +794 0 obj << +/D [789 0 R /XYZ 56.6929 124.1011 null] +>> endobj +788 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F57 628 0 R /F42 601 0 R /F58 631 0 R >> /ProcSet [ /PDF /Text ] >> endobj -793 0 obj << +798 0 obj << /Length 2675 /Filter /FlateDecode >> @@ -1971,28 +1991,28 @@ ymNiËŒ#J ù2éÐHëÃñåŽOù¤xçpóäè'Ó¸#øå‹a@¯#¤¢9™™U?ÜPÏ ‹~ÙNá&¿°ýPº¼,àúðy©ú·áŽQ'³‚ðì‚–½Ãôo_&>h"I‚Ådøb| •ÅÂßED¿Ã}ìýÞ8“*˜þ_þ]Aendstream endobj -792 0 obj << +797 0 obj << /Type /Page -/Contents 793 0 R -/Resources 791 0 R +/Contents 798 0 R +/Resources 796 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 764 0 R +/Parent 769 0 R >> endobj -790 0 obj << +795 0 obj << /Type /XObject /Subtype /Form /FormType 1 /PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf) /PTEX.PageNumber 1 -/PTEX.InfoDict 798 0 R +/PTEX.InfoDict 803 0 R /Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000] /BBox [0.00000000 0.00000000 27.00000000 27.00000000] /Resources << /ProcSet [ /PDF ] /ExtGState << -/R4 799 0 R +/R4 804 0 R >>>> -/Length 800 0 R +/Length 805 0 R /Filter /FlateDecode >> stream @@ -2005,12 +2025,12 @@ q n*Œ1½÷¨¾x¥Æˆpîâ‹&XîÃœ§³±è\íD¤ßä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎr)`˜¢Xh¡Ò& „hb—H°Œe"Ãêʱ„£~Ï“a³tŒºìZDß!#Z¶ÚÂk! e'jÝ=§ _tsÙ¬ûÍ&­Nå@‚i¬ˆ3t%kÐE„\H–YZxÿ/U¥Ç™åë—Φ@±¯iW H þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5©/¨vp÷o`kA“ôr ±ñœÓ4N.4Žæ&F°ÑTÆG%V½ Î'ÌØR5¬BÔ‹`qUžv-UÍ=ëÆåQv2ë_ ”¿­qq‚~èr¯Ú5ÌJ¼ð˜°h»P¡õ‹kÜàéÚýªå>Ò¸D °o»Îi¸CrT]¿MJ¥ ÆÖ¹’°;¿ö‹ûóZ¼¬ å[Ç-œÁ¤ŸBx¿ýpü|üÈÂendstream endobj -798 0 obj +803 0 obj << /Producer (AFPL Ghostscript 6.50) >> endobj -799 0 obj +804 0 obj << /Type /ExtGState /Name /R4 @@ -2020,18 +2040,18 @@ endobj /SA true >> endobj -800 0 obj +805 0 obj 1049 endobj -794 0 obj << -/D [792 0 R /XYZ 85.0394 794.5015 null] +799 0 obj << +/D [797 0 R /XYZ 85.0394 794.5015 null] >> endobj -791 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F84 797 0 R >> -/XObject << /Im1 790 0 R >> +796 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F57 628 0 R /F84 802 0 R >> +/XObject << /Im1 795 0 R >> /ProcSet [ /PDF /Text ] >> endobj -803 0 obj << +808 0 obj << /Length 2020 /Filter /FlateDecode >> @@ -2042,47 +2062,47 @@ xÚ¥XOw :|›ÓÈ¥³f,F! }“"]Õ…ÔpO}´› 3ÜÖ#9ðhȺDÓã&Üý "X-ôDn¿y¤qE0.öïAö†o´hä®DÄq”8Îýütÿ¾; Ä„· €èÉž¬ÁÄÈV ü W éÕŠÃÖã8,êvûßÞªo„¬§ƒó[d(&‘é,=,,,ÂÎ8e6 Æ2+–\0s'>sõŒ)‡×(ãÅÒö+èÀ8öîw´”Ò Y訔w;xác™÷rBôøf˜ì9§º:FRîÒ¢oÚ‡[³Ÿˆ Ò@Ë@q¯q{»ƒ¿[•@ý›X #—+e„4AÄ›Òz„Ž=›¦ ÚCÇ×íOUtût|  äp%ÿhAýEþ÷òÔR»—:œŽôMyqP^8‘ñBÁg"M÷v+ªí¾¦¶bÛ×WÑð8mëuuó•è^¾uR÷ç ³JC[•^™z±CŠ±"xC]‡>€¶X%zÔ?‹ ‡… q›"Y«3” Uêâú'©/6³Á§¼aîþÇa$é¾E¶\†Û•y^ž»XœËSÎQ]¾e[Ëݪ dŒ6 Ã× –F—;ôŽ™~Mqɶõ2Îæ©Jbá«®ÞÇ*Š(ÔóŠ qø¶ÂÒPï «ÃÿX¼ˆ-|•ùbÊqZ(!ßû‡ò‹áïI§uˆü¸~r¿n—Äߧ~„êÆò&úÙáÁÿý{áå§Ô ›É†Ã0‹A+å¢\iÞþ°x­úÿ”H„·endstream endobj -802 0 obj << +807 0 obj << /Type /Page -/Contents 803 0 R -/Resources 801 0 R +/Contents 808 0 R +/Resources 806 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 764 0 R -/Annots [ 806 0 R ] +/Parent 769 0 R +/Annots [ 811 0 R ] >> endobj -806 0 obj << +811 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [349.4919 566.941 408.4801 577.7254] /Subtype /Link /A << /S /GoTo /D (ipv6addresses) >> >> endobj -804 0 obj << -/D [802 0 R /XYZ 56.6929 794.5015 null] ->> endobj -214 0 obj << -/D [802 0 R /XYZ 56.6929 769.5949 null] ->> endobj -805 0 obj << -/D [802 0 R /XYZ 56.6929 745.0977 null] +809 0 obj << +/D [807 0 R /XYZ 56.6929 794.5015 null] >> endobj 218 0 obj << -/D [802 0 R /XYZ 56.6929 552.7519 null] +/D [807 0 R /XYZ 56.6929 769.5949 null] >> endobj -807 0 obj << -/D [802 0 R /XYZ 56.6929 524.1722 null] +810 0 obj << +/D [807 0 R /XYZ 56.6929 745.0977 null] >> endobj 222 0 obj << -/D [802 0 R /XYZ 56.6929 397.0585 null] +/D [807 0 R /XYZ 56.6929 552.7519 null] >> endobj -808 0 obj << -/D [802 0 R /XYZ 56.6929 368.4788 null] +812 0 obj << +/D [807 0 R /XYZ 56.6929 524.1722 null] >> endobj -801 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R >> +226 0 obj << +/D [807 0 R /XYZ 56.6929 397.0585 null] +>> endobj +813 0 obj << +/D [807 0 R /XYZ 56.6929 368.4788 null] +>> endobj +806 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F56 622 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -812 0 obj << +817 0 obj << /Length 1920 /Filter /FlateDecode >> @@ -2094,116 +2114,123 @@ A ÕVµ2,Û è_ç³î:ù¯ke—U)¯Å5¡.Þf2g)¯ò2*j£Â‡u(碚Û)/òYrÔFý¸$ج—x¬ÆÉ 6ó§éiøkÝÆÃ@]´£v›yo‘!ëBWéG!¥?È{˜m&kk-öf"C3wÑ®(¡oÕíDÍï ] ½¶+hwÑš jSlïíùn°+¼²±œ Ç9hÉÞY¢Zy’þ–hJ“60;Kƒ(±šßŽúÔ|žVü¶¨å8XcpQó‰‰Ø‡Û­5kW wR­Æ|ªîæZRÿhð †–Ç°0TÝ€†€ÉÎÃ+!@íüM˜­ÕHišñ+VÈj‘æ‚GÃÒèîå®Ä­§‰æÕÇÌÞ>1‘ÓcIç¼Z/­=«rþïÐÎf±ºëLÀ"Æk‡¬›8H!®ð&ùHÌ0 F }Àû ¥ÆYdad‘³2'lõúþZ„#¤×åLÖÜ^_¼‡2Üÿ¶a‹š¤F^LXnä+eUâf¼ø®™”Ý¥Ó­üm’ ªr:ßÿXE“VUQÏg•w?>M?ÆE‘âÏ‹k?.F•íU‡~Y\œŒ p;ÂñâökÓï”o?÷øh˜‡endstream endobj -811 0 obj << +816 0 obj << /Type /Page -/Contents 812 0 R -/Resources 810 0 R +/Contents 817 0 R +/Resources 815 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 817 0 R +/Parent 822 0 R >> endobj -813 0 obj << -/D [811 0 R /XYZ 85.0394 794.5015 null] ->> endobj -226 0 obj << -/D [811 0 R /XYZ 85.0394 769.5949 null] ->> endobj -814 0 obj << -/D [811 0 R /XYZ 85.0394 576.7004 null] +818 0 obj << +/D [816 0 R /XYZ 85.0394 794.5015 null] >> endobj 230 0 obj << -/D [811 0 R /XYZ 85.0394 576.7004 null] +/D [816 0 R /XYZ 85.0394 769.5949 null] >> endobj -815 0 obj << -/D [811 0 R /XYZ 85.0394 544.8207 null] +819 0 obj << +/D [816 0 R /XYZ 85.0394 576.7004 null] >> endobj 234 0 obj << -/D [811 0 R /XYZ 85.0394 403.9445 null] +/D [816 0 R /XYZ 85.0394 576.7004 null] >> endobj -816 0 obj << -/D [811 0 R /XYZ 85.0394 368.2811 null] +820 0 obj << +/D [816 0 R /XYZ 85.0394 544.8207 null] >> endobj -810 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >> +238 0 obj << +/D [816 0 R /XYZ 85.0394 403.9445 null] +>> endobj +821 0 obj << +/D [816 0 R /XYZ 85.0394 368.2811 null] +>> endobj +815 0 obj << +/Font << /F42 601 0 R /F43 604 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -820 0 obj << +825 0 obj << /Length 69 /Filter /FlateDecode >> stream xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream endobj -819 0 obj << +824 0 obj << /Type /Page -/Contents 820 0 R -/Resources 818 0 R +/Contents 825 0 R +/Resources 823 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 817 0 R +/Parent 822 0 R >> endobj -821 0 obj << -/D [819 0 R /XYZ 56.6929 794.5015 null] +826 0 obj << +/D [824 0 R /XYZ 56.6929 794.5015 null] >> endobj -818 0 obj << +823 0 obj << /ProcSet [ /PDF ] >> endobj -824 0 obj << -/Length 3061 +829 0 obj << +/Length 3071 /Filter /FlateDecode >> stream -xÚÍË’ã¶ñ>_¡K*ÚÔÆ›àæä×&냓Ø{³]ŠÂŒX+‘²HíxòõéF)Q£uF©rél6ºý†ÄŒÃOÌœa\åz–åš.̬ÜÞñÙ#¼ûÛˆ0Ú(f´Rð0ñva”cÆÉl¶"ùêÃÝï´œIά•föá¡ßËfŽåJ糫Ÿæ_¯‹]ç÷oÒð¹}óˇïè3Í2— üŒÃ†e9wჯÞÿ Aç4|ÝÔ?s.û¢«ššð~ïëÒGŒj–³ÜJZ *3rˆPÙ€†r„ð˜×´^µ4.÷o„›7ÅjóL mµ­6ÅžºG3@ëþ -£óuóä?«™žßã7ïÖ>àòXŒhxðO„¯¦IUDjš‡)ªë{dY‚å&²ÚÊ5@;3_Ãø©òO-{³ÐÂ&ŠaÕá0D Bzļƒ É^㻈ÚusجhþÔì?ÆYÕ­ ˜øÀ7pÜÄøeUÓxÜ>GñäAëcÄ°m¢x&+›ínã@ËO%ÛXq$ –žFBˆ2ð+‚ -§‡8Ö¾üHÓê!¾Zûçø²¨‡xÄ‘´°êðI(+_w›øU…$na!íuh«úqÌÜÀN¤Åtæ0yðEw =Ú¸ÒêM«¨óË`=Ú LMŽ-GÎ5* -Îth ®(žx˜¡Ê)ºXOØj&™sÚů‹ÕjïÛöTÊj&P]n%‰„ðŠ ”Í˜°§‚ÿT®ÏHÌ3fµ»% ã"5‡¼D†ˆ ~Z”4çywK'´òhº5ú|\>Ó¡Ý'§681˜*—Ü^TÜ“mÀ8– 'NR pÁí°Sñ LBÎ7Ïëì-_qïÿÃÄ-¦šÎ^1qå`ÅÕKº-4ä©H¯~µ™'Œ‹!Ê 25œ‘UbLæ¤v 8t©aÇÛ™0^#ÒI&UfÇD^Ðnk™`¤š_¾ÀÅ؇3tDa¬}œìif‰§ûƒþJÇS.QíÎ <˜uâ†ç×c¼"•ˆÿ\œ«Ù”áÖ‘û NsÇlæœO EYn¸½Ÿ=Æ+|j¤kÀŸ»½¨~›àTr}<ºÈ©Š!A?eÕÛ7PœÞŽÕ„ñ«9|¯Å‰ç¨VSq7úÕÄæÂB½×ì'ØÅ\mMñDÊ!!Þ© ÍÜ:˜ùjÆ{Œ‹!ÊsÆe¨-šy{!å€X¡{‹L‰ì=å­÷gj2&1è I —ûÇM~ô&zøsšOí/Òó£/1$ú꟪œ‚™ÑsÖ!é¡®PqŽ­¯F¦ì tÝ6Àê[X(—\æäµk@ˆãU³-ªú,p)Hÿs›%ÈW‡­„oqD8Y%È،軔>sË8¦˜}Ì’ÚÎ=@}ÝP¹ -Ô¯¡²Ófþ´®B?–ŸªP -Ãb(³a%Öq:öj4u„`øæûiɸ§µ 8ñ¿ÛÅT‡d—ª¹Ÿ¥Ôžê ¡xrµÛgÖù¶cÇ“8áÕ)ˆk6.â|AM -ðÎÌ ¿¦¦J2Ãó,*j‡{QQì Uu€ò%eQéËj[l®kì?0™R" =6™ö´RÕôû–Ö?›C¨0à Ÿ› #¡7­ßû¢#x+’ e×N)êÏÜð³?à R ®%¶@Ú‰"Æ@©äLªƒ †bT³\«|œHŒ°æi 1›ŠVÅ­P)Bð¬ËMJÎ\ΰ¨¾„ÏHP瞬,h ›\ ’¹bÜdW+)î˜Éc¯«Úé‹Í’ðvÍ’!Êš%#/dá'Í’/!M€%1ÿÏO:NסgÛÆê‡Ã”£§.Co8¼ K Óc;/ßÑ»*Â@¶Ȭ7Ï´B²-›-ø¸±î&ä0¤ -2ïsf¨¢#‡¸ŠéoK‹^àMjX†Ãªiµ>lý¾*i¹Z»öF!‹ T:gH-£É´y®¦]¼Ö…1¤ç0_Ëp”ø\b^ãcÕÒX74¶]Q¯èžxE+[Ð’!çT-¸`‚áË(LŽ½ýÕ”$†$ÀY -9/{¢(^xæ9œ:Î}=îŠDýp³–`7Uý1ÂÂ>“GÑŸ^¼î¯\sÍa·kðN©áèQÚÖê,•YtÍ"hB÷ÂÀ—Kß=y_OÉ¿';lI’ ¤6(Ï»Pzå! ã ï}dì¹Ø4e±‰()Á¹Ï“¿[ã’Ï{ðŽƒ¿›lÊ'È‘ˆP½TfÈÔUf“Xa©èº¢\‡$šÀã Mxbk™1*õ§jϧ@N­ˆxO[DJ–»ƒàÎ/R0éóÉ!ƒIŒÙŠrøÓôÎKQgŽŽß€û*îT˜ óVÁ Ñʶi»Xš;méaxTø<8*O•Ê"m5Ò’bóT<ÇËWŠ£‹Öc @W,iŠtw_ûþ¶¶¡q™n]‡Qàr*4L1^™¶ r¡(üß3~q1’P9s­ $€™ w¡q-„a dú÷êT(a\ QNP(sØ‘Qx1‚y¦Ä1š¸Œ°øg¨¬ïÑëóìêFáÌíxí1^áÓxÏþ9¼Ž¸“=ëqE<‘ß*­˜äZÞŽÓãN•¶ðýg2 ˆkµúPÓ_gŽúm°D(së -Puçã0ÿŒ¡27š/ý¦Á?l2Á¥¦ÅîyWA ™<Æ8ixIìØ#ÄB–EàX™”Ǹy’VíßÀWuÓQÿºRjüÃe‡¹UææïkzÓ6ô‰EK)§ B‰ßCîRµ "Ô+‰õ -¾Ô3ᱨ§²Ë¨@IFmwœ²Lh»ããnÙѺلŠÂ`ç7¾ìF°{ˆïÍ–æëêq½ˆÇŽRœL®Q/»”±¾ÎüA'˜”¯ð8TËVO^W¥ÿéù ÿö;}cÆ-s2ÇÛ˜jô쌅ôßà#ª´ÝIÎa¾endstream +xÚÍË’ã¶ñ>_¡K*ÚÔÆ›àæä×&냓Ø{³]JÂŒX+‘²HíxòõéF)Q£uF©rél4»ý†ÄŒÃOÌœa\z–š.Ìl¹½ã³Gx÷·;a´QÌh¥àaâmf”cÆÉ|– ‘|õáî‹wZÎ$gÖJ3ûðÐËæŽJ³«Ÿæ_¯Ë]ç÷o2iøܾùåÃw´M³Üå·qø„ayÁ]ØðÕûï¿!肆¯›úgÎåãa_vUSÓâþÁï}½ô£š¬°ÒF„¨Ê"T6 „a9BøFÌkZ¯Zû7ÂÍ›rµy¦…¶ÚV›rO]ƒ£ u…Q‹ùºyòŸ€Õ\Ïïñ›wkpy,G4<ø'ÂWÓ¤‡*#5ÍÃÕõ=2Ž¬ +Á +YmË5@;3»aüTù§–½É´°‰bXu8 Q‚€1ï`B2†×ønã#¢vÝ6+š?5ûqVuk&>ðË8î@bÜYÕ4?_ x + €õ1bØ6Q<Œ-›ínã@ËO%Ÿ±âH @,<„eàWNq¬ýò#M«‡øjíŸã˲âGÒªÀ$aYùºÛÄ]’¸……ô­C[ÕcnDà¾DZLg“_vúFWšC½¢iu~`¬G›ƒ©É±åȹÆA%AÁ™G `‰Y˜fq¡©A‹‰ ƒåH´LDK q¿-;‚"^Ç€íÚo6qºÜW»ŽlÕä[U¶`Îäèlèœën_-¾¨Ë­_eɬÉpÑ4@?DÐôÈÚõ„Gà`´Èeü +ëÝÐLi+&ë2Í™´Š„j™Ãàü‚zWmâY~K‡ßN;$éÀ!* |×l6ÍS”'·cIæj;šˇÑ'ÌáéÐú¨ÝšXPsèÒš?U–åݤ4_5Ë~ ¼~‹ôß}û¡÷ÿ…¡çz¦…d–ÿ¯w?ýÂg+ˆßÝq¦ +gfOðÀ™(`{§eÁrž«´²¹ûñî_ÿã®D +Q±Bpu™ÚÇWœ¦cTYâ)SÎ¥pEÑFÊ ;™RÊÌ4×Ljž‡ã+—›S )˜³ª8~†$+œsÓÌf=Ælˆr‚D¤Î€‘ˆ61e(° hPW/<ÌPå”]¬'l5—Ì9íâîrµÚû¶=…²š T—[I"!¼"es&ì© À?-×g$9³ÚÝ’Æ„ñ +‘šC^¢@ÃGD‹??- JZð"‰»¥Zy4Ý}>.žéÀÐî“SœL•Kn/*îÉgÀ8– 'NR pÁí°Sñ LBÎ7Ïëì-_qïÿÃÄ-¦šÎ^1qåàŠ«—t[hÈSs^üj3O³!Ê 25œ‘UbLæ¤v 8t©á‹·#2a¼F¤“LªÜŽ‰¼ ÝÖ2+ÀH5¿|5€‹±gèˆÂXû8ÙÓ8ÌO¿ú+O¹Dµ;3|ð`Ö‰ž_ñŠhTn þsq®fS†4ZG6î'8u̳™s>5e…áöv|ö¯ð©‘v¬G|îöþ¡úm‚Se Èõñè"§*|„ý”Unß@qz;VÆk¬°_‹ÏQ­¦ânô«‰ÍÌB½×ì'ØÅ\mMñDÊ!!Þ©ÍÜ:˜ùjÆ{ŒÙå9ã2ÔÍ<½r@¬Ð½E¦DöžòÎÖû3 59“ô†$ÐËýãŒ&? z=ü9Í'ŠvŠéùÑ/1$ú꟪œ‚¹ÑsÖ!é¡®PqŽ­¯F¦ì tÝ6Àê[X(—\îäµk@ˆãU³-«ú,p)Hÿ ›'ÈW‡­„/;"œŠ¬dlFô]JŸ¹eSÌ>fImç¿ ¾n¨\†Çê×PÙi3ZW¡ËOU(…a1”Ù°ë8{5š:B0|óý´ŽdÜÓÚ†?œøßÊm6Õ!Ù¥jîg)õ„gzB(ž\íö™u¾íØñ$Nxu +âšM†‹8_PÓüó@3¨Á¯©©’Ìð"ŠÚáÁ^TÔ{CU |IYGTúeµ-7×5ö˜L)‘‡žÈ›L{Z©êÎ?ú}KëŸÊÍ!Tð†Ç-ÇfÁHcèMëwå¾ìÞÆŠ$GÙµSŠú37üßìÏ0ˆ¨k‰-v¢ˆ1P*9“ê ¨a§լЪ'#,€yhÌƦ¢@qk#TŠÐ#<ër“’3W0,ª/á3Ô¹'ë èæׂd¡7ùÕJŠ;fŠØëªvúb³¤¼]³dˆò…fÉˆÄ YøI³äKH`IÌßÿó“ŽÓ°3ôlÛ¸Býp˜rôÔËÐ/ÈÒÂôØÎ ÕT«åÄf¦ýXSBØ™„#²Z‹×§€ c6D9‘Bå¯8d=ØË~HkTTìÕ µ/ÛÃPÓne}{÷óqö[.Y„PØ÷¡lê‹NC4-¢AØ‹‘àngŒ/˜Ã¾Ï·­4ƒÅ™Ú¸uí’[ï¦Ü:Y £ä\¼]-ÜÛ·ð)=Õ0ÐLçNô¾4ßo—ÍCRU¦«á,Ȳž±5%Bñ +DŒmx³uùÉãÌÍËí¢z9d0‰1[Qšþ²ÁRÔ™£ã7à㾇Š;&è¼UðB´²mÚ.–&ÁN[z>ŽÊS¥’¥O´¤Ü<•Ïñò•âÃè¢õ(ÐKš2ÝÝ×¾¿­mh\¤[×a¸œ + SŒW¦-ƒ\( +ÿwàŒ;.fBJ g®5 sá.4®…0 ”Lá^ +%ŒÙå…Â1‡¹…“!˜çJ“¡‰Ë‹†Êû½>ÏÞ¡nÎÜŽ×ã^!@1÷ìŸÃë¨;Ù³WÄù­ÒŠI®åí8í1^áTi û?“ÑX@\«Õ‡šþ:ã9Ú£çš÷;P¦—ìÑVðâZa"DõžµWÍ1ÁÝÐ(_2Ç!…˜|–9f’;¨ pÌ»Æ÷79ËUÐ —\øýÕ+*†QÞ†NL´X5}l¿Œÿ±Õ÷„Ÿ8Þ|bª½"ŠC¨€E‡­7\z”¹%Þ K9¨ñoyä(‡£ùÂoüëà\jZìžw„ÄÓÁcŒˆ/‰œØ-ÄMØèÆ”ç‹Ë”å1ˆžäXû7°±®cnjãÿL̯›³¬«¦×mCE1b´”|Êðw”¸²˜ªýH¡rùK¬\ðõ ² e=•g†”Š3jÀã,ÐdBwÈ“ÖÍ&Ô¸²)¬øüÆ/»ì"}³¥ùºz\gñÜQŠ“i6jãeç20Û×9­“Òâe‡ºÙêÉ‹«ô] Ÿá€§ïθeNx/€BµžŸ±þ%|D•>÷_©Tdendstream endobj -823 0 obj << +828 0 obj << /Type /Page -/Contents 824 0 R -/Resources 822 0 R +/Contents 829 0 R +/Resources 827 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 817 0 R -/Annots [ 830 0 R ] +/Parent 822 0 R +/Annots [ 835 0 R ] >> endobj -830 0 obj << +835 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [356.2946 363.7923 412.5133 376.6291] /Subtype /Link /A << /S /GoTo /D (address_match_lists) >> >> endobj -825 0 obj << -/D [823 0 R /XYZ 85.0394 794.5015 null] +830 0 obj << +/D [828 0 R /XYZ 85.0394 794.5015 null] >> endobj -238 0 obj << -/D [823 0 R /XYZ 85.0394 769.5949 null] +242 0 obj << +/D [828 0 R /XYZ 85.0394 769.5949 null] >> endobj -826 0 obj << -/D [823 0 R /XYZ 85.0394 576.7004 null] +831 0 obj << +/D [828 0 R /XYZ 85.0394 576.7004 null] >> endobj -242 0 obj << -/D [823 0 R /XYZ 85.0394 479.565 null] +246 0 obj << +/D [828 0 R /XYZ 85.0394 479.565 null] >> endobj -827 0 obj << -/D [823 0 R /XYZ 85.0394 441.8891 null] +832 0 obj << +/D [828 0 R /XYZ 85.0394 441.8891 null] >> endobj -828 0 obj << -/D [823 0 R /XYZ 85.0394 424.9629 null] +833 0 obj << +/D [828 0 R /XYZ 85.0394 424.9629 null] >> endobj -829 0 obj << -/D [823 0 R /XYZ 85.0394 413.0077 null] +834 0 obj << +/D [828 0 R /XYZ 85.0394 413.0077 null] >> endobj -822 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >> +827 0 obj << +/Font << /F42 601 0 R /F43 604 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -834 0 obj << +839 0 obj << /Length 3530 /Filter /FlateDecode >> @@ -2223,83 +2250,95 @@ iÓ Äè=P±s\"aÌ}™˜.Éc4]V½éŠx7¸MwcÆý²^®·é^cD˦XBS8-ýÏ/™õã}?úÿØì9!Óšæy‘r°(wóY¬œ`ˆ $Í,ý¿LËUæendstream endobj -833 0 obj << +838 0 obj << /Type /Page -/Contents 834 0 R -/Resources 832 0 R +/Contents 839 0 R +/Resources 837 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 817 0 R ->> endobj -835 0 obj << -/D [833 0 R /XYZ 56.6929 794.5015 null] +/Parent 822 0 R >> endobj -246 0 obj << -/D [833 0 R /XYZ 56.6929 363.2968 null] ->> endobj -831 0 obj << -/D [833 0 R /XYZ 56.6929 335.217 null] +840 0 obj << +/D [838 0 R /XYZ 56.6929 794.5015 null] >> endobj 250 0 obj << -/D [833 0 R /XYZ 56.6929 335.217 null] +/D [838 0 R /XYZ 56.6929 363.2968 null] >> endobj 836 0 obj << -/D [833 0 R /XYZ 56.6929 306.9099 null] +/D [838 0 R /XYZ 56.6929 335.217 null] >> endobj 254 0 obj << -/D [833 0 R /XYZ 56.6929 226.5017 null] +/D [838 0 R /XYZ 56.6929 335.217 null] >> endobj -837 0 obj << -/D [833 0 R /XYZ 56.6929 197.9796 null] +841 0 obj << +/D [838 0 R /XYZ 56.6929 306.9099 null] >> endobj -832 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F14 608 0 R >> +258 0 obj << +/D [838 0 R /XYZ 56.6929 226.5017 null] +>> endobj +842 0 obj << +/D [838 0 R /XYZ 56.6929 197.9796 null] +>> endobj +837 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F43 604 0 R /F42 601 0 R /F58 631 0 R /F14 612 0 R >> /ProcSet [ /PDF /Text ] >> endobj -840 0 obj << -/Length 2750 +845 0 obj << +/Length 2754 /Filter /FlateDecode >> stream -xÚ­]sÛ6òÝ¿B{(G4Hð³}j\¹u§u{‰2w3Mg"!‰cŠTI*Šþýíb$%ÓIgÚÑ]`±‹ý†¼™€Ÿ7KBWÈ4˜Åià†Â gÙîJÌ6€ûáÊã5s»h>^õfyu{ù³ÔM#?š-×#Z‰+’Ä›-óß»¿ûm¹x{=÷CáDîõ<Œ„óæáñ{‚¤ô¹ûõñþá‡÷o¿»Žgùðë#ß.îow ˜iØï1…6Ü?ü¼ ÑâçÅ/‹Çå»ë?–?]-–½0c=!Q’?¯~ÿCÌrû§+áÊ4 gG˜×KS¶» -B醔R^½»úwOp„5[§.0”‰&~ø~ ª~ Ø@ªºÒMÀuÌ=ÏMÃÐ7²!¢¬3Unë¶ãχËÔTºkqB`Õ\{‰£i²§I®?áW:‰³_êa‘pŠj]7VvÜe¿Í„XškÆÁŠqëú`y*úzJ¦\·YSìù–Áë5}é"a ²’mªCåº=¡ÄÓ84„–´n#Ï K.br¡%9OúDÐî¡eàNåúbŠ7&ªhiÔžªNe]‘ÑM6Ǹz§a¥±¢ÑfEKwE[Á‚Õ&N[TÙäÕ´:;4E‡ìÆùÆÓauÌF _#'TWä£*‹n‹ *ËtÛm¾>t4!•oÈ>.H(ú © Ä@À¶Žµñ$çD¤mÁd"œG°`¸Ä FL!®×k§›Œ+ „hý†è?dÍ8+ZkEÉ–Á`¬ÆP©–rlIyPQÆ®'è?[æ*Š/ýÔÙ-äá7qŠ¼D°g¡_}" ²Š˜¬ÞíÙ sÂà-bö¸3¢€`ñ‡âƒ­È %Q,ŒÌEרº1aÀUÏê,nÂÂÜ!ÜMFütlËiDLhÔlDìa.*ÐKÛÙ {­§dëv7ar½×UÞÜ.?nÑP’’ÊÁáõ«kÏÑäP0c]ÃBÔ”õÖÏêª#ƒ(_³ PÜcÿ¤‹ÔÕÜFŸ}Ýt-/5Ç8ÅvKX%Z±é âŒmn`‰b¾8 }ÎAÛ$*ŽpŸù2ÆÊ(Ïe$¤µtO‚@V™÷™ÖºTYÖÇö‚¬9ÊžÍ4úýƒs"<×Uy`ºˆ– aì<¬ÑM~ì dA²^ÈË5¡ ad>”7ý:I§åLs¹e*Ê P#Œ«,?’®S`Íp„²Î«º+Ö'^<.(ÂÈ ‚8æů'ÈE®ý¢öçA7“ÄBWÂÞ/ЊÎhWíš|õ‚\X’DŸ¡7Bd…ɹ åÃÞ¤ƒ ºPˆy2ü ÝÐ |éñIÔæà€GÕ˜Šé9aÏ ¡dŒƒž2øl`¬jBK°TJ«¥U©²§m]N±Än…ÉÀ MB‡yÇQÄØ 8ô †b*ǨæÅλbW”ª)OמçY6m±Î*Ý(ñyˆŠ#[¾@©}¤¤aQD\EG´ºùhBDD)a`Ž4@{ßó­ª0¥"¬´ç@¹È®Ïè¢?fPrè¯[^8Ü‚fÐq[˜{€a^Oy+±qžxû(†O«7ÚŠé¥Ä–o·CmÓvsKpªÝ묭÷8«d¹©¡âÙîP ~HIÉQ³ZñÈÖ°-ï&h{Xµº;çHt›8PóMpŸ¸ â( l6‚Q E‰¡>‘˜Ï¿Òë¾pÆy¿qE!YåæTØ绬¼J6WI Ãö!™ÀDÃØ$EøV˜9‰€ûÎ}mWR»}©'‹/’öÂûpç٨湾+oýà[ ©ó„Z?!(8é·> }˜ŒSê¨Dñe¿gþp鈢ºÈÜ#pÚip>³,©ä -«[6-ÄôT{¡)¹®°) ×T'òÞ4výÔ;WmY×O‡=Z‚4 ‚¯6žéYez²¿ëïžPfâ¼o‡xÖR•ãtAA Új?éùŬ s|²u´!2Ž&ý÷MÚÊÖÖÊ–àõPûÐa¯h‚ý=ë~ñ¨Jwû{ëyY£ÕÊÒ£$Îð!ÿž{Bç®Þ õÔ;ìÃ>MÜð#×G«õ†qÿ”ÑSJŒ8j݈œAزád&Ãj3Á¥û½V ·yÕé8T8ˆeMBpÇÀv¯2î÷£™øYTâÊãw/D„üTh›Ccu%ÆNJÝÄúåuê;5!Ì%í¤ä[ëÙ4 -$kZRzIX¹x* xÇÈ›œs"4õ¡€6}(|à˜f`ÁìpŽŠ»×ü½¹1¤|§žlJZhËÛ½nú¶ÿ„⎰;O¨ænn|ƒ{ žì“ÚN5!è•SÚ·IuGn·²­jTÖÏGÄí+‚ãg[ªÖ¶bH_;iµ†øDJƒñ¯n b(À.~è2D R1í[Ò׎ÓDXˆxôv)âózæ¹.¡z§®¦Ì…0¯ ­ÝÓ‹øšK ÈÞ=yz¹ÃðË=· ɇr哺²g+úàƒ½’ - -œ„›ˆk%èç ”@ŒÁ°²w‡²+öe_uWøøò9Íûgš‡> %¢R0ëwK…¢’ E€ö…"ÌìÃ'€×5¦>~§ÎéöDÍÛ¢¥o«é €—¢w’¿©;áG!ôz‹—Ü=ÐäÕí7ÓÁü,þÁÜob¹Q¯£Ç¹S='Èï”&²=£ØŸvFsîÅn*ý‹®sBºð%é—RUeÃrV7éÄ òönßOè‹VcÌà%Ñ¥Ü$Œ’ fÆ9l¬›¹ô„›È øÒ­áƒ~˺Ú`a9Î%¦~Æ/¤ëC#ò×3êEB€rè +“ã[ Îû¥ƒ¾Pˆù*ú ßÈ åÉÉÜà€Oº¥Šé9cß dLÂ3ølHV5sK@ª”½¥‡J盦š7LÜ8ŽÒQ`›F'ò4>Ž£ˆ±ApèÅTŽQÍOœw嶬t[.|ß·bÚbœU¹q¨’ã3 1G¶|Rû‰“RŒEKû `Йö#…ˆ˜SÂÀy€ö¾“1ZUI¥"PÚ} \” WG|Ñs(9Ì׎§`ô´)é`X4sÞÊb'Þ!Š¡Â³Áê±jú‹ØeÀPÛvý²œîv&ï'ô¾d5BVë*žÍ¯!ˆ8)Ó JÔZF¶†íd5C»ýCgúc‰4hDZ€#·€‚ûÌa°Dih³Œ:((* õ©Â|.ø³ +gœ 8$ë‚v…5²+ØiåU‰¹*–É&¦Ç”á[cR”$v8·¥þ¤·»ÊÌ_¬í‰÷!ïۨ滫®‚ð[ ™ó„Ú e(8é·3> }˜J2ê¸D Ô°gÁxèˆâºˆÎ$í 8%URau+¦…˜ë`"°÷f‰dþñÕVMó¸ß¡%(ª `NdE0y¦o/ÓWÙ0ØTxö܈Àe¦Îûn Ga͇„„6~ÅÔãQ’¼Ÿl’¸©Û˜Ou%Ù:Š(NJÕÙ<Àù2êáÀˆþÈUŽ?¹ jÐV¡—ÌtŽ¶Ž&&Ó@éhÒlm­m ÞŒµoöŠ'Ø?Hѳˆ'Uº;œÛ Ë +­V¥K†ÁÅÂ÷<Ϲn¶c=õû°O3' ‚Ø ÐªÇÞê!yJ.&“^j`“ŽÙqû#eÂW¶õênÚ)ANÛíŒ +0½§±Â!*¾©}ºìM·Ó¹´m[}8e>‹GRÓbäN¬ø0‚¢ía½oí­Ä)YHe°ƒ(¿¼È§amPñJN;‰µ›u«A§¶c '–T®%”í³Ê6Fs +hê@áû.Ù–"Žd§Ä¹~-ßËKb8Íl;ÒAÛX]íL;4üTç¹c¡}@ùåÅh®/25Š(yÙ(®H„ÈÍ’K&7 UHˆW„°Ç?A,é ö¸±Ã¯æß Ž{"¬¥®ù{ÍŒ1^z‘?³§3_‰Çz…ÇÉ÷êŠùþm¹./çrû¿þîˆldüþþî¿<¢»¶ü°ÕÀ]ý_¼n¾—†n NCGö¾Ókóåèp=z5•?ú¯$–GnM!LÛ¦nêÖ/18é!Ç'Ý玌"âÈ3—r½ ¯¾g{£®×mÏ~ÙTö=Aý“´XùF·:ïÉçqõŠáø¨ÙUº³í²ÃN¦âvŸEy0ÝãÕCˆ¬’Ç-b‚ ‘ µléP/Î? aà%“÷J/9®`^˜ +*vîDa*Rxô‚ÐÙ5ƒŠ¯¥|€Œ=°ç×J£~¥Ïö88ʦR­À¤©íÞš?øHÀ/£‡LÆÍD´ +ŠòãÇ +¿ÛvZ.{»¯úrW •v.Ÿ»ùàèæ¡7C¸|ÌøÒÝqq¨<%Å!@‡âfö±À«Ó<}s·|¦ôžhùÛŠ_ù#¥Üc”oîLä!=‡ßߧe†t á·jê5“Ó,B½ï3iO¹4=—ž¤(Á×Ó¤ôÜ_OÈ×./o ³©·ÁLŒ‡bÁöe–giÑ$Îâ³5~§q–ØÙÉSÎ^´)øT½·l›“}Œ¥£šmŠÙmÝbÎNË\S³S”Áˆ¬R¬ ´QÇ&B<Õ9Wܣœ؅3Üøx»È8”çî{¡mjTÍz\3Æ]˜PˆœQc&`Ê[¬Ñã_6ðn÷6œÈ¿=“hCW‚¯¾º¤¤5womè–ØùÍK’ªÈÅ6gþÒô†ææoÿ:þ½&®JÓ`þ¿QHˆnd‰ + ²SɇZŸ‹þXBendstream endobj -839 0 obj << +844 0 obj << /Type /Page -/Contents 840 0 R -/Resources 838 0 R +/Contents 845 0 R +/Resources 843 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 817 0 R ->> endobj -841 0 obj << -/D [839 0 R /XYZ 85.0394 794.5015 null] +/Parent 822 0 R >> endobj -258 0 obj << -/D [839 0 R /XYZ 85.0394 497.0473 null] ->> endobj -842 0 obj << -/D [839 0 R /XYZ 85.0394 468.4726 null] +846 0 obj << +/D [844 0 R /XYZ 85.0394 794.5015 null] >> endobj 262 0 obj << -/D [839 0 R /XYZ 85.0394 408.9221 null] +/D [844 0 R /XYZ 85.0394 497.0473 null] >> endobj -843 0 obj << -/D [839 0 R /XYZ 85.0394 382.8699 null] +847 0 obj << +/D [844 0 R /XYZ 85.0394 468.4726 null] >> endobj 266 0 obj << -/D [839 0 R /XYZ 85.0394 310.3501 null] +/D [844 0 R /XYZ 85.0394 408.9221 null] >> endobj -844 0 obj << -/D [839 0 R /XYZ 85.0394 283.0525 null] +848 0 obj << +/D [844 0 R /XYZ 85.0394 382.8699 null] >> endobj -838 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >> +270 0 obj << +/D [844 0 R /XYZ 85.0394 310.3501 null] +>> endobj +849 0 obj << +/D [844 0 R /XYZ 85.0394 283.0525 null] +>> endobj +843 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F42 601 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -848 0 obj << +853 0 obj << /Length 2299 /Filter /FlateDecode >> @@ -2314,14 +2353,14 @@ f y³,*æˆÂ†ì¸© ·ò¾MâSÏ'n벬ïíNÞ6øãÙÛõjU70å·ý3‰Æqį1‘/1¾DÀÖ[¾ô×F©‘2èUj´#Øcgv[‚h¥ åqúr2`à #‹ˆ ëÊiVx'ÐE rÙÔ8˵V&’Jeâ%$ˆ*]jƒê–‹ŸlS:›Y´Nt™vÙÂLw—à´ph˜R`ÊÆ)Ë2+­SœB3¾.‡œ,í‰&ø£‚×ÚÝC’§ làñ6„µ-‘ñÆm^®Òïá)£ñ.wjÍ Íc%dï­M]¶/0\V:¯h=ÁÞ@lÀòÒu{r“÷ð:Ìo6äÞN.“c„ûˆçRM5Ë—%™_ܺ+Ê¢{BFϘpƒÎÛà~lAz@ 2„`É2¦Á–´×³|¯\».-z³`=‡ÍûÅábL)9{@£1"‰ ¿ç{kWyVh€ f›A€\Ð+:ËžF`ƒt!Ǻ¥p=éŽ9\…³žÔ(O'lg=H›âKÀ‚ÖmŸ©¦×çϘ+@âPQêàæ¢Pˆ£{Ì…¢1·©î¬s ÁëLÆb`†ý@É%–ChîL̇FÐk¸÷/fHÞgÿÍ8#k,!ˤs¸7ŒZÛàÙÂ@¢ii½7WˆÄaÍu@&4%”î IöÄ$·Y¥¼oòý)%¼%™´²› ¸BRJÿôdi®ZÆý3'¤óŽa†3*‘u®i›u”Å|ÑMîsý±n!uiˆn™¥Ž¥O¸È0Å‘uï¡úÎ;°~*PÂáʃ7° nî÷ ^ØÈ3g&0ÇûuqHPŠÐ=™ ¸àÊ´rß¾ŠAÆÂÚ’÷ Z¼"SÑ<ÑJXšM&¶öJnª¶¿íÖ7Neå4µez7ø*÷ŽÝ¢4 ï¬ÜÿIÅîÒÿP.endstream endobj -847 0 obj << +852 0 obj << /Type /Page -/Contents 848 0 R -/Resources 846 0 R +/Contents 853 0 R +/Resources 851 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 817 0 R +/Parent 822 0 R >> endobj -845 0 obj << +850 0 obj << /Type /XObject /Subtype /Form /FormType 1 @@ -2341,27 +2380,27 @@ x 6\>RgÈbÏWÖ¹j[†› WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½t•‹ùD„™Â²]°Ä(‡;„ ·åŽ°Š­r²ÂÙÄLûˆ T¥Í¡誋ŠŽt’¹w_ =Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^ m" ^˜h±ÎW9AVªy­Â©/fýÆ"•œãûFy-Sng \Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&Øíþ²C¶O–ÃVç X×9g¹E{îÇ< •ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream endobj -849 0 obj << -/D [847 0 R /XYZ 56.6929 794.5015 null] +854 0 obj << +/D [852 0 R /XYZ 56.6929 794.5015 null] >> endobj -270 0 obj << -/D [847 0 R /XYZ 56.6929 486.3415 null] +274 0 obj << +/D [852 0 R /XYZ 56.6929 486.3415 null] >> endobj -850 0 obj << -/D [847 0 R /XYZ 56.6929 454.4975 null] +855 0 obj << +/D [852 0 R /XYZ 56.6929 454.4975 null] >> endobj -851 0 obj << -/D [847 0 R /XYZ 56.6929 395.7282 null] +856 0 obj << +/D [852 0 R /XYZ 56.6929 395.7282 null] >> endobj -852 0 obj << -/D [847 0 R /XYZ 56.6929 383.773 null] +857 0 obj << +/D [852 0 R /XYZ 56.6929 383.773 null] >> endobj -846 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F84 797 0 R /F42 597 0 R >> -/XObject << /Im2 845 0 R >> +851 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F43 604 0 R /F84 802 0 R /F42 601 0 R >> +/XObject << /Im2 850 0 R >> /ProcSet [ /PDF /Text ] >> endobj -855 0 obj << +860 0 obj << /Length 3170 /Filter /FlateDecode >> @@ -2387,51 +2426,51 @@ B ’ÈéAÇØŠµÂhÿDáåÕvœú&$$¸dRk7³|ïùêè%=Á‰ÚˆRP͆I{c‰Ç½±ºó÷ÚÍÏòÅÔßc”œÅ„NŽ.,¼ÔY#½Ãg…¸iD?zV!ñvÍvwXÙ}øÁ1-¾DŠŸÎ^訽ƒG•J0) `uŸÕCi 9¶¡ÃÆàá(¾¦gñEmA/ƒ;fx#x%t ¿á Š)Á|>žX¢ )5õH>{ô¿(Oý÷eÿ×T Bpnð÷µu9ï?Õ¦PNJì|ÙŒÓÜeý¿@{Lþendstream endobj -854 0 obj << +859 0 obj << /Type /Page -/Contents 855 0 R -/Resources 853 0 R +/Contents 860 0 R +/Resources 858 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 862 0 R ->> endobj -856 0 obj << -/D [854 0 R /XYZ 85.0394 794.5015 null] ->> endobj -274 0 obj << -/D [854 0 R /XYZ 85.0394 769.5949 null] +/Parent 867 0 R >> endobj -857 0 obj << -/D [854 0 R /XYZ 85.0394 752.4085 null] +861 0 obj << +/D [859 0 R /XYZ 85.0394 794.5015 null] >> endobj 278 0 obj << -/D [854 0 R /XYZ 85.0394 683.64 null] +/D [859 0 R /XYZ 85.0394 769.5949 null] >> endobj -858 0 obj << -/D [854 0 R /XYZ 85.0394 653.5261 null] +862 0 obj << +/D [859 0 R /XYZ 85.0394 752.4085 null] >> endobj -859 0 obj << -/D [854 0 R /XYZ 85.0394 576.1881 null] +282 0 obj << +/D [859 0 R /XYZ 85.0394 683.64 null] >> endobj -860 0 obj << -/D [854 0 R /XYZ 85.0394 564.2329 null] +863 0 obj << +/D [859 0 R /XYZ 85.0394 653.5261 null] >> endobj -282 0 obj << -/D [854 0 R /XYZ 85.0394 420.3273 null] +864 0 obj << +/D [859 0 R /XYZ 85.0394 576.1881 null] >> endobj -861 0 obj << -/D [854 0 R /XYZ 85.0394 391.7481 null] +865 0 obj << +/D [859 0 R /XYZ 85.0394 564.2329 null] >> endobj 286 0 obj << -/D [854 0 R /XYZ 85.0394 295.8129 null] +/D [859 0 R /XYZ 85.0394 420.3273 null] >> endobj -718 0 obj << -/D [854 0 R /XYZ 85.0394 264.2689 null] +866 0 obj << +/D [859 0 R /XYZ 85.0394 391.7481 null] >> endobj -853 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >> +290 0 obj << +/D [859 0 R /XYZ 85.0394 295.8129 null] +>> endobj +722 0 obj << +/D [859 0 R /XYZ 85.0394 264.2689 null] +>> endobj +858 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F57 628 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -865 0 obj << +870 0 obj << /Length 3251 /Filter /FlateDecode >> @@ -2449,81 +2488,81 @@ iÆ¥3%à6O ›ì§sÃŒŒ—Ù_ªò4ÝO6Þ‘Å]1¬ÍüOØ„w+¥oé);è›÷ôjJ~|U¯°û³_ÐVÇÜYËÆKÏ4I¼%ê$r<”ô¿3`[<[àæ]G vâ÷äÐBK‘é? Dg¸)éJk˜±ûü_R3ñW߀çXƒ›a`z -˜U JKË—¬9 /ÎØc#º øJ;VÀsþìLylÅçÙå/)õþd‹ïŽ­™> ʇËЙˆù –¨uì©?W)ÃðßN|óÚ÷¯Îÿ’Òï«åÿø±)Ó)ñL¡Ôèß=ÔDâ¿@Ƭÿ——Õendstream endobj -864 0 obj << +869 0 obj << /Type /Page -/Contents 865 0 R -/Resources 863 0 R +/Contents 870 0 R +/Resources 868 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 862 0 R -/Annots [ 867 0 R 868 0 R 873 0 R 874 0 R 875 0 R ] +/Parent 867 0 R +/Annots [ 872 0 R 873 0 R 878 0 R 879 0 R 880 0 R ] >> endobj -867 0 obj << +872 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [55.6967 755.8266 256.3816 767.8862] /Subtype /Link /A << /S /GoTo /D (rndc) >> >> endobj -868 0 obj << +873 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [268.5158 755.8266 332.4306 767.8862] /Subtype /Link /A << /S /GoTo /D (admin_tools) >> >> endobj -873 0 obj << +878 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [378.2799 116.2526 428.5017 128.3123] /Subtype /Link /A << /S /GoTo /D (tsig) >> >> endobj -874 0 obj << +879 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [112.234 104.965 168.4527 116.3571] /Subtype /Link /A << /S /GoTo /D (controls_statement_definition_and_usage) >> >> endobj -875 0 obj << +880 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [75.273 61.5153 131.4917 73.5749] /Subtype /Link /A << /S /GoTo /D (controls_statement_definition_and_usage) >> >> endobj -866 0 obj << -/D [864 0 R /XYZ 56.6929 794.5015 null] ->> endobj -290 0 obj << -/D [864 0 R /XYZ 56.6929 441.8384 null] ->> endobj -869 0 obj << -/D [864 0 R /XYZ 56.6929 416.1193 null] +871 0 obj << +/D [869 0 R /XYZ 56.6929 794.5015 null] >> endobj 294 0 obj << -/D [864 0 R /XYZ 56.6929 378.9792 null] +/D [869 0 R /XYZ 56.6929 441.8384 null] >> endobj -870 0 obj << -/D [864 0 R /XYZ 56.6929 348.5817 null] +874 0 obj << +/D [869 0 R /XYZ 56.6929 416.1193 null] >> endobj 298 0 obj << -/D [864 0 R /XYZ 56.6929 276.8275 null] +/D [869 0 R /XYZ 56.6929 378.9792 null] >> endobj -871 0 obj << -/D [864 0 R /XYZ 56.6929 248.1435 null] +875 0 obj << +/D [869 0 R /XYZ 56.6929 348.5817 null] >> endobj 302 0 obj << -/D [864 0 R /XYZ 56.6929 167.2435 null] +/D [869 0 R /XYZ 56.6929 276.8275 null] >> endobj -872 0 obj << -/D [864 0 R /XYZ 56.6929 135.7502 null] +876 0 obj << +/D [869 0 R /XYZ 56.6929 248.1435 null] >> endobj -863 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F58 627 0 R /F14 608 0 R >> +306 0 obj << +/D [869 0 R /XYZ 56.6929 167.2435 null] +>> endobj +877 0 obj << +/D [869 0 R /XYZ 56.6929 135.7502 null] +>> endobj +868 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F42 601 0 R /F57 628 0 R /F58 631 0 R /F14 612 0 R >> /ProcSet [ /PDF /Text ] >> endobj -879 0 obj << +884 0 obj << /Length 2414 /Filter /FlateDecode >> @@ -2540,39 +2579,39 @@ F L2.­_èÁÀ:÷¦é‘uèÍóùõš€ ÀãÍ…øl‘Ç‘LUª½i§re2×OHZ$§yvRb‘ë Ì1ZíKLý®š´?LTw‹DDq}Ù¨wœ¨ñ$4ŽyvÒN‡ùce×fWõþÔö™Š™!Ðex†QÔ>͈á»Æ5Ïh£+°¸ ‘,&‰òÂI¬VПĒî»Æ+-øùGˆÚŽ…8ÆM˜œ‰®³€nadAwUÙ9Ò°wÁG^lò¼m=Š!o¸7|{˜ˆ;fÛ9 ƦÕq*sÝkŽœá›VO+{ÃtH-6ÀÜ,wíÐ3d: I´^lùžÜb©&r\±÷wlüN‚æâµoÄ[ û,‰´'Îèt‚Q½Ùöœöô|÷€2H°¯¢ÆYQ£^½6$VæîÐôæO[êðÛ-Áw*üçDª&” «ƒRa¼iùDœÔƒsM9 G9î‘lœz|L5·’žLnG×'Q壔z"TàÓLZä^_‹Í7ß[""êa’|›{|YEfåŽÒãªÂGm•J·Hpñvë©:MœüJéñ›ÅÙK]Ûå(õåŒ7­ÏŠ^˜mcC)×-;-É+ Þ§ð @,Â"¨›òƒ*Ÿý^âC»c¾ Ë­6_løNÀ™n”ËA‡u¸gÀƒ Í×Íy‰$AпBli6ešú$ë+`X®w]Oke³¬vXf"Øøýx˜9n‡¢ƒžŽSÿ‡ÐÎ:‚A0ty•p‹Üä* ®¾"€«MqÀ‘ç4æ)ÏçLøßó¿{ŠMÙßÜÛª×\°fuW™-Í}CŽã¡÷/Ò£ãä;x ô6¸nìmn¿úÔŒÂ/«˜¬ÊnÉX\ìÓÝ@ˆñÈG'0$üR4ñ‰(\ó»?H¿Öiˆóy.§¿5©8rYdž(TR§”_®ÎIÿ?í ;«endstream endobj -878 0 obj << +883 0 obj << /Type /Page -/Contents 879 0 R -/Resources 877 0 R +/Contents 884 0 R +/Resources 882 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 862 0 R ->> endobj -880 0 obj << -/D [878 0 R /XYZ 85.0394 794.5015 null] ->> endobj -306 0 obj << -/D [878 0 R /XYZ 85.0394 662.5434 null] +/Parent 867 0 R >> endobj -881 0 obj << -/D [878 0 R /XYZ 85.0394 634.6304 null] +885 0 obj << +/D [883 0 R /XYZ 85.0394 794.5015 null] >> endobj 310 0 obj << -/D [878 0 R /XYZ 85.0394 376.1585 null] +/D [883 0 R /XYZ 85.0394 662.5434 null] >> endobj -882 0 obj << -/D [878 0 R /XYZ 85.0394 345.4362 null] +886 0 obj << +/D [883 0 R /XYZ 85.0394 634.6304 null] >> endobj 314 0 obj << -/D [878 0 R /XYZ 85.0394 136.7105 null] +/D [883 0 R /XYZ 85.0394 376.1585 null] >> endobj -883 0 obj << -/D [878 0 R /XYZ 85.0394 113.7908 null] +887 0 obj << +/D [883 0 R /XYZ 85.0394 345.4362 null] >> endobj -877 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F57 624 0 R /F56 618 0 R >> +318 0 obj << +/D [883 0 R /XYZ 85.0394 136.7105 null] +>> endobj +888 0 obj << +/D [883 0 R /XYZ 85.0394 113.7908 null] +>> endobj +882 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F77 707 0 R /F42 601 0 R /F57 628 0 R /F56 622 0 R >> /ProcSet [ /PDF /Text ] >> endobj -886 0 obj << +891 0 obj << /Length 4109 /Filter /FlateDecode >> @@ -2599,21 +2638,21 @@ yJ áx[%=v-˜Ÿú‹ã(½@íõ ™u:óeyÿåH #¶F›!Â!ÙØ7Ë+ }5®Æ$pÄ(Ñ™¯áÃÉ¢Æã“M‡ÛÞiá#µ‚sK‡:V}cÖ˸ê‹ÇœØóðÃÞ¯v¸`IyKš’n\Ï“,bŒðÊÞ‘€«þ:¹xšº:C'«F׉T:{M"QLÇŽMšµ¤¬WûÖŽôjás/Ö’†³ƒÌptæ„Ô2¥ ?ÄI‘±¼àš”—-†5ùB¼‡“2P_ÖodÛC¿;ô\½ýžŒ—O „ÔK·«õÊ_QÁP5/|Á—dÍI)g·'1"kÿoÏ\:> endobj -887 0 obj << -/D [885 0 R /XYZ 56.6929 794.5015 null] +892 0 obj << +/D [890 0 R /XYZ 56.6929 794.5015 null] >> endobj -884 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >> +889 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F42 601 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -890 0 obj << +895 0 obj << /Length 2474 /Filter /FlateDecode >> @@ -2627,29 +2666,29 @@ x ¨\ǒ¨¶Í†¿ôtµ9£>´4Sú¡ì»þ×vÍ1½Xn^xš\~aQ{{ôÝÙE„Q;Bõ‹þy5­ö]g›!XÓhET1ESFóK!a¢Ä/…w ¹ÌŸ˜ccDïÿožüÕÂjöu=‘È!&ãÀdŠ!?Å”Ÿ¡íû@Ñqx}­õê[l)9Ïâž7=š@×”¡4ÆÐçF2i¨K¢“èhB’ÿyêUºˆw"WL¤Ð~~ÅJ²Â`ãQ-GŒË)Jʉó¶M° ïLjLô‹HE#™VÜÌ»Yšñ¸ ÊsßgÄ5٥ߦj¬}´kQ\Û†^Œ7ª d§“ÓëýÊö~/ ³àüÁµ~*´~î­Ù ÆéÑ€‹“îå„1WsøiZ"5mó*-[,¾On†°ÓíBk~òÐé ¦¤,6k_<¯àF( gål2èùòiýè’ÍS‰cbL¨4+_/ùFŸ q!ý¸¢¯¢R‘R5%4çàÐhçy6/p®q…=à…8éÂ~Ž²‡á%õ4¤Ü#R`ñ+”x^Eª˜)D˜9-÷&ƒ†èˆCäPBã·£¦>jš‰Ú§‚:ÕÁ/æHGµr:Ü€u쌞‘y.‹à²£F'¯­¼D¨D’ÐtI°9ôBž6ƒv8,0ò¹FB1­˜ÍâtîüF8»ñóo&iì ?ß|ÿ’V~˜c¨µvƒžàfô0SŸFÜit8¬£"³®YjŠü/‘†]®¨ð†j’ý£_(¡PŸ‡l"Œ¼üÜnQÇè¾ifãµm‘“\ùJ ŽÐ¯üüÙ 7”‘8Çr{ÇvO‹ÆZÿŽ“&ü®ÊÇa?¶†¹òI·H^nLÃO(vû~˜ÒçÑÑ *ý×aR»X÷(HjÒ!$,·_ëPšŸâÓy ^)²Sþ@¹–NÆ~Ýy3%„¯àlë×n’S„ÿ+Œ7pf•âÌjïq‘Vf—q¨žH:úòá pî«zXº‹Nc8t’Í8ŒèÍsƒ1¸àe½k×Õæx»OƒÍ'ƒø¸÷GÝx„úyS2OøÇÀ„Öéãå§ñ¡Q@Ÿù×T1øÿ¬HsÍG[úŸÿmvúŸbš3eŒŒw阙Œ„ â‰BÑ*}Nùøÿµ§¤ÿ ²¼^÷endstream endobj -889 0 obj << +894 0 obj << /Type /Page -/Contents 890 0 R -/Resources 888 0 R +/Contents 895 0 R +/Resources 893 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 862 0 R -/Annots [ 892 0 R ] +/Parent 867 0 R +/Annots [ 897 0 R ] >> endobj -892 0 obj << +897 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [173.6261 554.783 242.2981 564.1926] /Subtype /Link /A << /S /GoTo /D (the_category_phrase) >> >> endobj -891 0 obj << -/D [889 0 R /XYZ 85.0394 794.5015 null] +896 0 obj << +/D [894 0 R /XYZ 85.0394 794.5015 null] >> endobj -888 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >> +893 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F43 604 0 R /F42 601 0 R >> /ProcSet [ /PDF /Text ] >> endobj -896 0 obj << +901 0 obj << /Length 2361 /Filter /FlateDecode >> @@ -2668,1902 +2707,1891 @@ G2 wT. Ò­‹Ì}™!ü ®Ñ!¾¹›W&ˆÐ·ˆC™ º3&Ó¤¹¦<ä <&±ˆÕþ—¼5Å+v¨aFó܆/*±»2‡î"…nÏBH(^ð«R§% ¹Æ(™mªV$9} ìæ§f劕׾ÅoüÀî».æ¶ÿ«^ã±Mk׸e©øÜ«Þîßö©/óÓ¯I™N¡¡£'")‹a±ö‘´4õcµútÒñoŸ¡Pðº&åH´lïåN> ö«…LO@¦ᜅh¹œ‚cœî66óIs“„sŽÁÕÚÇ· —T/a¿Çá’)áZ‹\ïu¿´ñy¼}†/ÃERèG bF¨)áRÇ}?õ ƒ“ŠxîKv¿º‘1IÒª7»¡?=€ú^ B?ùÙKó ”ÀÕÚúÿ5‰¨Dendstream endobj -895 0 obj << +900 0 obj << /Type /Page -/Contents 896 0 R -/Resources 894 0 R +/Contents 901 0 R +/Resources 899 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 862 0 R +/Parent 867 0 R >> endobj -897 0 obj << -/D [895 0 R /XYZ 56.6929 794.5015 null] ->> endobj -318 0 obj << -/D [895 0 R /XYZ 56.6929 769.5949 null] +902 0 obj << +/D [900 0 R /XYZ 56.6929 794.5015 null] >> endobj -893 0 obj << -/D [895 0 R /XYZ 56.6929 749.9737 null] +322 0 obj << +/D [900 0 R /XYZ 56.6929 769.5949 null] >> endobj 898 0 obj << -/D [895 0 R /XYZ 56.6929 433.0023 null] +/D [900 0 R /XYZ 56.6929 749.9737 null] >> endobj -899 0 obj << -/D [895 0 R /XYZ 56.6929 421.0471 null] +903 0 obj << +/D [900 0 R /XYZ 56.6929 433.0023 null] >> endobj -894 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >> +904 0 obj << +/D [900 0 R /XYZ 56.6929 421.0471 null] +>> endobj +899 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -902 0 obj << -/Length 2754 +907 0 obj << +/Length 2757 /Filter /FlateDecode >> stream -xÚ¥koÛFò»…€ûp4zb¸O.“Onâä\$NÏvÚ¢ ¥•D”"U‘²ë;Ü¿™åK¢¬¸n€îr3³óž‘Ù$‚lbT‰DNâD†*bj2[ŸE“%ì}:cþÌ´94íŸúþîìÍGÍ'I˜h®'w‹,FÆ°ÉÝüçàý?/~¼»¼9Ÿr:<Ÿ*ß_] •„†÷_¯?^}úéæâ<–ÁÝÕ×kZ¾¹üxysyýþò|ÊŒbpŸ{G.|¼ú|I³O7_¾\Üœÿz÷ÃÙå]û–þ{Y$ð!œýük4™Ã³8‹B‘5y„(dIÂ'ë3©D¨¤ÍJ~v{ö¯`o×]㟌Xȸx ›ãx Gxý”)Jïã2‡RÅ Íx¨Œˆ[©È¾T˜¡BMb•„ZpáÄòÇÎn3[!{à¼èÆÄJÆ€ÏÝnì,[<OWv{ÎL`é³á>ªU¹Ëç4¿÷òr¹´~­.CD`§ x wð/êó)p/¨êt[ï6ÿ€/ÀkV,i·^YšÌÒÚ.Ë퓧{ðN-C®™ð„ íŒ÷ç³<'Øi^•ŽÄ)x(WCRm‘Þçø²8Aèç,Ø>ѾÓÑŠ»"·U5F C.¹éø7G(‰Å’ùså¦ÎÊ‚`¯Rävl€Ã¶ ZY…‰¦¡•¬Î1ð—(âv>Êö»•%@Ž -š"-nb‹ºY#qoÊmí×ÍÅYžÁ¹¿û嫉Àt>§+•ßH‹ù~„x>:ŠÝú´ -¬d/ín¸‡ -'žF¡uP¤këÏÍò‘àîÊÓÆ‚ƒÐšWõ/ñÅÉxÊ™Ú{,€rרß “;Ûm+|~°UF7ç´<éÒCH=¨ÊÖcþ%RÑwt"[à¨ñ$<‡sLi6TP”u{î1êòÃõíÜð¤í*K ˆæïÐz¹BöOÓž­#th´élY4ö‹PojH -«âžÂîq™täEj}ÿØß4x@ý<9Èw<½ÅþøÚ?Óõ&·á¬\”«k/à?š}w{9v»úí[B?‡” -l} é”öŠ„ˆkˆƒ}/üJ×.¤ DPðDÂE$_“nˆãÑBêXˆÑBGàN™gÏ<«6i=[ üAò†‚å‚ƬYúUlÒÙïÖlÕ¥b¤²Ûgˆ0_—ó]Nnü@Q†Ñ®û0•–ËaLÚ¸ÍrÊûÆQiö¹ô:ÎwÂlî -âŸ{\˜±cfø a*H"iH˜<}vZ”×··—ï=G ïîn¯> øX—³2?à,úÖöh~:Ö -­Ô @67Ž³VF¡QüTV¥4Ð íx–Cxš’úžN­>Ãa[*ñ -_aä1ÆæÊo´šŒ묚•õån›bRàÂ_ä" Ã벶cæâ‘`†Å5Zô¬|°m, îŸh¤ìg `iÍ 1pFìæ%#q„¼F½*+ou OÜÇ|·%OsŸ-”ùôŒÒô¤ñ: wJ#ãÐðè% ›G•F&ê‹“æ(x(ô¾ÕævéÄ9-‹üé´]¶çA’6¹KŒ±Ô'1<ø\.+Úiósü¨WiM³Uú`÷gm>¹§4‹Ò h†*"yìdŽãõ¿?|ýr• ó·ëÒt˜x©îòš¾1 -à˜ÒÐ{òR÷¢©:øOYXša¬‡‰5X ŒD“WŸæg¬BžÈæ¼³ÀÒ¡«&T„2°zwß#‡²n¥NŒ*üÜBRJ¦y\“{*ò:­ë¹+=OÕ²x'Žâ½Zö¯Ýja: E uå”ëPq²Ñ¦>¨…E¤á5I ¶¢uÈXdúÆÒªA×MŠg)Çal0HlYÙXþ¸mªÏÛ -õËü\ñ¿M×kpž‡²Uã2L$“¾Ê<„f¤,&KÃ}¸4ÆïŽTv 4PIå5Šè:Ä ™°0WCŠ]ßG0ȯcP™¸5ÐRãb1‚Cs(‚usƒEnߎ@œrl5Ø’ˆÃDpӣܥºÿuŠÎ“И8ªyžUµEëjNº!Ûüæª?÷Aõ_î>ÞùDüÏ↡¿ô¿wcÎâ!³tg¿!sÞ‡¿t lŸây¹N³Â]’7¶ñ<-Ęb^Öž}TÖ¾óý„!‰ ±¯õÚDõôŸÔ÷%]d¾SÐÏØ~ªÒ¥ýCUl ¼ëDÕkF B‡Š-8 º”…b­Rmâ±àQ›õ»í’F*×Ýlæá¥BJCž-Wõ£ÅÿÓB›Px`-`ˆrØ;ä‚JYk÷=´âb ÇáJ‡:¢JŽ6·Ë Mnzž¬=?í_ OÖgÏ!\×X³3 -~S‰‰ÊP7HŽÂ˜BÕ>èmb ñ€Kjy¤çØžšöRw ©^5£ÍB uúD“{;×í³Í9ˆdT“(×â´*Å*IöU©".Q -Kyû*`̾ -ÀJ›~âÇcV¯|OœGÞëóͳXøg76æË›ÝÖTu]5ç>ãgŒÄ±æIïoû‰+‚\¤ëçU½lE9p>AZø©ëÀÑYåôZdpÎu¼Hº¸Gi!nÔ.âZVöbf÷7û܆}ÂæuYcçrÏѵ‚€užB}Rмéã<Í첦$€äµrr‡]L§0µ®´P”4ú6"Ì2´×øÄ>!×½3 g„¡9¼s-€dÏ„Ô“!KU×Y];T]1ÓPî:æ®»Üï?ÐK›®Zã®Û.™‡DD»H8{®ÃÆZ4êBãˆI¤,1"¸ÏŠyESbÎ:…À/— Á˜Ò°o¸6´@\iï—Á OƒÙ£¢n'L0LT¿”l±x¯¡œÎ°1Ì»ë'i¯Ú\4-OÑ4}« ”Ζ€ÐeÑǽ?~¦ª·ç&ØÍHRÎ(¨þPå"ÎÖiQP¿ŠJ!NÖ‚CQnש‡NŦçî®vÍ2o‚#y…ãPÂ]üŠ˜×UÙêªêªšåN;…ð™-nÏí"u¥ž!î㬹…Vál'ñuÜkQvÁ ‡ˆìQîAÆzÂ=iA;vK¾tÛ"1­z›-—MƒbÏÌó&ÀdÒª7¥}#¿±"ž±i¨Ζ³‡4o×æÊäX0µìu¨‹‘l‡62¼±õìÍÖ×±" QÉÛ_Â@kD”à"ŽvDz¹õ¯Li X‚³rA–&4Šù^úOÙqãàVfÕm×t³±Å¼ûñ¯ï s¨ü9gØÃÈ·-^&rÞþ GIøhõ•˜„•_ÒWj(pX'ÂÕ3Ob©¿ 3?‚ùˆ¼jáþ%‰Cææ$®ÐuÍ3üá´òo¢ -œàf÷ªÖÑÞïˆÙz·`R7¿ÓÁœÚ9¸F宸&Š¤´DÆ{r¦£¨4´ës~Ù¸hœµÉ€vp¯¹—z$öOª`ÉùOZÍËò÷݆–ï­o\Ùc¥ ëjyÅݤµŸÙ¼I7*txì/ - ‹—ô{Á~.µÞ«ÿÚ ûS ‰©k¿ñ?ð0M“Å…¯ñAÁ#L¨ GHÿ?¤Àƒžendstream +xÚ¥koã6ò{~…ûp +zæŠOI»ŸÒÝì^ŠÝl/IÚ¢PlÚ*K®%'Íî¿ß ‡zÙrÜlº@I‘Ù!ç=Ÿ„ðObÍB™¨I”(¦C®'³õY8YÂÞ§3îa¦ дõýÝÙ›FL–a&w‹®˜…qÌ'wóŸƒ÷ÿ¼øñîòæ|*tv>Õ& ¾¿ºþ@+ ï¿^¼úôÓÍÅy¤‚»«¯×´|sùñòæòúýåù”ÇšÃyá19ðñêó%Í>Ý\|ùrqsþëÝg—wí]ú÷å¡Ä‹üqöó¯ád×þá,d2‰õä>BÆ“DLÖgJK¦•”ÍJ~v{ö¯ao×{?rÆ…–¸g âãt‰Ftý”kÍöéN¹Œ˜ÒHÅpÁt,£V*ª/®$‹¥Ô“H'ÌH!XþØÙmf+|€—=xx˜H«ˆ ÜíÆβŽéãÊnÏyXúlp¸jUîò9Íï=@^.—Ö¯Õ%Cb€vÊá ´ÿE}>…× ª:ÝÖ»Í?à+dD5+–´[¯,Mfim—åöÉó=¸§QL.=ãÇ/(A;#.<Üc–ç„;Í«Ò±8¡`R +=dÕé}Ž7‹Ä~΃í}á=¯ø±+r[Uc Šˆ %âƒOpr„CX¤¸‡+7uV„{•âkG1¼°-ˆW…,‰eÜðJVçð—0v>úìw+Kˆ4E^ÜÄu³FâÞ”ÛÚ®›ƒ³<¸¿û嫉Át>§#•ßH‹ù}Äx>•& +ŠÝú´ +¬d/ãN¸G +'žGiLP¤këáfyŠD ;ò´±à ŒáÁU=¤Kïâd<\ïÝ @¹kÔo÷AׄÉí¶ >?Ø*£“sZ€7–éÒcH=ªÊÖc—þ%Ôáw‘-p4 ×BSZ  eÝBÀ9î¡.?\߈Á ÏÚ®²´€d.ñ ­—Û!f5ãŸu„OB6-‹Æ~ë-be¤°:ê)ìÞ+“n€Â0@­áÿ›hÞ‚'!ùŽ§·£Ô™ý3]orËfåš°\]ÓxÿÑì»Û˱Ó}ÒoßÑè9¢ü€haëcD§D´PD”È@ì{áWºv©b&!‚‚'’.BõœtB:Ž™‰¤<-Lî”ûç™gÕ&­g«“áâƒ$o(EP.hÌ +¥_åÁ&ýnáÁV]úÑ)&L*»}p†óu9ßåäÆeà¸Sé`¹ƤÛ,gࡼo•fÿ•^÷ò0…{‚øëfdXÄcqB˜:"¡ŠI˜\}vZ”×··—ïý‹Þ ÜÝ^}¼c]ÎÊüàeAÐÏ0„-x…¯0rÉcså7ZMÆuVÍʃúr·M1)pá/tx]ÖvÌ\<Ì°„A‹ž•¶e2áÁý”ã,¡,­ $Έݼ¤q$Ž×¨Weå­®y÷1ßmÉÀÜg e¾Ã =£4=i¼NÂÒ¨ˆÅ"| ÊæÄQ¥Q‰„úâ¤9JÁT¬¼oµ¹]:qNË":m—-—ËŠvÚü?êUZÓl•>ØýY›Oî)Í¢tš¡Š(9™ãxýï_¿\`€DeÂ|Áíº4&^ª»¼¦oŒ8¦4ô®9BÕ(”bFé9¶PÓ>Ø!w‡ØæûÞÝue2´NŸhrïd°†(ŸAÝ<¦>!Ä %NúEŒFíëOEt:rI#’a†BÇ•6áDøǬ^Ñò<[ èÂ_©¨}87àš¥‰öšTTÐl춆4ªë£9‡=c6 ð'Í­[o9Þè“#vÙG×Á«zù‰vè|J´ð)Q×s#Xí4œšbçz\$OÜ£D7jüp-+€z1³{ˆŠ}ƒ}¢æµ×`¯rϵµÖYé<…Š¤ yÓ#Æy:›Ù "äMéj…BÇ]L 0™®´P”4úÆ!Ì2ÚkubgP˜L"8Qh€w®è`ö¯€˜z cÉé:«kGª+_Î]Üõ“ûºiÓGktÛó˜ˆi÷“ˆà/Ð5pÑX}†]010…ü›‘Ì#–Á}VÌ+šÒSà¬SürÙŒ)  ç<èt׆ˆ+àâr€€b6Ñi({RÔß„ †ªñ +Ò+nö¬3a+XÈ8p=]§Ð¨ÚB6MNÙ´y« Ë–€@@À}N÷ œLUoÏã`7#I9£h°z ÊÅ*œ­Ó¢ ?‚¬‡¢Ü®S.‹M—ÝíÚcÞG2 ÷B‰p+ä^WU««j¨«2h–;í”Ò粸=·‹ÔcC¯³æZ…³Ä·Òq¯%Ùºÿ>!²GÕÇ,[®=ù´ »%Gºm©ŽØU½Í–˦±§ÿñóúÏUÒfÕ”åüèø_+TL¹¿r†œ=¤y»îÔV%Dz~ÀiL—÷|éb$9‡<¡ ol={³u–u,çO4nÞÄOP&øû‡ãݱ‡lný-S(à¬\™Iˆ"±—íS2Üx·U†IôA—5Ýll1ï~ëë{Ç +âç¬zXñø.ÅËD.Úßï(ç-¶’8ácÕ–òÅž +Ö‰qýŒÀ“H™WQ>"ïX·x¿IâÖ:‰kô[ó '­ü¨ Ï“ßóì‚ò†{?fëÝ)Óü,sêÞàU7¸âz&ŠríÉ™@QihקøªñÏ8k35lá^s.õD쟔üÃ’sž´š—åï» -ß[ߧ²Ç*?×ÄòŠ»Ik?³y“hUhvì iWôóÀ~ê¶õÜ«ÿ¸ ûË …½ƒ~ŸàašžŠg +o-£ƒúFÆLÇ"aýÿ1çendstream endobj -901 0 obj << +906 0 obj << /Type /Page -/Contents 902 0 R -/Resources 900 0 R +/Contents 907 0 R +/Resources 905 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 908 0 R -/Annots [ 906 0 R 907 0 R ] +/Parent 913 0 R +/Annots [ 911 0 R 912 0 R ] >> endobj -906 0 obj << +911 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] /Rect [519.8432 252.798 539.579 264.8576] /Subtype /Link /A << /S /GoTo /D (lwresd) >> >> endobj -907 0 obj << +912 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [84.0431 240.8428 119.7369 252.9024] +/Rect [84.0431 240.8428 117.8035 252.9024] /Subtype /Link /A << /S /GoTo /D (lwresd) >> >> endobj -903 0 obj << -/D [901 0 R /XYZ 85.0394 794.5015 null] +908 0 obj << +/D [906 0 R /XYZ 85.0394 794.5015 null] >> endobj -322 0 obj << -/D [901 0 R /XYZ 85.0394 451.0558 null] +326 0 obj << +/D [906 0 R /XYZ 85.0394 451.0558 null] >> endobj -904 0 obj << -/D [901 0 R /XYZ 85.0394 423.9067 null] +909 0 obj << +/D [906 0 R /XYZ 85.0394 423.9067 null] >> endobj -326 0 obj << -/D [901 0 R /XYZ 85.0394 301.4703 null] +330 0 obj << +/D [906 0 R /XYZ 85.0394 301.4703 null] >> endobj -905 0 obj << -/D [901 0 R /XYZ 85.0394 271.3564 null] +910 0 obj << +/D [906 0 R /XYZ 85.0394 271.3564 null] >> endobj -900 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >> +905 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -911 0 obj << -/Length 1236 +916 0 obj << +/Length 1228 /Filter /FlateDecode >> stream -xÚ¥XÝs›8÷_Á£ó U|ÃÝSš:½t®éë>µ Âhˆ"Ñ8w×ÿý$KØà‡L&“Ñ"vW»¿ý`eÛBò϶ü±[aìAÙ¾•”3dmå»÷3Ûð€Ž ô¹Þ®fo®ÇŠa8µÊzº"ˆ¢È¶Vé×yx!5 ùÕ§Ûë›÷_–—¡7_Ý|º½Žæ×7.4õ~yùñãåòØ‘oϯþ¸ükµXêWÑñöæöÞ‰õò„Òåâz±\Ü^-.¾¯>Ì«ƒ/}mä*G~̾~GV*Ýþ0CÐ#ߺ—ÚqìXåÌó]è{®Ûí³Ï³¿ -{o÷¢£øÙ:®Äê1€žcÙ6Œ}ß èÇ0p÷€ íJTBósA®½ü,° %©„Á¯Áe‰åò›k?ìEYÀ ¥™(Þk<( ¤Æ -—DS5k„¦h½>>ü«—oÈGš2âë‚rÃòßA §isVÛy8!¤b[S¿ëB¨‰_ÝöÞ£!TÒ%/‚¾ëÄG¼ ½#ßr**(«ô®RM|áxKg Ðs|èGÒ>zšÑí1JŒ]/¤€âSðpQ°{Mf¬1{zIXYv–pbŒd™^Ž¦× Ñ+Áœšn91NlÌNÙ‚Ö…áå¢ÝœxË üÓ¼ý‡U„Ã1”Açpè‡atÛ7`³ZA9!#P0 öW95ºUäƸ­Ñ1F½}(ÛŽ ç{¾ @gÙH !;4||h4­NΔRèBz±Uœ„UÙÈ) è¬QiWßFT'FÐC‰²tÀ mo`¾)B)g91Œ¢P6âCˆ$ßO™!ûdV|æaÍEC«í¾rÖš_wäœqq,úîi\BŸÀI#õšjý¸¦é9™”6$¬1E^c‘¯Õ9£&É^& -8GÜÁ.#Ín±×ÏJL Jš~ÒÍŸ÷[Õúˆ˜zxÜë'9-ȻҶ¬'0k£JRªD•M…&|ò5M'ó¾H½6Jup”Ó"„¯Y³®Øè)¸9¨výpœH‰jŸ‰¬QÀ*@vTœ—²Mþ᢭M¸÷ôZÔè¾#€þhI—~çMʈHr°-Z2Å”¬hyöMVyÀóV¤ì~’ï9–"E -’‚Êþ4 _UГCb‰€ïÌlЖÒŒSÒŠ–¸ áµìRd’mÝG $*£&ÙV1A³Ó  ¦²« šP1z¢ì)m¯=ž7¯ÉÇE5±§'?»²+‚š±b’û2ã…üt—5`ƒ9™”ÿç$¤Â›bR¾‚±;9"¤¤ßó4-šVFWIΚþÛsç—Jd#«]!:¢ó™ŠaÍ=nÒÓQ’UÅà ˜mº¡RÍ…ãõ¤u&X9 ÚÎÄñ³?bî…~=Ñ™ejËŠHî€þÚñ—Șõ³³õ ç3còø§('Òú^ð Ì4ØÛé -ûxúQ„¿† ÓbèѶb y&û±ô+Ü©À œ¯K,ûlïž1î©VÓkÞ¯Ð"\ñÃXñBE}¯NÏ+LjëT}ûLÖËyëÇ®¾®Õ}u䢊£ÿ«¯ÅÇß |¸Xœ;òí³Ë?.þZÎúU`l¼½¹}§Wb=ï—ªÕ1õ$ð¸× Nr2Z)¸Ò¶¬'kP%)U Ê¢B>y‹š¦“e%ÿ­Œžj3Óÿ¤j 8èi•ÂW¬YUlT·"Õ¶€Ï)hX)Q7‘Y XÈ–Š)Û¤mmd7_é•Îðô{Kº€= )#"ÉÁ¦hÉ(YÑòìʲò€ç­HÙ}5E5ÇR¥HARPYÑølª¼òHŽT@‰·¦›hË5iFuJZÑ !¼–uLÂÖ}Æ@¢"j¶Š šÊ O!Ûº  §²€MŠ´&KE@<ÔÄžN~¨e5cÅqñBþºÍ°ÆœLŠÿŠs’Ráu1)ÞŒBÁØl*RÒ¯’z.šVž8®’œ5ý·§Ì•Je-³]1:bó…ŒaÍ=nÒãæ“UÅÃà03Útm¨ê$ÇóIÛÚ÷¼²¥µ‰ k¿)Ý)=>SËehËŒHî€þ>ò×5Õš˜Õ‹Ýø+Zíõ(ãòÓ%Ñ÷òì¸å 0ýco¥KìÃî’þjxl˜C6kÈ ¹k¤A?à ‘Š ÂùªÄ²Îön&'ÌôŠ÷+­Ø=+¢Áß7"¿ç¨ðL²4vµu}¨î£#Q´oíùÚ{øMÀ“7„(r7Ú~ 섲#¤JyëFOw÷ã§Ðÿ¢¸Œ1endstream endobj -910 0 obj << +915 0 obj << /Type /Page -/Contents 911 0 R -/Resources 909 0 R +/Contents 916 0 R +/Resources 914 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 908 0 R ->> endobj -912 0 obj << -/D [910 0 R /XYZ 56.6929 794.5015 null] ->> endobj -330 0 obj << -/D [910 0 R /XYZ 56.6929 769.5949 null] +/Parent 913 0 R >> endobj -913 0 obj << -/D [910 0 R /XYZ 56.6929 752.2028 null] +917 0 obj << +/D [915 0 R /XYZ 56.6929 794.5015 null] >> endobj 334 0 obj << -/D [910 0 R /XYZ 56.6929 693.9224 null] +/D [915 0 R /XYZ 56.6929 769.5949 null] >> endobj -914 0 obj << -/D [910 0 R /XYZ 56.6929 663.1642 null] +918 0 obj << +/D [915 0 R /XYZ 56.6929 752.2028 null] >> endobj 338 0 obj << -/D [910 0 R /XYZ 56.6929 628.9495 null] +/D [915 0 R /XYZ 56.6929 693.9224 null] >> endobj -915 0 obj << -/D [910 0 R /XYZ 56.6929 601.0964 null] +919 0 obj << +/D [915 0 R /XYZ 56.6929 663.1642 null] >> endobj -909 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >> +342 0 obj << +/D [915 0 R /XYZ 56.6929 628.9495 null] +>> endobj +920 0 obj << +/D [915 0 R /XYZ 56.6929 601.0964 null] +>> endobj +914 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F57 628 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -918 0 obj << -/Length 1174 +923 0 obj << +/Length 1170 /Filter /FlateDecode >> stream -xÚ­XÝsâ6ç¯ðcèŒTK²ü1÷”KIš›^®¥ôézÃ(¶jÍI‚mï¯ü…m°Á! òþv»ÚÕ.B–m>Èò)´IàX^à@j#j…«‘m=™ww#TÊ€J4¥ÞÏF?ÞºØ -`àbך-º|hû>²fÑç«›Ÿ¯M¦c€©}åÂ1 ®}õþþá§b%(7Ÿnïïþ˜^=çjvÿé¡XžNn'ÓÉÃÍd O‘ÁãRCàöþ—Iñínzýñãõtüeöa4™í}iú‹l’9òuôù‹mEÆí#’À§Ö³ùaCØZJ u©VâÑï£ßö -oshWü(ñ!õ±×@ê5ˆìË£t &yY§Ï`ëµKô’+¡ÆÀµí«‹‹"É•š¯˜—óX(]¬—ùn„`@)Ε=Æ,ü{™Æü:Ø6Ø:`­Á:•ºM([9¡5u¸—é(xdïyÒÄd.A…¼XÏ‹ùúENî•’o«¿À× —; Ò y©§TP þ´©½7–½)~ü—ëÂ6˜xQ =‡Ð\ãù«ÊFã…Q…²j¹ÐÒ_/ú¦â€ôêÇÇú3tá) C×óh;¢Më ¾ÀiŒ òl÷%¤.p_ê´gCÙ¸íôŠ}Z²D-¸Z¬8IK6«G.;sã”nô T‡)ÅgLõN›*êp ÂXð¤*Û$7R‰-ŒP\ -ƒ"_$Óü,ŸBðó2úe}ȆŸTZ¤Ò”÷a2¥ Fà™ïó5¬X²+×ëüFÝ- ¨|ÏòÂ@G Ê‹Zzm%þáƒÚâ_&¬‰9êk@öm®Ö<ì´¦fº8–m†ë1͆" -^ WMgˆ¥Íþ2NaÌY"’'Ó4—[ŸÕ’3©9ÓC …‘\pÁB>b\ѦŠP g¦Óuj¶|÷Š? ÊäZ-s‘ -)× •QÕ³K-ùJk;ŠîX¯“Üïòcf†7­ãAsX²p9\|ˆt9‰'`¶FDBï:7êDê­DdšÛ²“<+胣ûDá¬eºQ'ªg”4ãšÒƒåµÌ - ”€) Ö쨫œ –»Í&£–ù>4Zf_.åÖ´wPÃÖ`PaéèÌîþ‡™TivÐ.dºl£—ÃcwˆÎu¼Üe–Dñ­¨vlÍôrž°ÊËw}·:ÄtyBºî`ìý¸WßøÔ×aŽ}}ï/sÒ¸Ì!¶ }x©Ì52ß_ SÿëìMendstream +xÚ­X[wâ6~çWø1ô©ºX¾œ>eS’fO7ÛRú´ÝÃqlÔ‹•Y¶Ýÿ^ùl0IÆÒ̧oF3£±°ƒì;ƒˆ†®ã‡.d3'^ ódçµhJ½› ~¼õˆÂÐ#ž3™5°ˆ‚;“äÓÕÍ/׿MFã! ]yp˜‡®ÞÝ?ü\Ž„åãæãÃíýÝŸãë¡ï^Mî?>”ÃãÑíh}FNbÍ~?@†sží ‚8 ‰³¸ŒBæRZ¤ƒ?¿o³…j›ÿ ˆßâ@æ7ˆ± CâSÇg!ô(¡…£4•Ï`µL"ÃÁLªçH%"{¡«ËG”$Šk=]D&žOS¡M9þý§Ü–À†Œ‘âÚz“™9×B¿ì1âæ2å/Â(ƒ$ZK‘€µ VÉ,¥2û„ò‘óF•Þk0òyž™Ùx#•R)/–Óò¥‘‘[pKòmñKò_V\m€–+ó +§(µþB mËgÊ—ÿ +,‚($Ô-$ô]Ê +ÄŠ©Ú†Æ„…ÂyJî™°‡¿.ñ1a‘vâ“cü\»´PF çû¬ÛâS/0š`ˆ}äU¤Ü.RîëŒ&—à7öô0"ûa´ˆ¾£¢LϸF,8Y©–­\µÆƱ’\™Ë´D’žY +w(õYÊÄK§‚guÚžU<^)-Ö¼‡FÉIs%¢”ñ¢l=»FCCpÝ‹~•ßVeÅÏ2ÚzÈt›Þ‡Á$3¬À3ßÆkñXDÙ¦ßÅ7ngT- ‹=+ãÿ­ôéÍÂÒKkAÖÃ=µµuuª­K÷(+±çCê·¥T0æE µR´ÔÒF.aŸBê†áI^E ÙQóŽ©ÙöÚ[º æµçój!†¤èöŽÄÔ€Ëܶƒiu›÷"·…>$¢‡ý÷³®#(„3÷MéY@Û“°[i›;]ÞÛp=•jšÉÖÀΤ³M?w3]ì“·u·‡méûí±:£»HCb~)9<£TKP²ÛëµöŽÚNà²(õ”ÍÂJé{çÉ#¾ÎHåÐâïuÀýmÝšÙR¿SÈÿMõ’Ç­:±´ÝűlÓ]¼lãõÕ(ט‰´>túˆkc[ðË8Å)2ûaOÃÕ:JÏújÎ#eydú«‚³(æ}TpmŠ±ç¨ˆuÿeŒ\J»å›W|Ähk;™µ÷Jin€TI}fW(ÅÈÞv”1Ü2¾ ò û%²Í›1i¯ØÎâ(žŸß%OéÊ_â Ø­‰0›Ö:­ ‘%e¶-¯äyB”îØK%×"iÕêh%m»¦MùºóÉ V Ò@/££SåœÙ|f#j^tà}½e÷å"5ÜXÍØv÷âµ.T:ªÙí_ø‰ !óB;Sr¢•™÷÷Ý¡v¨Ýêm>Ô×”¶]Ï íÇØ«/ƒv7e®íaƒ€lïy\Ú¸ç¡Èƒ ýšTn" ™ooŽ©ÿOªWxendstream endobj -917 0 obj << +922 0 obj << /Type /Page -/Contents 918 0 R -/Resources 916 0 R +/Contents 923 0 R +/Resources 921 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 908 0 R +/Parent 913 0 R >> endobj -919 0 obj << -/D [917 0 R /XYZ 85.0394 794.5015 null] +924 0 obj << +/D [922 0 R /XYZ 85.0394 794.5015 null] >> endobj -916 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >> +921 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -922 0 obj << -/Length 3234 +927 0 obj << +/Length 3146 /Filter /FlateDecode >> stream -xÚ¥]“Û¶ñý~…Þ¢›D0$8yrâsric§Îe:$“R"$qL‘2Iù|ióß»‹ø%J×´w ,°Øoˆ/øç ±(É"NB¦®›ÃM°ØÁØ77Üá¬<ÒjˆõÕÃ͋בX$,‰D´xØÖÒ,К/²Ÿ—ìV–_¿}óúþ›ŸÞ½¼ÃåÃýÛ7·+¡‚åëû¿ÞQï›w/¿ÿþå»Û׊/¿þöåwïh(rk|uÿæAj.,úîîõÝ»»7_ßÝþúðÝÍÝCw–áyy ñ n~þ5Xdpìïn&­ð0ž$bq¸ •d*”ÒCŠ›oþÖ-8µSgùÇ&$ðêœ*0PGLé@/b•°H -ixH?­6éfoVMþ»¹]EA°ÄÞoÍÑlèóK<%ZqÎ¥„›×nö«Cz<šl•fYmšÆ44áÉ4¿Uõoe5;óX›­©k˜¶+NŽâ/ -¨÷’š»/øÞ¼}s×Má“õI$LV6«Sv¨<Ö¦žÝM]Uí*3…Ù¥m^•«ª,ž@DÌ2Ÿ6Å)sKüË­”L‘7-}ýá0gWþp2õSQí&<™å)í<Ë›t]˜UZìª:o÷ÇϬ:¤y9ÚG‡ò¥ÛÂà"± Ó:NÆ{£Á¯C±èÀ[ÜN¨YŽnñ– `¹êˆìiHþlÓÖLÙÒç+óKˆ2G ‚¤eFŸštg-9E %‹Â0²¤ö¦ÛPÄ5K’$dÄñ;8_L‚ÖI©^3Øœ”ËÆ´ õNGjwEµN ê÷Ç‚¶Â6\®›Ð˜Œzë'jÑ@0ê>ìs7mBð:dÔ´vt¬XQocèf”ÂmóñÍà=Ë(Z¦ØÄËMU"ow§:%îâB -ûˆT²¼ß°Ý›ú–륡‰¸9ƒÀÍ06ÒL' ž³1tÁdL8û¬(¸e¢Õ1 ®‹jóžº „aÀÂŒp©WCÃÈxämã„6ˆ˜VI2ѳMO…ºÇ¼(¨g¯ Z¼.vf‘9‹9*Œ™TqxÁ‚Òjˆe h8ç:,RÚÚlÚª~šRNbo­¯SöH3”‡÷À²ˆ1iÔš•jùXÕïórG°!+›ö–/q_Zm©mýœÆÔAbÀ¯¡ó©Y:ÔÌ`ºnªâÔ:ÜcÚîÑòá‹dt¸Ö¹”¤ÔÝ'g ¢±¨Ó ÊN† €é{S(m¨¥³°îGTÑHk{ý‰ñ¸œs{¤„;!†—\Ôo†¶UMCÕ´Ô³¬æ¹êÔOnˆÕø¶c¤8#_;±ìȼŒÕ§rFÇÀÃCH#œŽ¡[ƒÕEtç Ôü9C¸Ak!¥c¼ÑbeÕÝ{Ž§1j3 ÓmCi:£IË3ݦìu@ûÏ.H´3Q¸³±™Ó¯B¢­ ðÉÆg¸)p;vSB'Ó}ˆ$Xn-¤:Âã>Gƒ4 :NÆi%ÊÛ´nÑRé„DÁ¸øžÆ€M°¯NEFK®ÝT´ƒ¶õJ3õ€ -]4Na”0üºqb]6NR}ožV ç1CSr•ºGš¡>2Pp‹J)9&ÿ÷½Ug,¦E;8±‚ë|•È74x:f©55зv -³9uþ à¿W¥i¾ ûC’ʃ3áÐãÀ Â2êñ´.<=ŒN¬Y -¼ =Oó´` uzźX;Ìmu*­*…É2ß^ØËÖm #Dm÷Ös -¿=èÀaÇ8“®/¸0ö`ª3±åXÁ[NM;öŸ©Þ:Û_×—‡HÈçw€uEp=Vg0WŸsS© 4,‹b{v‡uN\EC¹å¨ƒQ§ØNJ݇+Ò…TCþ˜ÖÌ™³$a²0gðî[šam.A%‚¬…–RNÓ°öZ{aÛ'´÷ HÞqÛÙðY„ -òÂ..³tj†e ×ÀKÍ‘Lì®N I«±B¢»TY/zqŒ4íwcŽi¶³=F/RñÿfG -RÙDy×1ØQ±Á7´¥1™É¾Ä-?ZèöTnðâÒ"oŸ†@_O9…x­Û³c žpúiLN GeMTBF0²ñ«*1ĺ¬ƜRÁ3K„Ïï°f¨l9OX Ñ÷˜<™à•ÏF±)¸KSfV¬•“HåïDžе¦]Ūhö)Y-7èPw¦4(CÍ°‰Ä¹8Ip:2 |‚øð—»Ì’ˆº AìúÎ1á èÞ¥ŽY¨ñ½oŠœìq»8rúÆ>‰›9ÙQ³‚¹ë’ kåÕÒ|Ú€;ØТô+oiu›E"ažBëÚ…pé-|Ãa83MÞsFœ¹€…º‰¿€ {sî$VãHË ´ž*Rbêí²O½#Æ,“h`~gÓQÕ.È£ÚìÐʦŒ††~"œ‰"1TIì­†¿[©²,ÈqmüÃÓÎ0œ Å”H¤±‘Œ%üùuº’ úËœ¨ß„D¤X¬:S‹ 2b@êã0ÛÕ·˜­?æ ÞºT·ïÜ3Rº@HvCÁ˜‘€úS”'ê;^JræØ^:^F+j…0€FæíÍ'WnÊw.?ËB9ØŒùÄ>§]\¢)°îþ >†#>®€kèw\ÈÉ¤Ô ô&ml˜(SÏURpúþ ´Ëõ™Í&¢ÈË]ùB&Ê4zÇ°Ïð™+’y;‰}$pÑc-XùÄu1ĺì1:¬žÕ{Ô¸ù êÚÖ qyDM¨»Ì*^¾¢(ØŸ«oMQ(aÒd ÅUÚ´vÖÏîr¸„¼ ¼{ èP1µ†zT€B2§f#k‘ ¿,H@/Frua皃Äe61¨§3Ž5 ¡þsž &®Áº}îÊ}¬P+xÁ:1õ,O`¤¨ÒÌAü>ç±lE>½A¨côºdš€T(O“̨ËP¤½hw*Ðe,Vøç2̽îÝ´Ë*k;°±AÔõ'5oß­}]ï˜ÅŸÓ»Ö½óXÖCÙ÷”¾þ5ª -B‚0š0[tH3ÄÇö8„l@#ê®0WäZë÷-Ó zé®È–¤7óªr<«Ú®žz‘w<‰1F”×y7ĺ̻ËäÓáxuè~Ÿ!ÞaÍP3/b!&#òåÊh”h¹¨FFÞû<ådXgõù™—FÄÁ£4“yYÚ¦kx®¨}¤pzyÙ´õ­^ž6ü²Ê‘ð“æƒâ•ÀD6 -'Ï\e¶qš »ÊÖ¼ŠÄ PFuÝN„b\7iâ¨<Ÿ73‘€5+Àïaþ7½e >‡ëÖŠiI§çQƒ^Ï?¡®ºWÃ%ÏßG%‡eÂ$é){d³ 9Ó¡äÃâ欪(ÅÂH>óò0ĺ¢*ËF=æ€/29èô¦¹¤32bª«»è°f¶1Ò8²”ÌŽöá\V0ÐüBÁ¶õÃ^g@>psàAê¼µîúp8*Âj4Døˆh»ýÝ:•#VRk>å-VvN¢«Ité½ ÒZÙ'5gu±ÿAž‰ïhCqfîVæâg a’hØ%p -8=#0¬+ã±l—gÄDã#±–×I{¤Ò£ØŸ(‰Æ¤æ XdWã¾¾ÕÛÕAÑ«7ªq'#¶†Öº²š«mLã÷¯|• Ó‡XÐ Pò,ãéûGôäúÇ"*úß{Eêîýô…OõìKƤ„ö1­_Ô§òI\Áó‰Ú^8½Rrxoö›üzè£fåÞ§³/“9œvŸ¶4ö˜–®GU/|§gúpÙä»2-šñ°S|ƒ‡T–9¸ò€Ûî\•LÇã§ÅNò#U*Üg±r¢¸{æV㕳¹l!P~’ûåDCSœq±iv"g‹b| Ãæ”ì A²{’4k8êž›¡·öÄÖ”naÿ¤Àc΄ž–NÒò‰žŒÀ>ù ¾ðhô8åVwoJÐRø|¨>º—ªxù¦jݘ½ÓFÚ°1êÌÑ<ã°Kï‚­(Á’)5vC¤­5Lçø{Œž' Ý8_:L—a$ý/¶•ŠApîßö1@‰ûÇ`Wð÷†)7EÕøW -ŸedÕ‰2è8'vé·Wcà¦f,XÐýØåÿþ]Vÿ£5,ik}¡”*bÍB ‹¸MáIÃàÜð»poý?4ħendstream +xÚ¥]sÛ6òÝ¿Bo•§%C LŸÒÆiÝ^“»Ô››¶“£EHâ„"]’ŠãÞõ¿ß.à—(¹³.ØÅb¿)¶ŠàŸ­d&šëUªãPFL®6‡«hµƒ¹o®˜Ã ÕŽ^€!«›îš­‘/ ­·ôìüšÖ4Ac bÌ­Y9Ô +Ü`vßÖå±s¸HÐóáó˜tt¼×©–´ÔÝ' #%Óë¤1œˆÁ³¦"PÖÒ“ÎR¾=RM35@ 'Æã2Æì‘4sB ¯9¸(¨g¦¶uCƒCÝv4²¢ṉúØ=ݪõ/22á.$Ù„èY,@áåas¬l È„¸³1 k°{$É‚£þœ‘\>g 7h} d´bŠ7Ù¬ª;`x/ð4&GktºÍh¬M'4i{¦cÊ^<ÿ½ ~&‰´;[¸pú æ ÚBÎD7>C¦ ìX¦¸Òs>¸ŽÖ[ ©„ð¸/ÐÇà-‚ÓqšG²À.k:ô@Z“Š ¸'?ЉÉöõ±ÌiË{·ý }z£YˆíhBgSœ@Ψâä²scwN=Rý`ž‚³Š±4”i|™ºGZ >qPp‹RJ1%ÿϽ5g©¨iÀÐN­à:ŸÀ$Š Mò̺[?­ÙûxðßëÊ´_ÿ!Meщrèqa›õáx_zz˜X·GxAjvSMñ‘ØõÒ`0|®z%À‰{‡¹­•5¥X¯‹-áå0^¶Ž%̵ÛÛÈÉ={0€ÃNqF.]qpqê#ÀÜ<²Ñ©"C´<Ûn?3Ÿ¼õ¾ß.+.Äip©òÅa]P\Õ;ÌàJn®µ‘‚mQm/Ñî±N‰Ëd¬·LuÀê”Û ¡†tE¸” +a(Ó™%w¦uÈ¡xsﶣÖ÷à”Q"ÈÆPxR¥ŠsŠÖŸÂÓ^ØöÉí=’ÄSÜn1}汄r²Ï‹§"»a‘Â50Îæ¶`]ì®É!’‚Pc•Dõ¶ZkPzž0Ì4í{k²&ëz(/€!ög8’PkéCLj¢b“oxVÆä&ÿYà6´Ðí±ÚàÅeeÑ=€½ J!ñ:dz &žpú!'¢7Ã8i:cB‚'Œ¸¸lc¬ó&Ñc!uæT +žxò8TQü ñkúÄ—3¦}OÉ“«YùjÇPâ@¸4UnÕZ:”^añ~\ÚCëÚe +¥jI€vŸ‘×r‹á€ug*ƒ:”Ó +[Hœª“€ #tä Ä»ïoþµ H< W} +b÷w O@÷.T¦‘œÞû¦,ÈëÔå¡PÓ·6ñÑn匣4 cHæ.3$ VÒ›¥ù´p°3`E1ØWÑÑDÂ6=…§(—ÂdððB‡éÜ´Å U˜qîF”êj;ÁðæÂI*9æ‘Vè=e"ù’30­/} Æ*“h`}gËQ9LM.&(¢ÚêÐê–Œ†¦~á<^È"±”:õ^ÃߊíTY¸75¼šnAàŒËPr-|Šd,áÏ/Ó!W±¿Ì™ùÍH$2LeïjqÃÐ¥Pú°$N§¢|‹ÕúcÑâ­ yÿμ …K„D?M ¨°Dy¢±“¥ `ŽÏsgb ˤ5 Ix{óɵ›Š+ÄOªP1Bé©ØçÄÅ9šÛ•ñ_c<‘cöˆqÇ¥lpΧ†J¥:èMÖÚ4‘;¡žš(”$ôýˆ+õfxÈ“Äë]ŸùR&ª4†À@døÌ5ɼŸÄ181xá¡Jº1ÆXç#F5ˆz·œD=C»ÇZ .N“¨uWY¥ëW”Ûä3øÖ”å +&E¾Q\§ @÷ÒùÕ} §)º ̇‚Ž ƒ“SkiD (Ä!§Ñzj6³æzø# v11Ó3œ+—Û”£.$:ÖÆê¯E&ܘ¤ûµ+ó¹:@­âûÄ4²2™²Îrñ[øšÇ.°Yúò¡NT0ê‹i +B¢>Í*£¾B•öªÝ›@_±Xå_ªX°öºuËΛ¬c£¬ë/ZÞ¾ßû²Ýq(ÿ">cw#¬ vç±l„²ßS†þפ+ÂdÁbWÐ!-Ÿú㪠M¨»Æ4^‘{Ú¸o…ÙKE¶%=º™Wµ“YÝõýÔ³²c(¦êŸ5Æ:/»Ë:äãááŒè0üH?C¼ÇZ >^ÆX`LÈS–+’I¡å²‘ø`ì[ðT“aŸÕ×g^ÒÎÖåY—݃Â;pMÏGJGaTTm×\«õqCÉï)¯ ¿h9) d*ijÏ\U¾q– \å÷g¢Lø(QFsÝΔbÚ7œXâ¤=_´ ™€u+ ôtTÿÍoYDˆÏàºSBñ‘þ™o¯<„^-y úƒñ–§ŸUƒmb­Ê^!ÃEÅ,T±`ãæ梩İêùeSa]0e³sÀ/2Øô¦=g3" &T¹è±Ø˜Ø YHf'|Í(5¶¥Éf”/6”lf ì €MÑÙbàp8êéüh?"z`·OíˆUôn>3<é‹ Õ¬˜×2'í°!žŒ(,gB6;ãÃ_=[ïOI.–žÄ•ïÊ¥àn$5Ho]çØuSà :”¾©ìºÌ%DëÆ7¶­KÇn6q¥ÇVà®^²:ÅC¥â±Ñ…Nw–²|ÉœJµ¶mò Êʶ&XQu”GäÇÍb-’±ç¸|ZÏÄÇrvKÃ],š” +¾ªp×°©=å<=[ƒØwÖL¡tçésßGHçÔ#Ùš¹ÈÏX¦ÂïòJ\¤ëqNéNzŽàðLèÞ-7 )Ž¥C?qˆc£&ãÄÒÁ&±gÙ¹6¦ëÆmLë·¯|W˵”Ó)˜ f…Hçß›’h 7|œ£&ë©ÇàÁÁʽN¾ð¥µýr4kÖ}ÌšͱzAzò¾ÅXÇ#—zK1¾4ûNyTì«é~€˜C[Òátû¬£¹Ç¬r#RNü)ý,"^·Å®«™N;UÅožàóª +3µ3?K‚8Š¿%ZЙ¨ÿAÇÿý“¥á÷\ضUŠ/«OU+ØÄ1…£S3s¿m:eý§êWendstream endobj -921 0 obj << +926 0 obj << /Type /Page -/Contents 922 0 R -/Resources 920 0 R +/Contents 927 0 R +/Resources 925 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 908 0 R +/Parent 913 0 R >> endobj -923 0 obj << -/D [921 0 R /XYZ 56.6929 794.5015 null] +928 0 obj << +/D [926 0 R /XYZ 56.6929 794.5015 null] >> endobj -342 0 obj << -/D [921 0 R /XYZ 56.6929 647.683 null] +346 0 obj << +/D [926 0 R /XYZ 56.6929 636.7498 null] >> endobj -924 0 obj << -/D [921 0 R /XYZ 56.6929 616.8659 null] +929 0 obj << +/D [926 0 R /XYZ 56.6929 606.5729 null] >> endobj -920 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R >> +925 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F42 601 0 R /F43 604 0 R /F56 622 0 R >> /ProcSet [ /PDF /Text ] >> endobj -927 0 obj << -/Length 3384 +932 0 obj << +/Length 3344 /Filter /FlateDecode >> stream -xÚ¥ZÝsÛ6÷_¡éËÉ3Cð àäÉÝ^zÓ³û˜¶4 YœP¤JRv|7÷¿ß.v‘¥ôæ’–ÀbñÛOH,|ø/*öü02¼Øñ"ß^ø‹'ûáB0ÍÊ­†Tß=\¼ù> ©—&A²xXæRž¯”X<¿,ßýùê燛»ËUûËÄ»\ʼn¿üîýí5õ¤ôx÷ñöû÷?|º»º”ÑòáýÇ[ê¾»ùþæîæöÝÍåJ¨XÀ÷ÏpâƒïßÿtC­î®>|¸º»üíáÇ‹›·—á~…âF~¿øå7QÀ¶¼ð½0Uñâ^|O¤i°Ø^DqèÅQÚžêâþâ¯nÂÁ¨ùtN~Q¬¼8ˆ’Å -ˆÃ„6+eßócÚJFÂq:)G³R¶T(å®Ïú²ë˼[ýêûA¥§ûQàù~,†“±à¨fx<ˆ(ñR•Äc&6úrúÑr—õ›:Ûò[³Æg¼ìí0shÚ®³Óí³n‰2Ûít]t<à¶Æ_4ô|ÙèšÈ˺ëÛKµÜç½.ÆD?»†H÷]Y?¡l&B]…Òó#?/cÂn[9|—7Dú€ì™F߯铺éùÛÎKܳ.¾…ž4àMÃP¡×Ù¾2tá²äb9‘´ð…â5Pª…wŠ›$õB)C¦-kZ„W ˆAcþÔÑX¾oÛK¡–ºff‹’Þó¾i_/…v[x¸°âb$>PXQf±uÓn³žTŸfalØÇ6ìÒ< Ýåmùˆfºë)bƒ¦÷EºBzAd4‹ÆÚ§5îÐuä«ý1rfEæïa»eS[x„.§ …hzÈ!CGäˆÎ³q4hj¬Ø"$*ñ”ÒófcHuÚl8*\q×´ý‘¥ðCOÅ*9¿ª£šYvd)|å©0MÇë²¥PËO×?¿yx÷3½n %—õ~ûHÆ@Y ¡T½Ó‘ð¨‹q«ËgTqÓ•Õ…ý´.\ïõí=}º3Ÿ4}“7¯ÕfkìCÀæüHEø`èüd‚z§¿A,Ùj 6f ø’ºä²ÙY|©¥íÛfe]½r_݇¤ ¼%lØ#I¯ÁÖOoá-Ë였L›éæQ’'Ž5 Dž³ßdµåÓìËÛ¼—²ªHŒÃÆ#«nöh•Í+>óf»Ý×ežõ<ðRö›‰ò?UÍcÆS‚èOƒ< ¼HúñW@> :rKe¬8À Ù® -ý\æÇ~NKˆ09¿¼£šY„vpô~¥c ÚEêƒÚÈåüŽ†Ÿ`} Š»Wê@ùâó‘ î÷X -7'Al: .€Ž›éd8|îÚr›µeÅÝµÖ…Õ p@÷7ïÈÐGÊ‘JLjovºÍÌú2,»}¾Aåxtô|øËÍ?©êTw™±­ú4µ æÿ\Y™ÓË~Wa›¢ØWùTk&þWSëÕ1NY© åŽ'6äèdWs€6ž©„u…¯´C ˆ}cD„ M GÐûšD¹¥·—Mi6 ™ºÈêd½ ’}'„˘åKfÄ>3Ë.‹ ýˆ‡Kü¾/[2a“uF[†:,á`³’[.R°fÊ[†öOG/ÅR[Rýe“í;ˆªÐ¢IÚR“iþ$¶ dlgÛtÏYµç•fÃœ0’^„á3….oà|ÞÞÎ…9Ê‹"uñébEì¥Q¥¢ƒõAft®A”Zi@‹œ€ÑK=£Ø¨vÔ2öó¥ì4ÊÁO­O˜XŸ @_XÎŽìÎdÒ÷â8bbç!`µ>ûŒ€Å¦6îh ñ ½{!sY -qŸJ’1î˺ìKkxó¦ÆSzÚ²¨³j2Ž¾lävð'>†¼m¿ß±5/·Ö ÔÅ8=mH†<`§ïöÈÞ„–øND¸hwÒ Ä€(Ÿ³N`HuÚ 8*é´z­ÛV«'Dâ‘ð1*Tç×wT3 Œ½@ì)Š1FwT0U™Ô*¤ -—UÙ™ Éúצ"üŠL`]WðÁ ½¬îÐÿÈémÙ»™õšˆ'á`†žH+¡“³¬å%+ -¶§`v½´¬U#‹®n?Ûè?£ } Ûe3Š$|r”¸Hê-Øxƒ•um1šÕ<5KËä±ûñöÅsfhŒ’'’`³!Õi˜9*£óMÓƒÆWúÉèÙªÁo -6©¼XJuž G5ÃÆl -2‰8c>.1jh1T¤‘¡s¶½f0äzKIôŸ«ðÆŒ›Î’'yøéº#rqß쨻ÒϺâÏŒi;öžŠm~AΪé O2ôNðd|ü4ˆÌ,¦vC¸é/yµ/ø¼Qg<çÁ3È„rŒÛÆ¥]cíÁÌì4bˆ³ƒ¬)«^°ÒÞÃö× ˆ®oðï·< ÍŸ.!µÿÛ¤óÓ=þ˜NìúðéþæÓl9¤N|"ì'ô½( ÄÀCû „;ÿ¦”D‚bj,ÈYšœÜhóø¦Ðß¼åfõìšûÎ5·|î·öõ?oé 'K‹48§p¡ <)¯÷CªÓ -ç¨LVv˜–¬²ê©i7ÛîXÝ|Oùò< –h†…‘²ÉØ“`ÚÇ<\˜™qˆ`µå`çi„ck38`׌ŒO xGùòµ±„ˆŒÅòOk¯p?QŽa±«æB,tD©à d^˜(åAöh‹LXŠ2–dN¯² -6AÁ#(ÍG§L.7Ü6<ìÞrklê²ÏÝ®*q²Seàë+6}Hub–ÊH¥îÀÁ­ª¦ùœueq<$!LÄg9pT3,Œ Ñ­ÊdÌÃß)^M°”qêñAF‰Å¡;È–§Çè{ Öè}Œ…~ÚŽÖaÔ) ÝKHÏLè¯lœEÆŸU¯ÛšJIºÜê~Ó‹o06\¥œLL¥Äªàà+rpÔ*ãL -†yzYåBp-z§»~æè’Äó…HþøÑAdà ðrôÉZb›µ V¬±$[Q'ÍJm>PN7BNý` Ò랺xŽhùYó>ö5•Ø1@å]þ!¢Èó5)ž[úUVç’©dµ&é²hM­ßžäèhZÞù6AÚ -ŸI²¼&·K}cÀœZe«yt¿.€z1QÉ`*yVÏ3 SÏ0΀Hqºf¿ÂuâæíNÀVšˆ¤+·e•µ&TÃ雉j¼d\ çæ›hß^eéêmCu`yFö¹ß  L™@ÐBTǾŒ’tzëÐMj -Ãý¸Š›5¦ˆ¬[üµÊô;ÃøÌÍ„- ÄþÊkæ|§ƒÿ÷É¿´‹¤*œøõˆŸÀÁ§Ò2…r‰Ä”ó8Ó©9Ãú\#ñUendstream +xÚ¥ZÝsÛ6÷_¡éËÉ3Bð§OiìôÒKœœíÜÍMÛZ„,N)Rá‡]ßÍýï·‹]P$EɹdÆ°Xüö“’ þË…Ž„$á"NBy2Z¬wÞâÆ~ºL³rD«!Õ÷oÞ+‘ˆDùjq¿¬¥…§µ\Üg¿,ßýõí—ûëÛË•yK%.W‘ò–?~¸¹¢ž„ï>ß¼ÿðÓ×Û·—q¸¼ÿðù†ºo¯ß_ß^ß¼»¾\II˜ïó +'&¼ÿðñšZ?ݾýôéííåo÷?_\ß÷gžWzäÛÅ/¿y‹ Žýó…'‚DG‹gxñ„L±»£@Da¸žââîâïý‚ƒQ;uN~Q E¤ýxF€a0 ô ªE%B~`X¦;GÒñ²1õ“©ñÀ „Ð÷–w{³Î7/yùˆÇ„ÅüÉb*N°€Ëìólõ«çù/VV¥áYC”ʋܤ,oÒ‡Â44¥ÝòÜ®± µ¬6Ô‘Òãˇ+j 7úÕ÷c·%ÍŽ>çEA­×SçmkJ^¸ÌÉÅJÆRø:ò¡%EAùKË—ËUà…KóGÞ´(û†GƒFÀ«c׃¡g})õÒìª'“¡c¹¼©Zk·i;#HßóDã Ó}Ì ÎDìKG”7´dJßÍËse·Î¾‡‰²hËïÚh{r;R'¦7´3 ;XÁø¾!‚f$»<ª)×EÕ˜ŒÞò’žYÕ=Ø€ö·Ј#Eñ„Ç^(t0š5 L´R®g ƒ£Bk³îêîÌÁr€ #D°ÀYzªFª~î- £h¹OÛ-ë¼YTó½”KGÑcû]'+¤mgÝnßLÆ¿u°‚©sÓ¤-µRw•ør ×²-^¨‹ÞY@Ôõ¼¥°WÂQ´_x^6m}©—ݺu—ÝVî²éÙðó9o·³ö"2T #¸.³5Ñ÷5g."Å Vš#ºÞòÆ&ö lÐN¡ Âßò¶eôef“vӦ߼â!_A$”L´S?¸¦LœãIƒÝSAÜótØJùÂó}yØCªÓÀî©pǦM[´Fëæ$²Úƒ‹;ËBO5ÃÃÙ¡‰Vј m´h[˸Á'C;®ÉþqÃá)ÓýÞ”›³ÃÑxFEO‹MK>Áá(ãgSi×Ì;®U /ô¢1À "&š™{ÁµªÄ ˆDœBÖçŽ$>†z$*8D´ô䉧¸Q‰Àk8PÒ&¼[Ћœù_˜æ(g3ÐVõË¥”Ò /—Œ¿ò€Ò‰ŠîÅ.e•ª6…;2«o¬„ͺÎ^b‚X?‚å=™,D2ÀˆF(Ò`ý¸ Æí»=ýj8á»Çë"ÿwpâ¼*]Èè r§¤: òžÊÚr€Aµ[eæ)_{G¸-)u~ûžjfÿqܹh&c,Úe‚1Qg!·æw4—øLPÜ¿PÊŸLØÙ˜Úö8Š~ÍašæCÇõt1>÷u¾Kë¼àîҘ̭j‡ ¸ »ëwøi +u2†Gµ7uŠ`nlæà/›n½Eåx4ô¼ÿÛõ¿¨êT6©5¯ú$q NàZ¾¦—nŸ¥”y3À¹òÇÒ0ñ¿! jP£„•ÊRîyaKŽ®v5hë‘J:‡(ÑýZ0@“¡È³FDºz$½oH”;z{Þæö°0ɆÒexiFoËd +ù7vûœqÏÔ±€Û¢Do âáߺ¼&6Ùgtd9Ôá.6͹EA“)(ifú:ßqvdw&Lj=E.™é=ìÖ¦¿ÛšÆº£ „(ôžuKÖÇe DZ©iŽ–·¹3¼ëªÄ[zìYÔYT)Ç`.~;øߺíölÍóse6ç@O¹TÀnù¦{h@ö6À´™%ÂMOçÿ¡’B{ú•üHuÚ ôT6Ò©ÍÆÔµÉVˆÄ#/àad¨ÏïßSÍ00ö‘Ð:c¬îhª2‰SH,‹¼¡|ÈÚ—½¡"ü-ØÀºÞÂ?³úª–ÏU­`ivXÕÊ\ç¡–cá`†I+¡ÓÖj´à%Í2¶§`vEÚ?†ÂÈ¡«†Ð.H]ÁÇÔ/C4{°l†“÷ûS™ù8qñ+ëÆaÔVä,IËf‘wóùæÅsfRC+_ÉƇTg`樬ÎWU _˜G«g« +C¼)Øb-¢8Öç¹è©fØMC*%rÌÇý%F 5æš42Ð`ÎÁ¶— †µÙQêýÖçj¼„1ã¶3çEî?^5DŽ"n«=uæÉ<½Â˜¶aï©ÙVà rVUKxŠ¡d0Á“õñÓ 2u˜ÚáfþX]Æ÷:#z'"1‰€*­TŠrÆ‹Î`W>”Ä8;À™²âå+#¶¿ú~xu¹Â„Í—àÿcÒùõÿNL'v}úzwýõ¶z¤N|"œ'ð„Žýpà!€}áÎ(%‰A1ýImn‚vR/7ZÁ>¾ËÌw?p³xê›]Ó7w|v;÷úß\…|´5‰œçSôï¯Øõ!Õi…ë©ß ViñXÕ€›]s¬n D/>Ï‚#šaa¤lq$b0íc®ˆÌÌ8Äô±ær°ó4±µ°kǬƧ…<€£|~mE¬ !"#¹üÆÓÙkî'ôƒ1,öÅ\È‚µŽ0‘ã0aN žZ@öèJMX²–dN¯ÒAÁ#(Íç^™úÜpW5Ó¢íÚÙ—†öÙç~_ä¸Ø)ˆA©â×lúê Ä••JÙ€ƒ[Uõ{ÚäÙqð X\ç9è©fXA ¢[/ˆÕ˜‡R¼ª°”qêñE† +òÍ ¿È–§×è …_Mù{Yè' mhFÆÐ=‡ô̆ðÊÆYi2Îø,ZS—TPÉrgÚm•ñ"U¿cS‚ˆý#›•»ü/F-áüQ¹’Ëâ‚OÊ5"® Aú"OqêÓG®Øz[ÃñX|ƒ±á.ùda*()§‚ƒYäà¨=TÆ™¬ót?tÊàZÌÞ4s_ü”ž”êÏ_Džì?ج%rYË`Ç ³uÒªÔæ åt#àÔ +³i©‹×°Ÿ©Ñ•ThÇ•wìó†Âóu4vŽ~•–ë-É4î?‘*þDsÅßÝäèjmo ‚üM!v¾µ¼"·K}cÀœÚekx´Û·V ^L”3˜rFÅ:-çî™…ifç@¨¹Ý=f_áZõë6'`Ûˆ¤Éwy‘Ö6TÃ嫉j<§<âæß–SV +ÝfNÙlÇ€ý¹Ä-Ø¢ii|Á䃠³ßüœ4á2Šñ›RrÞ„©N›ðžj T;„ãƒY5ø=ïØŽkˆiB?>ÏFO5ÃÇÈŽ'¾Hü ü +ˆ/·&¯É]®·ôÑ:¹Ä„Mä–ZV„>Y&;’ò¸(ìÉœöH¨’†ïd% áð•õÑ'H8Ž'–K‘©Êâwí*/f.J ø0Ø(‚‰uƈ¾fQ“ô[©b+]¯Í¾åvÙ<›º¡—|COXÉ’ªCÀ݇ã J­gÙ÷£@$ýï+æ˜gœbž +¶aÅöÀ°r]Æ¡§‚±]¤8õ: )B¢²^ð· è†,jp‘–ÐI鬞'ü3´â²VJþº’LF$ì´ ^Hæ–éÊÌ0錟šÚ„Ú*ó +Mݱ#üåQ/B*ÐMcO)´ê `.d‰¼ØÕY=†âºÍŸŒ˜ûÈ‹?è‰uZ@ ÄA•ûØ·çAjócUÆeœŸ9Û:ñƒ® ø+¬áõèù¿ìuø%„‚Öþ‰‰žÚObÇ-”SÎû_…³þ?ˆSäÓendstream endobj -926 0 obj << +931 0 obj << /Type /Page -/Contents 927 0 R -/Resources 925 0 R +/Contents 932 0 R +/Resources 930 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 908 0 R -/Annots [ 929 0 R ] +/Parent 913 0 R +/Annots [ 934 0 R ] >> endobj -929 0 obj << +934 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [250.9056 716.0894 324.559 725.499] +/Rect [250.9056 636.9561 324.559 646.3657] /Subtype /Link /A << /S /GoTo /D (statsfile) >> >> endobj -928 0 obj << -/D [926 0 R /XYZ 85.0394 794.5015 null] +933 0 obj << +/D [931 0 R /XYZ 85.0394 794.5015 null] >> endobj -346 0 obj << -/D [926 0 R /XYZ 85.0394 185.1414 null] +350 0 obj << +/D [931 0 R /XYZ 85.0394 101.0136 null] >> endobj -736 0 obj << -/D [926 0 R /XYZ 85.0394 159.4803 null] +740 0 obj << +/D [931 0 R /XYZ 85.0394 74.7058 null] >> endobj -925 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F58 627 0 R >> +930 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F42 601 0 R /F57 628 0 R /F58 631 0 R >> /ProcSet [ /PDF /Text ] >> endobj -933 0 obj << -/Length 3394 +938 0 obj << +/Length 3525 /Filter /FlateDecode >> stream -xÚÍ]sãÆíÝ¿Âo•gŽÌ~‘\>^ûêLã4Ž34É-R{©Š”}î¯/°ÀR$EINz3½ñx-Á],¾Xy)àO^Fq§*½LRFBF—óõ…¸|‚w.$ã)èc}ýpñÕM¬.Ó0U|ù°èÍeCa­¼|ÈÅ¡ -¯`1û懻›Û?ß¿¿JÌìáö‡»«@Ebvsû·k‚>Ü¿ÿþû÷÷W´‘œ}ó×÷¸¾§W1ÏñõíÝ·4’ÒãȤ÷×7×÷×wß\_ýþðÝÅõC·—þ~¥Ð¸‘_üú»¸ÌaÛß]ˆP§6º|"”iª.×&Òad´ö#«‹Ÿ.~ì&ì½uŸNñÏD6Œ”‰“*´BM3Y†‰”€“ 4¦{&›I&{,dr^f«Ýf¼W‡Q"’Ëþ„Ëz¤‰euoÙT†Q¤äpÙÛ.ùÕMd{˜6Œãµhe0™LÂT«„qÞȤ˜µË¢ѧ)B0$Ĭ)¶ÏÅ–·WÒΊ¬mè]¶ZÑ‹ÿÔUáÇ*ô&z¥‘Œ¾¦á¼.«§ýÇŒ»ÍªfQlyŠl?5 #£ƒº -òbU9ní2ÐÀA“€uH¦À¤¾DE³UY}„Mj«f/Ër¾¤ÑyVðXà3ž=ÒŠ»§eK/ü÷¯ôˆò›jNßÔÛò©¬²Ömq4Éš¿X– AÌJ0°$Ãì¡{µÌš,/ÝôÀǬªuû~cdÏãÌQZàÔ¼väD µ5=‰»näuò Ø]ÍamÖ<““ûð»uVVmQe€JMíq³– ’ŸN!Xf›MQñœeE«eýše½mÑa¨.³}ÎVïègíD¨¶½²÷íPJÕ)ñ²È¶í#¨gàgšÐ{«CoŽ¸Ä²Þ‹ÝjõJ?óÝÖqa2GsØgˆ{Šg·L{¶B®(ð™Ín³!á5 Yl¼±J=Úz½.ÈUÖ zòRbVÕÛ5ï`¶€’pø}mt P*~™‹l·jéGÙL¸ ë0I,󢪧ÜÓK(!mG%Q˜h­`;ìEð%.é ̘ä òбʃ¥/Êj,}ˆCà]#v °È99‹öïë¬i1¢x$à‡‘)ÇžÁ>ö üR:ßâFû¨Þµƒ™ï~x¸½ù…`2ÁqœCD\?Ï~™UöÌ–:rN¿‰H°(Ñmѹí×n…ÄÄh‹åÓ“£6f9 À\ˆ] -Ѥ®vëG:_ó4s”ý¯e")äWêç’Ý< ;Ï‹˜àuÀ‘Nî‚Ø‚ ÝÔ/ìÞz*˹±šžÀýrægÒ=ÞÞꮊÑ,R*Ld¾äxhQ{.Æ>ª)Ú¡$‘7ÑÏ x÷j0h)Óð¸§R˜zµr.ßMHµt"Tç[dÄ•@:Çg}…ŽãqÀ‰Gç3i¨¢Î8½·Mac­·7ÛÙ›Š}t€Åã<3|ÈN®0I‚{6íîqÿÆÛ8bÌé a2@7a/Â> á§Ý*ã¯~SÊì)ÃlÊá×ôÌÁ'"ã‚ŠÓÁ”/xÍ%krœÌÀ¼·¥ó}ðƒb9uåÂ8@›b»€HJ?€H†^x§É‘@¡¤ - üøCy… …ðšP|Ú”L-­SòzYž—l¸zMOôhh,îÏwj¨ô}Mﹶ&ì8ÕÓ›²rÞE¥}•ç—òàR^†¹,!ÁÊyô•ž»† ¥ 2IB›ó–‘‚ΟZø”&&á „»nì7ÀkЪ쩀09µ:œðl—½Ñê5œ¢’TÇC¾m²¦¿3ekQ¨t$GÑÑeäž.ötÑJ¡§{î%ùo³Oãp:%&V੽Â7pÜëBð>ÅÏ7r°sÕß‘LiÄ1OÂ¤á ›9|ÃG5A»v3Ž~Ü&þxáS¥8bnÚÀÑÜvÉß›Ì-è>lºgxï8îx§<`n…Ö¦>+=¡$&ÔZ'C%Áiÿµk8Êäe“=®|ÖOÜ8ƒƒC¶†ãzAªAèq ‘†µê-Å@:*£tXùs_y:z1÷(ô€¹ô’Nø=Æ&¡ÑZ)o¤”M¾B¦Éà ïŽ?uî26f³R“¨FG°d¢“¬½?ë Å$*L!„÷éÿßX‚Ì72é%òŸ‘Ëp:3I’N×®:."6щ£Ÿ ¥ôª?Ê„!eW9ci)°ο0C€G"žj’{=º¾`îÁ™8šÂiîÅ œS}¢À–š0Ùçrö,ãÏ&YÕ#âó²ê³š3œˆ¢8‰Ï° -|­ŒŒ:/ ¹5¡W§¸Õ£ã V,H‰b©ÌnÓ ùguë„öÈø‚™¥’0Žu†YZ†Êh{&ˆáÖ[\VŒ/ØeÂaUžaD•µI?sþó<;eŽ=r>ÓöÿG2É$cX~ SZG½<­C.SZ®‘!“ÙŽŸ…= ‘ÄFÅỺíê)û”dŸêôOãü¼_ñröÛu -NÖ;†àÀ{¶*¨€Kû‚ñAòêÛg1‡:²út­u¼ÇÖa¹@ö±J<\ähC«´>½x‡5±ºu¬0ñpù[<·CÚÃPkfO©á&¾ëJ×ð¶¨ðdÓ‹¦\ïVÜ%R¾üˆXõcS¯ -'xþöî'h—ƒ:78xûãÏ×÷W¸þr%¥Ä>RŸžh–òYX‡JŒŽFUA¥<²Ôþ¸Ò›ŠgL${§„ ÛE+8-ÛÒqÑz$'Ù¢/ƒ§Õ®8¬ -c%ôÉ…;¤Ã•bàÏEoÔ· ‚™ÝË+6~Œ¥ƒ•ËX“ -À0³ ;Y¨€¤ÇØîàØÛ] q$cDißU˜g»Æé¬Áõµ¤W³\=²³¬m‹õ¦í—”,­È%ô0zÔ%Z°ÅÀ'¢zç€ù`Ôw›aW"/óê/ /©¸WÕ°QWM»½²³Ýœõ=õ{À×ÀœSÃÙ²6ã~NW8ÆÖÇ‚Û>270uN•…YŒ/øÒÕ}›2ç–*ûÁŒÝaÆ¿á}¶¯8àà¢Ã¤ •íqS1ܪ=g+=¬Æâ±è4&ô®Y®ïŽ½ðf¹kóú¥:0ˆÉ6ÍiR:¬ Zô¨øçüÿ€˜PãFk®{iH?³uÑ5oàEñ TGÎú•ï -XÉŠò™úðåO·®ï¿G¼OzUódyÍ‹`ëc9mOãP%V µ=«^9hr¥uÜÈØ–mѼ©:¬íc5Tv&{R,c!-¶WH}[óuJÍ°» ±êÌ•–>Öq5ë°\%.ƒ]¬ò`¾*±qy \J‡±–æ4ÖƒÍBv“dH÷Ú’¸sοdUuç*tÂw?ß¦Ø ´vöp•‚^’â™$RË¡Sââú¾úé×ÅÏ ®¥îosÐïz1¥iÀcº mB2#ýŠ-8}iþà ¡¨©¾x‘ܾԾò»Éð¾Óê„2iK¬Ò+o¶k—Aõ)¯ñù\e(Ò‘ÝN“­Àù(mÞÐuó†¹]Ì•6ÀDJN1 ü_Ç«cÅ0c"_0.!¾Y~Ü" ê¼µg,²‡uÂ"=–“{Ý´^%(›¶œZ$:¦§ è°&(Z$¼÷6$Áe@‘ìEG—GÒ'ÁQâËòcQlØçJîóÊYoiáZ“øé3¥½âf‡§!Ù»!“Ñå¹Ï‰vƒlÎ}ðÀ¨¢É¨1R¶Kvõwþœ4ðn :ÈŽK[ÈPÚ8:#íÖ i{,¤ÔÝ÷ÿ üD…ëàoˆŒ…Á8–É::¬CB¢xd·QjG”øäÊìsd€iLïO09­Å«i­$_š2äÆàL72ÌwÓñŽX´]I0”AÂë’"·Á¤TbK?2z¸k„ :RW5·We¤¢ÑU,¢ÄHPV—ID ÀmE÷~¸¤ÿI¹Þ¹Â&]\ä»} -oPSzxaòB=<­D( ¡ÀtšóMøµ©á˜6ųӭÏq‡üµÞùDÕ뱿ÉÁ]*¾l±kŸê}Ñà`ƒÜ¨»”É µ]3Ù2á`w ßÍo©¤¸í7H›úmÜ?‘ûøò@„™)—gË’o½_¼¿|m’®+wè/!ïÄCŸöD!áFz * éÍ!éÿÉêEendstream +xÚÍ]sã¶ñÝ¿Âo•gN ¾‚Ó§Kâ»:Óó%Ž3m&É-Q{©ˆ”÷×w»à‡DINšNoôÀ°‹ýÂ.䥀Ÿ¼ŒmdS•^&©‰b!ãËÙúB\>Bßû É8Ó€4íc}yñÅ;«.Ó(µÊ^Þ/zs¹H8'/ïç?Ml¤¢+˜AL¾úxûîæýwo¯3¹¿ùx{5U±˜¼»ùû5AïïÞ~øðöîj*],'_ýíí·÷×wÔeyŽ/on¿¦–”>G&½»~w}w}ûÕõÕ/÷ß\\ß·{éïW +ùõâ§_Äå¶ýÍ…ˆtêâËgø#"™¦êr}abÅFëвºøþâ»vÂ^¯:Æ?»(VÆ^Nµ‰¬?Îe%RR§‘ÕJ·\6£\XÈål×,§åoójåþž¥²‘QR^ö'>X¾ÅY_÷Ö—ZFF(3$àf«~ñ.v=Ô4J´IazÄxÉkBΖD©VŽqÞ\Mµ’“f™— ‡ê³ÀÄ‘2‰äAoßŽÍ ·2 < ΗLŠš¾Ùê9{a¸ÎZ¬*©áöŸ_üðöæ–þm¯¤›äõ¦*ë¼fó§œq‹}‘P?IoŸòm»P¬52R‰K’QÇÊUV°®ré$›5»lµzáp”Õ–“¬)žr|£’É=.€ýó|‘íV~¨ãöØ.Š[Þ|Yñ‡ !”¿n#p‘ðÍè3[fåcNK.* Öê(MEzZúXÇe¡ÅòÂPd«ÝfYg£8ÉéeÒȲ}HeÜ“ÃeGí¼‹,Bç'éì¼’‚í<8Uf§­ùôtRYSSH?uü»*óÐVSÚaü½PKgv y^yÙ +ƒw›•õ"ßòÙŒ,[¦¦fd4êÛ<_£\xÓÀAP¡¡ˆñ‰LuOVEù }…S“çe1[Rë,+ x@gÛÉ­¸{\6ÔÆ?¼ÐH\ ÊÏB¨ßðX”àpCˆÓd?Âk(BÌJˆ‹@EàXy±k™Õ4Ù¼ðÓ<³JoQàxcÂåŒ3ÃÐÒ§f¤Es"šÐÖâ—¸ë[^6 yuÒö_•3Xc Œg"·9‡L¦P©¡®nÖTð× Ël³ÉKžM®– ÷B‡Tƒoõ^@Mp™íS¶zC+¿ ByðL{z(¥©âežm›Ïi˜iDîŽ\l‚n°aQ“eµÉ;òùðw¾Û²íSÁ² A Ì`ŸÞÊseÚ³UÍF´Þm6lÑê<Ä€«$Ñ{[¯ÖÁÖ-öŒÅ5ïaÖïR{'áñûÒè)—@g— ‹K’$q¯K"ÚŽJb$5Zt¶"äŠÆBC 1©q!æìŒäÞ:ZEΤ1£µ¶?uG 9 Cj+~ëM>+pïÞÉAƒwrl½FH¨ßXy*òçJT ÷÷dtSN·‘‰? ‘‰ |±"gÝ€’­AÙ|È*EK+›#$–Õ¼3Á·z"C0eÆ;;ÀH¡/GÛb~à=WÕC+ÿ}Ò˜!1É+ÎC[7<>})ð¬öO£Líb6 °È9‡úï?ë¬n|@ÎHÀ#ÓpÇèOцî?Þ¶øVo¾ªvÍ`æÛ÷7ï~$˜Tð×]^3Ž7ˆˆæé–YeO¬©{Æég V#%šm#Z³¢ñÚaP¬-êbñø詵|0¬w¤ª4ÂånýP}¼BÓyCÙí)#I!»R=læ-EЬÒÑ][p!ˆZUÏmh׊ /ÖÔûÅÕϤ^g@tC¸Ø…_UY‚cjC·žÂŠîNÕÞ‚¤#¯ûׂ}ïÂ÷ªÑi)ÓðÐÑF!LµZ…¸øaÔ±@¨¥¡ZËØ F´DDÒÚ³¶Blj 8`ĦGç3i¤âV9ƒµMaã\Ð7×꛲Á;ÀÇç|ñ®he{®Ðâ£xøÖÍî¡…þÖƬ€ƒ9ƒ"L +è'ìy¸½Ôü¸[e<êg¥LGFS¿¢ïl"b0.ˆ8M0;÷¯¹dI¶ÉÔ{[xÛÈ—P•ÞÄWúD2ôÌ;MŽ8 +%á¦~W\a"!‚$ä¿mŠîVë¼^6Ÿ¬¸zE_´h¨|ÜSzjL‡Id{¦î9žS=ÙxW”Þº¨´/òÜàC^|È«Q1—Xsn}¡/¥F.åI)kÎkF +2kBhBn˜˜!ÜuM`k¸^ƒTe˜Ù[]DÚ;X}£†[T’j;šMV×`wÆt-Ž”Žå…F´tÙÑeDKõPmÄ~¸ç;É~›.ŒÃFBj…˜X€Çö +càº×ºà- Åa‡9عêïH¦‡4b[ áÒ°‘Í ÆðUïá~FâÑÑÁ­bâŸg¾UŠ#ꦋbׯR·i;h°éžâ½éR‡Ìãȹ4D¥'„ÄDZëd($8í¿v5{™yQcÖ¤> Ü8㳶¤)R ‡ní¥Q2²Iš¼&®GeœóálT £B¥€Æ ˜‹Á0b8Õ4ìijD%ÊÄGÒ)E“FêHK)wxý©æ>b3ñi6k!5IÑÅè–Ltr€ÕÙ³þ¡˜DE)¸ð>ýÿKùF&æÁe&QbÓ#ÕŠ–ËBœ8NO\ýL$eý½H3Ë9cjiêÜa†)^‰xª1îõéúŒ¹çÀ4H#OsO; @ˆäD‚ Sè],×ò§ce¡>sV%˜KIÏp +cb{:\2kD¬N1«#ã3æ•¡ÝfÙOaÎxü³¢uB {t|ÆÜ‚‹Pjœ=Ã-¬ôjöüÇ}øn½ÆbõÈøs™%ÿLfiýSŸa†“NÈ~àüÇyvJ{äüYLëJùÿXH‚ã›Y$Åð­ÀA)/ëŠã±»ñ`ÇÁi¤½*p$.±t,·UÓ¦Sºˆ¤‹tú—Àý𼟡B6¿m¡àdºB¼ïžM +*¤59[lUqŠœ>]bëc/±µX>}ʧÞ-B48˜È)­O/Þb¬®÷ + N;\þ¯íõ„»™8¼d¤¦­ÓÇ]æz©œ:§ŽºXïV\$R!ûˆXÕC]­rðÐL¥uh—ƒ +7ØxóÝ×wW·þx2–‘úôÄ“”¯Â:RbïfTæ”ÉÁKn+½ù(wÆDr®wôp%^6ÏnëÄá,¸y3[NW»üðlUd•Ð§×n±Fœ­H"+ú;éÕÑ­ëNÐ&“¶ÏÓ—V“ @33 7š­€[¦qíí±·Á©âHØwyðk¡´0˸‚o]H²%½¬œã’›dM“¯7M?¯ähEÎ*Ù$rz¯@J´`¯EÕγAk(-ÖÃÒļ˜—axIF€8µ†ÅŒª¬›í•›ìf,õiØ!æMΖ5uÚì1Ö?\ûéŸþDc9Âî9Dg ŸÛäo]̹®ž°QÌÂ#‰yží½88xà6ªHøêáˆÂH«À„XyZaúXǦŢ+™Ð»z9õÅw,ˆ×Ë]3¯žŸ›gv©5§Ii±FhÑ{@ïÄüƒª7ZsòKCš­ó¶‚þ}ŒœÔôo¾Ë `!Ë‹'*jÀÈïoÞß_ß}xC¼Oêªx²yÅ‹ «ëcyiO->ïÚK¡fåKx8BéÖýjƶhòúUUÔa‚S¢²UٓDzo!¤ƒƒíeS_W3™‚5;+f=¬b°|:.ƒ]¬æÓÙªÀêåá[FY-ÍiZ¬ +›UÀ áê€.¸%¶5ÎûGN U%X)–¤Æ'˜±}½Yù’«Onc$F¸\;ð(aÎö]’ïà ƒ±)–›Ü_¥ —$x&‰„ÔrOð(ÃÞ¥@=àKùóœªÝ“ú_-Æ$ ¸cL§œÌž|YF_šßùH(ª¬/^öHnž«þÝdøh„iõ‡2ªó¬2ïÁ£Ø=rý-#ìM'[‰È(m^Qz Š¹]ÌåS §ä³æ\Nª¢ÁTFÈàßòl~ü¥YiuF;œ¯ÌÇŸxU7S|IPÔM1;ÔE4':MO-Ýâ¬=ÔCÐW0jýÅ}ÔËþ Â7ü„½nxAÈNñSžoØÎJ.ðÊIúþËBÉ|<ˆÛÞƒdïiLF¯fdìKÙìÐ>.jˆÅôhä(.Ï&0^ûö¼{˜oðÊèÔ8wÁ7a`¨QÈ]£åHDJ[5Bú%d¾Pendstream endobj -932 0 obj << +937 0 obj << /Type /Page -/Contents 933 0 R -/Resources 931 0 R +/Contents 938 0 R +/Resources 936 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 908 0 R +/Parent 913 0 R >> endobj -934 0 obj << -/D [932 0 R /XYZ 56.6929 794.5015 null] +939 0 obj << +/D [937 0 R /XYZ 56.6929 794.5015 null] >> endobj -935 0 obj << -/D [932 0 R /XYZ 56.6929 511.7419 null] +940 0 obj << +/D [937 0 R /XYZ 56.6929 434.0333 null] >> endobj -936 0 obj << -/D [932 0 R /XYZ 56.6929 499.7867 null] +941 0 obj << +/D [937 0 R /XYZ 56.6929 422.0782 null] >> endobj -931 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F56 618 0 R >> +936 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F58 631 0 R >> /ProcSet [ /PDF /Text ] >> endobj -939 0 obj << -/Length 3651 +944 0 obj << +/Length 3508 /Filter /FlateDecode >> stream -xÚ­]sÛ6òÝ¿Bo•g*Ÿ$8÷”&vÏ‹sç¸3½iû@S”Í E*"W÷ëo Pü•^nb¡…šàAvxàQ˜Xñ>w¤úí6Ð8Ü„€!ŽÄØ[K J0ßãùEËæ%+q¤—¯íè9+³}Òäå3>‡Ëý57ËvÇ^£Aí¿d{‡!/ -z£*‹#Í%ë5 IZÙßuMpM5@—VÈùbzÃâXƒ¬@TZ ËsóRíó1K±LJÄ,9’È›¼*“‚ÖI“ÐJ¥¸PÓ¼Û Ì9„Ø¢i>ä4XÈïL³,xƒL-×Y‘='+JPêeiŸ¿dÝ“¼Ê»ÖßÈãK^“ýl“# òíξ[YL0ád–»l¿©öÛ¤LÝDµ@¸CE.9ünem’CÑ8õ„â°É´rjQVSšãX'`dì΢"¦‚8‚WæÍ®5cvÊšl!ßÙ*-“í„Ñ…œ‚Ðó ´Pô6†Œ¤é³àN,ÖËj‡§Oã×ÄN†ËCmÕ¦r·ä|/Œ X]‡Ç¤(ªW7¤ŸuµMèµp‰¤Yÿ’|q3^ ùöþÍû2JDÆëE„‘ÁI)-wÔôK^ í§Q£ð×jÞÝ$Àº;K -:v[ÃUð:Ÿ¯ÉÑѨ›}ž6è$+7ÄBšÕ"´;Ü_›å¡ £ËSÕ¼8.½ÑÔ 9æÉD‘9k"Ÿ€zAæ)=và²ú¬Þ†L€Ëyµí×ZD–Ôä›ãHW¹"®å,ÑhLµo–QÆaØ#;8 ÀÙdzáAð@síÃz=:¨°õ"èÎÀéI9ý]¸ÿðxwûoÓ¬“g{Ì°ÒºV\ª³²¡ya @ÿ©JDô`ÅœÌ=ºyòµVíeŒá^öµµ <µ\¦/I Ì ÃãT6: -#ƒ³xJH öR¦Åýó‚ÝSñð«î Ç2‹|}¤XD¼AR4äFH›7#Íh¡.ð0ÆFž{¥BCÑÙèëÄB\r#ôC¸Ü¼´Kx:5=9˜âš r·»ö;‡Ý* “#·dO’ ÄJ<˜¼¦Ù9‘Ê;ÕÚ?Ž[]q¾®sô–%œ)¯~üð†ï½óQÖ…dÅÚ«7¦!¥{ßn~“òØ%WÓC»ù%2®®ƒ¸´¤¨«ÕÉA ’†Hµ™âMà<½[e "Ì gBGÞš³?wEžæÍ1F°¨“F±õ]V*èW#ÙI“"åT§]š‘’КNzªÈ‹ LJÓ˱ „˜òz~æ¥ þèsÃÎ8@„‘Ô_Ÿä´‚ v;!×™yŒ®·¬­˜4¹¼Sò×9®ÇI  ?¥ag¶,9€1ÞÓ Ø7ä6“ÄÊŒFOýÖ»,=™…KRpaZYy¨ñDZz"^è@C€w@'4Ù¶ ‚SR´^_òô…†iR;~ò†~!×ÝïÁhë9nVà⦠îÉš¶Žšfâóâ -#°—!‹èE¸¼kèå×êP¬ièÚ+:‹9KÑIîôhõ–›Ã¾t¯lðÌ7n™²DœöY"çn5wÓÄ¥‹°VÞÕ-r«\Äto·é>©_Î&0ã»Rj>ƒéBOaZ(›Cféa_ãF†±S@ê¡â ¤[¨ Ú=Ó“Ê[6 ~Æ­iÃþbkƒ›Í cA97§Ÿ?2{¸±h뿬nj‚rÁŠdð}K‚§ú m ¯¸")5 n»pš²y(NÝoBPü„äµÚrN; §t^tÒù^qÊ(> ˆªIY¿Z˜‹u8 ­qÎÑ5ŠX¡DíBo[„Àê-,Ô™)'4Ñq¦Ý)–•U\f½£{¡ ÔÉúH+ŸJ[ët¹r¬B°@Ëå’ÂÒ)D’—trÆqë,ž“îôµPÖF6)”3fÕwÙ¨lâJ2Ñ<ùj‚~Ͼ±Vú½qH¹oGÕ„ U…LÏÚPë@Šë`ÈÏ!B›x*)g[ÝAû ‰åšFTSE­†i`å™~ͱƒÒA¹:ˆ…ƒw}9\EñDezÕéxÚž úóú¯w¹¶BæßÐy„*êÆp!#MiñWÜ3Hc¯MÌô=˜_)6 Ãó¸è=¸ÜÞÐT+Ï6ŽÆ¥î*]+YÜ$ru ¨h MÙÍÞwÄ¡C¬lGËÖr?\¯B¾|„ÿby3n4Ê ¸„ÚChl@|ñyáGű$¨ÎØîö$;ñÃÝ–/ÞU°§Ew[óª‹Úî˨Þù  T Sº·!+2Ëãµ`Óé!ßî -›˜“—7Ôçƒ_×C…Q<:zá:”¡\t…ûmç% öÓ˜\¬N—LߦMu¸5 ÄpÍøÆî30xÅ5ë[(”'8ŒU¾^íªª¿Œ­Œ]´cÇè¡ÆÔuØ=K(Ë™uí‘?]c´å;Í=ÕU‘5Sa„¦tØÍ£øÄm¥o*Ó¸¨RìâÒ£ÏÚax÷ÎÍu|Á]ž€hΆ,áÅʦÐÌ©8 _/¯°ØÌ!‰HÇ·ص`FÌRoÆäûñJÜĺGÿLÝr!¿"¹ºuSèË“ÎE_Ü^ôAE‘VEAÙ‚ø=Û$/6(¹ÃK“²½ü  -©&Øæ;”e3ˆÆw+Í ñ2²ÃâKªÀ”#c÷„¾ÍšÐ¤ZøÆÊušaæ)©s×À|:º®&Rݧ“vte -¼s§#Ò=a‹`2~A¶o$÷!®Û 虲>~¡ë¢ÐuÅÖÝ4®Tc®}§vÀ"f·VjÂà‘–ý\ÓölwííôÖ*wcü☤{šl‹0OwDçšI‚E`W¼+?ÐÊá›(¿ [u×WÉ6ÇÛ{*+\PŸéK÷ ->MèÂOØúkïV>û‡Ì-ßtØ€gz}Ž‡ºÄÈÛì­0‚C.yácŒ.Ôy7ÛBµÁïOðú£Ì‚n %ö,åjLºùÀâL‡}Úù€¥N V-Û¹ó‘/X t´)RÂöeð½cu A™Q§Ö]@Àï:¯“§"£‡»_oúË ýì’=(ó¡HöôÜ–ÈTo®ö¥3ÔFL‚Ô ÿ˜—ö„“®ùßi3ÃóŠboe»}õ%_Ÿkh``’F…ƒ–¶»ïÞ’Åp -,ÚË¿ ¦Õ‚¯:ð·eC¬Ó¦e†ÜH¿ ³ƒ|¤gfžƒ!¦NZ4*ç{Ä!$˜¡ùJy´à¸bÉCr”ƒƒÇ2eNfžüÓ¼{‘ØSÑ÷Òšq/jJkûÉ58 Yð,õj‚|Ï¡*P?Уߞ{s*©ëtŸwì£ÚLØÔE ÒÁÿÅöÆö -@þ÷6:§`þ–Çx¿ÖäP'x÷¬&ÎC]bc„m^×dÙB_(ºP3ºæ¡¨ loÎèš ¸Æ4G½…š ß×5pÅûäÿ?ª6ÜÄPÕ4}qVÕ&Zª¿Ï9Uóðv<ÆûÕª†¹”¸pì-Ô%6FØ濥ÌB~áSºÐÌ—tÈ~@¹Ï’f•R9”Ô«z—¤ãïbÀ)@IÎòЙèL'B½Òåµ ?{Ó·t0p—£Ê}ï3®3#C?¶€ßmò)s3Vs;Õ©8én£zL“ý>OžÝ½k%xÆ2ôw!©.ïv²$䀒±ör~ÂT›öö~Jý%d‘ÚàHK6Ç×K²OR÷á«„ÒŒ ¿åkÜ7¾þ‰ Ì¢aêÕÞYÐåˆ]Jè‘×mçVšäÉÝ×X’ÍéÎøo8Âå&Ió?´r/U²v—1]©À$ÕÒ8:}€‡Ë¥c…~~¹¿ûÕ±{„m{î3q©ƒ3*Ö6J¿ùòÓ÷õ* -¤1⼿0"ŽgÚ!›ÏYYwð·,ÿXï®…–Y[œò  Xâ‹<˜ :ÊÊ(•3ñ°)[Ü~5Û®ljÓœŠšÇ¶©ŠÎ1u"y dx + ·ÑmGß¿dé¾%yÇ^Þq/ï8²D£kèutvÏe]x›¢Û;zÉèÑí²ºÍòîZD=«Uó„Ü´DŽŒKµ&c"Nb}.¶ÖÍŽ·uîäîô"«hò?ã æÑÃuÊ#¤¸6ÀfpÜ„ hJpŽžPFÀ+1 +ȨÀÎêâká™Ø6m[>V…Ç~»v»áaÒíâÐìIGë"è/‰G«²ÍàsziöÝSSÖOAÅO÷“ÿ£ý!¿·öGz߷ᜇš+“”Ù$¶þ ·»æk¹*Hg´¶hm˜´`\73ŠN'(ΛK@[¹Uú²Ñ ¡Î[]åÌ®¬Ëç¬ZîŠvÛÔmÑN,·BÚË,ôP3<Œ¶kfÓXŒ™ c>^ʤ°Avbl‚¥J†Ãpg"°g Ú©ž@ÇvYçu!‰HÂŽ|Fƒ¶Ø‘:"†²ªè‹¦®4—­V4 $yãž«–àHè²ý’,<7OS=VånÓìÊ1+e5bVI”h*NKaa•u­´…³¡–æýaÈ$ÄMÓø˾¤ÁŠ@þË5/Ø“³1ô4Uñ”9¬(A¥Á¬ðýkAÐ#YÁ§‚mRŒ<'p背û¶ùLlãÛbnç9«ó`©ëÞÏ@èz+«bí«ÇÚÅ‘`ŠƒgÕìä«ffÓe«;]0:älø/!/ó:{ž±¸D@* õEê=ДühŸI”QvDߟUªQÆÒ$D)˜*ý’wò0²â´^³ªj^ü«Aáîh6Ào²¯~&È€ ßÞ½ùpCf¢KcÇf215¥”ãN‚~-›*£}à4ê>.áàÝÝ'l;°°ÌãÀ¨RŒ¹øc[•yÙÍЊ!ÐInI¡I÷rBAçjÔ K2±× œöYžñu˜H'Õ¤…ã}‹ÙåLÅKÌx?—åCÒ=,¦>–ŸñšA +­¿=ÇéAìBžó]ïøT{1iòxÇÜÏVÈýfK%0S)ŽYØ™-+`\ŒTö IK$q€2£ÑcAÏv[äG«ð™ +.ÌëªH4“€<çŸgÂ…f¢¼‚d¡s¥".V²§ð²)ó slP¸QÙÑRÝÝl¶½Ä ºPûĉûÚ:jšMÏ‹+1`.§,¢” õàã—f_­hèÚZ':‡¹ÈÑGîôêô–»ý®öŸ¬ñÌ×~™REœ©"—~µôóÌ猰ÖVãµ=r§\ÄôH³ò]ÖnÎf11(Îâr3„:ŸÅôP.‘,òý®Åœ†N ©Gœ¾Bº‡š¡=2=ù WcâgÜš¶üO–¹.¶¹ô0•”x Ê_ðý˾p‡›Ê¾ü+Ú®%(«H?öa°&x*¿`Ð×Àð‰¯‘RêæúF0M)=Ô¦þ™”8"yivŸ½ÇÎç|N?ªM9…' A5«ÛÇ÷¡´5!ºF™Æ(Q·0Ú!pz KGuæ±Zè8Óï+áÆ).wÞÑPêlu •Ïµ+x†\yV!X *¢°t!½¥õÜz‹ƒ÷l8½’©ôftXTÃÚ±†—Ù:DΔ6Bµ%4wMç‰t›ÌQ0 §®›pV 9*b78@0˜´eƘàò½Ô°ßõ Š¯—):iÍ„Ô'3¯J€p±YGÔ4nžéíɳ /IhŸL€èͱåGøCKßäY¾)þâÝ]G`!;ÐC=ùºx¹Lì±ðüh½"ðl¶LÌjêĤ¼hã{B}˜§ÓÜ—ýµˆŠ]‰E!Ó€žh$uc`Ðv¤ˆ%‡3¢YWó㳦¥1Á "X8‘˜ )«ïQa+ÁuØœW‘ +*ž=„ɹ­ùò6”Y®Ô]­¼ªûŪi>ï·­ïý|*|â¹ð¹‹•!,®‹.ß,Ÿªý\-‹EÐ÷ìöÙ ¤dÊŒ~% €Î‡ ä dC)c—Ýa[LJ&kH«¤¹H»š™6x]‰ +fÍuŠínÔ̸$f&áúr… E$·†<"t A RZöe tOH)W4¢bÊÌtz8&€M`o³Fˆ/€xròm¨Ã&b“ΔÔtƒÐ·:]Ë=yûç[ŽBƒŒE*¾£åîî$*é·Ü,*ë.JíüÍ"žäš'ú<.úŽ.? _ŒQ-wßXlÆíÆ^²¸I³€t›Y-¨¿7‡vUƒkàhÕÛìÇëe"¢ø_F7Ó&(¼C 1·ŸÅ—ž8MA Æn·G)¸‰ŸnŸÅâ]{Z ·0/‡¨Ý¾l<:_Ø¢åÀB«â¶å╱ÑáZrèô2¾[ʼnšž¾‹ +£éÝj ±:Q‰Z åû}G¦,6Óððx³ü} +)ÃE°ð,"¹à±·Uú•à +å >cY®–Û¦©&*   UébˆvêÔ”úøîjr®@cGäWÇË_õs/c “(1ó…ÐV¦qÕäØǥײÃðöŸdø¿8ÑœW[çOEtºp*(ËK¬4KÈ òée¶,¸•©÷@Sòãˆ3aS=¢¦hJ„TßÙšaÑ”„ÚdpÉ—ö—|PNäMUQêƒ aÏ.ÃÁ« ÊìðÚ¤î¯?h€Bj ¶øöuE© ¢ ­ +ÀãÒG¼Ô?ܱ„úÄE+0ecíÉah±fô€<Ëý<Âw™aæ1kKß¼|<øŽ&R]æ3vôf1dƒvÈð„‚Ù©¾U"D¹ast¦ýcäéâ•–KŒ®+=ígÐ-ã2NR ÂmèÒž°ˆ©­“š´xg¤O~ëàÚDYŽ ú¡@r¶M‡w†²/–võ*§¯‘èœzÅà¦Ó>|¹«gzCøÝñæxµÞö7ÓÏ~ÔøÛâg’n~h²ï*Â<Ýë$InÀ®ÄP~$ ¥Ç7S{Aªœè¡¯R}‚ô ö\b‚m­¹~íN!d +Cøó?Uê¡F7 +ô[/É$ofzËážq4õ9ê5F&Ø.Þ[ðd¯þøitÞÉ >òùߌ3ˆ¸)×—Èö@ºã ÆfMšŒSÌSæØßÃq?w>楒)‘ :ÕIê~®ã:Öî:ˆ€~ ƒ#—ñóÿ¾Üþëýýx9£Ç6Ûï«lGÁˆÈ—ðê.ÄL¸Uà ±Xw!FÈ6þ:M }h~rŸVÖîÇGM Ïy#Ãó2izö?cóýâg”GLZŽ-˜å p>2ÔJ¼`X=ør?sOvŠuÞ°ì)7 +‚/‡ w€|¢iæ2§˜IѤ’q&^&öåу¿ÂÍ)Ö‰føKÐj¼/²¾û§Ç_ãƆAÂæ¾Ò%fejSÈx<TÿËÔ)ëÿ¹-endstream endobj -938 0 obj << +943 0 obj << /Type /Page -/Contents 939 0 R -/Resources 937 0 R +/Contents 944 0 R +/Resources 942 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 947 0 R -/Annots [ 941 0 R 942 0 R 943 0 R 944 0 R 945 0 R 946 0 R ] +/Parent 950 0 R +/Annots [ 946 0 R 947 0 R 948 0 R 949 0 R ] >> endobj -941 0 obj << +946 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [182.6146 634.5522 231.8861 646.6118] +/Rect [182.6146 546.8636 231.8861 558.9232] /Subtype /Link /A << /S /GoTo /D (notify) >> >> endobj -942 0 obj << +947 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [108.9497 211.0729 182.6031 220.2883] +/Rect [108.9497 119.3949 182.6031 128.6103] /Subtype /Link /A << /S /GoTo /D (statsfile) >> >> endobj -943 0 obj << +948 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [293.8042 165.7184 355.0043 177.778] +/Rect [293.8042 73.4705 355.0043 85.5301] /Subtype /Link /A << /S /GoTo /D (server_statement_definition_and_usage) >> >> endobj -944 0 obj << +949 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [395.8905 165.7184 444.6373 177.778] +/Rect [395.8905 73.4705 444.6373 85.5301] /Subtype /Link /A << /S /GoTo /D (incremental_zone_transfers) >> >> endobj 945 0 obj << +/D [943 0 R /XYZ 85.0394 794.5015 null] +>> endobj +942 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F42 601 0 R /F56 622 0 R /F58 631 0 R /F84 802 0 R >> +/XObject << /Im1 795 0 R >> +/ProcSet [ /PDF /Text ] +>> endobj +954 0 obj << +/Length 3894 +/Filter /FlateDecode +>> +stream +xÚ­]sÛ6òÝ¿Âo'ÏD,ðóÑMœž;MšsœigÚ>ÐdñB‘*IYñýúÛ/@¤D˽¹Æ“!°»vû J]†ð§.ã$Hr_¦yÄ¡Š/›‹ðòp?\(¡™;¢ùêûû‹ïÞ'ú2òD'—÷«ÁZYf™º¼_þ6K\Á +áìíÏßßþðåîú*f÷·?¼šë8œ½¿ýé†G?Ü]øp}w5WY¬foÿyýéþæŽQ‰¬ñýíÇw Éùñ¢w7ïoîn>¾½¹úãþÇ‹›{/ËP^äÏ‹ßþ/— öa`ò,¾ÜÃ$ TžëËÍE› ŽŒqêâóÅ¿ü‚,½:¥¿(΂XGÉåÜDAûOkY©R@”Æym¼–£I-;*Ôò¶mžÊ¥—ßVí±ÈJ© Ê’ìr¸îÉîžjb{3Ø8 ¢$Óãý?[ËŠï×2XÚnÑ–Û¾lj4+dìH˜< BeÀ”G[Çi 3Ð"—õ± :S@Ç#AÙ>^òàn ²§EäÓuYäÅA8´r•3d"¨txVSš÷T¯°qº²œX¸˜QªÁ zÍÖTglÍQᎭýsg»~ÚÖÂ<È”Ñçw÷TÛm- +ÀQãñþ­Kqlkq›/ÛZšĸ¡çlÍÑ¿"òéºÕÖLd:~åÜ=Õ+lœ®vÖÖ’‚‚ _±µ!Õ˶æ©pǾµE?_´W*›Í‹nÞm‹…=1:±ÉÕy6<Õ#£ƒë03r¿.;P¤f³3ï î:»ÄQˆ¦BÉT0ÊøÑ7üÜ_­@È~áζO¶ É +RótQ´mY<ÊŒëw­lò{‡¿k±«hx‚: +LFbÁõ„CDA^èüa L¥±[÷ý”ðµ.Úb1Ç—Àª²$Ó “HDZmQ9i"r¦é¬+6–Aû♤@@<åó¥aÓ2¦/À[²˜êß,3¬TÀ­ŠEY•}ÑËËUS,Ëú‘W€h@Àÿ4µ C]YÙšYáÇ—·¿ +»Ï]o7$bèd㢦_óù€ –Ï„g¶¶-0A¶óÊ.äùñžŸ$<ßýü™›b±.k EŽ ³Ù­;Jfù~>4ýšGÂ%Œ^:…Ù2Ïþêù×秚¥zpþNœ¥“ç;!~‰4LªòÿÑ +Ç’ ­ðo’ƒÌ6Ò&€´í¶¶û +΢ã`[øãÅIvë‹…ÝÂI¿‘)éd˜”šA>*å¥ò±nxÁå˱"nž˜ô•X: :K +V,—%²TTóUÛlæÅ®_;îP °Ç“0«¡ŠMR“çÐSM°8Jt )_y¼_ÛôgòHô×ñdÑÔ› +†ÕŒ˜».žJô(ziÅOô8z‚ŒM‹¡|²|ê*ÓAcÕ7Ç¥öËœ…G”äIÌ¢1gQ„ò‹f\xø·Ìì©´ûA…;þº‡¾|Û£ˆ:æ ®.[ °¶:5 +FAjÌy«À¦SEÞ‡Ðàeõ©l¸µ‹rõ,ö:± Sݸص|°Èä¦Ð9¥pðcÇâEAÊÆ-ùØæ­l €Cwéõ Ž„ØqzTÜgØ¿VÍ£@$m͵L6ÿŠG;iLŸÏi#Ê‚L%®#˜n7¡ÒÕ/œ†J•øøX, š¬¸6ÖC—œ€Ui©­˜Ñn½Õn9vÌH ™}“›Š$òã{.vX“ êš¯»-úP eÚ BÙ^pÄ+"‘’{c]„@î‘çÀxËQ11¹\>"ª”ÕwhþE*š}s„Lšã„Ë^Ê©¦Ük±4*“ìð>Ä¡ÓRÚ55#*TürÔ îF +WÒíì™Æ–2 §žšïUt`RIýO¨ž WèzO–$.%÷ñy´·dMã.ù0…u²ŸËiwŸþ„§­ýÆ#W¬ŸÜMvô½1,šŒÂ·Ñá Á™æ8Á8äÀüÄÊe·Ý¾ A ½²m[T|kg4ß?#–­Å‘5lë{œÅ iÇدHýÝ„PÒTÈfT>ðp+Y¥îyN«¸Ä‰×ùÃm?JgŸËza(Ëi1iÍúH°ÇêC]0Ê+ÈÁÝAb|¸<ê|˜ÄÂAtèapÌÚ¸pb"E¥ +ê\pDÚ‡ç øbÀ˜ãẖ€(pœU£tå:9UÍKQuîßÞšªÁ8!ÈÝ ŒP¢ã»Iƒ->´]~&J*Ì_S¸¤Û6œV2é¼r×ÇÄ_¦ñ›t± w7ï¿|¾y0\>»à‹kטeâ‡q.™q*˜ÕÏ£f Îa#q¦cƒÂáH÷‡¾ÐëþäX6v„îá–Š­¦= +y¾ÑÜ.{„¥Ê/5$Ì0^¹R½| 쩸·èëù¦ØnírŽ] pÁ½òè‹Î&‹Ïóá©&¥ï4 ´‚cNnWS—‹x·˜œ½\„Z 7zÐvšŒš J­Ü +›8Ý~zŠDNF aÔ¨™C€xpœ±z„ +MˆV<&g"® kͲ|l|UÙa;¶qjÉ'v»„ò ±>…’Ópqxƒ là=[Ínjˆ/ž’›¤l¶P¶°½á”Á®ûrãØÏYíª©ˆÇÄhïdnq2p€üTÖ»o<äcÝùÄ×0tß´_yÄ~Ã}>ÍùñÕ¶µ­xŒî#Ô’kSÅ.Ýy"Ý¿ý$覮ù2¥›¼g“𢸧…§ëðË*$Ó•tFZ"’’kå?èðŒUIU¢Äzð½®Y|¥N#Vþ†5Æ3eS£—GeIC1Ë%Ä£³œ’ÂÙG’’-u<Äêî±&s†7bIê,F”cU”_ú9-ˆ ‚õ=gÑT:¸$•Lœ: Bˆ|»mÄX—ßÓÙv×n·Îô].Ôç‹f×BÛðò7/E± +*ë³ánHõr¸óTôÃoœã9#.ËNÀ,ä€Ó¨k Oæ<;žj‚ŸQœŠSüΔŒúŧòQÜÓ9fbýÚW•(w-)6‰S ¦|I@üüÝIôbHm÷<Ç2ŽÏ6–“?mŠ®wK°ß rP%¼ìea" ˜Y¤.§ø;— Üò'îÖÌB1Þ1¦`³ó{%öQì.Ñ3\üá™aB…e?¤xÞj˜ +?ã>ÿ#‰‹òC‹Q’ +€êDW²N_ƒ[®Û…õ|È:×;ôdœõ-tc»ŽQÂŽ\õ#dQT‹]E?b 8CùsÌYùì`Æ\P/è’?NcñíiYópµ“sÖœ­jùs—\ßEîú.ŠIÿèøopl¾¹‚‰;KŽbÿS ¿B„ß.ëG+K, +ÙàAÖ§ÃÙ”}ï8àÎD³%´ûyÌFöA“èøÅb2üø¶òØ$Æ—gC“˜¼¦ÿ J´EÿÍg§«zCÓCëdÚðóAÐò«!q刎ֻ|†þ§\0†>a1þ³:”ûqº…¨Þ~SšOè¾\Rëš!î : üGÊôÐ+ˆG½ýôEV¨²±›†Z6Cbîv—7N÷‰\ták(Éé;!RЇ*4|ï*Å èÉÞXΠäu8ð^‡¾rÐ|w¥ýñj¹d æo[Ùž¯bsð“+÷㪺gÌà;g¬ûŽÝ˜ö¤~DÄ7‘ž3íŽH@áæ…Ÿ(›8ÀßOä ø/gûÿ|ùðÛîŠô,;ó³Ä(ƒE„)<‹(:MçT¾ë Öÿ d^ù#endstream +endobj +953 0 obj << +/Type /Page +/Contents 954 0 R +/Resources 952 0 R +/MediaBox [0 0 595.2756 841.8898] +/Parent 950 0 R +/Annots [ 956 0 R 957 0 R ] +>> endobj +956 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [309.3157 134.9691 370.5157 147.0287] +/Rect [280.9692 755.8266 342.1692 767.8862] /Subtype /Link /A << /S /GoTo /D (server_statement_definition_and_usage) >> >> endobj -946 0 obj << +957 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [305.9683 104.2198 367.1684 116.2794] +/Rect [277.6219 724.2256 338.8219 736.2852] /Subtype /Link /A << /S /GoTo /D (server_statement_definition_and_usage) >> >> endobj -940 0 obj << -/D [938 0 R /XYZ 85.0394 794.5015 null] ->> endobj -937 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F84 797 0 R /F56 618 0 R /F14 608 0 R >> -/XObject << /Im1 790 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -951 0 obj << -/Length 3814 -/Filter /FlateDecode ->> -stream -xÚ¥]sÛ6òÝ¿Âo§ÌD,ðóÑMœž;MšKœigÚ>ÐdñB‘ªHZqýí@R¢Ü»9ûÀb,û ©ëþÕuœI®óë4‚8Tñõjw^?ÂØWJp–i9Æúþþê»w‰¾Îƒ<ÑÉõýf´V„Y¦®ï׿-’@¯`…pñæçïî~øòéæU-îï~þðj©ãpñîî§[nýðéæýû›O¯–*‹ÕâÍ?o>Þß~â¡DÖøþîÃ[†äü¹°è§Ûw·Ÿn?¼¹}õÇýW·÷þ,ãóªÐàAþ¼úíðz Çþñ* LžÅ×Gè„Ês}½»ŠbÄ‘1R]}¾ú—_p4JSgù§Â@àÕ9#3b`¦‚8Ïãë4΃ÄhC ì¶E‡Š’ÅÑ^©la¹÷hk{(:»Æn¼hjòýpÏßæÀß·?æÆ®XmËÚCM˜-î] ­ü5šnË­/î~åÖïZGÈÑïÞ©hD·Qi ³<ƒÓ"Å5£DcÙˆ‚<ƒ9S„ñÙ™T í#ÇY»ó|'Gˆ/‘‘ÆIUþwTA8Ì$ÈÒ8úoW¸x=>à\/#m‚$†¥—Jyk^À+¸‹–…¶ð׋êX<»ÕÊîá¦_K—xn+È;+I ]ʤò±nxÁup¦*H•J®S•€8êKRËHË1 í¬Ö;,Y¾u•é Œãxzë­=<*ƒL„‹ãÖÖØR°L -^Ö<ðg” Æ*W[nV&xFòȺè -àq”RúñêábÓTUsô«¿ùpóþÖí»&bCG$Ûí·Œ7¶ÚeÝ+´Ê#Âú…60J‹¹Àñ¾ðW©îÅ;­í»aeŠ³ÑÅ© §(Ó3pã\ß´ -B“;¥ÿ=ŒC¾.Xrm7E_uS²3*5˜,äñ3CJ!îÁ»uW¦mX,v2Þ/å–sètzÇcQ›•Óí0;‘Æ‚5µh0Ýïa¨{¿!Ž—5°e¤êbáÁ3½>ËÈŽ4g5ؼzãÁ;î«g†ËJx°SÁÐÂâPWQ˜#…øÍ}K|Cì À_A©Ç©ªÐ(²¢•ÑZÏÏ„`“ÅÿÅ1û/€µÍNFÛ²ë 7žFim罯׶-ÅCe_£O4‹¶GeÓ9\1Í4¢G¡3ˆ•†^Zãõ­ìApš'>§q$ãø§­:8¦¬J7Ák -Lˆhd‰Rå{è*f.¨­ÈDèd`j’Ûf؃Œ¸Ð%&ŽáÛ5ëï×Jÿá™z´ˆxÉ®²Â¾8t`­0¨H’ÅMÕ6(’OM¹fÑHÜ&(‘lˆÑÐß4‡¹£ÈÝez*Ü™rB#"¯k÷–È`¿ç¯3µ8Üì1^ÁÀ%;þ2Q€°oÚ¶1`°ý¶·u+CtUgdho¥gäÊi._TÛTO¢oGè°Õô•¸rRŽcÙZ¯zôݳ<•|WèÖëߪö¢ì'æš]Þ;”*bápÅnO¯CPŒ B34‹8(f›EûµåÖ†§fäîðþWþŠ\7NgãöÙ6m'v=mc‚4ËS±Ú›¦ „¢`ê~nå3ˆãL!›Äw!^à¾ç´ á½Ã°„Ð:€¸=š^ØUNhD|xè$ *äï®(+Ozm»Ò•¨>L²QHHôëÄg»¢ªˆÕ¡;]¨ÈLˀ驈^äF&ðùÂÅ ü±·ÃžèÔ)ë5¸Tˆë„œÉ„;ÑA¢OCÕ¹ÃÁbáp/¢Š*bù…ï‰ü„L*|¶ª ø!èkÝkÙ'²¸OÑ?¢™PdOŸeo…¡S77J?GFÆRE´ˆ;†Ï¶ëÐ2Ñ¡ÝANÌE0:ÑC±¤U&qpª“ù`¥næD! -tÉ£¬ËNˈ©ƒÕ‡(áb› ÜÔ××2Ì›7¤°&NбqÕ¬8010 F4!/ClÈ ˜×”c›–!\);—Š`Œ$‡s׳‘¢‹¶EƒÐ¢Aƒdt¶&QÁѾõãø†Ú¯@X–|x?‰^4f/ŠPžh¦‡ŸeO¥=Ž"Ü‘ ÜtÝí;<¢ŽÙ¨ë„ÃVlíÎ … -£ 5æe©À¤ÓçÆÇ^V/À‘ʆ{»*7Ï"¯3»@Ó™Óƒ]õ‡–>XdvSÈœR¸ø©âòª fã–|íóR6bÀ]z>ˆ"eȼô$Ôgœ¿VÍ£@ćšcèìÀþvV˜>¿Ä( 2•¸Œ`>Ý„HW_¸ •*ñö±XA4Yql¬Ç*95„³,Ò[F&»u‚T»åX1#QLdÖMN*’8ÈÓƒÄ -kd]óµß£Å¦¡¼ ”å[±â brN`Œ‹È9Râ‹g`“ƒžR*”p!qûV8€@?‘‚fŸ!Crœp˜ÂëÏÅFsjȱ‹H…Iv\ñFè<”vIÍ ¿ž$B£ÚHák%mog#%NlÉÓ°ë©‹øO¤’øŸ A zc‡¢âªïVGYZZÓȶ>—ÁIÌw:ºá)¿›1Ï’Tðf>ps/^¥î¸O«8lj —ùC/e?JŸKÈâN0ÊiiÍüH0Çóc^0Â+ƒ£ÚAb¼¹<9O“X(ˆ†Ûl¨3'&Rj!  Ì[Ä}øŽ‚/L)Ž¦ ˆ ǹQ5JYí­ª¹dU—~þD$· Æ‚Ô Ì9:ÎA1›4˜âCÚYPñ3Qyd¾Lávß°[É$óÊ]_Lã™TØ„O·ï¾|¾}0œ-MܺÄ,=ŒsñŒ3—ƪ7$kp;±3- 6'¼òBÏû³°lìÿìsKÁVs81y>Ñì‡b´Cy± !P©6/ÇX—‹À‹s‹nµ]îŠýÞ®—˜Õœ+ÉP8›,~™5CÈÄ}§i` œRr·™+.ң̋ÅEˆr£Gi§É(¹ ×Ê©°‰ÓÅÝǧHÎÉHxh’Ì!@48Θ=‚…"D+ž¢3GµfY>¾ªlÑ„ -˸ µø»] É%U£Hi88€q<#ŒÈÀ:[-nk°/““Älö¶°¼a—Ál®»rçÈÍÙôÕ¬ýFAMiïdiqp€üTÖý7n¶Ï`v-•”Vo€›ÃWn±ÞpžO}þ|µ‡ÚVÜFõlñµÐ"•n=·îß|”᦮¹˜2[àqæEqN _—Áp¦ÉŒ´X$%eåt¸Çʪ$*Q"=8¯mV_)Ó¨«°Æx§,j4i¸*KŠù\‚<¹Ë¹ pò‘¤$K-71º{¬Iœ¡Ç‰X’: ù*ÊŠ‹~B ¢Cc}Ï^4• ì‰S'A‘·«ÉF¬8êü{ºØ÷‡}ãÖ)gñùªé6\~óÒQh­²—ÍÝë²¹óX¸yù}<{Äu¹ÁÈ€pnõb„)›ÉñX3ôLìTœâ;S2%èïÊ'vOçè‰õß½ªD¹KIùÙ$NÅ€€™ò! «¦ p"¦ú!Bj{ä>†q|·±Üü€´+@§e ÖEI/;Y˜Ä&Ai=ó&a9\à”?qU3 ÁxË#0yÐÈ(‘çbWDÇ‘ñâÏ , ûÁÅóV;°ÀøÁ¸œPœ%Àëµ;‰+tˆ]È:[J&¾CÜ.¤çcÒ9ÞA Gc¯o!ë[r¤ÔUQ­úªèœ¡ü}fG¾Ęêùã4ÝžG‘5‡ÒNÎ^sFe«æñ‘Ÿ»¤|¹ò]ÿÑ2ðß Ø\¹‚Ž»l‹ŽbÿS ¿B„o—õ£•%V…lð ëÓåìÊ®s¡†ïR‰–_m±“}P$ZžX´ó‘ «ÑŸˆÄ´x6‰ÙòÆ÷P¢,ú7[ì¯êM­•nÃß ¼æGŽ¨ ½ëgÈÊÐsúãŸÍP¡Ü P-„0ûDi9Ç…c¹¦Ô14 BÜ :4ü£Š å=4ÃÁ -¢Ao>~‘jì쮡” Úà˜Û~çüÆù>‘³.\Öˆ’œÞ ƒªPð½Bª З´=(i6¼Öa‡KškWÚ_¯–"%ûÊv\ -ˆÍ '1 é)ŽŒÞ9c=ì;UcÚ“2ø W"==f^ÌÍÌ}qP’Ë9ßQÿ²œ±uâüG\~%4äˆðPÖ‘ ‡Q!8RÌo‡§poÛ$ßó˜~·¡H”_îEÛÕ2W)OsǽÌåýÕËÊÂMèwüÞJj•ˆ.äÂ6¿«ÃÂ\B¥õ¤V ¬HeN™2<[;RQúƒã‘Ó«mA R!G¤&üC_ƒÉÅ3|βßI„F .ý²ÓÄþsF¾C¿Äÿý«Ïá'±p›,Ó~x–fA”Á"BEç–A~zNú> endobj 952 0 obj << -/D [950 0 R /XYZ 56.6929 794.5015 null] ->> endobj -949 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F14 608 0 R /F42 597 0 R /F58 627 0 R /F57 624 0 R >> +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F14 612 0 R /F58 631 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -955 0 obj << -/Length 3474 +960 0 obj << +/Length 3452 /Filter /FlateDecode >> stream -xÚ­]sã¶ñÝ¿Bo•gN8âƒùèÜÙ©3sµ™v’<Ð%qŽ"‘²ãþúîb)QöC;7s ìb±ßœEðOÎÒXD:33›G2žÛ‹h¶†¹/$ã,<ÒbˆõÃãÅç›DÍ2‘%*™=®{¥"JS9{\þ6ÿò÷«o×÷— GóD\.â$šÿp{÷• ýùòËÝÍí¿Þ_]Z3¼ýåŽÀ÷×7×÷×w_®/2%¬W¼Ã™7·ÿ¸¦Ñ÷W?ÿ|uùÇãO×á,ÃóÊHãAþ¼øíh¶„cÿt ¥ñì>"!³LͶ&Ö"6Z{H}ñpñÏ°á`Ö-’Ÿ‰S+“ÌÚˆ4=&¥‰(©-lœ‰D+¤l&¥ì±PÊ˦ëÊbQ6ùS]ŸYšL(™–L‘Xôõ€¾Œ ÊÁŽ¸&Ê •¦ó¯w×_pœÍ»ýós»ëi¢jØäÛr iT<ÿµ©Ë®£ù®ì ¡oñ Ÿoât@X) B~‘à[ÙΘ9+2­RÆù»e)‘# -Oå&);¢’3ÙjEß³¹l=FÓöHdZ(mc“Y+·ÿáp ptjA›’Ër•ïkF©º‰cIc„I“„ynÚ©c1QB'JÍšcáø6“Ôk€õŽzy,¤øç¾Ü½ÕíúD³T"¢(6ïSX¤G§Ô‘ÈÒÄŽi?<—Eµz 3Ý”ý¦Üá‡&®¼­«fMݦÝ×K?•„Ûõù®/—a—†F^5pbtp:Jç·+¾…¡h´ÙHé¯a(”£“ ÎÀø+­:&ÖöLê¹¼”óbAº¥m&ŒI‚n‘߬~"U.?‘æôÄ1hàOÃÃéIÉXóúr·­w>ø~z;Úàyw)ÓyÙ•MÁvu„2Ú¸ÈûrÝÍ É$±Hµ6ÉT“ö©µ°±þP‘ƒgïëñé¼{$$WlÊâû¯¼;u‘Z$iö>å€tJz¤Æ&‰Æ´7x/Údóö¹¯Z¸LÍw…°}‡·„ð|ÂwÓ甆缜*6ù./z´„w¨KŒ“7KÂéÞš>ÿ‹€x«n]¹ëóŠ)/Û- ¹ãŽjX'SaASÇîn›wDU'sÔÎÚ­‚ û¹å pƒ4à<·MçñT”Õ‹;.@VÔné‹Žƒ¦ì_ÛÝwëSr¦Î?^r§cÄ@Q´n§¥ÓV·—ó£pq#«ÚwùuÛ‚¬ˆ›-Þªù lpªØ6‚|'ñz͘Tk© $ÚÚÆë-ÉÊA°‡80ÖØT(ÂÛ*¯ê©@ “É4Ø°.Ï°®ÀÔ2ë}PWCÜ›ØP¡Š&Ùÿ‘ó×|×L‚j”=åÜÉ›îµÜu¬| ¤KY¬ÇÚ7VtHå9-Vúø=Š£ –¥R"Žý±w¬¦SžÜ¥uÞaÁnòˆÚd€Ñß|cµnÚÝäMdBëÌ]#ä±Ç¡(0³I4;$ž(I:ß;3T‰ž¯œ4\—ë¼&ئíz¶oœqá[Ô/"OÀ[°Qð xq6| „ x÷7_œÅŠW6ŒÈSzž*ÉDyóm»¬c«T,V uã0EÛÀ®bÆ29rîGÂM"aµõv“??×Îw(IWEß(Ú×ÆeQðŒº"ÐÕ'ú¾ºº¢f~þXQÙ!aF¡²d~Û3zÝ1Á÷¹`í´Às?reÞkGÖåÕ:òþ÷_©.Âÿ®hÎE˜º{øD€‡_®BA xœÀØÌÀ¡» ~UÙü¢Ÿg]ü¿ÄJrÊŠeV’ù·ÇûI‚S*òŠY«fêÍ/•á²†!`Õ,+ÌV–9ïy¢'ˆË‘à;§OÚùo_·í÷ý3SX,§OoPD÷ò>/e3} Šó¹Û»ÅÕׯ÷âêþÛe¦H½ü-™ÝÞ=¢š²È,E%XdºhDyVÌþƒ«Š¢.øg%O$¢=L’¼ ÞÓÊ-„×(†øTTuÕ¿F‘7~â%œÐ¤ge)8ÜöePœ®iã5C»ª/¯Õ²¤Ù"/<-SÈ™§ò•W”;¼8TjéÓ¦å¾`FÁ&vù -ècŠ©‹h_\NcàÖ«æ{GCǵÎæå_ðt¦¥[ÅSÅÅ›†‰X Æ9ŽžxÁÞ¥iËÁî­n_ièSfZôFÔ™ -/rZŒ£%/wõ6Û³eÅ–…xÊbšäjm;Tʆ -€ÛZö(I“ÌŸö=!¼VÝf¸Ä:ë Úâ81U.¨÷LH±y{Íß.¥”òc£XÊXmQìw¼¢mê7Ú´m¦®«T@ä@1pÁ¯›ªØiä¸>¢j “æ=칫ú¼‡hÇ †£·†èNØãí){áíÙ®«¾óeèðÙJÇhHD Ô¼ï–:C¬óµNÀr $YúiÅ.Eleö>á€5Ay”ŽBeCr3&͵¸®Pëdr`tÁÙ–y:°Ú×4ƒ}„“J`àxÈ VW]?ÞÌåö¹ºfuìâ À_òzÏ;¶\×ÇvT½âi}2¸ªv]?Ÿ¥iÀú„Ý+ -s.D›(‘…k %‡èÀš°ï(ã3â ¨&[úëKû!Þ±,†> ™¥¥,8“ÔØr›äŒ„úÜü­÷x¬¶C:@»ÃKû4m|.ªÅ®S¢® Ê] -‘‹ÀY²Kš¤A ³`%e½Â CšÐt]Ž‚’Ǫ w§=—“kBFá=Æ>K1è£dú£nâÄþz÷vàòq£„±æ¨4ßÍY[× p™féû¶>Ä:oëk`ë\@ÌÎÀ廤=Òéq{.Ã&Ó~2F¡{ëU`k·ß/—Ü èNK(®;ß”.àˆÔ%“GIjˆ6\ødjPu±#Q&Gà`ä.p„©ZÃtW”jrŽ,ûèNÄCÆ5ȱ†¥ÇqHS*¦Tœï+ÊÜTÛ ¼Ö{NVÚz|úóLéîÂ÷iÜyWa¢£4§IMy#ƒÁºnŸ\ H³'ü‘gîxU;eìŽ_(Û0AÚUË¥³mpcŽ¬øèëÃ8qÃœK–AßµR!þýsØvOp R« Ïù®¯Š=æî{PŽvˆÚeO4[¹dnÅÅ@ÓÞØ»…ŒqG“ç²£œCüÉ–§¹µ±ÂÆ‘w/>´RÏ\ÆgïˆOSªDb2ß?pϘ'A1ÄY½O[B~18 g>O©ëO>9yãq=ˆÂ3-•ÈRgÂ4·[Ïhp?0ù€¾àŸšüÉ®Îâ!ŸtQ^ô”Pú˜(0;äæôUÌ#½ÏÃÉ^¡=r\ipÎVJMÖ?šëŸ¯û¼^t}^p{è3ì‹¡áBl/ºøÂw }uŠ\ý@’wt©þ`»T ìÝ[7/œúX‡ýÛ}ÃS,» ôT—[¦âú¡Ï -ygþä‹4Øl¹/mÖ {¨ƒTü;Àè}+$ØeÅO0®&}1c=Hâ-ã(MÆÒ™F[à­jÎgÅJj%æƒH9Ä:)–KÈÂ5.ºÃÕ"fb!Âgñû<¬ &Æï‘/$Q:æb3µ‰Y2XvùÚ €®œ‚¿Gñ±¨¥{9ò‚W¸š…žá º–fc¾4·5½$tkÔk‚D^šô(ïÛAÒ†ª€N=Án2`SWC|hŠ Ð%æ–^50O–>¥·iÈ»p~»w§¶)UÉ¡7d„8®mxië?±a\Oé€âËùš¾¸¾°Ù9=‡ÁÜNqOHA˜p®ÈºÃ!„“EåÅÌøýEU‘{[,¾sŠžêxýD_>Ž u-åi<Ž"±P1x4ZÂhŠ¥ý-9„|–==ªS7]'B¦ÙÑÓµ×ÅoN.Àðç@>®Þe´§Ò¿A.«ojyÆ΋v» tM‚ãV|)ÖS®[¥>™ùæ·•…E 3Õ”—j9hÊOǃaû4ŽW1|i›~×ÖÇ‚°È(’ñ¹'BacÊv`ö‰'‡¯zôî¬0«£¡$IuØÌ¥Ðf”BÓ„óÐLŽ%oô¬¼u}¹Ôc}8ÍLj„Ñ™žI™ ©ÔGICÀ_ LDì“}Çi°*)ä1?±†l#UvÄωë Xpáý¿Œ,ܸM|ê^ÇóªîƼÁnÜÐ"ºðÛÙØLF—áT¼ëÏW}Ö -eùÁo2Hïü$ƒ‘œýbþ¿€¤Ù;y̖¤ö}Òé”öø1Œ%IÇÄÇ5Ÿ’¡ç¦”  =<&Ü1LÅ×ð—ùw½ë!”Mˆsdì"†{Ãd3ÀÅKš…l§Y{†¨dRxW•Ó:~X±Ræ(`¤I}`m‰#zïí¦œK–Š,4%Ž/ãôñIK‡Gä7Ú›Ä)‡?üýÓ¡_A—Ð1o˜Z‰È„Ÿ™8¾'_xM Ò€O€*Ç5°T À7ˆÃ"ïÊs?›Ó°™žüýX~¤ô?ÿ¤îð{C¨»€#u¦8‰‘â«;3…Ç3ñY§rÊúdG¡endstream +xÚ­]oã6ò=¿"oçk­ø%Qén¶—âšî%)p‡¶Š,ÇÂÊ’kÉqÓ_3œ!-Ùr‚âŠ5q†Ãù¦Åe âÒš(V™¾L3™X˜Ëb}_>ÃÜ÷‚qæi>Äúîñâã—D^fQ–Èäòq9XËF±µâòqñËìÓ?¯¿>ÞÜ_Í¥‰gIt57I<ûîöî3A2z|úéîËí÷?ß__¥zöxûÓïo¾ÜÜßÜ}º¹š k|/y…3|¹ý× ¾¿¿þñÇëû«ß¸¸y {îWÄ +7òûÅ/¿Å— Øöq¤2k.÷ðG"ËäåúB­”‡Ôÿ fݧSò3ÊFÆÊtB€Z (bëä25Y”(©œŸJÜP6k—ôÌéÑUº ;+Úõ&ßæO5#ö-?W „§ª)ã+2¢µ5ãä šrOƒ?Û†¿z)·]Õ6à-Ì@­+·€Bã}U×x †¹QfŒt{jJâ&ffáY®7í6ßVõ+òºn‹¼/ém]®Ûíëø“³ UÕÑeQ—þ«Eµ¼v¶vàQ6û²N#Žb:›ŠCdÓ†ÀHó!ã¤!x,ÜózW÷Õ|w=°sD\h%ÖÚ·©¬ ò#5Ò6JÒXŒé?’à̺U»s¢K$iÂÊžûUÙÐèµÝÎ*a,·‡MíßÜ^:BZ¶[Öz°ÂR„,t"]W2Oô¾tŠƒ¨­S›9N*µkÏñ±"çt$/V æx•e³Û%.ññ‹±Ñ€g’±cu ½u‡3_eJZÆA=·é¬É×NeŽSj7jZ&]·Ï0H3/=óf-*Û¶Êý»õ“Û"ŒÛ†> ˆ¬nìŽ +ùõò†d"D u +ùÙý*ïI»=«h»­—‘·«Uî$bPo&å2‡ƒ¥—ª››°*JQóH&M;%6>!B9k_I"£D$úmûb·¯€å´¢m*æeã<á‰e‘V¿M>`MÐmÕh 阛†}°µ³Ïw7Ÿp q·×ÖÓDÕЄ–fösãÙ²ÚŒ-àè¤ ñÕ7³õµ`ñhÏQÉ™lµ¤÷ŠÙ\´uÜ©*5c[Í"­“#­ª~cY.>øðî86Þ©ÂÀïÞăÝö›NçÀ•®}ÒÏž^Øp:$” PF c*òŒ)È„dY¥ô@2Õ¤e*p¢F½«Â&M#cÌ;:<Ä:¯Ä )«²ø6ÇSï¦ìâk‚úDrDž¥!ñÜô†?Å'†°]‡g¥8¿CŸP¿­ŠžgðhpªXAÂ[¸h©\>Å8.Û@œîµéó?ˆgë¾+·}^1åE»¦±&wÜ1CÍ0õÐcÅô1Z©d†:Z»¯àÈ~lyÜ x›¶é<Š²zqÛÈÒÚ5½ÑaДý¾Ý~såŽ%gŠààLñå%wšF EëVZ8ukµãÜ›…]—?£†§ +â&G»OåìK»Pï4†Š%ñÚ}È_O•[H‰„†Ù_GDÈžR1ˆé!Œµ²3ÂÛ2¯ê©@`" ¬XgX—`pYê=QWc{º 40“ìoä|Ÿo›)B@µLO9wDò¦Ûc6MÊ—@Ř5Ö¾±ò [:(ÏÈu±òÐ˯±‰'XR‚múmoYM§ü¹«l½Û‚ÕĵÉ?¢Ò83’¿ôeO©™•‚‰òâëvQͧêa +wãPEËÀ‚®Š&„%räÛ›ÄQªRo3ùfS;¿!WÓ±/CÐî—cÄÁ+:è’@×èýúúš´m˜ùñ?`%eg„9…Ì’ÙmÏèuÇß悳ÓÏý¸…À;N]N­bï;pÿ™ÚBøïšæ\€©»‡xøéš 0‚@Àé4”i¸‡î6€øPèŠÙ"ïg]ìÂ'±’œ²’2+Éìëãý$Á)ٯʠ˜‡âR„òTö°jæ+‹P9ö<Ñ«K*Õ­?1ì딾œm¿í6LaI°œ^½9]ËÛ¼”Íñ†( +UœÑÝÞͯ?¾®ï¿^e’Ô Á_“c³mžº½{D?4ecFY µóH‹”ÈaãÊf0UÇ1:]ðÑ.RžKŒ>8WƒÇµtß "ll DU]õ¯„Qä ŸøÎiÒ³Îqû2èN×´ð3C»ª/çûjQÒl‘ž‰–)ä̶çÜ®éÖ¡n Ÿ9-v3 +¦±Í]ÏM1¥`­ëÙ) ‡_5ß::®U6+ÿ€˜ß GE(.Ž˜*æ(ÞBtÌbÐÞÖqôÄì\¦¶¬®©Ó·§¡Ïé£W¢ÎTø#§Ì8Zðç®°ÀÁŠÃû±ª-*60Ä“)fJ®ÜƱãAZ¶WÜ6¸Õ²GIêdö´ë a_u«á'©3¡© ŽSå²@™…›×}þz%„À¨o´d(`µE±Ûòmƒý\´m¦Ž«;”BäG1ðV²_UÅê(N:³‡B‰Ê2Ì›w°æ¶êó¾za|îíƾ0DçžàpyJ`xy6ïª÷YÔá³%l4²2~§äb/y–Ë!ÉÐOëv™TdoX”G)øò›1i.wÀƒ…r'³£ȺÌÐ宦lÅ œT2“CÇCf°ºêúñ‚d(×›>èZªŒ ;Éë¯ØúÖh:*cq·>\VÛ®ŸNѬ X°EÑÎEjÛ(NáXÆýZÊÝMØ…®oèÕD`KO_ãñŽe0ôiÈ,½H™ŽÚ΂z[n‘œ‘PŸ›ôÕvHhw½»å˜4>ÜÌk«CWØøvŒÈEà,Ù%MÒ …Y°’²^b¢!ô¡o=< UO*ƒÜöLN¥:”jå 6\ŠAC%Sïm€tG ð×Û×ï”’kéT«±ŸŸÍY[‡„8RiöÎËë¼­¬­s 52w¥# ‡÷&i4Azܦ˰ۣƴ‚ŒQèÞz%ØÚíWßyd¬èßÁÀ;¥ 8"uÉÄQÒ¢4W?™^ìF”É8¹ aÆÖ0Ý%eœÜ‰#Ë>ª8ÄCÂ5H±õÇq@“ÒP"€Nú%eFnªmPZÏ;NUÚz|zl(çûF[ ï*Ls¤âÄ!P#™Iob0x®Û'WÒì ä—;þª2uºS.=ÚV‹ÝiŠoXôÑÃ5bœ°aÎeÌ„ï:ªýþ‹‰,]§) ò›šmòm_;ÌÝû "Õì•Ëhvâú+ÑGæçœmBI3LžæF´¿|ú¢´ŸH¬u¥&öÎÅVJÍÁa|ônøÔ-Y%:ó wÿ€YTDG©}È.{áÜ¢·Â|2srÉãš&ZÇid3ín÷irû|IƒûÅüùðƒS“?]×™<$”.¬Ód$Õ1CQf鈡Ç°ÞaãtµÐ%9®8èT5Y).‚>ïòzÞõyÁ}¢γÏWD19»á‡ØgtQã„oEúR_¸‚<$ïè„k¨`»„ ì%Ý¥w1œZ‡õÛ]ÃT¬Á ôT—k¦âš¡á +ÙgþäK5Xl±+ýÖ »¨ƒTüµÀè¢+¤ÙeÅ72®0}ÑÇ¥êKâ-ä(YÆ:šÚ@×Ög㥈U”eæx9Ä:/–KËÂ1λÃÑâf’BœÏÌÛ<¬ &Æ“5$±s1ŠœJ– _¾‚ +ªàyE‹zû&\ÿÓÛ†æC¹§¹ Dz®¥YÇ斦‹ƒ„NO22B5ž ”n:Ttî ¶¶ÔºšÊàC‡.=Oéz³eáûÔ†ì ç×;·ëÔR­ ºLFˆã: "mýâ'VŒëé!P|1{¦7®2øWS©¬ß fx’D’$ ãÔm!œ2J/fÆï艪„#wÕX|ãD3ÜÜñ÷ zG™ +½åi<Ž&&’&ü„ƒëP‹=KeïeG·ëÔVWI$lfƉ«×á‹80åC?žà&mé¯$U‡'µ8cçE»^‡:º&ÁqO¾Œž§œ·´^žù.øà×s=ÕQj•tç£s¿yÃX &cP®×ÿïßÃ~, ƒ²Vž‰©q¥r–z¦ymŽ9?œ;eý}üB—endstream endobj -954 0 obj << +959 0 obj << /Type /Page -/Contents 955 0 R -/Resources 953 0 R +/Contents 960 0 R +/Resources 958 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 947 0 R -/Annots [ 958 0 R 961 0 R ] +/Parent 950 0 R +/Annots [ 963 0 R ] >> endobj -958 0 obj << +963 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [367.5469 309.3417 428.747 321.2419] +/Rect [367.5469 204.2481 428.747 216.1483] /Subtype /Link /A << /S /GoTo /D (zone_statement_grammar) >> >> endobj 961 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [483.4431 115.3171 539.579 127.3767] -/Subtype /Link -/A << /S /GoTo /D (address_match_lists) >> ->> endobj -956 0 obj << -/D [954 0 R /XYZ 85.0394 794.5015 null] ->> endobj -350 0 obj << -/D [954 0 R /XYZ 85.0394 539.0447 null] ->> endobj -957 0 obj << -/D [954 0 R /XYZ 85.0394 513.59 null] +/D [959 0 R /XYZ 85.0394 794.5015 null] >> endobj 354 0 obj << -/D [954 0 R /XYZ 85.0394 295.1443 null] +/D [959 0 R /XYZ 85.0394 437.6905 null] >> endobj -959 0 obj << -/D [954 0 R /XYZ 85.0394 272.6685 null] +962 0 obj << +/D [959 0 R /XYZ 85.0394 411.2314 null] >> endobj 358 0 obj << -/D [954 0 R /XYZ 85.0394 159.1962 null] +/D [959 0 R /XYZ 85.0394 188.4473 null] >> endobj -960 0 obj << -/D [954 0 R /XYZ 85.0394 136.8798 null] +964 0 obj << +/D [959 0 R /XYZ 85.0394 164.9671 null] >> endobj -953 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F57 624 0 R >> +958 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F42 601 0 R /F58 631 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -965 0 obj << -/Length 3270 +968 0 obj << +/Length 3263 /Filter /FlateDecode >> stream -xÚµ]“Û¶ñý~…úTÝŒ…ÀÉ““œ“ËÄŽs¾N’ÂÜ·7œpfiÖÅúêñæ‹7ZL2–i¡'«-ËkùäqùóT3ÁnB2ýúÇwoî¿ýÇÃë[£¦÷?¾»‰4™¾¹ÿá¡o^¿}ûúávÆmʧ_÷úýãÝNi¢ñÕý»op$ÃÇ¢woîîÞ}}wûëã÷7wñ,ÝóòDºƒüvóó¯Éd Çþþ&a2³éä^ƳLL¶7*•,UR†‘Í͇›Ÿ"Áά_:*?ž0!AVçT²#@ËYšeéĤÓRH/À²½I#¦õS±ß—Ë¢Á×v]¸³…îÁŒÎ4lë–Ö»¶¬+Zo6õó¬ªÛru¤•Ý½áθÖaeÓæm±-ªä®M:½'&J"VW›#BÛ"¯Êêãê°qï|ºª÷´>šMþT ø¯º*½;Ž—ÉŒ›„e^Dœ³,M²±+å/I"Šå+¼Xwl,‹U~Ø´øâØò³5>wû[n§õ¢hh‚Žíá-Œæ šÁ“8h…‹¶ø–ãÃñüwBÝæM[좱3µâÌp®'†&S•]PDšu±P FÍ(`9Iàíýv(öÇáÞœ –H•]ßçû¥;òÐâ g6tî*#k„“žÅÍŒíëÜâ´Œ§e´8Oç^¢ÅÁ‹×^x6‡ùÖûr€¿9Vù¶\Ћ€ày›Á2ŸHycr.ÚŠAÐrñÆ{KZ’ -Œc¨ŽÏÈ×Ò3Sˆ"ƒ[–½äf&¹™>†™ŽÃö*åCFj»1MhÈb°ù7äx‰ Uñ%‚ÿ‹Í’A¡Ö¼BòA¦Ž!H,bíÒ >QB8»ÂTb†²&c–‹´/œp|´ge¦Ï¥wÊ¢`dWìÒ¶X’ {¼Í ÏEœ¢Êç‹[Ü,P~…ÈÞ«…»/§Œ3žŠ~î2ªÜpÄ•}/C¢Í«cì—/ŠÖ•NPO}@¶ÐaÈdú”oÞ\ƒìYW#¬s™A´ö]±qu`8.\Ó]Á´V¦O¶s¼1ª ž„J¥¤#šÈóˆ/‹úP6S°<,H9$É8ƒî)G .ý•»t0²²Z¸»Í‚e€ A7;ÈŸÊy¹)Û#"x'ï¢FÀ`¾ ¢à¤|Ú"kÖõa³D˜·Hå¹l׃É&qa ±Ä*æZ„>â±½¿ÀäÈOY&µñ3ð¤ -O GݽƸÃáhî+;y{Ï Ô>s$ª?gbì3q¿íﻺ) žö„<‰p· *2Vp”KV ÐÁýÂÈý{Ê—K’5¥“sHª—4·8U‰paÛꦥm›/>5_Rr[Ã$¡|¯3IͬԾ¾Ç¹ýÇ HÐg]üó@tFÕÇ¡bárydJ´!+ -ê¶Të>/g±0b½À‚ dŸ:ëó€ªïJâº+ïeÑæåærB® °¦¢þÕ4¡‹u9MˆX'Oú¤gͱÝm0Jõ2*”s‡ˆ5ÂD/CP «úLק0\ÿñe‰Q#­go—ÿ‡ÞRGŸÓW’Ú²Deüºõv±.[oÄò}Ç dëzs–^ð„»8óÂÖkdïžáB(WY:ؼg¸R`›Ò7!ªW4qJ§.%’BPê@Ì÷„ jËAØõpD ïÚ|êÀK§Õáö$ -Ÿ% -¬mÝqPožŠÀ.ÖMŠÙL«¾òa¯“s>%¥úérsÑåÅYÞp©nìê㜰OuÂ2DŠ¶¦ý/ièyE$Á”IBIT]6z÷ý*”xçæ -ÑYƒ[6NKMbã÷8YË-¨ X÷®NZålñ||j2E Ž¯KœO‰‹|‚A&võÞ÷A¤š=¡œáQ#Lrô‹›ç0zjÝÁKçZ|-tÄá9G}_ -‡°ß|Ì)¨þ¸K|PhN±‹jVW#'ŸEÜž¡Ï '&©ý ÒJ2mƒ³kóOXƒs>q|ƒ•¬“¨+øRŽR<Ó+Ð-ðyú.ªëêšae`j¹@¢Æ2‹ß+_ú*¦ÿü9‹g]’Þéôø“‚;%Ô§1V¶•†L¦ÂÕò/d2P|‰IH -·ÞcÒ{À—MpZ‚6â.)º?”ÝA¨tÑ^±‹:8]¥‡­«ž±…0Ìü8ˆ€g¥.J؃nóAP¥¯œNˆÙïÅh{BNåÐ)_îz9Özx ¾¯ÜmF­3aeŸcA‚YÓ­˜/ùt+RúM([‹ßó-pñjÄŽfpó©³db›Øñm)êSAÉ ³½VÜ°(¬Dá9’;Õ£ö7®Y2Eäàí ®¯µù`' ¦ õ8ñ ßíJšI0Xå[Š~F±¶”áRaÄ_ª í-úÀèßN™¾Ž¹%(§& %Þm<³ÿˆ¹¢o‘ÕšuÿSëP¬Û|±.«"t~Hi RL]°‹ü’b“´Ç´ô”rŽ}€íËÔVÓ°ÿ•ì5ÞKϤ‚Ë趺ÎM0ÌÄöä6X,ÿq?âéêõãx¦Ÿ±D«³3ΞôX;2Y.U¯* ê‚Šƒ6Û%Ú¡ò¿ÇPáü*é{:)bÀHÈ/žP×Üò)~úìЊ²t¥õú;²„Ñö£'3êkŒzÝE½}ï[tã?Ô¡—‹÷ïŸô˜*ýÓ50νLÒ¿†Ïê{Öxé&f%všÓDL‚z;eoü‘Â…4ÁƒüÑa £ùŸÀ‘à¬Cñ<þr“1V÷½˜#÷“*¥ñ_Åa$xC@a"áYÃK B -…¹9!úÓî½ôH§Rÿe›ƒØôlÎy®Éœ^ •À¯ÎnÝ Ío]T&,Ùå{×ïÇJJgL‰SgmêÅ'ïf%}—îÃ2¶¬7„¢1ãkß¿KÒRi¨Y”–…Ä[цk"Wï -`­^›#ˆk‹ð:':EE?Uøõû{Â<ì¼ó¼ð³@™2÷[¾‘êþ“{øÓ?<ýžR&ݲÑ2]Ë”"Ä”“¾ÒçM úmá9ëÿòp‰endstream +xÚµËrã6òî¯ÐžV®!@`å4I<‰S›Iâñž’(‰±†"‘²£ÝÚߺ>%Oöá©)6F£Ñè7Åüã‹D1•Št¡Ó˜%O›ÃM´øsßÞpÂYy¤Uë«Ç›/Þ)±HYª„Z<îz´ ‹Œá‹Çí/KÅ» +Ñòëß¿»ÿöïoou¼|¼ÿñýíJ$ÑòÝýßîúöáí?¼}¸]q“ðå×ß½ýéñî§Ñøêþý78’âãч»www￾»ýíñû›»Çp–þyy$íA~¿ùå·h±…c1™šdñ/ãi*‡›8‘,‰¥ô#å͇›ŸÁÞ¬[:+?1!AVSƳLR¦¤A€\±ÄEÑòíf“7 ¾®Úc]Ú3%Ù£-VB±HFH#,ŠÅ²­í“/Û}ŽM~|Îo² +g×4y¼åf™7í±Ø´ùÇÖYƒ _ÖõÄî‰l»¥¥´m½`r¢üû ˆÕGbåÜ´ùîZFzù!ÏÇ·ƒ„"'!)™Š„#Î?.xèÉ= ¯zø(ö¾°&T­È>䛶ðÇSŒ3>Q%«=â×®þ áæg*VƱ°«xÏۼ͊’.ÝñÏ}ý‚€»Px6Où¦ØñÅÝ<‡÷eÑ´ ›ž…iÎÕB¥œE\ë gA¤Uë²,{–¬,ë—UU·–ÃÑæœKÆãH_ß=`Ílß%ç†q!†Û°²ù5ŠDnÅ øòe_lö HŽf(+w,;E‡'dxÒ B»/h™¸ 7v@/3ÄhÊì9§!g€ûº¢ 6û¬úè**Úu»-œâ+©X"DlOÏÒ$AÕ´¼HcД,€$-tÈÀ€Žx¿£k§œêd9w#*pf\&„|ÈÎH=+ÚzMû5A®[°Çð¼MyàR°(Ž=aÇ÷tw‘°8‰5!5m>!¯Zc ò;Ð Zp‰äžR§\{a *ZÀÓàƒà’ŽÅ֊ܾ¶·|9˦L«ÔsY?Ùû 5¯„Ì•š°MédyO|D¬®Ê3B‡<«À îN¥}çhún?|8EBÐ +ÍÓÛá°ƒÇç:b©ó6}}é]ÒrÎ ;ϲËNe‹/E3t(OÎê.Þåø£j¯sJ%ïpÑÜ>,Ï%TTQk+—½€()ä+N¨Cºâƒ©Óy8Çz)ãôêÎiºõÐÿhð;JöúŸN{…Iƒÿ±üŒwþÇÚSMƒÍ'¨궨²ã§¾yÿ§0¦‚Êι‘&L(#Ž e– \ñ¾Þ ½ð*çC…sÉ\ðÀ;Øçäà9ïŒZqúŠsˆÁ5™ß Lè{éè|nnÕ\˾¸Ì 7Óvù»âºÌ@¾þ¦.€&Y”9tPÖÉÀz±ü?0YÇ‚–¿ÂÛçÈ*ËÒç×’DÁ©ŒL®Ûaë²!¬NéŽùætl(Ô ¬Q@ý !J\e `Íp0°Gi%žŒXd¬‚Êè ÀÎ ã¤g0ƒi´£ø”#„¨îLÏ4ÔÝ]±ÇK8}Ü#=Ê`ªË\BÀDðì nHSGj3Ò“–hÝÓmPK49m‚–Þ˜imzLÃKOq†IqV2•Ë÷uK+Û}F;n‹Æm‚™= ÷±GŠ†>#ì*Iဠv;„¶µÇq¶b Sù3`^4XÖþá¨iògÇ #œµ™_žÑª‚¶ÊJ\‘mÏ4Qvò5Ü Ä¹™ãm²Í>¿li‘d±1é+–Öúbi«³´Óœ._T_²ãÖylqš3A±x•‘€5ÃÉÀâ4$a¦¬©Å),NÉ`qvg_‚ÅÁ‹Ó^x6§õÁùr€¿9WÙ¡ØЋ €ày›Ñ2—B9c².ÚˆQвñÆyKZ’Œc¨Ž/È×Ö1“Pí5Àý´ÒP½|ô3=‡íTÊ…ŒÄôcš­Õy6ÿ„ì.²Á Ê¿Dð_s±YB¦küš7HÞËÔ2)eCÌ¢]:£Á'Jgw˜J¬P6B§Ìp‘ …ãO•º^¾ÎĆ:zù”Ò!ß’ {¼M!ÃEœ¼ÊÖ%á…­î (¿Ad_ÇÎÈ J:õÐ w™Un8âŽ<&‰6«Î^²_¾*ZÛzJ8êïîŒCFËç¬<9_p jpDd]Í°Îe +ÑJ˜?wÅÚöÑüqášfè +¦T¨•¦Ç›£ +‚á‘¢%áÔœ@žg|ÙÔ§ +´™ +€íi³òåHFÆjT®È•YQmìݦÞ2ÒÐBz‚ü©XeÑžÛ€43ß©x©TÞÈD‰c;>•[„}o +©¼í~´3Ù$.ì—è–U̵}Æc;É‘›2Li‰® #žŒ}Ä“^ÅQ9@±10À°?›…‡ÚNcyÖž¼Ë³¶½cŸò…Ÿµ Š1Æ’ÜnûÇSÝä~Û!φ"Ü­DMîw”Šª±Úûßk]$ß´s½†äÆ6$ÃuõóÒ¶Í6Ÿš/)»vö$T®àv1hXddúJgÏ£¯úøÓH4¡:ìì+šÉI“ +¸D©!/“`°^a!¤Ÿ*òZ{‡º/ojô]Ì$”H®5r5Oèc]ÎVçJŸÕª9W » †©AŠƒ +EB_ç!`Í01HbÅŒ‰‡L¬*·~ÉÜ õlƒ?‚2!9êø&ËæP×ÎØÁ#„À“Rƒd6Y¾…?«iDá3«¶£Îû)¨œMV¤åä2ÈU[OPr¿Ë± +É7—.‚Ð,…ðþŠ!ô°®‚Çê Á)Î.?N+Sð'†'×÷X3 Œ@$̨1ƒ<9‰Ïé,Hyr,z•©y²}±gŸtC¹+ì춉 +huvá&÷„Õ¯J§™$LÙOYýdŒÒ„rH›QšÐêÄOÛ„+ô™dê —dÂsØQ‚×ñç….Ž°ß $¥¥$Yª§›7øÊïàSk©§GØS‚‘~Oé27Ú0‘˜I_ÚŸ®5W#ã¼*¾4ÒñL×ÙÙåÿ¡¹ÔS Æç4–„–Lêä•0ÖǺl½Ë5KÈ2öu9I/xÄYAçúÖkfïáFŠÅi2Ú|`¸R`ïö‹BöÄo<>ò¸”H +ú@jï Aå–…°ía‰@ÞõDp×<—^¯ÃîIN.KXÜÚâ .ŸsÏ.N13©Š§Ý™ó-ç|IJõóåî¢ÍòIÞèq©pìëãš°»Baë#E[Ó~—4tZI0‡XG¾&ª.½ý€¯ñ¦æ +ÑYAÀ×6$,IuÒÿŸÐ÷ø{[(í2ȯ}†”à¸ÂÄú”°È*Ôaâ©>ºFHÊ}ÑžúOæ)ï¾ÔLrt‹›?Úõîà¥w-®:ã𚪣¡/…‰Sƒ8å˜Ma¹õG(4«Øyµª«™“¯î@Ðç͆H£Ä|éX2e¼³k³OX„ó¥ýé‚}âY‰¥¬•¨­øŽR<=¨Ð ðÙ}Õµu͸N:01Ü,¸ÑÌHPŽÏø‰`©1fþ÷#«@qÕ'éœÎ€?)À9i¨ÛÆÊ¢Ò˜ÉDØšCþ™ô_c’‚(†[0é<àë&¸-A±—ÜŸôÊn!T ºè +¯ØF œB0¡Æ½«±ù0æÌú<Š€“R%~;1 +ªôÓjÙ8û½m;äDŽ¢÷…à®·ÃÞCìóø¾â©œµÎˆ”~Ž ftH·B¾àåÓ¯HIXtêw¾lÍÿÈÀÅ›;ZÉkÉ}¶;n\[ŠúT@2P“A+n\“ŒV¢ì,¹]< öžY²˜ÈÁÛ\]kóÁNÒÊ,¥'^¤»¡]©}3 «ì@CÁ Ã(––Òß)Œ¸;Õ¾½Eàº)03T1»å`ÕC§¾Â›£gv1wô-²º@³~j7Ùf_T¹oüÎ椗 ;oÙ%½&iÏ)i—qÎ}€åKã?­¥~ÿ+Ék¸—EyÑïtM-ÐÏ„ ¶óìÒo!+°?ü›É$á?Éú¿þ}a÷ãËX3i»Á³)©€Ú"6@„˜²"‹ÕÅŸ¬MYÿ7?²Žendstream endobj -964 0 obj << +967 0 obj << /Type /Page -/Contents 965 0 R -/Resources 963 0 R +/Contents 968 0 R +/Resources 966 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 947 0 R -/Annots [ 967 0 R ] +/Parent 950 0 R +/Annots [ 971 0 R 972 0 R ] >> endobj -967 0 obj << +971 0 obj << +/Type /Annot +/Border[0 0 0]/H/I/C[1 0 0] +/Rect [455.0966 729.7963 511.2325 741.856] +/Subtype /Link +/A << /S /GoTo /D (address_match_lists) >> +>> endobj +972 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [369.8158 503.0308 418.5625 515.0904] +/Rect [369.8158 409.2782 418.5625 421.3378] /Subtype /Link /A << /S /GoTo /D (dynamic_update_security) >> >> endobj -966 0 obj << -/D [964 0 R /XYZ 56.6929 794.5015 null] +969 0 obj << +/D [967 0 R /XYZ 56.6929 794.5015 null] >> endobj 362 0 obj << -/D [964 0 R /XYZ 56.6929 337.0807 null] +/D [967 0 R /XYZ 56.6929 769.5949 null] >> endobj -968 0 obj << -/D [964 0 R /XYZ 56.6929 314.1315 null] +970 0 obj << +/D [967 0 R /XYZ 56.6929 752.0968 null] >> endobj -963 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F57 624 0 R >> +366 0 obj << +/D [967 0 R /XYZ 56.6929 241.6876 null] +>> endobj +973 0 obj << +/D [967 0 R /XYZ 56.6929 218.2875 null] +>> endobj +966 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F58 631 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -972 0 obj << -/Length 2358 +977 0 obj << +/Length 2580 /Filter /FlateDecode >> stream -xÚÍY_sÛÈ ÷§`Ÿ*u¢Íþ'7~òÙNª›Æñ9º‡ÎÝ=Ðq,‘Š(Ùçéô»X,)R¦ì¤Ng:ž1—X,À?`)qøQbWNG±ÓÌpa¢éê„G_`îÉ<£šiÔæúiròö½•‘cÎJMæ-Y ãI"¢Éì·ÁùßÏ®'—7Ñ4|`Ùpd,ü4¾º Š£Çù§«÷ã¿Þœ c=˜Œ?]ùæòýåÍåÕùåp$#`½ Ž,x?þÇ%>Üœ}üxv3ücòóÉ失¥m¯à - ùzòÛ<šÙ?Ÿp¦\b¢xáL8'£Õ‰6Š­TMYž|>ù¥ØšõKûügTÂL"ãjÕç@ã˜URyÎË X»ÁøúÞÂ(áƒß¹áÕ:›æ¿s.§érùHù<<·Ä7- X½ªˆº-‰zó~(ç4VÚ)šM‹Y=}Ne´„x,Œ‹j›¥³7ÈÓÀ´ÌZT´´,ÂN‹ìPå‡|9›¦›¡H3<pÌH挑ÞÊt6ó“YUùý`í¼- DT°ÕŠˆeámê" æåÅ´\­—Ù6°Ÿ]i¢Ú­×å&¸¤ãÍ`Ë¢|Èî³ FR 4{Þf‹ôÜ•ûe@ȃ©‰Uº -¼ HaÛEº¥ˆ¤­a[kÖð&LhKG}– é}Š#1(çDY§›m>Ý-ÁþüŠ-¿eMNÓ‚é²*‰ë6#J4ž£’pŽ÷a‘Oõú*£eÞH¿.Û ƒíü‰{ë­j>Ð4…èqDUNï²CWd)–jDhYö†(ôú%DÑ&ˆŽ^ÂçÃ"ƒd: ̲*§•A0† g‰[S€Ôó·(ðzOìãn¹Í!èp’¹†š39XŒäµQYŒà䈹ùƲX4Ìåz›—EÐΧ×+¨³«²戸küøgŠ±ÿ†D›¸%zäb¦´JºŠwôYÎÿ¢GZ<žÒèߧ}Çøt!%Ž„Tº#ì/’sñnv›¼{÷VÉÓþ\û)@ZIÜ€c Ær3ÈŠôv‰ÉuˆL >ýÔÄ(P}XTCŠQDñ‘‡Ђ!—`î0—`‘ö!ß.«¼øR+ÒÁ5šõqŽÀ‰)t¬A«ŽC©@’ŽÂ™à>á´h¤n8:Ð ™Yp2”¢¬ =½›pfM‹1¿þ¤©ÎÉio,.irÙÏ‘UaïD¤Rúâh•n§‹ìEhG·ôåÑdèä ¤X^¥wÙa†³Å±7‰ÂÓŸjÀX{ G zò„c‚e‘}GüŽçµÚ=!%K Þÿ×q€ct?ê@ʨWº’õXÝ ³‚;p€b‰’äìÙ„eÇ|öË.ÛÁg A¼×‡Ò0Y§úPÕ樖9 -zÂY™UÅ_·4qW”¼iQ=/÷-®Iéõë.«Ð˜¨±ñ=jPY\RRiAjÀœF^g@ÇÀõyyI£ªÜm¦YÁ£†½[3›E<²6Xe;x@3„20˜O- û*ßn)GÉ]8Ù-$È6¾¦™ÎQ#wéná‚bjsÆWgOî?†;¸ŠˆØß[œMâo¹Iæ’$é¿ÿŒ‰£¶HºÜ´Õ3B2s³ßÙ·¼Wÿìq*à¢u:Þ{•ŠìÀ™”&éVЯJSŸ«TÝ"+úã#Vм>VŸ1½J-ãç¢Cp¦µµÏ†G¬m¸RÓg -¨¹eŒÏ n “Ë1îŠõ&¿Ï—ÙŸÉ0²[éÆj¬Öm«'‹¾¼“GŽÇ5&¥÷e>ÝëÑn¶‘ƒUâ YÔ¦› ¸i_þH‹uNÔâŠYŸ‹ ƒ¤QÝ-­ßò˜X1ø¤†[uÂ0ð0< àü…­¤gèsî=pÉÄz¬·5VÁ&-ÉJC3éÚývŠË¡„‹q½¬­Ü¢ôA—ì· zh e>TÜc2¾Ü–xñÁѯ×Ä \ÀKŒVÝ,™œcNt­t@Ð8Áã AÏ-*¹ó8dê/JþJ -Ò¡%zº^/}¿…sõW-ð,è‚„Ã=°ûV _’¼|@Æ| „›Ï“~ÊJðû -¶Ë¾úà;V’Ù” $7°ÃXÔ.fÔŠÚYðºÄÂ6®=£ý÷ÕW§=¢«ø¶ÖçEY±`Ö -õ–Ò -}B„L–±{B¤¸4‰û‘ "b8@©ÝG‘¶äg`D$€î±£õ9Ë(âü‡Ì§¡¨êîk S5ÇÎ<<<Ð ©}çÖ´.]‚^(©û?¸+çó—Àb…«º­<ží~]Ðüÿ§Üüci¿ÇÒ°âXz´Ä -âÿùìRC=âúGfGÂ!Ô~lr´?“N2.$]y>—þ·nÝ @0ACúà×uâ -³! -~,¡‘ÿöƒúú]×$OɶÔ«úçO ½ªß¡.ìøÒ”Q|Á‚Ôó‘³*§˜5wø?#ú -v,=Z'üº˜ùßd‡ÆÒfû~èãM$¾úgÅ}¼ëP(‘ý¿bÛ•HGÊ0”…¾Öñ“Kýûcàj©þÎ?=endstream +xÚµY_sÛ8ϧð=}S³ü+‘íS6M{ÞÙ¦Ýlvnnv÷A±åZS[r-9ÙÌÍ}÷R–l%í]zÓ™ŠAFŒ8ü#kWNR§™áÂŒæ›3>úsïÎDà™F¦i—뇛³—o9rÌ%2Ý,;²,ãÖŠÑÍâ·ñÅßÏ?Þ\^O¦ÒðqÂ&S“ðñ³«7Dqô¹øpõvöî×ëóIªÇ7³WD¾¾|{y}yuq9™ +k¬—AÂ# ÞÎ~º¤Ñ»ëó÷ïϯ'ÜüxvyÓÚÒµWp…†|9ûí>Z€Ù?žq¦œ5£{øÁ™pNŽ6gÚ(f´R‘²>ûåìçV`gÖ/òŸQ–+Ój5ä@ãX¢¤ò¼Yåh°v}-ã ,æžg]ÔM^N«rz—æ®\“°D(˜«mST%xIóqQÃW¹ñ¾ÎDi*¢ÔÛ|^,t þ²ÉwËlž‡uY¹ère[íššhq“ûU1ŸˆñêHVïîò­º/Ök¢’)D]V;´ÜfX’¦à?!˜3Fz;Šr^mŠò÷—}¾+¼ZE— öuË1ûxñ‡ò8²ÌªÄËùÇ +öóN3iÇi‘É8Ïõ¯É4á ~xM£8º/Ø;—§äÊß9—ÞÇÜŽ³0ÑÄ£ímœ¦,áÚ†ÓÊ‹]^×Çq,9Ä +„[â Då7²dÎZ;ÆÓ(pÚ•èC´§¨ÏxªÜacTr“5óÕ‰ŠõÆ}O£Ä¯)©ä¤U}%1²ÎLæÒ$ºC®6½´SœAÖ‰oN;é ë»i÷¤‹$$ÆFL‹E•‡À(«†H·$NÃ&.Ùf»¬É)5d☖€(½Ü¨«ùçe(2ÚŽól¾¢fÚ|¦Ÿl¬uþ›Ž‹ +¨#r ÓAØ2l¸ +âªmŠRÂÏúܵ¡ñ* rò²Ú +zœÎýq¤MVo™èPꢖ熷96ÏÖëâðúà·!¾yUÂêMMTï ^¿_ÐXi§h–€ÍO_E-a'„íxV‚1ÙÏÓÿEDMK=þáNÞ=•ïóÌûzÑ·R¶YÂïk—]a ¢õ&«ÒÛ Tò+è¸]çM`'ßÂDô­§ö¼lYU÷9Æ$\¬Òîy›¯²;pWá—ÙpX~0±Î67«‡ kVY@fÚšpY÷q9@î9X.$å-ŒÄ¸Zâ¿)æû58Ðÿ&¿"GÇo¨89ÏJdëº"®Ûœ(`K•„s ¼xe­âú:§eÞH¿.$mÔΟ¸W0nù:™ÊÉЮ+BŠâ Ö»3€Ð±ìQèç§EkÊY £—ð{¿ÊAã ™‹¼.heLaÂYâÖ qþöáHÞÐMú~¿n +ˆ¹àÔœUß œ©h™ 8ƒrþ4½Zy¼à󦈀â¯u㟆þ‹ËuêR¦´²ýHëéão÷ÓëþõÐ)ž.¤Ü‘J÷„ýEr.^-ní«W/•|=¼ÃiEwNê¡ÕIŠÀÍìvñÈuL –>ûÔ†(P}TTCŠQDñ‡Ђ!•`î8•`ö¾hVˆX`EEz°F³>Ì71Àî5h5àPÒQ8Ü'œöÒ GGº! Nâ/QO(éëÝ„3[ZŒéõ'MõN†HcqI›Ê~Ž¬ +ûx'"•²G¾Ê¿Šìè–!à»™89®(–7Ùçü8cÍcªL§n6áâ1œN5–¾Á$ÐÕoòt~”U™ÿá;[F­ BJfþßâÅzØþ¨ÿBãñ£#€Ø¸z54vê´<«R¦­ˆùWÔ’Kµ1ãoCª1®MÔ 4ƒTÚõgtÆjìïhøú ªøS#! 3.Щ€øQæ^£ø‰öÝ@:†yzºß{RÓ]ó:™ ´sOò©~R8‘a'}¢žu&úê¥n`•×/é.zýØ+¶Ô€ †ÓËšÈq‡ NÄ*|ÛziYaW`ûçaã´Sa`‹cz[¯:9`-²%#–€#€P„ÿåøòØ3 DËA i·fôœÉá`1uÆÞÖƒ<áål#Fo*°hÔ1* +žv%{£¬îf¸„;0…¤—\[vÌH ÝÆ üPýg1åðÛ¾=Ú¤+Zi¨(]·ˆÂ2rLÁ9‘ÐÇe]’”A'uüøï· zr e9QÜ3þ¸­°ùÁѯo>g@5|-Ì­ú©rs·´ÕQ7(ƒ z‚Ï ÂŸ[TrïÁÈÄG%ß–‚t¨G‰žm·kzȇ¹ø°e¨]p¼–@P ë@’×÷Ș¡‘aƒÐýœtiøšeñ‰kfáo¼‚Hf{!¹µ€‡£v)K@­Q7ž—]˜ÇÆAï3=üÅéÙ¹ ‰ßCV*X’@!ùí–ÆáH@¡(ž†·kûØÿ`$EŒüþ(ÒüˆX°ÒºÔëûKžS´ùwÌSxÀ¿y(˯*§z‰á›{hx#@u(ÝÚÚ¥?P ÙXB³\,¿<'`cXñxjtN÷yñòÿÉ V€kþ®ËÛ(|ö_‘±®Sp³•Ã VÐÕXé°aa( «Ó“¶&þ¹9puTÿóãÕ—endstream endobj -971 0 obj << +976 0 obj << /Type /Page -/Contents 972 0 R -/Resources 970 0 R +/Contents 977 0 R +/Resources 975 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 947 0 R +/Parent 950 0 R >> endobj -973 0 obj << -/D [971 0 R /XYZ 85.0394 794.5015 null] +978 0 obj << +/D [976 0 R /XYZ 85.0394 794.5015 null] >> endobj -366 0 obj << -/D [971 0 R /XYZ 85.0394 518.4711 null] +370 0 obj << +/D [976 0 R /XYZ 85.0394 419.653 null] >> endobj -974 0 obj << -/D [971 0 R /XYZ 85.0394 493.3754 null] +979 0 obj << +/D [976 0 R /XYZ 85.0394 393.5443 null] >> endobj -970 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F84 797 0 R /F86 977 0 R >> -/XObject << /Im1 790 0 R >> +975 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F42 601 0 R /F57 628 0 R /F84 802 0 R /F86 982 0 R >> +/XObject << /Im1 795 0 R >> /ProcSet [ /PDF /Text ] >> endobj -980 0 obj << -/Length 3477 +985 0 obj << +/Length 3187 /Filter /FlateDecode >> stream -xÚÝZKsã6¾ûWø¹*ÂâE8NOÖ©';ã­Ôæq %ÊbD*"5Žóë·Ý HŠ’'»‡­Jé lÆ×4 ®%üÔu’ŠÔky+©’ëÅöJ^?Á·o¯ÓÌ#ѼOõÕÃÕßÞ¦úÚ ŸêôúaÕË éœº~Xþzº¼=z©±£[«ü°a‚²9Çb»kÙÕ1»PúE&²bÇí;–qÝè9Y¶Ø èÕyo(•HéeoØ£ºà #Êj›ÿ>ηwÞ–Ûb^V'®1‘"q—ù`š 6pT'©2C>îªGˆ`Ð|;½”úQ‘3`¤ÝìPU!àÀÏ›ºz ->I! ‹¥àT ´Í«ê¹-«C[p3! Kqžb¿-çªÌ¯*jvº·ü,T(-hqʈMÅu}Ø7´ÛÃá`/ÊíaK•OùæP GÖŽ§Í_z£ZiF3^DR±¶Ê\FRŸê<’:ªI$•ËÍ$’l&ÄP—9é¨&X¢I‹Ì+7äåˆ&Õ¡I Ѥ IPFMÅÿ]à½~Š¶ŽZC<¡:d©Y*A¡CPÏà‚:ƒK1¸Ô\ -|œÖÿ-¸ÒsØRGlýÿ g,¯}Z=ª ЊTçT}hO­T*”òê2+Õ/l¥°Y‘ÚgæÝ¡epa4Â^£ÒÞa -ª}S…õ €„­U ÖŠJ1–"L…R·½½€G‘cÃ.}@y8 KÿµV6³"qR}ªóê¨Î[«IHA°lý+¬tT¼ Í•ÆÈ3GH!e¤Ø+©Žö -ÊÁ^Áÿ„½‚ŽÁ^Ɉ-êì•$lÝ †ø Û+Ið -½X$ °Td`ņƒAþ6Ë-Œ„͹ °Õ€Eª­û2ßÌ;û—ù>c`”çe˜fbþ¨ ˜'®oÀÀ‡Mþ %fôñœ¬MgN y,ÖËr‘oÂÁ¾néã6oÚ`¬ ¹×_ÓéþCcI¨7¡±\Q›Eš»ÌyÂê°}ä<úuÐpÜ\­‰gçg˜U{ -³:Ýæ‹5µ7‡XŠÌBñ@g(åôG[ÏMœÓŽR*ØF¡;·éf¤UÞÌ3;û‚G«Šö¹Þ¤Êc^-ŸËe»Sí‡'R ‡RuXLx"h븀rà„8"ÑÂ*0¢µŠIZ ñ½!›Ñ˜V4:O÷¼Æ ã‚D QIºTTšp’…Ôc}jR±‰¥v并NEâU<£N¡~×,º;åÓW­Ô,¸D‰™„¶@O ;Á_‚ÎKNý ÉÑ8Ȉ+¢ˆÌ×.U< Ê€ùØ´¨«¥ ì­ s{F8%‡¨œ4kZž5*&±Bé×Nk}ªóF¥£‰·¤ôÜÀ¢('ÒWfgš‰ÉE‘b0=˜ý·GûNíf·Ç˜3ÈH8œƒ†Ë3¼&M-ðÖ€ARŠæ£í‡–ãöcò3n?|Ûm°¹‹Ãž ö> æˆú°S’ŸØ¡0ž1î#cÀ’`¶;äáKÈFÂðšð6°iA¡ÉE#uKÈóBseø X¼É’x§ß=ý-kšÏ…ÇÁÖú.­ô9[«Ð/õ·–ÍÏ]…9M²{š’|sÓKÀËØÜY4w`ë(Km=œ¬²Q*¨KÑ—‹W)d‰ò&F1”£_RõÐtg¤‘9‘€Hþœ ÌlæF9cN´Ë„—ê²5é7&‘¨ùB½U½ß槱/Þ}yc.rв0 R¤H3›x ›8å“~¨‹Õº,<òwÚ%,ñv„NÏ5–wÀ2x5)­ªùrÊk™L8o£ß>æÀÀ3 0‘´°½I$E]™Òá¤×LƒÑ67© 8™N8£ aæHGQÅ4à0ÕÑ1tf#LjS"I݉uM;´,„Ô¿°ö¸c0˜d]˜jú_áHZ19©e f~h"þ‡½\ÒÅß8A®pS\oOX4Ò!Ê“¡>»_k¼˜¦a(64aYh:©oî?P ç‚©5„ØÊ°¦Ëp‹ÛµÆ "êEOß–SkÒ {À¿ýLdxaU—ûÞå‹Ì{¸n†Ã9Žrß©÷jõÔ5VŸw­²ñå5æü¿«›¦|Ü0)Ä^5§?–‘˜Ä¡ΩÏE½Ru×%Ͼ­qi6+‚‡ôxÉW?ÚÌÃñ™ãNuN,Pj»]½Ç‹?ò©%jt!ˆãnòñ†Ûªâ™ -ñ$ º;Ô0»'åXb®‹ÎÁe3ͱʼnߙ˜|ªƒ]lë‚+8.ß@©Œý­ð"tŠŸVþÑþëBwï°Ð;mô¬ö>^cé(ËP Ró>‚‡/žÜìûrAI‡¦^qÓ7IÈYÖÏ<(ÞG÷®'ËÇ nYÀ …âé°e‘ÃÁŽ•ÍÜ$(GwoùY66éÛØñ¤ðÞ¸?gDµÐ>ñ!°ãÄ ƒéBrIQÝÚb{N;>ZÐÐ5oBŠ¨y4vpXžÞ['¾ ½ÇÍ®‡'(v½kflè?y¨Ü6;’iÆbxL4”úTžŸy8>_š»#:|/² €ÕŸ=èŽU½³7V¢îXM/]°­îÒÙX#åÁROyœ”?åÁÂ#Sö•IÏ(¿Ä*KÕpÏ:yiF5ŽfMÛD(ðþï‹>;¿ï<'ô’îÉ”â3s…áóÅ|ø0…}ª»&1p¨î¢©ÏRÞ3øÃÊä"þzDÞQ2ÑÑ“U§9(턵F]d¡#:åÁŒÞîX8è ˜àteÿz*Ç §€”<šp¬pBZ .UB•Þ}HF!6=2å êý÷l(ƒD¶£œ!½…«·ôT+§¿øZÊGÔlë–_xÑ ¾ã³.L~†ä·¡SNþ'N%€Ð¢ÉÖSvZø,K{ž¢Ïñ -â †˜N›s}–<™÷Å&ø(x@²Óƒÿùíñña¶Ípx&!ª3@¬3&2…«°îTýø‘ò)ëÿ/i± endstream +xÚÝZÝsã6Ï_á·Ê35Ë}ÛÝl/k¶·››Î]ÛÅRbÍÊ’×’7Mÿú(KŽœl¯7ÓÉL‘ ? hµð§I*R§Ý"s±H¤Jëí…\ÜCÛwŠyVi5æúöæâ›·©^8áR.nîFcY!­U‹›âç(Z,a½~wýö껿µÌâèæêÝõr¥½½úç%Qß½õïÞ/WÊ&*zýW?Þ\¾§¦”Çøöêú Õ8*Î úþòíåûËë×—Ë_o¾¿¸¼Ö2^¯’òéâç_墀e!…q6Y<À‡Ê9½Ø^ĉIlL¨©/>\ükpÔê»ÎíßÀ³Š­Ð +Æø’i•Î%ñü´”KÉ`çÏŽEý$ŒÅdè1ê¨Þ4u"•.Ô›…RÂ%‰Fý¦Z˜L¥‹Ì!± +Ô{ìHÒX!Ÿ’"1÷ï–«TE7ð_GOÔCÊLg‹ÔZá”ʼnŸJÈØ9C<#Ú¯ô¸¾â›«­Z¼ia=‹Ñ’¸«ÑÀ~E6p +LÙ"“RXk¬—÷C[ç{À`UÝre¬Œ´H„"2o +"Jæ©«rO5E[2ÓöDt‡Ý®…æXF¡¦ìûª¹‡ÌEý¦äÚö°_3žìx¤»¥‘QËܼþ·U?(äíÚõRËè#þ+ûn B‰ÓmŽA±Ú:»` Û¿„gâR@Íø ÒSj¥Ì‡sf&5`\Ą́Td )eô߶)ÉÜ,•RÑ>oº»rßІƒíÔ %¥È˜46yGĶ\oò¦ê¶ü]5TîêÜk ȾÅ2‹îòuµT€Š>ïKªúÝ‹â™)ü'a uµ­znmy ²oÛCÃŒíwhó‚fé7y?‡ŽÑœ¸,2’8–~$ºÇ®/·`h‚m µwm]·³¾×®¯Ú†GËw»ú‘Gi©ü}Øøaæ'hL”ÈØ‘$0f6÷9Ì´sÃÀ…‹Îë®]Á)¬îOçV2.†3ÿìä×Ììcì(0uOfSþ"¥n¼5Ð6ʱȢûº½Íkªª«®'Ê+Z¯~df8ýKe#°Ô?c5ù¶$ª+÷Ÿ EšO}©'ÀCW6ÌpýîæêíˆÞ ù}é'Œvñ:›²)?{óž—vüŽÅÛPíºÝ=ET¯rÀ½$; +MˆÖ²ø­™åCäí]…¢/:G£QŽk…Ü·² ŽÐ2ßW<Óõ‡¹³@¢¯[_€ËUlÀ3mP>íd´)ë“ÎP–MwÛªâÝÆXyU27®Ý÷Ú0ÊÂmU]õéP­?úóâ»7¸µ0ò}Ƀ4Ô–˜×ý†*yù,êÕÝtYaå [µñ¹PF›± >9' †“fSm˜—°©ÁYûmͼ¯>— Wq™Ï̘ÁÓ”‡ñÚ:—†¨Ë¥ 3uh%·€Ï¯qXp¸=ÍÈ{µ°ú}U”ô…û;·TGlìxУ…BAŸ]9Ä™•îTA‡ÂX s¬ž‚è§ß gf7ÁdB%Æ7Áóžß|-dŸŠ@½˜†˧sZ-¬N‚þšvfXPO ŒZ7>~ASãã%ðkñ²›Ó‚*VòäÀYgI2…Œ‹ß0ÖB— [:ÑÂmðY´W@ã†ô`Ü؃탧Ëû£—:utEy—jf¨ºçXnw=»:¨_d"v|Á¾#ëF°Îɲ…^À¯ÎzÃ8µAŸ»o8æ:ï .Ü«mþÛ*8cT絛¶åªjž¸Æâvû¼Ì3#Æn€jh5S9®š[ˆ`|üïÔ8*²Œ´MCA24×msO!6¢0oEÁy «k©ç¶j}ÉÕ„$¤nÃ<å~[­T™YU6ÅTg¯ø"T(-haÊ€MäúŽ´=tQm[úøœ×‡r:²¶/óÌÌ?•I…3QMøPçŸqÇŒ>Þ“µÌ Tï@Ķ¨Öyí/žÐ楥ÆmÞõÞXAõ¨¿¦Û/”>Qž_YÝQ›Eš»ÊyÂæ°½å<&Oà$€ãžx Él]„Yµ{°X§Ñe¾ÞP}wTÈÝI€Ê© ÕsçÆ´¥” +ÖQèŽÃÕÃŒ´Êå*‹£¯x´¦ìÚýGú¸Í›â¡*ú˜»hß,ÜH¾OÕ!™ðDP7H´—„0"ñÂ*0¢µ +OÀãFCv'czXÑè<ÝÃ3ŒkwˆòÈ2¤*à£ó7YÀ•åóÜtÄfR#^\yS‘8î¨s¨?k–a 6¹ãª•Š¼K”˜IèKô”  nñg^rêYŽÆA\Gö¸v©ÂMPżªuÛ‚n°7´2Ìía“ääB9kÖ´±(Úˆ4F‹2žý +Õ£]§¶‘Eõsi—s8áòŒì'“¦±ÐqO€ARŠæ#õCÍQý˜ü ꇯ~¨å®{‚¼×½†Mõaÿ¦ $b‡üxà£02, f»}ŽZ|6Jï5¡Øõp ÉE#wO äyà\¶a‹¯–YÞ ÝQÁoE@Ñ[°³AñÓnx¾°jlogs‰èÔó<± ÞãEç¾i9”8Úš™|ŽÕº!­ô%ªUR§Õ²ù¹j0§IvOS’obîBz d95w1š;°u”¥Žܬ²““;¤hŽËŧ‰ÁN²Dy¢ÊÑôy膎3»‘Y‘À–ü9˜Å™=Ù3æDÁÒ¤Ì^¸²¹Î›“küþ㣽»v¿ÍŸ†¿p­N1Ï 1pÍH1T$D½q:ƒÞã”KÆ/~®Ñ! qËí¤+¤X)¾ÓCKDѬ„4°Òº¯ç|—É„uqð^ Ç +x€fÒ’1(9 ¬xbæÎ…°Ò¿Ò£yäñfE®f8œW†`3¥'±Å<ìØËA 3º<ÅIjŸØØIJ[Ë|B5¡…Ï=†„I6Kž¡¥²(ýÅ´av:œž›å¡‰¸]ôüwš&W¨;Ò o´õdzÂÏêË ç’ÁDQ„hü²Ð€‚Po®?P g„©ÖXËf°¥'ÿ–;Ô†g"궞ڊ¹5i8 ü…Èp"VC|—¯?²ìþÑfô·9Ê€ãL¬ç³Æ²k•>qQeÎå®íºê¶fVˆÀZn§‚÷HÌâP kÕ—¢Þ +©†GŠg߶Çè4‹JŽ}’¼â m¢[É@á¸SÛø{ Pô[ +|þ#_J@P¢¦§èÖ3Öyî¸æº¦| "ÜÔð’êgýCYÞ1;ÄèนçXcÅoÌLžÕ‚ûõ¦ä—ß¡TÆ×ñ€±p"t—Ÿ?ü'!úË›n!êáMN£ãcï“0RǽôŸ~ל àáç'ýP­)õеw\õÓ2I9EûÀƒâ«ôè‘2‰ù²Ã%ÜS(ªö* NVUusp“p8†×Ë/²±ÉØÆž¾L +çŒýsFT ¸i»AÞqú/Ãô,YP¬Go·XŸS±ãáƒõ]óÎ'j€û–Gc‡ä™{W ãœ;FŸgí ØM ÒNOÃôAsîWp&ø³´/‡~ýå_È×gÂX{&o¦!ÄŠ- ÂBá +bû4`’BƒEœý›N?endstream endobj -979 0 obj << +984 0 obj << /Type /Page -/Contents 980 0 R -/Resources 978 0 R +/Contents 985 0 R +/Resources 983 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 947 0 R +/Parent 950 0 R >> endobj -981 0 obj << -/D [979 0 R /XYZ 56.6929 794.5015 null] +986 0 obj << +/D [984 0 R /XYZ 56.6929 794.5015 null] >> endobj -370 0 obj << -/D [979 0 R /XYZ 56.6929 769.5949 null] +374 0 obj << +/D [984 0 R /XYZ 56.6929 645.6366 null] >> endobj -737 0 obj << -/D [979 0 R /XYZ 56.6929 752.2241 null] +741 0 obj << +/D [984 0 R /XYZ 56.6929 622.1818 null] >> endobj -978 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >> +983 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F84 802 0 R /F42 601 0 R >> +/XObject << /Im1 795 0 R >> /ProcSet [ /PDF /Text ] >> endobj -984 0 obj << -/Length 3053 +989 0 obj << +/Length 3155 /Filter /FlateDecode >> stream -xÚµ]sÛ6òÝ¿BoGÏ„,¾?ÓÄé¹Ó&¹Ôy¸iú@K”͉$ª"eŸûëo ФDËî$Ϙ `,û ñƒ?>sº`Ò«™õªÐŒëÙ|}Æf70öÓ8yBʇX?^ýðΈ™/¼fvµ¬å -æŸ]-~ÏÞüûõÇ«‹Oç¹Ð,3Åy® Ë~¼|ÿ–z<}Þ|xÿîò§ÏŸ^Ÿ[•]]~xOÝŸ.Þ]|ºxÿæâ<çNs˜/â -OLxwùËA?}zý믯?ÿqõóÙÅU–áy9“x?Ï~ÿƒÍpìŸÏX!½Ó³{h°‚{/fë3¥e¡•”©guöÛÙú£aêÿ´t…vÂN0PÉ9X™™Õ¾0RÈÀÀýö<—œgÝm…€ÈæÍæ®Ús—ÝT›yE£Í’ÛUy»þj6Uû -`a³ë}GuGxåªm¨g]>PW½™‡U«²­F[òlÕ” Bj6ÔДuÓEÔM¹Ž#mµC:á~ -¼8ëPXØ,ç¼ðZ‹pÊnWnÚeµkó--ß´qÖCVZÃõ±0‰Hw"»Æ-ÌØpW/Õ†ú›ø-i8-)£©e[·| ´}[on¨ yL»P¾ÐÒÈHFOûÁJFù„¹½Ýs‘¶%í6½E.+¬Òc.E·‘ ›Æè¸MÛ•]µ®6]q$þ¬`4Ó2«z?­î)b‘´Nª{Âò‚øÜìwóê®Eá…z†ˆë*¸¶…gúedJpÍ:¹¶¨ºj·®AiÀ‚H–ÝßÖó[Wͼ\!ȳr± ‘oZ½Z„R¾Í~³ 쮡®ËwŠ «7 5ÞTó®nHÐñ¢]ÁA2ÆW¾o+\K;Z ¾Ëª tT<ŽÆqqJ½I´hÄ;`¢ê"0TÐ\J•]v4@Æ¡OFs§¸Ó<¶ãa›ƒ^…ƒõšN¡$zLÖlñðåjõ@í¸¶Í>¿ýH=Ûf×½¢¾Ä›-›ÝßD´Œ»ÞRçŸûjWÙæqO˜|_ÄEZoñ&«žÓø~»Õi‘µ$”MÓO’´1PˆhU…°è²Ü¯º–ZáÂD°>øiZÐJ‚áò»@F³ZB ï®\í+“è!HâоÝGf ²xaÛŒåR}ìË9ÏI‚<Àu.ËyœóE5_5m>uºªEW 4ˆ‡pÜ;GfªÍ=3ðâê6ØSÀ‘„Hë}Z³Ün«rG½õ&îsׯ-qíµ6RrShn|Ô_`NsŸ÷š¬îÆŠ‰d‹Iüh”© ƒ` Ͻ‹,1YJÐ7`æ&6®«à&„‡Ê‡R!MV/ ±¡pÒ–:Úm5¯¿0&*dšd*2-Œ%ÛMS@ÆâÀ´ŸLFèOô¬ÙŒ‹8‡ô 6(ÉŽ‰8C¬(œ0F)†:›—!0ä¡cä±ÇKj&|WW÷aGiä¯À-IžÁB‚eµ_w†îrR( —#¼`¨C÷™d‚åü˜÷uw‹’‹±æôÕ([X͛Éw -®Ï&j›ÝÄ:°«3:ø3¹³ÞD¤kpX_‰¶!Óƒ¢w³ß•¤Ø‰=«êÉpA{šÆíépaˆõt¸Ðc=q=ù9ŠŒ)¬ÏÐÑcM2Š²á¶­’”\%þ´!€E¨œ2:Ú\xþ·Ä sÊÆ9¯hõêójÛLB®©%‰²(Ôe]“ãb)LE¼¯yúò ›°Ê?wy¬——°ÈàvùKâ=<¾v§éHHtŒïÌ‘„xzDÈk42Ö"AÕnS¿aÍãå„ÁaÄ‚m´Îø%·èdx gUƒ£^D¬ÍTüÏmaŒu×Æ™¦,ËzÕF¢!6™0`Ö½JJÑOŽÜŽ ’H神ΠžµýÒöƤŽb^æH|R2ª¹­}Iª,]ÈüÝtª †ÃtHú§×¢y ÖŠ`š1^*OÔåJ<0v /=[Ðxõt,1x«Â¹ß8£ $!ù†œN$Î|8Ï Ï®à¿È.ŽX‹Jˆz!ùw…°`J`óÙŸ3ð"ʇdàpÚG.„Ž.×|ö¶3͆ÇJ+çåùœe=pDÇ€kMS©ãUÉXöp.XÖ쩱À<ŸñĆŽûcd„HôŠƒ¢EíÁA$™:‡l%h¬‹0ú^Ç6ÆèXo`fLA{ÛìW‹WñÞ™©b‰;‰4’ÛÂA¬H¢=æ …Ð:™Y1wÍȆ@¡†Saä¬éH#÷t{Hd"˜…À¢ÚV›Ø¹ß6›”ªÅ­FxSu™dëBÐÈî0IŒ‡}×åñ•Z!K°)µ}ñelì ¯¡œ˜Ó ‘tàå‘Ê‚=U5r6TŠoÓ3é`IÏä,¬o}›È…/p0‡Å:¥N¸%Ðf -º~Ú+õX'¼ÒTXáÀ$CÌ4ÜäØ1E¤ RFŽÉ™ÂX+Ç´ c– 6¶F©´å”6ر@ÁÉ1!<혘+8ïCû§Ùp@½S…âJŒS |Ú9©´Ìœ©…£ìØØ‘ZœÉãÇúbÙ)ç”Âi îõò™Øfˆõ´õXÇ&èt|ƒWoàêOÓcMP3$ò¦À:ŽÈùŒUCá’•p~$RÎ E -Eª¥á&€]+ИiªmÀæ%m\²6¡£ÒhG)ªsÃ*ö7SåKÐ )ÕX6ÍÄ¥C¾†1xL€à|;pP1â­c|<ØQ³é9“…>eRÕT5â6üΦY¬& Ÿ$\Ê“Ö[È®ëUÝ=*Z‡ Êèg„p€uBñ««—O‰mÁÔÿäö=Ö3ûs –\Ç8MÀab# © Ÿ( bQ#V±$Ó©€Š½£8†FõBHëyhDV± -ƒ8'™êc8z]E猒 ¥Ÿª£JC¿mpìÒØìý‡«Ëwÿ¥Þ5ÐQÞ„ 12U³``\ÍBLªfáPªfGÕ,“Ò -Ü&¾È˜¾àš[•M´Œ‡äR<>o€¹Ÿ|UÀ÷$!ÅAI 0xk¥Í8œš¯Ê}xuŠÊ-ð dbÑgÊÊp3ª«‘(LЂ‰˜•I§h¯ðHÇó`»AU+4CU ¡éÒ W>û¾ ó1“é†-\;´è_´Š¥+蜗1˜6`,-J\1´B+€£o\¹ -8»ñU»${±¦¢ÀújZ´è„[·`#µ2/góìè1ˆÖïëV1õzz’S(ÍÇ yQá鬾W+¥‰Jzÿ]rX‹‘ýòØ:Íx*‡åàê-ÖŸÉa…€ðÎ8û]sXÁ“Êþ9ìpé9,÷¦`Œ‘Ëù­Y•1i vÖg¢Ð'<UÄYÕ!#‚žESE|Jth÷Û-ª¢á‰=)CÃF´Ðþ1§5ôz-¼ÏBæŸ^GèÏâCXLæàZ5 êé¼,^´þvÙùÇó2}2/ãÒ㯞 fz¬#«5•#(õ'ž…#Ö £H8 ©›ÓðKýuò=‚ÕÞ}õ‹(© üÓ„Ò±Þ}ó¯¥J¦löHLk¯Ä"Šð6…|WþòþgUǤÿq‘‡endstream +xÚ­]sÛ6òÝ¿Bo'ÍD,¾>¦©ÓsçšärîÃ]ÓJ¢mN%R)»î¯ï. ‰’ÉgÌ°‹ý†ø„ÁŸ81™«‰ÍU¦דåæŠMîaìÇ+pæi>Äúþöê»÷FLò,7ÂLnïk¹Œ9Ç'·«_§ïþùöÓíõçÙ\h65Ùl® ›~óáêÉéóîã‡÷7?þòùí̪éíÍÇÔýùúýõçëï®gsî4‡ù"¬pfÂû›]ôãç·?ÿüöóì·ÛŸ®®oû³ Ï˙ăüqõëol²‚cÿtÅ2™;=y‚Ëxž‹ÉæJi™i%eìY_ýçêßý‚ƒQ?uŒJ»L e&sm3få8“YÆ40mn¥Í”p&«Q&G,dr·+êö®Üµóª>>1Dø ×=Ù½ÇÙ^¶çJdÚÉtûÛ‡r6—BM7ÅŸÕf¿¡F½ß,ÊÁÍ}«zÑìë5þjê0¯§?4ŠŽ eQ°˜»™›î뺪ïBS/÷»ÝŒ»iYwëçç|Š2"…' ˜1ÄÌH8çY®µð4¯Ê»b¿Æm˜ž>ë}I`ÕâœïÞk;8µå™“Ê«p*g„’2&¬M(@Á¼©—DZÑ"Å4kx›ZgŽIf_ãÑ€¬Q yS<Åí¶,Wî·øE†Ó{KOÂ}Y/C§¿ œ¸.C^Eû`À\ìWªŽØÇs ’/z’bë¶!Uó” PŽ[R'uS¬jê“¡e±&°}n»r“(mP cóLjàÀEýbן+e|³ïNHÉŒ+æ.oßcìŸ*˸"%ÀkâùAƒ°5H æ/ û€À BØ"Bh BˆN*„^…XÌ¡ +!ê"Íb-ùäæÿç7õw6¥-ñǾl»6 +}Ë?—eúð éýW4>Uë ‹r¸æݾ-WŠ'#VáP¯ÁØì7Ó` fšå\| +Ÿ“B)3¡€—¥p€uA +#V*…[ÒÙyÝž£6™u¹¹LE5BFrbÃ3kYžÒAæì ŒØˆÂ(XNwÈÙÁœcƒd¡,ú¦—Eœçe»óDö’ù»`4Áo‚*OMøŸ× }9›ô¹¯Ëš@ZvÓt%µëb ¶Ü¡Y †ZäáÈùP¨òƒPåg„J(•Yã_c6;Ë­5¯ Ù«¼p+?ñ +©Xíd89g‡ÞÁÕ{‡ Ì |·ÍSmö>4ž|#>F½Ï€Áè3 «÷ŸUGxä°‡üt¥Þa°%Þ‘Ð;$Ô /è=)ƒK<å!KeåµL«A/‡.Ö Š>œœ6(”«Jö7á[Ðp\:PFSá’Û>Ú¾¥ðº: +QŽhIÏ´4òXF¯cT1·;b.ÒvG»o1—ÆeVé”KðÓm$ľÆè°MÛà¦AaÏÚH®L­/ÛÈ!ÖyÙc yA|nö»eyj"E– õ=Ö TpÙs¦_GƱ4׬sk«²+w› +”4ÌÀÓCµ| 0†@’O‹ÕŠD¾häe0šø 6°»†ºn>=*‚nß}"Ô¸.—]Õ ãEƒ3ÉH¯=+úMGkÁ÷®ì<]z£Ñ&{┃ý×¹oIÚ¥VVJ‡;ˆ¡£Ky’ÌžâNËЄm zãÆŽâR¢ÇL›-¾X{¯í°¶þòÃ'êÙ6»î õE6Øé]³KðMŒA®Ô aή"²ÍaO˜üTxÄU\oõ &«ZÒø~»Õi‘uG(uÓ¥'‰Úè©D ½SK-aÂ[üPðL0\~GÞq½ö„@_ôfFÑCÄ  }»ÌdñüHåR}ìËŒO I‚<ÀuÞË0ç‹j¹nÚùØé JD.À â!¶ÃÎÄìÃ@Ycü§·ÞžNB"möqÍb»-‹õVuØç!¬•®-qí´#6Rr“in¢æ4Oó^óOÕÝ@JÌD´Å$~´ÊTpÁ2Ë!—JE–˜,%è0³EéÝ„€LöHùP*¤™Vw„Hq U-u€Ï_V_4CBHLócÑvÓ±00î'$ƒÜYè#Oô¢Ù¬µIŸ`ƒ‚예1Ä +ˆìÌ‘Q +á„ù?7ä¡#ñÀØã5£~¬Ê§€°#„8Š0=3‚Ï„!Êz¿"ï ÝŨP¨L‹¯åϘ0êØ}F™€ C¹£àö©êªAª|J‰²™Õ,²ÙŸøtgQ¡°‘Úf7²ìꌎÄyþŒ®ÃlÙ8¬ßÓ¯OçÀô èÝïw)vbϺ<.(H? U—Ã…!Öùp¡Ç:s=óGs1H—ŒxŽk„$©‚Û¶JQÒ§­-e!cF27.rþUâ†Ç¹¾<õæsoCvü×IÆ’qòUa T”uS†BMSïkÎ^žÌsŒø ±ÞëüåõXdp»ùkâ=<¾v—éˆH#t¤wæHB<òŒµHP¹« ï7¬T?pp±`­3~Éí:èYWà¨W«‹ÿ¹ÍŒ±îkm äÑèÕº D׫1ãf=WQé!ú™#·ƒAÊUær©Ç3¨m¿´½1©‚˜—9Î`–2 qµÕ0û¥xéüË‚/ÅC€á0’ùùµhƒµg¤KÍ#usygWä¥g O tOJ¬ñ âÕ‡g´$1!ù–"ræãlnøôþ‹éõ k`Q QïDÀMÀ™})qòǼˆÊ}²ÇØŸöÀßñÝ͆O~hàL“á±âÊóáÒþ\N%YÑ1P*.wŒŽuã Çlú<Âäž+Ìó÷A¬ïxª0FF(”¡)ŠÂ4h‚$ÁÈÔ ²¯E°J,Âhè»mŒÑ±ÞÀLJAûÐì׫—ñÞ™óÅ€(î$ÒHl z±F ŠvÊ.2¡u4³bîš- B§ÂÈY Ò7F,×B@·§H&žY¬ÊmY‡Îý¶©cª¶JÂÄû²ëÈ$[çƒ~ü@v‡Ib8„ï[K<ÄïÔòY‚©è‹w(ccy å4ÐÀœÙˆ¤/OTVå`—°.1TŠoÓ3é`ÉœÉÉüð~ömV$;ÃÁ¹¿SŽ€}Ñ+õX¼ÒXXáÀ$CÌ4ÜäÔ1¤RÇäLf¬•)-蘄eCÇ„ÍAYZI*m9¥ 6Fl–…üÁ²Þ1!<î˜ð”÷¡ýy6QïT¦¸©sò„;'0•–Ùs"µP`”°*Õæ aÂ1`üX_,»äœbØÂs‰”Û˱Íë¼õX§&èr|ƒWoàê/ÓcP“Rò¦À:&äüâì\´.ODʹ¡HÁàA¤ZnÂØ5_Q×TÛ€ÌKÚ°dlBÿ G¥ÑŽRTç†UìoÆÊ— 5RªTêfìUGÈFYjà|;pPñ©¨Kž’‚@Œîș̬Èc&õ\ŽUc!nƒÀ?â|aš…jÒð'.æI›-dH‹j]uÏ€ÊÏ !dzàÛÌ B8Àº „‹øÕUwÏçÄN¶`êqûë…ý¹K® >½LÀqbÁ‡6|¤€ŠEPŧêP@ÅÞ$‡¡¤^踽‡FÔa…Û¾0ˆsBa‘©>†£‹ðk/ ZæcuTiÈáâ·õŽ];ýðñöæý©wt÷¾hŒŒÕ,H«YˆIÕ,ŠÕ,㨚ebZÛ„Ó\çVMÇ Z&Ç·çÃó˜ûÑWËJqT@ ÞZé#µ[®‹½uŠÊ-R™Xôs#@†2Ü$u5…±´<¿uŠöò?â‘y°Ý ªå›¾ª…Ðxé„+Ÿó¾ ó +1“é†-\Û´è_´ +¥+I?]¡tJJŒ¥eÌ-B46,hù6V“/­\yœ]:BÕ.É^¨iù(𙾃š-:âÖ-ØH­ÌëÙÁrvòDë÷u«úŽ==IK͉½ªðôŠÖ« +aÿ·V¬[è 6b!YŸ-~óOÍ¿ÃC:ÌÝŽÞê DI¹DáyU~L¹F‡`j„ô¿^¢ûendstream endobj -983 0 obj << +988 0 obj << /Type /Page -/Contents 984 0 R -/Resources 982 0 R +/Contents 989 0 R +/Resources 987 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 987 0 R ->> endobj -985 0 obj << -/D [983 0 R /XYZ 85.0394 794.5015 null] ->> endobj -374 0 obj << -/D [983 0 R /XYZ 85.0394 119.499 null] +/Parent 991 0 R >> endobj -986 0 obj << -/D [983 0 R /XYZ 85.0394 95.9037 null] +990 0 obj << +/D [988 0 R /XYZ 85.0394 794.5015 null] >> endobj -982 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F84 797 0 R /F86 977 0 R >> -/XObject << /Im1 790 0 R >> +987 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F57 628 0 R /F84 802 0 R /F86 982 0 R >> +/XObject << /Im1 795 0 R >> /ProcSet [ /PDF /Text ] >> endobj -990 0 obj << -/Length 3129 +994 0 obj << +/Length 3150 /Filter /FlateDecode >> stream -xÚ­ZÝsÛ6÷_¡·Ê3Žø$8÷”¦N.6éÙ¾¹‡^(‰¶y‘HU¤âøþúÛÅ.ø!QrÛ»Éd´–Ø°øí,g ü“3ë„ËT6K3#l"ílµ½Jf0öþJ2Ï"2-†\ßÝ_ýåS³LdN¹ÙýÃ`./ïåì~ýËÜ %®a†dþöÓÇwÞÿãöÍujæ÷>}¼^(›Ìß}øñ†¨÷·o~úéÍíõBz+çoÿöæçû›[r<Çw>~O=ýœ™ôöæÝÍíÍÇ·7׿Þÿpusß­e¸^™h\ÈoW¿üšÌְ쮡3ogÏÐH„Ì25Û^«…5ZÇžÍÕÝÕß» £áÓÉý“‰PöêtžÚ@› §•¸Ï«u½Åe©ySö×ÒÏW¶å|Wï[Éé§ïhŸò–˜Ê†z–›zõ¹Xsã…_pÆÐó¯$Qaòâ9ßl`¿µ´ó£é;{þð¹¨XR}`â¹lŸh°9¬žFŽ'=¿Å³ ZH)2kUXmûTÐ æUó\ì‰~®›5‘UÝñX0A+Iú/Ç ‰³­¸ª|ËTSì¿LHzÊ¿0C[Óo·z˜ï1/+ €#ÞXŽNE¦µê¬_:Æ*“$™Úû¼-«Gšåî¥i‹-[l{´b‘?–Û²mx~=ž_¥"±.LV£|·¸ß4ÔuhòG­ñU6ßæÕ óGÉ@Ó^õ'Ä߯òŠˆ%ϲAŠ5ZF¢çw«|Œ F¾ä›Cü,§é¸±ÙÔÏÄ•ÍŸŸ -ž±Ù«òá÷aÂŽõAyŠ¤7 Ü87Wï±W΋¯ùv·)¾8 ©µV˜g•ï'vŽFùT3KX1ÊZ²ÌCƒº#UV°_97`;'Ä%Jè4sQ\’êÔH¯Ì„X«„WIƬh^8-ï -5òÁªi©xˆAzÅÚ=–ùò¥-¦ÌŒp&Qã­=T|ˆJ™T¤ 5+E‡ß´x°Ú¾¥f»Xמzèj±Í¿–ÛÖù—¼ÜäË åÛúPµS*+'…wƲëâ!?lÚ Eµ™÷‘ôhŽäó¦Q_ÎÔsÎleŒn¡ @±ÓiÜ!rWõ§’h³CàÁE˜;Û|ÏwC½.Š£ÖE³Ú—»¶¬yºI‚au—Ö”ÿ)Žý—VXd:sÆyÿ¦pÃü´ÿZt3.†S’s*§•V%¶—t£8#¥„Il´pÚòÑ2ࢄO†2ipÿ8#âvàA;þ %G¶q2/Ê¿+VýÎ;!µ1‰Óóf¤Í‰ï¸^Ñát6ÔA°ÕÁÝ—©µ`uàûxÂq­Áü1ÉA@³ ׀ᵱ·÷"Ðì°èSìÄ/ ;£„=m”Éž0H`Ó†Þ]˜¡wÐÄ7ó»:òõ -LÀ7©Ò´Wóu]}ƒøå1&ØQt‚ýM˜ ©€äð\òœóŠôC¢Cþ4±óOO"Œ@‘<##MÀMè|Î÷UØ Ð(1 À¹—„U/6õãbêra=Ñhc.«ÑqMè1º`Ú #ÁnGŠPÌ«3ÝGGGGØ·lêMÑÅ"¨ 1Çp8_­Š]HSC«ZóðcÅ!„ -ô˜‚<ž:VõvDZ,7eÛh - {Ïñ¾yy³®§7JK¡5ôÖÿ†ë–tÖ_{ámÀu6£l²û°ÉÙ¤Õ ²SòoÿHäÏÛ’5èöÝ+¶4àº`K‘ëÜ*͑࢑iBc#JÀk5¸+^˜°eøÓÁ56(†DŠìˆ"µ XqjSŽ´Mšâ´i¼›Vs©Œù_YØé¼£2jd–O yZ(cíåÝí¸^Ñât6Š¦À<®Ö'ó†ê0jCˆ|f)TR8c³£äuÇu6ŒbÑÐÓÿpŽ?cœÊ^s ;ƒÏ~VoÖEÓrç>¯š|£Pè —dÈÞiŒ Î+Zòp~hë-€Â*àÿD¶@ز­¿tåï?à¾e’" fÿ¿Kf™Hç/_ì!×ù‹Ýq¡Ä§ºiØ´e»Ñ,àVÜm“ˆ4þ‹Jt\ZŒn·±"µ^ŽÕø€çç|9—Î=šDªæÒ 1}¼æñ·ãt ~qm4Ú/F žÞ—4aJY ãAøý þFPÆü±nÉÎàÖìØFJ|¤ÛÂ\±ˆz -ÕÙù…ã0ʼâö‡\N4rs½A>7Æjp``è¢ -ׄc´v¶ÊŒ•˜ -ªeHà†7m^õ¡!.ºz¼®N×õçîÅYrüfUÆGñ¾ª,5?‹Ô¥Nûñù-‹§|ƒjp}^øñžaå,Ѽ ?¼óþLYPêLøLv³TO½ i‘ÉÄ j‚‰šW¬r*Àää¶ìC%;íh˜ŸÊið!/÷Ô±,Û᪺’(Æ>i}·1ÒiÈ4¤Ÿˆzµ ¯ X~Ä]Ö’P»UBíÏå¦ÆÇZ|§Ðñ±ÂÛ9Oñ@]Óµé1bLÜI¡â|1"…dܪlTŒ Q!éBY”NcWx†–ü:,eEûšS… Å[¡$ENÛñV ˆ4ÑÆè/A’yÿfÜç‚Xž¹í>JËW^KLçïzd -Ç´Ú½äàå]ÕEÉÓ©èqÚì…ó©ɾUÖAeÞõ7h* »ã=}ÿögªè|zÖ•ûŠn:ªèöÅbJø)SRïOʶ¿×u;%¬ïžëåä%–˜G+ÖgóIi+ð/¨&6þ³vÿójõÅfRÀk¥ä ÆÃ$¬*n“Skå¿è:Uý¿ jÏrendstream +xÚ­ZÝsÛ8Ï_á·Ufj.¿EÍ=uÛ´×ݶ—dçööA¶•DWYòZrÒÜ_AÊ’-;ííMg*~€H?tÄŒÃ?13–ÙLf³4ÓÌpafËõŸÝÃÜû hæ‘h>¤úéöâÇwVÎ2–Yig·w^ŽqçÄìvõ{b™d—À'o>}|÷áýoׯ/SÜ~øôñr. OÞ}øåŠZï¯_ÿúëëë˹pF$oþþúóíÕ5MÙÀã§ßÒHFŸL¯¯Þ]]_}|suùÇíÏW·ý^†û\áFþ¼øý>[Á¶¾àLeÎÌž Ã™È29[_h£˜ÑJÅ‘êâæâ=ÃÁ¬_:u~Z:f•Mg S܈o«œ?E7-–ÃeÀVR8ù“¼h^¡WŒYÍ`&ËÌl'ÃŒT®¿^­fB°Ì‰÷ëR&SlŒ;·t¿ñ„=eÆŒÕ gFI Ü‘âÓåÜŠäþ—ÉÑ}8Ë2¸‹Y +rœ’(yöçL0®³LÍ í·º??ðㇵ˜½m`C³ážßù€±ß’Ó‹RÁÅ€î)4Ò,u^ᛦʷ`…&)Û˹²YÇÂ5ózE"ÐTe±¥‘USúºé¨Ñî6›¦5OâHÑue}Oî¡£Ín» í|µÚmàtw©xàØðÎûÛ5oß|cO,^^Jž|ÁÿŠ®½¥Øá9k›1é27Þñ_3ö`3ð¡ùÞôÿšQÏeÆœKh¤†{9F‚ÁZ°V›2‘“µNQO…G÷RÞ=Ïé´çöð”„âÌ=²>R M( †¶¥ žQc ~)¿Ác†ÚJØ"&?Vsà_‘ÚÂÑJ©_ä-v5òÍl²¥N×ЗXR{ Ö•ßGŠ¶¨»1í‡Ïp2Ä +LñR¸-›Ð{.¬`Ò(¸خѲÇ|a™ÿà@;_»ßÞ~¦ÆçfdþR¶`±Áº¥eœ›ÌóÈ›r5ÔóÝj3"ªƒƒÈà ”5á Ð5UK­p‘†ØÚo`ñ«ÝK:»L$9~88}ÛÑ@sG#ph: B„!KC´qhD?Û=äÅSYU4æq‡þÚáD8gZé4z>aî®-P„ƒ BfN$ísÛë8Ö–÷5Q,x…ˆ.85€©;D&#õ<ñò CÀÈ~(Ú‚&*MÄ€,â‘Ìæê|Õ¹ósÍš&–MÓz¬ªZîï{ˆf[86¿ÐȱΆNfrúìÂ)QÙÒÈ¢ÂM¬Bç™&Ÿ‘£ùç’vð”WìT\~¸±ÿsWlçà2iv¡ñTv4Ùî–£…cÅIÏWS»õÀï=¬nŸŠ-µŸš]µêÝ•÷Eh,‚óö+ljÜVTx9ÑÏ·’òÇbìþýîß}^ÖS~ϧü= þþiSls +rÈä&Ú&æeEŒtäüërÒ{, €|ëw#]¿Èõ~hih‡PFMïŠ2KÖyýè£hh ëo(¬_æ55K…J+´ ®’›e^yc‚™Ç¼ÚÅe9± ªjžˆ*KžŠÀ1Ä”Áèƒò$I÷hmòT'_óõ¦*^MÁ›RL˜>Ùï'ŽîFºT¿c”µ2 N°UÖp^yèÀqNˆã’)È”¢8žªT 'õ„X#™“<"/š²íá;ù`×´U¼D/½ÚÝ—÷ùâ¹+&Ãâ(h.ÇG»«Ã%N(¥SHxÔŸ.,žàM™ÁZê¶ÆWå–0B®uþµ\ïÖÔÉó²ÊU˜Ë×Í®î¦T–0Õ1f­Š»|WuŠ*Í2ç"èÑȇFcyh=嬬)‚( %›U¡¿Ç)mv#¸Èc®ÐåÛà»(­Šv¹-7]Ùv“6P¤6Æ×ò?Åa"¦ P2J¤p]’Y¨¾%¹”x`§RËžã|Èò8oTP«ÉÍ^rÌ&îHJ¦1a¡Ð‘¶a,ʤÉí}(a®©eO?¡äÈ6Žøúº¥XîOÞBÁrXp¦Ðùq±©^Ðá˜êÀ‚Õï ¨Áê ô5©à¸R`~ˆ˜! Ûx‹ñ†«±@Š£û0ÝË¡}Œ¸’°3JØR£‹2C$ô‚iÃ(e3 „ƒÖ#¾†ê/Ò혀oR«4'¡ò«@üÂÊW|·ž¶<’Ãׇ&¤ó8çd(ÝùSn’Ou`à3 ß"yFZh›0ø”ok*&±ãÓHä½,˶ÝyhÇö@Þh;!¥¬ƒâEÈ "º@³ Þq⨰Œå˜Ê2¦Rçk¶!Õéš­§òáªjx"2Ť0/ŽD‚G ¿Ì°‚o#ªí!U‰ØFI}–MŸ îÖ›“·{t$¬‡êñĤ#<XÛƒƒ† ¢û +ðô¥XðÑ”».e@uæR"•×,ïò—’b°9+8M>¸”T1L‡ ÒþR°äòáv\¡Š´X7ÛP¿uq}žW˜ ÇÔKɽœý¥ebúÒ”òoGæ»/ )äÝ«gŽ¦*YêìANã÷b ]÷V¶¢^tRhz܇ï~_z°qCy2ÊÔ¡ÜÉb*1Z©K8³¹„£jU&³—y– y—Avñu鮼>½Œr²Þóª¿BÈM£6Š  ýXÛäÒ+Oí Y)}Ù£áâlÐÀ&ÝnZUA… FöûmZ¼­!AC_À{ˆkê¼ýx³_U.)ÿ<„M0òúPa²¨|qOO‡2Ä6jDZm¨ªgêƒÙÝí»­òe2ŽåôyÊ6„‰ð€£’’Æ+ +"V$`WûLÍ£XBY>õÍÂÓ&•þkCÑ dVP3ÃÀF5äɘ$­…;•çcÒêtLê©P |©ŠöPn +y?—ê¼ÜH4!w¸mÇ1=°c¹!«M‡ašÔ»õ‚’̔̾QCßéâ²}:š@ƒj3<Ëàâ¯Í µlj¸5‚ŽºðB$ÞÄÍ^‰}¼‚Ît¼JÓù‹Å²ÁÈæÔKixË„¶/\é€êÌ•F*D]¾ü2™g¤ÌBÌ…ou2pΗ|؈œ§¨i¬‹ÿp¨¯! íŸÑ`\¥… <„^Ï%2ú—;RÔýKÈŠ¦Ëº+¶5”gê˜OÄýÉË…ÈöÛ ïðE¥?‹Rì;éSèà{Ùy—ö¨HCIù•žéçUs?Ÿr.|RÔJë³:ôDÇJŒsL 0Ù¡”óªLí³£,dG8¶h›ªèŠ¿á#¨ö9Çp:_.‹/S}Ïÿ‹Ó÷uHÁÂŒÀýÍÒ8X6ë \Ä¢¬Ê®Ñ@÷6äCøNfàA×c_‚).‡Ñúßà)`C'ã54¦àu¶£j²Oð¿BcçnW^vÊðÝÿ-„;iE.cR‰ŠòÑi+ŠD§¶xh@Üœ—iŽ¥š‡€5SxŒÐþ°ðÓC4v({ÄY4ŠÜ¿¢@+hM +DZmx[¿CjÇTåíœ{¿‹äçwuÄuôz‡êhâã÷;Ť6æì¹öDçU8âEØÄåÜ8žüÓ¿£*„¿'ÎŽ’G)˜Õøã‚uÞÖ0sEãNcÎ ÿ#òð93À­arìTx4ÃAa‡ËšjUø^qp›×m¾Œ™'ŒxÇ’÷c'Ô’ÐZ„é|×5k‚¥Gû ”'> endobj -993 0 obj << +998 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [361.118 643.0167 409.8647 655.0763] +/Rect [361.118 468.8579 409.8647 480.9176] /Subtype /Link /A << /S /GoTo /D (configuration_file_elements) >> >> endobj -995 0 obj << +1000 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [347.1258 251.1389 404.2417 263.1986] +/Rect [347.1258 85.4256 404.2417 97.4853] /Subtype /Link /A << /S /GoTo /D (journal) >> >> endobj -991 0 obj << -/D [989 0 R /XYZ 56.6929 794.5015 null] +995 0 obj << +/D [993 0 R /XYZ 56.6929 794.5015 null] >> endobj 378 0 obj << -/D [989 0 R /XYZ 56.6929 726.3067 null] +/D [993 0 R /XYZ 56.6929 647.7963 null] >> endobj -992 0 obj << -/D [989 0 R /XYZ 56.6929 699.4102 null] +996 0 obj << +/D [993 0 R /XYZ 56.6929 624.4206 null] >> endobj 382 0 obj << -/D [989 0 R /XYZ 56.6929 385.1287 null] +/D [993 0 R /XYZ 56.6929 550.3829 null] >> endobj -994 0 obj << -/D [989 0 R /XYZ 56.6929 360.7028 null] +997 0 obj << +/D [993 0 R /XYZ 56.6929 524.5365 null] >> endobj -988 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >> +386 0 obj << +/D [993 0 R /XYZ 56.6929 216.2206 null] +>> endobj +999 0 obj << +/D [993 0 R /XYZ 56.6929 192.8449 null] +>> endobj +992 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F84 802 0 R /F42 601 0 R /F57 628 0 R >> +/XObject << /Im1 795 0 R >> /ProcSet [ /PDF /Text ] >> endobj -998 0 obj << -/Length 3097 +1003 0 obj << +/Length 2948 /Filter /FlateDecode >> stream -xÚ­]sã6î=¿Â÷tÎÌZËO‰š}J·Ù^:mº—ËÝ=ôú Ør¢YYòZr²i§ÿýÔ‡-»½Ù?A  ,g~ræl$tjfIj"+¤-7böcß]H¦Y¢Åê›û‹·b5K£4Vñì~=àå"᜜ݯ~ž¿ÿÛÕÇûë»Ë…²bG— ‹ù77·ß&¥æýO·n¾ûçÝÕebæ÷7?ÝúîúÃõÝõíûëË…tVÂ|ÅNLøpóÃ5AßÝ]ýøãÕÝå/÷ß_\ßwº õ•B£"Ÿ/~þEÌV ö÷"Ò©³³èˆH¦©šm.ŒÕ‘5ZLyñ‹¿w £~êÔþë"«L<[h¹xL„…][$6b­t·Ëfr—îò&û²Xf˧|Ñ¿æ‡JKQ¤:™ 9­ßQM HÐF$VŽ%¸Ê/A=‡¢›ý;é<ÛÔûª¥zÍù¦Þ½Òx[nßðìu½ã‘À¯ÉwÏ9 áœÿÚÊkúàDÏ‹Šp¯mÞ€qÄÂÎÿý”W=Ø 8I•¢–2J­U^æ Š•—ÛUÖf!gl½$øe Ü]J7챧 BQÑÐPYlŠö ¶Ÿ”@ø¥(ËÀÐëÝ3\Ö¾]1+Üló/Û‚¨¿¥Î&k÷•¯^K1V¯Áé -ÈPI%Y…B^Ê9ÈI=/:´UÍtù—ež¯òì§b~SÑxFWæï¨ûR´Omö% Ûb[ò2ÏEþÒà^¨d¸6/,çÙv[yØn³]Ö¢2$l'~>ÖŽ Ÿ††óö–-A¸ðeªæ €I,'àWù:Û—-u@màûöƒMFÖmÀ‘MËá*ûÊ‹›¯ˆtäà/ê4S¢=ʬ;«Šê‘V Gèè|™…CÅΖÎò–òýµïÖ›À‰ÉHmoÓJ€Q§z|èuå÷"à‹÷„`r±#ðþþ‡† Þ¨¢£ É‘(v2rÊV¢ÓÁ*¡„ír»(‹¦Í«Åç}¾ŸˆVi$‘ž]¾#:^«bóBÔPU霤 ˜DYhØ™U¾mŸ|(q=mo9Öª›¢â`󊆚çÞ¬G¡,ÊwU^Üì·Ûz×64µ‹S`}JÄgš-— Pºdþ!TÙb,ñ=¥ F,ŽG«WDÐE$„²#B˺jɬJ{ª_ØdÕ+A÷ï?vÔU¾l‹ºjËŒ¥ †Ðêæíߊp9'6h¯¤œ7Ûl™ø’­wìøðï ê s@– -–Z×]„‘‡¼›·ÍšWGØÇ hi×à,TšÌÿ…Ñ +÷>ØÀ`™7 RAš¢øìdaŠ2¯Úé »ËŠ%…‡¡í/”‰Rã­¯#£9ÂFÆ‘”Òˆ­ó]Q¯Š%»ç¥DÉ›OÔ½©à¤ŸáüNy¨Mld\bλèê´vT>º–Ç‹p䥱‚T¢ßY:ª Æ~šÀh…ðÎgtìo¸YÐê±K'„_„õ³'´ƒ ¶45×%“Ec$í.’´am¾gú…4–T^ŽÜ‚îPŸìâPp9•ÄÁåïSn@¡ËaŸ\1—›â“w%1{xï„÷.§È»O¦€#CS˜Ð†n]JC|A ÛÃÿê‰ÆÚ(1FŸ÷Ä!ÕiO쨺x¹†¬áŒ'ê(–æ¼hB„ñ}{jõX:U›ʹ~w»ô™„åŒ*o_êÝ'¢ìT 1Ì> :u¯(-"kàVg¶à@rÈs¡@?º;´¦\–‚v""mã·ì¼J¦±·OlÑ«°í9)H¤üFxt0o 9›÷p:š7¶dÞ Ì{À—Íy£yãˆ7oм‘½7oOXºö;‰#¸ñþ☰m>—†Ê( fì‘\$¹pf@Ú‹IöãŠQÈ}iŠO»™Àû.´eQl”›_­}R>â„r½¡ºÇÓÁÅ;ÙòÇ‚WâÒhJª+!¡W ëÞùZk3GYI™<UþR2¸*še sn„¸ÎžêãÑÐÓBý\¬ˆÊ äÌ£—Ø)Ëú%pz` -.c¯ ç"e\HhXÁºš¼1í¸Ö Z g¾©¦­·ÑJ]FQs9<Ô›¢^ÆyÊSöÌáï‘b'®ðWfå'cžN’(5BžyCªÓ1¯£ò8-¨Û´Å²9ô„Žÿ@ˆŽjBŠÃ°'dr Æm¶ñ}þááN8ìw%!Œ<0uY?òk†;âdj#ª°Nh|ã F>NÓᩧO(âiY•æàl±À)EðƒL;áÚæ[mÛ)#4¼¶­8¼¶÷ŸNŠ‡;¶ì–‚6öÈ¥€-2ñ •±ðüÛèoÂ97ý¸ ñRàeOó¢yx1fŒY-‚tp‚1Š± v§!m+(—4¤À:‰é¨nf`c#=%ÜŽZ6ƒŸ á“P@/b5¿>Ú`ªÜ‹`_”Ÿ}ž!™4ÕD5€½¶ý.xÄÛ›œ}[ƒN³¡ZóbÈÚëåÌè]Tt$p&RöÇ«å_\!Ý|½Tbžs§ØlË|“W­Ò@DE-~7IÎݤIëXφ;ûu‡9l§êöþ³Æ×™Òðü¬)ãóP)ˆ@NÞL¿™Ð+I½­Á^'☭6N¦~ú•¯qpÜOX÷H|T†k¡!4¿#!:ÿ¼ÏJðGc%§DœeWrùT×MÎ,2j*)q´§¤)ÄáeýJ¨Á[C˜­8!ô‚® ãùM½ì{îø²®S9Ç×tÝXÃ"4?<âÇ*˜Œ‰‹@CÛX,áB¥¡e‰ŠµaœéÛ&/×XU™.“<¼çMSvÈöô‡<ùÞØy=Èî²O9K—Uë€mš8 ~Ÿ­øÅà[„MôAV»Ã—¾‰Hið:‰‹ÒT$ƾØãYë6tÁ X›·”*2®#£ÏwíòéHH#¢Ø õ2pü#! Iq*ÇBzó<>K™D „êpþe\'”d±EúWnĵa Ûí»Í6_¾ì‡NŸm-l"ç×ôIÀœ%¤%Í%gÁ¼ 惬y©¬iŠÇ*gax!H‚[¬ùí*‰#ȉÜصnëjQ噽¿…{ä !úc4¢3ê–„|Èš0Í'ãªûö‚¨mÝTQà€ß„ðM¨z´öUI—k+H$yæîIÆãAú¢uøðî]X;žìAä]K8ÿéL‡o€RÄb@ÿTïè“ÃË@uÍÏ0“¿ö%÷U€¤àUØ*Ëp|ôO ø6<¿"|¿õ@4Ö=,·eõ#ãžvÛ´à0—£}$u!Ú£”?©õîlœKó +syñ^jfõIœKË­Nñáô(Ì¡Ó‡9ÐÞ¡= +sàô¾ ôç_³©ëb'¤ºç¼‹”_Ë aÌö@åëµÏÛt”qÄÔ§û”4Ä2¦ì¹XÖ"U6…òŒr“: f‹‘|æàažÔ&.üXêüÁ÷R¸"X|¹†\Q,ÛòÏâ4ÇË”9i.¯ßKÍ(0Ù+ÀfŸjà *³Q!–™KòmsÀcÅú(@âÇ}@Ï'<$ Y‡‘8_<`hk‰åwŠIÆH_e‘ç¤PÍTòŸç¢fñ>YÀ#ŽO j'´0A$›¼Ë‰òõÚ1-KdÈÐ÷°ƒPÙÒϘWµ>í½èà¥~BJôý„ëaÃT„EDRü±+I€ú;êlóî@TõæwɦɪÅÏ…ˆQ#xÐG ’×P|a€žWÚº rÅë¢Ø>Œƒñœ¿™k,I¾!PÔÀîJBÄx)‹W¬B˜ñÚaa¨U»]EÈËO»Ë÷y‡›!e{õ‹éîèðÂiH8oïYÐRµD +¾vÂ×T£‚s¿vìÌWn^1”uÌî§Añw”X¾Ñ¹ïÎk_¡q² +F*2zxø1Ô¯Á©Î§+¦RnÝ{éj$u!]E©X§*€àE½üýPŠ9PÊG^Ö —šQá”r%äT‡°\BŠMÚ,¥/ »îÙ';ÈþƒÉ­Þ±-ëò¨†x¦ ßÞ>Nšƒž.*¢ÛÃn×ìRÈ€e#@L,Õ4´&Á+PÕy †=!2Ì[!+mÞAC”—Ê+ÌHAYíȹª0öܼ±Íë7¢|ÒC¦)ó e2¤<  éí·!^YÏ…mܽ€ÔîòuAäk^vl¡ã‹€h¶a<¤e.`©Ç¦O†0²*úïvyëqÒ>{@‘€ ÿÆœ€`´¥Áªh›ª‰’A!ÊÒ~Á LYD™Oµû¼l1]žBÚ¥ÈRÇ4\áJ -ϼ<¾@p¼!]/ñnüRìËfS®Czø˜·_¨{ wÊ=`èö\œJÇRáÔ;q:–:§½”ϱe³eT8} pÄ ^T¡—šÑa¨ФÓS%|ðeRûºõ½»tBH…rؼxA5Jm›±@ÛPŠ]±“œŒ¢CÚÍâÙ¡ÚøÙ¡’¿Íœ´.eç¡ô¶£–V#Œ4G#»Üî†vBŠ9€cXÈGf„^±ã#Zͨ=óÍР¯f£Ï… sçožÃ!Û(`1¸< ì¨ëdo·ñN_tíCZö µuÓßÑGÎív|“oÖpÄgº³åJÊ,Õ"Sï„ÁHêBD)ë+ò}·*òîBhni/ëÐKÍ(1½MðTjŧZP°g,¦`äö/Èþ³©ƒð6Gë¼ö^Cä•–Æ|žE^'ÁïZâmóý?ÀÎÛ9‡; ”ÎÝ”àJ»Gï°©Qöè½áIá÷!uʸ!$<eïÇ.b9cǾo“ø5ù¾û>|sü¦ÎWUøô%Ô¤ŸÃH†ZNl…¹Z†qÁ³ŒáÛ¤š†ÕPyq¨¿Cùx CûrÈ…ÜÜÜš¢Ëè] ⣠>º¬ è>¹ŽŒ]a¦†QÕ%Ò†Ûqð‡ÿ7ññÄ9ûÎsæXê|$öR}¾|Ôp!eªyvY…(4£Â´ÙT9%§:„§7ºÔ ÖîÚ# åâÓ¤Kê¢{mö_H²ß!ú$ê\]’¥*sñQlÞGš[Ž/Ô'µCJ²”´ K¥ÒGaÙGwÚû'¶UØ3 RÞ|üÞÃ]ÿØ7þÝo¤Fî=š7¸7Îî#Þ½‘@÷Æé½{Cz ì`IAÃûÂ1ãÛáx¬‹÷#ÝØ3ÃUÉÆ3`/‚ì§\Iý“"~âawð± mÕätS΄M>™ õú†.Ò/º.Þë¶*žÊ°R¸Íeº]¡· uÓP/ÿü LBò@ÔÅkÈMÙ®\8`#äõþÔR†š—rCRjæò%vªªy3­Þ†wß™ram*2MØ =·žTŒ(;½ñO½% ›&©¶kvñyWêESÇŸg†}SÖËN¡÷b¤ž(wâ +¯ù;ºÜxåæœ7–:Ÿóz)ÿŒ3üw)é1©ßQ¢—šÑâ8í1nŽÔ¸Ë·þ bÀžý–&{<‚#« ]5OáMÞMqÜ©T:Ö™Ÿæ8¦grfe|ð@e<€SJ˜c @3ÌœÍþ\Õ#åðLì[_¶UDÊH˶bÇeæþË xò#åijWýÏ`hØä L”éÏD +'ò—~›ÆxcÖÚùߦ!ÿ ÕL«ósÑw æ +düb:Õ2j·„âc³cì‚+¾fÁñReè÷…»‘(q/µQŠ,8ÁÏ÷8\Ÿ—Z$7'†9¥€ªháFžy»,~_€eÎI’Ñ~§ƒ<ãÛÛ-_|×À~ã-Åy—ÃÄ~K6›¼+Âî,lØakÈõîüƒ+àÌ·kÁ’"t¦¿$#£¦6ü’ Ôé/É™3©–Z.F†ýº£›jÇàÖ>üOÂ×9Òè-$K­žÖc‹X¸¿úŸ*†ÿ8Éàªbí™gÉtj…3 ©R˜‹ƒâÇVРƒØHùÿ;J¯Óendstream endobj -997 0 obj << +1002 0 obj << /Type /Page -/Contents 998 0 R -/Resources 996 0 R +/Contents 1003 0 R +/Resources 1001 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 987 0 R +/Parent 991 0 R >> endobj -999 0 obj << -/D [997 0 R /XYZ 85.0394 794.5015 null] ->> endobj -386 0 obj << -/D [997 0 R /XYZ 85.0394 630.3935 null] ->> endobj -1000 0 obj << -/D [997 0 R /XYZ 85.0394 605.2917 null] +1004 0 obj << +/D [1002 0 R /XYZ 85.0394 794.5015 null] >> endobj 390 0 obj << -/D [997 0 R /XYZ 85.0394 242.2106 null] +/D [1002 0 R /XYZ 85.0394 449.5881 null] >> endobj -1001 0 obj << -/D [997 0 R /XYZ 85.0394 218.2795 null] +1005 0 obj << +/D [1002 0 R /XYZ 85.0394 421.8763 null] >> endobj -996 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F84 797 0 R >> -/XObject << /Im1 790 0 R >> +1001 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F57 628 0 R /F84 802 0 R >> +/XObject << /Im1 795 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1004 0 obj << -/Length 3112 +1008 0 obj << +/Length 3433 /Filter /FlateDecode >> stream -xÚµ]sÛ6òÝ¿BoGÏD ñE‚“§4qRwZ§u|smh‰²9‘HG¤âx:ýï·‹]P EÙ¹s: `±X,ûE‰YÿÄ̤qšË|–å:6‰0³Åæ$™ÝÀÜûÁ8s4±~¸:yù.•³<ÎS™Î®V-'ÖŠÙÕò÷(e| -’è͇‹wçïÿ}ùú4ÓÑÕù‡‹Ó¹4Iôîüç3‚Þ_¾þå—×—§saˆÞüøú׫³KšJ™Æçoi$§æÑ˳wg—goÎNÿ¼úéäìª?Kx^‘(<Èç“ßÿLfK8öO'I¬rkf÷ÐIb‘çr¶9ÑFÅF+åGÖ'O~ë ³né¤üDK²: VS4yœ*©œï«õeEt·=6*Wå–úm¹ýRn[ìȨ©i°.»ûfû‰:"¡¶»- kÓ´Ý óhÕ¬×Í}¹$ŒëjoáQŠpIÌdÿHL³›¢ýDK¤11þÌ >H`.Dœ#ÝqŠwÔ: «U¤)mà°Ý-MË”_å]W9n³YÑ°g@?PÔŽQEàM@ôl:V‘Q¿ûmµàí+¦½—9Ë©3­Ë¢íHñ{ÐëuÜ£ÚX ›9Ô+w,@X–«b·æU]s׬››êÁÞ°òå;“º!Uœ‹D©í×¥IýEͺYkÏ« ço¹ÿ÷«c"yˆ4ɾéUç¹ÑÓ¯N‰8•¤éÓ´h]´ô+†¤öÖÇXxj -ƒÇÓ_Ãj–Â…g"¥ÆTB¯ç‚Déž™D„×h”ÎÆŠˆ®à˜  ™d2›™<‹³ùÜD@߯ìn«á¬ŽÜîú¹¢¦…Õ)ø¿eÙ•xr¸Nås;ƒƒQÀƒç¹Þ!½$®K:ÿf‡ê%ðU{K´ÝófË„ÇÁÄBHÆm{åräïÑ3”BÇiš›™“š$G§Éí [§Ë Féñçá‚Ãå.²ó±\°füûÐáÙq¦¨§8P6¶0e”-ÈuÊ>I%åL+gßh@˜a­=fôç!ÉÃ8CZK4e ¹Ü¤##XVmµý~<öŸàQÁ5êL¥C&ܤÈb•*áåI^N±ä–MSÇVut‡`ojÙ4Þ*`¯½+ªóÂyz2¼΢•ª0˜V|S©8ânQ ÀYLÆÈÁ±LùZ ½lÜ3ƒt5òÐï&2ZÐ!—¡ÀþQ¿ËøópÁ”ßÓú]`Ìû]y¨×n.,ÜbÂï2ÖSœP ü®‚œù¬pY4^CsGÀ.wMBI³zôÆÄÝ*ﳕÇM‡PÚ#nv­§ßµåzEZa~¬]Úr•IóA•_ïÖÕ¢ê&ØIu¬õq+" i0²ÜÎ$B>û…öç!ÉÃ* $¹™Éö;5#`°! Ä0î»1é)>ÅdžÄVZ5dò˜±&÷ªCxWM]ÒeaÝ}C@I+úÌ43""-*E€ägL•œsÙ×¼’ôBFç¿’ #!×£˜oï­Áƒ*ˆÜ2“ã2ײÕC>¾ŽP^¿ù™Jwr炶ÀRò²í¨ö4v‹æ Ǧ N-° -÷xÏ÷LpPœräfºßö¸W‹›«Ì~?=Á'ÔiœË4pxLu¬2“³¤)öpWµ¢¶tf!gö`³ç@L%þAã8l·åâ×Á×Af•äéH±nŠªö%…n_inŒÒöê7¬Cö+|½À]ÝUÔÔÐøâ£kWÍ®^NÆx\.¡4'"„ì(-‡ì ‚“Q¸‚ÙAäÛ‚‘®Käø)—øLRHʇ‹%ËW÷nű‹Ð…¸CÁñö.^Æ¥h8&‚_6¸¡äð] Ï¢Ûa &TÕ¦êª/%u÷&D$œÓá0sNžÎ@>BŒä#) îÚ~mC-x/ðñ~›£ëë©$._æã²’Ì) „vÓ|ô‹®Ë›ª®)¤æƒù¨KËTt>Æ ½$½Ç¶ †ke!ñ{æ›ñTPê(ßcғ٠ܸ ¯Æ²dmÔqBß‘€3/LÈ÷ÈèTxÜéXbôL'ê©Ü¤3%s6Òô;äLq’œÊ!Tl3 Ó£=’D@¤¨¥ù~LöŸ`=‚PB ™<žD-- #EwKSn0‰!’PßÙÈÆ‘=~^>ruÚáL ìF&† ´ÂðÊêIÓÑ&[Oˆ:‹¶­nj—é§de¡YÂ) *Äà û–úrN:6âH­¦–1ÄøÃ0 ‘6U]mv›©=+&Œ¯ÞïÞ·&)·24oa¥s¼5kù¹@ßEe3ˆ¶ üÊðKŠÊ_ˆ…þ¡r)}_äX”•ãÚ¡ÂÚ†zý*çfÂÍFU4$v€ƒŸÊâ\ÁÁTcFè¦ì¦Dž¼¥ºpð±$†•äQËÇ}‘ùVÔöiW§Zó,¶\€»°¼ÿnêŠBl]”_;ÂÛ¸s ÊáGK‡°¯µag9Ÿ²£Cfù¢.?m$rÌ2m,^JMSÌšj‘²^b±ê¨Äj}Ípˊ뎉Ý×S=IÉ$¹<̨~fÿ‘7±¤ý§¨Ñyªé"(Ž··Í}Mà5У¸CIä¨eJ(”åmŒŠ~ëðGŠ ØbB¯ †5LQ ×QwÊÒœª³úã*“y(ü)ö¹š‹àXå Ý!Nq˜b²!YjïÍø>Qç[ÍøB(5ñò™¸ˆ½´L>––<ã}®ÃÒÂȺ¦f,ïw×¼»Ï“&P̘Ašö"´>&Ügf,Ìœ…9õÛ…Ñ[FƒX÷±Úò—ýjPÄÆŠið‚±¶Jlô™kï¿(Ò~dŠ~  †¬M|û—îãäË—4sþW“°éîq t"ßÓÖCüëðw¦í«Ï.ZU[ÏìªbE”òÆGùßÒ7ž¾ã9ð8ŽLLÝ3ªï«áÚý}ØR‘(‹-˜žIŒ¹Ì唄ýë=9‚oF맄-Û)µ“òÞµ|™1þ†ÅI{ËrÔWO*Ï?/7ùL¹Éo–›üV¹É±ÜÄÿ-7ñÉM=SnêØ/~”‰ñ·kåà¤ÿiͳ"·ÿ±Vs­•GêÊ> D˜)”ƒ9¨e÷¿¥;dý¿H¶ý÷endstream +xÚ­]oÜ6òÝ¿bïéd «ðK…<¹©ÓúÐ:­ãÃ=´}we[ˆVrVÚ8Fqÿýf8C-¥ÕÚ9$0 Éáp8ÎW.üÉE’Æi®òE–›82Y¬6'bqc?HÆYz¤eˆõÃõÉëw©Zäqžªtq}в±°V.®×Di¬âS  ¢·ï/ß]üô﫳ÓÌD×ï/O—*Ñ»‹_Î úéêì×_Ï®N—Ò&2zûóÙo×çW4”2..¤žœ>Gˆ^¿;¿:¿|{~ú×õ¿Nί‡½„û•BãF>üñ—X¬aÛÿ:±Îm²x„†ˆež«ÅæÄ$:NŒÖ¾§>ùpòû@0uSgå'E¬4ÈêP€fV€I§ZéA€2¥¹!¢ëS)eÔ>´u{÷„Û": "K•ÆˆÔM?«ëÓ¥Áý}¹EPEý}ÕÜuÔ}SLÝå§]Q¿¤ÿx_6¹$Ì®Ü~öV÷mÛ•L¢ OSlJÝcʨo©ïÓ®Ü>Q×íöTڨݳUTW]ÏŒÞR£ûÃIçI¢ÜŽˆzŒê\FÌÑFŽhy #Ø¡‰oi›Ò÷Œ\ycµ*êú‰†V5n¬÷ãŒßwe} :˜]ß—,öðì´Èâ4^‘Åþøñ •çŒØõE_nÊƯw +òøX2wE3³ŽÍb“f Ï/ÖK'¢¥Ñy,“ÌŒEµÞ–]7½VÂí”j‘ Ð2+¿ê¨8·ÖÎ߀¥'¸ )j·…gûU‘¿Mѯî§üI©b­µý~ _àPÊ$Ö +à“N3Rfq¦•ôѬáÐtUM_nYûŽûz?†ßU›ÝC¹ªŠšÅ“»Øhè2 7º´¬ËÏeMséžà@Y{ÍAÒ¼TÑuÕ]S23¼ÐæͪŒIW²4Ö©´cU¹l›eSÞ:â\%=y¤«DtWöÔ]PÛ“¤Î›¢óÓÚ†àúU[êzh»ª¯ü€ôÒý„Ü^f£Õ!É 4×]Êí¤“”ÇU76’o!Rµ<ÈËÛžúÐÈ`Ù‹Tø÷í¶wë†T‚­C7 Þ‚í˲!”ŠWa­–aÓÎÊtQÿ^ô€íwýU]Sçͬ1 Î[ Ë ð¥Úì6ÔžUXßÑŒ1c`æ.nŒý™ä¼_5-µ¯(8ã‰Ag±^ÓœŽ±y0ÄŠ”“nŠ4³¹Çû +倗ÅïínK~ `ЂŠæ‰€&Tcì û‚+ô+?ƒ¼n#c !-!riyZù¥Ø<Ôå+²I6öÆÒ¢-û…e +žüo·g¥ã#‘ÑÎ¥xmßÌéô?$„úµ2oæö7œ×2}C ”ô_š³œ]‘c‰€{:Deeàl©Í.ÊYìlàF´ÛÔ‚¾NEkÓºû¦,hd[×í£“1`Ü<Ñ÷ž¥‚1“ýS$F7E÷‘¦¨$‰ñ0`LÎ^§ÆdŽ42eØlOÃÄ2å—Uù@† 1Ñ„`·g@?P4ŽQMà˜M@ôl:V‘Q¿:k>Ì©˜ö^æ¬çÔ£. ¯îŽ=Ô于Tw˜„zí¶ëò¶ØÕÇÛ}êâ*”Λ  ÛïFú8›LÆFæ_žƒsÏóÄÌû~Ø4ÐJ…Üó´hžZ ú“0bHƒtžÇYžÙ}¡ƒfÝ.R8ïL¦ØXÚœÜkp»’ÔHAˆ8ÑÊpñ„"!º_B¼y¶I‘©la$Q‰ÛËâÓâ.“ƒ”N»î%à:^_läâÇö³¶äé.ÂnGÖ'ù ÁêJÆR5èÛ“Mè@̆Á#’[-=bë¯UF¿MÛsÚV4»ÎB`cr2POfÒ<ÛbáY}Ûñ£¢%y +ç¿Oõ¾M9Ç¥ó\?ŸB*ÀA„y¡öy¡¿Ï-{¯÷aÈ0^L‰‚6ûé\%B8RPóÇËÔæ¬ÁMñDƒ+˜FËC¯³Bй SÁ9ŽhwXzW­û®;šˆ&óêªsFÜaݶÛKYq´øèÍæ’Ègnü2e 7`œI0H™-B>³E˜Ý!ŽK”Ab‹cÿݶ¡6ù<‰€¾Ÿ‰øhÔDnuý˜ F`bia³.!…ÃqR/ï Ø™q¸Ÿ›Òh”%ýlê +¶IâíÐv |,Û-ž¨L"béÔaúŠä«fz ˜•4Í“…†‹šÔ]CÜÞ±qº +*%þ2œàmlàƒè";ÊÛ`ÆßsÀ“Mâ\@æ.qP³°^â䀋µHå)k0´ª«AR^akÒ&m׌YÇ®^‡xÅv[4wÁ:Õ‰â9¶N€u™dh!a{ È¡}ØVpZ`d)×Bp¼ê\Wí:ºV8ÇE¿ìù’é‘ö‘έØ”ž(#"~]â&·LŒƒùéRaC*ò3„…œ•¼š»¾ä# Y)ÜU lG]+wXã¢.M©xÈð8Ýg8¿åkÕ»+íºš?…Pw;½=‘GÿqE2G€(GlØÁ׋ÕcÙA`&L_yÞ˜ ´â8qænÓ†l†)¡û>”[´ŠAS™AÙÔÇÚÙdÐIÎ×q¬eZ2í៵‚SA«¨ÐÏTŸêäc½š~ÚUŒË”©‘ÂU^.îQ6×A¬ÏÐJŸ¶!›Ý$´G&ãâNÃx+78ÉC§MœH›ÎTèÀË¢]uæ7%ä-ì™r8;.Ý 1_º“ÚÆ¢¡v7[žCƒ¢´R eÐzÁ™kùk ¸ I†ÊÚX%°Ž–è4Vcý~<_àQÃ1šL§c&—ètªÇ%:!KtØ×Ó‚¹i¨gÓeh¹Zj3•ŠÉîZØ‹Ñ“B×RyÄÛ¢˜<ûŠJ±ŽÁ¯Ì¹Z ½nÝ-ƒ\5òÐí +ˆ-è(3¤ ù‹n—ñ—á„9·;¥;v»ÀØþ¹â@¯œ„Õá3n—±^âä€Zàv5¤ËT@uÇÐ>ÀUTÚDšÕ³'& èQ>$+Ï›©GÜì:Oß½p¥^5aÒ±Ö )×™r!$Qùå¡®VU?ÃNjb¨Ï[ 9Cb!YQJÁå7Ù·Ñ=ÅeHr¦ˆž@†›%Ù~åã•~›Añû1é)¾Äd.b«¬3yÌŒXH’‡@…!<+zXÂ(fKýcK€¯ã‹Q–Pˆˆh@¶®~¿Gò#‰à¢Ž¹d +žIz¡¢‹ßH‹d|K3 gYÜ´$ÇiîËVùø2A9{û ”í äö•P©6Áu×SÙiê8V2’› -è;Z•åéwpLq’œsIœff¿ðqÇF7×™ýŽD`Þãë«ôá«Ógb`521dŸ5ÆXvâþmS)O=÷ÄØ[Ðgÿ"ì:ÝCXêK:éÔ†§‚doÃurSáÌB¤MÕÐ+ôášÆ[ïWo[ŽDŒŒÀœWCgq‡fý;>ôìèj›íq—Fiª€!º‡Ê¥õCcUVŽiGdÿšní~–ó2áb“B;ÀÁ§2‚8_p0?„Oç3 +7ÞQi8x+$a1yRÊà +òPg~âŽ[úEiWªªyìZÀW><›ºº$\—å—žð6nˆrøféöå6lðO˜Äô§K!³ÂF¾®ËõOÉ3MË×ÊÐs„–Z¦¬Ö€XÜöTeµ¾ì ¸eÅ¥Ga÷%UOR1I®#zÙ¿ñ +KÊ?ã ܯ$ô|û»ûö±!0ø‰ûÑ]Ç(”ThÊ;Itôû ˜€?QLþÈ[}XÃ4ÿLGûÀ(Œ¤yäYV'1þÒq&oÃûç7ÿ rÿ(†i·µêH ³±±@„™Bi'E‡á——‡¬ÿªþ¯Sendstream endobj -1003 0 obj << +1007 0 obj << /Type /Page -/Contents 1004 0 R -/Resources 1002 0 R +/Contents 1008 0 R +/Resources 1006 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 987 0 R -/Annots [ 1007 0 R 1008 0 R ] +/Parent 991 0 R +/Annots [ 1012 0 R 1013 0 R ] >> endobj -1007 0 obj << +1012 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [213.6732 493.8452 286.8984 505.9049] +/Rect [213.6732 308.8411 286.8984 320.9007] /Subtype /Link /A << /S /GoTo /D (rrset_ordering) >> >> endobj -1008 0 obj << +1013 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [209.702 415.6507 283.4678 427.7103] +/Rect [209.702 230.3842 283.4678 242.4439] /Subtype /Link /A << /S /GoTo /D (topology) >> >> endobj -1005 0 obj << -/D [1003 0 R /XYZ 56.6929 794.5015 null] +1009 0 obj << +/D [1007 0 R /XYZ 56.6929 794.5015 null] >> endobj 394 0 obj << -/D [1003 0 R /XYZ 56.6929 561.8344 null] +/D [1007 0 R /XYZ 56.6929 769.5949 null] >> endobj -1006 0 obj << -/D [1003 0 R /XYZ 56.6929 539.8007 null] +1010 0 obj << +/D [1007 0 R /XYZ 56.6929 749.6227 null] >> endobj -1002 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F84 797 0 R /F86 977 0 R /F42 597 0 R >> -/XObject << /Im1 790 0 R >> -/ProcSet [ /PDF /Text ] +398 0 obj << +/D [1007 0 R /XYZ 56.6929 377.478 null] >> endobj 1011 0 obj << -/Length 2396 +/D [1007 0 R /XYZ 56.6929 355.0589 null] +>> endobj +1006 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F57 628 0 R /F84 802 0 R /F86 982 0 R >> +/XObject << /Im1 795 0 R >> +/ProcSet [ /PDF /Text ] +>> endobj +1016 0 obj << +/Length 2147 /Filter /FlateDecode >> stream -xÚÅYmo#·þî_±¸Oë"¢ùNîå“s±/_«sQIPìI+[ˆ¤Õi¥ó©Eÿ{‡rÅ]­l_¯AaÀœåËpÞ8|†b…?–YE¨(df -Ie*›,ÏhvcoÏX˜3Š“Fé¬ïîÎ.®5Ï -Rh®³»YÂËj-Ëäo~¸üóÝÕø|ÄÍ59)Móïnn¿Çž›7ïn¯oÞþu|ynd~wóî»ÇW×Wã«Û7Wç#fƒõv¡…Xü•R~¿K÷ ùNåA¦*äAŸSÜ⇢¸d½('^j)@j¿­”t…öÁéò ĪËèÇa‚H6ø;¶› x`T;ãX^Q¢ /ÂÜf[n«%¦-Ør]m–sXAƒþåvîÏÌðzBÛJÙÚ¯Xw4eÈœ\ÃEïÆtK}‚€&‰øêòIûFb4_…ù墩‘ÚÛÍÀHRE[Äsxl4! å¼o³oú(N(I´Q™¤)„,œÂ±Í}†Ä8Á_qú(ïáWwó>W'Ä{È’è_ñ Š¾@’kX¢lG¢#ØÎzFcnN‚þ‚°Ð²›Û.WCv×ìš`Î6PSÁws (¤¥D:Û¿sRXk‡ñð¨å8JY¢’áx¾–‡½Ë×Õd ,8‡)*ž»y¸¦•;6˜\†naÍë 21‘ LÖ±ÝdQ:<â²´'ÿ±ò7ã<î×O;*AÒ¼šÖËr¾òƒ¯SÄZSônjoÿ€WO&lV¨kdâÖÞ8ä¡O8œ lÙuÍÏYHg½¹³I5,lÈ¢nÁ´š•pÆÃ’f0Xsk|yû÷aGèBƈ"È…³A83{i]µ{ùÁ“²©lö„lFÉÛò”lúiÙÐk‡ÀÞœ„eºë¬®¸1µ…° ⺋¿r.‡§œ5 -õ§±%hx'x6È*Z6[“æw Y8ýŒ "¨01‚MR€ÀªEu_œô©\ìªöHl„³8(‘¦‡á˜„ŒcŠö* °àõQ*†Hed&Œ‚«O½¨¸Ò§›Lþ»UQz(åNJ€ë(ð -d\ÑÏfQ)ˆF´V'’™ÄBÊ΄6„Snqñ󫬞Ez´‰w—¤ ò’¬¼`Ø_Þ2†$LI1öïuó%,êq¡ù?ëU5„ÉݪEEŽî< PVkž%–ù:c;·ú²‡£ør–qÅiÿ‰b¦°Ï9½z„u5–‘_à?•š½EN­ÿmÁWS/ãÜÈÓg™?aõDŸ¯³Ñkvn à´üŒÙZ²Áä;ÙOóÉfö2™PïVÓRâøK€š™ÿ¥ˆÿÄÉtA„áò'€\È-¢Ø#4+¨……  ØÉa0_\¡æ'\‡:ôºE~x"{ý|õžV[I¯ÁNÆJÝÍí¾!uøÍÕø$HB&õòU‚ÒÄó9Xï'³0nC¡ßìé×Äë -'¥ÍÅ"{Ÿ–»‡—m’7B¯££.O–õº­Ûƒ‘éŒä8…G÷ŽXÆ7ʲéx‡b…EôÐ7ယ…"Z¶ Òqª!JlšÝÌIëïN½ ‹OEÕ,¡P_tmZ.Ë}Ó}:}øŸÈ´¾¨½ŒïLÉKÔ±_žlB.;‘XAnZœß©ÇQ›,àhÊ¿AhwözõtÔ`½®J/Ëâî”k_ÜÀ¯$£†àAÓƒÆQaªƒq“żjÈ©b˜°PÛÉå<¸HQ(yö@D ì‹+z¹ýÅ -F#,OS[{Ò0ʬ«¢aFb<Þ&ŽPñX%xtÄ;H,¿ƒÿ<¿ê¦p%*Hf¡’2·sö1sE!pNB{Mð7K–}_ƒ>Y¢Rä;J{•¬ìTå†P§I! Õà–X^x¬N304I ž3•c0žsš·Ùa¯àº·obBp¬¡õá戽ãSù‘Ïv |c‡‰.ɸuøÊÎýYs-þvà¨Â=¸S“ö`3ÙmF˜LŒ$B ÛÍ%àêŸÈ œÓÚ'Xcâ٭×.Ù:ÔŒ=.ùTu.@ÖiÈj0®æÞIïADqÛg_ìë#Ö UèâK0ijçÉ=S­‡³hö,X|éO¨‡Ó&])Þ=mÉó\ÄBÅÕÑK\û[k˜•ˆþÌoendstream +xÚÅYßsã¶~÷_¡¹'¹ÁøIwOÎÕ¾8Óø:N’éÐesB‘ŽHŸÏÍôï P EÙjÜ›Ž.€Åî‡ÅîŠM(üØD+B…‘“ÔH¢(S“åæ„Nn¡ïà ócfaÐ,õíâäì2áCL“ÉbéÒ„jÍ&‹ÕOÓ÷ßÿuq1?qE§ 9©„N¿½ºþ3J >Þ¼¾¼úð·ùùi*§‹«×(ž_\^Ì/®ß_œÎ˜V æs¯áÀ„Ë«¿\`ëÃüü‡Î秿,¾?¹Xt¾Äþ2*¬#¿üô ¬ÀíïO(F«É#¼PÂŒá“͉T‚()D”'ŸN~ìF½nê~Jh¢4OG”b @eH"¸pVyûXo= •N‹²ÄÖýö”éi¾Î·ø^·w¡™­VØÙ4ycEzZWØÕÞe-¶zjÛ:tçØ`†–hÂϸôJ«U¿Kø.T5Ä‚ Ï#F)îÌÿñ!ßh†™¢Y˼øœ¯pîÚ‰ê ög(¼«›h·†™nuéW‡!ÛCÔÐ@ìZPÊ'”õÁ4ÌoÐÚ@³&Ú'L)¶Ø\ÞÑÖ.`%˺ªàÕzm_{ˆ]ª4 +»bJŒ€p±+6õ¶- ‹GBéôwgÄØàí™ö;Ž(ëeVZßÁRŒ‚äì {®.í)¢‘êÆbÓA¾Ó-ëÛ›wVSé^|wq­u± Æ® ß°%~áû1Q„mc°mV¿ +úÍëº,ëÇ¢ºEMÖˆ±ýñ†Æáû®/;Ñ¿÷ŸVåL¦Dsš>«9XiøÂÁáe™5 6ßæÍž[)Ñ£x?4~3 ûÆ£½õ>x/Ï×Ç¿7~4nüXÜø7ö‡qc_ 7ñJÜÄѸ‰cq/áÆ_ƒnƒäþª¿@»[¬½ rà’ò>ßo±X`VËÚ.+õ“ìE;D`P6aó$‰³ }Í¿d›ûÒ÷a]³­[(¯ØÂ2”5u•Ý„q7ù]ö¹°¡Fßhþ(Ø&ÖaÛrÕ?ˆlºÂÏAµɮڤè]í› ®§Wv•L WNÓiSlŠ2Û¢Ðò÷tÆ©žñðV¯ÝQyF­ž¨·¨P¨g2•Ä/ÞŠyÞÜו¯é0-¯Ú¾¿cuu¤eÄ=¤!ÂmÓóÑ‘Ä'ûì˜ ³ê Öûìtô¡µ’ˆHØ×L•&±¶Ýpk|vnØ—ˆ{y+F‚×óJ®E·÷šãÞƒ(ÃÇ `@Lx`@ÇÀì‹Tó.§n@¯@„+qʬ¤É6yO+8/i¡\Ùžà°hKi°Ér³ºÅÆMŽOCùêYª¦RµD‘T‰ñŒSµ!½Šò}‘‹ÅIq°à Éð¾õ.©À1önÅ å9Ú8Ÿ7¹GâãvPAÖÍT’dÒ)ùû]šnʶ蒓Ú=W ÉPh¶•‹è.ª{üðªyt{gû|^ÚdO(¸ñj <­J”¹³ OˆÅŸ)å·ñz>ß©©·)÷yÐå;ùî€é#[r_fKgµ`µ[VJ¯D>¤]pÚ|±º@&<Ø&d£A¿U»ÝÂÌj þòŠ•rãÇ6mÖæL[°ä}¾Ýî°‚!;ÿ³¶pç F8?áÙYÙá€åæí ƒƒ2lÒ~ˆþV”á#Šxëë‰e;~Êýø¬lêî’5†›Ná.UÀ"œÃ}Є$”ó!fß ¿%I’ª‰`Æm¯ëØ·½`cÝïÃðY<~ÿz¿§Õñ ²dîá Š¡A’'DÀµgÑÞw†nÔ †ìk³–àõ}&$¡Id?·Wc¸'ö{Eêáì56œq;Î 7kLÊŽùâ‰ÑZo™ug±Jt²g7à›Ü-ì¶ü>_Ž„çDRÎ]ákÂ*·Ç¦ +—öÌ‹‘„5oG +db"@ÖÃ.bå®ùÏÊU0f©|ûtïù´mÅ=Ø´=oVõ&+*×ù9µ!Z§fPÚþž¯LجD'JYøP‰{µÆUŸF¼ÉVTœ²©oZô +‹I¾,t>ºØ¼±ÎàŒû)Íh°çNÒòùõ?Æ7"12DAuhœöÆ™y“îón-×yÐ6ۦؖ +"y—@ž³-yÞ6ܵÝB€7$'¡YÒ߬¾¹!µù°óæÚ—‹?s.Ç §6îhÔŸFÌ–àðàÔ BªhÖ´&ͯÐfþô3È‚Štì³Êü6ó<ésV>äÝ‘ØŽ§5hP"Nã1 '5])ó´àí^*)‘*•f(á)åǤ!5Iãô“É› ¡»«ÜA p]¾f ³Yp +.Ü”•1²™DCΞØrk(„“ÛN /xÍ@ +4ÐÕb„tÞ£^’FÔK²!õ‚nW½eˆI“$”?í)ê'L˜4ÐB§ÿª«|ìŽag•9Ù+z¸l’ðI ÍëචüKïãñ*ÃŒÃ;õ]RÈ^/ì ‚“e~ÝßÂÍ/’ÿŪ÷Ž;u¨hG¿šzÆàBøɺÛÍTNŸ=òçu}]Ø%ToiÔK°KËŒ¸åÓ²,–_ ö,P?T«¶nBÿ±yö¿Ú€ÝßTÿÔÉCDÊdPMXšÆ4vÎ +št7 ØDØëgÿ5ž§RŸQ.kÉ÷ŸÈÞ¸½k ºfï²ÝßCì嫈Ð]]ïضÎý·À}³W|â !Ëzó&"iØÄÃùîП•@Ùì?Œ#”ŸN^> endobj -1013 0 obj << +1018 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [353.6787 494.5292 427.332 506.5889] +/Rect [353.6787 309.2241 427.332 321.2838] /Subtype /Link /A << /S /GoTo /D (the_sortlist_statement) >> >> endobj -1012 0 obj << -/D [1010 0 R /XYZ 85.0394 794.5015 null] +1017 0 obj << +/D [1015 0 R /XYZ 85.0394 794.5015 null] >> endobj -398 0 obj << -/D [1010 0 R /XYZ 85.0394 565.1194 null] +402 0 obj << +/D [1015 0 R /XYZ 85.0394 379.8143 null] >> endobj -696 0 obj << -/D [1010 0 R /XYZ 85.0394 537.528 null] +700 0 obj << +/D [1015 0 R /XYZ 85.0394 352.2229 null] >> endobj -1014 0 obj << -/D [1010 0 R /XYZ 85.0394 387.929 null] +1019 0 obj << +/D [1015 0 R /XYZ 85.0394 202.6239 null] >> endobj -1015 0 obj << -/D [1010 0 R /XYZ 85.0394 375.9738 null] +1020 0 obj << +/D [1015 0 R /XYZ 85.0394 190.6687 null] >> endobj -1009 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R /F84 797 0 R /F86 977 0 R >> -/XObject << /Im1 790 0 R >> +1014 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F57 628 0 R /F42 601 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1018 0 obj << -/Length 3333 +1023 0 obj << +/Length 2922 /Filter /FlateDecode >> stream -xÚ¥Z_sã6ϧðÛ)3•*þ‘DÎ=mw³Ût®Ù^’ÞKÛÙ¢cÝÚ’kIɦŸþ‚”%Kvv®ã‘ H‚ ð#@š-bø±E’F©æz‘i%1K«ÝU¼x‚¶OWÌñ„ž)rýðxõýÇ”/t¤Sž.׃±T+ÅÅoAñèFˆƒ÷Ÿï>Þ~úõþÝu&ƒÇÛÏw×!Oâàãí¿n¨ôéþÝÏ?¿»¿™JXðþÇw¿<ÞÜSSêÆøáöîQ4}Î zóñæþæîýÍõ?]Ý<ök®—ÅòçÕoÄ‹–ýÓU ­’Å TâˆiÍ»+™ˆ(‘BxÊöêáêßý€ƒVÛuV,Ž¸]M(g˜è(\ô -diÄÐKÇÁã5ã:課zš,ŽEcé"ãq¤t¢ÏCLáë‚,ž eÙæ;¶íötbÍ£XkuybÏ43±L¬30ÆÆ?˜¶•OÎ}ZkôÎãDpö§oàÑ€ëy.¯éópZÒ:—§ï¹fæè:ËÒ±îdNR¤Ãà ñŽdr4(¼lÊÕfÔg€1Øî¶1ín(ìe•^‰‚¦¹¯›²-á0~6þxJ( -®¬ÛY›‘¡eêÄdNOû­+g>/Æ|¡N60’‹‡O’f°Sš]Þì!×ùÍî¹ìf—Ux¨ë¶™ltCOØ‹S÷\3s6-³l<¹ƒ/…RøíÕÇ( l_»S59´v;ÛPS»É[*‘®µÃæ?»ÒeÔêlE‘»¹LÓž08 Ò£YÕɬ5±,%p yj ùjeö Ñ7…Wj¤¯4RI¦šñ¼KÈsˆab8ŠE‰üM 0à9}KV"”M²Ô|VC” ƒf´ÅócQ¿ÆrEêq:Tè¥ %ØnÊu6´š^ƒp@T—)¾HbXwsØXw Œ$•Œô%‚û3ýó5àD5aʃIº¦šj9DJJ›7-þ\°(–Z b”íZ:°„ïowlñ¡†-†‹r‡Ã‘í¢”až€L ¤—TÊ(»³V–ïö[‘9'H¨èëòT(éÉnËTG\A"4ÔçßÛ"¡ÐQ! Yèß3 ëH© r~ž@úÉÕe0“­Çi\³žË†åS‡fY”íkX‚ -P››Ì 4aÙb8ÁØ<׌#`K8æ8c9öfUbŒŒ!­ˆ]œ‡mXFlÃ/E"ÆtaeÔaݵ!Õ_6¦¢Ò‡»‡‡›÷T†…W¹gtsæ][ïò6$|Ê óå˜ ñ rÓ-2NO¦2ŠbcAÞ9§ªÙ‚’­ì@/^«|W®ˆØí  ¡<ÝNUϵ‚ü›™2 Q©à¨Sj<<9÷ºÿ44Ç;L7a:.…+ -ÎQ6ñSi¤\ªt$ÍÄz®7d˜Žæ’L—[S‚š1_÷îd‚sAjFç‚Õ¦?°Ã|ž ®“²ÔGßb.ôf À—ò¡7ZW䣕$LŠ™Bă„+.áÆbÙÐswü¾šüàH6”OSÌ¢µD1ñqà‘uº1+<iw JÝp2©!c(‘ÅÙhL‘3®$›±£û Ó -´¯k?ïèvaÕˆ^ù`Ü•ƒ°|»­_¨èBƒ>Tß–»²øó]ÝùQj㯶õÊ…yÍó‚ùõÙØN$ ƒ¿È¹ÎÃaÏÕÇvf}0Í&Äå}×_¬Ì’-w{xòzâăR8mâT^^BÏ5³†‘¥i”(ˆG‹x¤šiP®µ˜†*`-Åg["Ø­Å‚û3ü£qÑ™ÂÛªÓðli6ùsi·VWô%³X;ijs–žÓç/²2! áXäáÕqIg)À÷ðùV›¼z꯺p¢Ãp¢¶ï `ŸCnYP¹=@αv9Gœ¿6LF¾€µ.9ñšœÑ:pCeJûÈ(nPÊ{÷€ -^‚|GX´ìZ¢ù;Œ“1ý”Kiº|í;Qa—7˜ÏÂ^¸qŸÊgZ/46ÛüÙñõÉ]„ã¥õ©JÙ€ZÚúÐx7„ Õ;ôЬ+>û<„)G.py‡ˆ8Ž˜rºs¦&Rq45‘JH§siÅ@×VÓ×*ÃòP½On, ¯Ë,µGÛtbs'¬½¡Ý{âéÖ›¤;ЕòÞØN!î3º²”=é¹$<²ä„¬Qòài[/­u1ÖßC;…à€½B°rÜ{¨Ø€‹ŠdgPð‹¼ö~ïÅÛnI$ªqÓ»fp“m¾ÛÏm{ÙdÚP˜hkt<ЖÇõf ìýˆM§ƒ—æ,RÃùhÅøe¤rGêžËn]Q5aWìæüËLo€!v˘¾<}ÏõÆüA(È•Þàôr ÒQ-Ug/h2™qðp·¶¤KTh¸ð”Z~ýð ‘–½;^[…;•m¡8^[cñ.Ë‚ÿ :ÓÊÄzp®Þü !aœ0ì6bRÉ™ØF’±N©d'¡""øÓxPwmS†*-=À@é€NEw„Ã8Êà:.þÛà> ©Ëú¡í˜õCÅ?hhøiPDÛ'ë/˜N\¡kºÜžvià¯ÚñÔºu=,ÀÞ´`™NN¶Õ¶£Bð›Ó§ª«° N0,–ŽÔÂÁãz=G³»jÇñ÷ÚÃÁ÷yã)åîi3‡YKjýb“žØ‡ZÚ €QCDºáÁÒ’Â*,®ù“O“±¾ÏW_¬Y -ûhP|oayÜÇ -=a>ßVF×±Ž¯š[Z ›d¾3¢v°ìHÄ™½Â¦îö‡®Ü¶¡õ…$Ü^b´lßQÜS,‚θ)Hyh†oÇÐ^Š{Rù3zãZëãÛ˜í~Ým‰±(ó§ªnZ›Þ©)0Ü[Û#'zŸäÉ&Š@[ö‹ÃÉoºªÞ¹¨Þ -ΰoLWÔa[ïíy6Û°€¼¶¬f%y”oÍ–%ÝíŸf‹x©ÄüS¡ fqñÔÉÎqqá³­÷?¾ûü03 Œ1¸ô\p5b •(`|¿d¡f†«Ë-•¬ª„½ŸÄê@cP³§¶mFÐjŒ9÷/H=YúFjÝÿÿbÈ?É'£ŽkδµbΦÏI”h¡FâÌ<8®7¤˜ŽvÌ­Q›uÁת~î±\ã5}úÆ6—bý¢Q€a-@3ŒQa³ðyrB2þµÑA…#ÊC…v­‘ÇgEä±Â·LoD·ws‰=àEÖ?ˆý³ŸØÅC.ѵO­ˆË¯Ä@{ãJT” ¼Õ+ÇØ[ â< ë;«áuÐTf³HqåÝ͆ɡM‡æ®« _Ï[Ô4½ÑA!ßïé Í|î Ž™‡"ïÁÃ1Áíšh¯uG…µ1ÛQ~“=øiwQ¯•ÿËÅpd -Ò8b"KÇàãCT‘*LŠ  ¥C$(³ˆ`—³ -¨EšÙ€éIŒúõ.=³ÿpDÀΨ· †Eq’y+q €#¿Ò¤…ÁÔþ‘ÇÒóŠ¾æë~[®ð@Çšï—æåœYÂq’Ày¢O./ !cÚC«™Ák„vµñaxî_TWÛ²ÏÅæ L$þ j9âþ‘àoÿÙꈄÎf¥Î]1fàŸ -qBÙƒ_N÷¯¬©èÿ3°®gendstream +xÚ­ZÝsÛ6÷_Á·£fBŸ$1÷ä&NΫsç¨OmhŠ²8‘H•¤ìèfî¿ @‘RÓK'3¸X,€Å~ü2 ü£LâD1¤JÄ’P»<ÃØÇjy"Çù\?,oÞ~HX b•°$X®=YYL²ŒËÕ/a³xHøîÓÇû??Þ.R.ï?=,"&IøáþŸwØûøxûÓO·‹ˆf’†ïþqû¯åÝ#%VÆ÷ï‘¢°¹ ôñîÃÝãÝû»ÅoËoî–ÃYüóRÂõA~¿ùå7¬àØ?Þ˜«L¯ðAbª v7BòX +Îe{óùæ߃@oÔLÕ%1ã «©eê)0q€’J'œq£À¦]•í"J ‹c±­Š¿ë3McÅY+)™aþ¯|ûApO, "Nb™ÊÌð¼VÛ-h)IÂ"?t%vóúˆvA³°ìöMÝ•&¥áºiq¬?î-û­Ï\4¦]uH¬j+}›w–tÿ€’úMÞ#e“¿XQ¿2&pÓ#]0ÅbžRЫÙô¦éú¸üšïöÛ2.šÝÌ1•ŒA…`ÄâÑì&rlºÃZïöWBØ×7@JiØ7¨RžáR–:¢çÛ×üØ¡]=•ØâÁûC[—+¤˜S둼^ÁöLßꮌ,˜SÞåëÁ~£ïõ$ÍW#s¤þÑzh³ëé3ÁÝÓ ¬Š$æ,÷käܶ}ª´jô½X¨˜&"³jlÛ®ì#´Á©Ê%;UÒòv}Þ—»²îÝ öû27{yƒ8ñqæpuÓÛ³4»§j8!Ü`:ÌÃX”emêrXd[•]|ÉÑ §¯ò[<²X))æ=T™¦q’$â²,œG@–íâ ~&êQešÄY–¥C@ý½ãI†s&м›0¢!ÂH`°7ñ â —ð? '!d’Œ\ªöHÌÒÁï‰PŠ#“×7g=éÀÞÞïhð¾Þ¡œàÈ—l• ßO³¸Ò ÑQ‘Z'[n¬-f‰H,RÏT†h FÂÁ&Gâ!g™¢ç6 ÞÇYXuØ“Ó£Tš®ÛíÑ2ê@£çik4„[Ì@º§tN"©OÁ¦8´èd£[ª—a)øjc‚,ôÐ  Óö{pØ=Rt(3ájÁa¯+Ù`À¦PJU?O<@$*f™ÊßƾÏlµƒH•ÀNÙîûœjì Bvò„9l!##lÀ4‰©ÈËe*<Ô I8 qJÁ‘$ÑS8»§‘)ò¹®ìÅqé½ló]õýö|aHcDéK¸¶°cšYx”áRÀU”Žþ\šx+˜ “‚‡õa÷dr ›5¶ä—Úä`€„gˆE^àf²#Œèc¸ í‹RÕ«ªÈûª©u#YH¾ªºüi[Z©ZšV= -ׯD’妲ۃvšmx}Ê\ +yø´œI3à ,Kœù‘Íš;pÓU¹Ša5Š9véòŪ\çélÆìf`å"Vs0PÖÌú: 1> 8%6Võ¡/;\Ú¤£zu–³vù×jw°ˆà%ßÊkÛÇcŠ»íÐl~?à)„zÛáÓíÄ—<@8pyÕ|®Ë |  +jcQs~@ãåòúú×Ì| PHM£”Ñ– ª`ÒZÇêPhu3ÖeÿÚ´_p°oó8ŽÇt(-pnn°1Pöe x—×E© „¼\&ONº¾±àÇêò\æÅræu÷Z¶ˆSδ ¸ÏDò±yOÕy¦ƒp¬Òxã! úöŒ“CÛéô¦;9îód@³ÀR8·W™=þš´);K³çÀªÆÝZNnP¸Èƒx4r»Alë°éà°S%AZ§§8ñ-ÊQ’Ñ“r¦¾†“‰Ôy™w5Îb!Nw¢°WãxØÝ4‡öäug;Ï ÿÁþ¿ymáq–_‹Áq¦V_¶2Iýb‘hÅŽ¬É}^ ÓU[Dt¸jdNò~óÖbðÕPU¶†@»ò8slž­ûô®¼1Aïb<â +nVQz=ù\—ãÑÀå4}9–”„suùkfýq8U§i2Þ€ÍÌ2qÉ ñ“tŽdt4è¼nªb3šãÅ=n¯1R7tmÙWÕy{DŠ6Í}ÓU}Éø¥té)9E¡ˆ³Ìn_¡ÌÈÎLæFqM2]âŒ÷ñy_•†ÈÑrbažî¸Ð¦û:´é'ºZÔQe4a}èîÉO¿nÊ{ï>¾{‡}8x;F»f~è›]Þ»C±&lj +JS|·Øô\Öe‹ †SjÞ~59ÇO+ÙÄ,M6{úêXç;ýŠª‰‡ý +t8¢“Û¹ê™ÊâLÑ, Ða„£ÂÁöÙz×ãGß`,äO˜^ÂT.¢ˆ±¹Þ›ˆÙùn8TLÀ•ùÂ'†0pýÁ¦ÒliKk Z3å×½ML„¢˜Œ6]ZÐæË\&¡ +HøæsÈ›Jˆ^™CÞÚºbVdÌ©8+—puâÕÛúÃÖÛºkžþ Õ¥»neÞZ’AòÍ!.)å(ÌÈIðÈ:­ÌZ'F¼øD@ç/ˆ +†J³X%œÝÛ¼w£ˆ¥« +‡Ù×ÿb><.‡éµÃâSz¨|»m^±k‘Á€Ô·Õ®ð~¾kNJc!~±m +‹òº/å«.¯/B;¸è¤âz8ô¹.‡Ãk€våº-»M¤÷fxW™%î¾=NyqâA ’ˆëG¸fÎ0ò $‰eqtˆ%VÐTrÅtøæÑ#<Û"Á\­î8ØŸŠðog™~¬:ÇéOå&©ÌÕrÇ5¶hkñÌ»œ¡çØü­Œ Œp4Ù-—°–|Ÿ?Ýb§ØäõóðÒ¥jý…úa2ûJËöûJŽµ-9ˆ î°ú‚^¨·%#N\œÑ8p‡}Ü”rÀ(öÐ;ý ú ä Æ¢§C4÷„q&Ó›—ÙŠ¨OÇavvy×—î§,-÷¹zÁóÂ`·Å3•:ÕjZô*šss]#t –¾i;ç†P :‡öíÁ¸â‹+£a3U{âÒ¿³ÍþÆgM'üdj<.h:æeM[yÛ±c ¶F†¿‡ÚÆÐôk™¡Ñ6™ØÜë`(Hwžx®Ÿ²²?Œ +®_Þô¤Hß³ve!ÒK…ñÈ%Z£`áó¶y2ÖEéð m¢ +ѧ»‡¸°‹vw±š×<êgñþð„$½©Î.o‡¹þÑ{·Ÿ³è!d£i¿ézÚ½{Úrq½öAb7à´•÷àrù'Q×úf‚Š–ïþ»ˆÓ;AQ_øI +Xdœ»MiUI1Í1ö(¦[ÿëoendstream endobj -1017 0 obj << +1022 0 obj << /Type /Page -/Contents 1018 0 R -/Resources 1016 0 R +/Contents 1023 0 R +/Resources 1021 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 987 0 R -/Annots [ 1021 0 R 1023 0 R ] +/Parent 991 0 R +/Annots [ 1026 0 R ] >> endobj -1021 0 obj << +1026 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [297.8955 410.3076 347.2449 422.3672] +/Rect [297.8955 194.3978 347.2449 206.4574] /Subtype /Link /A << /S /GoTo /D (dynamic_update) >> >> endobj -1023 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [55.6967 109.336 116.59 121.3956] -/Subtype /Link -/A << /S /GoTo /D (view_statement_grammar) >> ->> endobj -1019 0 obj << -/D [1017 0 R /XYZ 56.6929 794.5015 null] ->> endobj -402 0 obj << -/D [1017 0 R /XYZ 56.6929 769.5949 null] ->> endobj -1020 0 obj << -/D [1017 0 R /XYZ 56.6929 749.3863 null] +1024 0 obj << +/D [1022 0 R /XYZ 56.6929 794.5015 null] >> endobj 406 0 obj << -/D [1017 0 R /XYZ 56.6929 180.2089 null] +/D [1022 0 R /XYZ 56.6929 554.7106 null] >> endobj -1022 0 obj << -/D [1017 0 R /XYZ 56.6929 156.0579 null] +1025 0 obj << +/D [1022 0 R /XYZ 56.6929 530.089 null] >> endobj -1016 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F58 627 0 R /F84 797 0 R >> -/XObject << /Im1 790 0 R >> +1021 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F43 604 0 R /F42 601 0 R /F84 802 0 R /F86 982 0 R /F58 631 0 R >> +/XObject << /Im1 795 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1027 0 obj << -/Length 2858 +1029 0 obj << +/Length 3197 /Filter /FlateDecode >> stream -xÚÍZÝsÛ6÷_¡Gy¡ >°}J;çLëÜ9îMgÚ>ÐmsŽ"U‘Šëþõ·‹ R¢$·ÍÍu<ËÅØvA%ÉÄjÆe¦&&SLóDOæË3>y€wïÏÏ3 L³>×··g_]¦b’±,éäö¾'Ë2nm2¹]ü4}û7ÿ¼½¸9Ÿ ͧ);Ÿé”O¿½º~G”Œo?^_^½ÿáæ͹QÓÛ«×D¾¹¸¼¸¹¸~{q>K¬N`¼ð ¸¼úî‚ZïoÞ|ÿý››ó_n?œ]Üƽô÷›p‰ùõì§_ødÛþpƙ̬žP»ÒLÊ,ñì·?ÞŽˆL )ƒÄ×ȶ)KÐôIÂ2­…{7¯ò¶™D(–j#¼ŸF¦‘†¥Â†mB@ÈL°±(îóMÕQ§léÙ…·¤ö¼¢^4vêÍò-…mT9 ¼!Ú`B#Óé§U1/ïŸËúad#’k–Y³c -?OS#»šÉÔ2’‡ªZ”m~W-EõÊ­¿™m‹;šsx’{@]§,Z¶û>À ,ÎJu"·LGbÐ3áB›¶ Ž9ˆA‘1™È£³žýYîè!25œ–Â/M·ó»^È1þ°â/5ÃøƒwÐðÐt -îË<6aʤ™7zXСUƒ±ᇓŒ‡ßLZˆ#«åÐ;^‡0V 9ÉY&à ø£!"o)8lb®%z×ø§ :Û7 ’]lm_ëé2Ÿ?–u×¹ö€%ŒÞÚ©yKc-SVÍй{ßlj4µ2Ó;´£ -ø „‡¢ Kú™kÿ qÜoêy‡˜ òyæ} ¬Öå2wî€ÍzÕ´p¾Äv3$Š>"—þ‰*Á—墨;@ ¢>=–aÈÁ­ð¡yÑaõ›uÝœðÌëçyÞvÔ!½àtÜÒ´È1ï6yU=þö ÖæpºÏÍfM­3‘6ð-a…Þñq’ƒÈöÍØQç&‚ -"š³Ì$ãŠï ÞÁ9ðX–}èú\‡‘.ráê¼ -gåbï4ÚŠãÓG®‘ù‡˜Ç™™.Àƒž™^½ëC”ƒ=Óƒ½töÌì™}Ø3§a/Qi€«wìÓÅÍ¿/nFA§ òEõRЃœ#IxúGr·âCX7S\0#­:Û‹AO„€Xfd»ªhÌ<ß WHÉ]ôxIg|Gç\oêå-½ög’ð,s"ýP–Íh߉’,ÝË!w:€ÎþA—pïÔ@Éó¾zÀŸL+;ªŸ}…(4ž…¸,Ç¢ôÈ ï@R,%NÊÆbZÀ¬©@¾ìÆJ9ŒÉ@åÌyo‡Ÿº¼+!ŘûŒú²¬Æ&†ƒŠ‘L%}ÀövgøÏœ‹Ê¿{(êbwhe캴Cû¥ۖ˲Ê]MñÚÙtԨߠ„ažWžÃ†;óî…³ZS X)Ìñ-6Ë•U<”µ§z¬†VN -2¶×¡ùŸâëÓÄ­›ñÕ«Wã&xgŒ,è­P&³™ÊœÛŽšhoCR_Ç­©SbÑ¥ít•ÓÉWCà´,î¥æôMÔ â[Шêò·YÛ=:W‘ºrYãråòj5]y»!Ù /ÍKm‹yS/B§¬ç^‡¼ÞàÁ1’ï%(4ÓÓ$<<ŸA-<½lªªy¢Œ8ÕÞîÎÌŠRf<ºizbȉÖúGúƒ<Œh‰ VÖåeíŦaÔ€¦sÙ5N‡²_¡ VIyµñ©ñ]ìÜydsÍ -Ç8Z’#©éïùŽ€0õšˆ¹ËÝ¡1:HBÚR<ƒ«°`"Ƹ Å&úmCQ¥â(¹•¿½—¤ ’["ËCÕÜåÕpG2ƒÐmß7kjø›…þVFYÐÜ"H+§ß•à[´Z£ã-Œ¢[ ¸<4bâ&ŒòEÑøÄåç¢Þe±ÚZä8G,ç'êAW³,»94{?3w0ØA©‡ab KxéaßD@#õ œH> -€ôôXÄ8èsÄkAuÒ"ªzÞ†È]XÌ` h Ó2Ö>ØÕ.é›Í¿bT/AÉŸ…0§`rËógq’‘eìðáì{½ˆàP°—>ŠÅ×{ÕdœJ5‘2à À¾ä†Y* ¼fç†ùÏ - ]+Ã,d¤‡W@ã8ÈòÍ0b(j7…I8³6KÆ‹E̾¬„j24&UBþe¦®cY£‚ºX…”“Bã:x´ÊBœz!÷›Šè±¢ÀÎ2_ø¡Î“¸q8cpŒ®i3‡F -Üú Qúsa?Ô„ÐtñÏE‰Oíºy;ä̸/bF@“©Û¬]j!Ýé‹ë77ñC‰ ej»jjWTÉûŽ¿£gUPÍM‚3Š˜±íÞÜìÝ((îMšŠIߪÍSÐ'%ÇS@EpôËžÈ0â°ó¥ÆÆÚÎ'¬dZ@Ùì´]ÜC.DÇ×iï—Þ‡mô>•È­·!Ñ—§Øôf¨GO@ -æ[Û7~n'ƒ(³1ÛÛ#êíü¯iók ¥O­>e ü|”p¶þ¶^·E÷Bt°½³ÉZ•šõÐÀÚ`l탗ÈmÔÛd7û¯}ý±È»üˆ½zŠø²öR_Ô^8ñð„½¤Æ«ÌÛkÑàù÷2ƒ ­£Á°Mw˜ºw!pßÍ¡Á„NCúÍëß}üþÍÕõX ŒvÄ0½ÿ)É ~Wæ$ÒŒÍéîó²Ú¬‹–`P®‹%èºXÒ=¬“:bÒwbI _[J*…_@HAõ ÏçÒÝcè¼­&¼ÏïšÏÅa“öuõw6©LBFr¤‰5x›ãº˜oâwý[šlƒ-õ×£iÿö:!ØR9· Þ.Ø^œÓ=¾\ù›®1KBŠ¿$;‘¹ÃŠ©\òφ.¢™›íåQ½Ø©Mg{Êg\½xÐzšýR°ý1Çÿ#wOÒŒI#äd–*&aýO({ŸR$O!Ëð’›ãuwbÇ?¥ÄÖ† “ÒYw‘»ðNãï-dšCPB/襻uMC˜fÛ¯@ô·½Ð -·½Àß¼«ü°†njÂW¾ÝKsÖ¿y8\,àí&~ÿíýºbG~\‰ G?dÒ“‚Â]üክâýÉ99•†úÔô¿Xgƒfì ŠI¤ØùÚ{ü¥å¦A½!òîÂ}F='k/ (v¯CÔ-B¡ëoSóÅ¢ì_Dñ`ëº#fųÄ=ƒ2üÌÅyÐc¼ƒë#Åõ²C?ï‚ŒEA:öéþ½âþòo¿¶?Œƒr²K1x1@êp›Zï®]KË´flñÿ2…Ô±endstream +xÚ­ZÝsã6Ï_áGeºVù)QíÓ¶›í¥Óf{NÚ¹™¶Š%Ûº•%×’“Mÿú’–9Ù¶7›~ H?”ùŒÁ?>3:f2S³4S±f\Ï–Û 6[ÃØwÜÑÌ=Ñ|HõÍÝÅ—ï1Ëâ,Éìn5àebf ŸÝ¿FßþëíOwW‹Ë¹Ð,Jâ˹NXôÍõÍ;êɨøöÃÍûëï~^¼½LUtwýᆺWï¯W7ß^]ιÑæ ÇáÌ„÷×?\Qí»ÅÛ|»¸üýîû‹«»°—á~9“¸‘?.~ýÍ +Øö÷,–™Ñ³Gh°˜g™˜m/”–±VRúžúâöâßá`ÔN:?¥M¬…Jfs-bÃÄô!³˜i8´yªxœdÙñÕä!{*<ä²hºù¡ØÍ»êÏòtË\e±àf0ejù@õÊú\+<†ô`–ÌJLÌu‡d©»²ï.ç2Ë¢~SR%/Ê}_ueq9WŒEWïnniäçw?Qåþ°ºä&Z•{jÛ¥l­jÅS_v  ©6Ñ/—™ˆòº*hè!¯¥[4ß#+&웋Xáþyœi-¬|š  ä,ê[(Y)–%Ôc— êoL³ÀÚí¡ïª¢¤ý¦rÝû¼Y—T}¬êš†ï]OWÕeÓ×OÔÊ‹ÿº¾,€3‡m(“EwG Œy´ÊuOm»2UýJ(elwÅü~ȉ 3Ñ¡;äN:ƒ¼kZµ{ªÀåôU³&ªñ½Úq:åDѴͼ(½`Ð ÃMY—=uÐ"“¦{,÷Ýsíò®oƒ®¥ßX¡ÛÃz6ÎdtOíeƒm7Âíë1¯ëŽˆúMÞ;òº]~¤êjŸ¯·pò¨n8s—/?Z¥ÄÁ¼)¾ÄÓÍQ$4öˆì½ZYâµ;ß´ur+yC8eu +NyÉv†7*ÎXè!e̹ÃU„BžÀ@#ƒùæPÕý¼r\»rÿ€v‚õª»Ýæ}ÕºÁ?Û¦ì&Œ”ÑRŠ«Ö˜#3ix´£#EïÜh»ut›²Þ­5U¾nÚ®¯–48’;F·‰3rêoÛ{¿Z»¢¾û°9l‘ü–àÐç…’i´ëÊCÑÎûv7¯Ë‡²ží6Nvû:"›q¢ÓÔÔ}Õ‡$ÒX¤Ü#™ VÁåžßœH•ž8· ‹3c<Õ²åG— +¼€ÎíÂoYš£šÙÝåûžjö¨$™%4'­‡ª|¤a­®,ϹÅÏeý4´_Ϩ²˜Šää)䄧òD¸½ÛréôgV…î®$è 8Éó oåˆ^á/”Ñ•À3ÃÒúÄýÉ,–©I^¹@ 2\(Gõ¸©–b‹ð‡eWÂ5@K0€«ö[³zŠ•€¡Ø û +"¬s" +fbZëV¿¾™<Oa‘|&EBàÇò .”ø=ÁºnïÁYX')!€I%OÇ6@&ƒýìð^;jt{YåS2sÆc#ŒqT·ó?åþiBxX|ƒ§-ZZ¡i{ªä»zO\‹Žúz²¬Z»AWªet½¢¾§ö@•UYÖañhJë2rFXU—ß×#Î7$Ê4{Z»œ¤LÐÙ¢‘*å°*á¤ÒÀ¶1H±ä`À{êßP 1œŒyâþ±áfÌk Ã!¸ Ðæà9?Ñ¢E‰¾³!¿ýè°,?íêjYõÔòó4¡ ôœS˹HtœˆGóržyPu.<ø‹å9OXYÖ¸nò•#s´VàµN^³‡TçÃì@eÏ BD¯SÄâ£zõòÂjbå±µJ89p£¥­3© 2ØFï{ƒ)b}Óê‚êdÚ»½„]åTqY­Z¤òlòm9á&E*b-ƒ[sòÄgÜeŠ #Ó«~ãVyÚMyL¥c)3îÈïþs7gP•žã²F%à¬T2Ö¶³˜©ÐÏ‹×`=ürŒ©ƒp1TŽ!/4lœ eïG]ðWS+\6BxukEvžçàîrZLcdÝîÊeµzBÃœðOLCìž\…[hbWˆLÀÈÜr(ç,Íy˲ë,"`ŸUÍœz@U§*Ï[¡ÊD,u*_¶Â!Õy+ T(ë¢J¯›#3„pKBdöâžhbá‘ŽI‹L¬LF˜$Gl«÷ÝÁ +±î­ }d…0FVWx+„ª=æ!ÏsVhx¬Ò$sWï:g†pÞ2!.2m„Yƒ5-O²ÈϱF˜«ÏÇSêB¦ô— XÞ‘‰˜Ä[^Gý6gÄ’’•áÕ`7%aXƒGYnªf@K.oHâg'ƒÄG»H4â-|%ͪ…<ŽT¥Ö¡ +åQ: çõ"aìí‚O X Ç”ôÞù »}µÍ­:`ã°ßµ6˜Q¡¡Ó…WÊx¤îÊ•6rAˆ#š°ƒz}\J|&2&ÔEcí²²5íšPBX¸Ì»žt.6¦$ßR,û¸è'O‰=¡4!æÚS-ÀT¯Áè–0BŸè8ñA|ûzÊá€÷Ddac\£06“1Sìûþ?hÇÁ©(ÐÚ—Ñn@õÚyªA Ϋâ9äéXh#^^>PM¬?=ù*Äl#è¥Ñõ»!D¥S°—`/9½ôöÒç°—¾{ug*<$^¿‹o¯¿\-¦‡$†¨_}.èAäÁ9KþJäa%>CÚ ‘9d.#eûlÐ>Ú`ô1Á…Xú”‹0ÁE&XR6#.yD°¬râ3‚áh‚®xër[¡ŠŽi€Ø 4:8• t‰xKc˜’…7å¡Xfg!‚AÂÎÕ)DØ9ÏÀ IO•3Á ÃÙ˜¥™oüEÙU†Oçé´èRò€uSâˆe©Ì‚bÛ7e˜³Ì)ã”ÌZãd$”a̽Œñ¡§„VÞÑ°óeØe“Cd±qS/›» XÉ8yIž8:€Î¡£ãÌ)µf!„žx *3y>Ù#˼]VSÖçÍ¥çw&4.%,:ý ‚™³Ú©§ØÔ=ņÞöy_ᨋ«ßWuù™ï®ö÷d:¦èµ[—M‰oJ…<¦òÙ‡µÊÍíªmUç6³xã¦\’Mo)Hk†e^; + Ö ú|üÕUÍñûC +X)ÌË;*ÛcU®«Æõ:¬Æ”ŸŠ"¶7¾ú±üjâjŠ䴾øâ‹é+xV $¨­`Pif2•Yµ¼¢g‚´Àes{jØ×VmðQÖz¾Æ>unЕ9pMAtÍú¹©>Í»þ й.©«¯¶%nw6®VѶ̻ñ.7ǵ+—mSøFÕ,‡ïóæÓ»ÚéG!ŽL3ñ ððrqô¾Å§8Šˆíî]‚Ϭ)dF×^Ÿ §¾Î9鹟ÑHÖç•{["ïÅ€¦·Ñ5.NÙÉChƒY’û”èÀ5ŒùÉV'‚YzisGKR$eŸç¨aê uæ6v×jz’ô±@`3,@—~£XE½mɪT˜%ü«×UçŒhøÙH®';™lÛ~¯ÃŠ{¯Q¨oUàíÑ[‚42ú¡Ý"iSÞb½ñR"iØDª\R4½ðºz°_àFÏV[C “,å„Zº…ÐÕn«>@­>ŒÌçÐ@®ôõô Act–€†p¤$#‚>:ì#¥ƒ.gÐõèÏO(ÂãŽp?¡/ ª£m©»÷ÂŒæàxBÆÆŧZ"}}r2å'@ŒúsPò7!Ò×`òHówq’„ È2åœ9û‡Þ£Eàpeá£,¾z–ý@Ä©tª ^ ‘ÊçüšC*ÑBzòkŽ¿7Ë »VilKÎK@óðrUš‘ž°š‡MÍ!¬Tºù_FB2Âá¼M¢è•²Œ\§‚Fi±ò'YšµW>¨[3uLèK.ô‡„Û¼pS­"{°óo¦Ð5Ód +ðc hõ[ê®…mŸ÷õÌdþÓ„hæݘ2c.‡™X—ô¨?ìmd!­óÅâæÃÕbñ“$}–ÚíÚÆæTÒ›¾¥ï©¬KJyð;kã¨(‡™‚°ÅâÙ3‚Ü>M1\ê?ÓÅXœŠÄàÛ7äÓ¿êÿî8þñ}A HkÅô‚d ˆ ©Ô1ò²?§Ñ§Ç¡¥‰µj úÿ‹ÝÐ3endstream endobj -1026 0 obj << +1028 0 obj << /Type /Page -/Contents 1027 0 R -/Resources 1025 0 R +/Contents 1029 0 R +/Resources 1027 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1031 0 R +/Parent 1035 0 R +/Annots [ 1032 0 R ] >> endobj -1028 0 obj << -/D [1026 0 R /XYZ 85.0394 794.5015 null] +1032 0 obj << +/Type /Annot +/Border[0 0 0]/H/I/C[1 0 0] +/Rect [84.0431 608.1033 144.9365 620.163] +/Subtype /Link +/A << /S /GoTo /D (view_statement_grammar) >> +>> endobj +1030 0 obj << +/D [1028 0 R /XYZ 85.0394 794.5015 null] >> endobj 410 0 obj << -/D [1026 0 R /XYZ 85.0394 562.9775 null] +/D [1028 0 R /XYZ 85.0394 675.8841 null] >> endobj -930 0 obj << -/D [1026 0 R /XYZ 85.0394 539.9988 null] +1031 0 obj << +/D [1028 0 R /XYZ 85.0394 653.5729 null] >> endobj -1029 0 obj << -/D [1026 0 R /XYZ 85.0394 352.0635 null] +414 0 obj << +/D [1028 0 R /XYZ 85.0394 349.5008 null] >> endobj -1030 0 obj << -/D [1026 0 R /XYZ 85.0394 340.1083 null] +935 0 obj << +/D [1028 0 R /XYZ 85.0394 326.5221 null] >> endobj -1025 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] +1033 0 obj << +/D [1028 0 R /XYZ 85.0394 138.5868 null] >> endobj 1034 0 obj << -/Length 3403 +/D [1028 0 R /XYZ 85.0394 126.6316 null] +>> endobj +1027 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F57 628 0 R >> +/ProcSet [ /PDF /Text ] +>> endobj +1039 0 obj << +/Length 2879 /Filter /FlateDecode >> stream -xÚ­ÙrãÆñ]_ÁG*e˜ 3(?ɶv#W¼v´r%)Ûå‚HˆB- Ð(Y‰ýïéžîÁEh¥S|ÀLÏÕÝÓ÷P,bø‰…I¢$•é¦:2±0‹õþ,^laìí™à9«0i5œõåÍÙço¹H£4‘Éâæn°—‹bçÄâfóã2‰dt;Ä˯¾{÷æêí×çV/o®¾{w¾’&^¾¹úÛ%µÞ^_|ûíÅõùJ8#–_ýõâû›ËkJx/¯Þ}M”>Ïlz}ùæòúòÝW—ç?ß|svyÓÑ2¤WÄ - ùõìÇŸãÅÈþæ,ŽTêÌâ:q$ÒT.ögÚ¨Èh¥dwöþìï݆ƒQ¿t–"Ž¤^2PË…QjŒqФQ¢¤ê8(,p%Žãe“×yMD¾o³6ßçeË쫳ý>«‘âÏß;¸˜x±’:JµÐ~ðGû‡_²Í†;ÿÁµ ™FÎY¸í1Xs[m ÍzÊ›_ªú—²¢î~Q¦Ó­êê¡Øä«â·»ú5«è:ÿõ˜7í'®Ê7å'`ÖÖYÙÜå5/)ûÛÀ‹ÙÝÃüÕ]Uï³–fþ›˜ZU™¯`ÂcØãwúì³ò‰áM·D„cüçç¹Ó>äOM¸ ÿiÚº(·ÝB!Oaø‰¢ˆ¼‚ôUSëuÞ“Rô@ -~÷kEb#e¥†-"«•ñ;üÅ™(µ6Y à=q‡ªn;Éê;„ÏJXÁ’yV«‡dˆXrŠ˜3‘‚óþ¯ˆI)@ÇâdŒÚ_2•¸ªAOmÜ8á^VϯóŸâX–E[T%A²rCšl›óQêy½½¹Ï;|úI"à®R˜<ÐíÓ½X¯$1aÚ· á–7Ô]ßgu¶nóºhÚbÍÀ¶¢ïmÎØ7Mµ.`&â±hïy„>õ¹pË|_µ¼ ÌöÜb$ÁbGÄ~FJi”5¥JÚ“ vV¿‚\•Z1C®UËuVR£Z¯553kïI@­­ÙåùŽçß&ÁNU‰œÛëŒï€Ùñ„Š·/Êì!íœÍ¥„‰„QŽ~(òǪ@œq'Tî+›.¯îžß¥˜õØ걄?ŽÁýÌ‹EšÛ¬(½X84€ö”`_ÑÅÏÝŽ#gÍk.Ojqr|óžÂ‘»':«½¯>>;:hE º%x*i©œƒÆOª+ºa²P©‰œ˜8¿Êk†ŠAJ˜6èèe±-™Ö Ü€¶±¿?&<çb‰Gc§gÎ5ÃkÁ®8ó -þ$©“süQÂmxȈ¶éYBGÒiù¿ž5Ãcƒ¶Àƒâ¦2hïS1öC›ü.;îÚ&꜔×zç= µY>UGjlŠf]y£Š½öUéÄóC+ƒý`±]4ôÝÞab»:òúÛlÃdm†œKRpÛõ‡nfÑÒ7ã]8Âæc±ÛQë@ç?xíÀmïŽ5È]=çÜ!¸©‹|bN ¯½"ö掱gu²Ý‘á`|æTÊEôšï‡p|Îú‡YE3³Dœ¢³?xª‘ÈDÐ -j…  Ô¯±Ý2Ž´îÄ{#žžf€°Ä„Óֻ숪Žvn“ƒkÍÚ¤—z¼Ï=×}Çë½²n¹«ÖÙŽ`½Ë«ÖÀnðotÓ0èoæﳦLáža -]ss€c+´!þPïñü%1æQŒL]{Q®YHAH<>q²ü··›Ø -ñö R2üž'€ôØHØ¡?¢J‰” ÀwÙCŽ Ü°¬õ"§­es…Û´|æœUR.Žl`@Œ='¦¨0‡OžN& ¬•2MÉYÛ¥•l„ÔÌˈç£ò‡°âP5Mq»Ë#ºÈ+öÓž0Üg–0©,$c±~½Ì£‚í³ÇƒdÂw«Qx Ç!ǧ~˜©˜H ”+G! ôõc‚„—(Ñê,¬n©D#ž)‹‚‚fÅÓÛùèʚȓ¾REÁ]ô¹:p»e -a@.Øqœßí®ºEmð0¿´¡Î-¨íÞ†AÞ³g”K–N˜¬EžlA'þå…¨R;¼Ü(!òŒ^&‚e’N’eb³$èÍ2/D0K)°L{³„ó˜†Cž1*E» _·,sÏ €Ð Ž•Ç€ xó‹¸Bo_¬ï©9 Þ )L; -Súa|°ŽBzlmÂñUû´t0ß0Ô]/ ÷Q®ž Å´‚ˆ%MÍG媛5òÍ}uÜ!–„f»Ç «@Ø~¬ê¨9IÂñ!ÀÇú@iO’’‚$ésæÜÉH+e^mε•!HD®ÍJ£;%zYãlšŽì$ÓUð×ß´¼?x‚œº=•ìÑ»y=@š :3qŒ"d4Õ…ÛƒFg•Éåu2­œ ™Soá¬ÛÊ×/ÆFË·Iv á­/ÍJŠ=Vñh'yÐ)ÈÿŠå]Å»ä¿e{ ŽcDØ©E¾Æ©ªôR>0(·ÇíöiRIZ×YsRŒ`¥ÖU]Ÿ»åñÐòf<\´!ò¡ÅÌ™¬Os¡N‹`‹}Qv¾° ;yì‚záF®“Ø>¢Žca€†ˆ`]¢mŽÓ1÷m!?=´¼¬¢/b——_¿{Ï+(ÎXÎØï%=ïxÉhÈ©ÌÄ ôõ­Î!L+\úÖGrºÙô ë­±úÂì9À2ñèN. RÛ¬[—â ªã3ÖAFÆJÓ‡ÖZøH¯¡S:œèÎ<:/”úÎslÈ4 "´bò’@éZuôµ·"‚¡kòQÞÚÆÅ]!gæj¤¯83¢£Òþ)U‰‹tgoÁg6t´÷ù = ‘ù8Š“ÅC›ˆYOá Ü›ø3G¤é*²f¾L -ØÞ¾fàcWÞƒž‡ˆuá&Ú= ±ÖXp2-’¡beõXÐc¯9ýþ±ÜmUmþDp~óHÊû÷ýÆ020ýµëû.0 #_‹–”"5LÑòâ—öÄèXdð9%Õ˧€ý‘|ÙÍ!_wOÔá Â×¼¾PÛÛl4¼3ÀFÆ›½Ä=¸’àž tX$-Ã]tZ -¼ïR3¡F·j\Ìôq*&Î'Ê3 æ7ñ§fe»®bì oqJ±'BÏ1“|ã‹úB]Š–÷Oœ<8ˆP@)B æÏÃ÷¨XëQN0[?³‘J;þ -âx„÷>\܈#•ØI(¼˜tu‚ÄĽöÉØ)l&VJ:i»Ô -®@Ä+ï} eƒ·²ýS'Σ¼ -Cƒr}dÛWò‚¢¼­Ž^› rD1ÎãQŽ88dÄ\6ö‰T#''ˤŒX5_Ó%»'ŸØ£T즙ù ¨ âÈ›ž gç ÈÖÁ$Sv>(àÎ –”ñ öíp^Xœg¥ÌêHêNñ‚¢r%]Dqê+é¯)³ -#¿ü“òl$fâDN#1 ±ùDxÔdîAÉ©H÷¸Â!ÓZÈî5] -P· d¯ø¯…ŒRçÜü?-VÝŽ«á–áoCúÁ„»$éOöʲ™ ¨däúk -Ï "Û›ý\n®Å)3aÀ”É1Ú¦³&Ë…þf<¿Ÿ@‹|‚ƒ5!,U  ÉA_ñY©}ₘ3R9)ˆáãùÍû«·ŸMoŹ(1±X|6Àcà ÕÛ5®ÿ\ ÓWÃùÄñ!'»"ïó€·³àTÍ¡’Èâ“ôpï“ÿÎt³^@át·þýà€ß%Ë6Ûñ#(+þRpkÇ%v—Œí—•ñò¼‘õŽ¼[Á8ÅUKZZ¶?_Z Khþf\¬U“¿$à™&œ €¦Ø–Y{ìžãL—0ønó2¯éŻdžØ`“ ,B9¦ GŽ])Ç÷|¸å‡C^n¤)m™öaé*Qvy1÷Ï”qÓ§®Å¶(³¶³¶wóŠ ldÄ©fú—‚cýùÿ5 'ÃØíS8/l†üB,gß./vÿ·Ê阑ÄÆ–ÿ˜å;èyÃ蜫KAŠMò‚í6Q,N -иk¶ÛU µ½ÁÆ2Ïâ°ã)¸'&[ -ßîwp_O÷I£L ¦R½2±]ð#¯H ©¼™Ó•Šs‘³O‚æþ•§ –«æì@ÜýçOÿc¯ÿ;£†¨Î¹g Š´ßT@ -‰2É æá¯}§¨ÿU ¾Ñendstream +xÚÍÙnãFòÝ_¡Gy1êíû@ž&‰'ë`ãÙu @´DÙÄH¢BRò8›üûVwuó([Iæ!0`««º«šb +l¢4ÑŽ»‰q’(ÊÔd¾¾ “ûê‚EšY"šõ©>¿»øç;Í'Ž8ÍõänÙ[Ëj-›Ü-~˜jÂÉ%¬@§_¼¿ywýÕw·o/œÞ]¿¿¹œqE§ï®ÿ}…ÐW·o¿ùæííåŒYŦ_üëíî®nqHÇ5>¿¾ù1'½½zwu{uóÅÕåOw__\ݵ¼ôùeTxF~¹øá':YÛ__P"œU“'x¡„9Ç'ë ©QRˆ„Y]|{ñßvÁÞh˜:&?Ia\ $%’±Ó»âv Äùs71ꃠ) u´S‰ì«„1E¤5£Ñ‚‹ ’*_æU•­¼l€^ôèA*FI›x»Çür&Ÿnvëû¼B¸\ú§˜þ²Ë«"¯ùôX̬.™æõnÕä Ä›þHÜ;¬˜™?l9cŒ8¥xػޖ›:¯É¡¥2 B,õÿkÂÒ;™%‚O©”–òWô#1œ¹ÀúæcUÕysžz„µ­z<ìÕ#¬ëÔã‘Q=ªÇc¼züŒ›÷W··ïo‡Ê@'Ž“P%èaOEóˆÐ¦Äç"k²ÔՓçU—ü”êÒ–vöup,c:ªkQ®3âYúâJµúò°×—¶úò/Q_ê‹+ôåGn¾ÿòý7o¯oƼg °ÓJésû7ö!m8ʽã´5ÄQ†1n™«]•ŸéCJ\²ip#x n¤zQN¨6Êyü)Œr~$ÃW<@ êÏx!Ö¡•Í#š6Ù&AeÏîË}þ‚F{¢ú;k—Ò½µ†uu1kÍwU]”çú™fŸiL[×ù¼$?pžíêàa@Û¤ê¼ÚãlÚ”8¸Íƒ&G¹,«5ª µNPE|–alÑj9†Ï)å›EÒwÞCúlT¿©Ÿ`:/è¿'ØO¥ÿ®²y­Tòs 5¥ÒŸ›•´#Â@é2ãŽX¡X¿Ä:*µ¸þ­à`bÌΔîLLŒÔªÊÁêZí]eÁ»µ FòìA—™ûàè0xÿŒÏ $O’¬Ä#ŸŠÕ +¡`PHÌæÍ*N+7y–Ñ’û¦Ï hƒSM¹ÞÍçy]˜¼NtoF–ÒD*%#Á 5¬d4ˆâÌ•NW'‚A%Ìäù Ì›R'ŒjWšÑx¿9^q&…!†y…÷ –Óá_p¯NrKÎwŸ'£Â×ù"û›äxÑ/×ÙsÄ,Ež­VÕ¼wD³\ÝòôR4î¥ILórG9'ÎKÚ}Û¨"”ƒAµeämcÆ 4[”Ò.ÐÁšß6YÖ‹]Y•­×Y”½2½sBðã°Šc1‹Å54¬WlÅ—ÿ…Pé½×7ÔÓ}ù°«‘ê9¯.«Ÿ}5é_?‹¯ÛªÜ‹|V|\VçϪrðçº9{-_lþÀÉš +¢3¸Xœ’2Ï«ô3Ÿ2²)¤Š"AbÃ}xÿ ëlóñu;…¥mÂã§1^>äÏuÒExÔMUlÚ‰Œãüƒ‚Àïç°R—»jžw¬[Ù³‚ßÂ\¦æ– F +VøGŸ7FOzøŽ¹mY5­eu/xžƒ  S^:Õl¯ûÓdz +Òbñ`òÄÁä:çÐøª‡Úøý³17¥áv€ ';÷´¯»ç—y¨B4:ˆVßÕÙÃXlý–µåÒq¸bPªi“²B<ÀH8…#k¢Z=<ÛÏ–ZÆùcVA"„ú«nŠy=Ѳº.çE»~Ÿ™õ+«uÙÄ ›l¡xÈTAn€Ü.¤·5K¬bæev!ÇÈ3Øΰv€°A œCpG0‹cXÑÁÑšr‹˜U¾ÏW‘~9 ‚•Ê—Üîʢ^é1«HPÆå‹M ñWÎFØPI3%l<ð¾ÈŸF¸‚Ìd•=â +|_7½^ž^ß_KZøé} …JnÄXŒç¹j ˜E¬’<:p +ˆu›©ÝIJ¬Qç(Kv´}²¼ƒ-1—Û®Ý2Ól»m±%¢bqn‘K¤B—³ÚY>&Á òæ7ðvÔºIÂ}‰ñ'÷‘öe]£4¡öM.Šs‘/3èÇñº#$©àõ˜J‚¥š>—;E=/±l‡7hµé c©QÆ¿·5>ÀEχb¦‡Ë]œŸ-âY“½Áúʧ-eÑà3‹«Äȃ±yh‹ûïƒwøe—»*\ ŒäßÞÍQN‹à½Œ¦K'šÄƒ/ûlµKËQ—²D_GýàOEÿDUÔ#+9¢YZó“!%·$Éa€œ:iQ¿»9…–·5ïAx¼›Æ´J»ÍW±Kƒ8·È}™Í¦ëýPO9^Çøì÷Œ®Ê¹oÉ=®K9oü6$©yƒš†Á a _guÓ#bIÏƵ÷t°mécHØ4d¼°À…a¡^ˆµJÿpª§¿bw Pªü›¿PÌ7ÿ Àzn`ìð>àJ0‡ð«lŸ{Oi8Ö5Ž““ÆÄpå—iâžcQIXJL[`@=f’8)\¯äôˆq Î_ óƒö¢‚O–(vn8€A7 ö²ˆ4 ¨|Ÿfl˺.îW9AE^Ç<óëŒ2Æ¡#U]ÿv†ÍûËg«Xôš‰ðZÊ>,Âyªý!“"2Éá›Y,G¡ büõ%CòJä yµf7Óþœ.šG¥(`ÉÇ{_fHìÎtQHWJ$.·±‚Õ‹M· žS°u<Vå}¸0ó¸0µÆ—{pÛq™ˆ +™%ã¯S´“CÉdõ òŒô ¿è—«ÊpEûж•¿™8ŒLÜrŒL1,q˺°ä£,X +K7p`äéW@”EÚèÔܺd<–÷Ýgz¨UR§†N‡1ˆ=´c5]¢·­ã Z³JÈㆆ­øˆgº.¢zÏ´:z¦ŽÖf6oúò±d­&~t‰g‰Lþ2•·IëuµY­Ž¬Õ„5؆05‘ jJÌ©Œ¤±Ö¥ {\kþIŠ6ì|DÅ[ëÐ9m­×ß¿óÖ…<ãàm`e_ã ÖG~x‡QÒžn·Å¾×v GS\¶kÊ5ô1óxYƒK uÝg¡Þ¾oa ‚àÝc¿Ç‚Ø«T÷ïšÃr(F8ü,)ìt“wðåØf—ÎÙ¼&.\û5@¸>ó¶Ï¡k9t±è¶?Kz-Òöeó@2…ojÕ+l¯*ó³ÇJ1) bqN½˜(g-ÕÀëÇr· +5ห§ì¹Fø©¬>xÏÑ:},qÓí®ÚbÛ£]üZâN…sˉBÎ¥á©HôR ”J*u¶Ççq2òUÄ'~«ñšþ²¡ê\ÆŒÞÒaõm2øÌAb„!CR›´@•1åµ6PŽÌŠXoyªû2Ü_.­£í¢/R'Å:nVÆÑÖòà¥ÀüËüW¦¸ßÇlíKÇtÆ"ž°í£¾;¶VÞ (÷»‡‡çƒ›¤y•Õ©ÅHQj^VÕ¥î¶MÝý ^Ú ûEá,rêg9ByÃbc¿¢¡“dÙù7;Ýš¤!ÂZ>þ(~Kí©¼Ì”>:;£„ ÍÇÿ½øpØendstream endobj -1033 0 obj << +1038 0 obj << /Type /Page -/Contents 1034 0 R -/Resources 1032 0 R +/Contents 1039 0 R +/Resources 1037 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1031 0 R -/Annots [ 1037 0 R ] +/Parent 1035 0 R >> endobj -1037 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[1 0 0] -/Rect [87.6538 115.3135 137.7628 127.3732] -/Subtype /Link -/A << /S /GoTo /D (tsig) >> ->> endobj -1035 0 obj << -/D [1033 0 R /XYZ 56.6929 794.5015 null] +1040 0 obj << +/D [1038 0 R /XYZ 56.6929 794.5015 null] >> endobj -414 0 obj << -/D [1033 0 R /XYZ 56.6929 769.5949 null] +418 0 obj << +/D [1038 0 R /XYZ 56.6929 567.2594 null] >> endobj -1036 0 obj << -/D [1033 0 R /XYZ 56.6929 752.4085 null] +1041 0 obj << +/D [1038 0 R /XYZ 56.6929 541.57 null] >> endobj -418 0 obj << -/D [1033 0 R /XYZ 56.6929 588.3944 null] +422 0 obj << +/D [1038 0 R /XYZ 56.6929 374.0866 null] >> endobj -948 0 obj << -/D [1033 0 R /XYZ 56.6929 558.2805 null] +951 0 obj << +/D [1038 0 R /XYZ 56.6929 342.623 null] >> endobj -1032 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >> +1037 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1040 0 obj << -/Length 2900 +1044 0 obj << +/Length 3111 /Filter /FlateDecode >> stream -xÚµËrã6òî¯Ð-tÕKÄ«rš‡gÖÙÍLÖã¶2)%Ñk$R);Þ­üûv£Š”èѼ¶|P£Ùh4ýÌ')üñ‰U,•.›—1•r5™¯ÏÒÉ|{sÆÍ4MûT/®ÏþöZ‹‰cN =¹¾íñ²,µ–O®¿%/ÿþü—ë‹«ó©Pi¢ÙùTé4yqùöaý¼|÷öõå›_¯žŸ›,¹¾|÷–ÐW¯/®.Þ¾¼8Ÿr«8ÌÃ^_þó‚ 7WÏþùùÕùï×?]\w{éï—§7òÇÙo¿§“lû§³”IgÕä)ãΉÉú,S’©LʈY½?ûWÇ°÷ÕOÓŸ’–)+̈39¦@嘖Bz^/ ÜöuÍãBà4í6¯šÛb{Îm2mêÝvçôÙQ8æäÕbœ¯ä\?Íwz¯GX[Ц6‘õ|•ïš¢ƒÈTÒlŠyyûˆ´°½üå>#ÊQ:L•pÉyH ?.šÀ³­éÃ,pƒÕüf&Sîs’ƒ­rÎœR t[oϧ2Í’ÿÔUÚoÍãÊvðË‚P´âºnĦØÞ9˜Û3@À· l¯-ï‹Õã9ç<óÌŒL^Ó‚ -vGÜh¿ˆòÍŽùÖð:> Ö¡•Õ_täÓnÖ@sKˆ @øõ‡ô!ME±`(–HÞ—ër•oö@4!9ééi¾‰g˜þ¶<Çþ¶pîÛ*¹„úb‹“Ì™¨ŒÏØÏkÝ$ëšD%{‘àšN€ßýPÐZm^®šgJš¢ €¬€EÑÌ·å¦-ëŠõí˜/Iˆd¾ÔIÊN:©2ò+œTpY—ÕalÌÒ” +ÍÄɌ֣}ÜÞM¸ê…µŽ~ÚŸpÖŽùâúïÑo¢þ0°sÍÌ‘HZ)"Å×Žê” GÜPÖi¸sï80Òd˜1ÚyZ/'ä,ž¦`Û]Ó‹éÇⱡm¼oó¶XUrÐ6_¯ó-ñW¦'I:™ - Æ!D8Â>' ¼ÿëÍÄth@çmÚmYÝYµ[Ï0†} -îÓÿèÙ*p£¿'WÿÃ#§ŽYkÜЧþúqLÏ ˆÌ1#E§^‘~®z_èáU¹7#Ê%üÚäwcÞÕéýDnÍöÉl Æ1GHÕãG´¸—ÐbœðúTÃWoß¿¿xIpSÌwÛ²}¤‘wÞºnÌ)P–Md†AgV,úØ5gf'*³˜ŽÝ)ÿôÓþ„1·9ä;ô_&cöP•‚f27æ¸2 -D'$8âE~‹(yõ9%ãË„¹Ôf¼¨lÈDQÙ4òê…ßxV¨^™&Ë¢¢õØìf«rN0XC?%ÓOUWÓ|×.kX/Ç€ÐTx ã¸ÞǪ~¨|nTÉl„DVEÁfaª·Ÿ²(¢÷·VÏ Yy¹%Ç -‹¶·»[LéA9¾àá˜(çX£Ñ lñWyшGÑÍ%`¯2…* - zœ]à³ÉIîêh^\iW5å]…Iz°1Šï*,%ú5þ¥ãx™7„™xJˆš×žß]PÕ"L t9 Ûí¹M¼;Ó†òFš EG„³Zâ•·Cv@pKqÂ2_DyÎyB"ñä>_•‹Þä*mH›÷E5vœûãÆÊ…§>Hù  -Îz……Å»¢Í¦ á± ‡µ÷JŒ«UGj™¼Í *M³›-ê5ØTÓ747–C3©}äÚŸ e» ÜËs¿š4Iˆá}HUJaóz«èºZø|‚h´“9 W%ÂõŽ¶bf_ žŠØ  s&VX¡ôÜï°’ï1à·ø–'HïhÊbEíགà÷a™ÊžåSF„*W9sÉý>©“iò®©ëUßþ+센B -¨ÓÀãÚ1ÐŽ ûÙʱֺ@ìköиÕMq¸ô^w0ð=цî,Úÿ õóAåÿz‘P‘q}P*\]5E{hý{•þí=X°''ð¡ŒöMa€Y˜ò©ût*å>_k\ë‘"@ºÐœH‹! -#5a×»U[nVB:q¸½mYøÎ#ƒH’Ï—ÝÜ:¸ˆ &çbrò¼^€–œ—ÐU¾.ž‘®aÖ54Aˆ™2¿‹NˆLm=¯WÏbÀ¸ÃT¶\?;(±ºfèE¹Wgýµ ^ »ÉMÒp&í:Ä öDyHå·Ýׇ<Ô‡÷eñðµe7•ÄA^7¨+¯*©˜Õê 'œ¯òfPœÄíuÞΗÓùª9::ÿƒ×+n<ÅÍʇÄÿÕ¯ÉG¹AÉGîUø-,yå£wuÉ”œÉ‹æ¦ÞÞTõ©&Á«©ö}ïAÍŸG¶›ÎûƒŒ3›Iþ•ý8uþÿǾ@‡_þ˜“PŒãýÓQ()Õš2¥z†›ú¡ØÞîV„¬p;ˆ¾…ŠcC+~AÇÁtmŠGˆÖ'„VE;äíÙ#ÂMŒÇæUó@pGH5ŒÿØÛÇp@Pϧû"å/ ê™ÂMì ÍGê ²æ¦Ù‡¨tü}XÖ„²yóˆ ®k%’ËvøÂ{[Îw!é!6é`ºÀ \CÌD…vË5›UxÑVW´»M3æxÑWï‚¡,ó{ -¨”êÀ B fÓ‹Ñ*ê±Í!¨G.·2&:i0ê݈ÁpÑo %§2°dùyËàÃÊBæë—a£W€ÜÙl`jøL©\r‰2IIݽ‡ ¼tPY2«Ûåèã!-ù´¹k|€Û7µ£Ïƪ!Ç[s8¥KN‹â6‡”H;Á„‰¿ž¦QzOÑŠe›aOáÖÁõªÀ"¥N.«î[W²¹¡{Zó!K;ʇ|ƶ -™×Øîéå¤ö$Ëd*N=ºd™R_¢=‹Sº§-êQøU6×æÇ -Í©t`ÙîðUê‰æ¶ªUÍïaYbÏèKªpÏT.Ð!´¤ÇHø°.æ˼*›õ ¸’ÁsS7ÂþœácS¬ŠyÄEB_‰8‘ø¢Žã],’†úÅ%iÏÍ‚0=Oˆåá˜*âîFº£ƒVfÄz¡_°1™`ÿjtÔ0Ôû+. iaÒxåaÂ5q\¢‚B¹iÃÄ[Òñ:pŒ¾àYu½ ~ -7‘¨·¬÷› êQ·”‹Çt"UB˜  ˆÃ[úmG›g™…¯'jÐŒad>(Aâ[†_¼©õ‡ÚꃡŒn¿Õ¾æ“ª¯,Bà}wÑ'ñ7š‹°XµßŒgŒ—&ÅŸm·UzåìÒôÀ?º{rÛeŒÁ#:¨Yv‘ÿimhaºi2 ¼ ¿¡`Oýo‰„(åØ{GÚµ¶ßü'ûÊÉ “ÖŠñ—™BÖ‚P¸#uôÌÚýƒÊ±èÿßi9€endstream +xÚ¥ZÝoÜ6÷_±o·,?DŠBŸœÄɹwMz¶‹Cц¼+ÛB´Òv¥µë;ô¿©¯•c'…– ‡Ãá|ý(‹‡?±°šq•Æ‹$™æB/V›#¾¸ƒwŽ„ç‰S4äzsuô÷÷F.R–iW·Y–qkÅâjýËòí?N¼:»8Ž¤æKÃŽ#møòÍùÇwDIéçí§ïÏ?ütqzœÄË«óO‰|qöþìâìãÛ³ãHX-`¾ôž™ðþü_g4úpqúçǿ]}tvÕíe¸_Ánä÷£_~ã‹5lûû#ÎTjõâ8i*›£X+¦c¥¥<º<úw'pðÖM³ŸV–i+“Æj΀:eFIå xuŸã&€uhk‘2 ò‘'_WgÊ“1Kb¥=ÓªÌöM~)a—ë¼Íw›¢Ê|N–÷y{Ÿïè%ŒˆZÖ«¬$Z“ïÂûÇ¢,‰!kÛ|³mý´š~ý"ÉòìÝÇK?ã>¯ˆ¶ª7›}U¬²¶¨îPåEƒI¬V‹H–j-²E{Oé´ÁÁî$固õÏ^%8†²¹³”{³Îo³}ÙÒCÑÌ™Ï$ŒK{Ó<åsæ1Kc•zFÚ + Z§®eIÒŸQ¤¬êÍ„ãýv[ïZ´°—ícMäÿÖ•gnwYÕÜö œ@½n`/IØ ’å\îšödf2áL£Ï‘‚ 7 ðp/Z2ÈÀzrÅppR ­ÒéDGæÔišìÎS·$sS2‘ˆñYÑÁ4õÞ VxFxêªv¿k¤ñnÇônÍæNFj¦xPt“UO~Ss'd,‹ë6[}nh鬡åpöP™/«8™¼­›¦¸)=kQ¡{»÷^6Ùgn ‘HK´V¯ÜŠ4Á× +Ô!†C ÕP‡X.ó[|@‡Xy.Ôxy³o‰™&I8Ëò‰(Ÿ«ú±"¢ÓH7^Ö¾Zƒm]¯=ý‰è>3%õò{ŠexZV­‰}›µ«û|MÎá·0ò ˆ†¦¨+t³Ä.ë[ú%™8‚c|Þ¤ñòçã´ßÓ‹UVÑ Ùæ«âö‰ï‹Õ= )^hìROR në 2/$Ä%Êp©ÅM›M­­Ñe8‹.JÁöÈÝdíÌñEݬÑöëm »‡ýÅÖ.ÏogV‹5K%ÿºÅ õÊCï,Š§Ëªn):‹¡›äk8/%ãg6jSL¼aåÁB¤zj0¿^¢ ²ãsÉ4s¡ (¥ý›6ƒ"þNK¸âC¹(…’k;³_Àfó %î°ë95bH™JÚaH&$G‚B +(e±)ZR­‚AµßÜ ¿!:=ÒVuµÚûÔWù EuSï]0ÁU'ºS˽¸u“êÍd‘‘ùqÚ¸"y”X¿•‘oVõ\ú…Ì%msÀïü Ce±JO 052ÇÔd§Y3`¢¨Bà:ÞðÆ8¢RK£ãd+t"49Ä+¸©X>‘c€ ‚cÈI«ú+×üêòüÃÉôT„0,MYž0C¤w»» .(¡cü‡ á@*êp™½m5U¨b4B 59@)ç…å'’¼-í}k–mV~vñ‹dg}ü¥®6õòÈ=Ê\‰äËÿxA‰«àÝŒß÷yÓÁ•=7µj¿¸ +œ_X(,tBgjáHeÆE×ÔédM 4Å]•µûД)Ý!í] ~ïò*ß÷­éqßtêƒIèÁ$pTApŸ÷ÂSê³Ü`»Í¡cóOè’õHdÚ÷£‘QÉòÔmŽÏõé~;˜Në]qWTÅaPh^¼FéÛu=óïûÂ7ùã Ê3Z2¼s½§[/Cû!<æ—ìÓú¾ý´p1÷:âàn—m6ÙŽ°ä†·s5.e‰Ñæ…¤ `\5IÚ(5+Ëú±¡±Ë8Øà,¶¥gA™²X³‚ÓÂŽ<æ<àkt‰+ °\Ñ[o^zÅà,oŤ½ô¥7¢G¾ùél÷Å"©[H)ç:A„L«|®~B}iH·è¨³r¤«çåFfF4tÒûº¡å¶Ñ=±ñþ Ôób"y`âHÆO‚>dY¯=ô2 4•2z +5R‰xlt*<Hžë!’ºHwÑ ¤Q¾ƒÃ4änH¼J[ÌãyÜ?Š¡v½§õÒA"FûEÊXn|(×Á9Œ£™ÑÖ|Õ‘Gݬ±¢ZRzÂï ©aÊåòÚ½2Ûùma3¨Ùùi~Î (£„#Íx[8÷™mI xRKýÕ§Xšc¼b?ïIõ¤èÔ8* `ÎN€ÿ:o³¢lNBîÌ'Ùu7«]±¥úíÒòílÒ‚F o,¿6H¿¤:QߤR¨ º¨¦$/&­Jqj¡ù[|¹ûéø£á„ÃþãPî¨ÿ¡[f „%*蜌’#•Ú Žë%E¤u·„ÎÂ]ˆ¸À©€¶M¥ ^§gz Ž¥j·o kG®¹m\öÀ×]hûçäëd i¥a""áP’Ùÿsî)ÁÉÑFÁÛ´;Wý‘-€Ö/‡üß9±B'™ôOMªûaÌ£1™2 ¸a¬öŸßÍÙ™ã™È0ª³¯ä¯µï;$EïGTL`ð“» =ŒÎðæËÅ5î«ÙH™kÚ”IÙÝÉ ®>¤ådjèñÝÇË˳·4öP剞¨‹«[¼LÆ®cÈY4Af׃!ù0€ zglJÒ·?_àÀ 'ÌÅÍTî8€A™˜Ù©6šƒeât¤ÌáwÏô‚²(p]¿uì…›Ès<5}[‰ÎØôäÌ ¿x PÚã"|AiÛýMY¬hìzÀ¾&*ºe†Ÿª®¢l /¬—ag@dS¤x·ž»êuÅQûa B%«‚b7~ªóW³¨‚NAB}ÕŠ`¹À‹¶çúm$€+Ð(/Â#¬”«ðmÉ, w ©   >'ÿmA˜ÉðÉ·Q0ªçÅy9Û¬¿;Ï +í+‚l¼1ÊIŸª•ƒJœÐ Œ/ïñÊ)7¹ÚÝÕáùÝí;ã&z¾ŒÛÝ1^9·áu@-îÊÁÛÁ#$œÕ’¬¬‹†[bî³uР©$–YY¬“+Ï´%k>äÕÜqöÇ=ýH>‰””ó_ó|zì’ŒýÚ}‡2$b_Ïì›™¬Í<0¬ ¹Y×ð©¦ënhn臺`Ò}æš~¸€[ŸÂa„W/”¥~ZÜ….º®üÝ!ÑMº¡ÀDz Ã1%½ƒ|­YÒwƒ/%l‹WIè°ºÏ5 }Cîö+9Œ¿ù…ß*\NÜÑ”uIpèÎ> +¯R2Ï9p| 3&jìßnŸ„dš¬ÃxeÞwßî-åDBΠ0ð…QgÏ['±ŒKûjãXk»;Öªì€[ÝäÓ¥{ÛÁƒ¿eG^΂û ŸË)ÿ<ûÙÛEAG&¦_ ..š¼:oÒ¿w÷ìØiHW;£Ëƒ¯ }¶àZ§¯7š0f¦P©Ç&Êb‚¨a7Ù#gÒ®}bÏt‡Óî[ +ß>ùã·vÝÔü‘ãe]£­œ©”fÖ艥VeÖŒzóIÖÞàgÕhUâgÞŽÏýàí¤ŠkÇq]ºl‚ô?‡-9Ÿ~yFiÐðµî²Ï}ýf‘Cw˜»èJ"ŠmdÊ›ëzw]ÕÏcÙìš¾»LZ~~˜Ø®»8óÎýkXÿg¦Aä;üåûéÿ'*N ‰´ÏÜ–+n˜•P¼R¸}L»ÿ:TýÿÓ’«1endstream endobj -1039 0 obj << +1043 0 obj << /Type /Page -/Contents 1040 0 R -/Resources 1038 0 R +/Contents 1044 0 R +/Resources 1042 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1031 0 R -/Annots [ 1042 0 R 1045 0 R ] +/Parent 1035 0 R +/Annots [ 1046 0 R 1047 0 R 1050 0 R ] >> endobj -1042 0 obj << +1046 0 obj << +/Type /Annot +/Border[0 0 0]/H/I/C[1 0 0] +/Rect [116.0003 603.8664 166.1092 615.926] +/Subtype /Link +/A << /S /GoTo /D (tsig) >> +>> endobj +1047 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [399.2874 719.9611 467.9594 732.0207] +/Rect [399.2874 494.5894 467.9594 506.649] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1045 0 obj << +1050 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [461.1985 544.3622 510.2452 556.4218] +/Rect [461.1985 318.5752 510.2452 330.6348] /Subtype /Link /A << /S /GoTo /D (DNSSEC) >> >> endobj -1041 0 obj << -/D [1039 0 R /XYZ 85.0394 794.5015 null] ->> endobj -422 0 obj << -/D [1039 0 R /XYZ 85.0394 703.9029 null] ->> endobj -1043 0 obj << -/D [1039 0 R /XYZ 85.0394 675.4275 null] +1045 0 obj << +/D [1043 0 R /XYZ 85.0394 794.5015 null] >> endobj 426 0 obj << -/D [1039 0 R /XYZ 85.0394 595.0025 null] +/D [1043 0 R /XYZ 85.0394 478.43 null] >> endobj -1044 0 obj << -/D [1039 0 R /XYZ 85.0394 563.7177 null] +1048 0 obj << +/D [1043 0 R /XYZ 85.0394 449.8913 null] >> endobj 430 0 obj << -/D [1039 0 R /XYZ 85.0394 407.1582 null] +/D [1043 0 R /XYZ 85.0394 369.322 null] >> endobj -1024 0 obj << -/D [1039 0 R /XYZ 85.0394 381.6476 null] +1049 0 obj << +/D [1043 0 R /XYZ 85.0394 337.9739 null] >> endobj 434 0 obj << -/D [1039 0 R /XYZ 85.0394 250.4371 null] +/D [1043 0 R /XYZ 85.0394 181.1837 null] >> endobj -1046 0 obj << -/D [1039 0 R /XYZ 85.0394 219.1523 null] +1036 0 obj << +/D [1043 0 R /XYZ 85.0394 155.6098 null] >> endobj -1038 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >> +1042 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F42 601 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1049 0 obj << -/Length 2026 +1053 0 obj << +/Length 2906 /Filter /FlateDecode >> stream -xÚ­Y[sÛÆ~ׯÐäIš‰6Üåmyüä¤NêN㶎O;sšŽ‡&W6'©’”·Í/°ÀJ¤Ì+MÇÄb!,.€%-§üÉi‰(QÉ4Nz2œf«‰7½…½7É2 '´èK½¼š¼x©i"’HEÓ«eO—žÖrz•ÿ:‹„sÐàÍ^ýpñúüÍ/Oçq0»:ÿáb¾P¡7{}þýQo.Oß¾=½œ/¤åìÕ·§?^]ÒVÄ:^ž_|Cœ„ŸQzyöúìòìâÕÙü·«ï&gW;_úþJÏGG~Ÿüú›7ÍÁíï&žðNïaá ™$jºš¡/ÂÀ÷§œ¼›ü´SØÛµ?Ÿô„ò!Vøc ùÊ·ü_]™v¾ð!$¹yïyª29-ï‹î®¨ˆNÑQP×χô´ð/#PѶ0÷,Õ?T…p–¯X¨íÒάLÕ¹#Ê’¨CϺ*†œ4ËLÛ7%¯»ŸÞ,+ Ðæww)«\¥]vç˜fÄlÇBI/|Âl%¤ixDÒŸ½|@Ééò!|åb¥I*+Äá+ª[‰Ò3x$³? ÀĨ—ôD»ìV›®x«ÚQqÜ[mÊ®X—ÌE+Ûç@ûþ,/–s©gKÓàÃÆEÜ9É,O»”xYZqÃ[·ÅÖ0 ãˆÏQu‰ ïsë±7ôtY7TæcºŸÓê½RAQu¦©Òiâ¦U¾ß6·wiÄ…uCv]‘ß\¼cžé6k±³J‹È‹"kÕÛ´z@Ÿ O -42Ö]QW--\ €,ª½àÀƒHÈ0ˆNÉc°ø‘оÁ8ꦑ–mMÔ ›µiMN”«5+7fJ¨E¬cõh…ZÚaÓ¸DXo+²E"ð•t饞š®×X„*I¸‘º¿³AŠpÒÖå– ¬ß7¦)°XIð)ÍU‰Âµ)ƒ‹ÓÈ€K+ä6‰‡àËfz¯2w½u· ϶¨‘¸Á̤ôŸ` ¼8‰>s077lMY¶iÜÀ@|Œè{"ùtsÕM -8¼2 :Ö·¦Â…¥\ÙÐåà^Û=¬±ÚŸ¸ä²^Ô‚¶¾FoZ¼v¼×Àk1Ü­þ™Ÿÿ!Yøy,ðŠ/ÚÁÛÔì"@Þ3wÙFë?m°üPè( ‡eùâ‰\ÙâCª½«7eN4¿³!YcB‘pºiU™î¾n>ôFG¾öç‹Ý‹™bðblÿ^èb|:q -À·ÚáÀº›z‹(²‹Æ¸ÚbËËÖ4Û"ãÖèc#àص–õbËC¹ÓoSÊÕŠŽ™û„ ̬yw¼Å ðb¸‚;4Êc¿Üäö^oÏËó^¾M;Ô?tnmÝabÔ¾¼ *=KžF Ô‡qÈhᨓ1“—Ey |áìùͳ®Ü1ýŸŽØÜ¥Ã?D½{‡=õo÷ø¶7·G`©ê®W †Ëâæá ëÆl‹zÓîóþ…õ3â¨B¸4ËMûuàB2píôWõƒÙ5EÖ¹(ý›ðçÛòÿt÷µ¡ßÜÀPu«þ7©¯.•­ãäß)—‰^ Œê?¢ì|Ù±—xx_ÂíÁ}yU>\Ï<X;žÞõ¿~x³7MºZÁUáñxÁ”‡"ñ¥(¤®éƒ¡ÉÞn{ñⲄb<^ ?Ž£¡sPõý¿X< kƒzݵ­žë²h¹$?Ñãd,»¤«kÒªÅïgÿ\ì©Û¬óÔõö¯°Ô,Ö5àvè)í\ÓÎu³q Bãr[/ _Ë¡Òb}VrµÔM·cïÐ{¤:^vg“ýѧÑA·Ì>,-Œ‘÷^èݧMõ×2-Ê¿ŠÛªn ðdÏ¥±öPø•}äóº·«¯þ˜¿ÿOG _k5þ^Åp“Ó „B?CýÈr÷Õÿ±é[–´¼endstream +xÚ­ZÝsÛ6÷_¡ÉËÑ3CI\žœÄiÝiÜœãÞÍ\Ûš‚,N(R);¾›þï·‹ø!Á•ÒËø˸X,~û™Í"øc3™„‰âj–ª8”“³b}Íîaì»3fçÌݤùxÖ›Û³Wï>S¡Jx2»]Ždea”elv»ø%HBžƒ„(xûÓõû«ï~¾¹8Oãàöê§ëó9—QðþêÇK¢¾»¹øðáâæ|Î2É‚·ß_|¼½¼¡¡ÄÊxsuýŽ8ŠÏ½¹|ysyýöòü·ÛÎ.oû½Œ÷Ë"ùýì—ߢÙ¶ýÃY +•ÉÙ#¼D!SŠÏÖg±¡Œ…pœêìÓÙ?z£Qó©×~, +¹[P¦>J&‚ cÀ?^ã^½ùŒ±PIÉqj4›ÇY¨DÆ{+s–‹¢(x(õ#™áS—wz­ëŽ^ßé_£ˆ×eW65qòzAÄÏm~¯íBb¤¬Ãe˜&"5ëÜ®t¯Í0‰º)Ë`2Î1ËJ1L0a'µƒf"bAÙâô¡×Mó¨·Ë]EÌ·ƒì¥Î»Ýöœe¦‘fI ä(bt«ÜJ®t7•]çkûu«·zKܼn‰î'¾»þDï¿ïôö w6Ã,p¤ýQÀ^åuZjR­îª'ø0‰ƒ…ÞèzQÖ÷ôŠFÇçãªABÒ®‘·Ÿa@<‘<¸ê¦ƒ›|ەŮʷNì®Õd —Í–ˆr½©ŒAûåÚMUZY´äén·iÍ^"· òÓDz[5; ”Uþ`Ä Ý5ôÜžgÁÎÂf½«ºÖ£7²cöb³0V\±—y±ò †Çà-ò(`xÌ”0Œƒi ”5‰1sdÀ%ä#eÁšdFçßnòÂò-R€z,«Š¦ÜÙ±V뚨»§É:íî,9]©¨JЬ0• .,^Б5Å ÍÛei°Î»b…»À—ìâœÆ…á°eÆÊÎNjrܾ_}´/„¿¶¥/'¢;縓€Ãe2.bkcŸïÅLq f²Y"¢P¦<>%jòPeYæ™ó^â|,ò0 +„L'aš2üf9Ž!¿k=þvH“ÈEXc¹Eç¡”*óA¬õh DAH°’Š*‡h‚Î( a †ÄB·NrJÈ@¬™©c¬!£Ç¾<ƒ5P4“ýÊÏbM†OÒYQ$a)ÿX³çc‘>¬AÕÂd2¬ü'`Ë0‹óo¨¤“xLIÅ ¶NU|ji¥Š æÎÆÏB-‰Â$É P£Ä1‰o€\¦²x‚7,æ¤ +®P'!‚ºéˆh7º(1®ëÅKàÈ8¸k:_ú€B”ÌØDÉç1Ÿ@­—¨Ô!pîÉHp0PvN$ÙšÂOúµÐËÒ"í“&>L¥Æ€àwaÌŸújŽi‡ƒ=F^¥1‘Wu?Ö—mÊæd€ÏŸm¦V” öåø¶ +Ù7…2æTë‰0ÿSëAÇR~õ2ü„÷(w­Z»¹.ÿì+6çB²Ñ½&Vü¬Ÿ|«ÀV;ø=®Jðf*«Œ‰š‡r‘ˆ ·ÕÙZ«¼.Ûõ¤ÀÖs€ãÒ7Òæœa°Õ•.ÏM4Õˆâ)ì”fª­QP[’öŒÔUfä ®Dô™Âínâdý­.vÛ¶|Ð󦮞|è…œ¹ŒîÆÓÄÙ‡§ Ì%1‘T"ñêmex0»Ä˜ÅrÛÙ—d㵕è|Áˆrx3CTzõ“FË¿±ªNÎ{d\IӘ̹AcÖ\`-o^—ôì¼ 4ªŒ©Cã0NÓý2´%¹¥}¶å}m µ#Ö¯œ§HŦ®F_÷=21¬ €ºÓã)mS= Ìbõ°#¸hêNéú­kAABÛ²çô Të¨ä¶Ïck0³è#ÿóÖHxêLf¡bKû´•5sH&YÂØ´'øwCu;ø„+ãôŠMnéÜf¢,qm!¸§qjH_ƒ'zÌÉ‹bgyWÙwãår„YäÆAö˜%¦f°­ó +é½[ dì ¡qënBl/KM³¹-ÁŽ‘ú[hš½Ý퇼Æx(Z +çfÀØPâ3/Î@–õ0Ñð8 ™Œ:!ž2> 3Á=GÙ6™Š>™ +: xBõµ Êùš™çSêá4Kùñp ûB¬×ÃOìÂì¶v5Påß»BÉ7“Y”r9¨Ç•1PC($¨ /eJÓÝâLØ R™ HÀ%ˆX¦Á¿zau3L˜÷‰¶°Ì¼Úi"K+ÜÞËÑuÂþ¼z +Ø!ÞzŒ +ý_œ¨ãÇ #ö®Š­Z±;IejzÒâ¸ï˜—”#­»Â”œÊ–!H¬ò=A/f«vî¤.1ÚØoýÛK]ÏpÿÁNÏ,ý®_Ûk(H*6ƒ0­ÊÖ«Míh¨­TôB×…å5æÚ¤6Nª þ@ì…ž.æ'9fÄÊ›Eư∧aäŸç’;„[ÐÎ)wWœøSkùÖC4º4 DOç–öéÀËY<¾ºžNƒÝZ/¬Ü릳«[wŠÛ¥˜Åê¹ûüaPz½3• jEIîw +d!îØ‹´¡¼-‡ó¡`ÃW×.vÓÌ%¥%Šf½)+½˜»#àkóßMóI¼Ô½Å1û/Mëi‘œqtBdŒcå«A.©ê +0Àjx´÷ô†¤Mrœ¬ÆÇ»âý_o¸ðÃ(3±¡êÄUÝà®k`vYÀ©Ú#Ë°ƒÛ Ë™TwgŠÔfŠ¹c@ÖÕuHÄEýä-Ùâ2€3–‰AcA©úndl,”<‰:¸|SÓ€±ž!š TúAWÄÔ<šÄzï¶öJ GÉÒD÷'og·åÂ"cáJë4L%Ÿ†3SÕd¥Xxâ…=Qt¿‡(6†ÏÆÈL‡ õ’îk)YfÏE –rˆ@ê¤Ü)•y²ȶmP.åfQ¿{éÔ<pÑû8—F9Š¨­ýʦ¢ì¼=j¾R©§};9XGyfØ[WmD&Dyì9Zq€1Þ–%Ï,lƒ†¦z^—0ÞÛ©(Œeõö•[u™Nlš¸QÄú^-P:³Ô“ÒØ*ºœÔµÝÓ½ýH‘k废’´-£w­½ÂÚïk †Úê¯íóïž;bص£,ÞÛ6»÷Âû/èý¿ÆXBB—)÷ÞW¯hÊ­q>¤ÚU³«DÛž Iü=ÅN6½Õº{l¶ŸG©ãàŽ¥o$Hó`Qhþ^e¯‰A¿ßšR¡‚p8ÑîãÖ^AáËv¸PIìï“ea_ÐG•œh€iÓ«­•‹!ç=éötr»Pƒ è,s8„™Qoe‡,ï}án_)·¤ýjG?’šõèwÝNåO· U[·0|po‚ÊH“ãhÿÐ-,õÚÛ„–Õžð¹Ó+\ܽxm=×'ÿûãû¨w=ìé¨ÿ0àÛTn`1—î½'hëø;çä87[ýP6»v8÷¯ôÈ'9Â^š_¢Nõg’ÉÖNAÝ|5øݶ,:g¥¿ß?¡À âŽxþe$êÿ×ãÿþ•á¿wâ4Y6ü²´÷sÜ „X¥Ð&2;ÐÜý'Ë¡êÿÎßcdendstream endobj -1048 0 obj << +1052 0 obj << /Type /Page -/Contents 1049 0 R -/Resources 1047 0 R +/Contents 1053 0 R +/Resources 1051 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1031 0 R +/Parent 1035 0 R >> endobj -1050 0 obj << -/D [1048 0 R /XYZ 56.6929 794.5015 null] +1054 0 obj << +/D [1052 0 R /XYZ 56.6929 794.5015 null] >> endobj 438 0 obj << -/D [1048 0 R /XYZ 56.6929 195.5375 null] +/D [1052 0 R /XYZ 56.6929 731.1791 null] >> endobj -962 0 obj << -/D [1048 0 R /XYZ 56.6929 167.3986 null] +1055 0 obj << +/D [1052 0 R /XYZ 56.6929 700.243 null] >> endobj -1047 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >> +1051 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F42 601 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1053 0 obj << -/Length 1020 +1058 0 obj << +/Length 1065 /Filter /FlateDecode >> stream -xÚÝXÝrÚ8¾ç)|vFZK²lkz•fI6mÚeÙ«n‡q° šÛ•Dúî+,cLbÀ¶³ÓaýXßùÓ‘ôIÈqÍ9!….až0RQg4í¸ÎÄ|»ê r X õQo_/}ì0È|ì;ƒqMVÝ0DÎ þtvñûùÇA¯ß˜ºg>ìê»go¯o~³=Ìn.¯¯þîŸwïlpýáÆv÷{—½~ïæ¢×(¤Èàq)a àòúž­]õÏß¿?ïw?ÞuzƒÊ—º¿È%KG¾v>}vظý®ãBÂBê<˜† cØ™v–\Ý9z@n«kÓr~¨ÐÕd 4‰b!ùHg²\y¤ï†i4åå¤aÃ0`›ÊÖÛ&-OžÕLZ!ËZ!Ä6GI¤ª]u \¡6„êy¾š$º/õ—Ù¶10J’ìÔÿ“-–YÌ•N#=º&&¡lÿ÷!°Â¾Î¸ú–Ù¢Ö›’ñ5]Œ#‘,Ä$Í$ßzxãW° -ô#XþïYú¬Á*V» Ò•ÿ[\}Z‡ÖÖJP-£í“´:Ï«J}–ÖAÝ·OLJDú:ÔšJá-Tª…Z| CÿKVž&+oZñ0?€$À¤¤;ÞºãHw*U‹Ö3»ö31sÇ#Fãi™CW¸ÍóFƒÃ¶sJÛˆýçä Á¶½¡Ã.ƒQ盧jš‹3ٜԙâ`kôª5±ãóSÝNµ|6o èµ·…Ÿ…ñ7=ü“„4=Ó˜©àèG¡õ‹™g¶É0ÄÕ{Gjï=ÄõaˆY°2jéeÏ-¯^^šþ/,÷CÐendstream +xÚÍXKoÛ8¾ûW9Å IQä”flŠmºëzOÝÂ%Ú!ªWI:±[ç¿/%ʲì(ŽóX ðA|}ÙáGÎŒ‘eë²| +m8–8ÚˆZQÚ³­™ž»ì¡z X/íUF½“ [ \ìZ£iK–mßGÖ(þz|þÇÙ_£Á°0µ]ØÔµ?\]ÿnFó9ÿ|}quùÏð¬ï9Ç£«Ï×fx8¸ ×çƒ>@>Ek .®þ˜ÖåðìÓ§³aÿÛèco0jliÛ‹lRò£÷õ›mÅÚì=’À§ÖîضҞC ¤!둤÷¥÷w#°5[A»üG‰©½R¯å@„mØN`y4€.Á¤òàÉI¸¶}å™ +yƳ™éçY²4­b>Ix´î…QĤ䓄™þM.•„¥#´6!PŠ+É?ó¬^sÄaZ$ Fyzd†~U@ß÷‚mœZ5. ¥bât[¸9ø)Ov„¶Ð‹³0ñäÈ`@§üûz’Pè»”vMž\8Øj†§å控]럕DÁD³ÆÖû3KR|Q¡b)ËTͦi(Œ¼­“Ðâ0…ˆP²ã¨²5δîFI(å–¿ J^m¹¢Û_žçn&I~~Ì™X®¥š3c¡uœ†*º'\*3~o>§]§kd)frÊÄ+Ä¡–¸yk¾Z7#¹æí¶¥fflfÆb¾&„ð“e²\ñé¶P^ŒK-ëÛ’ Õ o:§š-øðµNè¾ÓeÑ ‹¾ƒ’-5Gþµ©}Šl5 y²â³,L¡=&Åã"¦ú> 6Õaá¦âè3¸ýXµ›ËÃ@¨µ×Á ³“&>ˆ¹`‘Ê׺ÕM•ДYE¼*«ØÍÂdÞ²®¤¢¹;Ââ˳ŠwŸ¡€:<5<}•šï$«ÀoU ÿ7«À/Î*ÐûË*ð ² +ôYEY#Ƚ¦þÚ¸¶]XÈ£W‡“´‰çM£}J§ß]…µ®ÙÊj¸£ ¶›zíÕE÷æ ]ôßÇM=íVGlú8ðÖJ•Þ¥Á®æMuþPõÿ¹endstream endobj -1052 0 obj << +1057 0 obj << /Type /Page -/Contents 1053 0 R -/Resources 1051 0 R +/Contents 1058 0 R +/Resources 1056 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1031 0 R +/Parent 1035 0 R >> endobj -1054 0 obj << -/D [1052 0 R /XYZ 85.0394 794.5015 null] +1059 0 obj << +/D [1057 0 R /XYZ 85.0394 794.5015 null] >> endobj -1051 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >> +442 0 obj << +/D [1057 0 R /XYZ 85.0394 672.4064 null] +>> endobj +965 0 obj << +/D [1057 0 R /XYZ 85.0394 645.0635 null] +>> endobj +1056 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F42 601 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1057 0 obj << -/Length 1196 +1062 0 obj << +/Length 992 /Filter /FlateDecode >> stream -xÚÍX_s›8÷§àѾ)’š{JS§—Î5½sÝ—ëu<Ø`[S ᤾&ßý$˜œ8IïÏøeÙ]íþ´Ú];Hÿ°Ã<è ".(d3g± g¥¿½àJÔB -õj:89÷ˆ# ðˆçL—-[>D¾iøièAGÚž½¿<¿xóqr:ât8½x9„¡áùůcK½™œ¾{w:ì3<<ûåô·éxb?y•W—¯-GØÇ£“ñùx2¾<>OßÆÓ&–v¼¹&¯ƒOŸ‘ê°ßt…Ïœký‚ ‚8›e.dÔukN<ø0ø½1ØúZªöâ‡$®Æê>€Œ·ô=È|ä;œ è¹Ä-Üß@ùr€‡Ð0ÙnæQnéŸMˆz€1Œ«´ 6*j±]¤fi>KÒ¶ ú>w•o“ą d¸¥Iµº¡fIP;³ˆ¥,ù½T¬µî-vY%¿–IaW`PpîÕr6_–2®äT‘Ëdõ@aG« iÒ$Þ=gGq±Ž_€‰ òûOÄÐu'7Ë@Æ7r•¤y¤y¸¶Q>NNìó2-,q±Éâh%EÂ^8q/œôep✪ØÎûà´¡qœ^ƒ¯Û(ßÕ6ËG†y¤Ôl‹õ,–ªŠéöGÂvdžõ;”A¼Í¬€¥gif¶ðŸØç£r©J»4ב„û¸ÌJ7K™«â`D¤­åͦLôSf3²efi^¬Ùû—*³ „•Òmÿi.ϱzÐÔ÷½ë–ª”Z{{Ó¨=êØ—h×!î‡ÒéÃ)ƒ›âUäA¢–QdG@&Ç–°¶ª)}Ç«fÛyãw[øýhv4~¨t›/¢=Ô2£-0oJ]ìqèrBµ È©ËJ ?íO(sZü=¬S¤¬,˜»Ð¥¢S©;~+¯íšwß5ŸAW¯xÈ5ïY® ‰Ox·ðài°íÍèßè}ãxÝâÙãÛ£Ð$ ÁŒþPè´A=St:åVEà zMÙëM|ÓJ€*t­T…\¨c*¥EDɸ -bÊb§Ï™.úíÈÓE0Ô±]{#=Ï,u÷Y7ÑàÖôµöjOžž6ráÿýÈUõ¨ÃcÂsÚþ·Úßñýÿ?·ã^íIßÔf=99§Äil-c”Cä1¿¹1ªA•oöJóAërÚ´¯¯õ¤…H"íìd8AZ⣠-VQ³Ðþza PPL[ë@\­ôG³Òt$4¾™žò:—'}?ñ0Ž®ÔÜ£ü˜Ë“+\Èï\žž§U»ÑÚȃX=¤mUd­qרCºiûŒÒþ‹™ PøÜñunÍdÊnK–ëîïê*Ŧk*eC¥Kª) „zÃu ,3°ºhz‘f;+•.-§¨M˜Bk?éC×ùV剱Y¦º–qlYóúÓ<ŽzÇ›Ôn|–°?L¯dXeB°-Öi.MC¹ªY‰º.»y±~hB°›,”kLtÿuZȾl¯¨æâùp ¤Ó¾Ë6jNÖ‹¯öûÿ=ôñt}Ÿ4Éqgà ÷!õ]⸠[åÙB÷þx¨ÿ¨¤Z®ÿ GôÐendstream +xÚíXKsÛ6¾ëWð(u0IŒOŽ+»Î4J«ª§4£¡EHÆ„…€b+‘ÿ{A‚¢(‹²%GÍôñx’ØÝo¿}x ì óƒæAîøÜ… aæL’rfæÛuWgÀúhžz3êœ]yÄá{ÄsFÓ†®¢ ÀÎ(úÐõ =£u/ß®n®ÿ^ô|·;ºy?èÂP÷êæ÷¾Ý]/Þ½»öî^þvñǨ?´Ÿ¼JÇ››Á¯ö ·Ë¥ÃþUØ\ö{Go;ýQíKÓ_ŒháÈç·ȉŒÛo;R0çÞ< ˆ9'NÒq…Ì¥tý&îüÕù³VØøZŠ¶ò‡$ÔpµK ód +ŸqèQBK“ðȇiâl”ü*zÀC¨›.’[‘Ûýyá¥10†œ1RËé_Ü~Ë]‹ûöJç2=ƒªöFe‹|REîÄœ»ã0Šò5ÂB{>¤>q +è»”•~)?1È}ßsïl…çY^ù$çã̓Å°O¡yøâ5y»À©±Ws÷sÆ1$ñ·#ÆGÚFÍ Iã>$žé[´µ`{‘:‚8$˜6¦F¡éDOÐ-”{Ù«+¢5ímíF7cÐÅ>9-Ý6½Ó Ú*úà-òÜåüÄÅÃ!%þ“òùš¥(j©´œ¨ÖžÓÊsêð6TâÀæ‘Èäbš uWvÃ#ºèQb¸aMçËãm+´ˆµI¨ôúX+y€p>߆ùX«$rŒÜ:$V¶ØÓp f‡ªŠÐ7[¥ÝVª—óêüLõy3k¶Oe|hð"‹™I‘,Y/O’ɘ|…j“ñ÷až®¦¡ŒWr–f¹Ø$ð¹]ÎÎì:Ȫ ¾Iæ±HDªE[é$­tÒ<¡SéÅí~:Ã8ÎîÁç…È—kåRÔ¶Pjœ„zr7ŽM™Ù÷§¤­-f2Œs{ÀîÇÙ¼áç#rišåÆ“hãWai5•¹Ò/xTIŠ¼ÀÄ6»MÝÛËBX =î™÷Š:VϪú¶nw•P#¶«ZìE`õˆVovÊ¡½?eN; :äþfLzúÓþíý9eþœ2÷L™¯›¬M%gàKËHꥩ3Ó8ÌÓ…zðÈ…èÈE^3rá>rdFh»}¡æ¿JÛîJÌoeú»of6×V®izA@êK—6.]ˆ@70J*På¥ÚA¾¾ÂÙ…þ/%gËendstream endobj -1056 0 obj << +1061 0 obj << /Type /Page -/Contents 1057 0 R -/Resources 1055 0 R +/Contents 1062 0 R +/Resources 1060 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1031 0 R ->> endobj -1058 0 obj << -/D [1056 0 R /XYZ 56.6929 794.5015 null] +/Parent 1035 0 R >> endobj -442 0 obj << -/D [1056 0 R /XYZ 56.6929 158.6437 null] ->> endobj -1059 0 obj << -/D [1056 0 R /XYZ 56.6929 128.5298 null] ->> endobj -446 0 obj << -/D [1056 0 R /XYZ 56.6929 128.5298 null] +1063 0 obj << +/D [1061 0 R /XYZ 56.6929 794.5015 null] >> endobj 1060 0 obj << -/D [1056 0 R /XYZ 56.6929 104.1184 null] ->> endobj -1061 0 obj << -/D [1056 0 R /XYZ 56.6929 104.1184 null] ->> endobj -1062 0 obj << -/D [1056 0 R /XYZ 56.6929 92.1632 null] ->> endobj -1055 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >> +/Font << /F62 638 0 R /F57 628 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1065 0 obj << -/Length 3602 +1066 0 obj << +/Length 2980 /Filter /FlateDecode >> stream -xÚ¥Ërã6òî¯Ð‘®Š8x|TN“‰gÖ©'ëqjI´HYÜP¤V¤¬x¿~û’’©™IM¹\  Ñè7¤ -þô"u¡²Y´H²(tJ»Åj{¥O0öáJ ÎÒ#-§X?<\½y›Ef±‰ëÉZi¨ÒT/Šß‚wÿxûËÃÍýõÒ8ÄáõÒÅ*øáöîG†düy÷óÝûÛ¿Þ¿½N¢àáöç;ßß¼¿¹¿¹{ws½Ô©Ó0ßÈ -&¼¿ýç ·>Ü¿ýøñíýõ?]Ý< g™žW+‹ùïÕo¨EÇþéJ…6KÝâê,3‹íUälè"k=¤¾útõ¯aÁÉ(Mã_dlgKé0Îlry_ÞCÁ¾Ò4ÚAÞm»Ô: -3—À¥8gÂT%ép).™\Š6:´ÖºEâ²0¶ÆÒ­tuþ\"oÞ¼ì;IîWÖÛë¥UN¡ÿk›’UÇßœ?ûkå®®V9c¶ë“ñmÞõå~\®1Jâàa㩘 -’ÑÈ<µ›¡Ö&a¦T,xuÕõBð®\U¿+eJš…l‡I)L¶ל¡ t“© ÝówÛò1°§ƒÛ_šƒ»Öã k™ §ÂvWLšÛoòžÁýF6.bsÕ6}¾êe±¾%"Õ)q‡]‘÷ˆŸ¦AE¨ÐXµ»l%L@xyhx¦š(øˆT]ë`/³˜1Ø*ër[6ÃjyüîZn=–¼|“o…wY¬Î´oûÃÆxð$î‡à¸WtØÌ?¼0BQ®óC݇KGA¿Ï›n=LÈ–ÓREÉà5Û-Ãwí¾g¸³²3Ç4↜¿Œï‘ `’Ö(æ##Âc)€MÞ<•×(ØÈ뚇‡K¥9/DñZ¿TÍ“`󇈜!ª9lIôµ…m׃ŒY Á0  -Rø¢ø!ʉø­ÉH` ·áoΨ»’0—Lµì˜wtxÄZ£°Î\ª°MñžÑ‰È£½MUðöHMêÝW´kD‚Ë_?}Prh §•¶­`#­cÕoæXöê ©>Ý~àÖŸå ’•(Ü®”óu¾.¹M§ÊGcP÷"fzÃ8L94NÍŽ‰@JTÏPxÜW}Ë°bÈ“8‘3„xB°}„íÊgÖ–XÙ”"ÈOY$=1AÞ fÚêt£à©ƒrÌÞ%-§³‘£HP–s×óArÑ}¾ïQo• -~íü¬õɬaAÑ&ãÙ«v v¥`Ú ¨_Õ¬dªç íÙ5ÃI¸Ÿ² Ø‘.l#E‡w„øPm«,£ÌÈùÓÀ5H+öLp$Hl¯P šâXý&œ£á®íK/Ëh¸±%Æ@5›¨'Á`uî¸ó»rªjÎÔ*Ã~‰Í¡…*üÈÚOjÐÖÁJú’Áµú ¸à\mv¤vA„v%©g ’}@x,ɪ@‹tFx·È~lÁS,kК!`úٲ᫠8 ž‰ü˜aˆ1øŽA< MþƒÜ‘ Þ“{EïóW¾ÝÕ%ÊH–ÒÍлElúÛO3æþ+Ç1ÀI|cœƒèÇdÈ¡ø}?xBòŠ5ç,˜€8)VÖ‡>Ûêiƒ¬‹ÁùÔ9 -³3¹â8õq€Ð—³KExÕ£cÒ )F[× Â3gÐØÆq2œáÍÙ1 ÐIÁÜJÆÅc˜Ìøc7¥¸›×»Z&'›~q5+›ÿ9XA‹bùœûzl¹Q—=‡Ø!I¶©Ÿ“x&Z7ÐÑ€î¢F}l;ö¤ËĆ ‡ÉYÜ -nˆ„T%A÷Ú¾í¸óXn$XM¦A©Ûc-íjÍß—öÀÝ¡g|­C”oðíÉÒr·ÐÊgíDâºRTbûHÐZ¡×ïi2âTŠ÷nÓþÛÒwB8K -BÛPé¿—jø)s PÍR'ý…\ÃEQAÈŒé_“j] ZÖÛ€±«1°üh‹©C.×°ýÇ1±"Ðĉä†2éU¹ëQ"r\O¾ŸÏî`mƒbÂø³~ÿî [;ø=ú’û²;ËDAwÈìphU @óât[9`Œ5DÄ2/ä¬æóF€l5ª÷¹çhÚþ”G=øÆ/x`—ï…D‡ñt@ãÇ»Oß §7¥°d ÕÇE×eÞ¦ð!ÜZ^Ô°2åþ3œ­ÐàavB欛fØhà€"hZ /#tqC8@Æ AÀÁĨAâì£à©>Þ4BNošÇªfŽá9[þð©éÏ}…£ßû×Â铉„ï6cÿlãFoÂê€qQ؇Ì c”4Ã6 -iÁ–¸=xRÚE’R¶‘·QŽ"w -ÃÛ2'L P{Å?ñíVŒÃ*ç$­7è11Áí¡.Øž<•Þª!‡ DY¤àùû&Í!`t.²àhççotÈˇ”VÙ ¶×>ïA…=ò‰æëÁxGY&÷ŽÀŒ?’ÒÕ_°H)YzßÂ7åg‚mÔú"ïÅÜLnL@á t×åÔeƒ½„&¥+d„* Z'¢ -ñ Öäx²/UàÝAÀ^­'¶h8ÌÏæHœd'È8¾èäü9ædPÈn7yÇ uÉžn›S+Jœopü• דÚçÒ¨lR³S>åPbž „'4*ot±%3h±¡iÙ ËËB°YZlÁ™à®k™âC£¹{î8”l±†D’Vu ”œý<Ýôé$»c­ÂªY"ŸM7óý.ŸË)uÕ²]¦å2-_¦åò$ DÄ7å¾Ék† -Ÿí¤àJ“;Jt<\9hÐpëv¸u!^è9á0«¶óåJÑHË)Ù4ÓùÆôiÌÉ´ÎB‡ùì×/:L¹˜“éD…&2Ñr2“ê02Îy†ó}ñUiY¢‚ßÁ}òŸ=å ¸ÇELÅæ]±!Á×F_Ù1NÖÿ ¥Êq!_ -“1£>Tá•Ï2 ô¾~MŠâ0±ÚKûXF:c¥‘ AªÔS.‚¯T0G ˜ª—ÝÜsUêÂ8Î| |™µS¬3.NAUÃ;ä3ËÇI¨ „øâò ú€™i}¦·MñÆ›“u-ð%Iíéºóm. -ƒæœ;`;2ÁqS­Ð -9#eóë‹»†XDÀï%é.Y'B†„¯t™i ]¹ÙçœÑ_`[Ü>ÄðƒL2âI| ¥X)~#@P;ÃÅaœféWqÁ‚iH’×2‚«WÓ§F—œd'žC ÌÁÄ5ù'¸r»ë_ΟëÖ³÷¦M|Å&Œ“ÌNÊw¸,qª°‰¼…PÉVüð™NÒ¡t‡iÛSÉ’7-/;AÊËŽöÕsí«â4W×HoXô·‚ÄœâŠOAØÉ,½âD~ƒÐ¼ k{ -½Ù?¯%à™œöàùór:ã¼Bµ;J çž—áÐ:~eB~l{Ø(D3ãnTQDÀ‘R#ew„°?$Š*™EÆ„`ä"á%O#¾Ç w‘±gåkz&ÂÔÊøäÎrݳ"¦[#9š¯tà©nÁÙÎuªõ‹ÍÂÔú„g¼4l}.é=QBxî2XŽÀÆ.>³PR;_á{Jg”zéÐk%”ÅáÀwÒÝ3îsEOÁ° —ÑG,óâ°ÜN$¡gä£oHBû\¦:„'BäòåàÌe  k½‘P>Mpâ9[Êc²OÊéJÜ>÷ËË4øÆàbŒXÎóo,).F+Y:è}!Xѱ†Ô¦Ätpý#•/êUSõò¥æ5h„<ô¶­@¥­ñ¡ßÊÓ1ǧc@<FŒLôrQ@"‘æú¨(œKþÍ/ÏÆ¿<3HOžÃ;T$›ñ› ¸g¼Ò›“Ã@ið-ƒv¬u!,Ÿ›Ó|VÎ1½—‡hlPéR¿´Á¶í$E%)8ÿ{)b ¼q

¶“œ-Å»ì¦å¯¿û ÏŽp®ª;+<“¢ÁýÐXÕ9½ CóörôÈl3‹‡ê¶Á'¶]U—Å’ -ä§,~jñ'2ÙôÀØ›ü<ÈòUa– -ÉÍ;¤ŽXd†ŸÕdRX¢ð:·w<.µ…Œ„ßÇCU÷L_6Ð7ëeÓKæc¢˜ß¤êøc7cb°˜%i4÷“8øʾùxã¯#0ijÓrêÀxsˆxÖ…¸r$~ý"g ©°&¤ÿô¥Àendstream +xÚ¥]sÛÆñ]¿‚ÐL wø?ÉŽä*S+©¤¼4ÉxNH¢–E3mÿ{÷ë ÅN= öövïöööóèpÀ¿p–Å~ óh–æ‘a<[l.‚Ù +æ>\„B3·Dó1ջNj77‰šå~ž¨dö¸­•ùA–…³Çâgïý_¯~|¼¾¿œ«8ðÿr'÷îöî;ÆäüyÿÃÝÍ퇟î¯.ÓÈ{¼ýáŽÑ÷×7×÷×wï¯/ça‡À¯d…WnnÿvÍЇû«¯î/}üþâúÑe|Þ0Ðx]üük0+àØß_¾Î³xv€Aà‡y®f›‹(Ö~im1õÅÃÅßÝ‚£YbÒ_¬3?ÎT:¡À8)0 2?òt–ƹŸh¥Iƒýq[^Γ ð–íî`vÅ[<Ô,öó4Mfó0ôó8VD*LýKmSÿ³¬v]£ñÌLr–»Ž‰þ W𭶟LQì¹mw=C€oùãû¾0ý÷l ¶„¢¬Ë•é«¶™£XÌt,»OíîSÓŽe›«Üϲ4?qXUi?ÇËCìïm#ÚAèSc62\Ô¦s‡AFËu²è Ü3ñ¬$SL,É››HÍz‰‚E©$qFDh«*"ÛåCoúrS6=¿+ ÕT¸/cLS0ðSgV¥Ûh°T@vF£}üPvú‡Ûéñ2ýnËîÜÂØã4šÅ ¬šÂ:_á:×~¤g^ðÿqYAFWùªÌÀZZŽÓ¥æîPó8JàÂðS¡¯µŽáð¡Ÿ*'%nL×—;Q¶‘§)Pƒ¿Dö¸FÝF±×•»g 8ñÖ¦c¤á¬Eð¢Ý™ª]2¦·K¦7<¾w6'æ‚k’5Ñ¡ªkF=Ù©§ºœrå¾åûßî.ÃÌkŸ«B Âìûu»«À«g‹jºù<XªÞ?·™B“J ܵûm7†¶¡!O€„1Pþ)#ŽW@ëÀÏ’ì‹F S?ÉULŠëjó\~Ñ®.ç:ˆ…ÀDn ‘UÇ_ú€r[W Ôh£yk)vˆŸQš•½t{*ȪJ¤`ÖnBZ8Q‰ÐÕU׋ÀÛrQa°á€€A˜2•œFi¶<ˆd ðÝ´| …Þ팥¤€è®+;aX +ƒµ€ÙO:æíצg4:γ\´Mo½,FçÎa-uÙse€²`YžÔ*Qsµy&UäIÛŽé<…²9Ó³² ²gzÝ’ΦãÁS¹–Z5óÀ”ŽBR·‡ZàjÉßc»g`»ï™zJÆàÛ“¥ån4Ü …·ª¥Õ(* ‹} "„`Ù¾õëÉFc\Á[W0j4í¡NÿÌš–åÕV#CŒ£è †VÊò\:~ÿô5†‚•hÒ69Ž ÌAÜÇLJ¸Š£?ÎIi 2RÊÁ¤å¶gB©Çq=ùŽ2>'Àñ[ ÓOfý»˜ÖÚe=úRòÒçÍBÁÐõÚ ª¬)N9¸&VX®>Ÿ{šÖ ;Ùjðîó€Ü´ý©ŽzH/L_ðÄÖìD$‡²rðÝÝÃ[Ñôº• …ú°è²4ý~ŒwÅÖâô¢ÜÊô:¡Ù +ãö&T_NfgÖ€ŽœtÙ2SKqaf+Ãåi4” ‚^ %Ö Œ’y«z/TxÓˆ9½iž«&ëÃ+zjúóTAÅEÀ@!ã~ÞB• cŠð݈5ðÇ!nH&숅}(ÊÁ4ÖHj£‚b`‰ÛC‹G»H‹g§l•ž7»ÈÀÇ=wö8ñ#ízo\¬ð!.'|=Îý43!ÅÊ])èü¹@OáÆÌJ$©dK4^N}˜ƒ$:=ÒYщ¦4o*Ä{=0ÄAS\íwdTÅ…PjI˜—§y`ÉÑí·ØÄuŒäÊ5¶Q1¯]¼J v+ëIŒÄ}¶¢Û†Ñ²#@Ñ› ÅI"7îŒÅ^™„vý±aáxàƒb»Þeñzk§c6h½ ]89tÛ8;âźªÅžã,ÛYG6FÅp¹S˜Þ”†@(±â‹ãú“ÌÙn$8, ·¸½ÁIˆn÷uÁñdUÚ¨†&õBgï›<‡Px€!¹È‚Cœ¯þà:f×ІÚ7ÕKÛ€c‹a‰Oz±ƒ‡@³‚zðDÆÀ]„ä½ Î!Ä&˜µ[^‚}(Ò"gÂ.KXli4uÏòN}~È?JŒq4t‡Z#àäý%–» Ó ɧpÌÝ&Û9ì»NоWŶêÚz/ïA#.3¥÷UõLÏ%å‹3ä6Jòòhø!‹“j±çŠÏ¦¯áá3}ñÂïòuæ©ëDtùy>™¥Å÷ +¾*<©+"[…gH|¼,­á¯áÏvW=óKmˆöÍÏî7žÙwn©û›÷af“r —È#ï GðÊð{nŒåЇ{H$]UÇHiÕÏ»MÛMr:¿jæ(Ä+ݦ$¹ÝÖL5ˆÔ¹†²]¦Nä25_¦Näò¤DÔ7å®15cEÏzôÜJÌ#¥:vWän]»[áEžó|Ù›¤ ÀLðõŸ~FÎ76O‘Ò¾R tdº"Å¿@žÿl¸W¿ùGúá0DÐbe™rÍÚéO'Aâg*Og:öq-úyõe‡jͪ‘èÿ@(Š%endstream endobj -1064 0 obj << +1065 0 obj << /Type /Page -/Contents 1065 0 R -/Resources 1063 0 R +/Contents 1066 0 R +/Resources 1064 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1067 0 R +/Parent 1072 0 R >> endobj -1066 0 obj << -/D [1064 0 R /XYZ 85.0394 794.5015 null] +1067 0 obj << +/D [1065 0 R /XYZ 85.0394 794.5015 null] >> endobj -1063 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >> -/ProcSet [ /PDF /Text ] +446 0 obj << +/D [1065 0 R /XYZ 85.0394 636.8504 null] +>> endobj +1068 0 obj << +/D [1065 0 R /XYZ 85.0394 606.7365 null] +>> endobj +450 0 obj << +/D [1065 0 R /XYZ 85.0394 606.7365 null] +>> endobj +1069 0 obj << +/D [1065 0 R /XYZ 85.0394 582.3251 null] >> endobj 1070 0 obj << -/Length 3274 +/D [1065 0 R /XYZ 85.0394 582.3251 null] +>> endobj +1071 0 obj << +/D [1065 0 R /XYZ 85.0394 570.37 null] +>> endobj +1064 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F42 601 0 R /F43 604 0 R >> +/ProcSet [ /PDF /Text ] +>> endobj +1075 0 obj << +/Length 3257 /Filter /FlateDecode >> stream -xÚ­Ûrë6î=_á·*35Ë›Dqö)íINÓéIºI:³»m[ŽÕÚ’kÉÉÉ~ý%ëfù̶ãñˆA q#(1ãð³0b‘•vf¬f!ál±½à³èûx!<μFš·±¾}ºøæ&’3Ël$£ÙÓª5WÌx‹ÙÓò— b’] <øîþîæöãÏW—FO·÷w—sòàæöÇkj}|¸úôéêár.âPß}õÓÓõuE~Žooï>ÄÒãĤ×7××wß]_þöôÃÅõS#K[^Á -òçÅ/¿ñÙÄþá‚3eãpö/œ kål{¡CÅB­T Ù\<^ü³™°Õ놎­Ÿ–ŠE2T³¹0Iŧé t}3†±qÔ';AÁaO¢X3%´iö$4­=±’ÙØÌLhY¤¤r[²L7éKReE>/òÍ;.Ñ77ZµFÔ‚mæÿi•—s-T@OÊtIª gš¯Šý¥ˆƒEê;Ö)áö©¹Þ²JªƒŸ´Xb–¯öIYí/ãà°¨n¶™6`ᘠCéøùo‘§0VŠ(ø•‡ÛyC&‡8\^kÇ°ÇG…èQF‡¡€ ·™¼/§ŒC&9©sÿ2£ÆC;´×øg$ÎK"/ŽÂ¡>ˆˆé>K*D…–g6¾Á:ÃÈp6d„T6CTTꌲµ°&”­Æ:îÓŸ‡t?¢k’q¥í4ñk„zW×@?D¤ºäÿNek„èë$ªÉ<ÆtM1 Ó‘sR×<þ‰‡ó~¹®iË ]§—¾Á:ÃÈp¶I]_ÊBËi]kcÖµë¸MÕ?«t?P7ÉÁ;‹pš~ƒ5Â@GÝÐ×G}þNukËÑ#ôƪ“™ 3¡¶Q'4®Á?#ôpÞ/׸È0­`¶ÉÕo°Î12˜mZãtÌ$ži§5®…5¡q5Öq§;ÈXÒ¡{ƒMå‘ž¦Þ`ïê›Àz˜éÒlòÌÓx¼­3—Îr¬‹²òÐ:—¦—úćH®tÀòð¼u9´?¼Ã [‡»G‚’%A)/èŽ4©oû¢d½Q}`AÏÁTË~Ùc•6H.²”b_E÷eêÊ\9’ðñ¨]‰+&ØI‰$´ïŠ*%¨/Šbñ–å/?Î]x -XÜi¯©Í´`àñË -E5:øʺýi,M–KRöŽ…Y^¦ _ü‡ORÓ¡®@Ú`d f‚™¢–ñƒmðçí#Z3˜w`°2Ó~À‚„Wƒïp3¬vÔXgx€ôYƒ–Óæ¡9ª,Ó*É6åIÛ•V3šxÚvÛX§m·ÁBHæ»b“-Fri&´Óä¬ú]ãÕà7ê2Ð5Þã‘îW)õ#V^}ylˆÞvŒ#½{ „¯N<5L)XªÒÀ6§S!¡Æ?#ÚpÞÑ 0 6fâØô7XçÌ6d¤`ë¤9£V-¬ µª±ú!aZþ–ì—èú -f‹9WÓŒ4X#œtÌD° m±þz6b;ÙȨ@#)xhcq2/Ñ\‚ ;BO(aƒFüá¼_œ—èÈÂMØé}h°Î12˜mZ •j¢3JØšP‹ö¬,NðyȬ†Db’xƒ5B½»åœ ¨ß»Û2)m°M“teuØÐ{6¦n£Zgõ“Gz ÍÐØv fL`_SjSL‘þënÌI\}IùŠÀÊ´¢†«»"—ÉbÑÍœlrhù++iÛ7(žìH-IF!Ó&®ïj0s¢ÖÈpÝMîîŸnoþ=VlŠaá›’øŠä«­Üˇ ’Oùœ‹`Aa–rØÑÅT”øÕÃ=Æ&+]}Ûti€-¬ðº -'‚»¯ÒPWnO²ÛgÛ„Æà­=÷B-%‰Xi‡Zz9 AshU‹ Ý«¶ØJ0 Äd\8æXîÖÆuê}ˆãê}C“„ 0:°:æÑ7b°áP×çy,YÇ&¸òìûŠZîjÏi—KøMÆ‚…Bô®¨(‰«›‚æ°«#¦Œ ¿ˆÛP2%£šÛNŠ\AÝmj¾ôÚ¸¸¶4ÒҳΠWæu;LBs¬ðzMˆ‡šÓz‡º¢ÞPÖJ!ZGxßÖÍ¢§%‡¨CÝ«ƒ7W³_Ó.†—Õá¹s-ëopš˜XFZi{1Óí®¾¦Ak9éÊEÂA<ÿ¤+ocvå –+7¯ÓÅs´Îr˜¤†˜PŸ!Þ`Pï&©pT“ªGÞߎkë¯¡í— aþâÆß#Äk_µÏÜÍO½”صX'{p×NÜ1¨"¸»DÁFùžWÉgêuꃃÒ=œ<Ùe±¥¶&UznòÆù©{Ž¶>¡*…]p¹q£~±ü¦ð Ïþ®È˯{{ŽÖ­—Š¼|ÐÈÓê­Øÿá>ø‰I¿|´ -xÁ{©†ÅÂ_ ¹ó©›«8õÙˆWË÷]êõ÷¦¾í¨P1iX=HöÑ >Ñ£ÕŸ¥t3Å®UŒ„m,Áˆ:Ù[Á!n,%„hEË—žf]â?ª|å&yMDz8Ð*¥þFÎ!ŸÍÇ)8´È#ç§ìž ü.*Ý]}þ|uw9I(‚÷ß_ýøp}G]‘›ã»›ÛD1ô81éÝõÇë»ëÛ÷×—¿>üpqýÐ쥽_Ánä÷‹Ÿå³%lû‡ ΔIÂÙ ¼p&Œ‘³í… µRž²¹¸¿øG3a«×ÓŸ–ŠE2T³¹Ðã¡œX—Öà°®k +aXŠ¸·î<F‰t´No”0nÅHf’x‡†E +F›¬ÊýKº_¢n¾ý¨U‹;Ž™R`_nù®@™1~‘RÓK‘K"þ·,2ì ·¼¢gJ—ô•uIÏEYü¹|:Ø)2"¶æÌ‹'¢•Eg¢]fûçËr›æ + ¢Í…`& ¥•ñ1­ò +ÐaŒyiGmP‚Âc%”ÛJ=²m1¥혪:­³mVÔ—s'A¹ÂgÔ¯»ld$dQd¼ÊN«V &­e‘m‘49(¦ÆÙґ飘qmÌÙéç9]õ¤ÅòÛr?2¯½Ä‰êÎ›í«‘©CÍ”²¯wp$¹ ^Öùb ò‡ÐÌ7l‰ Ýí6¯DDàó÷C¶Ï/EUž¹^;“ÎÑyèE'ÏQ¯'JÇ3¾m?åÏ™mFÁã+‘>k\Û*Òm˜ˆ8nVŽTŽ(A8D‰IÞ¤Å@Åñ#8{^ÑF¤†av°#ÔW–]&©=>Áà½gÛ]ýJÍM^9¦Õ¨Ý„ÔLŠøMKÅÆ›ØQ˜Öjl'U“ (I¢Þ™´›qÄ©î¦ÈØJðàµ.ØÉê_Ø“M ²íÓ£ae%#<‹lc}‹Ù +×^e‹º¢xú°#-^›¹½„nÛG—@ÀA¬H!N:T ŒY(C Ê]—Řöà€$"ø†R@¨YPŸ€ã|E«½–"¼¤ÖÌ(@I”C•y‰r7Ê:K+WD!ôºaVïœ;]µ/Öiñ„ÊRÒiM)°À:}έÒlUT×-ƒ§Mù˜nÆÀ N„8ë\”a ëŽÎhê_xÈëuZÓŠy…æ Õ dŽ „Á0êy(Œ ûªv±Îu]":uâÑ ¤a‚3W›Wìxç^÷Äûœ/2¢<>R×ûx¨©ÛYýFI²Žw$H©À}Œ«Êö8'¥©{VYM Ò2ÈÄCA Y¶¤A‚äæÕ.[ä«W×g×of¢vÏè¬$L›§;¨îiý< nåKµ5*%„À„ŸÇìšÞQÛø$„8æ. B9¹³-õ»0w¥›[±[¼%ciç¯óG§s¼ƒ9w©ƒcb÷.uþ¿Q^elcÂ. Ö¢}4¸’1$l jNGŠ žèƳé±[5 …‹ÖÍ–—sÁ¡ÄµQd /„:fIÂܾ©¨M±[[¼³Á¥÷˜ÉÒû£cX•›Mù‚˜°T×›ÒÃÆYF'ãx¿‹š¹_6Z}÷{xÉA‚âpê{wŽ>³©¡;s‰˜.} }SÔÙ¾ÈÆÒL³Dòø8¡xG¨‡bˆA²Ý«óó¦4¨Ûlɨ`}X{º.ʽ;du“ä÷J€ç´r}Ûô7ï$á­t.c‘VÎeX'‘Fœ“xðUowËÐä¡WÍ:«òòD¡Çòű³œ’šÒbx"^–Ô¤"iáx06nÇGæ=¶³ìÁ·Ï7߸)¤Žß¬6p……_Šþ2웺+…dlQ¢‚N[1t&Ì£{–i‹fcÏ#E85Ïé>/m5€|­ Î¯¨g™Öé#*Óq9úoºìpÇÒ쩪6ÚÇaçÙwû¡åf¶©4Ž©Jz–…ÍL¤ü'{})ó©`@[úþ~ìhðaÒ¾ò é2+Õ×¢,^·=Ș+ÑÝø¢® +Ÿš&!œûs¶)w[w©º ¦0x¿NË +ÎÓ;J_S¢þýê–ÆÑeXY—‹rC]‹Vd§™ +b¥Ó„m¾ws›7 ü›*èA3mG;yéø…±;aÝš˜öOáPÿàûCîUûþû«/cP’©8‰Úˆ\¼Ì… Y’DD/¼?NTÛ±+çØÝ6A¢/ÇkªÎ× HÂøD©%Ä£_oÓ¼Íu:Î4\6«B—?ûã%EoqîVhðŽ“«7\#Ëw ˆÃKæÎò÷YÖó‹Ë¬ZìswåâP½&f\jo«þ&úפà0TsùOWÒí}–˜ÄZ§½êÜ?ͨq×ìžÿÌŽ‡óÒ–ÇÍ!DÄt_$" åÃ7\gΆ‚°“`ƒÓyKtl-® °y®£ð;ÁÖ$äŠÚL/Þp¬ÞÅàCDª»ü_ ¶f}¬Å¸^<5… [ÜÙç$Öÿ™ç};Ö´a1Ô­Óªo¸Î2œmk"L$ô½ô4ÖÚ\§±ÖpÍTï¡òYeûÜ$ï,Âéõ®:pC_õ%ø+áÖÞGoñ(ê| 2‡Út¶:¸†ÿ̦‡ó¾qT: +f›Ô~ÃuNÁlÓˆ 9ƒ*÷L(msM Îs-uØAÆ’ Ý•Gzzõ†kdù.Þ^†ÅÝõï›|ó4žø·Pß벪5m¾Ð㋯øÉÞ[±:¹ž —' Ìwå&_Œ$&ÏâÐL®Ý0 W½Oûq«ÎêÝc{,æð;Ó=^¸ºàqß@‡Þ²R»¯ªðîÄBî^â~ˆ-¥@K äÂ-9§bgŸÞ×`ÖÑH›F“0 ákR» Ó)úsM†(dJŠi$yNÉñôÀÜ}kw¿±è *†Äˆs5%BÃ3¡ƒ'üª“7óõY‡éd£[IµC“ˆ“ù‡ædØÚîâîÉ÷ç|sæ¡#%™0Sºox¦EèÍ462üáÈjðï"ÇWÿPñø+NSœwÁt-­¼PöZB gRErDôÿíú=ëendstream endobj -1069 0 obj << +1074 0 obj << /Type /Page -/Contents 1070 0 R -/Resources 1068 0 R +/Contents 1075 0 R +/Resources 1073 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1067 0 R -/Annots [ 1074 0 R 1075 0 R 1076 0 R 1077 0 R 1078 0 R 1079 0 R ] +/Parent 1072 0 R +/Annots [ 1079 0 R 1080 0 R 1081 0 R 1082 0 R 1083 0 R 1084 0 R ] >> endobj -1074 0 obj << +1079 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [284.2769 435.3027 352.9489 447.3624] +/Rect [284.2769 238.6772 352.9489 250.7369] /Subtype /Link /A << /S /GoTo /D (access_control) >> >> endobj -1075 0 obj << +1080 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [282.0654 405.0176 350.7374 417.0773] +/Rect [282.0654 208.0269 350.7374 220.0865] /Subtype /Link /A << /S /GoTo /D (access_control) >> >> endobj -1076 0 obj << +1081 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [299.7586 374.7326 368.4306 386.7922] +/Rect [299.7586 177.3766 368.4306 189.4362] /Subtype /Link /A << /S /GoTo /D (access_control) >> >> endobj -1077 0 obj << +1082 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [184.7318 321.8124 233.4785 332.5968] +/Rect [184.7318 124.0912 233.4785 134.8756] /Subtype /Link /A << /S /GoTo /D (dynamic_update_security) >> >> endobj -1078 0 obj << +1083 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [330.7921 290.2521 399.4641 302.3117] +/Rect [330.7921 92.1656 399.4641 104.2252] /Subtype /Link /A << /S /GoTo /D (dynamic_update_policies) >> >> endobj -1079 0 obj << +1084 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [401.5962 259.967 470.2682 272.0267] +/Rect [401.5962 61.5153 470.2682 73.5749] /Subtype /Link /A << /S /GoTo /D (access_control) >> >> endobj -1071 0 obj << -/D [1069 0 R /XYZ 56.6929 794.5015 null] +1076 0 obj << +/D [1074 0 R /XYZ 56.6929 794.5015 null] >> endobj -450 0 obj << -/D [1069 0 R /XYZ 56.6929 639.3701 null] +454 0 obj << +/D [1074 0 R /XYZ 56.6929 446.1352 null] >> endobj -1072 0 obj << -/D [1069 0 R /XYZ 56.6929 613.6661 null] +1077 0 obj << +/D [1074 0 R /XYZ 56.6929 419.8946 null] >> endobj -454 0 obj << -/D [1069 0 R /XYZ 56.6929 492.1088 null] +458 0 obj << +/D [1074 0 R /XYZ 56.6929 296.3851 null] >> endobj -1073 0 obj << -/D [1069 0 R /XYZ 56.6929 466.8231 null] +1078 0 obj << +/D [1074 0 R /XYZ 56.6929 270.5629 null] >> endobj -1068 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >> +1073 0 obj << +/Font << /F62 638 0 R /F57 628 0 R /F43 604 0 R /F42 601 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1082 0 obj << -/Length 3028 +1087 0 obj << +/Length 3398 /Filter /FlateDecode >> stream -xÚµ[[“Û¶~ß_¡éKµ3BÜGÇY§›iìv½™v&ÉW¢vS¤*RÞl~}n¯ ÝØ“É,|À¹àÃÁ ãUÿá•â(¡š­¤fˆ'˜¯¶‡«dõmß_aÙЦ‹úöþê›7‚¬4Ò‚ˆÕý¾3–B‰Rxu¿ûyýúï¯þysw½!„µ&«ÃãqFi¨)®Þ_ý«°Ój»NùS…¸"rÂŒvˆ(3±’\#A µ¼ÊÀ"†×»lŸž‹Æ}äµ±ì›7\uú ‚(N$5ÿrzhþâP=)D#¥¤ö¨¿™ñh˜Yÿõ¯kW.Ó&ÿèÅçåæªÓ‹û<]cµÎv›‡"Ý~Ø4î3hš6éCZg0W4‘`AnÇKÚ«² §jŒ¢«&àc%VŒ‘æœX›ôCæ&5µbχ¬ljd»$€Uˆhî¼õ®yÊN –²õÇ´8”Rß1s Ǫ®ó‡"sMùÞÕ¦»]ÞäU™®þ¢«iÝÀ'?ÚSúÑW?dYéꊼüí\m^6•«mž<°ÎNÐßÕ¯ßW‡¬5 clŽ…7·z±Ý·äå¶8ïŒ<óõœ7O®dåÙ®yÝœò‡³±ÈÕ@ÙʪÌ&† ¸á}Ÿ?š£­¦%ºPa)ðtôð MåÈ?=Z”ñÆ.‡I<ÅbÌÆ’Ä嶨 Á½U‡aA˜¥Û“ü>ˆ.Íêí)?^A„qÀ´Ü¹ªº9?¸Ò°¾!8n“ëÛ½oÍ<Fï„j„ž/Y=ÁX,‘¦D]¶ Úaq”^µ`Æ.¼€¬ç¼(¼Eí5pA:k”h¥‘Þ¤´ (õÁÏiû×Ç°<E7°)…EÚŸN·„_Ž~ åæ9C¿À±*±€2fí«ÓszÚ¸E0⊠nQ’{óCâ‘žèwÖ ”òõ!K˼|ÜŸ ¿Ií]½ß¢¸Ÿ8Óô”Ö®*uœþfjv~d°]ÔÝʘeð8‚»‘LDÈFÂâÆ#Š–؃ì–ídnÓsyY­ŠEU}€pêô®\ã>Í Ç)¢1Âã>§Ò}c2"§ð€)cÏW¨gݪ‚ÆǬiÚ.eå*Ó²~v{¹Iž¤X??åÅ´ 0JQo,prª›)/Øä1xá¹:^~ZÕ³×ÉÕ”Õé`RSÜam«\]X`DH ÎÀ~åÙnv@b Ò Ûx5¿ZTgÿ×eHÁLEEЄèÞ -€0¦ ëêËþ©¶ÁKç"˜ç -’ªS¾Ë|í“/F»RµwÀÇ¢z°¾†º>M‰fÚ…WhÌ}G–bòY[Q³mnæ=è`3+@¤îÓËV¦t±jL% -GIต #Êp_…(@‰hô%ƒØ€™¬ŒÒ‡ÎŽiŽë»k“E@ ¢?.‰d¹´µ®3y’Í™¦ÒXç'(ÀZÐ|Ê)[ e¡e@Ù´ë÷½ÕfcóüQt†0 -[r\|‹šßÎp¤ƒH×WàßךØ=Ãvy¶DÅšY’˜w(3%å ƒÍ§¥ÕþÅ}XŸ›Ö2=d®Ê©Ó…­Ô'y[T®å—„'¿Uçœ{ ˆCeB -?ªwS¹{ùÖ+{„ó‘5?KÊå ìZJÀAçö?oî+‚=p¶üÎ}h÷'„ˆf)Q» -G!hã*ÛѶ@$ÈÔú¼m†œý¦Ê.¦K^{ .Xgì Ç8³ÒÓ>!„ùDIvf‘‚„ ,É%[5«Ë×öBíoe±˜EY1náTƒäqÇŒ¹uç,™]8L08N“…¤¹‹š_8-ª·pšÃqãÝ9\>Ì\—%ZÔ„=·1‡:P£]>.ùPR½!IdÕ9³…“íåJ™[ -œ¬o["îæ zÞÓ”" ~‹;úŠøÙƒŒ}‡ô÷]¹ûÌ»;?d›ñaKç Á¢j´ ±=O+hL¤ê)òçÃí1sZh¨”röxL•BL+Òµ8r:náqÛG£ÎåPÆ ?AáØ ´ ¸£±¢c–P$ôÜÅmK½*½€šœ­|WL“r .t\“5¡JŸ~&‡7SÐÕåË\ÆÄ,ò„'ŠDøG ÒkÒ3:J@_0<î§S™Kc%âóТe!•1¶ppè€æ9@ó£:7#*†˜à"ªG +Òg †F`jW“¯DÀ®=£·È%°ÐóÔq)x×æ»—bo³_\érFÌLº ýÜéº:¸¯]^°Oé8ø*µo«‚w—Fœû—‹2éEéÞ{3ö÷òþùÄ.óúW3Ý°à¦kžÄD!N”\ q!q@e?7u3W7ùv|™ I+1i{T5¡AÍœ!lHÜSáv?ñ€¹2¡êÿz> ïsöç¶|y6ûeÇðºçmN}S^îÍC€§0T8~Û‡¸¼¾¼ÄYAʼPlŸ\í6-Û§8ûww>³#½ÄH%Éàž¸{75ñÈ!S"¼d_&§s/4p‡›·=v™–Ã[—–k­k.7ɳÄ3É“ùÝL”wÐ<íÈÚ”?n>¦E¾Ë›— J'øƒ9’ -XÓ¡•èç€|`^W‹/³9ÏÚ2>ªyôL$HCο7|4êìvÍÇ70ö£þoAq5FcE·llS ²°ewQÚ”{¬ë¤êuu>mÇ·¬R -”hQZô#©„Ôø2Ä›1f Läþ‘SˆiÊ{öÆxð –ÇýôSGBÍÕt|hAÑXqâŽY¸tî€"´ó ™‰Ú|#âÁ] -W¢µèoIFûj|5Öyc:(†¦â™w’/–ÄxàqËG£~:ëà0¥˜Žº?`â: GŠRNsó[”…P×ÍS.€ì[aÑl>%Ø ‰”É»"JÌX‰>ãRTÓž_†q[†”ãˆ&šF(›À´ko”r7}4êgPŽ¢„%2êÿ×b4ÖÂÿ`^úqi‹‰ýðÏb"Ó4éÜÅ]L‰)1q±G»Z|UÊM:w¯G—îõhÇÞå[=7}8ægÞè s~‹‰ª0išoáŽ#ó‹þ ið¿?ýé8pùWL"jÓ¾K„e-ƒRFqA‡š·ÿÂ`¬úÿ[Á—fendstream +xÚµ]sã¶ñݿ“—Ê3B€>^î|©3Í]ês¦í$y %ÊfL‘ŠH£þúîbˆ_¢’I2ÀÅ» ì7ɯ#øã×F±(NåµN%SW׫íUtýs__q‡³ôHË.ÖWW_¾OÄuÊÒD$×›Î^†EÆðë‡õ‹·ÿxóÝÃíýÍR¨h‘°›¥J¢ÅWwÞ$¥Ÿ·?¼¿ûúûû77Z.î>~ ðýíûÛûÛooo–Ü(ë…ÛáÌ‚÷wÿ¼¥Ñ×÷o¾ýöÍýÍOß\Ý>Yºòò(FA~¹úá§èz bs±85êú"ÆÓT\o¯¤Š™’qì!åÕ§«… ;³véÔùIe˜2¹^²ˆ´˜>åˆE +Nm©%g"•q8e9yÊ O9+›zYÕm±9%æ±D<~ÝÝvD<`MP;Ôyœ2¡Õ€üǪ<±‹t±Í³ª¨ž6‡’ž‹ ò3!á¬"»øÄö€–€¡Ò©C+Ú1[µÅçœÆ›zOƒöÙOÿ¯®rБ8ŠÏ­É[ÔÇe¶z.ª¼ñ‹37ÿZ”Žïý 7‹|•R1¨t—ÁD1©p¾ûð ‘à¾yÄtöÂ9H „ýðñáîý'ÄŒ ƒƒOÜ&Û¼i²§%pòá€ä‹#cå#AP˜µƒvô‹b"n†ÒÐr‡QM›¯i\e[mòýç|ïü©¨†rV 6Ùí‹m¶?’¬žûž¬Û Èìa'+¤prÀ€ö±@»òÐÐ(«Ž4¸ûÎÖkº‡¦ÉZ×ìòUñc +à¼í󄊉D0¡ãNu`ƒ ÓJj‡‹ÆèÅÇ^½oi´Í{ù€—¾vè8àé΃œ eÒžnš7Á®LX¬…úMÜ*Áb‘xn;gDÚÚ_jµvº8ã-´†ô¬·4ÆÝ0 €  f¬ f±Î7Ù¡ô¨š7!á‚B‚($åLKð5žÐiÐó5ðLÞM{x¤ªYƒî€GÎ0p~×ÖÏæÛ]{¤!Z E禓$fÜ€•Ïúò.Öy_°PÎÕs¾zY¢u6#_.c–˜ôñ€5A½çË%\ ú©ùr5ÜÈ®-j¼rwL;4ÖððÀj‚8ík÷Ūu3dä)H’íÁ][ÂkÉÁPNf•pšcÕf¿Ðj®Ë÷mV8ÊëzKcI.«q UÁÿh!eßÞÈÿbœ,Ð@K» +€ì—µ›@wmN‚]]5¯ãþ×ÙXP½¥'UÞ¾Öû›•R1Ÿ >gû"0°ZÕv§5h®Û«¶’D}Ë i5ó¸Ë +¿‡µcÓJqî‚“}"Ζ‚[thÖ2ª?4Œ‰È­™çöØdE9AˆCTLyÇžg]O&ö±¯)3·‰€b:ÆëOãü5ÛWS„ =“âÄù9Ó èé$½`ú¬Ó÷XHqµÙcÖä#»’H«ç)¬ Ò½ûÄÊ$\ôiÂhf£ƒô&§VùDÆx¤ùš Ëùé¼1¢4m½'eËÈ'0Ú˜yûÁ5§%›º,ë×Þá…Ø+Ñ÷ÝóÆ|pyQäóƒ—üøêì¨Mþ+0¦¹ÊœDI7™Ñ† Ù3„×碇’­òå:/‹má–ê…§‚AIA.Aú©½ßgÀË:¯ÚbérKÇwÏYØ„m"ÕÎ&`pº( †‹ü;hë{f.4‡Ç&ÿådè9péðH~zØe½c;ÑCx:laÏF=ÏŽ›~̧œßèÔy|û›ÑÏkæ¢tHÃVÎ)ÔCçp¢Ü©'jX÷AòŽ/ïK”é:\ÈÀxäÝÄûÇö‹éòŘP¾ü÷‹}å ;§ƒhØиÊ\Mƒ«å6ßÖû#=Ò!¬—eYAKžS'˜­w´‹Ü¢g£­Î=H¬¥jY3ÈÚÛìÅQï>û‡¥É[|tya,!¼• +oñISpbW7MñXæ4Ul + kyEV¼ëOäb½/\)SÏ,ø1Ï+‚•EõB1Y¢šÔuþJºR›6$óŧz;©bM¶Ý•^A<Ñ“ì¹×¹UyX{ ¤4¾¯[ºªÇeJ±ÏS«|bK/@W¥½0v6ðHUMÌ/ž.ÖùÀ°¬£,àw£°Ã%8U-æé¬ ½°.Ú`‹¤GùSžby³Ú»Ó‰ÖS=„T³HHo]'þÇIOœ„V%]EA Ÿêžˆ4¹º¦Á}GØ€AØñ¾$ìê$6³xÂø%pùŒ«ô©¬ ŒŒw›Mm$Ô\ilÌ ë`Íh˜Ç²7”—ùS†Ò/kì UM% ¦óô=Òýž¢%0‹uMòï©-âì ÇjQSã + ÙnWC’ÅsAQù˜™øÚF¾¶”R/î6n6wø”ÔↈSÆO­žcÞLeÏxæ6еƒqTŽ5/†+€–ëZ¡PNÓÈÅUŒ÷,JÍ _pa$ ±5sδýTÇnãSô^g­§ºû¼ŽOI© :ÖÁšÑ1eë‘z‰ýzœ=s¦4hþ,á€5A¹Ÿ='L)¨Fz¤©Ǫו°AjCp¢TÈ|%Ä·†@ýÿ6ór1Pº„2i5x¢„RØl ý o\ãÊÆpí˲‰æ*;¸ªWžX,ëúÅ6cE>Lúb|`ÊÇZªßÊÙØ’[hЃýѦëBs§¯: ‡“dU0ù”·mXRÕ̪æ•b9&O:Á´ºœ>Îc|èSé‰S°MúPÖ‡ÒÑÏ°Äp<¤ª÷[LQäÃÊV̘ЂE&‘C+òõYˆTÈæRýØÅ:o«cx¾o 07KÚ#M¾0X÷hOUw¹=6K ©ÚØœ¶Ðg7 r G¶‰fY?Ú³X_Mz³”Ü+Ln¡uKܸV zma‹QFFÎYšTM¨R¬R¦O]’ŽGÆUð±H‚›¦â |— ïW¡Uú“^4ÒõŽƒ]‡d1t1CBtj‘½tçÂÑažds¦©46´L±Ø3ÇYzq‚ T¦Î öà´2—ä!nY?Ñ ¾Vù¹>ì¡î¡÷"ÄÞ$aÚ{GàúŠ•cvõ‘s5?ëXéÛµ*…ÎÝÞß3‚[$C ÅdjDOè™"9à_¼ï¹"YY’ +xž½‡€u‘ñn³E2Ooy©Hîb×€5ygźœÖBÈ3$^³œ¬ VúZˆù<\C—?§13'ÑP c–DácŠ)-àõSÑzV þñÇûþv-”m`’1{ë#ãÝæµ01p½êBºÖÅšÑBuÞsÔ‡v¤†F2™ÀªYVÖ/}5LAjTê.3‘vEòAvÁ“ô¼"¦)S:Q=±çÑã_8€ñ¾¿]“?w™¿tÑ^óZkfq¡™ÓÅšÑBuÞsLj!Tÿir•€5ÁK_ –h=`æ/ +É]‘†Þ[…ZÎ(¡„CÓª'õ¬:ü ò÷ýJ1 ¥×ì=x¤ lŒöšWÂH3tñ%ì`Í(¡Çê›Ø/"€9ÏÓ X„ûïE4jfÒ§üçhÜÙO«b¨’$9ÿ^D%,ÒÊôDœ{/âñ/;Þ÷w¼óT—N=`]`d¼Û¬†iÍ„N.Tx¤™ïv’Û_ò õ‚U‘Q³DÒ˜j¿"™1©é‘½Ã“ÖÒW\02Øa5ÜG PÌÁø5s@|/_ÑëP­\§ +À®M⸒Z¨¥+±cWKÃ*Ø‚ÂòÏùžÞßg'’¶ì¦xª2÷é¾g”±é—ÿíáÔÕÔÒÁßw>}º}KcÜÃò,døx†¯ôNEؾ÷‘F§®™ÀÞM¶öëNŸáÓºh^ìKwîÏ€©›«=êº ps<1“˜>óyz¬~S>qñðïº?øÓõÓwýR3¨ÅÄK‰fDª=SxêI<ä\ņ)#ôëÿ;_ Rendstream endobj -1081 0 obj << +1086 0 obj << /Type /Page -/Contents 1082 0 R -/Resources 1080 0 R +/Contents 1087 0 R +/Resources 1085 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1067 0 R -/Annots [ 1084 0 R 1085 0 R 1086 0 R 1087 0 R 1088 0 R 1089 0 R 1090 0 R 1091 0 R 1092 0 R 1093 0 R 1094 0 R ] +/Parent 1072 0 R +/Annots [ 1089 0 R 1090 0 R 1091 0 R 1092 0 R 1093 0 R 1094 0 R ] >> endobj -1084 0 obj << +1089 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [259.4835 683.3704 328.1555 695.4301] +/Rect [259.4835 478.4263 328.1555 490.4859] /Subtype /Link /A << /S /GoTo /D (boolean_options) >> >> endobj -1085 0 obj << +1090 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [387.5019 430.1364 456.1739 442.196] +/Rect [387.5019 224.9363 456.1739 236.9959] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1086 0 obj << +1091 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [381.9629 399.8859 450.6349 411.9455] +/Rect [381.9629 194.6431 450.6349 206.7028] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1087 0 obj << +1092 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [398.5803 369.6354 467.2523 381.695] +/Rect [398.5803 164.35 467.2523 176.4096] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1088 0 obj << +1093 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [393.0412 339.3849 461.7132 351.4445] +/Rect [393.0412 134.0568 461.7132 146.1164] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1089 0 obj << +1094 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [255.0796 309.1343 323.7516 321.194] +/Rect [255.0796 103.7636 323.7516 115.8233] /Subtype /Link /A << /S /GoTo /D (boolean_options) >> >> endobj -1090 0 obj << +1088 0 obj << +/D [1086 0 R /XYZ 85.0394 794.5015 null] +>> endobj +1085 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F57 628 0 R /F58 631 0 R >> +/ProcSet [ /PDF /Text ] +>> endobj +1097 0 obj << +/Length 2801 +/Filter /FlateDecode +>> +stream +xÚµZ[“£6~ï_áGwU¬èŠÄîÓ$é™íÔf’íéÔ>$y ¶ì¦Æp÷8µ?~8ƒÑ©ÌÔTB|>:—OGG ¶ ð-TD¢˜Ç K¢(S‹õá†.vðìÝ ó˜UZuQß<Þ|ý6⋘ÄÛŽ,C¨1lñ¸ùeNnA]~ûãû·÷ï~~xs«åòñþÇ÷·+®èòíý¿ï°õîáÍ?¼y¸]1£ØòÛ½ùéñîE^Æ7÷ï¿Ãž/BîÞÞ=ܽÿöîö·Çïoî[[ºö2*œ!Üüò]lÀìïo(±Q‹¸¡„Å1_n¤DI!šžý͇›ÿ´;O럎úQÂøjè@):4Œ¨8V ­b .jæš´Ï“ ¶’Ì7Ò]–·Ì,m‰Õ“ÅF~¬Ò<#ëÑŒE Í Q†± m´ê¢PÙÑh7(§ìŸyfWe•TiY¥ëòz|Æ)1ÓaZÔˆ]w1®ˆžž÷[7è×o•é Á\îg["¤/L“XðóÕíJPíýGËÒ϶ÀöKºßc룵Gÿ¼19ñÒl›‡ÄE;àÕSZbË9«È,_žÒõö®ÿ‹ßýØ›Óáh7Nep#†Rç#Fb¥x­l•_¢†uãÄ5‘&RÞ°KlV¿RÊ÷vÄÀ>©Ú_l¬f¶á\vEµÖ5-íÊIÞEF¥¥ ó®‹šæ]‹ªÍJw«çdŸnÒê¼J³ +t‚H\³O‚+$ð*¨F‹Ñ£Gʼn„9ÚÓヵWîÙØr]¤GOç£íHbM(—q¤)k®Tˆ¤•Xú_Ad® ›Œ–t-Á‡Ån‡Žé-~Æô¡\´}}±Ò¥}¦®u’0i•˜¡BšÑc Ë©1M>¹Òð ù:¨ùT=ÿŠ$+·¶ÎÄ«2?k;L|€×zF‰5¢E?ñÅD©+-þõšÄ7aË•;­Ä£†ÀuïNx¦ÂðþýúºÎÜZQÓ¾¶Ûç/+}bóJe³F»s#cˆ6dÿ +¦µ:ºØŒæa÷å³Ýã÷woŽ?rt|}¶ûó-c yÑt_pc ŒFcÜ<Ž{W¡^i^½(4_eÖûäTZ˜RUÉ÷(8dz"ðèå)©°u™¬N¾‰‚´58îRk`7.Þ\,ß8ÿ©ei0%½Ó%Ä,O{<¥ÐPèu³!uŠÚM=K"P2mí¬Mê£8¾;…`ø !W=`Ï76K­ï»PÇwl„¹ÿ³Ö‡#¹ÉñÅ 0 +Ég$ +‚{ôÙÆwž±…»F:‚ÞT¬Ò +´ßI&ÝY©†,Ä%‡¶C Åüq²e…A±2Ùù§©W²LwyhÿJ­\ˆ{vaÓÒ§¨´j¦ÃzÚ4§Ø.ž†¹ƒ—Ç÷ïü¤ò Ã Aá?66]ÿWW“Ì;àÜŸž—“LN}/Oa¹ôßÖ5• jæˆ7œ¦žj‘n \ßtøæ:"œ`‘žZM˜€jòòþ}~bkÉšÂèO ?¿,šù™ÛW ßlÆîƒM²4ÛmO{¼GªºXÕp'Û±FDlùß'›áôdÚÀz¦âa1 êMÕë-‹…êZ³ˆ£Vä馛ա„ÎÖX!Ÿ:ˆo/ {s :m‰©À[4ÛLE†KJÚt~t/ÜFuÇy¬­j +14¼?ï;†9Ÿk=± (C8e¡TбŽGôÒ¼áƒKû)q4/±'t·“÷ؗà­Ïÿì&÷‹ ©µEX²Ùx»J¤~Œ,¯<Ÿ¸€u-æ}>áöö9qî["SŸ8šëSþÒËÚËÝ­;é +ù:Ë©sÊÖn1ú^þ¼“þöæËo©‰0†Oì‡`ºKB¼RõæB÷¼þ°óPõÿï§ë†endstream +endobj +1096 0 obj << +/Type /Page +/Contents 1097 0 R +/Resources 1095 0 R +/MediaBox [0 0 595.2756 841.8898] +/Parent 1072 0 R +/Annots [ 1099 0 R 1100 0 R 1101 0 R 1102 0 R 1103 0 R 1104 0 R 1105 0 R 1106 0 R 1107 0 R 1108 0 R 1109 0 R 1110 0 R ] +>> endobj +1099 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [381.2254 182.5173 454.8788 194.5769] +/Rect [352.879 681.7691 426.5323 693.8287] /Subtype /Link /A << /S /GoTo /D (tuning) >> >> endobj -1091 0 obj << +1100 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [335.4973 152.2668 404.1693 164.3264] +/Rect [307.1508 650.7179 375.8228 662.7776] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1092 0 obj << +1101 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [363.1733 122.0163 431.8453 134.0759] +/Rect [334.8268 619.6668 403.4988 631.7264] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1093 0 obj << +1102 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [365.365 91.7658 434.037 103.8254] +/Rect [337.0185 588.6156 405.6905 600.6752] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1094 0 obj << +1103 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [393.041 61.5153 461.713 73.5749] +/Rect [364.6945 557.5644 433.3665 569.6241] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1083 0 obj << -/D [1081 0 R /XYZ 85.0394 794.5015 null] ->> endobj -1080 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F58 627 0 R /F42 597 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] ->> endobj -1097 0 obj << -/Length 3167 -/Filter /FlateDecode ->> -stream -xÚµZ[“Û¶~ß_¡GíŒÅâFlŸœdíºmœt½™N'ÉMQ»¬%j#R»V¦?¾çààUÔ¶vÇã%œËw. Å þñEœDI*Ò…NU3/òÝ[ÜÃÚÛ+îhVžhÕ¥úæîêo±H£4ÉânÓáe"f _Ü­^&‘ˆ®[~ûÃû7ïÞþtûúZ«åÝ»Þ_¯DÌ–oÞýí†Foo_ÿýëÛë71_~ûç×?ÞÝÜÒRâx|óîýw4“Òå ÓÛ›77·7�¹þõî/W7wA—®¾œITä·«Ÿe‹5¨ý—+ÉÔÄ‹g¸aOS±Ø]©XF±’ÒÏl¯>\ý=0ì¬ÚG§ì§bÅB%`I&¦Ì#Í9ÐhÅAÆ´5²š4²§B#ëb•m›UsȪzS®¹Y®êýñCpE -fÝmFª idGžÈH2!úâ|( -rCóàë¢ÎåcSî+šØoP°n©Ž˜PDxRCI8”›Ä=\VCÅ¥Ž£Dʸ§8-î4¸í˜ Ð_0Á˜/™ o•ÅàI¤‡")%"Éå¼+<Ñ1F¼PŠh2øÌ#±C5ƒDO…;Vû¦ÜœÎaƒƒ/íî‰&vïù[ð(MµìoÿeÈKxFJ öN Š¹Ôg¡&R ì¤é):µ@Aç1ßCMÆi¤™”ó¶—LƒQ¹F‘"ct:Ä€bjdÚÕS2‚ˆd‘‰Õ¢Ëz G4!@"2ŽŒŒe_‚ÿDœƒí5èóó(üŠ‘jzºÎ%$OAí1ß—£ÄèHêTΛ?P]dÄm6'%P™ŒÍÌu¨f0ç©pÇ]Y­ÅæPÔ«¦Ü¯È»ìóä´¥n§1­Ÿ™-œË5¯B šÐ¡g¶$‰b£u_ [ž:Øâ [œCLÁ–<á¦'Ø ÄýÇ|{CaÄxQe5ÆQY 2&â0 -½ìƒo]ÄËQ¢˜H~R.Ëš®Uñì&P0)|ŒÃLJD+ î±éë˜aôTÅ -,_V…£† j,Í~KŒ÷àAZz~ȵáŠüKò$.ÆxßCV‚brù /ë™ÅÊY]GÌò¸µ\aÙ* -³% -Z¬mœ$ äž"è´E–?ôx¸é¼u .»áÖ×EUn®ÅŽ›Øx*ðsÿ±`É섀A&&ôµüXÐ=Ùlí&O4IÌqp …Žƒ`¶›²)ÁvÍ—ï6DF0Š6‹†-ˆ‚Øüv,ê†A°:»w«¥².ïÉó0þ…ŬA÷ô¢šTÖ.I•‡|{\“õXÇÒÏ\ˆ~ =MƒN­x½8¥ÃÅ­ÃZ¢‚íMp8‘P„%ú\Aá2‚”d^ÙZqßýNþæm%ÐÜ…n_0¨¿ÕöDÓ»"«Êê~sÜÒ=a¨³äÈa#¾üÇCQQ|rm ¤Åé8…N¨}«fñË5Keì©ëˆwà<ÄVâð¦}}¨auMcT‡"£Û¶¶g®uƒÉâ@™é@·¤¶9ç¡XúÏË…'É´ìÈqeM( øЈ~€tC›k}¦Ä&ŒÿÝ‚Nu:!—Z.‹Ï⼦yŠ˜ÑÄšËèÖ%ƒ?u³ >±§^*/ˆ,[¯^5”njß8< …-}<ÑCÛâ)CsLÉÒ¥}Ø?÷òG'“c(ÛRU¶]üv¿ÿTÿ‘LëAë‹ïà)È1á\¯h£m á¿é©åD#ÊH8jó Þa6oNE{=¹€!Nžë»ÝÜý†êc«M’´µƒÚEn¨E 6QåS¹-î)|c³ü¡ÊÝ£]Ú\>dî¹ú˜ç°iÐeMþàóXÖŦŸJQ¨€>Ô€iYO•·r·+Ö% Ðn`RR… -ˆË”tYÓ˜R ª=]7ǃ«ðD§ä#m[úRil”HlÓ³­á†R†éh “ϘêìÈÕÈÔÇÁDY£'í±Cû“‹é˜¶¥`k›X D®5TºË$¬ë°n<š¶Å&³Ü—½Œœ kÏPE'¸;œœ(î82ôQ(Žî9ûÞKØ-žbª£½š7Õî¶Ìœg{ß‘ Ó®Lg/g²ŒˆZƒYÁLF·Ïåvg¡Ow¶ÇÐàlùΓÙÖ–^Ñs %£ï•Þ&›Á’kX:û÷– K*ì)(Å/îka­@±rn†NOihÎpÜiÎ߀a[¡íZF—»¿Þü“FÅçü!«îÝ£6Úq (GÐWt3®9í¶tlë‡,œ–­ …#„z|LRu#ÞÙcœbír­ê²u×î9†GR†·U6ÕwÂ~ ÀED¯&ب(5ာµÊè"t§F\bå÷rˆ\O…ŠŽŒ`:proaÖ,¸EOZÛÍE%G¯ö9¿ÀŸ—<Ò2Õ/ù9›T&ÒL~Îö¿=åÁ~щzVzŽ/7ôOôY­‚R0Bs¦*¼î?(0 vîRs>Í00½‡o>gy³²Íq ;|œcx'†¹®WBÒÀ›Ð~à õgR»SNù͇ÅçcQÚWÌáÞºd D‘gÛþë¾Ð³`"p/¦/¦rD{Œ?­_¾ÌÓŠ±H‹À(RfòlðßYí‹ØÛþ겺4æ܇: ƒ‹ýò¥ÆaY$d"> endobj -1099 0 obj << +1104 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [374.6372 737.8938 443.3092 749.9535] +/Rect [374.6372 526.5133 443.3092 538.5729] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1100 0 obj << +1105 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [292.0276 708.0059 360.6996 720.0656] +/Rect [292.0276 495.4621 360.6996 507.5217] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1101 0 obj << +1106 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [319.7036 678.118 388.3756 690.1776] +/Rect [319.7036 464.4109 388.3756 476.4706] /Subtype /Link /A << /S /GoTo /D (zone_transfers) >> >> endobj -1102 0 obj << +1107 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [460.1655 648.2301 533.2211 660.2897] +/Rect [460.1655 433.3598 533.2211 445.4194] /Subtype /Link /A << /S /GoTo /D (tuning) >> >> endobj -1103 0 obj << +1108 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [362.144 618.3422 430.816 630.4018] +/Rect [362.144 402.3086 430.816 414.3682] /Subtype /Link /A << /S /GoTo /D (boolean_options) >> >> endobj -1104 0 obj << +1109 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [293.1435 588.4542 354.3435 600.5139] +/Rect [293.1435 371.2574 354.3435 383.3171] /Subtype /Link /A << /S /GoTo /D (options) >> >> endobj -1105 0 obj << +1110 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [288.6803 558.5663 357.3523 570.626] +/Rect [288.6803 340.2063 357.3523 352.2659] /Subtype /Link /A << /S /GoTo /D (boolean_options) >> >> endobj 1098 0 obj << /D [1096 0 R /XYZ 56.6929 794.5015 null] >> endobj -458 0 obj << -/D [1096 0 R /XYZ 56.6929 544.3772 null] ->> endobj -774 0 obj << -/D [1096 0 R /XYZ 56.6929 519.5953 null] ->> endobj -1106 0 obj << -/D [1096 0 R /XYZ 56.6929 144.0934 null] +462 0 obj << +/D [1096 0 R /XYZ 56.6929 323.2894 null] >> endobj -1107 0 obj << -/D [1096 0 R /XYZ 56.6929 132.1382 null] +779 0 obj << +/D [1096 0 R /XYZ 56.6929 296.7987 null] >> endobj 1095 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F77 703 0 R >> +/Font << /F62 638 0 R /F43 604 0 R /F42 601 0 R /F58 631 0 R /F57 628 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1110 0 obj << -/Length 3017 +1113 0 obj << +/Length 3154 /Filter /FlateDecode >> stream -xÚÍÛvÛ6òÝ_¡GzâNpßÜÄIÝÓãteõì¥í%Á·’¨ŠTÜì×ï  )Y²ÒMzºÉI ·¹Ï@bÄá¯9ø*ô(/43\˜ÑluÁGïaìí…ˆ8× ézˆõõäâ«7VŽ -VXiG“ÇÁZŽqçÄh2ÿ1{õÍÍ÷“Ûñåµ4<³ìòÚXž}}wÿš }^½»s÷ö‡ñÍe®³ÉÝ»{oßÜŽoï_Ý^^ ¥„T\â_ïîo éÍÝw·—?O¾½¸tG^Kp…çýõâÇŸùh·ûö‚3U83z‚g¢(ähu¡bF+• Ë‹‡‹¿u FÃÔcdÒ\0!][É”ڜܖ¶à°ml*Ãœ5æ`W¸uδɑôJ2¡ŒêHoòé…VÌ)eF¹)˜URÚ?UËù¬ÜΑ:_½Ñj0!ç¬ -€ˆ“…'œ|¸¨„ój‘Gœu¹òG’93¹‰8?q.ýr~y­¬Ëª†¾Ínúo?k±“gmMÀ×÷Ôˆg¼.‹óüo›rÝTõú -úEž•ëp oÎ -as Š`…12lÙ.Â>ZfÛK—í–;*[•íláãÈÓ¯©Õ.<5ÂmæÔWë÷Ümæeëçû’.˜e8ßßÿC¹¬æ$ˆÝÁ©[?Ò7ì‰áUÙ¡ÄjÙefÈèÏ¥S ˆ ÀŠYgÅïX’fÈÓòhaq­ yN¥Âk¹@«Æ/?A‘Þß1T¶g(ŽC±ˆ‹ãÄ.E†"°c(Â÷VhIâ¹9«×­_·Èp©ñÛU[0):õ¨æ0¯j?¹ŸŒëBíëš1%OhHºvZÕ<¡Šgšç­âù«÷ë:ˆ›Ÿ_‘ - °‡WÞ»õt´ÓdÍ¢Þ‘ú #~uT$…€VÙÐ÷8]„æÌg>‰0ÏpHktO˜=¹Ò˜ó<]ú„<]K†XØtKÑ‘±ý¸ J-²d5VuÓd×øÇÝrßbˆ¬\.ë§h!§3õ:®ô‹ÿHß“©hHœ&ãçTK0o`]q+âQÄYÄ- Ø‹@îáPäŒõk‘NB*›µ—"«©9 Ý`AS€øŠÛR)„¿ÎÝ'0¬ˆMšñD26„}âžÍÆϪÀò0„ê9¿ Ë·ÈH–k¥Ãz9Êrð{Üh0L‚“Z†#®“ FvckV6þ´íµÏ3”½íí†sÎÉy~üo³ÒAX)F(’`/‘˳xÏœ,ÀÅZQ°\‚ÝNæ}Ü)¼²ñ@ˆEúu‰ ÓÓº¹êàêÀKyÆÎY‘Õ¡ÃEW;Ô]lizü@Pæe„üº/Ý æõªLÂÛ22…aàˆ$„J’׺C/`D¶Fí…mHC ²Ó\è€û_V³ªÅMo áÉä6Å*€ÛÇ*€ØÇ*Fõ°Ñm#aå™ß´~¸{{E­û‡+~xwA*ÑØ?&I3B˜\< ËíYbÛªD"B°?ÐLˆH(܈ƒõ\Ï–»y°…8ò“”úæþŸø‰n8¨ÓÝ;$Ј÷Ãfº¶ãɯ¨÷´¨f jÎJäW|ðü%’0ô¦GÍ]tüp LZ‘Ý×-ÞOÀ…÷Ò.Zyl…µa¬l[¿ÚÄá`3à»*çžZhÀmî—¾0º4HfäqçM\°iêYEAHزjq}"Qé`>­¤#-…ìX¸²ð³_’L?ÖÛ‡–f!"­š–¸½ýF½.°¨t\7Dü`Ì@ë8æ3LZEJ‰NœCâ_H¼ª¥ï§¦c…©Š3›‹n*qr/‰{!òØ7õn;ó©gœG” ÒØø;1 Ï\Ó÷‡&Nwµ:b88F Ì“–Ê7€üÌÚ˜b8›-‰Æï=én‘Mëm€ÔO!0.{¤þŠÆÇo^’K™ûf¶­¦¤´.zkÀ…˜2©¯£€%uéâ¸ò,b B Ô¤ñ9NŒÙÐ$ ñ‹†{‹.|*ʪ8aºy Að¨±'(&lvS°beÒ '†/]éÊR;PÅm¹$øÚ?ÑãqÜjQ~ˆËO}:E Ѽ1G¿«ÕféW€œä»wæ‘íC²N’,t&™\QS§Éh°ü¼—õ=9Q ¢"V,‚¼v{\4Ï -Û Z×ùlÇXçC44VF”zî‘7ÙÝã"Z öèoiÁÀ#žLОH´ZƒiX•IÞ¥LfƒùÇÆ4b£ýûx)„ÈØ1A›,bØK›C#l®Å±Í5nêEÄ>YÄ0BŸM¹m«Ùu2ôS"žbvpõjS7i´ãafÙF\BL±€’“ãqÔ2¿%ÿ@$,¢ðBƒØFš*x¢uA‡€ïºŽ€Ò¬ÀLðPD~‘¼Ÿ ‹léå·Ž Gp£¤ ¥‚ÑmsEù\¢ðr«ÓùÛÅaúAâŒäD[ÊÉøHž wIƒô X:X5¹^ÈKšz]Ç`æj·l«Í2N´’‘&€ hUµ¤±Ð%„‡Û´ÕªúO”‚€¹Û" ›¸Y‡é+Q﯎q,Ùý½`/zó>ìŠOï|¹Fd"'µ§Q¥Ûm•, 2qÛ´Œ¸ñàýa¢Y$6\€A4íB‘†·ïGÔãé„=œð<ž~¾.Þ÷ÁÏÚ®šd¢@Æÿ,y -bv©÷Îô¼6™°ÎœDÃ`¦ÅþI¢ÓÙÛVpñÜ|*):üsx¶îIRèÃ3ž3…ùÄ‹¤è°Îœäùjx’˜)h€AøéöS…IrMÁB­©’4 tÊa¼“ÌdçXqYtc=¼bW€“®À\åOK,ºùéÉršq²ª(óœÁ¿骊Òqæ,$³Á?­“NÇ*‡K…Ác©^¬ÅöU—½˜b_*R½à±Þ­_(ÖÏûy4è R±âÅ7‹gK¦§ÉjS6?GUHÇ î¨tB•2«±Ü·&W!„ÍÄ2£°×Ó -½šTXßùT--#°Ï$›¾Fb®«±ª4”œÜuP3§Èí¹CÕÙOk^àUO„Ï£kÏ*ƒQå¿gÉ4ã4«¸aFÛ³ !Ø,\Ìl&ßaÑ´ˆr¬8ÄóÕÊ_·õõ² -!8aO‘>lj$&FÐê«È"L#d/"PHwŽ„>pUœdAj!šöÔ¤À뵓 -ôÃÆ …Ãî¢~ÂÏ–u„lˆQi‘´îšÇËaÛyŠ7ë¡É©Ré*Ö܇1ɼjÒC‘I¢²òyò÷‡ZH¬˜UöŒD‹"g"ÏÉúÌ–&€L+­Éü(He×Éö¨íQ½íQ*Ù@8ȱ” -r Š»ë¶žÕKB},W(o'…8ÕU ½nËu2;.}¸ìiŽ Hñ¥l!è/Ê0“³\š³Ë“6'4~Mo÷øß –ÒÓ‘æöHj¨¹Á‡T1Ï©"Â(Y¤YHaü¶‹Á¡µCÁ` ë$©6rÂm¬ï¦šszT„M™3ZËÏùè,e?õG[ý× ìQÎÉÕ—d×@‚p­P6ÏŠ Ê1ãd‡58ú¹ÁcLendstream +xÚÅÙr#7îÝ_¡GyËêðì#o“‰gâlʳk+µ›ë¡Õ¢­ÞHjEÝgöë À>¤Öh’IÕ–«Ü$‚$€8$'þä$µ‘Й™$™‰¬vRl®ÄäÆÞ^IÆ™¤Yë«ùÕob5É¢,VñdþÔ£•F"Måd¾üiúú›Wÿ˜ß>\Ï”Ó8ºžÙXL¿º»ÿš }^¿»s÷öû‡W׉™ÎïÞÝøáöÍíÃíýëÛë™ÔÆ*  ™Äïîo éÍÝw·×¿Ì¿½º·[îK +ûýíê§_Äd §ûöJD:Kíä:"’Y¦&›+cudÖ²¾z¼úgK°7꧎±Éê4²©JFødôŸlÅZiϧۼXÁyâxº¿N§‡µ£Îó>ß65µ«=~“éÒmKǰݾ|_®Ý³«/Ú¦ÓwÛ‚§æôÙ¸ºÎŸM]å<¯> <Ö댗7ÅÊ-sy+7ÐKÄ´Y1åjçöySV["ZÖÈ~àÁLÊ(³Vù•›[–yãüiFGñ ¤)€þ,Kjç[nl+ú>ö°æžfð^jÆÝ_Ëtê¨ã~Ï7åÖ-FÅÓWíø²&*Ý)ø²r[jÑÑ Q—Ï[Xqä<4ɘ„ñM:-áMÙ| ðÏB(·^ÞÐX‹´Í7ŽzDÚñ¤O—[æEQùã.sº\{)›Õ•æÃnH‰·‚¬œ‰”“æ‚ñó¿ßþ@-÷{±Ê·Ï<Õk;.±p×rê'Açhð-hvI&[¯XË–¼QLjÍÍYaÒFô.{È<ü¶Ã²¦O–§×<öÜÎñw­¼>"wa5b¼ic“:Ì-èàýYž£#×ø 7¡²pJj?ð¿x“$=KŸIx­*Þ"†zÄÁ“` iˈå¡HãEàG¢(°(ÖJNˆJžSÿqñüøýúþ‘FIi8ç.ßÖ`áé¦gÒÀI´Ê†Ü¨‘ za“žÉµ^×Îw;ÿ jE ÍaÝ”»€ê9sÛ.é!ÓÚÛ‡SŽÂæ"u™¥^ê4Ö',…å6‡º¡mÕ¶ÉÉ€‘q˜g¿òuÏÌgªM^·Äë(µÂu€¬Íkwz™E2N2ÞckÀÇ#åÈa?éÐ0ôyŸ¯ÁV|IDlµTFZ·¬óæít%¥£ =&Bº!c¢,•A¦A°~G³qÇ>x°Õ›ïÕ ÐÍgHL!,6Êü¥Ô]Í_%@´>¶ö 3Î ‘U½pøŒY`LÍ¥×àX€FÕökdr×IdO.S0€ßÖoÒçz¿€ÞoÂÆÐoBHÏošé,i㮼`<õCÉ£àžäž94}s#l¡ÅΩbÙGL–}¶²ßÇPìLkЂ\…’Mf»ñSIöþQ?"Ž½‹þ<áéä1ÕQœíO'fœ•Gcb8{é´JEÒ‚ÓûOb̘ɬç Ë,î.GèB±å™‹ãt]â E`{¡P`órlÇ:[¤•¡@H™3¶(Î"xÐ’Oð¢Áï7™>¶G ÒêŒæ¤›Ôè‹š'uv¢y°ß’÷AqÅabˆA2¥Hy ˃×N aeu õµïÂ7x8H +-?Â÷Œ6 À6µŸÄƒœ?fLlMǘ¡³ ξhý3ò4SiI%ãáÝv¹°jÓ`56UÝ‚[[†ž¾õºza 8­±¨¶L‰£c5Ý'½Ø¤†Œ_ªY,Á¼uÅ¥BÎ㬸Ad›2ý!¾‰T÷h÷‘FÌ¿õ:ö)Šš vóš‚q£ˆÏEZRA(.ÒOŠÑPsLB2åÄ +5‡)0í…êô¾302"Æ‹ŒæéýmôÊm kÀ0IAjé·Ø¦Õ‚;[äµ;o{ûFíó eg{»d÷ÿ#ú‘`¥t¢@álHé´Ÿu?ɾÃÝC˜Ákda°üÑä»°f*HÌï˜×ùzݱº¾ù˜7§Àm©þ¸3ÇiVNAp>õéo€>£)1e—Ú·»LÃ,³,)\€‘Ÿ•2¯îÀ„ NdA0².ž‰ö|ØæßPïeUúbN†‚„÷•Á=¸÷˜„ÝSo1ú‚ó“9äˆR°÷UãB¢:o8ÇMÑÏêsò»iÜf× óØ›|Éék÷¬µ¬]Ã0:I9½ + 5¬ëª(9–òiõPmÈ»¬z›AwR[ 1]fÄž[‹_ƒL?…XËQÌû¢eÝ´‘ýpƒ]…!b}Sðhƒ¯f V‚\ÅšÂPŽÀeBLôOž/–k×M Ü÷SÁ{™…©‘äÉ$œãWW‡}áBö¸¬»Ü”op†¸—}ø¾æ ðPmFlæ|L”iz.¥¶x ?EÃÁEO×ÄãgGº›MÕÞCªØtúDý ?¼yM` YººØ— RZNå".x“A}©‚Àœºtp¤\0öCï‚5éáÁChâxý X4_¥hL?{Y@XÉc˜½Çò¸¿¥¯‚!”v v‡Åóø>€Á¿cøÒ‘¡Ž¬ ¨UÜcLð­{!¼Ô*Ïä.lˆü6/#šÛÞw¹Ù­ÝÆm›³Õ1ˆ£V‚,tåLÿ +ÕU˜ŒË-;Yȉ•\g÷òÚJì¸h^¶WhuÒöÁ6{i"é󠦱œQª¥ó¥)ÍUì¤ù€zí =@Ðß‘&h R-·OX¯ ò®T0«8èÍ?6Œö +{ÑØýÌWìðÒâРB‘[‹JÝâìJ÷,"öÉ"úúìò}SÔIß!¸lëYEµÙUu Ö¯Ìä”D!Äà*mËÇÃZ†Eq|ˆ… /4Ê^eЗì†óø¶bVýe Šz‡É… +a‹¾àÒàŽùåöïCYpÁ•Í )h©`t_ßP$8¼îÁª°_ß¹0d'ÚRÁÕ×PEk€¾KTÃÓ I]íùéèÍì›êy¥˜'€ØgS6¤±Ð¥ 7·kÊMùßðKÄ<ìñ +k^¬ÅÄ ìðw#' vàçñkÞy|}ññîË÷ F&vR{jìû2X¼Ä½/ãm<:w"@|! „R‰(‘Æhpÿ<¡ÆCß“ø³þ„SWú”.ž÷ÑM›GŠ#DXÿ$l‘¼ue{:ñé[¬ ;1°˜i9Ü ?:ƒeµ…'^ØOeE‹i'tϲÂïÉŠ$ÒJ|”-Ö…œRkK\p¥"p?Óa¨0ï²Ù`¡¶§ùì¼ïï3Ù>,=¿ŒŸ±/ÏÔÒ$Šeÿùˆ²ã‡Š ¾2µñÏDëÞ}öÏ¿ºŸÀ`ošª3bP¤åf{rááwbŒÕÛúÿÒßÜ6endstream endobj -1109 0 obj << +1112 0 obj << /Type /Page -/Contents 1110 0 R -/Resources 1108 0 R +/Contents 1113 0 R +/Resources 1111 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1067 0 R -/Annots [ 1114 0 R 1115 0 R ] +/Parent 1072 0 R +/Annots [ 1119 0 R 1120 0 R ] >> endobj -1114 0 obj << +1119 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [341.1654 318.5226 414.8187 330.5822] +/Rect [341.1654 116.9088 414.8187 128.9684] /Subtype /Link /A << /S /GoTo /D (the_sortlist_statement) >> >> endobj -1115 0 obj << +1120 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[1 0 0] -/Rect [434.6742 318.5226 508.3275 330.5822] +/Rect [434.6742 116.9088 508.3275 128.9684] /Subtype /Link /A << /S /GoTo /D (rrset_ordering) >> >> endobj -1111 0 obj << -/D [1109 0 R /XYZ 85.0394 794.5015 null] +1114 0 obj << +/D [1112 0 R /XYZ 85.0394 794.5015 null] >> endobj -462 0 obj << -/D [1109 0 R /XYZ 85.0394 528.8329 null] +1115 0 obj << +/D [1112 0 R /XYZ 85.0394 626.5613 null] >> endobj -1112 0 obj << -/D [1109 0 R /XYZ 85.0394 496.7273 null] +1116 0 obj << +/D [1112 0 R /XYZ 85.0394 614.6062 null] >> endobj 466 0 obj << -/D [1109 0 R /XYZ 85.0394 496.7273 null] +/D [1112 0 R /XYZ 85.0394 327.2191 null] >> endobj -643 0 obj << -/D [1109 0 R /XYZ 85.0394 466.8716 null] +1117 0 obj << +/D [1112 0 R /XYZ 85.0394 295.1135 null] >> endobj 470 0 obj << -/D [1109 0 R /XYZ 85.0394 410.2137 null] ->> endobj -1113 0 obj << -/D [1109 0 R /XYZ 85.0394 387.9025 null] +/D [1112 0 R /XYZ 85.0394 295.1135 null] >> endobj -1116 0 obj << -/D [1109 0 R /XYZ 85.0394 301.5861 null] +647 0 obj << +/D [1112 0 R /XYZ 85.0394 265.2577 null] >> endobj -1117 0 obj << -/D [1109 0 R /XYZ 85.0394 289.631 null] +474 0 obj << +/D [1112 0 R /XYZ 85.0394 208.5998 null] >> endobj 1118 0 obj << -/D [1109 0 R /XYZ 85.0394 109.5064 null] +/D [1112 0 R /XYZ 85.0394 186.2886 null] >> endobj -1119 0 obj << -/D [1109 0 R /XYZ 85.0394 97.5513 null] +1121 0 obj << +/D [1112 0 R /XYZ 85.0394 99.9723 null] >> endobj -1108 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F56 618 0 R >> +1122 0 obj << +/D [1112 0 R /XYZ 85.0394 88.0171 null] +>> endobj +1111 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F77 707 0 R /F57 628 0 R /F42 601 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1122 0 obj << -/Length 2987 +1125 0 obj << +/Length 3068 /Filter /FlateDecode >> stream -xÚÍ[_sÛ8ϧð£2ÓpÅÿä½eÓ¤›Ým’³½w½ÛÝÅVM]Ëg)I{Ÿþ‚²e'–²w&Ó™„(™@àáƒþñ6ÌxáÖ+¦S®“/éàž}8àqÌQ3è¨=êÇñÁgF <óF˜Áø¦õ-ÇRçø`<ý=1L²CøBšüûòâôðHè49;ÿ(.•ÉÉOÇWãÓ!=0qèçï‰ã©9¹¼8;ÿðÛðøЪd|~yAìáéÙéðôâäôðÏñϧãÕ”ÛËâ©Äùþçà÷?ÓÁV÷óAʤwzð”qïÅàËÒ’i%eÙŒþ¾ú`ëixõ91©”3.´Á¤ÙìüYú‰~6’R3g´ÞúÕ#žzÆá?½ŒK-W¢W²%zÎ5SάöÌH!ƒèÍ!ÌD™äüêÁÀ²étyÈ]’WˆZržŒïŠŠžM²9×9¶<ɨ»È–u‘Íž|€ý‘ê4¬îoðÑi*¾›Ç7æÓø¹9ji`óZ X'§Z̧}wR%ÌC‚iÔelïr"æÙ—H=Þå4»|="έ¦^y³õÙ#gOqbéæ”4²½% ˆ $hoÊûùe™úäôë"__òyÍ"ë}^M–Åu>¥ÑE|{xvB„p mëUÚ2Å=¨³¥ô×’TŽIØ”ƒ#!™ïÜO>Ù¼±Û6SÇ„Ð=¦ Ÿ±Æ82ͳÑû”pi2+')]8t&œÁĘfuvU9±«|ù/Ñx·ÛGÖZàƽGPœ;Ù¡„õê^'°µšÙ¼ü“Í;u`¼aÂx×­ã=sÚ(RÂÕ¯ànµäÛ»:Ý0~âÌŠª.#}bæÀj¤~È“)"dÉE‡ÛÓH¶¥Ì÷*e§˜äÊöHÙYæSN^ø‚›´ÉÌÓCh»+gÓ(äè6§ÅmQ7þu’ƒ³E±ÃžÈ·„»-Yv#\ˆ:®C¸­YïK¸dãjŸnĘ”©Tõ„8c5óʺ8¹8þPBå“b -d—£€­#¿/¬G¯]΋I2t)Ž ¼ Œ ^úÙ¬ÈBdôfCìð¨ˆCРwºXŸîÐCkûr%Ê2'Ró>IoØ=pÁ´“}F®ƒÕ’?õ J†ùb–M‚¼Mj°Ò  §å—,ˆè¨ ªE>!µM‰ñXÔwDÚjŒô[o0Ø©ŒËÒ ˆ*ågü ô2¹_¼ ±&É@¹AñϾÑÈ ób~{szmi1€_Ý_×ÔÏi@žÀÅ3ðaµÖT63O¬$CÌe—ìú.‹C³8æ3k.*C;¥çYEÏèT´t`L0RnL‡6J0tp45i,8’!#b—£YycE‡u·Ìæu¦ø}eš2#\Z1©b‚Gá}¸º0¢àµÑÊX«-ÞÎÊëÆ‹/ʪ@Høè~‘qYåÓF¶×ߨýõò¤C¢­©î×oïþik˜åNtKT{Á„ö>Hô§ó‹³KlNlûmá¼^ýF%@ "pÈ}•GN$¡æ®$œ’nš3< æ í+x{¥ûràß!Âb˜KmÔ¦˜$¬û|ôrjjýMD€¢¼ˆÎ]7- 0¢sŒœÂ?ɃµXÞ^ä~u±ßÍ!sÞö¸­SM‚ ~9ýâru]Fá¢D,!F—,î¯gÅ„èÏù7"²ª*' Æ)õcÅ'ôòû‹õ1ᑪ[-üyµÖìÚ"­õ¾eµ€÷Îöù,‘2Xù¬_>4‚liËaò=Ð.€È¿N ¢ß†ðÝ›25[€"e±R†Úœ&ø«{e­ !Óe´Vù†sWå%@É]€§b†;rW6a‹(sA¶šöJ@qØùp5j0ÌMÙ“F­Ü³¦áBÄ^ù°]nÍ|_º)àì±vˆÓåÆôø À7ÌIµ`ìÚómc—©Fc—©IÞΈj¬zA!8ŽªnÀ!(Œõk“câqst]ÔDÇPsC%½£ÝVŸÏ <Ûä!›ÝGKx³ò‘ ´Mƒö:¯ë| wп)g8jŸ~£6âf`Q XÁ.zR“Ðr¼ÐмUï¶m¯v´õ·¯2à÷ØÆJfæ=ù»‚)Xoɧ^_‡`©LÁcaä¾¾ƒÍ\kÐt1]béÿ/TD<ׇG<éjkºû-9íWªRn6¼GªÒ0§„%©ŽŽ¯p·9ÓÔ˜æyýX.?GO™/ŠI#ëÉd]õCAï1ˆö‰Ã´©éokÞo8yQ@I¥{°²Š9ˆQ¼LS_2~e°ÖˆÕÔ˜‚¸AxÁAA7‚¿~{å%|s£ê”¾ ôxÖ -÷[u²û¬:IÃké>;‡”Ø[K¸ø4(@ÆtP§.øl`NOˆÆƒ$zÐÄäžb Ö~hô´ÀJ+=¯ï²šøÃaE¡h|Øu|U>ÎQ½ -SÒ»Šù&r2j°²›O¬FA|E×ö€…äOËø•²&"ÿZTõö÷ž Fÿ-çáŒËPªŒÄzmØ{ kCj8¤¶þ¶!óŠõaÚ*cæG ŠèáÓÔ†I=WõZ°Ö¾ vçm³ØWUé;¸)- SÕãF¤–Œkä(«ù´‘> *cWq.tÂá§i•@Ñ9àQ,±CõÑDƒDSoÄañœÔXª7‚ ¦ùÑî,¯w:˜öÚßpÊ'¹d6U=(X -Ï„2dÎW˜ò}Æ=Q>ÆXé, ¿Å¬=öm>æy8ÂtQlÀuB‡ÊWÀùÄÀEÞfád§oéÝ>ÜtTIÚ‹~Ã+ȱªçY“Rt^݈â-¿4E*•&M 9\UÎ+êDY/€Q\‡Òºjb±jª¸@¬cqÚ/w$$ÏžîÜD嬶ö¥¨ïJÂf`^8Ó­(á8SþHQñøÓàa?í£û:?ªï"}‹e*ðZ×°Bü0MZ&fU˜C4åIMÏ0Zb¢eœü -Ьˆ8 ‚ón ®¯@pWü;œ¨1z«€¶jžÎ>¹Šà¬[9Ü­ù*+i‰ÿ _Á¢T - é±HÀ¢ŒÎ?@,tÞ‡tþ!TUÜγ:Â5dP*o`[NÊ9"© -{.Ü! -Q8+&T5 bö7k¸;t|éX'tiKá ÇEYO{‹œå)¿]#î–úÉ™»nÎÜMRÕ¬ NÙ)…†°êƃUÂÏ9I¾Û:W§¬yÍñMk¥o8r'`¤íq±0‚Yé©Z7jüá¤Q›Q‚˜³kð¸HBÏfÄüHù‡3À€ë‚9:?†¯Lf*˜Æmü¦éô‘n\oŠ6QÆkjÜ[6nÓ¦æ®]Þ/©;¯gñÔá!›[&²ºëño»þäܲ’’?÷é ÷JêKÿaý7Ê2év]¾‰Ú’«Y…?É0OæÎ!\H#ž›üÿ?ÚpÌendstream +xÚÍ[ÝsÛ6÷_¡Gy¦bñ ðÞ\ÇNÝÇ'«3¹kû@KtÄ©,êDÚN],HAŽI&µ2çvZKöó· šüËGÚ$&éȦ*ÑŒëÑüîˆ>À³·G<Ì™4“&ñ¬fGߟ1J“Ô3šÝFk¹„9ÇG³Åïc“ÈäV`ã¿»<;žÍÆç¿@K¥ÅøôÇ“«ÙÙ”˜0õ‡‹Ë7DI©9}wy~ñö·éɱUãÙÅ»K"OÏÎϦg—§gÇÎ~::›µ[ŽÅ™Äýþçè÷?Ùh§ûéˆ%2uzô–ð4£»#¥e¢•” eut}ôÏvÁè©õ96)Æ.´M¤Jüþ—ü¬T.±Ìvü,M8OR­{Ö¢÷¬ºÍûKM8Kÿ1*›ky+F%#1r®åìÈjž#­cù¸Î·Äôuv—CÏ¥v\/s¢-Ê»¬Xï=‡ÞãÞán†íìiwQQ{[Þ¯ÉS*mÅSØH´Ý—±™-A5G!“´W1>[²y£›«0Ãã¸*SÜ‚ö\­?m€%F=΀{R¨q¾>æãy¹È4æfrSÔØ—ã‡luŸ¹^fXmòyñc"¯šG9=¡Õ‘TÞÊ2H,dùÈIâU«i¸³ª¼÷sæAdô¼ômŸ¬"&¼Œ±;Yø`ö+–lÞ蔕±:I•²há7ˆ#³Ù/ *=–LŒëâ.ŸÔådU¶ˆj½¨¾ƒ‘b [ "aÚf[ÜeÛbõ‰†÷U&Ü +‰»*Wù6¼ÆL{h}9x8*¾d@k³¹·pƒÇ®ðÜ +ÏHžØYäÕ|[Ü ºâpY>b‡Wåú‘²f‘fÝ5unòý ÐñýÏ.HMoòÛ2v9ÈKl«ey¿jçŸUTóŒô9ïÑèXU^¦~ßÔû-&õ€÷1Æ&ÚZò>óUVŒTŠÜ”à~ß##ß#w¾GÊÆ÷À„b‘¯ëóg5Ïײ.ç劦Þfw¨oJ\†èR¬«:[7nÇë3´5ñ²=‹Xq(DÔA%&Â5 1%1iú†þïäx¢Rܽb¦µÙãVLY)ZëÈ‘6r‡"Ä·ÃØÖËè"¡·ð|ÁÞL3t&=aã.G¯»×0x‰+lBÕ¼GxW%¼fû{hìeŽˆøA‰lÂì>xü D +ë@îøjKŒrúÑ \íDqÊPŒjÖm¹Z•…w¨h>Á'Ó¿?‡¹»enÙÁÎ[Èùk¬2ÞGBd\–ºQNs±Æ‹QS;7¾XÓÂ0åâ’Þ¢ ¬Kƒ&ëÑP©%ï M‹"àÑÅÕ3¿ökÕ3öû&ÄæE㌃xÏO©Ñݶ³äP¶Û@¦?Zòĸ¡ôGÃI… éÏ ü.Pqdèƒ Vµ'6ÉÙ0ûœ3=ì‹öu¨<áŒÖ_±dóF'ûT +3Ðô³$+yÈsN€cF€êw3„ìÃF¶Ž¡oö­‹lõÙ4ɧhîoñ†š»ðC0—[w[@±^!Ù©‹ÍPƒ–¡õæÊq±å¸–ng„½Õ4òyA¼ÀÞî‘€»Ç§Ï lB=y|`%1 :žIІ,Ò…t|öq“Æt–­)ÖM˜]„·I7¡#ð£S7c¡¿L‘¾)¦RøÆù€S†ÿ¥%©æùõ›À´…à dž‘Ð…ÓæœÁD@dt“U9‘«|‹ÉpWqû”áHÚ1¼GÙž:°ª[Ñé^±UóR=”\+ƒ5üë$‡àS³f{ÚO”UQÕÁá>ÕóÈC¦Ùá†%}\Ž¶(7ü Šx +g zý\Ö<Ñ.$|§gÓcÈäg>s`@V‹j/¿ZŠºq°ó|K¹E>à€Ù s…–®‡¹Ñ®_q-O •°” Ä8%ÓÄHAŽäôòä×3f*}’¤µO›¢Û.×ÅÜ3†¡X +=ïn`¦wë0pùИš=¶Ã£"LA…îô-ýP->à+®ÓIkaÒ!%‡ÖŠ€`ƒ´Sãi¾Yes/,Vƒ’z)@¿­WC?ˆz»Rê‚E½¤H­^ú +øÞ :€qY¦¢Jù—¯¨¤r|¿ùÎÇšqîÊ-‚Œ‡ëp8Ó‹Ü'm~´¦wP•Zˆôêþ¦¦qN<¸H \<Ú³2Ùìœ)8kæ‹,@ÜfáhÌוÃÔ,̃ý¬š‰{E`zžUôŒ~!”#0ÇHùL¹®ÉÛÛ€`8”F&ÔÒÂXѭܱÖªd÷ <8¸ +€ÈÊö+·„ì9eœœÌÛ«wF”¼v×ý÷úaUÞ4N|SVBšà¿¯ï7·U¾hK¦Ÿ¨ýåÝiG£­¾b·-KS%5©CE9úãÅåù;lNûÂruîU¼³±Ýxs³*æÔÿËßA'«ªr^h\Ð8DQ|B/¿¹¼¦1†£„îþŽX„î3‘ø¼¯ØD„q‰±rÀg §ÁƒkøùýñÄpH–ž8,C¾’tòsˆèþ‡·eèPí{$ #Za¨}¼iÚËÇgÝÔNB²aD§§;Jf››QìboU>˜×íÐÞäuoCéÆt;ã¥ÏÂ;k>¦] `¯ë!Ü…IÏ€jbªNÀ/ԴԪᆰÆËïP…ÀoaÈÆ\jõ€šq­"‰^ž\ͦxÏ)ão˜²ûz Ö\jð4~–±Å د(‰¤\Oø¸‡«Ñv[s:he§³ŠUŒ%Z¤ÄÔë“+46gšÓ:¯Ëí_ÁSæÛ‡¢¹ìÏæó]ÕùÜÁaàìgÓ²ž‹•xÛ‡Í^ +и•ƒbw.ÑVºÀ]¦)/™´U׬öß$!©)1ynï¼{²¬éîíÖ;JXs¯èÄ:@€Øý¾#:àakNæ5'@¿µø€’sȈ‘„“/ßÏ<!ÔÌyG€-à«ë³Sêã=’f)~žE_iøÒÍ^Xg¥çô… Ò§ÓŠ:¢ñaßíUøLSA^JbW!ÝDJF Öu3¢‰v÷Ÿ›m°n€ôEV)kê䋪~ºÞ3‘è¿åÚ_qÊ”±³;Žéë!èá÷]ØÒWÐµí‡ +ž%~D pî—¦Öojò\Ñ«…_ ªý‚XØŸNÄjqØïÀëD‡Ån«S‚œˆzÚÈÔ£)cÛçþêÓDPt xKd_{4¼`§©6â´pKj,UA Ž|Ò­À/ùü :ú+Î÷¬…—Ùþ…Ô5•‚>¹Âlt³ùúí`0FIgöm6 éa0ó1Ïýí¥ <ª‚(T¹ÊûD1hû5“N´;h:ÜôH¢#¿bÁh ¬gCŸã¥ "¤¾W^0ÂgvøE§7-¤nU¹®h½BqãKꪉÁª©Þ*Å`Ö\+÷Ø˳WŸæÓ[ÆŠÎÿ2–‚v%~Ø©K˜²ò¹¿–`£A|ú¥›±ûûp¸ÒueïáË:‰ù¬þ<Å|ö§#œ%BÑN‹6ÿ?’ Uendstream endobj -1121 0 obj << +1124 0 obj << /Type /Page -/Contents 1122 0 R -/Resources 1120 0 R +/Contents 1125 0 R +/Resources 1123 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1067 0 R +/Parent 1072 0 R >> endobj -1123 0 obj << -/D [1121 0 R /XYZ 56.6929 794.5015 null] +1126 0 obj << +/D [1124 0 R /XYZ 56.6929 794.5015 null] >> endobj -1124 0 obj << -/D [1121 0 R /XYZ 56.6929 75.7394 null] +1127 0 obj << +/D [1124 0 R /XYZ 56.6929 579.9063 null] >> endobj -1120 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R >> +1128 0 obj << +/D [1124 0 R /XYZ 56.6929 567.9511 null] +>> endobj +1123 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F56 622 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1127 0 obj << -/Length 3270 +1131 0 obj << +/Length 3381 /Filter /FlateDecode >> stream -xÚÍZ_sÛ6÷§ÐÛÉ3Jü‡»'7±[wZ'ç¸wkû‰´Ä†"U‘´ê|úîb%SqrÉÍu/_ß\]óãíÅyNï®_ßùöòêòöòæååùLê0RÀ@3‹ÿ¼¾¹¤NW×ß_žÿz÷ÝÙå]/òpY2Ð(ïïg?ÿL2XÝwgÐ&&;¨B£&ë³0Ò" -µö”òìíÙ?{†ƒV7tLMa …T‘žÌt(Òx|Ä´:LE$GÓþw£¼$Ád&¥0Qô h\¼¸èG²½'"Œ4~˜ˆ8IdoüPŒ/C-R­£II¡b8ë_ƒ!cÅÓ»UNÖº®Ú|[å­86Y6Kbp¨á<Ÿ';jIƒ'‚i‘ª ù–~ÄIuÄƈ4ŠÃçÔ¡ Êñfç5©Æ]ñú-háÔe<µç³0VÓï/n° §›í¹L§u[/ê’( GÉm›gD°-ùáúŽEEß5…u‘ÍPÉ PÔŽÜ;Š"M4°—4ð¸µÄ½|ÅÉ´kp,Ý×[*mC…UÑ´õ¶XØ’ê›n»©›¢5w-‘‰á!#”¥wMŠþœµ[”í —¡=mòíC¾¥–¢‚ákÛuE„÷u•70eèi.–âòþê*JPR û¦Ä™€YãÛMf}ãNæE•§[*-Œ <£ÓŽ;ôˆÏó²½ãê"I}K?â´ãÆ°˜g76R„i’ºEûö±;~›ƒ3´vNm…VOíƒ4^±È©’åyYoœ'@uþH_p\´<ß»ÿ–/Ú1‡%W¹Ç®,F•N¯ÁÍ´Ï@ßQš=)mM”fÅNÍ\Úí¼î˜ÉƒÝuÇœšÇfvè©äm¾n(‚e¶µsÛ8ÄzÓ-VT²Ü¤ÙúÖ%­­ÛxÂf[`䮶ʘKM_vÑqXîó¼aï`û|öÿÈT2†è˜(H™*Ar˜XŸ$XÄ°]L>¬cI}‡}öe*¢T’]Ò -4¼«\`be×L$G‚Æû6¯˜´Þ”Å¢À­u:ÝZp@×®,wB¯*ª%U< ¼Üb„ÄÚÆn[ÏÜçYoo®jæœÿaaÚœç\ÛêqÌInÜ‚&Ñ™ÒÈÍ»­léâ84¢pTji/äÔÏu ®l³"JÒi·h;êØô xüŠ‡fÞØ… ûF³q±²À±çí-3UË{ªTu–cÚ eè,2²8’` ŒœbU(~•SeC¤~wc…ăÂ/A þp‘z¯r›¡Å¨! -ÚÇ8„tZÚ¦áòÝÝ÷Ð*©ßnU¸ÝRlAÒ¢®HzyÕR”@Ñ^<Ï‹âQ -v^æc¹ü÷< -wûŠ°/þ»`y"çi}§@µ§2šªòbÑF…Ï{·î§¡ñU1'ü„FÉ–²eÑ9÷t;¾þÈ3¶¶M¾uÀ¤Z0Piºå2o™Ðî§RÞpt¡†;¯ê®dà3çf8Ê'…Ñ^" -Ûrõž¾™}d.dÇሔ„𱲪›ÖÁ®xzÍc-} ÚWËÑØFV– -õÝ‚Ãnðü‚¹-Lýd†= -O‘N³nAàÎ v"Y ã¼fÐh€µ¢êCùâ‘HY·åìM¦±ñ}q׌R ¸²íÉ1ÆÚÅ;îƨ®ð‘ír”lÙåž\–õ®Ì} §Éâs²Ï*xKaÉ¥ÞاC $"5² §Çœ3°ŸËÕ1,$,ìv[ÐÙa-~¹­^Ïqã2ÙsAêö‘§iQ±~`Åœ²zm½ˆ$1¦ñþ® ïTó˜¹Oý¨9ªüÞA~v¸‡ðwvˆÈQ*ÜÔ¼±|hš÷Þ®G¶xuóVðépxëÂk8LJ¾ïÂ*)ÔùLAš—R¨k;w^Žàm¶yÓòiMðôè ̆-9æd'£*€ -•7œ$@nõ†Rvè c”Ç„Fq«÷ƒèjñ.oy'—QûVX>õ^Nà^<ì1òP®®é‹žÒ‰1â«b¹¢ë3…í -¨1£ -˹qG[hx#A¡‚êÓ-}³&A©€Ôš¿&•ØûÄ݉$´iï%ã‘yC5VÂC‘Oz{õ’FÊ@‡/Æ‚#FÏ‚wûXæ\„(UÚ-U\ð -úàøÔ†46໶Ÿ?/'Vv– 9[?æ‚~*‰ydç'e‘ T"äen.iÀÁ{;ýЀ¢3 ·1lªhº®1£)˜šÇÆÆAŸÖ-ç^wAAî€6¾¯{½ÑɆ%>Ûá:BI¡óþ>˜¸î5‘íC]x©),;4Í>ÍÖ0„FÅiF"-C‡^¹XÜ«ÄU÷þ•¬h~Ãluê -ǽxéîÀ®“ý$´j,Ъ“a-""·rç3–A0„Æ:98@?|òØK}r]à¾dŸÙ5œ`Û~PöY{HÑg¦1ÜâP%¹öè®dÜžØ8 3»Lª‡ž!gÓð)â ‡ˆ3ä¨çÕné»_7T0tò£¡ø®ªwež-ó¬úSË^àÞ ì0ž©Ž4†ËUǕﺿ¦ÃÚŽÇ­´p,¤ŒzÀ•R_4×s1êÛØebÿ~|,µabÒ‰RJD±ù¨‹Û8q¬¢O¼¸õä‰Q~‰'F^db˜sx­{ð¢ƒOi™‰’¡PA@oj×o¯Åå«ñÎG§Áô‡ŸÎg ¾É(Áÿuysy{!únÇ—ëFŠ$Ô ÐÁÜŸùìšü¢°^CÒ¤"ŽÒd\C*4B…ôT  i§¡§*¹ø©WÈI} gú ë#Eèè‘D0¥ÎCpOP«Ä ŽT*Œ‘ÔiÍ æü¢šù¢{I&!ˆ›†ÏxŠLRÏ}î‰ÍëæDPÁ€ù_Ø9b%ÞÏ9G ‡vàœc¸7ä ]$µ¨ä´Zþ…Õ"iŸqŒ(¡ -ãCÏð»CŸÖÁžûRÁ'p]‘>ÁYîåÚã,¬ð;våKOfE׿š®péŒgs÷Z¤ª[Ïé–Xó…$Ý»òk€¤û{9lÂË•ßâÙ,cÖ!wä€8WWAFG×oNð ë…Ãk<¼°GxJ+Z_„ñþ˜å^~0PÇGòãÑêöí!KÓôKó˜Îç(Þ®>Z·<·þ—û£óþ¡vìTœú¡›Žþ:mägiÁäÙò±?‚Ûÿ0L„NS5îÛý`¡Üµè“ i|œWɈèižùéendstream +xÚÍZÝsÛ6÷_¡·Ò3Kü¼{J»q/MzŽîÚ¹¶ Kl(R(+î_»ØEÉ”•¹¸sϘÀâk¹Ÿ¿Nø 'Yì2&iùqÆ“buL0öíEÈs¦nÒt8ë›ÙÅ×׉˜ä~žˆd2»ì•ùA–…“Yù³÷êÍËfW·—S^â_Nã$ð¾¹y÷š(9=^½w}óí¿n_^¦‘7»yÿŽÈ·W×W·Wï^]]NCÅ6¼ÅÞ¿»¢I×7o¯.}wq5ëY¾VHä÷÷‹Ÿ &%¼Ýw/ó,žì øaž‹Éê"Š¥GR:J}ñáâŸý†ƒQ»tLLQú¡ˆådš_& ›“ÇÒËMûYÇG§Â[§~§(z)üPƲ}$¢#égRÆ“4ÎýD +ie{)Sov ìd·¹ 3¯ÝvzÚ-¹½X‚“Ì›WMY5 êܵj,[Ólæ^·¼ =ÕQ§li¼i;ž¨î5µº¥®64«Ý5¨”Iùyã«„Ø–±²²èvˆdîíªRSKÑ€‚^xîvíæ#•% £ XA–¦ÞÕ§µÞT+Ýtª¶¤Ì{­§öààðHSlª¹.Édª†íëú5Â0Ã:2¢¬(E5eÿeú”QæKðÉTH?Ò2méVœ6‘ ó…ˆÏYìo•Y©|¸ùÜ)Ësï— ~"2Õ¢QÝ–$Á„‚Ô+ZsÕìe^©:E-µ½7]U¨Œ$0>a€F¼çi«xýîƒOêx­ŸV8Yü„ºörø2Ñþ©ÚJ²È—a”žQW’ç~'©ëýKPW$c$þK>šÆ$j‘&žéÔ¦#Z{G$E?ÚF €êÚMÕ=\†aèôe–HæXéÃ¥?¢; +óðªOhdø®Ï«’èYU’~Dçbl’Æ~%ôân/ãØû7&¥$YAø\©®jAh­ær±™x;]×DüØ`t´Ä>Â!ÝèÍ}U Bq=’\f]+¤žtœÿñ½ôs'ÍĪÈà¹Tå åó·towZU°yå✪b@ ¦`7ûi†j’¡×éO ƒóPkŸ%¦žákðöeïûçZ»0'aó3"Œ@sAâ, D(Ryhé±”ÎÒ±¹[VÅ’›Öè±ÅFÍÞè±ãŒþÅiû6[ܯ =?|?ûá2¹÷‚úÝR±B=Êv¥œÚÌv½n7Sî›Êtó +D 'U8Í_9‡àî\ÊOÂÄÓ€@áO"Æ”§lûkUˆ¡H›‘ˆl‚ˆDìýäãt¤ì±a1a±ÓY^ ¾ñs)féÏÕ¸& Ò£á[å “Ü—ÊÀ@R?Hk‹G5† ?y:™Æ©ôÃ8<¡{WÅqì‹0K)Zˆ2¾këºÝ!ä9}'ƒ• TLyÁq¸¤¨ª˜æœ r_H`„æY@ÑÇSÓØ+ôh”eOeíaÃsž+{¹jèëaȯ`g¥æ~*Ãœ¯" ðå™ô^-Uk@˜…¥!Ò–A‡ØƒÞ4}²‘f/µ*mŽ°qÐ=¬-Ñ$¼ÈíÙì-]â<® qyÅ'mc «ä£> &(¬‰=· Ù£)ZÔ¼Öc…ì}™»}MðßKæç bÄWëÌÀl´v8ÕAÛ~lãÎ5I™+qüž½ j$ø p³ÒŠ4!ùF‰dÂ@éÅ^òÕ%u¬;á½Ï®V<½®VUGDº{+lw<ÖÒ)”X‚zÇ~¡xù¨×¼KÕœT¨b©Á¾ÀO³¥cƒN±µ²¥k¬>Èœx½FÿAšÍ%HâëGH÷š†èZ[ăŽ¿ã7 u<Æ›«ÚðV(‰’ˆÀj¢ $X„£sw0I×éðŽU¹d5„ÞºÅÐäxG‹KYv—<²¬LR°Ë™£‘ÞrVú°Á;uËP-'y´ßC•çÀ ÚX•stÀ¥Qk‡±’Óï~éä$è¢j«Ëšð~\Võh@0 |t‚,D® µ¬I`c®éÉ`2#µá^Uh· @ùYè’»ˆEŽ +?ˆÝ¶?†Œ±—Õœî£}80†¬)¨»JóLë‘ðtÅÌØ»­õÆ“¦` b¶‹…6ŒLÈû©¥ Ï@2s&€#\’—³”»'!šxà]HÃ%) Âc?°YØ•x7¼VÑ¢}³mä°"g®PÞìKÌmQæËÙ¡ñhÉ´ÜîrÄNÄkÎ8o° 33Ì€½ªéCyñ@¤r»áìMªÑíûâ®!uÕ‡+»Œ»,š«â#OcTW¹ÈÊvu˽ª·n:c8~:>‹$`—ÂUw.á ©ÉÈ&œžpÎÀy6W'°P¨Í¦¢*’amBw–8Ö®æ踼KØï‚ÔÍÓ¡`݆wê¯;a" ãI¼¿ÞŽÚé#72ß®d¶½&"Ç/„ë–€7¶µÓ²sàþôeŽÏµáðçÀ¼Lü(ÈI-øé?ôÅå4 ‚$¬ô§nk b¬G?­7Ú˜¾VuiUð¸ð„ÍìÈc¤¦\ $G÷£öåsÊL8¡×K.$Ì:cÉ\uÇ'X¶r±…·§ùÃktåÀ¡ž<<äkk¶ EO3iÙ1eµXÚ¥Iî·h,©ÃüCjÜ‘ o(RP¿bº¢CÖtpi€þùéPR#à&ȡνih »Rî€9ÿÒ€…p_•Ç‡Òqj?¾D/ÆÞ ƒg±»{¨57!HÕjC»‚>ö.³!Íb x®1ž¸Ëò…â†fÛ‡ãuÃTÐbÙ¹C™%üˆZâÝl΀' b÷$±ò¡Õèm UÛöÚ'öV­±÷>[p˜,x~CMë!éG ˆÔšHuÕÐ=€‘ý.תٺˆËpª¡æà P[ ž7¯ùØ­¡€‹Ê]ëbž5O\Ù¹†&…>éÌDÚ“±%¼`Es4Ê¥çèJ[ bã†Gíãv”ög ØÞUÝr0 kÕ|Dñ€r898¹â-ðmŒŽ˜¨ Œs} ùÒ ²î ”G{û=]®Pã¿ß ·Ôtº:ì\‰sŠ­·¥‹éTõŽ*Õ¼ª÷¿ 8Ð}Q½ÞgWôm2rhPÀé1Žåøé›èueØp*€”L¢*çÛ¸‡4[NòžwG+©Æ‡Æ«ý¤~!nF­­ÑG W^µMU˜ÑÂE£ß7}Šž·÷Ö9‡b“ ÏêŠS¯½Ÿ s@ßµ½Ü‡àx×vøQH¡Óþ>˜Øé-‘Õ}[9®(,¶¨šxÎfA£‰â1caÒ¾†Œœp±¹‰íîí:ee~à ÛÊÌU +dzøÕm½.Óý!ôÖØ ·†½˜dˆ»Õ; œ± Œ!2–AÄÁæá·Œ=×#‘±‡¤‡ϸ@ l×{eŸ•C}fƒ-ôP’뎮 +€ÇÍãŒý6QÆ~$e8öSÂ`rö'ŸûÃÅý7£ðNvâf¯¿t\YÈ•óËÌ3‘Ž1ÿ_Á÷uˆendstream endobj -1126 0 obj << +1130 0 obj << /Type /Page -/Contents 1127 0 R -/Resources 1125 0 R +/Contents 1131 0 R +/Resources 1129 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1133 0 R ->> endobj -1128 0 obj << -/D [1126 0 R /XYZ 85.0394 794.5015 null] +/Parent 1136 0 R >> endobj -1129 0 obj << -/D [1126 0 R /XYZ 85.0394 769.5949 null] +1132 0 obj << +/D [1130 0 R /XYZ 85.0394 794.5015 null] >> endobj -474 0 obj << -/D [1126 0 R /XYZ 85.0394 445.1692 null] +1133 0 obj << +/D [1130 0 R /XYZ 85.0394 552.4093 null] >> endobj -1130 0 obj << -/D [1126 0 R /XYZ 85.0394 420.4669 null] +1134 0 obj << +/D [1130 0 R /XYZ 85.0394 540.4542 null] >> endobj -1131 0 obj << -/D [1126 0 R /XYZ 85.0394 234.9227 null] +478 0 obj << +/D [1130 0 R /XYZ 85.0394 229.3354 null] >> endobj -1132 0 obj << -/D [1126 0 R /XYZ 85.0394 222.9676 null] +1135 0 obj << +/D [1130 0 R /XYZ 85.0394 203.1874 null] >> endobj -1125 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R >> +1129 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F56 622 0 R /F57 628 0 R /F42 601 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1136 0 obj << -/Length 2988 +1139 0 obj << +/Length 2798 /Filter /FlateDecode >> stream -xÚÍ]sÛ6òÝ¿B÷@ÏT8|ì[š8­;‰ÓsÜ™Ì5} %Úâ”"u"Çýõ·‹HJ¦çâÎuô@`,û…Ý…ÄŒÃOÌŒe6“Ù,Í43\˜Ùb}Âg·0öã‰sæqÒ|<뇫“¾¶r–±ÌJ;»ºárŒ;'fWËßË; <ù÷»‹³Ó¹4›|Û•‹Ü¡_¸!6=ûà»w¿ôºÙ¡¼XnËOEŒŒÁv¯®Üp"ŒP"ví.¯àÚà7Qc”I® 5,nB#¯îò{8ïÞ‘(@@& -•¬š¶ƒ¸¥` ÁÛm¡í°'ÀBà®!@·*ë?ä™'dDxyI]¤ûyü†…÷¯Ùäå–€„B%˼ËQ8ÒÅé½®À(±[ÀÑ -£þ]Ù­â.Ò#ñWŧÜÛŠÖ¸Ñn\Ó&Éë%{õ }ÂêG/ h (Qšy…}åC#û¢² -¿«¢Ú4÷mW¬Û@BÑÛuY‡åw«"®ƒ“Mâ2ÄjÑ[5Ü·)Ë”Lý4]:p üÌ{CóªäE-/^ÐMÔw?£©h`YT §Û{êyyÁ·áT;4§‚©Õn@DÅ¢üȹŒ;xaâNqú>yaR¤’>›mÙlË.lîåE£lêF§^aÂõIÔl„KÛñ9[ïâÄ@P±¥.á´ÁEx?=5GìÁ¹-ÍÍ;÷¦+–¨Ó©ˆj:Þ¥jîÐÈ&ì³Þ­¯ ïY\‚ ܶ æ¹â69÷Î% ÷ ‡3ygˆý^¸Øñ[áô͇|…>ÌÿKÊ°|>\’K¶ÀífÜÌÞþ¼L@}¸ß» _úôÞ-8?!µb×ûðMS/ËúéÍd8†Ó 1çu@ÌÚvÔÍoé*th¹U˜s“SK'×ùâ°® ߈².>rëõD‡ókÁ“_zÂ%$§–¦/›©Ó‘;§¶Ê?á–2%¾'P~Ý6Õ®+¨·.òÎLs>J™(Ó{FÁ„¿ÃM]…‰‘‰Å¢+ã¦þà8 ðm©éï÷ÕÈIà 7a/V˜ÌkJ_ƒ±IŒÍèÁ¡¼7´‚N`Ó[ŠÑÁ Jw±ò>ÑCúF›ÛŸèmÏDacë:nKÖH¾<ÐtÞ…8ÍŽbù"×i ¼Ö»¶›ˆp ¼x݆I$CÜ&'>€N@Þm¬;Pé¶meÞùÛüõ‹±ÛÜ‚ 1ß¾xñölßÏ“ò`Dºóaú‚EYãƒ?Åöft÷y*ê°*îæÏŸM(À6MYw£}&üÊu(Z¾¨>ì0M´¦.iÌxZUFf̤"ýº¤nzÕ¨Xñl¹v<ò˜ÔY1k§jíàèœI£ç±E³Fç  æ:¿À¨““D áÁO!Ž†í-9ÌÂ3ÈÂÈfcR¾ítÈG‘bBÕúæ4Kõ~  Ö3åƒ@ÒÆÊÍw²Èå¹#ŸÈžaãçåγªdî©3îKìI!yN¥>Â9fÃÈc·aÍööæŒöýsÇræ |ÜØ”ÕL‹”|ÔCóØ}°8‡÷¢r^¥|íOgÑhó¿±yiÇ\jÌXd$ÓVŠžE6·Û#<’Çy4Úý¹xôôJà_qi É9®Í×V•=ÝÇ+Š+ƒIG±ÓPü~2«¦AÊQÎ'¥ˆáÀ}¸ß>û£.]ᇅB#˜àVÇôÀX&‚Q/iƒÑbÍ€Sv„S~©68¸Ã¬8ùXOQ‡öù0V‹¾ ÙHˆ¿0»eÎ -¹Ÿ”¡ˆXeÈ8F•Å³ÌÙ.…Ï’}ysà«áGØfAe”ÈÆl¼ì×$”ˆãCB;¬¬FY©ŸZZý°~ªBýô}Ñu”¸¶««7O¨”^QÔf“®\ó®™W”¨„x”ÆÀΆâõÁQ-©C…èÐUr~]vaBÇ[⸠Ñå&d„Eˆ*ý,B°«Ë®ïl!Ž]@úÝz‘Äð¾ßÒbZ¼Î·%½š¥T@: Žª²U¨øR+å%*&·ÐZä Ê °ŠØâM¡]`€€«Ôˆ¥å€iÕÜQ£j¼¬¢¤…J‘„7lu]Œ6ZFØM3¤@*ñ,ÄêòªÙUýœ©4cY¶‹E¬÷Þþlê° -ÕŒýðšpàõÏf"… ÚHý¤×L±”§ê+_w&W nLò¯y°Š+î©x¦¹ÐRâÈÓ8€ ®ga-ãNQ®üþÜ«üH”šNªÜ~ rYš -ŒÖÑ-•¡€€.b¨‹Ûv5ï†Nþâëwo_œ_ K'èP{Ã'® ¥¿!jפh÷Ínò­·7ƒuþ¹\ïÂlttóY¸vñ1»†ˆ¢˜ã¶êm¸ZÑ«Åa$”‚ÌE’©Ã·iê²âÎŧvõíoσÒrû¥Ð+­p ¼ñÿÞOh¬ßÕáeq“ïªîÀëõQ w|òÀº9=› ή/®,µE÷ˆVŒøý8Ð -ýŒZA¬âQÈ4ƒÂí½ ù°BàT%gôv, Jî@hÄ´ñœ„qû-}É—I‚jþ:e}0óòÒG„ýóÂbDlö^“Žª]ãpŒèãøàãøØÇñp–à/ŠƒXùˆøÆ>—ð¿âoÁE:—x0‡ÙËÒLOý=ŠÏ¾˜ä>õÏXÃÒÀU*çä´ŠöIË€+üÍ=ø¯XüÛVœ6"þ¿XB]endstream +xÚÍZ[sÛ¶~÷¯Ð£<ãà~é››8­:“ã¸g2§é-Ñ6§©CRqüï»À)Q¶“8s2ž1A`±X|»X|Å&þØDi¢wã$Q”©É|uD'7ÐöË‹2'Iè¤/õóåÑ¿^k>qÄi®'—×=]–PkÙärñçTAŽAþ÷íùÙñ Wtúzö;”˜ŠO_þzúîòìtýyvþ +k>^¾==ûå‹Óc#§—³·çX}qöúìâìüåÙñ_—¿]v&÷§Å¨ðöþïèÏ¿èd³ûíˆᬚÜÁ %Ì9>YI%ˆ’B¤šåÑû£w +{­¡ë(LŒ.’}œ¤ÃI9¢§ËÛæ¤å´>fvš7Õ&æ±v‘µ–ªŸ¯ ÿï«š|ÞUå®ñÙ&ÅøÌp|¹)>å±Ã¦)Ê,þ]VwË|q“PÕÞ¯‹y¶ì¼Žvçe›#À#Ë cÄ)Åïƒíà7T?-Ò‰â·AôuÍ?g«õ2ow±ßª¸¹m±ØÜVw;Z/.,̳º.ò¾%>³¨"ošì&öÈšŸvC†07 œiÙ“‚HhJ´æjD_×+Òñ Ø‚®XL=†ªNºIÊ Ä#ëBT™^ˆ2ê €œª gܧÌÞÏÈÙ«?`‘jaéô͇ã# Ÿ2 +5”Nÿsv~vqJ:±D¥`°D{cÛ|ê ¼^Í|Ó4xßÐÒo§!ÿæóª^4#¶û$‰“ ϧ~¯Ô|ºÈ›y]\…]P Ü^x^¸Í̾¾ÉëOyû4m•n3|[QâN…3´gQ.ëúy¬ +[3Ôíß·øV¬£öEì`à~oÜùG’WÜ½Ó ~€Ç:«Ûb¾í#¾y¸àb€žƒ)„®WÕÆûKФ%ÝÙ@±Û² ì·,,}¤ŠFJTF#6Í&[¾Šoúˆjz…ª¡s Ùò.»‡ù¦„WyDô¨jZAš‘ÎDõMá×Bãé ä"Ђ՞/øŠö¶(ÿƪãI¡¿˜ò¯ÞNÿž¥gìx¿15묨±UˆpäÃmïbZ_Dç`(›FMHp”ï¡û—ù§,¬.à6+šT@ XÙ…_|4Ä·TÁP‚Pxo†ë2)Ât°eèj¨Ô +ž·ùrÕÜ7m¾j¢ 90ªUQÆîw·yê3™ÄE¼UMÙª?©Q˜0ÄÀNðcewm(B(—@)¸W  ÕùⴾǷà/xæàœ¥¿åU"FŽ —›¾Ô¬ÁEù¼øH)O#gú‘’øм(”¬ÄǺ.ªºhãàÁ_Ø:S0ÒD~¶O´êzº¤îϳÁö6 Fƒ©‡WÔ©»ÃT…Ùc±—mP6kÁÝë6_ø˜6,…iP€E62‘t¢àÂN=€un>ê4…äââ¾ÍqN!ú÷í0¼à=*ˆ7~ù`®1‡Ù˜Q ˆÝç0%Ùi hW«˜fã[È2QqÊáaì6>ñÑe7·E~,uÛ.‡¯«rQ”7Þ^Çã4¬œ"è^®ã@ªnñ5»Á­Ðú•»Œ2×–à–ÍÿŽýªøL*ËüsÔ±DCnBâóMÑqþ’Ñé».„|ôSƒâ‹jÔ•!CRó(ç‚ø«²«¦ZnÚßVyVâ½=È|äÜ`5XšÄ; @`'¯AsU.£`ÑlÓ aâ^ +ôÕX û{§ª—$|#Þð‡ñƒ[A..¯±IÆÅÆy\lJn£’){«î+…/†•¢â·_XÁžrb¨­ð™ÖÜP0¬=•œíKWiX\˜Ë£M³6ò4Ýã.ÂIBý¯Õ¦iGÐàë: +Åû&C &,¡þ8 馩æEÖ¦§ý´½Mw¾.:Ú;?}s6Ìó<ž‘níó¹`^ä{I¿ÿ¥EãúÓÛõEt†_Nvçk¬ ‘> YžWUØú´Iz’aÚîÏÀVv|†¸ÚŽƒÇ/O‡¤ú¦`âõïy‰ºö×6A‘ÃŽd“¸üjúˆðÏ⦬¶ñ !g%ìÅYÈÌ4}l².eGG”  +«0•¸ØßÑm>õåuoï V”±W-ÌßÔ­+ç²gdÉ]Ýï|* ^ÚûR£á\j¬°p@µîIßO¹#Ê0óe‡ºñ^ßãÓWšÓ ³p¨³ÂŒŸµ µ•ôS÷×Ï?ÎÆs™W«ðñ 8×ìܳNêâõ!µá“¡1ÑA—ÝS¸ƒS8XØ·äÛ&çadFðgÇËød!‰áV¸Ã¦P¶J ÖÁâzÚEÇ%tD@‡?æ&ý‘ŸöœøhNŒò1|4œž•sðá}|ˆ§›5©ê›ÐéûG¢Ä2ËYmJI%îHûëÈûvÉÙpoCL…Ë?v¢Þà?0D«Å#IN¤tºChg ÁîöDü0DÛÁŸ ¡§_~=Ã/8K¥òwXD}ÊE`ð« L2ýðE Sàu£¿QùiŒ^½AzÀyïÄÇ9KdêY€gwöÃWÜÀw¯ #Œj™èçÎJ¡¢ÁÏ4QÑHvµ:Bîéä(õ8-·‰ûû¦ÀTü,Ê8Áî4ìïŠ^ijHd_þl QÇøñ +±Ì‹xÞ|¬©Ò¬f3ŸçáŒ.7·¸*z6 #˜ëöM±c¨q)IEùè+‰]ø¦}EýòL("ñ{änÌÑÉ£)ä©¿JÛþ2O"l/Ë#)È£Qá*×îYž~¾¶oú?f0eñendstream endobj -1135 0 obj << +1138 0 obj << /Type /Page -/Contents 1136 0 R -/Resources 1134 0 R +/Contents 1139 0 R +/Resources 1137 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1133 0 R ->> endobj -1137 0 obj << -/D [1135 0 R /XYZ 56.6929 794.5015 null] ->> endobj -1138 0 obj << -/D [1135 0 R /XYZ 56.6929 756.8229 null] ->> endobj -1139 0 obj << -/D [1135 0 R /XYZ 56.6929 744.8677 null] ->> endobj -478 0 obj << -/D [1135 0 R /XYZ 56.6929 645.1992 null] +/Parent 1136 0 R >> endobj 1140 0 obj << -/D [1135 0 R /XYZ 56.6929 620.8596 null] +/D [1138 0 R /XYZ 56.6929 794.5015 null] >> endobj 1141 0 obj << -/D [1135 0 R /XYZ 56.6929 421.005 null] +/D [1138 0 R /XYZ 56.6929 726.9349 null] >> endobj 1142 0 obj << -/D [1135 0 R /XYZ 56.6929 409.0498 null] ->> endobj -482 0 obj << -/D [1135 0 R /XYZ 56.6929 255.583 null] +/D [1138 0 R /XYZ 56.6929 714.9798 null] >> endobj 1143 0 obj << -/D [1135 0 R /XYZ 56.6929 228.2785 null] +/D [1138 0 R /XYZ 56.6929 546.8104 null] >> endobj 1144 0 obj << -/D [1135 0 R /XYZ 56.6929 186.806 null] +/D [1138 0 R /XYZ 56.6929 534.8553 null] +>> endobj +482 0 obj << +/D [1138 0 R /XYZ 56.6929 435.1867 null] >> endobj 1145 0 obj << -/D [1135 0 R /XYZ 56.6929 174.8508 null] +/D [1138 0 R /XYZ 56.6929 410.8471 null] >> endobj -1134 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R >> +1146 0 obj << +/D [1138 0 R /XYZ 56.6929 210.9925 null] +>> endobj +1147 0 obj << +/D [1138 0 R /XYZ 56.6929 199.0374 null] +>> endobj +1137 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F57 628 0 R /F42 601 0 R /F56 622 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1148 0 obj << -/Length 2593 +1150 0 obj << +/Length 2704 /Filter /FlateDecode >> stream -xÚÅYÝoÛ8Ï_¡‡{Šå‡¨Åalêô¼h“^ê½.¶ÛÅ–c²äZrÒì_3R–l¥iw÷p(P1äp83œßÐÂãðOx‰f\¥¡§!Ó\ho±9ãÞ¬½>–&pDAŸê§ùÙËËHz)K#yóUWÂx’o¾üè_üëüÝ|z3 ¤æ~Ä&Ž¸ÿÓìêͤô¹¸¾ºœ½þåæ|‡þ|v}EÓ7ÓËéÍôêb: „ -µʲøíújJD—³7ÓɧùÏgÓy'r_-ÁÊûùìã'î-A»ŸÏ8Si¢½øƒ3‘¦ÒÛœ…Z1*åfʳ÷gÿîöVÍÖ13I%X¬•¨%°è+±D¦1U§,RRuF Õ˜QCÁ¢4Õƨçe9 T*üz…_é·ë¼Éij>ÓÐä2Ÿ•íËÖÕD±¯ŠÖ’Ð~á7ù¢®–Í‹IʸÕû»õ±ðYE»níQù—mY,Š¶|¤ùf›/Šß9—ùÒpŠüU½£¥üK¶Ù–ù ¼¨——:îiȽ@–j-nb­ø†È†)K’8r¤b–BzÝÞÜ€¥ ”fBðȢτà@œsVÝç;´:ÎÛl»-ª;ú£¨è;{wŽœBÊ¥¡ Ï›ÜòQ)÷«lƒ£$õw‘øyS—û¶¨+ZýkÞ®³–( -²±öÛ]V5efé`ee6×Ú5{G³Ùri™6´`.ðP`-h¶h,ùb]€hKš½}¤ÙMgÑ]8G‡±W=}E˜ó!&Y¶Ûf#v°)Ó­,ëMV}b?«PŠ$òßÍoh@Š,jó]6ȱäþ´jwEÞÐ&ÚñìÄ‘fyp±¥…M¶Ì‡œÊÑÅüÇ•^HË:=HÈC~K­W©b1jýŸÛåéÝÔ“Ð>¼ìÐ)?dtJ:æ, •èÀÁ t -)˜RJ{@ËBDhÅ\ßÌ^ÏBi¡¸? ˆ.÷m¨yÂdX®Ú_Óm¥î÷ï4ŠN¨Î?c”H²0 2A&Jb0Ú%‚%¥½*vù,KN7Ò j¹!îâ Ði %˜zGcË -0+  ¹Q˜}0*Á+/ÚÂatÄþ+sOf•¶Þ\^ЄàJÓÈ´U8 4DÍþ¶É?ïóªuÜnó¼¢Qþ@þ2_2j:?¬Qª¯¯N…5:°Qn›¼\ÙqCßE™5룗ùϬ,}†o88½¶;ûÚñ›}c™ÝÚ™Ú -ÐÉÝXmea’ ¸‘¢‡€qæpÓ$ݶ•jQî—y÷ÆÐË´ -\=ŽÄXúø¦O)´¥{1 -ÐL"”c4»ºxóË«éX‹ AË'²Wµa)C@>IìxÎçoÈ„º SŽØCAxñôL؈˜;[vøqÏÇÁûǪ;ü0"—ÒLcF1ZŸ-¼&¦9:=<‚À†ªhi?Žp%bg7€vôÉ‘›„y‰îÓˆø@ÊØùSüÜåÇdbÙä­ñ+áÜUtRË®ù.óÃè¡ ¨Öã©Na$[Êš¾YõHƒ}õ*•}|£§Ï-J(H¹=7£Øì'l4 Ó«îÜc‰Se.z¯ "¤†¯É¨¶/Ä醾¦;„“‹ ½ŽE”ÈÔ阃Ñ7lBHwWÿyMŒá¢º@Ýzþ3`¥¶‹.þ~‘jÀŠE& uê„¡ð}{û Q© -ќć}Ú…Œ¦–¬3åÁ ÐÞugw²°õ*soJé£W®Ã í0ÿvïa£”A‰žœDH'-=EÝí7] (\½h‡uÃ`3“ÎnÍ£iÎFnˆÔŠd<úLwÜÀ×·>˜ç-î_\¿ÅŸ¿=Ÿ]ï§7ÿ™ÞŒg·þyNf(µÅ}VvºÁ-Œ¿i÷öÂñlúëùÛwo¦ìâú-#¡­(ÑP’!áéð±.Or¸«'ÿ³$>(Xƒ¼«{EÊyà -*í)\] |6…×;®#|@²$ÒºËàô„4ÂÜYêøÏTúu‡ŸÔ€Ê‚Ê3C›còô&ª‡^™¸‹ØQJý“‰¤K™=ÁÄmâ þ~8$b\%4cÅ+*“7Fä2ËYë Ë|[ì<òg«1Ô!ã‰TÏ^ª´ŸÓ€}?%QÅáØy¦ñµ¶—Gz&w‰Í¼YU¸EÕ¥ªoMiP»h·ùÒáaÈûÜ¢²KàCá~`êdþzI1Ü>vïß'“SûLöÔ ø«åÈÏ•Ü{öeî[íue aBo°§?ev?yZ¡LúJOÞÛTÂt"ãÑÿ …£sÞendstream +xÚÍY_sÛ6÷§ÐÃ=P3! + ö-íœ:­SÔ¹›æò@‹°ÅŠTD*Núéo P¤LÅé%7½ñŒ - `±~ ˆ‡?1ÓŠq™Å³4‹™âBÍÖÛ >{€¾×Âñ„ž)rý´ºøá:‰fË’(™­î²4ãZ‹Ùªx¼úûË7««å<Œ6UƒŸ7—DÉèóêöæzñú·åËy«Åí ‘—W×WË«›WWóPÈXE @:¿ßÞ\Óõâ—«ùûÕÏW«~ÉÃm .q½.Þ½ç³v÷óg2Ójö?8YͶ±’LÅRzJuñöâ½ÀA¯:¥&%5S:J'ôG3!X¦T4R”ÊX"#i…[“°OÎyðÖt]Y?ÐþV«_ZÜH‘móYÅ,‹El‡¯6Ù“ +·&ìš°*?:Jsß4è<ËrIßs™ª eK\9ý”QxWv®«î̃ÙÓý\èÀìèÓèòjp¨Ë®Îœ­Y7uѾÀ_:ÈëÑ”I°Û—Û|_VŸ€D†q‹½Ö`‹wØŸH·‚¶©>š}K¤Ç©©›tlë|m7 Íå²³‘±vjh•…i×ûòÎ8I›æ‘UcZ¹â庩îÌ`¢ÂÓîZý¶*„o»iUÏ3Þ9JQ¶ëÜ-L«Ü*j{“è64‡ëí>ïìò¡Içn{ÐÈûÕÀõaO?뎔ÍIÙ¶EçÇÉxðGS»Qh&•a§>&˜ŸJãY’)–ˆT}—ÉL²”§'^ößò EÆ)ÓOϯ€Æqåš~ÄXTØo*L€#Í}ôá¡÷‰H0)¥š%:eQ¬3{†oo_ÎCŸ\Tyk½H½M:eÇÞ'% E +9…ô=qP›‡¼sÎLÆæìÀ1#¦ÕÆOëì!7UK}hÒhp‰"k9•3s¥‚fÜS³5{ç[àeUÙ{4ë&lëMX4Ûœö¢`ƒŠßüëòö×—‹h ¢:oÝ5ukÚ)ÿ§ÕnÉØ>76åü½+lóOåöà¸1ØyÙSc¨.>Twªå¤¸ä¾õ&®¸Ü࢟˜¹âšE $º¡A|›‘¡9KÈÁ%˾˜Ÿžˆô#ÎÛ-ph¨çìVf,Ž4)÷o6\ÀOIz–‘v4¥™è פVìÌ;úvÄ ¹¥Ù%x9G°Eq„ºQáÃX9¾@öƒÔ˜´u³ž7ãÂÜ燪; ~½Q0gð–‹<–@7ŠyíάK\æúDPkº/Æ@ãßvŠ§†OÃP˜Ašˆç C(¦DJÍ+Ëb0JS\GA3RÔ)—¡±É­ÛA+§é·ô¥ )‡¨} Œð£¬O8—K„ Ä¡Mégv! ç>F»óÆA9¶áƒ?;> vÜíÅŸ^}£ü‚ µû½Œàˆ5ÿŠ´*2Át +èÎñt zŸ€_Ɉu€_•F,β3v汯R‘“„ÀëKÎF +€ÆqaOoé)¥C]I/Õ„ûà[ Zç§ÚÚZŽ4ЉÑÒwo°¢ø8‡úâDf?¶*[z€vã6ÿPÖOÂ^œ¥,‘‰œ ÝéÛ<cÊ’ìÏ„½/Ç¡ÓÇ,ÑqòÌ ’€ÔÛÇÂP¹Âðöx¿ñ{‘]V®uYîé:ïÜËR ÜUƒ›W­¡¾Uï©íD„@´µ' +ÔG‹¨4yÙ•²c)€x±¶çd{ièòú—ŠZô6¤µgÀÔîZóáàŸ, ëÎØÇh™O€ùé¹kÐnpU6Ùã°~ #mô[°w<­©îÇ÷Åë*o[_Vf‡sÖþæ.Çù}ú¦2=ýöÐ:awfüŠÓ¯»Íý=·]Ëñ†\C /S»Éiá—ÃËÛ~UëêP˜þÊax%˜:ÞbMDÓ‘`4 Áß‹ Qn´^ÐâæÕ/¿]^MUÜZðQé«.&D‚OH@†^¦}ý°!4J ·e¡H‚wOúèL8èz89r„çýàíçºË?ý8±.‰7¦Éd +JÓ'JKF— ¡­•žNžJ‹cï&¤æÂG7b¤·E›œ8)ÀD±ô‚ÞŸ{)‡=Ä’¢â)Râ3ïKßüŒ~ pqʤÖÑô%a™èWe3{eýƒûÄâÿu¡à7endstream endobj -1147 0 obj << +1149 0 obj << /Type /Page -/Contents 1148 0 R -/Resources 1146 0 R +/Contents 1150 0 R +/Resources 1148 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1133 0 R +/Parent 1136 0 R >> endobj -1149 0 obj << -/D [1147 0 R /XYZ 85.0394 794.5015 null] +1151 0 obj << +/D [1149 0 R /XYZ 85.0394 794.5015 null] >> endobj 486 0 obj << -/D [1147 0 R /XYZ 85.0394 714.4345 null] +/D [1149 0 R /XYZ 85.0394 769.5949 null] >> endobj -1150 0 obj << -/D [1147 0 R /XYZ 85.0394 684.4451 null] +1152 0 obj << +/D [1149 0 R /XYZ 85.0394 749.4437 null] >> endobj -1151 0 obj << -/D [1147 0 R /XYZ 85.0394 595.1519 null] +1153 0 obj << +/D [1149 0 R /XYZ 85.0394 707.9711 null] >> endobj -1152 0 obj << -/D [1147 0 R /XYZ 85.0394 583.1967 null] +1154 0 obj << +/D [1149 0 R /XYZ 85.0394 696.016 null] >> endobj 490 0 obj << -/D [1147 0 R /XYZ 85.0394 394.0393 null] +/D [1149 0 R /XYZ 85.0394 527.3014 null] >> endobj -1153 0 obj << -/D [1147 0 R /XYZ 85.0394 370.8687 null] +1155 0 obj << +/D [1149 0 R /XYZ 85.0394 497.312 null] +>> endobj +1156 0 obj << +/D [1149 0 R /XYZ 85.0394 408.0188 null] +>> endobj +1157 0 obj << +/D [1149 0 R /XYZ 85.0394 396.0636 null] >> endobj 494 0 obj << -/D [1147 0 R /XYZ 85.0394 305.4099 null] +/D [1149 0 R /XYZ 85.0394 202.1472 null] >> endobj -1154 0 obj << -/D [1147 0 R /XYZ 85.0394 280.4837 null] +1158 0 obj << +/D [1149 0 R /XYZ 85.0394 177.8748 null] >> endobj 498 0 obj << -/D [1147 0 R /XYZ 85.0394 138.799 null] +/D [1149 0 R /XYZ 85.0394 109.157 null] >> endobj -1158 0 obj << -/D [1147 0 R /XYZ 85.0394 112.5279 null] +1159 0 obj << +/D [1149 0 R /XYZ 85.0394 83.1291 null] >> endobj -1146 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R /F84 797 0 R /F86 977 0 R /F77 703 0 R /F11 1157 0 R >> -/XObject << /Im1 790 0 R >> +1148 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F57 628 0 R /F56 622 0 R /F84 802 0 R /F86 982 0 R /F77 707 0 R >> +/XObject << /Im1 795 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1161 0 obj << -/Length 3047 +1162 0 obj << +/Length 2290 /Filter /FlateDecode >> stream -xÚµ]sÛ6òÝ¿B~ g,ŸÑ77Qrî$NÎQ;Kó@I´Å9ŠTD*‰ûëo H”E¹îe:ž1– °À~PbÄáOŒLÊR'ÝÈ:Í f4_ñÑ=¼{s&šq\4î¯úyzöâu*GŽ¹T¦£é]WÆx–‰Ñtñ)I™b€'ÿy3¹KÓ××oJ™¼ü×Õ‡éä–^¤aéÏ×7¯hÆÑðòýÍëë7¿Þ^]XL¯ßßÐôíäõävrórrñyúËÙdº»rŸ,ÁÞ÷ËÙ§Ï|´ê~9ãL¹ÌŒ¾ÁgÂ99Zi£˜ÑJÅ™êìãÙ¿w{oýÖA6 Τ–óI«!>ÇR%•çÓtYM:KšMy_Öçõ‚€ŽÞºd¾Ýl.D–uGoÍ*Ëë|К¯Å&¬êš¸w¢Ú[T*©=Дùw£T2Œ,ÇešLê¦Ç]ã'ïF zFI¸ûþbœŠd -ÿerd€“[iG)HD"G¾ŒˆÇ9E‹z°§uÏ?ñâz%F¯ hÔ#*"÷1{¢2ÝSððη þAÊ·¯_^Œµu «(ãI».æ%JÕ_u˼‹PAkм%à,*¬0 YN´Ëf[-h嬠¹MÑvͦ³ù]WlèE^W³´¯ÝJµÜk÷˜tu÷â@W{ª@±ÒL ±\ÂÚ$³ É“-Þ]§IÙÑdÙÒØ–ÑpSÓšoËßÐ$±€= à!:\NÎÀ#‹|8¯Ú&œÌ.^.PB*Ùþ8U&øce úc.8¼oirÖtK‚š;áz«°wº,ò9]Ãï(âTÝv$·m± ÜyXžÓ°(.O¾–9±ž²¼+‘=ÒfÉݦYä• T¦Kó°qy·Ýpfxé]ŒHÇ‘#Ñ©c2sÙ¨oª?fýègŒƒùñ>šü˜oê;É,¹(ò'CÚdÓ–ë]„6L8ç!g=ŸNßôªÜó®üZ xu‡ÔÌiA¸>>Ô]þý§¡@a˜©‰–„Èý"pûE"€v1˜,Š»|[u㮫NN3&µŽk? `S Ø6ž8oV+´“cDZÀ¡*"úLV!®AæsJfD^ñÔñGw¤‡é…^ñÉɤ!ø-rÏCpÃxMÜyí ÝÎÚâË–"»‹¡mÞøqÑÒä·M ¡m½(Ð=Öh7þ¼éÛlNƒ†ÿ†GçUÙ{ƒHrBJÓh¬‘˜Ó -> ¯ïƒ.ð±ÚêL¥ÚÒL «-4?äÙ^Ô\?u{Ÿ$x,C”'‹@*žíÏìÊqÄ7E‚§;ÕNƒbïsÊwyëݾOE˘\L¾wEÝ‚;ù üŽˆ"FCx3¹™@æ ,Nþ9‹88åX™SÅ8W1À÷dS-Û¡lK²ŒËçÇ°…E)FÃðÇ árLHc£¡Uy;t#éX–Y×7³Gh \9‹wîÖÀÍ ä öÿ˜ÿ#Aw†¹¨×ö”Àýøa“ª¾‚Kˆr­×m€|^-ÓdRØ® ùœ†¶Ø”EØä FZÙ6[øû Äî“%¿¹®Z”w¸äÎë><ßù>jš"Ÿ/ÃJ3œ…­yMc †“CäÇ2lÈöÇ‘êƒ ý—¬‚"-Qs'WG|—4ùe[ppŽ—¼^7XCyŒÛ/¤îo†*« ¹T$ä€úEQ÷9&*;'×Î7åì ''lpB/јª¢ ;!ÿ¼zõê–]Ý~@f^E|ñ€ c‡ÜqPÛ÷·×o®¡~NÁ'r†Ù„d=¼Wl(Í -Dÿ‡ûÄX4Ü|¤ñãäö·Éí9›ü~õîÃÛÉóP i <§áåÍÕ»ðòœñaÛ§(Æ”"”µ?á„ø7(8!ŽY0D”8A”xB$ŸäŽx -Q3´î™Ò“ÏD*Ÿ‡”Hfl˜iŸKBXyâ¼~žAÞ*¸Ik[ÏH˜$ß–ÛGýœÿoW¯Q;ƒúöoqÇ£Œ=Ò©UÊ„¡Åqʬq™I ™Œªý Ãj’%oiFô¨86µ,E˜è¾5@6ºjÑù@Ùvù¦C¡·»64îç_@"µfè UrQ-Ã!˜ÉmÚnHwðÌ=/Œèã/Ñç D€×uxP±>\ÖRî(zÂ(0ã5irUU4AI­£KŒjþuD½Ú¶ç¬RèuÓ–˜ê†8/Ȧ'ÀÓ Ô>Èp3¸1L +ÿÎÝ–SŠ–rf•UOë·ÌfÆyÒ1µ§B¥'’LØ£´ÛUkÕ0°š 4ßjÌ&¤–„ŸÄ˜lì~Õqj³Ÿí‡lC IgaÑ>¢. ÷ðÀÉìPŽW5æ2D_Ö÷ÕP/Ós³,Òs>d`̤&&ÄXÉ-šªÊ7ï}ʺ -¤‡Õ¬©Zz…U›ó)?ÑGhß)¸‡ù z¦!ÓkÚrQú}U—Ʋq]åsJ0&qž-RdŒËìÐIÒíS;x -ýaìƃˆ…,®ºGÄ9=Ÿ‡Í5Íî°5Ûn½í~h¶ô¶.|‚%É|qÉ×Å~ï@•Ä!Ô‰,}B*ãÝšoQЀû|4Ìòù[Ȩ–„Dô{tXžÛõèê¡B D¨^O¨¤`÷l™ÌXfÕcdò²óS§ÅòaCoæVN)û®ŒÙ4‹ Vùq£YcʘWUxöö”aC¢ªšo^R™Ø)Tªàíø#£Z5 êÑnÐ85hú²Ä2Bi°Ë%©J‡Ž- • Þãó¾QñóN÷ë tâVùpRøþ!S.|ËQ;ïÒBÌ,oQ5É»þ%eÖï‚d˜~wt‡Å–,†ˆöïòÙ -p£ä.wƒnÂB+?(<%x§* %þzÝijNøÉ™VÜ>éŒà”è òv¨“.eÖió( ê@ïþJa÷RütéEñéùýùóf'À±íº÷eXès¸I^{G$LR|ÏW몸¸R -z-vß<~œª±ä—êr1dÏPÿ«'(Ș.š{4¸<”ŒÝ&ŸûJ%Ž{´êq€ê•ã*DF¿øÁ„wÍعV¿ÓÕˆý`Gˆ¥Ô–„gÿÕ ‚xN‹b^®òŠ|TÂ54üYÐ%Æë|±( kg‡>%¼£<2Ø#N)Ÿbq -Qãk^Vù¬Šig -¸Ã'š4Ý _ýÛùÒð!§RÆ•Œ¶j)0žY¹Ô·ú!ŒÍ;BnO!‡ÔL»½¦õÖ˜Q®;Xµ‚|?j‚,A“÷Äñ“Ä{q*‰À÷AÃçÚEÃ;ð‚i-c&óûpH»Öµ áJÛõš`ÖŒ”1ÌŒMø( öínxØ;|¶˜¤\%uø=Âþ°•F;ç—|ØF!P»&Òsü xG¬ZHfygYúÈ$Oøfˆ„Ú¹§S5X“ö{B'uÓÏÚ¦ÚvÞˆ¥† ó}SªOšE¡ÅFÎ`kÔ™]öOÏA¶õÂG8xòõŽñlÌÍcú QÃ(áíž<²Äov«uÞ•³²*;L¤_%ðe‘oªÒçû01l{ 9oa-ËœÛyï¡'ÀŽvšã¿"bc´+±ÖCü±<¸¯Ë?)³4ôõ;•õ¢Gz@5\ªe;| 6>?ô­tŸvT¡íØÛ} 'vºìUY?X¸ié?‚NJe¡–C¿:á£(¤þËþ#¢¶X É៯H›1)_Ä.ÒË~€ —õ.ÿ?zÌ—endstream +xÚµYÝoÛ8Ï_á‡<ÈÀš¿ô±XàMÜž‰Ós¼ÛÅuû Øt,À¶Knšýëo†CÊR¬¦)z‹å˜ g†3?Î0¼Â?ÞÓ‹R‘öâT1rÝ›oÎÂÞ=¬½;ãŽgà™M®_ggoÞF¢—²4Qo¶lÈJX˜$¼7[| "&Y$„Áo&£þ@è0x;¾ŠK¥EpñïáûÙhJ ‘cýu<¹¤™”†‹›ÉÛñ»ß§Ã~¬‚ÙøfBÓÓÑÛÑt4¹õ?Í~;Íj•›fñP¢¾g?…½X÷ÛYÈdšèÞ#üOSÑÛœ)-™VRú™õÙíÙjUûi§›xÈ„—œúIuúI§,’BZ?ßLÇïÆ4Øeƒ]ÅL +ÃÈWšªDãyP­ ‹b“å[¤E°Í6Æ/gQùzMÔ!®l·3Û…Y8΂ÆlûDÄaûpÈÖù_a(ˆGû>O3/ì¸(áœ$—Á‡•qûfôåßÅÖmŸ;-QȾ¬Ð®ÞÀ›2àœ¥Z k‰Îp#®kŒ`-¸é’ÆÌ.Ë ßìÖù<¯œ¿šîå\3'©sX˱œ7‚;¾_ˆCÇ Ž˜Å*ñžGÛÖ¿§¢ : ê¥ãüW‡V-Q¬ã˜5S:õÊÌVÎîùaOnØv™ªKâZê !d-ulµ+A€þ.j¿“‡]TÙs“ðH·®Ü™y#HB:;QÆ©²QÊxœFßV‚„ ¯mfÍ¿?lдËÒþwIã¶pÙ]Y¬•a' +DL¥< +P*Òª¥Í +ÃÀ|É º ›+4iÙýáÃÿ8/&ÃkD²èëáx2¸Mÿ0;5*lïçu6‡üs¶®mƒS8Õ¹þVûíÙèÏáõû«»¸¹f¤´S%jkÒf<=“Ï–éHÔX­™ƒÐ8ŠAPê|<¹¸úýÒ÷e¾7ó*ÿlº­šq¦Ý>m«ìËÏûJÍ4”¿eŒ›¶k †K Ë\Ug`;}˜9÷ø±C”†X;†bŸßSt?“š%èibûD6w‰ƒhÚ§„Ê昢­hæ,Q’×òl> ÉY¨DÜŠ) Lå,;ýÅÜ”%­Pzy·6ÑÂ!TµRÉ«\Æ“=2·ƒM/ØÚ¦ü~<â0®nçëòl-ltèe—³Ê/æNø®€Oðò£`¼ì @¨„üæ1…à@™6! Ä7‰.œP±D§ÏnœÊGv­lF.÷¸ö˜W«Î‹NQÖHõZDƒ¼Nv—™›(8˜Ÿˆ.ð|ÌKsÄTK¼|#ðN?Vß«“7þ63‡ùq ÕLø ( TâOÆÒ®ÊGJ[JÚ•ºFÚÕ(@Ïg³w\Ö#G9 9¤$™0ùD³«Ìí·ÛçP‘œ|Ú7gqüm¼içàR>®ŠíÜ´ÄBDÁý‘@ØŽ¨f ­2çÌ;cÜ…èKöµ:Uó”)®õ« +U.XšÂytªÁ©dBDé×eÑw!Èr¤ÿ¢-êX÷+!TDÇzVöjóáfPpñÙœKšA§#Åmt†LCè¼{×fð¿N*xÆ€J'L¤2Á­{=ÄÍ4•ÄÔ ­­G؉7ã ï]`Q¯a”j_'5Mj4¾”Ò@`átܳqU¼¼šVÇÐŽ\`ß¾®³Òâ¾}2Ë}y1úR™m xò3¾Á4 +Ãów£Éh:D—ÎFÿ\F´v9 æê÷Pú+¾q6ëUÙUo –„âµÉÑa¿{äxì@è“iM¯°èðòrʆÓ÷èÌ¡—ç7`/½ru¼ÈA³å„` ¹ÃΧ9w‚3÷Æ  arK#=Ž×¯cmQ¼[1‘ç'/nç,|éÍOÿÀ›ypê‚.£øWŒ/Èa]‚Ä‹‚øK‚ž!¾ož¹\¼R¨xPÒ”±nDüZçWöëjçáÊÄ¿uü‘(¬‹þ“T£˜Ž™LÑìÎ÷Yœ0¨ˆ¤W +ÃÍýß®NUÿË9Ë> endobj -1162 0 obj << -/D [1160 0 R /XYZ 56.6929 794.5015 null] +1163 0 obj << +/D [1161 0 R /XYZ 56.6929 794.5015 null] >> endobj 502 0 obj << -/D [1160 0 R /XYZ 56.6929 602.6023 null] +/D [1161 0 R /XYZ 56.6929 653.8847 null] >> endobj -1163 0 obj << -/D [1160 0 R /XYZ 56.6929 580.3261 null] +1167 0 obj << +/D [1161 0 R /XYZ 56.6929 627.8019 null] >> endobj 506 0 obj << -/D [1160 0 R /XYZ 56.6929 499.3874 null] +/D [1161 0 R /XYZ 56.6929 405.3123 null] >> endobj -1164 0 obj << -/D [1160 0 R /XYZ 56.6929 472.2263 null] +1168 0 obj << +/D [1161 0 R /XYZ 56.6929 382.8411 null] >> endobj -1165 0 obj << -/D [1160 0 R /XYZ 56.6929 264.3736 null] +510 0 obj << +/D [1161 0 R /XYZ 56.6929 301.1931 null] >> endobj -1166 0 obj << -/D [1160 0 R /XYZ 56.6929 252.4185 null] +1169 0 obj << +/D [1161 0 R /XYZ 56.6929 273.8371 null] >> endobj -1159 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F84 797 0 R /F86 977 0 R /F77 703 0 R /F57 624 0 R /F14 608 0 R >> -/XObject << /Im1 790 0 R >> +1160 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F11 1166 0 R /F57 628 0 R /F77 707 0 R /F84 802 0 R /F86 982 0 R >> +/XObject << /Im1 795 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1169 0 obj << -/Length 1031 +1172 0 obj << +/Length 2368 /Filter /FlateDecode >> stream -xÚåWKsÛ6¾ëWðÐ5c¡x¯£âЮ2®œJì¥iŒYœ¡H•¤›¤¿¾xQb(ZÊÔ¹U:`µX,ß~X¬Põ‚Hdp - 6û žôÜýy›Yg4ë[½I&?ß1H fA²íù -‚$ûÞþ2ŸÄ«é S20QÃ7‹å[§‘n¸}\Þ-î_ͧ< -“ÅãÒ©Wñ]¼Š—·ñt†HD±v@¼‹?—±3º[<ÄÓÉ»IœCî Abâýkòá# 2}ºwˆ4ø¬@€¤ÄÁ~QhDH§)&ëÉoG‡½Y»t ¦À0%ÁŒa@˜ÆæÅmÝPoëEB`”v!I¹ž`€%Gè£>ô#@¡§0‚‰Å¾m Œ¶%=[n\R³…±YÔ&ÿB¬šéŒ ¶;elW[Mµõ -7CÂ'Uª:mUæôõ‰Pm*;fNP$E¸Ø:ã²jYsÜ)ëvÊ7õ9/ü^Ÿ”‰XǦnÂÄ6ȼܩ:·šŒ?7yùäD“ʪާ…W¶^ðëÒrã­ê©Ÿ ¥ct¸ô1ì¹)Ò¦GRÉ<|i™¸Bʉ·O Šö6›´t~ò‘ª²Uج;‹ŸÈõ™k'{ÈõO}mÀðP(64ìsçu|$’¢ï¶–¼Á¤8“LÇ+Å5ŠëkÆã³tä˜âŽ6į·:Cóoæz47úsšÄÃĒؘÖYîÓv³sJï ‡ÿTå€Ú¨w—á­[?z}ïâü¿xÛ'Äâ­&¼ø"œ¹ìV¼Ì[®Ë=•ô -o™à@BäKó׃ºJÛyë8vp€6[£]%æaU_ªy>ªÚ×dný7n&u«þ}²ºqêÛåü×øÆißeÎoÆ*ð\\î s¬°\_È\’×Á|Ê\Î÷»ìV¼œ9A£k*c:6 ¥E¢Þ]¯7ª¬Ú§ýËt¯lÉ€ábp¿]z«jšîÒ4ù>/ÒÚ$×>h•‹]sóÞa^Ð óS·s­}2k8äƒöé¿­êA¡Ë½¾µÁe¿í:k¿d@`ÉuZ‰v‡œ¹K+iS™®dHx~';5^Ó~\Vº—±nQ%“x„š%’È[g¹0ÚüoõmÂS7œº`õ¥Ue“WåàŠÙÞÉR$­½TmO£Û›ÌÝq¿Ê>5V2Fáå­iZKÝÑë£s]ŠfH×$‚…øèø«šA ¾Ì b¨­¾k¿’äapŽÛ‡ùz} -IÙ9»´è -núì‘WKÀ÷¶ó§¿4D‰uÈd¢&&Q¡f\OVÛ 6¹‡oo.¸£™y¢ÙêÇÅÅב˜$a‰h²XxÅ!‹c>Yd‚׿úu1¿»œ Í‚(¼œéˆ?ÞÜþD# 5¯ßÝ^ß¼ùíîêÒ¨`qóî–†ïæ×ó»ùíëùåŒK¥0ŽÅ?ßÝΉèúæíüòãâç‹ù¢y¸-Î$Êûï‹Ù$ƒÝý|ÁB™Äzò?XÈ“DL¶JËP+)ýHyñþâ=ÃÁW;uLMJÈ0ZNfR…q<¾bY™ÈÐ0s²ì7ËKÂ@ hý¼4/×õ3ŽYÍ8Wa¢ ¶g¢(Æ炇RJ=1š‡"’ÆZ¿I«ûÔr@m©ÆEj±)Z°e«´¢Î2§¶®lÇõšº‡š:ëºÙ¶»]GAÛ¥M7k»zçf5ÔÆh»|Б‘ n<«[äÆDÓv('êŽsNXÑp J’ÀŠí¾Í³)0â ¸ .”ïŽÉÚ¼£NWSËau¥£àª,iÀî)QHÇÑm8¦Uæ?{ÖÛ}ëx.ócYÉÕvu[tŧ<<õÍb0 øêЄß  ' "J#ÔŸàÙOykZƒ§'J½„5®q2U¹i¿i’³ ËÛUS,ó¶7%×UÞÐX•nýàú„ª¹äq·õÞvV9}¦ÑUmÛÌ-„öÇvéˆVD•vyŽ!îªzĸ†/ªûÒ;ÏpûTljÛÒ«±M‡:Òžà¦YV—eÚx¾÷ŒqÄ> ÚÇí².[úôPt›¢¢¸×§ks1.bÆñ×9BÅ¡K4m‘åÄ>¥­êïÊt•gôyùhõ1Îóct“îÁ}‹.oÒ]}JË= ~©$X\&"¨iüý;)5¯ÜäŠÚž[½ïv{ë~0÷±ÞÓh•£P–Ðñ¸¤»ü0ù©jNì8ftC¦œ^öh``(+#4Ëtõ¯¶LÛ Måj8•ƒFÂÍ­F˜Ðc.n4’‡÷á3…†‹ø„™8e¦Î@ìh5<“•ïÓ‹0aÂØ9^GjÙ¦¤z×u•–¥ûmÚ5`¹~°öÐ`L€Á°­³£{Þ´¤‡M±Ú`¼vc';LpP6(,×6zãïµ…i½¥)=YAHWPÕFÚC$/3·L‘uêb  ÖË´EØJ)‚_†B +m~?Šª#²½óƒ›†‰ÛrCß[f=”’ƒèPæëÎ1nÀ]pÀµ·Û<+ T•nAÒýÌ«<‚l’#•;P›g¼R#m¤8Å<6Óv,‰P¿ó8RÂ:×/áû`ôSk¹S4ÏÇ#œñOûØvÿUž!‚ëKn“)À®ŸÓí®Ì§#REI(5Óßmc3Á¦ršEX 2‰3Û82¹ Eg‡ï#«·ûeØél—‚¹$­wu W¬ö A¼êhÀFqp$Ž´kòíьظûÒMHAJŸ³|UlÓ’ÆèKÈ;NýîKN"Ívi–Y‚³¨÷]q—i2ïÃØÅ¢C*\áó)-ÊtYæŽÚžDfSRêŽ:>”ŽY‡‹’¶RQþ`ÍF,AUeøÁoù”,"æU<>¶H½êpI©ù³Kš0îÃn=² µL† ;›šbgPî÷vf¡8AFÞç?‚M™Èƒ eÔçcÃ<ßDzЂL¼ó¬­»LûÝŽL¾—ÆM`²À…=¬,A–¯S‹+ü†nZ…2ŠO´ê5Ç +sý‘Á‰õÍ>ì Ø”{0‡—ó—‘:"éö‘±~.8›Ê·è|rgÂHÇ^:›Nƒ*ªº#Æé²­Ë}‡Î¬¸?1`èòcÖ…”QÈ>¤¿»»yss;¶§Vï#$`‚ #Š]=ËWäãšòpÛÚLïG3ðkŠÔ:XÕÛ]ÚË¢,:›„(›!ÓÇÚ†@l‹*+ÀÎ÷º1ù ®bi©|é¾DƒæxÄäY+¹ÐÂÃFºùv̦LÃo˜ãøS˜Knüµ»›- Ü¦Ög8蘉à ^Ž@»,¼vmçZ7>pœÿ/Üñ½p+d˜œ½LÂÒÏx·ƒŒCòp Éa ² Í»—¯”¯:ÂØζÒ}B_êÊ^,ÀP )bݸ˜l,ÿ–¾ôY<Žÿº¸›ÒðëÛ«_æSý©ïÇÁÕtôBþÜá[9ÃÞ¾?c¹J¾M̓;Z'Ο8¨ÝŒç-§¥IÌK‡ªÒ"„ôOÓk$”³ˆÅÌöžš²—t:Hƒ)KVoSÙkÕ›'ƒ×«¼m½µÅ*¶†î0‰ ¤·g¬0ØÞ·©ì`…ÃÓÑÿâQsÃ؉ÙrÇ´5ÿ†õä-K²(Œ¤¤˜Å‡šÞüŽ 7÷Ц Õ&6î–=þõ)þ›ùíüÎÔ‹ùX±+CƤ¯^²Â!ø¾qlpÓbþ¹Ë+ÌÆOœÎfS"iãzõú$j!áÉÈëݬ/ô¥é’ t}¬ôSJ'³U¨­À;L˜HA:8È{üæí‰ .ðœ¦ÝîÞ“~-oOöñúíÕû÷‘ò2{Šcoˆéøh9òZÉ&/…¯}=¼+ƒ/b*=¤œP¨%ßx ¸ÅÂŒˆþN:SFendstream endobj -1168 0 obj << +1171 0 obj << /Type /Page -/Contents 1169 0 R -/Resources 1167 0 R +/Contents 1172 0 R +/Resources 1170 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1133 0 R +/Parent 1136 0 R >> endobj -1170 0 obj << -/D [1168 0 R /XYZ 85.0394 794.5015 null] +1173 0 obj << +/D [1171 0 R /XYZ 85.0394 794.5015 null] >> endobj -1167 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R >> +1174 0 obj << +/D [1171 0 R /XYZ 85.0394 769.5949 null] +>> endobj +1175 0 obj << +/D [1171 0 R /XYZ 85.0394 769.5949 null] +>> endobj +1170 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F14 612 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1173 0 obj << +1178 0 obj << /Length 69 /Filter /FlateDecode >> stream xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream endobj -1172 0 obj << +1177 0 obj << /Type /Page -/Contents 1173 0 R -/Resources 1171 0 R +/Contents 1178 0 R +/Resources 1176 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1133 0 R +/Parent 1136 0 R >> endobj -1174 0 obj << -/D [1172 0 R /XYZ 56.6929 794.5015 null] +1179 0 obj << +/D [1177 0 R /XYZ 56.6929 794.5015 null] >> endobj -1171 0 obj << +1176 0 obj << /ProcSet [ /PDF ] >> endobj -1177 0 obj << +1182 0 obj << /Length 1550 /Filter /FlateDecode >> @@ -4571,750 +4599,733 @@ stream xÚ•ÛnÛ6ôÝ_!äÉ*Z¤îí0 MÛ-]1lMúÔöA–i[ˆ,ºº$͆ýûÎá!eÙR/Aè<<÷Íþ¸“„ÌóÓÀ‰Ó€…|?óœ-œý6ã'}¾‹‰S7ô&"vÜ!‘—·³å›@8ÂcQ$BçvÓóŠâ…©pn×çW»ìÐÊzáŠÐ›Ç‹Ï·oéVÀâ$æxË)ã¾ë /¯ÿ|EØ)}ndÞÕEûH«+U5ÅZÖY[ÔÓãóƒHzQ̸ç'š€ —{ž7¿ÌsÙ4=™¶V%-ÞMkIùNÊÒHD†’–I5ãín/x2' ¡ Ï>y¡wyõ®/†[Ñ<Ó¸’γõš–D,˜ï³6ßÑYy$Óî²–ÎUG[yVÐHsÔ ÍjM@UäwU¶7¬6ª&¼M×vCºÆEÕ[ðDmÎY†äÁ¬,Õƒ[©¶Øo¼¹ÚÐ÷ú/úÒM6Ìr'“RÁ¹ýП }3òüè+‘2/ÈW[¥ÖæÎZfS¡ÂY’Æ6ŒÑˆ¬³ôXÉSÊ\RÔ"åÃÒ¢Å1†G˜c(Ü9š-܈§P‰öE«cÇ—ýñe ¯)ì axXÿp­¸k.ôÕmaaJøB–Ɖ2÷½¬ZÚhJéÐ3Þ4ÅÊ›¯eUdå©ÛP¤"—Öï¡÷JÝ`%5WÛòÓðζYQ5íyè -2áíßå±zÚç$“I¿¯ÙþPÊS™vêR½Šê ëÒt¥ìp° :÷¹ ¡xÔL„ïQ[Z.Á_v·–Lü¢(ø:`Ž­ ¼X©m×T²m.hƒºBEY´*U~Gàû7W<å -šC–ËgSùgeyØ؉DÃà7Wû½ªP7-cc%)*KT©7-;ù‡M1Ér+ŸÕ–ÿÒÇcúo™¼ 5?[‹óówà)‹C!ùiD5†¢é-.”x”Ðfd6ÿ{ÑÏR&žè´j²µ„¦‹ú2ãy€.#­­¥©®Ñž9¬efl†ÕLÇB·_Éú¶üNìû•é¿£µú >Rù$÷4hZˆaO¸36)Ôh›¦€¡”Vôoˆ$&»þ“ |C¨cóRìÃõ§Hº“Æ™Ž¦TeX]˜ºÃ Ý.~hêöñ`îí³ºê¤ß6…Õãb¿’ÿŽIÇþȪÇSµ¿§ßäôܼ[é>÷ûqa*ÆÚ“8¦àJ¡ .°û< œÀ¾g¼¡:¼§UÒ·+\tUI𔆠ní2s¶’²"V¶8!u Ö>Ü^;iº$úY«¡Yí ß|¾WÇž# tÂ\¾×ï:¦¯°}†›>#ì˜Îí¨[tÄm jeÞÒm€ülƒ£FÎh¡ñlã ¨¢^`çÖË7W¯ß/àqp;5ÙÄ,…vlgÜõ}Ѩú‘C+Ò8Nô`ª8HÌ…_cöú¶\†ðp‹bïÓ qz€Òéc¡?Q{ÁÜÐoÑ“n;¢«s¢=<§(` ‹àÁ{’2Ë% °¬krY·LÕ[€—‡nµ4[K«îòò»pCliŠ¶ckzŠ5 DÄ’0Þ4B‹ùeöñ³ç¬AÁ·3ùi:°ðÐÎ~&àý$v]Înfïé¹G‚c½Q±$€Î ¡^k5üÇ)7zö÷8ç Oü{N þzÎÎþ0à‡ f˜âfQÜ#ýÂ0Œ>߈4¶„ôûÞÅ”ý½bÌîåÌMendstream endobj -1176 0 obj << +1181 0 obj << /Type /Page -/Contents 1177 0 R -/Resources 1175 0 R +/Contents 1182 0 R +/Resources 1180 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1183 0 R -/Annots [ 1181 0 R 1182 0 R ] +/Parent 1188 0 R +/Annots [ 1186 0 R 1187 0 R ] >> endobj -1181 0 obj << +1186 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[0 1 1] /Rect [513.6761 73.4705 539.579 85.5301] /Subtype/Link/A<> >> endobj -1182 0 obj << +1187 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[0 1 1] /Rect [84.0431 62.7606 448.7754 72.9224] /Subtype/Link/A<> >> endobj -1178 0 obj << -/D [1176 0 R /XYZ 85.0394 794.5015 null] +1183 0 obj << +/D [1181 0 R /XYZ 85.0394 794.5015 null] >> endobj -510 0 obj << -/D [1176 0 R /XYZ 85.0394 769.5949 null] +514 0 obj << +/D [1181 0 R /XYZ 85.0394 769.5949 null] >> endobj -1179 0 obj << -/D [1176 0 R /XYZ 85.0394 570.0146 null] +1184 0 obj << +/D [1181 0 R /XYZ 85.0394 570.0146 null] >> endobj -514 0 obj << -/D [1176 0 R /XYZ 85.0394 570.0146 null] +518 0 obj << +/D [1181 0 R /XYZ 85.0394 570.0146 null] >> endobj -1180 0 obj << -/D [1176 0 R /XYZ 85.0394 536.782 null] +1185 0 obj << +/D [1181 0 R /XYZ 85.0394 536.782 null] >> endobj -1175 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F11 1157 0 R >> +1180 0 obj << +/Font << /F42 601 0 R /F43 604 0 R /F56 622 0 R /F57 628 0 R /F11 1166 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1186 0 obj << -/Length 3204 +1191 0 obj << +/Length 3207 /Filter /FlateDecode >> stream xÚ¥ZKsã6¾ûWè¶t•EøÚÛ$ãIœÃÌd¬ÙÝT’DÁw(RáÊòë·Ý H‰.§jgÍÐèÇ×-‹EÿÅ"Šý8 ³E’)? D´È÷7Áb s?ÜæY:¦å˜ë»ÕÍý‡8\d~‡ñbõ<’•úAšŠÅjó«—ø¡ûûê§ûY0â ? -%ˆGžïüòéÓŠ¸&Uê+‘†Ìöîãû9I±J¡˜çéaõõñýœ(lsýDÁ‡O_n—ax_?>þ‡FO_n£Èû××'à·ð‚ͽû¼z`ÞÄ¿mÞw°KÉܧßýò¸ú…Þ¾ÿôñéñý×w·‰òVð†;ºyX :ë]úÇͯ¿‹ ¨ÿ§›À—Y-Žðø"ËÂÅþFEÒ””ŽRÞ<Ýü<ÍÚOgïQ PËõEªp!”/LŽo2Êü0MBw“·K—î診ÚР5]_ðõû\7—úmMóbšÖêÖÞ’£ -Ë0õã$“v¹O|”Fîó4vŸßÁ[¦¼¢#jÑß¡nÛb]¢v5Q›ÛÔë+¢ñ¥µ`Ùš¶Åc{‰ŸÎæ਷"õà¸f3³gûQ–8fS½Ä^íMÕѨ‹¾-ª-olgXÎØ:Eû©‚Œ_¾¢+™úadÌþÜWyWÔ•e¶‹®OøÑb)³ÌWA¨K!ü,Šè&ۃɋç“Ý“”Òî ¡÷[*VI2Z- ü4Lb^mÙÍlˆÄ ç_(ÇŠ®¸1ôš(õV;¼,\(×ÍïLy Q±?î^ ÚSÛ™=ñ·&;ÑÌšŸ‡Rç|ˆo×JbÙú|¨Ìt]ÿ‰Ã;ÒLú Ê)†‚ÕqWä;²ÕcQ–4*‹}ÁÆn…ƒÞë­×Šgö‰±¹óTKϼvÇÜ­ÙØЈ–F—É0¥8WÕ°~¨¯oÍs;QÂ{6ºëí׆&­ÃíK ¾$\Yx-(ŸÞëgâ`'ŠÝ’r‡‚^¥Õ±¥Öôh¼ÌF›½¬YŒæ÷¾:4ÅKQš-yŒ=ÝÈøà@Í9JÌX[F&.T/{bIÆ,ª”Šœù[‰×& ‰AâñX¡÷ïÛ,ôøÆÚ~»5-ß.µ"WÅkl]ˆ£çädDÎrÜÇÕæ}=L"?KE:ñõ9‡Œ•„.±îÞgß9R¦±3žÄòýhœH‘Ù;Ƨu7xš?õþPò$ØâÞ†o|)‹ŠÉxó–Rkžc×±ËÑsç’d %ÿƹ²(s÷Ëžy7#PI?'ïþE7÷•ÞÏÆa¸\ÈSŽõ?ö†³¹±-_¯ù.JS÷ù°Èb©Â²j–\ÄOJu3G u¨„åXšXI„ÿd‹OGŸ-Ýw“›¼ïÛ澬s]Þ¯‹Š¾Œ!ÿ‚OØ'ˆcBGÏ+…‹aß6ÁÊÈ"Hd&8£¯\`§öLgœÊæÓµò3Ð ¥=‚e¨0ñjk~<± -cÏ¢¤ÏYLœ@^âMƒ;Cn¼J²(UËëæQ8ÊLSžh®¨ÜNˆA7]‘÷¥ænHªÉ»º9Ëcð…]çn&bI°’t€ öœùH?Ž"5Í2¯q˜ùišd£ˆ…†œ„Þ©† —*处£Ê 1àÈ7<Á(iÐcBU ù<¼_)Ì~µÓ<*ª¼ì7¦efȧnGYÞÙõA®ØN—$òÑö”÷ÓÜeâ7(ìT³ àZa÷ÆgS^ -sÄØ<§bÀ1Iš‰¿ bÈìQââfÁëÆ 0Êž#²[›R ~ ‚°4„=àd -`Ë/¸)¼œç+Atöãšžzóß¾í.Ö{ÑeoÚa5«cX‰£©z+µu|3£Ñµó$pÌ0vëe˽VÄQ…‹'FÅšùò¬´C±Y’"æÜ1òã4¾ˆq:Ïë¾âÀ1@0¤–³•H D‹‹dõµâcn8ÝŽ„ÑMYþ±8¦e­(6 ¢%ÝÑÐ:Î1bCœr:6ËÓ¼W°ýL¸ýW³GO2¤¾hÌ Q\Q¾r+Q¥—™ä:¢Él€ïm§;Þ¯]¥ªï` -Eé¢%@ûø"í4…-Üa‚i|Ý覰—"d±‘gÈÂS´Û#Qœ' .ÊRïÇúˆÞ%+ª6M ŠLµ!8üñÐ8ËÄð -{§Ú&`Ä~G…Ý P÷úDܬÇÔ‚Ë 2.­rÂ< æSmÛK/˜–&B„K¸÷órÿ—iê9„ ý$Z s!F!*ScQ ø -´ËAˆ‘ê-ar,¬¬·s¾‰)0HÎÀÅÕÔ3¸XÜc™¦Ë tÅ~ÎMS‰nêìÏ°)é‹$N¯+õ¿NÑìU¥ÿKÏ·Â禨›±…SÀÍõŵKe©0þ;.•9Ç£ÅF‰ø‹Ö›—Ÿ@1†ç€ÖC 8“œá¢âÀѾJ%aa‚;R¾ÓÕÖ8º –ñÑ´-WL¶eÄ}½))×ÝP§ámÐ`¦&U4õ«H½Z`@îUÙ«êãÜõH,€×9HFçɘ’ײ†³@²F@@ûÞmiKQź0LnJÀ”="Ð8ŲX^Ç•Þ@¢È4]ñâ\µJnìåØÁÈDÞǺ3¤®8ðcø7‘„u ô§žózƒ<™e™zÛÐB¨O'†ÆÒ[zNÌ:”TG]3ßE‰”öwÃŒZ[@挣Êâµ6,‹:]x–šžP#l¦ -ôðeˆ¶kŠ¼s• N˜SMê¦k§½Œ‘×_w3H0ŠÜʸl$B PÆ2åÈ"9®¼?~‹œ;„‡îx™'×éy³AøŽ]J -Éžëd‰ÐÛ8ùHíY>ŽŸuΖŽoí®îË ×ü)é©dÛýÁÓ-¸ÇŠ¨DÁΧ¢à“!ÊhW0W&¹ì‰mŠÌ$#Iåmj~ß~[°V¤µn wJr¨L9ð*½ÇÏDЛ ß9D0W:NåíjªÎ8þŒÊ‰|ÌFšÃcÂ_ó&Ëb`e£~eé™OÈë—Žjµ0‚ZàVð604üIDÛÛŠÒW¦‰¯’Ì¥7@IõqÉ÷<[¤iìBü_Ü°KÏÝI …º“HÞ›nWoxL,†–éšo@̘›ó-w[‹›˜^®è*€$ðe @ñ"Rñwýà©÷õ=ª6Š5ÿF)¶et[XÜãgª½·ÖZ±ú®lkVwÝ [ÕNÄódó ]átÓ†—±ú¥®WJvðêÍÈ ä‰ß¸™åÀ>S -aôŠ]J/´YL5 kâ8A¶Ô/Ì:D®ðœf°VgPÚ¾% „¦óŽ¤ñ_è4ö‡)Î[Úk€¿ÍœÕçÔBäðÇb`ÄdÝux·š\3µÀwä|<’#ÓàH9‚=õ‡f¶šÙj|Fš¢ÖöŒ(> ok³uiçB Êئ‚KG€J÷3Ðò¼hp.-£löé\‹Ü´ç -`èÌ3õvd`ͧµuyÂG·¸1¾… Ï$j—lmx±_jlOÑJ² ”`°zY³ô¼9ºzÛèÃΕv8­{ØA…Õ^gXК×Ø]͇L4ÁÐ+”#­ÎÙ1blîo«¡)ÜB·ÕÓãÜïF¶y0€d9$ÅC~aþå\´`!2e4ŸÙ%$ö0º!Qð†yÚ''áÜ œ•Ü- ?^IìÁ–¥K<K£¼®:Xb ¾ºDÐg|Z\»§ú#%¼.]ÇÖÐäub”CGï ~]:p{4ë‹_Êáøåäqggîg¥jøq]eæ~˜õ™×í¯  ºÇ? ˜ù›€`èüßpþ38?MÃóL éÔW)áMÙº@]íÜý©ÂõÖÿH|½endstream +%ˆGžïüòéÓŠ¸&Uê+‘†Ìöîãû9I±J¡˜çéaõõñýœ(lsýDÁ‡O_n—ax_?>þ‡FO_n£Èû××'à·ð‚ͽû¼z`ÞÄ¿mÞw°KÉܧßýò¸ú…Þ¾ÿôñéñý×w·‰òVð†;ºyX :ë]úÇͯ¿‹ ¨ÿ§›À—Y-Žðø"ËÂÅþFEÒ””ŽRÞ<Ýü<ÍÚOgïQ PËõEªp!”/LŽo2Êü0MBw“·Kp¼]S×UWÖ€éú‚Ǩß纹ÔokšÓ´V·ö†”ÝP°X†©'™´Ë}ªà£4rŸ§±ûüÞ2åQ‹–øuÛëÒµ«‰Úܦ^_/ ¨ËÖ´(Û“Hü$p6—ïš[‘zp\³™Ù³Œý(K³©^ +b¯ö¦êh ÔEßÕ–7¶3,gl"ˆýT ‘[ã—¯èJ¦~³?÷UÞue™í¢ë~´XÊ,óUªÅR?‹"ºÉö`òâùd÷$¥´{‚Aèý†ŠU’ŒVK? “˜W[v3"ñÂùʱ¢ën ½&J½Õ/ ÊuEó;ShT줻C„öÔvfOü­Éû¦èN4³æç¡Ô9"äÛµ’X¶>ª3]×âðŽ4“†~‡rŠ¡`uÜùŽlõX”%Êb_°±[Eá`£÷zëÆuÅ£â™}blî<ÕÒ3¯Ý1÷Ek664¢åƒÑe2L)ÎU5,„ªÀë[óÜãN”ðžîzûµ¡IkÇ0AûRƒ¯ W^ ʧ÷ú™8Ø €b·¤Ü¡€ ×Eiul©5=/³Ñfïk£ù½¯MñR”fKcO72>8PsŽ3ÖB ‘‰ ÕËžX’1 „*¥"gþVâµIBbP8G|V(Eàýû6 =¾±¶ßnMË·KG­ÈUñ[âè99Q†³wÆqµƒ€y_“ÈÏR‘N|}ÎÇ!c%¡Kl£»÷Ù·AŽ”iìŒ'±|?g RdöŽñiÝ žæO½?”< ¶¸·á_Ê¢b2Þ¼¥Ôšçص@lÁrôܹdYCÉ¿q®,ÊÜý²gÞÍTÒÂÀÉ»ÑÍ}¥÷³q.ò”c½CǽálîDlË×+A¾‹ÒÔ}>,²Xª0„¬š%ñ“RÝÌÑH*a9Ö…&Vá?ÙâÓÑgK÷Ýä&ïû¶¹/ë\—÷ë¢â£/cÈ¿àö â˜ÐÑóJGábØ·M°2ò…’™ Îè+ØòQjÀtÆ©l>]+?S½PÚ#X† +¯¶æ·Á«0ö, +@úœÅÄ ä!Þ4°9äÆ«$‹ÒQոܱn¾…£ìÁ4å‰æŠÊí„tÓy_jÞ醤š¼«›± 0_Øuîf"–+IÈ`/Á™ôã(RÓ,󚇙Ÿ¦I6ŠXhÈIèj¸p©RNJ8ª Ž¬qÃŒ’=&T•ÏÃû•ÂìW;Í£¢ÊË~cZf†¼qêv”Uá]ÄáŠítIò'mOy8­ÑÉÝY&~ƒÂþA5Ë®v/`|65é¥0GŒÍs*“¤™ø;± †Ì%.n¼aœ£<á9"»µ)µÁà· KCØN¦¶ü‚›Â+Ày¾DW`?®é©7ÿíÛîb½]ö¦V³Ú1†•8šª‡°RëPÇ73];OÇ c§°^¶Ük…@U¸qbTœ ™/ÏJ;›%)bÎ#?N㋧ó¼î+ôCj9[‰B´¸HV_+>&à†cÑíIÝ”á‹cZÖŠbS*ZÒ ­sXÄr:,Ë““5ïl?nÿÕlÄÀ“ é„/ƒ"DqEùÊ­Da”^f’ëˆ&³¾·îÆ;¯êÆÁ;˜¢S@è†h Ð>¾HE;Ma w˜`_7º)¬Á¥Yl$ƲðíöHç ˆ‹²Ôû±>¢÷cÉŠªMˆâSmοE| 4Î21¼ÂÞ©¶ ±ßQ¡C÷Ô½>7ë1µàr‚ …K«œ0ƒùTÛöÒ ¦¥ ¤áîýƼÜÿešz!H?ɆVÂ\ˆQˆÊÔXT¾Bí2ÄDb¤zK˜ +ëíœob + ’3pq5õ .V÷X¦érB]±ŸsÓT¢›ºûs€lJú"‰Ók`àJý¯S4Ëu͹ÒÿÀ¥çÛásSÔÍØÂ)àæúâÚ¥²À‡Tÿ—ÊœãQb#„DüEëÍËO ˜Ãs@ë¡œIÎpQqà‚hß ¥’°0Á)ßéjkÝFPK‡øhÚ–+&Û2â¾ÞÈ”ën¨Óð6‡ h0S“*šzŠU¤Œ^-0 ÷ªl€Uõqîz$Àƒëœ$£ódÌNÉkY +ÃY Y#  }ﶴ¥¨b]¦Š 7%`ÊhœbY,¯ãJo Qä@š®xq®Z%7v€rlŠÎ`ä +"ïcÝRWø1ü›ÆHÂ:PúSÏy½AžÌ²L½mh!Ô§Ccé-='fJª#®™ï¢ŽDJ{Ž»aF­- sF•Å+ kmXuºð,5=¡FØL)èá#Êm×yç*œ0%¦š:ÔM×N{#¯¿îf`,¹•qÙH„ ?ŒeÊ‘Er\yý9wÝ×FäNÏ› ÂwìRRH®ð\'K„ÞÆÉGjÏòqü¬s¶t|kwu_nh¼æOIO%sØîžn©À=VD +~p†(8…Ÿ QF»‚¹ª<ÍõDŽ6Ef’‘¤ò65¿ï¿‚-X+ÒZ·„;%9T¦x•Þãg"è͆ïœ?"˜+§òv5UgFåD>f#Íá1á¯y“e1°²Q¿²ôLŽ'dˆõKGµZA-p+xþ$¢ímEé« ÓÄWIæÒ ¤ú¸ä{ž- Ò4v!þ/nØ¥çˆBÝI$ïM·«7¼ ¦CËtÍ7 @fÌÍy–»­‰ÅML/Wt@ø2 x©ø»~ðˆÔûúUaÅš#ˆ”Û2º-,n„ñ3ÕÞ[k­Ø}W¶5«»î†­j'ây²ù„®pºiÃËXýR×+%;xõfd†rÈÄoÜÌr`Ÿ)…0zÅ®@¥Ú, ¦š‚5qœ G[êf"WxN3Ø«3 (m߆GBÓŒyGR‡x‚/tûC„ç-í5ÀßfÎêsj!røŽÀc10â²î:¼Û M®™Úà;r>É‘ip¤œ¿ÁžúŽÆC3[Íl5>#MQk{FŸ†¿·µY„¿º´s !e‰‰lSÁ¥#@ ¥ûhy^48—–‡Ñ6ût®EnÚó 0t晎ú ;2°æÓÚº<ဣ[ÜßBgˆ µK¶6 ¼Ø/5¶§h%ÙJ0X½¬YzÞœ]½môaçJ;œÖ=ì Âj¯3,hÍkì®æC&š` èÊ‘Vçì16÷·ÕÐn‰ ¡Ûêéñîw#ÛŠ<& k²ñkøGd±¯Ô€„ߎ©™Ü|pXXÆ%U\sQmî£ ÁþˆöÍœhP/‚ã +oNIÛŒ\q¾ÀÐ +Ñòòg¬Û2l]®1J3·)ǘ– xW‚Á‹ûB¸"l°I„Q3 [e~K×!5-uYä§ùŠ1Jd|©-ë1‡î4(G¿¶ýªaMÔØýð @²’â!¿0ÿr.Z°™2šÏì{˜Ý(xÃ<í““pnN„Jî–†¯$öàËÒÀ%ž¿¥Q^W¬G±ß]¢è3>-®ÝSý‘^—®ckhò:1Ê¡£wqÀC¿.¸=šõÅ/åpüròƒ¸³3÷³R5ü¸Ž.È¿2Žs?ÌúÌë¿öWPÝãŸÌüM@0ôþï¿@8ÿ™ˆœŸ¦áù ¦…tê«„ð¦l] ®vîþTázëÿ2}endstream endobj -1185 0 obj << +1190 0 obj << /Type /Page -/Contents 1186 0 R -/Resources 1184 0 R +/Contents 1191 0 R +/Resources 1189 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1183 0 R ->> endobj -1187 0 obj << -/D [1185 0 R /XYZ 56.6929 794.5015 null] +/Parent 1188 0 R >> endobj -518 0 obj << -/D [1185 0 R /XYZ 56.6929 769.5949 null] ->> endobj -1191 0 obj << -/D [1185 0 R /XYZ 56.6929 747.0488 null] +1192 0 obj << +/D [1190 0 R /XYZ 56.6929 794.5015 null] >> endobj 522 0 obj << -/D [1185 0 R /XYZ 56.6929 613.0366 null] +/D [1190 0 R /XYZ 56.6929 769.5949 null] >> endobj -1192 0 obj << -/D [1185 0 R /XYZ 56.6929 586.6546 null] +1196 0 obj << +/D [1190 0 R /XYZ 56.6929 747.0488 null] >> endobj 526 0 obj << -/D [1185 0 R /XYZ 56.6929 473.2336 null] +/D [1190 0 R /XYZ 56.6929 613.0366 null] >> endobj -1193 0 obj << -/D [1185 0 R /XYZ 56.6929 445.9291 null] +1197 0 obj << +/D [1190 0 R /XYZ 56.6929 586.6546 null] >> endobj 530 0 obj << -/D [1185 0 R /XYZ 56.6929 376.148 null] +/D [1190 0 R /XYZ 56.6929 473.2336 null] >> endobj -969 0 obj << -/D [1185 0 R /XYZ 56.6929 340.4845 null] +1198 0 obj << +/D [1190 0 R /XYZ 56.6929 445.9291 null] >> endobj -1184 0 obj << -/Font << /F62 634 0 R /F90 1190 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F77 703 0 R /F58 627 0 R >> +534 0 obj << +/D [1190 0 R /XYZ 56.6929 376.148 null] +>> endobj +974 0 obj << +/D [1190 0 R /XYZ 56.6929 340.4845 null] +>> endobj +1189 0 obj << +/Font << /F62 638 0 R /F90 1195 0 R /F42 601 0 R /F43 604 0 R /F56 622 0 R /F57 628 0 R /F77 707 0 R /F58 631 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1196 0 obj << -/Length 1975 +1201 0 obj << +/Length 1962 /Filter /FlateDecode >> stream -xÚ¥Û’«Æñý|…ÞÌVY, 'ÇÞÛ—].Ÿ­J99y@0’È#à eýõéžî$qâTe÷AMߧoÓ 6ü‹M&ý ÊãMšÇ¾ „Ü”í»`sÚ·ïóÄ2òeEð°BÝÊ(óe¦›íRÉ×/￉ÃMøIÊÍË~²•¤™ŸGq¾y©þá=‹“QýÃ6”—=üóå¯$ûi– - À„ôÓ<ȬÀ˃Âëõ¸kÔpÔÚÔÝa±ÅIÈbIä§I@v2_Wj/½î_²gÑ&÷ó$LØ1O‹˜rMQ,¼ AƒnFSã!ñÉè {Æ`Ù‡ºfáMSÌœEWPꎽ\PëaÕààkݦxe/NýƒÈ °UQ~1t‹r°§X) † œ®,¬û6ðH.-Ëm©÷ߌ:²f>;Ö¼ÿ‰¦‰?L"Wó¡«ø®ìU NÔw†¡ƒ»Ã„žL}P}]4ÿ8¶;èñõRΠÇòÈÚû»î°^¢ꀤ£Hx•ˆP¸@!å_£­x@3ÏÌ¿»Ï˜£* Kê^aÅH踯ˆ¥Ñ†80õˆ8)}jX -*“`¢%”-~ôiéÃZUsu„Î6÷È ¨²B«ÉèäçfP(#4çám-†!GX~„úþ~øáýûŸö‰ôáÙ›+qwÄ‹³"ìN©Žp&e’l jí4S>Â$@Gø%üž€R·§FK]t¶•W+°Q€l8 #09œ¸Îgâ›*˜B9.˜¬*fª÷ükHúR7 ap2ãtˆítx›,wk-jzdR2¿œ-£§& 2v ¨º©p5‹0&=ÌJž€Y™Hb¯0 \4æ@úwjA¾WÍÊŠÙ¥ÔÍ–Éó æTU—XøŸ.J˜ýüf»¡c1À¥Ðxª¸aâÆF:sùɃÙÁ|‘H€5‹ÏŒ •Éœ_Í}q(ðïNøÞÊÊÁÜå>¢¶ %ãóŠóF.¼ÁK)Â)gŒjOæz²R,® _×¥>½ñøÞßXÁÀú“§),?°-¡§¦Û.K˜€é”™œc‰ š~ úq¡pæ’tú¥:>½S}žÔQ|gV9…ã†.ïn˜„Ì,´vÏ£8mH'ÕóäšÂ8\ÇöÿŠ'Ýü"Y,@¡ànè²-3ÀÐo2QŠª"B(â4΢$N‰ð1Aø1A$¶Ä­FEˆ¹ßíøŽÜ%£‹ê†“»L¸mB`†^™8Ì{2Øø!ƒ:¬…›j»Ňˆû?vC*ò:u! ›hž)Ñû"¢ÙhÙÜUeXó‘ŧš[˜ã} 7=éRtŒªÍ5óN±-ŠÃdÊÆlu^-ÒÏÝy(êî[d"^dþvTnó~ºÙË¿U\¥ß©æôåïo+/îxî Á:ŠPê}Ð{s¹šËOºtoê±¥g,ªçO\Nx…ì‘{ÏS=³noŠŠ5ô°b©‰—®„ñt¥| tót®Kf-ä…]Üø ûl|ýüãûµ0Ó;@xï¿{ú !ɳ`ÀÙ{í7¸'[Ž¶üf Ø®LÀË«Mk‹„ÉO|˜·7|8uSìpWpg[åqaƒT×]ÙŒ•Vôâ©Vnrj 8ô ÚDîž=ôE;`ùÅÐõ¡«qY.©T½ª‡R3x´sd®ÆÒQ(î˜*F9ëd|d3 d:v©ÁÒoªrÚj8¹îkóF2ûØx „Ýà×ûž7ªFk·Ý]eµ¦°)|«3óÁ¿ÂË›Á$FI%Kâ0øj”è7t?Å ðW‰|¤i0`˜’Èöç2D®eÁêT”¯Å¹kÈëÊq©Ò1?õîõö”‚–žl¤àw‹®ƒÔ•®æe÷tÔD¥©í‹Ú!ßñ%ÊëÙ°‚f`þk¯\Šm­àlS]¿Ù6aîÝÜXîkFõ…œÒVÝ8Øë;¥ÇDBÛ»æ• 7¯œ<·ëLŠoë¦( ‘ðÕôϠɧm•¿±˜c Ê—2IÁôáÈòî//Ó'(ÎaÆÙFD¡ŸÊŒ>ûõuã ïçO@“Àv!a¿Éta÷N/ZoaýÅÂíí?0Óý\dùµ?7Ÿ¡&¦;®Î~§ }øÓÊ°p}ä"ç¹ÀŸë¡æ@ó}”ئÁÔn£,óE*âëÚ¾¨/?Ôv«\ÉŠ”¾Lŧr"b¸Ãd@øYþ~R&‰íRä>+÷šíbaÌé‹ÇÇËåâsV][>rõ=ÞÕMA]…á7‰š¸îýºŠÇ½¶ÿ–*ü°H¡s›$u{ÁmØòË›ë´û*I¿q®yìX¶3}Þ\:ן…yê¡+©¼µ6},½7÷qj endstream +xÚ¥X_“㶠¿Oá·hgb­(‰ú“vš6{M²í$Íäv¦Óöú@K²­ž$:"µîæÓ @Y¶•¦3Ý}0€þ@B›þŦa””é&/ÓPFBnªþ]´9€ì›w‚uR™„2M¬H·2)BYÄùf»4òÕ˻ǯÓxGa–Åró²Ÿ}ey–IZn^êOGu²Íø°eÿ|ùMKüÈN‹À… ó2*Ü„—!D0êi×5樵m‡Ã*²…cãÕÆ7&4‰*=’vuã7ÁÓÄ©ÌçÇzX³gôWMln°¤…‘¢2'#x æU‹U¢‚¦_E?>U@^´8Ksœ oúu6Gù½¨^’s£ —î`æIö2i­–ÙÞ0|*,:›S3ú#ƧÑ\ß6ÿW>éÆÙ¢q‰EN¶†ì`úÍf‰ªkÄ"ÍÓ"ÉÒœ#Åc%b+` n-6Äà`Àʼn¿ ´ªo4¹æ„ïDæMšËý +.ÈƤšµt)ÛQêËtÒ!“¼chÎÄa÷QzŠ¯Â§n 5§X¶|äé3æî¸ÏêMO$:«Y­½VÞ5ì‹ò0»r9[½íÛϽÃAµÃÿÖ€$Ü€üõØøŽù馟þ¦a”~Ût§/½Ë ´E945P`e(>è½=_Îeà<éÁèѶSOcÕó‡'†0á ½§S=¢›Øgj-¡5jf]÷k¦Ó ŒÒ€S˜»²m+VUŠÂ5\†xØç:_=ÿ~-ÍÔ»GYðþÛ§ò¥› …~ôkìoFÝygˆÆ°P—{Þ-sœ8˜Ó⯪íÔ®ƒÏÏñ¾U>Èt;TÝT7fÅ.®j冥Jã²DâïÙèzƒðK¡ÚÃÐb“[TA½nM¥'Ê Ý9r™\O•—PÞ°# Žr¶É|׿ ˜Û ž~njo­…•ë±µoÄ 7q°›Äp÷zÝ“ìõ°ÝOCí¬æ€¿ÆìåÑ?ÁG—5®5…ë|à6¸®[<(1n¨~Êð¯™QÖ —jÚDö!j-ǽ®ª>©r>¶°¯+ËYl­Ä<ýgö´=\¦ào$Õ0ÀÖUóÈ¢®MrzM}¤ô±»6MÂÇ8è ë_Gå·ØËÖçŠêú³Æ•‘ˆËàæÆò¯%à‹ºcDÝd õé +{ÊËޯ̸xå¹ëésüʶª²$ÂOÊ߃¥>hùMCˆÅ9¦B)³‚Á~‹*ïþø2?Å$i iZlD‡¹,蹆¤Ÿ6žúóåéfž°]Ìp/72_ø½³‹Þ{8¬þböá68ÓÃRåu<7ÏG³Ò] Wk¿³…1ünå°p}”¢äùÄ¿¶¦µóçí + ní6)ŠPä"½Æö¹ÙqóCu€à°+»"e(sñK{"R¸Ãd D…Eÿú¦Ì3¶Ë)÷»roÙ5Öž¾x|<ŸÏ!ïÊ£/ËGFßãn²pÇ71ÞlÔ¬u×U>î­ý·­ÂÁèªK§jW\†=¿ï„·Aû×ÄD†ø6¹±WÙ^tèYr\Ca—¹7„¡äòÖÛüÈyïî?lYŽendstream endobj -1195 0 obj << +1200 0 obj << /Type /Page -/Contents 1196 0 R -/Resources 1194 0 R +/Contents 1201 0 R +/Resources 1199 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1183 0 R -/Annots [ 1203 0 R 1204 0 R ] +/Parent 1188 0 R +/Annots [ 1208 0 R 1209 0 R ] >> endobj -1203 0 obj << +1208 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[0 1 1] /Rect [348.3486 128.9523 463.9152 141.0119] /Subtype/Link/A<> >> endobj -1204 0 obj << +1209 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[0 1 1] /Rect [147.3629 116.9971 364.5484 129.0567] /Subtype/Link/A<> >> endobj -1197 0 obj << -/D [1195 0 R /XYZ 85.0394 794.5015 null] ->> endobj -534 0 obj << -/D [1195 0 R /XYZ 85.0394 769.5949 null] ->> endobj -1198 0 obj << -/D [1195 0 R /XYZ 85.0394 576.7004 null] +1202 0 obj << +/D [1200 0 R /XYZ 85.0394 794.5015 null] >> endobj 538 0 obj << -/D [1195 0 R /XYZ 85.0394 576.7004 null] +/D [1200 0 R /XYZ 85.0394 769.5949 null] >> endobj -1199 0 obj << -/D [1195 0 R /XYZ 85.0394 548.3785 null] +1203 0 obj << +/D [1200 0 R /XYZ 85.0394 576.7004 null] >> endobj 542 0 obj << -/D [1195 0 R /XYZ 85.0394 548.3785 null] +/D [1200 0 R /XYZ 85.0394 576.7004 null] >> endobj -1200 0 obj << -/D [1195 0 R /XYZ 85.0394 518.5228 null] +1204 0 obj << +/D [1200 0 R /XYZ 85.0394 548.3785 null] >> endobj 546 0 obj << -/D [1195 0 R /XYZ 85.0394 460.6968 null] +/D [1200 0 R /XYZ 85.0394 548.3785 null] >> endobj -1201 0 obj << -/D [1195 0 R /XYZ 85.0394 425.0333 null] +1205 0 obj << +/D [1200 0 R /XYZ 85.0394 518.5228 null] >> endobj 550 0 obj << -/D [1195 0 R /XYZ 85.0394 260.2468 null] +/D [1200 0 R /XYZ 85.0394 460.6968 null] >> endobj -1202 0 obj << -/D [1195 0 R /XYZ 85.0394 224.698 null] +1206 0 obj << +/D [1200 0 R /XYZ 85.0394 425.0333 null] >> endobj -1194 0 obj << -/Font << /F42 597 0 R /F43 600 0 R /F11 1157 0 R /F57 624 0 R >> -/ProcSet [ /PDF /Text ] +554 0 obj << +/D [1200 0 R /XYZ 85.0394 260.2468 null] >> endobj 1207 0 obj << +/D [1200 0 R /XYZ 85.0394 224.698 null] +>> endobj +1199 0 obj << +/Font << /F42 601 0 R /F43 604 0 R /F11 1166 0 R /F57 628 0 R >> +/ProcSet [ /PDF /Text ] +>> endobj +1212 0 obj << /Length 69 /Filter /FlateDecode >> stream xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream endobj -1206 0 obj << +1211 0 obj << /Type /Page -/Contents 1207 0 R -/Resources 1205 0 R +/Contents 1212 0 R +/Resources 1210 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1183 0 R +/Parent 1188 0 R >> endobj -1208 0 obj << -/D [1206 0 R /XYZ 56.6929 794.5015 null] +1213 0 obj << +/D [1211 0 R /XYZ 56.6929 794.5015 null] >> endobj -1205 0 obj << +1210 0 obj << /ProcSet [ /PDF ] >> endobj -1211 0 obj << -/Length 2583 +1216 0 obj << +/Length 2598 /Filter /FlateDecode >> stream -xÚ}YÝsÛ8ï_‘·*3kWŸ–to‰Ó´›\&Nogîöh‰±y‘DU”âzÿúPV¼ÚNÇ$>H•à‡ÁE–,ý(/Ò<^&~\õ;ÿb¼Ïï–‰“h™ÄQ“î"‰²e’…éÅbºÈõÓ»Ÿâð"ô—«U˜\<={­Òt&ÙÅSùïªmeSªŸ—‹0ñ½«Ëÿ>}%µx™fi€j>l‘.ãUºšjÒŒÂA¼ŒâUÈ«dGiJÂËàrø>,]¼4úPÉrW˦ŸèËõJ] '$¨‰¬ÈêVÃA%ïVSèõ«ÅSo+ l1ãw{›rwÏ`€"×ÃÌ“¸&NR¾Y@ ü(Gà„†ñÆçtãÍb­›B¶vk ‘[`ðIªR½’Õx…‘;]>±ÌpºüŒé´ÙmÝVr’…QÈ[â`ÓÊÂú—€ƒ cPa–MöFÝ][áÀôÀV½4DZ·óa¯Š=¯RUs)3µzc¸a ?!”ïmUAbºEòåÊÏ©0=f¥£;ÓÓäºó…ÃㆀFFv¯pô4ö,¸ä^f¦¥ÖÝ_%\\ `L'¹ž¤ž[áoAØIv¤ß1`Ò&™w§‹ÑÊÞ&³!BÄ\"ºÛJRô õäãšOvº5‹Ð'B-Š½j¤!¹JCˆé ™goWâ’ßÇ6ª?òêÏ$°ÑÈt¼çZT -¬k”x϶Þ60¯G³@¡P‹9ëeSXKâtL¯ú¡ç "*߬·›[ÂX”¡¬‡Áæñ–ćÁðÀ³ˆõžâ~Ä,»ôÔ ¬%ª6‚å÷·kÜhIWô3f'ÀLbZèŽ묟4r.Æë%|€~-»YÉ#Í\ ¡}9`ˆl/‘øØ– Ò -Hä¥m–!yÌ2œ­y$ží9#€õ-o+æâ°#ìZ8­Pœáw׉r ˆôC¸ÁCÉÐ<›,ðKɃ7É2.NÒã­âÉ8šÒFĸyâϧªÿfÇ )ÜÈgÙ˜ùj_¾ -È1î𥑈6Hy •ÿ'‹ž3窄Š -ãéVQŽÜ¸Æ²d]þu2£ —RîóÒŒZKKé÷ìjÛA+^fˈx'tEfAÿ­ñ)ét| ¬uÝ”Ç@¦^‘÷=;(P>O"œRb­7Ÿùn„e&»¿#Œ¬V§`á±[A ‡¨,Ì€ÅÙu$ ˜Þ°WØx˜‚ïF¼ª’˜j·«ðP«”¯87ºÙAÎ44û7ôÜ$P‹RÍž(äv P&máªëæÏ3¢=Eœ`·—¢ÆEÛg†…Ôö åÐ\©±âzA#Ý8aW'ôs˜£ÔÝWÂű(”º‘oÁÿQT힆kQ·[YUlÔ7ù:_Èo†¦­52°—_5j§z2Ô÷>þT‹¥’DÖÜñŒi-¡”ê£dÄ%j%A0ŸšêàôfÂŒáý¬z‹ÀÔ-ɉ‹‹H -i~„„DœCÐÓí†VJc‚£„¶'JŠÍTœBB5Gbj,@Äo¥nmúYT†µ -Ý@ýÜTÝrný@„M -7Ûì!`•CÇ=ÜØl¢ЭÿöG¤”Ÿ Å7PƒÇfƒ°œäuBÁ2Q‚‰ß%!vy›ZëžXkÑU‹;ÕCŸ^U¬y§^$qï†ÁVúªj"^WZóº-U6Å’¯ÿœµ -³¿¼Xdƒ¸Hâ´„*7lü1€?*~6ïa›ÊÁç–‰´#Ž¾q®Wæì-ýÏ% $0 ˜.Yrïõ„š0‹—9ßÞ‹ ˜š¡è鉼•¶háÐ}ÃP¥HÚÈáCi³¶.G”§øbÈV$/“ ½½Ž6gž¶Å(…ë«·´ô|çâ4&¤{ÒúÓtÀé9nO>ÌNÞæãÊ¡@˜]š(¹©<ýÂëªÊ;ãÏ<½¼Fçéß%Põ Qì:@`)C¿Ü•¯Õ€·[ÛÝ~4¤¡Í‰È}8‚‹Ã^µÄ¡¯ÂÀ€ý:[º`Rœª F Œ\|¶äÜuQÎ͆ë³k]¡÷#Ôƒ$2oÝ× µä·‚q.+dÔ½•uÔ»OãŸÜ "ü¢ÍþñÁ‰,N2ô—‡éGöÈ_-³0OÝBh~šžï6þãÏÛýåsÏendstream +xÚ}YYsÛ8~ϯð[誑ÂS$÷Í–s8»\–³Sµ›}€HH˜V4¿~»ÑÍCîV*E  Ñèþº!{W.üó®’héix§á2r½è*+ß¹W{à}~ç±LË( ˜ÌpQ,£Ä¯ÓEn_Þ}øúW¾»\­üèêe7쵊“eñÕKþo禪¤Îկ녹ÎÍõ^¾’^¸Œ“ØC=öˆ–iäO2Ù ²^¸ •ϲ«`™ú¾GÂKïzá¹.¬œ½js,d¾/¥n'º¬õº»LÝdÕëŽÚdÞm­äŽ†_TÓšúDÃÄö ip÷¸¡Ð9«Þ?Þñ¦ÁUºLWþŠ÷ô£¥'loÑL·?€Nòr0øáû!ìá%Î×õ3% +¤o{í9r¯´VzOkÍTýΔBi?Š’©›SÓÊ’U²¬«kÜ@¢½Aâôò^šðFGÕ^ÚUuÛBe¢UF[ÃñTƒ_áTÏŸÖè„ÐI}÷7±§B'3´-ÎväÀ-Dizkx sÙdµÚZ›nm2ØЈ(ZÀ*Iâ‰o)Áòzø®óÉšbÊa•­1¤”ØÚYgNzóütúΖ-DNÂ}E®= N*:*¸ºS[.Mß\œÞ78‰œ{ÝÊ–eØ[™Ù{ñ` Ù´öä8A¿áWþªd­0ÂùR¸ë7Ëå›,LeÅ.A†EÖËg§¡hÔ¢Ù"ÏÉð¦¡ó\§ÉÒŒ­“á+èS‹Jåʼn&`8ÔÐoØgM À1¦~eiý¦è4ž®ÅOWΣ`ó-zžs”53wp¬UÛJkÓŠoÙ‹)T›ƒ  “ͱ½R¢´Ñ­4¹Â<ëe)ajɹFÆÇNn²Žà„ ‘•†¨® Tòn%]½y“ƒxìlE[ÌœÀfSÚç ÐCäz˜€y²×„QÌ™DÏ Bpq¾Ah2>¥Œok£3YÙ­FnÁ'‘©BµJ6¨Æ+ Üéò‘eúÓågB†6»/«BN¢0ðyKl*™Yÿp’!c¸T˜%Ó ;SïSÇÖA8hZà «ž7Dêª~çãAe^¥(æ>Àµ:3¼a Êu¶* 0ûE’¥›©]ä…0+¶]7-MÆ«‹0^øZ`¬ ˆaÔÈú Ž‡Ž—ÔÉÀL´غû«„Äí/ãI¬G±Ó¯Œð· ì‚ ;Ñ÷It´Qâ<˜ìUT²µÁÜ !b.ûl%)úB=ù¸& ‚©š…ï¡ÙAiÙ\aàŠé ‰c³+êƒßµ‚c7ª=ñê;ؘdjÞs- +Öi%Þ³­÷æå`(dj1g½Ô™µ$LA§iUÛµ|‰ˆÊß7ëÅýæž0e(êa°y¾'1Âa0Üs,b½ç€x0Ë.=5k‰jãF°Üâñ~-Iâ†>CÔq̤“…îÀ³ÎúE£ÞŘŽAÄ)ô[Y¿ÊBžhÖ—šQÑÇQ í%"ÛrR*¡±—¼´2$Q†“Ɖ=g°¾åmÅÜ=ì ûº +NëztÏðÝ×"ï"]2¸Ëgƒ¾,08 –a犣7pÖéÜÞ(ˆasÍ¢»±êŸí¸!…;¹“º™¯öù›€ãïY6’ Ñ)O´òŸ2k9rnr¨¨Ð9ŽYE1r×7%3èòÏk]@¸sŸ'ÔZZJ{`WÛXá2YÄÑ-ü·ÆÇtH§ãamʪ£82õŠ¼ïÅAòyrÃ1Özóü™s àZfü÷adµ/ ˆ½Ø +:h8Daa,ÎȺ& ÁØs„MA`?áaFÞxS91ŸÕ~_à¡V1§87Fï!f4Íþ=7 ”"—D³g +9d…”I[øÚwó—ùZ7N°ÛJQ≸ÛÃBl{ †rh®ÔÐq½ ‘ѽp_'Ì®=NŠQÜç+áâPr£å9ø?‹¢:Ðp-Êj+‹‚ú&ß. 9—ÄN¢²Fz6iðU£öª%C]çãÏNUX*IdÍÏÖJ©9IF\¢zPó©©öÆ7F ïgàÑ[¦ý’è@±¸ˆ$Ÿæ'H@Ä™sL²ZI(Ž"Úž(16Sa ¥OÄ4X€ˆ_ISÙð²(ÖÊŒ†ú¹í¨º¥Üú›n¶ÙCÀÊ»š{¸¡ÙD; [ÿìH!?Tß@ ›a9È«…‚e‚¿3rBì$p6¥1-±Ö¢.ª…>½(XóA½Jâ>t]Ó°ÒWUñ¶0†‡Ôm¡à ²É|í_କŸÌdùÛ‹Ôˆ‹tC–Påºm#và‚ŸÍئèásËDÚGß8Ö‹æâ-ý#\qËÓoÉÍâf3©ó6‚'ÌÂeÊ HËX +¾÷m5b%ÌØ +iÛuK![ÓiB¤ç ‘^&DjQQ›cÏ-+ñs[¨qçdn "€7jæ‚ †²QõKÙˆ,~kâúØ^ }>ZÁIšaoƒã +ž×ÀIÆ7ЊW‚WÞÿ +R‡€›ÁÓ°iç_3ÖYIä<TA£›¢_5áúl¶²F¯%+çcñSo +‹ ~+ø§‰¶×àfÖ.µUm¯r[Ÿ)³ÃXp=ͯØ#›Á,ôÈ<‘ëß½^ÌåbcÓK õ¾%ÕƒßU‰ï«¢P–ëcIk¦È‰ý$ì7;¸È«ê,`-µè½ÑÔ–ù[÷0”4(53¾|Q°Âöþ5qÀ$—£J4ëÝæþ.j#ׇͪz$þíغ½,~»H>‹Íl®ÝÛ—˜šÚ§dØC69ýh‚¹æãÌAZ¶Æ ?B!ɶ•ð¢œ¦±ÚC 6²Á€ôW}Bü]t|-c˜´u¦*1ûì›ÕBÿÀ5:Ʋì³à êh`6)@IhÃh.æ9ÍâM’ÐVÚ'иˆH¡K€ÁYû†'¢S1…ÁØÿãlsÞ9€ÂÚèÙ7\@«º’¡›~ñ³Ø] µŒÔ’´nßï@³u ã÷›uÿ\â‹™ûƈ ¢.·CéGÏ7®§'ôöfK:_ðl_!W,/êCHÓPÆ9Œ£¿¢ñÅŽTÞ4ï2DÝ©‰üD¢}Ͻ–wçmŠ;Æ> endobj -1212 0 obj << -/D [1210 0 R /XYZ 85.0394 794.5015 null] ->> endobj -554 0 obj << -/D [1210 0 R /XYZ 85.0394 769.5949 null] +/Parent 1188 0 R >> endobj -1213 0 obj << -/D [1210 0 R /XYZ 85.0394 573.5449 null] +1217 0 obj << +/D [1215 0 R /XYZ 85.0394 794.5015 null] >> endobj 558 0 obj << -/D [1210 0 R /XYZ 85.0394 573.5449 null] +/D [1215 0 R /XYZ 85.0394 769.5949 null] >> endobj -1214 0 obj << -/D [1210 0 R /XYZ 85.0394 539.0037 null] +1218 0 obj << +/D [1215 0 R /XYZ 85.0394 576.5762 null] >> endobj 562 0 obj << -/D [1210 0 R /XYZ 85.0394 539.0037 null] +/D [1215 0 R /XYZ 85.0394 576.5762 null] >> endobj -1215 0 obj << -/D [1210 0 R /XYZ 85.0394 510.2426 null] +1219 0 obj << +/D [1215 0 R /XYZ 85.0394 544.2616 null] >> endobj -1209 0 obj << -/Font << /F42 597 0 R /F43 600 0 R >> +566 0 obj << +/D [1215 0 R /XYZ 85.0394 544.2616 null] +>> endobj +1220 0 obj << +/D [1215 0 R /XYZ 85.0394 517.7268 null] +>> endobj +1214 0 obj << +/Font << /F42 601 0 R /F43 604 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1218 0 obj << -/Length 3135 +1223 0 obj << +/Length 3012 /Filter /FlateDecode >> stream -xÚÍZëoã6ÿž¿ÂßÎÖZ¾$‘é]l^M»—æb½C[àd[‰…•%×’“øþú›áz$v²½Mq»‹À|g~3ä ‡âÿù Œ‚È3ˆ -BÆÃÁlyÀwÐwqÀݘ‘4êŽú09x‰ L$¢Áä¶CKLk>˜Ì28 -løáòÃÇË/nŽ¯¿û×áH„lø+ ÙñÕ)UÆ?]\œ'g®zsv|zyuCøá(Ž __Ÿ]^þ“ú‘*kZOÎƇ¿M¾?8›4lwEãL"Ï¿üòÌAÂïX Pa7F –*”A¨¤ô-ùÁøà ÁN¯º*Î!–çX)1à* -:»`…&:,q8â ĺH‹tä$ëéÕؒަ봘¥T½,nËõ2©³²@ái ˜0´K°ÁH² Š¹öÄîÈ_^ßGD#™Ï×iU¥UG%ðÏâN4eGÅ@R¨À(®,IGFÇ–Ì!×COJëaB ÔÏ…M³šz²yZÔÙ!‡Õ˜H×n<ÈBc³¢N׷ɬ!TÌ©£JëŠJå­£ÔÙláŠi»¾h«å|3Kç~ê«)ŠŠÂ5èp„zl†uI¿°N–guR§T¯fIžLsW»DVŠ´¦-¶©³â Ušx8Y´ Á€¤[©TóÕíÊ -E+(ïâ{Dš £Žf¤ŠÐlR ó?Ù,©ê*”<ˆe3îBÄ´ i†Ôâ„­ 8#k˜È=F´»Mñab"R±V%ßìàR‹@j)ÜâÇÅv“Æ©“2’–I\­Ï$¶XÓÁÅ=?¨, |=¦ªo Á -<ßÁ×a ¥ˆÝºßäõ^M b.ß‚C‚W± ŒyÜ·Á–o´"ΆߵF»õÁýÎÓj¶Î¦®†öl wy9õgˆ7ˆfÓ;k¢†j¶H—©[ãÜnDh]–ÝŲö´yçf¥®ëæü„ -BÆ*h6S)èð™xž’»;"z—Ônóü!N‰Ç‘kKš¾©Ö'GBqwüL×L#°$xE›VŽà‡3Yâ^|¨¡AiОŸª´r8ÕŽãa¤Y8º«ç¨‚›‰·|¡PÐ.Û3æMaǬݗaB­µ±0_ã?1ùxìü-Ä&\…‚“1n•8^uû„ab8î¶Ä´\úMÜ´ïE’˜T_5’!„wZÅ¢A’ó’& ¸db‚+ÑîÿëŽ4bן¿ -ã!t½™æٌʓC#†åªÌË»­ QüXK³·8çQ®I;ªß>ZDa ¸–ƒ® _ ˆ -'¾né(ÐfÊD̃Ð(¨0pj:ú<ÆY>WÒh‡^¢¨;ñÛ½ößaóë…<œ‘‘Þ¥Œ¡ÆzA(¤zK½ÓþŸý ì•-'½R¾Ž5ÉaÞìö^ôÿð®B@¯a -®( -Çý Ú³‹šý€«“À>DÎ*4f·gðz…}ÆäAnbù'èj¸oI BìÃ8øÛϹt²0ˆ"ñ±Ø=ëψ4¼LpÝê=@i¼8D˜"†5‰¿á*Æ1¶l·k û±½}2Æý峋¬‚Ð\› ípñe‚!„"RTÊHÌ9Ä/C¥ “!÷â†8V fît}LïS#w¢h¼ý??'öÁ×åìë…Oó€+¾Ÿ†p^º›¨ É Ìn`»I«t}o/ûtop…M½é^k6Uº¬o -K°"¥z¬‚tŠÆz1k†QÙUúX¿‘™u˜úzÍ,Œ7 W‹ (Š°ëG÷: v ½v¶¾^ìÖòè„Ù‘¡€òòjrvs~ÛñÉY ¢â²5À—"Ÿ½pµœ¼ZŸÇü¾››8€p¿„¨\òÏŒbÆ@®^Žb¤Á#Óe›'”÷|š3@'â.~l®b‘?Ä9oîbÏ#Ú´.CŸÜ³É˜µ¢Tè}6·G1´L·ôKy*ØB›UEÙÙ4Y>›´¦–Òý^Ž¯¹06qi3nŽ(†.éz·È·ôn€³rí2H«C྘;¾lV·åBb2[íÀcwˆne?1W¤õC¹þ´+1¨p‡8ªtF›ôL¹\æòsØÐKnaÃ:)î0 'ŒÜ§¥à†«<Èté¯)' á:®»ÊÁY¤4p¶-7Ô>KÏÕfJ9mË·ŸV­`‹¢˜.76ãÞ•«J–”Q DC„ª^bÉhGsäT§E5i–Þc& -Iz¼mkV òl¿P]RÕ‹Ø L‘ÇMê»sÖØEŸœ5O¯kpÚ°¸Ÿö"맪ÔVÙVÇ…çyž9o’Üå{…4„yý|zÖ?ÿ¼ÛH\–4»O]‹ÃÃelÑø> ÃaV/ÜÉy}½{–Bõ¯<Ó4/t›-.}z·ó”õuR/ü}³^$nÝe2[dEZ>F·W 6);‰^ÑW.ÖgÉ*™âûÉ–êv7íß dO {‹‚–Nj ™>f”4ÚsE¥úUu„Æ`v0âf妩ïY¯³t¾ë1¨ÜÔ}•ÐcÊM1O`^õÎé "1º y»1(sŸlû¹ë“<©ª¼Is[ã<-—‰§vCIí=éäòô•ôµ :Z`QÏ¡²ði*,76Õ¥©›²)²ß7n¼•ÚÀPj .âÃ]Š¶âŠÐ±€p$â(“Ð0ÀÚN+ª6·ËX€RVíÒ‚'bz=Á!+¢'ïØSöFÄö­q]5óÚ7¨N·µ5{ DÔ™· —ºùCûb'zï(¥ä˜“Qçççgøk›Ò(žð™'¯±÷X؆¢Þ.ÇCAgЕ—)½§ÀfÈî -«Ø5u“%CÁ®ïY2¶¥lÐX”›|N­NDìw“får•ƒ§M—`jé< g¯ãÞ!ԓʽ$za¤ÔÇuV×H+¸CP)èÛ¦y9ûTQ¹JW V]عö Ä 5ÌÀ%öŽQ¸€}yšÌívÂÿ!'X:‚öѦ¡v-jY¢Ûõ£å[ê¼y+}¢°ô1HÒ£æ¾÷žÞ=<Á‹ò£ùT ø5G cPºEÞnnSÍÄTŠÝÏòÝÝïŽTóôùÌpðÜéÌé“Ê k, †äÙ§4ßR‡ÝE•ZÔtáòÐ a€èH[óÆMDbúÊÑ ³jV?RCtä&/’{×›³|C±"´'»\ãáomн­bi…»ÝÒ1 °âÒÚ_è7ÎË 9o-ƒšñDý÷ÑÑ_(nÄ4:lÉnÊHøMAÒÓv‚ÖUYUÎ!AÁA= hëØ‘Iê]"ͼƒEÝÔÞs.yÑôNÛ¤ÅÜû£|ëK³´ïü¬ÞÙÐ|(Ò~‹¼(5ûOvÜg"@¶¬¼['«Å¶õ< [ãÍBáY¹¡=ÕùtäÙç(p¥ÑÊ4ùÏQnRð8þÉ·ÉÔœ”KmIí,Sö¾áÀš»„Ô%Ø µT°ÙwxgÎNé ‰MKãôjüŽÈ¶GËTµ°§~Ïáx€£«¦ÑîC€§Ï’a Vˆs(´a­‘m©R L¨l5ø…]·À'öœªEYÛ¯ Bév‰W'ÔX?ã¦ãfªÒüÞ“k¥ƒÊÜfq +T§Ûý²°ÌP;+î ¢Lië`4kóIõ‰ºÏ)œ¹¹(ãåÙäÜÉÈŒ;Ó™Wg/Ò‡†qÝ­]¸[ãªK|A¡•%‡îrYvWJp¬7À@g -~ÏI‹ƒ|ò¬p÷YB…ó >,s5Ä -nëÕÑû÷(wUYÎ7ï³bdUó?®°ö—…Î5“É ÷oj;6…ÿƒÆõc½ëÅ(YûTÕ˳0Z¢0pá£|õ~øÒÝ4Š›0êÌ°)‰°+À3º¸zEþo9$Þgå®oðØàÕl×ç~ñ×¾úÁÕQê}™Â& ã˜BIbýŒsÿiàsÖÿ ì÷zendstream +xÚÍZmoã6þž_áo'kU|‘H¦wÒÝd›b›æ’z@[àd‰‰…Ê’+ÉÉú~ý 9¤,9òfïšâvƒ…ù:>3gDfü‘Yœ„‰¢j&ãˆÄ³l}Í ïý qc~Ðb8êÛ»“¯.:S¡Jh2»»Ð’a$%™Ýå?g! ç@! +ÞŸ_ßœ}˜/hï®n±ps~q~s~õö«—W?Þüp6<¸»üñj¾BÅÁÙõõùÕ»Ëâ˜3C0Š|ëÛóÛù¯wߟœßõwE"fØýýäç_£Y›ûþ$ +™’ñì *QH”¢³õ YsÆ|Kyr{ò÷žà ×ND‰D!e€Ès˜8›‚)VaÂ(³0}{yõn¾`Œºi‹ºÂ +7?,(Z¬Ö÷s"ƒ_¢ˆfEZ–;lÍõ¦1í:K;c[Z¹‚'ÌÆ„¥Ÿú¨Ëz³ÖU‡ ~¥¬®Ú"×H7Gë´¨:]¥U¦qØö‚PÅ1µ{¨+Ã%<(*ü½Oë‹À:ü2Çiéù12¥JW5ÖÓFöDßëFƒŠ:{Rk»¿=q¿ KœEa"HO<$Žüåõc‚4@Ø£v ÿÅÑüƒ_âh7¤ÍzBVfÐÑj‹8”,â†Òh¨žVE¶rE½_ßDÉäÛLç~ì;¢ˆºP ˆø ëeÑÁÀz›¥eŠê +µKÃJ¥;¬95èŠê?S"¸[í‚é°Ò­°æ«»ÝíFÍð!¾§(™8H†q‚dcØ…aþU‘¥m7!BFBÁúqæXÈ$°ç–AÉ XܦA*œ&’1F)ì“ …mö"ùz‚KIC&u‹ŸU»cL2ÇL²„Y&Íjc&M‹U³¸çLjÁ |#¦Ú¯¡Án8Ÿ`È8dƈáº?lËî(Œ*ä‚°×àá; "<¾è`ìù-⠾땈EtÜü°²mÖKW³VÒt?”õÒØÓèÂVÚ„#[0åkíÖ¸°¼Â°u=\¬Ø[³]¸\ZíV¼¹x‹cX,Å›©Ãô ¥ü½cÇØ™žëó Ù1 v¡ÐLšº^îVΦ8ñ!íÜI„Ö‡c뤇ëà†œ©vmißW–õžµ)÷+¦*ŒxŽÿ‚ªxìýo³<€r€ó" åŠ~ƘÔÞŽæHÆlÚ¹KX%fçöVQV t†p0ðÌ,JŒ[Á¹ŒÝ"æ’®%…ŽÈÂ=Ð>GÜjÊ€ø€ƒ?¸)hgCƒõŠ0EqH@ñ? S“$¨²×æ¸Ã¥s÷áÌ]Þà!Kx$Üšã$’àjØGœ§Ûa‹H åÒ[„¾ý(’&_IòŠHrÅB"ö B@*»:ã* EB‹ä_'Œ±`ël1X aþ#@×ÛeYdX¾›+xflê²~Ø9wǵ4G‹’„°Wé¨~sˆ3MâÉfƒ-ü!P`§¡Œà>Š¾hÝç’À¾•œ$Œç3.9ì&áŸ'³ÅmÑéçBZLÈ%I†¿9ªþC>¿\0Þ?O¦Ádʱ3.@5bB? ¦œ<‡cìá½phJÊØË`öñJ`ïƒÿÛ•RèU‡÷ÜGby¡àÃUÇ@ æI‘|::Â)yr¼AêèJ¸fåNägEzÀè' ý/±˜žõgx~Oð$Ràâ'G€’æ1£ÀŠ€MT‚ÑþU +‰¿ârp;/îÛ5bhûãþ)EÄ¿d‡Èrðó%Ð9.ÄߘNÀŸ ÁÙ±ˆ›‡Š)FÄ&G^†‚÷˜9óºø`3ÎýxÑQ:´GápöåÂ'bxª%ìøÀÖF Å#i]2e‚¶ÝêæÑǾúðØý¶Ûöy¨o[}¬¯ +yM°Ày)¡/€•ˆ€U´`¼VÇIÚ•þؽ’¢ Øúr-ßç%‹ÆbpjcŠ¾ìؽ— í¡3þÐ+A·çêËEŽ©0!‘|:Ž¶.ôxuw~saR)g}zåy‹²½þ}Êõ9 +×€•WÂëó=™?ãöÄÀ×vÀ…dL~¦CáÉÅœÛsÜ¡‚ƒs$X•™©c¨â<Èþ5–0¸‰!ýsì¹O 6&b±Úð ÌÂlPýXäÖ'.’¿˜€3´Ý´ìÕéúÙ¤[j÷{y{='TÙ8¨ à9¢Æyp1܇U¹³N„íÈêÆÅ6sà¾Ê_6H¼ç‚™Ø8ŸÀc!ãß²qœ¯ÒÍ/LĹ9#„VgxúAÎŽ"\Ñ4ŒÂ[¦¡I«msOì˜t8‡G.÷ ã+ÌL}I8`Å8“Cá˜YOƒ7p¶«·Øž¥Žçv»Ä¹åÛOk7pF"¬·6€?ÜW›®1@o6!(:?B[2Ò7!w¬ã¢%aK_™X”!éñ¶­Ee„gû)’j?‰5wÑGÒÆÆ.z`ll`n"1ÆOú-ËCQJ+l+ãÊóìK.|Láxƒ£7F¦@o¤.NZyi•ó]m’Ü.“ˆ¹©ýKéíå»#„ð¸¢dt£Fña0¬·6Ø¥¥›²­Šß·n¼Ý-´9€¡´WÐØ£ùs­£jÕ¯÷HÞ‘›¼J]oQeå}EhO§lŒñ·:èRµÆ´›»ß¡™Ll^umõ/ö‡y½Å $¡¨Øl,ê¿NOÿ‚~£ýÊ .ló S‹c;OÀì´>€.„{,Ð6Ð-$“vS‡:ó¬‘MçoîÊ…/úÞå>l‘ûû¨Üù’wüáglÑì(3þ!›ú”,š½ø~üÜ×qt2)D-úWcÊ$ä3ÎýnÏYÿôͯ‚endstream endobj -1217 0 obj << +1222 0 obj << /Type /Page -/Contents 1218 0 R -/Resources 1216 0 R +/Contents 1223 0 R +/Resources 1221 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1183 0 R -/Annots [ 1226 0 R 1227 0 R ] ->> endobj -1226 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [401.6435 61.5153 511.2325 73.5749] -/Subtype/Link/A<> ->> endobj -1227 0 obj << -/Type /Annot -/Border[0 0 0]/H/I/C[0 1 1] -/Rect [55.6967 30.8502 511.2325 44.7979] -/Subtype/Link/A<> ->> endobj -1219 0 obj << -/D [1217 0 R /XYZ 56.6929 794.5015 null] ->> endobj -566 0 obj << -/D [1217 0 R /XYZ 56.6929 769.5949 null] +/Parent 1188 0 R >> endobj -1220 0 obj << -/D [1217 0 R /XYZ 56.6929 748.2826 null] +1224 0 obj << +/D [1222 0 R /XYZ 56.6929 794.5015 null] >> endobj 570 0 obj << -/D [1217 0 R /XYZ 56.6929 748.2826 null] ->> endobj -809 0 obj << -/D [1217 0 R /XYZ 56.6929 720.3635 null] ->> endobj -1221 0 obj << -/D [1217 0 R /XYZ 56.6929 647.0664 null] +/D [1222 0 R /XYZ 56.6929 689.3212 null] >> endobj -1222 0 obj << -/D [1217 0 R /XYZ 56.6929 635.1112 null] +1225 0 obj << +/D [1222 0 R /XYZ 56.6929 654.5655 null] >> endobj -1223 0 obj << -/D [1217 0 R /XYZ 56.6929 529.3677 null] +574 0 obj << +/D [1222 0 R /XYZ 56.6929 654.5655 null] >> endobj -1224 0 obj << -/D [1217 0 R /XYZ 56.6929 517.4125 null] +814 0 obj << +/D [1222 0 R /XYZ 56.6929 626.6465 null] >> endobj -574 0 obj << -/D [1217 0 R /XYZ 56.6929 180.3481 null] +1226 0 obj << +/D [1222 0 R /XYZ 56.6929 541.3941 null] >> endobj -1225 0 obj << -/D [1217 0 R /XYZ 56.6929 143.7717 null] +1227 0 obj << +/D [1222 0 R /XYZ 56.6929 529.439 null] >> endobj -578 0 obj << -/D [1217 0 R /XYZ 56.6929 143.7717 null] +1228 0 obj << +/D [1222 0 R /XYZ 56.6929 423.6955 null] >> endobj -644 0 obj << -/D [1217 0 R /XYZ 56.6929 116.6563 null] +1229 0 obj << +/D [1222 0 R /XYZ 56.6929 411.7403 null] >> endobj -1216 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F11 1157 0 R /F77 703 0 R /F57 624 0 R >> +1221 0 obj << +/Font << /F62 638 0 R /F43 604 0 R /F42 601 0 R /F56 622 0 R /F11 1166 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1230 0 obj << -/Length 2591 +1232 0 obj << +/Length 2647 /Filter /FlateDecode >> stream -xÚ­Z[s£8~ϯð£]µV„lmm•c;wwÜ;½³³=ó@Û$¦Úà\æ×ï’@`{j·ò!tÄùÎå“dü¶W/qØšï—Q@†Ñ7õ^!WÛ° ò}‡«åþ£ s|än9ü} [ 'ÑoœcÔp’ó™ÅvEqü»XÄ`ìŠ<Æ 21Fc¤¸¾~}}EqT<¡4{¾Îž6ç¾!êaÊÜåÈãwû’–›b¾t6[Ÿ/qÄ]_[)2À.¢.äcðJˆ/¾<ÔõJÙUôeQ²‰òú%ýÉO0ߘr„}ˆ6!¼.ÂdfÛ¼/%xbjì{¶3¥Ên|ÊÙ\BóWpHÈ5îïggEÁvÕ•Ô¹næ™gà’ ÞP>KaœÈ¼¸ `*™> á²5MÁ€ÇBõƒdã6ÜÄû¸ˆ+Û6¢Ÿ;ˆyÜW˜ýM¾ò0Â$¢É²ï>Ý|Q‘Ź’Z¦/‘ eñ^ÂQ/"àÉœùô"†”-e Â,ˆØTˆ´u÷ b*¿ˆÈâpÜG‡()Â"N“.ëc´‰s²‘£]‰àgUjj‚#þ9 Ç»@L) DZJCp[ÌØ4µU÷ d꾇ò ˜Dz*âä¹…AY'DÄrýžÑ¡+XP 7šxL•õ ,¿}ŽTÿ‡09…Ù{ezuå¶1!. -|·™â²ô˜æ‘ö”K AžÀܽðL©~ì*©*¼‚À^VÕ5xgº»Ák(_$YõËR8þ'Md# “üI;¸Fp¶\wÁçb„=ßmÂw¯àû¼+BÕ59=ŸòBx½1ÃD/ØݲØ]Kv÷,v·©6ìÞÖÝcwSùD&ÚìÂ$Îòñ)UF~(AIÇBç˜ÂLceŸàuM´¦0×sg "„« Ö$ÇØ0~‹£¿Œä‡µãcHYðÑR‚© ›jŸ¶î|Lå³÷$<Äà´~9nÃBTêù¥ÿ‹NI¡¡Óšh‹ -%Åú0=Ž±WcA^c!f1±ƒkÕÿ¸Kyš¨Þ_ËØTC«èû®€实±Ì¿bè’L·RÜ`º7é)ÙjÌ™Nåys9ìËî‡Üªº†üLw7ä åÓ}˜A¦ˆF‘¶«ä½ä˜yàQ°çh„Ý -U ùÿæ”ïdk¾ÿS¶ÓþýG0æ0¤,Hh© - êø$lª $Úº{0•/£g0é‹ÎjáfW± -ô*~>EYí†í9&é.E“d+ ß«æq÷rÿ»ÙUv÷ûíDÂeÀRìv7¤,v×R•Ý}×B¬ª »·u÷ØÝT¾ŽyŸ²áÇè]6jnT¢”Š¤ˆ«¢’²‚AC qÚñ¸^TçKg•‰"ÇgØ@ ^ªK<@:t‡ñUu¢Áð³º;m¿r™ õ‡352ób,_¥¢‘øöáw]ëhùÕ: VÄõF¹Š<ßØïÁ ©§ôŸÄqœnÖ Û>ŸºøÇX§zŒ÷*I¶šqÍ¢—hŸCëóGêäòK$É”ê÷ÇJª"I¾o)ÂVÕµ?žéîödžò*ÈçoE”äçI9?i¦XÊâAþ‰²¼"I^WbœðÖ–o­ÐVE¶å zòÓ)†²®Iì,Ú4¶~ëÍÔ¥( —h’)eAHKUöb„lª „Úº{2•kîãGq—`Í}Ê^È)§,.Þåˆd.¾ƒ¸Ï fäz´ èòUhˆYHQ9âê°•zJ¤Dcªä?†§§C˜¨YôFQ2!­¨‘¬…–bŠ\ £à3¤,ði)ƒår |6Õ|mÝ=ð™ÊKpÔ¡o{‡.á4öêRBóâ2G•¼¸“ãbä’€5#l¦bH!Ù}»8èù~"˜xðÔú¹ØéP\D^•äw9ý·ôT´(Dë©Ç@Q_8^3¥ú= ’ªR,³¯YU×p¦»ÛÊaʈkD©xR»Ïo{ºè(ƒËQLôLÓLz"¢ï—Äa\ì̧m´W³Ï¢ã>}×ï—(”KHŸŠWu:|Šz qêC, Ã¹ÚÜT£¾ _ä‚uÕþ¼)R3_ÓÞ€'8s¹—à6¤,pk)nKEµª6ànëîÛT>MIÕ°fh'¨08—¨¦Y.ed!„õéù9‚|°•ý·ñ[÷&°I¾©[Þ]ŠI>ž¡Þ« -²öÉÙR˜y¯:§ªsÊ<.¹œž·sã$c&ÆÏm2§Ëû=0¬jŸü×\û‚ õ—0¥ú]¢’ªO¢|ÒïVÕµKœéîv‰†ò5ìŸôÁßòT³™ äƒÝ!zßy¡ÉsÏw¶Õ6¶e}s«k;`:Ëô˜{ˆr¯ut»Šòô”mT}ZE›4ÛêËÀ¾£Þc\ØŠKÛ ÖB•P… ö©A‹^À–âü ÍËè¾SÎÐX­TG$'’¸è£[Ž‹<1MaIŸnÅvÉ9æ/òšzfE)€‡ŸÔÐDý¿%+Ks%°R_ö{ˆÛDÍ+]ºëX/›·)’›éU5¼¤NoŠ›fâÛá­eúÑU2¸Ü±dl‹ÒÛ–Önh µ?Y®'ÚÓ…ß—§ ßï„—À.'à­‹½§½dίjt˜NÓ=ìwÞ éöŸsD¸‡/ü¦ê7¿ª÷ Üb›Þ€¶ânLÍ┞ðá}–;Oâ©ó 蛿%WÉsiGü”VG! ±H@øPuxò愨“cѨè6 *º ½½'ÇÔÁˆCã¨Ë2)& _ä•$ôÕ1F§É’*éiT„ÉO}%µ«æB×Ôxó=NòŠGµîÝ,×”!ñ{Ÿdœ*ÑÿÏ?+2Ûú=×oÔñ º®%¾›g?FÑ¿?:_úƒ¦endstream +xÚ­ZÛrÛ8}÷WèQªŠ`\^¶¶¶Ê¶d“ã±”ÍÌ-Á+©I_æë·AH‘Фv+Æ¥‰út7NC!# ÿÈ(ä³È‘‡8&|´ÚžáÑ3ÌÝœ-35BS[êryv~íÓQ„"Ÿú£å“µVˆp’Ñrým|q?¿›Ýþ{2¥/ÐdÊ16£WóÅdø‘œ`rÊÇãËÛËÞ~¹y¸¸ÿéWõÑo˜ã‹»™ê,¾ÞÜÌ˹î>Ì/f·w7 B&¿/?žÍ—Ͷí£Ìäžÿ8ûö;­á„Ï0bQÈG¯ÐÁˆDmÏ<Î÷3#éÙâìçfAk¶þ´ÏTœ…ˆ‡4豕GGÄCÌ›ÙÆâ¢a@•±›L ]&i’?ïãÝæý`…8[k+TÏÏ¢(…î>ˆxdÏÆ +JAçµ.<š2Š(1:ÑZÄ,£yÊ÷ªq•o·"+‹ƒÞ‡ë«ÂZœY ÃÚÔG^ùõê‹X%¿aLWq™äÙdÊ‚h¼ÎW•^QvkE,Äãr#ÔÈmVŠ}&JÕÛí'$çe¾ÊS5RTI)>L¦¡ã$[¥•<­šjÖ˜Ý->¨eãú{=¼«ÀÅFZJvc½‡]¼/•tþ$O%Ï¡,¦¬¤–¥ü`"ÙQ;‡ÆÁD²×2Q=Rˆ}"ô,(¨ÿ–bµÉ’Uœªn–—¢>Ïøxi´%@¬ö¿ÖŸÃN¶…H_Ìr‡ÓAg-¤­³útÐ}|oŸ…ZgÁ-3Což='™€Ö¦$x¼œD ô]M_çµ¢•þVžñv¾¼Ög„‘ÚeC­ ¸Ö‡Ei÷nÊÕÎ^QG2RËI“ögK¿"p\¡þæ2.ãDÙAd)tTû%‰Uãzy/Þ8.ÕÀS¹ûÛùùëë«<7JŠ‰uuždÓšsP¯ü=,g˜!0y›’{y{{ë + ˆÑPË ò­TB„´…¨l*¡¿wÓ—Ç0ŠBH¾ï¡€Qªòšþ>2­O‡ÜÓ|1µ?©s·p¼²Ü@cƵí§Ìã(òü°XIfråÅçݽ!Æx8ò9Eد/U6BSKªÞmÛLݵ¤úô£ûÆžÒŸ^7BKŽ …ŒzN)AØÃfÅD $ íîtœUÛG±Wí:ÈíIðžÆ•©råºu_ÙI‹\¶È8~‰“4~Lõ„vZk½_¤“ŠGý]Ÿ?ш£0ÄÁCq"?ò: 8ü©ùà –;­+µoJp'å@eÈçÜk;v5Q>¡|ÿ|¾Z{ðŸ0>ò=€–’°ßŒÔÔëñ££Õ†)@3¢Ã…z¸¼§\'”A‡ßgµìƒx{‘­D1t ×[PX¨T¿.†x gDn)tS2[JÑ ÖCÉ)©ùx#"ï÷#ƒs°L<Á©º‘:ÖÍ}Ûàü1ƒ·”Ïò-$jE-îâ­0,ƒÒÀ°0àΰ†ñ\Ç«$Mʤ±m;ßbÄýÀ$Üê“û ¡ÑýKýQcŸóÕ÷x'Ê}Rh©»üE¨8–=ð’ "B($N@Ä’r b¤,D¸—j ‘®îDlå'¹ÝîR!鎦t-\º„¯/‹RÄx“—Úà¨Îÿ"X7ÆŒ¸!²¥†!j¤ DQàˆ§æBGªûjéþ wƒ&úyUÖ ª…A}IȆ åâêƒm_°p¨‡¼(jãq¥­ÄxŸ¬Ÿ…ÿgU¼oLÜ6¥ÔòÚ)î~ŸïòÂ)'žGCéJÍ%åÀÎH5áEŽðrª¶ÀëêÏV~›­Ô•_GÆñ?y¦![N\ÿû8+žŒƒ¡¢éƒÏ#ˆø¡×†ï³†ï˦ŒõÐEõ\™ÚNïÇ †Õ>QûÛR»)Ëî¾Ãî.Õ–Ý»ºìn+¿Ð†ª+Î’bÛ)rïUù±Ý•&Ç”­ºUŽIR×Fë +Öz(¥È‡2Þ•ä8'o‰øQ|X|uâcK ãÓH|(a|œªøéîǧ¥|öžÅÛd„ÖÆ_w븬+\?¬ý_*î “Öd[ÞPJl8ÁÓ ñX°(8`!W±±“ =¾ÜäÛ"Ïôè¯ulê©ñ}åí$ðÌŠª†©H1ÝFqë)á2¯²µÁ|·7© ¾Æ˜&üä–”r#u€<$È]ª-È»º ·•_¥ñÞ +2M4ʼ{‹AÞû‹ÜVF8 ¬v¨i¨¿—U±Q­yú§¹Øªôý¯ éËòÓ„%å@ÂH5H0:p©¶èê@ÂV~'žÁ¤/&«Å«MÃ*LÒkPø¹RY=Ö‡ÒœPŸö_EÙZ]|¯†Ç}VÅïjÓØ=¶;äSÌù ®mK9ìn¤»‡žƒ 8U[vïê°»­|!4yŸññ'ñ®¯ôÄ|¸" (²2i.%¦ß eCÄÔóãrq{3ðBK¡þÆ!'JðÑáj‚¤CoœLÈXßN,ÑS7Õz ù«PY‘²p<Ó3ó¸(§*ñ5*Z%~7wSOš:ÄõR»ŠzÜHSpÂR驽EÇ'Å÷³N(ûBðkÃ:‰“uên’êü5[Æ5/"Íw’¡ ù#õ O¤KhØPÃÂÐq»ô|±«¸ßmÍMxÏßJ‘Ç鸨v»|¯ùÉí½úû"öECü¾”àSРSì-4Îúzíx)=~’¯ü[C_gbÕ*ú">˜+(…[€†ô8–”#Õä +ì;r…Sµ…OW÷@¶rÃz<Š5ëñ(1¬§…lRí“ò]ÍX@öàb„ʼn<ŸÕ¡\ +¡ Ñ +  þ•Å÷LÀ*=5R²q¥å?ÅÕÓ6Îô*¦DTÈ(j¥çKZªÙm©aø)‹ßÃð9Uà;ÒÝ_Ky Ž~ëíÖæ +N«JW†×Ù©fÄ½ì– F¼a3CÉþ¼ÛÇ>+yˆ`ê3¿T¿”Š·[™âL§õ´]/ÿ˜We‡> endobj -1231 0 obj << +1235 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[0 1 1] -/Rect [84.0431 793.5053 539.579 807.4529] +/Rect [429.9899 660.9265 539.579 672.9861] /Subtype/Link/A<> >> endobj -1233 0 obj << +1236 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[0 1 1] -/Rect [84.0431 756.4942 140.332 767.8862] +/Rect [84.0431 649.6389 140.332 661.031] /Subtype/Link/A<> >> endobj -1234 0 obj << +1237 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[0 1 1] -/Rect [507.6985 756.4942 539.579 767.8862] +/Rect [507.6985 649.6389 539.579 661.031] /Subtype/Link/A<> >> endobj -1235 0 obj << +1238 0 obj << /Type /Annot /Border[0 0 0]/H/I/C[0 1 1] -/Rect [84.0431 745.1168 199.6097 755.2785] +/Rect [84.0431 638.2615 199.6097 648.4233] /Subtype/Link/A<> >> endobj -1232 0 obj << -/D [1229 0 R /XYZ 85.0394 794.5015 null] +1233 0 obj << +/D [1231 0 R /XYZ 85.0394 794.5015 null] >> endobj -1236 0 obj << -/D [1229 0 R /XYZ 85.0394 694.0474 null] +578 0 obj << +/D [1231 0 R /XYZ 85.0394 769.5949 null] >> endobj -1237 0 obj << -/D [1229 0 R /XYZ 85.0394 694.0474 null] +1234 0 obj << +/D [1231 0 R /XYZ 85.0394 744.2337 null] >> endobj -1238 0 obj << -/D [1229 0 R /XYZ 85.0394 660.6469 null] +582 0 obj << +/D [1231 0 R /XYZ 85.0394 744.2337 null] +>> endobj +648 0 obj << +/D [1231 0 R /XYZ 85.0394 716.4931 null] >> endobj 1239 0 obj << -/D [1229 0 R /XYZ 85.0394 660.6469 null] +/D [1231 0 R /XYZ 85.0394 585.5597 null] >> endobj 1240 0 obj << -/D [1229 0 R /XYZ 85.0394 660.6469 null] +/D [1231 0 R /XYZ 85.0394 585.5597 null] >> endobj 1241 0 obj << -/D [1229 0 R /XYZ 85.0394 654.2654 null] +/D [1231 0 R /XYZ 85.0394 550.7275 null] >> endobj 1242 0 obj << -/D [1229 0 R /XYZ 85.0394 639.5008 null] +/D [1231 0 R /XYZ 85.0394 550.7275 null] >> endobj 1243 0 obj << -/D [1229 0 R /XYZ 85.0394 635.7135 null] +/D [1231 0 R /XYZ 85.0394 550.7275 null] >> endobj 1244 0 obj << -/D [1229 0 R /XYZ 85.0394 620.9489 null] +/D [1231 0 R /XYZ 85.0394 543.9179 null] >> endobj 1245 0 obj << -/D [1229 0 R /XYZ 85.0394 617.1617 null] +/D [1231 0 R /XYZ 85.0394 529.1534 null] >> endobj 1246 0 obj << -/D [1229 0 R /XYZ 85.0394 557.6417 null] ->> endobj -746 0 obj << -/D [1229 0 R /XYZ 85.0394 557.6417 null] +/D [1231 0 R /XYZ 85.0394 524.9381 null] >> endobj 1247 0 obj << -/D [1229 0 R /XYZ 85.0394 557.6417 null] +/D [1231 0 R /XYZ 85.0394 510.1735 null] >> endobj 1248 0 obj << -/D [1229 0 R /XYZ 85.0394 554.1294 null] +/D [1231 0 R /XYZ 85.0394 505.9582 null] >> endobj 1249 0 obj << -/D [1229 0 R /XYZ 85.0394 539.3648 null] +/D [1231 0 R /XYZ 85.0394 444.8058 null] +>> endobj +751 0 obj << +/D [1231 0 R /XYZ 85.0394 444.8058 null] >> endobj 1250 0 obj << -/D [1229 0 R /XYZ 85.0394 535.5776 null] +/D [1231 0 R /XYZ 85.0394 444.8058 null] >> endobj 1251 0 obj << -/D [1229 0 R /XYZ 85.0394 520.813 null] +/D [1231 0 R /XYZ 85.0394 440.8655 null] >> endobj 1252 0 obj << -/D [1229 0 R /XYZ 85.0394 517.0257 null] +/D [1231 0 R /XYZ 85.0394 426.1009 null] >> endobj 1253 0 obj << -/D [1229 0 R /XYZ 85.0394 490.306 null] +/D [1231 0 R /XYZ 85.0394 421.8857 null] >> endobj 1254 0 obj << -/D [1229 0 R /XYZ 85.0394 486.5187 null] +/D [1231 0 R /XYZ 85.0394 407.1211 null] >> endobj 1255 0 obj << -/D [1229 0 R /XYZ 85.0394 471.7541 null] +/D [1231 0 R /XYZ 85.0394 402.9058 null] >> endobj 1256 0 obj << -/D [1229 0 R /XYZ 85.0394 467.9669 null] +/D [1231 0 R /XYZ 85.0394 376.1861 null] >> endobj 1257 0 obj << -/D [1229 0 R /XYZ 85.0394 453.2621 null] +/D [1231 0 R /XYZ 85.0394 371.9708 null] >> endobj 1258 0 obj << -/D [1229 0 R /XYZ 85.0394 449.415 null] +/D [1231 0 R /XYZ 85.0394 357.2062 null] >> endobj 1259 0 obj << -/D [1229 0 R /XYZ 85.0394 377.9399 null] +/D [1231 0 R /XYZ 85.0394 352.9909 null] >> endobj 1260 0 obj << -/D [1229 0 R /XYZ 85.0394 377.9399 null] +/D [1231 0 R /XYZ 85.0394 338.2862 null] >> endobj 1261 0 obj << -/D [1229 0 R /XYZ 85.0394 377.9399 null] +/D [1231 0 R /XYZ 85.0394 334.0111 null] >> endobj 1262 0 obj << -/D [1229 0 R /XYZ 85.0394 374.4276 null] +/D [1231 0 R /XYZ 85.0394 260.9035 null] >> endobj 1263 0 obj << -/D [1229 0 R /XYZ 85.0394 359.7228 null] +/D [1231 0 R /XYZ 85.0394 260.9035 null] >> endobj 1264 0 obj << -/D [1229 0 R /XYZ 85.0394 355.8757 null] +/D [1231 0 R /XYZ 85.0394 260.9035 null] >> endobj 1265 0 obj << -/D [1229 0 R /XYZ 85.0394 331.806 null] +/D [1231 0 R /XYZ 85.0394 256.9632 null] >> endobj 1266 0 obj << -/D [1229 0 R /XYZ 85.0394 325.3687 null] +/D [1231 0 R /XYZ 85.0394 242.2585 null] >> endobj 1267 0 obj << -/D [1229 0 R /XYZ 85.0394 265.8487 null] +/D [1231 0 R /XYZ 85.0394 237.9833 null] >> endobj 1268 0 obj << -/D [1229 0 R /XYZ 85.0394 265.8487 null] +/D [1231 0 R /XYZ 85.0394 213.9136 null] >> endobj 1269 0 obj << -/D [1229 0 R /XYZ 85.0394 265.8487 null] +/D [1231 0 R /XYZ 85.0394 207.0483 null] >> endobj 1270 0 obj << -/D [1229 0 R /XYZ 85.0394 262.3364 null] +/D [1231 0 R /XYZ 85.0394 145.8959 null] >> endobj 1271 0 obj << -/D [1229 0 R /XYZ 85.0394 236.8919 null] +/D [1231 0 R /XYZ 85.0394 145.8959 null] >> endobj 1272 0 obj << -/D [1229 0 R /XYZ 85.0394 231.8294 null] +/D [1231 0 R /XYZ 85.0394 145.8959 null] >> endobj 1273 0 obj << -/D [1229 0 R /XYZ 85.0394 205.1097 null] +/D [1231 0 R /XYZ 85.0394 141.9556 null] >> endobj 1274 0 obj << -/D [1229 0 R /XYZ 85.0394 201.3224 null] +/D [1231 0 R /XYZ 85.0394 116.5111 null] >> endobj 1275 0 obj << -/D [1229 0 R /XYZ 85.0394 141.7069 null] +/D [1231 0 R /XYZ 85.0394 111.0206 null] >> endobj 1276 0 obj << -/D [1229 0 R /XYZ 85.0394 141.7069 null] +/D [1231 0 R /XYZ 85.0394 84.3008 null] >> endobj 1277 0 obj << -/D [1229 0 R /XYZ 85.0394 141.7069 null] ->> endobj -1278 0 obj << -/D [1229 0 R /XYZ 85.0394 138.2901 null] ->> endobj -1279 0 obj << -/D [1229 0 R /XYZ 85.0394 114.2204 null] ->> endobj -1280 0 obj << -/D [1229 0 R /XYZ 85.0394 107.7831 null] ->> endobj -1281 0 obj << -/D [1229 0 R /XYZ 85.0394 93.0186 null] ->> endobj -1282 0 obj << -/D [1229 0 R /XYZ 85.0394 89.2313 null] +/D [1231 0 R /XYZ 85.0394 80.0855 null] >> endobj -1228 0 obj << -/Font << /F62 634 0 R /F57 624 0 R /F11 1157 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F56 618 0 R >> +1230 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F77 707 0 R /F11 1166 0 R /F57 628 0 R /F56 622 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1286 0 obj << -/Length 2680 +1281 0 obj << +/Length 2583 /Filter /FlateDecode >> stream -xÚ¥Z[“Ú:~Ÿ_Á#T¯%ßÉÀÉÉ\–™œs¶’<£WŒMl3Éì¯ß–uA6²È©-Ð¥¥OîOÝjµF.üÐ(0ÁÉ(J|'pQ0J÷Wîh }Ë+$d¦RhªK½¾ú×MˆG‰“„8=¿hsÅŽÇhô¼ù2ž9ž3ÜñûÛ÷Ÿn–«Ùã‡ÿL¦8pÇ_ÝÀÝÏyåéór¹xz^ˆêj1›ßÞ/AM¦Q˜¸ãÙããâ~~û7Y]Õz½xš|{þxµxVËÖ ¹[ó«/ßÜÑžðã•ëxIŒ~BÅuP’àÑþÊ<'ð=O¶äWOWÿVj½íP“ª”ÌÔóð/(4HœÐÞR¨ï™*¥˜B¿¬n®±àoýçEtôIÏ •Ô9vjØGN€£.öl2õP0žß?±‚?^­xÃKYñÂÓ¦ÙË[Vly½ÙQ.ù©LI“•o._„8­^³”Ö{–ÞÃc7q‡1,›A¿ƒjig#—Ç|]‘bSÓ‚@™÷_9³÷.³ßQ7Ë›³øO^±þb¶TeÛ]ó/Y^QjtO(íRO7­hN*o®+üK£ÄN¸.5L¸’R^û0áVèágØFÂ;Ø2ïåú"ïå*tdÜ -Y« Yëó!4.EGSÊ’õͪuÖT­«ã½•B˜5"afô¨pº¹ºCõ`N¶Ø,«²¦Åš÷¢ýŽ¼‰ü¥ÕO_Ÿtì]Šöu) RJÑ!ËÌ -­ÑØÇ6Ó¨c Bʼo §„®Û­9Ï÷mPbß8gŽtÉ{"Óˆ÷å+Ýë–7ÎM`ñI|AÏš”EÏRê¤çÄf.6hMÏ}l³žul¥Ny5íjûSI62ÈI‘¨Ûó!vèç“ž™““ñC•ÕiiÊ-ÀÕkPá®ë øRVO—²(\J$ß7X¡5…÷±Í -×±Åé\r©Ù:;ÛåÆËî,ÏåSäàA9èr𠢂Éq»#ÅÐÆήâ±·E6¾.5̃’:Ýcý`˜+ô‰‡3l#lu&„¾Ì´±"㸤x; ðÒŠ%Éè+pgJ#`ÇãHóø‰×¦ØÈ?rZÀÙÔ¶be¬ç/FN™¿ˆj KÑÿ°…ûöú­õˆb¸:.fÿ¼~‚ä@Àx!ÎÓ¥,tJ©¶—˜VhÎ>¶™N{¦î=¯ì=‡Œ¼n¤A‰° gzzŠµ6[žñd‡3Æý®­1¶.ä<ö&«t#»u]æ´é'³>Ùþ·¹Iç-~Á}$c-òÙV«ÁÀűƒ.ùUMh˜)¤… úm¸'öûÀFòu`~†áPOªcñb þ—´ÜVä°ËÒV5ÐòÉâECìÄAè/´ÐøÚáo¿BÓ<=mÀ!*LwÇü¿T´> ùÇœfMAÕÕº8‰Ð72p°nÊ"{'ìYâwìy J9ÛEìK¯ŸÀbkàɹn?u=¯ÈKcÚà.³A'öSk£â@Ž‚²ß~ìq;¯ù¬“¨ì+Txº,aºacx#»^qŽ`ü¦L2ÅóOØ?Iý]äEñ¥•ðw ¤þÎ…oJñÆ4ë#èÝQî%Ý®6ÅßÇí!Eìõ5-RÞšð{´‡ªŸß& p[ Ûg¿@cÝm{†@¹ýFnè+ÍË{>XQ˜ ñ­4[–ƒie”¾ØÀ”´ïu™M³jÁ2-tÙ} îòøÈ-Ÿm*ØdÀ/´î,òÆ2÷™Á‘Åv`,ÝHÔÞÞ¸T½+¹hmQYaMùÿcÉÝ ¶îÚÒL4ù­~ZÄBLÖ~(óF_¨ ‘9fòiZî§&~ìµ1›¹ãõÿç; -$sž®’¤Q"Bø´ ¡ò"=¶çj^m— ÿœEð âÓ‡Éñ.®D(ìÈ«˜„ð¿<{¡5,×ÚÝ -ÿuö‹öeÑìÄXØïr‰?ÁõìL*Vè+nÓÝÌç Ç®TÆʇÍéf¿~S/T3á`ûìJ‘W2Ôþb2¸_W¹‘ÿûƒ*-U9^î(Ë€`Ò(kI«âP®©P]å†_?N@ï{Z ¾%ÍEn|‚@MŠoŠ˜”RlO_—W—Eä[a êðC;´’:Æö áÐñqØž£?àõÏîVüb¹ôo×ÅyZ§EÞè¤÷*Èõ@­$€M°…>ÁSØ_:W“¾Æü–_“²nÐøFLM›ÿx|›ì’ïE%f—bö)ËvIž‹E“|Ç&ÇrñÛbý=ÙÓºLáiØhBnéœn÷ëºx†}4,ásA†]ìÄ$ôN0¬IY–RŠáÐ , Û 5†ûØf†ulN,¼úÝjú =3FL׌4v‡±F3È_8üÿ-”æ[~Ãib«‰ÙË"£Y–ˆgú6ÿ¹oØ UÅ• “7Å:a¦Ç%®sÞ©`œŠ‰ú•ò‹Y±KR1y—ìÄè꽪éÎ@+q‘ã3/ÚÒJX¯X,yK+1ÖÚLü>ñýqú3¥ÂâÔ2çÊñÂj“Ð;Ÿz§âZœŠYºþžæU‘ /I~HÊwu.‚ásá!pAÕös¡IYÎ…”’ç»>¶œ ´v.úØæs¡cù ÈçfJ×ø_6Ðœv±ÚÓuúòÞœ vßPÎ$Û#†‹!NË·tM+ÇÀ:vc¬±N€aæŠÙ“‹Cö\]Í9@C›Qg€Ýhg y\Úus Bç@ØYíÁOY»&eaUJ)VQ`‰«VhÕ>¶™Uû‰[2hBð×yMËœÖüŽÎæ 1VËžµ¿½þs¾ä——·ÿ\<»ÈŠç$ã×ÓÍF:ñ\²ß3pƒÑ{±ã!jé÷xž×,” £–b³b½~M‹£éõcì0Z]j˜^%¥Ñ Ók…né=Â6ÒÛÁf4;wL‚Æø0 ÇOyʈ⃽0 #ך×)Ë«hYñ¡ƒpùDúrS¾œ(_N¬¾œ8aäÝ—Ç<³Å’<¥_‚ûb¼u¤ÿv¨†•e°-Éõ!§Šèp˜è9A蟰c]ÊB´”RDcâZˆ¶AkD÷±ÍDëØ¿QqÆç?ׯI¾Š˜ÑŒne8î<¬Ãç“Iß­L™UäC!Cº‰•L¦u'Fös§Pz÷Nųã!¼4 !¢ÊU(V;S.i€S  íœêRÃœ*©¶æqÑ0§Vè–Ó#l#§l¥y¾.6*}ml˜åÉ´þQ”ßÅ ˜_ÕÓÞ=¨¯TE#VEãQ°ìQ—à6‚›ßõ›N=ÃÁ¾L3ÉyZžÆŽOÕ-º”…%)Õ²„-Ô +­±ÔÇ6³¤c/é?‡”G¶xͪg\m0ewŸ‹JJœKÝí³t­™¨¢ouØ61VwâcSë” ¸m³!ÚH \HòNt 4! %BH1âÇ6»±àj„ô€Í|hÀ*& £ºä1‰_×åa]ó€G{:×ü¥ÁÆ>8\âuÕþE˜ÅPK³O²ÞäñôõU¤çgÄî)ߥIY(R*Z8°Ak$ô±Í,èØ—YRUY“ë5Vpw>Í–ÎtÉýÊô#ꆗ +{Êþ,”=O79•îg!7‚ÍE£û¢¨û•]ϧµå™²h x±÷ ½¡àu¿§e¢šQ&ÂI— b'\—&\IµFG,„[¡[°„w°/‹ÝNº0¥‹YR'üê*ͨl¶ä,±ÜJÍéÍKÎYilíD¡ãžg P”–`àC-2h|ÄY'÷­… !¤ˆˆ‘¥N·áj<ô€Í4hÀFÔ‰L²žAü:Œ"Üåb&iHàÙГÃWô¹œDãvM Æs"ß;Q€éR2¤TÛ5A–¼Ü +­ÑÑÇ6ó¡céþ²L!!H“^š°wu´hùõ—©A‚˜é±"ïºVï×· M §LF“²Ð$¥Úò ÅšlÐM}l3M:öSE»Éµ2ži–&íguÜÛÖÉ‚ºß qßwÝ +>'»4«2?Y\ýÁl©L·¯õ/–W<‚ùÝ¥•ðvç%Í’šJÄ«ËÁp…ýÈñÂàD†¨K ®¤”—Ç>L¸º%üÛHx[ö½\Oô½\_¥Žl[!•©#}œ „Æ…˜¨ ™C²¹iùœÖeãêøl©¦µh˜=*D7Ww¨Öd'€­²,*š?'‡¿MÞEÿR<Õo_G:–¶D„œ(¾t) RªýÑYŠ/+´FcÛL£Ž-)²¾¶)}>l·æ>#r}Pbß8§ŽtÉ»D¶ïŠ7ºûØBMgÙ;Õ^Ò¥,z–R­žc›¹Ø 5=÷±ÍzÖ±•:eQÚÕöM‘ld%ùz@ÝăܡßIâ?ÂÈ6­Ö…©«¥×ÂQì:žœ¨Ÿt©a…+©6 y–¼Á +Ý*üÛ¨ð¶(n <ʤf«ô蔋Ýi–É_\L™k¿ËÁ½Ê +b> endobj +1282 0 obj << +/D [1280 0 R /XYZ 56.6929 794.5015 null] +>> endobj +1283 0 obj << +/D [1280 0 R /XYZ 56.6929 749.0893 null] +>> endobj +1284 0 obj << +/D [1280 0 R /XYZ 56.6929 749.0893 null] +>> endobj +1285 0 obj << +/D [1280 0 R /XYZ 56.6929 749.0893 null] +>> endobj +1286 0 obj << +/D [1280 0 R /XYZ 56.6929 745.5361 null] >> endobj 1287 0 obj << -/D [1285 0 R /XYZ 56.6929 794.5015 null] +/D [1280 0 R /XYZ 56.6929 721.4664 null] >> endobj 1288 0 obj << -/D [1285 0 R /XYZ 56.6929 769.5949 null] +/D [1280 0 R /XYZ 56.6929 714.8926 null] >> endobj 1289 0 obj << -/D [1285 0 R /XYZ 56.6929 771.5874 null] +/D [1280 0 R /XYZ 56.6929 700.128 null] >> endobj 1290 0 obj << -/D [1285 0 R /XYZ 56.6929 747.5177 null] +/D [1280 0 R /XYZ 56.6929 696.2043 null] >> endobj 1291 0 obj << -/D [1285 0 R /XYZ 56.6929 741.0838 null] +/D [1280 0 R /XYZ 56.6929 669.4845 null] >> endobj 1292 0 obj << -/D [1285 0 R /XYZ 56.6929 714.364 null] +/D [1280 0 R /XYZ 56.6929 665.5608 null] >> endobj 1293 0 obj << -/D [1285 0 R /XYZ 56.6929 710.5801 null] +/D [1280 0 R /XYZ 56.6929 641.4911 null] >> endobj 1294 0 obj << -/D [1285 0 R /XYZ 56.6929 683.8604 null] +/D [1280 0 R /XYZ 56.6929 634.9173 null] >> endobj 1295 0 obj << -/D [1285 0 R /XYZ 56.6929 680.0765 null] +/D [1280 0 R /XYZ 56.6929 608.1975 null] >> endobj 1296 0 obj << -/D [1285 0 R /XYZ 56.6929 623.4385 null] +/D [1280 0 R /XYZ 56.6929 604.2738 null] >> endobj 1297 0 obj << -/D [1285 0 R /XYZ 56.6929 623.4385 null] +/D [1280 0 R /XYZ 56.6929 577.554 null] >> endobj 1298 0 obj << -/D [1285 0 R /XYZ 56.6929 623.4385 null] +/D [1280 0 R /XYZ 56.6929 573.6303 null] >> endobj 1299 0 obj << -/D [1285 0 R /XYZ 56.6929 617.0603 null] +/D [1280 0 R /XYZ 56.6929 516.4589 null] >> endobj 1300 0 obj << -/D [1285 0 R /XYZ 56.6929 602.2957 null] +/D [1280 0 R /XYZ 56.6929 516.4589 null] >> endobj 1301 0 obj << -/D [1285 0 R /XYZ 56.6929 598.5118 null] +/D [1280 0 R /XYZ 56.6929 516.4589 null] >> endobj 1302 0 obj << -/D [1285 0 R /XYZ 56.6929 583.8071 null] +/D [1280 0 R /XYZ 56.6929 509.9409 null] >> endobj 1303 0 obj << -/D [1285 0 R /XYZ 56.6929 579.9633 null] +/D [1280 0 R /XYZ 56.6929 495.1763 null] >> endobj 1304 0 obj << -/D [1285 0 R /XYZ 56.6929 565.2586 null] +/D [1280 0 R /XYZ 56.6929 491.2525 null] >> endobj 1305 0 obj << -/D [1285 0 R /XYZ 56.6929 561.4149 null] +/D [1280 0 R /XYZ 56.6929 476.5478 null] >> endobj 1306 0 obj << -/D [1285 0 R /XYZ 56.6929 501.9076 null] +/D [1280 0 R /XYZ 56.6929 472.5642 null] >> endobj 1307 0 obj << -/D [1285 0 R /XYZ 56.6929 501.9076 null] +/D [1280 0 R /XYZ 56.6929 457.8595 null] >> endobj 1308 0 obj << -/D [1285 0 R /XYZ 56.6929 501.9076 null] +/D [1280 0 R /XYZ 56.6929 453.8759 null] >> endobj 1309 0 obj << -/D [1285 0 R /XYZ 56.6929 498.3987 null] +/D [1280 0 R /XYZ 56.6929 393.8353 null] >> endobj 1310 0 obj << -/D [1285 0 R /XYZ 56.6929 483.694 null] +/D [1280 0 R /XYZ 56.6929 393.8353 null] >> endobj 1311 0 obj << -/D [1285 0 R /XYZ 56.6929 479.8502 null] +/D [1280 0 R /XYZ 56.6929 393.8353 null] >> endobj 1312 0 obj << -/D [1285 0 R /XYZ 56.6929 465.0856 null] +/D [1280 0 R /XYZ 56.6929 390.1865 null] >> endobj 1313 0 obj << -/D [1285 0 R /XYZ 56.6929 461.3017 null] +/D [1280 0 R /XYZ 56.6929 375.4817 null] >> endobj 1314 0 obj << -/D [1285 0 R /XYZ 56.6929 446.5371 null] +/D [1280 0 R /XYZ 56.6929 371.4981 null] >> endobj 1315 0 obj << -/D [1285 0 R /XYZ 56.6929 442.7532 null] +/D [1280 0 R /XYZ 56.6929 356.7336 null] >> endobj 1316 0 obj << -/D [1285 0 R /XYZ 56.6929 386.1153 null] +/D [1280 0 R /XYZ 56.6929 352.8098 null] >> endobj 1317 0 obj << -/D [1285 0 R /XYZ 56.6929 386.1153 null] +/D [1280 0 R /XYZ 56.6929 338.0452 null] >> endobj 1318 0 obj << -/D [1285 0 R /XYZ 56.6929 386.1153 null] +/D [1280 0 R /XYZ 56.6929 334.1215 null] >> endobj 1319 0 obj << -/D [1285 0 R /XYZ 56.6929 379.7371 null] +/D [1280 0 R /XYZ 56.6929 276.9501 null] >> endobj 1320 0 obj << -/D [1285 0 R /XYZ 56.6929 355.6674 null] +/D [1280 0 R /XYZ 56.6929 276.9501 null] >> endobj 1321 0 obj << -/D [1285 0 R /XYZ 56.6929 349.2334 null] +/D [1280 0 R /XYZ 56.6929 276.9501 null] >> endobj 1322 0 obj << -/D [1285 0 R /XYZ 56.6929 334.5287 null] +/D [1280 0 R /XYZ 56.6929 270.4321 null] >> endobj 1323 0 obj << -/D [1285 0 R /XYZ 56.6929 330.6849 null] +/D [1280 0 R /XYZ 56.6929 246.3624 null] >> endobj 1324 0 obj << -/D [1285 0 R /XYZ 56.6929 315.9203 null] +/D [1280 0 R /XYZ 56.6929 239.7886 null] >> endobj 1325 0 obj << -/D [1285 0 R /XYZ 56.6929 312.1364 null] +/D [1280 0 R /XYZ 56.6929 225.0839 null] >> endobj 1326 0 obj << -/D [1285 0 R /XYZ 56.6929 297.3719 null] +/D [1280 0 R /XYZ 56.6929 221.1002 null] >> endobj 1327 0 obj << -/D [1285 0 R /XYZ 56.6929 293.5879 null] +/D [1280 0 R /XYZ 56.6929 206.3357 null] >> endobj 1328 0 obj << -/D [1285 0 R /XYZ 56.6929 269.5182 null] +/D [1280 0 R /XYZ 56.6929 202.4119 null] >> endobj 1329 0 obj << -/D [1285 0 R /XYZ 56.6929 263.0843 null] +/D [1280 0 R /XYZ 56.6929 187.6473 null] >> endobj 1330 0 obj << -/D [1285 0 R /XYZ 56.6929 203.5771 null] +/D [1280 0 R /XYZ 56.6929 183.7236 null] >> endobj 1331 0 obj << -/D [1285 0 R /XYZ 56.6929 203.5771 null] +/D [1280 0 R /XYZ 56.6929 159.6538 null] >> endobj 1332 0 obj << -/D [1285 0 R /XYZ 56.6929 203.5771 null] +/D [1280 0 R /XYZ 56.6929 153.0801 null] >> endobj 1333 0 obj << -/D [1285 0 R /XYZ 56.6929 200.0681 null] ->> endobj -582 0 obj << -/D [1285 0 R /XYZ 56.6929 159.3692 null] +/D [1280 0 R /XYZ 56.6929 93.0395 null] >> endobj 1334 0 obj << -/D [1285 0 R /XYZ 56.6929 131.475 null] +/D [1280 0 R /XYZ 56.6929 93.0395 null] >> endobj -1284 0 obj << -/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F42 597 0 R >> +1335 0 obj << +/D [1280 0 R /XYZ 56.6929 93.0395 null] +>> endobj +1336 0 obj << +/D [1280 0 R /XYZ 56.6929 89.3907 null] +>> endobj +1279 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F56 622 0 R >> /ProcSet [ /PDF /Text ] >> endobj -1337 0 obj << -/Length 550 +1339 0 obj << +/Length 995 /Filter /FlateDecode >> stream -xÚ¥S]oÚ0}ϯðÛ‚´x×_‰½·£ª€‘LÚDy€¶ÑéHPÕýúÙ1¤aÐíaÊ‹ûqÎ=÷˜ ÐAR``Š£@q,€”n@:6rÈ1Ç;%yݬ~â|øäS¤°ò©’ûN/‰AJ‚’Í g³h2ëyT€âž'NQÜó_™3!Üþ¸;žŽæáìów[tÂÉÐ^⯣Q'Ññ:Âáx2Ò)¤·Lnœ(iiwG#À çŸÎb h£'¼q3%zÖÀD)Š¶ ÎØéOáÄΗ¶a'Ú”^“J0‰…¤Á­8E„`%=K(ì3ʬXZÖóh‰¦õc¶·CËô°Ívuuq]j{ìµ.znÛcÆý¦; VD5mçÙ}¶ÏviV½©€>ðlÿ5ÉÄ:Ë'LaÙ¶2À ²ü‘ÀRQòWÈ6éSø]L!° ˜8ÃN´§(wµÛ˜ƒß©ËØçXI½Ì¦ê½­™­…- -‹u^ÿ:ë$ÜÁ>OdµÍ¸Í¦ŠpwP>½ìó‡ÇÚ  h p.MìbS‹OxߣX[_;¥“w§ s…*¡@ª#WmMiùÄÙzUÕåSY4L4Áð£Lßͳ¼(^FÚ*KCµÔmìTÆOUU¦ùªÎ*ü–?˜ÀÆøWv­©ÿû}½:˜II¯;%ÕÂI™YäÅëoâ%õßY<›endstream +xÚ¥V_s£6÷§à­x&¨’@ úæÄNê››$uÜ™v’<`,M0ø'—~ú®´2Á÷^:~öÿîOË®™GáÇ<) ÓÈK҈ʄ—ïFÔÛ‚ìfÄœNpT +†Z—Ëѯ×1÷R’Æ<ö–›/I¨”Ì[®ýÉýýìv:ÿkpAý ‚Ò#÷jö0’85‚Јbê_Î/¿Îïn“ûßÿF£'*èävŠÄß77³‡åÌ‘‹Ùd:¿½6~^~Í–}ÚÃÒ MÎßFÏÔ[C…_F”„©Þ”°4åÞn‰ˆ( œrô0ú£w8ZÓsP‰P!yr«ˆ{Œ‘T~–HIòÁø8` šWj*ÕaÓ&Ût­)…Щðˆ¤‹¬‡•G+¸GÅù´µHYaÖŒ™ôö^¶E°66È|«›]mÑ~]燪Ððë ž]¡P~yVmu¥TãÌ…¿§ÜÏÚT¾®mÀ\Á£G ¤…z7Å™rz —ãhQéëj„I⫶UUŽÜÔ_\_µ†÷r›“¹ìѼÔ;]eÍ;2Û.Ûªï¦ +c¹V¯ª¬÷¦>È(N™?ßíKeèºqÞ{¼Œaž:]WjdUw.t}Z~h¹E`ÂÀkÚâ%³gèüç…~ÍÊ õ³Ê)w«Õõ¡t\Õ\V +Ïo‡ºSkT„-/׎Y|lÄÊ9ÛÔÍ.+‘9|_ U 0;ý<¯wÁ¹÷Ùg•¶ÞõWïxbGÀe­Û¼ÌôN5GAÖõ*Nù£ xâ<2=×"iÓ…_±Þ¢jÛ£‡".Eöêœdx”z£ZH)Û­p¶ú;^vuÕÎúý˜â[¡óâ\¡.c1̈µ* D™¹ï×Y/X9Sp¢çåÐÐYÄ}Ñ'£B‡‚0Fã~(„n(Ü ça:x/3YWõÁÍŠË9 ËÞoDÂ(îýR’²Ôº]¨jÌgÔþ×à)',fáÏwÂP çÜp<±0%<òÙ‰ýÈž Ê%2åìçQ{­ÏaE< +‘I(NÃNoaÝp*ÜwEã!Tìc˜¨æ¼µº@›ûìP¢Ñ¤\éîŸO¿jtþb§h|ÕcÅ"ÿªÞ¿7z[t¶©XÛ!Š¤Ù ”bR9Ƈùý?à¶",‘Þì’3©2N(•©Ë¶–Ä|Ô*k»z_ÛY#öjòJî~Y(]–8o¡aL¬ä‡±[¹Î´mkèdìÔs]­jvâ™×¢}SÿïÕûÑnQBB)ùùn iL$à\R¦ùéA¿£?§þ/.û9œendstream endobj -1336 0 obj << +1338 0 obj << /Type /Page -/Contents 1337 0 R -/Resources 1335 0 R +/Contents 1339 0 R +/Resources 1337 0 R /MediaBox [0 0 595.2756 841.8898] -/Parent 1283 0 R +/Parent 1278 0 R >> endobj -1338 0 obj << -/D [1336 0 R /XYZ 85.0394 794.5015 null] +1340 0 obj << +/D [1338 0 R /XYZ 85.0394 794.5015 null] >> endobj 586 0 obj << -/D [1336 0 R /XYZ 85.0394 769.5949 null] ->> endobj -1339 0 obj << -/D [1336 0 R /XYZ 85.0394 752.4085 null] ->> endobj -1340 0 obj << -/D [1336 0 R /XYZ 85.0394 717.7086 null] +/D [1338 0 R /XYZ 85.0394 769.5949 null] >> endobj 1341 0 obj << -/D [1336 0 R /XYZ 85.0394 717.7086 null] +/D [1338 0 R /XYZ 85.0394 752.4085 null] +>> endobj +590 0 obj << +/D [1338 0 R /XYZ 85.0394 668.8754 null] >> endobj 1342 0 obj << -/D [1336 0 R /XYZ 85.0394 717.7086 null] +/D [1338 0 R /XYZ 85.0394 644.5358 null] >> endobj 1343 0 obj << -/D [1336 0 R /XYZ 85.0394 717.7086 null] +/D [1338 0 R /XYZ 85.0394 609.8359 null] >> endobj -1335 0 obj << -/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F14 608 0 R >> +1344 0 obj << +/D [1338 0 R /XYZ 85.0394 609.8359 null] +>> endobj +1345 0 obj << +/D [1338 0 R /XYZ 85.0394 609.8359 null] +>> endobj +1346 0 obj << +/D [1338 0 R /XYZ 85.0394 609.8359 null] +>> endobj +1337 0 obj << +/Font << /F62 638 0 R /F42 601 0 R /F43 604 0 R /F56 622 0 R /F14 612 0 R >> /ProcSet [ /PDF /Text ] >> endobj -876 0 obj -[590 0 R /Fit] +881 0 obj +[594 0 R /Fit] endobj -1344 0 obj << +1347 0 obj << /Type /Encoding /Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis] >> endobj -1189 0 obj << +1194 0 obj << /Length1 1628 /Length2 8040 /Length3 532 @@ -5324,7 +5335,7 @@ endobj stream xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä0 00Ì ÝÝÝÝ’‚R"‚´t ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü ¬‡¹rðpr‹ t´P(ÐWç…C­fL9g0ЇÉ]Á¢#°5@ ðòxDDD0rp'/gˆ­+€ù‘ƒ…ý_–ß.+¯ ‘.[€ññà …;9‚a®ÿã@=0àjØ@ `€œ–¶‰Š¦€YIÓ †P€¶›¨C@`˜ ˜`w@ÿ:@p˜5ä÷Õ\8¹d\@€‹y {‚ÀN¿!v€ØÙââòø €¸l0×ǸÂêfý[À£ÝþG“3üÑÃñ{$Ó†»¸º€œ!N®€Ç¬ÚòŠétµºþÎíy„p›GOk8Èí÷•þ`4¨+s¸‚=]粬!.NP ×cîG2'gÈn.˜í¿°œÁ¶@gk(ØÅå‘æ‘ûwuþuOÀ¹=ÐÉ êõ'þÇëŸ ®.`¨ '&ïcNëcn[ “ë÷¨¨Àlàî¿ìÖnNÿÀÜÁÎ -Äü{fXE­á0¨ÀlƒÉ¥ w}L `þŸu™ó?×äÿ@‹ÿ# þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù €¸(B<ÁÖÚWÀ}¬Ô»Ìì …ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.] e-E¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:# ¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4 +Äü{fXE­á0¨ÀlƒÉ¥ w}L `þŸu™ó?×äÿ@‹ÿ# þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù €¸(B<ÁÖÚWÀ}¬Ô»Ìì …ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.EU 9U¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:# ¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4 0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì a.ÌÁAb¡ö™9Y® Ä£ò/z{xÂœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"› rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý %õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3 @@ -5347,78 +5358,81 @@ $O t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐ oQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ ¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ° gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd ÞyŠGÝ ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’ ¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý @¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š” ™v_Å [ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y ê<‹ý¹uÓ Z/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§ Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í; ¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.òY[a-³ZyÏ•px9ÝØÜ>穾„»*|,4°ç Žð=Ï añŽ©{ZwLVqžCÅo, H;ç_7Gg[åGx d½DŽ…*~ÂJSÛ/ *ûÎÔF‹µëújQ‹jw Ý]_-Òq;Œ,1t³õ2ߥÆíËòê{:Ö§Ùo$<×ð¬žôôJ©Àëóüλì„b›F=ÍçåcT”u;ÐuË›÷#³»Z1q“ÒYÖgHŠ^fiyv|‰¢,PkŠA±¢FH£s^…EËRôƇnQWEÛt%Ú·y3™{æÈŒõFbKã<%Æ)â"-L+{墒zS'“#é²ÊòZÃ+•÷U­Á׎#Ç©ÃCcæHŸ,êä;÷=íÏô .óYäg:¯jÔn¹¶Æô×êS:c¤¬UºW¹Þ/Ëf¹ŠšcO¥ÛøŒM¯lD‰Á¦9²ú:­ÈùÈßÛ˜ìÑËr6½õx§ç±2ú]úS¹‘ p7O¼,j1îöÐËÚ{ž$ªS7O–xYŽróæs÷â»ì(è˜Ýš‹ÏD‚@§­Y#žC²L%¯íáž›1A•Ã¸©3¾~M+ÖAîDí>¤¶¯cãµã-Nˆ¥”ûÚÔß ÄÖtzâ"¹tãØ'>(˜“”hSðÕœM]ˆÎÛ…0ìŽ ñâSPÓKD³—dOj nÌó®|KHtÞ‘Ñ+㢟S'÷@6„iõ“¨C,÷ág3B½žpÖáΡÄêφÖÑn‰Ü;ɦc“ _7T,Q1çTiHøBÕWL8­¡¾  ,œ²£.±ß u2†)¶=–Oš ¹ÿêÚ´­Ùê², Aq¨¿râ^T!1í¢ëç2)áN\§‹¬‚)æÄËR…Ëbž÷ž6Cb5ü´çêÞ›Ô;ð¶¹mH“üÅL¸^Ȭü¤Ý¸Ê {>«m@Ë›ðzéN‹›´×»ÔÌÃBÿ]¬—š@)õp[jÊâá…6붡²BSHQøר.öØ«N÷Ž`ðG¿§zŽ^n)?ìû±«892ÉÿxÈÌÄ÷Ù%¼­Ø3ÕÎZJðô]\ÿ^¸Äé„SXA㣅¸r}[(â0Ò@¥elöÉmi¶ö­EWÕ9úQѲ´ˆC¶Û¯µAñ=°g>MF{Q’= †*Ëk¨+™×Øõµk¤i@ïħÕW:x<›ó"Í}<=<²šC½Q¤4Æð÷i©UµSöA-ÒiMÛk×qnñÔÆèO“¦R<)D¾€÷/ÇT#î¡ÍM© Æ$ÖžåÔ3³Ð¿Á¢\ç{Uª÷Þ<UW=ˆ$®&<ƒªZ€0óØÒgÒR*¹ÉÒO¦1‘'£ùŽŠj*5wË-·‰ûùT j4ÝióÍu``òh߯µ“K…ݻʔÑk‡‡A›”ôÈÔDôìtk¯ö2ÅÛö÷ú—¨§$ÌöZ¥ï@Î^ùÝêõ^E~§”Üúí¨u4߉<*ôŽ±§¸KJßùy/žn•C*}…ÃåLgI£J·8jŽ[“Þ³ ”ØT7%JÈOïä,Á!ØžÈ+ÌÁ¯f—ÉȘs‡h`Úq¢O”1£<ƒ3(©dØOfBOŸ º'"p=Q£B¿âäpJ}ÝØü™ŸZ®¤!p{òëÈa}÷qÑ¥³äƒ£DKXôžòxÇ(žÏÑã ©¨“{ÏçÉšj¿dqX·ã·ŸP¦Üv£ä£Ï€³i¬¾AÕ;³@øyŠ*œoLœOœÕøë…ú¾›ºxOÛÝËc -@YšUʳªø;žBiäMÖð.•\rž;ùU´¾Rø'î…ç)眄š˜ …@ƒi/_ A®ÉéÙêr«0áFx<×Er;¾zÇ´UÏšøSÂö²Ù„.¥mô÷Œhâæ¨É2Ø’ç/{I;õŠjÑm÷¬ -*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû ΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt ]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ  tv…;0ÿdõ©endstream +*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû ΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt ]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ  tv…;0ÿ¦õ›endstream endobj -1190 0 obj << +1195 0 obj << /Type /Font /Subtype /Type1 -/Encoding 1344 0 R +/Encoding 1347 0 R /FirstChar 67 /LastChar 85 -/Widths 1345 0 R -/BaseFont /RMHUOF+URWPalladioL-Bold-Slant_167 -/FontDescriptor 1188 0 R +/Widths 1348 0 R +/BaseFont /FJYMCJ+URWPalladioL-Bold-Slant_167 +/FontDescriptor 1193 0 R >> endobj -1188 0 obj << +1193 0 obj << /Ascent 708 /CapHeight 672 /Descent -266 -/FontName /RMHUOF+URWPalladioL-Bold-Slant_167 +/FontName /FJYMCJ+URWPalladioL-Bold-Slant_167 /ItalicAngle -9 /StemV 123 /XHeight 471 /FontBBox [-152 -301 1000 935] /Flags 4 /CharSet (/C/D/E/H/I/O/R/S/T/U) -/FontFile 1189 0 R +/FontFile 1194 0 R >> endobj -1345 0 obj +1348 0 obj [722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ] endobj -1156 0 obj << +1165 0 obj << /Length1 771 /Length2 1151 /Length3 532 -/Length 1711 +/Length 1712 /Filter /FlateDecode >> stream -xÚíRkTבª¡¬òRIÕzX¹yL4„„0åý”˜™)É &4€ˆ*©Ê²ˆE—o‡kDÓ‘È¿Úoµÿ=fW2öVðúé§DÙF}{k¯½ÑÖɽr_ĬòáÄä—ÊÛÛÞSØ~×´ØœÞäñàGקw2ÏYׯ¾ñ«è#…3koÞxù87mcg¿ÉæKØu¨„–T~zõ$ú¿wŠ®LÜÆ«qSÍ¥ù‰ûž:¾2ÑÛn÷¤Ý²-Ê¥V×K}^Ìá¸k4hÚbSl™ 4B8{¡çµèŠR`ñ¾Ki¬oKs˜ô—ÙƒÝî‚A—Òw{$ù9%!1’¨ÑG+äµ T>Á5tK¤¡-¾Uí‹](07¬ÍwHkèâúCéM{ëRÆ_2~]²c擤çÏûž½6Ð[Èõ.ÎÇgÄxxí÷ËtóvïàЭ¯~ft‰“)¿¸KŠüBúlVÚÕÿöÈn“‚XÁõ<§G>s5qi÷„ãê½ÿ’Æ{|ÝlÜ(ÖZâ.bT=üùb«a?79( ¡/åLäMKuç«ë -f&›ƒ‚ª—4ÏÆ{ýç»ø:.ôžk'J4GåNÓ…mÑ}åÙlÞÄø¢cBÏ=/¼‡~(‰26ö\”k=´yAÚNÖýÈåz¯_¬Î…ե躼êN¿Ÿ·l/™Í\»7íXmXí6µî‘`Ξ£‚†‡UEöÙ'¢æïåD¨w Ûøt¹{;cýåºG¤]Qøóªçw¦µ #0óñq}&÷ÌGëyÞ‰©¯z|¯;X£ßµñÁ£›+m_OÚ ô -èéâOKr_oí ÖØØ‹›;LØÝ£¥·¿ïGƒ›Ï´×¸úÄ~µÔ·•^þ?c«Ö2¹öŠH=GçQh90Á€[ªÔuN ØÉ|É_–êfr6J¿•iaQ*P SjXKÖP*4@Ž)˜00H£ë&od€upŒg“ÂáQ`#œŠ Ö¤&)ªÂÿ- éÒߥ2a<ƒ¼¦dÒ)ÂP@°ŠÂZ‹‘Ý`RËCÖôâF³V¡,?åÔ_ò +-¢1üÎÀ´é:Æ ƒ`N…ߊ“Á¢ÓNÏJ …QŠÐT œ•LöÊ·8’!Aô0J5P)4ð£Ðt%¤S:X’H¹$8Öû÷¯JF(”ˆ2¤Ã€ý{*æü“&áˆ$°™l6‡$’ûÝ)iZ31ªÄ M\žPà¸Â@!‡ˆŒxÀÈ +ÁzëIÅ,&Šä@:“TN™üW6`iàŒŒIô-À¬ÔÉÙ#Ý›Äþú´  Lod¬à—G¶b¯ô|;çOD¥Ça”˜Ò w± +!=…a=¬¤XobJ¿­Ÿî;½½&W\ÕyÌžž±Ð|dkûùm§Ì~Ìá^?—ëxãOQðG¿9osþ9îT2þ Rñú¨§EÙ£œµ­ÇÙâèF¯Ø/ŸõP9œ˜<ãrY[ëÚƒ;îY¦7z?üÙóÙÝÌóöukîsø•Ô‘™5·n¾z’›¶©£Ïêð5ä9TBI*;³f/óÏ»EW'„bU˜µúòüÄýÏ\_[©­wºÓn;š¦2™Ý ³ÿË9lº^ÕßAáH[l+¬– g/ô¹Sn6ú{˜ãš›Âe¿Îè¢ <ÌïwKósJÂb¥Ñ£ ŽU¸(khüC«©¶p}ëúmz±`°>2ß%­¾“ë_ÌIoÜK[—2þŠöÛ’3Ÿ&½xÑûü‰ÚòPiô°q?1#ÖÛ÷@`¦—÷0½Mµ¿ö…Å#^¡þê! + ëuXejÓþ=°?»yLâ7òÜnýÂÓʥ܎k÷•ÿM¶ÞûÛ&ËžD±ÞF ý¸¿òÑ¿.µ˜p“%Á ½)g£ny_®m¸PâZ[03ÉÒ$‘T-išõ Í÷p]è7×I”8Ô»¬»õEÔç²]xã‹Ž }v¿ôú©$ÚÒ8rÄgQ®ýЖi»˜¢–}µ;^›bèô­=iùqÞ²}PT6#r_ÚñšðšíZÃcÁœ½Çõ8våÙ瞊š~P•áE Î+|Ó³åô6Ú†+µ §¢ˆ•)L<>ðlK+Š£ƒ'ƙܳŸlàù%¦¾î8²îPµq÷¦‡o­\´cEèÐß3  ¦‹?/É}³u´'Tçà,njO°¢÷Ž™ïü؇¶œ;ä¬óôûfi@ µîÂ?ÆVE2¸Îª(#[ï]hÛ?Aƒš+µµn4Èmðr"ÕËên‘¹~/}êŽZšÓMÛ%íð«“U%1¬ÜÁžU§|<ˆ5c•BT¾TzZ³ÜfÆ™cOJÜŸá›^ ã7”ï‚oWD¬­˜ð¿Û5¡Ës½2RØñË™2•ìM‚|oÊ|U–Aß9/«©«tS¹>˜áµõÌ'Æ/¹_65n¶™‡¯•F@ßÙªÛ·_w½ã¨ål‰è¹ÏÆuäÛ½ŸS¸šJý 5-­Óï¯ +ì;ºóRVô‡–»^1î¥â’׶ñ1uCí¶e‰‡¹B—Fec½iÏÅÊbÇc4ÁxiT¾²ívò–Õòº†»vp©³‹»æ4ÏZ¸sóÏn—eÊ+¾^pžŸŸsNÂë œó½çâ"5%çœ*WL½'î Ë~øÃÐ{ö!£KžÄž5¼T÷žñ-/–_éÝjÝC«íÒ4U—ì‘Í­qÙð^¨Óáö+ÂkNþ»Û‹ÛyŸµS—/_'œZîö­!¥ˆÒmzÚ²& B´`!Žk{]Ú™yy¢Ò ®»FÔÉ ×Ëò~A£å Ô‰¶ªýs8Ñy¬€¶Yøbݬû]ÿü»”jþÀØqKÒµž/G#wò_Z“Xô¤"†‚XÕÍ›gÝø4+âp~µ¶Ÿý.Êÿ üOPj`N`ZžFù7´þŒšendstream endobj -1157 0 obj << +1166 0 obj << /Type /Font /Subtype /Type1 -/Encoding 1346 0 R +/Encoding 1349 0 R /FirstChar 60 /LastChar 62 -/Widths 1347 0 R -/BaseFont /ZZWIVJ+CMMI10 -/FontDescriptor 1155 0 R +/Widths 1350 0 R +/BaseFont /FQSFCW+CMMI10 +/FontDescriptor 1164 0 R >> endobj -1155 0 obj << +1164 0 obj << /Ascent 694 /CapHeight 683 /Descent -194 -/FontName /ZZWIVJ+CMMI10 +/FontName /FQSFCW+CMMI10 /ItalicAngle -14.04 /StemV 72 /XHeight 431 /FontBBox [-32 -250 1048 750] /Flags 4 /CharSet (/less/greater) -/FontFile 1156 0 R +/FontFile 1165 0 R >> endobj -1347 0 obj +1350 0 obj [778 0 778 ] endobj -1346 0 obj << +1349 0 obj << /Type /Encoding /Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef] >> endobj -976 0 obj << +981 0 obj << /Length1 1608 /Length2 6751 /Length3 532 @@ -5431,135 +5445,130 @@ x  €RRRD줓; fgp™™róòòýËó;`ãþÈÍI4Ìà¸ùp‘NŽPæâ|…0öP€- ¨è<ÖÒÓpiè™4 (Ê0p¶ÃÀŠ@C¹¶Hþ—#ØïÖÐ7XJh€5íÃnŽAÝÀP§ß!>€åC£o¾04ÀeÀÜ̃À`¸3ä7¿-ò!'ò&Ãñ&vf€DcÐ`Ì ¸©j ªþOŒ½5æwm4ì& @ÚÞdB`çß-ý‰ÝÀÜD1Ö0€ºa~ײ 0´ÜÚý¦ö ˜ ö‡†3†°û> -jg‚À¡hô Ì öïéü«OÀëÞÚÉ îþç4òOÖ?9À0h(ÜV€(|SŒ¹©mC þ^-„-úËqvúGÌŠú3 ®ß;Ã}C‚DÀݨ-‘ sSÀõ?SYà?'ò@âÿˆÀÿyÿwâþ]£ÿv‰ÿ·÷ùïÐêÎp¸žµãÍüõÀn^4@ðûù¿r­ap÷“ý÷DSè_ ÿˆÆúf J»)„„þrÂÐê07(ĆÛl­á73úã7A@ (8 ½ÑòÏü@1±¿ÅŒíaàçˆßC—ú‚" g~#ÏÞ‚fº:†Æª¼MÿdܨŽ1vwº!ö_}è"!ÿ4~c(+#Ýžü@ ¿ˆÄÍeH‰Jyý›z€€ÿ²u­1(˜àÉMÓBÀ?­ÿ×ÿ_–åß`Ô`$ä÷ž€0ÖÈÍjýÓñ; vF¡nýsÛoZþ‡ýgÉ¡P7(˜hf – tHLI”ѾëP}ÒÞ -Äé -rÊ­4~Ÿå[‚lñI ]’*|vQ$P5(}Uï>±åt¹ªÍ³ÖÓJçlI€îf2x±q·eÝçø(Á»æ/h•Kš´mé¹7®³ˆk..ôhí뀡‘UÎãàGÁÞOn_6—,_ª'Nw¼Áo+¢©É«°(ʲ·¶9b¿ý<áììíîúÔrp»m•ž7=š]Æ—”#Â÷E:½‚¹I¡ç+›`lgI\kp› —ÈüôMõ¢À|ƒ°²<ë¹]­Aùù{jž[}ùŽù¡ÕMÿ“—hÈì‡x@Ã,ýÊùÛxÛ¤ «?l?G)xGµkiïú.Ï{hæÓ×ïh .—‰&nõ}~ž*Õ•w¸’Ž÷±ÌzH Ã7[àl¸öõÛ‡Õr¥„1TÐ6® ¢~ -œ…›±Ø§Ï«Fc³}m½}ä®V‡6Gr\> "KªYIó½1Ÿ·²Ÿ÷9Qg††1„K¬”(æ33óÞ5±§Kí9uæêMæŶ¯’–÷O÷‘™÷Å㣛RðsZ1ÆŒ^&}ÐùQ íívRæXnúv†e ^êÛ¤J³T×_+'wßsšßÚ&ŽŸjUH§¹ÿ0Ä~QzNÂí#(êyžJéêAB¢]±\ꞚǼû¼Å‰#¢»WwÀnãa`a%th¶0R2Äüýsh{ŒV-ý"þ¬¶ø£1Ffz÷¾î.;M|Jþ­å´òÿ·ÊÆoNz5˜zó£À¤hÝ¢û(fbaUáž©ŒZC5…°ŸXÙžQÀ]ùþ錬˜IÙ‹0b®“øtî"Ý/n9¡21¨AÑ Š<ž…Öš¥•8"•pÂÈ¡–O·Uëõ‹.Ó<–’‡ÁêSFA× Gß÷mŒvÓù pÊžUÅ]¦a%2]½·¾Ú›ZMo„âF½cÈÙ—Gµ¤î>|>dšŒCýIP6³±=˜¬-£þ<\¢D°„l\—åi{)ÚgX$ŸÔx‚M¡ˆÏ`k¹JKzv_OòQйRÖ´Yh9Uz² ¼êˆ°j¹!+òàt€†®K|$îÊçìÐy¨š¨rõî¢ý„ÑŸ3LIÏÊa´ÍÒrÖðG¶šl<ïÓü’v)9²†NÊôÖ0ˆ ³Z¾|ˆØ£Ð w)ƒÄ¡ÓnAzy—_;ÛtYûLlã|î×?£Åë~¸–6|(HÏàþõÄ?ÚèÊŠs4ø‚_¿”ÑR鱢ápÖD|’Xnó.}­ŒdŽÎõ”fF5¤÷%"62;0}ÛfPËOÏM¤€)%j‚éý±Á:*3_¦ÆŒßœ=9y°ÿ“–¦eÍø!Fdtz(dtC•2۳ܜUاuÔøÙÞ•F}¸â\bù°z[`”ÉàcY쯧‚ÚW.‘ª‘vé_§;6Csg>ª"žƒ×p걞̖3Ôu™ä²Ûر~"Ÿ\VþJÀj0ºÚ@_"PºV‘.p¤`G´”Â#pñú”e+üjmË]'ïà|ë¢~bĵ4ª<3¯ñœŒ|ˉeï2g÷s#ZNe*bÝpÈÖ[*B‰Ç.yXì¼qH8›­¸<Ò™Áà[иXYV†kàŒOëÒ{Êð¥=0=yÐl2¬>Õð °€–çõ[âr(33Rθ-W|hµš½˜úÃM -»øã}y{ꔣx$󙹕Ä7ì) –/ˆ„³Îé4»×c§zœïÈjYÔRy°©ûJæ—V‹V¦wß“ó ÚÞÆdêˆô÷Ô·³0øò…i°sOí?¡Ðd˜¹ò@ÏéÞcxL -çÚ“9q93š¹“Ù10Îd6NÞ”QáW}Þi¢ioRŠäqY"ã¿› &Ù‹²'IU{ö+º#Phq"!Ô}q§t°<>J*KIý s]/wûW3´¡Îú㌜LgŒq~2Ê΃U.{òªÄþ²Ô²LPšPPn -%5èëÖ,»;e9øüNŠ Y‘ vÅ—/<<vǨqA%EªŠ·Yv—ÇLß9‚äÔ^Ç$n<$.Œ -GáÊCÚÅ*¼ä7/*§Åín‹+¤½oèg¼cèÿ jÇ7^96Ü@xÕÙf}¡ñÂSµË¸õh‚AF—GÌ‘ÿZÙx~åÓ‹ú®2OBëðғͦ´z+! v2gÅÜ‹†‡´©h³+®,:®1wJ:ŒéÜÊéxK‰ûžq³¾êüX¢'ßV IUm;³ª€‡HS@ž=T_ê ÙöHWçËm_åè˜#hcWÂWF– ©R8O°rD›ö -­¯Àäzú~ø£<)¸4<~v -é‘XÜ…AÉ/½3JÈ…–ÆÊ¥íÆ„›€ˆÅèažÜ‹[òú6!C“KZvââ‰Ê¨\ïFfþÌIòÅê ”×½]’À"ÒÖ0ìª:ðžD¢Â“P•7vîÙú¶ß‘Øݬ¢š³›Å1]»õ¢[Æ0áë¥z‹Þ°3éØ)ÏuµO"n`·¥(mèžžMШ%m³©óºKà:Ô®L1"éNZ'Þtª“WG™>qè6ˆaïiÚoßÙ¨’^¸*§e°yŽU<<’wÎ%oJÃQuªô@âMJOÛˆwÐñ^ÏÁ¨RÜkZ(LQúaïSäy·ÊÅ3ÍäG«Þ™3µF‘ 0ëî-êÈ-ªäid—ÖBj‘åÅúEZp“Þ8W—0Ü/c-<þ1P§ºÚDÿ3 }oî -hY$7U3~ñ4päáÕLÔ -U¿ÍChùLð(+G ÞNÒ±˜¸å yB{v€SÐjñpÅʦDÀú´ÐFˆå¬ÞõËþÝýKxŠ|¢[ô‘tU¯™ÞUgkÿ*C‰wt{® Áå;»ïöøͪÍ%ç‚Ý'×k®DzÓ ±ri;Ìi/[ˆ?–¡zí¾ï‡÷$ƵèÜi“¤Ï+õÎqM­ÆJ:¯V£#NWßÕ}èõ˜{¤lŽ­.NPGIÀ}5ÙéŸ8rè“2–î±"`ÅîpMûspÏ~ÉŸr Õ[âÜ+\øv»•èkIʦEæÑØ./îœN3ÅEÒlÜ9‡f²AÊ“!ü¢µö›¹Jjÿ˜¸{…öÚ1U÷¼05§lî¸:—ŠÕ­¸”ä&öƒÝ]Ôßû%gÀŠ%ÉëO¶LK¹]ŠT”I¹eÓõ–FAh]A·Ã/@Ú>Pw"d:¹.ë”19M¦àÑ£ðs?Ù¢––~§wøÆÌ°£_ÙV ŽÏ^¯ÓåÝ_ì#ê97¸›6!”UñuŠÞE(ÚÃkj't…×É¿è9ÑSLy¥Ïyîqk·s»ùµ¾Á’yˆFQù¤ [Üëĉåûæ‘>s\N«:òܵ„Ø™³=7ZQØ··B¿gð*ù&¯½Œ}^&¾óDžgçµ|ÿODKoââÕ¯Oþƒ¤£j¤óÅʬ~Ö³Œ_ñådNT_/üd¥×’ÙH*$hç¤2/û-0Òó)Ëÿ ¸’(4æd‰nÿœLõIÊ=·ŠQª¢|kA89Ç»=¯°ãá>kŠv3ROn&Àñ‰ô9DÖ<}£º‚P³Õœ2~„û¸¶wÑ·Q±@HfÝÑ=RUˆ`¹”~k+³x˜’x·Š}Ì;a—r‘­2`å-Å0{ªÎ817™†Ý€)2hô»}hïë õÔÚ+W/5¼zæÖm(³ìxÿ›tŽú9B*«tË[p{•¾ò3\>ŽJï,ä6>à•ð좒D O±Áø¾¯F Þ8ýe–¡C»ÃÇž;õp§r^ƒ),"F±P¦ç@ÿ£)g -É7)¬G»ýØѱ†ùÛ#3/éµåhÈM -Z²Û¢: äL²%T1ãͨ—¥^‹?BAI_ì¹øŠ\3& …§Í-0ÙySŠ¨W³4¬«·;çæ±û«ˆk U,~уûáNp¾÷Uê¶]RÏìŒ{g|õóÒî8,-’-ë÷síKiØíÒ_zQP¢Y§Ï>3Y«ËÍgAg(æ)„ºkß-µE¤çÂuŠ¨émº.?}&í;!æ&B)ž(;H…uz\J.‡”é²ìQ·óˬŸÑËM:Û{gjÜt|ï¦Öz½ÚŒyfE.:ð“+ÿŠ~z=ŽóJñ¼Á@ÔHÈ:Âû¬º,À:¶ìâ5ôê ¾]؇ðI[í2ñêá×n­Þ/5mêÉ«¸¿-Êä’8\ëã“ãÌȺ)ÓIsN ~{ØE§Ÿ)n[,÷Úix„Ci?éÍÿ)ãTâëu|SÃ5^¦V²…÷èû ü¨HÖ°GîxWÖ"/‹Uí®lF³“ƒ™¨Îý@ÝZ{¤ë;!‘› ±À]¾dOÉ›ñ«²àýa0ØÇ««â}£@Ýä§oºtÍJF:ܺ²8Ê^œ1‘ûl§ªæEéRûošD?÷®=¼»=ÓX#ô9OR”ÿAÜnU±1bTþLò¥Hy¥\ 2¾Žÿ¾{…O¶q£LñW‹Î"ö]åGÄ"16äA™ô×zGL>.ms›,ì„~.’FT%ò— C¶|zÔ îÞÚ%ߤ¹M&ÜiPÇSœ÷‡åcª™lÛ-1ÝÔúÌíõn³ÇØ3e·x€_ëSqö›k% !Œ:kdi¼—)¢öõRG¿®-©%È—ü}µè‹Xi"¹[4Á£³KÁ¯â¥x5˜nH=|NâY`ù -]‹gkh ¢.@3‰\§NýVró²C#Ô?Ö¿`죋žÚªJò‘‰æt·×}sæ/Šq=ztÔQîiÖÄïŸp…ÿÐX'0¥Wq-Ö°?ß^z®µŸ(U/V~‘ ~[žw˜ËC(Ϭ²ï%7¿ Øž©AâîÇ>6ŽÖ:¶Ì^Žî„¯äýèz‘"=*†eöX8mìº6NÕ–šÕQtפÌËð9»7U…°4Þ™?”'Y¿Æú%Δ`a–73”dØÄd) ÄŸÀé1}n½|€–t¶ö“TaXÎRâ¤C"Ûc~Ðå7ut$spÛ=€ñæZs“>†‚Îñ­AfLÂõáH²€à™’Á‰5n/–ðÇá©”ËïœßýàŽ‚Ïåšô´_K‚m2·Áï9ÇÊ8üšýU”„=볶2ì®øX_Â.ØÂÒô³£³‚ýųïë–~+·¶ó϶Ìs¾z´aðû ›ÀÛë¥[Úý y¸t—6Fa9kcpیװÂMu×c÷ä5Ípû¼Õ°ÙËÄ£ãP&WIºU~_]îX_vªéâûåÄ]œØ{A]³}'ŠÚ³.¶üvÂÜ&êVò>=ÇS׈ü5ÝÉ¢<ñ–üÌI{ÏÕc}™6¾LÿhýĘOŸQòI7KD,uÅÚ6¬uÛ0¥¬ç>Y¦ÇÌôN=cöý =|1 ëÞï ÑoÊõ Hë³Ù ç2×ÁÖ}*Ä3ßN˜õÞ71]›<Ý×h;°)8¥ ¹WJ§(°+çKl)mÄŒ(¶å>ÂJV(rokÈ…ú]+Ñènd´ì§óÌoNæVÔ殊 ²R®yºn3àôØ"¯JÜe›ÔH O¦ÌÒ"ŸÈ‚¯bj—Fù)û¬7†‡Æ §§»ƒ˜fˆ%HÛk8qû'ì3X„ßh;‘×®KMïßG ?‚$õ¿i-T@/h³HyØVÂò™é¬¨ˆcCÛÜ‚œONp?·ÎË?b¹ƒkÖrbs¶å›¥úÎïº9ãúrrçÐךY9/3ÐC×[ëݹouíÜ'_ôYy«o–4'¹^Hˆ~Hº9¬S•®ò.áîÀmñûqÓC‡±á‰>mU»2ýxLæó¹R¹Oí‚ÈLh ejQs"ð2îã9šÜ&ü‡á°¤— #ö¼KÈ9Ú– -꧛qÚüw…£·ñb -Ðj¥×‰"̨"Œ 'ËÑ7úׯ‡Ø:W¼¤Fü¤H®b¹j†CV¿UÜLzßìÕ‡OSS\W$?KÍX uçP(îVš#ÒîøÇÌv¶×{ª'Z‰=ìx©oïUë*^„Í›Ú\^OiJdXÜÛÖoQy>lÞ)ˆöó(ÏXäãè÷[nÔGÑ‹®ÝWèq±ÎÿÍ‹³n/²1EÅlæqéF0Ÿ‚õ—¦ìk#BÕibÅÓ‰h>ªÓ™^IùÛGôÆ­d•³þÌcòZ3ƒ¯´Š:‹\0s¿ŽpK{>aÙQ«*-ô/~»XѼÒå|¢ñ­üHŒtÅ,CÍ¢ˆú0”ÜIU1Xi(Ró­»û1[ù…K¿P+—D&B⺖p1¤7»+÷yŒØ«Aú^Å[Á8—JCV­ñUÏ“_XÍ8ò“Ffh†ÏuðTy -ʃsdLðén4r¼™¼ Á=äÖ<º<@Úúšg×ʶÉÆ‘*<ã# bowP›$ÖÌç»ÂËlöh¼ŸrevVMRMÐ8t=jÀhqí»±¼bG P¹Cú•32°AöÍf»ïQ)‰•5W¤¹¶ÙŽà×¾€ ½>î‚ÒäÔC.ýR÷f‰9sï,çë„ : ~±+2ö$5è)ª8vM_wç¾Äè>ÉJˆûNn‚”ëäkƒãÀb6²F=kJÿÃÉ%1%c”oYfðkxÒ¶ZzhÛ~¡bÈÚô‘­’ó͈7VÒ®Óìç¢j0·Š«qW;éKsF‡·ÚZ;25߆o›2ÜKÉMšyh|µµÞ ˜{JæÀT\]·B/âfÇ@xP™‡ò|d1£z†Žî›Seå]MtÞSø:WRÊ*ÊŽØ[cñŽð"àPE?îk'ÚÓÆêù²ŒHûÀ#²²£×G®–®/5¿âiËÑÓP [ñ¹Û?1ðßÁm“·»×@ks)j[Q¡1bD"¯‹[kbî%Ö”àbéÞ¾ÄLwðžî–“écʽ¾ÍÝÉÈQî"å$×3Ѓuq²wžõ$GM³þßviJ¾ÔË×d=5g»S–¦þÃsÒ;êiYŽÃý…Rnä®&nÇô;\·ªLÙqÄü˜²Ir™˜íµ½5e¶f""Áµj£èÓÒãdÂFÆט)ûó§¸ïôeQ™²ÏºùH{u׎ÈzÝsš…0æ=q<¨œ\¤Z©ÇûR‡\¾óc;™)‚ƒpt`õV«c‚pãøf“€60±‚]%]çtv…~ýͨ‚¢$ÙÔpœSõÃÐÍéóÂ7mgíq‚2ì¹yßÚ±œL“­ªr ªÁ~y³Û †o¼ú îå~ácìðdùÊöæÕ«“B¨U/‡¬S¬è =g×´Fµ‰Æ#…Æܤ]gì¯_»}§Žý¸j¥Á%Ùù,Xξb ûIçñq཈PúxÉ~S©g'Ñ/¡·*gTžµƒó%•øf˜Úø šñÈy”U³^$­dxgGeß‘ gËkT]S·7j*,˜ï–µü MæÀê™áú“¦Ç…ظD¸‹Éÿn»†-°ü¹ZvñÉ…öÜSe’XkW¸)\&,ÎyêÞq_^–dQ(ÒýáÈÍRL†¢¡®V¸²ó`¼0ÏýÕKSí™ôYuæ–(,•{ƒý^E†G±©Zøõ}m5Ž'´{Z .µ^÷E?Ñë½,Û¯&§ ‘<-Aðâ]căýéâ>»; ©¡3! ÝÖ£tÓì{ݨ1”m­°>cbâï]NÏí­ ñj÷ªU²šÚ½‡M;ÄØFïf[¢žÖ½ß¿ðÇn\,–òù©}ËiÝZY} ›Š+8:¦N-¥?ù®÷²G1|®})Xz‹÷„ÆÑðÕ+štön©c¡p Õ;H¼\p“eÖpù% -v -Åõn`ÑSd)-Š…ÕY¤Ch§ÕÍt%-‡ÃÊ -ãFaàÁHœ1a™ŒƒÍ°.Ç®üØí*¹Ô0y‰FÝ -Ï6Ý_Uô]#ó±ä -ŠŽt39‡nßh˜ã ÀÑ0½1¢| =FL§d’æsÙ_Ù£“-"¦‹Ï*³8/©h…—¨ÃçäLrÏ¢·rb¥{›±\&®¼ jÌ I_¾l‰Ï¯ÔB² 2Ýݪ'Þô\E–j“Ðò͈?Kåd—¡·–Î#·È÷!t%)G¬”–Ò¼çF–ß?ϸˆ¼'ùY3{Ä&v(£ÑÅòÌïPA¨¦,‹vä@)!~®RìõôÉ7ЙF®è”{¸ûäº2™ vFéä9"¹nqx§Ä 4þ5;G\tHê!2ìM)­Ä‚E,vµæ-ô¿üý€ÿ'Àp¨5 -ƒt´F='ú?=Œžyendstream +jg‚À¡hô Ì öïéü«OÀëÞÚÉ îþç4òOÖ?9À0h(ÜV€(|SŒ¹©mC þ^-„-úËqvúGÌŠú3 ®ß;Ã}C‚DÀݨ-‘ sSÀõ?SYà?'ò@âÿˆÀÿyÿwâþ]£ÿv‰ÿ·÷ùïÐêÎp¸žµãÍüõÀn^4@ðûù¿r­ap÷“ý÷DSè_ ÿˆÆúf J»)„„þrÂÐê07(ĆÛl­á73úã7A@ (8 ½ÑòÏü@1±¿ÅŒíaàçˆßC—ú‚" g~#ÏÞ‚Æ Su#-Þ¿¿¦² nTÇ»;Ýû¯>t‘¿1”•‘nO~ „€_DHâæ² ‰¤D¥¼þM½?@ÀÙºÖÌ ðä¦i!àŸÖÿëÿ/Ëòo0j0ò{O@käfµþéø;£P7Šþ¹í7-ÿÃþ³äP¨L43‰Ë:$¦$aÊhßu ¨>ioât9åV¿Ïò-A¶ø$†.I>»( ¨”¾ªwŸØrº\ÕæYëi¥s¶$@w3¼Ø¸Û²îÎs|”à]ó´Ê%MÚ6ôÜ×YÄ5z´öuÀÐÈ*çqð£Š`ï'·/›K–/Õƒ§;Þà·ÑÔäUXeÙ[Û±ß~žpvövw}j9¸Ý¶JÏ›MÈ.ã‚KÊáû"^ÁܤÐó•M0¶³$®5¸Í„Kd~ú€¦zQ`¾AXYžõÜ.‡Ö üü=5Ï­¾|ÇÎüÐê¦ÿÉK4döC< a–~åüm¼mÒa†Õ¶Ÿ£¼£Úµ´w}—ç=4s‚éŽë÷ +´—ËD·ú>?O•êÊ;\IÇûXf=$Ðá›-p6\ûúíÃê¹R ªG h×Q?ÎÂÍXìÓçU£±Ù>¶Þ>rW«C›#9.P‘%Õ¬‚ǤùÞ˜ŠÏÛ?ÙÏûœ¨3CÃÂ%ž§Mç(w––<:rÉ™\a:èÓ]ô•êœö‹ŽcRd#_ÁPƒåxu +VJó™™yïšØÓ¥öŠœ:sõ&óbÛWIËû§ûÈLƒûâñÑM)øÀ9­cF¯ “>èü(Їöv;)s,7ý»NCƒ²¯ õmR¥Yªë¯•“»ï¹ÍomÇOµ*¤ŠÓÜb¿(='áöõ% ÿÖò Zùÿ[eã7'½L½ùQ`R´nÑ}3±°ªpÏTF­¡šBØO¬ˆlÏÎ(à®|ÿtFV̤ìE1×I|:w‘Œî·œP™Ô hEÏBkMÒJ‘J8aäP˧۪õúE—iKÉÃ`õ)£ ë…£ï{6F»é| 8eÏŠªÎâ‚.Ó0‹™®ƒÞ[_íM­¦7Bq£@‚Þ±ÀGäìË£ZRw>2MÆ¡þ$(›ÙØLÖ–Q.Q"ØNB6®Ëò´½í3,’‚Oj¼Á¦PÄg°µ\¥%=»Ç¯'ù(è\)kÚ,´œ*=Ù^uDXµÜyp:@C×%>HwåsvèDìQhÐŽƒ»”ÎÁ +âÐi· ½¼Ë¯mº¬}&¶q>÷ëŸÑâƒõ?\K>¤gpÿzâí teÅ9|Á¯_Êh©ôXÑáP8ë "H>I,·y—¾VF2GçzJ3£ +ÒûΙ˜¾m3¨å§ç&RÀ”5ÁôþØ`•™/ScFŠoΞœ<ØÿIKÓ2Œfü#2:=2º¡J™íYnÎ*ìÓ:jüÀloŠJ£>Üq.±|X½-0Êdð±‡,ö×SAí+—HÕÈN»ô¯ÓŒ›¡¹3U +ÏÁk8õXOfËêºLrÙŒmìX?‘O.+%`µN]m /(]«H8R°#ZJá¸x}ʲ~µ¶å®“wp¾uQ?1âƒZUž™×xNF¾åIJw™³û¹-§ˆ2ˆ1€¿n8dë-¡Äc—<,vÞ¸$œÍV\éÌ`ð-h\,,+Ã5pƧué=eøFŽÒ˜ž´ZÍ^Lýá&…]üñ¾¼=uÊQ<’ÎùÌÜJâö”ËDÂYçtšÝë±S=ÎÇwdµ,j©<ØÔý%s‡K«E+Ó»oÉùmoc2uDú{êÛY|ùÂ4ع§ö‡ŸPh2Ì\y çtï1<¦ …síÉ‹¸œÍÜÉìg2'oʨð«>ï4Ñ´7)Eò¸,‘ñßÍ“ìEÙ“¤ª=ûÝ(´8‘À꾸S:Xž¥•¥¤‡~йŠ®—»ý ‚«ÚPgýqFN¦3Æ8?eçÁ*—=yUbYjY&¨ +M((7…’ô‹uk–ݲ|~'Å…¬È»âKŒž»cÔ¸ ’"UEŽÇÛ,‹»Ëc¦ïArj¯c7F …£på!íb•^ò›—•Óâv·ÅˆÒÞ7ô3Þ1ôµã¯n ¼êl³¾Ð‡xá©ÚeÜz4Á £Ë#æÈ­l<¿òéE}W™'¡uxéÉfSZ½•P;™³bîEÃÃÚT4ŽÙWŒ×;%ÆtnåGŒt¼%áD}ÏǸYßu~,Ñ“oŠ¿ +PȤª¶YUÀC¤) Ϫ/uÐl{¤«ó嶯rtÌ´1Ž+á+#KÐT©œ'X9¢M{ …ÖW`r=}?üQž\?;…ôH,î ä—Þ%äB Kcå‹ÒvcÂÍ?@Äbô0OîŽÅ-y }›¡ÉÇ%-;qñDeT®w#3æ$ùbuPÊëÞ.I`ikvUxO"QaÈI¨Ê»‹÷áL}ÛïHìnÖ È@QÍŠŠÙM‡â˜®ÝzÑ-c˜ðõR½EoØ™tì”çºÚ'7°ÛR”6tO¸ž´†9¨©µ/ œq`Š‰?ˆWfì¿WÞ:$’àÍR×µK³ßÃÓ›æAsrQ¬°xwkzJrSù­q"r³ªÞŒÊæïÕMÙÆö¬ùò—zZ(v¤¥ëE?ÑÅ¢û¤œؤVšpþjóžTÆñ{«(v]i€ iG³H›âŽ’怿¦"æúSìFé6éPM +4œq©,JvJÊ6=Üßâ‚rȪO¬9ÂrY"äu¨ç_>Â7b§X/˜“$ïôvÍÆ™>Ò;Y¶Å°ù +ñ ¶ÐšÂ@ñ|#xìe+—njƒgö5m›¨‹^š.®EÏV[R¡ÚZ +0 $òÝÛ{ŒDlÀ5u . lQ"²ò‹1‹WOµ6i$×”H“¾V×}^õ‰+òÛµÄR|äWÌžÿ.ðl†RT†“âוé^Òýê_¶íßQ1›œÒj¬&ë/òpe×GÏ&hÔˆ¶ÙÔù Ý¥ðNjW&ƒ‡‘t'­o:ÕÉ«£LŸ8tÄ°÷4í·ïlTI/\•Ó2Ø<Ç*É;ç’7¥á¨:Uz ñ&¥§mÄ»èx¯ç` T)î5-¦(ý°÷)ò¼[åâ™fò£UïÌÆ™Z£H˜u÷uäUò4²Kk!µÈòbý"-8Ioœ+ƒKî—±ž?ÿ¨S]m¢ÿ™…¾7w´,’›ª¿x8òðj&j…ª_Šæ!4Ž|&x”•#o'éXLÜr†<¡‰=;À)hµx¸beS"àG}Zh#ÄrVïúeÿîÆþ%Ñ-úHºª×L荒µ•¡Ä;º=×…àŒòÝw{üfÕŠæ’sÁî“k5W"½é„X ¹´æ´—-ÄK‡¿P½vß÷Ã{ãZtî´IÒçÀŒz縦Vc%W«Ñ§«ïê>ôz̽R6ÇV'¨£$ྚìôO9ôIK÷X°bw¸¦ý9¸ç ¿äO9ê-qî.|»ÝJô5‹ƒ$eÓ"óhl—wN§™â"i6îœC³NÙ åÉ~Q„Z{ž8„êŽSŸÍ\%µŒLܽB{혪{^ ˜ŽS6wÜ +KÅêV\Jrû€Ánƒ.êïý‹’3`E’äõ'[¦¥\ˆ.Eª‹ Jˆ$‚ܲézK£ 4„® Ûá m¨;2\—uʘœ&Sð‚‡èÑ ø¹ŸlQKK¿Ó;|cfØѯl«Çg¯ƒ×éòî/öõœ› ÜM›ʪø:Eï"íá5µºÂŠëä_ôœè©¦¼Òç<÷¸µÛ¹ÝüZß`É/ßy"ϳóZ>ƒÿŒ'¢¥7qñê×'ÿAÒQ5ÒùbeV¿ ëYƯx H‚r2'ª‡¯~²ÒëÉl¤F4óRƒ—ˆý˜éù”å\É?s²D·N¦ú$ež[Å(UQ¾µ œœãÝžWØñpŸ5E»©'7àx‚Dú"ëž¾Q]A¨ÙjN?Â}\Û»èÛ¨X $³îè©*D°\J¿µ•Yæ‚°K¹ÈV°ò–b˜=Ugœ‰˜›LÃnÀ4ú]Š>´Š÷u†zjí•«ˆ^=së6”Yv¼ÿM:Gý!ŒU:ƒå-¸½J_ù.ÇŠ?¥wrðJxvQI +"ЧØ`|ßW# oœþ2ËСÝa‡cÏz¸S9¯Á£X(Ós ÿÑ”3…ä›Ö£Ý~ìèØ Ãüí‘™—ôÚr´ä&-ÙmQr +&Ùª˜ƒñfÔ‹ËR¯Å¡ ¤/ö\|E®a†ÂÓæ–˜Çì¼)EÔ«YÖÕÛsó‚ØýUĵ„*¿èÁ}Èp'8ßûÇ*uÛ.©gvƽ3¾úyiw–É–õŠû¹ö¥4ìvé/½((ѬÓgŸ™¬Õåæ³ 3óBÝ¿µï–Ú"ÒóaÁ:EÔô6Ý—Ÿ>ƒös“¡ O”¤B‚:=.% —CÊ¿€tYö(ŽÛùeÖÏèe&í½35n:¾wSk½ÞmÆ<³"xÎÉ• +E?½Çy¥xÞ` j$dá}V]`[ö?ñzõ_Œ.ìÇCø¤­v™xõðk7ŠVï—6u‚äUÜßerI®õñÉqæäÝ”é¤9§?¿=ì¢ÓÏŒ·- ƒ{mŠ4<¡´Ÿôæÿ”q*qõ:¾©á/S+ÙÂ{ô}P~T$kØ#w¼+k‘—ŪöW6£ÙÉÁLTç~ n­=Òõ€ÈÍŽ„Xà. ßÆ ²§ä͇øUYðþ0ìãÕ‚Uñ¾Q nòÓ7] ºf%#n]Ye/ÎÈý¶ÆSUó¢t©ý7M¢Ÿ{×ÞÝži¬z€œ')Êÿ n·ªØ1*&ùR¤¼R® _HÇß½Â' Û8áQ¦ø«Egû®ò#b‘ò Lzk½#&—6¹MvB?É@#ª’ùË„![>=êwoíƒoÒÜ&î‰4¨ã)ÎÀûÃò1ÕL6ƒŠí–˜nj}æöú ·Ùcì™2ƒ[<À/Šõ©8û͵‡’…F5²4ÞËQ{Èz©£_×–ÔäKþ¾ZôŠE¬4‘ÜÀ€-šàÑÙ¥àWñÒN¼L7¤>'ñ,°¿|…®Å3«‹Ù–QSF9N!¡bË|XH.¢f0 +Ÿµ4Q ™D®S§~+¹yÙ¡êŠë¿_0öÑEOmU%ùH€DsºÛë¾9óÆŸ=:ê(÷4kâ÷O8Âè ¬Ž˜Ò«¸kØŸo/=×ÚO”ª+¿H¿-Ï;Ìå! ”gVÙ÷’›_PlÏÔ q÷€cGk[f/GwÂWò~ô?½H‘Ã2{,œ6v]§jKÍê(ºkRf€eøœÇÆÝ›ª¿ƒBX +ïÌÊ“¬_cýgaJ°0Ë›J2lb²âOàô˜>·^>@K:[ûIª0,ç)qÒ!‘í1?èò›::’¹ ¸íÀxs­¹ICAçøÖ 3&áúp$Y@ðLÉàÄ·KøãðTÊå÷ Îï~pÇÁçrMzÚ¯%Á6™ ‹Ûà÷œce~Íþ*JžuÈY[™FvW|¬/aì aiúŠÙÑYÁþâÙ÷uK¿•[Ûùg[æ9_½Ú0ø}†MàmŒõÒ-íþ„<\ºÆK £°œµ1¸mÆkØFᦺë1‹{òšf¸}ÞjØŒ‡ìeâÑq(“Ž«$Ý*¿¯.÷wÇ[,‰/;Õtñýrâ.Nì½ ®Ù¾“EíÙ [~;anu+yŸžã©‰kDþšîäQžxK~椽çê±¾L_¦´~b̧π(ù¤›%"–ºâmÖºm˜RÖsŸ,Ócfz§ž1û~†¾˜„Îuï÷…è7åz¤uƒÙ‹l†s™ë`ëÆ>â™o'ÌzoŠ›˜®Mžîk4„؜҆Ü+¥SØ•ó%¶”6bFÛò?a%+¹·5äBý®Èht72ZöÓyæ7's +jsWEPY)×<]·pzl‘W%î²Mj$'Sfi‘OdÁW1µK£ü”}ÖÃC ã„ÓÓ݇ AL3Ä ’¤í5œ¸ýö,Âo´ÈëF×¥¦÷ï#A’‡ú_´* ´Ù¤ÑŠøV~$Fºb–¡fQD}J ¬´ ©ùÖÝý˜­üÂ¥_¨‚•K"!q]K¸Ò›‡Ý•û²÷ÏAQ=C G÷Í©²ò®&:ï)|+)eeGì­±øGGxp¨"Œ÷µ“€ íicõü€YF¤}à‡YÙÑë#WK׃—š_ñ´åèi(†-ƒøÜíŸ øïà¶ÉÛÝk µ¹µ­¨Ð1"‘×Å-Ž51÷kJp±to_b¦;xO÷ËÉô1å^߇æîddˆ(w‘r’ëèÁº8Ù;Ïz’£¦Yÿo»4%ß? êåk²žš3‹Ý)KSÿá¹éõ´,Ça‰‹þB)7rW·cúή[U¦ì8â + þ¿NÌ?Ù$¹ˆLÌváZˆÞš2[3‘àZµQôiéq2a#ãkÌ”ýùSÜwú²¨LÙg]‹|¤=ºˆëGd½î9ÍBóž8TN.R­Ôã}©Ã®߈ù1 ‡ÌÁA8:°€z«Õ±FA¸q|³I@›Æ˜XÁ®’®s:;ÈB¿þfÔ +AQ’lj8 Î)úaèæôyᛶ³ö8Á@ö‚ܼoíXN¦ÉVU¹Õ`¿¼ÙíÃ7^ý÷r¿ð1vx²À| eû@óêÕ‡I!Ôª—CÖ) Vô„ž3‡kZ£ÚDã‘BcnÒ®3ö‹‹×¯Ýˆ¾SÇ~\µÒà’ì|,g_1†ý¤óø8ð^DH(}¼d¿)Ô³“è—Ð[•3*ÏÚ€Áù’J|3LmüÍxä<ʪY/’Ö +²F¼³£²ïÈ…³å5*È.‡©Û5ÌwËZ~Ð&s`õÌpýIÓãBl\"ÜÅä·]ÃXþ\-»øäB{î©2I¬µ+Ü.çMÅS§–ÒŸŽ|×{Ù£>×¾ +Š,½ÅNŒû BãhøêMº‚ +{·Ô±P¸…ê$^®N¸É2ë ¸ü… ;…¿âú 7°è)²”ÅÂê,Ò!´SŠj‹fº’–ÈÃae…Šq£0ð`$Θ°LÆÁfX—cW~ìv•\j˜¼D£n…g›nŽ¯ª‰ +ú®‘ù‹Ø rEǺ™œŠC·o4Ìñ`‰h˜ÞQ¾…#¦S2Ió¹ì¯ˆìÑÉÓÅg•Ù? +œ—T´ÂKÔásr&¹gÑ‹[9±Ò½ÍX.WÞ‹5挤/_¶Î‰ÄçWj!Y…@™înÕoz®"KµÉhùfÄ‹Ÿ¥ƒò²ËÐ[Kç‘[äûº’”#VÊFKiÞs#ËïŸg\DÞ“Žü¬™=b;”шèbyæw¨ TS–E;r ”?W)özúäèL#WtÊ=Ü}r]™L;Œ £tòœF‘\·8¼Ó âÿš#.:$õö¦”VbÁ"»Zóú_þˆþ?Àÿ`8Ô…A:Z£žýÐ`ž~endstream endobj -977 0 obj << +982 0 obj << /Type /Font /Subtype /Type1 -/Encoding 1344 0 R +/Encoding 1347 0 R /FirstChar 36 /LastChar 121 -/Widths 1348 0 R -/BaseFont /XMLQTD+NimbusSanL-Bold -/FontDescriptor 975 0 R +/Widths 1351 0 R +/BaseFont /TSWFRI+NimbusSanL-Bold +/FontDescriptor 980 0 R >> endobj -975 0 obj << +980 0 obj << /Ascent 722 /CapHeight 722 /Descent -217 -/FontName /XMLQTD+NimbusSanL-Bold +/FontName /TSWFRI+NimbusSanL-Bold /ItalicAngle 0 /StemV 141 /XHeight 532 /FontBBox [-173 -307 1003 949] /Flags 4 /CharSet (/dollar/hyphen/C/D/E/G/I/L/N/O/R/U/a/c/d/e/f/g/i/l/n/o/p/q/r/s/t/u/y) -/FontFile 976 0 R +/FontFile 981 0 R >> endobj -1348 0 obj +1351 0 obj [556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 722 722 667 0 778 0 278 0 0 611 0 722 778 0 0 722 0 0 722 0 0 0 0 0 0 0 0 0 0 0 556 0 556 611 556 333 611 0 278 0 0 278 0 611 611 611 611 389 556 333 611 0 0 0 556 ] endobj -796 0 obj << +801 0 obj << /Length1 1166 -/Length2 7700 +/Length2 7745 /Length3 544 -/Length 8516 +/Length 8567 /Filter /FlateDecode >> stream -xÚízUX\[Ö-A‚Cp‡Â*<¸Kî -(¤€ÂÝ!œàÜ î‚kÐ .Á\ƒ\Îéÿtß>Ý÷é¾Ýïîý°×šcî1çkì‡ú¾b¤U×┲r²Ë;AÝ8¹¹@ÂUˆ£…»«–9T™Slãx -ò›c02jCÜÀÿ?20°¹Ä *kîö„kÛºTÌa€$ z)ÌÏý´ñþ•è¨Ã ŽN>u°æ>A²N–îŽ`¨›–»³³l¥ vur‡Y‚]…ÖOýgU€Œ“³7 bcë`ÑÑÔcegçøW„[HH`áý»Bl ¦§…ØÁÉùJO -`(öÔ´Õ¹êÖærV·?ưغ¹9 ÎÖæৗ«5ìd}jTj%ãäø+ÆšÉB``˧¡¼×Íêä õý°5jõçHVîÎ@(ÄÅüJö’ŸBÿŠÙ€Ýü ˆv€½,m”Ôövÿ rÿ6‡Zùû:;9¬Í\ÁþkðÓÃ×ÕÜ pƒ¹ƒý}ÿwàßwÜÜ+ˆ¥Àlót ÿb -ƒ­ÿ±W1wƒA¼o@\ 7ôÇýÏ•ñÓZ9A¼ÿ•®jî µ däåÙÿ>û?³¤¥ž(9¹ùœ]×HQxrþçíй|t§áÈux¶É…Ø£Jj_FÁ—wñ2僬ú[ñª7H*HÏ"(äb=í…¤;¸Pñ Âñ£È¹êEU…±ŽÑX&O@½ä‰1¤i9{2ÞŠG´—Œâ2cøZNDT׆;».jÏ)¨+ -*ÑÕvgY…ˆoC~©):h?Ÿþ, ² ‰LÃTêlšºaV2Äl:¼"¨ìÀ7›™í“Æ朎PÀp«;¶ 0(þ<ÖÉsk[Þn}[3ì\À¯Äkì¼ÈÑ_x×4g»Ó³ð‰Ý>ïyri¬-&,aŸ,u³y¨J”žtÝ9?€)¥£éŒ{¼¥L§×`S93£~IÝ«äAÈ›¼V¯¢ÓõΪ!Δf -JÜj£A¾®Í×|¥Óqª'•¸Ù»¤ùÒØæ¿Ø!êåu ©ÜQÇËï:ê¡î:óL1%ë×ÓˆœªkÊ{(T¯¿ûà!QµÕû©cûëM§¾v×É樂‘ß®ø7^9¦w?€èÜñ ®ïØz|q¾ZÓoMÉ2廊—»†ùCšíàtŽ1äWEè¨nû0i|Q­\®$ßôUv>¤©[êœ0¡³T•áëL¬ -ÃaTÐ{³ã´òÈ"°ûì ø"»dѶ'ŸPÀ”LJï{Äg5—š5ü÷¾-\_&¯z«ç…u“Œ|XÒ,œ$Åï£ ¾â3ùåÖ Fo½Šõb~Ä4 -(ÈGK)›>>ÝQ9Âîw…&…!4£Cw‰fn·Þ§¡À˜9ˆ$Œ¥OÆQ -¬åB?C¿ÒM@'^ष=“ó¤y6ñ_ MóJU`âõ{Føbþ•yer~«tY”=ÙW,ƒ-ÉpÊÖ쨡È;‹ûìÀ·ªoºõæÉM?9CÒýÌsîoÈŒ0+C‹Ïö׊ŠÝv«íñ> |˜0mùðnmãÇCãÛ }qU tF. ¡±¨1ó:³H:q;ò¼$mÄt+G$EZ›ë»¨§ØØýÝÇ5EíÒHþ¥žl@W6¢cüžØAÍI";Oß B<¶ö-A¶/is¡ŠëḠã?dº²Ö÷¥÷Ó[FFÑïú¾˜NËKÿ*FÄ»õÿ„7ñA§+` Ü- ®Š£~”óó°À°6ÖÆZH"ˆÀ¥6|1­ýæø»4¼lȲ‰U --\»¸/³|Ô› 1œüEÛwLOÌJq ½3ðtª­â­jë96)[Gý ŒæC¡»çœ ³Cˆ±Rô -@ZÊøv7•±¦ŸHóþõ_í·®%ª¸ñéÞÛ„øÄ©)WÓ;k¯ásï¢U⸶¯&+©t,^¼(0+©×´MÀ7r—[˜ÉÑ`>®LU*v<\ -…«á#!]x€6+H*?¶ðU„5´[J‡™¿m gY+Ù×i?·ê=ظ¼2Ô;{çLâOž]V‰â„µIÞÈŸ¼:àu òÐì-ÝR¹Ù]ê\M4rчÔ_VèN ²“êjv¢!Ñ™:FPhR{ò^Ç•©K™÷F6Ûqö:çÌ äÃb÷[˜þîçÃd¯^™gi âe„faÛÞ%:²cÅ5GÞ Ti5+8áæñ6zj64Å÷¢Ùè:‡(ÍM¢ŸäŒr%ðÀS¦DBafŸr³=VeEõ§¤áÉ^ï1!L¶•1Wt‡½d¤Þ˜ô’ñÑT7i’SgÏÐHì1Ž8îO˜û­±ïÿ´š2ZÈ]â5íkŒZLª#ï0U"e¡·ÿdyBe:® -KñŠŒå€÷­L08ÞµÏnIÊ -ŸŽÆ¼³ Îæq±@å즤µ…üÔ2Œ{5Ä·P쫯BóQ “Ž$NŸ„ºŠ@qê>0¢Úøóû߆€ÐN#3ûó¶5HG ¤µ >zëÔ\@6ýÊ@ÚU"ýB‹Zwô¾"L;}X`¯Sç¼,˜—@BgY²%„rt…èsóÌgÎÕ„†€FCš†Áë—Ñìqa?¿s¬ÒUn L”!›ËVQ·¦2Í…ÒÔ…ªYýý OgfÏc¤¨ÙãjãØf<—uR05»šL(ÖF>©+vfQ©óuÛµ­C½£àO—†h¸ X¼)NÁ.e«©lzíÑþv#áQÎ,©‰–qc–ØËzöµám„©MLÝùxΆòüß^-ÑcÍ0®‹{ÃШ›‘…Ñú/0‰=˜ª´^I.ÚMܧ5 ®Â',Žï䪦&2 ‡Š¥Î™lWš¢(m±ˆÎÕB|›C°Mî^á* p~ ;ãùýŒe·ÍÊá ±ÊÑûR=Jçjâ­“óÖ~¤ó>˜H±Ôåª1O-èª9FäŒañH®×‹™ÏÁ­7"ÞG6ª@¡s²1\Ç_Rjc·{@CW¿S/O Õ±^D1¶¤Ç -‰PÄ—úõ=‘¸a·žM»çxó4^y²ÛVŽÚjÂA¨T\v—+ˆUmgÜô•!?5J»î%uwwl4²vde¥lº˜?R¹Œ£‰îN\ñhšzJÎî˜dgž°œ¶À"¤ÔSWõx×rò²çÿŽpá£«Ô ²Cê^ IoàE1£—ï5t.,©—rk·À2€á ñà§sÉf6$Y ÿ<úŒÜˆ&k¤Jj-|åîYI_l32ù>Uh×IlC ?ÞáÕyR1ðç´¨IÞO—r’÷^5{ µ”bCÉÑ:9ØoN¿OKÁ´òi Ý ?§€XÄíÙH~…NÐäRÉOûÂ}¼§ÚJ‹I¬>št5,qñŠûÝ!QnÆy[S­]µÇŒeâSÿrxÞ‚­ÓFú±Ml§ôVîp>HñµÝ>Y~+ @rdÚrÀ^Ç~º -n¤¸þzîaäÂXµÓ·+`;Z1„#!¦²xÄJýz”¢MÎÄ Ž6ctÿ;¬Âm@ÌÞ¼2Átòɨñ3(¾æó*ðÚ—÷ -—ë}f²JrÀ—.Ñ ÃM-ÚšóÙ(ÁÄá_9ƘÉÑ» <]ô!s+7TcSˆ9”µµXÙ1"QŽÁÎgÁœÉwn"ï“éNNJ?.(9®DåôQ›'¿¬ÂûðöÜ@fµ–€›Œ¥ñWj„r™‘û±øùüÉwÕZ3¬LŽ*„¡ Ó}¸?ÍЛ÷J|^NòýŽØ -?9«°fˆVQ/¹‚¾‚4÷vø‹¢¤¸| ௿õ!WµwúyÙ[BC—hÍ p-ubu†:7ÎÉ~<ïüÑ[Ì” ÆÉ 5<>bz¶ëŒ×g:{ºáó j èËñQæt¦u"yöƒuÅŠÂ}å†×ÁŽÂ‹AouLr6<ƒð•äß -­Âµ»+í"·}=ƒ1 iË>˜>1òÐ8AžÑ%£³­™ü!±u‚>i„Ake“Ù+”¤¦‘˜µ‚{Ð…àˆ -`*¡ µo‹™ËRÎ.AÝ7ŵ©¹m„º—·¿~Ñû²z³ö@âdTÏœ©Y³0ñ7",)xÑåºû«#ɤf· wKUé.@8ìw⺲NbH Žô;ï¥ Þø5 “‰ÏZ³QÅÏö×GOÛ,lÛÐ|‹†³©jç°3™^ JçU$hZ#TïÚY;.j>ˆnÔÖÎw²e¡ir˜Ð6ˆÂq -5mh»nÓùÑmÐ÷ú?Ÿn:41]T]k,Rìa˜RŸ,«Ò3Sï¿:¨|Í?ñgÞ‡õ73->!]7Òõuí͆N½›k‰Á¼ÝôÙ+ès…Î{™3~¢a(’:Œä£ip]–Ì kÍ%ÁZ½äöѲ!æ&ßB~ -T¬ôUU6. þúc€”«1Ö²E):ÅDµTòv%×õÀáƳ6nå+"úë^Aìõ‰Ïå¬Ry2Mþ@½•äjì·Sc‘˜=Êï?q°ë ÆS$•½·‹e]Œ\²Â«¯y¸ ɼ±;ÊúÌ%G7§ûg×O>¹Ø©L­÷̶VE^»‰f6ëê¹ûˆ VYRŒcJÎ@Åôº%*fI²=ïz äÉ&²ïáá;Ï›yú Ge ò‚z¶s”¢Âá_¬Kª¸»N’Ð)¸VW{Ú3÷>“ HuvGÂ'Ö1{uæõÉ¿nIÍü ˜Éøj_<Ñ,DÉ™öýRÀ°éU Î^²ø‰_¢ˤ¯ïç€âœULˆ2¶‰_™ªá@ø|fè3E¿ Îâlç"å¶B~§ZÐ:ŠòñÛ-EÅ×Èœ‚±{h -B Íç9ƒ|£ºŸÎ¢ÕC4ó©5û>âã)mgÃo<50¦7ºe«lûåˆ(‡?ãË“XòõÚº†@ö Héù¤(¤?ßáó::²×Åì¥á•;Ç}Fó|‘ã¢W¬»*èy«eCkäRÂóèj³q ¸”b™NéW§Žl‘¥ ÓìÉŠƒ'[Îf¯úõs¼5Œõä5S\°vwØŒp6¨mÕV(xXQ"ª:8»µ)9HÖù¢­bÜÇøIÍÞ¾¨3ˆ¤w’öηÔ|W´NšðÀM¢7âì¬ ÖVú¾ëóÐsÕL Iœ.œ!?ì¯w¾¶GÙPiŒ‹“Æ-Û®so$Ó²'Ôftä΃"¿Õ¯Fd~0G£ÒìÄpÒî³ÌÔ‰ëA3dª½0Pœ‘å~ÄâRÙèFÜKÿÚL8k¢&7•˜îK-ºfûHûà8ZWbxׯ‹Wpu xÜqN”—~2'ö‹þÊ¡”n`Õ3DEnˆõL,XJ 3ýÙ_}¿)àÚJÔ˜aÝ®–Ñ4ÒÛ›µ+ófî÷>à|¢É}†jÎ.¡1Ûü üÅØrPqñe猨ñÇñ˜"õs§@ê¤q_j;ATºä«Oc~<Ñ­ËîqÇBÝÓê°xÉ0U9Ž” ”~þÍã5)†¤/r5?ŽEK«ñë·D|7Ñ‘a`P)ú¾Ò—­ª,GLõÑ…÷‘€Ñ1¦M»o;y$EuQê‹R¬K-"Ë(`5™è  li%2lS"m"s·®©¢ÔA¯–Ó¹^4ªsÞa4Û-aD¿ÉSׯٖi»($y%Ýêô˜’B"+lKñ+ÕÛ_ÖD:?ËÛMR*ؼÀ­.?äËÅV¹Â><°y÷u„ËuOG›ùëgÛmg i®_ö,f4ªOÛ£HWšê  ½µ_I=¿ì.~_؇£v»Ë @vR¿ôã¤Ù.8n½Ýb˜ïÎp,1:èhˆÌµ%R%¬xª›¬ýÖ·¨>N ÐÎ{ÖR~ xÑÙßûÞw˜îAsð¦ ^l`|ÊçƒXE›åÂÇüsU¸e&âb÷½U[§¨ -Õòјâbžtk[nyN㦰H“òN,úŽÚ&z‰ê +Ká-5’fÁw#9¦­^üÁe8$V•"@ŠÃµ;~'ÂôJ–B°7ÍÞ#Ýr-„+íÝÑå› Ä‰’ñ'1ßN”,÷T|ÂD°eW‘Š‡ ëЧ -7„éô -BRC˜Sþ0–YÊ>Î2‘ÒËM)Xvþá•Tè+€Ä×g$ž>ï …^ƒc ™F -ŒD(©©³ÆBcýXÿ°‡C‹–¦Jcm̆äbp¥ú°¾¥j—*ãš—cô -«¡ÏDùs·òY„3+Pµ~ËÍñD lnóU?µÚx„4iÚÄtŽ¦=ÌkhE_îP[åh]{ ˆR›³Ñô»º®Ù‰®¡²îLà‰JÇ3»°h1‡¸{ð äI„ÆãÍ -ã;œû›±W2³1Ñjà|Ë4Ñ‹)èîZú£bìWyä鵇€~å%{“ÞÈýAyÏ {T$¡ž7J¬R½Í†Ú0ÒÏï>öêaÈ–÷Þ KL϶=‡ŸXò6ðÞz¿2þÔ³Ã~ÞK[[mxŒšVöÖ5'C,³;÷ÓdàPå¥æ"›  -dugç,gÿ¶ùgÛ'îpRH¯Ö[>궥¼˜+¯p~ktþ’3ø@mÚ³•bzo·V‚Hµêæ&W‰Ò­¢jkÂȸáÍQéÆ|ü7½œ?ëî£ÖÇqDégXEÚlßC#?œ|*JºýÜ}K˜vÅPi­‚SÝÎ=VÞ|òþ±ÙéeŒY3")¤²Î>Œt¸ö¼²A@—i·ó¾åØx倛l jÂ(µé -æ1Í‹êpÊ-oyÙØñòuuØ|˜E¦–Æ.›Îg7 ò0$§#Ðï«,((©)!ònà6nêdJ)aÓ)‚w^Å¿À_Šb±{zBÔíI&ºÏ,$c»¾HI²Wýîq†OrÊV\²/ɬ›"n;Iq¼¯Vøþ¸žÓEKýdu­Ï€C1ôF߯éjE¥o!íkõÅ2M2¾7²Ï·œÏM \ n•Rzå: ôÛ˜ò -Ç–fU7ó|rFyØz0£³¾²ÂÞ;VêÓ(:³>¢ŒoþàÐ# ~Êç¥ßÏ—Œ9zcH·ñÚ#kEçFy& Ô±|æ[B€ÖtÐJóåa”Ñ‹µgS™U+}(iP”€·µ&-´ç;’c4§¡ìÀó—>_ÏF~_ëh×8– ‘˜ÆS®E¡!•¸ h8°%hÛìõhÞ>| —Ü;º­Í€ ìÌÇ‚ÄÈF‡îç"N—K¤ìhÜå6à "Ðp†ÑhON’×±t’#ð§/&eÀàíÍÐ[u€ »™Ñ´æ–¦èJ—Ðö¡ÿMQLí¯vm¾ 7ÕyŒáH¤®Û‚G‚e6”úq\k—+ž•}¸Cz ÷L‚"}l¦Ý¡"an–øu†™Ò9Bƒ¥¨"ݪ@²&ëœÔЃ4 ùñ¶ÎçÄï[!œwpHvfCOmŽ»ÚÜÉ¢Ÿle‚(*÷–7šGy¡wª42Îœ¢$£íÚáÃHRp9¾åŽJ!á/lú¡^z×ÙÅ;ª.™Có¹ƒr{)²µÁñnqßÑ=÷é»cdÆ-‡è„˜’5—&Èì-…滇fk^`ØTØLj×]íy7«¡$áÓ|i)>Å—9í®g3Óß—?qkïz¡†sý,ÿ+¤åmÝ‚Hslgât: ˆ¬À^Öˆ]ÜÑæ>"^‰'ø¸Û®Ñʘ`‚IБ¸ïoá6föœíƒUcì¯u|'¡f3uá`ö»ï­ŒÎáb¡ŒŠòû†Ã -â/~ç&¾Zæ3Ð?ø2â­;ßÚ5B2Tâ]Øn0ïÏom01#Úsø£¹€UÙWÐAJ)ѣǗÏú¨¶¦äv ›|N)ˆ2Â{ØQ« »-%VÞ˜§Ä¯í39ˆ(n‹ª8½îgÉ”ñTU¯„°nîs<맊o”ºîƒ¹s ò8©Ù§ft­ª¸¢Ä–ŽØ¡.n¤7,þ8‹™¿.è˜Ào€ßèÃ˦^*,bá+£b£‰  é\»<¤Ø/øh+gn”NO«5ˆ=R5¹UÃ'Ûµd¼Öº§EÊœ÷±È/xÎØŒÅrâû½žY -íZ®}Ãeú ùT­+ǔŷ˜HRB! ÍbbgN\º]N)ývC¢1³*û¦hÄBÇúó2Iß‚ðþžé'RÜf¼šœÛÊ|)G̸~ 9Ô•ÙPÆdäÐ÷Ϊ‡­ƒªmµuçIÚà %­zû‹WœnלG’’eËŸŒÀ3x)Çm=ÅRûv|Ü•ò?ŽPŸ£'b:é¬D_›Îþ:éoš#ÅbžÃ¡|^†ôóuýt’²$yÔ¿­ì¾Zú—„©”Õ+cµ±j÷‰uQŠ¯O. «Ñì{ýivÁ±ÆØË'‰Rh<˜w¿4ו©r=fǽåŽx«~LýŠW·Õ¬[F_Ñ—¬ày0Wòïá ®>ußQÔŽCtžUuGö¢í¡µ%ª«±š1Þ˜¸>ú!È7[/ß½$i =J*–`œN6w³h·F¡Z_çeÚë¸sjhÙ-›Ÿ™|bZ8©_„ë¬l´g¸x•ÕU`•¶ž$ýΠeÛI˜P>¼JG q(â…³Ò¿@/fÎWEÖ+ êbòÞ$‡Å}ω]G5¨—È‚Û7ñ*ÒïÐ0cÐÎJ:/Þ²PÙduZ”3„M¿0sÒ0! ÅOŽ™  Žã¡Ý>ëÅ[ d`àd¿åe2´Ì ™&F¤íÿÆšj×®ï¥k—Ûë ?@,Å‘â8ÌzÞ6<Î|¤_Rö¦RM³šë·ioïOÝ i„î7}œï¾¥÷¶Ú³öK߉mŠýè"¢ÄYO=óÇY“Lï´Yƿ݇×R;uÚó.¬£e¼¥k„¡€¡•LԔˡÓõwžì™ÈGÚšž×¯“KÖ ªëÒïB™;„è]H*_?›ÎÞHº÷Y‰ÀÇÈépY›’Jñ¯yÑL€à¸×«¼3y cUêª<Ú ¹Ô×ÈÚ¹œ-Õ2#ØÏö€}ºþuÌÞ¢×5r`܇^¢ñøø -= -?Hb~Š rö¬ò{íÁ'8wÑ–î³dÄû´þÇo' QÈž†jOpöKGˆmú?—9&CÒäý=Œåì’dF¥})‰L^ M¿JÀ6\r¡ÁœÎÍíÌ‹—n–ÿÑ‹QÉaZÏ9A^:®ëž›àö -ï| îCg/}_··í–sÐTvF¨ù³êÖßH9ìr3"ü$h -÷&WI 9) €±*‰êÁZ1žÔxïÙú‡I¢,áY†å½¥ÔúÅGäu¬/Ñ ½+©T.Ô†?kÂڞǜs¶>û¼ßoeˆÐýK‡P6[mÌqû9,Ÿ‹€-ÐṆEѪAW*/à/Ùâ2 ÅGËD/¡ù}•§9-æýx†–rnÖb7²Ò ‡jz¤±T'ŸVŠ‚XbÔß’ nüô«oá‡ûk®Ç‡,줇ƒÝb3BèNæ^ÒæpîÏûùìb‚h™Ól3Ðÿå…ñÿ þŸ °t›ÃÜœÍaö¾0°«›ì±`ü/¼Äê‡endstream +xÚízeT\ݶ%šàîZ÷‚àR¸C +ª€B‹ªÂÝ!¸ îAÜ` ®A‚$M¾ûî½ý¾ûúWÿëÑçü8{ϹÎ\{ͽΨ±Ç(v¿<ÄÕªìê‚âJ´`ÎÖîH=°‹¿.ÔÎpŠ‚ñØÙõa('èÐ÷Ä3Œ‚¹º(‚Q÷¼¾½;@ŒB@) „”¨ÐýøøŸ®)svõ€ (( ærO)ºÚ¸;C]Pzîp¸ +Ñ…"]Ý6P¤Àö~eÿ™ðÌî€ÙÙ£\ºFܼ¼|ÿF„$%%ÖÞÿdŠP$ÌÎÀq?ð€:¹Âÿdº—Pº@÷‹†ü‰Ù‚• 0ÔŸr\ö(\JPn †ÞcH[(Jû~¡J.g®ÎxP{¡[+zçûA`Zlò²Mµf^Ê0Ù܇+³ÁÞð4IV…â.æ+krÞ>SP>a d÷6ªøR,ŠQˆCïôÑSÏeMÈtÖˆpøYáƒOoêòªÏp™yn·0»OG…=kSŠÀ˜–¯T°N÷î¥a"–˜2­Ô?«ý%Ofô‰i2±ÝK-±‰ç©ìÙKGŒàª”‚f…²hGÚi“­§á ͹ÑC‘·Öw¹QçZfÝFótVmpX& Ÿ~€sÎ݌ֿ*„½øÇÞzQ1j·Æ‘´m gÂêCNÌúÆö¯ö¨k9cY-A—¥€ÄfŒZA™çoð‹’¾Fž•àŒX¼‘NSPX”ÑãòñnÔð÷º´Ø’¿~Žæ€©' ’‡rÕÎB˜¬'nÐ`s’ÒÁÓ÷œ‚”§uKœg4c.T•üK8qâøö³†®×_¾‰+ìe~ýí›6±<ø¬<¬pXŒAzãßF:‘cÐI0PŽ +xWÍW?Æß1,6¬O°±’$,-v¡Ÿ½”Ñz}¼¨]6dÓÄ-®OXÜ—U¾ìMÔNÕ÷ýhô¢ºŒÛx:U‡SqÀS½õ€†§½žo€s{(t÷Œ?qöÕFœ<«Š CB+J3àÉÇwÌyØ—ÊiÇ­+¹j!²G©Ávb!þäñÚTÁ¬NTúëdB{8UDÈÖ/´%UÎÅRëƒç…/Š¤ëuíÇÉÌÝ•fÞèpW¥«;.$Ck²ùFBºH-X:(¡Ôe„­K·¼1"¿`å¥M6×zÉ^Lç‹„¹5ïÁÆ•=ì¡ÞÙ[8µ?]nY¶+Á&]£hàåþcT‡noáØ–æDw)¼†r.ä¼³¿ì­;K€ôN:òÅUšŽ\çëЙ¸0ò·–uq'©ž9Þãh<¾VÌuž½zs +eÓ òárø÷63æû¯É^£2Ï «Œ‹Ý·-ß.p±ü+®„1ùò¯] p1×^'^ÿ¾y95Ží{þÞD9‡¡ D däF’{j0`¢ñsOL…x~W¿ŽîO7I7'U¼úÆ6ÙRÆYÑZ$Áδ1¡ükÐSò™.ȲI ÄûJ? ©Ç"â¸?qîg®ÎzvxÛ*pÊ|!où±U_côRò;ºv+u.VÇ6›F«q•PDšWd_vßê›ómëìÖS¥S©Ó±Øk¦\a7ë‡¢ÃƒÝ ,¶cÙßõLãÕ†DŠ}5™+U(8ðQÇS3U“«NÝFÔXt¤þ4„vš{¸½p<«åY‡µ×bš›q²Ç®ˆ]ß²â|V3Q@*bCHô˜ ÇN²WB¤X>:¼ƒo`‰çÇ'R?²)Ù’Ä>ºÄð¹F÷™CZ2“3ë(0³yšÏ¿í…Ç©_æÅ"dØrÙ°I ìU k«2ܬÜ߃HX}:³z~Gʼø½Öøq3AÀ69˜‰WÛ!g§œÜ7³¤Þù¼e{}ëÀè(xÆÓí„íe¶ø“% Qù·G† ÍVŠ™=,G{_)ŽBˆfi,õ,žHÔ‹ñ®jEk—ßÄ7œOào(/øéõáåÇ÷ó;ÓÐèë‘…™úÑ +„\¾*¥ìÇ„^ðI1'mwE>[$£Qï»&nnžíZ옕P¦~¾Ø×çñì õJ«^’qpW:ƒNÁ$t+×C9_Ò'¤O3“ÉÔ[¥ãZ߯ÚÖ¥âEå.˜¡KŽ»ÓØVìß"¤&éý5œôª[š«˜Þ?*zà.ãëaø"²5[;'3ÞÚÊwËö»}¯÷ãÙ¡z½FQDûy¿“ØäDCvϘäeø>¢Å¾¶©=ÊFǯ^Ülë}[¾òÜÿ˜æ Ë d«ƒDÏnÊQé)ž‡Y;H7ÑøgcÞŒ4‚FZïR–eÁùAm¿¬4›/Ÿ.9LÞe4 ®eOªX«cÜ*UOM4¼ +¤*–?ã°_UiŠfc°' <Ó!÷ |Bhy«F¬>À?öCø':×n Äi¿±ÚÙûmp9eÍßÚ‹„ïA¹é—»:óLâHÝ”p<ëßtF½ø|ü/FdûhÇTè îB6†ß‰–”Ú9ìîppA· Terùö/Eô—¸aªDãò‡‹IT »õ<ú=Ç›§ “­„öJL 'É`qÙmž8AƒEpûKÌi¶‚ø‡ÑúÅÙ^ò··Çæ#ëGˆ†ÕRÁHÕ +‘îÃpwªŠßVé§t¼ÎÉàÄ•Œ 4.IcA#ê˜Ġ‰žs²[Š…J¤ü –Sú·XêÞÀó0*v/ß+—¹°ä^†­Ý*\r›63q‹Á¶3Ÿ§ïy0­ýóY_åE4¸#u°Óë²WoÑKúâÞcÑí1†vÄ5ú“\ž%WP1KudD·?}Üv§ôôΫö[Ó¡”—oÍN?Ë#ô +˜MQ‰¦i@.YÇAž}êÃÐ æÞIS-¥ÅÔJË®†e‘·²~·E˜ ›ñÞ¶Œë—­±³È˜| 4h¡©ly²Sz£t0Ÿ=H?Ýê„¥¼Pøth›úaŸ÷ïé´‘þjúÌäÆ^½Ó·+f?V1D$'¦¹tÄÍô|Œ¾EÉÒ+wÓû£Î%ϱ_-»Zeã¥ï·¬ :}ÞýØ ¡q*Õš‰£Ã¼ÇÙ›$ž€dz+6{²K[Rè⃧à¦EèdjŠÔLŽìÚï_)t$ðˆ›‹‹‡J)ƒ>½J6~›ÿK"MÎHú4‹Õ†føGª¸¦3›‡Â¨°ö£`h;YG/qç—íyãíù¶Oá;J +õÎu§æŽB_Ò¯ƒâZ ¼Í¶éëy©žÅ÷Î1uíŽ 8x²M÷½øóŒ á#:æxóÉÔß7’ÚjÑ,+1 r-°o<Èýìo%°mGÛfTqS4¹N‘Ò<^ñ™ªo–[^·_‘õžÐ¹œï±¼Øø°mòS–Ý‘L&q!„ÂUÀM.t ŒY-'zâ{EÛ,hy’Á†i½L]æïà +Ÿú üPÀneÑÿ K€!¦±f}i/YÿÛô Åò¡ɤ\\Ý#3•°¶<@$›!†i4Œ@ÆÏJÓO¢\íÈkÖJ¢ãñˆÞ·ÏgƒÅï» Ä)7Xߎä‰ð€§Ò‹«Ê ¸#vÏŠö_rg·3eØ]êJ~Ðd‘‘eOixh›o+ÍÿKøΠ¦„lÄN•\Âo2P÷šRä˧\›¢,¾jÔħN› ÞéýF„´ ¯=õ5™Áº‡†Ö˜sìlH¿îd6'íˆÄ€¼î€"@êÃôÙîÛ䇇A + S“)bêš•Ý‘ïS‡uà +Dk›R … ŽM +½u¬NB\ßw9pŠ[—0åäxÓn©±¼6ˆ¡$-Wnò£k=—.÷ªz³ç™4w¡áœñäîU7ìÐ䶟Òãl»;$êËq¿½€)áuI üîwêÍ,S±ŽÅj:M¤J1uáù“\5DõÓ5©ÖRrVô+`8ƸYâld%é”éÀç¤C˜Á1Æ¡ˆ÷–„»Œ”DC ØnÒÿ*7Ì‘y’~üóÇ­­ös_öôB¶àÆ¢¯ßÒ9^*ÛßÌ š-<É’Ø߇}¾ÀjÜp ²É&Ëlm0?J ”>Z˜àNMEü"m­9Güoø7e <_Wƒ“®Ì´ò¸§ß(ƒsŠÁå“+/Jª[tUßNñ–J„Q/Ãò·ÖnoÂÅp |´”,p2Ùì.cA‰£bíN%€<«ñ˜·^ +[ ò¾7ÒYçF†*XöyuÄCu%=g† ‹]›;Öó\ÐNNÚ[­º·;´[Ý\̬~äGGÃÙ¿]!G´‚7\¯Ìq}wÄÍøïæ4ò¨2GÊ"Ž + )¹Ýʤ Š[‡J¿&¬D`§¡HGýÐ~^¬Ö×ḸK±I*¼ +¢àLk`hË‘§|—–5<ð˜«=5mÖbv"‘ÍHÍ}XçÎ:X_¹¦üGaF)Ó=MÇ õÍøÚîq£ÅÉ5ëO±3›SÅ6IØI¼8ãÎâÚ¤áÏ*±5ê3n:Ó¦ gѵ5š¼JÜÞ®œ\‹‘P÷w’áÄ)· 4ï61†®õ,ªùOMæøî%’Wøš$ŸÄøƒÁįäª_Èÿà aópŠzîÁud·LŸµÕÉ¿ÑUè]¨FÊì0˜ff=( ?‘å­ô4" >Aæd§ýâBºDÿ«àYLþ[…¤>¨%—ïj×b“F-Á‘Zµ{ž7“ó43·“ +qïqNËzF¥üQª2eæ¦à¸Ô»Žš}DùäD—óÄЂˆl¯iE? FgkæUŸ¶•mFj2† qŽ`gô5H*f>¡¶ë“69=Ãâ¼·•¬þ^ê®°‚ý¦ ܹµ€ÈÇ7Œìº sJžìdÜâe¦ñŠ•ÛÛ¬ñh­†XI¦PÙ ‘ï?Èä6ÌJiNì7U±Â> 11²ûÎÿÄi|3ååCßSMì“DäO$ŽÎ4zä}߬E™WÐv©D6ºŠ$RðšAŒ’G?0ë€rßœŸ+f³`Þ‘»éíj_}ÌOóXdò˽ý—*Þè¸wäϽ YÔ¡q,©&ëš÷©à +QL¾ÌY®Ùv´)×õ-ËGÛj½z¤Ègh•Ù¡.†©æ&$RD LsúpûÂJ¿'+Ž*‡p-rÙÔsmD_ã.:.¸·WàlKº×Öe÷÷Ã)ƒhe<Ú†uDÂÍ]÷ +ºŸçzp·sB¬ƒúŠ†Ñ¬¿&˜çä×*=ÔƦ(“I¡X¥Rwýö¡…*ÈÌÁ¾žVŒJl–fF}ç¥Ë.G$=ˆ"Âü‰_dm-ní‚Õeßul}h ùøE×öG|d#±ÁðÕŒŒÉÿ¹‹û¸fê¢åW4íµÐ•(YÕq}Gk¡w¶u^ñI_Ýry*pŽ•t7AN gNØâôÙ7·Ì +_žŽ¨Ö‰›³:û0h"ÎQo¸…øÔ'û,E@îèò…ôjÄ€"p.a¸‚ðâ{«ôgòþñ(gæšpXÐØço +ƒ&+»ø‡±[%B–YZ£Jž4¸¸ûA£&“†ðÓÉ3/™çJ„Å­L׈”8æ¶ôr?¡.ÁBãu°‰§è´u±Îë·§£@uìQáý¯ö5™tÎ¥ßÈ÷˜ñï"Kã"Ýaz‹ëÈ$&ƒò%ôµË#»y¤õ «xÃæȲ+xS«ò"¨ˆÊL=˜#Éx÷{ž².^7‰‡…|íÒøŒ±ùîî°Na©9ìâUÙÐ<ªF'”ZB™–K-Ž¤BEÜ~l•Qî“TJÀ3‘äDYr> endobj -795 0 obj << +800 0 obj << /Ascent 712 /CapHeight 712 /Descent -213 -/FontName /ZTYCFF+NimbusSanL-Regu +/FontName /XOQSPH+NimbusSanL-Regu /ItalicAngle 0 /StemV 85 /XHeight 523 /FontBBox [-174 -285 1001 953] /Flags 4 -/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/two/three/five/nine/semicolon/B/C/D/F/I/N/P/R/S/T/U/Y/quoteleft/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright) -/FontFile 796 0 R +/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/two/three/five/nine/semicolon/B/C/D/F/I/N/P/R/S/T/U/Y/quoteleft/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash) +/FontFile 801 0 R >> endobj -1349 0 obj -[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 556 556 0 556 0 0 0 556 0 278 0 0 0 0 0 0 667 722 722 0 611 0 0 278 0 0 0 0 722 0 667 0 722 667 611 722 0 0 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 0 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 ] +1352 0 obj +[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 556 556 0 556 0 0 0 556 0 278 0 0 0 0 0 0 667 722 722 0 611 0 0 278 0 0 0 0 722 0 667 0 722 667 611 722 0 0 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 0 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 1000 ] endobj -710 0 obj << +714 0 obj << /Length1 1624 /Length2 5655 /Length3 532 @@ -5572,57 +5581,56 @@ x Ä@df0@ˆŠDdddˆ¹*¤ êàˆÜ114ãåç¿û×Í/€×ŸÖ u€¸±îéc°ÿkG#€q„ì¡0@EOÿ‘–®àŽ†® @‡ €0€¾¶à!£!¼{ ûã!à`è¯ÒЂX.%4@#! (Ö â ‚ AwHÊŠFcŸP4À„c°=À P8æþ•öÞñ;!$ -µpÁbX2}ƒ¡ H U_Uý<1Ž@̯Øh( ì±–`ÈíWI¿1, Å¡p4ñÄüŠe€¡h$ è…%C¢ ¿ÓpCCáep€‚8Q`ÆÒ`¹uç¯:ÿT=‰„yýöFü¶úGP ³$ÅÆa°± pb¡_â·GD„ÿ¸»!ÿÄÜ!¨ß ºókfx±IÁ8Ì †Ø é"0Ø€;ÿ;•ÿs"ÿ$þü‘÷ß÷ïýÓKüï¾Ï§VwƒÁt.ØøcÉ°[xøµg¿«äø] 0¯áõwC3È™þ"û;¦…bÛ¡wÀJ" "*(üÇ5­õ„€õ¡#ÀÃvë÷½  AÁ pVÕß Å: ÿ 3v„‚œá¿Ú/ñƒÿž;V¨ß™ =2Ó6ÐTáÿW»õ·¥>v0Æ^Hà¿Ã˜é Àÿ8üâQVFx|$E¢RÒiqa€´”ˆß¿ˆø›F䯳ƒ‚z,………EØß?¿ÿF B€ÍŒcÇì¿` -…U÷÷›-úÏóï‡@§÷ªeg»~o(²°Öøe~@¢Í?=bQ¦Ôö¢2T°nXöò­×Äòç—|«ýít0ž¶TÈN‹ßmÞŽ|Êyî&)þÕ !ëB²Œm³ŸÝ®YH -›®.½30´.¸¸~k¸I uc÷„7à¶{~ ç1’ü (­æ)m3EUÕ‹­mcžî¾Þž¶}‚Ž/ÌüÏŸqɹ_#ãŽp}άhaRêÉ© 60DIb•¤4Ì1ëCö$Ò]—mVÜ ÷ˆr´˜V‘šµHM¨@a5¨w§µ_“ù‡s‘h0á«1î¶ ¼üòeï>÷©¦ýýØèùÚâÝç¼þ©Pëd¼dâÍO>v<*YTòÓv zE}qZÇ -ä÷wvÇ«éRèJV¡e’ìr¼9ùâ‚œô0˜"Än%Ÿ•MsÒºYìÎUBu¨9‡çͪ¸qæÍì}ÍlÓ} |e±ŸrºE©?G‚ü¯’ÍóEK0&•’O®&œ¾TÒ3©¢—]™7F=«Æo¬ÌS†åZ‘<%jÏâ¥g¾à§¿UÅiyÜ*.ìTÏh-ž‘2(’Tä¸ñW­BÌišùþp[MSÛ-²èu3»XwQÏGA¶4 ³ë´ÊöaVqªºUCKFXŠ£µ:¿[?pÈÞ©“’ªk,› .32.½ÑöL‚eýu-Õ +ˤ¹i0ªøØ>ÿgWcrBlñ§buSx‡p':Í=r÷ÌÔ×À09øóì[ˆê÷"çǵ¬Cú• ³ã¶Þ£ -8O,llH?I76µTèXD œö³Sè.NwiçD8T¥2u¼ÁÏÔ ÈCiÂUЛAJéTH®gÜöI”1MëM`*o•æ¾ÐbÔõô©¹,V-u4ý†ýCÝÑUOKz‚—âÛë—ëÄä5~%šct]­§h¤²ÛNå¹öÿ Ûö’ñ?‰·ÏÊ*åI“y[qo.oZqO—f4!OòìC'=[b°ëL‡ \ö¬WK+õîI¢œx–Í+ ·ÉÐÖ¨¬§ýÊîzMŠ|’þª»Y-ú¥ÊéŽCå@Õ5#JW_Ùû^¤k÷öcžs£–=å™Äfë¥7ƒ"Ý5[k jΛrA{\“²òb¯5ÎøÄÏ“¡_Þp~³3”Úš°)îx'¨Æ{¦è!go±°Gm)«¡‡d°\>²õÉo '¸µ±… -0…Ødgç•771ô|Ÿ¢‹y¾ÌõºbÓü–u0Æ_røªvùMc®ç¹ÃBÅ\n}HòýÇHyðîµ³p%Èuë@k+…–ß×ÏÔ\|©bû¬ç´ËOª?XçsË,[Õ©EWJaoD’ןÚªÙ‚(eT"Œµ6¼AhÒ7Y*¿é½|8 ÍÒäÒx5Ámê#)ѹ å€n_7¯Ë,f™·­ž³ö-üæS17É1I©wŠ—&ÍÄ°}ðnñô«ù\ t§kôaLs(‹‰Ó³ÅÇ?=1òJ8¹¬_Ãkvy˪7—‹´nK°°=içé0Â!O³v£þ@ë¬QueniÊ<¾³ÕµÑ”ÒÂIm¶ŽìQ#wœïa8úá‹ ï¶ù´eöä—ñsç•2´9µrœ%´5“Å%:ø”rBSÛÔ†Çàš¶/BÄ)¯o½ÑäNÜèÖ|ÂvthùL—XÿUš^ðöá÷FŽyÎö&•'i¹ÛuTL'oAÀqKR‚µ8R€A¨ØŒG­–•äÉÖ …ŠB‰£Fú²žÖŽF„»@óÄôdRÐqœLR9IRaû= -ÀÛËÏ›ë"±¦­\E‚ñ<\þìa#®0G£Í¾ìÑž÷š¶˜œ ƧW3K2aØ•Ê/Õn$¦y½–î•Þç ùÊ1(µVÓ"bªùº©:¢OÃOò†Ÿ–Å°.(±Šb}ç”i¢Â˜¬ÿqî‡É{+_V®¸Ä´$¥¢P_[QeYjçWZo—¡ÀŠæUYþÇ»®i):q #ÏÙ@öN­³…sèw^—”ŠÖ¬®I)kæ¤Å‘s˲QMµd9^bU·ü½çw£ -÷oŽCÒ^ï'‰¶>ù -ßX?zóä½ãÁÊñF—òû\šµæ–­ÎÆ:Û}|í.Mœ“îL#Ø*ê>~CÊ<Æ“¸R芧æx ê2¾D0ùÜšãæ­Üh—gIè0Û„^áÒ% ÃéRÃ~îïQñE¸È~R<™¯—ÆksRÜx¦õ4«œßg‰½V?^ `ÚÖݪ3G6PøAb+aDoU¯ïN—íhø h.Ó FPïÉÃàFñä"}†ü»Š— á º 㜒žêHÿG¯2‡Ä *e&è°Ôóå[CVÆk´ø“ìtùÊœo$ô‡ÄÓ¯­ûÐ< ¯Z ÁéEºð.œd¤˜]KȮ۰ūe«úž\¤Ã£ó.¥õ—ïæ :@Ú55,g|ßæö7úh;6XÄ/>¶"ynö#®¼QóÀ<³{5”–SÐ/8*У‹‹GO JøL©‚¼EzÆÄǪµR¥xÂ]åÁ½œÎ+ñ6ý§ƒ÷ÎÆ`bINÇQˆƒ›§ôý6†„øågÑåîp&Ã8”ËöaKÚdagØ[Ä~¢ÇS/e:¯|¯ñÞ昮¡»œY¶šÄÐî«ŒLnc¶{ÂÏzõ/+åæ_9@irø˜crûó—?VpK[´Áúùp÷ãÌWâi{m¶ÝšÍš^¯ƒkBlïøôô¾ ™™úN‰¼·9˜¶Ë8ƒØdX'E?Šª!6œi<Á· -MwY}6ŽûV¶Œ—n:÷ymO}€KQNUÁÆ®2¾)õ¼‘A”ɼÆÅ­…H?òês9úóØ‘)ª¦Ïý¥¼O8â­‰`ù£4ýÌÍͽ"/㬂ìÂ>ÂÇfSgL,D Ï\¤¶â2íÓ8MÇÇB3£[~„ûðü¡í)9ú{N»\˜"¯¬ê9AäÍÜBvLœ¿xa1ýÐÙ‡?¦•J§®2ˆÄ‹"]¥ø4wLôn´¼lûÚ¡ï§.|‚ ³®2èEs^Þ=ÒNQã·;\Ð2>“»ÕWlª”› -ÉZI²L%g}W f±½‘¸»=ñLù’óZۉ׎¬fž6‡û|vØz½¨ê¤Ù›«™œç«R};·C:)†æ½QßÈ›x» ¾ˆhQ ¤Ç¹Z&âþ±þ6(Õ†i”U·À·³•>ÖõðpÉúP9w1Oêë@Œ#Ú¢Ð\ÂH´èÅ“ˆ²]WúÔùýÁ—¨£ÐtGÓÑ{£ˆÜ «ìîë*Õj€¨ø61õ&¿<+Ç«Õ\Ô²Hº|ý¦ûì¬uáñ¾ªR+;Að¬·kü©è÷Ì[5g"P -/%É =Þ0gè‚ž•/Š ³=K%äØï˜méð©_8êZr1OIE¯}}FºæÙ÷Qí0 -ÓKd÷5>£FÇíêN^)+&yä¬>Ki?bKÃþÂ5Ih\ðpX1„¦ ;ñ OÁµýËw•¢:ÙÔãoŽgX÷‘5XË2R²‹£ŸöŒ¼Ôö· ¾9ëȶÇ@‹këtÛ 6~lŠlÖúÊ›§29BÍÊS$ÔÑд¢Ý!œ_4ÿ’‹Ó§GÂXH×rcbé>U&tã”%…àJ6ì dÌ$V{ -ßѦ@¤í¯,*ŽÈžÙÁc]ÆÞ͵T¶…†F?œ¸ØÇâMÌË4ú¦&:º³^vL%ƒƒq„¯/š¶åÖYœòæx†)ÈöþIŒnÐÏÞQa&/WÅé¹ôó”ÕVz©àîMö¶l?¹úsèkEòƒÁ4#Tå(í`¿<1 oz/÷Û/q¿Çkñ.ö‰ïÏã}ź„]Âñ"ÌM Œ‹ô¸º¦²Iˆ'(Þ´ôâœÝ¿,6%8ÛΪ¨¿…Ç2¸zÏ’oËKÄæŽF»èC^ûÊb”ŠDÒ}õQÇ1—C‘„ÖÜ”©øRÍð_qqKy¸”5g‘](@ñFž7ãæŒ #“R:¾©„w”_+åZ5°yùrØ¥:‰Må<8… ²Ž2ž\ØÞLþ*lh.É%Õ‰?‹³È*˜ |0Ï›•!qd #åfnè„ŸúÃ/¦<½–özšù«ÙwFäÐM§%«ùÇcÙo´‰?¼h¢`R\˜°äoTì<9›¶gô^l¾ø Ÿ>ÌÏÿ¸Þ󲺭I‚Ø”$|MbIþRZ7z®@¿… cõ«*ú’æ•rG½ªü9N<ïÇ{L -o>‡…~¼GYøüÈuQâ*³AÙŸK ¾ôµ‹«ñ–Åad|KtY;…Ü©_–èe 5ÍŸˆ¾#¾ïE’Ô{Éq;_þZˆ1ÔQ;—›ÎªD=!avhzìâ°l#<~á>Y×w<öì[oçü*Ös·ìûä(î·Æk*gÉç:]¢'‰!%y]¦Zd TŸšnS Uß\&xyu%S–9²îƒ'"šÇ†\ááº*ùx8"Üé÷žäæG»éÊB;âÊ(â',aò>ÌæY$–¹ý”27SxÊWpènK[çÄ1l 豬y¤i¦º·É ·öîáÅ,ïo²ÓØv®‹w’ÄE‹¿¶«>¨•–|߬±*ý( <ùi+~R.EF&-¯ÌóÕpzF>ç”ÁyOwÑU™sl 9FLlÌTiqÝéV‘éù)§jÍ«ëÜbÁ¼Ï‹…Ý ck-¿Z Çê0e%ÔÒÓhÿ¹ÌØFˆõ¾iòzwsªYÞÚîÑÈNYø‚.»sçÞÚE!58ÎìJ:Û;5`¤ŒTƒC¹¥ó§}á`­4…¶­€"Ì{>EÖôùÅ„Ù«Ìi¶X©6Ýh=ã’‹¼íîËgÊ»·µV®Ýï¤ÌˆÚ?éÜ;õI/ˆ¿ˆ|×Br\jUôÄÛ>‰,2Þ÷þˆL!‘ñôF-íÔ…Ni™ÓS -¥~-1ßÊ·Sí·ÃÔ:Ö©—JZFß”-¦ âJ²FDDµ©›¹â1ËîÓHâÌäÅÖÓ~ì†Þr·ÂCÅS#\iŸ5뫃OË=iåw—3v0|¯†FHFú®Q…k<Œ"X1Ë”vuÔ4–¼¶uèSŒöÀîÛ -Ú#ÎÝÅ)šjÀMs¤ârruRb&l^5!Í¢W#j !}Þ5ÒÊ@.ÌLж¨VJ=aAø|‘jž\íN[ã” ¦…‡%cÕ‘Ž¼ÁàCÞ”r;c¶Šb=vTA¢E1ÆUçCݽ0=ã$ÕÚ±qʾ ª‰Œ8!ÖM}šÀ ±šËÌ'─ÎE—º4ÎýZ&÷ï.9¼>vI†ÄûÔ®×ô/èÜÇ~à£jh¶ÌBW˜J±ý±2´*T¹Beß9dK.j^¤"{R;–®®´¿!|xÓšgm¢5uFcXx£Ãßä1“­’¯ÕnÄOÀ)6dQ×·¬³°W¼¡Ì¬ZÚZ+ ×Û3yíUèŽËþ˜"Ë©k±.—þ Ç·N(´¢ÿïz“-ܺŒ¨OóB%7g³¹I¹ûa¤ÆQØÿáh³0u^Ñ• Œ!7 A¥\ÇínT`£¯;þ{€|“é =Ï15zÍu–¼Ý­ÕÖO7ïQ$…ý(1•¬| Þq”XÄð.]®>ÊS’kM<óK`ö…dí‹*y’u#qµÑ#ôÊa6E§¾Œ!σ Øq›ÇokkQúæżtyî{+Zþ¢ ÝuWEœwGý˜óù í[„+«92\8å—ƒdbDËËÐ1ê™=*®esyƒU£fǭ㌧[Æ€^J7{بÍ|rÌÝ\Ó7¼åâ/MZ„î«|–œŠã~®n§‘Eˆ.£> ­6)ÄŸS5Së,ªÓ/Ä´$Ó—Ýž%¿ £]‚(óö~õǙЎã—TØ-Ý]Rf¥òíÜ»f0é~Ç7 Ú¼>žéçöåtKà}Ì9‚ÖUÜ©å±/¤à×û05ºÄ[¾ -¼RK·=Ž–ùóoú©G–c£m¨fk•óæo_s^^ž3XO¼ò1ˆ -³Ÿ“öÐ^£²P¶yWmnÏÄÄT‹Ë^­ZïÚ]:Ê>9mTl´ô£i¥OäáàÑýlú ±Ê(À•ªûjÊ,µrAAx-fLjpŒ >¬ŽÐþÐ3ú¾3êÔèû ŽTõvõZ¼c ”ì5¤uQÔ”YN¨pL…2ÌæôçV‹Ë@>‘ÈÞ N_"ˆ`†ù¦z§—¥„¯ -yîoÜlŒà㹶_ µ'Õ ÍO.׸µ6}¾Â£×˜^N!Ý´’»ÒvµA±çþð kOg -Ówí2ëƒ'Î`p+p ¬ã™CÏ?dÃÉ!¸äëõé)§»Å8Ë÷Ó»nübçG®ú•u™€ùw¾jaŸKè\¨§*A䦢3$ÚˆåúŸád‡9ðÖB¶€Á5 ³m({ôTá{~·sF'[‹»zèêæ±Hží:¼“þ"2ÉaÊøàý´ƒ¸KðÒ‹,—‚aQú²¤þ+¿9PáÝÄúÈMU:‰b2Ù œÂ áÆ–€œÉ§mle,sm&,Võ£r—“Gf—nÇßí ¥ú2ÑÅu´SEÈŒÀKG9é ìT\?µì/8—ù -—Ä:ê÷ðÝ åë„ a ø«}V+ -IÃ%¢§¸ÁMÏ­W[öÉ%ä¢*¿gš]T›®æÅÖX=„~íuÊÌ»Ñi©Xp ÓYÂaE´=pÃõ{ó­›óŽ¾™É"ö÷¥ F84ÒL”ÆÙžÌ[;ôé‹åŽ~ ¼ãl¸jä!@šjUâŸs5ÌÃO ‘Å7o­\)ÄÈ’±0øzi*‘ƒu[ä Ùxm3È!5œˆ £ x‚ɤ‚ówzç ‡®ÛjñE÷0URRïHOn!XU¸|ð¯øjiì¾ òŒrÙ—ã¥|ÁÆÝmÜ iV+O´Û–‡1îvaº—òⸯTÉöàŘëÃô§þ.0Íg ËÆ JæÂ]µZIbQ*g61·É5{áóCüÿÿ'@0…A¸QÎÄÿü>„Šendstream +µpÁbX2}ƒ¡ H U_Uý<1Ž@̯Øh( ì±–`ÈíWI¿1, Å¡p4ñÄüŠe€¡h$ è…%C¢ ¿ÓpCCáep€‚8Q`ÆÒ`¹uç¯:ÿT=‰„yýöFü¶úGP ³$ÅÆa°± pb¡_â·GD„ÿ¸»!ÿÄÜ!¨ß ºókfx±IÁ8Ì †Ø é"0Ø€;ÿ;•ÿs"ÿ$þü‘÷ß÷ïýÓKüï¾Ï§VwƒÁt.ØøcÉ°[xøµg¿«äø] 0¯áõwC3È™þ"û;¦…bÛ¡wÀJ" "*(üÇ5­õ„€õ¡#ÀÃvë÷½  AÁ pVÕß Å: ÿ 3v„‚œá¿Ú/ñƒÿž;V¨ß™ iëðÿ«ÝúÛR;c/$ðßaÌtà~ñ(+#<>’"Q)i€´¸0@ZJÄï_DüM#ò×YˆAA=–‚ÂÂ"ìïŸß¿NÿF£!À¿fÆ„ƒ±cö‹_0È …ªûûÍÇýçù÷ÀC žñô'H.Ä)=3SEŸÓûNÕ²³]¿7YXkü2? Ñ柱(Sj{Q*X7,{ùÖkb ùó˾Õþv:O[*d'Åï6oG>åAÇfþçO‰¸äܯ‘qG¸>gV´0)õ‰äTP¢$±JRæ˜õ!{é.ƒË6+n{D9ZÌ +«HMˆZ¤&T °Ô»ÓÚ¯É|ˆÃ¹H´˜ðU wÛ^~ù²wŸûTSþ~lô|mñîs^ÿT¨õ 2^2ñæ';•,ªùi»½¢¾8­còû;;ãÕt)t%«Ð2Iv9Þœ|qANzLb·’Ïʦ9iÝ,vç*¡:ÔœÃófÕ@Ü8sfö¾f¶é¾¾²ØO9Ý¢‚ÔŸ#AþWÉæù¢%“JÉ'WN_*é™TÑˮ̛?£ÎžUã7Væ)Ãr­HžµgñÒ3_ðÓߪâ´<nv*g4ÏH™I*rÜø€«V!æ4Í|8Œ­¦©íYôº™],»¨ç#Š [š†ÙuZe{ƒ0«8Uݪ¡% #,ÅÑZß­8dïÔIIÕ5–Í——Þh{&HÁ²þº–ê„‹•eÒÜ4ÕN|lŸÿ³«Ž19!¶øS±º)¼C¸æ¹{fêk`˜üyö-DõûF‘óãZÖ!ýŒÊ†Ùq[ïQœ'66¤Ÿ¤‡›Z*t,"Nû‹Ù)t§»´s"ªR™:Þà€gêä¡´Gá*háÍ ¥t*$×3nû$ʘ¦u&0•·Js_h1êzúÔÜ –+Ž–:š~Ãþ¡î誧%=ÁKñŒmõKŠubò¿ÍŠ1º®ÖS4RÙm§ò‚\ûm{ÉøŸÄÆÛg e•ò¤É¼­¸7—7­¿¸§K3š'yö¡“ž-1؇u¦Ã.{ Ö«¥•z÷$QN<Ëæ†ÛdhkTÖÓ~ew½&E>IÕݬýRåtÇ¡r êš¥«¯ì}/Òµû@û1ϹQˇžòLb³õR‹›A‘nÈš­55çM¹ ‰Î=®IYy±×g|âçÉÐ/ïF8¿ÙJmMØw¼Tã=Sô³·XØ£¶€”Õ‹ÐC2X.Ùú䷆܌ÚØB˜Bl²³óÊ››z¾OÑÅ<_æz]±i~Ë:ã/9|U»Šü¦1×óÜa!b.·>$ùþã¤<xw„ÚY¸äºu µ•BËïëƒgj.¾T±}V +ÈsÚå'Õ¬ó¹e +–­jŠTŽ¢+¥°7"ÉëO mÕlA”2*ÆZÞ 4é›,•ßô^>œ…fiò i¼‰šà6õ‘”è\ˆò@·¯›×e³Ì[ŠVÏYû +Ž~sƒÆΩ˜䘤Ô;ÅK“ŠfbØ>ø·xúÕ|®ºÓ5ú0¦9”ÅÄéÇÙâ㞘 +y%œ\Ö¯á5»Ž¼eÕ›ËEÚ·%XØž´ótá§Y»Q uVŽ¨º2·4eßÙêÚhJia¤6[Gö¨‘;Î÷0}H½Š3d6År9Ñ3:`¢H ”–«Í¤h~‘ÓÇ%`£ÓµaÖ8"N£KwŸðEˆ†wÛ|Ú2{òËø¹óJÚœÚ9ÎÚšÉâŽ|J9¡©mjÃcpMÛ!â”×·ÇÞhr'ntk>a;:´|¦K¬ÿ*M/xûðá[#Ç<g{“Ê“´Üí:*¦“· à¸%)ÁZ )À TlÆ£VËJòdkÐBE¡ÄQ#}YOkG#ÂÀ] ybz2)è8N&©œ$©°ýàíeŽçÍu‘XÓV®"ÁŠx.ö°W˜£Ñf_öhÏ{M[LNãÓ«™%‰0ìJå—j7Ó¼^K÷JïÀs†À|å”Z«i1UŠÆ| ÝTѧá' yÃÏ ËbX”XE±¾sÊ4QaLÖÿ8÷Ã何/+×@\bZ’RQ¨¯­¨²‹,µó+Œ ­·K‹P`Eóª,ÿã]×´8Бçl {§ÖÙÂ9ô;¯KJEkV×$‚”5sÒâȹeY‰¨¦Z²/±ª[ŽþÞŽó»Q…û7Ç‹!i¯÷ƒ“D[Ÿ|…o¬½ŠyòÞñ`å‰x£Ë ù}.MŽZsËVgcí>¾v—&ÎIw¦ì u¿!eãI\)tÅSs<u_"˜|nÍqóVn4žªX7® 7%M|Í°œ¬ÑœÓ% lš^0‹ŒE¼L‘I¦GÎüx±WªŽÎv´)]ëT‘¼þ\®Á¹}ä(i­2[”|, —æwE5³‘çêüŽêzÆ„AäÜè@¢—ü’Ù¹/$>Èyê¼ýVóuòÙu•òÚmïÍÂœ¥s2ræyÜøŠ7é ŸË³$t˜FŠmB¯pé’„áô ©a?÷÷¨ø"\d?)žÌ×K㈵9)n<ÓzšUÎï³Ä^«/0mënÕ™#(ü ±•0¢·ªWŽw§Ëv4üŽ‹4—ÎiP£ ¨÷äap +#xr‘>Cþ]ÅKpPÝ…qNIOu¤ƒ£W™Câ•2tXêùò­!+ã5ÚüIvº|eÎ7úCâé×Ö}hW­…àô"]xN2RÌ®%d×mØâÕ²U}O.ÒÇáQŠù —ÒúËws 횉3¾ï sû}´f_,â[‘<7ûWÞ(ˆyàFžÙ½JË)èèÑÅÅ£§%|¦TAÞÆ"½ˆcâ ‰cÕZ©R<á®òà^Nç•‹x›þÓÁ{gc°G±$§ãˆ(ÄÁÍSú~ÃGBüò³èò w8“aÊeû°%m²°‚3ì-b?QÈã©—2W¾×xosL×Ð]Î,[Mbh÷Õ@F&·1Û=ág½ú—•ró¯ 49|Ì1¹ýùË+¸¥-Ú`ý|¸ûqfH‰+ñ´½6ÛîHÍæM¯×Á5!¶Œw|zz_†ÌL}'ŽDÞÛLÛeœAl2¬“¢EÕÎ4žà[…¦»¬>Ç}+[ ÆK7û¼¶§>À¥(§ª`cWß”zÞÈ Êd^ãâÖB¤yõ¹ýyìÈ”?UÓçþÒGÞ'ñÖD0|„ÎQš~æææ^‘—qVAöáA Ÿ ác³©3&"Ðç.R[qöiœ¦ãc¡™ƒÑ­?Â}x‚ þÐö”ý=§].L‘WVõœ òfn!;&Î_¼°˜~èìÃÓJ¥ƒSWDâE‘®R|š;&z7Z^¶}íÐ÷S>AÐYWô¢9/ïé +§¨ñÛ +. hŸÉÝê+¶GUÊM…d­$Y¦’³¾«†@³ØÞHÜÝŽx¦|Éy­íƒÄëGV3O›Ã}>;l ½^TuÒìÍÕÌ?ÎóU©¾Û!CóÞ¨oäM¼]_D´¨„ Òã\-qÿX”jÃ4ʪ[àÛÙJ ëzx¸d}¨œ»˜'õu ÆmQh.áG$ZôâŽIÄ +Ù®+}êüþ‚`ÈKT‰Qhº£Šéè½QDn€@Uv÷õ•j µ @T|›˜z“_ž•ãÕj.jY$]¾~Ó}vV€ºðx_U©• xÖÛ5þTô{æ­š3(Œ—’dŒo˜3tAÏÊʼnٞ¥rìw̶tøÔ/u-¹˜ÎŒ§¤¢×¾>#]óìû¨v…é%²ûŸQ£Œãvu'¯” +“<òVŸ¥4Ž±¥aáš$4.x8¬˜ BSPx§àÚþå»JQìêñ7Ç3¬ûȬå )ÙÅÑO{F^jû[PßœudÛc ÅµuºíF ?6E6k}åÍS™¿¡få)êhhZÑîίFšIŒÅéÓ#a,¤k¹1±tŸ*º¿qÊ’Bp%v2f’N«=…ïhS Ò‰öƒW • GdÏìà±.cïæZ*HÛBC£Ÿ N\ìcq +&æe}S +ÝY/;¦’ÁÁ8Â×MÛrë,Nys<Ãd{Š$ƈ 7ègï¨0“—«âô\úù‡ Êj+½Tp÷&{[¶Ÿ\ýƒ9ôµ"ùÁ`šªr”v°_ž˜†7½—û툗¸ßãµx—aÛÄ÷çñ¾b]Â.áxæ¦ÆEz\]SÙ$ÄoZzq +Îî_ ›mgUÔßÂc\½çNÉ·å%bsG£]ô!¯ýe1JE"é¾ú¨ã˜Ë¡ÈBknÊT|©fø¯¸¸¥¿<\Ê‹š³È. x#Ï›qsƆ‘I)_TÂ;ʯŽr­šؼ|9ìRÄ&„r€ÂYGÏ +.lo&64—ä’êÄÇŸÅYdÌ>˜ŒçÍÊ82‘Šr37tÂOýáSž^K{=ÍüÕì;#r耦ӒÕüã±ì7ÚÄ^4Q° )®LXr‰7* vžœMÛ3z/6_|Oæç\ïyYÝÖ‡$ +AlJ¾&±$)­ =W ßÂ…±úU}IóJ¹£^Uþ'ž÷ã=&…7ŸŽÃB?Þ£,| ~äº(q•Ù ìÏ%_úÚÅÕxËâ0²¾%º‹¬BîÔ/Kô²†šæODß‘@ßw‚"Iê½ä¸ƒ/-Ä€Æê¨ËMgU¢ž0;4=vqX¶¿‚pŸ¬ë;{ö­·s~ëǹ[ö}r” ÷[ã5•³äs.Ñ“ÆÄ’¼ˆ.S-²ªOM·)*Žo.¼¼º’)ËÙG÷ÁÍcC.Žp‡p]•|<îô{Oró€£Ýte¡qe” q€–0 yfó,ËÜ~J™›)<å+8t·¥­sb6ôXÖˆ<ÒF„4SÝÛd[{÷ðb–÷7Ùil;×Å;Iâ¢Å_ÛUÔJK¾oVX•~Pžü´?)—"#“–Wæùê8=#ŸŽsÊ༧»èª‚Ì96Ð#&6fª´¸n?‰t«Èôü”SµæÕun±`^ƒçÅÂµ–_-Њcu˜²jéi´ÿ\fl#ÄÎzß4y½»9Õ,om÷hd§,|A—ݹóo탢gv%Îí0RFªÁ¡ÜÒùÓ¾p°VšBÛV@æ½ Ÿ"kúübÂìUæ4ÛN¬Ô›n´žqÉE^ö ÷e„3å]ÛZ«×îwRfD퟿tîú¤Ä_D¾k!9.µ*zâmŸÄï{D¦Èxz£–vêB§´Ìé)…R¿–˜‹oåÛ©öÛajFëÔK%-£ïFaÊÓq%Y#"¢ÚÔÀÍÜ@ñ˜e÷é +¤qfòbëéG?vCo¹[ᡃâ©®´ÏƒõÕÁ§Çåž´ò»Ë; ¾WC#$#}רÂ5 F¬ŠeJ»:êK^Û:ô)F{àN÷míçîâ¿”M5à¦9Rq9¹:)1H6¯fÑ«5Ð>ïie f&h[ +Ô+¥ž° |¾H5O®v§­qÊÓÂÃ’±êHGÞ`ð!oÊ?¹1[E±;ª Ñ¢ãªó¡î^˜žq’jíØ8e_PÕDFœë¦>Mà„XÍeæ‡ÇqJ@ç¢K]ç~-“ûw—Ç^»$Câ}j×kzŽ tî¿c?ð?ˆQ54[f¡ƒ+ÌN¥Ø‹þXZª\¡²ï²%5/R‘=©KWWÚß>¼iͳ6Ñš:£1¬ ¼Q‡Àáƒï ò˜ÉVÉ×j7â'à”²¨ë[ÖYØ«NÞPfV-m­†ëí™Ç¼öªtÇeL‘åÔµX—Kÿã['ZÑÈw=É¿nÝ@FÔ§y¡’›³€YŒ\¤Üý0Rã(ìÿp´ÇY˜:¯€èJPÆ› R®‡ãv7*°Ñ×ÿ=@¾Ét‹„žç˜š?½æ:KÞîÖj 맛w(’Â~”˜JV>‚†ï8J,bx—.WåN)ɵ¦ŽNžù%0ûB²öE•‰¼ɺ¸Úèzå0›¢ÓßÆgŠÁ†ì¸Íã·5µ(}ób^:ˆ¼ ÷½-Q"λ£~Ìùü†ö-BŽ•Õ.œòËA²1¢åeèõÌײ¹¼ÁªQ³ãÖqÆÆÓ-c@/¥›½lÔf>9æn®éÞrñ—&­B÷U>KNÅñG?W·ÓÈ"D—QV›âÏ©š©‰uÕiƒbZ’éËnÏ’_áÑ.A”y{ ¿úãLè ÇñK*ì–îƒ.)³Rùvî]3˜Çt¿€ãm ^Ïôsûrº%ð>æAë*îÔòØRpŠë}˜‡ˆ]â-_^©%ÛGËüù7ý‰Ô#˱Ñ6T³Æ5€Êù s·¯9//Ϭ'ÞGùD…ÙÏI{h¯QY +(Û¼«6·gbâNªÅe¯V­wí.eŸœ6*6ZúÑ´Ò'rˆpðè~6}†XåGàJ Õ} 5e–Z9‡ˆ  ¼3&58ÆŸ VGhè}ßujôýGªz»zŽ-Þ1†JöRº(jÊ,'T8¦Bfsús«Åe ŸHdo§/D0Ã|S½ÓËRÂW…<÷7n6FHðñ\ÛŒ/Ú“jÐæ'—kÜZ›>_áÑkL/§nZHÉ]i»Ú Øsÿ@ø†µ§3„Àé»v™uŽÁg0¸¸„ƒÖqÈÌ¡ç²áä\òõúô”ÓÝbœåûé]7~1Œó#WýʺŒLÀü;_µ°Ï%t.ÔÓ +• rSÑ mDrýÏŽp²Ãœ@xk![À` Šš†Ù6”=zªð=¿Û9£“-ŠÅ]=ôuóX$ÏvÞI™ä0åF|ð~ÚA\ƒ%xéE–KÁ°(}YRÿ•ß¨ðnb}ä¦*D±™ìNáÇŠ…pcK@ÎäÓ6¶2–¹6«úQ¹ËGÉ#³K·ãïv†R}™èb‰:Ú©"dFॣœôv*®ŸZ +ö„Ë|…Kbuƒ{ønÐòuÂ…0üÕ>«‰…¤áÑSÜà¦çÖ«-{ärQ•_3Í.ªMWóbk¬B¿v‹Ç:eæÝè4ŽT,¸†é,a°"Úž ¸áú½ùÖÍyGßÌd ûû‹Ò#œi&JãlOæ­úôÅÎrG?ÞŽq6\5ò Mµ*ñϹæᧅÈâ›·V®bdÉXü½4•ÈÁº-ò„l¼¶ƒäšND†Ñx ƒW| +µ4v_yF¹ìËñR¾à@ãî6î†4«•'ÚmËÃw» ž¹—†wX^Ê©ÚM<¿‡ž£˜#þ¾#r¾ôÚç§@*׈ÄgÛk­dU͘ÕxOù·‰ËYµO F@V2Þº7Ût(:?¬©Å·j}°<Þñ'ýêÝû"Ÿ0ÝKyqÜWªd{ðbÌõaúS˜Šæ3ec%sá®Z­$±Î(•3›Ž[‡äš½ð¿ù!þ‚ÿ ˆÂ \€(gâÿB:„—endstream endobj -711 0 obj << +715 0 obj << /Type /Font /Subtype /Type1 -/Encoding 1344 0 R +/Encoding 1347 0 R /FirstChar 46 /LastChar 122 -/Widths 1350 0 R -/BaseFont /YWKQHC+NimbusMonL-BoldObli -/FontDescriptor 709 0 R +/Widths 1353 0 R +/BaseFont /KQTSTM+NimbusMonL-BoldObli +/FontDescriptor 713 0 R >> endobj -709 0 obj << +713 0 obj << /Ascent 624 /CapHeight 552 /Descent -126 -/FontName /YWKQHC+NimbusMonL-BoldObli +/FontName /KQTSTM+NimbusMonL-BoldObli /ItalicAngle -12 /StemV 103 /XHeight 439 /FontBBox [-61 -278 840 871] /Flags 4 /CharSet (/period/a/c/e/i/l/m/n/o/s/v/w/z) -/FontFile 710 0 R +/FontFile 714 0 R >> endobj -1350 0 obj +1353 0 obj [600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 0 600 0 0 0 600 0 0 600 600 600 600 0 0 0 600 0 0 600 600 0 0 600 ] endobj -702 0 obj << +706 0 obj << /Length1 1630 /Length2 8144 /Length3 532 @@ -5630,71 +5638,57 @@ endobj /Filter /FlateDecode >> stream -xÚíwePœí²-î®Á Npww‡à>ÀÀƒw×à$¸;$¸w×à„@\.ÉwöÞ§¾»³ݺS5SïÓ«{u÷³úíª¡¥TÓd·t4Ê8:¸²°³² T@öæn.ÊŽJ,@k7Us0ðp£ÐÒJ:Í\AŽRf®@À[ %@ -hàà°óóó£Ð$!žÎ kW½¶Æ[&&æY~»Ì=ÿ¼Dº€¬¯_Ü`Gˆ=ÐÁõ…⨠\m€+TUÓ“W‘Ð˪hd@g30@Íí¥ €ÈèàdX9:ÀŽ– ß­¹°¾p‰»Ì. è% èa„ü†˜ ³=ÈÅåårX;›9¸¾Ü«#ä`v³ü]À‹ÝÊñOAgÇûì…LÍÑÅÕÅÂq¼dU“’ù«NW3×ß¹]@/0ÀÑêÅÓÒÑÂíwK°šÔÕ äàpz¸þÎeX‚\ `3Ï—Ü/dgП2Ü\@Öÿª€à ´6s¶]\^h^¸ßοúü·îÍ °çŸhÇ?^ÿ¬äê[±¢°s¼ä´p}Ém r@yó{Xä¬ìlÙ-Ý ÿÀÜÎ.ˆþ÷Ì0¼aféèöX­PÞ¨8º¾¤ÐÿÏTfýωüø?"ðDÞÿ¸×追ÄÿÛ÷ùïÔ2n`°Š™ýËüµd/[Æ ø½gÀf΀߻ÆÉ ø…™ÙƒÀžÿ&ðïŽoû_|‡å]Í^.EÜÁúEvV¶¿Ì ÐR äja°2¿ÜÙ»¶ƒ%Ð r¾hûçZ_‚ØØþ†iÙ€,ì~‹Àýt°ü{ù/rý)þª†œ¬¦Ó¿Û°<Õ^&ÁUËüWš·ÊŽ–ÿ<üæ‘pôx³ð°X88y¼¼\>vvß“ñ û¿ÎÊf®Î €+;àå÷ߌþF#í`áhù{r4]Í,_†íŸ†ß°…›³ó‹ÆÞÿ—¦ÿqþ3ö@ ÐeyÁÑB0Ä6=+õ–0w`LÊ ·›v RÒ U˜PíØ埱É_aúPÊÚ8!ðÔâ9yÜU`Üê&Óu¥?’úR3ôäc}ÝÆË´ôƸ=ãÇÛï“9¥ 8}6½­1u ãⲉ6Ng¤“k†j÷ü<š+†ŸEZ}<~;V#NmÁá×I߯¯è¾ ôwÁ÷ì’0åÄ#Ó -ºÃ¡¿ŽpÊ!Õ×®ðŽdÚ©Û£ˆëIÌå1ñ:–¹M !LŸ+ÏS·×Ö:çñkÏñù È [œÒ¡±Tlü+Û¿-ë•øET×—mÚjËl ò>õ _Ô‹vý,8èáÏ D›[©ºœÛ[3zoÃC±)·úˆyH cpeØhS‹GéZuk€ÉaëCkú–J†H‚O—ÕVf.~†÷þ䄺¥u5\càÞ91f&ê~ºLØéÂÌe_|Ÿr“7K5¸S¿iÊl–œiýæ£q­]%Ã['ßê‹t{YÎ(”o¢E -jEÅÖ*|ÝÊ|™w{›·þÃMѶ¦šx7Zmû ÉJgÜó]w2ÐÏ"|&&WŸÜ~±8Æjt -Ý–”èíC›ÇO/äÊBEQwÚüEšm˜§/ÞôRų#m ¨ŠçöØ -oJªb¯-ûÏ¥š¯:ÜÒmSÂcòªÄòGµ›½d–ÝÒ±çfÐ ‡ï*7? Œø¹éݦÕáˆú»2Âœ; ä!X25#ÐjÓ¯*™Zðg‰æ²M¦Û&=N„¡#‰ñô¤—l.gýiŽõŒ'S"œ+€êæíFý=õ1¸nWQ5’F”ÕØ#Äù4]P³sÀ‚Y~ך4Á†Ç®~„ír ݯ¨¨è&K‹F¶òmis–rùÐe'¶“ná}%’,Rñ|ë,ã>aL¦CÁ!0Y1'Ü¥çýüªPXXÊH<–êĨŸer¥¹ãyPå`C—@Gr›Ô!à–Áa•NºÎÄ{eBÀ…P}jlî'qþ z#„y ڬȧ¯úc ArÅþÃqf§7ÅFù{ÂÎ;x’›¨ÇOÇ™œØνC;óA%‰|ó;ÚŒHö“IÁi²Š1€À+,lÙFl¥ÁxI¢ŠØcØ,ûœÐ×­o±©yÞ<œ_4Žø&Ñ337c†u¯ëКuÞp¥Ò+¥ÖU´vûŒ±³Æ¡ŠyT$Aø<)^Ô1&‘»¿¶Ã †ídD™.w2ž¯œ$à°î„!ðØÌÎfíàUœÚ¾QbÓ“›Û™¾ù*¹»$‚ññ8Ÿ°íBŒaº¹?'‡emj#§„böm«]²x.+„ä¨ð.]Ã8$Goÿ“1ŸjÏ‘¯G…%Z%½3WÈs&¾CÏñ= é>4Méݲk×]GÕªßMÓN~|ð‰,ï0Jž±öfË”Äzž²"Ö,¨Àå¼A -/–Tª1KÄ"} žŒ"Ô,®ÿØmo¸Ny\ém< -~Ç€ŸFš[pcù¢3yŠ˜…Š\ØrJn‚Kµ ú‹ÙváçÔN_1oÞAM¤œ“*‘~à0sæQ@ÚtíÁ~Ȧ.ìó?–µçã’»ÿ˜ûnW¿ mC­åÚÅ‚¯•Rî“CùW&Þ„Ù-’ˆ»[—CxþѧgT`&1|ÑJã—1`~ PVƒs ÙÇ„ Ú)a4»ZÇ[X€ÆF¹”2‡;mS¢ª&ä GÅ*‚b˜Xõê¬ÌyÏë:°íMhÛÔÑÜ-¨‚Þ¦!anPÏÇ”díFÚüÚI·«³J 95ò«‹iYïIôÉúqËñú“=ŸÑÒ~±úMuk°¿„‡dbMTß\4 6ê:Úq-u.Á -fežÜrßCï£Üvµ~~1«e¥#Zç»×ÍÀ n®hÆÎJ/_Rîd{!ÏԺǤò3ìóðæ÷`¹’„¾%1íc-qlÇÙ‚iW¶tc L{þÂÄkIcl1‡E5Ã6Ѭ 3€wXGZ´/dÖýÞ=“?Â5¨r!>Æh~X ¾2 -×IÙ.Ch’Ŭø^AQ¾f!2¥ý+RS¢°k¾R•]ÍmËç ëDuÙ˸‡è™¨tÓv-º'÷W¿6ÐØW#ŽÛBÐô6Qº9É&˜7`~b8Ìêa²Èé’gΧñu NvA —’ÕW”Ÿm´ifø!:ú4$¹ ÷p_£¬eæš÷ײ‚®LO„yÆ0Ž6O Û—‡œjæýgWp„å^eÖTiDÞ6}Óû—FrV=+ì s¶ÔÈ·Þ:Û;§)^O¯©ótoibçWÒóÑ©„#þ²])Š2ã°À7 -ZC¨JBöjüÈ+>Å”æ½Ö^ƒ6iDõíݳâ‚<¼èLRX6Ž†šÙÏÛU®`¸ My“ïµ#.“O&Þ‡Ãü‹A©ˆóºÓb~öSÛ´¬Ô¹ZZy„ÆŠƒœ§Üy1=!µRÚ4)Ôm$UÃVAÛ—tÃ72?"P„t¹á„~F£¦ì±žÅ}e—9!©ÛFè÷çœÆ£ŠõN°Ð—ßC¼­õæ«Õ€nÇ“Ù,q÷|‰óÖ!šžŸ¶|Í+ø³fÖÏ· -|Ò‡ b9¢Ý—B”Óeß¡#Ï^+X¤½š^Ô€ã„R|ÿVöàÕâÞ¼ÒDNètúÁQµd¢L¤–²ž3TKâ³°Ñ.ëÚÑÕSÜO3†<—7?¿t—Æ<ôÆè¶?„^K”½û‰ßè€wºÌyÕ…O=ÑaÔ]:»4aNÚYW¦$ñX“S  «Ÿtq†(D=d¾qêN‚Cw#¢që£`"“AýÊ=×4}Æýn– Y“ª2<¨Ú÷åqñø'-¨iaŒ½¯©5GåsFHñ’]&à~ÿYkÚC¡ Ï‹…v^-¶ʺ%eö>¡pý"³ê+åß_5rÎÌð–rbaú‰%&ù -sÆ@es‘Xü>¹eéN!I±rÝ<¥ImÓávL^Vc°èé4%ÐvcŒ~ŽuŸÚ:æšÐ(^V©FšÉFÊ„5¦@w:¤ªO!¸Ò:¨M„Páüòonñ=¹/ )‰=D¬™‘x™( ;o•94‡Í‚¹m.Ïÿ&yj:f•… -ã¯ç´½y5âC̆7’gj óÄâ|ÈÂÚÔ¤à¤ò„[ZÓôÁûòúêFù³‚V"vÏ[´¯'›0¡'Øüˆu‡Haq>æ–‡›äã#‚wk¸WS½Ê9¤_,-Vˆ:´'Ù™ªÎSË^eæD¤‰0 -[ê©úɱշÆ#]ðN«³¼6m¥‰8\mm×–æO*Ídœà?Ôd&ùãͼbÀ`›ÂQ EÑöý¸R>™üý‡Âk<7½¢ŸhTª*ñ!þ™ï¹ûXâ%|‰ddu:Ò_'r䕯w–Möaª4¸Í(#在žÜköÓ?% sö)Y~;=N³2€†»F -ØŸ;Â[·^[VÕG ô…›Ë5a¯Õþ·«Ê/qhÃP៻AxàIèŽòÔ*a‰íŸñýi"ñ”Îèa¦J‚ãU«¿hè6[é¹Î]¶ú£^þ Wœ ­„úž@Ô úØÁq‚'QÞG«Á.·C—‡¬ö™Õš#ñÕY”…ý !A¦S3çìºâÆe²OÙð<è4ËÕhB\ÎÛ/f–Ѿ39ó6©ÇfžÝ†ÒanÂÁÏ×áá–>Ï€V=Æ]‘ïÈ|zˆ•T°¹ÝH’“=æö+•ÜÐ~áâ>è?¥ðR­M :Öª”¬¯¤1ÕUÓ2jmƒ<ì &oÅ•M<Ã,Aí‹KoLÇ/ ÝžKÅ7™ ¡„<¾Cšì+Í5Êhk£JVY+x°ÀBú€ÛH¬æó§˜W+°}_…{½FpÓV?aÐ:Š&2ìå;t‘Á(Ò#8UXÊÈÚèhÝk 'gY;ê8?çèX¯^a’öþOw£RêOé}O`)Ž}yªÔí*°¢ÑSK2qLØ,V¯`¢~Õ‚Íà6ÛÊ¢o&߬þÁñ÷©â¨)m[z2{i¤o‘ê&ÂÑÚ\Œ4æ™m’íõ;v¶,ÃT¼ó&æ·ñJö6yŸÎ4ôk¬`äÌrâœîL C¶ -Ún3!©E:qg^˜½“ çEÉHûK뵋Ùãi¬r°"×$n{G4.ö5b -C'75¾caÁ¢ãmƒž•å ûZ *œ®ÉÙ @œË¼,A¾‚úqhîA¨øy#³ -1j ÚlÑ&³¤=mÒ;HW3ßF]-˜b:¼a²-m½Í¸×8%3,Z¼RåØ;*…0â+1wf ž¡¸rA7DZ Ž»µ‡Á8Êœ”ÎR”Ä<¬¨ÅòBu%Ô_`î”Eû1B–Y«æ;7¢rœ–õôú[¦uÍê«‘âa® -Øcîmë5+ ¨38…y-5*6Ó¼'G†I¡s*Éžš<ªf'&Â÷ç)7+9Si|пŠ·ÖC7¿¦´kEª3¡1/`@;ý‚·ÕØ%T¿h¿÷m UBÉg€Kj2ç3gžE>Én+p×úˆlJ<2A1ƒÊÆø4œ/¥Epz¬&ôìÜ­ÿH\tõœÓ%±_~MgþD õ*ÖÆÇûÔ³ K½?€÷£–ò>#¹ëlY–ýaIø -•ªÿ­^²~wå0§÷>¬­i¡”Ðer;á2\ŸS2ûkÿÚÙJ=ñ8ªÓ;åȲ¦p«.©I*ΪoFãÄjèŸ*˜®$rرpVxO)ß-.LòV"ëàÁËð:¾ßOw(ʽ +X£ÏÕ½ÞÀ ¶aøz·#  OÈ.oðâ›7Õ̹Ήé.­² -B–y´S,¯K.Œ¾ÄJ'7Z¤Ýiõ•®G@QÀn•?—‰†Í_#ppÚ“úëslg°ˆ!PB0ŽÇ0!)ô j«ïY:FŒ›|ƒY Þ +[#’¯f•YÞifýP!`9†„øQ1º*˜¹’οçÿ1›†•Ò»=Iù NeõÉ #˜' g€"C-†óçþ9#Èï³Æ<4Wkë]i¤ê/£lŒ$%~î S,…@õŸ’Ñ– hŒµ£Nó+G“} Õ‘Üi­álNͯmÎ#ý#¾tK§·¢žZí%ᆠÕU©„#àš?,âŠãµ Ê…Å_gd4°‘½ÙÇTK°$:áÙO"LÁØнݳg¿Ò/Õ˜Hh¨1ÊõòþQD„ÒðügßÞ[2g¦¦.åy*)­½[Ö}vDÈ\ºpw3êÛÌ@Ĥ΄˜S_8]_÷á°Ô ®EØ6ä8—×w‡lʃ\²i©Tu^Oª±O§ µýä†ÉBâp;>'óV(œe6W¡¨ÀÙYÜ6fâ¢SÓz«ýPy çjÒ\ló”µ5”Ñ{mî0r\™\Ùp†?ㇱ9ŽìµFÚзæM(j -bvÑCª¶<áVÅák…î 4ÛFüÀãó´[OÝ­É›þ(œ6®°Gɹ|ðzCà"å:.B*´ -ÌÇý¦”ït†ˆQF'£•W”‚Jî‹ö¨RZ»å>Õ;v×òu"Bä—,IÆ÷ -?tBVå äÓÒ·&ŸõaðÎÑ3ã?ì‰ðˆz)ýþŠË¬MÜöõÇÈR‹[uY­Êâ™xŽ(ä©rLx¹d0©Ù¹9›—€¹`eîWœŠjÍ`« rëáeÕ0Eg—¬ÀpÛco:,Cú‰–èÓT` T콈l×ÓkŽÊ]5É_oÖÏFSPÁÈl`«@Y`…# Œ‹H…ÝÄN›Ëo¸¸˜D·è‘Í[ÏZ{¦ãg¹ù8|ü,1i•€Â~6Ûn„DQ¥ßæÊR¶ð‹š-΂ÈV÷²a~ªŸ´Hqef±ÐkçO;l§©ñ÷’É0ÒªÃê»ì™p细ÖKL8þoòÌ¥;»\Ç‚ÅæYq½ÉšŸ ëi_×ñ mÞÑ ‹MÙv{ëø– ÓŽÓÁp³*•âú½W±ÀCqJÞ}‰É‰ Vþ`õ¤›Ðòåâh"*f!)|÷Y² ªS]-×FÝåߧ˜Á'VnŸ Å7H­z2wt_›^9§ïqŠ;II+pÐÇ÷óÊé¥ôv$Á‘ƃèÙnô°ù.ûû˜'¶‹ò¢¹ùž)ײ°„Ã\f+5ôeP„œÅhQ¯5F-1á :ÝÛŠ«ëm&5£‚Êñ@Š"œ¥JdIrù’ÔW®VéTÿ]ìò‡¢ªÏ§Çñ¶ÛÑûÎQó×pàûŸVŸ¦«ãobXÆ[)íz;J}$ã%!ša˜¡(¤<¡Ú»álÀ¼ìHÅ­p$Èkßã:­xkuÂUö–È£×=#˜ôŠ»küÁV"‡´ÙCz{XgBSý¾ïĨf¸ùU&Ò´|-–â¡àÓïº :œ÷^NÈ0ˆnµKÃîòÜãwv5n¤_‹—b¶$‚Ò™‰§¹?<ßúÂ]^8y,»1!Œ¬y]¡ñùÂ׌óÒ&(YÑ÷³ÆLô››7“«uí’Î>ÔnžOÒ!œJµ=Ód&Ýhi%Âq³Û=xTR ¬ˆ'ï -¿Ø„× óF¶?0PA–ßâeP¼šxoyT×]ƒ ߯ q‚éWëÆóªVüš'ƒ³DŠgªš­µ©’((_«¿ª²*ÉêjÂÉÀhýìÀß,[Rz<™ð<ËXs×;åäÚg&Úö7· lj¥*j¼}Å3®³â=Bºê„YSÏë -¢…~/Œ%뺋 Í_g>êµÓ~ãYbŠ5| -ËÐÿÁÓ6æ›.æÏcÖ(‰…4Sü4ºÖ. ³îñ à“ò<¯¬ˆ.76Ÿ?õ#»Â oyù£ðc ™2ô2Íû>Úé \‘ðc"l誤çoIk§†²ÇÝ‘Ïs§§+Û¤ßÈ„ÊMðʪìW¯> ÕÅŠJ~à‹“ç—=6óÎ/QP<Ž}%´5*¦²ÍÌà‹r][¸„ìWMfRA¾.¼Ôã·v’ówØøÍÄVn®q»7OçÙ`°W¹(ã#ðmL¢mÚ¬61$"ã”’OãÙ¿ -F ]bI“•C·v0ô]ïsŠ×V*à&Æ:-H3Ÿº?éU#™”@¬dn -ö;)Ó5†90öê8’ÊøïSÏ]m/‚ƒÐ _èìûD"6ÅÐ -ó/ ¤¤IÝn×ャÃH£J©´Á×í£\^"^?m¸î#ÜÓã­¡]?Âǫ̀ôÍÄ?õ}ŸÔ½ºCCv‰ ØÕÅóØôÉ‹ŽcÄqÙÅÄ 1È‚ÓÏAK–&ÇqJáw‡í¥óðq-²º5{Ü9cúxsœ…vtàtf>Ø.V/èàl)]ÆüjEÞ)â06¦±/ˆÅˆÅðŸ—Â>¦O9L:»åcþ‘o†, 1ÜÊ È6dðdrx·±+ -þuch`’WZÔ6¿©Rì2oŒ`¨ÍÍj“( FM›c¢JëÊ<^=¢fÎ(V«¯|^z‹D­Þ»©ÚÇ«×4úóeÍQCf¼5-LØñè‹9¤ÓlêÏÈßiÚNŽKš.¨¿’ò+sÈî/ ÙXй'ŠÝSu÷ _g““X® d–²žÃ2ÈÄÀÅtÑ"ÝF2”Ðq×,aGÑ*Ù¾¿~}õÏ'Èzž@öýÆÊÈ5Têr]Àü)÷„Vݾ¿û‚{²î}v/G•wæ[;)¨nåj7cŒ7|íÛé¿,ø¯:!öUKÌSDßØeåÐbÜn ]`EŸñ;¸`“eŸ¶ØÉ`<6,¸“c΀Že^ðe£Þ”gœãÈÕ­&)׬H1ì¶SdrvëOËx0P(îée¬-ÒM`¢!03ðÜW‰M^®#YâX$››ú4 ºÂûgG/lPŠêÛΣ›îXßl’ìr„”Úå¨è$IãÔÒÅóJÔ¿ýä  {Ø蟉©U³ ´¨©O²Q×FÞ2ÐÒ{ïÛ#ÔQÍÁ@W®Zædˆ}óº-ÅÉæiW²…k¬6$ØÌ<ÝòÔá·º7_´UsÁÕˆ=·¯(!Ä ‚¥mÊ3ýÅÿ4Çà§í†+é–nævÎi©ÿdˆÍTOwˆ -.„²5ÚþÈÖñ^ž/|†Saï½ ô»ØIvê -Ý»ê}­€‘D=Tÿéâö·½‡žëÑG]#ÂâuöñçP2ÀÂ,NÈËpߣ¶ÓñuþE+ë¼íà0 Hû"C«™»‘ïìºúŒÛ[rzaD%ƽ¯ÅSØ×¹Òøç7 Á‡;"ó%O,Gaes:εç2g‘ÇÞtR%>”¥I æ7iÚµ;Øù,Î’`kõK%hDЈßXˆ“maîÝÇì’ …¥âœa ųáb•Ž-%ÎhÈà¨ñÔÀI• °{‘ÓÌÕ7g[{H"Ó·°G×(RJÖĤ®PgŒHºX­ó~ø6hv÷bÄ„)Nà‘o\jr¼ki´Û¥Z²ŽâÃ‹Ö -ï:/ÿ©Aàéžµ@vô®ž å—þA·žÈFàQ=á'ê²_Z»ÔÙÄη+YS1¹Êƒ”ÞTRcÖì`Qœú}V› v1g1ÒŒŠ$| OIq @Ýsêç?ú¾óã°!¾,»Ö.qðŠ×þeËŠ”l~a;$gõ…<¾9K„‹DüÆ©8®À¶IÁI3ýSȱ$FïßûBßP5åqÏ' KÇ|µˆ€€‰¥ÿî`Ëf_>´« Í@MãSì7nDAðùg·u{<úzoáiC&‘RÊVçÇTA¿Wb-ΟØ]2PÉ™Ð.8ÙËÍÙ.ò¯j|ƒz]÷ÞkZlü!½989Ÿðd¶aw¨É¾ ŽµQ 1ŸŒ¸9ŸTv2@&* •šíùAùÿÿOX€fήŽöfÎv(ÿã,bZendstream +xÚíwePœí²-î<øàNpwîî0ÀÀƒ— Á îîî$¸w×à„@\.ÉwöÞ§¾»³ݺS5SïÓ«{u÷³úíª¡¡PÕ`·t4Ê8:¸²°³² ”Aöæn.JŽŠ,ê@k7s0ðp£ÐÐH:Í\AŽRf®@€Ð ´ppØùùùQh’ŽOgµ+€^K]‡‰‰ù_–ß.sÏ /‘. kí˃;ì±:¸¾Pü5€@€« `’*ªzo•eô²ÊZY ÐÙ Pu{iÅ ²:¸VŽÎð_€…£ƒ%èwk.¬/\â.3€ hz zX!¿!fèlrqyy€\ÖÎf®/wàê9X€Ý,ðb·rüSÄÙñÅÃþ{!Sutqu±pA\/YU¥dþªÓÕÆÌõwnÐ p´zñ´t´pûÝÒì…æu59¸\®¿s™– ØÌó%÷ Äô§ 7ƒõ¿*`8­Íœ-Á@—šîß·ó¯>ÿ­{3ìù'Úñ×?k¹ºÁV¬(ì/9-\_r[ƒPÞü–·VŽv¶¿ì–n`î@ç?Dÿ{f^Š0³tt{,V(o”]_Rèÿg*³þçDþHüø?"ïÿNÜ¿kôß^âÿíûüwj70XÙÌþeþZ2€—-ãPüÞ3`3gÀï]ãäü¿ÂÌìA`ÏøwGà_Åþßßá·®f/—"î`ý" ;+Û_f‹ Èh© +rµ°X™_îì]ËÁè 9_´ýs­/AllÃ4m@v¿Eàþ :Xþ½ü¹þÿFUOEKV›éßmØ?žª/“àªé þ+Ž’£å?¿y$$=Þ,<ìN^//€Ý÷ßdüCÃþ¯³’™«3È`ÀÆÊÆÆxùýÇ÷_'£¿ÑH;X8Zþž W3Ë—aû§á7láæìü¢ñŸ÷ÿ¥éœÿŒ=è´@Y^p´ ¶MÍHs­%È“2èíf‡”4hæT;vù§†mòW˜>Ô„°6N<µxÎBwå÷†ºñÁt]ÉÀã<_*†ž|¬¯´m¼L{ïß— §ýЉò>™SÜ€ÓçaÓÞÛSS7.~@ hãtF:¹f rÏÀ¥¾‚`øY¤ÔÇ⵿j„®-8üA›ðýúŠîËðà@×|Ï.1Sv,2 ;:md€S6±¨¾V…w8ÓLÝyLO|¶Õ±ÌmR0þx`ê\y®š½–æ9_{¶O¦/lqR‡ú>R±ñ¯,[¼¶Œ×â5^_¶ir½IlqO›Á¼ß™Äö&Ê”¤Ë‘D¹a}SžU¶W~e5ÁüzÌx´.wíoÛ‰4Š{½#U–pO@¬ æ6Á»¼ÃiáâÍ0:Û¦±™§ëGþ®Ÿ0h3\i³NwÙ{ø…,òŒã·uÏZ!¤lÔppI ödp'$ß¿Í…ê)O2å¡8±â*Ú!|Eºg²Yñ¢º.€êYŒày¼F¼mÚ™¹@.Aút˺—µX[Y–"˦¢e¦ ’÷+çí¸Ùš¤œÝU—w3&4|Á| — ÃØ8¯‚ÄQ-Bâäkµ¨ÝOÕß·­‡×uyrŠ2¤îI¤ù§6èP\1ìZõ|lýa?‹õ(a §d¿Š¢Á!~±‚¼€Ã,F.ƒ4sýíÀOKúsÁ´H ]h\]çþêTÐÂÎE~£Îéâ 2üE2Î$ÏOt:ò« ŸÛˆC™ öQÄ–¬ëñçO$¶"æ$:,þa8§}îsž©*“v¥Ðš·ˆb½LÇïƒé]9v¦²=» +ÙAš×`aßy\Ò@§ÕY~Š“·Kã›–%’Â! +ŸíB(Ö†ðÖØ»±µŠ° ‹…,×ëb³’ª*w3¾é‡Öm‘$Œ +½@}ëœ){Çw“·µx´Ë‹D®¯ã#^Á2j¯õ–pÁŒ[‚‰³¡qòºãïùRì}¡LÓ¥›%'!*=wÑvÑ*……Ûš ,T«âˆè9Di‡Ù5[ÅÄHÄi‚=ÉÓz°%ÈûÔ'|Q/:Øõ³à ‡?mn¤ârnoÍè½ ŦÔê;@,æ!ŒÁ•f£E%¡keÔ­Ž~$ƒ­©é[*":]V]™¹øLÖû“è–ÖUw‚{çĘ¯ûéb0n§ 3‡}ñcÒMî,åpàNý¦)³Ybº ô›<ãZ»J'ßê‹T{YΔo¢EòªEÅÖÊ<ÝÊÌG¾ô»½Í[ÿá¦H[S ÜÍ<Û>hÒÒ÷|×4ôs£0Ÿ‰ÉÕ'·_,Ž±]ƒB·%EzûæñÓ ¹²QÔ6‘fæ鋽”±ìH[Â*â9‡=öÂÏÜˬ8U7&%ÍŒ’*XkËþó;geÉæ뇷tÛð˜¼ÊÑüífi‘̲²Z:öÜ ºáð\åæ„?7½[´:‘BWF}g<KªjZmúU%S þ,‘Í|BºÉ”dÛ¡Þ¤gÀ)€0t$/10žšGrÉæbpÖŸâXÏx"1%¹ˆ£jÞnÔßSƒ ã¶qU%nDY>BœOÑ5;·,˜ßîZ“ÄÙðØÕ°].¡ûÝÄb½Ò$ –­Ô)mÎP*ºìÄrÒ-¼¯D’E*žoeÜ'ˆJw(8&*d§»ô¼_¾Å–2¦<1ªÁc‚\iìx^#T9ØÐÅÑß&t¸å_A°Y¥®Óq_›às¡TÆ^Ÿ›ûIœ‚Þf^‚6+òé«Î«ÁO¬ØÁ{8Nïô&ß(ÿˆMÐyO|1ãøé8˹Wâahgþ}AI<_àüŽ#’ýd~PŠ¬ÂC ðê–ì#¶Ò GÜQ¬1,–}NèëƒV ,*ü7ç#~‡ ôÌAÌ͘¡ÝëÚ4f7\ÉôŠÉu-Ý>c#Fì¬1¨b• P>O +×#uŒ dî´vxcA°Œ(ÓåNÆó•“øÖ°á#ø›YY¬¼ +SÛ7Šlzrs;Ó7_%w—D0òŽó Ú.Ħ›k𲳩1PÖ¦6²KÈguZíÅsX!ÄG…w‘èêÆÁÙzûŸŒùTzŽ|=šÈ-Ñ*鹂ŸÓñzŽï‰Iö¡y¨Kï–]»î:b(WýnšvòcƒN„dy‡Qr ´6[¦$Ös•ä_Í‚ +\Τp£I¤3D,R·àIÉCÌbúÝÆcöè¥}p›¹kÞV%_²[¼Í®SW£¥ýbõ›jÖ`#~ Éøš©¾¹H,Ôu´ãZªüÌÊ\¹åP¾‡ÞG¸íjý¼bVËJG´Îw´ÍÀ÷Ý\‘Œ•^¾($܉öBžÉu ågXçš?‚åJâú–Ä´Ž5űg â¤]ÙR10í±ù 7â¯%±ÄnT ÛD3Þ›¼C;Rš ­xÑ ³î÷îéüa¾¨ï+b£Œæ‡Åà+#pœ”ìÒÄÁÌ +åÞÖ,„'µEjŠ–g-ÃS¬²«¹ cùüÞ:^Mö2æ!r¦*Õ´]“îÉýõ¯ 4öÕÇ°ã¶`4½MG”nNÒ æ ˜Ÿ³zG˜ìrºdéó)|ˆ“]È¥dõÅgy-š~ˆ¶>5qNÜ=Ü×k™¹æýµŒ÷W¦'«žv†9[jä[oíÓ¯§×Ð~º·4±ó+ îÉs*¡Çˆ½¬DWŒ H;,ðMAK¡†Vª’½?2ÀŠOq#¥x¯µ× MQ~{÷¬°ð^t&!4 []Õìçí*WÜ‹Æ[“ïµ#.“O&Þ‡Ãü‹ï“çu§Åü짶iX©r45s *Œ9O¹s£z‚k¥´¨=’¨Úˆ«†­Þo_Ò ßÈüCÒå^ „ú‰š´Çzó•]愤f¦ßŸ}‹*BÚ;ÁB_~ñ¶Ö›¯V]ºOfU8°ÄÜóÅÏ[Wkx~Úò5¯àϘY?ß*ðI2ˆæˆt_ +VJ•Ux‡Ž<{-o‘òzzQvŽnHᣎìÁëŽLÜÒxNèTúÁQÕdÂt¤–²ž3TK¢³ÐÑ.ëÚÑÕSíœO3†<—7?¿t—F=ôFé¶?^K”½û‰×è€{ºÌyÕ…G5ÑaÔ]:»4aNØYW¢ öX“Sà#«tqËG<¤¼qêN‚Cw#¤vë#g“AýÊ=×4}Æýn– Yƒ²2<¨Ò÷åqñø' ¨iaŒ€½¯©5[ùsZpñ’]:à~ÿYsÚC¾ ׋…f^5ºʺ%iö>®pý"½ê+Åß_5rÎÌð–rb¡úñ%&ùòsÆ@%s‘h¼>¹eéN!I±rÝ\ÅI-ÓávL^lVc°èé4ÐvcŒ~ŽuŸÊ:êšÀ(VV±FšÉFÊ„5ª@w:¤¢O.¸Ò:¨EˆPáüòkýÁâ{b_(R{°X3#Ñ2a@wî*sH6›! rÒ\žÿMòÔtÌ4":Û_Ïi{ójćˆ w<<8×Ôæ‰Åø=´©AÎIé ·´¦áƒû…öêFé³¼fîAz(`w|îwÝzmYE5Ðnv.Ç„½Vã4É®U‹ÚÄòŠsÃÀ®»›„äØÏIt£ã€;œ©Ø!‰ïmåF£0U?N#€‘Ô®ù\ã–mTù$5¦M…PÏ`‡Ðµn¹óòËj{Xá‘‹ëi&‹ß‚0û‰ —È÷”¾ŸÄ qDéªÂä’½É}ýS_gøë/ã1m“.d½¼Iö»8–areùƒAÕ?"ìoHàØÎG +Ö**ñgòñ¾]Užx9ˆC†ÿÜåx ž„î(O®–ØþÛŸÒè!Káüˆjª&8^µêð‹šn³•žëÜe«?âåßpÅÙÀÑJˆï D ¿Áó4lr™‚pFmiøÃ÷¦ð(cÏžƒWÐÈ(ò¾KÄQ$x*’)onud€F›f¿¡™²r*f ¿+báÖJº‰uX“>ïãFä~vSè>ÁÞùEYZ3íüúiÌH,ÂÒ‡èÁ9¼`£x¥Â-rñη,ÓŽ<‰ò1‚Hv¹5ºæÍSlVr&S ø o­‡n¦¥°kEª3¡6ÿP Á€vúw«±K¨~Ñ~ïÛª„¢Ï*:„‡Äd +ÎgÎ<Šl’ÝVà®õÙ86„hd‚b•…‹q?þh8_JƒàôXMàÙ¹[ŸGTtõœÝ%±_~MgþDõ:ÚÆÇëÔ³ ?ä•Zož¦Ò>#™ëlY†ýaɇ;eJÿ[½DýîRŠaNï}X[ÓB)¡ËÄv‚e>8¸>§DvZÿšÙJ=ñªÓÌÎrdYS¸U—äeg•‰7£1bµ‡?ôOåMWâ9ìX8+¼§”n‹ &y+‘¿‹uðà¦y ?;å^¬Ñçê^oàÛ0|½Û†Œ~HÈ.opc›7Õâ̹Ήé.­2 +‚—y´’,¯K.Œ¾DKÇ5Z¤Üiö•®‡A‘Ãn•?•‰†Î_#ppÚ“øëslg°ˆ!P@0ŽÇ0!IôqªyÕ÷ƒ,#ÆM>A,†o†•¬‹ÉV3Ê,ï42~(ã³ C‚ý(]åÍ\Hæ?òÿŒ½My•Ô»=Iñ NiõÉ -ˆ'{€¦jœ%á ÏÆÛÀŒ Ξý;û•î|©ÆxCõQ®"‚Ćç?C¡øötxäI™šº”æ)¥4÷nYoôÙ!s©ÂÝÍL¨:éˆ qQ§¾pº¾îáÉï¹aÛ3±/¯ïÙ”¹dS’)뼞Tð£ŸNjûÉ …Äáv|Næ­P8Ël®BP³³8mÌDE§¦õVû!oÕ«Ir°Ì3)Èjk("÷ÚÜaä¸Ò¹²à ÆcqÙkŽ´¡ÇoÍ›×,Åì"‡Tl1x>X X+„p§¡9Ø6⟧ÜzênMÞtÈó/@a·q…>JÎåƒ×)Öq’¡•aòö›’¾Óª#FŒV^Q*º/Ú£Jiî–ûTïØ]¿­ "»dI0¾—ÿ1 "¿*!›–¾5ù¬ƒ{î„ŒŸ›¹'ZÀ#ê¥økø+³QÛ×#K-nÕeµÊsˆgâMØ¢{¤Ê1áå’Á„f7ææ,^|æ‚m”¹_1Ê*5ƒ­6È]¬‡—UÃä]²Ãm½©8g¢² © 'š¢OS-PÑ÷"²u\O´•»ª’¿Â6Þ¬ŸŒ¦ ‚Ù +ÀV²À&rG\@¡2;º‰—ßpq1±nÑ#›·ž´ÖLÇÏróqøØY"’*ùý,¶Ý0‰¢ +¿Í•¥,á 4[ì‘­îeÃüd?i‘âÊôb!ZçO;í,§©ñ’‰0Ò*Ãj»ìép细ÖKLØþorÍ¥ã;»\Ç‚ÄæYq¼I›Ÿ êihëx6ïè„Ŧl»½µ}KÐiÆé`¸YKqü>ªŠXà¢8% De‡)eZ=éÆ5¹8šˆˆÚ@Hø°û,ÙÕ©¦šc£æò€çSÌàŽ-·ÏŒ·…âŽó^µz2gt_‹^)»ïqŠ;AQ3pÀÇ÷óÊé¥ôv8%þ¡úƒèÙnä°ù.ûÇ$˜'¶‹ò¢¹›·MWÇÞD±Œ· A~Xû×iÆZ«¬²·„Ñöà`Ò+p솭ñY‰Òduéì½: šê÷}'F4Ãɯ2‘¦ák±Ÿ~×eÐæ¼÷rB†A|t#¯]vË=~gWƒàFòµAp)jKâ}*3Ñ4W`æóý§/Ü兓DzÂÈ×êŸ/|Í8/mÞ'*ø~VŸ‰|sófbrµ®]ÒÙ‡ÊÍóI:˜S±¶gšÔ¤-¥D8fv»—RŠñä@þ›ðšaîèáÂb&%dY7üõÄGË£ºî¬ ø~%ˆôH¿j7Þ›×µâ× Øiœ%úS<ËPÕl­M•„ïãø5ûk *«B¬®&œ ŒÖÏüͲD ¥÷À“ ϱ´5w½S~A®}f `sÛÀ¦f²‚ºÎkž™Ú‹á‘IÞÓÁ¤P ;Сv¨5eñ¼® ZÈ÷ÂhÒ®»èü`qú£^kMà7ž5 ¦XÃw¡Ð4ýbrfZo½ t“õ—ó­ðëZ F•`\ð¤h’´V4ÐB¸Ë>únNŽ:I-Ÿx”YP†²1¢‘Å×¹·¯G§åøöЧÏ8­ˆ‹/Ò•wWûqº!œÔP§i(e¹y¯ÌÝÂÎlY1öjŒ›ëë”!êEoL]—ÝúL$ÂöjaãõµUÒ\\ ûÌèVþ@èd®@î§èB”³Â ºô°O«ÑUŠYÄ!÷œðéùìTmü ¯I¥â`%s’x´ÞI™®1̱VÇ‘”ÇßxŸzîjyá„LøBgÝDz)„T0˜i !Ièv»F*}TL¦ ºnåòñúiÃÝpæžk íšË3£Ü7süÔ÷}R÷6â Ùi$4`WÏeÓ'+:Žc8ÄvdƒÆ }ÿ˜zZ²49ŽQüpwØ^:Óâ «[³ÇÝ™=¦›—í,´£ §=“i»X½ ½%_tõ«!y§ˆÃ|ؘھx ú•@4†ÿ¼Ö1}ÒaÂÙ-ó|3diˆáVn@–!ƒ'“û]áè_§1†&yßB‹:Ðä7UŠ]æŽáµ¹Ym†"Á¨jqLT©»sU™Çª…ÕÌEkö•ÏKo«£Õ;`5UûÃa»qõšF^`¾¬9*ÈŒ·†… ;.}1ǃtŠMýÙ; ÛÉqIÓåµ×2C~eYý%Á Ú÷„Ñ{*î¤ãë¬brËuŒÀRÖsX™€(¸¨.¤àÀHš":Κ%ì(Z%ÒwÚ‡×ßù|Þ[ÏãË~ÜX²†*ãQY® ˜?å~€Ð¨Ù÷w_pOÖ}Ìjàå¨òN×±“R†êVªv3ÆxSqÁ×¾úË‚ÿªb_µÄ<1Eø}PV-ÊíÚFPô¯ƒ 6Qöi‹mÆcÂ;1ê èXæ_6êMqÆ9Îc÷&¿¡päxy Yšeì÷!jZ—vs@#ñ ó0涨løTŽoüS¯ Ö “D¦\Ýj‚RÍŠÃn;y:Wa·¾ñ´Œ¹Âž^ÚÚò Ýô&3Ï}•Øä¥á:’%Ž€Eò±¹©OÝ ëCÿìè…­JQ}ÛydÓ«ÎÁ&ñ.Gp©]¶²ÞI‚46~m ],¯D½Î']øèÃFÿtLÍš¡E }â"¸6²––Þ{ß¡Žjºr•2'C¬Ú¶$'›§]É®A°2Ø3ýtËS›ÜêÞp|ÑVÍW#VôÜþ½¢t†ƒê=,MS®é/þ§9?-7IÏ°t3·s¾˜HK=ø'Ct zºCä0ÈhTp!„­ÑöG–¶÷òüxá3œ2{ïÍx€Hè ßÅN¢SWÈÞU/­QuO}•ý*ÐÚ¥Æ&v¾]ÉšŒÉUþ^ñM%fÍÎ+ª‘S¿³Ïªs†]Ì™ƒ ¤4" ž?ˆ'%¸ î9 õƒó‹}ßùqØ]–]k•8xEký²eEJ4¿°’³úBÛœ!¿E,~ãŽTS`Û$螺úˆ)äÎX¥wç}¡‹g¨’ô¸ç¡m¾Z„Ï€ÄÒw°e³ÿ6¤« Í@MýSô7nDAðÙg·u{\úzoáiC&‘RŠVçÇdA¿W"MÎàŸX]2P‰éÐ.ØYËÍY.oiªƒúˆU÷ÑkZlü!µ9(1Ÿàd¶aw¨É¾ †µQ1Ÿ”¨9ŸDv2@&*•ŠíùAùÿÿOX€fήŽöfÎv(ÿxébmendstream endobj -703 0 obj << +707 0 obj << /Type /Font /Subtype /Type1 -/Encoding 1344 0 R +/Encoding 1347 0 R /FirstChar 40 /LastChar 122 -/Widths 1351 0 R -/BaseFont /ORHGST+NimbusMonL-ReguObli -/FontDescriptor 701 0 R +/Widths 1354 0 R +/BaseFont /PYOUGV+NimbusMonL-ReguObli +/FontDescriptor 705 0 R >> endobj -701 0 obj << +705 0 obj << /Ascent 625 /CapHeight 557 /Descent -147 -/FontName /ORHGST+NimbusMonL-ReguObli +/FontName /PYOUGV+NimbusMonL-ReguObli /ItalicAngle -12 /StemV 43 /XHeight 426 /FontBBox [-61 -237 774 811] /Flags 4 /CharSet (/parenleft/parenright/hyphen/a/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z) -/FontFile 702 0 R +/FontFile 706 0 R >> endobj -1351 0 obj +1354 0 obj [600 600 0 0 0 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ] endobj -633 0 obj << +637 0 obj << /Length1 1630 /Length2 15731 /Length3 532 @@ -5704,7 +5698,7 @@ endobj stream xÚí¹UT¤]“%Œ»kቻ;îîîNâZ¸»»;…»»»;…»Z¸ÃÔûõt÷¬ž¹šé«ýy“ω±#Nì8çY¹’œXQ…^ÈÔÞØLÜÞÎ…ž™‰ ¦¬¡hdccd ´—¥W¶·5ü5³Ã‘“‹8™¹ííD\Ìxf¦Q3 €™››Ž bïàá´°tPýå ¦¥¥ûOË?.cGþF:-ì~˜ÙØ;ØšÙ¹ü¥ø¿T13¸XšÌ6fE-)y •„¼@ÂÌÎÌÉÈ èjl4ÈMÌìœÍ¨æöN›[LìíLÿlÍ™á/—3Ààì`füfænbæðDp0s²:;ÿ}NFv.{àbڙظšþSÀ_»¹ý¿ -rp²ÿëaûûK¦hïìâlâtpüͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ3w—r›LÎ6Fsÿ%spþ« Wg ÅV@p2³0r2µ1svþKó—ûŸîüç>ÿËîl<þmÿ/¯ÿ¨èâlfcÎÇÌò7§‰ËßÜ@;8ÆFEÊÎÜÀÌôovSW‡Ç~˜9ý«ATÿÌ õß"ŒLííl<¦fæpŒòö.S¨þïTføïù¿Aâÿÿ[äý÷¿jô¿âÿ×óü_©Å]mlälÍþø÷; øç’±ûß¼l6ÿ'ÿÿê©aöoEþi¤\Œþ¶BÈÎâ¯ôÜ l\LÜÿÅîf¦Š@K€¹‘Íß^ýË®fgjæd´3û«é¿Ú  gfbú/˜ª%ÐÄÚîŸæ³ÿdfgú_ëÿ+Ó¿ªgT“W¤ýßîUz›¿óeÀÌÁùoŠ'ÁEÕÃÁ ð?ÓiÈÙ›þÇâ>aa{w€=3€ž…‹õïdap³±úürÿ‹ˆù?×rF.N@w€ó_Ò¾™þÉý€Þ¡³3±7ýgvT\ŒìLÿŽÛþM\œþªü¯àïöÿ}ý¯Á73s73[ûeoÂl•ž•áR‡72%ª3ÐÇ >âPÚ¨ZTè_cßë—¾Ë]iø^ÂÐ4ÃóÙî±|æðq(Ms4Ö‡eCÙ›jvU€ïCJÝ_ˆºEÑÉI{Ȩ_Š˜q®íu½$»¡ÍÁ¤~´7¥¤¬_òE0ÓÉêsýDíOú£ÐƒìÑÉ×$­!³ ¥ ­îçÙ9EÒéÓ#åÐøèÈpï dÿ!mn,9ïDŠ(Ç\<mµ +rp²ÿëaûûK¦hïìâlâtpüͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ3w—r›LÎ6Fsÿ%spþ« Wg ÅV@p2³0r2µ1svþKó—ûŸîüç>ÿËîl<þmÿ/¯ÿ¨èâlfcÎÇÌò7§‰ËßÜ@;8ÆFEÊÎÜÀÌôovSW‡Ç~˜9ý«ATÿÌ õß"ŒLííl<¦fæpŒòö.S¨þïTføïù¿Aâÿÿ[äý÷¿jô¿âÿ×óü_©Å]mlälÍþø÷; øç’±ûß¼l6ÿ'ÿÿê©aöoEþi¤\Œþ¶BÈÎâ¯ôÜ l\LÜÿÅîf¦Š@K€¹‘Íß^ýË®fgjæd´3û«é¿Ú  gfbú/˜ª%ÐÄÚîŸæ³ÿdfgú_ëÿ+Ó¿ªg”’ÑPR¡ýßîUz›¿óeÀÌÁùoŠ'ÁEÕÃÁ ð?ÓiÈÙ›þÇâ>aa{w€=3€ž…‹õïdap³±úürÿ‹ˆù?×rF.N@w€ó_Ò¾™þÉý€Þ¡³3±7ýgvT\ŒìLÿŽÛþM\œþªü¯àïöÿ}ý¯Á73s73[ûeoÂl•ž•áR‡72%ª3ÐÇ >âPÚ¨ZTè_cßë—¾Ë]iø^ÂÐ4ÃóÙî±|æðq(Ms4Ö‡eCÙ›jvU€ïCJÝ_ˆºEÑÉI{Ȩ_Š˜q®íu½$»¡ÍÁ¤~´7¥¤¬_òE0ÓÉêsýDíOú£ÐƒìÑÉ×$­!³ ¥ ­îçÙ9EÒéÓ#åÐøèÈpï dÿ!mn,9ïDŠ(Ç\<mµ ±ªVõ¶ý^Nc_ñõiܬ槕Q¿ÑŠÔ+«ñïPYŸÌôZ#Ûõ½¼6SºßS7Cç0ÂþD¶X>ªO¯Æ¶aÕl¾JüÁøÒŠuwßùöüh¨ÁŽ7n- ª}»›ËÏì¯ò[ùwµ gïèÕËä‡× †¸ºŽïÛ­IZR » ˜Yâu#1¯› t,’‹¤×CMMW•M¬îÓ–$IÁ]•Ð}}™ß×(+X{—üÓHï=s]Ô½í<›Øáb57U‘Ct¸¹# ¹@ ²KCúFúØì¸5Ö0ë#‚OXíg½FC'ØÐÀ"¤¹ú,ï6çš#±VEÿú4Í ÙTÙ ƒ˜êççX}×¹F; yh ȱ½ýx˜!:Á<œ?-p©yó>sd³aEG2 ‰iħØä¢_,Ì:ý¡ÒI“ È ú€èç“.ª¡Ü^ó!Ozü(~”@½ð¤Ê¨JïŽ ÷(ù)I¡É’!Ë[í¿7O’0 ™(Öê/Êó#?ŸòtssÕï“wÏgWWÂù;í @@ -5776,35 +5770,35 @@ PпÜ  ªjDÒG@œ=ù¢0Vþ23qð8@R‚¢Sx†€ÀˆQšk>Ö˜IÛ»åÆnÕ@ Šœ+7ƒ¥ #xA&¶#A×÷“š k‘ìÚIÍ!]i¿ƒ–A!’ª5•JN¾w¢O’ ˆvš·Ò‘*âô*,¥×¤Q*Þ=£•^¯ÄìP«Üé툘Ífó®U‰{™™®ºû¶®á·Rû™ÁØ aûp"ë¼[÷—– ®k=¡_„ ë¾´6÷g]Þs±ã¢V×/h_ëìË4J#gBó³Ä…¨Ýûí:½ôy­ã~ó•é«©W-ªuuàúàÒã£^N[pa*'õÖÀ+Z“XÁàæකÈ}†J~NZ_?ÿ}þiæxA‚ÂðòÎZÊ6š§Œ u£a£ÊýDAEËÿŒåkd'‡Œ®2Õ؇¯ V°î2»“u=œÕÏ"¨¡ ¥}ŨRpÔG0Ò|Ëÿ°Á÷v¯×ã#Ði¹j3ÍTâè(3Z÷†]ö‰6$áHý.ù2rä"Šñ.Q}Œ[ô(~áa¼ô|·g7LÜëèi GÕzBƒ¤ìò°ôÉy,£–¢€%ÝÞû.îcäG3*Ùºr¢ê.ûÝS²Z°¶¯Üi𥰛‰àò"ë8׊Ê[¬oœæiªÈtB!N²Ma3_#”Ö‘3?z25Q«û%Tb÷‹ºðƒS‰\ ”Ë`DðÌø¹Õ"†Ò»K$šù‘ W»P-$Ô"taâ5í.§œi"2a îÎEg|鞢³‹O-,Œ'²Æ¤ùp|’Ì”‹Ò7rž´­‘€µ‘‹Üä!ðvƒŸÖß0ÕBöy\åqýXkÊ€XƒÆ;my»”(~aŸ›{á|±ob’ØÏÖ­Ùxœ=†¤…` Ö罦(h ö˜85]‰„C¬…ù×UÎu×ÞÃ4]}+7ÄÝ Ú‰-¬ú‹O ›ë}KHE®r¹ çbÛŸÉwO0t©„oµÆuZ¶Rèt•qø’.ùã8M“ƽ7·ôº8m [lC)¤ŸÙ¾X<‡ø¢ø¨7¢rLÚIQº¹RоR>„OôºˆzMЃ·:¨ “Päkæ ŽwS´RnBßÆÆ<9Ų|<ø{_À+¾>¡zZL¼³S©6v˜I  ?0 -tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìmœ¬áþô_ªendstream +tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìmœ¬áþ>ì¿endstream endobj -634 0 obj << +638 0 obj << /Type /Font /Subtype /Type1 -/Encoding 1344 0 R +/Encoding 1347 0 R /FirstChar 40 /LastChar 90 -/Widths 1352 0 R -/BaseFont /UIDBFP+URWPalladioL-Roma-Slant_167 -/FontDescriptor 632 0 R +/Widths 1355 0 R +/BaseFont /IKWPAS+URWPalladioL-Roma-Slant_167 +/FontDescriptor 636 0 R >> endobj -632 0 obj << +636 0 obj << /Ascent 715 /CapHeight 680 /Descent -282 -/FontName /UIDBFP+URWPalladioL-Roma-Slant_167 +/FontName /IKWPAS+URWPalladioL-Roma-Slant_167 /ItalicAngle -9 /StemV 84 /XHeight 469 /FontBBox [-166 -283 1021 943] /Flags 4 /CharSet (/parenleft/parenright/period/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z) -/FontFile 633 0 R +/FontFile 637 0 R >> endobj -1352 0 obj +1355 0 obj [333 333 0 0 0 0 250 0 0 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ] endobj -626 0 obj << +630 0 obj << /Length1 1606 /Length2 15226 /Length3 532 @@ -5817,7 +5811,7 @@ x øk䀣 u9ƒìlÅŒœ¼  )@ h`e°ðððÀQDíì=AæÎj5e ::úÿ´ü0öøÏßN s[åßW µ½ ÐÖù/ÄÿñF àl˜¬QÅïZÒ ’jI5€$Ðèhd øîbl 2ÈL€¶N@€™#Àúß €‰­)èŸÒœÿb ;ŒNö@Ðßm@w ý?.z€=ÐÑääô÷r˜;Ù:ÿí³dkbíbú¿v3»²w´ûaó×÷컓³“‰#ÈÞð7ëw1‰ót¶0rþ'·è¯`gö7ÒÔÎÄ埒þåû ó×ël²u8ÝÿÉe ˜‚œì­<þæþ fïú '­ù2 8ÍM­NNaþbÿÓÿ¬ð¿Todooíñ¯ÝvÿŠúŸ@ÎN@k3F8Ö¿9Mœÿæ6ÙÂ1ý3(Ò¶fvæÛM]ìÿÃç tüWƒ¨ÿ™š¿$ŒLíl­=¦@38&;ç¿)Ôÿg*3þ÷‰üß ñ‹Àÿ-òþ߉û_5ú_ñÿíyþ¯Ð.ÖÖ -F6àß àï cüsÇü¿bl@Öÿ›èÿ¨ü7Ãÿˆ´³Ñß6Ûšÿ•‚™‘ùßF“Èhúälb03²þÛ£ÙÕlMŽÖ [à_-ÿÕF 3óñ©Z€L¬lÿi:Ç¿]@[ÓÿÊü¯<ÿâͤ¥)®¬&L÷_oÓE}ÿ«º³ª‡ý_bÿ£y;Óÿ¹øCDÄÎàÅÀÎ``åâpr³¸¹X|þ7ÙþÃòŸky#gG;@çoÉÌ,ÿ*ü¼ÿ¹Òû/0â¶&v¦ÿL‰Š³‘­éßÁúŸ†Ü&.ŽŽõü×Yÿ[ð¬ÿ5â@ ;ÐneÑ΄/Ø2=+ù;ohBL§¯‡b(ľì‡jq¡­]·_zø6O•á[]cÓ$ïÇ/…?öïû2´#=XÖTÝ©À‹2šÞBÔ Êv.ºƒ@&ý2ÄŒSh¯Ëy¹-HmNfõƒ %eýÒ7(ÂÉv6G˜ËG2×B ò{$_“´Æ8Ì”&0´ú¢?§”IÇT£ÃCƒÝ×_{÷ñérã`)ø\!)£ürñµÕª¼"h3Ç&¬±„N™Í»‡¤¹ï°8×ÂYÂù6ª†Ü|.°oŽ Uà‡í”†H\ά={“fzüñÛwšÌ(;InjÚß1$“.]dþ¬²¡ó»ç§c!˜-ÖÅH»FÄäôæÇ€;Ãõ=Ä|Û.ÛE‘e ë ¼ŒPxÏNV?±W£¶Æx›5VB¹®u%GñèêÍà©Ne„/GçÈƬ÷v^8 %1ÿƒš1KPè½qݤA‰?ÇèñQÚ!©æ6ø$Þqs/ª A{øƒOÅзëðÉx~X¹vÿØïîYÍaWtM=#à„‚&æ¦Çå@ÀЫ®2 å‚+°ƒ~YqWRcŽÏ67H­ŽÓüÛÚá7ªù« Õ0–† ¶_¼Œ¸F?‡ÚŠ‰½Ž ?B¡‰65Ôó½ø® +F6àß àï cüsÇü¿bl@Öÿ›èÿ¨ü7Ãÿˆ´³Ñß6Ûšÿ•‚™‘ùßF“Èhúälb03²þÛ£ÙÕlMŽÖ [à_-ÿÕF 3óñ©Z€L¬lÿi:Ç¿]@[ÓÿÊü¯<ÿâÍ$­$#¢)B÷_oÓE}ÿ«º³ª‡ý_bÿ£y;Óÿ¹øCDÄÎàÅÀÎ``åâpr³¸¹X|þ7ÙþÃòŸky#gG;@çoÉÌ,ÿ*ü¼ÿ¹Òû/0â¶&v¦ÿL‰Š³‘­éßÁúŸ†Ü&.ŽŽõü×Yÿ[ð¬ÿ5â@ ;ÐneÑ΄/Ø2=+ù;ohBL§¯‡b(ľì‡jq¡­]·_zø6O•á[]cÓ$ïÇ/…?öïû2´#=XÖTÝ©À‹2šÞBÔ Êv.ºƒ@&ý2ÄŒSh¯Ëy¹-HmNfõƒ %eýÒ7(ÂÉv6G˜ËG2×B ò{$_“´Æ8Ì”&0´ú¢?§”IÇT£ÃCƒÝ×_{÷ñérã`)ø\!)£ürñµÕª¼"h3Ç&¬±„N™Í»‡¤¹ï°8×ÂYÂù6ª†Ü|.°oŽ Uà‡í”†H\ά={“fzüñÛwšÌ(;InjÚß1$“.]dþ¬²¡ó»ç§c!˜-ÖÅH»FÄäôæÇ€;Ãõ=Ä|Û.ÛE‘e ë ¼ŒPxÏNV?±W£¶Æx›5VB¹®u%GñèêÍà©Ne„/GçÈƬ÷v^8 %1ÿƒš1KPè½qݤA‰?ÇèñQÚ!©æ6ø$Þqs/ª A{øƒOÅзëðÉx~X¹vÿØïîYÍaWtM=#à„‚&æ¦Çå@ÀЫ®2 å‚+°ƒ~YqWRcŽÏ67H­ŽÓüÛÚá7ªù« Õ0–† ¶_¼Œ¸F?‡ÚŠ‰½Ž ?B¡‰65Ôó½ø® ñ½¿Ý¡$ý6;›˜ ½S‘F‡‡9Lq®÷#7ùºÞAæOy«Æk™¬0\™òã)àÚŠ¯Põýè_°ÏÈ𸯪+WX½À4qW%¸3A pÇ‚yçNјŠhÙFƒ´¼òàH«Qûv¡;±0p•]ßt’~xd,Š‹÷xÂÍ6m$ˆ¤bŽè›a»èýa–Qº ÅZCE{˜Í¸V>$zytgC¿ Ëûž~^üZ΢ë—'¿4vÌ¢€œQ(߈¼ÚóE$9>RÛòvJr —Ž!V•Qê-¦  ç]kˆ«#L¹)N[ Y'L Ml%£:Tid„‡Í!³ÿ²|Ø=ðÐû})ñËHzÕøQ£ð·)k{U“›âí÷T£Â•¼hð-· ÚyX3ïIIìŸÐð¼íˆBÚþ# @@ -5862,35 +5856,35 @@ S --˜TÎÁ?åשּׁ~Ig.äs#IR³1Þdà0säÐl„ë¤)wÜÔC‚5ZêD¡˜A|aK]¾öQŒ)ŠÑßÛ¥fÜ-6wâœÌn¿Ô‘ëZ¬×ñÂe²€KQÊÉ!qäl†ä Ã;¼Â` ¯ˆ«Ýjƒ"àFd’(ñ¹%Ð¥å Ÿ¤­:ìKÐÙÖ»ûúj?ã0GLÝå/—‡ÕsÉmtèŠ7@F.°vš\õ`òƒ_¨à@ó+ß­'9/þ´îQöñ;*œî~¿ˆ\Ý‚°¥ù"@Ãw¥>£âÎ9sÄK’èe—©p¦ÑÌuqzžî-/”íÞÇyCO’V¶u˜n¼ø‘LȘãmí]…’aÛþ­FP´¶Õ…ØÚ7æwźôˆ%=³ÁÆ’m±UŧØÌýÔ†Çæ™Yne[BcÚ£´ºê« €šAB¶N —ýRÖµ`0¨¾Ö¬§Üx±±Õ\e äêò&½£Êixá>*ñ>:¡»_ /P-Báé57# Ck¨ym¯”KO=áÒ[-9o${ ÅÊQ™Uß›³ôQßü³¿iyÜÇ Ê `è“ÚP’ž{EÔ¦+çéÛo}ÙCC=ÑÒqÉu¯b¬Çæî¼@T``¥Ùݼ¼8Ô•z—Ó“Ênº¥OJðËOÔ5¨)!?ax}qç“,Šc¬éHbè¨éÇ­î7?ß ƒ[~Ãõ…žQf¬dÜ;i |›PjPJ­ô±n9øwÅ÷÷|·Õ+ÑíÔ˜Kdž˜„KŒÍ ^§s|ÔS°@Ã?åÝŠãeÙùÖ™õC©¢70c5ò¥Ò5Ÿ¼irù:ÂçXJ&d8݉²ý:ͨƒ]À„¯W"é&Õ3Kß/ͽìü1˜5Î#bŸfÌØ7ñ$ú#ב¾_öfÌfÍÅ›-”í=ò{Óqó/ êsTDõùù¢ïÆÖ_ÍÏPHŸÍVÜÓ ûŨãú{Úë ì†4Ó Ç}K«bÙ“¾ 'Ï+Ó¬;=A÷ßéZq<ª_6§VsL{Óë£?$£\ëY 1XHB« Å8Ç÷ÏD¥)Å„ëù¨àAb ’¦„ê7­È‚F8Âhï[ž±wœèßsÃ|H{ÒÊ6kô¡gKE÷ÂU‚?ÍâÍÁì«o¹mHl8‰bÆ©Dú£ð8p]áâzÒ#y\²JØÃ÷@yÊŃeŽYIi1ù°Íù×û=°ÕØÁN0Vn#ΦŠ{qšpX²dãûÁÐuƒû®§tD‰ëš½¤&â4Nü8ë»&\uþf«ÑOì_õbÊ8Ûb0pÏòkÃÀwÈJ±£ßÀ·¹$±ñk'o gà©È½£ÿ™Nù|:ŽÕ€¨Ö2ß,ßÆX@§¶ò‹@¯‘“<; aQ§*¢êŒmš' Ò «ñh²°þ;f&õÏý tYPXÉ(ÄÑ—îÿ*ìRâ͋MI.riAÛ³eBapX,&L˜”FÄqOÕi/zÌ-JîÙŽX!|½ôÔ{/¥Êl“”2êL¦›$ôéy¶r×òèt A3È׸„–MT•˹#“Ÿ_«ê±C˜Ä%3(ØBN®fMݱd[ï0i®§¬Þe˜nùÃ,2†•³>Q~Eó“l¤Ñ‡d¥K È ¿X¤ô á€S¥M†kh_v.ÊZ°XY–×~dŠZ£þq z3„=pÔÍ*SÈá£.rYÎ8xz¡ªm:è«íƒÂfkl®õ3V°yÇݪ"|pA´q+K¯ìñÄ5ÄÆòX”ñ3³S“K¸8”Xgúy6VœOÉÒÀn‹|@aµ»§Õÿþ\1-óò$jô½·Yâ6IÞåQˆÿ¨Û.†î†!ÿ" Žíë½#kÒŸ@nüšÂ.MV5âÒžpɾT “L$*jsK€kU3P"¢÷ÇÇ‚“\e,Ѷ™ßUeÅATIˆ¼Š#DRÏãþfž‡ïDŒ4ùä;¬«"_u´©+E¸8å´•È.a«MçeÉ™¸m»ÝbîBß_S¨—,ò5žL(Áœ½¼«lè„OÞÐë³,­ÜV"éˆeÛæÅ—¶‡~,¡¸ŸÆü€¾µ¦gq8¿¯Z‹—Å}á/Å'laÿ†SÙq³t‡º¶^H·âœNwÌútaES«¬¾lfœêð~,¯±Ni`—…Ïg Cž@2|§ãÓ>ú6.ûW˜ï>µ½Ø“M¿+Ÿ $g;µÆñGïÞ—ÆøE×®Ú§qkERãÒÆc{…ŽZ²ÊZd;_Pº· t‡Èû/QOûIàÏg»–%E:)‰7‰‹zz÷Ÿt¸ZúŠ -É9û×ÖN¨Ó©Þ¶Gn‚‰å”÷,Œó¹ñ:Ÿ5Å=©x¹=Z©¥…»Qò‚Gc]qŒð_¿³—«º'í(åDZþ´î€J®­‚Iç'«_ßÂ:ŸÇHjDõlÝå„,©qØ` G¾¬†\È@éø¦‚œ—éܪðX¢ÈQ<Ñi8ºÄ|#ñ°Åò­õ›O(m£mŸ8½7¸r¯já—"Tày¨ Zì|AúßPqéí [ÈÃù3Vìlî¾ ™VÉlb¼¤.ÛžF ûoŸJ¶ôËñdË&æfƒicÕÆð+wŸzH_e«ï?ž†éw¿*¦‡½þbž_’‰OÁiÏ‘+nRÛLžy‹TÏ}ƒö¿‡§#k=|œµÉ?£òønž:¯ž;]ÚâõPÐ2™¬ ÓxØêì4ÕLGõFöŽv2ÄШó$œ²í«!¿¯û[¦9Ó}ÝhHç8E7õÙÖË];#tø³;ÚçQ¤ÉTà¹BKÈhHËœ¦}3è¨.F˜Q8)IO ‡ùÿòûÿþ?`b 4rt¶³1r´‚û×Kd—endstream +É9û×ÖN¨Ó©Þ¶Gn‚‰å”÷,Œó¹ñ:Ÿ5Å=©x¹=Z©¥…»Qò‚Gc]qŒð_¿³—«º'í(åDZþ´î€J®­‚Iç'«_ßÂ:ŸÇHjDõlÝå„,©qØ` G¾¬†\È@éø¦‚œ—éܪðX¢ÈQ<Ñi8ºÄ|#ñ°Åò­õ›O(m£mŸ8½7¸r¯já—"Tày¨ Zì|AúßPqéí [ÈÃù3Vìlî¾ ™VÉlb¼¤.ÛžF ûoŸJ¶ôËñdË&æfƒicÕÆð+wŸzH_e«ï?ž†éw¿*¦‡½þbž_’‰OÁiÏ‘+nRÛLžy‹TÏ}ƒö¿‡§#k=|œµÉ?£òønž:¯ž;]ÚâõPÐ2™¬ ÓxØêì4ÕLGõFöŽv2ÄШó$œ²í«!¿¯û[¦9Ó}ÝhHç8E7õÙÖË];#tø³;ÚçQ¤ÉTà¹BKÈhHËœ¦}3è¨.F˜Q8)IO ‡ùÿòûÿþ?`b 4rt¶³1r´‚û„Ðdyendstream endobj -627 0 obj << +631 0 obj << /Type /Font /Subtype /Type1 -/Encoding 1344 0 R +/Encoding 1347 0 R /FirstChar 34 /LastChar 125 -/Widths 1353 0 R -/BaseFont /YXERUA+NimbusMonL-Bold -/FontDescriptor 625 0 R +/Widths 1356 0 R +/BaseFont /IQJBXB+NimbusMonL-Bold +/FontDescriptor 629 0 R >> endobj -625 0 obj << +629 0 obj << /Ascent 624 /CapHeight 552 /Descent -126 -/FontName /YXERUA+NimbusMonL-Bold +/FontName /IQJBXB+NimbusMonL-Bold /ItalicAngle 0 /StemV 101 /XHeight 439 /FontBBox [-43 -278 681 871] /Flags 4 /CharSet (/quotedbl/hyphen/period/slash/zero/one/two/five/six/seven/eight/semicolon/A/B/E/F/G/H/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright) -/FontFile 626 0 R +/FontFile 630 0 R >> endobj -1353 0 obj +1356 0 obj [600 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 0 0 600 600 600 600 0 0 600 0 0 0 0 0 600 600 0 0 600 600 600 600 0 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ] endobj -623 0 obj << +627 0 obj << /Length1 1612 /Length2 18545 /Length3 532 @@ -5900,8 +5894,7 @@ endobj stream xÚ¬·c”fÝÒ%š¶Yé'UiVÚ¶m?iÛ¶]i³Ò¶mÛ¨´Ué¼õžÓÝ_sûþéûýØcìkÆŒ˜±ÖØ›œXA™NÐÄÎ(fgëLÇDÏȳ°1rq’µ³•¡Sš¹þYáÈÉ…†Îv¶"†Î@.€:Ð 403˜899áÈÂvöŽfæÎJU%u*Úÿ²ü0òøŸž¿;,Ìlßÿ¾¸­íìm€¶Î!þ¯7*gs ÀÔ–WД”PŠË©Ķ@GCk€‚‹‘µ…1@ÆÂh뤘Ú9¬ÿ½ÛÙšXüSšý_,A'€!ÀÉhlñwÐÝhÿ‹`t´±prúû°p˜9Ú:ÿí³ÀÂÖØÚÅäí¦vÿ"dïh÷7Âæ¯ï/˜‚“³“±£…½3àoV±ót67tþ'·“Å_7ÀÎôo¤‰±Ë?%ýË÷æ¯×ÙÐÂÖ à twþ'—`bádomèñ7÷_0{G‹Ñpq²°5û/´G ™¡£‰5ÐÉé/Ì_ìºó_uþ·ê íí­=þµÛî_Qÿ‹ƒ…³ÐÚ”Ž‰ùoNc翹Í,láþI[S;ã¿í&.öÿÓç tüWƒ(ÿ™ª¿$ Mìl­=&@S89;ç¿)”ÿw*Óÿ÷‰üß ñ‹Àÿ-òþÿ÷?5úßñÿßóüŸÐb.ÖÖr†6àß àï cüsÇX:þ¿Â m,¬=þþ3Pøo’ÿ8’Ά›!hköWFzÆ-œÄ,Ü& -ÎÆæSCë¿ú—]ÕÖèhma ü«è¿š  cbdüŸŠ¹…±•í?­gý· hkòŸäÿŠô/ê ² -âª*B4ÿy§þ+Já¯öÎ*ö‰ýRdíLþ×â !!;w€ÝßHÇüƒÀö7!“Ïÿ!Û¿`˜þk-kèìháÐþ[2#Ó¿ +ÎÆæSCë¿ú—]ÕÖèhma ü«è¿š  cbdüŸŠ¹…±•í?­gý· hkòŸäÿŠô/ê š*"²²Ê4ÿy§þ+Já¯öÎ*ö‰ýRdíLþ×â !!;w€ÝßHÇüƒÀö7!“Ïÿ!Û¿`˜þk-kèìháÐþ[2#Ó¿ ÿÏ­tÿFÔÖØÎäŸYQv6´5ù;^ÿËðÛØÅÑñ¯ªÿ:ñ þŸë :è4†[[¶3æ¶LËLw®ÅΞÑîïe±/mP)*ð¯¶ëñK ßå¬0x¯ ¡oœæúlóX:³ÿ8”¢þ=Ú‹eMÑ“ ¼ÊÇ÷!¥ê+@ÝúÞÁNó;A¯1ý\=ÚëzQfB‹Qí÷Þ¤¢’^É;ÁtÇG˜ë?Tþ¤®þdOöH¾Æ?ëã0;QAÐj Ïο'üy¢ê¹…ì;ģɉƒ%çv…@üåïƒÇ¯¥ZáA•Þ„€wÛ~ýI¤Þí¥—GN†Ki#óª`–¿nÛ.óž ™ÞÎÏ“$ë(ÑzX©u3?Å#˜4Í9—ûµáB.ê„ÍÓ„?Ô7kE4“ ]O8üvCÙïîUkSMýÚ‡”»02£ØYZïÖuHÎH7áR‰$ÜjïD"$m|/Ë·K|ZT7âí質9—1ÉÕu¬Íü¦@ÖvŠyÚÄVhØx+20%3Ôt£%7!AZ|®èÑá{åÚG–PîóÄ¥¡ _•öÀÐXªÚÙ"³ ò'y´»¸ ¹Ío)8[”Ì—3 !œ,ž Ëh!k> endobj -622 0 obj << +626 0 obj << /Ascent 625 /CapHeight 557 /Descent -147 -/FontName /MPGUTB+NimbusMonL-Regu +/FontName /YTDMMS+NimbusMonL-Regu /ItalicAngle 0 /StemV 41 /XHeight 426 /FontBBox [-12 -237 650 811] /Flags 4 /CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright) -/FontFile 623 0 R +/FontFile 627 0 R >> endobj -1354 0 obj +1357 0 obj [600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ] endobj -617 0 obj << +621 0 obj << /Length1 1620 /Length2 19156 /Length3 532 @@ -6011,7 +6004,7 @@ endobj stream xÚ¬zSx¥]·eœTlcÇv%©Ø¶íìضmÛ¨Šm£b£bÛ6»¾ÿïÓ§ŸÓ}Õ}.ö~Þ5Çœcb¬µö¾xɉ”éM쌀bv¶ÎôÌ L\U%uCkkC ;zIgCkÀ_3,9¹°#ÐÐÙÂÎVÄÐÈPšD€Æ3''',9@ØÎÞÃÑÂÌÜ@õ—ƒš––î?-ÿ¸Œ<þùédaf  øûà ´¶³·Ú:ÿ¥øTÎæ@€©…5 ,¯ ))' —SˆmŽ›Pp1²¶0ÈXm€ÔS;G€õ¿c;[‹ZsbøË%è08Ù-þ†Ýöÿ@t{ £…“Óßg€…ÀÌÑÐÖùï œí¶ÆÖ.&ÿð×nj÷¯‚ìíþzØüÅþ’)Ø99;;ZØ;þfUûwÎæ†Îÿäv²ø ìLÿzšØ»üÓÒ¿°¿4QgC ['€3ÐÝùŸ\F@€‰…“½µ¡ÇßÜÉì-þU†‹“…­ÙV@pš:šXœþÒüåþg:ÿÙ'àëÞÐÞÞÚã_Ñvÿòú_5X8;­M`™Yþæ4vþ›ÛÌ–ñŸ­"ikj`fú·ÝÄÅþ?0W ã¿DõÏž¡þ[„¡‰­µÀh -Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1À?—Œ…ñÿánhcaíñ ø¯žêÀW©4s±6tü¯ð¿émÍþ*BÏÉÀöo«…“˜…;ÐDÁÂÙØ`jhýwVÿ²«Úš­-l5ý×8ôÌLLÿS1·0¶²ýgølÿ†€¶&ÿµü¿2ý«xF%%-IqÚÿó^ý—ŸÂ_ýU<ì€ÿ™D]ÖÎä-þa²sxÑ3s0èY™Øþ»¿ó;³Ïÿ%㿈˜ÿs-kèìháÐfb`bbüýþÏ®tÿ ¨­±É?;FÙÙÐÖäï&û_†`cGÇ¿ÚþëÜÿmú?ÖÿÚî@ ;ÐveÑΘ;Ø2=+ù+ohBD»¿—|(ÄþWƒJq¡µ]_zø6g…Á{MCã×g›ÇŸSû})šƒ‘^LkÊžTàe¾)u_!ÊEíA £Þ/„Œ3õh¯«™--v&µƒ E%½ŸïPS¬Ž0WOÔþ¤®…þèdöˆ¾ÆiõqÈ ¨µE§gIÇO”¿G‡‡{n ûöñhs㾑s»B PDù;äâñk©–‹V6½8mN¨Œ Ávìòø›½ ä´“[¬{[Ëû^ ¬jÄî Öæð¡'¦E½à3õ%­µK$cÿŒæ^55`wzý´æ]ŠÛê{ÌFx9].òn1[Em™QBÏ•[ï¹öضé3MºÔí¡v»ùV¹\¢ ³*2m jVöˆ¨pz/’]6r w™ÇR‚I%Poýpc75ÈÔ'¶ÈhÀƒ W7JUϳ`K¡$¥ÀsÎ<Ä7:^ƒÉXÖë}†¿?Gæ;¦D»Ëc|y´—GðCK”Ï?eñ!AÊ¥c£VÖnPW±6HãÊQ9+–hh8©SfŠŸ0gÒËÑÍÁýh7F(Í¡7öؽŽa¸Z®/„y®I­1‚ÐÖÊ®kZºíRø»ÓÐð±‰ÌN²NNÆnôâT7%ÿÑ'ϳ7i"Å +Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1À?—Œ…ñÿánhcaíñ ø¯žêÀW©4s±6tü¯ð¿émÍþ*BÏÉÀöo«…“˜…;ÐDÁÂÙØ`jhýwVÿ²«Úš­-l5ý×8ôÌLLÿS1·0¶²ýgølÿ†€¶&ÿµü¿2ý«xF uYÚÿó^ý—ŸÂ_ýU<ì€ÿ™D]ÖÎä-þa²sxÑ3s0èY™Øþ»¿ó;³Ïÿ%㿈˜ÿs-kèìháÐfb`bbüýþÏ®tÿ ¨­±É?;FÙÙÐÖäï&û_†`cGÇ¿ÚþëÜÿmú?ÖÿÚî@ ;ÐveÑΘ;Ø2=+ù+ohBD»¿—|(ÄþWƒJq¡µ]_zø6g…Á{MCã×g›ÇŸSû})šƒ‘^LkÊžTàe¾)u_!ÊEíA £Þ/„Œ3õh¯«™--v&µƒ E%½ŸïPS¬Ž0WOÔþ¤®…þèdöˆ¾ÆiõqÈ ¨µE§gIÇO”¿G‡‡{n ûöñhs㾑s»B PDù;äâñk©–‹V6½8mN¨Œ Ávìòø›½ ä´“[¬{[Ëû^ ¬jÄî Öæð¡'¦E½à3õ%­µK$cÿŒæ^55`wzý´æ]ŠÛê{ÌFx9].òn1[Em™QBÏ•[ï¹öضé3MºÔí¡v»ùV¹\¢ ³*2m jVöˆ¨pz/’]6r w™ÇR‚I%Poýpc75ÈÔ'¶ÈhÀƒ W7JUϳ`K¡$¥ÀsÎ<Ä7:^ƒÉXÖë}†¿?Gæ;¦D»Ëc|y´—GðCK”Ï?eñ!AÊ¥c£VÖnPW±6HãÊQ9+–hh8©SfŠŸ0gÒËÑÍÁýh7F(Í¡7öؽŽa¸Z®/„y®I­1‚ÐÖÊ®kZºíRø»ÓÐð±‰ÌN²NNÆnôâT7%ÿÑ'ϳ7i"Å HkÑò¶ xÀΙsTºÜºí F¥$_2à¤ÝéØæú¢úÆÒ†êéÓ÷j%ôÜvk†Êœæ%¢d` ;ÝSêdù/áÉ]‘¶S¡¼ÀËÒKa÷Ï ëö³‘#&[K^˜µ+»UTƒdak¦“Ÿ–fUX©u¢¸5ÐJçCL8KÔR®<‚öwm.¦LË‚&ØwLCœ¾a!~6]íeîkZ77º?ž†,˜ˆÁóñ0a£%Æà \P3ÏØ©®â%ª«Q¶°sy1*õŸƒð3›Wž®õ;7 K³y²mÇZÉh\HÐçãîäÑ|Àÿ´_˜D®á!)?¬oöër$q0>°±ÏO„…£b{m㔿/£HŽç,Û»MEr2ï©Åèg(ãw„†Ó¤,DûJ.pW£?W؃ð›'HÂMcÕ‹~[5 j´iÝ "£õëÈbýN¿”òà–`˜ä§×ÛÉ™ÍeÒÔ“Ç먄lŸyú¿ýw¬ª±›ä»~¤J!“A=ÐÃé8êâ N1&ƒ¨8#vŠ:ÚQ™¡ù 0 RÛ¤T(þ×ût„Í$þbwF˜ß® 7)ÒZ¥ëî±´X¾;dãQ¡ÅC…sNÏÚ‘!jCù‚#XÎäüÃ_Ä÷ €mK1”£»ãß:¹Õ˜z_#å *’Ðs,b½“o&‰ð]ÎÎì†Ò¬¦{˜±ãxÂZ©–\å.ÉÉq™5í—]Í_ãÓ~w X~˜½UÖ"bg¬%Ì—ÊÉbÙ¶Õ¾VÂ3a¾$þ—ì!íL;ENLãÖ[µô(ÁzŠþÐÞ :\¦oŽìÿÞÉðdþÌn¤j’Pïn‰“Ì{:}*PDvŸw*[ð@9‚»pR¸ÿÍ‹°E²(oh~÷ƒ¸hkå……DÛ–‡[ÒÆ¥oÖ™ziUèɉ±-Ïòk^Mï•ôÌ,öêf¬”ñx” ŸGS6 »æÐ>²+5XÛ•½åfìÔm·ë×®þv*¦Øp ëÔ,ÆêWàÅ{+"‹ÜV¦Å—iÂÿÆ6ë,Y¶ÍSßl£ÐãìÖH”þœÙ¶‚;»£:Jb†öÿcÂ2üâ' í½dn”»†õ¥ÂJz]è°^kSâ…v‡Æ¤>fÊýQÌ’Ñ飺˜N•½º%ÞAäÙiÁO…Ûoñ­¢/ÝvÙŸHMpÿdÓ.š8yиæâ<·ûÌTêüÈÏöé]øÝYØzÔ0óYJöÊVêôøÿ¦/=¢W"ýÓ:Cè¡Êà^+ósZ…íôqÜvOø$ÕiÚøVýq${zìxŽÊ«Q‘c²ârÞQ¨Uz™F`Ô4ùjþ1gæ\xEŠ „ûɘÄEÕ¬«‰~*U;³Ù ¿É› Ô0a¸­¦û[ßÅräÛ%Ó\qŸž]£÷Àëð|O-FêkÞ‹³€'‰Qö.ÊÂTqëÚĵ¦Îš)RžcÀ¾ôßØDã“V¶¢Ååž5yÔL ùR„wOƒùͳ¬¯ãƲ¹ûx¥óuj2a™ dêMèaÁxö³]&e9õ};ªÄqÜm–íʳì $j´’V¢_yŸ¹6€W 3‚èíRõѹc§EsšN1}œÇ‹”Çžácž!\°­1£,,ᄬ¨\XMÔ›ÖÁ€DÊŸ&ë«~9F=Þ'KJk®©YGŽ¿¸éí s¬zÖÃÔcü„Xnú°à¬KNT‡E}Í®¶ˆjYMr5†Ò™NgeƒËÝ Ë ªòÒ •õ¼š3÷1¨vypæËj6µ}åI_ói­EÅÎq¸'½ šþñ+„žb2ä÷R…‚¶~UÞci„eù‹Pz©k!ïÊ×2oˆáûv)³!> ­ZJ®‰ÙGj]ÙîWðH:‘”·Y«äMŽ˜‚Ïéì©qîmuëO#/3K®ÈíöiEpë×3ä‡ÔO@â0¡á‹5!³ÑŒ¯ Ü8ßï;*UbÊS”ßÖq—2,Â#h=ÕM x'üÁROª…ÙB!É<Áq ݘ87¥3üB$ò:ÿÕzÆOE:óP¶%õŠkÄ´{@æÿíÿ€ÿ -ÀÝÏói<ÐÿiŒö?›ª¶endstream +ÀÝÏói<ÐÿiŒö?¥lªÀendstream endobj -618 0 obj << +622 0 obj << /Type /Font /Subtype /Type1 -/Encoding 1344 0 R +/Encoding 1347 0 R /FirstChar 2 /LastChar 151 -/Widths 1355 0 R -/BaseFont /RRZLIG+URWPalladioL-Ital -/FontDescriptor 616 0 R +/Widths 1358 0 R +/BaseFont /XDWPTM+URWPalladioL-Ital +/FontDescriptor 620 0 R >> endobj -616 0 obj << +620 0 obj << /Ascent 722 /CapHeight 693 /Descent -261 -/FontName /RRZLIG+URWPalladioL-Ital +/FontName /XDWPTM+URWPalladioL-Ital /ItalicAngle -9.5 /StemV 78 /XHeight 482 /FontBBox [-170 -305 1010 941] /Flags 4 /CharSet (/fi/parenleft/parenright/comma/hyphen/period/one/two/three/four/five/six/seven/eight/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash) -/FontFile 617 0 R +/FontFile 621 0 R >> endobj -1355 0 obj +1358 0 obj [528 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 0 0 500 500 500 500 500 500 500 500 0 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 0 944 722 0 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ] endobj -607 0 obj << +611 0 obj << /Length1 862 /Length2 1251 /Length3 532 @@ -6131,184 +6124,193 @@ endobj >> stream xÚíUkTgnõJÀ+Å€€¸ -æ2@ Š,š–K© ÉäI& ¨ÀŠ T¨\*­”Ö °@¹¬(xjD(ÈM£`‚•«® ;€»ôçî¯=;ógÞçy¾÷{æy¿s> 3¦/Á…ÃnˆHB‰ põð=’HÆYX¸¢0$á#¢]¦ £#¸H¹HÈ4 -™FuÀY®HX$Êçò$€•ë' "ÀE£|$< b=XðEX|XI\Àga…ðÅ0³‰8Ø|–†¹|Ž´àˆ!â €ÃÌ–†½¥"`TŒ™¬0“Ÿ˜E6"Dl˜ƒ#y"Ø^0æä¿ajys7©@à Ú/¦ôò‘oˆ0L*QÀaèh¹Ô^2ç³ùRár–!|–‹ˆ+€hG$ÛR—¾Ø/ƒÙL¾„Å8@ /â°ˆ½Ü -ߢÝõÀ^¦Í›¹.’Lˆ/’ì ƒò;õb ¾«±”P¾  ÉdbïÛ¯Àe›}&b!l¾ˆ P¨ö„¢P$;AXE¢A€/bÃ2–aŽID"Á–X4G‚âÆ -Ú$e `ÖÂÔ$ ìAHÁXæðŸ 2ÃPˆ `ΟaÛ7ðÒÐßáö¡ï, `…Š˜·ÿ58:‘E(ŽÁÑû´¨GÿMÈ’¢(,’,žM,þ·5‡ †e0 ×Ó…°œCr«’Êc>;wûûH:/Z+4=ÚMþ51y|öQ_êYo3®¤d¤Hu帪4üœåtR½l”î™öåT±þ…+©…eþ™qÔFb·/>2!U¾ê•åC¾ÿTþ×*cZ#úðÌ7[¶öLm‰mÕ;ËVÓžk˜èÒ]oísÂÚ|£CÏyíþ÷7à#ûwlž¨‰Í½¾5~ëž;ƒ‰»¥Z*9κÁSÐÌ#\ 'B©´ñvi¾«V1dÏ­õJk =1M1O¶xÖâ[&›N1Žþýf˜6þNÊhzÑôW^:¸FSúµþÛŠÄë*RFÜîSw“Ö‡¶¼—<åqɶ+.×µ…<Ú÷s%˜üZ­½±4æyš_cºëITøwuÛg÷áÓ¿¨:uàiIB·«ÎÔßq·Ç5ãEŽg»V*ÅCzeF^Ã;>JÂÙµwÝÞ]ò0NøžžÑ·_yVãÒ½ ·WZéÍCÇ®…QtÌå&–_îÉXY¶Z\lµA\|1n4Öw¬¼ÑÑ ÞW¥ÊŽaL0R r¸Wãa9αҺi½¼Ö »úŒ\Ñ«gªÝ§ÊŒ2PšÉ+$A|ÎiÝ™Œ´tf §·ÿZ±‡šr½Ÿi4½ÏËŸ–"g¶nŠõÓ$1Ž·¼·™ùêÒ.v–ø'Âëí¦óµ]ÊάU3”HvÛ ºÿ…½¼‚¤,^ÔdÊÙßÌ_Äü1ñÝúÂÂÑÖƒãZÈÍ=YÓ±ÃF'JyÏT^µNU¥¦fÄÇ1‡Äîœ3*OlS­z‚¿aÔqpÏ}ŠixlæáðQ3¦–¾W™ü²“n|¼PÃsßD™Ïè -Íþg…rJÔbBý˜™®êÙ¼m×ćº—ò}†OnûQC±–¶|[½—tªj߆×ûŸµÓ s> -ý‡þŒ¿æexîÜá!Í1µ—¼Wq ÷~^ƒì{á,™_›wõ¦âª‚èFhoé»YhOUy0¡ºVq}TZÃÉRNRÝ¢ì‹?É(Éõ»ðƒÆ+’uYmõ¨²±¡»v.9h@<ÝUV~L›C9OÝÆÊ&*JhŸúîù5–*áœpyþËIÒë„®çZµ-2“R?zeòäT±NËëÍÌ̶A¯ù¬5RµJº§‰¤:îì3Þ¶‹3{þw™cóš1?eB´£ž·Ágý¡Þ“Ÿî4í|ÅË{zL+:Y1THÇ'¬ ¸§^¡Öœ2 £ÝS–k RÏÿê¹£@•œ4±)oðZCùŽý¹Œ&ßæÇÖÍ4¾L°R“QÉ4_iZÔ;_\з iòû? I¶–ö{„Fh¬ñO ãëÛÙý³ÒìúœølOÅå(rÆã¤È¿ÅN¯ _Ô}IܵŽ2i­®¼ý÷ç#k¦ïÜ…Sê -ä£îêÑÚ½Fúw:ÜJGô[ækØ;›o8‡ º\Õ‘ Zµš—l  ýrÓ´§íÖ% fÙic]ù[ ×d™ì&qø°Æ9ücꃙÍÞöc“Y4—¼ÆC ¡ò17úœÙ_GV¬ù¹·ÙP][{øTGg’_Œ»ùl›,ù´jrýö¶.ÂñY^'z?§»ŸÖê›Uè¬L,‹a·‡ÔÙ¡±¤ÝG³|´zä¼üÕA=9åœ÷ôÈÿáƒûƒÿ‰ØÕ ¡D¡¡¸œïþiendstream +æ2@ Š,’–K© É„’ L P. (‚€`P¡r¨´RZ/Àåb°¢à©¡ 7‚ V®º‚îzìÒŸ»¿öìÌŸyŸçùÞï™çýÎùÌL˜>'6» B1$‚4ÀÙÝç H@"gfæŒÂ˜‡÷@b˜€öö à$ @*@¶£QÈ4ªÎ pFÂ"Q^0W X8²(²œ0ÊcABÀsaÖƒñ„ŃőDÀ‰Ï¼WˆoX£0›ˆA€Íc‰ 8˜'Ä‘1„°[†Ù’°·TŒŠ0S€fò³ÈF„üH€ sp$Û Æœü7L­lî"áó= Ábû¥”þÂC?ò„IÄ0 +¸#l®”úÂËæÜa6O"XÉ2ÄŸÇróa€ÚÉÖÔe‚'ráIa6“'fqÄÁK8,d¯´‚Å·d„äâÊôuu·z3×%’ ñ„â}‘a0@~§^ªÁw5–Ê“þd"™ bBì}û°b³Ï„,„ͪ-¡(‰ÃNVQhà Ù°€¥˜cQˆˆ±%M ÀAPÜâXAk€Äâ¡,>ÌZœšx‘]&¨)ËþD¦` +±`>Ìù3lý^ú;ÜÃ!ô€e€¬Pq—à¿G§#ÒhÅ ØÛb?‚¶€5æß„, ŠÂBñÒÙÄâ[sxØÈ`X +³p½ÝË!)$¯:¹"ö³s·¿ÿ€¤õ¢­RÝ«ÙìW›ÏcÇøPÏz™‹KG‹•WŽËñ¡ +ýÏY'uÑËé_N—è^¸’VTî—Om"öøà#Ódk^Y™2äáN|­4¤5¡Ï|³m{ïô¶¸6³lýйƹÁní–Þ',M7Ûõž×x>ràqçÖÉÚ¸¼ë;Y·î¹1˜x‘Kš¹‚ã¨4 Í>Âp" ++¯§–»*åQ}öüzÏô&éãTÓ³g­>åÒ™´XÃèßo†iâ癩eÏ|å©…k2¦_¸-Oº®$eÆïm4v3j{hÍ}¹¹ÍÊCöQ0yÐzÕÅ‘ZƒöGû®S^«47—Å>/‡B jr÷<‰ +ÿ®~çÜ~|F ñ‹êSŸ–Ö˵»ëõ@Ý]w{3_jyth¤QÜ%WfeµÜãc$üð¸MG÷í½¥ãïé|û•W@ .Ãry¥‘Ñ2-JhègÌuIrrr<䗣șK‘b¿Vr|qOô%Q÷8ʨ­¦!àößSv­›¹sN­/”¹©VEköèÞét)Õm]¨eïn¹5ê2ätUKÄoÓüiAv¨)$òÍKל±Ùˆ˜ä¤Œwl×7\—m´—ÄáûãÚæñ©f·z ÚŽOeÓœò›3ŠÇÁÑçL~ø:êˆjÄmøèÏ}-úªºº#§:»’}cÝLçÚ¥)§•Sw¶wŽïÊö|Ä8Ñ÷9Ýí´Fÿœ\kuRy,»#¤Þ;(é‰ÉöÖè•q ÖöæVpÞÓ!ÿ‡îÿ þ'`W7„Š„†âþHÊþ_endstream endobj -608 0 obj << +612 0 obj << /Type /Font /Subtype /Type1 -/Encoding 1356 0 R +/Encoding 1359 0 R /FirstChar 13 /LastChar 110 -/Widths 1357 0 R -/BaseFont /BCYTRP+CMSY10 -/FontDescriptor 606 0 R +/Widths 1360 0 R +/BaseFont /FHPWHM+CMSY10 +/FontDescriptor 610 0 R >> endobj -606 0 obj << +610 0 obj << /Ascent 750 /CapHeight 683 /Descent -194 -/FontName /BCYTRP+CMSY10 +/FontName /FHPWHM+CMSY10 /ItalicAngle -14.035 /StemV 85 /XHeight 431 /FontBBox [-29 -960 1116 775] /Flags 4 /CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash) -/FontFile 607 0 R +/FontFile 611 0 R >> endobj -1357 0 obj +1360 0 obj [1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ] endobj -1356 0 obj << +1359 0 obj << /Type /Encoding /Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef] >> endobj -599 0 obj << +603 0 obj << /Length1 1616 -/Length2 24746 +/Length2 24976 /Length3 532 -/Length 25639 +/Length 25864 /Filter /FlateDecode >> stream -xÚ¬ºSek´&š•¶Í•¶mÛ¶mÛvf¥mÛf¥mVªÒ¶}kïÓ§OÇé~êÛ3bþßÀ7þ±VLRBeZA{#S1{;ZF:.€ª’º‚¡¡‰¥½ ­’½­!௘š”TØÉÔÐÅÒÞNÄÐÅ”  nj1501999¡IÂöžN–æ.Š¿”ÔÔ4ÿ%ùÇ`äùŸš¿žÎ–æv²¿/n¦6ö¶¦v.!þ¯•MM.¦3KS€°¼‚¦¤œ8€B\N njgêdhPp5²±4ÈX›Ú9›RÌì6ÿqÛÛ™XþSš3Ý_,Ag€!ÀÙÁÔØò¯›©‡±©Ã?*€ƒ©“­¥³óßw€¥3ÀÜÉÐÎåo\ì–vÆ6®&ÿ$ðWnfÿoBNö-lÿêþ‚)Ø;»8;Y:¸þFUû<], ]þ‰ílùW °7ûkiboìúOIÿêþÂüÕºZÚ9\L=\þ‰ed -0±tv°1ôüû/˜ƒ“å¿i¸:[Ú™ÿW4'SsC'Sgç¿0±ÿéÎÕ ø_ª7tp°ñü×Ûþ_«ÿ™ƒ¥‹³©4#ÓߘÆ.c›[ÚAÓÿ3*’vföF†ÿ›¸:ü§ÎÍÔéßQü33”“04±·³ñ˜˜šAÓËÙ»ü  ø¿c™îÿÉÿ(þBðÿzÿÿ‘ûß9ú_.ñÿßûüß¡Å\mlä mMÿuüçŽÈþY2vÿ›µ¡­¥çÿÉþ¿[ª›þG’ÿGIÿ­´3ÿKÃ-Å,=LM,]Œ-f†6ûô¯\ÕÎÄÔÉÆÒÎô/Ÿÿ¶@ËÈÀðßt*–ÆÖvÿ4žõ?T¦v&ÿ=÷¿ý›9½š¸œº¸õÿ¾SÿµSø˽‹Š§ÃßÔþG)²ö&ÿóðŠ½À›–‘ @ËÄÁü÷Ê118Y˜}ÿÿbü¯³¬¡‹“¥@ûoÙ Œÿÿ?žÿ:éþ7Q;c{“¦EÙÅÐÎäï€ýOÁ?jcW'§¿¼þ{çÿýŸçGÝÔÔÃÔz}ÅÞ˜;Ä*=+Ã¥#odJD{ Ÿd$Ô¡¬I¥¸0 Ö¾Ï?=âg•ÁG](]ó ×W‡çò™ÃçÕáX?º y_ªéU®/1å¯B¤-².vêà z½2¸Œsõïë%™P-6µÃÝ)E%½Òp¼™.f'ÈëgÊb·ÂT’'x?ã´Æx´nÄf äú¢³s²¤“ç'ò¡ñÑ‘á¾[°_8Ô¹ñP¤Ün pdÑŽ¹8üZª•¢Õmjí{}ÚìF~b¿?¥ä]°C³ZžWGýG+S¯¬ÆyÀ'‚²¿÷i5G¶ú¸m¦txS7ÃæPÃo¢Z-žÔ¦×âÚÑk·ðßÄoP¿5ã<Æ=v0_ž ÔYqÆ­%~hÝýÉåc P>U:­`ï½züôTSÓö{¿4NKªeu„0Š¿m$æõü‹â êóT•EÖQaQe®ÿ²%Jg‡õPÁ÷ø½Ìçƒm˜•@¨õ‡ôÍPç#ó·ˆkûy6¯e§‹ÕÜT%hÁÁ:Ø¿Ä%Ð*âwâ§Ç­±ÆYHa\üëu*¡‰ËäWGy‘ýÆ÷:â|“J*”•Cö8 -å< (&.ÕÃè25)hTbp§bâßVv*—èTï/o;eÚ0&±º¥Œ¤8FOX5Éávדñ9Ä– ªA àÊü·Sog´ mY²mÄl?dEŠL0ç…ÿœæ¿Ô¸Å¤ÍÙl\Õ–lfñm³lvÑ+bžþTê¢Jd‚þâ•*®%ß^÷%Mzú,yGºð¢È¨Nï‰ð,-’ Ó`Êá® Ø'J˜Kn árËÏÅ%?ÙÜ\óÿâÞõý#„-îÌC½Jœn)„¦Á‚…`ªXS“.ôR°ßµPË,Ñ?Ž™·w©&|!Ž|Õfœ9p-¡BÝÕŸ—þBÐ9’ÐÇ1#ÄÙ€‹ —i&®¼Úß= Ň’—cú²LcDvØ·÷GüS >*²)œ&ü9?·»b“Ä);âxˆðpÆò÷«AtãSZøx®Ñ‘k˜Í˜û°3!‰¨M$nò…4¯k< ±ÅÛGw¢­šÁ©uš`›n] `ð½VÏ.q>Á¦d¯ëžÏAd@rwir?¤ûQ·éEÐ#¦7,Ký[y¶»}å5:}¡\ƒOÆ͵z4«[®×2KO­z¹ÝBr•§§N— …ÛM♊»0xÒ]¿[•ƒf—<#’¼uë9ÿŠT1~¤+.ïwù.ŸB➥^Iì²—Üv–•à…=rÿ­¼ÆIçcLª¨+ÚTŽÐ©f{ëøoyHëu2ÊØhÚŸcJxPå]âÌW0¿§YוÀLð³ÆÀ´È µ4€£Šô2ÀWO#ÛüIiv%R‘,rØìk$™Ž.ëì câ¡´åj›ß\!†¨ª—ÌoéšÈ¼á¤Ž \(ù jv rx±1½gòaÐr_ù¦Âðõéhyô¸ñ -Xf’W9wðc -æl®Ù¥èÝ}£AIS ˜çèÕeCkCh Õ":Êâ$nOn‰²î¬ü›T1†õPXÅÎÈ‚«Hͤ» "ä ‹?gìé8ék@Mdùi¿ÖšB\µôÁÍ•#з4Í÷–ç¹tÔ‚©±* ×£+!·_§ -¶Ãp¿I~!½æÀV(®Ž·SXF|3Áq‚åh½Ím~Û Xã3w™úN# ’ L>¯·åíF½Ì½3H/L2A$D†—„çYw2ýä•_M„çi­-cp\¸“ƒk=प4çÙqUÏ^™ÔÉþD?Ç›ýCúö±¨-/pØ<'ž³”Ù‚äžûa‰¶ÀâÝPÿ]ßÂcÛìË~úsph -D$¹\¨ q ìk[; $å;£W­>wFc)F%‚WF)ˆWJd½‚L›Me©F}qyY÷×¾+¼¸ç³óVRhÉ”¶Úþ¥¸â¤Æs¬[¶ÈªCŠ"ÔÛÒº:-«J™$ -&ÿ%hr½ÚoçLá3ï³°4:®ò¨ç“ë°×6pvh‘«F€Å*±‰ƒTêœWÏÁ ¼ÕÆÆ#®’Š,§~Õ\ÀoØ5¸Øgk¼ÁÐ<7dYiÕʦ|¹ªROØò5z&< Hú½Ü”B(îwâšÕÃp”Õ†A§êžé¯hï…‰’ªZÛeÃÓ¦{äÛ«¢ù}Ë÷ r8±PȈ½WhPÁîŒ ËŸ"=°:³zã>ÖP¼ þ-´mÆfX´ädÄòt´ÊD©Ÿx‚Ìr†u¥‰çP;õj ÓzužØ¼ô¦F "YµŠ†'–$Y5häâ<<ÄËaÚ![.)ýâfÙL¯s¡Føǘ…ÌÍ þ-KJþÎ~Þ(™Ø™ôi.xˆÚ’øÓcºTQ[ CN^|*TOû;¨:ãEò–NÚ–.›$Çòþõéº=òR€ÙDg1´¡øk¥Œ-ûÑñÚ”c šc²» ˜Ç:Øз‰ôœp¸Â®²:±÷Î PâiÈÅ´Vý Û9*k c-J|ý#$ e öy6?ãgÙ—šNÝÌaÅó3Z×iÑF?$‡Kd4Š:?\ôp¥ðYvŽRp¾_Ñ#Õaä–!/ ‰é6ã˜7(LáöÏj¾ŒÍ­†/Cz=ôõ7WxR„àQrGÈ(/èñ¼ßômãˆ9¶À{‹Âi’©±•f~õhi5ÄRX`²\ãYq ¥.ܦ|ÌFŒÅ6YÚ„ÊõiSXI?ùêT• ú×~Įrl„Rü°±SÆñŸ3„@]½[ÏŽýõ~_Œ r*Œ~Ûp’°7™õÇ2-û±ˆT¬8Ug>^-š=´é5Ö_¯¡oU,Žr¦õWÙª¯1Çû: Ã÷°ÝQÀ°‹klRW&Àüq-î¿\bú›!@ïÞP[þ!0¹ºQ°‚7hh`ª1 ½å4 èÉ_}~Ýz——7u~+ À¤ãTÏ91ê‘m] Ûoq¦p´#­!ÓÒ¤20 f9–ºHŒÎ¬¡)[!ˆƒ‘‹m -3ï•r¤Ü×\¹û Hj±Z9ôÛšWò0R1öë<üëJÃBU²æ©6.Èj¯¥SB?ú%ig-š ô" Ózõg- -»µmF È÷06úgûFíÊ%;'iòºó°0`Í0“s*aÙ¨6 xcAˆðÄW»Û_‡’è{õÖ¬þÔÐ…1‰’6j† -­ñJñ¶LöP£4R'Ç¡rkuÌ [Xñ1H'°à‘ñ£Û¤Ÿ"‘m¼LÐAÈ{~íë£Q§³Î•‡\%"ÞÔn¿ƒKZÖÕxKiߣƒEÁÅ-\´!ˆ|’ w§©ÊB> -âœ]qO%¦Ÿ™¼^–ÖiÆ¡²Þ-ËÔHZr«ûÿq£ýº‹)CÁn‰ð²Ìf„J¸W¿ÍÕRýýâk[f5*ÂÎKýB É{œläã]» ÄTdõô1€Oë#Š’<‰p²…)Œ™Í©—ÍcL æãà%–´§’ˆ»{™.²=2ôr-*ýk» -éæÉçz¸ùëS%¸ªB(\ɤP›<î‚jßuäF4gºË »©_}VÞoJ ¶Œ[†óOLÊaYë)¨vZÏÛR"ó†ôµ4¥%)eÈöüDÁ¥‚˜û ;Ïhúg(—óÏ>’Å“àýßYÝó±‹<¾l¨1y-i•éö`ãx­3ú Ø_š±ÚúÖí÷‚ï…(F·01æ?_y­|P.Êd<¹91†Î…9ÓÜVô¡ms"jHÒ+fkµnäPBüdI 1†Ý—xiµÿ„ík#vý$b{ÙVv)+W¦dŽò™Œ“Û‘VöJd•UþÞ€ôÓŠè7V!KC.Pw¶‘ÙðNF/åó´žœ0ºøÖCýÑ4söûÒcÂâ©Bü9+ןxDå>÷Ü%÷LèÐäpï2…âÌ2Ka .ÉfÏš=Þmi'ªn#Ú7}@G™?õ -íY»7üTç¶Ù®©´!È©»5ad&- 5ìÜ° +@ô«³RbHïÚƾñäuò±›¿T¤;§ÑjÜŸ]q¸Kïê¥]6ýT½µ‰ù¦P°u"ÌÝ*p¯œ]D ÜZHÆ@Ð^Ä/x"sRCšSÊxVéûdzJãâeG»ÍwQE£5·ÕZ…X,ö²IÒ;ö]¦M~­ˆÏž˜0sßgµk¥Š~@ ëó øœt]­+ -J9¦êhÉ[Aºª¿é0C»òc²œ=µfÞš]E©I@˜üuŽomÏ z£ Í¥#¨Ûw+iu” 0Ðo÷Ìí,ŠFi=«ï`ÈB£Ú‰­€a¸³ÄEnfYQ‡íÎ3ZCr#¿RŠÖþ4G—-Å°§Ôr%ø¹‡WC‚ -v<Ò„O·Â¸‘óÓ¼”I ÿ´õ™6ŸÜ(Œ¡ˆ|lc`kÖ‰àøûÅ1õ”¾JK¾àÕ¶e8KœÛBTÿíü  ”«>ÏüoD2‚‰Žtý¯üW ßéZFTJ -ú=úCÓÜYMÑÕÇÓ#J$ø_Ò¶jRbqš©Ÿc¶ G2Aê£ü/-Öt³/?¶Mº½´¯’yÖØg½h -¯ìØEV‹¤uíw üÔ—ì{’ZÞ䢜çtÒU'àÃùº'à(>€µÏHUo-XY¾tCßNƒÿ4Éh³GoWøíntOï ¬°nû‚½—W´²éÝÌ[¤´*KQÝ•_ŠFãLX¥hš|=Ú«nµ;)Ú^Û×™¯ÏÖÙY ”ðæŒÌ˜vK€„ BUfC›ŠA…>¢.¬¶Á_BÅ13Á¢ñ-=Ÿ?£ n¦€!ܰ°›&re€Õð$åŒKúÔx`:—=T"Ðu¢ö­TL'ë;õ¦üÄsÂxë9"§¥PicRQ#‹;Ðœ|§°lèö„¨jÂÓSdÎqSdÒB¢´ŸdƘ4I{r¹ëKºÿ($ÉɯcºVUÉj˜3>…2==LN§p\zNO¼cð“6nX ‰·nLLgŸòåÜÖLh•ÒþÅnÞÆèÙÂÈâªôŠ«½ -Ò\¨4›± “ÙHIB™4ÍÀ4ÄÍ\Üidfùæý„³Ù••çÆLYmýNYv ž«:ÿË Øg$e*#åÕa>zÑ™çüƒä*:Šêþ7yl‰@,‚~¢X~cþžúÌx}tÚ´¢ºîÉàÄÛŒcšž+ÊšÝoŠúÆßÉ®‹¢Äñl…ÀD0N°E·¼C´N¨, –t3‡H±aÓpÒ¯a%é 3L„’¾— (¥¹¦H„»mÏM,§ðX© i  «›dý  îÏãAugUd=-– þ‘ýkÙŸÉù_‚ЋÜøæuÂ,ªëöW³b°/ô l£³'ÛJÒIœ(\c º¡ýkC!7¸Ëtä­¡Ã+Š•~O÷]IiÖΠ›éP?áSñÀì®sð~ÌÏý1¥âŒþVÿ~@à¨sÍÄô·ð³¤³ªˆkSGÄߧðY”X3GB„ üIj5ÓÎ2\J5ÍIÚáŸwÀ¥7ó>MÅÒð‹¼”%¤½÷Xu´tYð"wàK±>,Ö5:™Í œ'ÓûÊ Éïš$šPéÅ™emÕaÎh7‚¶»<ö]Çc6Ô}Ñ „yÛŒ×áF¶º…[`w$ù#¼FcÛ·âû²XG5wžâé[ Ǿ§Þ€ømõ §Q¼JfÐ2hÒPÙ+š%t q“àk Ó.Ói¥4ôÞ”³·P<» Чã'*€¯îËþ””ìôzÚðÔ…ÿ$Äâ¿"lTœÜÝA‘ãê…älOaW”æi‘?û Иñ2Z‘6Ü°7…úZê|Ôü9—Í#ˆ‡YE Bs þãÍ[ã)YVîUuä½”Åõ³κ(Ð{D¾ÿe»1i™ëã1­Öu®|ã\®@sW12ïz·mL½+O$;Œä¾mÉu…™ÏXF?y­ ]¼„a×7f(üÙþ×–ÛTÒ¢äÃùݺîÒ‰èhî`(\Äƾ´5–$ ð²ïOÖ*µóŸËÎñÆö0àE…guÉØ… -‰Ë2„Ò,Å>Ô@BCRÑ;ueAíßÑN06»Øa¶Uy Ì;N.£ýÜõ¤4«%ræ›Õª6£eŒÔ:³WãQ2“b.[o Á!ñÀv è2¦ïü¸à|ƒ^TX§^Ã/¨ã*ÂÒ+pÙR.x¢d½tFšòo˜šÇÄ_°¿#Ö=£÷#ªÒ›»"ž/×ïͬävUÅ­oÈÃê`WI3wï[õ<;,¹X¬š£}y¨^%±¤õ©5µˆ]ôO®ej¯¯·a"­›LáÜ]¿Ä8ÀnÕ¨dà©PÏ[œ¢Auï9]m´~sÀŒËó°¬&¹¬Ú{Éóû™¥‚4£¡GÜë µxôár‚î¸)üX*î û’™ãì’ žÜëصåY—Áûp.µ0E«bŠ v[Ów'I7[­…ÑFut°ÂÂ,åƒp¡Oô×ÅäX_⹓SÔ;¹!—ƒA‚ «rí‘<îc{<'Uù¿H½ògÓe -oBší=Ñ¢KÓ·\ôV×±õŒ!ªEö¯î÷Ì«ŽŸ¥ÇýEWÕ’±mB¹_Š$X ¢Jª‘$â¨YL¿¸¶’Æ‚'¯ä½,ê¦'ÈnÃáå¨X¸Y;x*J_gÀåÂíìd²p\b’&“—®p×îšêà¬ìî—?í9{•¦,žýߟh-ã£ÙâYutX -–Òê¸e$ö$®á-MÖFÅØ…ÝëöýJ|Kü„#?¥®¤ìÈ#‚!Óp'v%`qÊ!žÀy‹œnäÎçN—/+‹.Ì"¬ã@Љ­¢•ým·a•µ‰RÙD9oe É ¤› iHÉVb¿†Ï")Pê`ò]^€Æ¶T®†˜¿†§†- §ÅÛÖÁ Oó³þŒåeFXƒ$ÊS¸Ÿ¯÷kŽŠòÍ™fL¢˜šëʲF‘9‚‰_«õï+Ê‹\™¿¢úƒª¸QÏís‘ʲH§µÈ=ÉŽ±ÿˆ `# -”—¦e•>KDØ£8ë<^=\üH93Ñ2W‡¡aàÚÃÉø\þAݪˆøZä¨"ú<¦å­O±gVV­S´je먌(“ïÂÞ°¸6EPÀf­ßÁ×zÍ°Ÿ©/†¥eÝ鳨7µ‹&‹öŠôºG2agD±ˆÀ|6Àí 9s ö¦€Ý1c`¼×멘îªÙHv-Ë3ðîß‹áü«ACrÔÇš¼^=YãZ¨ÐzT]'¹Û‚MÏì™ÓbÑÚØ»-Ó®1eZ.Ò+£¦ä5Ú×#í7h¿Øþµ.'ÏŸMï°òR¢ÔÂÅ+oê·ûåþhMí_W6"u¦ +&V“‚…ÞWÑ0{‚!ýÓ2üqô¨_š?Yob|_‡™ŠA«¼ƒKµËà<¾í¿oD÷"é†dÃåv©ùÑøŒ¿ ´Â§¸“ ÁO?%cÅùoÑÞK«›àc¾ƒLÀùKè:+y7H³àÉ×ÊuЪhCtd8ü;|£ðÐÐT/Ô2,uÉz˜}ôÚP8ºø~úàµL˜î¥1XÓ…çE'9ìQWKöu@a2ø -}zˆ‹Àœë D1ÝÆ54­º +²ZW™jEá&+jJ”Nr·°ˆZNj“Ût³ÅDwû+gõ(ê¦ÎáߪYð]p‚'fNùä“#É™’UŠÉ }¯Û))âO]¨Üõ -·. ';A^… ?Aǵä(_F%XybS¶Öiî™y6]_¤¹¢ÅBe¦â:æc§Ø騋vÁ„äܦæû_©×µ)¦beÿø×/*ãš"m#æݹ©ÅóS)x äÝTßBã<óê´0î âqe h´>ëj™­ÌWDOÆÉa†³üKã›jLLŸL" -¼ÁjõŒ8^–ScŽ…O¥–"};J¸„1 8—šP£íÝFÁ[²òéMÊqT,ø®}«ó³1YQÍ‹ã$ð'ˆ[_ÜÚ üÄÜ¥l˜VX)¯4’ÍҌÜ)%èyjµý0Oê¼-ª ÄˆÈ¶wÕ:¢¢diËƇmZ·]„ûòB-½_ëd“8¡4Û=ѴúK(÷ãô×Ú±Žÿ!>:*ÒHˆÙÂWæŽ!B¸ýË!Aȱò‡âGù¸8íÃqWA‚?×Éb%˜$1£€8:&ëg‘%PöŸXû—±Á¬ì˜%þS¹KT;½k·¢sq,yS‰ïŠ¢Çßš?˜TM~þû×1z€l¦=sÂvÙ$ÙRñ s¡û§}Lz½´ç„UüCÉê¥2Ÿ&bŒ*tÛKLèÄôýd³…:©oñI†¥cWXÖ‰dÐÍÏ”§ØѤÜÀuóü¨ìè¬$÷ð¾s¿÷d»ûËó0ߟ Zìè¦LwÐ4#Š¬ˆßó¢,cÜŠË©ä&?â -øE«µÉØó Ê\Þ°f¼Ê쾑²3‚ ü׬؅é+±&—€q ¼¤§Ù:ª²³ \²ü™ýIݦ³e.©ÍìLO%T£{èeEvqÂêµ1l3n,!ŽÎZˆâÚÄØS%"øêÔ  Ð‹Ÿ;Öl FËŸ\ŽJ±²k.ߘµ¯ì*œo»±ÊTŸgº?²"6ì$~¢÷™n¸…>¨º²¡ë›=gs_÷ÎnÀÀ‰AÓU´E^ºšZlj5¤¤7îîSÉÐ ¨ Çõ¶OÈäQµ¸t)HDúîj)ÝÇí­&-Íb[ prG¦Ú‚Ÿ‰E%¸/8ø Ôã;DÁ·-Ý^-,[äxÆd°¸HÃØb…ÁQFK¦…ßH—ULñm¼N#–…¨ð›Eá²5éÖ¿?1½Ò‡¡¼î“] þ–ø¥sŠÿd2¸.ä=æ†L?Ë l¦ÚŽºðÚ¶L÷YV._’)”Ñ9öÀ(#ž¤pi/Òb;¦= cèªÙq±î Ü=xº!ËN,‹i›(×Y©gtX¤ @¡€›D|Y]'(Ý?¾Å{Dj²®½VÌË¿»[‚}KaO rI¯ WðJ-›º!H§¿õĪÛ=ûlóHWÍ•„5lHÏ˦‹ëá¥ld7lèéøXì2Þvç ÂòÔêOµ–áu–hrî§ûâü|½t\:@KWEÚÓÓ{$Záû¸ZAGêŽkèþ>#gû1B ‘i!±Wœæ¢Žå -jGžvCÂÚ,ÿ»â.éø*â QÖlþØóR™äæåU÷Ù;[å]w”‘}{·X~=dðƒ½7¼—æËy©Ÿ†Lâ¦q4ÇÐûr4Sg$ØE…cø¢Å!q‘F8dS}gìY?èOÚÛ–¯W_ü'¼Î£A9nc?R¿p.?t3G¿ÝþBîÞ×prƒp´Ô¹ÓV«§í¯á|»¹5ÄQEû^Khóð{"²µ·‡ŸÎ²ý®0=ü½NX¤é}±·ÅZõÖRÒs,ûïÁ7ýC&¨ž–×ÁX‚f.ë½1l ú”0âu!–Œì·ýÎSÁ69¨…îl¹Z^îØÏhûiR±oæÊw•¼™"Çý„˜’Ј”.Ò¢; …xb“LôLiÇø}¤CÈú­¶ÈFe‰ÞŸ¨ùŠ¡wG¸¢%à°Ù寃áÞËÛ¯†žxÅÉts9ýwI©Ã¶ -­/h`p¦‚ùЃþ¾nA´JWŠ¯C;ÜyúûV¹¡zŽíx웋(ŸêªÞŸ2Iµ‰Vd“7%ÈL«X3u”‚Ô¡\•µñ\¨ÁkœÅÝõ×ÑëVñD`„<òú%#ŠÀC.-Ýw¿U©IAÍ\¿eXÕëʲ¹8¾q4׸¿\Éë»sø?®(P=2r±>¾)—x÷…~Ü¥3dn©å\Û-=âÁ_Iø´ytTl§w`˜»q¯eIÁ4š“é‚°§¹ô[K¬¯dV´ÏW~†å¬­Œ¹¶ø'Î_lûoú7³rÍÈ<¹*Î]?…÷ ù6°·ßIË)òzâÇt‡o$pCt$Ôó_dŽVè@2]FwA ¤‹Ð®Û€¸‡}–ðKÖ·'û~$¥Ï•*€‘þ~… º èax̢㒲¬ \ÏBó©œR]Æÿe´úx( øêådKi7ö…•Øà§l@.q]®É%vò~k5öwð{]ÉF׋|¤pÕÑ¡M -$Uù‡:ƒ sŽßHQºš§p¯ìn©"¯‚Nux€yRÂL -"a¹Âz£t°p[ÅH¯cAq˜h½>þ… ûsö¡i®¡k%lûÖ.›Wz¥"*Gb&øÆB<Aza¾ØXâ«‹\¬Ë#9ÜY »é†vÿò7]î½(\ÚŸô*2÷v -°ÞQd›vèµw89’9.„[>;häe¸ c\_ë‘Yf`¢ÆZCº$ò5ˆÕn!Ûɦ æÞ¤sx½®ÄrR=*À@:×9ï+Û»%êÓ­fþ -‚BàuÀT·n*ÏŒ ÜóÙRF”àêkRà? ™mD)ÙÊ$¾Ôô‡6õÆcíؔʊÊfú[አ-‘HòGNè½W¯¸;¡Máן!ÒPÆAÞò?‘é©ú@ãß}{¿Bß”ZŽŽ2ÐeXk®ÍÑ=&"Òp¯.$Yªûïññœ´é¢q{ónÂ#K÷¼Õß,SÊ×z¥vçSÅ`/r´ÔtUnέ¯¥IàÓé´{y{õ‹¸%—ÃhIËÉ3”27—Ôë¤"YOK Ý~Lƒ&ºA7?¾ð."nzš+Ø´z'î,`J)D—ˆ*ª× OUym‚ `•–  W7Ð!p u6†Æè4âœêq÷9!¯³îÑ3T‘!?9šFÙºÿY %ìär9göó&ÇjÅ-jw­„ ‰µ??˜‚U¶†?3Ýö·5dœ•àÕ).b[yÀë53àí­¶cÄEw yQ}NdIF,kéAŽ…Ù¶`'9¨ÊðôÀϲ…R‹úÚ£?èôî¬lКZ6~N³{þVš‰Ï[Úp³Æz»œJ`Ž¿9ÉT¢cšåZXø»z4×Zul=Ñ6»p né´¿–KN -‘IÜ11‡yÔÞ·k—J؉÷…Êy~Úµá*'t†&.{^åÜùÉuö×ßW_wûeð{2?X%KûN›ÏÈ‚œ={T;‡d}5ËŽœ¼uo{µÓæ®mEi7hRïáÈyNo0P2ûI8Õí'Üàü5FÈ5rjuñµãÖm´‰Ý5‘ ±Á#âÓ ¹~³»''Óm=^mÌ%°ÞJU#Í?çgE||ë÷£}HréƒÿàVŠD6åËÌq^CLwˆ|Gƒén‡ : 0ኽæïR _ÆV1†øQ/Ú à­¯ˆ¨`QN¿T7ŒÔöi@ÍÌ®åθ »MÔEì¾ Ì´®CÅ 8;mžT­í£J2«X8K˜èº­í¿û³1ĆQÈ}ñ ÄU â…îäî'&5«{ƒpF^¸GœÒò†…&'²›1C‰L‡°EÜðL´SØмïô½zÆòR©âs¦]ÆF§IaY#„Iö(ɵs3\Ø ÐËêFÊôÉ©kWê½ÀµX%öý’W€oÓó{À–„œîJוâÊ_màó3îñ^R ì°¿=ÔÛ¹øñ ¥òs£?èÐ3ÿÒ¥­_ |J:Y£™O²ª¼ ž•lV•d’ú606Ö^ŠAé] N‰V™Ìˆ/‚:ëÝjæ`0…f“f¹ðÝ^eëãnÃÈQ@¾kÕ4Þú©‚ÔŽCtyé#|°H’ζ+EÃïÒ*`Ëh÷]\ê2 –>àOÉfêäNšqjuVÞ2©Žï$Ûˆ©5ŸñÎO©T–Š,S6ª:“\ìÐ¥Wå r¯# D}»D/ßx ûfç\ÚÜX˜,árßÎ9¤!IP™<,IßÊ?ëøzT©0|妑¤8Ód‹PµHüj ŸK(X¡szº"ÙØX;~´_ñˆ½à_Ëä< ?]Ö¨½Á,[£X}Ëe -§ŠçÍ%Vš›)|CÓîÏ9vÉÓôpXRH.…]ÃÌ ò›øþTu{¾zÖÚ9p†a«hÿ Ž©æµ¨󞽘Q\5KñíÀعQòJØysé±–W?yj,S=¦¥¾jCÃYd…ÂNˆ£¶YHzŠb^Pkè¾ $Ôs1¥\ÂQü[ê`Ƽ$˱ÞÒNr·äæJŸ¾óáv½_ ·»~xu 4“õ¼P&;±¤Ï=ÓÇAÒógÁÂ_ |0™›¾À:ÔqE9®uÜ Ïqr„.aaéeõßÁûì6Ī/ÝûàtvˆË -ªDÌ1ñÕ ò X¿äzcƒ>2ë4c"fî -t­Q:ÔÄ|éòýÞ~¾Ÿ/:Øü  U` ì(›ËwzæÖÃÚS3dú@xN%jFîjüÚcZÂè) 8\"}Gˆö—}×ì0!ñÃ/ñŠFÙqhÕL`è_ -†ÊµßhÂĺ3Þ#4RÀ© “ì×›Q&êI([êtÚ¬—ægCVÆÀ_‰aΆY: „Ô‡É2ÖQ¾×]ìù¶³QœzQ¥íûI¿„Hù·ÚP¢aÑ‘X‰Dfk"&G¦Ü­ª -‡Û6Òú×ë_ ‰kYhJÛœN*A?7ƒƒ~åjØîZ€ás/ä MTÉ:¾ãÃÝò¦³NŒ²¹é+ <í|0N<ûDCÌ2@@Ð"‹Ržâ‚4g*%ZŸóĺk‹y™OÁÕ.ŒZâõ³Ø×7ö<üÎe¼‰å³À’Šp÷^ú…*˜U‚§äfäQÔÏF -ùf¶Bïô;‹y9ûWu FjÁ ô…Õ2~pls%BUî-ÖŸ^ é”†ß‡‡Ø÷q‡×¹Óv*j9•¬ï®£"›ƒ~¼cR;ôÚ™ØÕà„°™}tkà>9ÂÛ9­Üq é ÏÃ$ ‹,ˆ''Ä8íæ.ÏO¢û7…~Ù,“ÏtÄírã¦EH•±×Œ¤—79—Á²iÁ£giÖ‹úC–8Lí3£sžºaâã XÿhœBù 2äüa"òê›þ6»qrUãô•~{GRkÍ è%©Á*‹6…zAáwÝHˆ×ñ˜i߉’šþ§£Mxòx‡ÓØ -=%?“Ž·ðV‰üì?´ë|ÜúHä/§ _«IæˆrCÒioìÓ€±•£ò¢€<'¤tuÌΖÌdÕ«eM~Æ4"žôüO= hTQà xT ^,6§EÈ'C’|“à—-ЗŸA4ˆ#Ì %ŽIù.e›Ò“ŽòYžÞd¶tvó]³ß Dóßã­ø®åtÉÁÚœ1qHo²#^ØšÀ&šÅÞÏÐç÷ZT,þ”Ç=… ä9ΩµWN0™­ §¦DÚ¨®–®«„¥Ä¿pzú6+ZTÜ=µ÷™{牞Êü)Úð8é=±¾€ÍrUW˜AÊ/>¤¡J»®_³]ï£çj’Ý“E¯û¡ ƒ÷Ò÷òÚkž‡…æxÖ¨u8xŒRO7#0'k¸×É ¦Ù3¸úó+Ô¤ÞLݤ‰LÄ -Çžž–ˆJç\þ,ûÀŽF×T|©xöA4ªàJe"7³(ý ü±^|›üfŸ×Ÿ†ÁÒþÊ$¯«éFòK0Y²ÖoÔ‰ÁÁúSƒ`ÍjTT¨C¨¾øÆä¹<·}1L¹œ7óˆÙÑEÚäHµ×gÞ\ ] ¬äÀº©–•ùh´GÉh¯úr¯PGáÒªÚ(_aœSå‹a‰·ê0Ù|ýP_v$kø£Yù%ùœ~‚:\á‚‚É–~NÖCIÂAíÕ]˜¯¿n0» «'‚pu”¢é·|õõ /@ҸȊ{]Ðt”v&_ Ô~8u‡îªfîX§‡µø´“Íî”5Öž+- À=‹™ˆnü0 î¸:ߊ]ÔÚ?ëïÅ»÷0MRƒñ?mª¼P°U¨'/:ÖŠ½TZŠ2„!Ĭ½%û¸,pÅÛÁbÙüÒhÖr\:ýÜ™Œô[éï×y¯^аçu¡íe*öë•.øntY"|­ÈåŠ †4V¹RH¯áæ¾á¡· >[/ éú?”3^Þ‘f±Æ<ÈÄðD{àçÂ5?ß9sôbð4ôTssGbh6 -¥³mÈ*¤tZ®œf‘k™Qr‚ŸiµYéJ–“ríÃ;¶˜”æŽ×uqµlŽ/Í£ëûñQò3ÆNQé[!›`SJ9†v/ú9ï1ѹ¶qã~‘—:‹^º¨˜Q¥žcsö²¹¶tÃò³™AÎmé9tüpP¦ úµ•E’Åég·³‡»?>c2ÒVvýƒŠª“C§ý#¯Èu}·Yµ¢é9ù J™åáoXLV¾#]LxÄS»6’ËÍo˜³ÛŒ‰# -«ó/¶õ<øvçsK³~¨’mxÒ£€'´…ðîðRûPȆÏé‰= ¢6X7º -å‚3Ÿ»¶¥+FL{‘¥™É¸Ê{¦›d wE<Ûðöuª¡b~$.› o1PYyàZ°„íãq»÷ê6›Kw¨Ð@Òøm!p–wB¢ÓxÙpܾâÏÆšuÖŒP9IL“Fˆü“VðW¡˜N¾«5Šoé -¹;~—ÿ409±‰z…:Ƀ˲Ïl'ˆÅÉO‡:⼤ßTÿŸg½0Ö‘ãC -‰)`Ül®Èå©` —«dÛeö‚÷PÅ=õ>©k¿Ç“ù1UâÔÏÎS9¾8¦¸ÉÏh(óÛÔA»SmÖIˆUH~bóŠ`®õ¥P>ÊÛD²D£¾æ¦“³ÂiϸlZE¼ jJ2à‹£®£ž¼òÑÆ;JäüÈ»Iúâòã–øèÑz¸ ;4ýƒoŽÕz¿ÍnÑŒlœv»fºü±±7†p•Efí¤t”ͤêNy(IF(¼Á_ ¥Î -’p6°’{çOt\AŠw2¢VúaMŸxJäÑÈ®BZ骿² rL?¯1 -G”=Ëò…#†Õ4ä ñK"´µð°“Þy¿Ä½¬ãpÜ-Ñ[É~JheæÉŽraaî%7UŸÔòŒ”1², ûWæ³Û/¨^ -$9mhoàpÝ0V™/>Ý ×ÚÊ H2†>Å3¡ª_?ã…îÅr8ç½…Šu6³é±*K6ݱ -ÍÔ¼¦³ÂØ´VEíRÔ æ¹^ hÊ;2¾'ºîGÂ"òåå㊻¥ÉG‰Ò½’ïÛH £-êí'Ee›_·á•žŽk² ȼ\éÑ,úa+¾Ð¡};½#&Sÿ¦á*²ôhP³Ñ¯sn ·×7o¶EŠbÎÞsî\ô·oÛê` -ò‚ -â†tãÓˆ'—%CVÓIšb¤–§µë~ç&à!;°ë-GÂÞ YÞœÇê+ÄNä‚b|—AtFÄÅwÇóZ;žÌfíáLÖ#•«µ Zzêdí8žÁ Ê,`Pðª°àògqæó ýhí¾>¾ÆþPÐZ7“:®fìãèrÖΰ¦xÑ]Ôãa‘s~ç»+Vúšu\X`…À䌜÷ǧ”ÖÍÕÏîõ€4+3wQt1ûAYh¯‰/~òÙÉøM‡ô¦øÈ_—³•œi0!šœäjª÷yÙl±‚r€ éED -蘭(Æ|(h„ÈA½®îÈGs%ÛA’Ã+© Ûb2ý—¼ŠÊÆ·ÍšíhÁó¹)[ǃ¥ Ôµ ︌2¾½¡'ÔÃ,N]¼tâÕå[²u&Ô˜?!&ôP{PÌóÀ´êì0Yͱ=·ºe ÖÁ¸‰‹ûyŽÆ»ZAKÕª}-¬þäs3C:3 ,»€DŸÃ#‡ÒÓ¼°Ÿ)þD°;·Zßj °’êp_$S¢¸=\<8âg(Êî/vSÈÍTõŒ¥¤r Ù ߦ8N‹‡mpl;û|~kPæiÀä?¦ ÁDͦœ1ÜwÆ#EÏ’dï"ñ`S¤!²ÒœC:lCÌô~}WìÙP–3")Z&ýn2ôYp•Ä:Ï~¢rÓu}²6dÅMCO¹¹6+‡$€'@®Mm`Å-º6V^¹SWnwFbJgG¦h_[¡3³MWÂWmÎ -¼Ÿ'Ïû¨H³·Âë ä!ªEüñžë£?ßFïíÉs+ØšˆO¢)þç½ð²Ç’×QúSòiãF& v¬¨5ef˜ï2xœÀPÔk»ã±5ekÒ;Êx¿Ï•fa?E–õéè•yMhΣ ºr yìVáå09Âf ¹®ÑÁÈ?Lö²©«’â¾­^爛0è8ðvr·áj;øë{Yèâr¡_›LÐÎ<ë‚6ã‰!týÕÍ㳌+MÆ’$,ËúåIòrJAÏR§9sÄŽH:{ÇRÿ¹•FÜ]Šß[ñB¾ù[^¢Wu¸ÛE ¤89„Õ'ùêâÒIŽyü†ê=º—ÌÒ£6æžê:´:žåGëZ{<ï!ÈLãóUýÁ¯öå¾8)yÁ´²'ÛNWÃð#bžÃ««óXU›þ|>KÞ°_Ñ£(Z¯ûÞYåx™O÷6tB™W³ÈÊZ#Ç ¥Ù.W@£7eÌá=j¶ÇÅ[t›~SØÀf[Þ¿”8#E í´KlkäJIó°ünQ²&»ŸäbeɾdÅb«B˦àJ ³…PçȽ#ïExwö÷W+ü(3  Ü3ß¾ÎâÐ"¶lTƤ%Âç5™“˜ÉÍÌ|¢Î—ùªPk$ã4·‹r{$‹¬ä— è½0 ˜ã1–òÂÈm_—ö\ùfɸ…ìÄäƒïSÚ‡» '93!Åœ,ùÏkÅõ®“ù³§Z`Ì:v÷D)™éŸüJÔÙ³…6<åY¢'°~S渊ØNÝ]öËPNGˆÔ”F]g$p€9K†ûÐ:ÉÊÜ®f­Ù˜N£o/¿Ò§Ð+÷TìxÝgä—J.ì#­^Id—§jè›ð{O†>ÈÝqYãºUj -Vèp ‡—-,9,©Áz*[5í¶V‰µ}¶ÔµNÛK­`TRøðôÐå}¼Ëº,5®¼SƒÚ }U^æbôžK N˜‹1¤åÎo ]½§½X&îŒÃJl±s§‹hÙÕü† -’!c«ý”ý¢F)0ÀðJXÜ|—Y«N¯ÛØ¡ O1:ï¢f2˜³ë¡»ž ï¦Ì+‘L,xÂ9¢Þ¸rQÒ'䘞ˆ˜lÏF~‚æ—Ã?a¾Ý0YZùCÀQ/Èk ã4G“ç+Ž´,´õÔ§‰ÎŠ[ Š€‡Ø× S&s áïF¦¡÷2ܳ™ û„K¶‚m÷Ä)þqêÔÜnpæÂ.¬¢6Û‰±št -gñc¦ÕŽ™¡Ü3€ä˜î¸î -Nïƒ_8B÷Œý±?·¡R¨[œå7Ø\ë!“Û¤QIÜ](äãZ9/!;aßîJ7(d§¹.·òŽíÙ"ÁãP[½ô¯t*ë·ZŸÏu2ÖX¿hrG¢éùÞ¿P¹÷$plñbì%4ªÝù£7-ÿ¬eØ­uLôùôfŸ šZÆw¤–H9»S?à5ùö\¸$$iÄh±Àßj ½}æøè—.3’L—íçv"X£ÇŒKfd”v¿ï[}™<‹âÍÁ,Ô:&—â„)Wßͦ¿¾öHâ¨o·±‰@ꃼZe2Þí1›È÷2ȸA@/ ½Lj¡=Ø-æ©.ò&ŒÔ‘þObw æØ CJ\q¦û6_¼AÅèØJæÖ´ö˜Øë2ÊB÷ ©zhÛúXQ½îò# ETÄÝ*lÊ6×ÖOéþéetX%í$TÉÊȃËrrÙË«³Raµ'p¤›€®Þ½ÐüB:ËbF“•¢õ”«Ú0dieš†¡¬Í|iÄYõÿ6ü dòžsu #EËên³ø…>°‡&¾%TÅÄêâúÔ>¡)TÀ8ì2‹Rà?ì)œñÎJ“F7J ]ÚkúDG‰œ·^ßÂÑ$”mË8?äò›U–ãêw8”dR׎º™þ×)Uªžàa*Ç%n' -5”û´¦LÀu¬cA‹æ¤(ž¯ÏúÓ/YNRZÕcù˽Ð)€¾¢_M\¼íöú£˜: l#¶Q_DE¶¶ü’yÓ ðL©NlKõß·h„#£3įÎ/Þ>€ºL&?Ê6æÂcr›zö96 Ï—9²uD¿†nEÓ;†#YƒwA+ÎIíš×çyéAcÖ£ÝUTýR óJïk„Á GY”#JŽÔÈr: ËA¨µÕúÆßÇa6 2œ­Êò›€ÄŸêÖuXÄ}û9—º€X›æ) K­]¸8å¡5·ʼ«„Ë$Yµ,6z—±íHþúÙa“šËþ:8eš‡ÀoŸÏ0‚CONY˜L°-Â)ùúc s_±Þ w‘‰‰PÕõî -sìm<ßò“ûöüàÏû@n6“$ZÿbáÌóå•h -ßÄCù  6#11ß7ÎQb­Üc󨮎ê*„QÖżÿ°H¾ tü˜á±Oá\jz£Ï)v;<’)›Ûù;•a ò>å5`Zæ?µ»qòŸhš¨—Æš—jäž -–|Ú–¨ZjVሠ¡~ü;È»¬«ójoœ ¸Ö’@·Î§,1ؾ~hW2Ѻ¦“sËRsIÛiv‰XCt”€™Wg$Œe0‘.Öƒg†-‰>HÒ¬jÉ4!™¢'±ßõãÈ2Jt°™ñ/£ºÌQ>Yý¤ª•IŽá’,ÊV;á._—7€yØ«UËbG dŽcÖ^]Œð -' Œä××6nÕ÷_¨ïo=›öÊ`Êp˜—#aèôhëܺÂqá’Ÿ槆71|uå,'ÿ P w\=X•ËÎWB«¸¸ñ|_<­8Œ¥ùè×᪗é”|À¶ šÀ8Ýø²:yº„>¥‚x߉¸[Ð} °8}Ì‘™÷‘¡K³Ô–ða\“…¬¼ëDŠ±ýi9®±eËš€¬üKýÄ…ÿ ’"€ØSJqÎT.ŸêŠ—BRÝ„ðú“W¢@Ú(| í!lÝ4Ð:°ŠŸ-TËWSÞX“Bo‹ëÇ£’¬\U‰ -lŸUÄÙ!1îõJ k&eüù'Ègw¹Còd¯ "ýú{['^Ì3Y»G Ñ{K¾|ˆ‹-ï?1âɳZöQ™±šjA!ÏqÎp¦D9Ï°1‰æ—ßÏñšyªJ߇Àè€ü?±2àÙ°«³´~w¨‹Æ¢˜˜‘°vN*·nø‚(Y/¿åã^Uûºö¶+FDû±_HÿOŸ˜­ìw] \˜Ó—1é6+Û“†CE]Ïï›l¦Zh8{BÂjP1æöÐÑÕ2ÌS9Y–Ïð-Æ^èØi<¬ÞÀÏl$Þ‚ˆgY\î·e]ø‡·‰í¤LH¨V_àó-AhRah—JéÂ2­ÍX\L/ê [ºÚ1qNd„Ì@­µÏÛ÷ -¨ë cR÷aƒ>½x™&¥\—Kº>VG—Gá·oT&Íe'\¥«Ð"9kƒ^´•÷ûq™qà£|I“¢·ÉÌ)‰ò¿l8lM©”iìc^$]ý-¬h^¿3:Uؘa¤ËÏübA¥J:Mn¥ó‚,L{µF }rÝ}æÉz¦2;!{„U-zE­¨*ñ†ÄðP -÷¿ÏTÊRáÕä´ã—ámñ[©“Ö¢ÈÕoÜTÔr³I,¨ìÚâƒèr“DÒk×.iOGEÃŒïpì} dö¤™È}-wÆNMÛýV«*oðË]|VN×ÉÄÐdIÍ]n[ìJ!&°žc,ÂÙ„~G3^>Ðb&b÷6›$¤qUUø[S K^“€“8U³æ1xâºòq³ÛÆïw …:×=€%¦¥¶äÄF·)–Ê]&$©†‚9vaDËiŽù¶­¿ÈF v_íó\ä]]W bãSGЬ>1­ßæ\ϬÏÏ¿àðÓÒ,؃H_T$$Ý“¿\¯†q¶Mk~7…ÒNA¹'a\버Æ-Ÿš©÷ †®$ÊdáFä(·—¾9Wí®‹ºièÀZ†¤•zÐáÈ=Ê ±÷Q¡Þ`^SâQ©¸ôŠgòJFñ¯Ë±ƒpr~|vÇÞéÆvý ù4p¥v -Ò0ÃøNðE»L`À÷%ìë±ðQËš/À{ú.-ävÓoo@W éÒ¯ñ2wCÍÈí$_±NÁ³æq˜FÔfTiu׳Ï5uò¶û¾¼l¼«õ‰à-Xˆ&½²æ'ù€ L©¬ÿÃÏBeZYIgŽïÝ;š!< $B…ýíÁXI±<ƒ”@hš³¬÷DP.·æBúþ­€dö"¢žHÀ½¦©e|B܇K É£û'c~{…±Kí!FfBýÊ>5—ÅË@Ge!¯{Óô^aÐÏë ñR@Í‹N„¤ú£…Q@â`c?èá»ä¦Ý»ÁŒ#Ì/cáôPä²´µêÍÞ=¡±Ÿ/Wgžƒö“ Ã]íµ¹š[ÊŸ 0t¶wpí,øß:œ Œ!*}_›Ï¨œ=ËCiN@“Fk(2‰Æ!¿Ðì´V•Á£Ü¿7š@×Ímãå@Ð$5ÚÜ´V+«ÐqqãÞ fÖˤׄð²:ħirmhѲP&#ãê`Ä/Û¶<Še´ZmbÉÒbÖ^ë€8ø2¸Ê-æ½èž~¦»¦¤¥ÕeY"é"¿èßÔÕB*Šÿëæ"#¼1’/EzÎH,6M¼¼„•ê­ÏĦ¯àÈí_[‰z ‹‹ì…A؈å~×\ñâ´¹êÃu;ÖN/CÜ~ê,NÌ“÷üÙ¿‚NÙÇûhü³Ù1ê¹VK -#7k9+~FÑØ™¤wI¡Ý5?xIõMœb»o~—9ûn`Bâñ«ƒ›ù=—ì¨Þâ¡Ó=:R®Üæ±³§Ïýë;Ü Þ°ë2©p¡ÔWì (˜=ÝYr„9òç$ž:®ãBZ:óæ²È¾HwE>…T²;ëÐÑš?Eg:Ç/BóÃ"gwCšíYŠ+•9¨Ñ(©öþ‹)ÍTVƒ±Ù¹/žãÇŠp0þ 8RÌ×ó€€Y÷Žˆ6øÑþÆÈ]“aVÅ;6 ̃.ÊÏË7NFðeÆ»‰¥É]±•è ×¬ý©·qÇjKÎèùÑs/Ki(OÙëÅkpI]Ô~© -×C&©ü7ÙÖì€ÓåÅ;¨Ý.ô©qF…0W¬tÛ€¸œ&Æ,0þ¯ÆÝx }B¹âáÃÍÃlr²ÁÿCPZ_>Y>÷ñu%ëÓTÁÊè@6%ë»î(_þOÒ[})ì׌#*¶XgËñ{u•8×€.´7Z˜gJ‚Hz Õ -½»ôúaDz—\n T£î©Ãc¢@ºÍšèU#í´j,*'YimщA­Ø*–WÀ°;šQôÜø A¼ê.ŸcmˆD9Ò>#ÉôÅÿdUÚ¾ÞRÓU=þ”äê1ËPžÿRÇýÉžÀÂŒÇ7 ÉçKpÁ&‹ž¿ØßA4›DP§­¬ã²4äôCðQ?è≠-i7Žk¯¢¦Vúìë1=:—1nÁƒd‰ÄÇbŠê€ñ-þÞ2–R–,*ؼB²:¦È½ WŠãŠ’Ïæ8ªóŽ[MTÄmëA¸Ûr Š -®?ìÑÈ:Ì>n.¦„Ú…†AWy1ÔÑ3mÕ]}íËd¯‰Ïá¼!yÂú/1½º²6Ⱦž»(…è5ÅßÞ-S©-פlÝHÄÒÙ$øªèÿõ\ú²ÍÚBašÔCSQ¬?{÷Õn‚Å©"¦R꟢âLJ­ÿYz–œÁã5¡4dÁ/* Þ÷ÊJïYÁ³ož–yh\Y< ¼&ÊoKqÐfÜÚüà xÙµµÓÝO…+åb|ìý­Þ·â˜¸ :$eÂ]ä‹[}"{µËq:V¬yšèBA ¨äì¨Ú‚þÚVNF¼ÃÚW¨$Æý·qÝ?j¥W ж1mPe6SôóJÛõ˜Šy°·KZeë*X.º’Àm›¬*/—"÷Ë\ŸŒdõ}˜Æ LºŠ@/å>n®ÚÐÒHT‹ƒÌŽÆAÊõx$ôA.Äž@'¨ç‡š, -T!}³Ý Îäýð†â £/=Åÿcvz#þ#k”ˆ£ÉÄ㻑„ì¿aÝ f…¼…$â”3|t(Ž¾4hléŒØ×ÿw®ˆ[Žë;ÕØ¿©í?O¶ÿ¼3–a}+Æj¹3Fm˜¸"ÝM £lçòþ¤VÊ I‡ §iÊßà‡‡ãDù¤‹¬…9þû.ƈú›£’à@¤=KTxçyO nZ[Ž/Bý®g\ÝÅi‰ KÖÒMýœÆ}jÿ+ë±5d7í:oæc¨‰€!póúŸDͽ†/Gªæ‰·ŽTï0î#E/ÃrÉM~+ À.…*ó'©oŒžã˜qÑàöB¹ÇÉm£ÅéúÝò‚9hnì˜ÕM~£Y:À¬ª|å_SÑ÷E¤÷Jåƒè@¸¤&_÷ä¾iº /×E>UR'UàÍm˜óµ¦•k`°¡«Íù¤@); sžŸC¦²áB?§°[RIx ¯‹‰"5ÌZ÷Æß•3 tm›Ð²ýÀ«B«Ïc”õŸj'Áþqƒt„® -pS>FŽÇ_è|/ÉQ꣰–—þù"t5@Óºá÷Qу;vä=­íÚ[|r9>t4™ynÓry>lä<þ“ýÖˆ•ÑÓpeBïaÂ)&ÓôF(ÜlŽª<ÖÆÑÇÚ‹çÊ6B¹ìÎÑd¹p†¯UÝwŠø ¦šŠœ}J%æN.៷-Yg¦I&ÞÅoÂÂÝáòŒÖÝ ’ëüîÅ%ÙºR¹å‡fǼ¶øáSŸ¦RNëê·P¹ Žý§ RVª,ukªZž5ð°dã ê/z’#ѱ‰·V„ÆáÛ5åcSŸaŸ®ÔŽ½YŒg<^ƒßL‘àŒ>îâô?8}˜fý£Ö,}$ú릷;Úã5ÒÌZQø$k»o^ËòøC@„Çlª Zƒ]TÐá·[îHâf(Š|ìKçê1ŽæÀYÞøæFÄû‡6ÕÈb7ì9ôêýq³ŒG¿ìn¿7jù¯£ænØÁ”Wç^•VVÑY‚dXh.‚Ë“gà oRåB¦´H§VÿQ-Qú×Ilìeì§wçYýäÊJý§cµò'(ûŸ\.ó<~ž'Ä -L€-²¥ø»¼Jîýý -¡YÆS4{Ú0…b3ð?°äVf‹±Ò‚"©†¾£:iHß^Áa1`IÊRŠOÊGë½qPÌŽ3†aµæÁ¶ìêÒZ (¾QûÈ´µ*½TÌ~4Wl?tnt49$ºÚÉ-zs^"ΉTŽ ¿ÚLi‹¨'}ãN~)™ØËžIS–+×XC” œï€tsai9£–Óv4êø&O¶ê¾ùš\CV昃ÉZLÞRÈÇHýI½…àV8’ãÚ«#w}Ýá¸û"--xõôLd:ÞÂ9cœBŒÂÙ*ï#»Ã¡áÕô„u ‰¨Ù³)ŸáB¤É®…uÏÎÛoU†LÁÄÙWsÞ×£ö>ÅÉÚéH\"ü…ô›šu0a& † ¸V•Úð¥;T§’›î:¾Ð×'—LÕ=¸‡ Bí;`51&®séUÐœ`¤‘ øŽºT¸‹¥{1ƒA'’‡É{²&šðS›çaÁ¤õ÷r7ÿ>‚Gª4:9êi*§ö‚–îÛ0¡ëõõû¼§{m-O:ÁO­Â\Q·„+›Á+ÝÛöbwDù­ f ³N$™½€’祼¡‡Ä\Ä?D%Ç”æD/ú°èÅFqàx·0‚ŒuùÁÿšgCp=R“±‡‰D•M¤³¾Çƒ:ûÆ“Q{J6_GR'ÀÓCÇvæŸØÔÞöI¼ax9³•ðDaDÖòÔü$«GóÅ ç:SÌáI1«^žÀõpFbJ³v*Æý™“`ú=þ÷…ÄߤÒÔj–†´k“Èû­[=*¤Q+ÔCµ‹âüdŒ?Ö é¤7Ýò±FÌ(¶¼+h6bslhïIÀÁ#ËšnjGôqH‰²‹9VjLÅÉ£pñSŠRñ¢Ô†„Ñî”su0LÄø”M¬õ ^oÙ±§9‡ÆcL$:? ðˆKIÐâÉ.û¼…˜Ýhöª“-ëªx? é¼±ÙœJ–Ë]©\ß1ÖB LqOcZ8pWMt×÷S«åKJ DSõ¡™üM®R}»çc;”uÂ:¬~×gkwlš]òVÆ/}Å¢K”ƒXƒaïŸyÇ‚yårÞ¸›5Jš ±urç;@…¿¸£Î  ­.ïƒüvZ›@W}˹RÙ†4˜½wU±ÉžÒn$N4NŸ3©{Wç&cMû%”¨>Ö#.µûQœ1sò1‚ÌTäêy“¥d4'l -Ð]ŸXêy‘ß²oÓ€$ð ;ñ^¯ $bМǒƒeR¨õJQ°~ð’½¢h•ƒöjtÁð’£ Aš–ÝHFþŒßæ¦>ù~~ÛŽÂÒ“]Ž3 Îk¥@\-`y-Œì|Šòg.3÷–ÑÇhEw²ê0þö•¹¦4ȹœÅVL_呧 ‰=ÙÒ­µ,¾ø‘ø°ÁLn$c‘_½ŒGÙ<üJ âcÌ”Mi/Ó¥¯œ7ƽ -o<Ã;…‘ÇØÙLGAPýª‡”W&ÙŽÂù¡›Ù"—¾(9Û¿ºµw¾óÞ¦˜‘Šl ]uÁDRpñuwAU.—Õg±ç=ÙŽj‚’ÄMkAAÄ´ì* â™"æg×äjwr:Ó-*å<çéZ<·ïuŸXD,’%E±È—VÍN¬JoÙ˜U®ã ,¥#ˆk„å9„ÕÄܼ'ºàv}é%©@Ûµ;¯1/ò5¶T_/B£uÄEŽÛK,: -8¨™€¢íuÉu( {¤”ðßÁá*¬Ï‡pr^!Þ¢ë0SQPVÆ;”M°(ÎE0’A æÛ£Ÿq E©¸›sFÍ5Ñ¥·¬XÌÖX;q¡{{ïHäP'Iðmå¨u葅ʲz­~Ì|™Á¦­¤Ê×춻r­ŠŸ2µÕГ(ÚÆDÕ Š·Ž¾Lb`Ån\a#ð-7ÊaÐ@ß™HÙ¶-dØä.`séBÈ‹Å(Óâ‚4æ/gËÏÂ1‹´ˆ¶êC-u’E'ÛS«ßñ£»ýàœVqóô‚à׉’§NŒÆ€ÓL\”b¶Ààhö‡6T‰ Ëÿâÿÿ'3{ 7G;ÄÿÀ#endstream +xÚ¬ºc”¤]°%\]ª.Û¶mÛ¶mÛ¶m»Ëv—mÛúú}ïܹ³î̯ùæG®õœˆ8;vÄ>'Öz2“˜@N‘šßÈÖÀXÄÖƉšž†Ž ¬ *§oe¥odn+E­`k­økf†"&t0Öw2·µÒw2樄Œ  zvvv(b€ ­»ƒ¹©™€ì/9%%ÕYþ ¸ÿ§çïNGsSÉßc+[;kc§¿ÿ×NfÆs+c€ ¬œº¸Œ(€LTF jlcì os6°27H™Û8“LlVÿ±ÚÚ™ÿSš#Í_,~G€>ÀÑÎØÐüï6c7Cc»\T;cksGÇ¿ÏsG€©ƒ¾Óß8ÙÌm ­œþ!ð×nbû/!;Û¿Ö}Áäl Ìíœ³Ê ‰üO'3}§r;šÿulMþFÙ:ÿSÒ¿¾¿0½Núæ6Ž'c7§rŒÌí¬ôÝÿæþ fç`þ/ gGsÓÿb@p06Õw0²2vtü óûŸîüW€ÿ¥z};;+÷wÛþõ?9˜;9[™Ð@Ñ3üÍièô7·©¹ í?GEÜÆÄ@O÷v#g»ÿô¹;üÛ ²Î ù_úF¶6Vî#c(Z[§¿)dÿw*Óü¿ùÿÄÿOþ"ïÿ?qÿ»FÿË%þÿ{Ÿÿ;´ˆ³••Œ¾µñ¿›ÿ9cR€†ŒÍÿ­omnåþŠÿÆÿAòÿ#î¤ÿ·ü6¦å £¡û£¹£ˆ¹›±‘œ¹“¡ÀDßêoŸþµ+Û;X™ÛÿÕóßV¨ééèþ›OÉÌÜÐÒæŸÆ3ÿ‡ËØÆè¿sÿ+Ñ¿Ìiå¥øedd(ÿ÷™úoœÜ_í”ÜíþRû¥HÛýÏÅ?(¶nOjz5ãß+Ç@`gbôþ?düˆþ¿ÖÒúNænÍ¿eÓÑÿ[üÿøü×Jû¿ÁÛÚýsZômŒþ°ÿiøÇmèìàðW×ïüߢÿsýïQ76v36„ZýckÈd‘–™îT‡ž;<)¤ù»d8Ø®´Q©¨À¯Æ¶×7-l‡½Rï£6˜¦išã«Ý}éÌîó@‚âp´ÍŠ´7Åø*Ç›ˆ¼¿q“¤“•ò0€V§6ý\5ÊózQjTƒ…NåpwR^A§äwº“Ñòú™ÜÈ¥ÀåדœajC,jBR]áÙ9IâÉóéàØÈðPï-Xÿ6eNìObNPX’H?ûl^ å +áªV•¶½^MV‘µO Y'¬àÌæçåß‘Š”+‹1.ðñ€Lÿ/ú}jõá­ú^N«I-®„”Y”Лˆ³'•©•˜6´šM¼7Ñ”oõ·1·mŒ—'=Ufì1K±w;9<ô~Š§ +§Õ|¬½#W¯Ÿžª"*š>ïwü†©‰5Ì€ zÑ·õ„Üî_?F#ØhzÝ•¥‘´”˜”€ë¾¬ ÓèDaÜ”ðÜÖ–x¼°ô3ã 4vˆ_Põ…°?2Ö„ô˜Ûγ¸Í;œ,f'+@³ñVÁ¶yÅæÉv(ˆÞ‰žší7Gfì qðª}-W)¨Æ/“^íe…ö§éßk‰òŒ*(|‘ÿ²Æ)æýdà€P>Œ,U‘à‹D¡"w("Z³°QºD£xyÛ.Õ„þ0ŠÖ.¹ 'Æ6h¬NÒ µ¹žˆÍ&2§SWäåÂ]*¸NÕÏý=â×µª!Æ’ûY™­ N‹ 50º3êèºfEp»%…Z‘˜æj¤§kÜ\}–Ê€}—}Í’P«¨s}ò#U7ÉHÁ…€¬ðk´¾ëÜFµÐ<¸iβµõt.4N?”7Å{©v‹A1¼Ñ°¬)æßD7ìÝjÞä¤S,À8õ©ÔI‘Èüíç–(ª!ÝZõ&N|ú,~E¼ð K¯JëŽs/)#QcH—â¬öÛ#ŒŸKnõâpÉËÁ!=ÙØXñýâÜõÞÀuä¢\&Ê +5@Uc„7VC¨ªNxÉßaëŽÃÈÝ»T¼E uFB¾j5̘ò»–…P¢ììËM{ÁoÇ Žïe›`¯ÇÁÍ° UÜíëšøɃœ›­ú´ Le€rØ»·#ú©ÞJúì—ÓU>ƒñË!+ìxàpÚ|mŽ¨-ZÆ +~E+dDˆ¹w|/ŠR«Zu+SÈ1Δ/¸™ÑÜÊ:ë4i¾‘ñÁ®ša¡‹¬ƒÚ<ÓãˆÒ,k foQM¯kž Ÿ‰n,g£€:ud +c N½ïTï9a/gº$^6·5§i©â-Ÿ¹ß[Ûh*(‚aK+ØjlLöWËXm°d +š[_]ÓpÑjŸÆ–ùaŸHj¨ü-.Åüøiâ©žôbLC°Ñáö6õ|Æcþ®#Snu„þŸr‡QfÅ—‚5Ôîwšmo3àðF‰ ]ÂÐÜ:î:vÎê%l²©•³¸aêñƒ+öÜ×$­¸‡„ý ·bzý ”Âïò´Úê`Y¥ÃÄ5QКBvPbdÁ‰[OQWú´ŠØ Á4Ðë+Ëv1ö§z'à£R'4ÅšŠ‚„&üg½ºW y¦µ÷Àú»ˆ˜Ð«òÎB.¯¹nIhS_×ïŠÝ‡PhoÚן\ݦa¿kLfDHô ¥PUƒ7z€Ù2‘‘D=ʬG÷Á œÅúú#&Ž‚’4»nå¬ßÌ +lô³%î@p® ’´¤rEcžÌ E‰;LÙƒ +-.P8í^NrÁOÎw¢êåÃPäåú‡ªî©¯HÏùñâÊë%ýÓÆ{¤Û«Â¹}ó÷ßéB¤°"Áa{¯P üÙœééæqBÝ0Z3:c^í–?¹ã}›©[Ë M0©I;Hˆdi¨? S>ó×/pùeôkKÎn×µ«€NéÔºcqÓÔ eÖÀË럘ÿjϬF%åç"Z +Ñ zÜtJî5Ébx-Ÿ V3À;8Æp+`lš÷mn_TðuôñDÎÀÊ M5sÂEÐÇ+ŸÕ¦ˆØtðàQ¢xÚßFqÓ+”5wÐ4wÚøu,ë[—¦Þ-+˜y@PrA=ˆ½þ¥¾i;2V“|,FuLr½ýX ü6ž–ÝD/ÇQZ+2ìÚJ4¥¾:Ϭ›n$Ca‰n¨AŽ§{„(¦hÆ:ÇâÃfø¬$ýRÝ­1$ßlzFí<%Üàƒhw‰„JV냃ª:Ã*%¿WîËÓ9\Bjþô’f5†qƒœÎjû¬âMßÖ¢ÿ2¨ÓM[ws…+A!s„„ü‚Ëý-FÛ:†ý` ¼· ˜*n—ÍVaâS‡šZM$ &Í1–3VâÄiÌÃh@_d•©I X—:‰™Ç P¥¨¨×½öIdôG‘a!àU;€ ‹ž4Œýœ&êìÙÌ÷{¶ï«kðÑû¢Ÿ—Q¢÷Ù2ƒ‡¹É¨;–jÞF `Æ®<óòhVï¦N«¶üz ~«Äg²—1®»ÊR~j?Þ׊º‡éŠƒYXa‘¸2æivíwŠêk€½{çCiþ;¦ÁdjGÜ>Àòß è €)FÑu–R &¶©~yëòj×9½¼©ºñÚY ¨ø&è'»½IH‰Pέk«YÖDBQ4K‹IÀÌe˜jÃíÐ;n 0'­ †/¶ÈLè<ÿ”!æ¼æÈÜ@RŠk‰‘Ù¬lÑ‹A¾‡°Ð>Û6hV,Ú8H’Öž‡„«‡S¨ IG´ªÁzñC„&¼ÚÜöŠ¡ì‘ÕY2ûRBD%ˆ[•«èËéµÀÇ*ÄZ3Øþé ’ø}r¬,³RËH·‰…x²ƒ ‡HÙ*ùŽô°`åa„BÚÝ¿{¬‹VH™ZÄ<[t”€pS³õ.n^[í)¡y3Ñ +/ôI"Ø•ª, ù(T€}vÄ8™xfôzY X¥û™w·$U-nΩê»ãBý!xCŠŒÕþe‰'Ä…`¯n‹£¹êûÅÛ§ÔbDŠ ›ò_û8ÉÈ˳f^¡Ðâéã7µ—06HðüÉ&† F»N´!5˜=´‡HâžRvôîešXÐÖðà˵°TÿV%âÍ“×õPÓ×!»)r`ÕÏrP£MÒ˜ Š}çáShá`ì©N¬Æ>ÕYŸI˜RN)ö¨z*ßäÃÒ–SP¬Ôî·ÅÆutÉkIrsbò ­¹ñüK9!0×V®‘|´Ï`ǸÞ_ 'õºk|™]sÑ \Þ,(Q¹Íþ©i¶`cvù¸-Óº X_êÑšº–m÷üïÈ·ÐQ¦zq¯Ü^È¥Rîœìèƒç‚ì©.t¡¬säªÉ¥•ÏÔhòÝÈ ùH%ü‚B$p]ä¦ÖÜ >Ú×DèŒ#dyÙRt*-S$g}Žðšˆ‘Ù–TôH`–Vü^‡ôQ ë3T&KEÊWu´’ZwNB-áq·œ×¼øÖAùÑ8}¶vé6nöT.úœ™ãŒG4¬tŸsó@"ð@`t¸w™Lvfž)¿ˆ›hµgÉ벸Q»éö[K‘7å +õY³ 'ôTë¶É¦±¤>À¡«%~x:5%ä\¿ÓOø«£BbPçÚʶáäuⱋ·D¨+» ÁbÌ—U~¨Sçê¥M:•õTµ¥‘ñ¦€¿e<ÌͯŒUˆ¯ÌR@Jß–ÿ—OàxÆ„š$»„áŒÂ÷ÉÔ¤ÚÅ˶f«÷‚’ZKN‹¥‘Hôe£¸gô»T«ìJ- `ú¾×b×8Bí€Æ«øœxU¥3â§6RTåÑ¢§œ&Te_ãaºfÅÇDkJõœ9«’B#Ÿ éë,ÏÊžÔz'2ª=r{@—÷fâò¾¿¿Ïî˜Ë!X•Âjf/ÏÁ ™Z•K>ÝPG±“Ìô’¼Ë{¤š0äz.o¤µíi¶6K +²~w‰ùŸÀç:ln51 +˜±pO%œrÃö~†9•ŸFþ $¼S–gš<2#ÐúB²Ñ þ-™'ücïÇ”“ºJÍyüWOXæ¡L1.ó}7Ös/¼Å?½t¹æ®¸Ã’à´$ëúóêÕ¼§jèQÈɨ¬h÷hsf´Ô…—çíOÈááú%­U$DbÔS>G­ë¤TGx_š-if^~luyh^%q­°ÎxP\Ù° +-JjÛîæû&8Ö«.ÖÛv'6¿ÉD8Îj¥)Ã…òtÃ’}÷·MKTmÎ[˜¿tAÝNÆ¥·Ú¢µÉ}t5¸¦µ”[¶Š|ÁÜËÊ[GXõlä.[‹$+ïÊ.F¢²Ç/“5N¼íU +¶Øœ” +lýÝך«ËÒÚž'ódÏú=å €¢È‚:…uDY{FFÙöLDÔ}¹nf3Hè0B3¢æNÌ“ø©Å÷Àp 3&}¨€¯í@é]!JÒ{ ìIþ‰.ã€þÖ }DJM¦ÔÊ ¤Bs >ñNf^ßåþ“¯²WGž1ÛNFi€AW‘Üö}‚q}Â(õÉé®7ñþ£àWNTÎ\-Xæµ²Rfý¬±àéOã#Ðä42ûÅç´„;:/0IÃúù_±– i¬“Þ\[êñ-šý¬¦­ôîÍôLN  +¯8šû§ MZ°@3éóZ¹ ä¿È§è9‹  Ll1Âß<_°7:3s]É«,ßÉKÁs”çú°€½†“'Ó“_íæ"¹ÎïÐ]EFP<À­AFóEÃë&ˆä5äí©NÕE¦NÉ«jŸ Œ¿MÛ§ê8#Ï¢Ú¬‘Õ5¬%9/“Ųº©A;ÀÞºqR; 0Õ›ÓL"F‡LÁJ¾†¸§L3ˆ{_Ò!—ä#ŒïŠµ>72Âa¦Ð¥ÖÛÕw,oô‚º>„ÕžU’t7“™û×û†÷¡¯d}&å}µóC-pâ™Ö +2)¯Ú^͈À¼Ð‚°ŒÌœl]ø)H&²›!sŒÎÃk÷­ Ýà,Ѷý‘¯ðyºoèLLe³tÝHû—‚ fsûcštvǘ‚=ò[õûž­Öõ5Ã×ÌǜƢ<¬UoŸÌkAfô÷Š)"¬±ÅtÓ(p Å;q»{lî5׿" ®‘½Ð‘˜V–íf vÃ!¨»Ê¢ßµÜf‚]\@·L¸ín¤«š9ùv‡“>B«Õ¶¼Ë¿/K€µ”sæÈž¾UH°m»«àôßÏ°jEË$zͶ°Aõ=™—7YðÞzRmR +ƒïÙ{óEƒ1°0[]^Â|¸ªÞ¬OqñΧuwm¸OLÞ+‚Æù‰ÝmdŽHö¶dVyI®fÙ³|µiƒ?’úë¶Æ?¿;Õãf³¸øÃcÃ+)A(£®Á¢zª=%I˼*¿—09¿À³wÀZÖù{Ëö½l5¤1,q|<ú£Ö8Ï–í£ŸËä«ïʇç^ﶎÊ! uæ +e…üºo]tþÃÈc(¥ƒ´Òˆ&ZL·ëŒŒ5úlÛ¿é2™¸ ùp~·ª½x¢:’3 ¶¾/i‰)ÎļäÇ\i§r>ïuÙ1VOß¼ ÷¬*ž 3ŸL&vY +_²)ß‹âOàvH,|§ªÈ¯¹émµ‹b]™ ʸíðà4Ò§ÇYGLU¾\,cºQ¥l5RJO©5Ãv51.5!â´ùF× l‚&eü΋³ûÛ;àE‰yò5ô‚2¦<$­‡….ùRŽ+BÚCk¸‘.iTôë;lÕ=r?Lþ¨2­©3ìÉMtY=Ç£,T èóÒpõÞÄ"^fWYÔò†4¤î7ÌÃ~âŒÝû÷vs&‹¦Ho.ŠWqÌIJu ÂC'Ý“k©jÿëë­Çc~èpËFcXWç/6° +i?8 +”óf‡ÈcPí{vg+56è‘cYÞÖ1½ÕD§eë|"Y^/ “&T´ü{­Áf^vÐm¹‹EÝ!_R³ìbD{í»ÖìëR¸Ž%fƨ• á.+º®¿ÒL–k 5Qì]ý,°b”ð@8Ñ&øj½b°-ˆÎpÝÉÈëœÜÉ@#B‡T:w‹Ÿõ²<ž+ýˆ½_ ü³³a€<‰;.Éòž`Ö)€á]&|«mßr F—€þ³Yú·vmúUËÇÜíþ¢³rÑÐ:¾Ì'Y¬A)Å@áGD¼´†Ï0lkqCþ“GÒ^&eãÈ.ý¡¥ˆhØ8 +roGÀåüíÌD’`LB¢:ƒ‡¶`çîŠòÀŒôî—•/õ9k¥º4®—íßW´æ†Ç±‘ô,ÑÌZL9sIUœÒ_¶l¿œC›Û- Š°Â +ºVmûðÊyy Ö‡ã$®$lË"€!Qq&tÆc²ËÀžÀ¹ŠønçeÎgO—.+ +/LÂ,c@P‰,"}­·`5 SX„Ùo¥ôIô$!©øˆIþD …“!×Bç9½nÚ)] Å3~ M™L‰¶ù­‚œæeîŒæf„Y‚à'È’¹ž¯ö©ó̦O ›jK3G؃‰^«ôíËË +]™¾¢ø‚*¹PÎîsËù2I¦¶èÉ\üH>3žÖ0U…¦¢ãØÃNÿ\úAÙ,ðZh¯$ü<ªá©K¶gRZ¥U¸lam¯ˆ• •çĆV¿°:‰ŸÏb©ÛÎÓ|M·Ÿ®+‚©aÙáĵ 3‡¹‹*úŠðº÷kÜ(Æ‘lžñì7'–;ä(ô5Ø›Vû´žá^G¸|š³zɵ4פ߻oºc½šøˆ—%i(Z’Ú?a刪VR—‹,®É3»Ù‚¥¡g +j†%lCò”L¸Gzuñk¤Ž[êh-¯Èþ¥;¾×N»ºgHY aJÁ•'åÛýR_$¼ºfÿ••P­ñü73#‹ þO³‹¿£hˆ5^Ÿöi î¸[rÄ'Õƒ—¤§!¶—'žÍÄY¯EΌΩÊËi`µêm£¢>TÃñ1šN›¤'ü±i“‚R|ÿ€‘)XòÊÊ—¥p,‡½ÓW¥ÂØr×!C’ÂÆàü` ‡ž„Õ`Gl®/­Øúæ.r”ÈÙä+ú<7›ƒ\©?zlõ£b©UÀ{S‹l€h•I‘æ>…uL ‹®¾„,qÊxnï#çs{êºÝÂIor(®Œ•!ç‰âõv/ˆÏñó÷†éÈBDßÑÑ#¹Iâ—D‡W¸°÷+š(ЛЃ‹_åwE\PðOdzIMãßa50 áühç[rEÎù†}Ø̨ÅÄ*}“ˆòGð»jnKŒI}#K®Øp9fêuGªñ÷×5‰ÅŠ¨Iyyk]©M åBÈQJˆK¶É_ô×ðÑç†{É'–¯€Ñ¯NB“uè'uh+d“§j‹Ï³R¸+ÛRÇïÕi£6ÝösÚ“}/}˜[ØhsÐF•rJ,Ò¦ 0ý|:šX÷¨#u®´‡R›–òº©|¹ìäñˆàò³|£"{+E¡á%uÈæ‰PÃ@Éö×™³ÕŸ¹›Ë9.Þ=°ÁœðùÒj[þ´ÛIj?h†“;•5ìn@hD4+/‡¼&õÖ,Ãz<=W=†Õ«êë-£,£«½O£lŠCßu¸ì¼­ð›°KE»V]·úo:}ºÏxˆ“®ð3 þ¸Üꞎ\cìÎ#Ì›fTXªäá•–ÖªN,¬îf7 ¯A+¹|v.¦· %´¤ÝöNÍŽëbòRãXÕM¢•W²“/–QÐ,æqaÏb™Â–h96ÅçñA‹þn±QÒ»T \ì˜D£*`]Ö;ØädîMgýi²CÌ8‚ +µ3ð²ŽÚ̈þì0¾† +g¾½Å8‹g!¥9? ®D1ãAJ-z +šR;tØ^~°Ê;ѧÔíÊ5“7Ë•ƒãÓš‹ˆ&Q•ååݶvó ¼N3(*³ëOÉ‹ÊcøõS#t‘3jÌ/áTþS‚™uhX¡B(šòÖðKgc³ ͯúä´†Ý} +)Z>>¢˜ž¶q©\Šf§N9±Hï]õ#…û˜½ÐÄÅ,3xvÎðäCkð3‘ˆx×y;ŸßuØ|DvpÀ­‹…·WóKfÙîQéLN’ÐÖ˜!°gäaÇâþ©¡7’¥å“<ë¯SGc¥ÁÐJ¼&8,: uïO ¯´¡„È/Ä{ç$WükbýZ§xOF«àž£.H´3ÜÀz©Êm(ó¯­K4Ÿe`e²Å食~ôR¢‰r—¶|ÉÍÖ£šC°QúÎêí÷±èû¡vŠ]7 ëB0¬DÒÖ 2í:‡…r|dr8‰D—Uµü’}c› ÑGÄF«š+Eܼ»»ÅX·d¶” —´r2ù¯”Ò)ëü4º›OÌÚ]3ÏVø1U‰˜Cú´Ü,Ú8.Š6Cf^ìòENc­wî , O-¾+ÉagÙ€ÆAÇ>š/öÏ×KûÅÔ4eÄ=GÂe!ž«?h¨@]1õ]ßg¤,?æNÈ!2ÌÄöª’RT1AmHSo~17‰GÁ­•ß%_…=!H›Ìb\*þºyyÕ~vÃÃÊR:FÓáA`BÛÚ-’]Mø`­Â m‚Å¡úð`\ì£"ƒ¸iÉÖ÷¼ÉÐtRbºh¶KX Œÿµ¡»º½ ö¬°“ú¶éíÑwà§õ¨W†ÓЇØ'˜Ã ÕÄÖg³?Ÿ³÷5”T/)qî°ÙânÝ?„g3»‚0"oÛcezO¨Vºòöç(Ýç ÝÍÛã€IœÖ}ÛQ¤‘_g)!9Ë´ÿxÓ7hÔŽŽân~ˆÉoâ´ÚÅæ¢K-ZdNÏ +Ûç8Øn•RàÊ’£ááŠõŒºŸ*ýfªx—PÁ!tÜG€!…p@î$)¼ R€+2Á@ËÊwŒ×;N<ˆ¤Ûb=ŽTnPú˜àù‰’'¿¬vw„#\ “Uö:ê¹´õªïŽ[”ÔÑA3›Ýw—ˆž2d-§×ò‚ +kÌŸ5ð{ÈÛÛÌ%€ZáJþup{=3Wwß"ç XçÀ¾C¬ —ucùSUÙóS*±&Á‚d⦉aSlº–œŸ2˜£â¢&‚%pŽ¨«î:rÕ"–ŒŒ€KV·xXxЩ¹ënM™’ÔÄù[JŽYµ¶4Sžƒí[}…óˉŸ´®“?›÷㊜Å-=óãá›|‘{_àÇ]]ƦJöµÍâ#.Ü•˜Wk€[{ùVZ;º© çJ¦ø tƒ)‰6kªSŸ¥ØêŸ ýòÖ¢¹ŠÏì•?£Î;IÀŸs[¾¾MÌÓÒzOÎò³…×O¡}Þõ~¬ÇmDw’2òÜîxQ]¡ëñœíñu¼##åZ —‘P|iBÔ«V ®!ŸÅ¼âu-EIÞIGi³%r`…Äk¯÷ ~Ýt™4æ5þ«™¨¾B“ÊKxýˇ|ü¯Ö¤6PY¹£;ÈÌDzï\¥¿UiVe¢'î7—£×³Ö¯w¾È† VZ%CÂR”}¨ÒIq9fû vc£©¸ öHï–ÈsËiU…úy‘&ÆO'#ÀÒ”YÉÍ£5X@ +¶–÷Øç…×éâ ’ñ»>g­ó—âè{1WÀ´mî²x¤UÈ£°… d€¯ÏwÃaâ§䉌&¼:ÉD;ý0‘Á™º›ªoó-{ÓæÜ‹À¡Ž£U’º·‘ƒñŒ Ù°k·A«¹ÃÎÏv"ØôÚF%-Å¡åøZ Ï46ÔÔþ%[PåÔ¾•dLgêIì7‹ÛsáL$#Ñ­ „®uýþñgk·XuªÅÄWŽ_¼˜âÖRé™”s.KÂà‘\uE<ÎQŸÑJ˜œµ¿Tì;!DAwpCg,Ú†EQþwiaétßoøØÂÄ_yÃ'´ž¯8; ŒaýWŸ!R‘Ç@Þò>‘h)ê{Acß½{¾‚ßšŽÒѤ˜«¯MÑÜÆÃéRq®.Äù™ªúîñp4i"éqzroBÃíKöDaÍõ¦×G¢2ìˆôBËÜþÒŠL«ë¼èŒ!$ï™ïS¢p È8 Rmo ïÚf'ýýÙošÛ±±<\¼‹Á(b{³¡ëqTB#ü‡"ÿ»ÈÞá- +¬8ø°× Ól°å¨…JÐkáݳ’pÎËy&©è-½AMK9èMI¢H(ð`Š_·rªVrKä>ž;ÈÏð®œO‹ø€’Ð&nuŒ¦s +œä^HZ²"nPK¨ÞqD%”s…x‚¼[Ê@úÜDóÑž’R—¤¦ +¯ Þó¡6~Û]ÜÚõª‰:îŸFÛÑÄÏÝSÇ’sg‚_ñ<åÐÞÀZ”1…fÙεœtÏ12Nã!!i¥ußûb¬VDÊ/]ûà46KrÊ„ŒQ±U ²t˜ý2=ѵêQaÓwùÚ–Èí* ¿E¼iòŽ}ÞâÞO‰†­~àûËÑ‘·—Næ9< ñê†`î©è3|À¿F¦Ö!u6|í1,btøì.¿‹Â„ûJ¿«·yá¹…#lØ4‡€ªÇÑu/ùƒeÚnÔ¡£]éïáõ(ý`UóÑ~í×™'èˆñ)šë´šÌë‚—¦gƒ†À_ !Žjú™Z ”‡IRþ–Þ׬yÖ3ì;=(’¶}Ä_ļ›­È‘0hˆL „B3Õa#“®•C­~©}«u/D 5LT%­'åþ ôý9jÖ»f`xœóÙƒã•Òöïx°wÜiÌã#,.ºrðOÛôãÏ^‘3tÔEÂä§8 M + –'E\Ñ®š"î°¦“°5ó#æ¸}L¶u =zk9ôÃÑ‚r$rÖ;!(DâA[Ýü}Ÿäáé˜Zf¿‰ø†ëf â×IÀŠd˜zó›kÆ#ÖµF¦[:ÃàµUq»ÔðÃ,¨ÒÐcZ…ÒÓ”CoÉ8ÿѽ$óEm.Sºæ™Þ1WU¿áñ¬o$F¾ì rî0iùMw‹Õƒ(©²aêJ·­=±¥úô’ÆXo›I“L5¿`›³v8HãxÔ¸÷DAE÷ÇÓÑH¬i¬Ýit¹Ž‚Qû[h‹X^2Öõ*§."éËéü×r¢)‚Ì dêë`ôÏQ=i¡_®bš*FGsF’òÕ’:/}*!WZÞ§žŽ˜Š0ð… +:7&‹Ãä“þ¯<£À—MЗ¸*„aFbûÄ<§Ò ?I³ {ÙLwOk›¹Î™o:¹ï1ü‹–<ç2š¤À Mv·¨öÄ7éá,u`#õ"Ïg¨ó{ Š³²˜§ ´ƒ\ûY•¶Šq“UÁ”äp+åå’Õ@e¿äØvwï&y³òû¯§¶^SÏ\áS©Âu·“žË ˜LgU¹iļ¢C*ŠÔëºëÕ^ZŽFé=i´ÚšÐ¸/½/¯=¦¹˜¨ög rþ‡Çè u4Ó|³Òú{,`ê]x±7Ëq˜ÁFu&ªF$Bض´,Ô„Zç²gYßVTšæ€ª¤KM„³Â9g +Ë™é岡3•‡EÞL›…à$® +„ "ŒÌ~»9Õ†Žâו¼¤ÔQ·Q/›Û5A“Î +NãŸ2¬8m¤Ç¿®«#}“+éûeH¸P!b'lŸä´ô¦W)°å»gÏ‘„±w‘£ô; +3¡=ôϧ‘¥Q” +z¾èL{E)¾¡gÎ"߬¯3‡ ”†îoÞƒ+ä[¦oáöàÔE™à­óéÁsÜk’{?$×E–ïFÝ1¼ö‡€‹¢µID‚\=žè9í ™y8ë\;·àÒ™‚p¨„úä ˆPÆômº_Į̀͢ÖtJ˜ŽUÀ%ÂðTç~q¦?2ÎƉRW‹êJС:¯¼ÈQòúÑ_Ì3Ø\OV´†¸Ü€×‚üH™’Ðm>¨ÆÏ©w•§ØÇl”Pè÷Gêg]ÐO0:ï¬ö»úËðugö â Þ¾Îûʈ§Îع[wгÃÑ6@ͧI¨!­£²ô°¦¥1A•¼“׬šÍ\uPDGLkWRÓCׇ³Azè›)"86Ó©A±Y†ð +çâŸ"Õ=ÖŒí¨¶Ò¡¦•kÏFpf“´,×HÌ|çœÚ)ƒò®0d±õ*¿‘u`%R ~Ƕߦ¯×!GÏq_>pdR +m"awo`¡îÒ½ˆ5dP³¶£~—˜þtÏ–!…´¤˜µ†¤rØdh”“hQκ®J!ÐôkAîæ:YõäcT…›<–E\+Çáv+¼'á‘Ö"vM£áËæ~»Of;¯&€ß‰¥ã…EÖµðÔß»¢¼$.%¨ +Û¥ú@_Õ\è +4bÙ<…í /§A¤S;wñùjÿ†éœlÅÇÛÜ=¿ +0©@™.†XSæ…Ó¶:†&X¨±oÈ*Õmôñ¿q‡6°†Òªo#–y CÉ +¢«,¤Òæyák7̪‡v“ 'z—xjy%Ïw…e³òdªŽëÀ/ Ì$ñ›’õm·ü=¨Âåí×÷`Òâ&¿¹ ;UfàHé»næíM-ÖUÜÝàœvxÚå–ß"«³mƒ\aÆaCöÕX×ñTK£ +Ó¨&Õ°9än‹Þ,V•Ï„[ûñk¬`¤»PÕù„ÖƒX;ýæPG!]-êÂÆôI’e(Š¥,V/%ÃErÀÎ9£‘ü`ÖIú÷ýµÙ–º@´"wÝe‰ ŽãX8¨5y¸M4* aÀ-&N(›ŸóšôQ·Éo w ×Ð]š¥I.†üÙ“µŽ§¼@‰Æê8ŸçÿùÿYV\ˆ%Øæ1þÜg£ßÃIÈbŽí‘÷‹ 9ÂæÁ™gȸþ©ÄŸt³J €"…·ë©Úˆúõ7ÃKšä=#ÓÉ[ÿ2žÂGÚª~À^ª) +52­Á9)ú¯…Ź£—3þ'៼þïœU¥ºfmአc’žû8î}!ÅvàG!’ìš&¶ð‘yhŸóó§Tï7&`Ø4myœîŒD¹±U`K°@$Q¾š`:µwºŠõ)Ì­CPTàj\‚S·QÜeo»n»ð@°G²z¾¾kSç¯?\)…cN0LÐo¿ ö­Œ$­º'Ôp>v±~GñZXø‰Ë—JìØKÄã46וg©“ÇF¥¸j¯}Û²­…‹Â(OÃØàâÑ)&l¾YB”]G•â?s¬Heú´,ÛïJ@Ûm8X|t©Ÿõ¬Ä6ñˆ@¶ +fî$ªs¦dJ¸lw Ä쳪…P(EŸfºI©@0ìù¡°|’› «%ðK”!kÅàëˆÓ¬YZá¹³äÖ…^SnÙñ_ý¦];:@8xI]%ØÅ­cм«IhiÐtW²ÌeõáÖVéÁß?HÝj É«ÎPüb«±‰’ŠR ¿Ð¶s OôÅMæáv°Í€pxüh ^¡PܶR²ÆE'M$T?‘No½+Ø—ñ H]>‘·)JÓ`ñwŸ&s0øyT±5ÃÀ)$cÍÓr1SŽ¶ÞV—˜Ç:n&n›bMˆBv—t©ÀL`Å;ó¾£—Ë鄪·¹V¢P©‡!’µEÃß +éI%)ÊGJê¶æÀQÉ7J Ù~‘NdШ§F´ŸUÏ]®%öXÏe˜à~ÜHÀQ—DîÓlÈ_í*±&·Ú”ÙÎûeúxU&|@E†sM¶ûü>Ç’5¡X?ÿ\Ôü¹ç0YÐ6ç+|Wñíé‘(‡î×ÕËfìCö‚ÔjOGÌ¿îUˉ‚û‘ßv•Ù0U¤ŒÌã ¾hƒ’jù²ºÍ#ñÎÀ‚5^ÏYµp`<›Ô"{¦ùå¸G_ {»xŠué»Ëy˜…x«,*QM™ðKk\â³ Ç#_ˆ©*ÌPûÜhÊÀéÂR¢Kš*çÛ°¸)œS92aÕ-ÍñW„cC‚ÙS„Yø`¨ù÷/c¸øØKLdâq{"1…Ä ·âj$ª¦rxÑŒs†ºñ$FªÁŸè¢ˆ]xLÇ‹* «:Æe²HÒÀšèDöéàÓ™ñK©ù£Ú±ÔåC’hï!Ð,¸A©¤¦¥†Üm&yÍ2pïbî¢w{>T~ØŸæó-ä²0ôÎJJi«N>3©¼ôou2˜çoíL:Ô¸?°v¹7øÜVGê°_ÊKψMËÌœrY³ù“Bù6õS¿&ÑéM¤«ÓvK°¹!¯f[ŒK‡€èzs.¤ŸsÆK€©rõÒ9;'n’®,m1áö“Rm¡hÅ¢X\ÂÁ^ÿ(_ú‹3ΡÝoü\ÌËÞê$¶²–Ç:ª/:÷a‘R)ÓÏ";ãYS=CÑÌέŸiVÁ±ïÜ!@î.Œ“:†*f™Jž¿©­šGFêØÝbˆ5+nJ9$Øò~r¼_¹TÄ9×¾ãá6˜ÊIГ¥zêçŶ]T¥ª½˜²“Å“Vu‹5ì`Y$Vï¼E 5Ó_a´ÚégÕ/—æûqw§@_2»¡WîêN½ +ÕBjîhÔý2Ö]‘ÍÛY×ß”iSv[¹¬¯ùíf—0Ï_¡=A\¶¼Á¥¸ Rµñ÷m²³Ú¸™þÃ7غ¿°º¦®W|ð]g_ò‹Êàw\~De„8±pxÚ^¹ÅF^VDÚ(œì–oÛ ¢‹?åW¥oý‚¤5 x‡àÐoA`O¸€&úT8¦oL”xjóÛï”nc Í»7ÆÐYºá‚³—ÀÕMÿŸ$‘ÁÏã¬÷¦€w¿ñ®ÛÌFôd]¨ò” fÁÃI8^‰S‰äÕØy­e¤ÛF;#¯J &©ÕÌŒœÞ˜0€ˆ­,]ˆã\AIŽxØ9é œŒa8~Ì4 ©[×#ÔiÉ1vf¶ "rÁ¡Ýe^pÃöÑ>lVÉÜqvka¨D8¡ô0ûUBÐQLÑÞÕ!·ÜTe¸ü˜?—çð¢]Ú:ÛN¼µ/7¸Ñh‹ êÉŠ†GF|ª&@Z~«?3×”Hš/4‰ûpBå†]}ñš‡êiˆA’Ú­ä&æÏ8 +Ù¯ñÈïpMÑÛ9½`A.'p™ÁŠd‰}°¼N®-ø¼ç4<±*#ñ‡ ¶³¦h䪲ˆ@ÂcïhÆÿÈäß~(hI˜Ñô!q)kPI ¸V'ýú=äu–¨æ±­ëU £Bào¿o°õb„“{ö°sï›ò3æÙYv¤…ß©DR +Ö¤…Í4ˆæpªþˆê„ß»è€Ã.qØœ”@ªÙ˜ûËZ¸š( +f'§ËçbÖ­;-4Ó|Û¶²Ìn¨XÇsㆃ,†ÙÄïÒJØîĤæêéÄ̱ó‚6T&µ³¿%y²n +¦1.^Üq[4P~çw],ÜPÛìðÅØ>JjŠN!}6Óçj'ÈU }ŽvB.K·.¬{[ÅÁðTôËœÉäýØ–[‚|çR›íÀH%C/8­¶3º8»‰èbä‰ ÙþŒÂ(®t„“}ßžÒ~n°òŸàš{ßwŠvÃÏ ƒo =M9ô›_¤¿·†-Žb˜pʧÈr¶Ž„—BÀíOéÅOX®îqƒ^Á’»üâfÉ‘*j²’‡r¬ÿ&HŒ¾ÞWOFÝnšŸ´¹cæ4Ï æ|Sgµü½‚Ï…nv!¯‰7º*…4ëE–Bž$·2 n3͈9ÂÛc†òÀ0²y¢^œ•†Ê¨©J7hôp¸o2¯ ôî-µº•×3=\={:Ù ­4ør{p#h'OæbÄA›²á°±t‘D}Z‘ç­æ¼óéçÒÀCÏ‘·Xþ¸f5…§›<ÀîûÝÂ/Þ{7Ý1<Ù\¯tϱÆ;‡v†"üb£?½ž®US½‹x×kXE@ܸ¶X7™u6PÜlPÊIf¿5CÂçüüÀ€Ý$ë·¥¥!|}³‘ÿ€ÓÏÞN ÏÝÎù¼S`Ƚ•1{§Ù+±oµÄË×xWG<0µœÑ; –E÷ñœ%'Tîæ96eýšÑðaC–ÌsrÖÖ,OŒsÎÖwŽ‡fÚ);ÞÏô¥ïaâX…o½É»3¯nÖ–“EþIÉÄÍJ…jêýýÃlÏЛ +:$ø“ÏÊ-jF,™T‹®ãŸzùZ cM"Â@*ØâL—ÚQn’5;žÒ/I«‰q}Äp“j[©º¹R vLij÷¨tgÄ‹ðw£ìjÓÌvbhk:’ò­Hão:sŒ’ïß­pÂÔ(*f”Mo¬OÆqÒý#³¢›ò‘Ò_iǸÏ…èCÿÀôÕÚ¤Þµuªvnh†=PÎN£w­ßê³*k?lFwþ‚.eÕºžÓ„†y©ÁùÑÚŒ).»¸¨~åZÝ,p] ÷a"Ìýúo=n¬ú¤²-€‡vÉ°é‘iT•xüwŽ‰H@›ú9Úƒ8²¨Måò‹c0+™¯b6…$€×û8ó¦6YI7ö`™?ó*Í\¼ñ +k9çÒÿL±Yéç¦'Øx WöÓÅ60¦8¸»|R“õa«Zò÷ì\\œ*)[5‹ŸS»LÇ æx1ß0C# ¯ +å©ÚÝ…]ƒo'€­@ç«2ë1‘WÔò€äZ´Þ;^Þ`£'Þ®´DHŽÛSWi¯22¹ icŽ©„‹.ꟃßxçá'/¹fÄ-¸qýúu,XXè «ÌN÷^ËÇ°Ñ(ÔVð|"0rÖ §3*€ +YÔQƒô\H`ÓÐ*à˪±hT9}ü¶åJ} n)'Gf†ž—‘jê~ ?W®ù§?%à Úè²H£³¬žÍ1HI}ì^¢ˆl4»9p1â5·Gpk(üEWÈ“õÇ‚1߃µ‰ö½CäŒòßT#¦ê½¤_zÉ¢Â=Ücâ Êp²q´×…$\ç‹›Üî–üSº¬–‚^&SŽ°¬ÊÄ$9ÿg>ÐÑψÎ*% â}½â¾Š[qÇ Ôá˜>(ðˆ'K½ý‰Nâý½Ò ‰ WŸL¨&OQ$èýwG$y³ûò¸Á’<h0¼ZJL$9‡fm_¦ûÙZ"ÖÇå„’Ž°)s¸Ó°C™Õ&¸’P®ýÛÓä/C/<Ó•J§/±›Ó‹œK +lç\žïAAµÇúbɱ&ÎM k=-ÏʉV>•a72˜¼ñ®¨ô-ÒcŸ«šS%Q@$° r9Ø$”ÚÉ Ü"è ZnL¿rJH9€ç‰ÆÃÓ>±")Nÿ‘a­­Ž‡æÏS ¤ëWƒÿV ‚¤+œ:-$ëˆÆÑÕYìÅ°¾®MÓ¸ötÒÛçf®ºAOmì•—i5ßÓ[• £¹«¸qž²„]ÜÂÌŠuG$ +Ìi®ýßC‡„­—ðøÞJ{q…Ýd¢úmSÖ«ü÷øånKJ;¡”õq¶åemò^( º`HÔ²rG!*{Œ¿~ RÑOB%‘c€ ¨âæªn¨+šñý©úXøìu*+,&_Uê6}¶ãšYwq@‰¬öLía¯šï<Õ˜DïÀÑãYËɃ˜h¿¤‡ç{øPj¥z{Öû­ÿsv†x3¶^T% ÞÚ§\\»š–ú{ÉÜ<§-ñòzÚWÕlÙqFÑÙª–ÜI7‡ªý ¼×ÂOÅþºž[Ê´¤°¨‡¬«Ógœ…Ô”;øIêÕÙÈZ_eÉüŸD¬¨ÅdÆEÕ±6ªr­¸}‚•a¯O#ÿE2[ló`½4 hÙÅ(iÓ0ú +E™F`ÃbËÊ” )&îZ ØkDXH<'Ò–ø%;š àÁ1ÈÚ†Ρa2†@8Â÷:ƒð›—eSe8pä¿û‰j·ú…‡UæplÔê–y·y·‡Y-±ñŒñÐ,uªúÕó½y›H°íQ"ü•n¨g¼<. ++s^µSVÒxU¿Ò¢7Iù;®Ð›Pe55† mXH. …¢f­¶¼ L’=܇@ù©¼<)¢öÍ÷C¬ý ˵àÔ‹z<”Mêæø,ëM5xñ,ð:‘T8Ó;…†K!½|sƒÖEð¬rØAVé+0s®‰ˆNØ Ü6Ú¬ÌÚÇö…Gàù×uŸ4{xþ^©‰ÊQTÕñ +  p1X‚FÇ_QWV·<-]ˆà%”}­Ù«\_õÁ"L˜TcHr11Udó{åÒBb&Ù`Ž¥+‡†ªb<‚-Þ}´üÅú£%ê§@éoh«É»’¶ï¼w +AZ8Ì:ÏjšUºcÒ'`.SÀVZÆÿD0Y\Î ëHùcW\±cóÏôOÍq£OBŠC ûõsO“ö_=sÊ°*Œóò…œTWÊ0I´œCB,Ýíà}›zæŽÉ;Š³[¦Ž"UÆ‘JS'€ %éØf©Ð¸í4"êÖÚP¶à·îˆÚyZ}ˆ¾+°¸Øj_Ëaé ÿ!Û´dÛs€L^t—¾j[ËEnI­ ¯Á†á“b#öÀ%8ú•°ã>Êô…H]T!¼¨Ñ}`ü~&¥‘Š ¿¾òÝÙó€ßƒwSaã ö]p+‰¦àWËíQ!(wR æ÷¦ûrAÀ82>XSíEQ²ê¯çÅ¢ªyX¿ ÿ¸Eüº¯Ee'®xù™5 ÕËMÖ\1÷Ãë½9V9Ƹ(žov¥®€ÜÕ×Pˆ +>¡¨Ü¹žwjSåeëŒDÞ—`,â%ÔŠæ¾y*´_ ŠÞb~sŸjÐàÈn.Ål.¨I3ÁGÉ{l~?å²RœÍ…3½ÖÝX§˜«—‚t­„¢‘9=U8Ó:3¢Ã".µÈ“žÝŸÙk¹€‘W‚ §;À"Àj^¡+8EÄ(˜¯¼EÜ­Úz¯ÆB¬õæ2~[‡›e=›sWUË€Û¾ÝxI?ШæöÓôöB5ÐxcD±Âü²¿\ãêD°¼ägÔ÷eÁ©•È眀ëw¬ØÃsPëáÀtIéìV}åV<åz·ßE­ƒç#ßH* +a¦ÍÑ„@´™É¿!øoëY-6Ì`ýÝïWˆöµ…’EV$Xê&MòWð¹ÜËÌ—Ð ÎBÃfÃ7‡ÆpBHæIÌÊŽ6Eöz¿½H\„k}•º í¿Y­U%6µ,k¯ó®¢$0›ƒ£€‘Êøäo?{ýcSÅÞõá7$fG oviñh1÷G·•p¦ÇVúcò^5Žúœ†¢2v»?á‡Ê”0ƒs` »>$þ†Ú«Ÿ#ê:L¬Ò&í.]´Q˜ê?¢pÈ>&wÐ{Š:‰þ‹Y÷!d§4±\Wõýìøq¾£áx±ÉP°w™Äãé™6t ~ËŸ&Ørwµzªà•äŽV™#€HÓ7ÝB9(å^»ôºöO}˜–lM‡W ítÿ0¿*/Zkü÷^™lXÓ\/)ÒQ´[ÚÓ,=†?3Íyh0"ÐMǸ‰ÉÊWQN?Ö<Še~®q¨(ïŸóùUÈ#æ_¦Ø™\Y.H¯RZ™…q¶ÒØ 3¤ü:ºèåÑ ™2EhªºX*ð`º@fœPþxÀl¿h}Ûµ†óˆU¯¡TeÓy¿díõŽ™ôS8W«jµ‘’ÙëC×X¿Ðí…éÒïePxO]i ÄÍ›ø VD)Œ%§KU2'$ÏuÇÛž‚1ttKÒ›´H,ˆ9àF…\[Q‡æ0½>QU³ÌUEÔ¡Q™î$â:݆m©;ï1ÏLn”=êp]=­Vm÷¶Ã‹0ô·@néýœjOÔ?¹­~soS÷Ÿý»Æj‹— \Œžç¶=x¬O KãNðûo=4ô=•O»Rþ4@Ë gs®`¥Ÿu#§6ÒǼA×l€¤1ªˆég‘õMý¿‚œB6DÌmeº#!M½ý[¥«õË\^ÚlCÞûÖÉI0…È)×t]lìÁ€òû=qv¾jºXmî]ê§Ú½Rû(#Qí°úý±{ZIrØý~î=4¢v)Ü©g† ƒ`÷:8ûgN}Ìd;éÞX‘ÏXG+–vˆ‘EÄ`ÄMÔžè·¨ËPŒ øXéd–tõª2·ÖŠþZúBÁ.à—r˯Å2gtYΫጎ?1¢½&TCsâb2‡*Åá‚ #›AÐ…qˆv-fu‡æîTi:Ð̓rÇênS±†§œK&ÌØÞÀ®O`5»N¢Þ|Ylι-žÑ¡ÊŠ«µîÈ“s…IsqñŸ×md%T¯¹ÕtLAüUcP.Yp­²Ìdãr|B‹®D9?U¬‹¡÷èx¥f{Q¢hÜÈ?rE :Š¶ k¦íp(¦(>aåù­XP6x$³ ·"·Äd% ïŽ¨æ ³)0 +,`0ŽwÁƒoëtDD¹ð†ÕrŠÝot-B~ön«­­+Š2?g6šøwÿÀ€ÊV[+bÈ2~­Û]VÈdÜy‚õz1ròŽƒ€k´—ñàaŒKày÷ÚtƉzWå§Z&¬ìjÁ³=kÉ +b) O@.°,Ñ&?±—nü–§Ðjƶ9º0Õ[IM*¹ë$IâÊ”L^§6ðkz·É5¼‰X¿R¤Õÿ}ù‘̧0à«¿Ô55x†\Q¬â‘%}à1šÏÝšc@J÷¼±Ë’!rî?wnÊ#s"ëçWPp{”Î'·h -âÏ÷:5AJâ©%×rwT&qXo+räp9µ„,¤Ðý05•‹ó˜’yþíüªÃ´sýbdNÅ37‡Þ>\¹fx^XïE\˜ñÎåÌ¿#êÞʪèâÒ ¦{¶LHæ·ù´ƒ÷Q¥ñö¬ÝVýW¼ñá á[}Æ$©°ÚyqÃ$߇)ù7.ÚD¤S­v†]×…;øÿ¬¯òo‡œ¼«P‰ÕòH¤U•[¹ÓÄÌW ö3E Ãâ_2C@ Š2MõëCSôz0ý¬Üñï†öU£TD·…ƒO"ªöd÷Ò(„ÛÂ9•­ñ–†öÆ_ïÙ, +ÅöÙ$>‰ËÍdoTR=÷ïÍ°­T—8̃/#/'›Ö¼y/Gç*(ï÷4½ÃG¹‘CååôˆVQÕ#´¸EMŒ~9¥z +Àä@ň$tɃð]\(í%È#Œõè(j#„N¨5?[Ÿì[L20Qÿ“”¥h„’üÄ/1¯€*¡­ÀÕ½‘Ïä‹œ,à$äPc.Ç.ÅãÞF/üÉó›;Q:_ÂeÜŠØŵ­0ÞtªC£+ëŒ*]ò"=qVòZ§¿´˜ŒøÛ@ +ã‡} )IæW4÷ÍFtMPïÄ Î…&Î8Éíôj]OÄàÓ’´-¤þÎûÀ¦îÃ)&»2Ðs¬¦˜Ïñ( +s:7%¦L7úÚ1KÕ÷=a<¦h rˆ7í-° .pr7ª[üìÐ×ÒœRÈÛ^ý£Ñ$àjc†ºPUóäb ~ø¸*›è–(t¬/)“}¥ŽSUÓâvŸë¤Ž²L>(0møë„n.¿Hª˜ÎZó–Z\Òz˜X Ëëm¬‹½Uùu–p¢\V!yÒ¾í:wkfà›@^æW¡i6Àl…‚*O¡sŒ,ÂÜÛ”-Î[r˜žû,¦ƒEØlùF.ï˹2£Érl{1Æ}_CñÈù›=Ç–{{'¼$RÙ½L +"ü¢]Œ\CG^9Ö$tTPïCMHÍs*$dM0ÓðÊ)ȹ=½4ªÃJiÅrpHi“šŽz@«Ó_9ð6Àc×Q÷Ϋ¨5Ž¾äùS£·tW¾ªv<"û, ‘Qº­ž!v×Ó†tÿ\ñ©ƒƒ*Ø>ÊÕ•iÐ6’Å-{P…!Ô¥ð¿F¿Ç}G¨ÚümÛ?q*PÞôs4x*!ª*§°d¸W#QlgŒ¤º[5 Ÿ cî×¢ +‡ +CNÛ"ï9ã•äîVT8œê +ªÛMÊïÝ,5Ôh~èb„ÿ .”"YÒqä1IsLs^ÖÒŒàt(çÒSœ¯£#Ú·mbN°× ]Z8Cî–ðã³ å›ý:ÎØ8#¡ ª&,éfŒD·Ž¸„æÅpæ\;ѶÔAÁg¬ ¤ƒ{]rJ–)ñ¶[Ë>õa@É6øÒ«l¦\'õy8 2æ˜Ü™åîÄœÙ4²o•µÊr-}˜ëÒ¡|<øÐŒTþ^ð)U<5€jMû•1_ŽÛW©¶mî#8“Ýᆩ35¥þ–w¹Ÿþþ!O,ë¤1Ù 6•Mmâ¹m¬û:+ öO®¤m]7:Gí·y—9Û ½ãt© c»×RzªÜlŠDq—à”·vGÔô£Dü(ìR•;É”-u«Ÿ“²¢ÆÔè? +»³eI?´1k½š¹†N´ÑúU~^òù–sæòñÒ¤¾O—ô2N®#,ëÞ>¥¯»úþ‡UÅQÅ?c"xè ÓKm¨òôÉÁ˜AÍç|ú¨ÜX±ýé°­Ž˜åDSZM©*,üèô^X䢨è xp{MäÜŽ ]æ2bþh7îä§ðkü<ºö.£`ùLˆ¸¡lv ¿w§ óß; ±w˜xS(¯†N¦51àô›¼KÃ|…RJæÙÊ7ÎðÔÔÊä †öç!êß+ïùßæÃ[Åu;r+ØåKœê0«Ú&-‰_ëRKØì¹ß¸Øë^”&6b]Aœdî2Æö4»»§ß:Ó¿}ÅÞbRžß©;aìÿ^ñ}³´à ýk»DÐ"<‘í}†]H¡¥¥04(8¤\Ê/‰´ÝKãñ°cÛÁ¼ ®åÿŸ\S»‹Y]ß/Õá‚vµö 9x‰D>bÁ^Veüå à“é;YèQôÿo£×éÐ[ w˜ž5ä]vŒ:YÃVðÏàš3kãÒ˜’¯ÄqY6®¡D=ןvÒØåiª_Xß&åw¯ýÐx•ªk?õå’jªcª@ÀÇ:Ø»–%¢îåq¶˜¢5%­)ÙüMí7Åî‚e¿°0˜Ì!0õÎrWØb®oƒ …)mJ§HyŽI*§räƒ" £ $X÷”P[‰@î„ë(”º<ª”sx`!­"Läã4Âf¡LƒÞ}j!%«›Þ¿}¿òs(3Ç©¶m€úéЃ„³ØÐè" kµªô ùñ ß#›Ú¡ð… îÉ‘òkge8„ÛŽGNþÌ €_ÑA„Ì]ø+£Vú4}§×:‡Î5ûìƒd?¤£³¢xÃ,£qš+žÐúûªûQªº½‡¡lQ?:òOæpiƒ%v€E`£¹·aBÈ +i­³^jm˜3²÷¾ÏO3Ò¤÷/v¨+¿©¨ÇE÷ÕÖõCD¶Ù+Å2áÃ3ÊWœ-CÃR*ݤ¸é9¼d<‘[ºþþ¢9Žxu¨öúi$•EáyZ¼ +–t0¼=Æ&A™_Ü39 õM䮩Ôø¨ˆõ gF‘¶@1Bz*¢·ù. +4:o€Íg¿€t2+,dÇ@w¾/-¡ ækÎû’lä*Øè!ª|¥3‘µ¤ü…ÖãÔcÀ¿7ûlSî°ü/ûÁÿ ©¹±³«ƒ½±³-Üÿ^rºendstream endobj -600 0 obj << +604 0 obj << /Type /Font /Subtype /Type1 -/Encoding 1344 0 R +/Encoding 1347 0 R /FirstChar 2 -/LastChar 151 -/Widths 1358 0 R -/BaseFont /VGNWGZ+URWPalladioL-Roma -/FontDescriptor 598 0 R +/LastChar 216 +/Widths 1361 0 R +/BaseFont /QLANNN+URWPalladioL-Roma +/FontDescriptor 602 0 R >> endobj -598 0 obj << +602 0 obj << /Ascent 715 /CapHeight 680 /Descent -282 -/FontName /VGNWGZ+URWPalladioL-Roma +/FontName /QLANNN+URWPalladioL-Roma /ItalicAngle 0 /StemV 84 /XHeight 469 /FontBBox [-166 -283 1021 943] /Flags 4 -/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/emdash) -/FontFile 599 0 R +/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/emdash/Oslash) +/FontFile 603 0 R >> endobj -1358 0 obj -[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 0 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ] +1361 0 obj +[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 0 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ] endobj -596 0 obj << +600 0 obj << /Length1 1614 /Length2 24485 /Length3 532 @@ -6317,7 +6319,7 @@ endobj >> stream xÚ¬zceß³eÙ¶ë–m£Ë¶mÛ¶mWuÙ¶mÛ6»Œ®.×ôïÿ4ñf>ͼ'âìÌÜ+WæʽãÞˆCF¤ L'hbod*foçBÇDÏÈ PURW0´±14±´—¡²·1ü5³Á‘ ;™ºXÚÛ‰º˜rÔMM"¦Æff @ØÞÁÓÉÒÜÂ@ùƒŠ††ö¿,ÿ„Œ<ÿÃów§³¥¹€üï‹›©½ƒ­©Ë_ˆÿçʦ¦ S€™¥)@X^ASRN@).§ -7µ3u2´(¸ÙXd,MíœM©föN›[ŒííL,ÿ)Í™þ/– 3Ààì`jlùw›©‡±©Ã?.Z€ƒ©“­¥³óßw€¥3ÀÜÉÐÎåo\ì–vÆ6®&ÿøk7³ÿ!'û¿¶}Áì]œ,\³*ˆˆýO C—r;[þuìÍþFšØ»þSÒ¿|aþz] -íœ.¦.ÿä22˜X:;ØzþÍýÌÁÉò_4\-íÌÿ‹-ÀÉÔÜÐÉÄÆÔÙù/Ì_ìºó_uþ·ê l<ÿµÛþ_QÿÉÁÒÅÙÔÆŒ†‰ùoNc—¿¹Í-í`þI;3{ã¿ÙM\þÃçfêô¯Qþ33TIšØÛÙxLLÍ`äì]þ¦Pþ¿©Lÿ?'òÿ€Äÿ#ÿÈûÿ'î×è;Äÿ¿çù¿C‹¹ÚØÈÚšþkà?î€ àŸKæÿ6´µ´ñü¿…ÿ÷HuÓãøC‘t1üÛA;ó¿b0Ò3þ›ÑÒYÌÒÃÔDÁÒÅØ`fhó·Kÿ²«Ú™˜:ÙXÚ™þUó_Ð112þ7ŸŠ…¥±µÝ?mgû7—©É§þW gÔQT“§ù?oÔÅ)üUÞEÅÓá/µ¯DÖÞä?ÿ  Ù{¼é˜Ø˜t,ŒLÜ_>\,l¾ÿ—Œÿbú¯µ¬¡‹“¥@ûoÙwþSü¿?ÿµÒýo0¢vÆö&ÿÌŠ²‹¡ÉßñúOÃ?ncW'§¿ªþëÄÿ-ú?ÖÿtSSSc˜U{cž«ŒŸ™.õ˜y£Ó"ÚƒýL £¡eM*Å…µö}þû\Uu¡ôͳÜ_ž+¿>¥¨OÆû1l(úÒLo +7µ3u2´(¸ÙXd,MíœM©föN›[ŒííL,ÿ)Í™þ/– 3Ààì`jlùw›©‡±©Ã?.Z€ƒ©“­¥³óßw€¥3ÀÜÉÐÎåo\ì–vÆ6®&ÿøk7³ÿ!'û¿¶}Áì]œ,\³*ˆˆýO C—r;[þuìÍþFšØ»þSÒ¿|aþz] -íœ.¦.ÿä22˜X:;ØzþÍýÌÁÉò_4\-íÌÿ‹-ÀÉÔÜÐÉÄÆÔÙù/Ì_ìºó_uþ·ê l<ÿµÛþ_QÿÉÁÒÅÙÔÆŒ†‰ùoNc—¿¹Í-í`þI;3{ã¿ÙM\þÃçfêô¯Qþ33TIšØÛÙxLLÍ`äì]þ¦Pþ¿©Lÿ?'òÿ€Äÿ#ÿÈûÿ'î×è;Äÿ¿çù¿C‹¹ÚØÈÚšþkà?î€ àŸKæÿ6´µ´ñü¿…ÿ÷HuÓãøC‘t1üÛA;ó¿b0Ò3þ›ÑÒYÌÒÃÔDÁÒÅØ`fhó·Kÿ²«Ú™˜:ÙXÚ™þUó_Ð112þ7ŸŠ…¥±µÝ?mgû7—©É§þW g”SV¢ù?oÔÅ)üUÞEÅÓá/µ¯DÖÞä?ÿ  Ù{¼é˜Ø˜t,ŒLÜ_>\,l¾ÿ—Œÿbú¯µ¬¡‹“¥@ûoÙwþSü¿?ÿµÒýo0¢vÆö&ÿÌŠ²‹¡ÉßñúOÃ?ncW'§¿ªþëÄÿ-ú?ÖÿtSSSc˜U{cž«ŒŸ™.õ˜y£Ó"ÚƒýL £¡eM*Å…µö}þû\Uu¡ôͳÜ_ž+¿>¥¨OÆû1l(úÒLo ð|I¨ ‘wÈ»8hN‚ôÊà3/Õc¼o—eöÀ´ØÕN¦•ôJ? ðg»Xœ nÿP¸ ‘>; ø§7Æ£w#5¡Ôýº$O>ÿóL1<16:Òw>pŒK“MÆãOà˜‹Ë¯¥Z)ZÝL~Ó‘mÂ{ôÔ*’»RÆ¢)ï0=ã½Ég —\"nsYâ‚{s’?ËçžiE«vY«Ôè€9¡ÇΗ©5{ý‰÷r=Fa‘ŠÚòBLÖÔ—J|‚íuÿáq™ßx&™å2‹r&G-H.‹Û"]pYÝÝÝÜÝé&èJtfRÅÝEÇN ¦÷å»Íਠx'YÓŸ6töà‡­ã•c7éË#ÖñJÝ5ÛÁ+cÃú:v{y)ŽË4øö¢·—ÇØé½V,ã³Î3ê "+0TjêkÉ™”“Œ†yF¶6mœæ ¹{¯ òÙ¼¾žÐbâB¥} ÁŒn’Eötµ•tqx‰xͤ¡"„³úï¯È÷ñ#£Àó©hÆ<‚Ê&1¥útö¦I0ÕˆT¦YR0ÐC²åôÉz‘g‘Ú¢ö!¯9dÌnžîƒƒ³úëg0.›™c˜ Šöh‘ïZd¡{yz©J‰™™I‡\®\ñù¿¹ @@ -6424,938 +6426,946 @@ L 6_mŠq'2~‹Ò=aFŠ†þÐœ²?Ç ¯Z¡._|;l[×OX˜àJÁ+QGýiÜZÉP&Yyf2—<²è•rŒG Ü75·ïá3òŽÃ#z‡FF⨾ãúF4þN¸ü5àcíÚ6P·¡“eä è‡Ék¢œu_KŸ¥°L‹*·éñ0MH¼CrœT>Ü㇟x FÿàRÂB_!äµi¨NÙ%$hâ]tÞ ‰¢èÛîûs¶¼ª=nù<ü¨òÁËY©ÞØîƒQKñ™ÆýgF==ˆ3šöùsCì¶G’Ð!YŠ WaðŠ +·Yà¾]ˆh‘!{â#iŽ»¤"”¯ùù4bwËZ¨X à2&£‘.¿l=b, ¢,ÙlÔúAœ¦Gôì©5W0!ÒãBîV\Êå6ÔÔëߥåíýŽá;RЭ$øžv(Ó@ÃICM«Çv¹Ì_§/# È ÙÌÑ‚§õ±Á¿2å 6ôw’ä{0ëó¬+/6A3C¿X ¬Ÿ?ö¹¤Ñ<ÛˆUëœ"¸¢R2ìú6ÉOôi¦Æ·:+tÝ•;¯–fnÎÇ -¥0©j T™¶„qÚ]¡ÁÂ'DY¸ ö.g¬Âñ¨û ;AJÒ´á¿ÔÍ­[ßÇHûaA@Ôñ ?ÍJµAì»tI•%[Ø­$ Òð³"ɾs™ÿ?÷€ÿS;sc7G{c[¸ÿúð˜endstream +¥0©j T™¶„qÚ]¡ÁÂ'DY¸ ö.g¬Âñ¨û ;AJÒ´á¿ÔÍ­[ßÇHûaA@Ôñ ?ÍJµAì»tI•%[Ø­$ Òð³"ɾs™ÿ?÷€ÿS;sc7G{c[¸ÿâÿƒendstream endobj -597 0 obj << +601 0 obj << /Type /Font /Subtype /Type1 -/Encoding 1344 0 R +/Encoding 1347 0 R /FirstChar 2 /LastChar 151 -/Widths 1359 0 R -/BaseFont /IZDQVO+URWPalladioL-Bold -/FontDescriptor 595 0 R +/Widths 1362 0 R +/BaseFont /INPKTB+URWPalladioL-Bold +/FontDescriptor 599 0 R >> endobj -595 0 obj << +599 0 obj << /Ascent 708 /CapHeight 672 /Descent -266 -/FontName /IZDQVO+URWPalladioL-Bold +/FontName /INPKTB+URWPalladioL-Bold /ItalicAngle 0 /StemV 123 /XHeight 471 /FontBBox [-152 -301 1000 935] /Flags 4 /CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash) -/FontFile 596 0 R +/FontFile 600 0 R >> endobj -1359 0 obj +1362 0 obj [611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 0 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ] endobj -601 0 obj << +605 0 obj << /Type /Pages /Count 6 -/Parent 1360 0 R -/Kids [590 0 R 603 0 R 610 0 R 629 0 R 646 0 R 657 0 R] +/Parent 1363 0 R +/Kids [594 0 R 607 0 R 614 0 R 633 0 R 650 0 R 661 0 R] >> endobj -672 0 obj << +676 0 obj << /Type /Pages /Count 6 -/Parent 1360 0 R -/Kids [664 0 R 674 0 R 679 0 R 687 0 R 698 0 R 706 0 R] +/Parent 1363 0 R +/Kids [668 0 R 678 0 R 683 0 R 691 0 R 702 0 R 710 0 R] >> endobj -717 0 obj << +721 0 obj << /Type /Pages /Count 6 -/Parent 1360 0 R -/Kids [713 0 R 720 0 R 727 0 R 739 0 R 748 0 R 753 0 R] +/Parent 1363 0 R +/Kids [717 0 R 724 0 R 731 0 R 743 0 R 753 0 R 758 0 R] >> endobj -764 0 obj << +769 0 obj << /Type /Pages /Count 6 -/Parent 1360 0 R -/Kids [757 0 R 766 0 R 776 0 R 784 0 R 792 0 R 802 0 R] +/Parent 1363 0 R +/Kids [762 0 R 771 0 R 781 0 R 789 0 R 797 0 R 807 0 R] >> endobj -817 0 obj << +822 0 obj << /Type /Pages /Count 6 -/Parent 1360 0 R -/Kids [811 0 R 819 0 R 823 0 R 833 0 R 839 0 R 847 0 R] +/Parent 1363 0 R +/Kids [816 0 R 824 0 R 828 0 R 838 0 R 844 0 R 852 0 R] >> endobj -862 0 obj << +867 0 obj << /Type /Pages /Count 6 -/Parent 1360 0 R -/Kids [854 0 R 864 0 R 878 0 R 885 0 R 889 0 R 895 0 R] +/Parent 1363 0 R +/Kids [859 0 R 869 0 R 883 0 R 890 0 R 894 0 R 900 0 R] >> endobj -908 0 obj << +913 0 obj << /Type /Pages /Count 6 -/Parent 1361 0 R -/Kids [901 0 R 910 0 R 917 0 R 921 0 R 926 0 R 932 0 R] +/Parent 1364 0 R +/Kids [906 0 R 915 0 R 922 0 R 926 0 R 931 0 R 937 0 R] >> endobj -947 0 obj << +950 0 obj << /Type /Pages /Count 6 -/Parent 1361 0 R -/Kids [938 0 R 950 0 R 954 0 R 964 0 R 971 0 R 979 0 R] +/Parent 1364 0 R +/Kids [943 0 R 953 0 R 959 0 R 967 0 R 976 0 R 984 0 R] >> endobj -987 0 obj << +991 0 obj << /Type /Pages /Count 6 -/Parent 1361 0 R -/Kids [983 0 R 989 0 R 997 0 R 1003 0 R 1010 0 R 1017 0 R] +/Parent 1364 0 R +/Kids [988 0 R 993 0 R 1002 0 R 1007 0 R 1015 0 R 1022 0 R] >> endobj -1031 0 obj << +1035 0 obj << /Type /Pages /Count 6 -/Parent 1361 0 R -/Kids [1026 0 R 1033 0 R 1039 0 R 1048 0 R 1052 0 R 1056 0 R] +/Parent 1364 0 R +/Kids [1028 0 R 1038 0 R 1043 0 R 1052 0 R 1057 0 R 1061 0 R] >> endobj -1067 0 obj << +1072 0 obj << /Type /Pages /Count 6 -/Parent 1361 0 R -/Kids [1064 0 R 1069 0 R 1081 0 R 1096 0 R 1109 0 R 1121 0 R] +/Parent 1364 0 R +/Kids [1065 0 R 1074 0 R 1086 0 R 1096 0 R 1112 0 R 1124 0 R] >> endobj -1133 0 obj << +1136 0 obj << /Type /Pages /Count 6 -/Parent 1361 0 R -/Kids [1126 0 R 1135 0 R 1147 0 R 1160 0 R 1168 0 R 1172 0 R] +/Parent 1364 0 R +/Kids [1130 0 R 1138 0 R 1149 0 R 1161 0 R 1171 0 R 1177 0 R] >> endobj -1183 0 obj << +1188 0 obj << /Type /Pages /Count 6 -/Parent 1362 0 R -/Kids [1176 0 R 1185 0 R 1195 0 R 1206 0 R 1210 0 R 1217 0 R] +/Parent 1365 0 R +/Kids [1181 0 R 1190 0 R 1200 0 R 1211 0 R 1215 0 R 1222 0 R] >> endobj -1283 0 obj << +1278 0 obj << /Type /Pages /Count 3 -/Parent 1362 0 R -/Kids [1229 0 R 1285 0 R 1336 0 R] +/Parent 1365 0 R +/Kids [1231 0 R 1280 0 R 1338 0 R] >> endobj -1360 0 obj << +1363 0 obj << /Type /Pages /Count 36 -/Parent 1363 0 R -/Kids [601 0 R 672 0 R 717 0 R 764 0 R 817 0 R 862 0 R] +/Parent 1366 0 R +/Kids [605 0 R 676 0 R 721 0 R 769 0 R 822 0 R 867 0 R] >> endobj -1361 0 obj << +1364 0 obj << /Type /Pages /Count 36 -/Parent 1363 0 R -/Kids [908 0 R 947 0 R 987 0 R 1031 0 R 1067 0 R 1133 0 R] +/Parent 1366 0 R +/Kids [913 0 R 950 0 R 991 0 R 1035 0 R 1072 0 R 1136 0 R] >> endobj -1362 0 obj << +1365 0 obj << /Type /Pages /Count 9 -/Parent 1363 0 R -/Kids [1183 0 R 1283 0 R] +/Parent 1366 0 R +/Kids [1188 0 R 1278 0 R] >> endobj -1363 0 obj << +1366 0 obj << /Type /Pages /Count 81 -/Kids [1360 0 R 1361 0 R 1362 0 R] +/Kids [1363 0 R 1364 0 R 1365 0 R] >> endobj -1364 0 obj << +1367 0 obj << /Type /Outlines /First 7 0 R -/Last 555 0 R +/Last 559 0 R /Count 9 >> endobj +591 0 obj << +/Title 592 0 R +/A 589 0 R +/Parent 579 0 R +/Prev 587 0 R +>> endobj 587 0 obj << /Title 588 0 R /A 585 0 R -/Parent 575 0 R +/Parent 579 0 R /Prev 583 0 R +/Next 591 0 R >> endobj 583 0 obj << /Title 584 0 R /A 581 0 R -/Parent 575 0 R -/Prev 579 0 R +/Parent 579 0 R /Next 587 0 R >> endobj 579 0 obj << /Title 580 0 R /A 577 0 R -/Parent 575 0 R -/Next 583 0 R +/Parent 559 0 R +/Prev 571 0 R +/First 583 0 R +/Last 591 0 R +/Count -3 >> endobj 575 0 obj << /Title 576 0 R /A 573 0 R -/Parent 555 0 R -/Prev 567 0 R -/First 579 0 R -/Last 587 0 R -/Count -3 +/Parent 571 0 R >> endobj 571 0 obj << /Title 572 0 R /A 569 0 R -/Parent 567 0 R +/Parent 559 0 R +/Prev 563 0 R +/Next 579 0 R +/First 575 0 R +/Last 575 0 R +/Count -1 >> endobj 567 0 obj << /Title 568 0 R /A 565 0 R -/Parent 555 0 R -/Prev 559 0 R -/Next 575 0 R -/First 571 0 R -/Last 571 0 R -/Count -1 +/Parent 563 0 R >> endobj 563 0 obj << /Title 564 0 R /A 561 0 R /Parent 559 0 R +/Next 571 0 R +/First 567 0 R +/Last 567 0 R +/Count -1 >> endobj 559 0 obj << /Title 560 0 R /A 557 0 R -/Parent 555 0 R -/Next 567 0 R +/Parent 1367 0 R +/Prev 539 0 R /First 563 0 R -/Last 563 0 R -/Count -1 +/Last 579 0 R +/Count -3 >> endobj 555 0 obj << /Title 556 0 R /A 553 0 R -/Parent 1364 0 R -/Prev 535 0 R -/First 559 0 R -/Last 575 0 R -/Count -3 +/Parent 539 0 R +/Prev 551 0 R >> endobj 551 0 obj << /Title 552 0 R /A 549 0 R -/Parent 535 0 R -/Prev 547 0 R +/Parent 539 0 R +/Prev 543 0 R +/Next 555 0 R >> endobj 547 0 obj << /Title 548 0 R /A 545 0 R -/Parent 535 0 R -/Prev 539 0 R -/Next 551 0 R +/Parent 543 0 R >> endobj 543 0 obj << /Title 544 0 R /A 541 0 R /Parent 539 0 R +/Next 551 0 R +/First 547 0 R +/Last 547 0 R +/Count -1 >> endobj 539 0 obj << /Title 540 0 R /A 537 0 R -/Parent 535 0 R -/Next 547 0 R +/Parent 1367 0 R +/Prev 515 0 R +/Next 559 0 R /First 543 0 R -/Last 543 0 R -/Count -1 +/Last 555 0 R +/Count -3 >> endobj 535 0 obj << /Title 536 0 R /A 533 0 R -/Parent 1364 0 R -/Prev 511 0 R -/Next 555 0 R -/First 539 0 R -/Last 551 0 R -/Count -3 +/Parent 515 0 R +/Prev 523 0 R >> endobj 531 0 obj << /Title 532 0 R /A 529 0 R -/Parent 511 0 R -/Prev 519 0 R +/Parent 523 0 R +/Prev 527 0 R >> endobj 527 0 obj << /Title 528 0 R /A 525 0 R -/Parent 519 0 R -/Prev 523 0 R +/Parent 523 0 R +/Next 531 0 R >> endobj 523 0 obj << /Title 524 0 R /A 521 0 R -/Parent 519 0 R -/Next 527 0 R +/Parent 515 0 R +/Prev 519 0 R +/Next 535 0 R +/First 527 0 R +/Last 531 0 R +/Count -2 >> endobj 519 0 obj << /Title 520 0 R /A 517 0 R -/Parent 511 0 R -/Prev 515 0 R -/Next 531 0 R -/First 523 0 R -/Last 527 0 R -/Count -2 +/Parent 515 0 R +/Next 523 0 R >> endobj 515 0 obj << /Title 516 0 R /A 513 0 R -/Parent 511 0 R -/Next 519 0 R +/Parent 1367 0 R +/Prev 243 0 R +/Next 539 0 R +/First 519 0 R +/Last 535 0 R +/Count -3 >> endobj 511 0 obj << /Title 512 0 R /A 509 0 R -/Parent 1364 0 R -/Prev 239 0 R -/Next 535 0 R -/First 515 0 R -/Last 531 0 R -/Count -3 +/Parent 467 0 R +/Prev 495 0 R >> endobj 507 0 obj << /Title 508 0 R /A 505 0 R -/Parent 463 0 R -/Prev 491 0 R +/Parent 495 0 R +/Prev 503 0 R >> endobj 503 0 obj << /Title 504 0 R /A 501 0 R -/Parent 491 0 R +/Parent 495 0 R /Prev 499 0 R +/Next 507 0 R >> endobj 499 0 obj << /Title 500 0 R /A 497 0 R -/Parent 491 0 R -/Prev 495 0 R +/Parent 495 0 R /Next 503 0 R >> endobj 495 0 obj << /Title 496 0 R /A 493 0 R -/Parent 491 0 R -/Next 499 0 R +/Parent 467 0 R +/Prev 491 0 R +/Next 511 0 R +/First 499 0 R +/Last 507 0 R +/Count -3 >> endobj 491 0 obj << /Title 492 0 R /A 489 0 R -/Parent 463 0 R +/Parent 467 0 R /Prev 487 0 R -/Next 507 0 R -/First 495 0 R -/Last 503 0 R -/Count -3 +/Next 495 0 R >> endobj 487 0 obj << /Title 488 0 R /A 485 0 R -/Parent 463 0 R +/Parent 467 0 R /Prev 483 0 R /Next 491 0 R >> endobj 483 0 obj << /Title 484 0 R /A 481 0 R -/Parent 463 0 R -/Prev 479 0 R +/Parent 467 0 R +/Prev 471 0 R /Next 487 0 R >> endobj 479 0 obj << /Title 480 0 R /A 477 0 R -/Parent 463 0 R -/Prev 467 0 R -/Next 483 0 R +/Parent 471 0 R +/Prev 475 0 R >> endobj 475 0 obj << /Title 476 0 R /A 473 0 R -/Parent 467 0 R -/Prev 471 0 R +/Parent 471 0 R +/Next 479 0 R >> endobj 471 0 obj << /Title 472 0 R /A 469 0 R /Parent 467 0 R -/Next 475 0 R +/Next 483 0 R +/First 475 0 R +/Last 479 0 R +/Count -2 >> endobj 467 0 obj << /Title 468 0 R /A 465 0 R -/Parent 463 0 R -/Next 479 0 R +/Parent 243 0 R +/Prev 275 0 R /First 471 0 R -/Last 475 0 R -/Count -2 +/Last 511 0 R +/Count -6 >> endobj 463 0 obj << /Title 464 0 R /A 461 0 R -/Parent 239 0 R -/Prev 271 0 R -/First 467 0 R -/Last 507 0 R -/Count -6 +/Parent 447 0 R +/Prev 459 0 R >> endobj 459 0 obj << /Title 460 0 R /A 457 0 R -/Parent 443 0 R +/Parent 447 0 R /Prev 455 0 R +/Next 463 0 R >> endobj 455 0 obj << /Title 456 0 R /A 453 0 R -/Parent 443 0 R +/Parent 447 0 R /Prev 451 0 R /Next 459 0 R >> endobj 451 0 obj << /Title 452 0 R /A 449 0 R -/Parent 443 0 R -/Prev 447 0 R +/Parent 447 0 R /Next 455 0 R >> endobj 447 0 obj << /Title 448 0 R /A 445 0 R -/Parent 443 0 R -/Next 451 0 R +/Parent 275 0 R +/Prev 443 0 R +/First 451 0 R +/Last 463 0 R +/Count -4 >> endobj 443 0 obj << /Title 444 0 R /A 441 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 439 0 R -/First 447 0 R -/Last 459 0 R -/Count -4 +/Next 447 0 R >> endobj 439 0 obj << /Title 440 0 R /A 437 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 435 0 R /Next 443 0 R >> endobj 435 0 obj << /Title 436 0 R /A 433 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 431 0 R /Next 439 0 R >> endobj 431 0 obj << /Title 432 0 R /A 429 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 427 0 R /Next 435 0 R >> endobj 427 0 obj << /Title 428 0 R /A 425 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 423 0 R /Next 431 0 R >> endobj 423 0 obj << /Title 424 0 R /A 421 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 419 0 R /Next 427 0 R >> endobj 419 0 obj << /Title 420 0 R /A 417 0 R -/Parent 271 0 R -/Prev 415 0 R +/Parent 275 0 R +/Prev 347 0 R /Next 423 0 R >> endobj 415 0 obj << /Title 416 0 R /A 413 0 R -/Parent 271 0 R -/Prev 343 0 R -/Next 419 0 R +/Parent 347 0 R +/Prev 411 0 R >> endobj 411 0 obj << /Title 412 0 R /A 409 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 407 0 R +/Next 415 0 R >> endobj 407 0 obj << /Title 408 0 R /A 405 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 403 0 R /Next 411 0 R >> endobj 403 0 obj << /Title 404 0 R /A 401 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 399 0 R /Next 407 0 R >> endobj 399 0 obj << /Title 400 0 R /A 397 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 395 0 R /Next 403 0 R >> endobj 395 0 obj << /Title 396 0 R /A 393 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 391 0 R /Next 399 0 R >> endobj 391 0 obj << /Title 392 0 R /A 389 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 387 0 R /Next 395 0 R >> endobj 387 0 obj << /Title 388 0 R /A 385 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 383 0 R /Next 391 0 R >> endobj 383 0 obj << /Title 384 0 R /A 381 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 379 0 R /Next 387 0 R >> endobj 379 0 obj << /Title 380 0 R /A 377 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 375 0 R /Next 383 0 R >> endobj 375 0 obj << /Title 376 0 R /A 373 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 371 0 R /Next 379 0 R >> endobj 371 0 obj << /Title 372 0 R /A 369 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 367 0 R /Next 375 0 R >> endobj 367 0 obj << /Title 368 0 R /A 365 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 363 0 R /Next 371 0 R >> endobj 363 0 obj << /Title 364 0 R /A 361 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 359 0 R /Next 367 0 R >> endobj 359 0 obj << /Title 360 0 R /A 357 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 355 0 R /Next 363 0 R >> endobj 355 0 obj << /Title 356 0 R /A 353 0 R -/Parent 343 0 R +/Parent 347 0 R /Prev 351 0 R /Next 359 0 R >> endobj 351 0 obj << /Title 352 0 R /A 349 0 R -/Parent 343 0 R -/Prev 347 0 R +/Parent 347 0 R /Next 355 0 R >> endobj 347 0 obj << /Title 348 0 R /A 345 0 R -/Parent 343 0 R -/Next 351 0 R +/Parent 275 0 R +/Prev 343 0 R +/Next 419 0 R +/First 351 0 R +/Last 415 0 R +/Count -17 >> endobj 343 0 obj << /Title 344 0 R /A 341 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 339 0 R -/Next 415 0 R -/First 347 0 R -/Last 411 0 R -/Count -17 +/Next 347 0 R >> endobj 339 0 obj << /Title 340 0 R /A 337 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 335 0 R /Next 343 0 R >> endobj 335 0 obj << /Title 336 0 R /A 333 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 331 0 R /Next 339 0 R >> endobj 331 0 obj << /Title 332 0 R /A 329 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 327 0 R /Next 335 0 R >> endobj 327 0 obj << /Title 328 0 R /A 325 0 R -/Parent 271 0 R -/Prev 323 0 R +/Parent 275 0 R +/Prev 315 0 R /Next 331 0 R >> endobj 323 0 obj << /Title 324 0 R /A 321 0 R -/Parent 271 0 R -/Prev 311 0 R -/Next 327 0 R +/Parent 315 0 R +/Prev 319 0 R >> endobj 319 0 obj << /Title 320 0 R /A 317 0 R -/Parent 311 0 R -/Prev 315 0 R +/Parent 315 0 R +/Next 323 0 R >> endobj 315 0 obj << /Title 316 0 R /A 313 0 R -/Parent 311 0 R -/Next 319 0 R +/Parent 275 0 R +/Prev 311 0 R +/Next 327 0 R +/First 319 0 R +/Last 323 0 R +/Count -2 >> endobj 311 0 obj << /Title 312 0 R /A 309 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 307 0 R -/Next 323 0 R -/First 315 0 R -/Last 319 0 R -/Count -2 +/Next 315 0 R >> endobj 307 0 obj << /Title 308 0 R /A 305 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 303 0 R /Next 311 0 R >> endobj 303 0 obj << /Title 304 0 R /A 301 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 299 0 R /Next 307 0 R >> endobj 299 0 obj << /Title 300 0 R /A 297 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 295 0 R /Next 303 0 R >> endobj 295 0 obj << /Title 296 0 R /A 293 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 291 0 R /Next 299 0 R >> endobj 291 0 obj << /Title 292 0 R /A 289 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 287 0 R /Next 295 0 R >> endobj 287 0 obj << /Title 288 0 R /A 285 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 283 0 R /Next 291 0 R >> endobj 283 0 obj << /Title 284 0 R /A 281 0 R -/Parent 271 0 R +/Parent 275 0 R /Prev 279 0 R /Next 287 0 R >> endobj 279 0 obj << /Title 280 0 R /A 277 0 R -/Parent 271 0 R -/Prev 275 0 R +/Parent 275 0 R /Next 283 0 R >> endobj 275 0 obj << /Title 276 0 R /A 273 0 R -/Parent 271 0 R -/Next 279 0 R +/Parent 243 0 R +/Prev 247 0 R +/Next 467 0 R +/First 279 0 R +/Last 447 0 R +/Count -24 >> endobj 271 0 obj << /Title 272 0 R /A 269 0 R -/Parent 239 0 R -/Prev 243 0 R -/Next 463 0 R -/First 275 0 R -/Last 443 0 R -/Count -24 +/Parent 263 0 R +/Prev 267 0 R >> endobj 267 0 obj << /Title 268 0 R /A 265 0 R -/Parent 259 0 R -/Prev 263 0 R +/Parent 263 0 R +/Next 271 0 R >> endobj 263 0 obj << /Title 264 0 R /A 261 0 R -/Parent 259 0 R -/Next 267 0 R +/Parent 247 0 R +/Prev 251 0 R +/First 267 0 R +/Last 271 0 R +/Count -2 >> endobj 259 0 obj << /Title 260 0 R /A 257 0 R -/Parent 243 0 R -/Prev 247 0 R -/First 263 0 R -/Last 267 0 R -/Count -2 +/Parent 251 0 R +/Prev 255 0 R >> endobj 255 0 obj << /Title 256 0 R /A 253 0 R -/Parent 247 0 R -/Prev 251 0 R +/Parent 251 0 R +/Next 259 0 R >> endobj 251 0 obj << /Title 252 0 R /A 249 0 R /Parent 247 0 R -/Next 255 0 R +/Next 263 0 R +/First 255 0 R +/Last 259 0 R +/Count -2 >> endobj 247 0 obj << /Title 248 0 R /A 245 0 R /Parent 243 0 R -/Next 259 0 R +/Next 275 0 R /First 251 0 R -/Last 255 0 R +/Last 263 0 R /Count -2 >> endobj 243 0 obj << /Title 244 0 R /A 241 0 R -/Parent 239 0 R -/Next 271 0 R +/Parent 1367 0 R +/Prev 231 0 R +/Next 515 0 R /First 247 0 R -/Last 259 0 R -/Count -2 +/Last 467 0 R +/Count -3 >> endobj 239 0 obj << /Title 240 0 R /A 237 0 R -/Parent 1364 0 R -/Prev 227 0 R -/Next 511 0 R -/First 243 0 R -/Last 463 0 R -/Count -3 +/Parent 231 0 R +/Prev 235 0 R >> endobj 235 0 obj << /Title 236 0 R /A 233 0 R -/Parent 227 0 R -/Prev 231 0 R +/Parent 231 0 R +/Next 239 0 R >> endobj 231 0 obj << /Title 232 0 R /A 229 0 R -/Parent 227 0 R -/Next 235 0 R +/Parent 1367 0 R +/Prev 131 0 R +/Next 243 0 R +/First 235 0 R +/Last 239 0 R +/Count -2 >> endobj 227 0 obj << /Title 228 0 R /A 225 0 R -/Parent 1364 0 R -/Prev 131 0 R -/Next 239 0 R -/First 231 0 R -/Last 235 0 R -/Count -2 +/Parent 219 0 R +/Prev 223 0 R >> endobj 223 0 obj << /Title 224 0 R /A 221 0 R -/Parent 215 0 R -/Prev 219 0 R +/Parent 219 0 R +/Next 227 0 R >> endobj 219 0 obj << /Title 220 0 R /A 217 0 R -/Parent 215 0 R -/Next 223 0 R +/Parent 131 0 R +/Prev 203 0 R +/First 223 0 R +/Last 227 0 R +/Count -2 >> endobj 215 0 obj << /Title 216 0 R /A 213 0 R -/Parent 131 0 R -/Prev 199 0 R -/First 219 0 R -/Last 223 0 R -/Count -2 +/Parent 203 0 R +/Prev 211 0 R >> endobj 211 0 obj << /Title 212 0 R /A 209 0 R -/Parent 199 0 R +/Parent 203 0 R /Prev 207 0 R +/Next 215 0 R >> endobj 207 0 obj << /Title 208 0 R /A 205 0 R -/Parent 199 0 R -/Prev 203 0 R +/Parent 203 0 R /Next 211 0 R >> endobj 203 0 obj << /Title 204 0 R /A 201 0 R -/Parent 199 0 R -/Next 207 0 R +/Parent 131 0 R +/Prev 199 0 R +/Next 219 0 R +/First 207 0 R +/Last 215 0 R +/Count -3 >> endobj 199 0 obj << /Title 200 0 R /A 197 0 R /Parent 131 0 R /Prev 195 0 R -/Next 215 0 R -/First 203 0 R -/Last 211 0 R -/Count -3 +/Next 203 0 R >> endobj 195 0 obj << /Title 196 0 R /A 193 0 R /Parent 131 0 R -/Prev 191 0 R +/Prev 159 0 R /Next 199 0 R >> endobj 191 0 obj << /Title 192 0 R /A 189 0 R -/Parent 131 0 R -/Prev 155 0 R -/Next 195 0 R +/Parent 159 0 R +/Prev 187 0 R >> endobj 187 0 obj << /Title 188 0 R /A 185 0 R -/Parent 155 0 R +/Parent 159 0 R /Prev 183 0 R +/Next 191 0 R >> endobj 183 0 obj << /Title 184 0 R /A 181 0 R -/Parent 155 0 R +/Parent 159 0 R /Prev 179 0 R /Next 187 0 R >> endobj 179 0 obj << /Title 180 0 R /A 177 0 R -/Parent 155 0 R +/Parent 159 0 R /Prev 175 0 R /Next 183 0 R >> endobj 175 0 obj << /Title 176 0 R /A 173 0 R -/Parent 155 0 R -/Prev 171 0 R +/Parent 159 0 R +/Prev 163 0 R /Next 179 0 R >> endobj 171 0 obj << /Title 172 0 R /A 169 0 R -/Parent 155 0 R -/Prev 159 0 R -/Next 175 0 R +/Parent 163 0 R +/Prev 167 0 R >> endobj 167 0 obj << /Title 168 0 R /A 165 0 R -/Parent 159 0 R -/Prev 163 0 R +/Parent 163 0 R +/Next 171 0 R >> endobj 163 0 obj << /Title 164 0 R /A 161 0 R /Parent 159 0 R -/Next 167 0 R +/Next 175 0 R +/First 167 0 R +/Last 171 0 R +/Count -2 >> endobj 159 0 obj << /Title 160 0 R /A 157 0 R -/Parent 155 0 R -/Next 171 0 R +/Parent 131 0 R +/Prev 151 0 R +/Next 195 0 R /First 163 0 R -/Last 167 0 R -/Count -2 +/Last 191 0 R +/Count -6 >> endobj 155 0 obj << /Title 156 0 R /A 153 0 R -/Parent 131 0 R -/Prev 151 0 R -/Next 191 0 R -/First 159 0 R -/Last 187 0 R -/Count -6 +/Parent 151 0 R >> endobj 151 0 obj << /Title 152 0 R /A 149 0 R /Parent 131 0 R /Prev 147 0 R -/Next 155 0 R +/Next 159 0 R +/First 155 0 R +/Last 155 0 R +/Count -1 >> endobj 147 0 obj << /Title 148 0 R @@ -7388,11 +7398,11 @@ endobj 131 0 obj << /Title 132 0 R /A 129 0 R -/Parent 1364 0 R +/Parent 1367 0 R /Prev 91 0 R -/Next 227 0 R +/Next 231 0 R /First 135 0 R -/Last 215 0 R +/Last 219 0 R /Count -9 >> endobj 127 0 obj << @@ -7462,7 +7472,7 @@ endobj 91 0 obj << /Title 92 0 R /A 89 0 R -/Parent 1364 0 R +/Parent 1367 0 R /Prev 67 0 R /Next 131 0 R /First 95 0 R @@ -7505,7 +7515,7 @@ endobj 67 0 obj << /Title 68 0 R /A 65 0 R -/Parent 1364 0 R +/Parent 1367 0 R /Prev 7 0 R /Next 91 0 R /First 71 0 R @@ -7614,1414 +7624,1417 @@ endobj 7 0 obj << /Title 8 0 R /A 5 0 R -/Parent 1364 0 R +/Parent 1367 0 R /Next 67 0 R /First 11 0 R /Last 23 0 R /Count -4 >> endobj -1365 0 obj << -/Names [(Access_Control_Lists) 1180 0 R (Bv9ARM.ch01) 613 0 R (Bv9ARM.ch02) 667 0 R (Bv9ARM.ch03) 682 0 R (Bv9ARM.ch04) 730 0 R (Bv9ARM.ch05) 814 0 R (Bv9ARM.ch06) 826 0 R (Bv9ARM.ch07) 1179 0 R (Bv9ARM.ch08) 1198 0 R (Bv9ARM.ch09) 1213 0 R (Configuration_File_Grammar) 850 0 R (DNSSEC) 782 0 R (Doc-Start) 594 0 R (Setting_TTLs) 1143 0 R (access_control) 960 0 R (acl) 858 0 R (address_match_lists) 831 0 R (admin_tools) 704 0 R (appendix.A) 554 0 R (bibliography) 1225 0 R (boolean_options) 736 0 R (builtin) 1022 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 226 0 R (chapter.6) 238 0 R (chapter.7) 510 0 R (chapter.8) 534 0 R (cite.RFC1034) 1241 0 R (cite.RFC1035) 1243 0 R (cite.RFC1101) 1299 0 R (cite.RFC1123) 1301 0 R (cite.RFC1183) 1278 0 R (cite.RFC1464) 1319 0 R (cite.RFC1535) 1270 0 R (cite.RFC1536) 1272 0 R (cite.RFC1537) 1309 0 R (cite.RFC1591) 1303 0 R (cite.RFC1706) 1280 0 R (cite.RFC1712) 1333 0 R (cite.RFC1713) 1321 0 R (cite.RFC1794) 1323 0 R (cite.RFC1876) 1282 0 R (cite.RFC1886) 1262 0 R (cite.RFC1912) 1311 0 R (cite.RFC1982) 1274 0 R (cite.RFC1995) 1248 0 R (cite.RFC1996) 1250 0 R (cite.RFC2010) 1313 0 R (cite.RFC2052) 1289 0 R (cite.RFC2065) 1264 0 R (cite.RFC2136) 1252 0 R (cite.RFC2137) 1266 0 R (cite.RFC2163) 1291 0 R (cite.RFC2168) 1293 0 R (cite.RFC2181) 1254 0 R (cite.RFC2219) 1315 0 R (cite.RFC2230) 1295 0 R (cite.RFC2240) 1325 0 R (cite.RFC2308) 1256 0 R (cite.RFC2317) 1305 0 R (cite.RFC2345) 1327 0 R (cite.RFC2352) 1329 0 R (cite.RFC2845) 1258 0 R (cite.RFC974) 1245 0 R (cite.id2492168) 1342 0 R (configuration_file_elements) 827 0 R (controls_statement_definition_and_usage) 718 0 R (diagnostic_tools) 655 0 R (dynamic_update) 734 0 R (dynamic_update_policies) 774 0 R (dynamic_update_security) 969 0 R (historical_dns_information) 1220 0 R (id2465089) 615 0 R (id2465144) 614 0 R (id2466440) 619 0 R (id2466449) 620 0 R (id2467046) 684 0 R (id2467062) 685 0 R (id2467084) 690 0 R (id2467101) 691 0 R (id2467443) 635 0 R (id2467586) 637 0 R (id2467606) 638 0 R (id2467728) 994 0 R (id2467914) 639 0 R (id2467998) 642 0 R (id2468073) 649 0 R (id2468096) 652 0 R (id2468117) 653 0 R (id2468136) 654 0 R (id2468165) 660 0 R (id2468333) 661 0 R (id2468359) 662 0 R (id2468459) 668 0 R (id2468484) 669 0 R (id2468494) 670 0 R (id2468508) 671 0 R (id2468517) 677 0 R (id2469143) 694 0 R (id2469148) 695 0 R (id2470313) 723 0 R (id2470325) 724 0 R (id2470669) 745 0 R (id2471232) 761 0 R (id2471248) 762 0 R (id2471282) 763 0 R (id2471298) 769 0 R (id2471306) 770 0 R (id2471414) 771 0 R (id2471466) 772 0 R (id2471510) 779 0 R (id2471524) 780 0 R (id2471573) 781 0 R (id2471776) 787 0 R (id2471843) 788 0 R (id2471986) 789 0 R (id2472123) 805 0 R (id2472250) 807 0 R (id2472270) 808 0 R (id2472371) 815 0 R (id2472509) 828 0 R (id2473074) 836 0 R (id2473100) 837 0 R (id2473262) 842 0 R (id2473277) 843 0 R (id2473306) 844 0 R (id2473520) 851 0 R (id2473816) 857 0 R (id2473858) 859 0 R (id2474053) 861 0 R (id2474330) 869 0 R (id2474345) 870 0 R (id2474368) 871 0 R (id2474389) 872 0 R (id2474460) 881 0 R (id2474586) 882 0 R (id2474707) 883 0 R (id2475401) 898 0 R (id2475861) 904 0 R (id2476002) 905 0 R (id2476133) 913 0 R (id2476177) 914 0 R (id2476192) 915 0 R (id2477760) 935 0 R (id2478765) 957 0 R (id2478816) 959 0 R (id2479131) 968 0 R (id2479288) 974 0 R (id2479898) 986 0 R (id2479914) 992 0 R (id2482177) 1000 0 R (id2482583) 1014 0 R (id2483049) 1029 0 R (id2483880) 1043 0 R (id2483928) 1044 0 R (id2484078) 1046 0 R (id2485225) 1059 0 R (id2485232) 1060 0 R (id2485236) 1061 0 R (id2485538) 1072 0 R (id2485569) 1073 0 R (id2486536) 1106 0 R (id2486695) 1112 0 R (id2486713) 1113 0 R (id2486734) 1116 0 R (id2486874) 1118 0 R (id2487525) 1124 0 R (id2487634) 1130 0 R (id2487792) 1131 0 R (id2488012) 1138 0 R (id2488128) 1140 0 R (id2488146) 1141 0 R (id2488519) 1144 0 R (id2488625) 1150 0 R (id2488638) 1151 0 R (id2488798) 1153 0 R (id2488818) 1154 0 R (id2488873) 1158 0 R (id2488936) 1163 0 R (id2488967) 1164 0 R (id2489028) 1165 0 R (id2489356) 1191 0 R (id2489500) 1192 0 R (id2489694) 1193 0 R (id2489765) 1199 0 R (id2489770) 1200 0 R (id2489782) 1201 0 R (id2489799) 1202 0 R (id2489929) 1214 0 R (id2489934) 1215 0 R (id2490057) 1221 0 R (id2490369) 1223 0 R (id2490713) 1237 0 R (id2490715) 1239 0 R (id2490724) 1244 0 R (id2490747) 1240 0 R (id2490771) 1242 0 R (id2490808) 1253 0 R (id2490834) 1255 0 R (id2490859) 1247 0 R (id2490884) 1249 0 R (id2490907) 1251 0 R (id2490963) 1257 0 R (id2491024) 1260 0 R (id2491038) 1261 0 R (id2491077) 1263 0 R (id2491116) 1265 0 R (id2491144) 1268 0 R (id2491153) 1269 0 R (id2491178) 1271 0 R (id2491245) 1273 0 R (id2491282) 1276 0 R (id2491287) 1277 0 R (id2491345) 1279 0 R (id2491382) 1292 0 R (id2491417) 1281 0 R (id2491472) 1288 0 R (id2491511) 1290 0 R (id2491538) 1294 0 R (id2491564) 1297 0 R (id2491572) 1298 0 R (id2491597) 1300 0 R (id2491621) 1302 0 R (id2491642) 1304 0 R (id2491689) 1307 0 R (id2491697) 1308 0 R (id2491722) 1310 0 R (id2491749) 1312 0 R (id2491785) 1314 0 R (id2491825) 1317 0 R (id2491845) 1318 0 R (id2491867) 1320 0 R (id2491960) 1322 0 R (id2491985) 1324 0 R (id2492007) 1326 0 R (id2492053) 1328 0 R (id2492077) 1331 0 R (id2492084) 1332 0 R (id2492156) 1339 0 R (id2492166) 1341 0 R (id2492168) 1343 0 R (incremental_zone_transfers) 742 0 R (internet_drafts) 1334 0 R (ipv6addresses) 809 0 R (journal) 735 0 R (lwresd) 816 0 R (notify) 731 0 R (options) 924 0 R (page.1) 593 0 R (page.10) 689 0 R (page.11) 700 0 R (page.12) 708 0 R (page.13) 715 0 R (page.14) 722 0 R (page.15) 729 0 R (page.16) 741 0 R (page.17) 750 0 R (page.18) 755 0 R (page.19) 759 0 R (page.2) 605 0 R (page.20) 768 0 R (page.21) 778 0 R (page.22) 786 0 R (page.23) 794 0 R (page.24) 804 0 R (page.25) 813 0 R (page.26) 821 0 R (page.27) 825 0 R (page.28) 835 0 R (page.29) 841 0 R (page.3) 612 0 R (page.30) 849 0 R (page.31) 856 0 R (page.32) 866 0 R (page.33) 880 0 R (page.34) 887 0 R (page.35) 891 0 R (page.36) 897 0 R (page.37) 903 0 R (page.38) 912 0 R (page.39) 919 0 R (page.4) 631 0 R (page.40) 923 0 R (page.41) 928 0 R (page.42) 934 0 R (page.43) 940 0 R (page.44) 952 0 R (page.45) 956 0 R (page.46) 966 0 R (page.47) 973 0 R (page.48) 981 0 R (page.49) 985 0 R (page.5) 648 0 R (page.50) 991 0 R (page.51) 999 0 R (page.52) 1005 0 R (page.53) 1012 0 R (page.54) 1019 0 R (page.55) 1028 0 R (page.56) 1035 0 R (page.57) 1041 0 R (page.58) 1050 0 R (page.59) 1054 0 R (page.6) 659 0 R (page.60) 1058 0 R (page.61) 1066 0 R (page.62) 1071 0 R (page.63) 1083 0 R (page.64) 1098 0 R (page.65) 1111 0 R (page.66) 1123 0 R (page.67) 1128 0 R (page.68) 1137 0 R (page.69) 1149 0 R (page.7) 666 0 R (page.70) 1162 0 R (page.71) 1170 0 R (page.72) 1174 0 R (page.73) 1178 0 R (page.74) 1187 0 R (page.75) 1197 0 R (page.76) 1208 0 R (page.77) 1212 0 R (page.78) 1219 0 R (page.79) 1232 0 R (page.8) 676 0 R (page.80) 1287 0 R (page.81) 1338 0 R (page.9) 681 0 R (proposed_standards) 746 0 R (rfcs) 644 0 R (rndc) 876 0 R (rrset_ordering) 696 0 R (sample_configuration) 683 0 R (section*.1) 1236 0 R (section*.10) 1330 0 R (section*.11) 1340 0 R (section*.2) 1238 0 R (section*.3) 1246 0 R (section*.4) 1259 0 R (section*.5) 1267 0 R (section*.6) 1275 0 R (section*.7) 1296 0 R (section*.8) 1306 0 R (section*.9) 1316 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 154 0 R (section.4.6) 190 0 R (section.4.7) 194 0 R (section.4.8) 198 0 R (section.4.9) 214 0 R (section.5.1) 230 0 R (section.5.2) 234 0 R (section.6.1) 242 0 R (section.6.2) 270 0 R (section.6.3) 462 0 R (section.7.1) 514 0 R (section.7.2) 518 0 R (section.7.3) 530 0 R (section.8.1) 538 0 R (section.8.2) 546 0 R (section.8.3) 550 0 R (section.A.1) 558 0 R (section.A.2) 566 0 R (section.A.3) 574 0 R (server_statement_definition_and_usage) 948 0 R (server_statement_grammar) 1036 0 R (statsfile) 930 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.5.1) 158 0 R (subsection.4.5.2) 170 0 R (subsection.4.5.3) 174 0 R (subsection.4.5.4) 178 0 R (subsection.4.5.5) 182 0 R (subsection.4.5.6) 186 0 R (subsection.4.8.1) 202 0 R (subsection.4.8.2) 206 0 R (subsection.4.8.3) 210 0 R (subsection.4.9.1) 218 0 R (subsection.4.9.2) 222 0 R (subsection.6.1.1) 246 0 R (subsection.6.1.2) 258 0 R (subsection.6.2.1) 274 0 R (subsection.6.2.10) 310 0 R (subsection.6.2.11) 322 0 R (subsection.6.2.12) 326 0 R (subsection.6.2.13) 330 0 R (subsection.6.2.14) 334 0 R (subsection.6.2.15) 338 0 R (subsection.6.2.16) 342 0 R (subsection.6.2.17) 414 0 R (subsection.6.2.18) 418 0 R (subsection.6.2.19) 422 0 R (subsection.6.2.2) 278 0 R (subsection.6.2.20) 426 0 R (subsection.6.2.21) 430 0 R (subsection.6.2.22) 434 0 R (subsection.6.2.23) 438 0 R (subsection.6.2.24) 442 0 R (subsection.6.2.3) 282 0 R (subsection.6.2.4) 286 0 R (subsection.6.2.5) 290 0 R (subsection.6.2.6) 294 0 R (subsection.6.2.7) 298 0 R (subsection.6.2.8) 302 0 R (subsection.6.2.9) 306 0 R (subsection.6.3.1) 466 0 R (subsection.6.3.2) 478 0 R (subsection.6.3.3) 482 0 R (subsection.6.3.4) 486 0 R (subsection.6.3.5) 490 0 R (subsection.6.3.6) 506 0 R (subsection.7.2.1) 522 0 R (subsection.7.2.2) 526 0 R (subsection.8.1.1) 542 0 R (subsection.A.1.1) 562 0 R (subsection.A.2.1) 570 0 R (subsection.A.3.1) 578 0 R (subsection.A.3.2) 582 0 R (subsection.A.3.3) 586 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 162 0 R (subsubsection.4.5.1.2) 166 0 R (subsubsection.6.1.1.1) 250 0 R (subsubsection.6.1.1.2) 254 0 R (subsubsection.6.1.2.1) 262 0 R (subsubsection.6.1.2.2) 266 0 R (subsubsection.6.2.10.1) 314 0 R (subsubsection.6.2.10.2) 318 0 R (subsubsection.6.2.16.1) 346 0 R (subsubsection.6.2.16.10) 382 0 R (subsubsection.6.2.16.11) 386 0 R (subsubsection.6.2.16.12) 390 0 R (subsubsection.6.2.16.13) 394 0 R (subsubsection.6.2.16.14) 398 0 R (subsubsection.6.2.16.15) 402 0 R (subsubsection.6.2.16.16) 406 0 R (subsubsection.6.2.16.17) 410 0 R (subsubsection.6.2.16.2) 350 0 R (subsubsection.6.2.16.3) 354 0 R (subsubsection.6.2.16.4) 358 0 R (subsubsection.6.2.16.5) 362 0 R (subsubsection.6.2.16.6) 366 0 R (subsubsection.6.2.16.7) 370 0 R (subsubsection.6.2.16.8) 374 0 R (subsubsection.6.2.16.9) 378 0 R (subsubsection.6.2.24.1) 446 0 R (subsubsection.6.2.24.2) 450 0 R (subsubsection.6.2.24.3) 454 0 R (subsubsection.6.2.24.4) 458 0 R (subsubsection.6.3.1.1) 470 0 R (subsubsection.6.3.1.2) 474 0 R (subsubsection.6.3.5.1) 494 0 R (subsubsection.6.3.5.2) 498 0 R (subsubsection.6.3.5.3) 502 0 R (table.1.1) 621 0 R (table.1.2) 636 0 R (table.3.1) 692 0 R (table.3.2) 725 0 R (table.6.1) 829 0 R (table.6.10) 1117 0 R (table.6.11) 1119 0 R (table.6.12) 1129 0 R (table.6.13) 1132 0 R (table.6.14) 1139 0 R (table.6.15) 1142 0 R (table.6.16) 1145 0 R (table.6.17) 1152 0 R (table.6.18) 1166 0 R (table.6.2) 852 0 R (table.6.3) 860 0 R (table.6.4) 899 0 R (table.6.5) 936 0 R (table.6.6) 1015 0 R (table.6.7) 1030 0 R (table.6.8) 1062 0 R (table.6.9) 1107 0 R (table.A.1) 1222 0 R (table.A.2) 1224 0 R (the_category_phrase) 893 0 R (the_sortlist_statement) 1006 0 R (topology) 1001 0 R (tsig) 760 0 R (tuning) 1020 0 R (types_of_resource_records_and_when_to_use_them) 643 0 R (view_statement_grammar) 1024 0 R (zone_statement_grammar) 962 0 R (zone_transfers) 737 0 R] +1368 0 obj << +/Names [(Access_Control_Lists) 1185 0 R (Bv9ARM.ch01) 617 0 R (Bv9ARM.ch02) 671 0 R (Bv9ARM.ch03) 686 0 R (Bv9ARM.ch04) 734 0 R (Bv9ARM.ch05) 819 0 R (Bv9ARM.ch06) 831 0 R (Bv9ARM.ch07) 1184 0 R (Bv9ARM.ch08) 1203 0 R (Bv9ARM.ch09) 1218 0 R (Configuration_File_Grammar) 855 0 R (DNSSEC) 787 0 R (Doc-Start) 598 0 R (Setting_TTLs) 1152 0 R (access_control) 970 0 R (acl) 863 0 R (address_match_lists) 836 0 R (admin_tools) 708 0 R (appendix.A) 558 0 R (bibliography) 1234 0 R (boolean_options) 740 0 R (builtin) 1031 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 514 0 R (chapter.8) 538 0 R (cite.RFC1034) 1244 0 R (cite.RFC1035) 1246 0 R (cite.RFC1101) 1302 0 R (cite.RFC1123) 1304 0 R (cite.RFC1183) 1286 0 R (cite.RFC1464) 1322 0 R (cite.RFC1535) 1273 0 R (cite.RFC1536) 1275 0 R (cite.RFC1537) 1312 0 R (cite.RFC1591) 1306 0 R (cite.RFC1706) 1288 0 R (cite.RFC1712) 1336 0 R (cite.RFC1713) 1324 0 R (cite.RFC1794) 1326 0 R (cite.RFC1876) 1290 0 R (cite.RFC1886) 1265 0 R (cite.RFC1912) 1314 0 R (cite.RFC1982) 1277 0 R (cite.RFC1995) 1251 0 R (cite.RFC1996) 1253 0 R (cite.RFC2010) 1316 0 R (cite.RFC2052) 1292 0 R (cite.RFC2065) 1267 0 R (cite.RFC2136) 1255 0 R (cite.RFC2137) 1269 0 R (cite.RFC2163) 1294 0 R (cite.RFC2168) 1296 0 R (cite.RFC2181) 1257 0 R (cite.RFC2219) 1318 0 R (cite.RFC2230) 1298 0 R (cite.RFC2240) 1328 0 R (cite.RFC2308) 1259 0 R (cite.RFC2317) 1308 0 R (cite.RFC2345) 1330 0 R (cite.RFC2352) 1332 0 R (cite.RFC2845) 1261 0 R (cite.RFC974) 1248 0 R (cite.id2492151) 1345 0 R (configuration_file_elements) 832 0 R (controls_statement_definition_and_usage) 722 0 R (diagnostic_tools) 659 0 R (dynamic_update) 738 0 R (dynamic_update_policies) 779 0 R (dynamic_update_security) 974 0 R (historical_dns_information) 1225 0 R (id2465952) 643 0 R (id2466044) 619 0 R (id2466730) 623 0 R (id2466739) 624 0 R (id2466914) 639 0 R (id2467034) 618 0 R (id2467398) 641 0 R (id2467418) 642 0 R (id2467436) 996 0 R (id2467452) 997 0 R (id2467554) 999 0 R (id2467742) 646 0 R (id2467817) 653 0 R (id2467840) 656 0 R (id2467861) 657 0 R (id2467880) 658 0 R (id2467977) 664 0 R (id2468009) 665 0 R (id2468035) 666 0 R (id2468135) 672 0 R (id2468160) 673 0 R (id2468170) 674 0 R (id2468184) 675 0 R (id2468193) 681 0 R (id2468224) 688 0 R (id2468240) 689 0 R (id2468330) 694 0 R (id2468346) 695 0 R (id2468613) 698 0 R (id2468618) 699 0 R (id2469880) 727 0 R (id2469892) 728 0 R (id2470305) 749 0 R (id2470322) 750 0 R (id2470869) 766 0 R (id2470885) 767 0 R (id2470919) 768 0 R (id2470935) 774 0 R (id2470944) 775 0 R (id2470983) 776 0 R (id2471035) 777 0 R (id2471147) 784 0 R (id2471161) 785 0 R (id2471210) 786 0 R (id2471413) 792 0 R (id2471480) 793 0 R (id2471623) 794 0 R (id2471692) 810 0 R (id2471819) 812 0 R (id2471840) 813 0 R (id2471940) 820 0 R (id2472078) 833 0 R (id2472779) 841 0 R (id2472806) 842 0 R (id2472968) 847 0 R (id2472983) 848 0 R (id2473012) 849 0 R (id2473089) 856 0 R (id2473658) 862 0 R (id2473700) 864 0 R (id2473827) 866 0 R (id2474104) 874 0 R (id2474121) 875 0 R (id2474144) 876 0 R (id2474167) 877 0 R (id2474238) 886 0 R (id2474433) 887 0 R (id2474553) 888 0 R (id2475111) 903 0 R (id2475571) 909 0 R (id2475643) 910 0 R (id2475774) 918 0 R (id2475818) 919 0 R (id2475833) 920 0 R (id2477449) 940 0 R (id2478728) 962 0 R (id2478778) 964 0 R (id2478957) 973 0 R (id2479114) 979 0 R (id2482003) 1005 0 R (id2482477) 1019 0 R (id2482944) 1033 0 R (id2483640) 1048 0 R (id2483690) 1049 0 R (id2483774) 1055 0 R (id2484992) 1068 0 R (id2484998) 1069 0 R (id2485002) 1070 0 R (id2485236) 1077 0 R (id2485403) 1078 0 R (id2486371) 1115 0 R (id2486530) 1117 0 R (id2486548) 1118 0 R (id2486569) 1121 0 R (id2486777) 1127 0 R (id2487428) 1133 0 R (id2487537) 1135 0 R (id2487558) 1141 0 R (id2487915) 1143 0 R (id2488030) 1145 0 R (id2488049) 1146 0 R (id2488354) 1153 0 R (id2488528) 1155 0 R (id2488541) 1156 0 R (id2488633) 1158 0 R (id2488652) 1159 0 R (id2488708) 1167 0 R (id2488771) 1168 0 R (id2488802) 1169 0 R (id2488862) 1174 0 R (id2489260) 1196 0 R (id2489336) 1197 0 R (id2489394) 1198 0 R (id2489601) 1204 0 R (id2489606) 1205 0 R (id2489618) 1206 0 R (id2489635) 1207 0 R (id2489833) 1219 0 R (id2489838) 1220 0 R (id2489972) 1226 0 R (id2490352) 1228 0 R (id2490628) 1240 0 R (id2490630) 1242 0 R (id2490638) 1247 0 R (id2490730) 1243 0 R (id2490754) 1245 0 R (id2490791) 1256 0 R (id2490817) 1258 0 R (id2490842) 1250 0 R (id2490867) 1252 0 R (id2490890) 1254 0 R (id2490946) 1260 0 R (id2491006) 1263 0 R (id2491021) 1264 0 R (id2491060) 1266 0 R (id2491099) 1268 0 R (id2491127) 1271 0 R (id2491136) 1272 0 R (id2491161) 1274 0 R (id2491228) 1276 0 R (id2491265) 1284 0 R (id2491270) 1285 0 R (id2491328) 1287 0 R (id2491365) 1295 0 R (id2491400) 1289 0 R (id2491454) 1291 0 R (id2491494) 1293 0 R (id2491521) 1297 0 R (id2491547) 1300 0 R (id2491555) 1301 0 R (id2491580) 1303 0 R (id2491604) 1305 0 R (id2491625) 1307 0 R (id2491740) 1310 0 R (id2491748) 1311 0 R (id2491773) 1313 0 R (id2491800) 1315 0 R (id2491836) 1317 0 R (id2491876) 1320 0 R (id2491896) 1321 0 R (id2491918) 1323 0 R (id2491943) 1325 0 R (id2491968) 1327 0 R (id2491990) 1329 0 R (id2492036) 1331 0 R (id2492060) 1334 0 R (id2492067) 1335 0 R (id2492139) 1342 0 R (id2492149) 1344 0 R (id2492151) 1346 0 R (incremental_zone_transfers) 746 0 R (internet_drafts) 1341 0 R (ipv6addresses) 814 0 R (journal) 739 0 R (lwresd) 821 0 R (notify) 735 0 R (options) 929 0 R (page.1) 597 0 R (page.10) 693 0 R (page.11) 704 0 R (page.12) 712 0 R (page.13) 719 0 R (page.14) 726 0 R (page.15) 733 0 R (page.16) 745 0 R (page.17) 755 0 R (page.18) 760 0 R (page.19) 764 0 R (page.2) 609 0 R (page.20) 773 0 R (page.21) 783 0 R (page.22) 791 0 R (page.23) 799 0 R (page.24) 809 0 R (page.25) 818 0 R (page.26) 826 0 R (page.27) 830 0 R (page.28) 840 0 R (page.29) 846 0 R (page.3) 616 0 R (page.30) 854 0 R (page.31) 861 0 R (page.32) 871 0 R (page.33) 885 0 R (page.34) 892 0 R (page.35) 896 0 R (page.36) 902 0 R (page.37) 908 0 R (page.38) 917 0 R (page.39) 924 0 R (page.4) 635 0 R (page.40) 928 0 R (page.41) 933 0 R (page.42) 939 0 R (page.43) 945 0 R (page.44) 955 0 R (page.45) 961 0 R (page.46) 969 0 R (page.47) 978 0 R (page.48) 986 0 R (page.49) 990 0 R (page.5) 652 0 R (page.50) 995 0 R (page.51) 1004 0 R (page.52) 1009 0 R (page.53) 1017 0 R (page.54) 1024 0 R (page.55) 1030 0 R (page.56) 1040 0 R (page.57) 1045 0 R (page.58) 1054 0 R (page.59) 1059 0 R (page.6) 663 0 R (page.60) 1063 0 R (page.61) 1067 0 R (page.62) 1076 0 R (page.63) 1088 0 R (page.64) 1098 0 R (page.65) 1114 0 R (page.66) 1126 0 R (page.67) 1132 0 R (page.68) 1140 0 R (page.69) 1151 0 R (page.7) 670 0 R (page.70) 1163 0 R (page.71) 1173 0 R (page.72) 1179 0 R (page.73) 1183 0 R (page.74) 1192 0 R (page.75) 1202 0 R (page.76) 1213 0 R (page.77) 1217 0 R (page.78) 1224 0 R (page.79) 1233 0 R (page.8) 680 0 R (page.80) 1282 0 R (page.81) 1340 0 R (page.9) 685 0 R (proposed_standards) 751 0 R (rfcs) 648 0 R (rndc) 881 0 R (rrset_ordering) 700 0 R (sample_configuration) 687 0 R (section*.1) 1239 0 R (section*.10) 1333 0 R (section*.11) 1343 0 R (section*.2) 1241 0 R (section*.3) 1249 0 R (section*.4) 1262 0 R (section*.5) 1270 0 R (section*.6) 1283 0 R (section*.7) 1299 0 R (section*.8) 1309 0 R (section*.9) 1319 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 466 0 R (section.7.1) 518 0 R (section.7.2) 522 0 R (section.7.3) 534 0 R (section.8.1) 542 0 R (section.8.2) 550 0 R (section.8.3) 554 0 R (section.A.1) 562 0 R (section.A.2) 570 0 R (section.A.3) 578 0 R (server_statement_definition_and_usage) 951 0 R (server_statement_grammar) 1041 0 R (statsfile) 935 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 326 0 R (subsection.6.2.12) 330 0 R (subsection.6.2.13) 334 0 R (subsection.6.2.14) 338 0 R (subsection.6.2.15) 342 0 R (subsection.6.2.16) 346 0 R (subsection.6.2.17) 418 0 R (subsection.6.2.18) 422 0 R (subsection.6.2.19) 426 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 430 0 R (subsection.6.2.21) 434 0 R (subsection.6.2.22) 438 0 R (subsection.6.2.23) 442 0 R (subsection.6.2.24) 446 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 470 0 R (subsection.6.3.2) 482 0 R (subsection.6.3.3) 486 0 R (subsection.6.3.4) 490 0 R (subsection.6.3.5) 494 0 R (subsection.6.3.6) 510 0 R (subsection.7.2.1) 526 0 R (subsection.7.2.2) 530 0 R (subsection.8.1.1) 546 0 R (subsection.A.1.1) 566 0 R (subsection.A.2.1) 574 0 R (subsection.A.3.1) 582 0 R (subsection.A.3.2) 586 0 R (subsection.A.3.3) 590 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.16.1) 350 0 R (subsubsection.6.2.16.10) 386 0 R (subsubsection.6.2.16.11) 390 0 R (subsubsection.6.2.16.12) 394 0 R (subsubsection.6.2.16.13) 398 0 R (subsubsection.6.2.16.14) 402 0 R (subsubsection.6.2.16.15) 406 0 R (subsubsection.6.2.16.16) 410 0 R (subsubsection.6.2.16.17) 414 0 R (subsubsection.6.2.16.2) 354 0 R (subsubsection.6.2.16.3) 358 0 R (subsubsection.6.2.16.4) 362 0 R (subsubsection.6.2.16.5) 366 0 R (subsubsection.6.2.16.6) 370 0 R (subsubsection.6.2.16.7) 374 0 R (subsubsection.6.2.16.8) 378 0 R (subsubsection.6.2.16.9) 382 0 R (subsubsection.6.2.24.1) 450 0 R (subsubsection.6.2.24.2) 454 0 R (subsubsection.6.2.24.3) 458 0 R (subsubsection.6.2.24.4) 462 0 R (subsubsection.6.3.1.1) 474 0 R (subsubsection.6.3.1.2) 478 0 R (subsubsection.6.3.5.1) 498 0 R (subsubsection.6.3.5.2) 502 0 R (subsubsection.6.3.5.3) 506 0 R (table.1.1) 625 0 R (table.1.2) 640 0 R (table.3.1) 696 0 R (table.3.2) 729 0 R (table.6.1) 834 0 R (table.6.10) 1122 0 R (table.6.11) 1128 0 R (table.6.12) 1134 0 R (table.6.13) 1142 0 R (table.6.14) 1144 0 R (table.6.15) 1147 0 R (table.6.16) 1154 0 R (table.6.17) 1157 0 R (table.6.18) 1175 0 R (table.6.2) 857 0 R (table.6.3) 865 0 R (table.6.4) 904 0 R (table.6.5) 941 0 R (table.6.6) 1020 0 R (table.6.7) 1034 0 R (table.6.8) 1071 0 R (table.6.9) 1116 0 R (table.A.1) 1227 0 R (table.A.2) 1229 0 R (the_category_phrase) 898 0 R (the_sortlist_statement) 1011 0 R (topology) 1010 0 R (tsig) 765 0 R (tuning) 1025 0 R (types_of_resource_records_and_when_to_use_them) 647 0 R (view_statement_grammar) 1036 0 R (zone_statement_grammar) 965 0 R (zone_transfers) 741 0 R] /Limits [(Access_Control_Lists) (zone_transfers)] >> endobj -1366 0 obj << -/Kids [1365 0 R] +1369 0 obj << +/Kids [1368 0 R] >> endobj -1367 0 obj << -/Dests 1366 0 R +1370 0 obj << +/Dests 1369 0 R >> endobj -1368 0 obj << +1371 0 obj << /Type /Catalog -/Pages 1363 0 R -/Outlines 1364 0 R -/Names 1367 0 R +/Pages 1366 0 R +/Outlines 1367 0 R +/Names 1370 0 R /PageMode /UseOutlines -/OpenAction 589 0 R +/OpenAction 593 0 R >> endobj -1369 0 obj << +1372 0 obj << /Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords() -/CreationDate (D:20061128121044+11'00') +/CreationDate (D:20080403035022Z) /PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4) >> endobj xref -0 1370 +0 1373 0000000001 65535 f 0000000002 00000 f 0000000003 00000 f 0000000004 00000 f 0000000000 00000 f 0000000009 00000 n -0000018863 00000 n -0000490048 00000 n +0000018969 00000 n +0000491464 00000 n 0000000054 00000 n 0000000086 00000 n -0000018987 00000 n -0000489976 00000 n +0000019093 00000 n +0000491392 00000 n 0000000133 00000 n 0000000173 00000 n -0000019112 00000 n -0000489890 00000 n +0000019218 00000 n +0000491306 00000 n 0000000221 00000 n 0000000273 00000 n -0000019237 00000 n -0000489804 00000 n +0000019343 00000 n +0000491220 00000 n 0000000321 00000 n 0000000377 00000 n -0000023672 00000 n -0000489694 00000 n +0000023633 00000 n +0000491110 00000 n 0000000425 00000 n 0000000478 00000 n -0000023796 00000 n -0000489620 00000 n +0000023758 00000 n +0000491036 00000 n 0000000531 00000 n 0000000572 00000 n -0000023921 00000 n -0000489533 00000 n +0000023883 00000 n +0000490949 00000 n 0000000625 00000 n 0000000674 00000 n -0000024046 00000 n -0000489446 00000 n +0000024008 00000 n +0000490862 00000 n 0000000727 00000 n 0000000757 00000 n -0000028194 00000 n -0000489322 00000 n +0000028318 00000 n +0000490738 00000 n 0000000810 00000 n 0000000861 00000 n -0000028319 00000 n -0000489248 00000 n +0000028443 00000 n +0000490664 00000 n 0000000919 00000 n 0000000964 00000 n -0000028444 00000 n -0000489161 00000 n +0000028568 00000 n +0000490577 00000 n 0000001022 00000 n 0000001062 00000 n -0000028569 00000 n -0000489087 00000 n +0000028693 00000 n +0000490503 00000 n 0000001120 00000 n 0000001162 00000 n -0000031482 00000 n -0000488963 00000 n +0000031606 00000 n +0000490379 00000 n 0000001215 00000 n 0000001260 00000 n -0000031607 00000 n -0000488902 00000 n +0000031731 00000 n +0000490318 00000 n 0000001318 00000 n 0000001355 00000 n -0000031732 00000 n -0000488828 00000 n +0000031856 00000 n +0000490244 00000 n 0000001408 00000 n 0000001463 00000 n -0000034120 00000 n -0000488703 00000 n +0000034244 00000 n +0000490119 00000 n 0000001509 00000 n 0000001556 00000 n -0000034245 00000 n -0000488629 00000 n +0000034369 00000 n +0000490045 00000 n 0000001604 00000 n 0000001648 00000 n -0000034370 00000 n -0000488542 00000 n +0000034494 00000 n +0000489958 00000 n 0000001696 00000 n 0000001735 00000 n -0000034493 00000 n -0000488455 00000 n +0000034617 00000 n +0000489871 00000 n 0000001783 00000 n 0000001825 00000 n -0000034617 00000 n -0000488368 00000 n +0000034741 00000 n +0000489784 00000 n 0000001873 00000 n 0000001936 00000 n -0000035653 00000 n -0000488294 00000 n +0000035777 00000 n +0000489710 00000 n 0000001984 00000 n 0000002034 00000 n -0000037331 00000 n -0000488166 00000 n +0000037455 00000 n +0000489582 00000 n 0000002080 00000 n 0000002126 00000 n -0000037455 00000 n -0000488053 00000 n +0000037579 00000 n +0000489469 00000 n 0000002174 00000 n 0000002218 00000 n -0000037580 00000 n -0000487977 00000 n +0000037704 00000 n +0000489393 00000 n 0000002271 00000 n 0000002323 00000 n -0000037705 00000 n -0000487900 00000 n +0000037829 00000 n +0000489316 00000 n 0000002377 00000 n 0000002436 00000 n -0000040321 00000 n -0000487809 00000 n +0000040461 00000 n +0000489225 00000 n 0000002485 00000 n 0000002523 00000 n -0000040572 00000 n -0000487692 00000 n +0000040712 00000 n +0000489108 00000 n 0000002572 00000 n 0000002618 00000 n -0000040698 00000 n -0000487574 00000 n +0000040838 00000 n +0000488990 00000 n 0000002672 00000 n 0000002739 00000 n -0000043877 00000 n -0000487495 00000 n +0000044023 00000 n +0000488911 00000 n 0000002798 00000 n 0000002842 00000 n -0000044003 00000 n -0000487416 00000 n +0000044149 00000 n +0000488832 00000 n 0000002901 00000 n 0000002949 00000 n -0000053920 00000 n -0000487337 00000 n +0000054288 00000 n +0000488753 00000 n 0000003003 00000 n 0000003036 00000 n -0000057191 00000 n -0000487205 00000 n +0000057561 00000 n +0000488621 00000 n 0000003083 00000 n 0000003126 00000 n -0000057317 00000 n -0000487126 00000 n +0000057687 00000 n +0000488542 00000 n 0000003175 00000 n 0000003205 00000 n -0000057443 00000 n -0000486994 00000 n +0000057813 00000 n +0000488410 00000 n 0000003254 00000 n 0000003292 00000 n -0000057568 00000 n -0000486929 00000 n +0000057938 00000 n +0000488345 00000 n 0000003346 00000 n 0000003388 00000 n -0000062008 00000 n -0000486836 00000 n +0000062257 00000 n +0000488252 00000 n 0000003437 00000 n 0000003496 00000 n -0000062134 00000 n -0000486743 00000 n +0000062383 00000 n +0000488120 00000 n 0000003545 00000 n 0000003578 00000 n -0000068838 00000 n -0000486611 00000 n -0000003627 00000 n -0000003655 00000 n -0000068964 00000 n -0000486493 00000 n -0000003709 00000 n -0000003778 00000 n -0000069090 00000 n -0000486414 00000 n -0000003837 00000 n -0000003885 00000 n -0000069216 00000 n -0000486335 00000 n -0000003944 00000 n -0000003989 00000 n -0000072218 00000 n -0000486242 00000 n -0000004043 00000 n -0000004111 00000 n -0000072344 00000 n -0000486149 00000 n -0000004165 00000 n -0000004235 00000 n -0000072470 00000 n -0000486056 00000 n -0000004289 00000 n -0000004352 00000 n -0000072596 00000 n -0000485963 00000 n -0000004406 00000 n -0000004461 00000 n -0000076316 00000 n -0000485884 00000 n -0000004515 00000 n -0000004547 00000 n -0000076442 00000 n -0000485791 00000 n -0000004596 00000 n -0000004624 00000 n -0000076567 00000 n -0000485698 00000 n -0000004673 00000 n -0000004705 00000 n -0000076693 00000 n -0000485566 00000 n -0000004754 00000 n -0000004784 00000 n -0000080149 00000 n -0000485487 00000 n -0000004838 00000 n -0000004879 00000 n -0000080274 00000 n -0000485394 00000 n -0000004933 00000 n -0000004975 00000 n -0000080400 00000 n -0000485315 00000 n -0000005029 00000 n -0000005074 00000 n -0000087840 00000 n -0000485197 00000 n -0000005123 00000 n -0000005169 00000 n -0000087966 00000 n -0000485118 00000 n -0000005223 00000 n -0000005283 00000 n -0000088092 00000 n -0000485039 00000 n -0000005337 00000 n -0000005406 00000 n -0000090527 00000 n -0000484906 00000 n -0000005453 00000 n -0000005506 00000 n -0000090653 00000 n -0000484827 00000 n -0000005555 00000 n -0000005611 00000 n -0000090779 00000 n -0000484748 00000 n -0000005660 00000 n -0000005709 00000 n -0000094890 00000 n -0000484615 00000 n -0000005756 00000 n -0000005808 00000 n -0000095016 00000 n -0000484497 00000 n -0000005857 00000 n -0000005908 00000 n -0000099160 00000 n -0000484379 00000 n -0000005962 00000 n -0000006007 00000 n -0000099285 00000 n -0000484300 00000 n -0000006066 00000 n -0000006100 00000 n -0000099410 00000 n -0000484221 00000 n -0000006159 00000 n -0000006207 00000 n -0000102688 00000 n -0000484103 00000 n -0000006261 00000 n -0000006301 00000 n -0000102814 00000 n -0000484024 00000 n -0000006360 00000 n -0000006394 00000 n -0000102940 00000 n -0000483945 00000 n -0000006453 00000 n -0000006501 00000 n -0000106666 00000 n -0000483812 00000 n -0000006550 00000 n -0000006600 00000 n -0000110504 00000 n -0000483733 00000 n -0000006654 00000 n -0000006701 00000 n -0000110630 00000 n -0000483640 00000 n -0000006755 00000 n -0000006815 00000 n -0000110880 00000 n -0000483547 00000 n -0000006869 00000 n -0000006921 00000 n -0000111006 00000 n -0000483454 00000 n -0000006975 00000 n -0000007040 00000 n -0000115636 00000 n -0000483361 00000 n -0000007094 00000 n -0000007145 00000 n -0000115762 00000 n -0000483268 00000 n -0000007199 00000 n -0000007263 00000 n -0000115888 00000 n -0000483175 00000 n -0000007317 00000 n -0000007364 00000 n -0000116014 00000 n -0000483082 00000 n -0000007418 00000 n -0000007478 00000 n -0000118956 00000 n -0000482989 00000 n -0000007532 00000 n -0000007583 00000 n -0000119082 00000 n -0000482857 00000 n -0000007638 00000 n -0000007703 00000 n -0000119208 00000 n -0000482778 00000 n -0000007763 00000 n -0000007810 00000 n -0000129617 00000 n -0000482699 00000 n -0000007870 00000 n -0000007918 00000 n -0000133330 00000 n -0000482606 00000 n +0000062509 00000 n +0000488055 00000 n +0000003632 00000 n +0000003681 00000 n +0000069370 00000 n +0000487923 00000 n +0000003730 00000 n +0000003758 00000 n +0000069496 00000 n +0000487805 00000 n +0000003812 00000 n +0000003881 00000 n +0000069621 00000 n +0000487726 00000 n +0000003940 00000 n +0000003988 00000 n +0000069747 00000 n +0000487647 00000 n +0000004047 00000 n +0000004092 00000 n +0000072749 00000 n +0000487554 00000 n +0000004146 00000 n +0000004214 00000 n +0000072875 00000 n +0000487461 00000 n +0000004268 00000 n +0000004338 00000 n +0000073001 00000 n +0000487368 00000 n +0000004392 00000 n +0000004455 00000 n +0000073127 00000 n +0000487275 00000 n +0000004509 00000 n +0000004564 00000 n +0000076860 00000 n +0000487196 00000 n +0000004618 00000 n +0000004650 00000 n +0000076986 00000 n +0000487103 00000 n +0000004699 00000 n +0000004727 00000 n +0000077111 00000 n +0000487010 00000 n +0000004776 00000 n +0000004808 00000 n +0000077237 00000 n +0000486878 00000 n +0000004857 00000 n +0000004887 00000 n +0000080688 00000 n +0000486799 00000 n +0000004941 00000 n +0000004982 00000 n +0000080813 00000 n +0000486706 00000 n +0000005036 00000 n +0000005078 00000 n +0000080939 00000 n +0000486627 00000 n +0000005132 00000 n +0000005177 00000 n +0000088379 00000 n +0000486509 00000 n +0000005226 00000 n +0000005272 00000 n +0000088505 00000 n +0000486430 00000 n +0000005326 00000 n +0000005386 00000 n +0000088631 00000 n +0000486351 00000 n +0000005440 00000 n +0000005509 00000 n +0000091066 00000 n +0000486218 00000 n +0000005556 00000 n +0000005609 00000 n +0000091192 00000 n +0000486139 00000 n +0000005658 00000 n +0000005714 00000 n +0000091318 00000 n +0000486060 00000 n +0000005763 00000 n +0000005812 00000 n +0000095439 00000 n +0000485927 00000 n +0000005859 00000 n +0000005911 00000 n +0000095565 00000 n +0000485809 00000 n +0000005960 00000 n +0000006011 00000 n +0000099709 00000 n +0000485691 00000 n +0000006065 00000 n +0000006110 00000 n +0000099834 00000 n +0000485612 00000 n +0000006169 00000 n +0000006203 00000 n +0000099959 00000 n +0000485533 00000 n +0000006262 00000 n +0000006310 00000 n +0000103241 00000 n +0000485415 00000 n +0000006364 00000 n +0000006404 00000 n +0000103367 00000 n +0000485336 00000 n +0000006463 00000 n +0000006497 00000 n +0000103493 00000 n +0000485257 00000 n +0000006556 00000 n +0000006604 00000 n +0000107219 00000 n +0000485124 00000 n +0000006653 00000 n +0000006703 00000 n +0000111057 00000 n +0000485045 00000 n +0000006757 00000 n +0000006804 00000 n +0000111183 00000 n +0000484952 00000 n +0000006858 00000 n +0000006918 00000 n +0000111433 00000 n +0000484859 00000 n +0000006972 00000 n +0000007024 00000 n +0000111559 00000 n +0000484766 00000 n +0000007078 00000 n +0000007143 00000 n +0000116189 00000 n +0000484673 00000 n +0000007197 00000 n +0000007248 00000 n +0000116315 00000 n +0000484580 00000 n +0000007302 00000 n +0000007366 00000 n +0000116441 00000 n +0000484487 00000 n +0000007420 00000 n +0000007467 00000 n +0000116567 00000 n +0000484394 00000 n +0000007521 00000 n +0000007581 00000 n +0000119509 00000 n +0000484301 00000 n +0000007635 00000 n +0000007686 00000 n +0000119635 00000 n +0000484169 00000 n +0000007741 00000 n +0000007806 00000 n +0000119761 00000 n +0000484090 00000 n +0000007866 00000 n +0000007913 00000 n +0000130170 00000 n +0000484011 00000 n 0000007973 00000 n -0000008023 00000 n -0000133456 00000 n -0000482513 00000 n -0000008078 00000 n -0000008141 00000 n -0000135194 00000 n -0000482420 00000 n -0000008196 00000 n -0000008248 00000 n -0000135320 00000 n -0000482327 00000 n -0000008303 00000 n -0000008368 00000 n -0000135446 00000 n -0000482234 00000 n -0000008423 00000 n -0000008475 00000 n -0000140719 00000 n -0000482101 00000 n -0000008530 00000 n -0000008595 00000 n -0000144791 00000 n -0000482022 00000 n -0000008655 00000 n -0000008699 00000 n -0000162452 00000 n -0000481929 00000 n -0000008759 00000 n -0000008798 00000 n -0000162576 00000 n -0000481836 00000 n -0000008858 00000 n -0000008905 00000 n -0000162702 00000 n -0000481743 00000 n -0000008965 00000 n +0000008021 00000 n +0000133886 00000 n +0000483918 00000 n +0000008076 00000 n +0000008126 00000 n +0000134012 00000 n +0000483825 00000 n +0000008181 00000 n +0000008244 00000 n +0000135742 00000 n +0000483732 00000 n +0000008299 00000 n +0000008351 00000 n +0000135868 00000 n +0000483639 00000 n +0000008406 00000 n +0000008471 00000 n +0000135994 00000 n +0000483546 00000 n +0000008526 00000 n +0000008578 00000 n +0000141175 00000 n +0000483413 00000 n +0000008633 00000 n +0000008698 00000 n +0000145209 00000 n +0000483334 00000 n +0000008758 00000 n +0000008802 00000 n +0000162726 00000 n +0000483241 00000 n +0000008862 00000 n +0000008901 00000 n +0000162852 00000 n +0000483148 00000 n +0000008961 00000 n 0000009008 00000 n -0000166677 00000 n -0000481650 00000 n +0000166993 00000 n +0000483055 00000 n 0000009068 00000 n -0000009107 00000 n -0000169550 00000 n -0000481557 00000 n -0000009167 00000 n -0000009209 00000 n -0000173583 00000 n -0000481464 00000 n -0000009269 00000 n +0000009111 00000 n +0000167119 00000 n +0000482962 00000 n +0000009171 00000 n +0000009210 00000 n +0000170214 00000 n +0000482869 00000 n +0000009270 00000 n 0000009312 00000 n -0000177138 00000 n -0000481371 00000 n +0000173956 00000 n +0000482776 00000 n 0000009372 00000 n -0000009419 00000 n -0000181163 00000 n -0000481278 00000 n -0000009479 00000 n -0000009540 00000 n -0000181289 00000 n -0000481185 00000 n -0000009601 00000 n -0000009653 00000 n -0000184888 00000 n -0000481092 00000 n -0000009714 00000 n -0000009767 00000 n -0000185015 00000 n -0000480999 00000 n -0000009828 00000 n -0000009866 00000 n -0000189024 00000 n -0000480906 00000 n -0000009927 00000 n -0000009979 00000 n -0000192176 00000 n -0000480813 00000 n -0000010040 00000 n -0000010084 00000 n -0000196560 00000 n -0000480720 00000 n -0000010145 00000 n -0000010181 00000 n -0000196689 00000 n -0000480627 00000 n -0000010242 00000 n -0000010305 00000 n -0000200114 00000 n -0000480548 00000 n -0000010366 00000 n -0000010415 00000 n -0000204331 00000 n -0000480455 00000 n -0000010470 00000 n -0000010521 00000 n -0000204460 00000 n -0000480362 00000 n -0000010576 00000 n -0000010640 00000 n -0000208218 00000 n -0000480269 00000 n -0000010695 00000 n -0000010752 00000 n -0000208347 00000 n -0000480176 00000 n -0000010807 00000 n -0000010877 00000 n -0000208476 00000 n -0000480083 00000 n -0000010932 00000 n -0000010981 00000 n -0000208605 00000 n -0000479990 00000 n -0000011036 00000 n -0000011098 00000 n -0000211144 00000 n -0000479897 00000 n -0000011153 00000 n -0000011202 00000 n -0000214243 00000 n -0000479779 00000 n -0000011257 00000 n -0000011319 00000 n -0000214372 00000 n -0000479700 00000 n -0000011379 00000 n -0000011418 00000 n -0000223329 00000 n -0000479607 00000 n -0000011478 00000 n -0000011512 00000 n -0000223458 00000 n -0000479514 00000 n -0000011572 00000 n -0000011613 00000 n -0000233632 00000 n -0000479435 00000 n -0000011673 00000 n -0000011725 00000 n -0000237666 00000 n -0000479317 00000 n -0000011774 00000 n -0000011807 00000 n -0000237795 00000 n -0000479199 00000 n -0000011861 00000 n -0000011933 00000 n -0000237923 00000 n -0000479120 00000 n -0000011992 00000 n +0000009415 00000 n +0000181576 00000 n +0000482683 00000 n +0000009475 00000 n +0000009522 00000 n +0000181702 00000 n +0000482590 00000 n +0000009582 00000 n +0000009643 00000 n +0000181828 00000 n +0000482497 00000 n +0000009704 00000 n +0000009756 00000 n +0000185325 00000 n +0000482404 00000 n +0000009817 00000 n +0000009870 00000 n +0000189658 00000 n +0000482311 00000 n +0000009931 00000 n +0000009969 00000 n +0000189787 00000 n +0000482218 00000 n +0000010030 00000 n +0000010082 00000 n +0000192689 00000 n +0000482125 00000 n +0000010143 00000 n +0000010187 00000 n +0000196435 00000 n +0000482032 00000 n +0000010248 00000 n +0000010284 00000 n +0000200400 00000 n +0000481939 00000 n +0000010345 00000 n +0000010408 00000 n +0000200529 00000 n +0000481860 00000 n +0000010469 00000 n +0000010518 00000 n +0000204050 00000 n +0000481767 00000 n +0000010573 00000 n +0000010624 00000 n +0000204177 00000 n +0000481674 00000 n +0000010679 00000 n +0000010743 00000 n +0000208304 00000 n +0000481581 00000 n +0000010798 00000 n +0000010855 00000 n +0000208431 00000 n +0000481488 00000 n +0000010910 00000 n +0000010980 00000 n +0000208559 00000 n +0000481395 00000 n +0000011035 00000 n +0000011084 00000 n +0000211978 00000 n +0000481302 00000 n +0000011139 00000 n +0000011201 00000 n +0000213555 00000 n +0000481209 00000 n +0000011256 00000 n +0000011305 00000 n +0000218410 00000 n +0000481091 00000 n +0000011360 00000 n +0000011422 00000 n +0000218539 00000 n +0000481012 00000 n +0000011482 00000 n +0000011521 00000 n +0000223490 00000 n +0000480919 00000 n +0000011581 00000 n +0000011615 00000 n +0000223619 00000 n +0000480826 00000 n +0000011675 00000 n +0000011716 00000 n +0000233806 00000 n +0000480747 00000 n +0000011776 00000 n +0000011828 00000 n +0000237977 00000 n +0000480629 00000 n +0000011877 00000 n +0000011910 00000 n +0000238106 00000 n +0000480511 00000 n +0000011964 00000 n 0000012036 00000 n -0000245477 00000 n -0000479041 00000 n +0000238234 00000 n +0000480432 00000 n 0000012095 00000 n -0000012148 00000 n -0000249238 00000 n -0000478948 00000 n -0000012202 00000 n -0000012252 00000 n -0000249496 00000 n -0000478855 00000 n -0000012306 00000 n -0000012344 00000 n -0000252743 00000 n -0000478762 00000 n -0000012398 00000 n +0000012139 00000 n +0000245968 00000 n +0000480353 00000 n +0000012198 00000 n +0000012251 00000 n +0000249552 00000 n +0000480260 00000 n +0000012305 00000 n +0000012355 00000 n +0000252912 00000 n +0000480167 00000 n +0000012409 00000 n 0000012447 00000 n -0000253002 00000 n -0000478630 00000 n +0000253170 00000 n +0000480074 00000 n 0000012501 00000 n -0000012553 00000 n -0000253131 00000 n -0000478551 00000 n -0000012612 00000 n -0000012664 00000 n -0000253260 00000 n -0000478458 00000 n -0000012723 00000 n -0000012776 00000 n -0000256913 00000 n -0000478379 00000 n -0000012835 00000 n -0000012884 00000 n -0000257042 00000 n -0000478300 00000 n +0000012550 00000 n +0000253428 00000 n +0000479942 00000 n +0000012604 00000 n +0000012656 00000 n +0000253557 00000 n +0000479863 00000 n +0000012715 00000 n +0000012767 00000 n +0000256438 00000 n +0000479770 00000 n +0000012826 00000 n +0000012879 00000 n +0000256567 00000 n +0000479691 00000 n 0000012938 00000 n -0000013018 00000 n -0000261560 00000 n -0000478167 00000 n -0000013065 00000 n -0000013117 00000 n -0000261689 00000 n -0000478088 00000 n -0000013166 00000 n -0000013210 00000 n -0000265419 00000 n -0000477956 00000 n -0000013259 00000 n -0000013321 00000 n -0000265548 00000 n -0000477877 00000 n -0000013375 00000 n -0000013423 00000 n -0000265677 00000 n -0000477798 00000 n -0000013477 00000 n -0000013528 00000 n -0000265806 00000 n -0000477719 00000 n -0000013577 00000 n -0000013624 00000 n -0000268736 00000 n -0000477586 00000 n -0000013671 00000 n -0000013708 00000 n -0000268865 00000 n -0000477468 00000 n -0000013757 00000 n -0000013796 00000 n -0000268994 00000 n -0000477403 00000 n -0000013850 00000 n -0000013928 00000 n -0000269123 00000 n -0000477310 00000 n -0000013977 00000 n -0000014044 00000 n -0000269252 00000 n -0000477231 00000 n -0000014093 00000 n -0000014138 00000 n -0000272731 00000 n -0000477112 00000 n -0000014186 00000 n -0000014218 00000 n -0000272860 00000 n -0000476994 00000 n -0000014267 00000 n -0000014306 00000 n -0000272989 00000 n -0000476929 00000 n -0000014360 00000 n -0000014421 00000 n -0000276996 00000 n -0000476797 00000 n -0000014470 00000 n -0000014527 00000 n -0000277125 00000 n -0000476732 00000 n -0000014581 00000 n +0000012987 00000 n +0000256696 00000 n +0000479612 00000 n +0000013041 00000 n +0000013121 00000 n +0000262565 00000 n +0000479479 00000 n +0000013168 00000 n +0000013220 00000 n +0000262694 00000 n +0000479400 00000 n +0000013269 00000 n +0000013313 00000 n +0000266427 00000 n +0000479268 00000 n +0000013362 00000 n +0000013424 00000 n +0000266556 00000 n +0000479189 00000 n +0000013478 00000 n +0000013526 00000 n +0000266685 00000 n +0000479110 00000 n +0000013580 00000 n +0000013631 00000 n +0000266814 00000 n +0000479031 00000 n +0000013680 00000 n +0000013727 00000 n +0000269731 00000 n +0000478898 00000 n +0000013774 00000 n +0000013811 00000 n +0000269860 00000 n +0000478780 00000 n +0000013860 00000 n +0000013899 00000 n +0000269989 00000 n +0000478715 00000 n +0000013953 00000 n +0000014031 00000 n +0000270118 00000 n +0000478622 00000 n +0000014080 00000 n +0000014147 00000 n +0000270247 00000 n +0000478543 00000 n +0000014196 00000 n +0000014241 00000 n +0000273741 00000 n +0000478424 00000 n +0000014289 00000 n +0000014321 00000 n +0000273870 00000 n +0000478306 00000 n +0000014370 00000 n +0000014409 00000 n +0000273999 00000 n +0000478241 00000 n +0000014463 00000 n +0000014524 00000 n +0000277498 00000 n +0000478109 00000 n +0000014573 00000 n 0000014630 00000 n -0000277513 00000 n -0000476614 00000 n -0000014679 00000 n -0000014741 00000 n -0000277642 00000 n -0000476535 00000 n -0000014795 00000 n -0000014850 00000 n -0000290746 00000 n -0000476442 00000 n -0000014904 00000 n -0000014945 00000 n -0000291808 00000 n -0000476363 00000 n -0000014999 00000 n -0000015051 00000 n -0000015407 00000 n -0000015655 00000 n -0000015104 00000 n -0000015529 00000 n -0000015592 00000 n -0000473205 00000 n -0000447541 00000 n -0000473031 00000 n -0000446492 00000 n -0000420557 00000 n -0000446318 00000 n -0000474210 00000 n -0000016313 00000 n -0000016128 00000 n -0000015740 00000 n -0000016250 00000 n -0000419872 00000 n -0000417727 00000 n -0000419708 00000 n -0000019488 00000 n -0000018678 00000 n -0000016398 00000 n -0000018800 00000 n -0000018924 00000 n -0000019049 00000 n -0000019174 00000 n -0000416873 00000 n -0000396515 00000 n -0000416699 00000 n -0000019299 00000 n -0000019362 00000 n -0000019425 00000 n -0000395566 00000 n -0000375814 00000 n -0000395393 00000 n -0000375087 00000 n -0000358703 00000 n -0000374914 00000 n -0000024171 00000 n -0000022989 00000 n -0000019612 00000 n -0000023483 00000 n -0000358168 00000 n -0000341251 00000 n -0000357984 00000 n -0000023546 00000 n -0000023609 00000 n -0000023733 00000 n -0000023858 00000 n -0000023983 00000 n -0000023139 00000 n -0000023332 00000 n -0000024108 00000 n -0000237859 00000 n -0000277706 00000 n -0000028694 00000 n -0000027659 00000 n -0000024295 00000 n -0000028131 00000 n -0000028256 00000 n -0000027809 00000 n -0000027971 00000 n -0000028381 00000 n -0000028506 00000 n -0000028631 00000 n -0000043940 00000 n -0000031856 00000 n -0000031297 00000 n +0000277627 00000 n +0000478044 00000 n +0000014684 00000 n +0000014733 00000 n +0000281814 00000 n +0000477926 00000 n +0000014782 00000 n +0000014844 00000 n +0000281943 00000 n +0000477847 00000 n +0000014898 00000 n +0000014953 00000 n +0000292558 00000 n +0000477754 00000 n +0000015007 00000 n +0000015048 00000 n +0000292687 00000 n +0000477675 00000 n +0000015102 00000 n +0000015154 00000 n +0000015507 00000 n +0000015755 00000 n +0000015207 00000 n +0000015629 00000 n +0000015692 00000 n +0000474516 00000 n +0000448852 00000 n +0000474342 00000 n +0000447664 00000 n +0000421504 00000 n +0000447490 00000 n +0000475521 00000 n +0000016419 00000 n +0000016234 00000 n +0000015840 00000 n +0000016356 00000 n +0000420819 00000 n +0000418674 00000 n +0000420655 00000 n +0000019594 00000 n +0000018784 00000 n +0000016504 00000 n +0000018906 00000 n +0000019030 00000 n +0000019155 00000 n +0000019280 00000 n +0000417820 00000 n +0000397462 00000 n +0000417646 00000 n +0000019405 00000 n +0000019468 00000 n +0000019531 00000 n +0000396513 00000 n +0000376761 00000 n +0000396340 00000 n +0000376034 00000 n +0000359650 00000 n +0000375861 00000 n +0000024132 00000 n +0000022950 00000 n +0000019718 00000 n +0000023444 00000 n +0000359115 00000 n +0000342198 00000 n +0000358931 00000 n +0000023507 00000 n +0000023570 00000 n +0000023695 00000 n +0000023820 00000 n +0000023945 00000 n +0000023100 00000 n +0000023293 00000 n +0000024070 00000 n +0000238170 00000 n +0000282007 00000 n 0000028818 00000 n -0000031419 00000 n -0000031544 00000 n -0000031669 00000 n +0000027783 00000 n +0000024256 00000 n +0000028255 00000 n +0000028380 00000 n +0000027933 00000 n +0000028095 00000 n +0000028505 00000 n +0000028630 00000 n +0000028755 00000 n +0000044086 00000 n +0000031980 00000 n +0000031421 00000 n +0000028942 00000 n +0000031543 00000 n +0000031668 00000 n 0000031793 00000 n -0000034742 00000 n -0000033935 00000 n -0000031967 00000 n -0000034057 00000 n -0000034182 00000 n -0000034307 00000 n -0000034432 00000 n -0000034554 00000 n -0000034679 00000 n -0000474328 00000 n -0000035778 00000 n -0000035468 00000 n -0000034827 00000 n -0000035590 00000 n -0000035715 00000 n -0000037831 00000 n -0000037146 00000 n -0000035876 00000 n -0000037268 00000 n -0000037393 00000 n +0000031917 00000 n +0000034866 00000 n +0000034059 00000 n +0000032091 00000 n +0000034181 00000 n +0000034306 00000 n +0000034431 00000 n +0000034556 00000 n +0000034678 00000 n +0000034803 00000 n +0000475639 00000 n +0000035902 00000 n +0000035592 00000 n +0000034951 00000 n +0000035714 00000 n +0000035839 00000 n +0000037955 00000 n +0000037270 00000 n +0000036000 00000 n +0000037392 00000 n 0000037517 00000 n -0000037642 00000 n -0000037768 00000 n -0000040824 00000 n -0000039957 00000 n -0000037929 00000 n -0000040258 00000 n -0000040384 00000 n -0000040447 00000 n -0000040509 00000 n -0000040099 00000 n -0000040635 00000 n -0000040761 00000 n -0000192240 00000 n -0000044129 00000 n -0000043692 00000 n -0000040935 00000 n -0000043814 00000 n -0000340724 00000 n -0000331415 00000 n -0000340547 00000 n -0000044066 00000 n -0000047728 00000 n -0000047543 00000 n -0000044253 00000 n -0000047665 00000 n -0000330972 00000 n -0000324173 00000 n -0000330795 00000 n -0000051997 00000 n -0000051607 00000 n -0000047891 00000 n -0000051934 00000 n -0000051749 00000 n -0000474446 00000 n -0000111069 00000 n -0000054170 00000 n -0000053735 00000 n -0000052134 00000 n -0000053857 00000 n -0000053983 00000 n -0000054044 00000 n -0000054107 00000 n -0000057694 00000 n -0000056656 00000 n -0000054294 00000 n -0000057128 00000 n -0000057254 00000 n -0000057380 00000 n -0000056806 00000 n -0000056967 00000 n -0000057505 00000 n -0000057631 00000 n -0000144854 00000 n -0000173646 00000 n -0000062260 00000 n -0000061469 00000 n -0000057792 00000 n -0000061945 00000 n -0000062071 00000 n -0000061619 00000 n -0000061784 00000 n -0000062197 00000 n -0000282256 00000 n -0000065099 00000 n -0000064727 00000 n -0000062410 00000 n -0000065036 00000 n -0000064869 00000 n -0000066255 00000 n -0000066070 00000 n -0000065223 00000 n -0000066192 00000 n -0000069342 00000 n -0000068653 00000 n -0000066353 00000 n -0000068775 00000 n -0000068901 00000 n -0000069027 00000 n -0000069153 00000 n -0000069279 00000 n -0000474564 00000 n -0000072722 00000 n -0000071845 00000 n -0000069479 00000 n -0000072155 00000 n -0000072281 00000 n -0000072407 00000 n -0000072533 00000 n -0000072659 00000 n -0000071987 00000 n -0000233696 00000 n -0000076818 00000 n -0000076131 00000 n -0000072859 00000 n -0000076253 00000 n -0000076379 00000 n -0000076505 00000 n -0000076630 00000 n -0000076755 00000 n -0000080524 00000 n -0000079964 00000 n -0000076942 00000 n -0000080086 00000 n -0000080211 00000 n -0000080337 00000 n -0000080461 00000 n -0000083525 00000 n -0000085224 00000 n -0000083403 00000 n -0000080648 00000 n -0000085161 00000 n -0000323354 00000 n -0000314545 00000 n -0000323182 00000 n -0000084993 00000 n -0000085050 00000 n -0000085139 00000 n -0000088218 00000 n -0000087476 00000 n -0000085376 00000 n -0000087777 00000 n -0000087903 00000 n -0000087618 00000 n -0000088029 00000 n -0000088155 00000 n -0000277189 00000 n -0000090905 00000 n -0000090342 00000 n -0000088342 00000 n -0000090464 00000 n -0000090590 00000 n -0000090716 00000 n -0000090842 00000 n -0000474682 00000 n -0000091337 00000 n -0000091152 00000 n +0000037641 00000 n +0000037766 00000 n +0000037892 00000 n +0000040964 00000 n +0000040097 00000 n +0000038053 00000 n +0000040398 00000 n +0000040524 00000 n +0000040587 00000 n +0000040649 00000 n +0000040239 00000 n +0000040775 00000 n +0000040901 00000 n +0000192753 00000 n +0000044275 00000 n +0000043838 00000 n +0000041075 00000 n +0000043960 00000 n +0000341671 00000 n +0000332362 00000 n +0000341494 00000 n +0000044212 00000 n +0000047975 00000 n +0000047790 00000 n +0000044399 00000 n +0000047912 00000 n +0000331919 00000 n +0000325120 00000 n +0000331742 00000 n +0000052340 00000 n +0000051949 00000 n +0000048138 00000 n +0000052277 00000 n +0000052091 00000 n +0000475757 00000 n +0000111622 00000 n +0000054540 00000 n +0000054103 00000 n +0000052477 00000 n +0000054225 00000 n +0000054351 00000 n +0000054414 00000 n +0000054477 00000 n +0000058064 00000 n +0000057026 00000 n +0000054664 00000 n +0000057498 00000 n +0000057624 00000 n +0000057750 00000 n +0000057176 00000 n +0000057337 00000 n +0000057875 00000 n +0000058001 00000 n +0000145272 00000 n +0000174019 00000 n +0000062635 00000 n +0000061718 00000 n +0000058162 00000 n +0000062194 00000 n +0000062320 00000 n +0000061868 00000 n +0000062033 00000 n +0000062446 00000 n +0000062572 00000 n +0000282786 00000 n +0000065550 00000 n +0000065178 00000 n +0000062785 00000 n +0000065487 00000 n +0000065320 00000 n +0000066735 00000 n +0000066550 00000 n +0000065674 00000 n +0000066672 00000 n +0000069873 00000 n +0000069185 00000 n +0000066833 00000 n +0000069307 00000 n +0000069433 00000 n +0000069559 00000 n +0000069684 00000 n +0000069810 00000 n +0000475875 00000 n +0000073253 00000 n +0000072376 00000 n +0000070010 00000 n +0000072686 00000 n +0000072812 00000 n +0000072938 00000 n +0000073064 00000 n +0000073190 00000 n +0000072518 00000 n +0000233870 00000 n +0000077362 00000 n +0000076675 00000 n +0000073390 00000 n +0000076797 00000 n +0000076923 00000 n +0000077049 00000 n +0000077174 00000 n +0000077299 00000 n +0000081063 00000 n +0000080503 00000 n +0000077486 00000 n +0000080625 00000 n +0000080750 00000 n +0000080876 00000 n +0000081000 00000 n +0000084064 00000 n +0000085763 00000 n +0000083942 00000 n +0000081187 00000 n +0000085700 00000 n +0000324285 00000 n +0000315425 00000 n +0000324113 00000 n +0000085532 00000 n +0000085589 00000 n +0000085678 00000 n +0000088757 00000 n +0000088015 00000 n +0000085915 00000 n +0000088316 00000 n +0000088442 00000 n +0000088157 00000 n +0000088568 00000 n +0000088694 00000 n +0000277691 00000 n +0000091444 00000 n +0000090881 00000 n +0000088881 00000 n 0000091003 00000 n -0000091274 00000 n -0000095267 00000 n -0000094519 00000 n -0000091378 00000 n -0000094827 00000 n -0000094953 00000 n -0000095078 00000 n -0000095141 00000 n -0000095204 00000 n -0000094661 00000 n -0000099223 00000 n -0000099536 00000 n -0000098975 00000 n -0000095365 00000 n -0000099097 00000 n -0000099347 00000 n -0000099473 00000 n -0000103066 00000 n -0000102503 00000 n -0000099673 00000 n -0000102625 00000 n -0000102751 00000 n -0000102877 00000 n -0000103003 00000 n -0000105678 00000 n -0000106917 00000 n -0000105556 00000 n -0000103177 00000 n -0000106603 00000 n -0000106729 00000 n -0000106792 00000 n -0000106855 00000 n -0000111132 00000 n -0000110319 00000 n -0000107069 00000 n -0000110441 00000 n -0000110567 00000 n -0000110691 00000 n -0000110754 00000 n -0000110817 00000 n -0000110943 00000 n -0000474800 00000 n -0000116140 00000 n -0000114574 00000 n -0000111243 00000 n -0000115573 00000 n -0000114748 00000 n -0000114898 00000 n -0000115699 00000 n -0000115825 00000 n -0000115951 00000 n -0000116077 00000 n -0000115056 00000 n -0000115207 00000 n -0000115391 00000 n -0000292322 00000 n -0000119334 00000 n -0000118771 00000 n -0000116277 00000 n -0000118893 00000 n -0000119019 00000 n -0000119145 00000 n -0000119271 00000 n -0000123845 00000 n -0000123660 00000 n -0000119471 00000 n -0000123782 00000 n -0000126880 00000 n -0000126510 00000 n -0000123956 00000 n -0000126817 00000 n -0000126652 00000 n -0000129680 00000 n -0000129869 00000 n -0000129432 00000 n -0000126991 00000 n -0000129554 00000 n -0000129743 00000 n -0000129806 00000 n -0000133582 00000 n -0000132814 00000 n -0000129980 00000 n -0000133267 00000 n -0000133393 00000 n -0000133519 00000 n -0000132964 00000 n -0000133115 00000 n -0000474918 00000 n -0000135572 00000 n -0000135009 00000 n -0000133693 00000 n -0000135131 00000 n -0000135257 00000 n -0000135383 00000 n -0000135509 00000 n -0000137122 00000 n -0000136937 00000 n -0000135683 00000 n -0000137059 00000 n -0000140844 00000 n -0000140534 00000 n -0000137220 00000 n -0000140656 00000 n -0000140781 00000 n -0000144917 00000 n -0000144432 00000 n -0000140968 00000 n -0000144728 00000 n -0000144574 00000 n -0000200178 00000 n -0000148826 00000 n -0000148515 00000 n -0000145041 00000 n -0000148637 00000 n -0000148700 00000 n -0000148763 00000 n -0000153958 00000 n -0000152681 00000 n -0000148950 00000 n -0000153895 00000 n -0000152863 00000 n -0000153016 00000 n -0000153172 00000 n -0000153355 00000 n -0000153527 00000 n -0000153711 00000 n -0000475036 00000 n -0000204524 00000 n -0000158215 00000 n -0000158030 00000 n -0000154136 00000 n -0000158152 00000 n -0000162828 00000 n -0000161906 00000 n -0000158352 00000 n -0000162389 00000 n -0000162515 00000 n -0000162056 00000 n -0000162639 00000 n -0000162765 00000 n -0000162224 00000 n -0000211208 00000 n -0000166803 00000 n -0000166302 00000 n -0000162952 00000 n -0000166614 00000 n -0000166444 00000 n -0000166740 00000 n -0000265869 00000 n -0000169676 00000 n -0000169365 00000 n -0000166927 00000 n -0000169487 00000 n -0000169613 00000 n -0000314019 00000 n -0000306129 00000 n -0000313846 00000 n -0000173709 00000 n -0000173398 00000 n -0000169841 00000 n -0000173520 00000 n -0000177262 00000 n -0000176953 00000 n -0000173820 00000 n -0000177075 00000 n -0000177200 00000 n -0000475154 00000 n -0000181415 00000 n -0000180623 00000 n -0000177414 00000 n -0000181100 00000 n -0000181226 00000 n -0000180773 00000 n -0000181352 00000 n -0000180946 00000 n -0000185142 00000 n -0000184703 00000 n -0000181526 00000 n -0000184825 00000 n -0000184951 00000 n -0000185078 00000 n -0000189153 00000 n -0000188487 00000 n -0000185294 00000 n -0000188959 00000 n -0000189088 00000 n -0000188642 00000 n -0000188804 00000 n -0000192432 00000 n -0000191796 00000 n -0000189319 00000 n -0000192111 00000 n -0000191942 00000 n -0000192303 00000 n -0000192367 00000 n -0000196818 00000 n -0000196012 00000 n -0000192598 00000 n -0000196495 00000 n -0000196624 00000 n -0000196167 00000 n -0000196753 00000 n -0000196329 00000 n -0000208540 00000 n -0000200372 00000 n -0000199923 00000 n -0000196984 00000 n -0000200049 00000 n -0000200242 00000 n -0000200307 00000 n -0000475275 00000 n -0000204588 00000 n -0000203968 00000 n -0000200484 00000 n -0000204266 00000 n -0000204395 00000 n -0000204115 00000 n -0000208734 00000 n -0000207681 00000 n -0000204700 00000 n -0000208153 00000 n -0000207837 00000 n -0000208282 00000 n -0000208411 00000 n -0000207999 00000 n -0000208669 00000 n -0000211272 00000 n -0000210953 00000 n -0000208846 00000 n -0000211079 00000 n -0000212676 00000 n -0000212485 00000 n -0000211384 00000 n -0000212611 00000 n -0000214630 00000 n -0000214052 00000 n -0000212775 00000 n -0000214178 00000 n -0000214307 00000 n -0000214436 00000 n -0000214501 00000 n -0000214566 00000 n -0000218616 00000 n -0000218425 00000 n -0000214742 00000 n -0000218551 00000 n -0000475400 00000 n -0000223587 00000 n -0000222083 00000 n -0000218728 00000 n -0000223264 00000 n -0000223393 00000 n -0000223522 00000 n -0000222275 00000 n -0000222437 00000 n -0000222599 00000 n -0000222761 00000 n -0000222932 00000 n -0000223103 00000 n -0000228876 00000 n -0000226808 00000 n -0000223699 00000 n -0000228811 00000 n -0000227045 00000 n -0000227208 00000 n -0000227369 00000 n -0000227531 00000 n -0000227692 00000 n -0000227854 00000 n -0000228016 00000 n -0000228170 00000 n -0000228332 00000 n -0000228494 00000 n -0000228653 00000 n -0000233890 00000 n -0000232249 00000 n -0000229001 00000 n -0000233567 00000 n -0000232450 00000 n -0000232612 00000 n -0000232774 00000 n -0000232935 00000 n -0000233089 00000 n -0000233250 00000 n -0000233405 00000 n -0000233760 00000 n -0000233825 00000 n -0000238310 00000 n -0000237113 00000 n -0000234015 00000 n -0000237601 00000 n -0000237730 00000 n -0000237987 00000 n -0000237269 00000 n -0000237439 00000 n -0000238052 00000 n -0000238117 00000 n -0000238181 00000 n -0000238246 00000 n -0000241771 00000 n -0000241516 00000 n -0000238448 00000 n -0000241642 00000 n -0000241707 00000 n -0000245736 00000 n -0000245221 00000 n -0000241870 00000 n -0000245347 00000 n -0000245412 00000 n -0000245541 00000 n -0000245606 00000 n -0000245671 00000 n -0000475525 00000 n -0000249753 00000 n -0000248917 00000 n -0000245848 00000 n -0000249043 00000 n -0000249108 00000 n -0000249173 00000 n -0000249302 00000 n -0000249367 00000 n -0000249431 00000 n -0000249559 00000 n -0000249624 00000 n -0000249688 00000 n -0000253388 00000 n -0000252552 00000 n -0000249878 00000 n -0000252678 00000 n -0000252807 00000 n -0000252872 00000 n -0000252937 00000 n -0000253066 00000 n -0000253195 00000 n -0000305774 00000 n -0000303777 00000 n -0000305609 00000 n -0000253323 00000 n -0000257301 00000 n -0000256722 00000 n -0000253594 00000 n -0000256848 00000 n -0000256977 00000 n -0000257106 00000 n -0000257171 00000 n -0000257236 00000 n -0000258796 00000 n -0000258605 00000 n -0000257493 00000 n -0000258731 00000 n -0000259236 00000 n -0000259045 00000 n -0000258895 00000 n -0000259171 00000 n -0000261817 00000 n -0000260909 00000 n -0000259278 00000 n -0000261495 00000 n -0000261624 00000 n -0000261753 00000 n -0000261065 00000 n -0000261280 00000 n -0000475650 00000 n -0000265933 00000 n -0000265228 00000 n -0000261943 00000 n -0000265354 00000 n -0000303456 00000 n -0000294243 00000 n -0000303270 00000 n -0000265483 00000 n -0000265612 00000 n -0000265741 00000 n -0000269380 00000 n -0000268154 00000 n -0000266098 00000 n -0000268671 00000 n -0000268800 00000 n -0000268929 00000 n -0000269058 00000 n -0000269187 00000 n -0000269316 00000 n -0000268310 00000 n -0000268482 00000 n -0000269834 00000 n -0000269643 00000 n -0000269493 00000 n -0000269769 00000 n -0000273118 00000 n -0000272540 00000 n -0000269876 00000 n -0000272666 00000 n -0000272795 00000 n -0000272924 00000 n -0000273053 00000 n -0000277770 00000 n -0000276420 00000 n -0000273204 00000 n -0000276931 00000 n -0000277060 00000 n -0000277253 00000 n -0000277318 00000 n -0000277383 00000 n -0000277448 00000 n -0000277577 00000 n -0000276576 00000 n -0000276754 00000 n -0000284654 00000 n -0000280594 00000 n -0000277922 00000 n -0000280768 00000 n -0000281476 00000 n -0000280946 00000 n -0000281124 00000 n -0000281300 00000 n -0000281541 00000 n -0000281606 00000 n -0000281671 00000 n -0000281736 00000 n -0000281801 00000 n -0000281866 00000 n -0000281931 00000 n -0000281996 00000 n -0000282061 00000 n -0000282126 00000 n -0000282191 00000 n -0000282320 00000 n -0000282385 00000 n -0000282450 00000 n -0000282515 00000 n -0000282580 00000 n -0000282644 00000 n -0000282709 00000 n -0000282773 00000 n -0000282838 00000 n -0000282903 00000 n -0000282968 00000 n -0000283033 00000 n -0000283097 00000 n -0000283162 00000 n -0000283227 00000 n -0000283292 00000 n -0000283357 00000 n -0000283422 00000 n -0000283487 00000 n -0000283551 00000 n -0000283616 00000 n -0000283681 00000 n -0000283746 00000 n -0000283811 00000 n -0000283876 00000 n -0000283941 00000 n -0000284006 00000 n -0000284071 00000 n -0000284136 00000 n -0000284201 00000 n -0000284266 00000 n -0000284331 00000 n -0000284396 00000 n -0000284461 00000 n -0000284526 00000 n -0000284590 00000 n -0000475775 00000 n -0000290874 00000 n -0000287567 00000 n -0000284806 00000 n -0000287693 00000 n -0000287758 00000 n -0000287823 00000 n -0000287888 00000 n -0000287953 00000 n -0000288018 00000 n -0000288082 00000 n -0000288147 00000 n -0000288212 00000 n -0000288277 00000 n -0000288342 00000 n -0000288407 00000 n -0000288472 00000 n -0000288537 00000 n -0000288602 00000 n -0000288667 00000 n -0000288732 00000 n -0000288797 00000 n -0000288862 00000 n -0000288927 00000 n -0000288992 00000 n -0000289057 00000 n -0000289122 00000 n -0000289187 00000 n -0000289251 00000 n -0000289316 00000 n -0000289381 00000 n -0000289446 00000 n -0000289511 00000 n -0000289576 00000 n -0000289641 00000 n -0000289706 00000 n -0000289771 00000 n -0000289836 00000 n -0000289901 00000 n -0000289966 00000 n -0000290031 00000 n -0000290096 00000 n -0000290161 00000 n -0000290226 00000 n -0000290291 00000 n -0000290356 00000 n -0000290421 00000 n -0000290486 00000 n -0000290551 00000 n -0000290616 00000 n -0000290681 00000 n -0000290810 00000 n -0000292197 00000 n -0000291617 00000 n -0000290986 00000 n -0000291743 00000 n -0000291872 00000 n -0000291937 00000 n -0000292002 00000 n -0000292067 00000 n -0000292132 00000 n -0000292354 00000 n -0000303698 00000 n -0000306021 00000 n -0000305990 00000 n -0000314294 00000 n -0000323752 00000 n -0000331214 00000 n -0000341010 00000 n -0000358508 00000 n -0000375495 00000 n -0000396134 00000 n -0000417277 00000 n -0000420359 00000 n -0000420129 00000 n -0000447046 00000 n -0000473724 00000 n -0000475873 00000 n +0000091129 00000 n +0000091255 00000 n +0000091381 00000 n 0000475993 00000 n -0000476116 00000 n -0000476205 00000 n -0000476287 00000 n -0000490158 00000 n -0000502158 00000 n -0000502199 00000 n -0000502239 00000 n -0000502373 00000 n +0000091876 00000 n +0000091691 00000 n +0000091542 00000 n +0000091813 00000 n +0000095816 00000 n +0000095068 00000 n +0000091917 00000 n +0000095376 00000 n +0000095502 00000 n +0000095627 00000 n +0000095690 00000 n +0000095753 00000 n +0000095210 00000 n +0000099772 00000 n +0000100085 00000 n +0000099524 00000 n +0000095914 00000 n +0000099646 00000 n +0000099896 00000 n +0000100022 00000 n +0000103619 00000 n +0000103056 00000 n +0000100222 00000 n +0000103178 00000 n +0000103304 00000 n +0000103430 00000 n +0000103556 00000 n +0000106231 00000 n +0000107470 00000 n +0000106109 00000 n +0000103730 00000 n +0000107156 00000 n +0000107282 00000 n +0000107345 00000 n +0000107408 00000 n +0000111685 00000 n +0000110872 00000 n +0000107622 00000 n +0000110994 00000 n +0000111120 00000 n +0000111244 00000 n +0000111307 00000 n +0000111370 00000 n +0000111496 00000 n +0000476111 00000 n +0000116693 00000 n +0000115127 00000 n +0000111796 00000 n +0000116126 00000 n +0000115301 00000 n +0000115451 00000 n +0000116252 00000 n +0000116378 00000 n +0000116504 00000 n +0000116630 00000 n +0000115609 00000 n +0000115760 00000 n +0000115944 00000 n +0000293201 00000 n +0000119887 00000 n +0000119324 00000 n +0000116830 00000 n +0000119446 00000 n +0000119572 00000 n +0000119698 00000 n +0000119824 00000 n +0000124398 00000 n +0000124213 00000 n +0000120024 00000 n +0000124335 00000 n +0000127433 00000 n +0000127063 00000 n +0000124509 00000 n +0000127370 00000 n +0000127205 00000 n +0000130233 00000 n +0000130422 00000 n +0000129985 00000 n +0000127544 00000 n +0000130107 00000 n +0000130296 00000 n +0000130359 00000 n +0000134138 00000 n +0000133370 00000 n +0000130533 00000 n +0000133823 00000 n +0000133949 00000 n +0000134075 00000 n +0000133520 00000 n +0000133671 00000 n +0000476229 00000 n +0000136120 00000 n +0000135557 00000 n +0000134249 00000 n +0000135679 00000 n +0000135805 00000 n +0000135931 00000 n +0000136057 00000 n +0000137666 00000 n +0000137481 00000 n +0000136231 00000 n +0000137603 00000 n +0000141301 00000 n +0000140990 00000 n +0000137764 00000 n +0000141112 00000 n +0000141238 00000 n +0000145334 00000 n +0000144849 00000 n +0000141425 00000 n +0000145146 00000 n +0000144991 00000 n +0000200593 00000 n +0000149374 00000 n +0000149063 00000 n +0000145458 00000 n +0000149185 00000 n +0000149248 00000 n +0000149311 00000 n +0000153964 00000 n +0000153073 00000 n +0000149485 00000 n +0000153901 00000 n +0000153239 00000 n +0000153392 00000 n +0000153548 00000 n +0000153730 00000 n +0000476347 00000 n +0000204241 00000 n +0000158684 00000 n +0000158103 00000 n +0000154129 00000 n +0000158621 00000 n +0000158253 00000 n +0000158437 00000 n +0000162978 00000 n +0000162353 00000 n +0000158821 00000 n +0000162663 00000 n +0000162789 00000 n +0000162495 00000 n +0000162915 00000 n +0000213619 00000 n +0000167245 00000 n +0000166445 00000 n +0000163102 00000 n +0000166930 00000 n +0000167056 00000 n +0000166595 00000 n +0000166760 00000 n +0000167182 00000 n +0000266877 00000 n +0000170339 00000 n +0000170029 00000 n +0000167369 00000 n +0000170151 00000 n +0000170276 00000 n +0000314899 00000 n +0000307009 00000 n +0000314726 00000 n +0000174082 00000 n +0000173771 00000 n +0000170504 00000 n +0000173893 00000 n +0000177641 00000 n +0000177456 00000 n +0000174221 00000 n +0000177578 00000 n +0000476465 00000 n +0000181954 00000 n +0000181036 00000 n +0000177806 00000 n +0000181513 00000 n +0000181639 00000 n +0000181765 00000 n +0000181187 00000 n +0000181891 00000 n +0000181360 00000 n +0000185454 00000 n +0000185135 00000 n +0000182106 00000 n +0000185260 00000 n +0000185389 00000 n +0000189915 00000 n +0000189121 00000 n +0000185607 00000 n +0000189593 00000 n +0000189722 00000 n +0000189850 00000 n +0000189276 00000 n +0000189438 00000 n +0000192947 00000 n +0000192309 00000 n +0000190081 00000 n +0000192624 00000 n +0000192455 00000 n +0000192817 00000 n +0000192882 00000 n +0000196563 00000 n +0000196062 00000 n +0000193059 00000 n +0000196370 00000 n +0000196499 00000 n +0000196208 00000 n +0000200787 00000 n +0000200020 00000 n +0000196742 00000 n +0000200335 00000 n +0000200464 00000 n +0000200167 00000 n +0000200657 00000 n +0000200722 00000 n +0000476587 00000 n +0000208623 00000 n +0000204304 00000 n +0000203859 00000 n +0000200899 00000 n +0000203985 00000 n +0000204114 00000 n +0000208688 00000 n +0000207608 00000 n +0000204416 00000 n +0000208239 00000 n +0000207773 00000 n +0000207924 00000 n +0000208366 00000 n +0000208494 00000 n +0000208085 00000 n +0000212106 00000 n +0000211787 00000 n +0000208800 00000 n +0000211913 00000 n +0000212042 00000 n +0000213683 00000 n +0000213364 00000 n +0000212218 00000 n +0000213490 00000 n +0000215059 00000 n +0000214868 00000 n +0000213795 00000 n +0000214994 00000 n +0000218796 00000 n +0000218219 00000 n +0000215158 00000 n +0000218345 00000 n +0000218474 00000 n +0000218603 00000 n +0000218668 00000 n +0000218733 00000 n +0000476712 00000 n +0000223748 00000 n +0000222246 00000 n +0000218908 00000 n +0000223425 00000 n +0000223554 00000 n +0000223683 00000 n +0000222438 00000 n +0000222600 00000 n +0000222762 00000 n +0000222924 00000 n +0000223095 00000 n +0000223265 00000 n +0000228568 00000 n +0000227339 00000 n +0000223860 00000 n +0000228503 00000 n +0000227531 00000 n +0000227694 00000 n +0000227856 00000 n +0000228018 00000 n +0000228178 00000 n +0000228340 00000 n +0000233934 00000 n +0000231575 00000 n +0000228693 00000 n +0000233741 00000 n +0000231821 00000 n +0000231974 00000 n +0000232136 00000 n +0000232298 00000 n +0000232460 00000 n +0000232622 00000 n +0000232784 00000 n +0000232946 00000 n +0000233108 00000 n +0000233262 00000 n +0000233423 00000 n +0000233578 00000 n +0000238491 00000 n +0000237294 00000 n +0000234059 00000 n +0000237782 00000 n +0000237847 00000 n +0000237912 00000 n +0000238041 00000 n +0000238298 00000 n +0000237450 00000 n +0000237620 00000 n +0000238363 00000 n +0000238427 00000 n +0000242086 00000 n +0000241765 00000 n +0000238616 00000 n +0000241891 00000 n +0000241956 00000 n +0000242021 00000 n +0000246097 00000 n +0000245647 00000 n +0000242185 00000 n +0000245773 00000 n +0000245838 00000 n +0000245903 00000 n +0000246032 00000 n +0000476837 00000 n +0000249811 00000 n +0000249101 00000 n +0000246222 00000 n +0000249227 00000 n +0000249292 00000 n +0000249357 00000 n +0000249422 00000 n +0000249487 00000 n +0000249616 00000 n +0000249681 00000 n +0000249746 00000 n +0000253684 00000 n +0000252721 00000 n +0000249936 00000 n +0000252847 00000 n +0000252976 00000 n +0000253041 00000 n +0000253106 00000 n +0000253234 00000 n +0000253298 00000 n +0000253363 00000 n +0000253492 00000 n +0000253620 00000 n +0000256825 00000 n +0000256247 00000 n +0000253876 00000 n +0000256373 00000 n +0000306654 00000 n +0000304656 00000 n +0000306489 00000 n +0000256502 00000 n +0000256631 00000 n +0000256760 00000 n +0000259788 00000 n +0000259467 00000 n +0000257018 00000 n +0000259593 00000 n +0000259658 00000 n +0000259723 00000 n +0000260241 00000 n +0000260050 00000 n +0000259900 00000 n +0000260176 00000 n +0000262822 00000 n +0000261914 00000 n +0000260283 00000 n +0000262500 00000 n +0000262629 00000 n +0000262758 00000 n +0000262070 00000 n +0000262285 00000 n +0000476962 00000 n +0000266941 00000 n +0000266236 00000 n +0000262948 00000 n +0000266362 00000 n +0000304335 00000 n +0000295122 00000 n +0000304149 00000 n +0000266491 00000 n +0000266620 00000 n +0000266749 00000 n +0000270375 00000 n +0000269149 00000 n +0000267106 00000 n +0000269666 00000 n +0000269795 00000 n +0000269924 00000 n +0000270053 00000 n +0000270182 00000 n +0000270311 00000 n +0000269305 00000 n +0000269477 00000 n +0000270829 00000 n +0000270638 00000 n +0000270488 00000 n +0000270764 00000 n +0000274128 00000 n +0000273550 00000 n +0000270871 00000 n +0000273676 00000 n +0000273805 00000 n +0000273934 00000 n +0000274063 00000 n +0000278014 00000 n +0000277307 00000 n +0000274214 00000 n +0000277433 00000 n +0000277562 00000 n +0000277755 00000 n +0000277820 00000 n +0000277884 00000 n +0000277949 00000 n +0000284668 00000 n +0000280868 00000 n +0000278140 00000 n +0000281749 00000 n +0000281878 00000 n +0000281042 00000 n +0000281221 00000 n +0000281398 00000 n +0000281573 00000 n +0000282071 00000 n +0000282136 00000 n +0000282201 00000 n +0000282266 00000 n +0000282331 00000 n +0000282396 00000 n +0000282461 00000 n +0000282526 00000 n +0000282591 00000 n +0000282656 00000 n +0000282721 00000 n +0000282850 00000 n +0000282915 00000 n +0000282980 00000 n +0000283045 00000 n +0000283110 00000 n +0000283175 00000 n +0000283240 00000 n +0000283305 00000 n +0000283370 00000 n +0000283435 00000 n +0000283500 00000 n +0000283565 00000 n +0000283630 00000 n +0000283695 00000 n +0000283760 00000 n +0000283825 00000 n +0000283890 00000 n +0000283955 00000 n +0000284020 00000 n +0000284085 00000 n +0000284150 00000 n +0000284215 00000 n +0000284280 00000 n +0000284345 00000 n +0000284410 00000 n +0000284475 00000 n +0000284540 00000 n +0000284604 00000 n +0000477087 00000 n +0000291179 00000 n +0000287484 00000 n +0000284820 00000 n +0000287610 00000 n +0000287675 00000 n +0000287740 00000 n +0000287805 00000 n +0000287870 00000 n +0000287935 00000 n +0000288000 00000 n +0000288065 00000 n +0000288129 00000 n +0000288194 00000 n +0000288259 00000 n +0000288324 00000 n +0000288389 00000 n +0000288454 00000 n +0000288519 00000 n +0000288584 00000 n +0000288648 00000 n +0000288713 00000 n +0000288778 00000 n +0000288843 00000 n +0000288908 00000 n +0000288973 00000 n +0000289038 00000 n +0000289103 00000 n +0000289168 00000 n +0000289233 00000 n +0000289298 00000 n +0000289363 00000 n +0000289428 00000 n +0000289493 00000 n +0000289558 00000 n +0000289623 00000 n +0000289688 00000 n +0000289753 00000 n +0000289818 00000 n +0000289883 00000 n +0000289948 00000 n +0000290013 00000 n +0000290078 00000 n +0000290143 00000 n +0000290208 00000 n +0000290273 00000 n +0000290338 00000 n +0000290403 00000 n +0000290468 00000 n +0000290533 00000 n +0000290598 00000 n +0000290663 00000 n +0000290728 00000 n +0000290793 00000 n +0000290858 00000 n +0000290923 00000 n +0000290987 00000 n +0000291051 00000 n +0000291115 00000 n +0000293076 00000 n +0000292367 00000 n +0000291291 00000 n +0000292493 00000 n +0000292622 00000 n +0000292751 00000 n +0000292816 00000 n +0000292881 00000 n +0000292946 00000 n +0000293011 00000 n +0000293233 00000 n +0000304577 00000 n +0000306901 00000 n +0000306870 00000 n +0000315174 00000 n +0000324690 00000 n +0000332161 00000 n +0000341957 00000 n +0000359455 00000 n +0000376442 00000 n +0000397081 00000 n +0000418224 00000 n +0000421306 00000 n +0000421076 00000 n +0000448225 00000 n +0000475035 00000 n +0000477185 00000 n +0000477305 00000 n +0000477428 00000 n +0000477517 00000 n +0000477599 00000 n +0000491574 00000 n +0000503622 00000 n +0000503663 00000 n +0000503703 00000 n +0000503837 00000 n trailer << -/Size 1370 -/Root 1368 0 R -/Info 1369 0 R -/ID [<52936C5C32902731CDA6B6FA6B2205C2> <52936C5C32902731CDA6B6FA6B2205C2>] +/Size 1373 +/Root 1371 0 R +/Info 1372 0 R +/ID [ ] >> startxref -502637 +504095 %%EOF diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in index 88a54e30a5426..5d31ee40e6d8f 100644 --- a/doc/arm/Makefile.in +++ b/doc/arm/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001, 2002 Internet Software Consortium. +# Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.8.2.2.8.5 2005/05/13 01:22:35 marka Exp $ +# $Id: Makefile.in,v 1.8.2.2.8.9 2007/08/28 07:19:12 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -52,12 +52,12 @@ Bv9ARM.tex: Bv9ARM-book.xml Bv9ARM.dvi: Bv9ARM.tex rm -f Bv9ARM-book.aux Bv9ARM-book.dvi Bv9ARM-book.log - ${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@ - ${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@ - ${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@ + ${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1) + ${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1) + ${LATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1) Bv9ARM.pdf: Bv9ARM.tex rm -f Bv9ARM-book.aux Bv9ARM-book.pdf Bv9ARM-book.log - ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@ - ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@ - ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@ + ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1) + ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1) + ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || (rm -f $@; exit 1) diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in index 81f13beee5cef..a052682066f88 100644 --- a/doc/misc/Makefile.in +++ b/doc/misc/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001, 2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1.12.3 2004/03/08 09:04:25 marka Exp $ +# $Id: Makefile.in,v 1.1.12.8 2007/09/24 04:24:54 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -30,7 +30,19 @@ doc man:: ${MANOBJS} docclean manclean maintainer-clean:: rm -f options -options: ../../bin/tests/cfg_test - ../../bin/tests/cfg_test --named --grammar | \ - ${PERL} ${srcdir}/format-options.pl >options || \ - rm -f options +# Do not make options depend on ../../bin/tests/cfg_test, doing so +# will cause excessively clever versions of make to attempt to build +# that program right here, right now, if it is missing, which will +# cause make doc to bomb. + +CFG_TEST = ../../bin/tests/cfg_test + +options: FORCE + if test -x ${CFG_TEST} && \ + ${CFG_TEST} --named --grammar | \ + ${PERL} ${srcdir}/sort-options.pl | \ + ${PERL} ${srcdir}/format-options.pl >$@.new ; then \ + mv -f $@.new $@ ; \ + else \ + rm -f $@.new ; \ + fi diff --git a/doc/misc/dnssec b/doc/misc/dnssec index 79d91cf971a98..93ceea55ded9c 100644 --- a/doc/misc/dnssec +++ b/doc/misc/dnssec @@ -1,5 +1,5 @@ -Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -Copyright (C) 2000-2002 Internet Software Consortium. +Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2000-2003 Internet Software Consortium. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. DNSSEC Release Notes @@ -81,4 +81,4 @@ future as we consider them inferior to the use of TSIG or SIG(0) to ensure the integrity of zone transfers. -$Id: dnssec,v 1.14.2.6.4.4 2004/03/08 09:04:25 marka Exp $ +$Id: dnssec,v 1.14.2.6.4.6 2007/01/18 00:06:08 marka Exp $ diff --git a/doc/misc/format-options.pl b/doc/misc/format-options.pl index 5f0975ade820f..ed46fc15701a1 100644 --- a/doc/misc/format-options.pl +++ b/doc/misc/format-options.pl @@ -1,9 +1,9 @@ #!/usr/bin/perl # -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: format-options.pl,v 1.1.206.1 2004/03/06 13:16:19 marka Exp $ +# $Id: format-options.pl,v 1.1.206.3 2007/09/24 23:45:58 tbox Exp $ print <) { + chomp; s/\t/ /g; - if (length >= 79) { - m!^( *)!; - my $indent = $1; - s!^(.{0,75}) (.*)$!\1\n$indent \2!; + my $line = $_; + m!^( *)!; + my $indent = $1; + my $comment = ""; + if ( $line =~ m!//.*! ) { + $comment = $&; + $line =~ s!//.*!!; } - print; + my $start = ""; + while (length($line) >= 79 - length($comment)) { + $_ = $line; + # this makes sure that the comment has something in front of it + $len = 75 - length($comment); + m!^(.{0,$len}) (.*)$!; + $start = $start.$1."\n"; + $line = $indent." ".$2; + } + print $start.$line.$comment."\n"; } diff --git a/doc/misc/migration b/doc/misc/migration index af9fccb221e37..244570314a9c2 100644 --- a/doc/misc/migration +++ b/doc/misc/migration @@ -1,4 +1,4 @@ -Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000, 2001, 2003 Internet Software Consortium. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. @@ -134,9 +134,8 @@ characters. 3.1. EDNS0 BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It -also sets an EDNS flag bit in queries to indicate that it wishes to -receive DNSSEC responses; this flag bit usage is not yet standardised, -but we hope it will be. +also sets DO EDNS flag bit in queries to indicate that it wishes to +receive DNSSEC responses. Most older servers that do not support EDNS0, including prior versions of BIND, will send a FORMERR or NOTIMP response to these queries. @@ -173,6 +172,8 @@ http://support.microsoft.com/default.aspx?scid=kb;en-us;297936 4. Unrestricted Character Set + BIND 9.2 only + BIND 9 does not restrict the character set of domain names - it is fully 8-bit clean in accordance with RFC2181 section 11. @@ -192,6 +193,7 @@ no-check-names" in resolv.conf. BIND 9 provides no such protection; if applications with these flaws are still being used, they should be upgraded. + BIND 9.3 onwards implements check-names. 5. Server Administration Tools @@ -252,4 +254,4 @@ necessary, the umask should be set explicitly in the script used to start the named process. -$Id: migration,v 1.37.2.3.2.3 2004/11/22 22:33:09 marka Exp $ +$Id: migration,v 1.37.2.3.2.4 2007/09/07 06:35:24 marka Exp $ diff --git a/doc/misc/options b/doc/misc/options index 01546b72644ce..a1bcf779a3bf0 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -2,385 +2,388 @@ This is a summary of the named.conf options supported by this version of BIND 9. +acl { ; ... }; + +controls { + inet ( | | * ) [ port ( | * + ) ] allow { ; ... } [ keys { ; + ... } ]; + unix ; // not implemented +}; + +key { + algorithm ; + secret ; +}; + +logging { + category { ; ... }; + channel { + file ; + null; + print-category ; + print-severity ; + print-time ; + severity ; + stderr; + syslog ; + }; +}; + +lwres { + listen-on [ port ] { ( | ) + [ port ]; ... }; + ndots ; + search { ; ... }; + view ; +}; + +masters [ port ] { ( | [port + ] | [port ] ) [ key ]; ... }; + options { + additional-from-auth ; + additional-from-cache ; + allow-notify { ; ... }; + allow-query { ; ... }; + allow-recursion { ; ... }; + allow-transfer { ; ... }; + allow-update-forwarding { ; ... }; + allow-v6-synthesis { ; ... }; // obsolete + also-notify [ port ] { ( | + ) [ port ]; ... }; + alt-transfer-source ( | * ) [ port ( | * ) ]; + alt-transfer-source-v6 ( | * ) [ port ( | + * ) ]; + auth-nxdomain ; // default changed avoid-v4-udp-ports { ; ... }; avoid-v6-udp-ports { ; ... }; blackhole { ; ... }; + cache-file ; + check-names ( master | slave | response ) ( fail | warn | ignore ); + cleaning-interval ; coresize ; datasize ; deallocate-on-exit ; // obsolete + dialup ; directory ; + disable-algorithms { ; ... }; + dnssec-enable ; + dnssec-lookaside trust-anchor ; + dnssec-must-be-secure ; + dual-stack-servers [ port ] { ( [port + ] | [port ] | + [port ] ); ... }; dump-file ; + edns-udp-size ; fake-iquery ; // obsolete + fetch-glue ; // obsolete files ; + flush-zones-on-shutdown ; + forward ( first | only ); + forwarders [ port ] { ( | ) + [ port ]; ... }; has-old-clients ; // obsolete heartbeat-interval ; host-statistics ; // not implemented host-statistics-max ; // not implemented hostname ( | none ); interface-interval ; + ixfr-from-differences ; + key-directory ; + lame-ttl ; listen-on [ port ] { ; ... }; listen-on-v6 [ port ] { ; ... }; + maintain-ixfr-base ; // obsolete match-mapped-addresses ; + max-cache-size ; + max-cache-ttl ; + max-ixfr-log-size ; // obsolete + max-journal-size ; + max-ncache-ttl ; + max-refresh-time ; + max-retry-time ; + max-transfer-idle-in ; + max-transfer-idle-out ; + max-transfer-time-in ; + max-transfer-time-out ; memstatistics-file ; + min-refresh-time ; + min-retry-time ; + min-roots ; // not implemented + minimal-responses ; + multi-master ; multiple-cnames ; // obsolete named-xfer ; // obsolete + notify ; + notify-source ( | * ) [ port ( | * ) ]; + notify-source-v6 ( | * ) [ port ( | * ) ]; pid-file ( | none ); port ; + preferred-glue ; + provide-ixfr ; + query-source ; + query-source-v6 ; querylog ; - recursing-file ; random-device ; + recursing-file ; + recursion ; recursive-clients ; + request-ixfr ; + rfc2308-type1 ; // not yet implemented + root-delegation-only [ exclude { ; ... } ]; + rrset-order { [ class ] [ type ] [ name + ] ; ... }; serial-queries ; // obsolete serial-query-rate ; server-id ( | none |; + sig-validity-interval ; + sortlist { ; ... }; stacksize ; statistics-file ; statistics-interval ; // not yet implemented + suppress-initial-notify ; // not yet implemented tcp-clients ; tcp-listen-queue ; tkey-dhkey ; - tkey-gssapi-credential ; tkey-domain ; - transfers-per-ns ; + tkey-gssapi-credential ; + topology { ; ... }; // not implemented + transfer-format ( many-answers | one-answer ); + transfer-source ( | * ) [ port ( | * ) ]; + transfer-source-v6 ( | * ) [ port ( | * ) ]; transfers-in ; transfers-out ; + transfers-per-ns ; treat-cr-as-space ; // obsolete + use-alt-transfer-source ; use-id-pool ; // obsolete use-ixfr ; version ( | none ); - flush-zones-on-shutdown ; - allow-recursion { ; ... }; - allow-v6-synthesis { ; ... }; // obsolete - sortlist { ; ... }; - topology { ; ... }; // not implemented - auth-nxdomain ; // default changed - minimal-responses ; - recursion ; - rrset-order { [ class ] [ type ] [ name - ] ; ... }; + zone-statistics ; +}; + +server { + bogus ; + edns ; + keys ; provide-ixfr ; request-ixfr ; - fetch-glue ; // obsolete - rfc2308-type1 ; // not yet implemented + support-ixfr ; // obsolete + transfer-format ( many-answers | one-answer ); + transfer-source ( | * ) [ port ( | * ) ]; + transfer-source-v6 ( | * ) [ port ( | * ) ]; + transfers ; +}; + +trusted-keys { ; ... }; + +view { additional-from-auth ; additional-from-cache ; - query-source ; - query-source-v6 ; - cleaning-interval ; - min-roots ; // not implemented - lame-ttl ; - max-ncache-ttl ; - max-cache-ttl ; - transfer-format ( many-answers | one-answer ); - max-cache-size ; - check-names ( master | slave | response ) ( fail | warn | ignore ); - cache-file ; - suppress-initial-notify ; // not yet implemented - preferred-glue ; - dual-stack-servers [ port ] { ( [port - ] | [port ] | [port ] ); ... }; - edns-udp-size ; - root-delegation-only [ exclude { ; ... } ]; - disable-algorithms { ; ... }; - dnssec-enable ; - dnssec-lookaside trust-anchor ; - dnssec-must-be-secure ; + allow-notify { ; ... }; allow-query { ; ... }; + allow-recursion { ; ... }; allow-transfer { ; ... }; allow-update-forwarding { ; ... }; - allow-notify { ; ... }; - notify ; - notify-source ( | * ) [ port ( | * ) ]; - notify-source-v6 ( | * ) [ port ( | * ) ]; + allow-v6-synthesis { ; ... }; // obsolete also-notify [ port ] { ( | ) [ port ]; ... }; + alt-transfer-source ( | * ) [ port ( | * ) ]; + alt-transfer-source-v6 ( | * ) [ port ( | + * ) ]; + auth-nxdomain ; // default changed + cache-file ; + check-names ( master | slave | response ) ( fail | warn | ignore ); + cleaning-interval ; dialup ; + disable-algorithms { ; ... }; + dnssec-enable ; + dnssec-lookaside trust-anchor ; + dnssec-must-be-secure ; + dual-stack-servers [ port ] { ( [port + ] | [port ] | + [port ] ); ... }; + edns-udp-size ; + fetch-glue ; // obsolete forward ( first | only ); forwarders [ port ] { ( | ) [ port ]; ... }; ixfr-from-differences ; + key { + algorithm ; + secret ; + }; + key-directory ; + lame-ttl ; maintain-ixfr-base ; // obsolete + match-clients { ; ... }; + match-destinations { ; ... }; + match-recursive-only ; + max-cache-size ; + max-cache-ttl ; max-ixfr-log-size ; // obsolete max-journal-size ; - max-transfer-time-in ; - max-transfer-time-out ; + max-ncache-ttl ; + max-refresh-time ; + max-retry-time ; max-transfer-idle-in ; max-transfer-idle-out ; - max-retry-time ; - min-retry-time ; - max-refresh-time ; + max-transfer-time-in ; + max-transfer-time-out ; min-refresh-time ; + min-retry-time ; + min-roots ; // not implemented + minimal-responses ; multi-master ; + notify ; + notify-source ( | * ) [ port ( | * ) ]; + notify-source-v6 ( | * ) [ port ( | * ) ]; + preferred-glue ; + provide-ixfr ; + query-source ; + query-source-v6 ; + recursion ; + request-ixfr ; + rfc2308-type1 ; // not yet implemented + root-delegation-only [ exclude { ; ... } ]; + rrset-order { [ class ] [ type ] [ name + ] ; ... }; + server { + bogus ; + edns ; + keys ; + provide-ixfr ; + request-ixfr ; + support-ixfr ; // obsolete + transfer-format ( many-answers | one-answer ); + transfer-source ( | * ) [ port ( | + * ) ]; + transfer-source-v6 ( | * ) [ port ( + | * ) ]; + transfers ; + }; sig-validity-interval ; + sortlist { ; ... }; + suppress-initial-notify ; // not yet implemented + topology { ; ... }; // not implemented + transfer-format ( many-answers | one-answer ); transfer-source ( | * ) [ port ( | * ) ]; transfer-source-v6 ( | * ) [ port ( | * ) ]; - alt-transfer-source ( | * ) [ port ( | * ) - ]; - alt-transfer-source-v6 ( | * ) [ port ( | - * ) ]; + trusted-keys { + ; ... }; use-alt-transfer-source ; - zone-statistics ; - key-directory ; -}; - -controls { - inet ( | | * ) [ port ( | * - ) ] allow { ; ... } [ keys { ; ... } ]; - unix ; // not implemented -}; - -acl { ; ... }; - -masters [ port ] { ( | [port - ] | [port ] ) [ key ]; ... }; - -logging { - channel { - file ; - syslog ; - null; - stderr; - severity ; - print-time ; - print-severity ; - print-category ; - }; - category { ; ... }; -}; - -view { - match-clients { ; ... }; - match-destinations { ; ... }; - match-recursive-only ; - key { - algorithm ; - secret ; - }; zone { - type ( master | slave | stub | hint | forward | - delegation-only ); - allow-update { ; ... }; - file ; - ixfr-base ; // obsolete - ixfr-tmp-file ; // obsolete - masters [ port ] { ( | - [port ] | [port ] ) [ key ]; ... }; - pubkey ; // - obsolete - update-policy { ( grant | deny ) ( name | - subdomain | wildcard | self ) ; ... }; - database ; - delegation-only ; - check-names ( fail | warn | ignore ); + allow-notify { ; ... }; allow-query { ; ... }; allow-transfer { ; ... }; + allow-update { ; ... }; allow-update-forwarding { ; ... }; - allow-notify { ; ... }; - notify ; - notify-source ( | * ) [ port ( | * - ) ]; - notify-source-v6 ( | * ) [ port ( - | * ) ]; also-notify [ port ] { ( | ) [ port ]; ... }; + alt-transfer-source ( | * ) [ port ( + | * ) ]; + alt-transfer-source-v6 ( | * ) [ port ( + | * ) ]; + check-names ( fail | warn | ignore ); + database ; + delegation-only ; dialup ; + file ; forward ( first | only ); forwarders [ port ] { ( | ) [ port ]; ... }; + ixfr-base ; // obsolete ixfr-from-differences ; + ixfr-tmp-file ; // obsolete + key-directory ; maintain-ixfr-base ; // obsolete + masters [ port ] { ( | + [port ] | [port ] ) [ + key ]; ... }; max-ixfr-log-size ; // obsolete max-journal-size ; - max-transfer-time-in ; - max-transfer-time-out ; + max-refresh-time ; + max-retry-time ; max-transfer-idle-in ; max-transfer-idle-out ; - max-retry-time ; - min-retry-time ; - max-refresh-time ; + max-transfer-time-in ; + max-transfer-time-out ; min-refresh-time ; + min-retry-time ; multi-master ; + notify ; + notify-source ( | * ) [ port ( | * + ) ]; + notify-source-v6 ( | * ) [ port ( + | * ) ]; + pubkey + ; // obsolete sig-validity-interval ; transfer-source ( | * ) [ port ( | * ) ]; transfer-source-v6 ( | * ) [ port ( | * ) ]; - alt-transfer-source ( | * ) [ port ( - | * ) ]; - alt-transfer-source-v6 ( | * ) [ port ( - | * ) ]; + type ( master | slave | stub | hint | forward | + delegation-only ); + update-policy { ( grant | deny ) ( name | + subdomain | wildcard | self ) ; + ... }; use-alt-transfer-source ; zone-statistics ; - key-directory ; }; - server { - bogus ; - provide-ixfr ; - request-ixfr ; - support-ixfr ; // obsolete - transfers ; - transfer-format ( many-answers | one-answer ); - keys ; - edns ; - transfer-source ( | * ) [ port ( | - * ) ]; - transfer-source-v6 ( | * ) [ port ( - | * ) ]; - }; - trusted-keys { - ; ... }; - allow-recursion { ; ... }; - allow-v6-synthesis { ; ... }; // obsolete - sortlist { ; ... }; - topology { ; ... }; // not implemented - auth-nxdomain ; // default changed - minimal-responses ; - recursion ; - rrset-order { [ class ] [ type ] [ name - ] ; ... }; - provide-ixfr ; - request-ixfr ; - fetch-glue ; // obsolete - rfc2308-type1 ; // not yet implemented - additional-from-auth ; - additional-from-cache ; - query-source ; - query-source-v6 ; - cleaning-interval ; - min-roots ; // not implemented - lame-ttl ; - max-ncache-ttl ; - max-cache-ttl ; - transfer-format ( many-answers | one-answer ); - max-cache-size ; - check-names ( master | slave | response ) ( fail | warn | ignore ); - cache-file ; - suppress-initial-notify ; // not yet implemented - preferred-glue ; - dual-stack-servers [ port ] { ( [port - ] | [port ] | [port ] ); ... }; - edns-udp-size ; - root-delegation-only [ exclude { ; ... } ]; - disable-algorithms { ; ... }; - dnssec-enable ; - dnssec-lookaside trust-anchor ; - dnssec-must-be-secure ; - allow-query { ; ... }; - allow-transfer { ; ... }; - allow-update-forwarding { ; ... }; - allow-notify { ; ... }; - notify ; - notify-source ( | * ) [ port ( | * ) ]; - notify-source-v6 ( | * ) [ port ( | * ) ]; - also-notify [ port ] { ( | - ) [ port ]; ... }; - dialup ; - forward ( first | only ); - forwarders [ port ] { ( | ) - [ port ]; ... }; - ixfr-from-differences ; - maintain-ixfr-base ; // obsolete - max-ixfr-log-size ; // obsolete - max-journal-size ; - max-transfer-time-in ; - max-transfer-time-out ; - max-transfer-idle-in ; - max-transfer-idle-out ; - max-retry-time ; - min-retry-time ; - max-refresh-time ; - min-refresh-time ; - multi-master ; - sig-validity-interval ; - transfer-source ( | * ) [ port ( | * ) ]; - transfer-source-v6 ( | * ) [ port ( | * ) ]; - alt-transfer-source ( | * ) [ port ( | * ) - ]; - alt-transfer-source-v6 ( | * ) [ port ( | - * ) ]; - use-alt-transfer-source ; zone-statistics ; - key-directory ; -}; - -lwres { - listen-on [ port ] { ( | ) - [ port ]; ... }; - view ; - search { ; ... }; - ndots ; -}; - -key { - algorithm ; - secret ; }; zone { - type ( master | slave | stub | hint | forward | delegation-only ); - allow-update { ; ... }; - file ; - ixfr-base ; // obsolete - ixfr-tmp-file ; // obsolete - masters [ port ] { ( | [port - ] | [port ] ) [ key ]; ... }; - pubkey ; // obsolete - update-policy { ( grant | deny ) ( name | subdomain | - wildcard | self ) ; ... }; - database ; - delegation-only ; - check-names ( fail | warn | ignore ); + allow-notify { ; ... }; allow-query { ; ... }; allow-transfer { ; ... }; + allow-update { ; ... }; allow-update-forwarding { ; ... }; - allow-notify { ; ... }; - notify ; - notify-source ( | * ) [ port ( | * ) ]; - notify-source-v6 ( | * ) [ port ( | * ) ]; also-notify [ port ] { ( | ) [ port ]; ... }; + alt-transfer-source ( | * ) [ port ( | * ) ]; + alt-transfer-source-v6 ( | * ) [ port ( | + * ) ]; + check-names ( fail | warn | ignore ); + database ; + delegation-only ; dialup ; + file ; forward ( first | only ); forwarders [ port ] { ( | ) [ port ]; ... }; + ixfr-base ; // obsolete ixfr-from-differences ; + ixfr-tmp-file ; // obsolete + key-directory ; maintain-ixfr-base ; // obsolete + masters [ port ] { ( | [port + ] | [port ] ) [ key + ]; ... }; max-ixfr-log-size ; // obsolete max-journal-size ; - max-transfer-time-in ; - max-transfer-time-out ; + max-refresh-time ; + max-retry-time ; max-transfer-idle-in ; max-transfer-idle-out ; - max-retry-time ; - min-retry-time ; - max-refresh-time ; + max-transfer-time-in ; + max-transfer-time-out ; min-refresh-time ; + min-retry-time ; multi-master ; + notify ; + notify-source ( | * ) [ port ( | * ) ]; + notify-source-v6 ( | * ) [ port ( | * ) ]; + pubkey ; // obsolete sig-validity-interval ; transfer-source ( | * ) [ port ( | * ) ]; transfer-source-v6 ( | * ) [ port ( | * ) ]; - alt-transfer-source ( | * ) [ port ( | * ) - ]; - alt-transfer-source-v6 ( | * ) [ port ( | - * ) ]; + type ( master | slave | stub | hint | forward | delegation-only ); + update-policy { ( grant | deny ) ( name | subdomain | + wildcard | self ) ; ... }; use-alt-transfer-source ; zone-statistics ; - key-directory ; }; -server { - bogus ; - provide-ixfr ; - request-ixfr ; - support-ixfr ; // obsolete - transfers ; - transfer-format ( many-answers | one-answer ); - keys ; - edns ; - transfer-source ( | * ) [ port ( | * ) ]; - transfer-source-v6 ( | * ) [ port ( | * ) ]; -}; - -trusted-keys { ; ... }; - diff --git a/doc/misc/sort-options.pl b/doc/misc/sort-options.pl new file mode 100755 index 0000000000000..1f5437dd6b366 --- /dev/null +++ b/doc/misc/sort-options.pl @@ -0,0 +1,50 @@ +#!/bin/perl +# +# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: sort-options.pl,v 1.2.2.2 2007/09/24 23:45:58 tbox Exp $ + +sub sortlevel() { + my @options = (); + my $fin = ""; + my $i = 0; + while (<>) { + if (/^\s*};$/) { + $fin = $_; + # print 2, $_; + last; + } + next if (/^$/); + if (/{$/) { + # print 3, $_; + my $sec = $_; + push(@options, $sec . sortlevel()); + } else { + push(@options, $_); + # print 1, $_; + } + $i++; + } + my $result = ""; + foreach my $i (sort @options) { + $result = ${result}.${i}; + $result = $result."\n" if ($i =~ /^[a-z]/i); + # print 5, ${i}; + } + $result = ${result}.${fin}; + return ($result); +} + +print sortlevel(); diff --git a/doc/rfc/index b/doc/rfc/index index 5c588db930169..990d4a90be042 100644 --- a/doc/rfc/index +++ b/doc/rfc/index @@ -101,3 +101,14 @@ 4035: Protocol Modifications for the DNS Security Extensions 4074: Common Misbehavior Against DNS Queries for IPv6 Addresses 4159: Deprecation of "ip6.int" +4193: Unique Local IPv6 Unicast Addresses +4255: Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints +4343: Domain Name System (DNS) Case Insensitivity Clarification +4367: What's in a Name: False Assumptions about DNS Names +4398: Storing Certificates in the Domain Name System (DNS) +4431: The DNSSEC Lookaside Validation (DLV) DNS Resource Record +4408: Sender Policy Framework (SPF) for Authorizing Use of Domains + in E-Mail, Version 1 +4470: Minimally Covering NSEC Records and DNSSEC On-line Signing +4634: US Secure Hash Algorithms (SHA and HMAC-SHA) +4641: DNSSEC Operational Practices diff --git a/doc/rfc/rfc4193.txt b/doc/rfc/rfc4193.txt new file mode 100644 index 0000000000000..17e2c0b42daec --- /dev/null +++ b/doc/rfc/rfc4193.txt @@ -0,0 +1,899 @@ + + + + + + +Network Working Group R. Hinden +Request for Comments: 4193 Nokia +Category: Standards Track B. Haberman + JHU-APL + October 2005 + + + Unique Local IPv6 Unicast Addresses + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2005). + +Abstract + + This document defines an IPv6 unicast address format that is globally + unique and is intended for local communications, usually inside of a + site. These addresses are not expected to be routable on the global + Internet. + +Table of Contents + + 1. Introduction ....................................................2 + 2. Acknowledgements ................................................3 + 3. Local IPv6 Unicast Addresses ....................................3 + 3.1. Format .....................................................3 + 3.1.1. Background ..........................................4 + 3.2. Global ID ..................................................4 + 3.2.1. Locally Assigned Global IDs .........................5 + 3.2.2. Sample Code for Pseudo-Random Global ID Algorithm ...5 + 3.2.3. Analysis of the Uniqueness of Global IDs ............6 + 3.3. Scope Definition ...........................................6 + 4. Operational Guidelines ..........................................7 + 4.1. Routing ....................................................7 + 4.2. Renumbering and Site Merging ...............................7 + 4.3. Site Border Router and Firewall Packet Filtering ...........8 + 4.4. DNS Issues .................................................8 + 4.5. Application and Higher Level Protocol Issues ...............9 + 4.6. Use of Local IPv6 Addresses for Local Communication ........9 + 4.7. Use of Local IPv6 Addresses with VPNs .....................10 + + + +Hinden & Haberman Standards Track [Page 1] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + + 5. Global Routing Considerations ..................................11 + 5.1. From the Standpoint of the Internet .......................11 + 5.2. From the Standpoint of a Site .............................11 + 6. Advantages and Disadvantages ...................................12 + 6.1. Advantages ................................................12 + 6.2. Disadvantages .............................................13 + 7. Security Considerations ........................................13 + 8. IANA Considerations ............................................13 + 9. References .....................................................13 + 9.1. Normative References ......................................13 + 9.2. Informative References ....................................14 + +1. Introduction + + This document defines an IPv6 unicast address format that is globally + unique and is intended for local communications [IPV6]. These + addresses are called Unique Local IPv6 Unicast Addresses and are + abbreviated in this document as Local IPv6 addresses. They are not + expected to be routable on the global Internet. They are routable + inside of a more limited area such as a site. They may also be + routed between a limited set of sites. + + Local IPv6 unicast addresses have the following characteristics: + + - Globally unique prefix (with high probability of uniqueness). + + - Well-known prefix to allow for easy filtering at site + boundaries. + + - Allow sites to be combined or privately interconnected without + creating any address conflicts or requiring renumbering of + interfaces that use these prefixes. + + - Internet Service Provider independent and can be used for + communications inside of a site without having any permanent or + intermittent Internet connectivity. + + - If accidentally leaked outside of a site via routing or DNS, + there is no conflict with any other addresses. + + - In practice, applications may treat these addresses like global + scoped addresses. + + This document defines the format of Local IPv6 addresses, how to + allocate them, and usage considerations including routing, site + border routers, DNS, application support, VPN usage, and guidelines + for how to use for local communication inside a site. + + + + +Hinden & Haberman Standards Track [Page 2] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + +2. Acknowledgements + + The underlying idea of creating Local IPv6 addresses described in + this document has been proposed a number of times by a variety of + people. The authors of this document do not claim exclusive credit. + Credit goes to Brian Carpenter, Christian Huitema, Aidan Williams, + Andrew White, Charlie Perkins, and many others. The authors would + also like to thank Brian Carpenter, Charlie Perkins, Harald + Alvestrand, Keith Moore, Margaret Wasserman, Shannon Behrens, Alan + Beard, Hans Kruse, Geoff Huston, Pekka Savola, Christian Huitema, Tim + Chown, Steve Bellovin, Alex Zinin, Tony Hain, Bill Fenner, Sam + Hartman, and Elwyn Davies for their comments and suggestions on this + document. + +3. Local IPv6 Unicast Addresses + +3.1. Format + + The Local IPv6 addresses are created using a pseudo-randomly + allocated global ID. They have the following format: + + | 7 bits |1| 40 bits | 16 bits | 64 bits | + +--------+-+------------+-----------+----------------------------+ + | Prefix |L| Global ID | Subnet ID | Interface ID | + +--------+-+------------+-----------+----------------------------+ + + Where: + + Prefix FC00::/7 prefix to identify Local IPv6 unicast + addresses. + + L Set to 1 if the prefix is locally assigned. + Set to 0 may be defined in the future. See + Section 3.2 for additional information. + + Global ID 40-bit global identifier used to create a + globally unique prefix. See Section 3.2 for + additional information. + + Subnet ID 16-bit Subnet ID is an identifier of a subnet + within the site. + + Interface ID 64-bit Interface ID as defined in [ADDARCH]. + + + + +Hinden & Haberman Standards Track [Page 3] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + +3.1.1. Background + + There were a range of choices available when choosing the size of the + prefix and Global ID field length. There is a direct tradeoff + between having a Global ID field large enough to support foreseeable + future growth and not using too much of the IPv6 address space + needlessly. A reasonable way of evaluating a specific field length + is to compare it to a projected 2050 world population of 9.3 billion + [POPUL] and the number of resulting /48 prefixes per person. A range + of prefix choices is shown in the following table: + + Prefix Global ID Number of Prefixes % of IPv6 + Length /48 Prefixes per Person Address Space + + /11 37 137,438,953,472 15 0.049% + /10 38 274,877,906,944 30 0.098% + /9 39 549,755,813,888 59 0.195% + /8 40 1,099,511,627,776 118 0.391% + /7 41 2,199,023,255,552 236 0.781% + /6 42 4,398,046,511,104 473 1.563% + + A very high utilization ratio of these allocations can be assumed + because the Global ID field does not require internal structure, and + there is no reason to be able to aggregate the prefixes. + + The authors believe that a /7 prefix resulting in a 41-bit Global ID + space (including the L bit) is a good choice. It provides for a + large number of assignments (i.e., 2.2 trillion) and at the same time + uses less than .8% of the total IPv6 address space. It is unlikely + that this space will be exhausted. If more than this were to be + needed, then additional IPv6 address space could be allocated for + this purpose. + +3.2. Global ID + + The allocation of Global IDs is pseudo-random [RANDOM]. They MUST + NOT be assigned sequentially or with well-known numbers. This is to + ensure that there is not any relationship between allocations and to + help clarify that these prefixes are not intended to be routed + globally. Specifically, these prefixes are not designed to + aggregate. + + This document defines a specific local method to allocate Global IDs, + indicated by setting the L bit to 1. Another method, indicated by + clearing the L bit, may be defined later. Apart from the allocation + method, all Local IPv6 addresses behave and are treated identically. + + + + + +Hinden & Haberman Standards Track [Page 4] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + + The local assignments are self-generated and do not need any central + coordination or assignment, but have an extremely high probability of + being unique. + +3.2.1. Locally Assigned Global IDs + + Locally assigned Global IDs MUST be generated with a pseudo-random + algorithm consistent with [RANDOM]. Section 3.2.2 describes a + suggested algorithm. It is important that all sites generating + Global IDs use a functionally similar algorithm to ensure there is a + high probability of uniqueness. + + The use of a pseudo-random algorithm to generate Global IDs in the + locally assigned prefix gives an assurance that any network numbered + using such a prefix is highly unlikely to have that address space + clash with any other network that has another locally assigned prefix + allocated to it. This is a particularly useful property when + considering a number of scenarios including networks that merge, + overlapping VPN address space, or hosts mobile between such networks. + +3.2.2. Sample Code for Pseudo-Random Global ID Algorithm + + The algorithm described below is intended to be used for locally + assigned Global IDs. In each case the resulting global ID will be + used in the appropriate prefix as defined in Section 3.2. + + 1) Obtain the current time of day in 64-bit NTP format [NTP]. + + 2) Obtain an EUI-64 identifier from the system running this + algorithm. If an EUI-64 does not exist, one can be created from + a 48-bit MAC address as specified in [ADDARCH]. If an EUI-64 + cannot be obtained or created, a suitably unique identifier, + local to the node, should be used (e.g., system serial number). + + 3) Concatenate the time of day with the system-specific identifier + in order to create a key. + + 4) Compute an SHA-1 digest on the key as specified in [FIPS, SHA1]; + the resulting value is 160 bits. + + 5) Use the least significant 40 bits as the Global ID. + + 6) Concatenate FC00::/7, the L bit set to 1, and the 40-bit Global + ID to create a Local IPv6 address prefix. + + This algorithm will result in a Global ID that is reasonably unique + and can be used to create a locally assigned Local IPv6 address + prefix. + + + +Hinden & Haberman Standards Track [Page 5] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + +3.2.3. Analysis of the Uniqueness of Global IDs + + The selection of a pseudo random Global ID is similar to the + selection of an SSRC identifier in RTP/RTCP defined in Section 8.1 of + [RTP]. This analysis is adapted from that document. + + Since Global IDs are chosen randomly (and independently), it is + possible that separate networks have chosen the same Global ID. For + any given network, with one or more random Global IDs, that has + inter-connections to other such networks, having a total of N such + IDs, the probability that two or more of these IDs will collide can + be approximated using the formula: + + P = 1 - exp(-N**2 / 2**(L+1)) + + where P is the probability of collision, N is the number of + interconnected Global IDs, and L is the length of the Global ID. + + The following table shows the probability of a collision for a range + of connections using a 40-bit Global ID field. + + Connections Probability of Collision + + 2 1.81*10^-12 + 10 4.54*10^-11 + 100 4.54*10^-09 + 1000 4.54*10^-07 + 10000 4.54*10^-05 + + Based on this analysis, the uniqueness of locally generated Global + IDs is adequate for sites planning a small to moderate amount of + inter-site communication using locally generated Global IDs. + +3.3. Scope Definition + + By default, the scope of these addresses is global. That is, they + are not limited by ambiguity like the site-local addresses defined in + [ADDARCH]. Rather, these prefixes are globally unique, and as such, + their applicability is greater than site-local addresses. Their + limitation is in the routability of the prefixes, which is limited to + a site and any explicit routing agreements with other sites to + propagate them (also see Section 4.1). Also, unlike site-locals, a + site may have more than one of these prefixes and use them at the + same time. + + + + + + + +Hinden & Haberman Standards Track [Page 6] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + +4. Operational Guidelines + + The guidelines in this section do not require any change to the + normal routing and forwarding functionality in an IPv6 host or + router. These are configuration and operational usage guidelines. + +4.1. Routing + + Local IPv6 addresses are designed to be routed inside of a site in + the same manner as other types of unicast addresses. They can be + carried in any IPv6 routing protocol without any change. + + It is expected that they would share the same Subnet IDs with + provider-based global unicast addresses, if they were being used + concurrently [GLOBAL]. + + The default behavior of exterior routing protocol sessions between + administrative routing regions must be to ignore receipt of and not + advertise prefixes in the FC00::/7 block. A network operator may + specifically configure prefixes longer than FC00::/7 for inter-site + communication. + + If BGP is being used at the site border with an ISP, the default BGP + configuration must filter out any Local IPv6 address prefixes, both + incoming and outgoing. It must be set both to keep any Local IPv6 + address prefixes from being advertised outside of the site as well as + to keep these prefixes from being learned from another site. The + exception to this is if there are specific /48 or longer routes + created for one or more Local IPv6 prefixes. + + For link-state IGPs, it is suggested that a site utilizing IPv6 local + address prefixes be contained within one IGP domain or area. By + containing an IPv6 local address prefix to a single link-state area + or domain, the distribution of prefixes can be controlled. + +4.2. Renumbering and Site Merging + + The use of Local IPv6 addresses in a site results in making + communication that uses these addresses independent of renumbering a + site's provider-based global addresses. + + When merging multiple sites, the addresses created with these + prefixes are unlikely to need to be renumbered because all of the + addresses have a high probability of being unique. Routes for each + specific prefix would have to be configured to allow routing to work + correctly between the formerly separate sites. + + + + + +Hinden & Haberman Standards Track [Page 7] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + +4.3. Site Border Router and Firewall Packet Filtering + + While no serious harm will be done if packets with these addresses + are sent outside of a site via a default route, it is recommended + that routers be configured by default to keep any packets with Local + IPv6 addresses from leaking outside of the site and to keep any site + prefixes from being advertised outside of their site. + + Site border routers and firewalls should be configured to not forward + any packets with Local IPv6 source or destination addresses outside + of the site, unless they have been explicitly configured with routing + information about specific /48 or longer Local IPv6 prefixes. This + will ensure that packets with Local IPv6 destination addresses will + not be forwarded outside of the site via a default route. The + default behavior of these devices should be to install a "reject" + route for these prefixes. Site border routers should respond with + the appropriate ICMPv6 Destination Unreachable message to inform the + source that the packet was not forwarded. [ICMPV6]. This feedback is + important to avoid transport protocol timeouts. + + Routers that maintain peering arrangements between Autonomous Systems + throughout the Internet should obey the recommendations for site + border routers, unless configured otherwise. + +4.4. DNS Issues + + At the present time, AAAA and PTR records for locally assigned local + IPv6 addresses are not recommended to be installed in the global DNS. + + For background on this recommendation, one of the concerns about + adding AAAA and PTR records to the global DNS for locally assigned + Local IPv6 addresses stems from the lack of complete assurance that + the prefixes are unique. There is a small possibility that the same + locally assigned IPv6 Local addresses will be used by two different + organizations both claiming to be authoritative with different + contents. In this scenario, it is likely there will be a connection + attempt to the closest host with the corresponding locally assigned + IPv6 Local address. This may result in connection timeouts, + connection failures indicated by ICMP Destination Unreachable + messages, or successful connections to the wrong host. Due to this + concern, adding AAAA records for these addresses to the global DNS is + thought to be unwise. + + Reverse (address-to-name) queries for locally assigned IPv6 Local + addresses MUST NOT be sent to name servers for the global DNS, due to + the load that such queries would create for the authoritative name + servers for the ip6.arpa zone. This form of query load is not + specific to locally assigned Local IPv6 addresses; any current form + + + +Hinden & Haberman Standards Track [Page 8] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + + of local addressing creates additional load of this kind, due to + reverse queries leaking out of the site. However, since allowing + such queries to escape from the site serves no useful purpose, there + is no good reason to make the existing load problems worse. + + The recommended way to avoid sending such queries to nameservers for + the global DNS is for recursive name server implementations to act as + if they were authoritative for an empty d.f.ip6.arpa zone and return + RCODE 3 for any such query. Implementations that choose this + strategy should allow it to be overridden, but returning an RCODE 3 + response for such queries should be the default, both because this + will reduce the query load problem and also because, if the site + administrator has not set up the reverse tree corresponding to the + locally assigned IPv6 Local addresses in use, returning RCODE 3 is in + fact the correct answer. + +4.5. Application and Higher Level Protocol Issues + + Application and other higher level protocols can treat Local IPv6 + addresses in the same manner as other types of global unicast + addresses. No special handling is required. This type of address + may not be reachable, but that is no different from other types of + IPv6 global unicast address. Applications need to be able to handle + multiple addresses that may or may not be reachable at any point in + time. In most cases, this complexity should be hidden in APIs. + + From a host's perspective, the difference between Local IPv6 and + other types of global unicast addresses shows up as different + reachability and could be handled by default in that way. In some + cases, it is better for nodes and applications to treat them + differently from global unicast addresses. A starting point might be + to give them preference over global unicast, but fall back to global + unicast if a particular destination is found to be unreachable. Much + of this behavior can be controlled by how they are allocated to nodes + and put into the DNS. However, it is useful if a host can have both + types of addresses and use them appropriately. + + Note that the address selection mechanisms of [ADDSEL], and in + particular the policy override mechanism replacing default address + selection, are expected to be used on a site where Local IPv6 + addresses are configured. + +4.6. Use of Local IPv6 Addresses for Local Communication + + Local IPv6 addresses, like global scope unicast addresses, are only + assigned to nodes if their use has been enabled (via IPv6 address + autoconfiguration [ADDAUTO], DHCPv6 [DHCP6], or manually). They are + + + + +Hinden & Haberman Standards Track [Page 9] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + + not created automatically in the way that IPv6 link-local addresses + are and will not appear or be used unless they are purposely + configured. + + In order for hosts to autoconfigure Local IPv6 addresses, routers + have to be configured to advertise Local IPv6 /64 prefixes in router + advertisements, or a DHCPv6 server must have been configured to + assign them. In order for a node to learn the Local IPv6 address of + another node, the Local IPv6 address must have been installed in a + naming system (e.g., DNS, proprietary naming system, etc.) For these + reasons, controlling their usage in a site is straightforward. + + To limit the use of Local IPv6 addresses the following guidelines + apply: + + - Nodes that are to only be reachable inside of a site: The local + DNS should be configured to only include the Local IPv6 + addresses of these nodes. Nodes with only Local IPv6 addresses + must not be installed in the global DNS. + + - Nodes that are to be limited to only communicate with other + nodes in the site: These nodes should be set to only + autoconfigure Local IPv6 addresses via [ADDAUTO] or to only + receive Local IPv6 addresses via [DHCP6]. Note: For the case + where both global and Local IPv6 prefixes are being advertised + on a subnet, this will require a switch in the devices to only + autoconfigure Local IPv6 addresses. + + - Nodes that are to be reachable from inside of the site and from + outside of the site: The DNS should be configured to include + the global addresses of these nodes. The local DNS may be + configured to also include the Local IPv6 addresses of these + nodes. + + - Nodes that can communicate with other nodes inside of the site + and outside of the site: These nodes should autoconfigure global + addresses via [ADDAUTO] or receive global address via [DHCP6]. + They may also obtain Local IPv6 addresses via the same + mechanisms. + +4.7. Use of Local IPv6 Addresses with VPNs + + Local IPv6 addresses can be used for inter-site Virtual Private + Networks (VPN) if appropriate routes are set up. Because the + addresses are unique, these VPNs will work reliably and without the + need for translation. They have the additional property that they + will continue to work if the individual sites are renumbered or + merged. + + + +Hinden & Haberman Standards Track [Page 10] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + +5. Global Routing Considerations + + Section 4.1 provides operational guidelines that forbid default + routing of local addresses between sites. Concerns were raised to + the IPv6 working group and to the IETF as a whole that sites may + attempt to use local addresses as globally routed provider- + independent addresses. This section describes why using local + addresses as globally-routed provider-independent addresses is + unadvisable. + +5.1. From the Standpoint of the Internet + + There is a mismatch between the structure of IPv6 local addresses and + the normal IPv6 wide area routing model. The /48 prefix of an IPv6 + local addresses fits nowhere in the normal hierarchy of IPv6 unicast + addresses. Normal IPv6 unicast addresses can be routed + hierarchically down to physical subnet (link) level and only have to + be flat-routed on the physical subnet. IPv6 local addresses would + have to be flat-routed even over the wide area Internet. + + Thus, packets whose destination address is an IPv6 local address + could be routed over the wide area only if the corresponding /48 + prefix were carried by the wide area routing protocol in use, such as + BGP. This contravenes the operational assumption that long prefixes + will be aggregated into many fewer short prefixes, to limit the table + size and convergence time of the routing protocol. If a network uses + both normal IPv6 addresses [ADDARCH] and IPv6 local addresses, these + types of addresses will certainly not aggregate with each other, + since they differ from the most significant bit onwards. Neither + will IPv6 local addresses aggregate with each other, due to their + random bit patterns. This means that there would be a very + significant operational penalty for attempting to use IPv6 local + address prefixes generically with currently known wide area routing + technology. + +5.2. From the Standpoint of a Site + + There are a number of design factors in IPv6 local addresses that + reduce the likelihood that IPv6 local addresses will be used as + arbitrary global unicast addresses. These include: + + - The default rules to filter packets and routes make it very + difficult to use IPv6 local addresses for arbitrary use across + the Internet. For a site to use them as general purpose unicast + addresses, it would have to make sure that the default rules + were not being used by all other sites and intermediate ISPs + used for their current and future communication. + + + + +Hinden & Haberman Standards Track [Page 11] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + + - They are not mathematically guaranteed to be unique and are not + registered in public databases. Collisions, while highly + unlikely, are possible and a collision can compromise the + integrity of the communications. The lack of public + registration creates operational problems. + + - The addresses are allocated randomly. If a site had multiple + prefixes that it wanted to be used globally, the cost of + advertising them would be very high because they could not be + aggregated. + + - They have a long prefix (i.e., /48) so a single local address + prefix doesn't provide enough address space to be used + exclusively by the largest organizations. + +6. Advantages and Disadvantages + +6.1. Advantages + + This approach has the following advantages: + + - Provides Local IPv6 prefixes that can be used independently of + any provider-based IPv6 unicast address allocations. This is + useful for sites not always connected to the Internet or sites + that wish to have a distinct prefix that can be used to localize + traffic inside of the site. + + - Applications can treat these addresses in an identical manner as + any other type of global IPv6 unicast addresses. + + - Sites can be merged without any renumbering of the Local IPv6 + addresses. + + - Sites can change their provider-based IPv6 unicast address + without disrupting any communication that uses Local IPv6 + addresses. + + - Well-known prefix that allows for easy filtering at site + boundary. + + - Can be used for inter-site VPNs. + + - If accidently leaked outside of a site via routing or DNS, there + is no conflict with any other addresses. + + + + + + + +Hinden & Haberman Standards Track [Page 12] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + +6.2. Disadvantages + + This approach has the following disadvantages: + + - Not possible to route Local IPv6 prefixes on the global Internet + with current routing technology. Consequentially, it is + necessary to have the default behavior of site border routers to + filter these addresses. + + - There is a very low probability of non-unique locally assigned + Global IDs being generated by the algorithm in Section 3.2.3. + This risk can be ignored for all practical purposes, but it + leads to a theoretical risk of clashing address prefixes. + +7. Security Considerations + + Local IPv6 addresses do not provide any inherent security to the + nodes that use them. They may be used with filters at site + boundaries to keep Local IPv6 traffic inside of the site, but this is + no more or less secure than filtering any other type of global IPv6 + unicast addresses. + + Local IPv6 addresses do allow for address-based security mechanisms, + including IPsec, across end to end VPN connections. + +8. IANA Considerations + + The IANA has assigned the FC00::/7 prefix to "Unique Local Unicast". + +9. References + +9.1. Normative References + + [ADDARCH] Hinden, R. and S. Deering, "Internet Protocol Version 6 + (IPv6) Addressing Architecture", RFC 3513, April 2003. + + [FIPS] "Federal Information Processing Standards Publication", + (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995. + + [GLOBAL] Hinden, R., Deering, S., and E. Nordmark, "IPv6 Global + Unicast Address Format", RFC 3587, August 2003. + + [ICMPV6] Conta, A. and S. Deering, "Internet Control Message + Protocol (ICMPv6) for the Internet Protocol Version 6 + (IPv6) Specification", RFC 2463, December 1998. + + + + + + +Hinden & Haberman Standards Track [Page 13] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + + [IPV6] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", RFC 2460, December 1998. + + [NTP] Mills, D., "Network Time Protocol (Version 3) + Specification, Implementation and Analysis", RFC 1305, + March 1992. + + [RANDOM] Eastlake, D., 3rd, Schiller, J., and S. Crocker, + "Randomness Requirements for Security", BCP 106, RFC 4086, + June 2005. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [SHA1] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 + (SHA1)", RFC 3174, September 2001. + +9.2. Informative References + + [ADDAUTO] Thomson, S. and T. Narten, "IPv6 Stateless Address + Autoconfiguration", RFC 2462, December 1998. + + [ADDSEL] Draves, R., "Default Address Selection for Internet + Protocol version 6 (IPv6)", RFC 3484, February 2003. + + [DHCP6] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and + M. Carney, "Dynamic Host Configuration Protocol for IPv6 + (DHCPv6)", RFC 3315, July 2003. + + [POPUL] Population Reference Bureau, "World Population Data Sheet + of the Population Reference Bureau 2002", August 2002. + + [RTP] Schulzrinne, H., Casner, S., Frederick, R., and V. + Jacobson, "RTP: A Transport Protocol for Real-Time + Applications", STD 64, RFC 3550, July 2003. + + + + + + + + + + + + + + + + +Hinden & Haberman Standards Track [Page 14] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + +Authors' Addresses + + Robert M. Hinden + Nokia + 313 Fairchild Drive + Mountain View, CA 94043 + USA + + Phone: +1 650 625-2004 + EMail: bob.hinden@nokia.com + + + Brian Haberman + Johns Hopkins University + Applied Physics Lab + 11100 Johns Hopkins Road + Laurel, MD 20723 + USA + + Phone: +1 443 778 1319 + EMail: brian@innovationslab.net + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Hinden & Haberman Standards Track [Page 15] + +RFC 4193 Unique Local IPv6 Unicast Addresses October 2005 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2005). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at ietf- + ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + +Hinden & Haberman Standards Track [Page 16] + diff --git a/doc/rfc/rfc4255.txt b/doc/rfc/rfc4255.txt new file mode 100644 index 0000000000000..f350b7af95739 --- /dev/null +++ b/doc/rfc/rfc4255.txt @@ -0,0 +1,507 @@ + + + + + + +Network Working Group J. Schlyter +Request for Comments: 4255 OpenSSH +Category: Standards Track W. Griffin + SPARTA + January 2006 + + + Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + This document describes a method of verifying Secure Shell (SSH) host + keys using Domain Name System Security (DNSSEC). The document + defines a new DNS resource record that contains a standard SSH key + fingerprint. + +Table of Contents + + 1. Introduction ....................................................2 + 2. SSH Host Key Verification .......................................2 + 2.1. Method .....................................................2 + 2.2. Implementation Notes .......................................2 + 2.3. Fingerprint Matching .......................................3 + 2.4. Authentication .............................................3 + 3. The SSHFP Resource Record .......................................3 + 3.1. The SSHFP RDATA Format .....................................4 + 3.1.1. Algorithm Number Specification ......................4 + 3.1.2. Fingerprint Type Specification ......................4 + 3.1.3. Fingerprint .........................................5 + 3.2. Presentation Format of the SSHFP RR ........................5 + 4. Security Considerations .........................................5 + 5. IANA Considerations .............................................6 + 6. Normative References ............................................7 + 7. Informational References ........................................7 + 8. Acknowledgements ................................................8 + + + + +Schlyter & Griffin Standards Track [Page 1] + +RFC 4255 DNS and SSH Fingerprints January 2006 + + +1. Introduction + + The SSH [6] protocol provides secure remote login and other secure + network services over an insecure network. The security of the + connection relies on the server authenticating itself to the client + as well as the user authenticating itself to the server. + + If a connection is established to a server whose public key is not + already known to the client, a fingerprint of the key is presented to + the user for verification. If the user decides that the fingerprint + is correct and accepts the key, the key is saved locally and used for + verification for all following connections. While some security- + conscious users verify the fingerprint out-of-band before accepting + the key, many users blindly accept the presented key. + + The method described here can provide out-of-band verification by + looking up a fingerprint of the server public key in the DNS [1][2] + and using DNSSEC [5] to verify the lookup. + + In order to distribute the fingerprint using DNS, this document + defines a new DNS resource record, "SSHFP", to carry the fingerprint. + + Basic understanding of the DNS system [1][2] and the DNS security + extensions [5] is assumed by this document. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [3]. + +2. SSH Host Key Verification + +2.1. Method + + Upon connection to an SSH server, the SSH client MAY look up the + SSHFP resource record(s) for the host it is connecting to. If the + algorithm and fingerprint of the key received from the SSH server + match the algorithm and fingerprint of one of the SSHFP resource + record(s) returned from DNS, the client MAY accept the identity of + the server. + +2.2. Implementation Notes + + Client implementors SHOULD provide a configurable policy used to + select the order of methods used to verify a host key. This document + defines one method: Fingerprint storage in DNS. Another method + defined in the SSH Architecture [6] uses local files to store keys + for comparison. Other methods that could be defined in the future + might include storing fingerprints in LDAP or other databases. A + + + +Schlyter & Griffin Standards Track [Page 2] + +RFC 4255 DNS and SSH Fingerprints January 2006 + + + configurable policy will allow administrators to determine which + methods they want to use and in what order the methods should be + prioritized. This will allow administrators to determine how much + trust they want to place in the different methods. + + One specific scenario for having a configurable policy is where + clients do not use fully qualified host names to connect to servers. + In this scenario, the implementation SHOULD verify the host key + against a local database before verifying the key via the fingerprint + returned from DNS. This would help prevent an attacker from + injecting a DNS search path into the local resolver and forcing the + client to connect to a different host. + +2.3. Fingerprint Matching + + The public key and the SSHFP resource record are matched together by + comparing algorithm number and fingerprint. + + The public key algorithm and the SSHFP algorithm number MUST + match. + + A message digest of the public key, using the message digest + algorithm specified in the SSHFP fingerprint type, MUST match the + SSHFP fingerprint. + +2.4. Authentication + + A public key verified using this method MUST NOT be trusted if the + SSHFP resource record (RR) used for verification was not + authenticated by a trusted SIG RR. + + Clients that do validate the DNSSEC signatures themselves SHOULD use + standard DNSSEC validation procedures. + + Clients that do not validate the DNSSEC signatures themselves MUST + use a secure transport (e.g., TSIG [9], SIG(0) [10], or IPsec [8]) + between themselves and the entity performing the signature + validation. + +3. The SSHFP Resource Record + + The SSHFP resource record (RR) is used to store a fingerprint of an + SSH public host key that is associated with a Domain Name System + (DNS) name. + + The RR type code for the SSHFP RR is 44. + + + + + +Schlyter & Griffin Standards Track [Page 3] + +RFC 4255 DNS and SSH Fingerprints January 2006 + + +3.1. The SSHFP RDATA Format + + The RDATA for a SSHFP RR consists of an algorithm number, fingerprint + type and the fingerprint of the public host key. + + 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | algorithm | fp type | / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / + / / + / fingerprint / + / / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +3.1.1. Algorithm Number Specification + + This algorithm number octet describes the algorithm of the public + key. The following values are assigned: + + Value Algorithm name + ----- -------------- + 0 reserved + 1 RSA + 2 DSS + + Reserving other types requires IETF consensus [4]. + +3.1.2. Fingerprint Type Specification + + The fingerprint type octet describes the message-digest algorithm + used to calculate the fingerprint of the public key. The following + values are assigned: + + Value Fingerprint type + ----- ---------------- + 0 reserved + 1 SHA-1 + + Reserving other types requires IETF consensus [4]. + + For interoperability reasons, as few fingerprint types as possible + should be reserved. The only reason to reserve additional types is + to increase security. + + + + + + + +Schlyter & Griffin Standards Track [Page 4] + +RFC 4255 DNS and SSH Fingerprints January 2006 + + +3.1.3. Fingerprint + + The fingerprint is calculated over the public key blob as described + in [7]. + + The message-digest algorithm is presumed to produce an opaque octet + string output, which is placed as-is in the RDATA fingerprint field. + +3.2. Presentation Format of the SSHFP RR + + The RDATA of the presentation format of the SSHFP resource record + consists of two numbers (algorithm and fingerprint type) followed by + the fingerprint itself, presented in hex, e.g.: + + host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890 + + The use of mnemonics instead of numbers is not allowed. + +4. Security Considerations + + Currently, the amount of trust a user can realistically place in a + server key is proportional to the amount of attention paid to + verifying that the public key presented actually corresponds to the + private key of the server. If a user accepts a key without verifying + the fingerprint with something learned through a secured channel, the + connection is vulnerable to a man-in-the-middle attack. + + The overall security of using SSHFP for SSH host key verification is + dependent on the security policies of the SSH host administrator and + DNS zone administrator (in transferring the fingerprint), detailed + aspects of how verification is done in the SSH implementation, and in + the client's diligence in accessing the DNS in a secure manner. + + One such aspect is in which order fingerprints are looked up (e.g., + first checking local file and then SSHFP). We note that, in addition + to protecting the first-time transfer of host keys, SSHFP can + optionally be used for stronger host key protection. + + If SSHFP is checked first, new SSH host keys may be distributed by + replacing the corresponding SSHFP in DNS. + + If SSH host key verification can be configured to require SSHFP, + SSH host key revocation can be implemented by removing the + corresponding SSHFP from DNS. + + + + + + + +Schlyter & Griffin Standards Track [Page 5] + +RFC 4255 DNS and SSH Fingerprints January 2006 + + + As stated in Section 2.2, we recommend that SSH implementors provide + a policy mechanism to control the order of methods used for host key + verification. One specific scenario for having a configurable policy + is where clients use unqualified host names to connect to servers. + In this case, we recommend that SSH implementations check the host + key against a local database before verifying the key via the + fingerprint returned from DNS. This would help prevent an attacker + from injecting a DNS search path into the local resolver and forcing + the client to connect to a different host. + + A different approach to solve the DNS search path issue would be for + clients to use a trusted DNS search path, i.e., one not acquired + through DHCP or other autoconfiguration mechanisms. Since there is + no way with current DNS lookup APIs to tell whether a search path is + from a trusted source, the entire client system would need to be + configured with this trusted DNS search path. + + Another dependency is on the implementation of DNSSEC itself. As + stated in Section 2.4, we mandate the use of secure methods for + lookup and that SSHFP RRs are authenticated by trusted SIG RRs. This + is especially important if SSHFP is to be used as a basis for host + key rollover and/or revocation, as described above. + + Since DNSSEC only protects the integrity of the host key fingerprint + after it is signed by the DNS zone administrator, the fingerprint + must be transferred securely from the SSH host administrator to the + DNS zone administrator. This could be done manually between the + administrators or automatically using secure DNS dynamic update [11] + between the SSH server and the nameserver. We note that this is no + different from other key enrollment situations, e.g., a client + sending a certificate request to a certificate authority for signing. + +5. IANA Considerations + + IANA has allocated the RR type code 44 for SSHFP from the standard RR + type space. + + IANA has opened a new registry for the SSHFP RR type for public key + algorithms. The defined types are: + + 0 is reserved + 1 is RSA + 2 is DSA + + Adding new reservations requires IETF consensus [4]. + + + + + + +Schlyter & Griffin Standards Track [Page 6] + +RFC 4255 DNS and SSH Fingerprints January 2006 + + + IANA has opened a new registry for the SSHFP RR type for fingerprint + types. The defined types are: + + 0 is reserved + 1 is SHA-1 + + Adding new reservations requires IETF consensus [4]. + +6. Normative References + + [1] Mockapetris, P., "Domain names - concepts and facilities", STD + 13, RFC 1034, November 1987. + + [2] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [4] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA + Considerations Section in RFCs", BCP 26, RFC 2434, October + 1998. + + [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, March + 2005. + + Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Resource Records for the DNS Security Extensions", RFC 4034, + March 2005. + + Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Protocol Modifications for the DNS Security Extensions", RFC + 4035, March 2005. + + [6] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) + Protocol Architecture", RFC 4251, January 2006. + + [7] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) + Transport Layer Protocol", RFC 4253, January 2006. + +7. Informational References + + [8] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document + Roadmap", RFC 2411, November 1998. + + + + + + +Schlyter & Griffin Standards Track [Page 7] + +RFC 4255 DNS and SSH Fingerprints January 2006 + + + [9] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. + Wellington, "Secret Key Transaction Authentication for DNS + (TSIG)", RFC 2845, May 2000. + + [10] Eastlake 3rd, D., "DNS Request and Transaction Signatures + ( SIG(0)s )", RFC 2931, September 2000. + + [11] Wellington, B., "Secure Domain Name System (DNS) Dynamic + Update", RFC 3007, November 2000. + +8. Acknowledgements + + The authors gratefully acknowledge, in no particular order, the + contributions of the following persons: + + Martin Fredriksson + + Olafur Gudmundsson + + Edward Lewis + + Bill Sommerfeld + +Authors' Addresses + + Jakob Schlyter + OpenSSH + 812 23rd Avenue SE + Calgary, Alberta T2G 1N8 + Canada + + EMail: jakob@openssh.com + URI: http://www.openssh.com/ + + + Wesley Griffin + SPARTA + 7075 Samuel Morse Drive + Columbia, MD 21046 + USA + + EMail: wgriffin@sparta.com + URI: http://www.sparta.com/ + + + + + + + + +Schlyter & Griffin Standards Track [Page 8] + +RFC 4255 DNS and SSH Fingerprints January 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Schlyter & Griffin Standards Track [Page 9] + diff --git a/doc/rfc/rfc4343.txt b/doc/rfc/rfc4343.txt new file mode 100644 index 0000000000000..621420a45f478 --- /dev/null +++ b/doc/rfc/rfc4343.txt @@ -0,0 +1,563 @@ + + + + + + +Network Working Group D. Eastlake 3rd +Request for Comments: 4343 Motorola Laboratories +Updates: 1034, 1035, 2181 January 2006 +Category: Standards Track + + + Domain Name System (DNS) Case Insensitivity Clarification + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + Domain Name System (DNS) names are "case insensitive". This document + explains exactly what that means and provides a clear specification + of the rules. This clarification updates RFCs 1034, 1035, and 2181. + +Table of Contents + + 1. Introduction ....................................................2 + 2. Case Insensitivity of DNS Labels ................................2 + 2.1. Escaping Unusual DNS Label Octets ..........................2 + 2.2. Example Labels with Escapes ................................3 + 3. Name Lookup, Label Types, and CLASS .............................3 + 3.1. Original DNS Label Types ...................................4 + 3.2. Extended Label Type Case Insensitivity Considerations ......4 + 3.3. CLASS Case Insensitivity Considerations ....................4 + 4. Case on Input and Output ........................................5 + 4.1. DNS Output Case Preservation ...............................5 + 4.2. DNS Input Case Preservation ................................5 + 5. Internationalized Domain Names ..................................6 + 6. Security Considerations .........................................6 + 7. Acknowledgements ................................................7 + Normative References................................................7 + Informative References..............................................8 + + + + + + + +Eastlake 3rd Standards Track [Page 1] + +RFC 4343 DNS Case Insensitivity Clarification January 2006 + + +1. Introduction + + The Domain Name System (DNS) is the global hierarchical replicated + distributed database system for Internet addressing, mail proxy, and + other information. Each node in the DNS tree has a name consisting + of zero or more labels [STD13, RFC1591, RFC2606] that are treated in + a case insensitive fashion. This document clarifies the meaning of + "case insensitive" for the DNS. This clarification updates RFCs + 1034, 1035 [STD13], and [RFC2181]. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + +2. Case Insensitivity of DNS Labels + + DNS was specified in the era of [ASCII]. DNS names were expected to + look like most host names or Internet email address right halves (the + part after the at-sign, "@") or to be numeric, as in the in-addr.arpa + part of the DNS name space. For example, + + foo.example.net. + aol.com. + www.gnu.ai.mit.edu. + or 69.2.0.192.in-addr.arpa. + + Case-varied alternatives to the above [RFC3092] would be DNS names + like + + Foo.ExamplE.net. + AOL.COM. + WWW.gnu.AI.mit.EDU. + or 69.2.0.192.in-ADDR.ARPA. + + However, the individual octets of which DNS names consist are not + limited to valid ASCII character codes. They are 8-bit bytes, and + all values are allowed. Many applications, however, interpret them + as ASCII characters. + +2.1. Escaping Unusual DNS Label Octets + + In Master Files [STD13] and other human-readable and -writable ASCII + contexts, an escape is needed for the byte value for period (0x2E, + ".") and all octet values outside of the inclusive range from 0x21 + ("!") to 0x7E ("~"). That is to say, 0x2E and all octet values in + the two inclusive ranges from 0x00 to 0x20 and from 0x7F to 0xFF. + + + + + +Eastlake 3rd Standards Track [Page 2] + +RFC 4343 DNS Case Insensitivity Clarification January 2006 + + + One typographic convention for octets that do not correspond to an + ASCII printing graphic is to use a back-slash followed by the value + of the octet as an unsigned integer represented by exactly three + decimal digits. + + The same convention can be used for printing ASCII characters so that + they will be treated as a normal label character. This includes the + back-slash character used in this convention itself, which can be + expressed as \092 or \\, and the special label separator period + ("."), which can be expressed as and \046 or \. It is advisable to + avoid using a backslash to quote an immediately following non- + printing ASCII character code to avoid implementation difficulties. + + A back-slash followed by only one or two decimal digits is undefined. + A back-slash followed by four decimal digits produces two octets, the + first octet having the value of the first three digits considered as + a decimal number, and the second octet being the character code for + the fourth decimal digit. + +2.2. Example Labels with Escapes + + The first example below shows embedded spaces and a period (".") + within a label. The second one shows a 5-octet label where the + second octet has all bits zero, the third is a backslash, and the + fourth octet has all bits one. + + Donald\032E\.\032Eastlake\0323rd.example. + and a\000\\\255z.example. + +3. Name Lookup, Label Types, and CLASS + + According to the original DNS design decision, comparisons on name + lookup for DNS queries should be case insensitive [STD13]. That is + to say, a lookup string octet with a value in the inclusive range + from 0x41 to 0x5A, the uppercase ASCII letters, MUST match the + identical value and also match the corresponding value in the + inclusive range from 0x61 to 0x7A, the lowercase ASCII letters. A + lookup string octet with a lowercase ASCII letter value MUST + similarly match the identical value and also match the corresponding + value in the uppercase ASCII letter range. + + (Historical note: The terms "uppercase" and "lowercase" were invented + after movable type. The terms originally referred to the two font + trays for storing, in partitioned areas, the different physical type + elements. Before movable type, the nearest equivalent terms were + "majuscule" and "minuscule".) + + + + + +Eastlake 3rd Standards Track [Page 3] + +RFC 4343 DNS Case Insensitivity Clarification January 2006 + + + One way to implement this rule would be to subtract 0x20 from all + octets in the inclusive range from 0x61 to 0x7A before comparing + octets. Such an operation is commonly known as "case folding", but + implementation via case folding is not required. Note that the DNS + case insensitivity does NOT correspond to the case folding specified + in [ISO-8859-1] or [ISO-8859-2]. For example, the octets 0xDD (\221) + and 0xFD (\253) do NOT match, although in other contexts, where they + are interpreted as the upper- and lower-case version of "Y" with an + acute accent, they might. + +3.1. Original DNS Label Types + + DNS labels in wire-encoded names have a type associated with them. + The original DNS standard [STD13] had only two types: ASCII labels, + with a length from zero to 63 octets, and indirect (or compression) + labels, which consist of an offset pointer to a name location + elsewhere in the wire encoding on a DNS message. (The ASCII label of + length zero is reserved for use as the name of the root node of the + name tree.) ASCII labels follow the ASCII case conventions described + herein and, as stated above, can actually contain arbitrary byte + values. Indirect labels are, in effect, replaced by the name to + which they point, which is then treated with the case insensitivity + rules in this document. + +3.2. Extended Label Type Case Insensitivity Considerations + + DNS was extended by [RFC2671] so that additional label type numbers + would be available. (The only such type defined so far is the BINARY + type [RFC2673], which is now Experimental [RFC3363].) + + The ASCII case insensitivity conventions only apply to ASCII labels; + that is to say, label type 0x0, whether appearing directly or invoked + by indirect labels. + +3.3. CLASS Case Insensitivity Considerations + + As described in [STD13] and [RFC2929], DNS has an additional axis for + data location called CLASS. The only CLASS in global use at this + time is the "IN" (Internet) CLASS. + + The handling of DNS label case is not CLASS dependent. With the + original design of DNS, it was intended that a recursive DNS resolver + be able to handle new CLASSes that were unknown at the time of its + implementation. This requires uniform handling of label case + insensitivity. Should it become desirable, for example, to allocate + a CLASS with "case sensitive ASCII labels", it would be necessary to + allocate a new label type for these labels. + + + + +Eastlake 3rd Standards Track [Page 4] + +RFC 4343 DNS Case Insensitivity Clarification January 2006 + + +4. Case on Input and Output + + While ASCII label comparisons are case insensitive, [STD13] says case + MUST be preserved on output and preserved when convenient on input. + However, this means less than it would appear, since the preservation + of case on output is NOT required when output is optimized by the use + of indirect labels, as explained below. + +4.1. DNS Output Case Preservation + + [STD13] views the DNS namespace as a node tree. ASCII output is as + if a name were marshaled by taking the label on the node whose name + is to be output, converting it to a typographically encoded ASCII + string, walking up the tree outputting each label encountered, and + preceding all labels but the first with a period ("."). Wire output + follows the same sequence, but each label is wire encoded, and no + periods are inserted. No "case conversion" or "case folding" is done + during such output operations, thus "preserving" case. However, to + optimize output, indirect labels may be used to point to names + elsewhere in the DNS answer. In determining whether the name to be + pointed to (for example, the QNAME) is the "same" as the remainder of + the name being optimized, the case insensitive comparison specified + above is done. Thus, such optimization may easily destroy the output + preservation of case. This type of optimization is commonly called + "name compression". + +4.2. DNS Input Case Preservation + + Originally, DNS data came from an ASCII Master File as defined in + [STD13] or a zone transfer. DNS Dynamic update and incremental zone + transfers [RFC1995] have been added as a source of DNS data [RFC2136, + RFC3007]. When a node in the DNS name tree is created by any of such + inputs, no case conversion is done. Thus, the case of ASCII labels + is preserved if they are for nodes being created. However, when a + name label is input for a node that already exists in DNS data being + held, the situation is more complex. Implementations are free to + retain the case first loaded for such a label, to allow new input to + override the old case, or even to maintain separate copies preserving + the input case. + + For example, if data with owner name "foo.bar.example" [RFC3092] is + loaded and then later data with owner name "xyz.BAR.example" is + input, the name of the label on the "bar.example" node (i.e., "bar") + might or might not be changed to "BAR" in the DNS stored data. Thus, + later retrieval of data stored under "xyz.bar.example" in this case + can use "xyz.BAR.example" in all returned data, use "xyz.bar.example" + in all returned data, or even, when more than one RR is being + returned, use a mixture of these two capitalizations. This last case + + + +Eastlake 3rd Standards Track [Page 5] + +RFC 4343 DNS Case Insensitivity Clarification January 2006 + + + is unlikely, as optimization of answer length through indirect labels + tends to cause only one copy of the name tail ("bar.example" or + "BAR.example") to be used for all returned RRs. Note that none of + this has any effect on the number or completeness of the RR set + returned, only on the case of the names in the RR set returned. + + The same considerations apply when inputting multiple data records + with owner names differing only in case. For example, if an "A" + record is the first resource record stored under owner name + "xyz.BAR.example" and then a second "A" record is stored under + "XYZ.BAR.example", the second MAY be stored with the first (lower + case initial label) name, the second MAY override the first so that + only an uppercase initial label is retained, or both capitalizations + MAY be kept in the DNS stored data. In any case, a retrieval with + either capitalization will retrieve all RRs with either + capitalization. + + Note that the order of insertion into a server database of the DNS + name tree nodes that appear in a Master File is not defined so that + the results of inconsistent capitalization in a Master File are + unpredictable output capitalization. + +5. Internationalized Domain Names + + A scheme has been adopted for "internationalized domain names" and + "internationalized labels" as described in [RFC3490, RFC3454, + RFC3491, and RFC3492]. It makes most of [UNICODE] available through + a separate application level transformation from internationalized + domain name to DNS domain name and from DNS domain name to + internationalized domain name. Any case insensitivity that + internationalized domain names and labels have varies depending on + the script and is handled entirely as part of the transformation + described in [RFC3454] and [RFC3491], which should be seen for + further details. This is not a part of the DNS as standardized in + STD 13. + +6. Security Considerations + + The equivalence of certain DNS label types with case differences, as + clarified in this document, can lead to security problems. For + example, a user could be confused by believing that two domain names + differing only in case were actually different names. + + Furthermore, a domain name may be used in contexts other than the + DNS. It could be used as a case sensitive index into some database + or file system. Or it could be interpreted as binary data by some + integrity or authentication code system. These problems can usually + be handled by using a standardized or "canonical" form of the DNS + + + +Eastlake 3rd Standards Track [Page 6] + +RFC 4343 DNS Case Insensitivity Clarification January 2006 + + + ASCII type labels; that is, always mapping the ASCII letter value + octets in ASCII labels to some specific pre-chosen case, either + uppercase or lower case. An example of a canonical form for domain + names (and also a canonical ordering for them) appears in Section 6 + of [RFC4034]. See also [RFC3597]. + + Finally, a non-DNS name may be stored into DNS with the false + expectation that case will always be preserved. For example, + although this would be quite rare, on a system with case sensitive + email address local parts, an attempt to store two Responsible Person + (RP) [RFC1183] records that differed only in case would probably + produce unexpected results that might have security implications. + That is because the entire email address, including the possibly case + sensitive local or left-hand part, is encoded into a DNS name in a + readable fashion where the case of some letters might be changed on + output as described above. + +7. Acknowledgements + + The contributions to this document by Rob Austein, Olafur + Gudmundsson, Daniel J. Anderson, Alan Barrett, Marc Blanchet, Dana, + Andreas Gustafsson, Andrew Main, Thomas Narten, and Scott Seligman + are gratefully acknowledged. + +Normative References + + [ASCII] ANSI, "USA Standard Code for Information Interchange", + X3.4, American National Standards Institute: New York, + 1968. + + [RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, + August 1996. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, + "Dynamic Updates in the Domain Name System (DNS + UPDATE)", RFC 2136, April 1997. + + [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS + Specification", RFC 2181, July 1997. + + [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic + Update", RFC 3007, November 2000. + + + + + + +Eastlake 3rd Standards Track [Page 7] + +RFC 4343 DNS Case Insensitivity Clarification January 2006 + + + [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record + (RR) Types", RFC 3597, September 2003. + + [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "Resource Records for the DNS Security + Extensions", RFC 4034, March 2005. + + [STD13] Mockapetris, P., "Domain names - concepts and + facilities", STD 13, RFC 1034, November 1987. + + Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + +Informative References + + [ISO-8859-1] International Standards Organization, Standard for + Character Encodings, Latin-1. + + [ISO-8859-2] International Standards Organization, Standard for + Character Encodings, Latin-2. + + [RFC1183] Everhart, C., Mamakos, L., Ullmann, R., and P. + Mockapetris, "New DNS RR Definitions", RFC 1183, October + 1990. + + [RFC1591] Postel, J., "Domain Name System Structure and + Delegation", RFC 1591, March 1994. + + [RFC2606] Eastlake 3rd, D. and A. Panitz, "Reserved Top Level DNS + Names", BCP 32, RFC 2606, June 1999. + + [RFC2929] Eastlake 3rd, D., Brunner-Williams, E., and B. Manning, + "Domain Name System (DNS) IANA Considerations", BCP 42, + RFC 2929, September 2000. + + [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC + 2671, August 1999. + + [RFC2673] Crawford, M., "Binary Labels in the Domain Name System", + RFC 2673, August 1999. + + [RFC3092] Eastlake 3rd, D., Manros, C., and E. Raymond, "Etymology + of "Foo"", RFC 3092, 1 April 2001. + + [RFC3363] Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T. + Hain, "Representing Internet Protocol version 6 (IPv6) + Addresses in the Domain Name System (DNS)", RFC 3363, + August 2002. + + + +Eastlake 3rd Standards Track [Page 8] + +RFC 4343 DNS Case Insensitivity Clarification January 2006 + + + [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of + Internationalized Strings ("stringprep")", RFC 3454, + December 2002. + + [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, + "Internationalizing Domain Names in Applications + (IDNA)", RFC 3490, March 2003. + + [RFC3491] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep + Profile for Internationalized Domain Names (IDN)", RFC + 3491, March 2003. + + [RFC3492] Costello, A., "Punycode: A Bootstring encoding of + Unicode for Internationalized Domain Names in + Applications (IDNA)", RFC 3492, March 2003. + + [UNICODE] The Unicode Consortium, "The Unicode Standard", + . + +Author's Address + + Donald E. Eastlake 3rd + Motorola Laboratories + 155 Beaver Street + Milford, MA 01757 USA + + Phone: +1 508-786-7554 (w) + EMail: Donald.Eastlake@motorola.com + + + + + + + + + + + + + + + + + + + + + + + +Eastlake 3rd Standards Track [Page 9] + +RFC 4343 DNS Case Insensitivity Clarification January 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Eastlake 3rd Standards Track [Page 10] + diff --git a/doc/rfc/rfc4367.txt b/doc/rfc/rfc4367.txt new file mode 100644 index 0000000000000..f066b6468eb13 --- /dev/null +++ b/doc/rfc/rfc4367.txt @@ -0,0 +1,955 @@ + + + + + + +Network Working Group J. Rosenberg, Ed. +Request for Comments: 4367 IAB +Category: Informational February 2006 + + + What's in a Name: False Assumptions about DNS Names + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + The Domain Name System (DNS) provides an essential service on the + Internet, mapping structured names to a variety of data, usually IP + addresses. These names appear in email addresses, Uniform Resource + Identifiers (URIs), and other application-layer identifiers that are + often rendered to human users. Because of this, there has been a + strong demand to acquire names that have significance to people, + through equivalence to registered trademarks, company names, types of + services, and so on. There is a danger in this trend; the humans and + automata that consume and use such names will associate specific + semantics with some names and thereby make assumptions about the + services that are, or should be, provided by the hosts associated + with the names. Those assumptions can often be false, resulting in a + variety of failure conditions. This document discusses this problem + in more detail and makes recommendations on how it can be avoided. + + + + + + + + + + + + + + + + + + +Rosenberg Informational [Page 1] + +RFC 4367 Name Assumptions February 2006 + + +Table of Contents + + 1. Introduction ....................................................2 + 2. Target Audience .................................................4 + 3. Modeling Usage of the DNS .......................................4 + 4. Possible Assumptions ............................................5 + 4.1. By the User ................................................5 + 4.2. By the Client ..............................................6 + 4.3. By the Server ..............................................7 + 5. Consequences of False Assumptions ...............................8 + 6. Reasons Why the Assumptions Can Be False ........................9 + 6.1. Evolution ..................................................9 + 6.2. Leakage ...................................................10 + 6.3. Sub-Delegation ............................................10 + 6.4. Mobility ..................................................12 + 6.5. Human Error ...............................................12 + 7. Recommendations ................................................12 + 8. A Note on RFC 2219 and RFC 2782 ................................13 + 9. Security Considerations ........................................14 + 10. Acknowledgements ..............................................14 + 11. IAB Members ...................................................14 + 12. Informative References ........................................15 + +1. Introduction + + The Domain Name System (DNS) [1] provides an essential service on the + Internet, mapping structured names to a variety of different types of + data. Most often it is used to obtain the IP address of a host + associated with that name [2] [1] [3]. However, it can be used to + obtain other information, and proposals have been made for nearly + everything, including geographic information [4]. + + Domain names are most often used in identifiers used by application + protocols. The most well known include email addresses and URIs, + such as the HTTP URL [5], Real Time Streaming Protocol (RTSP) URL + [6], and SIP URI [7]. These identifiers are ubiquitous, appearing on + business cards, web pages, street signs, and so on. Because of this, + there has been a strong demand to acquire domain names that have + significance to people through equivalence to registered trademarks, + company names, types of services, and so on. Such identifiers serve + many business purposes, including extension of brand, advertising, + and so on. + + People often make assumptions about the type of service that is or + should be provided by a host associated with that name, based on + their expectations and understanding of what the name implies. This, + in turn, triggers attempts by organizations to register domain names + based on that presumed user expectation. Examples of this are the + + + +Rosenberg Informational [Page 2] + +RFC 4367 Name Assumptions February 2006 + + + various proposals for a Top-Level Domain (TLD) that could be + associated with adult content [8], the requests for creation of TLDs + associated with mobile devices and services, and even phishing + attacks. + + When these assumptions are codified into the behavior of an + automaton, such as an application client or server, as a result of + implementor choice, management directive, or domain owner policy, the + overall system can fail in various ways. This document describes a + number of typical ways in which these assumptions can be codified, + how they can be wrong, the consequences of those mistakes, and the + recommended ways in which they can be avoided. + + Section 4 describes some of the possible assumptions that clients, + servers, and people can make about a domain name. In this context, + an "assumption" is defined as any behavior that is expected when + accessing a service at a domain name, even though the behavior is not + explicitly codified in protocol specifications. Frequently, these + assumptions involve ignoring parts of a specification based on an + assumption that the client or server is deployed in an environment + that is more rigid than the specification allows. Section 5 + overviews some of the consequences of these false assumptions. + Generally speaking, these consequences can include a variety of + different interoperability failures, user experience failures, and + system failures. Section 6 discusses why these assumptions can be + false from the very beginning or become false at some point in the + future. Most commonly, they become false because the environment + changes in unexpected ways over time, and what was a valid assumption + before, no longer is. Other times, the assumptions prove wrong + because they were based on the belief that a specific community of + clients and servers was participating, and an element outside of that + community began participating. + + Section 7 then provides some recommendations. These recommendations + encapsulate some of the engineering mantras that have been at the + root of Internet protocol design for decades. These include: + + Follow the specifications. + + Use the capability negotiation techniques provided in the + protocols. + + Be liberal in what you accept, and conservative in what you send. + [18] + + Overall, automata should not change their behavior within a protocol + based on the domain name, or some component of the domain name, of + the host they are communicating with. + + + +Rosenberg Informational [Page 3] + +RFC 4367 Name Assumptions February 2006 + + +2. Target Audience + + This document has several audiences. Firstly, it is aimed at + implementors who ultimately develop the software that make the false + assumptions that are the subject of this document. The + recommendations described here are meant to reinforce the engineering + guidelines that are often understood by implementors, but frequently + forgotten as deadlines near and pressures mount. + + The document is also aimed at technology managers, who often develop + the requirements that lead to these false assumptions. For them, + this document serves as a vehicle for emphasizing the importance of + not taking shortcuts in the scope of applicability of a project. + + Finally, this document is aimed at domain name policy makers and + administrators. For them, it points out the perils in establishing + domain policies that get codified into the operation of applications + running within that domain. + +3. Modeling Usage of the DNS + + + +--------+ + | | + | | + | DNS | + |Service | + | | + +--------+ + ^ | + | | + | | + | | + /--\ | | + | | | V + | | +--------+ +--------+ + \--/ | | | | + | | | | | + ---+--- | Client |-------------------->| Server | + | | | | | + | | | | | + /\ +--------+ +--------+ + / \ + / \ + + User + Figure 1 + + + + +Rosenberg Informational [Page 4] + +RFC 4367 Name Assumptions February 2006 + + + Figure 1 shows a simple conceptual model of how the DNS is used by + applications. A user of the application obtains an identifier for + particular content or service it wishes to obtain. This identifier + is often a URL or URI that contains a domain name. The user enters + this identifier into its client application (for example, by typing + in the URL in a web browser window). The client is the automaton (a + software and/or hardware system) that contacts a server for that + application in order to provide service to the user. To do that, it + contacts a DNS server to resolve the domain name in the identifier to + an IP address. It then contacts the server at that IP address. This + simple model applies to application protocols such as HTTP [5], SIP + [7], RTSP [6], and SMTP [9]. + + >From this model, it is clear that three entities in the system can + potentially make false assumptions about the service provided by the + server. The human user may form expectations relating to the content + of the service based on a parsing of the host name from which the + content originated. The server might assume that the client + connecting to it supports protocols that it does not, can process + content that it cannot, or has capabilities that it does not. + Similarly, the client might assume that the server supports + protocols, content, or capabilities that it does not. Furthermore, + applications can potentially contain a multiplicity of humans, + clients, and servers, all of which can independently make these false + assumptions. + +4. Possible Assumptions + + For each of the three elements, there are many types of false + assumptions that can be made. + +4.1. By the User + + The set of possible assumptions here is nearly boundless. Users + might assume that an HTTP URL that looks like a company name maps to + a server run by that company. They might assume that an email from a + email address in the .gov TLD is actually from a government employee. + They might assume that the content obtained from a web server within + a TLD labeled as containing adult materials (for example, .sex) + actually contains adult content [8]. These assumptions are + unavoidable, may all be false, and are not the focus of this + document. + + + + + + + + + +Rosenberg Informational [Page 5] + +RFC 4367 Name Assumptions February 2006 + + +4.2. By the Client + + Even though the client is an automaton, it can make some of the same + assumptions that a human user might make. For example, many clients + assume that any host with a hostname that begins with "www" is a web + server, even though this assumption may be false. + + In addition, the client concerns itself with the protocols needed to + communicate with the server. As a result, it might make assumptions + about the operation of the protocols for communicating with the + server. These assumptions manifest themselves in an implementation + when a standardized protocol negotiation technique defined by the + protocol is ignored, and instead, some kind of rule is coded into the + software that comes to its own conclusion about what the negotiation + would have determined. The result is often a loss of + interoperability, degradation in reliability, and worsening of user + experience. + + Authentication Algorithm: Though a protocol might support a + multiplicity of authentication techniques, a client might assume + that a server always supports one that is only optional according + to the protocol. For example, a SIP client contacting a SIP + server in a domain that is apparently used to identify mobile + devices (for example, www.example.cellular) might assume that the + server supports the optional Authentication and Key Agreement + (AKA) digest technique [10], just because of the domain name that + was used to access the server. As another example, a web client + might assume that a server with the name https.example.com + supports HTTP over Transport Layer Security (TLS) [16]. + + Data Formats: Though a protocol might allow a multiplicity of data + formats to be sent from the server to the client, the client might + assume a specific one, rather than using the content labeling and + negotiation capabilities of the underlying protocol. For example, + an RTSP client might assume that all audio content delivered to it + from media.example.cellular uses a low-bandwidth codec. As + another example, a mail client might assume that the contents of + messages it retrieves from a mail server at mail.example.cellular + are always text, instead of checking the MIME headers [11] in the + message in order to determine the actual content type. + + Protocol Extensions: A client may attempt an operation on the server + that requires the server to support an optional protocol + extension. However, rather than implementing the necessary + fallback logic, the client may falsely assume that the extension + is supported. As an example, a SIP client that requires reliable + provisional responses to its request (RFC 3262 [17]) might assume + that this extension is supported on servers in the domain + + + +Rosenberg Informational [Page 6] + +RFC 4367 Name Assumptions February 2006 + + + sip.example.telecom. Furthermore, the client would not implement + the fallback behavior defined in RFC 3262, since it would assume + that all servers it will communicate with are in this domain and + that all therefore support this extension. However, if the + assumptions prove wrong, the client is unable to make any phone + calls. + + Languages: A client may support facilities for processing text + content differently depending on the language of the text. Rather + than determining the language from markers in the message from the + server, the client might assume a language based on the domain + name. This assumption can easily be wrong. For example, a client + might assume that any text in a web page retrieved from a server + within the .de country code TLD (ccTLD) is in German, and attempt + a translation to Finnish. This would fail dramatically if the + text was actually in French. Unfortunately, this client behavior + is sometimes exhibited because the server has not properly labeled + the language of the content in the first place, often because the + server assumed such a labeling was not needed. This is an example + of how these false assumptions can create vicious cycles. + +4.3. By the Server + + The server, like the client, is an automaton. Let us consider one + servicing a particular domain -- www.company.cellular, for example. + It might assume that all clients connecting to this domain support + particular capabilities, rather than using the underlying protocol to + make this determination. Some examples include: + + Authentication Algorithm: The server can assume that a client + supports a particular, optional, authentication technique, and it + therefore does not support the mandatory one. + + Language: The server can serve content in a particular language, + based on an assumption that clients accessing the domain speak a + particular language, or based on an assumption that clients coming + from a particular IP address speak a certain language. + + Data Formats: The server can assume that the client supports a + particular set of MIME types and is only capable of sending ones + within that set. When it generates content in a protocol + response, it ignores any content negotiation headers that were + present in the request. For example, a web server might ignore + the Accept HTTP header field and send a specific image format. + + + + + + + +Rosenberg Informational [Page 7] + +RFC 4367 Name Assumptions February 2006 + + + Protocol Extensions: The server might assume that the client supports + a particular optional protocol extension, and so it does not + support the fallback behavior necessary in the case where the + client does not. + + Client Characteristics: The server might assume certain things about + the physical characteristics of its clients, such as memory + footprint, processing power, screen sizes, screen colors, pointing + devices, and so on. Based on these assumptions, it might choose + specific behaviors when processing a request. For example, a web + server might always assume that clients connect through cell + phones, and therefore return content that lacks images and is + tuned for such devices. + +5. Consequences of False Assumptions + + There are numerous negative outcomes that can arise from the various + false assumptions that users, servers, and clients can make. These + include: + + Interoperability Failure: In these cases, the client or server + assumed some kind of protocol operation, and this assumption was + wrong. The result is that the two are unable to communicate, and + the user receives some kind of an error. This represents a total + interoperability failure, manifesting itself as a lack of service + to users of the system. Unfortunately, this kind of failure + persists. Repeated attempts over time by the client to access the + service will fail. Only a change in the server or client software + can fix this problem. + + System Failure: In these cases, the client or server misinterpreted a + protocol operation, and this misinterpretation was serious enough + to uncover a bug in the implementation. The bug causes a system + crash or some kind of outage, either transient or permanent (until + user reset). If this failure occurs in a server, not only will + the connecting client lose service, but other clients attempting + to connect will not get service. As an example, if a web server + assumes that content passed to it from a client (created, for + example, by a digital camera) is of a particular content type, and + it always passes image content to a codec for decompression prior + to storage, the codec might crash when it unexpectedly receives an + image compressed in a different format. Of course, it might crash + even if the Content-Type was correct, but the compressed bitstream + was invalid. False assumptions merely introduce additional + failure cases. + + + + + + +Rosenberg Informational [Page 8] + +RFC 4367 Name Assumptions February 2006 + + + Poor User Experience: In these cases, the client and server + communicate, but the user receives a diminished user experience. + For example, if a client on a PC connects to a web site that + provides content for mobile devices, the content may be + underwhelming when viewed on the PC. Or, a client accessing a + streaming media service may receive content of very low bitrate, + even though the client supported better codecs. Indeed, if a user + wishes to access content from both a cellular device and a PC + using a shared address book (that is, an address book shared + across multiple devices), the user would need two entries in that + address book, and would need to use the right one from the right + device. This is a poor user experience. + + Degraded Security: In these cases, a weaker security mechanism is + used than the one that ought to have been used. As an example, a + server in a domain might assume that it is only contacted by + clients with a limited set of authentication algorithms, even + though the clients have been recently upgraded to support a + stronger set. + +6. Reasons Why the Assumptions Can Be False + + Assumptions made by clients and servers about the operation of + protocols when contacting a particular domain are brittle, and can be + wrong for many reasons. On the server side, many of the assumptions + are based on the notion that a domain name will only be given to, or + used by, a restricted set of clients. If the holder of the domain + name assumes something about those clients, and can assume that only + those clients use the domain name, then it can configure or program + the server to operate specifically for those clients. Both parts of + this assumption can be wrong, as discussed in more detail below. + + On the client side, the notion is similar, being based on the + assumption that a server within a particular domain will provide a + specific type of service. Sub-delegation and evolution, both + discussed below, can make these assumptions wrong. + +6.1. Evolution + + The Internet and the devices that access it are constantly evolving, + often at a rapid pace. Unfortunately, there is a tendency to build + for the here and now, and then worry about the future at a later + time. Many of the assumptions above are predicated on + characteristics of today's clients and servers. Support for specific + protocols, authentication techniques, or content are based on today's + standards and today's devices. Even though they may, for the most + part, be true, they won't always be. An excellent example is mobile + devices. A server servicing a domain accessed by mobile devices + + + +Rosenberg Informational [Page 9] + +RFC 4367 Name Assumptions February 2006 + + + might try to make assumptions about the protocols, protocol + extensions, security mechanisms, screen sizes, or processor power of + such devices. However, all of these characteristics can and will + change over time. + + When they do change, the change is usually evolutionary. The result + is that the assumptions remain valid in some cases, but not in + others. It is difficult to fix such systems, since it requires the + server to detect what type of client is connecting, and what its + capabilities are. Unless the system is built and deployed with these + capability negotiation techniques built in to begin with, such + detection can be extremely difficult. In fact, fixing it will often + require the addition of such capability negotiation features that, if + they had been in place and used to begin with, would have avoided the + problem altogether. + +6.2. Leakage + + Servers also make assumptions because of the belief that they will + only be accessed by specific clients, and in particular, those that + are configured or provisioned to use the domain name. In essence, + there is an assumption of community -- that a specific community + knows and uses the domain name, while others outside of the community + do not. + + The problem is that this notion of community is a false one. The + Internet is global. The DNS is global. There is no technical + barrier that separates those inside of the community from those + outside. The ease with which information propagates across the + Internet makes it extremely likely that such domain names will + eventually find their way into clients outside of the presumed + community. The ubiquitous presence of domain names in various URI + formats, coupled with the ease of conveyance of URIs, makes such + leakage merely a matter of time. Furthermore, since the DNS is + global, and since it can only have one root [12], it becomes possible + for clients outside of the community to search and find and use such + "special" domain names. + + Indeed, this leakage is a strength of the Internet architecture, not + a weakness. It enables global access to services from any client + with a connection to the Internet. That, in turn, allows for rapid + growth in the number of customers for any particular service. + +6.3. Sub-Delegation + + Clients and users make assumptions about domains because of the + notion that there is some kind of centralized control that can + enforce those assumptions. However, the DNS is not centralized; it + + + +Rosenberg Informational [Page 10] + +RFC 4367 Name Assumptions February 2006 + + + is distributed. If a domain doesn't delegate its sub-domains and has + its records within a single zone, it is possible to maintain a + centralized policy about operation of its domain. However, once a + domain gets sufficiently large that the domain administrators begin + to delegate sub-domains to other authorities, it becomes increasingly + difficult to maintain any kind of central control on the nature of + the service provided in each sub-domain. + + Similarly, the usage of domain names with human semantic connotation + tends to lead to a registration of multiple domains in which a + particular service is to run. As an example, a service provider with + the name "example" might register and set up its services in + "example.com", "example.net", and generally example.foo for each foo + that is a valid TLD. This, like sub-delegation, results in a growth + in the number of domains over which it is difficult to maintain + centralized control. + + Not that it is not possible, since there are many examples of + successful administration of policies across sub-domains many levels + deep. However, it takes an increasing amount of effort to ensure + this result, as it requires human intervention and the creation of + process and procedure. Automated validation of adherence to policies + is very difficult to do, as there is no way to automatically verify + many policies that might be put into place. + + A less costly process for providing centralized management of + policies is to just hope that any centralized policies are being + followed, and then wait for complaints or perform random audits. + Those approaches have many problems. + + The invalidation of assumptions due to sub-delegation is discussed in + further detail in Section 4.1.3 of [8] and in Section 3.3 of [20]. + + As a result of the fragility of policy continuity across sub- + delegations, if a client or user assumes some kind of property + associated with a TLD (such as ".wifi"), it becomes increasingly more + likely with the number of sub-domains that this property will not + exist in a server identified by a particular name. For example, in + "store.chain.company.provider.wifi", there may be four levels of + delegation from ".wifi", making it quite likely that, unless the + holder of ".wifi" is working diligently, the properties that the + holder of ".wifi" wishes to enforce are not present. These + properties may not be present due to human error or due to a willful + decision not to adhere to them. + + + + + + + +Rosenberg Informational [Page 11] + +RFC 4367 Name Assumptions February 2006 + + +6.4. Mobility + + One of the primary value propositions of a hostname as an identifier + is its persistence. A client can change IP addresses, yet still + retain a persistent identifier used by other hosts to reach it. + Because their value derives from their persistence, hostnames tend to + move with a host not just as it changes IP addresses, but as it + changes access network providers and technologies. For this reason, + assumptions made about a host based on the presumed access network + corresponding to that hostname tend to be wrong over time. As an + example, a PC might normally be connected to its broadband provider, + and through dynamic DNS have a hostname within the domain of that + provider. However, one cannot assume that any host within that + network has access over a broadband link; the user could connect + their PC over a low-bandwidth wireless access network and still + retain its domain name. + +6.5. Human Error + + Of course, human error can be the source of errors in any system, and + the same is true here. There are many examples relevant to the + problem under discussion. + + A client implementation may make the assumption that, just because a + DNS SRV record exists for a particular protocol in a particular + domain, indicating that the service is available on some port, that + the service is, in fact, running there. This assumption could be + wrong because the SRV records haven't been updated by the system + administrators to reflect the services currently running. As another + example, a client might assume that a particular domain policy + applies to all sub-domains. However, a system administrator might + have omitted to apply the policy to servers running in one of those + sub-domains. + +7. Recommendations + + Based on these problems, the clear conclusion is that clients, + servers, and users should not make assumptions on the nature of the + service provided to, or by, a domain. More specifically, however, + the following can be said: + + Follow the specifications: When specifications define mandatory + baseline procedures and formats, those should be implemented and + supported, even if the expectation is that optional procedures + will most often be used. For example, if a specification mandates + a particular baseline authentication technique, but allows others + to be negotiated and used, implementations need to implement the + baseline authentication algorithm even if the other ones are used + + + +Rosenberg Informational [Page 12] + +RFC 4367 Name Assumptions February 2006 + + + most of the time. Put more simply, the behavior of the protocol + machinery should never change based on the domain name of the + host. + + Use capability negotiation: Many protocols are engineered with + capability negotiation mechanisms. For example, a content + negotiation framework has been defined for protocols using MIME + content [13] [14] [15]. SIP allows for clients to negotiate the + media types used in the multimedia session, as well as protocol + parameters. HTTP allows for clients to negotiate the media types + returned in requests for content. When such features are + available in a protocol, client and servers should make use of + them rather than making assumptions about supported capabilities. + A corollary is that protocol designers should include such + mechanisms when evolution is expected in the usage of the + protocol. + + "Be liberal in what you accept, and conservative in what you send" + [18]: This axiom of Internet protocol design is applicable here + as well. Implementations should be prepared for the full breadth + of what a protocol allows another entity to send, rather than be + limiting in what it is willing to receive. + + To summarize -- there is never a need to make assumptions. Rather + than doing so, utilize the specifications and the negotiation + capabilities they provide, and the overall system will be robust and + interoperable. + +8. A Note on RFC 2219 and RFC 2782 + + Based on the definition of an assumption given here, the behavior + hinted at by records in the DNS also represents an assumption. RFC + 2219 [19] defines well-known aliases that can be used to construct + domain names for reaching various well-known services in a domain. + This approach was later followed by the definition of a new resource + record, the SRV record [2], which specifies that a particular service + is running on a server in a domain. Although both of these + mechanisms are useful as a hint that a particular service is running + in a domain, both of them represent assumptions that may be false. + However, they differ in the set of reasons why those assumptions + might be false. + + A client that assumes that "ftp.example.com" is an FTP server may be + wrong because the presumed naming convention in RFC 2219 was not + known by, or not followed by, the owner of domain.com. With RFC + 2782, an SRV record for a particular service would be present only by + explicit choice of the domain administrator, and thus a client that + + + + +Rosenberg Informational [Page 13] + +RFC 4367 Name Assumptions February 2006 + + + assumes that the corresponding host provides this service would be + wrong only because of human error in configuration. In this case, + the assumption is less likely to be wrong, but it certainly can be. + + The only way to determine with certainty that a service is running on + a host is to initiate a connection to the port for that service, and + check. Implementations need to be careful not to codify any + behaviors that cause failures should the information provided in the + record actually be false. This borders on common sense for robust + implementations, but it is valuable to raise this point explicitly. + +9. Security Considerations + + One of the assumptions that can be made by clients or servers is the + availability and usage (or lack thereof) of certain security + protocols and algorithms. For example, a client accessing a service + in a particular domain might assume a specific authentication + algorithm or hash function in the application protocol. It is + possible that, over time, weaknesses are found in such a technique, + requiring usage of a different mechanism. Similarly, a system might + start with an insecure mechanism, and then decide later on to use a + secure one. In either case, assumptions made on security properties + can result in interoperability failures, or worse yet, providing + service in an insecure way, even though the client asked for, and + thought it would get, secure service. These kinds of assumptions are + fundamentally unsound even if the records themselves are secured with + DNSSEC. + +10. Acknowledgements + + The IAB would like to thank John Klensin, Keith Moore and Peter Koch + for their comments. + +11. IAB Members + + Internet Architecture Board members at the time of writing of this + document are: + + Bernard Aboba + + Loa Andersson + + Brian Carpenter + + Leslie Daigle + + Patrik Faltstrom + + + + +Rosenberg Informational [Page 14] + +RFC 4367 Name Assumptions February 2006 + + + Bob Hinden + + Kurtis Lindqvist + + David Meyer + + Pekka Nikander + + Eric Rescorla + + Pete Resnick + + Jonathan Rosenberg + +12. Informative References + + [1] Mockapetris, P., "Domain names - concepts and facilities", + STD 13, RFC 1034, November 1987. + + [2] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for + specifying the location of services (DNS SRV)", RFC 2782, + February 2000. + + [3] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part + Three: The Domain Name System (DNS) Database", RFC 3403, + October 2002. + + [4] Davis, C., Vixie, P., Goodwin, T., and I. Dickinson, "A Means + for Expressing Location Information in the Domain Name System", + RFC 1876, January 1996. + + [5] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., + Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- + HTTP/1.1", RFC 2616, June 1999. + + [6] Schulzrinne, H., Rao, A., and R. Lanphier, "Real Time Streaming + Protocol (RTSP)", RFC 2326, April 1998. + + [7] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., + Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: + Session Initiation Protocol", RFC 3261, June 2002. + + [8] Eastlake, D., ".sex Considered Dangerous", RFC 3675, + February 2004. + + [9] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, + April 2001. + + + + +Rosenberg Informational [Page 15] + +RFC 4367 Name Assumptions February 2006 + + + [10] Niemi, A., Arkko, J., and V. Torvinen, "Hypertext Transfer + Protocol (HTTP) Digest Authentication Using Authentication and + Key Agreement (AKA)", RFC 3310, September 2002. + + [11] Freed, N. and N. Borenstein, "Multipurpose Internet Mail + Extensions (MIME) Part One: Format of Internet Message Bodies", + RFC 2045, November 1996. + + [12] Internet Architecture Board, "IAB Technical Comment on the + Unique DNS Root", RFC 2826, May 2000. + + [13] Klyne, G., "Indicating Media Features for MIME Content", + RFC 2912, September 2000. + + [14] Klyne, G., "A Syntax for Describing Media Feature Sets", + RFC 2533, March 1999. + + [15] Klyne, G., "Protocol-independent Content Negotiation + Framework", RFC 2703, September 1999. + + [16] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. + + [17] Rosenberg, J. and H. Schulzrinne, "Reliability of Provisional + Responses in Session Initiation Protocol (SIP)", RFC 3262, + June 2002. + + [18] Braden, R., "Requirements for Internet Hosts - Communication + Layers", STD 3, RFC 1122, October 1989. + + [19] Hamilton, M. and R. Wright, "Use of DNS Aliases for Network + Services", BCP 17, RFC 2219, October 1997. + + [20] Faltstrom, P., "Design Choices When Expanding DNS", Work in + Progress, June 2005. + +Author's Address + + Jonathan Rosenberg, Editor + IAB + 600 Lanidex Plaza + Parsippany, NJ 07054 + US + + Phone: +1 973 952-5000 + EMail: jdrosen@cisco.com + URI: http://www.jdrosen.net + + + + + +Rosenberg Informational [Page 16] + +RFC 4367 Name Assumptions February 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Rosenberg Informational [Page 17] + diff --git a/doc/rfc/rfc4398.txt b/doc/rfc/rfc4398.txt new file mode 100644 index 0000000000000..6437436e6a965 --- /dev/null +++ b/doc/rfc/rfc4398.txt @@ -0,0 +1,955 @@ + + + + + + +Network Working Group S. Josefsson +Request for Comments: 4398 March 2006 +Obsoletes: 2538 +Category: Standards Track + + + Storing Certificates in the Domain Name System (DNS) + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + Cryptographic public keys are frequently published, and their + authenticity is demonstrated by certificates. A CERT resource record + (RR) is defined so that such certificates and related certificate + revocation lists can be stored in the Domain Name System (DNS). + + This document obsoletes RFC 2538. + + + + + + + + + + + + + + + + + + + + + + + +Josefsson Standards Track [Page 1] + +RFC 4398 Storing Certificates in the DNS February 2006 + + +Table of Contents + + 1. Introduction ....................................................3 + 2. The CERT Resource Record ........................................3 + 2.1. Certificate Type Values ....................................4 + 2.2. Text Representation of CERT RRs ............................6 + 2.3. X.509 OIDs .................................................6 + 3. Appropriate Owner Names for CERT RRs ............................7 + 3.1. Content-Based X.509 CERT RR Names ..........................8 + 3.2. Purpose-Based X.509 CERT RR Names ..........................9 + 3.3. Content-Based OpenPGP CERT RR Names ........................9 + 3.4. Purpose-Based OpenPGP CERT RR Names .......................10 + 3.5. Owner Names for IPKIX, ISPKI, IPGP, and IACPKIX ...........10 + 4. Performance Considerations .....................................11 + 5. Contributors ...................................................11 + 6. Acknowledgements ...............................................11 + 7. Security Considerations ........................................12 + 8. IANA Considerations ............................................12 + 9. Changes since RFC 2538 .........................................13 + 10. References ....................................................14 + 10.1. Normative References .....................................14 + 10.2. Informative References ...................................15 + Appendix A. Copying Conditions ...................................16 + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Josefsson Standards Track [Page 2] + +RFC 4398 Storing Certificates in the DNS February 2006 + + +1. Introduction + + Public keys are frequently published in the form of a certificate, + and their authenticity is commonly demonstrated by certificates and + related certificate revocation lists (CRLs). A certificate is a + binding, through a cryptographic digital signature, of a public key, + a validity interval and/or conditions, and identity, authorization, + or other information. A certificate revocation list is a list of + certificates that are revoked, and of incidental information, all + signed by the signer (issuer) of the revoked certificates. Examples + are X.509 certificates/CRLs in the X.500 directory system or OpenPGP + certificates/revocations used by OpenPGP software. + + Section 2 specifies a CERT resource record (RR) for the storage of + certificates in the Domain Name System [1] [2]. + + Section 3 discusses appropriate owner names for CERT RRs. + + Sections 4, 7, and 8 cover performance, security, and IANA + considerations, respectively. + + Section 9 explains the changes in this document compared to RFC 2538. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [3]. + +2. The CERT Resource Record + + The CERT resource record (RR) has the structure given below. Its RR + type code is 37. + + 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | type | key tag | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | algorithm | / + +---------------+ certificate or CRL / + / / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| + + The type field is the certificate type as defined in Section 2.1 + below. + + The key tag field is the 16-bit value computed for the key embedded + in the certificate, using the RRSIG Key Tag algorithm described in + Appendix B of [12]. This field is used as an efficiency measure to + + + +Josefsson Standards Track [Page 3] + +RFC 4398 Storing Certificates in the DNS February 2006 + + + pick which CERT RRs may be applicable to a particular key. The key + tag can be calculated for the key in question, and then only CERT RRs + with the same key tag need to be examined. Note that two different + keys can have the same key tag. However, the key MUST be transformed + to the format it would have as the public key portion of a DNSKEY RR + before the key tag is computed. This is only possible if the key is + applicable to an algorithm and complies to limits (such as key size) + defined for DNS security. If it is not, the algorithm field MUST be + zero and the tag field is meaningless and SHOULD be zero. + + The algorithm field has the same meaning as the algorithm field in + DNSKEY and RRSIG RRs [12], except that a zero algorithm field + indicates that the algorithm is unknown to a secure DNS, which may + simply be the result of the algorithm not having been standardized + for DNSSEC [11]. + +2.1. Certificate Type Values + + The following values are defined or reserved: + + Value Mnemonic Certificate Type + ----- -------- ---------------- + 0 Reserved + 1 PKIX X.509 as per PKIX + 2 SPKI SPKI certificate + 3 PGP OpenPGP packet + 4 IPKIX The URL of an X.509 data object + 5 ISPKI The URL of an SPKI certificate + 6 IPGP The fingerprint and URL of an OpenPGP packet + 7 ACPKIX Attribute Certificate + 8 IACPKIX The URL of an Attribute Certificate + 9-252 Available for IANA assignment + 253 URI URI private + 254 OID OID private + 255 Reserved + 256-65279 Available for IANA assignment + 65280-65534 Experimental + 65535 Reserved + + These values represent the initial content of the IANA registry; see + Section 8. + + The PKIX type is reserved to indicate an X.509 certificate conforming + to the profile defined by the IETF PKIX working group [8]. The + certificate section will start with a one-octet unsigned OID length + and then an X.500 OID indicating the nature of the remainder of the + + + + + +Josefsson Standards Track [Page 4] + +RFC 4398 Storing Certificates in the DNS February 2006 + + + certificate section (see Section 2.3, below). (NOTE: X.509 + certificates do not include their X.500 directory-type-designating + OID as a prefix.) + + The SPKI and ISPKI types are reserved to indicate the SPKI + certificate format [15], for use when the SPKI documents are moved + from experimental status. The format for these two CERT RR types + will need to be specified later. + + The PGP type indicates an OpenPGP packet as described in [5] and its + extensions and successors. This is used to transfer public key + material and revocation signatures. The data is binary and MUST NOT + be encoded into an ASCII armor. An implementation SHOULD process + transferable public keys as described in Section 10.1 of [5], but it + MAY handle additional OpenPGP packets. + + The ACPKIX type indicates an Attribute Certificate format [9]. + + The IPKIX and IACPKIX types indicate a URL that will serve the + content that would have been in the "certificate, CRL, or URL" field + of the corresponding type (PKIX or ACPKIX, respectively). + + The IPGP type contains both an OpenPGP fingerprint for the key in + question, as well as a URL. The certificate portion of the IPGP CERT + RR is defined as a one-octet fingerprint length, followed by the + OpenPGP fingerprint, followed by the URL. The OpenPGP fingerprint is + calculated as defined in RFC 2440 [5]. A zero-length fingerprint or + a zero-length URL are legal, and indicate URL-only IPGP data or + fingerprint-only IPGP data, respectively. A zero-length fingerprint + and a zero-length URL are meaningless and invalid. + + The IPKIX, ISPKI, IPGP, and IACPKIX types are known as "indirect". + These types MUST be used when the content is too large to fit in the + CERT RR and MAY be used at the implementer's discretion. They SHOULD + NOT be used where the DNS message is 512 octets or smaller and could + thus be expected to fit a UDP packet. + + The URI private type indicates a certificate format defined by an + absolute URI. The certificate portion of the CERT RR MUST begin with + a null-terminated URI [10], and the data after the null is the + private format certificate itself. The URI SHOULD be such that a + retrieval from it will lead to documentation on the format of the + certificate. Recognition of private certificate types need not be + based on URI equality but can use various forms of pattern matching + so that, for example, subtype or version information can also be + encoded into the URI. + + + + + +Josefsson Standards Track [Page 5] + +RFC 4398 Storing Certificates in the DNS February 2006 + + + The OID private type indicates a private format certificate specified + by an ISO OID prefix. The certificate section will start with a + one-octet unsigned OID length and then a BER-encoded OID indicating + the nature of the remainder of the certificate section. This can be + an X.509 certificate format or some other format. X.509 certificates + that conform to the IETF PKIX profile SHOULD be indicated by the PKIX + type, not the OID private type. Recognition of private certificate + types need not be based on OID equality but can use various forms of + pattern matching such as OID prefix. + +2.2. Text Representation of CERT RRs + + The RDATA portion of a CERT RR has the type field as an unsigned + decimal integer or as a mnemonic symbol as listed in Section 2.1, + above. + + The key tag field is represented as an unsigned decimal integer. + + The algorithm field is represented as an unsigned decimal integer or + a mnemonic symbol as listed in [12]. + + The certificate/CRL portion is represented in base 64 [16] and may be + divided into any number of white-space-separated substrings, down to + single base-64 digits, which are concatenated to obtain the full + signature. These substrings can span lines using the standard + parenthesis. + + Note that the certificate/CRL portion may have internal sub-fields, + but these do not appear in the master file representation. For + example, with type 254, there will be an OID size, an OID, and then + the certificate/CRL proper. However, only a single logical base-64 + string will appear in the text representation. + +2.3. X.509 OIDs + + OIDs have been defined in connection with the X.500 directory for + user certificates, certification authority certificates, revocations + of certification authority, and revocations of user certificates. + The following table lists the OIDs, their BER encoding, and their + length-prefixed hex format for use in CERT RRs: + + + + + + + + + + + +Josefsson Standards Track [Page 6] + +RFC 4398 Storing Certificates in the DNS February 2006 + + + id-at-userCertificate + = { joint-iso-ccitt(2) ds(5) at(4) 36 } + == 0x 03 55 04 24 + id-at-cACertificate + = { joint-iso-ccitt(2) ds(5) at(4) 37 } + == 0x 03 55 04 25 + id-at-authorityRevocationList + = { joint-iso-ccitt(2) ds(5) at(4) 38 } + == 0x 03 55 04 26 + id-at-certificateRevocationList + = { joint-iso-ccitt(2) ds(5) at(4) 39 } + == 0x 03 55 04 27 + +3. Appropriate Owner Names for CERT RRs + + It is recommended that certificate CERT RRs be stored under a domain + name related to their subject, i.e., the name of the entity intended + to control the private key corresponding to the public key being + certified. It is recommended that certificate revocation list CERT + RRs be stored under a domain name related to their issuer. + + Following some of the guidelines below may result in DNS names with + characters that require DNS quoting as per Section 5.1 of RFC 1035 + [2]. + + The choice of name under which CERT RRs are stored is important to + clients that perform CERT queries. In some situations, the clients + may not know all information about the CERT RR object it wishes to + retrieve. For example, a client may not know the subject name of an + X.509 certificate, or the email address of the owner of an OpenPGP + key. Further, the client might only know the hostname of a service + that uses X.509 certificates or the Key ID of an OpenPGP key. + + Therefore, two owner name guidelines are defined: content-based owner + names and purpose-based owner names. A content-based owner name is + derived from the content of the CERT RR data; for example, the + Subject field in an X.509 certificate or the User ID field in OpenPGP + keys. A purpose-based owner name is a name that a client retrieving + CERT RRs ought to know already; for example, the host name of an + X.509 protected service or the Key ID of an OpenPGP key. The + content-based and purpose-based owner name may be the same; for + example, when a client looks up a key based on the From: address of + an incoming email. + + Implementations SHOULD use the purpose-based owner name guidelines + described in this document and MAY use CNAME RRs at content-based + owner names (or other names), pointing to the purpose-based owner + name. + + + +Josefsson Standards Track [Page 7] + +RFC 4398 Storing Certificates in the DNS February 2006 + + + Note that this section describes an application-based mapping from + the name space used in a certificate to the name space used by DNS. + The DNS does not infer any relationship amongst CERT resource records + based on similarities or differences of the DNS owner name(s) of CERT + resource records. For example, if multiple labels are used when + mapping from a CERT identifier to a domain name, then care must be + taken in understanding wildcard record synthesis. + +3.1. Content-Based X.509 CERT RR Names + + Some X.509 versions, such as the PKIX profile of X.509 [8], permit + multiple names to be associated with subjects and issuers under + "Subject Alternative Name" and "Issuer Alternative Name". For + example, the PKIX profile has such Alternate Names with an ASN.1 + specification as follows: + + GeneralName ::= CHOICE { + otherName [0] OtherName, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER } + + The recommended locations of CERT storage are as follows, in priority + order: + + 1. If a domain name is included in the identification in the + certificate or CRL, that ought to be used. + 2. If a domain name is not included but an IP address is included, + then the translation of that IP address into the appropriate + inverse domain name ought to be used. + 3. If neither of the above is used, but a URI containing a domain + name is present, that domain name ought to be used. + 4. If none of the above is included but a character string name is + included, then it ought to be treated as described below for + OpenPGP names. + 5. If none of the above apply, then the distinguished name (DN) + ought to be mapped into a domain name as specified in [4]. + + Example 1: An X.509v3 certificate is issued to /CN=John Doe /DC=Doe/ + DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative Names of (a) + string "John (the Man) Doe", (b) domain name john-doe.com, and (c) + URI . The storage locations + recommended, in priority order, would be + + + +Josefsson Standards Track [Page 8] + +RFC 4398 Storing Certificates in the DNS February 2006 + + + 1. john-doe.com, + 2. www.secure.john-doe.com, and + 3. Doe.com.xy. + + Example 2: An X.509v3 certificate is issued to /CN=James Hacker/ + L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a) + domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and + (c) string "James Hacker ". The + storage locations recommended, in priority order, would be + + 1. widget.foo.example, + 2. 201.13.251.10.in-addr.arpa, and + 3. hacker.mail.widget.foo.example. + +3.2. Purpose-Based X.509 CERT RR Names + + Due to the difficulty for clients that do not already possess a + certificate to reconstruct the content-based owner name, + purpose-based owner names are recommended in this section. + Recommendations for purpose-based owner names vary per scenario. The + following table summarizes the purpose-based X.509 CERT RR owner name + guidelines for use with S/MIME [17], SSL/TLS [13], and IPsec [14]: + + Scenario Owner name + ------------------ ---------------------------------------------- + S/MIME Certificate Standard translation of an RFC 2822 email + address. Example: An S/MIME certificate for + "postmaster@example.org" will use a standard + hostname translation of the owner name, + "postmaster.example.org". + + TLS Certificate Hostname of the TLS server. + + IPsec Certificate Hostname of the IPsec machine and/or, for IPv4 + or IPv6 addresses, the fully qualified domain + name in the appropriate reverse domain. + + An alternate approach for IPsec is to store raw public keys [18]. + +3.3. Content-Based OpenPGP CERT RR Names + + OpenPGP signed keys (certificates) use a general character string + User ID [5]. However, it is recommended by OpenPGP that such names + include the RFC 2822 [7] email address of the party, as in "Leslie + Example ". If such a format is used, the CERT + ought to be under the standard translation of the email address into + + + + + +Josefsson Standards Track [Page 9] + +RFC 4398 Storing Certificates in the DNS February 2006 + + + a domain name, which would be leslie.host.example in this case. If + no RFC 2822 name can be extracted from the string name, no specific + domain name is recommended. + + If a user has more than one email address, the CNAME type can be used + to reduce the amount of data stored in the DNS. For example: + + $ORIGIN example.org. + smith IN CERT PGP 0 0 + john.smith IN CNAME smith + js IN CNAME smith + +3.4. Purpose-Based OpenPGP CERT RR Names + + Applications that receive an OpenPGP packet containing encrypted or + signed data but do not know the email address of the sender will have + difficulties constructing the correct owner name and cannot use the + content-based owner name guidelines. However, these clients commonly + know the key fingerprint or the Key ID. The key ID is found in + OpenPGP packets, and the key fingerprint is commonly found in + auxiliary data that may be available. In this case, use of an owner + name identical to the key fingerprint and the key ID expressed in + hexadecimal [16] is recommended. For example: + + $ORIGIN example.org. + 0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ... + F835EDA21E94B565716F IN CERT PGP ... + B565716F IN CERT PGP ... + + If the same key material is stored for several owner names, the use + of CNAME may help avoid data duplication. Note that CNAME is not + always applicable, because it maps one owner name to the other for + all purposes, which may be sub-optimal when two keys with the same + Key ID are stored. + +3.5. Owner Names for IPKIX, ISPKI, IPGP, and IACPKIX + + These types are stored under the same owner names, both purpose- and + content-based, as the PKIX, SPKI, PGP, and ACPKIX types. + + + + + + + + + + + + +Josefsson Standards Track [Page 10] + +RFC 4398 Storing Certificates in the DNS February 2006 + + +4. Performance Considerations + + The Domain Name System (DNS) protocol was designed for small + transfers, typically below 512 octets. While larger transfers will + perform correctly and work is underway to make larger transfers more + efficient, it is still advisable at this time that every reasonable + effort be made to minimize the size of certificates stored within the + DNS. Steps that can be taken may include using the fewest possible + optional or extension fields and using short field values for + necessary variable-length fields. + + The RDATA field in the DNS protocol may only hold data of size 65535 + octets (64kb) or less. This means that each CERT RR MUST NOT contain + more than 64kb of payload, even if the corresponding certificate or + certificate revocation list is larger. This document addresses this + by defining "indirect" data types for each normal type. + + Deploying CERT RRs to support digitally signed email changes the + access patterns of DNS lookups from per-domain to per-user. If + digitally signed email and a key/certificate lookup based on CERT RRs + are deployed on a wide scale, this may lead to an increased DNS load, + with potential performance and cache effectiveness consequences. + Whether or not this load increase will be noticeable is not known. + +5. Contributors + + The majority of this document is copied verbatim from RFC 2538, by + Donald Eastlake 3rd and Olafur Gudmundsson. + +6. Acknowledgements + + Thanks to David Shaw and Michael Graff for their contributions to + earlier works that motivated, and served as inspiration for, this + document. + + This document was improved by suggestions and comments from Olivier + Dubuisson, Scott Hollenbeck, Russ Housley, Peter Koch, Olaf M. + Kolkman, Ben Laurie, Edward Lewis, John Loughney, Allison Mankin, + Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck, Samuel + Weiler, and Florian Weimer. No doubt the list is incomplete. We + apologize to anyone we left out. + + + + + + + + + + +Josefsson Standards Track [Page 11] + +RFC 4398 Storing Certificates in the DNS February 2006 + + +7. Security Considerations + + By definition, certificates contain their own authenticating + signatures. Thus, it is reasonable to store certificates in + non-secure DNS zones or to retrieve certificates from DNS with DNS + security checking not implemented or deferred for efficiency. The + results may be trusted if the certificate chain is verified back to a + known trusted key and this conforms with the user's security policy. + + Alternatively, if certificates are retrieved from a secure DNS zone + with DNS security checking enabled and are verified by DNS security, + the key within the retrieved certificate may be trusted without + verifying the certificate chain if this conforms with the user's + security policy. + + If an organization chooses to issue certificates for its employees, + placing CERT RRs in the DNS by owner name, and if DNSSEC (with NSEC) + is in use, it is possible for someone to enumerate all employees of + the organization. This is usually not considered desirable, for the + same reason that enterprise phone listings are not often publicly + published and are even marked confidential. + + Using the URI type introduces another level of indirection that may + open a new vulnerability. One method of securing that indirection is + to include a hash of the certificate in the URI itself. + + If DNSSEC is used, then the non-existence of a CERT RR and, + consequently, certificates or revocation lists can be securely + asserted. Without DNSSEC, this is not possible. + +8. IANA Considerations + + The IANA has created a new registry for CERT RR: certificate types. + The initial contents of this registry is: + + Decimal Type Meaning Reference + ------- ---- ------- --------- + 0 Reserved RFC 4398 + 1 PKIX X.509 as per PKIX RFC 4398 + 2 SPKI SPKI certificate RFC 4398 + 3 PGP OpenPGP packet RFC 4398 + 4 IPKIX The URL of an X.509 data object RFC 4398 + 5 ISPKI The URL of an SPKI certificate RFC 4398 + 6 IPGP The fingerprint and URL RFC 4398 + of an OpenPGP packet + 7 ACPKIX Attribute Certificate RFC 4398 + 8 IACPKIX The URL of an Attribute RFC 4398 + Certificate + + + +Josefsson Standards Track [Page 12] + +RFC 4398 Storing Certificates in the DNS February 2006 + + + 9-252 Available for IANA assignment + by IETF Standards action + 253 URI URI private RFC 4398 + 254 OID OID private RFC 4398 + 255 Reserved RFC 4398 + 256-65279 Available for IANA assignment + by IETF Consensus + 65280-65534 Experimental RFC 4398 + 65535 Reserved RFC 4398 + + Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can + only be assigned by an IETF standards action [6]. This document + assigns 0x0001 through 0x0008 and 0x00FD and 0x00FE. Certificate + types 0x0100 through 0xFEFF are assigned through IETF Consensus [6] + based on RFC documentation of the certificate type. The availability + of private types under 0x00FD and 0x00FE ought to satisfy most + requirements for proprietary or private types. + + The CERT RR reuses the DNS Security Algorithm Numbers registry. In + particular, the CERT RR requires that algorithm number 0 remain + reserved, as described in Section 2. The IANA will reference the + CERT RR as a user of this registry and value 0, in particular. + +9. Changes since RFC 2538 + + 1. Editorial changes to conform with new document requirements, + including splitting reference section into two parts and + updating the references to point at latest versions, and to add + some additional references. + 2. Improve terminology. For example replace "PGP" with "OpenPGP", + to align with RFC 2440. + 3. In Section 2.1, clarify that OpenPGP public key data are binary, + not the ASCII armored format, and reference 10.1 in RFC 2440 on + how to deal with OpenPGP keys, and acknowledge that + implementations may handle additional packet types. + 4. Clarify that integers in the representation format are decimal. + 5. Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis + terminology. Improve reference for Key Tag Algorithm + calculations. + 6. Add examples that suggest use of CNAME to reduce bandwidth. + 7. In Section 3, appended the last paragraphs that discuss + "content-based" vs "purpose-based" owner names. Add Section 3.2 + for purpose-based X.509 CERT owner names, and Section 3.4 for + purpose-based OpenPGP CERT owner names. + 8. Added size considerations. + 9. The SPKI types has been reserved, until RFC 2692/2693 is moved + from the experimental status. + 10. Added indirect types IPKIX, ISPKI, IPGP, and IACPKIX. + + + +Josefsson Standards Track [Page 13] + +RFC 4398 Storing Certificates in the DNS February 2006 + + + 11. An IANA registry of CERT type values was created. + +10. References + +10.1. Normative References + + [1] Mockapetris, P., "Domain names - concepts and facilities", + STD 13, RFC 1034, November 1987. + + [2] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [4] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri, + "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247, + January 1998. + + [5] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer, + "OpenPGP Message Format", RFC 2440, November 1998. + + [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA + Considerations Section in RFCs", BCP 26, RFC 2434, + October 1998. + + [7] Resnick, P., "Internet Message Format", RFC 2822, April 2001. + + [8] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 + Public Key Infrastructure Certificate and Certificate + Revocation List (CRL) Profile", RFC 3280, April 2002. + + [9] Farrell, S. and R. Housley, "An Internet Attribute Certificate + Profile for Authorization", RFC 3281, April 2002. + + [10] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform + Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, + January 2005. + + [11] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, + March 2005. + + [12] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Resource Records for the DNS Security Extensions", RFC 4034, + March 2005. + + + + + +Josefsson Standards Track [Page 14] + +RFC 4398 Storing Certificates in the DNS February 2006 + + +10.2. Informative References + + [13] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", + RFC 2246, January 1999. + + [14] Kent, S. and K. Seo, "Security Architecture for the Internet + Protocol", RFC 4301, December 2005. + + [15] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., + and T. Ylonen, "SPKI Certificate Theory", RFC 2693, + September 1999. + + [16] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", + RFC 3548, July 2003. + + [17] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions + (S/MIME) Version 3.1 Message Specification", RFC 3851, + July 2004. + + [18] Richardson, M., "A Method for Storing IPsec Keying Material in + DNS", RFC 4025, March 2005. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Josefsson Standards Track [Page 15] + +RFC 4398 Storing Certificates in the DNS February 2006 + + +Appendix A. Copying Conditions + + Regarding the portion of this document that was written by Simon + Josefsson ("the author", for the remainder of this section), the + author makes no guarantees and is not responsible for any damage + resulting from its use. The author grants irrevocable permission to + anyone to use, modify, and distribute it in any way that does not + diminish the rights of anyone else to use, modify, and distribute it, + provided that redistributed derivative works do not contain + misleading author or version information. Derivative works need not + be licensed under similar terms. + +Author's Address + + Simon Josefsson + + EMail: simon@josefsson.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Josefsson Standards Track [Page 16] + +RFC 4398 Storing Certificates in the DNS February 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Josefsson Standards Track [Page 17] + diff --git a/doc/rfc/rfc4408.txt b/doc/rfc/rfc4408.txt new file mode 100644 index 0000000000000..bc1b3f539cadd --- /dev/null +++ b/doc/rfc/rfc4408.txt @@ -0,0 +1,2691 @@ + + + + + + +Network Working Group M. Wong +Request for Comments: 4408 W. Schlitt +Category: Experimental April 2006 + + + Sender Policy Framework (SPF) for + Authorizing Use of Domains in E-Mail, Version 1 + +Status of This Memo + + This memo defines an Experimental Protocol for the Internet + community. It does not specify an Internet standard of any kind. + Discussion and suggestions for improvement are requested. + Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +IESG Note + + The following documents (RFC 4405, RFC 4406, RFC 4407, and RFC 4408) + are published simultaneously as Experimental RFCs, although there is + no general technical consensus and efforts to reconcile the two + approaches have failed. As such, these documents have not received + full IETF review and are published "AS-IS" to document the different + approaches as they were considered in the MARID working group. + + The IESG takes no position about which approach is to be preferred + and cautions the reader that there are serious open issues for each + approach and concerns about using them in tandem. The IESG believes + that documenting the different approaches does less harm than not + documenting them. + + Note that the Sender ID experiment may use DNS records that may have + been created for the current SPF experiment or earlier versions in + this set of experiments. Depending on the content of the record, + this may mean that Sender-ID heuristics would be applied incorrectly + to a message. Depending on the actions associated by the recipient + with those heuristics, the message may not be delivered or may be + discarded on receipt. + + Participants relying on Sender ID experiment DNS records are warned + that they may lose valid messages in this set of circumstances. + aParticipants publishing SPF experiment DNS records should consider + the advice given in section 3.4 of RFC 4406 and may wish to publish + both v=spf1 and spf2.0 records to avoid the conflict. + + + + +Wong & Schlitt Experimental [Page 1] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + Participants in the Sender-ID experiment need to be aware that the + way Resent-* header fields are used will result in failure to receive + legitimate email when interacting with standards-compliant systems + (specifically automatic forwarders which comply with the standards by + not adding Resent-* headers, and systems which comply with RFC 822 + but have not yet implemented RFC 2822 Resent-* semantics). It would + be inappropriate to advance Sender-ID on the standards track without + resolving this interoperability problem. + + The community is invited to observe the success or failure of the two + approaches during the two years following publication, in order that + a community consensus can be reached in the future. + +Abstract + + E-mail on the Internet can be forged in a number of ways. In + particular, existing protocols place no restriction on what a sending + host can use as the reverse-path of a message or the domain given on + the SMTP HELO/EHLO commands. This document describes version 1 of + the Sender Policy Framework (SPF) protocol, whereby a domain may + explicitly authorize the hosts that are allowed to use its domain + name, and a receiving host may check such authorization. + +Table of Contents + + 1. Introduction ....................................................4 + 1.1. Protocol Status ............................................4 + 1.2. Terminology ................................................5 + 2. Operation .......................................................5 + 2.1. The HELO Identity ..........................................5 + 2.2. The MAIL FROM Identity .....................................5 + 2.3. Publishing Authorization ...................................6 + 2.4. Checking Authorization .....................................6 + 2.5. Interpreting the Result ....................................7 + 2.5.1. None ................................................8 + 2.5.2. Neutral .............................................8 + 2.5.3. Pass ................................................8 + 2.5.4. Fail ................................................8 + 2.5.5. SoftFail ............................................9 + 2.5.6. TempError ...........................................9 + 2.5.7. PermError ...........................................9 + 3. SPF Records .....................................................9 + 3.1. Publishing ................................................10 + 3.1.1. DNS Resource Record Types ..........................10 + 3.1.2. Multiple DNS Records ...............................11 + 3.1.3. Multiple Strings in a Single DNS record ............11 + 3.1.4. Record Size ........................................11 + 3.1.5. Wildcard Records ...................................11 + + + +Wong & Schlitt Experimental [Page 2] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + 4. The check_host() Function ......................................12 + 4.1. Arguments .................................................12 + 4.2. Results ...................................................13 + 4.3. Initial Processing ........................................13 + 4.4. Record Lookup .............................................13 + 4.5. Selecting Records .........................................13 + 4.6. Record Evaluation .........................................14 + 4.6.1. Term Evaluation ....................................14 + 4.6.2. Mechanisms .........................................15 + 4.6.3. Modifiers ..........................................15 + 4.7. Default Result ............................................16 + 4.8. Domain Specification ......................................16 + 5. Mechanism Definitions ..........................................16 + 5.1. "all" .....................................................17 + 5.2. "include" .................................................18 + 5.3. "a" .......................................................19 + 5.4. "mx" ......................................................20 + 5.5. "ptr" .....................................................20 + 5.6. "ip4" and "ip6" ...........................................21 + 5.7. "exists" ..................................................22 + 6. Modifier Definitions ...........................................22 + 6.1. redirect: Redirected Query ................................23 + 6.2. exp: Explanation ..........................................23 + 7. The Received-SPF Header Field ..................................25 + 8. Macros .........................................................27 + 8.1. Macro Definitions .........................................27 + 8.2. Expansion Examples ........................................30 + 9. Implications ...................................................31 + 9.1. Sending Domains ...........................................31 + 9.2. Mailing Lists .............................................32 + 9.3. Forwarding Services and Aliases ...........................32 + 9.4. Mail Services .............................................34 + 9.5. MTA Relays ................................................34 + 10. Security Considerations .......................................35 + 10.1. Processing Limits ........................................35 + 10.2. SPF-Authorized E-Mail May Contain Other False + Identities ...............................................37 + 10.3. Spoofed DNS and IP Data ..................................37 + 10.4. Cross-User Forgery .......................................37 + 10.5. Untrusted Information Sources ............................38 + 10.6. Privacy Exposure .........................................38 + 11. Contributors and Acknowledgements .............................38 + 12. IANA Considerations ...........................................39 + 12.1. The SPF DNS Record Type ..................................39 + 12.2. The Received-SPF Mail Header Field .......................39 + 13. References ....................................................39 + 13.1. Normative References .....................................39 + 13.2. Informative References ...................................40 + + + +Wong & Schlitt Experimental [Page 3] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + Appendix A. Collected ABNF .......................................42 + Appendix B. Extended Examples ....................................44 + B.1. Simple Examples ..........................................44 + B.2. Multiple Domain Example ..................................45 + B.3. DNSBL Style Example ......................................46 + B.4. Multiple Requirements Example ............................46 + +1. Introduction + + The current E-Mail infrastructure has the property that any host + injecting mail into the mail system can identify itself as any domain + name it wants. Hosts can do this at a variety of levels: in + particular, the session, the envelope, and the mail headers. + Although this feature is desirable in some circumstances, it is a + major obstacle to reducing Unsolicited Bulk E-Mail (UBE, aka spam). + Furthermore, many domain name holders are understandably concerned + about the ease with which other entities may make use of their domain + names, often with malicious intent. + + This document defines a protocol by which domain owners may authorize + hosts to use their domain name in the "MAIL FROM" or "HELO" identity. + Compliant domain holders publish Sender Policy Framework (SPF) + records specifying which hosts are permitted to use their names, and + compliant mail receivers use the published SPF records to test the + authorization of sending Mail Transfer Agents (MTAs) using a given + "HELO" or "MAIL FROM" identity during a mail transaction. + + An additional benefit to mail receivers is that after the use of an + identity is verified, local policy decisions about the mail can be + made based on the sender's domain, rather than the host's IP address. + This is advantageous because reputation of domain names is likely to + be more accurate than reputation of host IP addresses. Furthermore, + if a claimed identity fails verification, local policy can take + stronger action against such E-Mail, such as rejecting it. + +1.1. Protocol Status + + SPF has been in development since the summer of 2003 and has seen + deployment beyond the developers beginning in December 2003. The + design of SPF slowly evolved until the spring of 2004 and has since + stabilized. There have been quite a number of forms of SPF, some + written up as documents, some submitted as Internet Drafts, and many + discussed and debated in development forums. + + The goal of this document is to clearly document the protocol defined + by earlier draft specifications of SPF as used in existing + implementations. This conception of SPF is sometimes called "SPF + Classic". It is understood that particular implementations and + + + +Wong & Schlitt Experimental [Page 4] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + deployments may differ from, and build upon, this work. It is hoped + that we have nonetheless captured the common understanding of SPF + version 1. + +1.2. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + + This document is concerned with the portion of a mail message + commonly called "envelope sender", "return path", "reverse path", + "bounce address", "2821 FROM", or "MAIL FROM". Since these terms are + either not well defined or often used casually, this document defines + the "MAIL FROM" identity in Section 2.2. Note that other terms that + may superficially look like the common terms, such as "reverse-path", + are used only with the defined meanings from normative documents. + +2. Operation + +2.1. The HELO Identity + + The "HELO" identity derives from either the SMTP HELO or EHLO command + (see [RFC2821]). These commands supply the SMTP client (sending + host) for the SMTP session. Note that requirements for the domain + presented in the EHLO or HELO command are not always clear to the + sending party, and SPF clients must be prepared for the "HELO" + identity to be malformed or an IP address literal. At the time of + this writing, many legitimate E-Mails are delivered with invalid HELO + domains. + + It is RECOMMENDED that SPF clients not only check the "MAIL FROM" + identity, but also separately check the "HELO" identity by applying + the check_host() function (Section 4) to the "HELO" identity as the + . + +2.2. The MAIL FROM Identity + + The "MAIL FROM" identity derives from the SMTP MAIL command (see + [RFC2821]). This command supplies the "reverse-path" for a message, + which generally consists of the sender mailbox, and is the mailbox to + which notification messages are to be sent if there are problems + delivering the message. + + [RFC2821] allows the reverse-path to be null (see Section 4.5.5 in + RFC 2821). In this case, there is no explicit sender mailbox, and + such a message can be assumed to be a notification message from the + mail system itself. When the reverse-path is null, this document + + + +Wong & Schlitt Experimental [Page 5] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + defines the "MAIL FROM" identity to be the mailbox composed of the + localpart "postmaster" and the "HELO" identity (which may or may not + have been checked separately before). + + SPF clients MUST check the "MAIL FROM" identity. SPF clients check + the "MAIL FROM" identity by applying the check_host() function to the + "MAIL FROM" identity as the . + +2.3. Publishing Authorization + + An SPF-compliant domain MUST publish a valid SPF record as described + in Section 3. This record authorizes the use of the domain name in + the "HELO" and "MAIL FROM" identities by the MTAs it specifies. + + If domain owners choose to publish SPF records, it is RECOMMENDED + that they end in "-all", or redirect to other records that do, so + that a definitive determination of authorization can be made. + + Domain holders may publish SPF records that explicitly authorize no + hosts if mail should never originate using that domain. + + When changing SPF records, care must be taken to ensure that there is + a transition period so that the old policy remains valid until all + legitimate E-Mail has been checked. + +2.4. Checking Authorization + + A mail receiver can perform a set of SPF checks for each mail message + it receives. An SPF check tests the authorization of a client host + to emit mail with a given identity. Typically, such checks are done + by a receiving MTA, but can be performed elsewhere in the mail + processing chain so long as the required information is available and + reliable. At least the "MAIL FROM" identity MUST be checked, but it + is RECOMMENDED that the "HELO" identity also be checked beforehand. + + Without explicit approval of the domain owner, checking other + identities against SPF version 1 records is NOT RECOMMENDED because + there are cases that are known to give incorrect results. For + example, almost all mailing lists rewrite the "MAIL FROM" identity + (see Section 9.2), but some do not change any other identities in the + message. The scenario described in Section 9.3, sub-section 1.2, is + another example. Documents that define other identities should + define the method for explicit approval. + + It is possible that mail receivers will use the SPF check as part of + a larger set of tests on incoming mail. The results of other tests + may influence whether or not a particular SPF check is performed. + For example, finding the sending host's IP address on a local white + + + +Wong & Schlitt Experimental [Page 6] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + list may cause all other tests to be skipped and all mail from that + host to be accepted. + + When a mail receiver decides to perform an SPF check, it MUST use a + correctly-implemented check_host() function (Section 4) evaluated + with the correct parameters. Although the test as a whole is + optional, once it has been decided to perform a test it must be + performed as specified so that the correct semantics are preserved + between publisher and receiver. + + To make the test, the mail receiver MUST evaluate the check_host() + function with the arguments set as follows: + + - the IP address of the SMTP client that is emitting the + mail, either IPv4 or IPv6. + + - the domain portion of the "MAIL FROM" or "HELO" identity. + + - the "MAIL FROM" or "HELO" identity. + + Note that the argument may not be a well-formed domain name. + For example, if the reverse-path was null, then the EHLO/HELO domain + is used, with its associated problems (see Section 2.1). In these + cases, check_host() is defined in Section 4.3 to return a "None" + result. + + Although invalid, malformed, or non-existent domains cause SPF checks + to return "None" because no SPF record can be found, it has long been + the policy of many MTAs to reject E-Mail from such domains, + especially in the case of invalid "MAIL FROM". In order to prevent + the circumvention of SPF records, rejecting E-Mail from invalid + domains should be considered. + + Implementations must take care to correctly extract the from + the data given with the SMTP MAIL FROM command as many MTAs will + still accept such things as source routes (see [RFC2821], Appendix + C), the %-hack (see [RFC1123]), and bang paths (see [RFC1983]). + These archaic features have been maliciously used to bypass security + systems. + +2.5. Interpreting the Result + + This section describes how software that performs the authorization + should interpret the results of the check_host() function. The + authorization check SHOULD be performed during the processing of the + SMTP transaction that sends the mail. This allows errors to be + returned directly to the sending MTA by way of SMTP replies. + + + + +Wong & Schlitt Experimental [Page 7] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + Performing the authorization after the SMTP transaction has finished + may cause problems, such as the following: (1) It may be difficult to + accurately extract the required information from potentially + deceptive headers; (2) legitimate E-Mail may fail because the + sender's policy may have since changed. + + Generating non-delivery notifications to forged identities that have + failed the authorization check is generally abusive and against the + explicit wishes of the identity owner. + +2.5.1. None + + A result of "None" means that no records were published by the domain + or that no checkable sender domain could be determined from the given + identity. The checking software cannot ascertain whether or not the + client host is authorized. + +2.5.2. Neutral + + The domain owner has explicitly stated that he cannot or does not + want to assert whether or not the IP address is authorized. A + "Neutral" result MUST be treated exactly like the "None" result; the + distinction exists only for informational purposes. Treating + "Neutral" more harshly than "None" would discourage domain owners + from testing the use of SPF records (see Section 9.1). + +2.5.3. Pass + + A "Pass" result means that the client is authorized to inject mail + with the given identity. The domain can now, in the sense of + reputation, be considered responsible for sending the message. + Further policy checks can now proceed with confidence in the + legitimate use of the identity. + +2.5.4. Fail + + A "Fail" result is an explicit statement that the client is not + authorized to use the domain in the given identity. The checking + software can choose to mark the mail based on this or to reject the + mail outright. + + If the checking software chooses to reject the mail during the SMTP + transaction, then it SHOULD use an SMTP reply code of 550 (see + [RFC2821]) and, if supported, the 5.7.1 Delivery Status Notification + (DSN) code (see [RFC3464]), in addition to an appropriate reply text. + The check_host() function may return either a default explanation + string or one from the domain that published the SPF records (see + Section 6.2). If the information does not originate with the + + + +Wong & Schlitt Experimental [Page 8] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + checking software, it should be made clear that the text is provided + by the sender's domain. For example: + + 550-5.7.1 SPF MAIL FROM check failed: + 550-5.7.1 The domain example.com explains: + 550 5.7.1 Please see http://www.example.com/mailpolicy.html + +2.5.5. SoftFail + + A "SoftFail" result should be treated as somewhere between a "Fail" + and a "Neutral". The domain believes the host is not authorized but + is not willing to make that strong of a statement. Receiving + software SHOULD NOT reject the message based solely on this result, + but MAY subject the message to closer scrutiny than normal. + + The domain owner wants to discourage the use of this host and thus + desires limited feedback when a "SoftFail" result occurs. For + example, the recipient's Mail User Agent (MUA) could highlight the + "SoftFail" status, or the receiving MTA could give the sender a + message using a technique called "greylisting" whereby the MTA can + issue an SMTP reply code of 451 (4.3.0 DSN code) with a note the + first time the message is received, but accept it the second time. + +2.5.6. TempError + + A "TempError" result means that the SPF client encountered a + transient error while performing the check. Checking software can + choose to accept or temporarily reject the message. If the message + is rejected during the SMTP transaction for this reason, the software + SHOULD use an SMTP reply code of 451 and, if supported, the 4.4.3 DSN + code. + +2.5.7. PermError + + A "PermError" result means that the domain's published records could + not be correctly interpreted. This signals an error condition that + requires manual intervention to be resolved, as opposed to the + TempError result. Be aware that if the domain owner uses macros + (Section 8), it is possible that this result is due to the checked + identities having an unexpected format. + +3. SPF Records + + An SPF record is a DNS Resource Record (RR) that declares which hosts + are, and are not, authorized to use a domain name for the "HELO" and + "MAIL FROM" identities. Loosely, the record partitions all hosts + into permitted and not-permitted sets (though some hosts might fall + into neither category). + + + +Wong & Schlitt Experimental [Page 9] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + The SPF record is a single string of text. An example record is the + following: + + v=spf1 +mx a:colo.example.com/28 -all + + This record has a version of "spf1" and three directives: "+mx", + "a:colo.example.com/28" (the + is implied), and "-all". + +3.1. Publishing + + Domain owners wishing to be SPF compliant must publish SPF records + for the hosts that are used in the "MAIL FROM" and "HELO" identities. + The SPF records are placed in the DNS tree at the host name it + pertains to, not a subdomain under it, such as is done with SRV + records. This is the same whether the TXT or SPF RR type (see + Section 3.1.1) is used. + + The example above in Section 3 might be published via these lines in + a domain zone file: + + example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all" + smtp-out.example.com. TXT "v=spf1 a -all" + + When publishing via TXT records, beware of other TXT records + published there for other purposes. They may cause problems with + size limits (see Section 3.1.4). + +3.1.1. DNS Resource Record Types + + This document defines a new DNS RR of type SPF, code 99. The format + of this type is identical to the TXT RR [RFC1035]. For either type, + the character content of the record is encoded as [US-ASCII]. + + It is recognized that the current practice (using a TXT record) is + not optimal, but it is necessary because there are a number of DNS + server and resolver implementations in common use that cannot handle + the new RR type. The two-record-type scheme provides a forward path + to the better solution of using an RR type reserved for this purpose. + + An SPF-compliant domain name SHOULD have SPF records of both RR + types. A compliant domain name MUST have a record of at least one + type. If a domain has records of both types, they MUST have + identical content. For example, instead of publishing just one + record as in Section 3.1 above, it is better to publish: + + example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all" + example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all" + + + + +Wong & Schlitt Experimental [Page 10] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + Example RRs in this document are shown with the TXT record type; + however, they could be published with the SPF type or with both + types. + +3.1.2. Multiple DNS Records + + A domain name MUST NOT have multiple records that would cause an + authorization check to select more than one record. See Section 4.5 + for the selection rules. + +3.1.3. Multiple Strings in a Single DNS record + + As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS + record (either TXT or SPF RR types) can be composed of more than one + string. If a published record contains multiple strings, then the + record MUST be treated as if those strings are concatenated together + without adding spaces. For example: + + IN TXT "v=spf1 .... first" "second string..." + + MUST be treated as equivalent to + + IN TXT "v=spf1 .... firstsecond string..." + + SPF or TXT records containing multiple strings are useful in + constructing records that would exceed the 255-byte maximum length of + a string within a single TXT or SPF RR record. + +3.1.4. Record Size + + The published SPF record for a given domain name SHOULD remain small + enough that the results of a query for it will fit within 512 octets. + This will keep even older DNS implementations from falling over to + TCP. Since the answer size is dependent on many things outside the + scope of this document, it is only possible to give this guideline: + If the combined length of the DNS name and the text of all the + records of a given type (TXT or SPF) is under 450 characters, then + DNS answers should fit in UDP packets. Note that when computing the + sizes for queries of the TXT format, one must take into account any + other TXT records published at the domain name. Records that are too + long to fit in a single UDP packet MAY be silently ignored by SPF + clients. + +3.1.5. Wildcard Records + + Use of wildcard records for publishing is not recommended. Care must + be taken if wildcard records are used. If a domain publishes + wildcard MX records, it may want to publish wildcard declarations, + + + +Wong & Schlitt Experimental [Page 11] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + subject to the same requirements and problems. In particular, the + declaration must be repeated for any host that has any RR records at + all, and for subdomains thereof. For example, the example given in + [RFC1034], Section 4.3.3, could be extended with the following: + + X.COM. MX 10 A.X.COM + X.COM. TXT "v=spf1 a:A.X.COM -all" + + *.X.COM. MX 10 A.X.COM + *.X.COM. TXT "v=spf1 a:A.X.COM -all" + + A.X.COM. A 1.2.3.4 + A.X.COM. MX 10 A.X.COM + A.X.COM. TXT "v=spf1 a:A.X.COM -all" + + *.A.X.COM. MX 10 A.X.COM + *.A.X.COM. TXT "v=spf1 a:A.X.COM -all" + + Notice that SPF records must be repeated twice for every name within + the domain: once for the name, and once with a wildcard to cover the + tree under the name. + + Use of wildcards is discouraged in general as they cause every name + under the domain to exist and queries against arbitrary names will + never return RCODE 3 (Name Error). + +4. The check_host() Function + + The check_host() function fetches SPF records, parses them, and + interprets them to determine whether a particular host is or is not + permitted to send mail with a given identity. Mail receivers that + perform this check MUST correctly evaluate the check_host() function + as described here. + + Implementations MAY use a different algorithm than the canonical + algorithm defined here, so long as the results are the same in all + cases. + +4.1. Arguments + + The check_host() function takes these arguments: + + - the IP address of the SMTP client that is emitting the + mail, either IPv4 or IPv6. + + - the domain that provides the sought-after authorization + information; initially, the domain portion of the "MAIL + FROM" or "HELO" identity. + + + +Wong & Schlitt Experimental [Page 12] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + - the "MAIL FROM" or "HELO" identity. + + The domain portion of will usually be the same as the + argument when check_host() is initially evaluated. However, + this will generally not be true for recursive evaluations (see + Section 5.2 below). + + Actual implementations of the check_host() function may need + additional arguments. + +4.2. Results + + The function check_host() can return one of several results described + in Section 2.5. Based on the result, the action to be taken is + determined by the local policies of the receiver. + +4.3. Initial Processing + + If the is malformed (label longer than 63 characters, zero- + length label not at the end, etc.) or is not a fully qualified domain + name, or if the DNS lookup returns "domain does not exist" (RCODE 3), + check_host() immediately returns the result "None". + + If the has no localpart, substitute the string "postmaster" + for the localpart. + +4.4. Record Lookup + + In accordance with how the records are published (see Section 3.1 + above), a DNS query needs to be made for the name, querying + for either RR type TXT, SPF, or both. If both SPF and TXT RRs are + looked up, the queries MAY be done in parallel. + + If all DNS lookups that are made return a server failure (RCODE 2), + or other error (RCODE other than 0 or 3), or time out, then + check_host() exits immediately with the result "TempError". + +4.5. Selecting Records + + Records begin with a version section: + + record = version terms *SP + version = "v=spf1" + + Starting with the set of records that were returned by the lookup, + record selection proceeds in two steps: + + + + + +Wong & Schlitt Experimental [Page 13] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + 1. Records that do not begin with a version section of exactly + "v=spf1" are discarded. Note that the version section is + terminated either by an SP character or the end of the record. A + record with a version section of "v=spf10" does not match and must + be discarded. + + 2. If any records of type SPF are in the set, then all records of + type TXT are discarded. + + After the above steps, there should be exactly one record remaining + and evaluation can proceed. If there are two or more records + remaining, then check_host() exits immediately with the result of + "PermError". + + If no matching records are returned, an SPF client MUST assume that + the domain makes no SPF declarations. SPF processing MUST stop and + return "None". + +4.6. Record Evaluation + + After one SPF record has been selected, the check_host() function + parses and interprets it to find a result for the current test. If + there are any syntax errors, check_host() returns immediately with + the result "PermError". + + Implementations MAY choose to parse the entire record first and + return "PermError" if the record is not syntactically well formed. + However, in all cases, any syntax errors anywhere in the record MUST + be detected. + +4.6.1. Term Evaluation + + There are two types of terms: mechanisms and modifiers. A record + contains an ordered list of these as specified in the following + Augmented Backus-Naur Form (ABNF). + + terms = *( 1*SP ( directive / modifier ) ) + + directive = [ qualifier ] mechanism + qualifier = "+" / "-" / "?" / "~" + mechanism = ( all / include + / A / MX / PTR / IP4 / IP6 / exists ) + modifier = redirect / explanation / unknown-modifier + unknown-modifier = name "=" macro-string + + name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) + + Most mechanisms allow a ":" or "/" character after the name. + + + +Wong & Schlitt Experimental [Page 14] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + Modifiers always contain an equals ('=') character immediately after + the name, and before any ":" or "/" characters that may be part of + the macro-string. + + Terms that do not contain any of "=", ":", or "/" are mechanisms, as + defined in Section 5. + + As per the definition of the ABNF notation in [RFC4234], mechanism + and modifier names are case-insensitive. + +4.6.2. Mechanisms + + Each mechanism is considered in turn from left to right. If there + are no more mechanisms, the result is specified in Section 4.7. + + When a mechanism is evaluated, one of three things can happen: it can + match, not match, or throw an exception. + + If it matches, processing ends and the qualifier value is returned as + the result of that record. If it does not match, processing + continues with the next mechanism. If it throws an exception, + mechanism processing ends and the exception value is returned. + + The possible qualifiers, and the results they return are as follows: + + "+" Pass + "-" Fail + "~" SoftFail + "?" Neutral + + The qualifier is optional and defaults to "+". + + When a mechanism matches and the qualifier is "-", then a "Fail" + result is returned and the explanation string is computed as + described in Section 6.2. + + The specific mechanisms are described in Section 5. + +4.6.3. Modifiers + + Modifiers are not mechanisms: they do not return match or not-match. + Instead they provide additional information. Although modifiers do + not directly affect the evaluation of the record, the "redirect" + modifier has an effect after all the mechanisms have been evaluated. + + + + + + + +Wong & Schlitt Experimental [Page 15] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +4.7. Default Result + + If none of the mechanisms match and there is no "redirect" modifier, + then the check_host() returns a result of "Neutral", just as if + "?all" were specified as the last directive. If there is a + "redirect" modifier, check_host() proceeds as defined in Section 6.1. + + Note that records SHOULD always use either a "redirect" modifier or + an "all" mechanism to explicitly terminate processing. + + For example: + + v=spf1 +mx -all + or + v=spf1 +mx redirect=_spf.example.com + +4.8. Domain Specification + + Several of these mechanisms and modifiers have a + section. The string is macro expanded (see Section 8). + The resulting string is the common presentation form of a fully- + qualified DNS name: a series of labels separated by periods. This + domain is called the in the rest of this document. + + Note: The result of the macro expansion is not subject to any further + escaping. Hence, this facility cannot produce all characters that + are legal in a DNS label (e.g., the control characters). However, + this facility is powerful enough to express legal host names and + common utility labels (such as "_spf") that are used in DNS. + + For several mechanisms, the is optional. If it is not + provided, the is used as the . + +5. Mechanism Definitions + + This section defines two types of mechanisms. + + Basic mechanisms contribute to the language framework. They do not + specify a particular type of authorization scheme. + + all + include + + Designated sender mechanisms are used to designate a set of + addresses as being permitted or not permitted to use the for + sending mail. + + + + + +Wong & Schlitt Experimental [Page 16] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + a + mx + ptr + ip4 + ip6 + exists + + The following conventions apply to all mechanisms that perform a + comparison between and an IP address at any point: + + If no CIDR-length is given in the directive, then and the IP + address are compared for equality. (Here, CIDR is Classless Inter- + Domain Routing.) + + If a CIDR-length is specified, then only the specified number of + high-order bits of and the IP address are compared for equality. + + When any mechanism fetches host addresses to compare with , when + is an IPv4 address, A records are fetched, when is an IPv6 + address, AAAA records are fetched. Even if the SMTP connection is + via IPv6, an IPv4-mapped IPv6 IP address (see [RFC3513], Section + 2.5.5) MUST still be considered an IPv4 address. + + Several mechanisms rely on information fetched from DNS. For these + DNS queries, except where noted, if the DNS server returns an error + (RCODE other than 0 or 3) or the query times out, the mechanism + throws the exception "TempError". If the server returns "domain does + not exist" (RCODE 3), then evaluation of the mechanism continues as + if the server returned no error (RCODE 0) and zero answer records. + +5.1. "all" + + all = "all" + + The "all" mechanism is a test that always matches. It is used as the + rightmost mechanism in a record to provide an explicit default. + + For example: + + v=spf1 a mx -all + + Mechanisms after "all" will never be tested. Any "redirect" modifier + (Section 6.1) has no effect when there is an "all" mechanism. + + + + + + + + +Wong & Schlitt Experimental [Page 17] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +5.2. "include" + + include = "include" ":" domain-spec + + The "include" mechanism triggers a recursive evaluation of + check_host(). The domain-spec is expanded as per Section 8. Then + check_host() is evaluated with the resulting string as the . + The and arguments remain the same as in the current + evaluation of check_host(). + + In hindsight, the name "include" was poorly chosen. Only the + evaluated result of the referenced SPF record is used, rather than + acting as if the referenced SPF record was literally included in the + first. For example, evaluating a "-all" directive in the referenced + record does not terminate the overall processing and does not + necessarily result in an overall "Fail". (Better names for this + mechanism would have been "if-pass", "on-pass", etc.) + + The "include" mechanism makes it possible for one domain to designate + multiple administratively-independent domains. For example, a vanity + domain "example.net" might send mail using the servers of + administratively-independent domains example.com and example.org. + + Example.net could say + + IN TXT "v=spf1 include:example.com include:example.org -all" + + This would direct check_host() to, in effect, check the records of + example.com and example.org for a "Pass" result. Only if the host + were not permitted for either of those domains would the result be + "Fail". + + + + + + + + + + + + + + + + + + + + +Wong & Schlitt Experimental [Page 18] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + Whether this mechanism matches, does not match, or throws an + exception depends on the result of the recursive evaluation of + check_host(): + + +---------------------------------+---------------------------------+ + | A recursive check_host() result | Causes the "include" mechanism | + | of: | to: | + +---------------------------------+---------------------------------+ + | Pass | match | + | | | + | Fail | not match | + | | | + | SoftFail | not match | + | | | + | Neutral | not match | + | | | + | TempError | throw TempError | + | | | + | PermError | throw PermError | + | | | + | None | throw PermError | + +---------------------------------+---------------------------------+ + + The "include" mechanism is intended for crossing administrative + boundaries. Although it is possible to use includes to consolidate + multiple domains that share the same set of designated hosts, domains + are encouraged to use redirects where possible, and to minimize the + number of includes within a single administrative domain. For + example, if example.com and example.org were managed by the same + entity, and if the permitted set of hosts for both domains was + "mx:example.com", it would be possible for example.org to specify + "include:example.com", but it would be preferable to specify + "redirect=example.com" or even "mx:example.com". + +5.3. "a" + + This mechanism matches if is one of the 's IP + addresses. + + A = "a" [ ":" domain-spec ] [ dual-cidr-length ] + + An address lookup is done on the . The is compared + to the returned address(es). If any address matches, the mechanism + matches. + + + + + + + +Wong & Schlitt Experimental [Page 19] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +5.4. "mx" + + This mechanism matches if is one of the MX hosts for a domain + name. + + MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] + + check_host() first performs an MX lookup on the . Then + it performs an address lookup on each MX name returned. The is + compared to each returned IP address. To prevent Denial of Service + (DoS) attacks, more than 10 MX names MUST NOT be looked up during the + evaluation of an "mx" mechanism (see Section 10). If any address + matches, the mechanism matches. + + Note regarding implicit MXs: If the has no MX records, + check_host() MUST NOT pretend the target is its single MX, and MUST + NOT default to an A lookup on the directly. This + behavior breaks with the legacy "implicit MX" rule. See [RFC2821], + Section 5. If such behavior is desired, the publisher should specify + an "a" directive. + +5.5. "ptr" + + This mechanism tests whether the DNS reverse-mapping for exists + and correctly points to a domain name within a particular domain. + + PTR = "ptr" [ ":" domain-spec ] + + First, the 's name is looked up using this procedure: perform a + DNS reverse-mapping for , looking up the corresponding PTR record + in "in-addr.arpa." if the address is an IPv4 one and in "ip6.arpa." + if it is an IPv6 address. For each record returned, validate the + domain name by looking up its IP address. To prevent DoS attacks, + more than 10 PTR names MUST NOT be looked up during the evaluation of + a "ptr" mechanism (see Section 10). If is among the returned IP + addresses, then that domain name is validated. In pseudocode: + + sending-domain_names := ptr_lookup(sending-host_IP); if more than 10 + sending-domain_names are found, use at most 10. for each name in + (sending-domain_names) { + IP_addresses := a_lookup(name); + if the sending-domain_IP is one of the IP_addresses { + validated-sending-domain_names += name; + } } + + Check all validated domain names to see if they end in the + domain. If any do, this mechanism matches. If no + validated domain name can be found, or if none of the validated + + + +Wong & Schlitt Experimental [Page 20] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + domain names end in the , this mechanism fails to match. + If a DNS error occurs while doing the PTR RR lookup, then this + mechanism fails to match. If a DNS error occurs while doing an A RR + lookup, then that domain name is skipped and the search continues. + + Pseudocode: + + for each name in (validated-sending-domain_names) { + if name ends in , return match. + if name is , return match. + } + return no-match. + + This mechanism matches if the is either an ancestor of + a validated domain name or if the and a validated + domain name are the same. For example: "mail.example.com" is within + the domain "example.com", but "mail.bad-example.com" is not. + + Note: Use of this mechanism is discouraged because it is slow, it is + not as reliable as other mechanisms in cases of DNS errors, and it + places a large burden on the arpa name servers. If used, proper PTR + records must be in place for the domain's hosts and the "ptr" + mechanism should be one of the last mechanisms checked. + +5.6. "ip4" and "ip6" + + These mechanisms test whether is contained within a given IP + network. + + IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ] + IP6 = "ip6" ":" ip6-network [ ip6-cidr-length ] + + ip4-cidr-length = "/" 1*DIGIT + ip6-cidr-length = "/" 1*DIGIT + dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] + + ip4-network = qnum "." qnum "." qnum "." qnum + qnum = DIGIT ; 0-9 + / %x31-39 DIGIT ; 10-99 + / "1" 2DIGIT ; 100-199 + / "2" %x30-34 DIGIT ; 200-249 + / "25" %x30-35 ; 250-255 + ; as per conventional dotted quad notation. e.g., 192.0.2.0 + ip6-network = + ; e.g., 2001:DB8::CD30 + + The is compared to the given network. If CIDR-length high-order + bits match, the mechanism matches. + + + +Wong & Schlitt Experimental [Page 21] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + If ip4-cidr-length is omitted, it is taken to be "/32". If + ip6-cidr-length is omitted, it is taken to be "/128". It is not + permitted to omit parts of the IP address instead of using CIDR + notations. That is, use 192.0.2.0/24 instead of 192.0.2. + +5.7. "exists" + + This mechanism is used to construct an arbitrary domain name that is + used for a DNS A record query. It allows for complicated schemes + involving arbitrary parts of the mail envelope to determine what is + permitted. + + exists = "exists" ":" domain-spec + + The domain-spec is expanded as per Section 8. The resulting domain + name is used for a DNS A RR lookup. If any A record is returned, + this mechanism matches. The lookup type is A even when the + connection type is IPv6. + + Domains can use this mechanism to specify arbitrarily complex + queries. For example, suppose example.com publishes the record: + + v=spf1 exists:%{ir}.%{l1r+-}._spf.%{d} -all + + The might expand to + "1.2.0.192.someuser._spf.example.com". This makes fine-grained + decisions possible at the level of the user and client IP address. + + This mechanism enables queries that mimic the style of tests that + existing anti-spam DNS blacklists (DNSBL) use. + +6. Modifier Definitions + + Modifiers are name/value pairs that provide additional information. + Modifiers always have an "=" separating the name and the value. + + The modifiers defined in this document ("redirect" and "exp") MAY + appear anywhere in the record, but SHOULD appear at the end, after + all mechanisms. Ordering of these two modifiers does not matter. + These two modifiers MUST NOT appear in a record more than once each. + If they do, then check_host() exits with a result of "PermError". + + Unrecognized modifiers MUST be ignored no matter where in a record, + or how often. This allows implementations of this document to + gracefully handle records with modifiers that are defined in other + specifications. + + + + + +Wong & Schlitt Experimental [Page 22] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +6.1. redirect: Redirected Query + + If all mechanisms fail to match, and a "redirect" modifier is + present, then processing proceeds as follows: + + redirect = "redirect" "=" domain-spec + + The domain-spec portion of the redirect section is expanded as per + the macro rules in Section 8. Then check_host() is evaluated with + the resulting string as the . The and + arguments remain the same as current evaluation of check_host(). + + The result of this new evaluation of check_host() is then considered + the result of the current evaluation with the exception that if no + SPF record is found, or if the target-name is malformed, the result + is a "PermError" rather than "None". + + Note that the newly-queried domain may itself specify redirect + processing. + + This facility is intended for use by organizations that wish to apply + the same record to multiple domains. For example: + + la.example.com. TXT "v=spf1 redirect=_spf.example.com" + ny.example.com. TXT "v=spf1 redirect=_spf.example.com" + sf.example.com. TXT "v=spf1 redirect=_spf.example.com" + _spf.example.com. TXT "v=spf1 mx:example.com -all" + + In this example, mail from any of the three domains is described by + the same record. This can be an administrative advantage. + + Note: In general, the domain "A" cannot reliably use a redirect to + another domain "B" not under the same administrative control. Since + the stays the same, there is no guarantee that the record at + domain "B" will correctly work for mailboxes in domain "A", + especially if domain "B" uses mechanisms involving localparts. An + "include" directive may be more appropriate. + + For clarity, it is RECOMMENDED that any "redirect" modifier appear as + the very last term in a record. + +6.2. exp: Explanation + + explanation = "exp" "=" domain-spec + + If check_host() results in a "Fail" due to a mechanism match (such as + "-all"), and the "exp" modifier is present, then the explanation + string returned is computed as described below. If no "exp" modifier + + + +Wong & Schlitt Experimental [Page 23] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + is present, then either a default explanation string or an empty + explanation string may be returned. + + The is macro expanded (see Section 8) and becomes the + . The DNS TXT record for the is fetched. + + If is empty, or there are any DNS processing errors + (any RCODE other than 0), or if no records are returned, or if more + than one record is returned, or if there are syntax errors in the + explanation string, then proceed as if no exp modifier was given. + + The fetched TXT record's strings are concatenated with no spaces, and + then treated as an , which is macro-expanded. This + final result is the explanation string. Implementations MAY limit + the length of the resulting explanation string to allow for other + protocol constraints and/or reasonable processing limits. Since the + explanation string is intended for an SMTP response and [RFC2821] + Section 2.4 says that responses are in [US-ASCII], the explanation + string is also limited to US-ASCII. + + Software evaluating check_host() can use this string to communicate + information from the publishing domain in the form of a short message + or URL. Software SHOULD make it clear that the explanation string + comes from a third party. For example, it can prepend the macro + string "%{o} explains: " to the explanation, such as shown in Section + 2.5.4. + + Suppose example.com has this record: + + v=spf1 mx -all exp=explain._spf.%{d} + + Here are some examples of possible explanation TXT records at + explain._spf.example.com: + + "Mail from example.com should only be sent by its own servers." + -- a simple, constant message + + "%{i} is not one of %{d}'s designated mail servers." + -- a message with a little more information, including the IP + address that failed the check + + "See http://%{d}/why.html?s=%{S}&i=%{I}" + -- a complicated example that constructs a URL with the + arguments to check_host() so that a web page can be + generated with detailed, custom instructions + + Note: During recursion into an "include" mechanism, an exp= modifier + from the MUST NOT be used. In contrast, when executing + + + +Wong & Schlitt Experimental [Page 24] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + a "redirect" modifier, an exp= modifier from the original domain MUST + NOT be used. + +7. The Received-SPF Header Field + + It is RECOMMENDED that SMTP receivers record the result of SPF + processing in the message header. If an SMTP receiver chooses to do + so, it SHOULD use the "Received-SPF" header field defined here for + each identity that was checked. This information is intended for the + recipient. (Information intended for the sender is described in + Section 6.2, Explanation.) + + The Received-SPF header field is a trace field (see [RFC2822] Section + 3.6.7) and SHOULD be prepended to the existing header, above the + Received: field that is generated by the SMTP receiver. It MUST + appear above all other Received-SPF fields in the message. The + header field has the following format: + + header-field = "Received-SPF:" [CFWS] result FWS [comment FWS] + [ key-value-list ] CRLF + + result = "Pass" / "Fail" / "SoftFail" / "Neutral" / + "None" / "TempError" / "PermError" + + key-value-list = key-value-pair *( ";" [CFWS] key-value-pair ) + [";"] + + key-value-pair = key [CFWS] "=" ( dot-atom / quoted-string ) + + key = "client-ip" / "envelope-from" / "helo" / + "problem" / "receiver" / "identity" / + mechanism / "x-" name / name + + identity = "mailfrom" ; for the "MAIL FROM" identity + / "helo" ; for the "HELO" identity + / name ; other identities + + dot-atom = + quoted-string = + comment = + CFWS = + FWS = + CRLF = + + The header field SHOULD include a "(...)" style after the + result, conveying supporting information for the result, such as + , , and . + + + + +Wong & Schlitt Experimental [Page 25] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + The following key-value pairs are designed for later machine parsing. + SPF clients SHOULD give enough information so that the SPF results + can be verified. That is, at least "client-ip", "helo", and, if the + "MAIL FROM" identity was checked, "envelope-from". + + client-ip the IP address of the SMTP client + + envelope-from the envelope sender mailbox + + helo the host name given in the HELO or EHLO command + + mechanism the mechanism that matched (if no mechanisms matched, + substitute the word "default") + + problem if an error was returned, details about the error + + receiver the host name of the SPF client + + identity the identity that was checked; see the ABNF + rule + + Other keys may be defined by SPF clients. Until a new key name + becomes widely accepted, new key names should start with "x-". + + SPF clients MUST make sure that the Received-SPF header field does + not contain invalid characters, is not excessively long, and does not + contain malicious data that has been provided by the sender. + + Examples of various header styles that could be generated are the + following: + + Received-SPF: Pass (mybox.example.org: domain of + myname@example.com designates 192.0.2.1 as permitted sender) + receiver=mybox.example.org; client-ip=192.0.2.1; + envelope-from=; helo=foo.example.com; + + Received-SPF: Fail (mybox.example.org: domain of + myname@example.com does not designate + 192.0.2.1 as permitted sender) + identity=mailfrom; client-ip=192.0.2.1; + envelope-from=; + + + + + + + + + + +Wong & Schlitt Experimental [Page 26] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +8. Macros + +8.1. Macro Definitions + + Many mechanisms and modifiers perform macro expansion on part of the + term. + + domain-spec = macro-string domain-end + domain-end = ( "." toplabel [ "." ] ) / macro-expand + + toplabel = ( *alphanum ALPHA *alphanum ) / + ( 1*alphanum "-" *( alphanum / "-" ) alphanum ) + ; LDH rule plus additional TLD restrictions + ; (see [RFC3696], Section 2) + alphanum = ALPHA / DIGIT + + explain-string = *( macro-string / SP ) + + macro-string = *( macro-expand / macro-literal ) + macro-expand = ( "%{" macro-letter transformers *delimiter "}" ) + / "%%" / "%_" / "%-" + macro-literal = %x21-24 / %x26-7E + ; visible characters except "%" + macro-letter = "s" / "l" / "o" / "d" / "i" / "p" / "h" / + "c" / "r" / "t" + transformers = *DIGIT [ "r" ] + delimiter = "." / "-" / "+" / "," / "/" / "_" / "=" + + A literal "%" is expressed by "%%". + + "%_" expands to a single " " space. + "%-" expands to a URL-encoded space, viz., "%20". + + The following macro letters are expanded in term arguments: + + s = + l = local-part of + o = domain of + d = + i = + p = the validated domain name of + v = the string "in-addr" if is ipv4, or "ip6" if is ipv6 + h = HELO/EHLO domain + + + + + + + + +Wong & Schlitt Experimental [Page 27] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + The following macro letters are allowed only in "exp" text: + + c = SMTP client IP (easily readable format) + r = domain name of host performing the check + t = current timestamp + + A '%' character not followed by a '{', '%', '-', or '_' character is + a syntax error. So + + -exists:%(ir).sbl.spamhaus.example.org + + is incorrect and will cause check_host() to return a "PermError". + Instead, say + + -exists:%{ir}.sbl.spamhaus.example.org + + Optional transformers are the following: + + *DIGIT = zero or more digits + 'r' = reverse value, splitting on dots by default + + If transformers or delimiters are provided, the replacement value for + a macro letter is split into parts. After performing any reversal + operation and/or removal of left-hand parts, the parts are rejoined + using "." and not the original splitting characters. + + By default, strings are split on "." (dots). Note that no special + treatment is given to leading, trailing, or consecutive delimiters, + and so the list of parts may contain empty strings. Older + implementations of SPF prohibit trailing dots in domain names, so + trailing dots should not be published by domain owners, although they + must be accepted by implementations conforming to this document. + Macros may specify delimiter characters that are used instead of ".". + + The 'r' transformer indicates a reversal operation: if the client IP + address were 192.0.2.1, the macro %{i} would expand to "192.0.2.1" + and the macro %{ir} would expand to "1.2.0.192". + + The DIGIT transformer indicates the number of right-hand parts to + use, after optional reversal. If a DIGIT is specified, the value + MUST be nonzero. If no DIGITs are specified, or if the value + specifies more parts than are available, all the available parts are + used. If the DIGIT was 5, and only 3 parts were available, the macro + interpreter would pretend the DIGIT was 3. Implementations MUST + support at least a value of 128, as that is the maximum number of + labels in a domain name. + + + + + +Wong & Schlitt Experimental [Page 28] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + The "s" macro expands to the argument. It is an E-Mail + address with a localpart, an "@" character, and a domain. The "l" + macro expands to just the localpart. The "o" macro expands to just + the domain part. Note that these values remain the same during + recursive and chained evaluations due to "include" and/or "redirect". + Note also that if the original had no localpart, the + localpart was set to "postmaster" in initial processing (see Section + 4.3). + + For IPv4 addresses, both the "i" and "c" macros expand to the + standard dotted-quad format. + + For IPv6 addresses, the "i" macro expands to a dot-format address; it + is intended for use in %{ir}. The "c" macro may expand to any of the + hexadecimal colon-format addresses specified in [RFC3513], Section + 2.2. It is intended for humans to read. + + The "p" macro expands to the validated domain name of . The + procedure for finding the validated domain name is defined in Section + 5.5. If the is present in the list of validated domains, it + SHOULD be used. Otherwise, if a subdomain of the is + present, it SHOULD be used. Otherwise, any name from the list may be + used. If there are no validated domain names or if a DNS error + occurs, the string "unknown" is used. + + The "r" macro expands to the name of the receiving MTA. This SHOULD + be a fully qualified domain name, but if one does not exist (as when + the checking is done by a MUA) or if policy restrictions dictate + otherwise, the word "unknown" SHOULD be substituted. The domain name + may be different from the name found in the MX record that the client + MTA used to locate the receiving MTA. + + The "t" macro expands to the decimal representation of the + approximate number of seconds since the Epoch (Midnight, January 1, + 1970, UTC). This is the same value as is returned by the POSIX + time() function in most standards-compliant libraries. + + When the result of macro expansion is used in a domain name query, if + the expanded domain name exceeds 253 characters (the maximum length + of a domain name), the left side is truncated to fit, by removing + successive domain labels until the total length does not exceed 253 + characters. + + Uppercased macros expand exactly as their lowercased equivalents, and + are then URL escaped. URL escaping must be performed for characters + not in the "uric" set, which is defined in [RFC3986]. + + + + + +Wong & Schlitt Experimental [Page 29] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + Note: Care must be taken so that macro expansion for legitimate + E-Mail does not exceed the 63-character limit on DNS labels. The + localpart of E-Mail addresses, in particular, can have more than 63 + characters between dots. + + Note: Domains should avoid using the "s", "l", "o", or "h" macros in + conjunction with any mechanism directive. Although these macros are + powerful and allow per-user records to be published, they severely + limit the ability of implementations to cache results of check_host() + and they reduce the effectiveness of DNS caches. + + Implementations should be aware that if no directive processed during + the evaluation of check_host() contains an "s", "l", "o", or "h" + macro, then the results of the evaluation can be cached on the basis + of and alone for as long as the shortest Time To Live + (TTL) of all the DNS records involved. + +8.2. Expansion Examples + + The is strong-bad@email.example.com. + The IPv4 SMTP client IP is 192.0.2.3. + The IPv6 SMTP client IP is 2001:DB8::CB01. + The PTR domain name of the client IP is mx.example.org. + + macro expansion + ------- ---------------------------- + %{s} strong-bad@email.example.com + %{o} email.example.com + %{d} email.example.com + %{d4} email.example.com + %{d3} email.example.com + %{d2} example.com + %{d1} com + %{dr} com.example.email + %{d2r} example.email + %{l} strong-bad + %{l-} strong.bad + %{lr} strong-bad + %{lr-} bad.strong + %{l1r-} strong + + + + + + + + + + + +Wong & Schlitt Experimental [Page 30] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + macro-string expansion + -------------------------------------------------------------------- + %{ir}.%{v}._spf.%{d2} 3.2.0.192.in-addr._spf.example.com + %{lr-}.lp._spf.%{d2} bad.strong.lp._spf.example.com + + %{lr-}.lp.%{ir}.%{v}._spf.%{d2} + bad.strong.lp.3.2.0.192.in-addr._spf.example.com + + %{ir}.%{v}.%{l1r-}.lp._spf.%{d2} + 3.2.0.192.in-addr.strong.lp._spf.example.com + + %{d2}.trusted-domains.example.net + example.com.trusted-domains.example.net + + IPv6: + %{ir}.%{v}._spf.%{d2} 1.0.B.C.0.0.0.0. + 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6._spf.example.com + +9. Implications + + This section outlines the major implications that adoption of this + document will have on various entities involved in Internet E-Mail. + It is intended to make clear to the reader where this document + knowingly affects the operation of such entities. This section is + not a "how-to" manual, or a "best practices" document, and it is not + a comprehensive list of what such entities should do in light of this + document. + + This section is non-normative. + +9.1. Sending Domains + + Domains that wish to be compliant with this specification will need + to determine the list of hosts that they allow to use their domain + name in the "HELO" and "MAIL FROM" identities. It is recognized that + forming such a list is not just a simple technical exercise, but + involves policy decisions with both technical and administrative + considerations. + + It can be helpful to publish records that include a "tracking + exists:" mechanism. By looking at the name server logs, a rough list + may then be generated. For example: + + v=spf1 exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d} ?all + + + + + + + +Wong & Schlitt Experimental [Page 31] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +9.2. Mailing Lists + + Mailing lists must be aware of how they re-inject mail that is sent + to the list. Mailing lists MUST comply with the requirements in + [RFC2821], Section 3.10, and [RFC1123], Section 5.3.6, that say that + the reverse-path MUST be changed to be the mailbox of a person or + other entity who administers the list. Whereas the reasons for + changing the reverse-path are many and long-standing, SPF adds + enforcement to this requirement. + + In practice, almost all mailing list software in use already complies + with this requirement. Mailing lists that do not comply may or may + not encounter problems depending on how access to the list is + restricted. Such lists that are entirely internal to a domain (only + people in the domain can send to or receive from the list) are not + affected. + +9.3. Forwarding Services and Aliases + + Forwarding services take mail that is received at a mailbox and + direct it to some external mailbox. At the time of this writing, the + near-universal practice of such services is to use the original "MAIL + FROM" of a message when re-injecting it for delivery to the external + mailbox. [RFC1123] and [RFC2821] describe this action as an "alias" + rather than a "mail list". This means that the external mailbox's + MTA sees all such mail in a connection from a host of the forwarding + service, and so the "MAIL FROM" identity will not, in general, pass + authorization. + + There are three places that techniques can be used to ameliorate this + problem. + + 1. The beginning, when E-Mail is first sent. + + 1. "Neutral" results could be given for IP addresses that may be + forwarders, instead of "Fail" results. For example: + + "v=spf1 mx -exists:%{ir}.sbl.spamhaus.example.org ?all" + + This would cause a lookup on an anti-spam DNS blacklist + (DNSBL) and cause a result of "Fail" only for E-Mail coming + from listed sources. All other E-Mail, including E-Mail sent + through forwarders, would receive a "Neutral" result. By + checking the DNSBL after the known good sources, problems with + incorrect listing on the DNSBL are greatly reduced. + + + + + + +Wong & Schlitt Experimental [Page 32] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + 2. The "MAIL FROM" identity could have additional information in + the localpart that cryptographically identifies the mail as + coming from an authorized source. In this case, such an SPF + record could be used: + + "v=spf1 mx exists:%{l}._spf_verify.%{d} -all" + + Then, a specialized DNS server can be set up to serve the + _spf_verify subdomain that validates the localpart. Although + this requires an extra DNS lookup, this happens only when the + E-Mail would otherwise be rejected as not coming from a known + good source. + + Note that due to the 63-character limit for domain labels, + this approach only works reliably if the localpart signature + scheme is guaranteed either to only produce localparts with a + maximum of 63 characters or to gracefully handle truncated + localparts. + + 3. Similarly, a specialized DNS server could be set up that will + rate-limit the E-Mail coming from unexpected IP addresses. + + "v=spf1 mx exists:%{ir}._spf_rate.%{d} -all" + + 4. SPF allows the creation of per-user policies for special + cases. For example, the following SPF record and appropriate + wildcard DNS records can be used: + + "v=spf1 mx redirect=%{l1r+}._at_.%{o}._spf.%{d}" + + 2. The middle, when E-Mail is forwarded. + + 1. Forwarding services can solve the problem by rewriting the + "MAIL FROM" to be in their own domain. This means that mail + bounced from the external mailbox will have to be re-bounced + by the forwarding service. Various schemes to do this exist + though they vary widely in complexity and resource + requirements on the part of the forwarding service. + + 2. Several popular MTAs can be forced from "alias" semantics to + "mailing list" semantics by configuring an additional alias + with "owner-" prepended to the original alias name (e.g., an + alias of "friends: george@example.com, fred@example.org" would + need another alias of the form "owner-friends: localowner"). + + + + + + + +Wong & Schlitt Experimental [Page 33] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + 3. The end, when E-Mail is received. + + 1. If the owner of the external mailbox wishes to trust the + forwarding service, he can direct the external mailbox's MTA + to skip SPF tests when the client host belongs to the + forwarding service. + + 2. Tests against other identities, such as the "HELO" identity, + may be used to override a failed test against the "MAIL FROM" + identity. + + 3. For larger domains, it may not be possible to have a complete + or accurate list of forwarding services used by the owners of + the domain's mailboxes. In such cases, whitelists of + generally-recognized forwarding services could be employed. + +9.4. Mail Services + + Service providers that offer mail services to third-party domains, + such as sending of bulk mail, may want to adjust their setup in light + of the authorization check described in this document. If the "MAIL + FROM" identity used for such E-Mail uses the domain of the service + provider, then the provider needs only to ensure that its sending + host is authorized by its own SPF record, if any. + + If the "MAIL FROM" identity does not use the mail service provider's + domain, then extra care must be taken. The SPF record format has + several options for the third-party domain to authorize the service + provider's MTAs to send mail on its behalf. For mail service + providers, such as ISPs, that have a wide variety of customers using + the same MTA, steps should be taken to prevent cross-customer forgery + (see Section 10.4). + +9.5. MTA Relays + + The authorization check generally precludes the use of arbitrary MTA + relays between sender and receiver of an E-Mail message. + + Within an organization, MTA relays can be effectively deployed. + However, for purposes of this document, such relays are effectively + transparent. The SPF authorization check is a check between border + MTAs of different domains. + + For mail senders, this means that published SPF records must + authorize any MTAs that actually send across the Internet. Usually, + these are just the border MTAs as internal MTAs simply forward mail + to these MTAs for delivery. + + + + +Wong & Schlitt Experimental [Page 34] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + Mail receivers will generally want to perform the authorization check + at the border MTAs, specifically including all secondary MXs. This + allows mail that fails to be rejected during the SMTP session rather + than bounced. Internal MTAs then do not perform the authorization + test. To perform the authorization test other than at the border, + the host that first transferred the message to the organization must + be determined, which can be difficult to extract from the message + header. Testing other than at the border is not recommended. + +10. Security Considerations + +10.1. Processing Limits + + As with most aspects of E-Mail, there are a number of ways that + malicious parties could use the protocol as an avenue for a + Denial-of-Service (DoS) attack. The processing limits outlined here + are designed to prevent attacks such as the following: + + o A malicious party could create an SPF record with many references + to a victim's domain and send many E-Mails to different SPF + clients; those SPF clients would then create a DoS attack. In + effect, the SPF clients are being used to amplify the attacker's + bandwidth by using fewer bytes in the SMTP session than are used + by the DNS queries. Using SPF clients also allows the attacker to + hide the true source of the attack. + + o Whereas implementations of check_host() are supposed to limit the + number of DNS lookups, malicious domains could publish records + that exceed these limits in an attempt to waste computation effort + at their targets when they send them mail. Malicious domains + could also design SPF records that cause particular + implementations to use excessive memory or CPU usage, or to + trigger bugs. + + o Malicious parties could send a large volume of mail purporting to + come from the intended target to a wide variety of legitimate mail + hosts. These legitimate machines would then present a DNS load on + the target as they fetched the relevant records. + + Of these, the case of a third party referenced in the SPF record is + the easiest for a DoS attack to effectively exploit. As a result, + limits that may seem reasonable for an individual mail server can + still allow an unreasonable amount of bandwidth amplification. + Therefore, the processing limits need to be quite low. + + SPF implementations MUST limit the number of mechanisms and modifiers + that do DNS lookups to at most 10 per SPF check, including any + lookups caused by the use of the "include" mechanism or the + + + +Wong & Schlitt Experimental [Page 35] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + "redirect" modifier. If this number is exceeded during a check, a + PermError MUST be returned. The "include", "a", "mx", "ptr", and + "exists" mechanisms as well as the "redirect" modifier do count + against this limit. The "all", "ip4", and "ip6" mechanisms do not + require DNS lookups and therefore do not count against this limit. + The "exp" modifier does not count against this limit because the DNS + lookup to fetch the explanation string occurs after the SPF record + has been evaluated. + + When evaluating the "mx" and "ptr" mechanisms, or the %{p} macro, + there MUST be a limit of no more than 10 MX or PTR RRs looked up and + checked. + + SPF implementations SHOULD limit the total amount of data obtained + from the DNS queries. For example, when DNS over TCP or EDNS0 are + available, there may need to be an explicit limit to how much data + will be accepted to prevent excessive bandwidth usage or memory usage + and DoS attacks. + + MTAs or other processors MAY also impose a limit on the maximum + amount of elapsed time to evaluate check_host(). Such a limit SHOULD + allow at least 20 seconds. If such a limit is exceeded, the result + of authorization SHOULD be "TempError". + + Domains publishing records SHOULD try to keep the number of "include" + mechanisms and chained "redirect" modifiers to a minimum. Domains + SHOULD also try to minimize the amount of other DNS information + needed to evaluate a record. This can be done by choosing directives + that require less DNS information and placing lower-cost mechanisms + earlier in the SPF record. + + For example, consider a domain set up as follows: + + example.com. IN MX 10 mx.example.com. + mx.example.com. IN A 192.0.2.1 + a.example.com. IN TXT "v=spf1 mx:example.com -all" + b.example.com. IN TXT "v=spf1 a:mx.example.com -all" + c.example.com. IN TXT "v=spf1 ip4:192.0.2.1 -all" + + Evaluating check_host() for the domain "a.example.com" requires the + MX records for "example.com", and then the A records for the listed + hosts. Evaluating for "b.example.com" requires only the A records. + Evaluating for "c.example.com" requires none. + + However, there may be administrative considerations: using "a" over + "ip4" allows hosts to be renumbered easily. Using "mx" over "a" + allows the set of mail hosts to be changed easily. + + + + +Wong & Schlitt Experimental [Page 36] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +10.2. SPF-Authorized E-Mail May Contain Other False Identities + + The "MAIL FROM" and "HELO" identity authorizations must not be + construed to provide more assurance than they do. It is entirely + possible for a malicious sender to inject a message using his own + domain in the identities used by SPF, to have that domain's SPF + record authorize the sending host, and yet the message can easily + list other identities in its header. Unless the user or the MUA + takes care to note that the authorized identity does not match the + other more commonly-presented identities (such as the From: header + field), the user may be lulled into a false sense of security. + +10.3. Spoofed DNS and IP Data + + There are two aspects of this protocol that malicious parties could + exploit to undermine the validity of the check_host() function: + + o The evaluation of check_host() relies heavily on DNS. A malicious + attacker could attack the DNS infrastructure and cause + check_host() to see spoofed DNS data, and then return incorrect + results. This could include returning "Pass" for an value + where the actual domain's record would evaluate to "Fail". See + [RFC3833] for a description of DNS weaknesses. + + o The client IP address, , is assumed to be correct. A + malicious attacker could spoof TCP sequence numbers to make mail + appear to come from a permitted host for a domain that the + attacker is impersonating. + +10.4. Cross-User Forgery + + By definition, SPF policies just map domain names to sets of + authorized MTAs, not whole E-Mail addresses to sets of authorized + users. Although the "l" macro (Section 8) provides a limited way to + define individual sets of authorized MTAs for specific E-Mail + addresses, it is generally impossible to verify, through SPF, the use + of specific E-Mail addresses by individual users of the same MTA. + + It is up to mail services and their MTAs to directly prevent + cross-user forgery: based on SMTP AUTH ([RFC2554]), users should be + restricted to using only those E-Mail addresses that are actually + under their control (see [RFC4409], Section 6.1). Another means to + verify the identity of individual users is message cryptography such + as PGP ([RFC2440]) or S/MIME ([RFC3851]). + + + + + + + +Wong & Schlitt Experimental [Page 37] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +10.5. Untrusted Information Sources + + SPF uses information supplied by third parties, such as the "HELO" + domain name, the "MAIL FROM" address, and SPF records. This + information is then passed to the receiver in the Received-SPF: trace + fields and possibly returned to the client MTA in the form of an SMTP + rejection message. This information must be checked for invalid + characters and excessively long lines. + + When the authorization check fails, an explanation string may be + included in the reject response. Both the sender and the rejecting + receiver need to be aware that the explanation was determined by the + publisher of the SPF record checked and, in general, not the + receiver. The explanation may contain malicious URLs, or it may be + offensive or misleading. + + This is probably less of a concern than it may initially seem since + such messages are returned to the sender, and the explanation strings + come from the sender policy published by the domain in the identity + claimed by that very sender. As long as the DSN is not redirected to + someone other than the actual sender, the only people who see + malicious explanation strings are people whose messages claim to be + from domains that publish such strings in their SPF records. In + practice, DSNs can be misdirected, such as when an MTA accepts an + E-Mail and then later generates a DSN to a forged address, or when an + E-Mail forwarder does not direct the DSN back to the original sender. + +10.6. Privacy Exposure + + Checking SPF records causes DNS queries to be sent to the domain + owner. These DNS queries, especially if they are caused by the + "exists" mechanism, can contain information about who is sending + E-Mail and likely to which MTA the E-Mail is being sent. This can + introduce some privacy concerns, which may be more or less of an + issue depending on local laws and the relationship between the domain + owner and the person sending the E-Mail. + +11. Contributors and Acknowledgements + + This document is largely based on the work of Meng Weng Wong and Mark + Lentczner. Although, as this section acknowledges, many people have + contributed to this document, a very large portion of the writing and + editing are due to Meng and Mark. + + This design owes a debt of parentage to [RMX] by Hadmut Danisch and + to [DMP] by Gordon Fecyk. The idea of using a DNS record to check + the legitimacy of an E-Mail address traces its ancestry further back + through messages on the namedroppers mailing list by Paul Vixie + + + +Wong & Schlitt Experimental [Page 38] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + [Vixie] (based on suggestion by Jim Miller) and by David Green + [Green]. + + Philip Gladstone contributed the concept of macros to the + specification, multiplying the expressiveness of the language and + making per-user and per-IP lookups possible. + + The authors would also like to thank the literally hundreds of + individuals who have participated in the development of this design. + They are far too numerous to name, but they include the following: + + The folks on the spf-discuss mailing list. + The folks on the SPAM-L mailing list. + The folks on the IRTF ASRG mailing list. + The folks on the IETF MARID mailing list. + The folks on #perl. + +12. IANA Considerations + +12.1. The SPF DNS Record Type + + The IANA has assigned a new Resource Record Type and Qtype from the + DNS Parameters Registry for the SPF RR type with code 99. + +12.2. The Received-SPF Mail Header Field + + Per [RFC3864], the "Received-SPF:" header field is added to the IANA + Permanent Message Header Field Registry. The following is the + registration template: + + Header field name: Received-SPF + Applicable protocol: mail ([RFC2822]) + Status: Experimental + Author/Change controller: IETF + Specification document(s): RFC 4408 + Related information: + Requesting SPF Council review of any proposed changes and + additions to this field are recommended. For information about + the SPF Council see http://www.openspf.org/Council + +13. References + +13.1. Normative References + + [RFC1035] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + + + + +Wong & Schlitt Experimental [Page 39] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + [RFC1123] Braden, R., "Requirements for Internet Hosts - Application + and Support", STD 3, RFC 1123, October 1989. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, + April 2001. + + [RFC2822] Resnick, P., "Internet Message Format", RFC 2822, April + 2001. + + [RFC3464] Moore, K. and G. Vaudreuil, "An Extensible Message Format + for Delivery Status Notifications", RFC 3464, January + 2003. + + [RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6 + (IPv6) Addressing Architecture", RFC 3513, April 2003. + + [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration + Procedures for Message Header Fields", BCP 90, RFC 3864, + September 2004. + + [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform + Resource Identifier (URI): Generic Syntax", STD 66, RFC + 3986, January 2005. + + [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax + Specifications: ABNF", RFC 4234, October 2005. + + [US-ASCII] American National Standards Institute (formerly United + States of America Standards Institute), "USA Code for + Information Interchange, X3.4", 1968. + + ANSI X3.4-1968 has been replaced by newer versions with slight + modifications, but the 1968 version remains definitive for + the Internet. + +13.2 Informative References + + [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", + STD 13, RFC 1034, November 1987. + + [RFC1983] Malkin, G., "Internet Users' Glossary", RFC 1983, August + 1996. + + [RFC2440] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer, + "OpenPGP Message Format", RFC 2440, November 1998. + + + +Wong & Schlitt Experimental [Page 40] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + [RFC2554] Myers, J., "SMTP Service Extension for Authentication", + RFC 2554, March 1999. + + [RFC3696] Klensin, J., "Application Techniques for Checking and + Transformation of Names", RFC 3696, February 2004. + + [RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain + Name System (DNS)", RFC 3833, August 2004. + + [RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail + Extensions (S/MIME) Version 3.1 Message Specification", + RFC 3851, July 2004. + + [RFC4409] Gellens, R. and J. Klensin, "Message Submission for Mail", + RFC 4409, April 2006. + + [RMX] Danish, H., "The RMX DNS RR Type for light weight sender + authentication", Work In Progress + + [DMP] Fecyk, G., "Designated Mailers Protocol", Work In Progress + + [Vixie] Vixie, P., "Repudiating MAIL FROM", 2002. + + [Green] Green, D., "Domain-Authorized SMTP Mail", 2002. + + + + + + + + + + + + + + + + + + + + + + + + + + + +Wong & Schlitt Experimental [Page 41] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +Appendix A. Collected ABNF + + This section is normative and any discrepancies with the ABNF + fragments in the preceding text are to be resolved in favor of this + grammar. + + See [RFC4234] for ABNF notation. Please note that as per this ABNF + definition, literal text strings (those in quotes) are case- + insensitive. Hence, "mx" matches "mx", "MX", "mX", and "Mx". + + record = version terms *SP + version = "v=spf1" + + terms = *( 1*SP ( directive / modifier ) ) + + directive = [ qualifier ] mechanism + qualifier = "+" / "-" / "?" / "~" + mechanism = ( all / include + / A / MX / PTR / IP4 / IP6 / exists ) + + all = "all" + include = "include" ":" domain-spec + A = "a" [ ":" domain-spec ] [ dual-cidr-length ] + MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] + PTR = "ptr" [ ":" domain-spec ] + IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ] + IP6 = "ip6" ":" ip6-network [ ip6-cidr-length ] + exists = "exists" ":" domain-spec + + modifier = redirect / explanation / unknown-modifier + redirect = "redirect" "=" domain-spec + explanation = "exp" "=" domain-spec + unknown-modifier = name "=" macro-string + + ip4-cidr-length = "/" 1*DIGIT + ip6-cidr-length = "/" 1*DIGIT + dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] + + ip4-network = qnum "." qnum "." qnum "." qnum + qnum = DIGIT ; 0-9 + / %x31-39 DIGIT ; 10-99 + / "1" 2DIGIT ; 100-199 + / "2" %x30-34 DIGIT ; 200-249 + / "25" %x30-35 ; 250-255 + ; conventional dotted quad notation. e.g., 192.0.2.0 + ip6-network = + ; e.g., 2001:DB8::CD30 + + + + +Wong & Schlitt Experimental [Page 42] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + domain-spec = macro-string domain-end + domain-end = ( "." toplabel [ "." ] ) / macro-expand + toplabel = ( *alphanum ALPHA *alphanum ) / + ( 1*alphanum "-" *( alphanum / "-" ) alphanum ) + ; LDH rule plus additional TLD restrictions + ; (see [RFC3696], Section 2) + + alphanum = ALPHA / DIGIT + + explain-string = *( macro-string / SP ) + + macro-string = *( macro-expand / macro-literal ) + macro-expand = ( "%{" macro-letter transformers *delimiter "}" ) + / "%%" / "%_" / "%-" + macro-literal = %x21-24 / %x26-7E + ; visible characters except "%" + macro-letter = "s" / "l" / "o" / "d" / "i" / "p" / "h" / + "c" / "r" / "t" + transformers = *DIGIT [ "r" ] + delimiter = "." / "-" / "+" / "," / "/" / "_" / "=" + + name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) + + header-field = "Received-SPF:" [CFWS] result FWS [comment FWS] + [ key-value-list ] CRLF + + result = "Pass" / "Fail" / "SoftFail" / "Neutral" / + "None" / "TempError" / "PermError" + + key-value-list = key-value-pair *( ";" [CFWS] key-value-pair ) + [";"] + + key-value-pair = key [CFWS] "=" ( dot-atom / quoted-string ) + + key = "client-ip" / "envelope-from" / "helo" / + "problem" / "receiver" / "identity" / + mechanism / "x-" name / name + + identity = "mailfrom" ; for the "MAIL FROM" identity + / "helo" ; for the "HELO" identity + / name ; other identities + + dot-atom = + quoted-string = + comment = + CFWS = + FWS = + CRLF = + + + +Wong & Schlitt Experimental [Page 43] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +Appendix B. Extended Examples + + These examples are based on the following DNS setup: + + ; A domain with two mail servers, two hosts + ; and two servers at the domain name + $ORIGIN example.com. + @ MX 10 mail-a + MX 20 mail-b + A 192.0.2.10 + A 192.0.2.11 + amy A 192.0.2.65 + bob A 192.0.2.66 + mail-a A 192.0.2.129 + mail-b A 192.0.2.130 + www CNAME example.com. + + ; A related domain + $ORIGIN example.org. + @ MX 10 mail-c + mail-c A 192.0.2.140 + + ; The reverse IP for those addresses + $ORIGIN 2.0.192.in-addr.arpa. + 10 PTR example.com. + 11 PTR example.com. + 65 PTR amy.example.com. + 66 PTR bob.example.com. + 129 PTR mail-a.example.com. + 130 PTR mail-b.example.com. + 140 PTR mail-c.example.org. + + ; A rogue reverse IP domain that claims to be + ; something it's not + $ORIGIN 0.0.10.in-addr.arpa. + 4 PTR bob.example.com. + +B.1. Simple Examples + + These examples show various possible published records for + example.com and which values if would cause check_host() to + return "Pass". Note that is "example.com". + + v=spf1 +all + -- any passes + + v=spf1 a -all + -- hosts 192.0.2.10 and 192.0.2.11 pass + + + +Wong & Schlitt Experimental [Page 44] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + + v=spf1 a:example.org -all + -- no sending hosts pass since example.org has no A records + + v=spf1 mx -all + -- sending hosts 192.0.2.129 and 192.0.2.130 pass + + v=spf1 mx:example.org -all + -- sending host 192.0.2.140 passes + + v=spf1 mx mx:example.org -all + -- sending hosts 192.0.2.129, 192.0.2.130, and 192.0.2.140 pass + + v=spf1 mx/30 mx:example.org/30 -all + -- any sending host in 192.0.2.128/30 or 192.0.2.140/30 passes + + v=spf1 ptr -all + -- sending host 192.0.2.65 passes (reverse DNS is valid and is in + example.com) + -- sending host 192.0.2.140 fails (reverse DNS is valid, but not + in example.com) + -- sending host 10.0.0.4 fails (reverse IP is not valid) + + v=spf1 ip4:192.0.2.128/28 -all + -- sending host 192.0.2.65 fails + -- sending host 192.0.2.129 passes + +B.2. Multiple Domain Example + + These examples show the effect of related records: + + example.org: "v=spf1 include:example.com include:example.net -all" + + This record would be used if mail from example.org actually came + through servers at example.com and example.net. Example.org's + designated servers are the union of example.com's and example.net's + designated servers. + + la.example.org: "v=spf1 redirect=example.org" + ny.example.org: "v=spf1 redirect=example.org" + sf.example.org: "v=spf1 redirect=example.org" + + These records allow a set of domains that all use the same mail + system to make use of that mail system's record. In this way, only + the mail system's record needs to be updated when the mail setup + changes. These domains' records never have to change. + + + + + + +Wong & Schlitt Experimental [Page 45] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +B.3. DNSBL Style Example + + Imagine that, in addition to the domain records listed above, there + are these: + + $ORIGIN _spf.example.com. mary.mobile-users A + 127.0.0.2 fred.mobile-users A 127.0.0.2 + 15.15.168.192.joel.remote-users A 127.0.0.2 + 16.15.168.192.joel.remote-users A 127.0.0.2 + + The following records describe users at example.com who mail from + arbitrary servers, or who mail from personal servers. + + example.com: + + v=spf1 mx + include:mobile-users._spf.%{d} + include:remote-users._spf.%{d} + -all + + mobile-users._spf.example.com: + + v=spf1 exists:%{l1r+}.%{d} + + remote-users._spf.example.com: + + v=spf1 exists:%{ir}.%{l1r+}.%{d} + +B.4. Multiple Requirements Example + + Say that your sender policy requires both that the IP address is + within a certain range and that the reverse DNS for the IP matches. + This can be done several ways, including the following: + + example.com. SPF ( "v=spf1 " + "-include:ip4._spf.%{d} " + "-include:ptr._spf.%{d} " + "+all" ) + ip4._spf.example.com. SPF "v=spf1 -ip4:192.0.2.0/24 +all" + ptr._spf.example.com. SPF "v=spf1 -ptr +all" + + This example shows how the "-include" mechanism can be useful, how an + SPF record that ends in "+all" can be very restrictive, and the use + of De Morgan's Law. + + + + + + + +Wong & Schlitt Experimental [Page 46] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +Authors' Addresses + + Meng Weng Wong + Singapore + + EMail: mengwong+spf@pobox.com + + + Wayne Schlitt + 4615 Meredeth #9 + Lincoln Nebraska, NE 68506 + United States of America + + EMail: wayne@schlitt.net + URI: http://www.schlitt.net/spf/ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Wong & Schlitt Experimental [Page 47] + +RFC 4408 Sender Policy Framework (SPF) April 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Wong & Schlitt Experimental [Page 48] + diff --git a/doc/rfc/rfc4431.txt b/doc/rfc/rfc4431.txt new file mode 100644 index 0000000000000..8b3887229c638 --- /dev/null +++ b/doc/rfc/rfc4431.txt @@ -0,0 +1,227 @@ + + + + + + +Network Working Group M. Andrews +Request for Comments: 4431 Internet Systems Consortium +Category: Informational S. Weiler + SPARTA, Inc. + February 2006 + + + The DNSSEC Lookaside Validation (DLV) DNS Resource Record + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + This document defines a new DNS resource record, called the DNSSEC + Lookaside Validation (DLV) RR, for publishing DNSSEC trust anchors + outside of the DNS delegation chain. + +1. Introduction + + DNSSEC [1] [2] [3] authenticates DNS data by building public-key + signature chains along the DNS delegation chain from a trust anchor, + ideally a trust anchor for the DNS root. + + This document defines a new resource record for publishing such trust + anchors outside of the DNS's normal delegation chain. Use of these + records by DNSSEC validators is outside the scope of this document, + but it is expected that these records will help resolvers validate + DNSSEC-signed data from zones whose ancestors either aren't signed or + refuse to publish delegation signer (DS) records for their children. + +2. DLV Resource Record + + The DLV resource record has exactly the same wire and presentation + formats as the DS resource record, defined in RFC 4034, Section 5. + It uses the same IANA-assigned values in the algorithm and digest + type fields as the DS record. (Those IANA registries are known as + the "DNS Security Algorithm Numbers" and "DS RR Type Algorithm + Numbers" registries.) + + + + + +Andrews & Weiler Informational [Page 1] + +RFC 4431 DLV Resource Record February 2006 + + + The DLV record is a normal DNS record type without any special + processing requirements. In particular, the DLV record does not + inherit any of the special processing or handling requirements of the + DS record type (described in Section 3.1.4.1 of RFC 4035). Unlike + the DS record, the DLV record may not appear on the parent's side of + a zone cut. A DLV record may, however, appear at the apex of a zone. + +3. Security Considerations + + For authoritative servers and resolvers that do not attempt to use + DLV RRs as part of DNSSEC validation, there are no particular + security concerns -- DLV RRs are just like any other DNS data. + + Software using DLV RRs as part of DNSSEC validation will almost + certainly want to impose constraints on their use, but those + constraints are best left to be described by the documents that more + fully describe the particulars of how the records are used. At a + minimum, it would be unwise to use the records without some sort of + cryptographic authentication. More likely than not, DNSSEC itself + will be used to authenticate the DLV RRs. Depending on how a DLV RR + is used, failure to properly authenticate it could lead to + significant additional security problems including failure to detect + spoofed DNS data. + + RFC 4034, Section 8, describes security considerations specific to + the DS RR. Those considerations are equally applicable to DLV RRs. + Of particular note, the key tag field is used to help select DNSKEY + RRs efficiently, but it does not uniquely identify a single DNSKEY + RR. It is possible for two distinct DNSKEY RRs to have the same + owner name, the same algorithm type, and the same key tag. An + implementation that uses only the key tag to select a DNSKEY RR might + select the wrong public key in some circumstances. + + For further discussion of the security implications of DNSSEC, see + RFC 4033, RFC 4034, and RFC 4035. + +4. IANA Considerations + + IANA has assigned DNS type code 32769 to the DLV resource record from + the Specification Required portion of the DNS Resource Record Type + registry, as defined in [4]. + + The DLV resource record reuses the same algorithm and digest type + registries already used for the DS resource record, currently known + as the "DNS Security Algorithm Numbers" and "DS RR Type Algorithm + Numbers" registries. + + + + + +Andrews & Weiler Informational [Page 2] + +RFC 4431 DLV Resource Record February 2006 + + +5. Normative References + + [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, + March 2005. + + [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Resource Records for the DNS Security Extensions", RFC 4034, + March 2005. + + [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Protocol Modifications for the DNS Security Extensions", + RFC 4035, March 2005. + + [4] Eastlake, D., Brunner-Williams, E., and B. Manning, "Domain Name + System (DNS) IANA Considerations", BCP 42, RFC 2929, + September 2000. + +Authors' Addresses + + Mark Andrews + Internet Systems Consortium + 950 Charter St. + Redwood City, CA 94063 + US + + EMail: Mark_Andrews@isc.org + + + Samuel Weiler + SPARTA, Inc. + 7075 Samuel Morse Drive + Columbia, Maryland 21046 + US + + EMail: weiler@tislabs.com + + + + + + + + + + + + + + + +Andrews & Weiler Informational [Page 3] + +RFC 4431 DLV Resource Record February 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Andrews & Weiler Informational [Page 4] + diff --git a/doc/rfc/rfc4470.txt b/doc/rfc/rfc4470.txt new file mode 100644 index 0000000000000..ac12d65c44c1f --- /dev/null +++ b/doc/rfc/rfc4470.txt @@ -0,0 +1,451 @@ + + + + + + +Network Working Group S. Weiler +Request for Comments: 4470 SPARTA, Inc. +Updates: 4035, 4034 J. Ihren +Category: Standards Track Autonomica AB + April 2006 + + + Minimally Covering NSEC Records and DNSSEC On-line Signing + + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + This document describes how to construct DNSSEC NSEC resource records + that cover a smaller range of names than called for by RFC 4034. By + generating and signing these records on demand, authoritative name + servers can effectively stop the disclosure of zone contents + otherwise made possible by walking the chain of NSEC records in a + signed zone. + +Table of Contents + + 1. Introduction ....................................................1 + 2. Applicability of This Technique .................................2 + 3. Minimally Covering NSEC Records .................................2 + 4. Better Epsilon Functions ........................................4 + 5. Security Considerations .........................................5 + 6. Acknowledgements ................................................6 + 7. Normative References ............................................6 + +1. Introduction + + With DNSSEC [1], an NSEC record lists the next instantiated name in + its zone, proving that no names exist in the "span" between the + NSEC's owner name and the name in the "next name" field. In this + document, an NSEC record is said to "cover" the names between its + owner name and next name. + + + +Weiler & Ihren Standards Track [Page 1] + +RFC 4470 NSEC Epsilon April 2006 + + + Through repeated queries that return NSEC records, it is possible to + retrieve all of the names in the zone, a process commonly called + "walking" the zone. Some zone owners have policies forbidding zone + transfers by arbitrary clients; this side effect of the NSEC + architecture subverts those policies. + + This document presents a way to prevent zone walking by constructing + NSEC records that cover fewer names. These records can make zone + walking take approximately as many queries as simply asking for all + possible names in a zone, making zone walking impractical. Some of + these records must be created and signed on demand, which requires + on-line private keys. Anyone contemplating use of this technique is + strongly encouraged to review the discussion of the risks of on-line + signing in Section 5. + +1.2. Keywords + + The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [4]. + +2. Applicability of This Technique + + The technique presented here may be useful to a zone owner that wants + to use DNSSEC, is concerned about exposure of its zone contents via + zone walking, and is willing to bear the costs of on-line signing. + + As discussed in Section 5, on-line signing has several security + risks, including an increased likelihood of private keys being + disclosed and an increased risk of denial of service attack. Anyone + contemplating use of this technique is strongly encouraged to review + the discussion of the risks of on-line signing in Section 5. + + Furthermore, at the time this document was published, the DNSEXT + working group was actively working on a mechanism to prevent zone + walking that does not require on-line signing (tentatively called + NSEC3). The new mechanism is likely to expose slightly more + information about the zone than this technique (e.g., the number of + instantiated names), but it may be preferable to this technique. + +3. Minimally Covering NSEC Records + + This mechanism involves changes to NSEC records for instantiated + names, which can still be generated and signed in advance, as well as + the on-demand generation and signing of new NSEC records whenever a + name must be proven not to exist. + + + + + +Weiler & Ihren Standards Track [Page 2] + +RFC 4470 NSEC Epsilon April 2006 + + + In the "next name" field of instantiated names' NSEC records, rather + than list the next instantiated name in the zone, list any name that + falls lexically after the NSEC's owner name and before the next + instantiated name in the zone, according to the ordering function in + RFC 4034 [2] Section 6.1. This relaxes the requirement in Section + 4.1.1 of RFC 4034 that the "next name" field contains the next owner + name in the zone. This change is expected to be fully compatible + with all existing DNSSEC validators. These NSEC records are returned + whenever proving something specifically about the owner name (e.g., + that no resource records of a given type appear at that name). + + Whenever an NSEC record is needed to prove the non-existence of a + name, a new NSEC record is dynamically produced and signed. The new + NSEC record has an owner name lexically before the QNAME but + lexically following any existing name and a "next name" lexically + following the QNAME but before any existing name. + + The generated NSEC record's type bitmap MUST have the RRSIG and NSEC + bits set and SHOULD NOT have any other bits set. This relaxes the + requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at + names that did not exist before the zone was signed. + + The functions to generate the lexically following and proceeding + names need not be perfect or consistent, but the generated NSEC + records must not cover any existing names. Furthermore, this + technique works best when the generated NSEC records cover as few + names as possible. In this document, the functions that generate the + nearby names are called "epsilon" functions, a reference to the + mathematical convention of using the greek letter epsilon to + represent small deviations. + + An NSEC record denying the existence of a wildcard may be generated + in the same way. Since the NSEC record covering a non-existent + wildcard is likely to be used in response to many queries, + authoritative name servers using the techniques described here may + want to pregenerate or cache that record and its corresponding RRSIG. + + For example, a query for an A record at the non-instantiated name + example.com might produce the following two NSEC records, the first + denying the existence of the name example.com and the second denying + the existence of a wildcard: + + exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC ) + + \).com 3600 IN NSEC +.com ( RRSIG NSEC ) + + + + + + +Weiler & Ihren Standards Track [Page 3] + +RFC 4470 NSEC Epsilon April 2006 + + + Before answering a query with these records, an authoritative server + must test for the existence of names between these endpoints. If the + generated NSEC would cover existing names (e.g., exampldd.com or + *bizarre.example.com), a better epsilon function may be used or the + covered name closest to the QNAME could be used as the NSEC owner + name or next name, as appropriate. If an existing name is used as + the NSEC owner name, that name's real NSEC record MUST be returned. + Using the same example, assuming an exampldd.com delegation exists, + this record might be returned from the parent: + + exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC ) + + Like every authoritative record in the zone, each generated NSEC + record MUST have corresponding RRSIGs generated using each algorithm + (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as + described in RFC 4035 [3] Section 2.2. To minimize the number of + signatures that must be generated, a zone may wish to limit the + number of algorithms in its DNSKEY RRset. + +4. Better Epsilon Functions + + Section 6.1 of RFC 4034 defines a strict ordering of DNS names. + Working backward from that definition, it should be possible to + define epsilon functions that generate the immediately following and + preceding names, respectively. This document does not define such + functions. Instead, this section presents functions that come + reasonably close to the perfect ones. As described above, an + authoritative server should still ensure than no generated NSEC + covers any existing name. + + To increment a name, add a leading label with a single null (zero- + value) octet. + + To decrement a name, decrement the last character of the leftmost + label, then fill that label to a length of 63 octets with octets of + value 255. To decrement a null (zero-value) octet, remove the octet + -- if an empty label is left, remove the label. Defining this + function numerically: fill the leftmost label to its maximum length + with zeros (numeric, not ASCII zeros) and subtract one. + + In response to a query for the non-existent name foo.example.com, + these functions produce NSEC records of the following: + + + + + + + + + +Weiler & Ihren Standards Track [Page 4] + +RFC 4470 NSEC Epsilon April 2006 + + + fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG ) + + \)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 + \255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG ) + + The first of these NSEC RRs proves that no exact match for + foo.example.com exists, and the second proves that there is no + wildcard in example.com. + + Both of these functions are imperfect: they do not take into account + constraints on number of labels in a name nor total length of a name. + As noted in the previous section, though, this technique does not + depend on the use of perfect epsilon functions: it is sufficient to + test whether any instantiated names fall into the span covered by the + generated NSEC and, if so, substitute those instantiated owner names + for the NSEC owner name or next name, as appropriate. + +5. Security Considerations + + This approach requires on-demand generation of RRSIG records. This + creates several new vulnerabilities. + + First, on-demand signing requires that a zone's authoritative servers + have access to its private keys. Storing private keys on well-known + Internet-accessible servers may make them more vulnerable to + unintended disclosure. + + Second, since generation of digital signatures tends to be + computationally demanding, the requirement for on-demand signing + makes authoritative servers vulnerable to a denial of service attack. + + Last, if the epsilon functions are predictable, on-demand signing may + enable a chosen-plaintext attack on a zone's private keys. Zones + using this approach should attempt to use cryptographic algorithms + that are resistant to chosen-plaintext attacks. It is worth noting + that although DNSSEC has a "mandatory to implement" algorithm, that + is a requirement on resolvers and validators -- there is no + requirement that a zone be signed with any given algorithm. + + The success of using minimally covering NSEC records to prevent zone + walking depends greatly on the quality of the epsilon functions + + + +Weiler & Ihren Standards Track [Page 5] + +RFC 4470 NSEC Epsilon April 2006 + + + chosen. An increment function that chooses a name obviously derived + from the next instantiated name may be easily reverse engineered, + destroying the value of this technique. An increment function that + always returns a name close to the next instantiated name is likewise + a poor choice. Good choices of epsilon functions are the ones that + produce the immediately following and preceding names, respectively, + though zone administrators may wish to use less perfect functions + that return more human-friendly names than the functions described in + Section 4 above. + + Another obvious but misguided concern is the danger from synthesized + NSEC records being replayed. It is possible for an attacker to + replay an old but still validly signed NSEC record after a new name + has been added in the span covered by that NSEC, incorrectly proving + that there is no record at that name. This danger exists with DNSSEC + as defined in [3]. The techniques described here actually decrease + the danger, since the span covered by any NSEC record is smaller than + before. Choosing better epsilon functions will further reduce this + danger. + +6. Acknowledgements + + Many individuals contributed to this design. They include, in + addition to the authors of this document, Olaf Kolkman, Ed Lewis, + Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis, + Jakob Schlyter, Bill Manning, and Joao Damas. + + In addition, the editors would like to thank Ed Lewis, Scott Rose, + and David Blacka for their careful review of the document. + +7. Normative References + + [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, March + 2005. + + [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Resource Records for the DNS Security Extensions", RFC 4034, + March 2005. + + [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Protocol Modifications for the DNS Security Extensions", RFC + 4035, March 2005. + + [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + + + + +Weiler & Ihren Standards Track [Page 6] + +RFC 4470 NSEC Epsilon April 2006 + + +Authors' Addresses + + Samuel Weiler + SPARTA, Inc. + 7075 Samuel Morse Drive + Columbia, Maryland 21046 + US + + EMail: weiler@tislabs.com + + + Johan Ihren + Autonomica AB + Bellmansgatan 30 + Stockholm SE-118 47 + Sweden + + EMail: johani@autonomica.se + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Weiler & Ihren Standards Track [Page 7] + +RFC 4470 NSEC Epsilon April 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Weiler & Ihren Standards Track [Page 8] + diff --git a/doc/rfc/rfc4634.txt b/doc/rfc/rfc4634.txt new file mode 100644 index 0000000000000..b672df8a4455c --- /dev/null +++ b/doc/rfc/rfc4634.txt @@ -0,0 +1,6051 @@ + + + + + + +Network Working Group D. Eastlake 3rd +Request for Comments: 4634 Motorola Labs +Updates: 3174 T. Hansen +Category: Informational AT&T Labs + July 2006 + + + US Secure Hash Algorithms (SHA and HMAC-SHA) + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + The United States of America has adopted a suite of Secure Hash + Algorithms (SHAs), including four beyond SHA-1, as part of a Federal + Information Processing Standard (FIPS), specifically SHA-224 (RFC + 3874), SHA-256, SHA-384, and SHA-512. The purpose of this document + is to make source code performing these hash functions conveniently + available to the Internet community. The sample code supports input + strings of arbitrary bit length. SHA-1's sample code from RFC 3174 + has also been updated to handle input strings of arbitrary bit + length. Most of the text herein was adapted by the authors from FIPS + 180-2. + + Code to perform SHA-based HMACs, with arbitrary bit length text, is + also included. + + + + + + + + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 1] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +Table of Contents + + 1. Overview of Contents ............................................3 + 1.1. License ....................................................4 + 2. Notation for Bit Strings and Integers ...........................4 + 3. Operations on Words .............................................5 + 4. Message Padding and Parsing .....................................6 + 4.1. SHA-224 and SHA-256 ........................................7 + 4.2. SHA-384 and SHA-512 ........................................8 + 5. Functions and Constants Used ....................................9 + 5.1. SHA-224 and SHA-256 ........................................9 + 5.2. SHA-384 and SHA-512 .......................................10 + 6. Computing the Message Digest ...................................11 + 6.1. SHA-224 and SHA-256 Initialization ........................11 + 6.2. SHA-224 and SHA-256 Processing ............................11 + 6.3. SHA-384 and SHA-512 Initialization ........................13 + 6.4. SHA-384 and SHA-512 Processing ............................14 + 7. SHA-Based HMACs ................................................15 + 8. C Code for SHAs ................................................15 + 8.1. The .h File ...............................................18 + 8.2. The SHA Code ..............................................24 + 8.2.1. sha1.c .............................................24 + 8.2.2. sha224-256.c .......................................33 + 8.2.3. sha384-512.c .......................................45 + 8.2.4. usha.c .............................................67 + 8.2.5. sha-private.h ......................................72 + 8.3. The HMAC Code .............................................73 + 8.4. The Test Driver ...........................................78 + 9. Security Considerations .......................................106 + 10. Normative References .........................................106 + 11. Informative References .......................................106 + + + + + + + + + + + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 2] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +1. Overview of Contents + + NOTE: Much of the text below is taken from [FIPS180-2] and assertions + therein of the security of the algorithms described are made by the + US Government, the author of [FIPS180-2], and not by the authors of + this document. + + The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], + SHA-256, SHA-384, and SHA-512, for computing a condensed + representation of a message or a data file. (SHA-1 is specified in + [RFC3174].) When a message of any length < 2^64 bits (for SHA-224 + and SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to + one of these algorithms, the result is an output called a message + digest. The message digests range in length from 224 to 512 bits, + depending on the algorithm. Secure hash algorithms are typically + used with other cryptographic algorithms, such as digital signature + algorithms and keyed hash authentication codes, or in the generation + of random numbers [RFC4086]. + + The four algorithms specified in this document are called secure + because it is computationally infeasible to (1) find a message that + corresponds to a given message digest, or (2) find two different + messages that produce the same message digest. Any change to a + message in transit will, with very high probability, result in a + different message digest. This will result in a verification failure + when the secure hash algorithm is used with a digital signature + algorithm or a keyed-hash message authentication algorithm. + + The code provided herein supports input strings of arbitrary bit + length. SHA-1's sample code from [RFC3174] has also been updated to + handle input strings of arbitrary bit length. See Section 1.1 for + license information for this code. + + Section 2 below defines the terminology and functions used as + building blocks to form these algorithms. Section 3 describes the + fundamental operations on words from which these algorithms are + built. Section 4 describes how messages are padded up to an integral + multiple of the required block size and then parsed into blocks. + Section 5 defines the constants and the composite functions used to + specify these algorithms. Section 6 gives the actual specification + for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7 + provides pointers to the specification of HMAC keyed message + authentication codes based on the SHA algorithms. Section 8 gives + sample code for the SHA algorithms and Section 9 code for SHA-based + HMACs. The SHA-based HMACs will accept arbitrary bit length text. + + + + + + +Eastlake 3rd & Hansen Informational [Page 3] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +1.1. License + + Permission is granted for all uses, commercial and non-commercial, of + the sample code found in Section 8. Royalty free license to use, + copy, modify and distribute the software found in Section 8 is + granted, provided that this document is identified in all material + mentioning or referencing this software, and provided that + redistributed derivative works do not contain misleading author or + version information. + + The authors make no representations concerning either the + merchantability of this software or the suitability of this software + for any particular purpose. It is provided "as is" without express + or implied warranty of any kind. + +2. Notation for Bit Strings and Integers + + The following terminology related to bit strings and integers will be + used: + + a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , + F}. A hex digit is the representation of a 4-bit string. + Examples: 7 = 0111, A = 1010. + + b. A word equals a 32-bit or 64-bit string, which may be + represented as a sequence of 8 or 16 hex digits, respectively. + To convert a word to hex digits, each 4-bit string is converted + to its hex equivalent as described in (a) above. Example: + + 1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. + + Throughout this document, the "big-endian" convention is used + when expressing both 32-bit and 64-bit words, so that within + each word the most significant bit is shown in the left-most bit + position. + + c. An integer may be represented as a word or pair of words. + + An integer between 0 and 2^32 - 1 inclusive may be represented + as a 32-bit word. The least significant four bits of the + integer are represented by the right-most hex digit of the word + representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 = + 256+32+2+1 is represented by the hex word 00000123. + + The same holds true for an integer between 0 and 2^64-1 + inclusive, which may be represented as a 64-bit word. + + + + + +Eastlake 3rd & Hansen Informational [Page 4] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + If Z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0 + <= x < 2^32 and 0 <= y < 2^32. Since x and y can be represented + as words X and Y, respectively, z can be represented as the pair + of words (X,Y). + + d. block = 512-bit or 1024-bit string. A block (e.g., B) may be + represented as a sequence of 32-bit or 64-bit words. + +3. Operations on Words + + The following logical operators will be applied to words in all four + hash operations specified herein. SHA-224 and SHA-256 operate on + 32-bit words, while SHA-384 and SHA-512 operate on 64-bit words. + + In the operations below, x<>n + + d. The rotate right (circular right shift) operation ROTR^n(x), + where x is a w-bit word and n is an integer with 0 <= n < w, is + defined by + + ROTR^n(x) = (x>>n) OR (x<<(w-n)) + + e. The rotate left (circular left shift) operation ROTL^n(x), where + x is a w-bit word and n is an integer with 0 <= n < w, is + defined by + + ROTL^n(X) = (x<>w-n) + + Note the following equivalence relationships, where w is fixed + in each relationship: + + ROTL^n(x) = ROTR^(w-x)(x) + + ROTR^n(x) = ROTL^(w-n)(x) + +4. Message Padding and Parsing + + The hash functions specified herein are used to compute a message + digest for a message or data file that is provided as input. The + message or data file should be considered to be a bit string. The + length of the message is the number of bits in the message (the empty + message has length 0). If the number of bits in a message is a + multiple of 8, for compactness we can represent the message in hex. + The purpose of message padding is to make the total length of a + padded message a multiple of 512 for SHA-224 and SHA-256 or a + multiple of 1024 for SHA-384 and SHA-512. + + The following specifies how this padding shall be performed. As a + summary, a "1" followed by a number of "0"s followed by a 64-bit or + 128-bit integer are appended to the end of the message to produce a + padded message of length 512*n or 1024*n. The minimum number of "0"s + necessary to meet this criterion is used. The appended integer is + the length of the original message. The padded message is then + processed by the hash function as n 512-bit or 1024-bit blocks. + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 6] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +4.1. SHA-224 and SHA-256 + + Suppose a message has length L < 2^64. Before it is input to the + hash function, the message is padded on the right as follows: + + a. "1" is appended. Example: if the original message is + "01010000", this is padded to "010100001". + + b. K "0"s are appended where K is the smallest, non-negative + solution to the equation + + L + 1 + K = 448 (mod 512) + + c. Then append the 64-bit block that is L in binary representation. + After appending this block, the length of the message will be a + multiple of 512 bits. + + Example: Suppose the original message is the bit string + + 01100001 01100010 01100011 01100100 01100101 + + After step (a), this gives + + 01100001 01100010 01100011 01100100 01100101 1 + + Since L = 40, the number of bits in the above is 41 and K = 407 + "0"s are appended, making the total now 448. This gives the + following in hex: + + 61626364 65800000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 + + The 64-bit representation of L = 40 is hex 00000000 00000028. + Hence the final padded message is the following hex: + + 61626364 65800000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000028 + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 7] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +4.2. SHA-384 and SHA-512 + + Suppose a message has length L < 2^128. Before it is input to the + hash function, the message is padded on the right as follows: + + a. "1" is appended. Example: if the original message is + "01010000", this is padded to "010100001". + + b. K "0"s are appended where K is the smallest, non-negative + solution to the equation + + L + 1 + K = 896 (mod 1024) + + c. Then append the 128-bit block that is L in binary + representation. After appending this block, the length of the + message will be a multiple of 1024 bits. + + Example: Suppose the original message is the bit string + + 01100001 01100010 01100011 01100100 01100101 + + After step (a) this gives + + 01100001 01100010 01100011 01100100 01100101 1 + + Since L = 40, the number of bits in the above is 41 and K = 855 + "0"s are appended, making the total now 896. This gives the + following in hex: + + 61626364 65800000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + + The 128-bit representation of L = 40 is hex 00000000 00000000 + 00000000 00000028. Hence the final padded message is the + following hex: + + 61626364 65800000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + + + + + +Eastlake 3rd & Hansen Informational [Page 8] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000000 + 00000000 00000000 00000000 00000028 + +5. Functions and Constants Used + + The following subsections give the six logical functions and the + table of constants used in each of the hash functions. + +5.1. SHA-224 and SHA-256 + + SHA-224 and SHA-256 use six logical functions, where each function + operates on 32-bit words, which are represented as x, y, and z. The + result of each function is a new 32-bit word. + + CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) + + MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) + + BSIG0(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x) + + BSIG1(x) = ROTR^6(x) XOR ROTR^11(x) XOR ROTR^25(x) + + SSIG0(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3(x) + + SSIG1(x) = ROTR^17(x) XOR ROTR^19(x) XOR SHR^10(x) + + SHA-224 and SHA-256 use the same sequence of sixty-four constant + 32-bit words, K0, K1, ..., K63. These words represent the first + thirty-two bits of the fractional parts of the cube roots of the + first sixty-four prime numbers. In hex, these constant words are as + follows (from left to right): + + 428a2f98 71374491 b5c0fbcf e9b5dba5 + 3956c25b 59f111f1 923f82a4 ab1c5ed5 + d807aa98 12835b01 243185be 550c7dc3 + 72be5d74 80deb1fe 9bdc06a7 c19bf174 + e49b69c1 efbe4786 0fc19dc6 240ca1cc + 2de92c6f 4a7484aa 5cb0a9dc 76f988da + 983e5152 a831c66d b00327c8 bf597fc7 + c6e00bf3 d5a79147 06ca6351 14292967 + 27b70a85 2e1b2138 4d2c6dfc 53380d13 + 650a7354 766a0abb 81c2c92e 92722c85 + a2bfe8a1 a81a664b c24b8b70 c76c51a3 + d192e819 d6990624 f40e3585 106aa070 + 19a4c116 1e376c08 2748774c 34b0bcb5 + + + + + +Eastlake 3rd & Hansen Informational [Page 9] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3 + 748f82ee 78a5636f 84c87814 8cc70208 + 90befffa a4506ceb bef9a3f7 c67178f2 + +5.2. SHA-384 and SHA-512 + + SHA-384 and SHA-512 each use six logical functions, where each + function operates on 64-bit words, which are represented as x, y, and + z. The result of each function is a new 64-bit word. + + CH( x, y, z) = (x AND y) XOR ( (NOT x) AND z) + + MAJ( x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) + + BSIG0(x) = ROTR^28(x) XOR ROTR^34(x) XOR ROTR^39(x) + + BSIG1(x) = ROTR^14(x) XOR ROTR^18(x) XOR ROTR^41(x) + + SSIG0(x) = ROTR^1(x) XOR ROTR^8(x) XOR SHR^7(x) + + SSIG1(x) = ROTR^19(x) XOR ROTR^61(x) XOR SHR^6(x) + + SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit + words, K0, K1, ... K79. These words represent the first sixty-four + bits of the fractional parts of the cube roots of the first eighty + prime numbers. In hex, these constant words are as follows (from + left to right): + + 428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc + 3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118 + d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2 + 72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694 + e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65 + 2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5 + 983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4 + c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70 + 27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df + 650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b + a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30 + d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8 + 19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8 + 391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3 + 748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec + 90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b + ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178 + 06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b + 28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c + 4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817 + + + +Eastlake 3rd & Hansen Informational [Page 10] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +6. Computing the Message Digest + + The output of each of the secure hash functions, after being applied + to a message of N blocks, is the hash quantity H(N). For SHA-224 and + SHA-256, H(i) can be considered to be eight 32-bit words, H(i)0, + H(i)1, ... H(i)7. For SHA-384 and SHA-512, it can be considered to + be eight 64-bit words, H(i)0, H(i)1, ..., H(i)7. + + As described below, the hash words are initialized, modified as each + message block is processed, and finally concatenated after processing + the last block to yield the output. For SHA-256 and SHA-512, all of + the H(N) variables are concatenated while the SHA-224 and SHA-384 + hashes are produced by omitting some from the final concatenation. + +6.1. SHA-224 and SHA-256 Initialization + + For SHA-224, the initial hash value, H(0), consists of the following + 32-bit words in hex: + + H(0)0 = c1059ed8 + H(0)1 = 367cd507 + H(0)2 = 3070dd17 + H(0)3 = f70e5939 + H(0)4 = ffc00b31 + H(0)5 = 68581511 + H(0)6 = 64f98fa7 + H(0)7 = befa4fa4 + + For SHA-256, the initial hash value, H(0), consists of the following + eight 32-bit words, in hex. These words were obtained by taking the + first thirty-two bits of the fractional parts of the square roots of + the first eight prime numbers. + + H(0)0 = 6a09e667 + H(0)1 = bb67ae85 + H(0)2 = 3c6ef372 + H(0)3 = a54ff53a + H(0)4 = 510e527f + H(0)5 = 9b05688c + H(0)6 = 1f83d9ab + H(0)7 = 5be0cd19 + +6.2. SHA-224 and SHA-256 Processing + + SHA-224 and SHA-256 perform identical processing on messages blocks + and differ only in how H(0) is initialized and how they produce their + final output. They may be used to hash a message, M, having a length + of L bits, where 0 <= L < 2^64. The algorithm uses (1) a message + + + +Eastlake 3rd & Hansen Informational [Page 11] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + schedule of sixty-four 32-bit words, (2) eight working variables of + 32 bits each, and (3) a hash value of eight 32-bit words. + + The words of the message schedule are labeled W0, W1, ..., W63. The + eight working variables are labeled a, b, c, d, e, f, g, and h. The + words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which + will hold the initial hash value, H(0), replaced by each successive + intermediate hash value (after each message block is processed), + H(i), and ending with the final hash value, H(N), after all N blocks + are processed. They also use two temporary words, T1 and T2. + + The input message is padded as described in Section 4.1 above then + parsed into 512-bit blocks, which are considered to be composed of 16 + 32-bit words M(i)0, M(i)1, ..., M(i)15. The following computations + are then performed for each of the N message blocks. All addition is + performed modulo 2^32. + + For i = 1 to N + + 1. Prepare the message schedule W: + For t = 0 to 15 + Wt = M(i)t + For t = 16 to 63 + Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(t-15) + W(t-16) + + 2. Initialize the working variables: + a = H(i-1)0 + b = H(i-1)1 + c = H(i-1)2 + d = H(i-1)3 + e = H(i-1)4 + f = H(i-1)5 + g = H(i-1)6 + h = H(i-1)7 + + 3. Perform the main hash computation: + For t = 0 to 63 + T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt + T2 = BSIG0(a) + MAJ(a,b,c) + h = g + g = f + f = e + e = d + T1 + d = c + c = b + b = a + a = T1 + T2 + + + + +Eastlake 3rd & Hansen Informational [Page 12] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + 4. Compute the intermediate hash value H(i): + H(i)0 = a + H(i-1)0 + H(i)1 = b + H(i-1)1 + H(i)2 = c + H(i-1)2 + H(i)3 = d + H(i-1)3 + H(i)4 = e + H(i-1)4 + H(i)5 = f + H(i-1)5 + H(i)6 = g + H(i-1)6 + H(i)7 = h + H(i-1)7 + + After the above computations have been sequentially performed for all + of the blocks in the message, the final output is calculated. For + SHA-256, this is the concatenation of all of H(N)0, H(N)1, through + H(N)7. For SHA-224, this is the concatenation of H(N)0, H(N)1, + through H(N)6. + +6.3. SHA-384 and SHA-512 Initialization + + For SHA-384, the initial hash value, H(0), consists of the following + eight 64-bit words, in hex. These words were obtained by taking the + first sixty-four bits of the fractional parts of the square roots of + the ninth through sixteenth prime numbers. + + H(0)0 = cbbb9d5dc1059ed8 + H(0)1 = 629a292a367cd507 + H(0)2 = 9159015a3070dd17 + H(0)3 = 152fecd8f70e5939 + H(0)4 = 67332667ffc00b31 + H(0)5 = 8eb44a8768581511 + H(0)6 = db0c2e0d64f98fa7 + H(0)7 = 47b5481dbefa4fa4 + + For SHA-512, the initial hash value, H(0), consists of the following + eight 64-bit words, in hex. These words were obtained by taking the + first sixty-four bits of the fractional parts of the square roots of + the first eight prime numbers. + + H(0)0 = 6a09e667f3bcc908 + H(0)1 = bb67ae8584caa73b + H(0)2 = 3c6ef372fe94f82b + H(0)3 = a54ff53a5f1d36f1 + H(0)4 = 510e527fade682d1 + H(0)5 = 9b05688c2b3e6c1f + H(0)6 = 1f83d9abfb41bd6b + H(0)7 = 5be0cd19137e2179 + + + + + + +Eastlake 3rd & Hansen Informational [Page 13] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +6.4. SHA-384 and SHA-512 Processing + + SHA-384 and SHA-512 perform identical processing on message blocks + and differ only in how H(0) is initialized and how they produce their + final output. They may be used to hash a message, M, having a length + of L bits, where 0 <= L < 2^128. The algorithm uses (1) a message + schedule of eighty 64-bit words, (2) eight working variables of 64 + bits each, and (3) a hash value of eight 64-bit words. + + The words of the message schedule are labeled W0, W1, ..., W79. The + eight working variables are labeled a, b, c, d, e, f, g, and h. The + words of the hash value are labeled H(i)0, H(i)1, ..., H(i)7, which + will hold the initial hash value, H(0), replaced by each successive + intermediate hash value (after each message block is processed), + H(i), and ending with the final hash value, H(N) after all N blocks + are processed. + + The input message is padded as described in Section 4.2 above, then + parsed into 1024-bit blocks, which are considered to be composed of + 16 64-bit words M(i)0, M(i)1, ..., M(i)15. The following + computations are then performed for each of the N message blocks. + All addition is performed modulo 2^64. + + For i = 1 to N + + 1. Prepare the message schedule W: + For t = 0 to 15 + Wt = M(i)t + For t = 16 to 79 + Wt = SSIG1(W(t-2)) + W(t-7) + SSIG0(t-15) + W(t-16) + + 2. Initialize the working variables: + a = H(i-1)0 + b = H(i-1)1 + c = H(i-1)2 + d = H(i-1)3 + e = H(i-1)4 + f = H(i-1)5 + g = H(i-1)6 + h = H(i-1)7 + + 3. Perform the main hash computation: + For t = 0 to 79 + T1 = h + BSIG1(e) + CH(e,f,g) + Kt + Wt + T2 = BSIG0(a) + MAJ(a,b,c) + h = g + g = f + f = e + + + +Eastlake 3rd & Hansen Informational [Page 14] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + e = d + T1 + d = c + c = b + b = a + a = T1 + T2 + + 4. Compute the intermediate hash value H(i): + H(i)0 = a + H(i-1)0 + H(i)1 = b + H(i-1)1 + H(i)2 = c + H(i-1)2 + H(i)3 = d + H(i-1)3 + H(i)4 = e + H(i-1)4 + H(i)5 = f + H(i-1)5 + H(i)6 = g + H(i-1)6 + H(i)7 = h + H(i-1)7 + + After the above computations have been sequentially performed for all + of the blocks in the message, the final output is calculated. For + SHA-512, this is the concatenation of all of H(N)0, H(N)1, through + H(N)7. For SHA-384, this is the concatenation of H(N)0, H(N)1, + through H(N)5. + +7. SHA-Based HMACs + + HMAC is a method for computing a keyed MAC (message authentication + code) using a hash function as described in [RFC2104]. It uses a key + to mix in with the input text to produce the final hash. + + Sample code is also provided, in Section 8.3 below, to perform HMAC + based on any of the SHA algorithms described herein. The sample code + found in [RFC2104] was written in terms of a specified text size. + Since SHA is defined in terms of an arbitrary number of bits, the + sample HMAC code has been written to allow the text input to HMAC to + have an arbitrary number of octets and bits. A fixed-length + interface is also provided. + +8. C Code for SHAs + + Below is a demonstration implementation of these secure hash + functions in C. Section 8.1 contains the header file sha.h, which + declares all constants, structures, and functions used by the sha and + hmac functions. Section 8.2 contains the C code for sha1.c, + sha224-256.c, sha384-512.c, and usha.c along with sha-private.h, + which provides some declarations common to all the sha functions. + Section 8.3 contains the C code for the hmac functions. Section 8.4 + contains a test driver to exercise the code. + + + + + +Eastlake 3rd & Hansen Informational [Page 15] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + For each of the digest length $$$, there is the following set of + constants, a structure, and functions: + + Constants: + SHA$$$HashSize number of octets in the hash + SHA$$$HashSizeBits number of bits in the hash + SHA$$$_Message_Block_Size + number of octets used in the intermediate + message blocks + shaSuccess = 0 constant returned by each function on success + shaNull = 1 constant returned by each function when + presented with a null pointer parameter + shaInputTooLong = 2 constant returned by each function when the + input data is too long + shaStateError constant returned by each function when + SHA$$$Input is called after SHA$$$FinalBits or + SHA$$$Result. + + Structure: + typedef SHA$$$Context + an opaque structure holding the complete state + for producing the hash + + Functions: + int SHA$$$Reset(SHA$$$Context *); + Reset the hash context state + int SHA$$$Input(SHA$$$Context *, const uint8_t *octets, + unsigned int bytecount); + Incorporate bytecount octets into the hash. + int SHA$$$FinalBits(SHA$$$Context *, const uint8_t octet, + unsigned int bitcount); + Incorporate bitcount bits into the hash. The bits are in + the upper portion of the octet. SHA$$$Input() cannot be + called after this. + int SHA$$$Result(SHA$$$Context *, + uint8_t Message_Digest[SHA$$$HashSize]); + Do the final calculations on the hash and copy the value + into Message_Digest. + + In addition, functions with the prefix USHA are provided that take a + SHAversion value (SHA$$$) to select the SHA function suite. They add + the following constants, structure, and functions: + + Constants: + shaBadParam constant returned by USHA functions when + presented with a bad SHAversion (SHA$$$) + parameter + + + + +Eastlake 3rd & Hansen Informational [Page 16] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + SHA$$$ SHAversion enumeration values, used by usha + and hmac functions to select the SHA function + suite + + Structure: + typedef USHAContext + an opaque structure holding the complete state + for producing the hash + + Functions: + int USHAReset(USHAContext *, SHAversion whichSha); + Reset the hash context state. + int USHAInput(USHAContext *, + const uint8_t *bytes, unsigned int bytecount); + Incorporate bytecount octets into the hash. + int USHAFinalBits(USHAContext *, + const uint8_t bits, unsigned int bitcount); + Incorporate bitcount bits into the hash. + int USHAResult(USHAContext *, + uint8_t Message_Digest[USHAMaxHashSize]); + Do the final calculations on the hash and copy the value + into Message_Digest. Octets in Message_Digest beyond + USHAHashSize(whichSha) are left untouched. + int USHAHashSize(enum SHAversion whichSha); + The number of octets in the given hash. + int USHAHashSizeBits(enum SHAversion whichSha); + The number of bits in the given hash. + int USHABlockSize(enum SHAversion whichSha); + The internal block size for the given hash. + + The hmac functions follow the same pattern to allow any length of + text input to be used. + + Structure: + typedef HMACContext an opaque structure holding the complete state + for producing the hash + + Functions: + int hmacReset(HMACContext *ctx, enum SHAversion whichSha, + const unsigned char *key, int key_len); + Reset the hash context state. + int hmacInput(HMACContext *ctx, const unsigned char *text, + int text_len); + Incorporate text_len octets into the hash. + int hmacFinalBits(HMACContext *ctx, const uint8_t bits, + unsigned int bitcount); + Incorporate bitcount bits into the hash. + + + + +Eastlake 3rd & Hansen Informational [Page 17] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + int hmacResult(HMACContext *ctx, + uint8_t Message_Digest[USHAMaxHashSize]); + Do the final calculations on the hash and copy the value + into Message_Digest. Octets in Message_Digest beyond + USHAHashSize(whichSha) are left untouched. + + In addition, a combined interface is provided, similar to that shown + in RFC 2104, that allows a fixed-length text input to be used. + + int hmac(SHAversion whichSha, + const unsigned char *text, int text_len, + const unsigned char *key, int key_len, + uint8_t Message_Digest[USHAMaxHashSize]); + Calculate the given digest for the given text and key, and + return the resulting hash. Octets in Message_Digest beyond + USHAHashSize(whichSha) are left untouched. + +8.1. The .h File + +/**************************** sha.h ****************************/ +/******************* See RFC 4634 for details ******************/ +#ifndef _SHA_H_ +#define _SHA_H_ + +/* + * Description: + * This file implements the Secure Hash Signature Standard + * algorithms as defined in the National Institute of Standards + * and Technology Federal Information Processing Standards + * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 + * published on August 1, 2002, and the FIPS PUB 180-2 Change + * Notice published on February 28, 2004. + * + * A combined document showing all algorithms is available at + * http://csrc.nist.gov/publications/fips/ + * fips180-2/fips180-2withchangenotice.pdf + * + * The five hashes are defined in these sizes: + * SHA-1 20 byte / 160 bit + * SHA-224 28 byte / 224 bit + * SHA-256 32 byte / 256 bit + * SHA-384 48 byte / 384 bit + * SHA-512 64 byte / 512 bit + */ + +#include +/* + * If you do not have the ISO standard stdint.h header file, then you + + + +Eastlake 3rd & Hansen Informational [Page 18] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * must typedef the following: + * name meaning + * uint64_t unsigned 64 bit integer + * uint32_t unsigned 32 bit integer + * uint8_t unsigned 8 bit integer (i.e., unsigned char) + * int_least16_t integer of >= 16 bits + * + */ + +#ifndef _SHA_enum_ +#define _SHA_enum_ +/* + * All SHA functions return one of these values. + */ +enum { + shaSuccess = 0, + shaNull, /* Null pointer parameter */ + shaInputTooLong, /* input data too long */ + shaStateError, /* called Input after FinalBits or Result */ + shaBadParam /* passed a bad parameter */ +}; +#endif /* _SHA_enum_ */ + +/* + * These constants hold size information for each of the SHA + * hashing operations + */ +enum { + SHA1_Message_Block_Size = 64, SHA224_Message_Block_Size = 64, + SHA256_Message_Block_Size = 64, SHA384_Message_Block_Size = 128, + SHA512_Message_Block_Size = 128, + USHA_Max_Message_Block_Size = SHA512_Message_Block_Size, + + SHA1HashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32, + SHA384HashSize = 48, SHA512HashSize = 64, + USHAMaxHashSize = SHA512HashSize, + + SHA1HashSizeBits = 160, SHA224HashSizeBits = 224, + SHA256HashSizeBits = 256, SHA384HashSizeBits = 384, + SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits +}; + +/* + * These constants are used in the USHA (unified sha) functions. + */ +typedef enum SHAversion { + SHA1, SHA224, SHA256, SHA384, SHA512 +} SHAversion; + + + +Eastlake 3rd & Hansen Informational [Page 19] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * This structure will hold context information for the SHA-1 + * hashing operation. + */ +typedef struct SHA1Context { + uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */ + + uint32_t Length_Low; /* Message length in bits */ + uint32_t Length_High; /* Message length in bits */ + + int_least16_t Message_Block_Index; /* Message_Block array index */ + /* 512-bit message blocks */ + uint8_t Message_Block[SHA1_Message_Block_Size]; + + int Computed; /* Is the digest computed? */ + int Corrupted; /* Is the digest corrupted? */ +} SHA1Context; + +/* + * This structure will hold context information for the SHA-256 + * hashing operation. + */ +typedef struct SHA256Context { + uint32_t Intermediate_Hash[SHA256HashSize/4]; /* Message Digest */ + + uint32_t Length_Low; /* Message length in bits */ + uint32_t Length_High; /* Message length in bits */ + + int_least16_t Message_Block_Index; /* Message_Block array index */ + /* 512-bit message blocks */ + uint8_t Message_Block[SHA256_Message_Block_Size]; + + int Computed; /* Is the digest computed? */ + int Corrupted; /* Is the digest corrupted? */ +} SHA256Context; + +/* + * This structure will hold context information for the SHA-512 + * hashing operation. + */ +typedef struct SHA512Context { +#ifdef USE_32BIT_ONLY + uint32_t Intermediate_Hash[SHA512HashSize/4]; /* Message Digest */ + uint32_t Length[4]; /* Message length in bits */ +#else /* !USE_32BIT_ONLY */ + uint64_t Intermediate_Hash[SHA512HashSize/8]; /* Message Digest */ + uint64_t Length_Low, Length_High; /* Message length in bits */ +#endif /* USE_32BIT_ONLY */ + + + +Eastlake 3rd & Hansen Informational [Page 20] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + int_least16_t Message_Block_Index; /* Message_Block array index */ + /* 1024-bit message blocks */ + uint8_t Message_Block[SHA512_Message_Block_Size]; + + int Computed; /* Is the digest computed?*/ + int Corrupted; /* Is the digest corrupted? */ +} SHA512Context; + +/* + * This structure will hold context information for the SHA-224 + * hashing operation. It uses the SHA-256 structure for computation. + */ +typedef struct SHA256Context SHA224Context; + +/* + * This structure will hold context information for the SHA-384 + * hashing operation. It uses the SHA-512 structure for computation. + */ +typedef struct SHA512Context SHA384Context; + +/* + * This structure holds context information for all SHA + * hashing operations. + */ +typedef struct USHAContext { + int whichSha; /* which SHA is being used */ + union { + SHA1Context sha1Context; + SHA224Context sha224Context; SHA256Context sha256Context; + SHA384Context sha384Context; SHA512Context sha512Context; + } ctx; +} USHAContext; + +/* + * This structure will hold context information for the HMAC + * keyed hashing operation. + */ +typedef struct HMACContext { + int whichSha; /* which SHA is being used */ + int hashSize; /* hash size of SHA being used */ + int blockSize; /* block size of SHA being used */ + USHAContext shaContext; /* SHA context */ + unsigned char k_opad[USHA_Max_Message_Block_Size]; + /* outer padding - key XORd with opad */ +} HMACContext; + + + + + + +Eastlake 3rd & Hansen Informational [Page 21] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * Function Prototypes + */ + +/* SHA-1 */ +extern int SHA1Reset(SHA1Context *); +extern int SHA1Input(SHA1Context *, const uint8_t *bytes, + unsigned int bytecount); +extern int SHA1FinalBits(SHA1Context *, const uint8_t bits, + unsigned int bitcount); +extern int SHA1Result(SHA1Context *, + uint8_t Message_Digest[SHA1HashSize]); + +/* SHA-224 */ +extern int SHA224Reset(SHA224Context *); +extern int SHA224Input(SHA224Context *, const uint8_t *bytes, + unsigned int bytecount); +extern int SHA224FinalBits(SHA224Context *, const uint8_t bits, + unsigned int bitcount); +extern int SHA224Result(SHA224Context *, + uint8_t Message_Digest[SHA224HashSize]); + +/* SHA-256 */ +extern int SHA256Reset(SHA256Context *); +extern int SHA256Input(SHA256Context *, const uint8_t *bytes, + unsigned int bytecount); +extern int SHA256FinalBits(SHA256Context *, const uint8_t bits, + unsigned int bitcount); +extern int SHA256Result(SHA256Context *, + uint8_t Message_Digest[SHA256HashSize]); + +/* SHA-384 */ +extern int SHA384Reset(SHA384Context *); +extern int SHA384Input(SHA384Context *, const uint8_t *bytes, + unsigned int bytecount); +extern int SHA384FinalBits(SHA384Context *, const uint8_t bits, + unsigned int bitcount); +extern int SHA384Result(SHA384Context *, + uint8_t Message_Digest[SHA384HashSize]); + +/* SHA-512 */ +extern int SHA512Reset(SHA512Context *); +extern int SHA512Input(SHA512Context *, const uint8_t *bytes, + unsigned int bytecount); +extern int SHA512FinalBits(SHA512Context *, const uint8_t bits, + unsigned int bitcount); +extern int SHA512Result(SHA512Context *, + uint8_t Message_Digest[SHA512HashSize]); + + + +Eastlake 3rd & Hansen Informational [Page 22] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* Unified SHA functions, chosen by whichSha */ +extern int USHAReset(USHAContext *, SHAversion whichSha); +extern int USHAInput(USHAContext *, + const uint8_t *bytes, unsigned int bytecount); +extern int USHAFinalBits(USHAContext *, + const uint8_t bits, unsigned int bitcount); +extern int USHAResult(USHAContext *, + uint8_t Message_Digest[USHAMaxHashSize]); +extern int USHABlockSize(enum SHAversion whichSha); +extern int USHAHashSize(enum SHAversion whichSha); +extern int USHAHashSizeBits(enum SHAversion whichSha); + +/* + * HMAC Keyed-Hashing for Message Authentication, RFC2104, + * for all SHAs. + * This interface allows a fixed-length text input to be used. + */ +extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ + const unsigned char *text, /* pointer to data stream */ + int text_len, /* length of data stream */ + const unsigned char *key, /* pointer to authentication key */ + int key_len, /* length of authentication key */ + uint8_t digest[USHAMaxHashSize]); /* caller digest to fill in */ + +/* + * HMAC Keyed-Hashing for Message Authentication, RFC2104, + * for all SHAs. + * This interface allows any length of text input to be used. + */ +extern int hmacReset(HMACContext *ctx, enum SHAversion whichSha, + const unsigned char *key, int key_len); +extern int hmacInput(HMACContext *ctx, const unsigned char *text, + int text_len); + +extern int hmacFinalBits(HMACContext *ctx, const uint8_t bits, + unsigned int bitcount); +extern int hmacResult(HMACContext *ctx, + uint8_t digest[USHAMaxHashSize]); + +#endif /* _SHA_H_ */ + + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 23] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +8.2. The SHA Code + + This code is primarily intended as expository and could be optimized + further. For example, the assignment rotations through the variables + a, b, ..., h could be treated as a cycle and the loop unrolled, + rather than doing the explicit copying. + + Note that there are alternative representations of the Ch() and Maj() + functions controlled by an ifdef. + +8.2.1. sha1.c + +/**************************** sha1.c ****************************/ +/******************** See RFC 4634 for details ******************/ +/* + * Description: + * This file implements the Secure Hash Signature Standard + * algorithms as defined in the National Institute of Standards + * and Technology Federal Information Processing Standards + * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 + * published on August 1, 2002, and the FIPS PUB 180-2 Change + * Notice published on February 28, 2004. + * + * A combined document showing all algorithms is available at + * http://csrc.nist.gov/publications/fips/ + * fips180-2/fips180-2withchangenotice.pdf + * + * The SHA-1 algorithm produces a 160-bit message digest for a + * given data stream. It should take about 2**n steps to find a + * message with the same digest as a given message and + * 2**(n/2) to find any two messages with the same digest, + * when n is the digest size in bits. Therefore, this + * algorithm can serve as a means of providing a + * "fingerprint" for a message. + * + * Portability Issues: + * SHA-1 is defined in terms of 32-bit "words". This code + * uses (included via "sha.h") to define 32 and 8 + * bit unsigned integer types. If your C compiler does not + * support 32 bit unsigned integers, this code is not + * appropriate. + * + * Caveats: + * SHA-1 is designed to work with messages less than 2^64 bits + * long. This implementation uses SHA1Input() to hash the bits + * that are a multiple of the size of an 8-bit character, and then + * uses SHA1FinalBits() to hash the final few bits of the input. + */ + + + +Eastlake 3rd & Hansen Informational [Page 24] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +#include "sha.h" +#include "sha-private.h" + +/* + * Define the SHA1 circular left shift macro + */ +#define SHA1_ROTL(bits,word) \ + (((word) << (bits)) | ((word) >> (32-(bits)))) + +/* + * add "length" to the length + */ +static uint32_t addTemp; +#define SHA1AddLength(context, length) \ + (addTemp = (context)->Length_Low, \ + (context)->Corrupted = \ + (((context)->Length_Low += (length)) < addTemp) && \ + (++(context)->Length_High == 0) ? 1 : 0) + +/* Local Function Prototypes */ +static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte); +static void SHA1PadMessage(SHA1Context *, uint8_t Pad_Byte); +static void SHA1ProcessMessageBlock(SHA1Context *); + +/* + * SHA1Reset + * + * Description: + * This function will initialize the SHA1Context in preparation + * for computing a new SHA1 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + * + */ +int SHA1Reset(SHA1Context *context) +{ + if (!context) + return shaNull; + + context->Length_Low = 0; + context->Length_High = 0; + context->Message_Block_Index = 0; + + + + +Eastlake 3rd & Hansen Informational [Page 25] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + /* Initial Hash Values: FIPS-180-2 section 5.3.1 */ + context->Intermediate_Hash[0] = 0x67452301; + context->Intermediate_Hash[1] = 0xEFCDAB89; + context->Intermediate_Hash[2] = 0x98BADCFE; + context->Intermediate_Hash[3] = 0x10325476; + context->Intermediate_Hash[4] = 0xC3D2E1F0; + + context->Computed = 0; + context->Corrupted = 0; + + return shaSuccess; +} + +/* + * SHA1Input + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + */ +int SHA1Input(SHA1Context *context, + const uint8_t *message_array, unsigned length) +{ + if (!length) + return shaSuccess; + + if (!context || !message_array) + return shaNull; + + if (context->Computed) { + context->Corrupted = shaStateError; + return shaStateError; + } + + if (context->Corrupted) + + + +Eastlake 3rd & Hansen Informational [Page 26] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + return context->Corrupted; + + while (length-- && !context->Corrupted) { + context->Message_Block[context->Message_Block_Index++] = + (*message_array & 0xFF); + + if (!SHA1AddLength(context, 8) && + (context->Message_Block_Index == SHA1_Message_Block_Size)) + SHA1ProcessMessageBlock(context); + + message_array++; + } + + return shaSuccess; +} + +/* + * SHA1FinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + */ +int SHA1FinalBits(SHA1Context *context, const uint8_t message_bits, + unsigned int length) +{ + uint8_t masks[8] = { + /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, + /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, + /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, + /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE + }; + uint8_t markbit[8] = { + /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, + /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, + /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, + + + +Eastlake 3rd & Hansen Informational [Page 27] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 + }; + + if (!length) + return shaSuccess; + + if (!context) + return shaNull; + + if (context->Computed || (length >= 8) || (length == 0)) { + context->Corrupted = shaStateError; + return shaStateError; + } + + if (context->Corrupted) + return context->Corrupted; + + SHA1AddLength(context, length); + SHA1Finalize(context, + (uint8_t) ((message_bits & masks[length]) | markbit[length])); + + return shaSuccess; +} + +/* + * SHA1Result + * + * Description: + * This function will return the 160-bit message digest into the + * Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 19th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA-1 hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + * sha Error Code. + * + */ +int SHA1Result(SHA1Context *context, + uint8_t Message_Digest[SHA1HashSize]) +{ + int i; + + + + +Eastlake 3rd & Hansen Informational [Page 28] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + if (!context || !Message_Digest) + return shaNull; + + if (context->Corrupted) + return context->Corrupted; + + if (!context->Computed) + SHA1Finalize(context, 0x80); + + for (i = 0; i < SHA1HashSize; ++i) + Message_Digest[i] = (uint8_t) (context->Intermediate_Hash[i>>2] + >> 8 * ( 3 - ( i & 0x03 ) )); + + return shaSuccess; +} + +/* + * SHA1Finalize + * + * Description: + * This helper function finishes off the digest calculations. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * sha Error Code. + * + */ +static void SHA1Finalize(SHA1Context *context, uint8_t Pad_Byte) +{ + int i; + SHA1PadMessage(context, Pad_Byte); + /* message may be sensitive, clear it out */ + for (i = 0; i < SHA1_Message_Block_Size; ++i) + context->Message_Block[i] = 0; + context->Length_Low = 0; /* and clear length */ + context->Length_High = 0; + context->Computed = 1; +} + +/* + + + +Eastlake 3rd & Hansen Informational [Page 29] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * SHA1PadMessage + * + * Description: + * According to the standard, the message must be padded to an + * even 512 bits. The first padding bit must be a '1'. The last + * 64 bits represent the length of the original message. All bits + * in between should be 0. This helper function will pad the + * message according to those rules by filling the Message_Block + * array accordingly. When it returns, it can be assumed that the + * message digest has been computed. + * + * Parameters: + * context: [in/out] + * The context to pad + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * Nothing. + */ +static void SHA1PadMessage(SHA1Context *context, uint8_t Pad_Byte) +{ + /* + * Check to see if the current message block is too small to hold + * the initial padding bits and length. If so, we will pad the + * block, process it, and then continue padding into a second + * block. + */ + if (context->Message_Block_Index >= (SHA1_Message_Block_Size - 8)) { + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + while (context->Message_Block_Index < SHA1_Message_Block_Size) + context->Message_Block[context->Message_Block_Index++] = 0; + + SHA1ProcessMessageBlock(context); + } else + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + + while (context->Message_Block_Index < (SHA1_Message_Block_Size - 8)) + context->Message_Block[context->Message_Block_Index++] = 0; + + /* + * Store the message length as the last 8 octets + */ + context->Message_Block[56] = (uint8_t) (context->Length_High >> 24); + context->Message_Block[57] = (uint8_t) (context->Length_High >> 16); + + + +Eastlake 3rd & Hansen Informational [Page 30] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + context->Message_Block[58] = (uint8_t) (context->Length_High >> 8); + context->Message_Block[59] = (uint8_t) (context->Length_High); + context->Message_Block[60] = (uint8_t) (context->Length_Low >> 24); + context->Message_Block[61] = (uint8_t) (context->Length_Low >> 16); + context->Message_Block[62] = (uint8_t) (context->Length_Low >> 8); + context->Message_Block[63] = (uint8_t) (context->Length_Low); + + SHA1ProcessMessageBlock(context); +} + +/* + * SHA1ProcessMessageBlock + * + * Description: + * This helper function will process the next 512 bits of the + * message stored in the Message_Block array. + * + * Parameters: + * None. + * + * Returns: + * Nothing. + * + * Comments: + * Many of the variable names in this code, especially the + * single character names, were used because those were the + * names used in the publication. + */ +static void SHA1ProcessMessageBlock(SHA1Context *context) +{ + /* Constants defined in FIPS-180-2, section 4.2.1 */ + const uint32_t K[4] = { + 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6 + }; + int t; /* Loop counter */ + uint32_t temp; /* Temporary word value */ + uint32_t W[80]; /* Word sequence */ + uint32_t A, B, C, D, E; /* Word buffers */ + + /* + * Initialize the first 16 words in the array W + */ + for (t = 0; t < 16; t++) { + W[t] = ((uint32_t)context->Message_Block[t * 4]) << 24; + W[t] |= ((uint32_t)context->Message_Block[t * 4 + 1]) << 16; + W[t] |= ((uint32_t)context->Message_Block[t * 4 + 2]) << 8; + W[t] |= ((uint32_t)context->Message_Block[t * 4 + 3]); + } + + + +Eastlake 3rd & Hansen Informational [Page 31] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + for (t = 16; t < 80; t++) + W[t] = SHA1_ROTL(1, W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]); + + A = context->Intermediate_Hash[0]; + B = context->Intermediate_Hash[1]; + C = context->Intermediate_Hash[2]; + D = context->Intermediate_Hash[3]; + E = context->Intermediate_Hash[4]; + + for (t = 0; t < 20; t++) { + temp = SHA1_ROTL(5,A) + SHA_Ch(B, C, D) + E + W[t] + K[0]; + E = D; + D = C; + C = SHA1_ROTL(30,B); + B = A; + A = temp; + } + + for (t = 20; t < 40; t++) { + temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[1]; + E = D; + D = C; + C = SHA1_ROTL(30,B); + B = A; + A = temp; + } + + for (t = 40; t < 60; t++) { + temp = SHA1_ROTL(5,A) + SHA_Maj(B, C, D) + E + W[t] + K[2]; + E = D; + D = C; + C = SHA1_ROTL(30,B); + B = A; + A = temp; + } + + for (t = 60; t < 80; t++) { + temp = SHA1_ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3]; + E = D; + D = C; + C = SHA1_ROTL(30,B); + B = A; + A = temp; + } + + context->Intermediate_Hash[0] += A; + context->Intermediate_Hash[1] += B; + context->Intermediate_Hash[2] += C; + + + +Eastlake 3rd & Hansen Informational [Page 32] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + context->Intermediate_Hash[3] += D; + context->Intermediate_Hash[4] += E; + + context->Message_Block_Index = 0; +} + +8.2.2. sha224-256.c + +/*************************** sha224-256.c ***************************/ +/********************* See RFC 4634 for details *********************/ +/* + * Description: + * This file implements the Secure Hash Signature Standard + * algorithms as defined in the National Institute of Standards + * and Technology Federal Information Processing Standards + * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 + * published on August 1, 2002, and the FIPS PUB 180-2 Change + * Notice published on February 28, 2004. + * + * A combined document showing all algorithms is available at + * http://csrc.nist.gov/publications/fips/ + * fips180-2/fips180-2withchangenotice.pdf + * + * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit + * message digests for a given data stream. It should take about + * 2**n steps to find a message with the same digest as a given + * message and 2**(n/2) to find any two messages with the same + * digest, when n is the digest size in bits. Therefore, this + * algorithm can serve as a means of providing a + * "fingerprint" for a message. + * + * Portability Issues: + * SHA-224 and SHA-256 are defined in terms of 32-bit "words". + * This code uses (included via "sha.h") to define 32 + * and 8 bit unsigned integer types. If your C compiler does not + * support 32 bit unsigned integers, this code is not + * appropriate. + * + * Caveats: + * SHA-224 and SHA-256 are designed to work with messages less + * than 2^64 bits long. This implementation uses SHA224/256Input() + * to hash the bits that are a multiple of the size of an 8-bit + * character, and then uses SHA224/256FinalBits() to hash the + * final few bits of the input. + */ + +#include "sha.h" +#include "sha-private.h" + + + +Eastlake 3rd & Hansen Informational [Page 33] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* Define the SHA shift, rotate left and rotate right macro */ +#define SHA256_SHR(bits,word) ((word) >> (bits)) +#define SHA256_ROTL(bits,word) \ + (((word) << (bits)) | ((word) >> (32-(bits)))) +#define SHA256_ROTR(bits,word) \ + (((word) >> (bits)) | ((word) << (32-(bits)))) + +/* Define the SHA SIGMA and sigma macros */ +#define SHA256_SIGMA0(word) \ + (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word)) +#define SHA256_SIGMA1(word) \ + (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word)) +#define SHA256_sigma0(word) \ + (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word)) +#define SHA256_sigma1(word) \ + (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word)) + +/* + * add "length" to the length + */ +static uint32_t addTemp; +#define SHA224_256AddLength(context, length) \ + (addTemp = (context)->Length_Low, (context)->Corrupted = \ + (((context)->Length_Low += (length)) < addTemp) && \ + (++(context)->Length_High == 0) ? 1 : 0) + +/* Local Function Prototypes */ +static void SHA224_256Finalize(SHA256Context *context, + uint8_t Pad_Byte); +static void SHA224_256PadMessage(SHA256Context *context, + uint8_t Pad_Byte); +static void SHA224_256ProcessMessageBlock(SHA256Context *context); +static int SHA224_256Reset(SHA256Context *context, uint32_t *H0); +static int SHA224_256ResultN(SHA256Context *context, + uint8_t Message_Digest[], int HashSize); + +/* Initial Hash Values: FIPS-180-2 Change Notice 1 */ +static uint32_t SHA224_H0[SHA256HashSize/4] = { + 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939, + 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4 +}; + +/* Initial Hash Values: FIPS-180-2 section 5.3.2 */ +static uint32_t SHA256_H0[SHA256HashSize/4] = { + 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, + 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 +}; + + + + +Eastlake 3rd & Hansen Informational [Page 34] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * SHA224Reset + * + * Description: + * This function will initialize the SHA384Context in preparation + * for computing a new SHA224 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + */ +int SHA224Reset(SHA224Context *context) +{ + return SHA224_256Reset(context, SHA224_H0); +} + +/* + * SHA224Input + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + */ +int SHA224Input(SHA224Context *context, const uint8_t *message_array, + unsigned int length) +{ + return SHA256Input(context, message_array, length); +} + +/* + * SHA224FinalBits + * + + + +Eastlake 3rd & Hansen Informational [Page 35] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + */ +int SHA224FinalBits( SHA224Context *context, + const uint8_t message_bits, unsigned int length) +{ + return SHA256FinalBits(context, message_bits, length); +} + +/* + * SHA224Result + * + * Description: + * This function will return the 224-bit message + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 28th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + * sha Error Code. + */ +int SHA224Result(SHA224Context *context, + uint8_t Message_Digest[SHA224HashSize]) +{ + return SHA224_256ResultN(context, Message_Digest, SHA224HashSize); +} + +/* + * SHA256Reset + + + +Eastlake 3rd & Hansen Informational [Page 36] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + * Description: + * This function will initialize the SHA256Context in preparation + * for computing a new SHA256 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + */ +int SHA256Reset(SHA256Context *context) +{ + return SHA224_256Reset(context, SHA256_H0); +} + +/* + * SHA256Input + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + */ +int SHA256Input(SHA256Context *context, const uint8_t *message_array, + unsigned int length) +{ + if (!length) + return shaSuccess; + + if (!context || !message_array) + return shaNull; + + if (context->Computed) { + context->Corrupted = shaStateError; + return shaStateError; + + + +Eastlake 3rd & Hansen Informational [Page 37] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + } + + if (context->Corrupted) + return context->Corrupted; + + while (length-- && !context->Corrupted) { + context->Message_Block[context->Message_Block_Index++] = + (*message_array & 0xFF); + + if (!SHA224_256AddLength(context, 8) && + (context->Message_Block_Index == SHA256_Message_Block_Size)) + SHA224_256ProcessMessageBlock(context); + + message_array++; + } + + return shaSuccess; + +} + +/* + * SHA256FinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + */ +int SHA256FinalBits(SHA256Context *context, + const uint8_t message_bits, unsigned int length) +{ + uint8_t masks[8] = { + /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, + /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, + /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, + /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE + }; + + + +Eastlake 3rd & Hansen Informational [Page 38] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + uint8_t markbit[8] = { + /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, + /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, + /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, + /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 + }; + + if (!length) + return shaSuccess; + + if (!context) + return shaNull; + + if ((context->Computed) || (length >= 8) || (length == 0)) { + context->Corrupted = shaStateError; + return shaStateError; + } + + if (context->Corrupted) + return context->Corrupted; + + SHA224_256AddLength(context, length); + SHA224_256Finalize(context, (uint8_t) + ((message_bits & masks[length]) | markbit[length])); + + return shaSuccess; +} + +/* + * SHA256Result + * + * Description: + * This function will return the 256-bit message + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 32nd element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + * sha Error Code. + */ +int SHA256Result(SHA256Context *context, uint8_t Message_Digest[]) +{ + + + +Eastlake 3rd & Hansen Informational [Page 39] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + return SHA224_256ResultN(context, Message_Digest, SHA256HashSize); +} + +/* + * SHA224_256Finalize + * + * Description: + * This helper function finishes off the digest calculations. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * sha Error Code. + */ +static void SHA224_256Finalize(SHA256Context *context, + uint8_t Pad_Byte) +{ + int i; + SHA224_256PadMessage(context, Pad_Byte); + /* message may be sensitive, so clear it out */ + for (i = 0; i < SHA256_Message_Block_Size; ++i) + context->Message_Block[i] = 0; + context->Length_Low = 0; /* and clear length */ + context->Length_High = 0; + context->Computed = 1; +} + +/* + * SHA224_256PadMessage + * + * Description: + * According to the standard, the message must be padded to an + * even 512 bits. The first padding bit must be a '1'. The + * last 64 bits represent the length of the original message. + * All bits in between should be 0. This helper function will pad + * the message according to those rules by filling the + * Message_Block array accordingly. When it returns, it can be + * assumed that the message digest has been computed. + * + * Parameters: + * context: [in/out] + + + +Eastlake 3rd & Hansen Informational [Page 40] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * The context to pad + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * Nothing. + */ +static void SHA224_256PadMessage(SHA256Context *context, + uint8_t Pad_Byte) +{ + /* + * Check to see if the current message block is too small to hold + * the initial padding bits and length. If so, we will pad the + * block, process it, and then continue padding into a second + * block. + */ + if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) { + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + while (context->Message_Block_Index < SHA256_Message_Block_Size) + context->Message_Block[context->Message_Block_Index++] = 0; + SHA224_256ProcessMessageBlock(context); + } else + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + + while (context->Message_Block_Index < (SHA256_Message_Block_Size-8)) + context->Message_Block[context->Message_Block_Index++] = 0; + + /* + * Store the message length as the last 8 octets + */ + context->Message_Block[56] = (uint8_t)(context->Length_High >> 24); + context->Message_Block[57] = (uint8_t)(context->Length_High >> 16); + context->Message_Block[58] = (uint8_t)(context->Length_High >> 8); + context->Message_Block[59] = (uint8_t)(context->Length_High); + context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24); + context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16); + context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8); + context->Message_Block[63] = (uint8_t)(context->Length_Low); + + SHA224_256ProcessMessageBlock(context); +} + +/* + * SHA224_256ProcessMessageBlock + * + + + +Eastlake 3rd & Hansen Informational [Page 41] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Description: + * This function will process the next 512 bits of the message + * stored in the Message_Block array. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * + * Returns: + * Nothing. + * + * Comments: + * Many of the variable names in this code, especially the + * single character names, were used because those were the + * names used in the publication. + */ +static void SHA224_256ProcessMessageBlock(SHA256Context *context) +{ + /* Constants defined in FIPS-180-2, section 4.2.2 */ + static const uint32_t K[64] = { + 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, + 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, + 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, + 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, + 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, + 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, + 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, + 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, + 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, + 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, + 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, + 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, + 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 + }; + int t, t4; /* Loop counter */ + uint32_t temp1, temp2; /* Temporary word value */ + uint32_t W[64]; /* Word sequence */ + uint32_t A, B, C, D, E, F, G, H; /* Word buffers */ + + /* + * Initialize the first 16 words in the array W + */ + for (t = t4 = 0; t < 16; t++, t4 += 4) + W[t] = (((uint32_t)context->Message_Block[t4]) << 24) | + (((uint32_t)context->Message_Block[t4 + 1]) << 16) | + (((uint32_t)context->Message_Block[t4 + 2]) << 8) | + (((uint32_t)context->Message_Block[t4 + 3])); + + + + +Eastlake 3rd & Hansen Informational [Page 42] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + for (t = 16; t < 64; t++) + W[t] = SHA256_sigma1(W[t-2]) + W[t-7] + + SHA256_sigma0(W[t-15]) + W[t-16]; + + A = context->Intermediate_Hash[0]; + B = context->Intermediate_Hash[1]; + C = context->Intermediate_Hash[2]; + D = context->Intermediate_Hash[3]; + E = context->Intermediate_Hash[4]; + F = context->Intermediate_Hash[5]; + G = context->Intermediate_Hash[6]; + H = context->Intermediate_Hash[7]; + + for (t = 0; t < 64; t++) { + temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; + temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C); + H = G; + G = F; + F = E; + E = D + temp1; + D = C; + C = B; + B = A; + A = temp1 + temp2; + } + + context->Intermediate_Hash[0] += A; + context->Intermediate_Hash[1] += B; + context->Intermediate_Hash[2] += C; + context->Intermediate_Hash[3] += D; + context->Intermediate_Hash[4] += E; + context->Intermediate_Hash[5] += F; + context->Intermediate_Hash[6] += G; + context->Intermediate_Hash[7] += H; + + context->Message_Block_Index = 0; +} + +/* + * SHA224_256Reset + * + * Description: + * This helper function will initialize the SHA256Context in + * preparation for computing a new SHA256 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + + + +Eastlake 3rd & Hansen Informational [Page 43] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * H0 + * The initial hash value to use. + * + * Returns: + * sha Error Code. + */ +static int SHA224_256Reset(SHA256Context *context, uint32_t *H0) +{ + if (!context) + return shaNull; + + context->Length_Low = 0; + context->Length_High = 0; + context->Message_Block_Index = 0; + + context->Intermediate_Hash[0] = H0[0]; + context->Intermediate_Hash[1] = H0[1]; + context->Intermediate_Hash[2] = H0[2]; + context->Intermediate_Hash[3] = H0[3]; + context->Intermediate_Hash[4] = H0[4]; + context->Intermediate_Hash[5] = H0[5]; + context->Intermediate_Hash[6] = H0[6]; + context->Intermediate_Hash[7] = H0[7]; + + context->Computed = 0; + context->Corrupted = 0; + + return shaSuccess; +} + +/* + * SHA224_256ResultN + * + * Description: + * This helper function will return the 224-bit or 256-bit message + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 28th/32nd element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * HashSize: [in] + * The size of the hash, either 28 or 32. + * + * Returns: + + + +Eastlake 3rd & Hansen Informational [Page 44] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * sha Error Code. + */ +static int SHA224_256ResultN(SHA256Context *context, + uint8_t Message_Digest[], int HashSize) +{ + int i; + + if (!context || !Message_Digest) + return shaNull; + + if (context->Corrupted) + return context->Corrupted; + + if (!context->Computed) + SHA224_256Finalize(context, 0x80); + + for (i = 0; i < HashSize; ++i) + Message_Digest[i] = (uint8_t) + (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) )); + + return shaSuccess; +} + +8.2.3. sha384-512.c + +/*************************** sha384-512.c ***************************/ +/********************* See RFC 4634 for details *********************/ +/* + * Description: + * This file implements the Secure Hash Signature Standard + * algorithms as defined in the National Institute of Standards + * and Technology Federal Information Processing Standards + * Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2 + * published on August 1, 2002, and the FIPS PUB 180-2 Change + * Notice published on February 28, 2004. + * + * A combined document showing all algorithms is available at + * http://csrc.nist.gov/publications/fips/ + * fips180-2/fips180-2withchangenotice.pdf + * + * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit + * message digests for a given data stream. It should take about + * 2**n steps to find a message with the same digest as a given + * message and 2**(n/2) to find any two messages with the same + * digest, when n is the digest size in bits. Therefore, this + * algorithm can serve as a means of providing a + * "fingerprint" for a message. + * + + + +Eastlake 3rd & Hansen Informational [Page 45] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Portability Issues: + * SHA-384 and SHA-512 are defined in terms of 64-bit "words", + * but if USE_32BIT_ONLY is #defined, this code is implemented in + * terms of 32-bit "words". This code uses (included + * via "sha.h") to define the 64, 32 and 8 bit unsigned integer + * types. If your C compiler does not support 64 bit unsigned + * integers, and you do not #define USE_32BIT_ONLY, this code is + * not appropriate. + * + * Caveats: + * SHA-384 and SHA-512 are designed to work with messages less + * than 2^128 bits long. This implementation uses + * SHA384/512Input() to hash the bits that are a multiple of the + * size of an 8-bit character, and then uses SHA384/256FinalBits() + * to hash the final few bits of the input. + * + */ + +#include "sha.h" +#include "sha-private.h" + +#ifdef USE_32BIT_ONLY +/* + * Define 64-bit arithmetic in terms of 32-bit arithmetic. + * Each 64-bit number is represented in a 2-word array. + * All macros are defined such that the result is the last parameter. + */ + +/* + * Define shift, rotate left and rotate right functions + */ +#define SHA512_SHR(bits, word, ret) ( \ + /* (((uint64_t)((word))) >> (bits)) */ \ + (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \ + ((word)[0] >> (bits)) : 0, \ + (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \ + ((bits) == 32) ? (word)[0] : \ + ((bits) >= 0) ? \ + (((word)[0] << (32 - (bits))) | \ + ((word)[1] >> (bits))) : 0 ) + +#define SHA512_SHL(bits, word, ret) ( \ + /* (((uint64_t)(word)) << (bits)) */ \ + (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \ + ((bits) == 32) ? (word)[1] : \ + ((bits) >= 0) ? \ + (((word)[0] << (bits)) | \ + ((word)[1] >> (32 - (bits)))) : \ + + + +Eastlake 3rd & Hansen Informational [Page 46] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + 0, \ + (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \ + ((word)[1] << (bits)) : 0 ) + +/* + * Define 64-bit OR + */ +#define SHA512_OR(word1, word2, ret) ( \ + (ret)[0] = (word1)[0] | (word2)[0], \ + (ret)[1] = (word1)[1] | (word2)[1] ) + +/* + * Define 64-bit XOR + */ +#define SHA512_XOR(word1, word2, ret) ( \ + (ret)[0] = (word1)[0] ^ (word2)[0], \ + (ret)[1] = (word1)[1] ^ (word2)[1] ) + +/* + * Define 64-bit AND + */ +#define SHA512_AND(word1, word2, ret) ( \ + (ret)[0] = (word1)[0] & (word2)[0], \ + (ret)[1] = (word1)[1] & (word2)[1] ) + +/* + * Define 64-bit TILDA + */ +#define SHA512_TILDA(word, ret) \ + ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] ) + +/* + * Define 64-bit ADD + */ +#define SHA512_ADD(word1, word2, ret) ( \ + (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \ + (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) ) + +/* + * Add the 4word value in word2 to word1. + */ +static uint32_t ADDTO4_temp, ADDTO4_temp2; +#define SHA512_ADDTO4(word1, word2) ( \ + ADDTO4_temp = (word1)[3], \ + (word1)[3] += (word2)[3], \ + ADDTO4_temp2 = (word1)[2], \ + (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \ + ADDTO4_temp = (word1)[1], \ + + + +Eastlake 3rd & Hansen Informational [Page 47] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \ + (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) ) + +/* + * Add the 2word value in word2 to word1. + */ +static uint32_t ADDTO2_temp; +#define SHA512_ADDTO2(word1, word2) ( \ + ADDTO2_temp = (word1)[1], \ + (word1)[1] += (word2)[1], \ + (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) ) + +/* + * SHA rotate ((word >> bits) | (word << (64-bits))) + */ +static uint32_t ROTR_temp1[2], ROTR_temp2[2]; +#define SHA512_ROTR(bits, word, ret) ( \ + SHA512_SHR((bits), (word), ROTR_temp1), \ + SHA512_SHL(64-(bits), (word), ROTR_temp2), \ + SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) ) + +/* + * Define the SHA SIGMA and sigma macros + * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word) + */ +static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2], + SIGMA0_temp3[2], SIGMA0_temp4[2]; +#define SHA512_SIGMA0(word, ret) ( \ + SHA512_ROTR(28, (word), SIGMA0_temp1), \ + SHA512_ROTR(34, (word), SIGMA0_temp2), \ + SHA512_ROTR(39, (word), SIGMA0_temp3), \ + SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \ + SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) ) + +/* + * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word) + */ +static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2], + SIGMA1_temp3[2], SIGMA1_temp4[2]; +#define SHA512_SIGMA1(word, ret) ( \ + SHA512_ROTR(14, (word), SIGMA1_temp1), \ + SHA512_ROTR(18, (word), SIGMA1_temp2), \ + SHA512_ROTR(41, (word), SIGMA1_temp3), \ + SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \ + SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) ) + +/* + * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) + + + +Eastlake 3rd & Hansen Informational [Page 48] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + */ +static uint32_t sigma0_temp1[2], sigma0_temp2[2], + sigma0_temp3[2], sigma0_temp4[2]; +#define SHA512_sigma0(word, ret) ( \ + SHA512_ROTR( 1, (word), sigma0_temp1), \ + SHA512_ROTR( 8, (word), sigma0_temp2), \ + SHA512_SHR( 7, (word), sigma0_temp3), \ + SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \ + SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) ) + +/* + * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) + */ +static uint32_t sigma1_temp1[2], sigma1_temp2[2], + sigma1_temp3[2], sigma1_temp4[2]; +#define SHA512_sigma1(word, ret) ( \ + SHA512_ROTR(19, (word), sigma1_temp1), \ + SHA512_ROTR(61, (word), sigma1_temp2), \ + SHA512_SHR( 6, (word), sigma1_temp3), \ + SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \ + SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) ) + +#undef SHA_Ch +#undef SHA_Maj + +#ifndef USE_MODIFIED_MACROS +/* + * These definitions are the ones used in FIPS-180-2, section 4.1.3 + * Ch(x,y,z) ((x & y) ^ (~x & z)) + */ +static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2]; +#define SHA_Ch(x, y, z, ret) ( \ + SHA512_AND(x, y, Ch_temp1), \ + SHA512_TILDA(x, Ch_temp2), \ + SHA512_AND(Ch_temp2, z, Ch_temp3), \ + SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) ) +/* + * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z))) + */ +static uint32_t Maj_temp1[2], Maj_temp2[2], + Maj_temp3[2], Maj_temp4[2]; +#define SHA_Maj(x, y, z, ret) ( \ + SHA512_AND(x, y, Maj_temp1), \ + SHA512_AND(x, z, Maj_temp2), \ + SHA512_AND(y, z, Maj_temp3), \ + SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \ + SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) ) + + + + +Eastlake 3rd & Hansen Informational [Page 49] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +#else /* !USE_32BIT_ONLY */ +/* + * These definitions are potentially faster equivalents for the ones + * used in FIPS-180-2, section 4.1.3. + * ((x & y) ^ (~x & z)) becomes + * ((x & (y ^ z)) ^ z) + */ +#define SHA_Ch(x, y, z, ret) ( \ + (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \ + (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) ) + +/* + * ((x & y) ^ (x & z) ^ (y & z)) becomes + * ((x & (y | z)) | (y & z)) + */ +#define SHA_Maj(x, y, z, ret) ( \ + ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \ + ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) ) +#endif /* USE_MODIFIED_MACROS */ + +/* + * add "length" to the length + */ +static uint32_t addTemp[4] = { 0, 0, 0, 0 }; +#define SHA384_512AddLength(context, length) ( \ + addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \ + (context)->Corrupted = (((context)->Length[3] == 0) && \ + ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \ + ((context)->Length[0] < 8)) ? 1 : 0 ) + +/* Local Function Prototypes */ +static void SHA384_512Finalize(SHA512Context *context, + uint8_t Pad_Byte); +static void SHA384_512PadMessage(SHA512Context *context, + uint8_t Pad_Byte); +static void SHA384_512ProcessMessageBlock(SHA512Context *context); +static int SHA384_512Reset(SHA512Context *context, uint32_t H0[]); +static int SHA384_512ResultN( SHA512Context *context, + uint8_t Message_Digest[], int HashSize); + +/* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ +static uint32_t SHA384_H0[SHA512HashSize/4] = { + 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A, + 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31, + 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D, + 0xBEFA4FA4 +}; + + + + +Eastlake 3rd & Hansen Informational [Page 50] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +static uint32_t SHA512_H0[SHA512HashSize/4] = { + 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372, + 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1, + 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19, + 0x137E2179 +}; + +#else /* !USE_32BIT_ONLY */ + +/* Define the SHA shift, rotate left and rotate right macro */ +#define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits)) +#define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \ + (((uint64_t)(word)) << (64-(bits)))) + +/* Define the SHA SIGMA and sigma macros */ +#define SHA512_SIGMA0(word) \ + (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)) +#define SHA512_SIGMA1(word) \ + (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)) +#define SHA512_sigma0(word) \ + (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word)) +#define SHA512_sigma1(word) \ + (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word)) + +/* + * add "length" to the length + */ +static uint64_t addTemp; +#define SHA384_512AddLength(context, length) \ + (addTemp = context->Length_Low, context->Corrupted = \ + ((context->Length_Low += length) < addTemp) && \ + (++context->Length_High == 0) ? 1 : 0) + +/* Local Function Prototypes */ +static void SHA384_512Finalize(SHA512Context *context, + uint8_t Pad_Byte); +static void SHA384_512PadMessage(SHA512Context *context, + uint8_t Pad_Byte); +static void SHA384_512ProcessMessageBlock(SHA512Context *context); +static int SHA384_512Reset(SHA512Context *context, uint64_t H0[]); +static int SHA384_512ResultN(SHA512Context *context, + uint8_t Message_Digest[], int HashSize); + +/* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */ +static uint64_t SHA384_H0[] = { + 0xCBBB9D5DC1059ED8ll, 0x629A292A367CD507ll, 0x9159015A3070DD17ll, + 0x152FECD8F70E5939ll, 0x67332667FFC00B31ll, 0x8EB44A8768581511ll, + 0xDB0C2E0D64F98FA7ll, 0x47B5481DBEFA4FA4ll + + + +Eastlake 3rd & Hansen Informational [Page 51] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +}; +static uint64_t SHA512_H0[] = { + 0x6A09E667F3BCC908ll, 0xBB67AE8584CAA73Bll, 0x3C6EF372FE94F82Bll, + 0xA54FF53A5F1D36F1ll, 0x510E527FADE682D1ll, 0x9B05688C2B3E6C1Fll, + 0x1F83D9ABFB41BD6Bll, 0x5BE0CD19137E2179ll +}; + +#endif /* USE_32BIT_ONLY */ + +/* + * SHA384Reset + * + * Description: + * This function will initialize the SHA384Context in preparation + * for computing a new SHA384 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + * + */ +int SHA384Reset(SHA384Context *context) +{ + return SHA384_512Reset(context, SHA384_H0); +} + +/* + * SHA384Input + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + + + +Eastlake 3rd & Hansen Informational [Page 52] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + */ +int SHA384Input(SHA384Context *context, + const uint8_t *message_array, unsigned int length) +{ + return SHA512Input(context, message_array, length); +} + +/* + * SHA384FinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + * + */ +int SHA384FinalBits(SHA384Context *context, + const uint8_t message_bits, unsigned int length) +{ + return SHA512FinalBits(context, message_bits, length); +} + +/* + * SHA384Result + * + * Description: + * This function will return the 384-bit message + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 48th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * + + + +Eastlake 3rd & Hansen Informational [Page 53] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Returns: + * sha Error Code. + * + */ +int SHA384Result(SHA384Context *context, + uint8_t Message_Digest[SHA384HashSize]) +{ + return SHA384_512ResultN(context, Message_Digest, SHA384HashSize); +} + +/* + * SHA512Reset + * + * Description: + * This function will initialize the SHA512Context in preparation + * for computing a new SHA512 message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * + * Returns: + * sha Error Code. + * + */ +int SHA512Reset(SHA512Context *context) +{ + return SHA384_512Reset(context, SHA512_H0); +} + +/* + * SHA512Input + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + + + +Eastlake 3rd & Hansen Informational [Page 54] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + */ +int SHA512Input(SHA512Context *context, + const uint8_t *message_array, + unsigned int length) +{ + if (!length) + return shaSuccess; + + if (!context || !message_array) + return shaNull; + + if (context->Computed) { + context->Corrupted = shaStateError; + return shaStateError; + } + + if (context->Corrupted) + return context->Corrupted; + + while (length-- && !context->Corrupted) { + context->Message_Block[context->Message_Block_Index++] = + (*message_array & 0xFF); + + if (!SHA384_512AddLength(context, 8) && + (context->Message_Block_Index == SHA512_Message_Block_Size)) + SHA384_512ProcessMessageBlock(context); + + message_array++; + } + + return shaSuccess; +} + +/* + * SHA512FinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + + + +Eastlake 3rd & Hansen Informational [Page 55] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + * + */ +int SHA512FinalBits(SHA512Context *context, + const uint8_t message_bits, unsigned int length) +{ + uint8_t masks[8] = { + /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80, + /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0, + /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8, + /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE + }; + uint8_t markbit[8] = { + /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40, + /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10, + /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04, + /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01 + }; + + if (!length) + return shaSuccess; + + if (!context) + return shaNull; + + if ((context->Computed) || (length >= 8) || (length == 0)) { + context->Corrupted = shaStateError; + return shaStateError; + } + + if (context->Corrupted) + return context->Corrupted; + + SHA384_512AddLength(context, length); + SHA384_512Finalize(context, (uint8_t) + ((message_bits & masks[length]) | markbit[length])); + + return shaSuccess; +} + +/* + * SHA384_512Finalize + * + * Description: + * This helper function finishes off the digest calculations. + + + +Eastlake 3rd & Hansen Informational [Page 56] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + * Parameters: + * context: [in/out] + * The SHA context to update + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * sha Error Code. + * + */ +static void SHA384_512Finalize(SHA512Context *context, + uint8_t Pad_Byte) +{ + int_least16_t i; + SHA384_512PadMessage(context, Pad_Byte); + /* message may be sensitive, clear it out */ + for (i = 0; i < SHA512_Message_Block_Size; ++i) + context->Message_Block[i] = 0; +#ifdef USE_32BIT_ONLY /* and clear length */ + context->Length[0] = context->Length[1] = 0; + context->Length[2] = context->Length[3] = 0; +#else /* !USE_32BIT_ONLY */ + context->Length_Low = 0; + context->Length_High = 0; +#endif /* USE_32BIT_ONLY */ + context->Computed = 1; +} + +/* + * SHA512Result + * + * Description: + * This function will return the 512-bit message + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 64th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + + + +Eastlake 3rd & Hansen Informational [Page 57] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * sha Error Code. + * + */ +int SHA512Result(SHA512Context *context, + uint8_t Message_Digest[SHA512HashSize]) +{ + return SHA384_512ResultN(context, Message_Digest, SHA512HashSize); +} + +/* + * SHA384_512PadMessage + * + * Description: + * According to the standard, the message must be padded to an + * even 1024 bits. The first padding bit must be a '1'. The + * last 128 bits represent the length of the original message. + * All bits in between should be 0. This helper function will + * pad the message according to those rules by filling the + * Message_Block array accordingly. When it returns, it can be + * assumed that the message digest has been computed. + * + * Parameters: + * context: [in/out] + * The context to pad + * Pad_Byte: [in] + * The last byte to add to the digest before the 0-padding + * and length. This will contain the last bits of the message + * followed by another single bit. If the message was an + * exact multiple of 8-bits long, Pad_Byte will be 0x80. + * + * Returns: + * Nothing. + * + */ +static void SHA384_512PadMessage(SHA512Context *context, + uint8_t Pad_Byte) +{ + /* + * Check to see if the current message block is too small to hold + * the initial padding bits and length. If so, we will pad the + * block, process it, and then continue padding into a second + * block. + */ + if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) { + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + while (context->Message_Block_Index < SHA512_Message_Block_Size) + context->Message_Block[context->Message_Block_Index++] = 0; + + + + +Eastlake 3rd & Hansen Informational [Page 58] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + SHA384_512ProcessMessageBlock(context); + } else + context->Message_Block[context->Message_Block_Index++] = Pad_Byte; + + while (context->Message_Block_Index < (SHA512_Message_Block_Size-16)) + context->Message_Block[context->Message_Block_Index++] = 0; + + /* + * Store the message length as the last 16 octets + */ +#ifdef USE_32BIT_ONLY + context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24); + context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16); + context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8); + context->Message_Block[115] = (uint8_t)(context->Length[0]); + context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24); + context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16); + context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8); + context->Message_Block[119] = (uint8_t)(context->Length[1]); + + context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24); + context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16); + context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8); + context->Message_Block[123] = (uint8_t)(context->Length[2]); + context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24); + context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16); + context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8); + context->Message_Block[127] = (uint8_t)(context->Length[3]); +#else /* !USE_32BIT_ONLY */ + context->Message_Block[112] = (uint8_t)(context->Length_High >> 56); + context->Message_Block[113] = (uint8_t)(context->Length_High >> 48); + context->Message_Block[114] = (uint8_t)(context->Length_High >> 40); + context->Message_Block[115] = (uint8_t)(context->Length_High >> 32); + context->Message_Block[116] = (uint8_t)(context->Length_High >> 24); + context->Message_Block[117] = (uint8_t)(context->Length_High >> 16); + context->Message_Block[118] = (uint8_t)(context->Length_High >> 8); + context->Message_Block[119] = (uint8_t)(context->Length_High); + + context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56); + context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48); + context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40); + context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32); + context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24); + context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16); + context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8); + context->Message_Block[127] = (uint8_t)(context->Length_Low); +#endif /* USE_32BIT_ONLY */ + + + + +Eastlake 3rd & Hansen Informational [Page 59] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + SHA384_512ProcessMessageBlock(context); +} + +/* + * SHA384_512ProcessMessageBlock + * + * Description: + * This helper function will process the next 1024 bits of the + * message stored in the Message_Block array. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * + * Returns: + * Nothing. + * + * Comments: + * Many of the variable names in this code, especially the + * single character names, were used because those were the + * names used in the publication. + * + * + */ +static void SHA384_512ProcessMessageBlock(SHA512Context *context) +{ + /* Constants defined in FIPS-180-2, section 4.2.3 */ +#ifdef USE_32BIT_ONLY + static const uint32_t K[80*2] = { + 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF, + 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538, + 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5, + 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE, + 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74, + 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235, + 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786, + 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65, + 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC, + 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB, + 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7, + 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725, + 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85, + 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED, + 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB, + 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B, + 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70, + 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218, + 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070, + + + +Eastlake 3rd & Hansen Informational [Page 60] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53, + 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3, + 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373, + 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F, + 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC, + 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7, + 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C, + 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F, + 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6, + 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5, + 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC, + 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C, + 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817 + }; + int t, t2, t8; /* Loop counter */ + uint32_t temp1[2], temp2[2], /* Temporary word values */ + temp3[2], temp4[2], temp5[2]; + uint32_t W[2*80]; /* Word sequence */ + uint32_t A[2], B[2], C[2], D[2], /* Word buffers */ + E[2], F[2], G[2], H[2]; + + /* Initialize the first 16 words in the array W */ + for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) { + W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << 24) | + ((((uint32_t)context->Message_Block[t8 + 1])) << 16) | + ((((uint32_t)context->Message_Block[t8 + 2])) << 8) | + ((((uint32_t)context->Message_Block[t8 + 3]))); + W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) | + ((((uint32_t)context->Message_Block[t8 + 5])) << 16) | + ((((uint32_t)context->Message_Block[t8 + 6])) << 8) | + ((((uint32_t)context->Message_Block[t8 + 7]))); + } + + for (t = 16; t < 80; t++, t2 += 2) { + /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + + SHA512_sigma0(W[t-15]) + W[t-16]; */ + uint32_t *Wt2 = &W[t2-2*2]; + uint32_t *Wt7 = &W[t2-7*2]; + uint32_t *Wt15 = &W[t2-15*2]; + uint32_t *Wt16 = &W[t2-16*2]; + SHA512_sigma1(Wt2, temp1); + SHA512_ADD(temp1, Wt7, temp2); + SHA512_sigma0(Wt15, temp1); + SHA512_ADD(temp1, Wt16, temp3); + SHA512_ADD(temp2, temp3, &W[t2]); + } + + A[0] = context->Intermediate_Hash[0]; + + + +Eastlake 3rd & Hansen Informational [Page 61] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + A[1] = context->Intermediate_Hash[1]; + B[0] = context->Intermediate_Hash[2]; + B[1] = context->Intermediate_Hash[3]; + C[0] = context->Intermediate_Hash[4]; + C[1] = context->Intermediate_Hash[5]; + D[0] = context->Intermediate_Hash[6]; + D[1] = context->Intermediate_Hash[7]; + E[0] = context->Intermediate_Hash[8]; + E[1] = context->Intermediate_Hash[9]; + F[0] = context->Intermediate_Hash[10]; + F[1] = context->Intermediate_Hash[11]; + G[0] = context->Intermediate_Hash[12]; + G[1] = context->Intermediate_Hash[13]; + H[0] = context->Intermediate_Hash[14]; + H[1] = context->Intermediate_Hash[15]; + + for (t = t2 = 0; t < 80; t++, t2 += 2) { + /* + * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; + */ + SHA512_SIGMA1(E,temp1); + SHA512_ADD(H, temp1, temp2); + SHA_Ch(E,F,G,temp3); + SHA512_ADD(temp2, temp3, temp4); + SHA512_ADD(&K[t2], &W[t2], temp5); + SHA512_ADD(temp4, temp5, temp1); + /* + * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); + */ + SHA512_SIGMA0(A,temp3); + SHA_Maj(A,B,C,temp4); + SHA512_ADD(temp3, temp4, temp2); + H[0] = G[0]; H[1] = G[1]; + G[0] = F[0]; G[1] = F[1]; + F[0] = E[0]; F[1] = E[1]; + SHA512_ADD(D, temp1, E); + D[0] = C[0]; D[1] = C[1]; + C[0] = B[0]; C[1] = B[1]; + B[0] = A[0]; B[1] = A[1]; + SHA512_ADD(temp1, temp2, A); + } + + SHA512_ADDTO2(&context->Intermediate_Hash[0], A); + SHA512_ADDTO2(&context->Intermediate_Hash[2], B); + SHA512_ADDTO2(&context->Intermediate_Hash[4], C); + SHA512_ADDTO2(&context->Intermediate_Hash[6], D); + SHA512_ADDTO2(&context->Intermediate_Hash[8], E); + SHA512_ADDTO2(&context->Intermediate_Hash[10], F); + + + +Eastlake 3rd & Hansen Informational [Page 62] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + SHA512_ADDTO2(&context->Intermediate_Hash[12], G); + SHA512_ADDTO2(&context->Intermediate_Hash[14], H); + +#else /* !USE_32BIT_ONLY */ + static const uint64_t K[80] = { + 0x428A2F98D728AE22ll, 0x7137449123EF65CDll, 0xB5C0FBCFEC4D3B2Fll, + 0xE9B5DBA58189DBBCll, 0x3956C25BF348B538ll, 0x59F111F1B605D019ll, + 0x923F82A4AF194F9Bll, 0xAB1C5ED5DA6D8118ll, 0xD807AA98A3030242ll, + 0x12835B0145706FBEll, 0x243185BE4EE4B28Cll, 0x550C7DC3D5FFB4E2ll, + 0x72BE5D74F27B896Fll, 0x80DEB1FE3B1696B1ll, 0x9BDC06A725C71235ll, + 0xC19BF174CF692694ll, 0xE49B69C19EF14AD2ll, 0xEFBE4786384F25E3ll, + 0x0FC19DC68B8CD5B5ll, 0x240CA1CC77AC9C65ll, 0x2DE92C6F592B0275ll, + 0x4A7484AA6EA6E483ll, 0x5CB0A9DCBD41FBD4ll, 0x76F988DA831153B5ll, + 0x983E5152EE66DFABll, 0xA831C66D2DB43210ll, 0xB00327C898FB213Fll, + 0xBF597FC7BEEF0EE4ll, 0xC6E00BF33DA88FC2ll, 0xD5A79147930AA725ll, + 0x06CA6351E003826Fll, 0x142929670A0E6E70ll, 0x27B70A8546D22FFCll, + 0x2E1B21385C26C926ll, 0x4D2C6DFC5AC42AEDll, 0x53380D139D95B3DFll, + 0x650A73548BAF63DEll, 0x766A0ABB3C77B2A8ll, 0x81C2C92E47EDAEE6ll, + 0x92722C851482353Bll, 0xA2BFE8A14CF10364ll, 0xA81A664BBC423001ll, + 0xC24B8B70D0F89791ll, 0xC76C51A30654BE30ll, 0xD192E819D6EF5218ll, + 0xD69906245565A910ll, 0xF40E35855771202All, 0x106AA07032BBD1B8ll, + 0x19A4C116B8D2D0C8ll, 0x1E376C085141AB53ll, 0x2748774CDF8EEB99ll, + 0x34B0BCB5E19B48A8ll, 0x391C0CB3C5C95A63ll, 0x4ED8AA4AE3418ACBll, + 0x5B9CCA4F7763E373ll, 0x682E6FF3D6B2B8A3ll, 0x748F82EE5DEFB2FCll, + 0x78A5636F43172F60ll, 0x84C87814A1F0AB72ll, 0x8CC702081A6439ECll, + 0x90BEFFFA23631E28ll, 0xA4506CEBDE82BDE9ll, 0xBEF9A3F7B2C67915ll, + 0xC67178F2E372532Bll, 0xCA273ECEEA26619Cll, 0xD186B8C721C0C207ll, + 0xEADA7DD6CDE0EB1Ell, 0xF57D4F7FEE6ED178ll, 0x06F067AA72176FBAll, + 0x0A637DC5A2C898A6ll, 0x113F9804BEF90DAEll, 0x1B710B35131C471Bll, + 0x28DB77F523047D84ll, 0x32CAAB7B40C72493ll, 0x3C9EBE0A15C9BEBCll, + 0x431D67C49C100D4Cll, 0x4CC5D4BECB3E42B6ll, 0x597F299CFC657E2All, + 0x5FCB6FAB3AD6FAECll, 0x6C44198C4A475817ll + }; + int t, t8; /* Loop counter */ + uint64_t temp1, temp2; /* Temporary word value */ + uint64_t W[80]; /* Word sequence */ + uint64_t A, B, C, D, E, F, G, H; /* Word buffers */ + + /* + * Initialize the first 16 words in the array W + */ + for (t = t8 = 0; t < 16; t++, t8 += 8) + W[t] = ((uint64_t)(context->Message_Block[t8 ]) << 56) | + ((uint64_t)(context->Message_Block[t8 + 1]) << 48) | + ((uint64_t)(context->Message_Block[t8 + 2]) << 40) | + ((uint64_t)(context->Message_Block[t8 + 3]) << 32) | + ((uint64_t)(context->Message_Block[t8 + 4]) << 24) | + ((uint64_t)(context->Message_Block[t8 + 5]) << 16) | + + + +Eastlake 3rd & Hansen Informational [Page 63] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + ((uint64_t)(context->Message_Block[t8 + 6]) << 8) | + ((uint64_t)(context->Message_Block[t8 + 7])); + + for (t = 16; t < 80; t++) + W[t] = SHA512_sigma1(W[t-2]) + W[t-7] + + SHA512_sigma0(W[t-15]) + W[t-16]; + + A = context->Intermediate_Hash[0]; + B = context->Intermediate_Hash[1]; + C = context->Intermediate_Hash[2]; + D = context->Intermediate_Hash[3]; + E = context->Intermediate_Hash[4]; + F = context->Intermediate_Hash[5]; + G = context->Intermediate_Hash[6]; + H = context->Intermediate_Hash[7]; + + for (t = 0; t < 80; t++) { + temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t]; + temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C); + H = G; + G = F; + F = E; + E = D + temp1; + D = C; + C = B; + B = A; + A = temp1 + temp2; + } + + context->Intermediate_Hash[0] += A; + context->Intermediate_Hash[1] += B; + context->Intermediate_Hash[2] += C; + context->Intermediate_Hash[3] += D; + context->Intermediate_Hash[4] += E; + context->Intermediate_Hash[5] += F; + context->Intermediate_Hash[6] += G; + context->Intermediate_Hash[7] += H; +#endif /* USE_32BIT_ONLY */ + + context->Message_Block_Index = 0; +} + +/* + * SHA384_512Reset + * + * Description: + * This helper function will initialize the SHA512Context in + * preparation for computing a new SHA384 or SHA512 message + + + +Eastlake 3rd & Hansen Informational [Page 64] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * H0 + * The initial hash value to use. + * + * Returns: + * sha Error Code. + * + */ +#ifdef USE_32BIT_ONLY +static int SHA384_512Reset(SHA512Context *context, uint32_t H0[]) +#else /* !USE_32BIT_ONLY */ +static int SHA384_512Reset(SHA512Context *context, uint64_t H0[]) +#endif /* USE_32BIT_ONLY */ +{ + int i; + if (!context) + return shaNull; + + context->Message_Block_Index = 0; + +#ifdef USE_32BIT_ONLY + context->Length[0] = context->Length[1] = 0; + context->Length[2] = context->Length[3] = 0; + + for (i = 0; i < SHA512HashSize/4; i++) + context->Intermediate_Hash[i] = H0[i]; +#else /* !USE_32BIT_ONLY */ + context->Length_High = context->Length_Low = 0; + + for (i = 0; i < SHA512HashSize/8; i++) + context->Intermediate_Hash[i] = H0[i]; +#endif /* USE_32BIT_ONLY */ + + context->Computed = 0; + context->Corrupted = 0; + + return shaSuccess; +} + +/* + * SHA384_512ResultN + * + * Description: + * This helper function will return the 384-bit or 512-bit message + + + +Eastlake 3rd & Hansen Informational [Page 65] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * digest into the Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 48th/64th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA hash. + * Message_Digest: [out] + * Where the digest is returned. + * HashSize: [in] + * The size of the hash, either 48 or 64. + * + * Returns: + * sha Error Code. + * + */ +static int SHA384_512ResultN(SHA512Context *context, + uint8_t Message_Digest[], int HashSize) +{ + int i; + +#ifdef USE_32BIT_ONLY + int i2; +#endif /* USE_32BIT_ONLY */ + + if (!context || !Message_Digest) + return shaNull; + + if (context->Corrupted) + return context->Corrupted; + + if (!context->Computed) + SHA384_512Finalize(context, 0x80); + +#ifdef USE_32BIT_ONLY + for (i = i2 = 0; i < HashSize; ) { + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8); + Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]); + } +#else /* !USE_32BIT_ONLY */ + for (i = 0; i < HashSize; ++i) + Message_Digest[i] = (uint8_t) + + + +Eastlake 3rd & Hansen Informational [Page 66] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) )); +#endif /* USE_32BIT_ONLY */ + + return shaSuccess; +} + +8.2.4. usha.c + +/**************************** usha.c ****************************/ +/******************** See RFC 4634 for details ******************/ +/* + * Description: + * This file implements a unified interface to the SHA algorithms. + */ + +#include "sha.h" + +/* + * USHAReset + * + * Description: + * This function will initialize the SHA Context in preparation + * for computing a new SHA message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * whichSha: [in] + * Selects which SHA reset to call + * + * Returns: + * sha Error Code. + * + */ +int USHAReset(USHAContext *ctx, enum SHAversion whichSha) +{ + if (ctx) { + ctx->whichSha = whichSha; + switch (whichSha) { + case SHA1: return SHA1Reset((SHA1Context*)&ctx->ctx); + case SHA224: return SHA224Reset((SHA224Context*)&ctx->ctx); + case SHA256: return SHA256Reset((SHA256Context*)&ctx->ctx); + case SHA384: return SHA384Reset((SHA384Context*)&ctx->ctx); + case SHA512: return SHA512Reset((SHA512Context*)&ctx->ctx); + default: return shaBadParam; + } + } else { + return shaNull; + + + +Eastlake 3rd & Hansen Informational [Page 67] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + } +} + +/* + * USHAInput + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + */ +int USHAInput(USHAContext *ctx, + const uint8_t *bytes, unsigned int bytecount) +{ + if (ctx) { + switch (ctx->whichSha) { + case SHA1: + return SHA1Input((SHA1Context*)&ctx->ctx, bytes, bytecount); + case SHA224: + return SHA224Input((SHA224Context*)&ctx->ctx, bytes, + bytecount); + case SHA256: + return SHA256Input((SHA256Context*)&ctx->ctx, bytes, + bytecount); + case SHA384: + return SHA384Input((SHA384Context*)&ctx->ctx, bytes, + bytecount); + case SHA512: + return SHA512Input((SHA512Context*)&ctx->ctx, bytes, + bytecount); + default: return shaBadParam; + } + } else { + return shaNull; + } +} + + + +Eastlake 3rd & Hansen Informational [Page 68] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * USHAFinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The SHA context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + */ +int USHAFinalBits(USHAContext *ctx, + const uint8_t bits, unsigned int bitcount) +{ + if (ctx) { + switch (ctx->whichSha) { + case SHA1: + return SHA1FinalBits((SHA1Context*)&ctx->ctx, bits, bitcount); + case SHA224: + return SHA224FinalBits((SHA224Context*)&ctx->ctx, bits, + bitcount); + case SHA256: + return SHA256FinalBits((SHA256Context*)&ctx->ctx, bits, + bitcount); + case SHA384: + return SHA384FinalBits((SHA384Context*)&ctx->ctx, bits, + bitcount); + case SHA512: + return SHA512FinalBits((SHA512Context*)&ctx->ctx, bits, + bitcount); + default: return shaBadParam; + } + } else { + return shaNull; + } +} + +/* + * USHAResult + * + + + +Eastlake 3rd & Hansen Informational [Page 69] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Description: + * This function will return the 160-bit message digest into the + * Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the 19th element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the SHA-1 hash. + * Message_Digest: [out] + * Where the digest is returned. + * + * Returns: + * sha Error Code. + * + */ +int USHAResult(USHAContext *ctx, + uint8_t Message_Digest[USHAMaxHashSize]) +{ + if (ctx) { + switch (ctx->whichSha) { + case SHA1: + return SHA1Result((SHA1Context*)&ctx->ctx, Message_Digest); + case SHA224: + return SHA224Result((SHA224Context*)&ctx->ctx, Message_Digest); + case SHA256: + return SHA256Result((SHA256Context*)&ctx->ctx, Message_Digest); + case SHA384: + return SHA384Result((SHA384Context*)&ctx->ctx, Message_Digest); + case SHA512: + return SHA512Result((SHA512Context*)&ctx->ctx, Message_Digest); + default: return shaBadParam; + } + } else { + return shaNull; + } +} + +/* + * USHABlockSize + * + * Description: + * This function will return the blocksize for the given SHA + * algorithm. + * + * Parameters: + * whichSha: + * which SHA algorithm to query + + + +Eastlake 3rd & Hansen Informational [Page 70] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + * Returns: + * block size + * + */ +int USHABlockSize(enum SHAversion whichSha) +{ + switch (whichSha) { + case SHA1: return SHA1_Message_Block_Size; + case SHA224: return SHA224_Message_Block_Size; + case SHA256: return SHA256_Message_Block_Size; + case SHA384: return SHA384_Message_Block_Size; + default: + case SHA512: return SHA512_Message_Block_Size; + } +} + +/* + * USHAHashSize + * + * Description: + * This function will return the hashsize for the given SHA + * algorithm. + * + * Parameters: + * whichSha: + * which SHA algorithm to query + * + * Returns: + * hash size + * + */ +int USHAHashSize(enum SHAversion whichSha) +{ + switch (whichSha) { + case SHA1: return SHA1HashSize; + case SHA224: return SHA224HashSize; + case SHA256: return SHA256HashSize; + case SHA384: return SHA384HashSize; + default: + case SHA512: return SHA512HashSize; + } +} + +/* + * USHAHashSizeBits + * + * Description: + + + +Eastlake 3rd & Hansen Informational [Page 71] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * This function will return the hashsize for the given SHA + * algorithm, expressed in bits. + * + * Parameters: + * whichSha: + * which SHA algorithm to query + * + * Returns: + * hash size in bits + * + */ +int USHAHashSizeBits(enum SHAversion whichSha) +{ + switch (whichSha) { + case SHA1: return SHA1HashSizeBits; + case SHA224: return SHA224HashSizeBits; + case SHA256: return SHA256HashSizeBits; + case SHA384: return SHA384HashSizeBits; + default: + case SHA512: return SHA512HashSizeBits; + } +} + +8.2.5. sha-private.h + +/*************************** sha-private.h ***************************/ +/********************** See RFC 4634 for details *********************/ +#ifndef _SHA_PRIVATE__H +#define _SHA_PRIVATE__H +/* + * These definitions are defined in FIPS-180-2, section 4.1. + * Ch() and Maj() are defined identically in sections 4.1.1, + * 4.1.2 and 4.1.3. + * + * The definitions used in FIPS-180-2 are as follows: + */ + +#ifndef USE_MODIFIED_MACROS +#define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +#define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) + +#else /* USE_MODIFIED_MACROS */ +/* + * The following definitions are equivalent and potentially faster. + */ + +#define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z)) +#define SHA_Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z))) + + + +Eastlake 3rd & Hansen Informational [Page 72] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +#endif /* USE_MODIFIED_MACROS */ + +#define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z)) + +#endif /* _SHA_PRIVATE__H */ + +8.3 The HMAC Code + +/**************************** hmac.c ****************************/ +/******************** See RFC 4634 for details ******************/ +/* + * Description: + * This file implements the HMAC algorithm (Keyed-Hashing for + * Message Authentication, RFC2104), expressed in terms of the + * various SHA algorithms. + */ + +#include "sha.h" + +/* + * hmac + * + * Description: + * This function will compute an HMAC message digest. + * + * Parameters: + * whichSha: [in] + * One of SHA1, SHA224, SHA256, SHA384, SHA512 + * key: [in] + * The secret shared key. + * key_len: [in] + * The length of the secret shared key. + * message_array: [in] + * An array of characters representing the message. + * length: [in] + * The length of the message in message_array + * digest: [out] + * Where the digest is returned. + * NOTE: The length of the digest is determined by + * the value of whichSha. + * + * Returns: + * sha Error Code. + * + */ +int hmac(SHAversion whichSha, const unsigned char *text, int text_len, + const unsigned char *key, int key_len, + uint8_t digest[USHAMaxHashSize]) + + + +Eastlake 3rd & Hansen Informational [Page 73] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +{ + HMACContext ctx; + return hmacReset(&ctx, whichSha, key, key_len) || + hmacInput(&ctx, text, text_len) || + hmacResult(&ctx, digest); +} + +/* + * hmacReset + * + * Description: + * This function will initialize the hmacContext in preparation + * for computing a new HMAC message digest. + * + * Parameters: + * context: [in/out] + * The context to reset. + * whichSha: [in] + * One of SHA1, SHA224, SHA256, SHA384, SHA512 + * key: [in] + * The secret shared key. + * key_len: [in] + * The length of the secret shared key. + * + * Returns: + * sha Error Code. + * + */ +int hmacReset(HMACContext *ctx, enum SHAversion whichSha, + const unsigned char *key, int key_len) +{ + int i, blocksize, hashsize; + + /* inner padding - key XORd with ipad */ + unsigned char k_ipad[USHA_Max_Message_Block_Size]; + + /* temporary buffer when keylen > blocksize */ + unsigned char tempkey[USHAMaxHashSize]; + + if (!ctx) return shaNull; + + blocksize = ctx->blockSize = USHABlockSize(whichSha); + hashsize = ctx->hashSize = USHAHashSize(whichSha); + + ctx->whichSha = whichSha; + + /* + * If key is longer than the hash blocksize, + + + +Eastlake 3rd & Hansen Informational [Page 74] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * reset it to key = HASH(key). + */ + if (key_len > blocksize) { + USHAContext tctx; + int err = USHAReset(&tctx, whichSha) || + USHAInput(&tctx, key, key_len) || + USHAResult(&tctx, tempkey); + if (err != shaSuccess) return err; + + key = tempkey; + key_len = hashsize; + } + + /* + * The HMAC transform looks like: + * + * SHA(K XOR opad, SHA(K XOR ipad, text)) + * + * where K is an n byte key. + * ipad is the byte 0x36 repeated blocksize times + * opad is the byte 0x5c repeated blocksize times + * and text is the data being protected. + */ + + /* store key into the pads, XOR'd with ipad and opad values */ + for (i = 0; i < key_len; i++) { + k_ipad[i] = key[i] ^ 0x36; + ctx->k_opad[i] = key[i] ^ 0x5c; + } + /* remaining pad bytes are '\0' XOR'd with ipad and opad values */ + for ( ; i < blocksize; i++) { + k_ipad[i] = 0x36; + ctx->k_opad[i] = 0x5c; + } + + /* perform inner hash */ + /* init context for 1st pass */ + return USHAReset(&ctx->shaContext, whichSha) || + /* and start with inner pad */ + USHAInput(&ctx->shaContext, k_ipad, blocksize); +} + +/* + * hmacInput + * + * Description: + * This function accepts an array of octets as the next portion + * of the message. + + + +Eastlake 3rd & Hansen Informational [Page 75] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + * Parameters: + * context: [in/out] + * The HMAC context to update + * message_array: [in] + * An array of characters representing the next portion of + * the message. + * length: [in] + * The length of the message in message_array + * + * Returns: + * sha Error Code. + * + */ +int hmacInput(HMACContext *ctx, const unsigned char *text, + int text_len) +{ + if (!ctx) return shaNull; + /* then text of datagram */ + return USHAInput(&ctx->shaContext, text, text_len); +} + +/* + * HMACFinalBits + * + * Description: + * This function will add in any final bits of the message. + * + * Parameters: + * context: [in/out] + * The HMAC context to update + * message_bits: [in] + * The final bits of the message, in the upper portion of the + * byte. (Use 0b###00000 instead of 0b00000### to input the + * three bits ###.) + * length: [in] + * The number of bits in message_bits, between 1 and 7. + * + * Returns: + * sha Error Code. + */ +int hmacFinalBits(HMACContext *ctx, + const uint8_t bits, + unsigned int bitcount) +{ + if (!ctx) return shaNull; + /* then final bits of datagram */ + return USHAFinalBits(&ctx->shaContext, bits, bitcount); + + + +Eastlake 3rd & Hansen Informational [Page 76] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +} + +/* + * HMACResult + * + * Description: + * This function will return the N-byte message digest into the + * Message_Digest array provided by the caller. + * NOTE: The first octet of hash is stored in the 0th element, + * the last octet of hash in the Nth element. + * + * Parameters: + * context: [in/out] + * The context to use to calculate the HMAC hash. + * digest: [out] + * Where the digest is returned. + * NOTE 2: The length of the hash is determined by the value of + * whichSha that was passed to hmacReset(). + * + * Returns: + * sha Error Code. + * + */ +int hmacResult(HMACContext *ctx, uint8_t *digest) +{ + if (!ctx) return shaNull; + + /* finish up 1st pass */ + /* (Use digest here as a temporary buffer.) */ + return USHAResult(&ctx->shaContext, digest) || + + /* perform outer SHA */ + /* init context for 2nd pass */ + USHAReset(&ctx->shaContext, ctx->whichSha) || + + /* start with outer pad */ + USHAInput(&ctx->shaContext, ctx->k_opad, ctx->blockSize) || + + /* then results of 1st hash */ + USHAInput(&ctx->shaContext, digest, ctx->hashSize) || + + /* finish up 2nd pass */ + USHAResult(&ctx->shaContext, digest); +} + + + + + + + +Eastlake 3rd & Hansen Informational [Page 77] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +8.4. The Test Driver + + The following code is a main program test driver to exercise the code + in sha1.c, sha224-256.c, and sha384-512.c. The test driver can also + be used as a stand-alone program for generating the hashes. + + See also [RFC2202], [RFC4231], and [SHAVS]. + +/**************************** shatest.c ****************************/ +/********************* See RFC 4634 for details ********************/ +/* + * Description: + * This file will exercise the SHA code performing + * the three tests documented in FIPS PUB 180-2 + * (http://csrc.nist.gov/publications/fips/ + * fips180-2/fips180-2withchangenotice.pdf) + * one that calls SHAInput with an exact multiple of 512 bits + * the seven tests documented for each algorithm in + * "The Secure Hash Algorithm Validation System (SHAVS)", + * three of which are bit-level tests + * (http://csrc.nist.gov/cryptval/shs/SHAVS.pdf) + * + * This file will exercise the HMAC SHA1 code performing + * the seven tests documented in RFCs 2202 and 4231. + * + * To run the tests and just see PASSED/FAILED, use the -p option. + * + * Other options exercise: + * hashing an arbitrary string + * hashing a file's contents + * a few error test checks + * printing the results in raw format + * + * Portability Issues: + * None. + * + */ + +#include +#include +#include +#include +#include +#include "sha.h" + +static int xgetopt(int argc, char **argv, const char *optstring); +extern char *xoptarg; +static int scasecmp(const char *s1, const char *s2); + + + +Eastlake 3rd & Hansen Informational [Page 78] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * Define patterns for testing + */ +#define TEST1 "abc" +#define TEST2_1 \ + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" +#define TEST2_2a \ + "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" +#define TEST2_2b \ + "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" +#define TEST2_2 TEST2_2a TEST2_2b +#define TEST3 "a" /* times 1000000 */ +#define TEST4a "01234567012345670123456701234567" +#define TEST4b "01234567012345670123456701234567" + /* an exact multiple of 512 bits */ +#define TEST4 TEST4a TEST4b /* times 10 */ + +#define TEST7_1 \ + "\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8" +#define TEST8_1 \ + "\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46" +#define TEST9_1 \ + "\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\x1a\xe7\x02\x20" \ + "\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" \ + "\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf2\xcd\x03\xfe" \ + "\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" \ + "\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xa1\xb3\x2a" +#define TEST10_1 \ + "\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4f\xba\x15\xa1\xd5\x9f" \ + "\x3f\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" \ + "\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" \ + "\xbd\x57\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a\x84\xd0\xcf\x1f" \ + "\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04" \ + "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" \ + "\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8\x6e\x3b" \ + "\x33\xa1\x08\xb0\x53\x07\xc0\x0a\xff\x14\xa7\x68\xed\x73\x50\x60" \ + "\x6a\x0f\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57\x7f\x9b\x38\x80" \ + "\x7c\x7d\x52\x3d\x6d\x79\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" \ + "\xcd\xbb\xfb" +#define TEST7_224 \ + "\xf0\x70\x06\xf2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d" +#define TEST8_224 \ + "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62" +#define TEST9_224 \ + "\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" \ + "\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" \ + "\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" \ + "\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1f\x06\xcc\x3b\x18\xb9\x1f" \ + + + +Eastlake 3rd & Hansen Informational [Page 79] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "\x3f\x55\x63\x3e\xcc\x30\x85\xf4\x90\x70\x60\xd2" +#define TEST10_224 \ + "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" \ + "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" \ + "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" \ + "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" \ + "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" \ + "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" \ + "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" \ + "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" \ + "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" \ + "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" \ + "\x87\x82\x73" +#define TEST7_256 \ + "\xbe\x27\x46\xc6\xdb\x52\x76\x5f\xdb\x2f\x88\x70\x0f\x9a\x73" +#define TEST8_256 \ + "\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52" +#define TEST9_256 \ + "\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" \ + "\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf3\xc0\x07\x16\x6e\x49\xc1" \ + "\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" \ + "\x3a\x2b\xd9\x01\xe1\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff\x64\x06" \ + "\xa0\x7d\x54\x36\x4e\xff\x74\x2d\xa7\x79\xb0\xb3" +#define TEST10_256 \ + "\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1\x2b\x20\x52\x7a\xfe\xf0" \ + "\x4d\x8a\x05\x69\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" \ + "\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" \ + "\x7d\xab\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32\x5f\x8b\x23\x74" \ + "\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" \ + "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" \ + "\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" \ + "\x3f\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" \ + "\xa9\x7d\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" \ + "\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39" \ + "\x3d\x54\xd6" +#define TEST7_384 \ + "\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa" +#define TEST8_384 \ + "\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1\x0a\x7f\x4e\x08\x59\x17\x39" +#define TEST9_384 \ + "\x68\xf5\x01\x79\x2d\xea\x97\x96\x76\x70\x22\xd9\x3d\xa7\x16\x79" \ + "\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1d\x40\xa1\xd0" \ + "\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" \ + "\x75\x32\x1a\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" \ + "\x04\xf2\x97\x10\x5d\x7b\x82\xff\xc0\x02\x1a\xeb\x1c\xcb\x67\x4f" \ + "\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1c\x5f\x62\xe5\xe9\xa2\xd8" \ + "\x08\x2f\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1c\xc0\x06\xce\x1b\xf6" \ + "\x0f\xf7\x19\xd4\x2f\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" \ + + + +Eastlake 3rd & Hansen Informational [Page 80] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "\x8f\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9" +#define TEST10_384 \ + "\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" \ + "\x74\x79\x03\x49\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" \ + "\x3e\x7d\xc8\x7f\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" \ + "\xe1\xc8\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02\xfc\x3f\x50\x42" \ + "\xe6\xbf\x58\xcb\xa8\xa2\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71" \ + "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5f\x25\xcc\x22\xb5\xe8" \ + "\x77\x84\xa1\x2f\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a\x2c\xe6" \ + "\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" \ + "\x3a\xf3\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5\x1c\xc0\x27\xaa" \ + "\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" \ + "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15\x1c\xb9\xbc\x51\x25\xa4" \ + "\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" \ + "\x76\x71\x1c\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xc1\xf2\x2f\xbc" \ + "\x3c\x72\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77\x40\x86\x42\x14" \ + "\x7e\xd0\x96" +#define TEST7_512 \ + "\x08\xec\xb5\x2e\xba\xe1\xf7\x42\x2d\xb6\x2b\xcd\x54\x26\x70" +#define TEST8_512 \ + "\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0" +#define TEST9_512 \ + "\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" \ + "\xfc\x70\xac\xe2\x74\x4f\x7c\x6b\x27\x88\x15\x10\x28\xf7\xb6\xa2" \ + "\x55\x0f\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f\xc4\x54\x96\x6d\xc3" \ + "\x1d\x2e\x10\xda\x1f\x95\xce\x02\xbe\xb4\xbf\x87\x65\x57\x4c\xbd" \ + "\x6e\x83\x37\xef\x42\x0a\xdc\x98\xc1\x5c\xb6\xd5\xe4\xa0\x24\x1b" \ + "\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" \ + "\x4e\xe4\x14\x5b\xee\x2f\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" \ + "\x4f\x99\xcc\xad\x89\xa9\xa1\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" \ + "\xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\xf5\x49\x06" +#define TEST10_512 \ + "\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" \ + "\xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xe1\xde" \ + "\x69\x74\xbf\x49\x54\x69\xfc\x7f\x33\x8f\x80\x54\xd5\x8c\x26\xc4" \ + "\x93\x60\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d\x03\xe5\x6f\xf2" \ + "\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" \ + "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69\x4f\xcb\xba\xf8\x8d\x95" \ + "\x19\xe4\xeb\x50\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" \ + "\xc8\x82\x1a\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f" \ + "\x96\x90\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" \ + "\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" \ + "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" \ + "\xf8\xb2\x46\xf1\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" \ + "\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f\x47\x07\xfe\x1e\xa1\xa1\x79\x1b" \ + "\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" \ + "\xfb\x40\xd2" +#define SHA1_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" \ + + + +Eastlake 3rd & Hansen Informational [Page 81] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d" +#define SHA224_SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" \ + "\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \ + "\x27" +#define SHA256_SEED "\xf4\x1e\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" \ + "\x5a\xdc\xd5\x1c\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \ + "\x27\x9c\x1c\xb0\xa7" +#define SHA384_SEED "\x82\x40\xbc\x51\xe4\xec\x7e\xf7\x6d\x18\xe3" \ + "\x52\x04\xa1\x9f\x51\xa5\x21\x3a\x73\xa8\x1d\x6f\x94\x46\x80\xd3" \ + "\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \ + "\xa4\x84\xbe\x74\x53" +#define SHA512_SEED "\x47\x3f\xf1\xb9\xb3\xff\xdf\xa1\x26\x69\x9a" \ + "\xc7\xef\x9e\x8e\x78\x77\x73\x09\x58\x24\xc6\x42\x55\x7c\x13\x99" \ + "\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" \ + "\x4c\x1c\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1b\x00\x77" \ + "\x4b\x12\x27\x20\x39" + +#define TESTCOUNT 10 +#define HASHCOUNT 5 +#define RANDOMCOUNT 4 +#define HMACTESTCOUNT 7 + +#define PRINTNONE 0 +#define PRINTTEXT 1 +#define PRINTRAW 2 +#define PRINTHEX 3 +#define PRINTBASE64 4 + +#define PRINTPASSFAIL 1 +#define PRINTFAIL 2 + +#define length(x) (sizeof(x)-1) + +/* Test arrays for hashes. */ +struct hash { + const char *name; + SHAversion whichSha; + int hashsize; + struct { + const char *testarray; + int length; + long repeatcount; + int extrabits; + int numberExtrabits; + const char *resultarray; + } tests[TESTCOUNT]; + const char *randomtest; + const char *randomresults[RANDOMCOUNT]; + + + +Eastlake 3rd & Hansen Informational [Page 82] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +} hashes[HASHCOUNT] = { + { "SHA1", SHA1, SHA1HashSize, + { + /* 1 */ { TEST1, length(TEST1), 1, 0, 0, + "A9993E364706816ABA3E25717850C26C9CD0D89D" }, + /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, + "84983E441C3BD26EBAAE4AA1F95129E5E54670F1" }, + /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, + "34AA973CD4C4DAA4F61EEB2BDBAD27316534016F" }, + /* 4 */ { TEST4, length(TEST4), 10, 0, 0, + "DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" }, + /* 5 */ { "", 0, 0, 0x98, 5, + "29826B003B906E660EFF4027CE98AF3531AC75BA" }, + /* 6 */ { "\x5e", 1, 1, 0, 0, + "5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2" }, + /* 7 */ { TEST7_1, length(TEST7_1), 1, 0x80, 3, + "6239781E03729919C01955B3FFA8ACB60B988340" }, + /* 8 */ { TEST8_1, length(TEST8_1), 1, 0, 0, + "82ABFF6605DBE1C17DEF12A394FA22A82B544A35" }, + /* 9 */ { TEST9_1, length(TEST9_1), 1, 0xE0, 3, + "8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" }, + /* 10 */ { TEST10_1, length(TEST10_1), 1, 0, 0, + "CB0082C8F197D260991BA6A460E76E202BAD27B3" } + }, SHA1_SEED, { "E216836819477C7F78E0D843FE4FF1B6D6C14CD4", + "A2DBC7A5B1C6C0A8BCB7AAA41252A6A7D0690DBC", + "DB1F9050BB863DFEF4CE37186044E2EEB17EE013", + "127FDEDF43D372A51D5747C48FBFFE38EF6CDF7B" + } }, + { "SHA224", SHA224, SHA224HashSize, + { + /* 1 */ { TEST1, length(TEST1), 1, 0, 0, + "23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" }, + /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, + "75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" }, + /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, + "20794655980C91D8BBB4C1EA97618A4BF03F42581948B2EE4EE7AD67" }, + /* 4 */ { TEST4, length(TEST4), 10, 0, 0, + "567F69F168CD7844E65259CE658FE7AADFA25216E68ECA0EB7AB8262" }, + /* 5 */ { "", 0, 0, 0x68, 5, + "E3B048552C3C387BCAB37F6EB06BB79B96A4AEE5FF27F51531A9551C" }, + /* 6 */ { "\x07", 1, 1, 0, 0, + "00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" }, + /* 7 */ { TEST7_224, length(TEST7_224), 1, 0xA0, 3, + "1B01DB6CB4A9E43DED1516BEB3DB0B87B6D1EA43187462C608137150" }, + /* 8 */ { TEST8_224, length(TEST8_224), 1, 0, 0, + "DF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" }, + /* 9 */ { TEST9_224, length(TEST9_224), 1, 0xE0, 3, + "54BEA6EAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" }, + + + +Eastlake 3rd & Hansen Informational [Page 83] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + /* 10 */ { TEST10_224, length(TEST10_224), 1, 0, 0, + "0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" } + }, SHA224_SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD" + "2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A" + "BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B" + "F0F983D8D9AB32C34ADB34", "A2406481FC1BCAF24DD08E6752E844" + "709563FB916227FED598EB621F" + } }, + { "SHA256", SHA256, SHA256HashSize, + { + /* 1 */ { TEST1, length(TEST1), 1, 0, 0, "BA7816BF8F01CFEA4141" + "40DE5DAE2223B00361A396177A9CB410FF61F20015AD" }, + /* 2 */ { TEST2_1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8" + "E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1" }, + /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92" + "81A1C7E284D73E67F1809A48A497200E046D39CCC7112CD0" }, + /* 4 */ { TEST4, length(TEST4), 10, 0, 0, "594847328451BDFA" + "85056225462CC1D867D877FB388DF0CE35F25AB5562BFBB5" }, + /* 5 */ { "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE" + "09DB45E7823EB5079CE7A573A3760F95" }, + /* 6 */ { "\x19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D" + "6A4E17F75F9518D843709C0C9BC3E3D4" }, + /* 7 */ { TEST7_256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8" + "9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" }, + /* 8 */ { TEST8_256, length(TEST8_256), 1, 0, 0, "175EE69B02BA" + "9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABB4E8" }, + /* 9 */ { TEST9_256, length(TEST9_256), 1, 0xA0, 3, "3E9AD646" + "8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDB066E9" }, + /* 10 */ { TEST10_256, length(TEST10_256), 1, 0, 0, "97DBCA7D" + "F46D62C8A422C941DD7E835B8AD3361763F7E9B2D95F4F0DA6E1CCBC" }, + }, SHA256_SEED, { "83D28614D49C3ADC1D6FC05DB5F48037C056F8D2A4CE44" + "EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399" + "5E529B3F954B8581621BB74D39", "8D4BE295BB64661CA3C7EFD129A2F7" + "25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408" + "E31536B70FF906EC51B00447CA97D7DD97C12411F4" + } }, + { "SHA384", SHA384, SHA384HashSize, + { + /* 1 */ { TEST1, length(TEST1), 1, 0, 0, + "CB00753F45A35E8BB5A03D699AC65007272C32AB0EDED163" + "1A8B605A43FF5BED8086072BA1E7CC2358BAECA134C825A7" }, + /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, + "09330C33F71147E83D192FC782CD1B4753111B173B3B05D2" + "2FA08086E3B0F712FCC7C71A557E2DB966C3E9FA91746039" }, + /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, + "9D0E1809716474CB086E834E310A4A1CED149E9C00F24852" + "7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" }, + /* 4 */ { TEST4, length(TEST4), 10, 0, 0, + + + +Eastlake 3rd & Hansen Informational [Page 84] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70" + "BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A0D79FB4596" }, + /* 5 */ { "", 0, 0, 0x10, 5, + "8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399" + "5F7D1149E09143AC1FFCFC56820E469F3878D957A15A3FE4" }, + /* 6 */ { "\xb9", 1, 1, 0, 0, + "BC8089A19007C0B14195F4ECC74094FEC64F01F90929282C" + "2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" }, + /* 7 */ { TEST7_384, length(TEST7_384), 1, 0xA0, 3, + "D8C43B38E12E7C42A7C9B810299FD6A770BEF30920F17532" + "A898DE62C7A07E4293449C0B5FA70109F0783211CFC4BCE3" }, + /* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0, + "C9A68443A005812256B8EC76B00516F0DBB74FAB26D66591" + "3F194B6FFB0E91EA9967566B58109CBC675CC208E4C823F7" }, + /* 9 */ { TEST9_384, length(TEST9_384), 1, 0xE0, 3, + "5860E8DE91C21578BB4174D227898A98E0B45C4C760F0095" + "49495614DAEDC0775D92D11D9F8CE9B064EEAC8DAFC3A297" }, + /* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0, + "4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4AAF" + "38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" } + }, SHA384_SEED, { "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C" + "57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", "F9C6D2" + "61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9C0FD7B503" + "DF1A0B9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01" + "C6FD97384225B58343A88264847C18E4EF8AB7AEE4765FFBC3E30BD485D3" + "638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2" + "5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7" + } }, + { "SHA512", SHA512, SHA512HashSize, + { + /* 1 */ { TEST1, length(TEST1), 1, 0, 0, + "DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA2" + "0A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD" + "454D4423643CE80E2A9AC94FA54CA49F" }, + /* 2 */ { TEST2_2, length(TEST2_2), 1, 0, 0, + "8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA1" + "7299AEADB6889018501D289E4900F7E4331B99DEC4B5433A" + "C7D329EEB6DD26545E96E55B874BE909" }, + /* 3 */ { TEST3, length(TEST3), 1000000, 0, 0, + "E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428" + "5632A803AFA973EBDE0FF244877EA60A4CB0432CE577C31B" + "EB009C5C2C49AA2E4EADB217AD8CC09B" }, + /* 4 */ { TEST4, length(TEST4), 10, 0, 0, + "89D05BA632C699C31231DED4FFC127D5A894DAD412C0E024" + "DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51" + "0813A39CD5A84C4ACAA64D3F3FB7BAE9" }, + /* 5 */ { "", 0, 0, 0xB0, 5, + "D4EE29A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0" + + + +Eastlake 3rd & Hansen Informational [Page 85] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "720A6BF4857D886A7ECB3C4E4C0FA8C7F95214E41DC1B0D2" + "1B22A84CC03BF8CE4845F34DD5BDBAD4" }, + /* 6 */ { "\xD0", 1, 1, 0, 0, + "9992202938E882E73E20F6B69E68A0A7149090423D93C81B" + "AB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA8306826C4A" + "D6E74CECE9631BFA8A549B4AB3FBBA15" }, + /* 7 */ { TEST7_512, length(TEST7_512), 1, 0x80, 3, + "ED8DC78E8B01B69750053DBB7A0A9EDA0FB9E9D292B1ED71" + "5E80A7FE290A4E16664FD913E85854400C5AF05E6DAD316B" + "7359B43E64F8BEC3C1F237119986BBB6" }, + /* 8 */ { TEST8_512, length(TEST8_512), 1, 0, 0, + "CB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75ACBD" + "D1C153C9828924C3DDEDAAFE669C5FDD0BC66F630F677398" + "8213EB1B16F517AD0DE4B2F0C95C90F8" }, + /* 9 */ { TEST9_512, length(TEST9_512), 1, 0x80, 3, + "32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902A4DC0A6" + "82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2" + "526F8A0A510E5E53CAFED4355FE7C2F1" }, + /* 10 */ { TEST10_512, length(TEST10_512), 1, 0, 0, + "C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909" + "C1A16A270D48719377966B957A878E720584779A62825C18" + "DA26415E49A7176A894E7510FD1451F5" } + }, SHA512_SEED, { "2FBB1E7E00F746BA514FBC8C421F36792EC0E11FF5EFC3" + "78E1AB0C079AA5F0F66A1E3EDBAEB4F9984BE14437123038A452004A5576" + "8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5" + "000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2" + "EF461AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B" + "92E5C3F6C36547DA1C13DBB9EA4F73EA4CBBAF89411527906D35B1B06C1B" + "6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "46E36B007D" + "19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877" + "6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2B0E79F" + } + } +}; + +/* Test arrays for HMAC. */ +struct hmachash { + const char *keyarray[5]; + int keylength[5]; + const char *dataarray[5]; + int datalength[5]; + const char *resultarray[5]; + int resultlength[5]; +} hmachashes[HMACTESTCOUNT] = { + { /* 1 */ { + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + "\x0b\x0b\x0b\x0b\x0b" + }, { 20 }, { + + + +Eastlake 3rd & Hansen Informational [Page 86] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */ + }, { 8 }, { + /* HMAC-SHA-1 */ + "B617318655057264E28BC0B6FB378C8EF146BE00", + /* HMAC-SHA-224 */ + "896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F53684B22", + /* HMAC-SHA-256 */ + "B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32" + "CFF7", + /* HMAC-SHA-384 */ + "AFD03944D84895626B0825F4AB46907F15F9DADBE4101EC682AA034C7CEB" + "C59CFAEA9EA9076EDE7F4AF152E8B2FA9CB6", + /* HMAC-SHA-512 */ + "87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2787AD0B30545E1" + "7CDEDAA833B7D6B8A702038B274EAEA3F4E4BE9D914EEB61F1702E696C20" + "3A126854" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + }, + { /* 2 */ { + "\x4a\x65\x66\x65" /* "Jefe" */ + }, { 4 }, { + "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74" + "\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f" + /* "what do ya want for nothing?" */ + }, { 28 }, { + /* HMAC-SHA-1 */ + "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79", + /* HMAC-SHA-224 */ + "A30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E6148008FD05E44", + /* HMAC-SHA-256 */ + "5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC" + "3843", + /* HMAC-SHA-384 */ + "AF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322" + "445E8E2240CA5E69E2C78B3239ECFAB21649", + /* HMAC-SHA-512 */ + "164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25" + "05549758BF75C05A994A6D034F65F8F0E6FDCAEAB1A34D4A6B4B636E070A" + "38BCE737" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + }, + { /* 3 */ + { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa" + }, { 20 }, { + + + +Eastlake 3rd & Hansen Informational [Page 87] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" + "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" + "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" + "\xdd\xdd\xdd\xdd\xdd" + }, { 50 }, { + /* HMAC-SHA-1 */ + "125D7342B9AC11CD91A39AF48AA17B4F63F175D3", + /* HMAC-SHA-224 */ + "7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69D1EC8333EA", + /* HMAC-SHA-256 */ + "773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5" + "65FE", + /* HMAC-SHA-384 */ + "88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9FEBE83EF4E55966" + "144B2A5AB39DC13814B94E3AB6E101A34F27", + /* HMAC-SHA-512 */ + "FA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A3655F83E33B227" + "9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859" + "E13292FB" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + }, + { /* 4 */ { + "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" + "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" + }, { 25 }, { + "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" + "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" + "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" + "\xcd\xcd\xcd\xcd\xcd" + }, { 50 }, { + /* HMAC-SHA-1 */ + "4C9007F4026250C6BC8414F9BF50C86C2D7235DA", + /* HMAC-SHA-224 */ + "6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC012DE7AFEC5A", + /* HMAC-SHA-256 */ + "82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8077A2E3FF46729" + "665B", + /* HMAC-SHA-384 */ + "3E8A69B7783C25851933AB6290AF6CA77A9981480850009CC5577C6E1F57" + "3B4E6801DD23C4A7D679CCF8A386C674CFFB", + /* HMAC-SHA-512 */ + "B0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B872DE76F8050361E" + "E3DBA91CA5C11AA25EB4D679275CC5788063A5F19741120C4F2DE2ADEBEB" + "10A298DD" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + }, + + + +Eastlake 3rd & Hansen Informational [Page 88] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + { /* 5 */ { + "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" + "\x0c\x0c\x0c\x0c\x0c" + }, { 20 }, { + "Test With Truncation" + }, { 20 }, { + /* HMAC-SHA-1 */ + "4C1A03424B55E07FE7F27BE1", + /* HMAC-SHA-224 */ + "0E2AEA68A90C8D37C988BCDB9FCA6FA8", + /* HMAC-SHA-256 */ + "A3B6167473100EE06E0C796C2955552B", + /* HMAC-SHA-384 */ + "3ABF34C3503B2A23A46EFC619BAEF897", + /* HMAC-SHA-512 */ + "415FAD6271580A531D4179BC891D87A6" + }, { 12, 16, 16, 16, 16 } + }, + { /* 6 */ { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + }, { 80, 131 }, { + "Test Using Larger Than Block-Size Key - Hash Key First" + }, { 54 }, { + /* HMAC-SHA-1 */ + "AA4AE5E15272D00E95705637CE8A3B55ED402112", + /* HMAC-SHA-224 */ + "95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7273FA6870E", + /* HMAC-SHA-256 */ + "60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5140546040F0EE3" + "7F54", + /* HMAC-SHA-384 */ + "4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B588F3CD11F05033A" + "C4C60C2EF6AB4030FE8296248DF163F44952", + /* HMAC-SHA-512 */ + "80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEEC1121B013783F8" + "F3526B56D037E05F2598BD0FD2215D6A1E5295E64F73F63F0AEC8B915A98" + "5D786598" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + }, + + + +Eastlake 3rd & Hansen Informational [Page 89] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + { /* 7 */ { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" + }, { 80, 131 }, { + "Test Using Larger Than Block-Size Key and " + "Larger Than One Block-Size Data", + "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20" + "\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20" + "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65" + "\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67" + "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73" + "\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b" + "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20" + "\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62" + "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68" + "\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68" + "\x6d\x2e" + /* "This is a test using a larger than block-size key and a " + "larger than block-size data. The key needs to be hashed " + "before being used by the HMAC algorithm." */ + }, { 73, 152 }, { + /* HMAC-SHA-1 */ + "E8E99D0F45237D786D6BBAA7965C7808BBFF1A91", + /* HMAC-SHA-224 */ + "3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1", + /* HMAC-SHA-256 */ + "9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713938A7F51535C3A" + "35E2", + /* HMAC-SHA-384 */ + "6617178E941F020D351E2F254E8FD32C602420FEB0B8FB9ADCCEBB82461E" + "99C5A678CC31E799176D3860E6110C46523E", + /* HMAC-SHA-512 */ + "E37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289865DF5A32D20CD" + "C944B6022CAC3C4982B10D5EEB55C3E4DE15134676FB6DE0446065C97440" + "FA8C6A58" + }, { SHA1HashSize, SHA224HashSize, SHA256HashSize, + SHA384HashSize, SHA512HashSize } + } +}; + +/* + + + +Eastlake 3rd & Hansen Informational [Page 90] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * Check the hash value against the expected string, expressed in hex + */ +static const char hexdigits[] = "0123456789ABCDEF"; +int checkmatch(const unsigned char *hashvalue, + const char *hexstr, int hashsize) +{ + int i; + for (i = 0; i < hashsize; ++i) { + if (*hexstr++ != hexdigits[(hashvalue[i] >> 4) & 0xF]) + return 0; + if (*hexstr++ != hexdigits[hashvalue[i] & 0xF]) return 0; + } + return 1; +} + +/* + * Print the string, converting non-printable characters to "." + */ +void printstr(const char *str, int len) +{ + for ( ; len-- > 0; str++) + putchar(isprint((unsigned char)*str) ? *str : '.'); +} + +/* + * Print the string, converting non-printable characters to hex "## ". + */ +void printxstr(const char *str, int len) +{ + for ( ; len-- > 0; str++) + printf("%c%c ", hexdigits[(*str >> 4) & 0xF], + hexdigits[*str & 0xF]); +} + +/* + * Print a usage message. + */ +void usage(const char *argv0) +{ + fprintf(stderr, + "Usage:\n" + "Common options: [-h hash] [-w|-x] [-H]\n" + "Standard tests:\n" + "\t%s [-m] [-l loopcount] [-t test#] [-e]\n" + "\t\t[-r randomseed] [-R randomloop-count] " + "[-p] [-P|-X]\n" + "Hash a string:\n" + "\t%s [-S expectedresult] -s hashstr [-k key]\n" + + + +Eastlake 3rd & Hansen Informational [Page 91] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + "Hash a file:\n" + "\t%s [-S expectedresult] -f file [-k key]\n" + "Hash a file, ignoring whitespace:\n" + "\t%s [-S expectedresult] -F file [-k key]\n" + "Additional bits to add in: [-B bitcount -b bits]\n" + "-h\thash to test: " + "0|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n" + "-m\tperform hmac test\n" + "-k\tkey for hmac test\n" + "-t\ttest case to run, 1-10\n" + "-l\thow many times to run the test\n" + "-e\ttest error returns\n" + "-p\tdo not print results\n" + "-P\tdo not print PASSED/FAILED\n" + "-X\tprint FAILED, but not PASSED\n" + "-r\tseed for random test\n" + "-R\thow many times to run random test\n" + "-s\tstring to hash\n" + "-S\texpected result of hashed string, in hex\n" + "-w\toutput hash in raw format\n" + "-x\toutput hash in hex format\n" + "-B\t# extra bits to add in after string or file input\n" + "-b\textra bits to add (high order bits of #, 0# or 0x#)\n" + "-H\tinput hashstr or randomseed is in hex\n" + , argv0, argv0, argv0, argv0); + exit(1); +} + +/* + * Print the results and PASS/FAIL. + */ +void printResult(uint8_t *Message_Digest, int hashsize, + const char *hashname, const char *testtype, const char *testname, + const char *resultarray, int printResults, int printPassFail) +{ + int i, k; + if (printResults == PRINTTEXT) { + putchar('\t'); + for (i = 0; i < hashsize ; ++i) { + putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); + putchar(hexdigits[Message_Digest[i] & 0xF]); + putchar(' '); + } + putchar('\n'); + } else if (printResults == PRINTRAW) { + fwrite(Message_Digest, 1, hashsize, stdout); + } else if (printResults == PRINTHEX) { + for (i = 0; i < hashsize ; ++i) { + + + +Eastlake 3rd & Hansen Informational [Page 92] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + putchar(hexdigits[(Message_Digest[i] >> 4) & 0xF]); + putchar(hexdigits[Message_Digest[i] & 0xF]); + } + putchar('\n'); + } + + if (printResults && resultarray) { + printf(" Should match:\n\t"); + for (i = 0, k = 0; i < hashsize; i++, k += 2) { + putchar(resultarray[k]); + putchar(resultarray[k+1]); + putchar(' '); + } + putchar('\n'); + } + + if (printPassFail && resultarray) { + int ret = checkmatch(Message_Digest, resultarray, hashsize); + if ((printPassFail == PRINTPASSFAIL) || !ret) + printf("%s %s %s: %s\n", hashname, testtype, testname, + ret ? "PASSED" : "FAILED"); + } +} + +/* + * Exercise a hash series of functions. The input is the testarray, + * repeated repeatcount times, followed by the extrabits. If the + * result is known, it is in resultarray in uppercase hex. + */ +int hash(int testno, int loopno, int hashno, + const char *testarray, int length, long repeatcount, + int numberExtrabits, int extrabits, const unsigned char *keyarray, + int keylen, const char *resultarray, int hashsize, int printResults, + int printPassFail) +{ + USHAContext sha; + HMACContext hmac; + int err, i; + uint8_t Message_Digest[USHAMaxHashSize]; + char buf[20]; + + if (printResults == PRINTTEXT) { + printf("\nTest %d: Iteration %d, Repeat %ld\n\t'", testno+1, + loopno, repeatcount); + printstr(testarray, length); + printf("'\n\t'"); + printxstr(testarray, length); + printf("'\n"); + + + +Eastlake 3rd & Hansen Informational [Page 93] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + printf(" Length=%d bytes (%d bits), ", length, length * 8); + printf("ExtraBits %d: %2.2x\n", numberExtrabits, extrabits); + } + + memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ + memset(&hmac, '\343', sizeof(hmac)); + err = keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, + keyarray, keylen) : + USHAReset(&sha, hashes[hashno].whichSha); + if (err != shaSuccess) { + fprintf(stderr, "hash(): %sReset Error %d.\n", + keyarray ? "hmac" : "sha", err); + return err; + } + + for (i = 0; i < repeatcount; ++i) { + err = keyarray ? hmacInput(&hmac, (const uint8_t *) testarray, + length) : + USHAInput(&sha, (const uint8_t *) testarray, + length); + if (err != shaSuccess) { + fprintf(stderr, "hash(): %sInput Error %d.\n", + keyarray ? "hmac" : "sha", err); + return err; + } + } + + if (numberExtrabits > 0) { + err = keyarray ? hmacFinalBits(&hmac, (uint8_t) extrabits, + numberExtrabits) : + USHAFinalBits(&sha, (uint8_t) extrabits, + numberExtrabits); + if (err != shaSuccess) { + fprintf(stderr, "hash(): %sFinalBits Error %d.\n", + keyarray ? "hmac" : "sha", err); + return err; + } + } + + err = keyarray ? hmacResult(&hmac, Message_Digest) : + USHAResult(&sha, Message_Digest); + if (err != shaSuccess) { + fprintf(stderr, "hash(): %s Result Error %d, could not " + "compute message digest.\n", keyarray ? "hmac" : "sha", err); + return err; + } + + sprintf(buf, "%d", testno+1); + + + +Eastlake 3rd & Hansen Informational [Page 94] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + printResult(Message_Digest, hashsize, hashes[hashno].name, + keyarray ? "hmac standard test" : "sha standard test", buf, + resultarray, printResults, printPassFail); + + return err; +} + +/* + * Exercise a hash series of functions. The input is a filename. + * If the result is known, it is in resultarray in uppercase hex. + */ +int hashfile(int hashno, const char *hashfilename, int bits, + int bitcount, int skipSpaces, const unsigned char *keyarray, + int keylen, const char *resultarray, int hashsize, + int printResults, int printPassFail) +{ + USHAContext sha; + HMACContext hmac; + int err, nread, c; + unsigned char buf[4096]; + uint8_t Message_Digest[USHAMaxHashSize]; + unsigned char cc; + FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin : + fopen(hashfilename, "r"); + + if (!hashfp) { + fprintf(stderr, "cannot open file '%s'\n", hashfilename); + return shaStateError; + } + + memset(&sha, '\343', sizeof(sha)); /* force bad data into struct */ + memset(&hmac, '\343', sizeof(hmac)); + err = keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, + keyarray, keylen) : + USHAReset(&sha, hashes[hashno].whichSha); + + if (err != shaSuccess) { + fprintf(stderr, "hashfile(): %sReset Error %d.\n", + keyarray ? "hmac" : "sha", err); + return err; + } + + if (skipSpaces) + while ((c = getc(hashfp)) != EOF) { + if (!isspace(c)) { + cc = (unsigned char)c; + err = keyarray ? hmacInput(&hmac, &cc, 1) : + USHAInput(&sha, &cc, 1); + + + +Eastlake 3rd & Hansen Informational [Page 95] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + if (err != shaSuccess) { + fprintf(stderr, "hashfile(): %sInput Error %d.\n", + keyarray ? "hmac" : "sha", err); + if (hashfp != stdin) fclose(hashfp); + return err; + } + } + } + else + while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) { + err = keyarray ? hmacInput(&hmac, buf, nread) : + USHAInput(&sha, buf, nread); + if (err != shaSuccess) { + fprintf(stderr, "hashfile(): %s Error %d.\n", + keyarray ? "hmacInput" : "shaInput", err); + if (hashfp != stdin) fclose(hashfp); + return err; + } + } + + if (bitcount > 0) + err = keyarray ? hmacFinalBits(&hmac, bits, bitcount) : + USHAFinalBits(&sha, bits, bitcount); + if (err != shaSuccess) { + fprintf(stderr, "hashfile(): %s Error %d.\n", + keyarray ? "hmacResult" : "shaResult", err); + if (hashfp != stdin) fclose(hashfp); + return err; + } + + err = keyarray ? hmacResult(&hmac, Message_Digest) : + USHAResult(&sha, Message_Digest); + if (err != shaSuccess) { + fprintf(stderr, "hashfile(): %s Error %d.\n", + keyarray ? "hmacResult" : "shaResult", err); + if (hashfp != stdin) fclose(hashfp); + return err; + } + + printResult(Message_Digest, hashsize, hashes[hashno].name, "file", + hashfilename, resultarray, printResults, printPassFail); + + if (hashfp != stdin) fclose(hashfp); + return err; +} + +/* + * Exercise a hash series of functions through multiple permutations. + + + +Eastlake 3rd & Hansen Informational [Page 96] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * The input is an initial seed. That seed is replicated 3 times. + * For 1000 rounds, the previous three results are used as the input. + * This result is then checked, and used to seed the next cycle. + * If the result is known, it is in resultarrays in uppercase hex. + */ +void randomtest(int hashno, const char *seed, int hashsize, + const char **resultarrays, int randomcount, + int printResults, int printPassFail) +{ + int i, j; char buf[20]; + unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize]; + + /* INPUT: Seed - A random seed n bits long */ + memcpy(SEED, seed, hashsize); + if (printResults == PRINTTEXT) { + printf("%s random test seed= '", hashes[hashno].name); + printxstr(seed, hashsize); + printf("'\n"); + } + + for (j = 0; j < randomcount; j++) { + /* MD0 = MD1 = MD2 = Seed; */ + memcpy(MD[0], SEED, hashsize); + memcpy(MD[1], SEED, hashsize); + memcpy(MD[2], SEED, hashsize); + for (i=3; i<1003; i++) { + /* Mi = MDi-3 || MDi-2 || MDi-1; */ + USHAContext Mi; + memset(&Mi, '\343', sizeof(Mi)); /* force bad data into struct */ + USHAReset(&Mi, hashes[hashno].whichSha); + USHAInput(&Mi, MD[i-3], hashsize); + USHAInput(&Mi, MD[i-2], hashsize); + USHAInput(&Mi, MD[i-1], hashsize); + /* MDi = SHA(Mi); */ + USHAResult(&Mi, MD[i]); + } + + /* MDj = Seed = MDi; */ + memcpy(SEED, MD[i-1], hashsize); + + /* OUTPUT: MDj */ + sprintf(buf, "%d", j); + printResult(SEED, hashsize, hashes[hashno].name, "random test", + buf, resultarrays ? resultarrays[j] : 0, printResults, + (j < RANDOMCOUNT) ? printPassFail : 0); + } +} + + + + +Eastlake 3rd & Hansen Informational [Page 97] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +/* + * Look up a hash name. + */ +int findhash(const char *argv0, const char *opt) +{ + int i; + const char *names[HASHCOUNT][2] = { + { "0", "sha1" }, { "1", "sha224" }, { "2", "sha256" }, + { "3", "sha384" }, { "4", "sha512" } + }; + + for (i = 0; i < HASHCOUNT; i++) + if ((strcmp(opt, names[i][0]) == 0) || + (scasecmp(opt, names[i][1]) == 0)) + return i; + + fprintf(stderr, "%s: Unknown hash name: '%s'\n", argv0, opt); + usage(argv0); + return 0; +} + +/* + * Run some tests that should invoke errors. + */ +void testErrors(int hashnolow, int hashnohigh, int printResults, + int printPassFail) +{ + USHAContext usha; + uint8_t Message_Digest[USHAMaxHashSize]; + int hashno, err; + + for (hashno = hashnolow; hashno <= hashnohigh; hashno++) { + memset(&usha, '\343', sizeof(usha)); /* force bad data */ + USHAReset(&usha, hashno); + USHAResult(&usha, Message_Digest); + err = USHAInput(&usha, (const unsigned char *)"foo", 3); + if (printResults == PRINTTEXT) + printf ("\nError %d. Should be %d.\n", err, shaStateError); + if ((printPassFail == PRINTPASSFAIL) || + ((printPassFail == PRINTFAIL) && (err != shaStateError))) + printf("%s se: %s\n", hashes[hashno].name, + (err == shaStateError) ? "PASSED" : "FAILED"); + + err = USHAFinalBits(&usha, 0x80, 3); + if (printResults == PRINTTEXT) + printf ("\nError %d. Should be %d.\n", err, shaStateError); + if ((printPassFail == PRINTPASSFAIL) || + ((printPassFail == PRINTFAIL) && (err != shaStateError))) + + + +Eastlake 3rd & Hansen Informational [Page 98] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + printf("%s se: %s\n", hashes[hashno].name, + (err == shaStateError) ? "PASSED" : "FAILED"); + + err = USHAReset(0, hashes[hashno].whichSha); + if (printResults == PRINTTEXT) + printf("\nError %d. Should be %d.\n", err, shaNull); + if ((printPassFail == PRINTPASSFAIL) || + ((printPassFail == PRINTFAIL) && (err != shaNull))) + printf("%s usha null: %s\n", hashes[hashno].name, + (err == shaNull) ? "PASSED" : "FAILED"); + + switch (hashno) { + case SHA1: err = SHA1Reset(0); break; + case SHA224: err = SHA224Reset(0); break; + case SHA256: err = SHA256Reset(0); break; + case SHA384: err = SHA384Reset(0); break; + case SHA512: err = SHA512Reset(0); break; + } + if (printResults == PRINTTEXT) + printf("\nError %d. Should be %d.\n", err, shaNull); + if ((printPassFail == PRINTPASSFAIL) || + ((printPassFail == PRINTFAIL) && (err != shaNull))) + printf("%s sha null: %s\n", hashes[hashno].name, + (err == shaNull) ? "PASSED" : "FAILED"); + } +} + +/* replace a hex string in place with its value */ +int unhexStr(char *hexstr) +{ + char *o = hexstr; + int len = 0, nibble1 = 0, nibble2 = 0; + if (!hexstr) return 0; + for ( ; *hexstr; hexstr++) { + if (isalpha((int)(unsigned char)(*hexstr))) { + nibble1 = tolower(*hexstr) - 'a' + 10; + } else if (isdigit((int)(unsigned char)(*hexstr))) { + nibble1 = *hexstr - '0'; + } else { + printf("\nError: bad hex character '%c'\n", *hexstr); + } + if (!*++hexstr) break; + if (isalpha((int)(unsigned char)(*hexstr))) { + nibble2 = tolower(*hexstr) - 'a' + 10; + } else if (isdigit((int)(unsigned char)(*hexstr))) { + nibble2 = *hexstr - '0'; + } else { + printf("\nError: bad hex character '%c'\n", *hexstr); + + + +Eastlake 3rd & Hansen Informational [Page 99] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + } + *o++ = (char)((nibble1 << 4) | nibble2); + len++; + } + return len; +} + +int main(int argc, char **argv) +{ + int i, err; + int loopno, loopnohigh = 1; + int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1; + int testno, testnolow = 0, testnohigh; + int ntestnohigh = 0; + int printResults = PRINTTEXT; + int printPassFail = 1; + int checkErrors = 0; + char *hashstr = 0; + int hashlen = 0; + const char *resultstr = 0; + char *randomseedstr = 0; + int runHmacTests = 0; + char *hmacKey = 0; + int hmaclen = 0; + int randomcount = RANDOMCOUNT; + const char *hashfilename = 0; + const char *hashFilename = 0; + int extrabits = 0, numberExtrabits = 0; + int strIsHex = 0; + + while ((i = xgetopt(argc, argv, "b:B:ef:F:h:Hk:l:mpPr:R:s:S:t:wxX")) + != -1) + switch (i) { + case 'b': extrabits = strtol(xoptarg, 0, 0); break; + case 'B': numberExtrabits = atoi(xoptarg); break; + case 'e': checkErrors = 1; break; + case 'f': hashfilename = xoptarg; break; + case 'F': hashFilename = xoptarg; break; + case 'h': hashnolow = hashnohigh = findhash(argv[0], xoptarg); + break; + case 'H': strIsHex = 1; break; + case 'k': hmacKey = xoptarg; hmaclen = strlen(xoptarg); break; + case 'l': loopnohigh = atoi(xoptarg); break; + case 'm': runHmacTests = 1; break; + case 'P': printPassFail = 0; break; + case 'p': printResults = PRINTNONE; break; + case 'R': randomcount = atoi(xoptarg); break; + case 'r': randomseedstr = xoptarg; break; + + + +Eastlake 3rd & Hansen Informational [Page 100] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + case 's': hashstr = xoptarg; hashlen = strlen(hashstr); break; + case 'S': resultstr = xoptarg; break; + case 't': testnolow = ntestnohigh = atoi(xoptarg) - 1; break; + case 'w': printResults = PRINTRAW; break; + case 'x': printResults = PRINTHEX; break; + case 'X': printPassFail = 2; break; + default: usage(argv[0]); + } + + if (strIsHex) { + hashlen = unhexStr(hashstr); + unhexStr(randomseedstr); + hmaclen = unhexStr(hmacKey); + } + testnohigh = (ntestnohigh != 0) ? ntestnohigh: + runHmacTests ? (HMACTESTCOUNT-1) : (TESTCOUNT-1); + if ((testnolow < 0) || + (testnohigh >= (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) || + (hashnolow < 0) || (hashnohigh >= HASHCOUNT) || + (hashstr && (testnolow == testnohigh)) || + (randomcount < 0) || + (resultstr && (!hashstr && !hashfilename && !hashFilename)) || + ((runHmacTests || hmacKey) && randomseedstr) || + (hashfilename && hashFilename)) + usage(argv[0]); + + /* + * Perform SHA/HMAC tests + */ + for (hashno = hashnolow; hashno <= hashnohigh; ++hashno) { + if (printResults == PRINTTEXT) + printf("Hash %s\n", hashes[hashno].name); + err = shaSuccess; + + for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess); + ++loopno) { + if (hashstr) + err = hash(0, loopno, hashno, hashstr, hashlen, 1, + numberExtrabits, extrabits, (const unsigned char *)hmacKey, + hmaclen, resultstr, hashes[hashno].hashsize, printResults, + printPassFail); + + else if (randomseedstr) + randomtest(hashno, randomseedstr, hashes[hashno].hashsize, 0, + randomcount, printResults, printPassFail); + + else if (hashfilename) + err = hashfile(hashno, hashfilename, extrabits, + + + +Eastlake 3rd & Hansen Informational [Page 101] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + numberExtrabits, 0, + (const unsigned char *)hmacKey, hmaclen, + resultstr, hashes[hashno].hashsize, + printResults, printPassFail); + + else if (hashFilename) + err = hashfile(hashno, hashFilename, extrabits, + numberExtrabits, 1, + (const unsigned char *)hmacKey, hmaclen, + resultstr, hashes[hashno].hashsize, + printResults, printPassFail); + + else /* standard tests */ { + for (testno = testnolow; + (testno <= testnohigh) && (err == shaSuccess); ++testno) { + if (runHmacTests) { + err = hash(testno, loopno, hashno, + hmachashes[testno].dataarray[hashno] ? + hmachashes[testno].dataarray[hashno] : + hmachashes[testno].dataarray[1] ? + hmachashes[testno].dataarray[1] : + hmachashes[testno].dataarray[0], + hmachashes[testno].datalength[hashno] ? + hmachashes[testno].datalength[hashno] : + hmachashes[testno].datalength[1] ? + hmachashes[testno].datalength[1] : + hmachashes[testno].datalength[0], + 1, 0, 0, + (const unsigned char *)( + hmachashes[testno].keyarray[hashno] ? + hmachashes[testno].keyarray[hashno] : + hmachashes[testno].keyarray[1] ? + hmachashes[testno].keyarray[1] : + hmachashes[testno].keyarray[0]), + hmachashes[testno].keylength[hashno] ? + hmachashes[testno].keylength[hashno] : + hmachashes[testno].keylength[1] ? + hmachashes[testno].keylength[1] : + hmachashes[testno].keylength[0], + hmachashes[testno].resultarray[hashno], + hmachashes[testno].resultlength[hashno], + printResults, printPassFail); + } else { + err = hash(testno, loopno, hashno, + hashes[hashno].tests[testno].testarray, + hashes[hashno].tests[testno].length, + hashes[hashno].tests[testno].repeatcount, + hashes[hashno].tests[testno].numberExtrabits, + + + +Eastlake 3rd & Hansen Informational [Page 102] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + hashes[hashno].tests[testno].extrabits, 0, 0, + hashes[hashno].tests[testno].resultarray, + hashes[hashno].hashsize, + printResults, printPassFail); + } + } + + if (!runHmacTests) { + randomtest(hashno, hashes[hashno].randomtest, + hashes[hashno].hashsize, hashes[hashno].randomresults, + RANDOMCOUNT, printResults, printPassFail); + } + } + } + } + + /* Test some error returns */ + if (checkErrors) { + testErrors(hashnolow, hashnohigh, printResults, printPassFail); + } + + return 0; +} + +/* + * Compare two strings, case independently. + * Equivalent to strcasecmp() found on some systems. + */ +int scasecmp(const char *s1, const char *s2) +{ + for (;;) { + char u1 = tolower(*s1++); + char u2 = tolower(*s2++); + if (u1 != u2) + return u1 - u2; + if (u1 == '\0') + return 0; + } +} + +/* + * This is a copy of getopt provided for those systems that do not + * have it. The name was changed to xgetopt to not conflict on those + * systems that do have it. Similarly, optarg, optind and opterr + * were renamed to xoptarg, xoptind and xopterr. + * + * Copyright 1990, 1991, 1992 by the Massachusetts Institute of + * Technology and UniSoft Group Limited. + + + +Eastlake 3rd & Hansen Informational [Page 103] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + * + * Permission to use, copy, modify, distribute, and sell this software + * and its documentation for any purpose is hereby granted without fee, + * provided that the above copyright notice appear in all copies and + * that both that copyright notice and this permission notice appear in + * supporting documentation, and that the names of MIT and UniSoft not + * be used in advertising or publicity pertaining to distribution of + * the software without specific, written prior permission. MIT and + * UniSoft make no representations about the suitability of this + * software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * $XConsortium: getopt.c,v 1.2 92/07/01 11:59:04 rws Exp $ + * NB: Reformatted to match above style. + */ + +char *xoptarg; +int xoptind = 1; +int xopterr = 1; + +static int xgetopt(int argc, char **argv, const char *optstring) +{ + static int avplace; + char *ap; + char *cp; + int c; + + if (xoptind >= argc) + return EOF; + + ap = argv[xoptind] + avplace; + + /* At beginning of arg but not an option */ + if (avplace == 0) { + if (ap[0] != '-') + return EOF; + else if (ap[1] == '-') { + /* Special end of options option */ + xoptind++; + return EOF; + } else if (ap[1] == '\0') + return EOF; /* single '-' is not allowed */ + } + + /* Get next letter */ + avplace++; + c = *++ap; + + + + +Eastlake 3rd & Hansen Informational [Page 104] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + + cp = strchr(optstring, c); + if (cp == NULL || c == ':') { + if (xopterr) + fprintf(stderr, "Unrecognised option -- %c\n", c); + return '?'; + } + + if (cp[1] == ':') { + /* There should be an option arg */ + avplace = 0; + if (ap[1] == '\0') { + /* It is a separate arg */ + if (++xoptind >= argc) { + if (xopterr) + fprintf(stderr, "Option requires an argument\n"); + return '?'; + } + xoptarg = argv[xoptind++]; + } else { + /* is attached to option letter */ + xoptarg = ap + 1; + ++xoptind; + } + } else { + /* If we are out of letters then go to next arg */ + if (ap[1] == '\0') { + ++xoptind; + avplace = 0; + } + + xoptarg = NULL; + } + return c; +} + + + + + + + + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 105] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +9. Security Considerations + + This document is intended to provides the Internet community + convenient access to source code that implements the United States of + America Federal Information Processing Standard Secure Hash + Algorithms (SHAs) [FIPS180-2] and HMACs based upon these one-way hash + functions. See license in Section 1.1. No independent assertion of + the security of this hash function by the authors for any particular + use is intended. + +10. Normative References + + [FIPS180-2] "Secure Hash Standard", United States of America, + National Institute of Standards and Technology, Federal + Information Processing Standard (FIPS) 180-2, + http://csrc.nist.gov/publications/fips/fips180-2/ + fips180-2withchangenotice.pdf. + + [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- + Hashing for Message Authentication", RFC 2104, February + 1997. + +11. Informative References + + [RFC2202] Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and + HMAC-SHA-1", RFC 2202, September 1997. + + [RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm + 1 (SHA1)", RFC 3174, September 2001. + + [RFC3874] Housley, R., "A 224-bit One-way Hash Function: SHA-224", + RFC 3874, September 2004. + + [RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, + "Randomness Requirements for Security", BCP 106, RFC + 4086, June 2005. + + [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- + 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", RFC + 4231, December 2005. + + [SHAVS] "The Secure Hash Algorithm Validation System (SHAVS)", + http://csrc.nist.gov/cryptval/shs/SHAVS.pdf. + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 106] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +Authors' Addresses + + Donald E. Eastlake, 3rd + Motorola Laboratories + 155 Beaver Street + Milford, MA 01757 USA + + Phone: +1-508-786-7554 (w) + EMail: donald.eastlake@motorola.com + + + Tony Hansen + AT&T Laboratories + 200 Laurel Ave. + Middletown, NJ 07748 USA + + Phone: +1-732-420-8934 (w) + EMail: tony+shs@maillennium.att.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Eastlake 3rd & Hansen Informational [Page 107] + +RFC 4634 SHAs and HMAC-SHAs July 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Eastlake 3rd & Hansen Informational [Page 108] + diff --git a/doc/rfc/rfc4641.txt b/doc/rfc/rfc4641.txt new file mode 100644 index 0000000000000..0a013bcba5a8e --- /dev/null +++ b/doc/rfc/rfc4641.txt @@ -0,0 +1,1963 @@ + + + + + + +Network Working Group O. Kolkman +Request for Comments: 4641 R. Gieben +Obsoletes: 2541 NLnet Labs +Category: Informational September 2006 + + + DNSSEC Operational Practices + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2006). + +Abstract + + This document describes a set of practices for operating the DNS with + security extensions (DNSSEC). The target audience is zone + administrators deploying DNSSEC. + + The document discusses operational aspects of using keys and + signatures in the DNS. It discusses issues of key generation, key + storage, signature generation, key rollover, and related policies. + + This document obsoletes RFC 2541, as it covers more operational + ground and gives more up-to-date requirements with respect to key + sizes and the new DNSSEC specification. + + + + + + + + + + + + + + + + + + + + +Kolkman & Gieben Informational [Page 1] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. The Use of the Term 'key' ..................................4 + 1.2. Time Definitions ...........................................4 + 2. Keeping the Chain of Trust Intact ...............................5 + 3. Keys Generation and Storage .....................................6 + 3.1. Zone and Key Signing Keys ..................................6 + 3.1.1. Motivations for the KSK and ZSK Separation ..........6 + 3.1.2. KSKs for High-Level Zones ...........................7 + 3.2. Key Generation .............................................8 + 3.3. Key Effectivity Period .....................................8 + 3.4. Key Algorithm ..............................................9 + 3.5. Key Sizes ..................................................9 + 3.6. Private Key Storage .......................................11 + 4. Signature Generation, Key Rollover, and Related Policies .......12 + 4.1. Time in DNSSEC ............................................12 + 4.1.1. Time Considerations ................................12 + 4.2. Key Rollovers .............................................14 + 4.2.1. Zone Signing Key Rollovers .........................14 + 4.2.1.1. Pre-Publish Key Rollover ..................15 + 4.2.1.2. Double Signature Zone Signing Key + Rollover ..................................17 + 4.2.1.3. Pros and Cons of the Schemes ..............18 + 4.2.2. Key Signing Key Rollovers ..........................18 + 4.2.3. Difference Between ZSK and KSK Rollovers ...........20 + 4.2.4. Automated Key Rollovers ............................21 + 4.3. Planning for Emergency Key Rollover .......................21 + 4.3.1. KSK Compromise .....................................22 + 4.3.1.1. Keeping the Chain of Trust Intact .........22 + 4.3.1.2. Breaking the Chain of Trust ...............23 + 4.3.2. ZSK Compromise .....................................23 + 4.3.3. Compromises of Keys Anchored in Resolvers ..........24 + 4.4. Parental Policies .........................................24 + 4.4.1. Initial Key Exchanges and Parental Policies + Considerations .....................................24 + 4.4.2. Storing Keys or Hashes? ............................25 + 4.4.3. Security Lameness ..................................25 + 4.4.4. DS Signature Validity Period .......................26 + 5. Security Considerations ........................................26 + 6. Acknowledgments ................................................26 + 7. References .....................................................27 + 7.1. Normative References ......................................27 + 7.2. Informative References ....................................28 + Appendix A. Terminology ...........................................30 + Appendix B. Zone Signing Key Rollover How-To ......................31 + Appendix C. Typographic Conventions ...............................32 + + + + +Kolkman & Gieben Informational [Page 2] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +1. Introduction + + This document describes how to run a DNS Security (DNSSEC)-enabled + environment. It is intended for operators who have knowledge of the + DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC. + See RFC 4033 [4] for an introduction to DNSSEC, RFC 4034 [5] for the + newly introduced Resource Records (RRs), and RFC 4035 [6] for the + protocol changes. + + During workshops and early operational deployment tests, operators + and system administrators have gained experience about operating the + DNS with security extensions (DNSSEC). This document translates + these experiences into a set of practices for zone administrators. + At the time of writing, there exists very little experience with + DNSSEC in production environments; this document should therefore + explicitly not be seen as representing 'Best Current Practices'. + + The procedures herein are focused on the maintenance of signed zones + (i.e., signing and publishing zones on authoritative servers). It is + intended that maintenance of zones such as re-signing or key + rollovers be transparent to any verifying clients on the Internet. + + The structure of this document is as follows. In Section 2, we + discuss the importance of keeping the "chain of trust" intact. + Aspects of key generation and storage of private keys are discussed + in Section 3; the focus in this section is mainly on the private part + of the key(s). Section 4 describes considerations concerning the + public part of the keys. Since these public keys appear in the DNS + one has to take into account all kinds of timing issues, which are + discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the + rollover, or supercession, of keys. Finally, Section 4.4 discusses + considerations on how parents deal with their children's public keys + in order to maintain chains of trust. + + The typographic conventions used in this document are explained in + Appendix C. + + Since this is a document with operational suggestions and there are + no protocol specifications, the RFC 2119 [7] language does not apply. + + This document obsoletes RFC 2541 [12] to reflect the evolution of the + underlying DNSSEC protocol since then. Changes in the choice of + cryptographic algorithms, DNS record types and type names, and the + parent-child key and signature exchange demanded a major rewrite and + additional information and explanation. + + + + + + +Kolkman & Gieben Informational [Page 3] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +1.1. The Use of the Term 'key' + + It is assumed that the reader is familiar with the concept of + asymmetric keys on which DNSSEC is based (public key cryptography + [17]). Therefore, this document will use the term 'key' rather + loosely. Where it is written that 'a key is used to sign data' it is + assumed that the reader understands that it is the private part of + the key pair that is used for signing. It is also assumed that the + reader understands that the public part of the key pair is published + in the DNSKEY Resource Record and that it is the public part that is + used in key exchanges. + +1.2. Time Definitions + + In this document, we will be using a number of time-related terms. + The following definitions apply: + + o "Signature validity period" The period that a signature is valid. + It starts at the time specified in the signature inception field + of the RRSIG RR and ends at the time specified in the expiration + field of the RRSIG RR. + + o "Signature publication period" Time after which a signature (made + with a specific key) is replaced with a new signature (made with + the same key). This replacement takes place by publishing the + relevant RRSIG in the master zone file. After one stops + publishing an RRSIG in a zone, it may take a while before the + RRSIG has expired from caches and has actually been removed from + the DNS. + + o "Key effectivity period" The period during which a key pair is + expected to be effective. This period is defined as the time + between the first inception time stamp and the last expiration + date of any signature made with this key, regardless of any + discontinuity in the use of the key. The key effectivity period + can span multiple signature validity periods. + + o "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum + value of the TTLs from the complete set of RRs in a zone. Note + that the minimum TTL is not the same as the MINIMUM field in the + SOA RR. See [11] for more information. + + + + + + + + + + +Kolkman & Gieben Informational [Page 4] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +2. Keeping the Chain of Trust Intact + + Maintaining a valid chain of trust is important because broken chains + of trust will result in data being marked as Bogus (as defined in [4] + Section 5), which may cause entire (sub)domains to become invisible + to verifying clients. The administrators of secured zones have to + realize that their zone is, to verifying clients, part of a chain of + trust. + + As mentioned in the introduction, the procedures herein are intended + to ensure that maintenance of zones, such as re-signing or key + rollovers, will be transparent to the verifying clients on the + Internet. + + Administrators of secured zones will have to keep in mind that data + published on an authoritative primary server will not be immediately + seen by verifying clients; it may take some time for the data to be + transferred to other secondary authoritative nameservers and clients + may be fetching data from caching non-authoritative servers. In this + light, note that the time for a zone transfer from master to slave is + negligible when using NOTIFY [9] and incremental transfer (IXFR) [8]. + It increases when full zone transfers (AXFR) are used in combination + with NOTIFY. It increases even more if you rely on full zone + transfers based on only the SOA timing parameters for refresh. + + For the verifying clients, it is important that data from secured + zones can be used to build chains of trust regardless of whether the + data came directly from an authoritative server, a caching + nameserver, or some middle box. Only by carefully using the + available timing parameters can a zone administrator ensure that the + data necessary for verification can be obtained. + + The responsibility for maintaining the chain of trust is shared by + administrators of secured zones in the chain of trust. This is most + obvious in the case of a 'key compromise' when a trade-off between + maintaining a valid chain of trust and replacing the compromised keys + as soon as possible must be made. Then zone administrators will have + to make a trade-off, between keeping the chain of trust intact -- + thereby allowing for attacks with the compromised key -- or + deliberately breaking the chain of trust and making secured + subdomains invisible to security-aware resolvers. Also see Section + 4.3. + + + + + + + + + +Kolkman & Gieben Informational [Page 5] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +3. Keys Generation and Storage + + This section describes a number of considerations with respect to the + security of keys. It deals with the generation, effectivity period, + size, and storage of private keys. + +3.1. Zone and Key Signing Keys + + The DNSSEC validation protocol does not distinguish between different + types of DNSKEYs. All DNSKEYs can be used during the validation. In + practice, operators use Key Signing and Zone Signing Keys and use the + so-called Secure Entry Point (SEP) [3] flag to distinguish between + them during operations. The dynamics and considerations are + discussed below. + + To make zone re-signing and key rollover procedures easier to + implement, it is possible to use one or more keys as Key Signing Keys + (KSKs). These keys will only sign the apex DNSKEY RRSet in a zone. + Other keys can be used to sign all the RRSets in a zone and are + referred to as Zone Signing Keys (ZSKs). In this document, we assume + that KSKs are the subset of keys that are used for key exchanges with + the parent and potentially for configuration as trusted anchors -- + the SEP keys. In this document, we assume a one-to-one mapping + between KSK and SEP keys and we assume the SEP flag to be set on all + KSKs. + +3.1.1. Motivations for the KSK and ZSK Separation + + Differentiating between the KSK and ZSK functions has several + advantages: + + o No parent/child interaction is required when ZSKs are updated. + + o The KSK can be made stronger (i.e., using more bits in the key + material). This has little operational impact since it is only + used to sign a small fraction of the zone data. Also, the KSK is + only used to verify the zone's key set, not for other RRSets in + the zone. + + o As the KSK is only used to sign a key set, which is most probably + updated less frequently than other data in the zone, it can be + stored separately from and in a safer location than the ZSK. + + o A KSK can have a longer key effectivity period. + + For almost any method of key management and zone signing, the KSK is + used less frequently than the ZSK. Once a key set is signed with the + KSK, all the keys in the key set can be used as ZSKs. If a ZSK is + + + +Kolkman & Gieben Informational [Page 6] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + compromised, it can be simply dropped from the key set. The new key + set is then re-signed with the KSK. + + Given the assumption that for KSKs the SEP flag is set, the KSK can + be distinguished from a ZSK by examining the flag field in the DNSKEY + RR. If the flag field is an odd number it is a KSK. If it is an + even number it is a ZSK. + + The Zone Signing Key can be used to sign all the data in a zone on a + regular basis. When a Zone Signing Key is to be rolled, no + interaction with the parent is needed. This allows for signature + validity periods on the order of days. + + The Key Signing Key is only to be used to sign the DNSKEY RRs in a + zone. If a Key Signing Key is to be rolled over, there will be + interactions with parties other than the zone administrator. These + can include the registry of the parent zone or administrators of + verifying resolvers that have the particular key configured as secure + entry points. Hence, the key effectivity period of these keys can + and should be made much longer. Although, given a long enough key, + the key effectivity period can be on the order of years, we suggest + planning for a key effectivity on the order of a few months so that a + key rollover remains an operational routine. + +3.1.2. KSKs for High-Level Zones + + Higher-level zones are generally more sensitive than lower-level + zones. Anyone controlling or breaking the security of a zone thereby + obtains authority over all of its subdomains (except in the case of + resolvers that have locally configured the public key of a subdomain, + in which case this, and only this, subdomain wouldn't be affected by + the compromise of the parent zone). Therefore, extra care should be + taken with high-level zones, and strong keys should be used. + + The root zone is the most critical of all zones. Someone controlling + or compromising the security of the root zone would control the + entire DNS namespace of all resolvers using that root zone (except in + the case of resolvers that have locally configured the public key of + a subdomain). Therefore, the utmost care must be taken in the + securing of the root zone. The strongest and most carefully handled + keys should be used. The root zone private key should always be kept + off-line. + + Many resolvers will start at a root server for their access to and + authentication of DNS data. Securely updating the trust anchors in + an enormous population of resolvers around the world will be + extremely difficult. + + + + +Kolkman & Gieben Informational [Page 7] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +3.2. Key Generation + + Careful generation of all keys is a sometimes overlooked but + absolutely essential element in any cryptographically secure system. + The strongest algorithms used with the longest keys are still of no + use if an adversary can guess enough to lower the size of the likely + key space so that it can be exhaustively searched. Technical + suggestions for the generation of random keys will be found in RFC + 4086 [14]. One should carefully assess if the random number + generator used during key generation adheres to these suggestions. + + Keys with a long effectivity period are particularly sensitive as + they will represent a more valuable target and be subject to attack + for a longer time than short-period keys. It is strongly recommended + that long-term key generation occur off-line in a manner isolated + from the network via an air gap or, at a minimum, high-level secure + hardware. + +3.3. Key Effectivity Period + + For various reasons, keys in DNSSEC need to be changed once in a + while. The longer a key is in use, the greater the probability that + it will have been compromised through carelessness, accident, + espionage, or cryptanalysis. Furthermore, when key rollovers are too + rare an event, they will not become part of the operational habit and + there is risk that nobody on-site will remember the procedure for + rollover when the need is there. + + From a purely operational perspective, a reasonable key effectivity + period for Key Signing Keys is 13 months, with the intent to replace + them after 12 months. An intended key effectivity period of a month + is reasonable for Zone Signing Keys. + + For key sizes that match these effectivity periods, see Section 3.5. + + As argued in Section 3.1.2, securely updating trust anchors will be + extremely difficult. On the other hand, the "operational habit" + argument does also apply to trust anchor reconfiguration. If a short + key effectivity period is used and the trust anchor configuration has + to be revisited on a regular basis, the odds that the configuration + tends to be forgotten is smaller. The trade-off is against a system + that is so dynamic that administrators of the validating clients will + not be able to follow the modifications. + + Key effectivity periods can be made very short, as in a few minutes. + But when replacing keys one has to take the considerations from + Section 4.1 and Section 4.2 into account. + + + + +Kolkman & Gieben Informational [Page 8] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +3.4. Key Algorithm + + There are currently three different types of algorithms that can be + used in DNSSEC: RSA, DSA, and elliptic curve cryptography. The + latter is fairly new and has yet to be standardized for usage in + DNSSEC. + + RSA has been developed in an open and transparent manner. As the + patent on RSA expired in 2000, its use is now also free. + + DSA has been developed by the National Institute of Standards and + Technology (NIST). The creation of signatures takes roughly the same + time as with RSA, but is 10 to 40 times as slow for verification + [17]. + + We suggest the use of RSA/SHA-1 as the preferred algorithm for the + key. The current known attacks on RSA can be defeated by making your + key longer. As the MD5 hashing algorithm is showing cracks, we + recommend the usage of SHA-1. + + At the time of publication, it is known that the SHA-1 hash has + cryptanalysis issues. There is work in progress on addressing these + issues. We recommend the use of public key algorithms based on + hashes stronger than SHA-1 (e.g., SHA-256), as soon as these + algorithms are available in protocol specifications (see [19] and + [20]) and implementations. + +3.5. Key Sizes + + When choosing key sizes, zone administrators will need to take into + account how long a key will be used, how much data will be signed + during the key publication period (see Section 8.10 of [17]), and, + optionally, how large the key size of the parent is. As the chain of + trust really is "a chain", there is not much sense in making one of + the keys in the chain several times larger then the others. As + always, it's the weakest link that defines the strength of the entire + chain. Also see Section 3.1.1 for a discussion of how keys serving + different roles (ZSK vs. KSK) may need different key sizes. + + Generating a key of the correct size is a difficult problem; RFC 3766 + [13] tries to deal with that problem. The first part of the + selection procedure in Section 1 of the RFC states: + + 1. Determine the attack resistance necessary to satisfy the + security requirements of the application. Do this by + estimating the minimum number of computer operations that the + attacker will be forced to do in order to compromise the + + + + +Kolkman & Gieben Informational [Page 9] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + security of the system and then take the logarithm base two of + that number. Call that logarithm value "n". + + A 1996 report recommended 90 bits as a good all-around choice + for system security. The 90 bit number should be increased by + about 2/3 bit/year, or about 96 bits in 2005. + + [13] goes on to explain how this number "n" can be used to calculate + the key sizes in public key cryptography. This culminated in the + table given below (slightly modified for our purpose): + + +-------------+-----------+--------------+ + | System | | | + | requirement | Symmetric | RSA or DSA | + | for attack | key size | modulus size | + | resistance | (bits) | (bits) | + | (bits) | | | + +-------------+-----------+--------------+ + | 70 | 70 | 947 | + | 80 | 80 | 1228 | + | 90 | 90 | 1553 | + | 100 | 100 | 1926 | + | 150 | 150 | 4575 | + | 200 | 200 | 8719 | + | 250 | 250 | 14596 | + +-------------+-----------+--------------+ + + The key sizes given are rather large. This is because these keys are + resilient against a trillionaire attacker. Assuming this rich + attacker will not attack your key and that the key is rolled over + once a year, we come to the following recommendations about KSK + sizes: 1024 bits for low-value domains, 1300 bits for medium-value + domains, and 2048 bits for high-value domains. + + Whether a domain is of low, medium, or high value depends solely on + the views of the zone owner. One could, for instance, view leaf + nodes in the DNS as of low value, and top-level domains (TLDs) or the + root zone of high value. The suggested key sizes should be safe for + the next 5 years. + + As ZSKs can be rolled over more easily (and thus more often), the key + sizes can be made smaller. But as said in the introduction of this + paragraph, making the ZSKs' key sizes too small (in relation to the + KSKs' sizes) doesn't make much sense. Try to limit the difference in + size to about 100 bits. + + + + + + +Kolkman & Gieben Informational [Page 10] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + Note that nobody can see into the future and that these key sizes are + only provided here as a guide. Further information can be found in + [16] and Section 7.5 of [17]. It should be noted though that [16] is + already considered overly optimistic about what key sizes are + considered safe. + + One final note concerning key sizes. Larger keys will increase the + sizes of the RRSIG and DNSKEY records and will therefore increase the + chance of DNS UDP packet overflow. Also, the time it takes to + validate and create RRSIGs increases with larger keys, so don't + needlessly double your key sizes. + +3.6. Private Key Storage + + It is recommended that, where possible, zone private keys and the + zone file master copy that is to be signed be kept and used in off- + line, non-network-connected, physically secure machines only. + Periodically, an application can be run to add authentication to a + zone by adding RRSIG and NSEC RRs. Then the augmented file can be + transferred. + + When relying on dynamic update to manage a signed zone [10], be aware + that at least one private key of the zone will have to reside on the + master server. This key is only as secure as the amount of exposure + the server receives to unknown clients and the security of the host. + Although not mandatory, one could administer the DNS in the following + way. The master that processes the dynamic updates is unavailable + from generic hosts on the Internet, it is not listed in the NS RR + set, although its name appears in the SOA RRs MNAME field. The + nameservers in the NS RRSet are able to receive zone updates through + NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism. This + approach is known as the "hidden master" setup. + + The ideal situation is to have a one-way information flow to the + network to avoid the possibility of tampering from the network. + Keeping the zone master file on-line on the network and simply + cycling it through an off-line signer does not do this. The on-line + version could still be tampered with if the host it resides on is + compromised. For maximum security, the master copy of the zone file + should be off-net and should not be updated based on an unsecured + network mediated communication. + + In general, keeping a zone file off-line will not be practical and + the machines on which zone files are maintained will be connected to + a network. Operators are advised to take security measures to shield + unauthorized access to the master copy. + + + + + +Kolkman & Gieben Informational [Page 11] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + For dynamically updated secured zones [10], both the master copy and + the private key that is used to update signatures on updated RRs will + need to be on-line. + +4. Signature Generation, Key Rollover, and Related Policies + +4.1. Time in DNSSEC + + Without DNSSEC, all times in the DNS are relative. The SOA fields + REFRESH, RETRY, and EXPIRATION are timers used to determine the time + elapsed after a slave server synchronized with a master server. The + Time to Live (TTL) value and the SOA RR minimum TTL parameter [11] + are used to determine how long a forwarder should cache data after it + has been fetched from an authoritative server. By using a signature + validity period, DNSSEC introduces the notion of an absolute time in + the DNS. Signatures in DNSSEC have an expiration date after which + the signature is marked as invalid and the signed data is to be + considered Bogus. + +4.1.1. Time Considerations + + Because of the expiration of signatures, one should consider the + following: + + o We suggest the Maximum Zone TTL of your zone data to be a fraction + of your signature validity period. + + If the TTL would be of similar order as the signature validity + period, then all RRSets fetched during the validity period + would be cached until the signature expiration time. Section + 7.1 of [4] suggests that "the resolver may use the time + remaining before expiration of the signature validity period of + a signed RRSet as an upper bound for the TTL". As a result, + query load on authoritative servers would peak at signature + expiration time, as this is also the time at which records + simultaneously expire from caches. + + To avoid query load peaks, we suggest the TTL on all the RRs in + your zone to be at least a few times smaller than your + signature validity period. + + o We suggest the signature publication period to end at least one + Maximum Zone TTL duration before the end of the signature validity + period. + + + + + + + +Kolkman & Gieben Informational [Page 12] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + Re-signing a zone shortly before the end of the signature + validity period may cause simultaneous expiration of data from + caches. This in turn may lead to peaks in the load on + authoritative servers. + + o We suggest the Minimum Zone TTL to be long enough to both fetch + and verify all the RRs in the trust chain. In workshop + environments, it has been demonstrated [18] that a low TTL (under + 5 to 10 minutes) caused disruptions because of the following two + problems: + + 1. During validation, some data may expire before the + validation is complete. The validator should be able to + keep all data until it is completed. This applies to all + RRs needed to complete the chain of trust: DSes, DNSKEYs, + RRSIGs, and the final answers, i.e., the RRSet that is + returned for the initial query. + + 2. Frequent verification causes load on recursive nameservers. + Data at delegation points, DSes, DNSKEYs, and RRSIGs + benefit from caching. The TTL on those should be + relatively long. + + o Slave servers will need to be able to fetch newly signed zones + well before the RRSIGs in the zone served by the slave server pass + their signature expiration time. + + When a slave server is out of sync with its master and data in + a zone is signed by expired signatures, it may be better for + the slave server not to give out any answer. + + Normally, a slave server that is not able to contact a master + server for an extended period will expire a zone. When that + happens, the server will respond differently to queries for + that zone. Some servers issue SERVFAIL, whereas others turn + off the 'AA' bit in the answers. The time of expiration is set + in the SOA record and is relative to the last successful + refresh between the master and the slave servers. There exists + no coupling between the signature expiration of RRSIGs in the + zone and the expire parameter in the SOA. + + If the server serves a DNSSEC zone, then it may well happen + that the signatures expire well before the SOA expiration timer + counts down to zero. It is not possible to completely prevent + this from happening by tweaking the SOA parameters. However, + the effects can be minimized where the SOA expiration time is + equal to or shorter than the signature validity period. The + consequence of an authoritative server not being able to update + + + +Kolkman & Gieben Informational [Page 13] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + a zone, whilst that zone includes expired signatures, is that + non-secure resolvers will continue to be able to resolve data + served by the particular slave servers while security-aware + resolvers will experience problems because of answers being + marked as Bogus. + + We suggest the SOA expiration timer being approximately one + third or one fourth of the signature validity period. It will + allow problems with transfers from the master server to be + noticed before the actual signature times out. We also suggest + that operators of nameservers that supply secondary services + develop 'watch dogs' to spot upcoming signature expirations in + zones they slave, and take appropriate action. + + When determining the value for the expiration parameter one has + to take the following into account: What are the chances that + all my secondaries expire the zone? How quickly can I reach an + administrator of secondary servers to load a valid zone? These + questions are not DNSSEC specific but may influence the choice + of your signature validity intervals. + +4.2. Key Rollovers + + A DNSSEC key cannot be used forever (see Section 3.3). So key + rollovers -- or supercessions, as they are sometimes called -- are a + fact of life when using DNSSEC. Zone administrators who are in the + process of rolling their keys have to take into account that data + published in previous versions of their zone still lives in caches. + When deploying DNSSEC, this becomes an important consideration; + ignoring data that may be in caches may lead to loss of service for + clients. + + The most pressing example of this occurs when zone material signed + with an old key is being validated by a resolver that does not have + the old zone key cached. If the old key is no longer present in the + current zone, this validation fails, marking the data "Bogus". + Alternatively, an attempt could be made to validate data that is + signed with a new key against an old key that lives in a local cache, + also resulting in data being marked "Bogus". + +4.2.1. Zone Signing Key Rollovers + + For "Zone Signing Key rollovers", there are two ways to make sure + that during the rollover data still cached can be verified with the + new key sets or newly generated signatures can be verified with the + keys still in caches. One schema, described in Section 4.2.1.2, uses + + + + + +Kolkman & Gieben Informational [Page 14] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + double signatures; the other uses key pre-publication (Section + 4.2.1.1). The pros, cons, and recommendations are described in + Section 4.2.1.3. + +4.2.1.1. Pre-Publish Key Rollover + + This section shows how to perform a ZSK rollover without the need to + sign all the data in a zone twice -- the "pre-publish key rollover". + This method has advantages in the case of a key compromise. If the + old key is compromised, the new key has already been distributed in + the DNS. The zone administrator is then able to quickly switch to + the new key and remove the compromised key from the zone. Another + major advantage is that the zone size does not double, as is the case + with the double signature ZSK rollover. A small "how-to" for this + kind of rollover can be found in Appendix B. + + Pre-publish key rollover involves four stages as follows: + + ---------------------------------------------------------------- + initial new DNSKEY new RRSIGs DNSKEY removal + ---------------------------------------------------------------- + SOA0 SOA1 SOA2 SOA3 + RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3) + + DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 + DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11 + DNSKEY11 DNSKEY11 + RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY) + RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) + ---------------------------------------------------------------- + + Pre-Publish Key Rollover + + initial: Initial version of the zone: DNSKEY 1 is the Key Signing + Key. DNSKEY 10 is used to sign all the data of the zone, the Zone + Signing Key. + + new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no + signatures are generated with this key yet, but this does not + secure against brute force attacks on the public key. The minimum + duration of this pre-roll phase is the time it takes for the data + to propagate to the authoritative servers plus TTL value of the + key set. + + new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is + used to sign the data in the zone exclusively (i.e., all the + signatures from DNSKEY 10 are removed from the zone). DNSKEY 10 + remains published in the key set. This way data that was loaded + + + +Kolkman & Gieben Informational [Page 15] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + into caches from version 1 of the zone can still be verified with + key sets fetched from version 2 of the zone. The minimum time + that the key set including DNSKEY 10 is to be published is the + time that it takes for zone data from the previous version of the + zone to expire from old caches, i.e., the time it takes for this + zone to propagate to all authoritative servers plus the Maximum + Zone TTL value of any of the data in the previous version of the + zone. + + DNSKEY removal: DNSKEY 10 is removed from the zone. The key set, now + only containing DNSKEY 1 and DNSKEY 11, is re-signed with the + DNSKEY 1. + + The above scheme can be simplified by always publishing the "future" + key immediately after the rollover. The scheme would look as follows + (we show two rollovers); the future key is introduced in "new DNSKEY" + as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY + (II)": + + ---------------------------------------------------------------- + initial new RRSIGs new DNSKEY + ---------------------------------------------------------------- + SOA0 SOA1 SOA2 + RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2) + + DNSKEY1 DNSKEY1 DNSKEY1 + DNSKEY10 DNSKEY10 DNSKEY11 + DNSKEY11 DNSKEY11 DNSKEY12 + RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) + RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) + ---------------------------------------------------------------- + + ---------------------------------------------------------------- + new RRSIGs (II) new DNSKEY (II) + ---------------------------------------------------------------- + SOA3 SOA4 + RRSIG12(SOA3) RRSIG12(SOA4) + + DNSKEY1 DNSKEY1 + DNSKEY11 DNSKEY12 + DNSKEY12 DNSKEY13 + RRSIG1(DNSKEY) RRSIG1(DNSKEY) + RRSIG12(DNSKEY) RRSIG12(DNSKEY) + ---------------------------------------------------------------- + + Pre-Publish Key Rollover, Showing Two Rollovers + + + + + +Kolkman & Gieben Informational [Page 16] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + Note that the key introduced in the "new DNSKEY" phase is not used + for production yet; the private key can thus be stored in a + physically secure manner and does not need to be 'fetched' every time + a zone needs to be signed. + +4.2.1.2. Double Signature Zone Signing Key Rollover + + This section shows how to perform a ZSK key rollover using the double + zone data signature scheme, aptly named "double signature rollover". + + During the "new DNSKEY" stage the new version of the zone file will + need to propagate to all authoritative servers and the data that + exists in (distant) caches will need to expire, requiring at least + the Maximum Zone TTL. + + Double signature ZSK rollover involves three stages as follows: + + ---------------------------------------------------------------- + initial new DNSKEY DNSKEY removal + ---------------------------------------------------------------- + SOA0 SOA1 SOA2 + RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) + RRSIG11(SOA1) + + DNSKEY1 DNSKEY1 DNSKEY1 + DNSKEY10 DNSKEY10 DNSKEY11 + DNSKEY11 + RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) + RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) + RRSIG11(DNSKEY) + ---------------------------------------------------------------- + + Double Signature Zone Signing Key Rollover + + initial: Initial Version of the zone: DNSKEY 1 is the Key Signing + Key. DNSKEY 10 is used to sign all the data of the zone, the Zone + Signing Key. + + new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is + introduced into the key set and all the data in the zone is signed + with DNSKEY 10 and DNSKEY 11. The rollover period will need to + continue until all data from version 0 of the zone has expired + from remote caches. This will take at least the Maximum Zone TTL + of version 0 of the zone. + + DNSKEY removal: DNSKEY 10 is removed from the zone. All the + signatures from DNSKEY 10 are removed from the zone. The key set, + now only containing DNSKEY 11, is re-signed with DNSKEY 1. + + + +Kolkman & Gieben Informational [Page 17] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + At every instance, RRSIGs from the previous version of the zone can + be verified with the DNSKEY RRSet from the current version and the + other way around. The data from the current version can be verified + with the data from the previous version of the zone. The duration of + the "new DNSKEY" phase and the period between rollovers should be at + least the Maximum Zone TTL. + + Making sure that the "new DNSKEY" phase lasts until the signature + expiration time of the data in initial version of the zone is + recommended. This way all caches are cleared of the old signatures. + However, this duration could be considerably longer than the Maximum + Zone TTL, making the rollover a lengthy procedure. + + Note that in this example we assumed that the zone was not modified + during the rollover. New data can be introduced in the zone as long + as it is signed with both keys. + +4.2.1.3. Pros and Cons of the Schemes + + Pre-publish key rollover: This rollover does not involve signing the + zone data twice. Instead, before the actual rollover, the new key + is published in the key set and thus is available for + cryptanalysis attacks. A small disadvantage is that this process + requires four steps. Also the pre-publish scheme involves more + parental work when used for KSK rollovers as explained in Section + 4.2.3. + + Double signature ZSK rollover: The drawback of this signing scheme is + that during the rollover the number of signatures in your zone + doubles; this may be prohibitive if you have very big zones. An + advantage is that it only requires three steps. + +4.2.2. Key Signing Key Rollovers + + For the rollover of a Key Signing Key, the same considerations as for + the rollover of a Zone Signing Key apply. However, we can use a + double signature scheme to guarantee that old data (only the apex key + set) in caches can be verified with a new key set and vice versa. + Since only the key set is signed with a KSK, zone size considerations + do not apply. + + + + + + + + + + + +Kolkman & Gieben Informational [Page 18] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + -------------------------------------------------------------------- + initial new DNSKEY DS change DNSKEY removal + -------------------------------------------------------------------- + Parent: + SOA0 --------> SOA1 --------> + RRSIGpar(SOA0) --------> RRSIGpar(SOA1) --------> + DS1 --------> DS2 --------> + RRSIGpar(DS) --------> RRSIGpar(DS) --------> + + + Child: + SOA0 SOA1 --------> SOA2 + RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2) + --------> + DNSKEY1 DNSKEY1 --------> DNSKEY2 + DNSKEY2 --------> + DNSKEY10 DNSKEY10 --------> DNSKEY10 + RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY) + RRSIG2 (DNSKEY) --------> + RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) + -------------------------------------------------------------------- + + Stages of Deployment for a Double Signature Key Signing Key Rollover + + initial: Initial version of the zone. The parental DS points to + DNSKEY1. Before the rollover starts, the child will have to + verify what the TTL is of the DS RR that points to DNSKEY1 -- it + is needed during the rollover and we refer to the value as TTL_DS. + + new DNSKEY: During the "new DNSKEY" phase, the zone administrator + generates a second KSK, DNSKEY2. The key is provided to the + parent, and the child will have to wait until a new DS RR has been + generated that points to DNSKEY2. After that DS RR has been + published on all servers authoritative for the parent's zone, the + zone administrator has to wait at least TTL_DS to make sure that + the old DS RR has expired from caches. + + DS change: The parent replaces DS1 with DS2. + + DNSKEY removal: DNSKEY1 has been removed. + + The scenario above puts the responsibility for maintaining a valid + chain of trust with the child. It also is based on the premise that + the parent only has one DS RR (per algorithm) per zone. An + alternative mechanism has been considered. Using an established + trust relation, the interaction can be performed in-band, and the + removal of the keys by the child can possibly be signaled by the + parent. In this mechanism, there are periods where there are two DS + + + +Kolkman & Gieben Informational [Page 19] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + RRs at the parent. Since at the moment of writing the protocol for + this interaction has not been developed, further discussion is out of + scope for this document. + +4.2.3. Difference Between ZSK and KSK Rollovers + + Note that KSK rollovers and ZSK rollovers are different in the sense + that a KSK rollover requires interaction with the parent (and + possibly replacing of trust anchors) and the ensuing delay while + waiting for it. + + A zone key rollover can be handled in two different ways: pre-publish + (Section 4.2.1.1) and double signature (Section 4.2.1.2). + + As the KSK is used to validate the key set and because the KSK is not + changed during a ZSK rollover, a cache is able to validate the new + key set of the zone. The pre-publish method would also work for a + KSK rollover. The records that are to be pre-published are the + parental DS RRs. The pre-publish method has some drawbacks for KSKs. + We first describe the rollover scheme and then indicate these + drawbacks. + + -------------------------------------------------------------------- + initial new DS new DNSKEY DS/DNSKEY removal + -------------------------------------------------------------------- + Parent: + SOA0 SOA1 --------> SOA2 + RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2) + DS1 DS1 --------> DS2 + DS2 --------> + RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS) + + + Child: + SOA0 --------> SOA1 SOA1 + RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1) + --------> + DNSKEY1 --------> DNSKEY2 DNSKEY2 + --------> + DNSKEY10 --------> DNSKEY10 DNSKEY10 + RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY) + RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY) + -------------------------------------------------------------------- + + Stages of Deployment for a Pre-Publish Key Signing Key Rollover + + + + + + +Kolkman & Gieben Informational [Page 20] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + When the child zone wants to roll, it notifies the parent during the + "new DS" phase and submits the new key (or the corresponding DS) to + the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1 + and DNSKEY2, respectively. During the rollover ("new DNSKEY" phase), + which can take place as soon as the new DS set propagated through the + DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that + ("DS/DNSKEY removal" phase), it can notify the parent that the old DS + record can be deleted. + + The drawbacks of this scheme are that during the "new DS" phase the + parent cannot verify the match between the DS2 RR and DNSKEY2 using + the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a + "security lame" key (see Section 4.4.3). Finally, the child-parent + interaction consists of two steps. The "double signature" method + only needs one interaction. + +4.2.4. Automated Key Rollovers + + As keys must be renewed periodically, there is some motivation to + automate the rollover process. Consider the following: + + o ZSK rollovers are easy to automate as only the child zone is + involved. + + o A KSK rollover needs interaction between parent and child. Data + exchange is needed to provide the new keys to the parent; + consequently, this data must be authenticated and integrity must + be guaranteed in order to avoid attacks on the rollover. + +4.3. Planning for Emergency Key Rollover + + This section deals with preparation for a possible key compromise. + Our advice is to have a documented procedure ready for when a key + compromise is suspected or confirmed. + + When the private material of one of your keys is compromised it can + be used for as long as a valid trust chain exists. A trust chain + remains intact for + + o as long as a signature over the compromised key in the trust chain + is valid, + + o as long as a parental DS RR (and signature) points to the + compromised key, + + o as long as the key is anchored in a resolver and is used as a + starting point for validation (this is generally the hardest to + update). + + + +Kolkman & Gieben Informational [Page 21] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + While a trust chain to your compromised key exists, your namespace is + vulnerable to abuse by anyone who has obtained illegitimate + possession of the key. Zone operators have to make a trade-off if + the abuse of the compromised key is worse than having data in caches + that cannot be validated. If the zone operator chooses to break the + trust chain to the compromised key, data in caches signed with this + key cannot be validated. However, if the zone administrator chooses + to take the path of a regular rollover, the malicious key holder can + spoof data so that it appears to be valid. + +4.3.1. KSK Compromise + + A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable + as long as the compromised KSK is configured as trust anchor or a + parental DS points to it. + + A compromised KSK can be used to sign the key set of an attacker's + zone. That zone could be used to poison the DNS. + + Therefore, when the KSK has been compromised, the trust anchor or the + parental DS should be replaced as soon as possible. It is local + policy whether to break the trust chain during the emergency + rollover. The trust chain would be broken when the compromised KSK + is removed from the child's zone while the parent still has a DS + pointing to the compromised KSK (the assumption is that there is only + one DS at the parent. If there are multiple DSes this does not apply + -- however the chain of trust of this particular key is broken). + + Note that an attacker's zone still uses the compromised KSK and the + presence of a parental DS would cause the data in this zone to appear + as valid. Removing the compromised key would cause the attacker's + zone to appear as valid and the child's zone as Bogus. Therefore, we + advise not to remove the KSK before the parent has a DS to a new KSK + in place. + +4.3.1.1. Keeping the Chain of Trust Intact + + If we follow this advice, the timing of the replacement of the KSK is + somewhat critical. The goal is to remove the compromised KSK as soon + as the new DS RR is available at the parent. And also make sure that + the signature made with a new KSK over the key set with the + compromised KSK in it expires just after the new DS appears at the + parent, thus removing the old cruft in one swoop. + + The procedure is as follows: + + 1. Introduce a new KSK into the key set, keep the compromised KSK in + the key set. + + + +Kolkman & Gieben Informational [Page 22] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + 2. Sign the key set, with a short validity period. The validity + period should expire shortly after the DS is expected to appear + in the parent and the old DSes have expired from caches. + + 3. Upload the DS for this new key to the parent. + + 4. Follow the procedure of the regular KSK rollover: Wait for the DS + to appear in the authoritative servers and then wait as long as + the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet + and modify/extend the expiration time. + + 5. Remove the compromised DNSKEY RR from the zone and re-sign the + key set using your "normal" validity interval. + + An additional danger of a key compromise is that the compromised key + could be used to facilitate a legitimate DNSKEY/DS rollover and/or + nameserver changes at the parent. When that happens, the domain may + be in dispute. An authenticated out-of-band and secure notify + mechanism to contact a parent is needed in this case. + + Note that this is only a problem when the DNSKEY and or DS records + are used for authentication at the parent. + +4.3.1.2. Breaking the Chain of Trust + + There are two methods to break the chain of trust. The first method + causes the child zone to appear 'Bogus' to validating resolvers. The + other causes the child zone to appear 'insecure'. These are + described below. + + In the method that causes the child zone to appear 'Bogus' to + validating resolvers, the child zone replaces the current KSK with a + new one and re-signs the key set. Next it sends the DS of the new + key to the parent. Only after the parent has placed the new DS in + the zone is the child's chain of trust repaired. + + An alternative method of breaking the chain of trust is by removing + the DS RRs from the parent zone altogether. As a result, the child + zone would become insecure. + +4.3.2. ZSK Compromise + + Primarily because there is no parental interaction required when a + ZSK is compromised, the situation is less severe than with a KSK + compromise. The zone must still be re-signed with a new ZSK as soon + as possible. As this is a local operation and requires no + communication between the parent and child, this can be achieved + fairly quickly. However, one has to take into account that just as + + + +Kolkman & Gieben Informational [Page 23] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + with a normal rollover the immediate disappearance of the old + compromised key may lead to verification problems. Also note that as + long as the RRSIG over the compromised ZSK is not expired the zone + may be still at risk. + +4.3.3. Compromises of Keys Anchored in Resolvers + + A key can also be pre-configured in resolvers. For instance, if + DNSSEC is successfully deployed the root key may be pre-configured in + most security aware resolvers. + + If trust-anchor keys are compromised, the resolvers using these keys + should be notified of this fact. Zone administrators may consider + setting up a mailing list to communicate the fact that a SEP key is + about to be rolled over. This communication will of course need to + be authenticated, e.g., by using digital signatures. + + End-users faced with the task of updating an anchored key should + always validate the new key. New keys should be authenticated out- + of-band, for example, through the use of an announcement website that + is secured using secure sockets (TLS) [21]. + +4.4. Parental Policies + +4.4.1. Initial Key Exchanges and Parental Policies Considerations + + The initial key exchange is always subject to the policies set by the + parent. When designing a key exchange policy one should take into + account that the authentication and authorization mechanisms used + during a key exchange should be as strong as the authentication and + authorization mechanisms used for the exchange of delegation + information between parent and child. That is, there is no implicit + need in DNSSEC to make the authentication process stronger than it + was in DNS. + + Using the DNS itself as the source for the actual DNSKEY material, + with an out-of-band check on the validity of the DNSKEY, has the + benefit that it reduces the chances of user error. A DNSKEY query + tool can make use of the SEP bit [3] to select the proper key from a + DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is + sent. It can validate the self-signature over a key; thereby + verifying the ownership of the private key material. Fetching the + DNSKEY from the DNS ensures that the chain of trust remains intact + once the parent publishes the DS RR indicating the child is secure. + + Note: the out-of-band verification is still needed when the key + material is fetched via the DNS. The parent can never be sure + whether or not the DNSKEY RRs have been spoofed. + + + +Kolkman & Gieben Informational [Page 24] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +4.4.2. Storing Keys or Hashes? + + When designing a registry system one should consider which of the + DNSKEYs and/or the corresponding DSes to store. Since a child zone + might wish to have a DS published using a message digest algorithm + not yet understood by the registry, the registry can't count on being + able to generate the DS record from a raw DNSKEY. Thus, we recommend + that registry systems at least support storing DS records. + + It may also be useful to store DNSKEYs, since having them may help + during troubleshooting and, as long as the child's chosen message + digest is supported, the overhead of generating DS records from them + is minimal. Having an out-of-band mechanism, such as a registry + directory (e.g., Whois), to find out which keys are used to generate + DS Resource Records for specific owners and/or zones may also help + with troubleshooting. + + The storage considerations also relate to the design of the customer + interface and the method by which data is transferred between + registrant and registry; Will the child zone administrator be able to + upload DS RRs with unknown hash algorithms or does the interface only + allow DNSKEYs? In the registry-registrar model, one can use the + DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15], + which allows transfer of DS RRs and optionally DNSKEY RRs. + +4.4.3. Security Lameness + + Security lameness is defined as what happens when a parent has a DS + RR pointing to a non-existing DNSKEY RR. When this happens, the + child's zone may be marked "Bogus" by verifying DNS clients. + + As part of a comprehensive delegation check, the parent could, at key + exchange time, verify that the child's key is actually configured in + the DNS. However, if a parent does not understand the hashing + algorithm used by child, the parental checks are limited to only + comparing the key id. + + Child zones should be very careful in removing DNSKEY material, + specifically SEP keys, for which a DS RR exists. + + Once a zone is "security lame", a fix (e.g., removing a DS RR) will + take time to propagate through the DNS. + + + + + + + + + +Kolkman & Gieben Informational [Page 25] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +4.4.4. DS Signature Validity Period + + Since the DS can be replayed as long as it has a valid signature, a + short signature validity period over the DS minimizes the time a + child is vulnerable in the case of a compromise of the child's + KSK(s). A signature validity period that is too short introduces the + possibility that a zone is marked "Bogus" in case of a configuration + error in the signer. There may not be enough time to fix the + problems before signatures expire. Something as mundane as operator + unavailability during weekends shows the need for DS signature + validity periods longer than 2 days. We recommend an absolute + minimum for a DS signature validity period of a few days. + + The maximum signature validity period of the DS record depends on how + long child zones are willing to be vulnerable after a key compromise. + On the other hand, shortening the DS signature validity interval + increases the operational risk for the parent. Therefore, the parent + may have policy to use a signature validity interval that is + considerably longer than the child would hope for. + + A compromise between the operational constraints of the parent and + minimizing damage for the child may result in a DS signature validity + period somewhere between a week and months. + + In addition to the signature validity period, which sets a lower + bound on the number of times the zone owner will need to sign the + zone data and which sets an upper bound to the time a child is + vulnerable after key compromise, there is the TTL value on the DS + RRs. Shortening the TTL means that the authoritative servers will + see more queries. But on the other hand, a short TTL lowers the + persistence of DS RRSets in caches thereby increasing the speed with + which updated DS RRSets propagate through the DNS. + +5. Security Considerations + + DNSSEC adds data integrity to the DNS. This document tries to assess + the operational considerations to maintain a stable and secure DNSSEC + service. Not taking into account the 'data propagation' properties + in the DNS will cause validation failures and may make secured zones + unavailable to security-aware resolvers. + +6. Acknowledgments + + Most of the ideas in this document were the result of collective + efforts during workshops, discussions, and tryouts. + + At the risk of forgetting individuals who were the original + contributors of the ideas, we would like to acknowledge people who + + + +Kolkman & Gieben Informational [Page 26] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + were actively involved in the compilation of this document. In + random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael + Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette + Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger + Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz, and Peter Koch. + + Some material in this document has been copied from RFC 2541 [12]. + + Mike StJohns designed the key exchange between parent and child + mentioned in the last paragraph of Section 4.2.2 + + Section 4.2.4 was supplied by G. Guette and O. Courtay. + + Emma Bretherick, Adrian Bedford, and Lindy Foster corrected many of + the spelling and style issues. + + Kolkman and Gieben take the blame for introducing all miscakes (sic). + + While working on this document, Kolkman was employed by the RIPE NCC + and Gieben was employed by NLnet Labs. + +7. References + +7.1. Normative References + + [1] Mockapetris, P., "Domain names - concepts and facilities", STD + 13, RFC 1034, November 1987. + + [2] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [3] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System + KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) + Flag", RFC 3757, May 2004. + + [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, March + 2005. + + [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Resource Records for the DNS Security Extensions", RFC 4034, + March 2005. + + [6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Protocol Modifications for the DNS Security Extensions", RFC + 4035, March 2005. + + + + + +Kolkman & Gieben Informational [Page 27] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +7.2. Informative References + + [7] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [8] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August + 1996. + + [9] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes + (DNS NOTIFY)", RFC 1996, August 1996. + + [10] Wellington, B., "Secure Domain Name System (DNS) Dynamic + Update", RFC 3007, November 2000. + + [11] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", + RFC 2308, March 1998. + + [12] Eastlake, D., "DNS Security Operational Considerations", RFC + 2541, March 1999. + + [13] Orman, H. and P. Hoffman, "Determining Strengths For Public + Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766, + April 2004. + + [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness + Requirements for Security", BCP 106, RFC 4086, June 2005. + + [15] Hollenbeck, S., "Domain Name System (DNS) Security Extensions + Mapping for the Extensible Provisioning Protocol (EPP)", RFC + 4310, December 2005. + + [16] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key + Sizes", The Journal of Cryptology 14 (255-293), 2001. + + [17] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and + Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN + (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc., + 1996. + + [18] Rose, S., "NIST DNSSEC workshop notes", June 2001. + + [19] Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource + Records in DNSSEC", Work in Progress, January 2006. + + [20] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS) + Resource Records (RRs)", RFC 4509, May 2006. + + + + + +Kolkman & Gieben Informational [Page 28] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + [21] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and + T. Wright, "Transport Layer Security (TLS) Extensions", RFC + 4366, April 2006. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kolkman & Gieben Informational [Page 29] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +Appendix A. Terminology + + In this document, there is some jargon used that is defined in other + documents. In most cases, we have not copied the text from the + documents defining the terms but have given a more elaborate + explanation of the meaning. Note that these explanations should not + be seen as authoritative. + + Anchored key: A DNSKEY configured in resolvers around the globe. + This key is hard to update, hence the term anchored. + + Bogus: Also see Section 5 of [4]. An RRSet in DNSSEC is marked + "Bogus" when a signature of an RRSet does not validate against a + DNSKEY. + + Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used + exclusively for signing the apex key set. The fact that a key is + a KSK is only relevant to the signing tool. + + Key size: The term 'key size' can be substituted by 'modulus size' + throughout the document. It is mathematically more correct to use + modulus size, but as this is a document directed at operators we + feel more at ease with the term key size. + + Private and public keys: DNSSEC secures the DNS through the use of + public key cryptography. Public key cryptography is based on the + existence of two (mathematically related) keys, a public key and a + private key. The public keys are published in the DNS by use of + the DNSKEY Resource Record (DNSKEY RR). Private keys should + remain private. + + Key rollover: A key rollover (also called key supercession in some + environments) is the act of replacing one key pair with another at + the end of a key effectivity period. + + Secure Entry Point (SEP) key: A KSK that has a parental DS record + pointing to it or is configured as a trust anchor. Although not + required by the protocol, we recommend that the SEP flag [3] is + set on these keys. + + Self-signature: This only applies to signatures over DNSKEYs; a + signature made with DNSKEY x, over DNSKEY x is called a self- + signature. Note: without further information, self-signatures + convey no trust. They are useful to check the authenticity of the + DNSKEY, i.e., they can be used as a hash. + + + + + + +Kolkman & Gieben Informational [Page 30] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + Singing the zone file: The term used for the event where an + administrator joyfully signs its zone file while producing melodic + sound patterns. + + Signer: The system that has access to the private key material and + signs the Resource Record sets in a zone. A signer may be + configured to sign only parts of the zone, e.g., only those RRSets + for which existing signatures are about to expire. + + Zone Signing Key (ZSK): A key that is used for signing all data in a + zone. The fact that a key is a ZSK is only relevant to the + signing tool. + + Zone administrator: The 'role' that is responsible for signing a zone + and publishing it on the primary authoritative server. + +Appendix B. Zone Signing Key Rollover How-To + + Using the pre-published signature scheme and the most conservative + method to assure oneself that data does not live in caches, here + follows the "how-to". + + Step 0: The preparation: Create two keys and publish both in your key + set. Mark one of the keys "active" and the other "published". + Use the "active" key for signing your zone data. Store the + private part of the "published" key, preferably off-line. The + protocol does not provide for attributes to mark a key as active + or published. This is something you have to do on your own, + through the use of a notebook or key management tool. + + Step 1: Determine expiration: At the beginning of the rollover make a + note of the highest expiration time of signatures in your zone + file created with the current key marked as active. Wait until + the expiration time marked in Step 1 has passed. + + Step 2: Then start using the key that was marked "published" to sign + your data (i.e., mark it "active"). Stop using the key that was + marked "active"; mark it "rolled". + + Step 3: It is safe to engage in a new rollover (Step 1) after at + least one signature validity period. + + + + + + + + + + +Kolkman & Gieben Informational [Page 31] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +Appendix C. Typographic Conventions + + The following typographic conventions are used in this document: + + Key notation: A key is denoted by DNSKEYx, where x is a number or an + identifier, x could be thought of as the key id. + + RRSet notations: RRs are only denoted by the type. All other + information -- owner, class, rdata, and TTL--is left out. Thus: + "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a + list of RRs. A example of this would be "A1, A2", specifying the + RRSet containing two "A" records. This could again be abbreviated to + just "A". + + Signature notation: Signatures are denoted as RRSIGx(RRSet), which + means that RRSet is signed with DNSKEYx. + + Zone representation: Using the above notation we have simplified the + representation of a signed zone by leaving out all unnecessary + details such as the names and by representing all data by "SOAx" + + SOA representation: SOAs are represented as SOAx, where x is the + serial number. + + Using this notation the following signed zone: + + example.net. 86400 IN SOA ns.example.net. bert.example.net. ( + 2006022100 ; serial + 86400 ; refresh ( 24 hours) + 7200 ; retry ( 2 hours) + 3600000 ; expire (1000 hours) + 28800 ) ; minimum ( 8 hours) + 86400 RRSIG SOA 5 2 86400 20130522213204 ( + 20130422213204 14 example.net. + cmL62SI6iAX46xGNQAdQ... ) + 86400 NS a.iana-servers.net. + 86400 NS b.iana-servers.net. + 86400 RRSIG NS 5 2 86400 20130507213204 ( + 20130407213204 14 example.net. + SO5epiJei19AjXoUpFnQ ... ) + 86400 DNSKEY 256 3 5 ( + EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14 + 86400 DNSKEY 257 3 5 ( + gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15 + 86400 RRSIG DNSKEY 5 2 86400 20130522213204 ( + 20130422213204 14 example.net. + J4zCe8QX4tXVGjV4e1r9... ) + + + + +Kolkman & Gieben Informational [Page 32] + +RFC 4641 DNSSEC Operational Practices September 2006 + + + 86400 RRSIG DNSKEY 5 2 86400 20130522213204 ( + 20130422213204 15 example.net. + keVDCOpsSeDReyV6O... ) + 86400 RRSIG NSEC 5 2 86400 20130507213204 ( + 20130407213204 14 example.net. + obj3HEp1GjnmhRjX... ) + a.example.net. 86400 IN TXT "A label" + 86400 RRSIG TXT 5 3 86400 20130507213204 ( + 20130407213204 14 example.net. + IkDMlRdYLmXH7QJnuF3v... ) + 86400 NSEC b.example.com. TXT RRSIG NSEC + 86400 RRSIG NSEC 5 3 86400 20130507213204 ( + 20130407213204 14 example.net. + bZMjoZ3bHjnEz0nIsPMM... ) + ... + + is reduced to the following representation: + + SOA2006022100 + RRSIG14(SOA2006022100) + DNSKEY14 + DNSKEY15 + + RRSIG14(KEY) + RRSIG15(KEY) + + The rest of the zone data has the same signature as the SOA record, + i.e., an RRSIG created with DNSKEY 14. + + + + + + + + + + + + + + + + + + + + + + + +Kolkman & Gieben Informational [Page 33] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +Authors' Addresses + + Olaf M. Kolkman + NLnet Labs + Kruislaan 419 + Amsterdam 1098 VA + The Netherlands + + EMail: olaf@nlnetlabs.nl + URI: http://www.nlnetlabs.nl + + + R. (Miek) Gieben + + EMail: miek@miek.nl + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kolkman & Gieben Informational [Page 34] + +RFC 4641 DNSSEC Operational Practices September 2006 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is provided by the IETF + Administrative Support Activity (IASA). + + + + + + + +Kolkman & Gieben Informational [Page 35] + diff --git a/lib/Makefile.in b/lib/Makefile.in index c72b3e7726075..3fd057c8ef64d 100644 --- a/lib/Makefile.in +++ b/lib/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 1998-2001, 2003 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1998-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.15.2.2.8.4 2004/03/08 09:04:25 marka Exp $ +# $Id: Makefile.in,v 1.15.2.2.8.7 2007/08/28 07:19:12 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind/api b/lib/bind/api index 8632b1256a763..d4b1ecd36b2ba 100644 --- a/lib/bind/api +++ b/lib/bind/api @@ -1,3 +1,3 @@ LIBINTERFACE = 4 -LIBREVISION = 7 +LIBREVISION = 9 LIBAGE = 0 diff --git a/lib/bind/configure.in b/lib/bind/configure.in index 9c2877cdffbf2..8cc91e8e8fd58 100644 --- a/lib/bind/configure.in +++ b/lib/bind/configure.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. +# Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -AC_REVISION($Revision: 1.83.2.5.2.31 $) +AC_REVISION($Revision: 1.83.2.5.2.38 $) AC_INIT(resolv/herror.c) AC_PREREQ(2.13) @@ -174,6 +174,7 @@ AC_CHECK_HEADERS(fcntl.h db.h paths.h sys/time.h unistd.h sys/sockio.h sys/selec AC_C_CONST AC_C_INLINE AC_TYPE_SIZE_T +AC_CHECK_TYPE(ssize_t,signed) AC_CHECK_TYPE(uintptr_t,unsigned long) AC_HEADER_TIME # @@ -458,6 +459,8 @@ AC_SUBST(WANT_IRS_THREADS_OBJS) AC_SUBST(WANT_THREADS_OBJS) AC_CHECK_FUNC(strlcat, AC_DEFINE(HAVE_STRLCAT)) +AC_CHECK_FUNC(memmove, AC_DEFINE(HAVE_MEMMOVE)) +AC_CHECK_FUNC(memchr, AC_DEFINE(HAVE_MEMCHR)) AC_CHECK_FUNC(if_nametoindex, [USE_IFNAMELINKID="#define USE_IFNAMELINKID 1"], @@ -879,27 +882,12 @@ $isc_netinet6in6_hack ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"], [AC_MSG_RESULT(no -- disabling runtime ipv6 support) ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"]) - - AC_MSG_CHECKING(for sockaddr_storage) - AC_TRY_COMPILE([ -#include -#include -#include -$isc_netinetin6_hack -$isc_netinet6in6_hack -], - [struct sockaddr_storage xyzzy; return (0);], - [AC_MSG_RESULT(yes) - HAVE_SOCKADDR_STORAGE="#define HAVE_SOCKADDR_STORAGE 1"], - [AC_MSG_RESULT(no) - HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"]) ;; no) HAS_INET6_STRUCTS="#undef HAS_INET6_STRUCTS" NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY" ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO" HAVE_SIN6_SCOPE_ID="#define HAVE_SIN6_SCOPE_ID 1" - HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE" ISC_IPV6_H="ipv6.h" ISC_IPV6_O="ipv6.$O" ISC_ISCIPV6_O="unix/ipv6.$O" @@ -907,6 +895,18 @@ $isc_netinet6in6_hack ;; esac +AC_MSG_CHECKING(for sockaddr_storage) +AC_TRY_COMPILE([ +#include +#include +#include +], +[struct sockaddr_storage xyzzy; return (0);], + [AC_MSG_RESULT(yes) + HAVE_SOCKADDR_STORAGE="#define HAVE_SOCKADDR_STORAGE 1"], + [AC_MSG_RESULT(no) + HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"]) + AC_SUBST(HAS_INET6_STRUCTS) AC_SUBST(ISC_PLATFORM_NEEDNETINETIN6H) AC_SUBST(ISC_PLATFORM_NEEDNETINET6IN6H) @@ -1117,6 +1117,17 @@ AC_TRY_COMPILE([ ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"]) AC_SUBST(ISC_PLATFORM_NEEDPORTT) +AC_MSG_CHECKING(for struct timespec) +AC_TRY_COMPILE([ +#include +#include ], +[struct timespec ts = { 0, 0 }; return (0);], + [AC_MSG_RESULT(yes) + ISC_PLATFORM_NEEDTIMESPEC="#undef ISC_PLATFORM_NEEDTIMESPEC"], + [AC_MSG_RESULT(no) + ISC_PLATFORM_NEEDTIMESPEC="#define ISC_PLATFORM_NEEDTIMESPEC 1"]) +AC_SUBST(ISC_PLATFORM_NEEDTIMESPEC) + # # Check for addrinfo # @@ -2664,6 +2675,7 @@ AC_OUTPUT( port/Makefile ${PORT_DIR}/Makefile ${PORT_INCLUDE}/Makefile + include/isc/platform.h ) # Tell Emacs to edit this file in shell mode. diff --git a/lib/bind/dst/dst_api.c b/lib/bind/dst/dst_api.c index 417c31f8cfbd5..c1313075aeeec 100644 --- a/lib/bind/dst/dst_api.c +++ b/lib/bind/dst/dst_api.c @@ -1,5 +1,5 @@ #ifndef LINT -static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.4.2.6.8.4 2006/03/10 00:17:21 marka Exp $"; +static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.4.2.6.8.6 2007/09/24 17:26:10 each Exp $"; #endif /* @@ -362,7 +362,7 @@ dst_read_key(const char *in_keyname, const u_int16_t in_id, pubkey->dk_alg) == 0) dg_key = dst_free_key(dg_key); - pubkey = dst_free_key(pubkey); + (void)dst_free_key(pubkey); return (dg_key); } @@ -438,6 +438,7 @@ dst_s_write_private_key(const DST_KEY *key) if ((nn = fwrite(encoded_block, 1, len, fp)) != len) { EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n", file, len, nn, errno)); + fclose(fp); return (-5); } fclose(fp); diff --git a/lib/bind/dst/hmac_link.c b/lib/bind/dst/hmac_link.c index 028f02e96a5c9..efad2583f666b 100644 --- a/lib/bind/dst/hmac_link.c +++ b/lib/bind/dst/hmac_link.c @@ -1,6 +1,6 @@ #ifdef HMAC_MD5 #ifndef LINT -static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.2.2.1.4.2 2006/03/10 00:17:21 marka Exp $"; +static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.2.2.1.4.4 2007/09/24 17:26:10 each Exp $"; #endif /* * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc. @@ -223,6 +223,7 @@ dst_buffer_to_hmac_md5(DST_KEY *dkey, const u_char *key, const int keylen) HMAC_Key *hkey = NULL; MD5_CTX ctx; int local_keylen = keylen; + u_char tk[MD5_LEN]; if (dkey == NULL || key == NULL || keylen < 0) return (-1); @@ -235,7 +236,6 @@ dst_buffer_to_hmac_md5(DST_KEY *dkey, const u_char *key, const int keylen) /* if key is longer than HMAC_LEN bytes reset it to key=MD5(key) */ if (keylen > HMAC_LEN) { - u_char tk[MD5_LEN]; MD5Init(&ctx); MD5Update(&ctx, key, keylen); MD5Final(tk, &ctx); @@ -273,16 +273,21 @@ dst_buffer_to_hmac_md5(DST_KEY *dkey, const u_char *key, const int keylen) static int dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff, - const int buff_len) + const int buff_len) { char *bp; - int len, b_len, i, key_len; + int len, i, key_len; u_char key[HMAC_LEN]; HMAC_Key *hkey; if (dkey == NULL || dkey->dk_KEY_struct == NULL) return (0); - if (buff == NULL || buff_len <= (int) strlen(key_file_fmt_str)) + /* + * Using snprintf() would be so much simpler here. + */ + if (buff == NULL || + buff_len <= (int)(strlen(key_file_fmt_str) + + strlen(KEY_FILE_FORMAT) + 4)) return (-1); /* no OR not enough space in output area */ hkey = (HMAC_Key *) dkey->dk_KEY_struct; @@ -291,7 +296,6 @@ dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff, sprintf(buff, key_file_fmt_str, KEY_FILE_FORMAT, KEY_HMAC_MD5, "HMAC"); bp = buff + strlen(buff); - b_len = buff_len - (bp - buff); memset(key, 0, HMAC_LEN); for (i = 0; i < HMAC_LEN; i++) @@ -301,19 +305,21 @@ dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff, break; key_len = i + 1; + if (buff_len - (bp - buff) < 6) + return (-1); strcat(bp, "Key: "); bp += strlen("Key: "); - b_len = buff_len - (bp - buff); - len = b64_ntop(key, key_len, bp, b_len); + len = b64_ntop(key, key_len, bp, buff_len - (bp - buff)); if (len < 0) return (-1); bp += len; + if (buff_len - (bp - buff) < 2) + return (-1); *(bp++) = '\n'; *bp = '\0'; - b_len = buff_len - (bp - buff); - return (buff_len - b_len); + return (bp - buff); } diff --git a/lib/bind/include/Makefile.in b/lib/bind/include/Makefile.in index a6e5553f33001..a9364ebf99090 100644 --- a/lib/bind/include/Makefile.in +++ b/lib/bind/include/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2008 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2001 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.3.206.1 2004/03/06 08:13:22 marka Exp $ +# $Id: Makefile.in,v 1.3.206.3 2008/01/23 02:14:28 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -24,7 +24,7 @@ HEADERS=fd_setsize.h hesiod.h irp.h irs.h netdb.h netgroup.h res_update.h \ AHEADERS= arpa/inet.h arpa/nameser.h arpa/nameser_compat.h IHEADERS= isc/assertions.h isc/ctl.h isc/dst.h isc/eventlib.h isc/heap.h \ isc/irpmarshall.h isc/list.h isc/logging.h isc/memcluster.h \ - isc/misc.h isc/tree.h + isc/misc.h isc/tree.h isc/platform.h.in all: diff --git a/lib/bind/include/isc/eventlib.h b/lib/bind/include/isc/eventlib.h index 033b3123d7ccf..98c70e31dc08e 100644 --- a/lib/bind/include/isc/eventlib.h +++ b/lib/bind/include/isc/eventlib.h @@ -18,7 +18,7 @@ /* eventlib.h - exported interfaces for eventlib * vix 09sep95 [initial] * - * $Id: eventlib.h,v 1.1.2.1.4.2 2005/07/28 07:43:18 marka Exp $ + * $Id: eventlib.h,v 1.1.2.1.4.3 2008/01/23 02:08:48 marka Exp $ */ #ifndef _EVENTLIB_H @@ -29,6 +29,8 @@ #include #include +#include + #ifndef __P # define __EVENTLIB_P_DEFINED # ifdef __STDC__ diff --git a/lib/bind/include/isc/platform.h.in b/lib/bind/include/isc/platform.h.in new file mode 100644 index 0000000000000..d595c6633c089 --- /dev/null +++ b/lib/bind/include/isc/platform.h.in @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: platform.h.in,v 1.2.4.2 2008/01/23 02:14:28 tbox Exp $ */ + +/*! \file */ + +#ifndef ISC_PLATFORM_H +#define ISC_PLATFORM_H + +/* + * Define if the OS does not define struct timespec. + */ +@ISC_PLATFORM_NEEDTIMESPEC@ +#ifdef ISC_PLATFORM_NEEDTIMESPEC +#include /* For time_t */ +struct timespec { + time_t tv_sec; /* seconds */ + long tv_nsec; /* nanoseconds */ +}; +#endif + +#endif diff --git a/lib/bind/inet/inet_network.c b/lib/bind/inet/inet_network.c index aaa50c8315781..2f40949e28155 100644 --- a/lib/bind/inet/inet_network.c +++ b/lib/bind/inet/inet_network.c @@ -84,9 +84,9 @@ again: } if (!digit) return (INADDR_NONE); + if (pp >= parts + 4 || val > 0xffU) + return (INADDR_NONE); if (*cp == '.') { - if (pp >= parts + 4 || val > 0xffU) - return (INADDR_NONE); *pp++ = val, cp++; goto again; } diff --git a/lib/bind/irs/dns_ho.c b/lib/bind/irs/dns_ho.c index 192be042e0b9b..b1bd5f01e6794 100644 --- a/lib/bind/irs/dns_ho.c +++ b/lib/bind/irs/dns_ho.c @@ -52,7 +52,7 @@ /* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.7.4.8 2006/03/10 00:17:21 marka Exp $"; +static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.7.4.9 2006/12/07 04:00:08 marka Exp $"; #endif /* LIBC_SCCS and not lint */ /* Imports. */ @@ -941,7 +941,7 @@ gethostans(struct irs_ho *this, bp = (char *)(((u_long)bp + (sizeof(align) - 1)) & ~(sizeof(align) - 1)); /* Avoid overflows. */ - if (bp + n >= &pvt->hostbuf[sizeof pvt->hostbuf]) { + if (bp + n > &pvt->hostbuf[sizeof(pvt->hostbuf) - 1]) { had_error++; continue; } @@ -1051,7 +1051,7 @@ add_hostent(struct pvt *pvt, char *bp, char **hap, struct addrinfo *ai) bp = (char *)(((u_long)bp + (sizeof(align) - 1)) & ~(sizeof(align) - 1)); /* Avoid overflows. */ - if (bp + addrlen >= &pvt->hostbuf[sizeof pvt->hostbuf]) + if (bp + addrlen > &pvt->hostbuf[sizeof(pvt->hostbuf) - 1]) return(-1); if (hap >= &pvt->h_addr_ptrs[MAXADDRS-1]) return(0); /* fail, but not treat it as an error. */ diff --git a/lib/bind/irs/gai_strerror.c b/lib/bind/irs/gai_strerror.c index 0492f8f49aa8d..e8921ea43246e 100644 --- a/lib/bind/irs/gai_strerror.c +++ b/lib/bind/irs/gai_strerror.c @@ -69,8 +69,10 @@ gai_strerror(int ecode) { if (pthread_mutex_lock(&lock) != 0) goto unknown; if (!once) { - if (pthread_key_create(&key, free) != 0) + if (pthread_key_create(&key, free) != 0) { + (void)pthread_mutex_unlock(&lock); goto unknown; + } once = 1; } if (pthread_mutex_unlock(&lock) != 0) diff --git a/lib/bind/irs/irp_ng.c b/lib/bind/irs/irp_ng.c index cf7bc7c31ea23..f459f9dfb6504 100644 --- a/lib/bind/irs/irp_ng.c +++ b/lib/bind/irs/irp_ng.c @@ -16,7 +16,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: irp_ng.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $"; +static const char rcsid[] = "$Id: irp_ng.c,v 1.1.206.2 2006/12/07 04:52:50 marka Exp $"; #endif /* Imports */ @@ -239,14 +239,14 @@ ng_test(struct irs_ng *this, const char *name, } if (irs_irp_send_command(pvt->girpdata, "innetgr %s", body) == 0) { - memput(body, bodylen); - code = irs_irp_read_response(pvt->girpdata, text, sizeof text); if (code == IRPD_GETNETGR_MATCHES) { rval = 1; } } + memput(body, bodylen); + return (rval); } diff --git a/lib/bind/irs/irs_data.c b/lib/bind/irs/irs_data.c index 7904286db87ff..5517a58c3515d 100644 --- a/lib/bind/irs/irs_data.c +++ b/lib/bind/irs/irs_data.c @@ -16,7 +16,7 @@ */ #if !defined(LINT) && !defined(CODECENTER) -static const char rcsid[] = "$Id: irs_data.c,v 1.3.2.2.4.4 2006/03/10 00:17:21 marka Exp $"; +static const char rcsid[] = "$Id: irs_data.c,v 1.3.2.2.4.6 2007/08/27 03:40:01 marka Exp $"; #endif #include "port_before.h" @@ -131,8 +131,10 @@ net_data_init(const char *conf_file) { if (pthread_mutex_lock(&keylock) != 0) return (NULL); if (!once) { - if (pthread_key_create(&key, net_data_destroy) != 0) + if (pthread_key_create(&key, net_data_destroy) != 0) { + (void)pthread_mutex_unlock(&keylock); return (NULL); + } once = 1; } if (pthread_mutex_unlock(&keylock) != 0) diff --git a/lib/bind/isc/ctl_clnt.c b/lib/bind/isc/ctl_clnt.c index e1fa7e798072b..ddb2efbe660eb 100644 --- a/lib/bind/isc/ctl_clnt.c +++ b/lib/bind/isc/ctl_clnt.c @@ -1,5 +1,5 @@ #if !defined(lint) && !defined(SABER) -static const char rcsid[] = "$Id: ctl_clnt.c,v 1.4.2.1.4.3 2004/03/17 01:13:35 marka Exp $"; +static const char rcsid[] = "$Id: ctl_clnt.c,v 1.4.2.1.4.4 2007/05/18 06:25:17 marka Exp $"; #endif /* not lint */ /* @@ -114,6 +114,19 @@ static void touch_timer(struct ctl_cctx *); static void timer(evContext, void *, struct timespec, struct timespec); +#ifndef HAVE_MEMCHR +static void * +memchr(const void *b, int c, size_t len) { + const unsigned char *p = b; + size_t i; + + for (i = 0; i < len; i++, p++) + if (*p == (unsigned char)c) + return ((void *)p); + return (NULL); +} +#endif + /* Private data. */ static const char * const state_names[] = { diff --git a/lib/bind/isc/ctl_srvr.c b/lib/bind/isc/ctl_srvr.c index 56c7684866737..0d1b53dfef088 100644 --- a/lib/bind/isc/ctl_srvr.c +++ b/lib/bind/isc/ctl_srvr.c @@ -1,5 +1,5 @@ #if !defined(lint) && !defined(SABER) -static const char rcsid[] = "$Id: ctl_srvr.c,v 1.3.2.1.4.3 2004/03/17 01:13:35 marka Exp $"; +static const char rcsid[] = "$Id: ctl_srvr.c,v 1.3.2.1.4.4 2006/12/07 04:52:50 marka Exp $"; #endif /* not lint */ /* @@ -564,7 +564,7 @@ static void ctl_readable(evContext lev, void *uap, int fd, int evmask) { static const char me[] = "ctl_readable"; struct ctl_sess *sess = uap; - struct ctl_sctx *ctx = sess->ctx; + struct ctl_sctx *ctx; char *eos, tmp[MAX_NTOP]; ssize_t n; @@ -572,6 +572,8 @@ ctl_readable(evContext lev, void *uap, int fd, int evmask) { REQUIRE(fd >= 0); REQUIRE(evmask == EV_READ); REQUIRE(sess->state == reading || sess->state == reading_data); + + ctx = sess->ctx; evTouchIdleTimer(lev, sess->rdtiID); if (!allocated_p(sess->inbuf) && ctl_bufget(&sess->inbuf, ctx->logger) < 0) { diff --git a/lib/bind/make/rules.in b/lib/bind/make/rules.in index 1a4e81d603d61..a635475d48184 100644 --- a/lib/bind/make/rules.in +++ b/lib/bind/make/rules.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: rules.in,v 1.3.2.3.4.4 2004/10/20 00:14:47 marka Exp $ +# $Id: rules.in,v 1.3.2.3.4.7 2007/08/28 07:19:12 tbox Exp $ ### ### Common Makefile rules for BIND 9. diff --git a/lib/bind/nameser/ns_parse.c b/lib/bind/nameser/ns_parse.c index 19a6f51b2db1d..a342b8de2f92b 100644 --- a/lib/bind/nameser/ns_parse.c +++ b/lib/bind/nameser/ns_parse.c @@ -16,7 +16,7 @@ */ #ifndef lint -static const char rcsid[] = "$Id: ns_parse.c,v 1.3.2.1.4.3 2005/10/11 00:48:16 marka Exp $"; +static const char rcsid[] = "$Id: ns_parse.c,v 1.3.2.1.4.4 2007/08/27 03:40:01 marka Exp $"; #endif /* Import. */ @@ -40,7 +40,7 @@ static void setsection(ns_msg *msg, ns_sect sect); /* Macros. */ -#ifndef SOLARIS2 +#if !defined(SOLARIS2) || defined(__COVERITY__) #define RETERR(err) do { errno = (err); return (-1); } while (0) #else #define RETERR(err) \ diff --git a/lib/bind/port_after.h.in b/lib/bind/port_after.h.in index f248d23f56145..162535ee5067a 100644 --- a/lib/bind/port_after.h.in +++ b/lib/bind/port_after.h.in @@ -36,6 +36,13 @@ @USE_IFNAMELINKID@ @PORT_NONBLOCK@ +#ifndef _POSIX_PATH_MAX +#define _POSIX_PATH_MAX 255 +#endif +#ifndef PATH_MAX +#define PATH_MAX _POSIX_PATH_MAX +#endif + /* * We need to know the IPv6 address family number even on IPv4-only systems. * Note that this is NOT a protocol constant, and that if the system has its diff --git a/lib/bind/port_before.h.in b/lib/bind/port_before.h.in index 320fff1905a95..0b00821ba6a92 100644 --- a/lib/bind/port_before.h.in +++ b/lib/bind/port_before.h.in @@ -12,6 +12,16 @@ struct timezone; /* silence warning */ #endif #include +#ifdef ISC_PLATFORM_NEEDTIMESPEC +#include /* For time_t */ +struct timespec { + time_t tv_sec; /* seconds */ + long tv_nsec; /* nanoseconds */ +}; +#endif +#ifndef HAVE_MEMMOVE +#define memmove(a,b,c) bcopy(b,a,c) +#endif @WANT_IRS_GR@ @WANT_IRS_NIS@ diff --git a/lib/bind/resolv/res_data.c b/lib/bind/resolv/res_data.c index 204e03d685f4e..1b9078cffdb54 100644 --- a/lib/bind/resolv/res_data.c +++ b/lib/bind/resolv/res_data.c @@ -16,7 +16,7 @@ */ #if defined(LIBC_SCCS) && !defined(lint) -static const char rcsid[] = "$Id: res_data.c,v 1.1.206.2 2004/03/16 12:34:18 marka Exp $"; +static const char rcsid[] = "$Id: res_data.c,v 1.1.206.3 2007/09/14 05:35:51 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -40,7 +40,6 @@ static const char rcsid[] = "$Id: res_data.c,v 1.1.206.2 2004/03/16 12:34:18 mar #include #include "port_after.h" -#undef _res const char *_res_opcodes[] = { "QUERY", @@ -70,6 +69,7 @@ const char *_res_sectioncodes[] = { }; #endif +#undef _res #ifndef __BIND_NOSTATIC struct __res_state _res # if defined(__BIND_RES_TEXT) @@ -77,6 +77,10 @@ struct __res_state _res # endif ; +#if defined(DO_PTHREADS) || defined(__linux) +#define _res (*__res_state()) +#endif + /* Proto. */ int res_ourserver_p(const res_state, const struct sockaddr_in *); diff --git a/lib/bind/resolv/res_init.c b/lib/bind/resolv/res_init.c index fd82e87203c05..22ad874da738a 100644 --- a/lib/bind/resolv/res_init.c +++ b/lib/bind/resolv/res_init.c @@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_init.c 8.1 (Berkeley) 6/7/93"; -static const char rcsid[] = "$Id: res_init.c,v 1.9.2.5.4.6 2006/08/30 23:23:01 marka Exp $"; +static const char rcsid[] = "$Id: res_init.c,v 1.9.2.5.4.8 2007/07/09 01:54:03 marka Exp $"; #endif /* LIBC_SCCS and not lint */ #include "port_before.h" @@ -166,7 +166,9 @@ __res_vinit(res_state statp, int preinit) { #endif int dots; union res_sockaddr_union u[2]; + int maxns = MAXNS; + RES_SET_H_ERRNO(statp, 0); if (statp->_u._ext.ext != NULL) res_ndestroy(statp); @@ -216,8 +218,22 @@ __res_vinit(res_state statp, int preinit) { statp->_u._ext.ext->nsaddrs[0].sin = statp->nsaddr; strcpy(statp->_u._ext.ext->nsuffix, "ip6.arpa"); strcpy(statp->_u._ext.ext->nsuffix2, "ip6.int"); - } else - return (-1); + } else { + /* + * Historically res_init() rarely, if at all, failed. + * Examples and applications exist which do not check + * our return code. Furthermore several applications + * simply call us to get the systems domainname. So + * rather then immediately fail here we store the + * failure, which is returned later, in h_errno. And + * prevent the collection of 'nameserver' information + * by setting maxns to 0. Thus applications that fail + * to check our return code wont be able to make + * queries anyhow. + */ + RES_SET_H_ERRNO(statp, NETDB_INTERNAL); + maxns = 0; + } #ifdef RESOLVSORT statp->nsort = 0; #endif @@ -238,9 +254,9 @@ __res_vinit(res_state statp, int preinit) { buf[0] = '.'; cp = strchr(buf, '.'); cp = (cp == NULL) ? buf : (cp + 1); - if (strlen(cp) >= sizeof(statp->defdname)) - goto freedata; - strcpy(statp->defdname, cp); + strncpy(statp->defdname, cp, + sizeof(statp->defdname) - 1); + statp->defdname[sizeof(statp->defdname) - 1] = '\0'; } } #endif /* SOLARIS2 */ @@ -346,7 +362,7 @@ __res_vinit(res_state statp, int preinit) { continue; } /* read nameservers to query */ - if (MATCH(buf, "nameserver") && nserv < MAXNS) { + if (MATCH(buf, "nameserver") && nserv < maxns) { struct addrinfo hints, *ai; char sbuf[NI_MAXSERV]; const size_t minsiz = @@ -482,16 +498,7 @@ __res_vinit(res_state statp, int preinit) { if ((cp = getenv("RES_OPTIONS")) != NULL) res_setoptions(statp, cp, "env"); statp->options |= RES_INIT; - return (0); - -#ifdef SOLARIS2 - freedata: - if (statp->_u._ext.ext != NULL) { - free(statp->_u._ext.ext); - statp->_u._ext.ext = NULL; - } - return (-1); -#endif + return (statp->res_h_errno); } static void diff --git a/lib/bind/resolv/res_send.c b/lib/bind/resolv/res_send.c index c47dd49bc6e8b..bc3cc923814aa 100644 --- a/lib/bind/resolv/res_send.c +++ b/lib/bind/resolv/res_send.c @@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static const char sccsid[] = "@(#)res_send.c 8.1 (Berkeley) 6/4/93"; -static const char rcsid[] = "$Id: res_send.c,v 1.5.2.2.4.9 2006/10/16 23:00:50 marka Exp $"; +static const char rcsid[] = "$Id: res_send.c,v 1.5.2.2.4.11 2008/01/27 02:06:07 marka Exp $"; #endif /* LIBC_SCCS and not lint */ /* @@ -288,7 +288,7 @@ int res_nsend(res_state statp, const u_char *buf, int buflen, u_char *ans, int anssiz) { - int gotsomewhere, terrno, try, v_circuit, resplen, ns, n; + int gotsomewhere, terrno, tries, v_circuit, resplen, ns, n; char abuf[NI_MAXHOST]; #ifdef USE_POLL @@ -400,7 +400,7 @@ res_nsend(res_state statp, /* * Send request, RETRY times, or until successful. */ - for (try = 0; try < statp->retry; try++) { + for (tries = 0; tries < statp->retry; tries++) { for (ns = 0; ns < statp->nscount; ns++) { struct sockaddr *nsap; int nsaplen; @@ -448,7 +448,7 @@ res_nsend(res_state statp, if (v_circuit) { /* Use VC; at most one attempt per server. */ - try = statp->retry; + tries = statp->retry; n = send_vc(statp, buf, buflen, ans, anssiz, &terrno, ns); if (n < 0) @@ -459,7 +459,7 @@ res_nsend(res_state statp, } else { /* Use datagrams. */ n = send_dg(statp, buf, buflen, ans, anssiz, &terrno, - ns, try, &v_circuit, &gotsomewhere); + ns, tries, &v_circuit, &gotsomewhere); if (n < 0) goto fail; if (n == 0) @@ -596,6 +596,9 @@ send_vc(res_state statp, u_short len; u_char *cp; void *tmp; +#ifdef SO_NOSIGPIPE + int on = 1; +#endif nsap = get_nsaddr(statp, ns); nsaplen = get_salen(nsap); @@ -641,6 +644,17 @@ send_vc(res_state statp, return (-1); } } +#ifdef SO_NOSIGPIPE + /* + * Disable generation of SIGPIPE when writing to a closed + * socket. Write should return -1 and set errno to EPIPE + * instead. + * + * Push on even if setsockopt(SO_NOSIGPIPE) fails. + */ + (void)setsockopt(statp->_vcsock, SOL_SOCKET, SO_NOSIGPIPE, &on, + sizeof(on)); +#endif errno = 0; if (connect(statp->_vcsock, nsap, nsaplen) < 0) { *terrno = errno; @@ -768,7 +782,7 @@ send_vc(res_state statp, static int send_dg(res_state statp, const u_char *buf, int buflen, u_char *ans, - int anssiz, int *terrno, int ns, int try, int *v_circuit, + int anssiz, int *terrno, int ns, int tries, int *v_circuit, int *gotsomewhere) { const HEADER *hp = (const HEADER *) buf; @@ -850,7 +864,7 @@ send_dg(res_state statp, const u_char *buf, int buflen, u_char *ans, /* * Wait for reply. */ - seconds = (statp->retrans << try); + seconds = (statp->retrans << tries); if (ns > 0) seconds /= statp->nscount; if (seconds <= 0) diff --git a/lib/bind9/Makefile.in b/lib/bind9/Makefile.in index cd822f39a64b9..47b3f082279cb 100644 --- a/lib/bind9/Makefile.in +++ b/lib/bind9/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001, 2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.2.200.10 2004/12/10 00:05:48 marka Exp $ +# $Id: Makefile.in,v 1.2.200.13 2007/08/28 07:19:13 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind9/api b/lib/bind9/api index be7faa6948e4e..cff58c8ed232f 100644 --- a/lib/bind9/api +++ b/lib/bind9/api @@ -1,3 +1,3 @@ LIBINTERFACE = 0 -LIBREVISION = 8 +LIBREVISION = 10 LIBAGE = 0 diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 2079a8477ac62..fe9836ca4b429 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,12 +15,11 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.37.6.34 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: check.c,v 1.37.6.39 2007/12/14 01:28:26 marka Exp $ */ #include #include -#include #include #include @@ -30,6 +29,7 @@ #include #include #include +#include #include #include @@ -490,6 +490,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "bad domain name '%s'", dlv); result = tresult; + continue; } if (symtab != NULL) { tresult = nameexist(obj, dlv, 1, symtab, @@ -817,18 +818,18 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *config, isc_buffer_add(&b, strlen(zname)); tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b, dns_rootname, ISC_TRUE, NULL); - if (result != ISC_R_SUCCESS) { + if (tresult != ISC_R_SUCCESS) { cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR, "zone '%s': is not a valid name", zname); - tresult = ISC_R_FAILURE; + result = ISC_R_FAILURE; } else { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(dns_fixedname_name(&fixedname), namebuf, sizeof(namebuf)); tresult = nameexist(zconfig, namebuf, ztype == HINTZONE ? 1 : 2, - symtab, "zone '%s': already exists " - "previous definition: %s:%u", logctx, mctx); + symtab, "zone '%s': already exists " + "previous definition: %s:%u", logctx, mctx); if (tresult != ISC_R_SUCCESS) result = tresult; } @@ -1318,7 +1319,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx, "previous definition: %s:%u", key, file, line); result = tresult; - } else if (result != ISC_R_SUCCESS) { + } else if (tresult != ISC_R_SUCCESS) { result = tresult; } else if ((strcasecmp(key, "_bind") == 0 && vclass == dns_rdataclass_ch) || diff --git a/lib/bind9/getaddresses.c b/lib/bind9/getaddresses.c index 02d110478cc1d..8727855a5bffa 100644 --- a/lib/bind9/getaddresses.c +++ b/lib/bind9/getaddresses.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001, 2002 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: getaddresses.c,v 1.13.126.8 2005/10/14 02:13:06 marka Exp $ */ +/* $Id: getaddresses.c,v 1.13.126.11 2007/08/28 07:19:13 tbox Exp $ */ #include #include diff --git a/lib/bind9/include/Makefile.in b/lib/bind9/include/Makefile.in index 9081d9ecb1b03..89029b73eb989 100644 --- a/lib/bind9/include/Makefile.in +++ b/lib/bind9/include/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001, 2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.1.200.3 2004/03/08 09:04:27 marka Exp $ +# $Id: Makefile.in,v 1.1.200.6 2007/08/28 07:19:13 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind9/include/bind9/Makefile.in b/lib/bind9/include/bind9/Makefile.in index dec298276d3a6..a903eb3d51daf 100644 --- a/lib/bind9/include/bind9/Makefile.in +++ b/lib/bind9/include/bind9/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001, 2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.5.200.4 2004/03/08 09:04:28 marka Exp $ +# $Id: Makefile.in,v 1.5.200.7 2007/08/28 07:19:13 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/bind9/include/bind9/check.h b/lib/bind9/include/bind9/check.h index 09e8b2e1be715..93e671c2af342 100644 --- a/lib/bind9/include/bind9/check.h +++ b/lib/bind9/include/bind9/check.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.h,v 1.1.200.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: check.h,v 1.1.200.9 2007/08/28 07:19:13 tbox Exp $ */ #ifndef BIND9_CHECK_H #define BIND9_CHECK_H 1 diff --git a/lib/bind9/include/bind9/getaddresses.h b/lib/bind9/include/bind9/getaddresses.h index 4a3a5466ea400..b6a616d12a811 100644 --- a/lib/bind9/include/bind9/getaddresses.h +++ b/lib/bind9/include/bind9/getaddresses.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: getaddresses.h,v 1.2.200.3 2004/03/08 09:04:28 marka Exp $ */ +/* $Id: getaddresses.h,v 1.2.200.6 2007/08/28 07:19:13 tbox Exp $ */ #ifndef BIND9_GETADDRESSES_H #define BIND9_GETADDRESSES_H 1 diff --git a/lib/bind9/include/bind9/version.h b/lib/bind9/include/bind9/version.h index a3b812ea8f1cc..42039733408d6 100644 --- a/lib/bind9/include/bind9/version.h +++ b/lib/bind9/include/bind9/version.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.h,v 1.2.208.3 2004/03/08 09:04:28 marka Exp $ */ +/* $Id: version.h,v 1.2.208.6 2007/08/28 07:19:13 tbox Exp $ */ #include diff --git a/lib/bind9/version.c b/lib/bind9/version.c index 5fee2cf4316a8..b227864e4d05b 100644 --- a/lib/bind9/version.c +++ b/lib/bind9/version.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.c,v 1.3.200.4 2004/03/08 09:04:27 marka Exp $ */ +/* $Id: version.c,v 1.3.200.7 2007/08/28 07:19:13 tbox Exp $ */ #include diff --git a/lib/dns/acl.c b/lib/dns/acl.c index e81d5ef338126..28988b5914cc7 100644 --- a/lib/dns/acl.c +++ b/lib/dns/acl.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: acl.c,v 1.23.52.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: acl.c,v 1.23.52.9 2007/08/28 07:19:13 tbox Exp $ */ #include diff --git a/lib/dns/adb.c b/lib/dns/adb.c index 3fe436a2bbb4f..a6c6d8b1de2c3 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: adb.c,v 1.181.2.11.2.26 2006/01/04 23:50:20 marka Exp $ */ +/* $Id: adb.c,v 1.181.2.11.2.34 2008/04/03 06:07:11 tbox Exp $ */ /* * Implementation notes @@ -2976,7 +2976,7 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype) adbname->fetch6_err = FIND_ERR_UNEXPECTED; result = dns_view_find(adb->view, &adbname->name, rdtype, now, - NAME_GLUEOK(adbname), + NAME_GLUEOK(adbname) ? DNS_DBFIND_GLUEOK : 0, ISC_TF(NAME_HINTOK(adbname)), NULL, NULL, fname, &rdataset, NULL); @@ -3459,7 +3459,9 @@ dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa, port = isc_sockaddr_getport(sa); addr = new_adbaddrinfo(adb, entry, port); - if (addr != NULL) { + if (addr == NULL) { + result = ISC_R_NOMEMORY; + } else { inc_entry_refcnt(adb, entry, ISC_FALSE); *addrp = addr; } diff --git a/lib/dns/api b/lib/dns/api index 95b29be1b787d..520c3c3a52d3c 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -1,3 +1,3 @@ -LIBINTERFACE = 23 -LIBREVISION = 0 -LIBAGE = 1 +LIBINTERFACE = 24 +LIBREVISION = 2 +LIBAGE = 2 diff --git a/lib/dns/dbtable.c b/lib/dns/dbtable.c index d027fa3fff9bc..56ef7ebe53e87 100644 --- a/lib/dns/dbtable.c +++ b/lib/dns/dbtable.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -16,7 +16,7 @@ */ /* - * $Id: dbtable.c,v 1.25.12.4 2004/03/09 05:21:08 marka Exp $ + * $Id: dbtable.c,v 1.25.12.7 2007/08/28 07:19:13 tbox Exp $ */ /* diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index 91ef2c5ee0aa3..869fd7bba01c5 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,19 +15,21 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dispatch.c,v 1.101.2.6.2.13 2006/07/19 00:44:04 marka Exp $ */ +/* $Id: dispatch.c,v 1.101.2.6.2.21 2007/08/28 07:19:13 tbox Exp $ */ #include #include +#include +#include #include -#include #include #include #include #include #include +#include #include #include @@ -41,13 +43,22 @@ typedef ISC_LIST(dns_dispentry_t) dns_displist_t; +typedef struct dns_nsid { + isc_uint16_t nsid_state; + isc_uint16_t *nsid_vtable; + isc_uint16_t *nsid_pool; + isc_uint16_t nsid_a1, nsid_a2, nsid_a3; + isc_uint16_t nsid_c1, nsid_c2, nsid_c3; + isc_uint16_t nsid_state2; + isc_boolean_t nsid_usepool; +} dns_nsid_t; + typedef struct dns_qid { unsigned int magic; unsigned int qid_nbuckets; /* hash table size */ unsigned int qid_increment; /* id increment on collision */ isc_mutex_t lock; - isc_lfsr_t qid_lfsr1; /* state generator info */ - isc_lfsr_t qid_lfsr2; /* state generator info */ + dns_nsid_t nsid; dns_displist_t *qid_table; /* the table itself */ } dns_qid_t; @@ -156,7 +167,7 @@ static void destroy_disp(isc_task_t *task, isc_event_t *event); static void udp_recv(isc_task_t *, isc_event_t *); static void tcp_recv(isc_task_t *, isc_event_t *); static void startrecv(dns_dispatch_t *); -static dns_messageid_t dns_randomid(dns_qid_t *); +static dns_messageid_t dns_randomid(dns_nsid_t *); static isc_uint32_t dns_hash(dns_qid_t *, isc_sockaddr_t *, dns_messageid_t); static void free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len); static void *allocate_udp_buffer(dns_dispatch_t *disp); @@ -177,8 +188,12 @@ static isc_result_t dispatch_createudp(dns_dispatchmgr_t *mgr, static isc_boolean_t destroy_mgr_ok(dns_dispatchmgr_t *mgr); static void destroy_mgr(dns_dispatchmgr_t **mgrp); static isc_result_t qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets, - unsigned int increment, dns_qid_t **qidp); + unsigned int increment, isc_boolean_t usepool, + dns_qid_t **qidp); static void qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp); +static isc_uint16_t nsid_next(dns_nsid_t *nsid); +static isc_result_t nsid_init(isc_mem_t *mctx, dns_nsid_t *nsid, isc_boolean_t usepool); +static void nsid_destroy(isc_mem_t *mctx, dns_nsid_t *nsid); #define LVL(x) ISC_LOG_DEBUG(x) @@ -258,38 +273,16 @@ request_log(dns_dispatch_t *disp, dns_dispentry_t *resp, } } -static void -reseed_lfsr(isc_lfsr_t *lfsr, void *arg) -{ - dns_dispatchmgr_t *mgr = arg; - isc_result_t result; - isc_uint32_t val; - - REQUIRE(VALID_DISPATCHMGR(mgr)); - - if (mgr->entropy != NULL) { - result = isc_entropy_getdata(mgr->entropy, &val, sizeof(val), - NULL, 0); - INSIST(result == ISC_R_SUCCESS); - lfsr->count = (val & 0x1f) + 32; - lfsr->state = val; - return; - } - - lfsr->count = (random() & 0x1f) + 32; /* From 32 to 63 states */ - lfsr->state = random(); -} - /* * Return an unpredictable message ID. */ static dns_messageid_t -dns_randomid(dns_qid_t *qid) { +dns_randomid(dns_nsid_t *nsid) { isc_uint32_t id; - id = isc_lfsr_generate32(&qid->qid_lfsr1, &qid->qid_lfsr2); + id = nsid_next(nsid); - return (dns_messageid_t)(id & 0xFFFF); + return ((dns_messageid_t)id); } /* @@ -629,6 +622,9 @@ udp_recv(isc_task_t *task, isc_event_t *ev_in) { goto restart; } + dns_dispatch_hash(&ev->timestamp, sizeof(&ev->timestamp)); + dns_dispatch_hash(ev->region.base, ev->region.length); + /* response */ bucket = dns_hash(qid, &ev->address, id); LOCK(&qid->lock); @@ -863,6 +859,8 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in) { goto restart; } + dns_dispatch_hash(tcpmsg->buffer.base, tcpmsg->buffer.length); + /* * Response. */ @@ -1239,6 +1237,7 @@ dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr, if (isc_mempool_create(mgr->mctx, buffersize, &mgr->bpool) != ISC_R_SUCCESS) { + UNLOCK(&mgr->buffer_lock); return (ISC_R_NOMEMORY); } @@ -1246,7 +1245,7 @@ dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr, isc_mempool_setmaxalloc(mgr->bpool, maxbuffers); isc_mempool_associatelock(mgr->bpool, &mgr->pool_lock); - result = qid_allocate(mgr, buckets, increment, &mgr->qid); + result = qid_allocate(mgr, buckets, increment, ISC_TRUE, &mgr->qid); if (result != ISC_R_SUCCESS) goto cleanup; @@ -1392,7 +1391,7 @@ dispatch_find(dns_dispatchmgr_t *mgr, isc_sockaddr_t *local, static isc_result_t qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets, - unsigned int increment, dns_qid_t **qidp) + unsigned int increment, isc_boolean_t usepool, dns_qid_t **qidp) { dns_qid_t *qid; unsigned int i; @@ -1413,8 +1412,16 @@ qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets, return (ISC_R_NOMEMORY); } + if (nsid_init(mgr->mctx, &qid->nsid, usepool) != ISC_R_SUCCESS) { + isc_mem_put(mgr->mctx, qid->qid_table, + buckets * sizeof(dns_displist_t)); + isc_mem_put(mgr->mctx, qid, sizeof(*qid)); + return (ISC_R_NOMEMORY); + } + if (isc_mutex_init(&qid->lock) != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_mutex_init failed"); + nsid_destroy(mgr->mctx, &qid->nsid); isc_mem_put(mgr->mctx, qid->qid_table, buckets * sizeof(dns_displist_t)); isc_mem_put(mgr->mctx, qid, sizeof(*qid)); @@ -1427,21 +1434,6 @@ qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets, qid->qid_nbuckets = buckets; qid->qid_increment = increment; qid->magic = QID_MAGIC; - - /* - * Initialize to a 32-bit LFSR. Both of these are from Applied - * Cryptography. - * - * lfsr1: - * x^32 + x^7 + x^5 + x^3 + x^2 + x + 1 - * - * lfsr2: - * x^32 + x^7 + x^6 + x^2 + 1 - */ - isc_lfsr_init(&qid->qid_lfsr1, 0, 32, 0x80000057U, - 0, reseed_lfsr, mgr); - isc_lfsr_init(&qid->qid_lfsr2, 0, 32, 0x80000062U, - 0, reseed_lfsr, mgr); *qidp = qid; return (ISC_R_SUCCESS); } @@ -1457,6 +1449,7 @@ qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp) { *qidp = NULL; qid->magic = 0; + nsid_destroy(mctx, &qid->nsid); isc_mem_put(mctx, qid->qid_table, qid->qid_nbuckets * sizeof(dns_displist_t)); DESTROYLOCK(&qid->lock); @@ -1600,7 +1593,7 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock, return (result); } - result = qid_allocate(mgr, buckets, increment, &disp->qid); + result = qid_allocate(mgr, buckets, increment, ISC_FALSE, &disp->qid); if (result != ISC_R_SUCCESS) goto deallocate_dispatch; @@ -1617,8 +1610,10 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock, DNS_EVENT_DISPATCHCONTROL, destroy_disp, disp, sizeof(isc_event_t)); - if (disp->ctlevent == NULL) + if (disp->ctlevent == NULL) { + result = ISC_R_NOMEMORY; goto kill_task; + } isc_task_setname(disp->task, "tcpdispatch", disp); @@ -1799,8 +1794,10 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr, DNS_EVENT_DISPATCHCONTROL, destroy_disp, disp, sizeof(isc_event_t)); - if (disp->ctlevent == NULL) + if (disp->ctlevent == NULL) { + result = ISC_R_NOMEMORY; goto kill_task; + } isc_task_setname(disp->task, "udpdispatch", disp); @@ -1921,7 +1918,7 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest, */ qid = DNS_QID(disp); LOCK(&qid->lock); - id = dns_randomid(qid); + id = dns_randomid(&qid->nsid); bucket = dns_hash(qid, dest, id); ok = ISC_FALSE; for (i = 0; i < 64; i++) { @@ -2264,3 +2261,409 @@ dns_dispatchmgr_dump(dns_dispatchmgr_t *mgr) { } } #endif + +/* + * Allow the user to pick one of two ID randomization algorithms. + * + * The first algorithm is an adaptation of the sequence shuffling + * algorithm discovered by Carter Bays and S. D. Durham [ACM Trans. Math. + * Software 2 (1976), 59-64], as documented as Algorithm B in Chapter + * 3.2.2 in Volume 2 of Knuth's "The Art of Computer Programming". We use + * a randomly selected linear congruential random number generator with a + * modulus of 2^16, whose increment is a randomly picked odd number, and + * whose multiplier is picked from a set which meets the following + * criteria: + * Is of the form 8*n+5, which ensures "high potency" according to + * principle iii in the summary chapter 3.6. This form also has a + * gcd(a-1,m) of 4 which is good according to principle iv. + * + * Is between 0.01 and 0.99 times the modulus as specified by + * principle iv. + * + * Passes the spectral test "with flying colors" (ut >= 1) in + * dimensions 2 through 6 as calculated by Algorithm S in Chapter + * 3.3.4 and the ratings calculated by formula 35 in section E. + * + * Of the multipliers that pass this test, pick the set that is + * best according to the theoretical bounds of the serial + * correlation test. This was calculated using a simplified + * version of Knuth's Theorem K in Chapter 3.3.3. + * + * These criteria may not be important for this use, but we might as well + * pick from the best generators since there are so many possible ones and + * we don't have that many random bits to do the picking. + * + * We use a modulus of 2^16 instead of something bigger so that we will + * tend to cycle through all the possible IDs before repeating any, + * however the shuffling will perturb this somewhat. Theoretically there + * is no minimimum interval between two uses of the same ID, but in + * practice it seems to be >64000. + * + * Our adaptatation of Algorithm B mixes the hash state which has + * captured various random events into the shuffler to perturb the + * sequence. + * + * One disadvantage of this algorithm is that if the generator parameters + * were to be guessed, it would be possible to mount a limited brute force + * attack on the ID space since the IDs are only shuffled within a limited + * range. + * + * The second algorithm uses the same random number generator to populate + * a pool of 65536 IDs. The hash state is used to pick an ID from a window + * of 4096 IDs in this pool, then the chosen ID is swapped with the ID + * at the beginning of the window and the window position is advanced. + * This means that the interval between uses of the ID will be no less + * than 65536-4096. The ID sequence in the pool will become more random + * over time. + * + * For both algorithms, two more linear congruential random number generators + * are selected. The ID from the first part of algorithm is used to seed + * the first of these generators, and its output is used to seed the second. + * The strategy is use these generators as 1 to 1 hashes to obfuscate the + * properties of the generator used in the first part of either algorithm. + * + * The first algorithm may be suitable for use in a client resolver since + * its memory requirements are fairly low and it's pretty random out of + * the box. It is somewhat succeptible to a limited brute force attack, + * so the second algorithm is probably preferable for a longer running + * program that issues a large number of queries and has time to randomize + * the pool. + */ + +#define NSID_SHUFFLE_TABLE_SIZE 100 /* Suggested by Knuth */ +/* + * Pick one of the next 4096 IDs in the pool. + * There is a tradeoff here between randomness and how often and ID is reused. + */ +#define NSID_LOOKAHEAD 4096 /* Must be a power of 2 */ +#define NSID_SHUFFLE_ONLY 1 /* algorithm 1 */ +#define NSID_USE_POOL 2 /* algorithm 2 */ +#define NSID_HASHSHIFT 3 +#define NSID_HASHROTATE(v) \ + (((v) << NSID_HASHSHIFT) | ((v) >> ((sizeof(v) * 8) - NSID_HASHSHIFT))) + +static isc_uint32_t nsid_hash_state; + +/* + * Keep a running hash of various bits of data that we'll use to + * stir the ID pool or perturb the ID generator + */ +static void +nsid_hash(void *data, size_t len) { + unsigned char *p = data; + /* + * Hash function similar to the one we use for hashing names. + * We don't fold case or toss the upper bit here, though. + * This hash doesn't do much interesting when fed binary zeros, + * so there may be a better hash function. + * This function doesn't need to be very strong since we're + * only using it to stir the pool, but it should be reasonably + * fast. + */ + /* + * We don't care about locking access to nsid_hash_state. + * In fact races make the result even more non deteministic. + */ + while (len-- > 0U) { + nsid_hash_state = NSID_HASHROTATE(nsid_hash_state); + nsid_hash_state += *p++; + } +} + +/* + * Table of good linear congruential multipliers for modulus 2^16 + * in order of increasing serial correlation bounds (so trim from + * the end). + */ +static const isc_uint16_t nsid_multiplier_table[] = { + 17565, 25013, 11733, 19877, 23989, 23997, 24997, 25421, + 26781, 27413, 35901, 35917, 35973, 36229, 38317, 38437, + 39941, 40493, 41853, 46317, 50581, 51429, 53453, 53805, + 11317, 11789, 12045, 12413, 14277, 14821, 14917, 18989, + 19821, 23005, 23533, 23573, 23693, 27549, 27709, 28461, + 29365, 35605, 37693, 37757, 38309, 41285, 45261, 47061, + 47269, 48133, 48597, 50277, 50717, 50757, 50805, 51341, + 51413, 51581, 51597, 53445, 11493, 14229, 20365, 20653, + 23485, 25541, 27429, 29421, 30173, 35445, 35653, 36789, + 36797, 37109, 37157, 37669, 38661, 39773, 40397, 41837, + 41877, 45293, 47277, 47845, 49853, 51085, 51349, 54085, + 56933, 8877, 8973, 9885, 11365, 11813, 13581, 13589, + 13613, 14109, 14317, 15765, 15789, 16925, 17069, 17205, + 17621, 17941, 19077, 19381, 20245, 22845, 23733, 24869, + 25453, 27213, 28381, 28965, 29245, 29997, 30733, 30901, + 34877, 35485, 35613, 36133, 36661, 36917, 38597, 40285, + 40693, 41413, 41541, 41637, 42053, 42349, 45245, 45469, + 46493, 48205, 48613, 50861, 51861, 52877, 53933, 54397, + 55669, 56453, 56965, 58021, 7757, 7781, 8333, 9661, + 12229, 14373, 14453, 17549, 18141, 19085, 20773, 23701, + 24205, 24333, 25261, 25317, 27181, 30117, 30477, 34757, + 34885, 35565, 35885, 36541, 37957, 39733, 39813, 41157, + 41893, 42317, 46621, 48117, 48181, 49525, 55261, 55389, + 56845, 7045, 7749, 7965, 8469, 9133, 9549, 9789, + 10173, 11181, 11285, 12253, 13453, 13533, 13757, 14477, + 15053, 16901, 17213, 17269, 17525, 17629, 18605, 19013, + 19829, 19933, 20069, 20093, 23261, 23333, 24949, 25309, + 27613, 28453, 28709, 29301, 29541, 34165, 34413, 37301, + 37773, 38045, 38405, 41077, 41781, 41925, 42717, 44437, + 44525, 44613, 45933, 45941, 47077, 50077, 50893, 52117, + 5293, 55069, 55989, 58125, 59205, 6869, 14685, 15453, + 16821, 17045, 17613, 18437, 21029, 22773, 22909, 25445, + 25757, 26541, 30709, 30909, 31093, 31149, 37069, 37725, + 37925, 38949, 39637, 39701, 40765, 40861, 42965, 44813, + 45077, 45733, 47045, 50093, 52861, 52957, 54181, 56325, + 56365, 56381, 56877, 57013, 5741, 58101, 58669, 8613, + 10045, 10261, 10653, 10733, 11461, 12261, 14069, 15877, + 17757, 21165, 23885, 24701, 26429, 26645, 27925, 28765, + 29197, 30189, 31293, 39781, 39909, 40365, 41229, 41453, + 41653, 42165, 42365, 47421, 48029, 48085, 52773, 5573, + 57037, 57637, 58341, 58357, 58901, 6357, 7789, 9093, + 10125, 10709, 10765, 11957, 12469, 13437, 13509, 14773, + 15437, 15773, 17813, 18829, 19565, 20237, 23461, 23685, + 23725, 23941, 24877, 25461, 26405, 29509, 30285, 35181, + 37229, 37893, 38565, 40293, 44189, 44581, 45701, 47381, + 47589, 48557, 4941, 51069, 5165, 52797, 53149, 5341, + 56301, 56765, 58581, 59493, 59677, 6085, 6349, 8293, + 8501, 8517, 11597, 11709, 12589, 12693, 13517, 14909, + 17397, 18085, 21101, 21269, 22717, 25237, 25661, 29189, + 30101, 31397, 33933, 34213, 34661, 35533, 36493, 37309, + 40037, 4189, 42909, 44309, 44357, 44389, 4541, 45461, + 46445, 48237, 54149, 55301, 55853, 56621, 56717, 56901, + 5813, 58437, 12493, 15365, 15989, 17829, 18229, 19341, + 21013, 21357, 22925, 24885, 26053, 27581, 28221, 28485, + 30605, 30613, 30789, 35437, 36285, 37189, 3941, 41797, + 4269, 42901, 43293, 44645, 45221, 46893, 4893, 50301, + 50325, 5189, 52109, 53517, 54053, 54485, 5525, 55949, + 56973, 59069, 59421, 60733, 61253, 6421, 6701, 6709, + 7101, 8669, 15797, 19221, 19837, 20133, 20957, 21293, + 21461, 22461, 29085, 29861, 30869, 34973, 36469, 37565, + 38125, 38829, 39469, 40061, 40117, 44093, 47429, 48341, + 50597, 51757, 5541, 57629, 58405, 59621, 59693, 59701, + 61837, 7061, 10421, 11949, 15405, 20861, 25397, 25509, + 25893, 26037, 28629, 28869, 29605, 30213, 34205, 35637, + 36365, 37285, 3773, 39117, 4021, 41061, 42653, 44509, + 4461, 44829, 4725, 5125, 52269, 56469, 59085, 5917, + 60973, 8349, 17725, 18637, 19773, 20293, 21453, 22533, + 24285, 26333, 26997, 31501, 34541, 34805, 37509, 38477, + 41333, 44125, 46285, 46997, 47637, 48173, 4925, 50253, + 50381, 50917, 51205, 51325, 52165, 52229, 5253, 5269, + 53509, 56253, 56341, 5821, 58373, 60301, 61653, 61973, + 62373, 8397, 11981, 14341, 14509, 15077, 22261, 22429, + 24261, 28165, 28685, 30661, 34021, 34445, 39149, 3917, + 43013, 43317, 44053, 44101, 4533, 49541, 49981, 5277, + 54477, 56357, 57261, 57765, 58573, 59061, 60197, 61197, + 62189, 7725, 8477, 9565, 10229, 11437, 14613, 14709, + 16813, 20029, 20677, 31445, 3165, 31957, 3229, 33541, + 36645, 3805, 38973, 3965, 4029, 44293, 44557, 46245, + 48917, 4909, 51749, 53709, 55733, 56445, 5925, 6093, + 61053, 62637, 8661, 9109, 10821, 11389, 13813, 14325, + 15501, 16149, 18845, 22669, 26437, 29869, 31837, 33709, + 33973, 34173, 3677, 3877, 3981, 39885, 42117, 4421, + 44221, 44245, 44693, 46157, 47309, 5005, 51461, 52037, + 55333, 55693, 56277, 58949, 6205, 62141, 62469, 6293, + 10101, 12509, 14029, 17997, 20469, 21149, 25221, 27109, + 2773, 2877, 29405, 31493, 31645, 4077, 42005, 42077, + 42469, 42501, 44013, 48653, 49349, 4997, 50101, 55405, + 56957, 58037, 59429, 60749, 61797, 62381, 62837, 6605, + 10541, 23981, 24533, 2701, 27333, 27341, 31197, 33805, + 3621, 37381, 3749, 3829, 38533, 42613, 44381, 45901, + 48517, 51269, 57725, 59461, 60045, 62029, 13805, 14013, + 15461, 16069, 16157, 18573, 2309, 23501, 28645, 3077, + 31541, 36357, 36877, 3789, 39429, 39805, 47685, 47949, + 49413, 5485, 56757, 57549, 57805, 58317, 59549, 62213, + 62613, 62853, 62933, 8909, 12941, 16677, 20333, 21541, + 24429, 26077, 26421, 2885, 31269, 33381, 3661, 40925, + 42925, 45173, 4525, 4709, 53133, 55941, 57413, 57797, + 62125, 62237, 62733, 6773, 12317, 13197, 16533, 16933, + 18245, 2213, 2477, 29757, 33293, 35517, 40133, 40749, + 4661, 49941, 62757, 7853, 8149, 8573, 11029, 13421, + 21549, 22709, 22725, 24629, 2469, 26125, 2669, 34253, + 36709, 41013, 45597, 46637, 52285, 52333, 54685, 59013, + 60997, 61189, 61981, 62605, 62821, 7077, 7525, 8781, + 10861, 15277, 2205, 22077, 28517, 28949, 32109, 33493, + 4661, 49941, 62757, 7853, 8149, 8573, 11029, 13421, + 21549, 22709, 22725, 24629, 2469, 26125, 2669, 34253, + 36709, 41013, 45597, 46637, 52285, 52333, 54685, 59013, + 60997, 61189, 61981, 62605, 62821, 7077, 7525, 8781, + 10861, 15277, 2205, 22077, 28517, 28949, 32109, 33493, + 3685, 39197, 39869, 42621, 44997, 48565, 5221, 57381, + 61749, 62317, 63245, 63381, 23149, 2549, 28661, 31653, + 33885, 36341, 37053, 39517, 42805, 45853, 48997, 59349, + 60053, 62509, 63069, 6525, 1893, 20181, 2365, 24893, + 27397, 31357, 32277, 33357, 34437, 36677, 37661, 43469, + 43917, 50997, 53869, 5653, 13221, 16741, 17893, 2157, + 28653, 31789, 35301, 35821, 61613, 62245, 12405, 14517, + 17453, 18421, 3149, 3205, 40341, 4109, 43941, 46869, + 48837, 50621, 57405, 60509, 62877, 8157, 12933, 12957, + 16501, 19533, 3461, 36829, 52357, 58189, 58293, 63053, + 17109, 1933, 32157, 37701, 59005, 61621, 13029, 15085, + 16493, 32317, 35093, 5061, 51557, 62221, 20765, 24613, + 2629, 30861, 33197, 33749, 35365, 37933, 40317, 48045, + 56229, 61157, 63797, 7917, 17965, 1917, 1973, 20301, + 2253, 33157, 58629, 59861, 61085, 63909, 8141, 9221, + 14757, 1581, 21637, 26557, 33869, 34285, 35733, 40933, + 42517, 43501, 53653, 61885, 63805, 7141, 21653, 54973, + 31189, 60061, 60341, 63357, 16045, 2053, 26069, 33997, + 43901, 54565, 63837, 8949, 17909, 18693, 32349, 33125, + 37293, 48821, 49053, 51309, 64037, 7117, 1445, 20405, + 23085, 26269, 26293, 27349, 32381, 33141, 34525, 36461, + 37581, 43525, 4357, 43877, 5069, 55197, 63965, 9845, + 12093, 2197, 2229, 32165, 33469, 40981, 42397, 8749, + 10853, 1453, 18069, 21693, 30573, 36261, 37421, 42533 +}; + +#define NSID_MULT_TABLE_SIZE \ + ((sizeof nsid_multiplier_table)/(sizeof nsid_multiplier_table[0])) +#define NSID_RANGE_MASK (NSID_LOOKAHEAD - 1) +#define NSID_POOL_MASK 0xFFFF /* used to wrap the pool index */ +#define NSID_SHUFFLE_ONLY 1 +#define NSID_USE_POOL 2 + +static isc_uint16_t +nsid_next(dns_nsid_t *nsid) { + isc_uint16_t id, compressed_hash; + isc_uint16_t j; + + compressed_hash = ((nsid_hash_state >> 16) ^ + (nsid_hash_state)) & 0xFFFF; + + if (nsid->nsid_usepool) { + isc_uint16_t pick; + + pick = compressed_hash & NSID_RANGE_MASK; + pick = (nsid->nsid_state + pick) & NSID_POOL_MASK; + id = nsid->nsid_pool[pick]; + if (pick != 0) { + /* Swap two IDs to stir the pool */ + nsid->nsid_pool[pick] = + nsid->nsid_pool[nsid->nsid_state]; + nsid->nsid_pool[nsid->nsid_state] = id; + } + + /* increment the base pointer into the pool */ + if (nsid->nsid_state == 65535) + nsid->nsid_state = 0; + else + nsid->nsid_state++; + } else { + /* + * This is the original Algorithm B + * j = ((u_long) NSID_SHUFFLE_TABLE_SIZE * nsid_state2) >> 16; + * + * We'll perturb it with some random stuff ... + */ + j = ((isc_uint32_t) NSID_SHUFFLE_TABLE_SIZE * + (nsid->nsid_state2 ^ compressed_hash)) >> 16; + nsid->nsid_state2 = id = nsid->nsid_vtable[j]; + nsid->nsid_state = (((isc_uint32_t) nsid->nsid_a1 * nsid->nsid_state) + + nsid->nsid_c1) & 0xFFFF; + nsid->nsid_vtable[j] = nsid->nsid_state; + } + + /* Now lets obfuscate ... */ + id = (((isc_uint32_t) nsid->nsid_a2 * id) + nsid->nsid_c2) & 0xFFFF; + id = (((isc_uint32_t) nsid->nsid_a3 * id) + nsid->nsid_c3) & 0xFFFF; + + return (id); +} + +static isc_result_t +nsid_init(isc_mem_t *mctx, dns_nsid_t *nsid, isc_boolean_t usepool) { + isc_time_t now; + pid_t mypid; + isc_uint16_t a1ndx, a2ndx, a3ndx, c1ndx, c2ndx, c3ndx; + int i; + + isc_time_now(&now); + mypid = getpid(); + + /* Initialize the state */ + memset(nsid, 0, sizeof(*nsid)); + nsid_hash(&now, sizeof now); + nsid_hash(&mypid, sizeof mypid); + + /* + * Select our random number generators and initial seed. + * We could really use more random bits at this point, + * but we'll try to make a silk purse out of a sows ear ... + */ + /* generator 1 */ + a1ndx = ((isc_uint32_t) NSID_MULT_TABLE_SIZE * + (nsid_hash_state & 0xFFFF)) >> 16; + nsid->nsid_a1 = nsid_multiplier_table[a1ndx]; + c1ndx = (nsid_hash_state >> 9) & 0x7FFF; + nsid->nsid_c1 = 2 * c1ndx + 1; + + /* generator 2, distinct from 1 */ + a2ndx = ((isc_uint32_t) (NSID_MULT_TABLE_SIZE - 1) * + ((nsid_hash_state >> 10) & 0xFFFF)) >> 16; + if (a2ndx >= a1ndx) + a2ndx++; + nsid->nsid_a2 = nsid_multiplier_table[a2ndx]; + c2ndx = nsid_hash_state % 32767; + if (c2ndx >= c1ndx) + c2ndx++; + nsid->nsid_c2 = 2*c2ndx + 1; + + /* generator 3, distinct from 1 and 2 */ + a3ndx = ((isc_uint32_t) (NSID_MULT_TABLE_SIZE - 2) * + ((nsid_hash_state >> 20) & 0xFFFF)) >> 16; + if (a3ndx >= a1ndx || a3ndx >= a2ndx) + a3ndx++; + if (a3ndx >= a1ndx && a3ndx >= a2ndx) + a3ndx++; + nsid->nsid_a3 = nsid_multiplier_table[a3ndx]; + c3ndx = nsid_hash_state % 32766; + if (c3ndx >= c1ndx || c3ndx >= c2ndx) + c3ndx++; + if (c3ndx >= c1ndx && c3ndx >= c2ndx) + c3ndx++; + nsid->nsid_c3 = 2*c3ndx + 1; + + nsid->nsid_state = + ((nsid_hash_state >> 16) ^ (nsid_hash_state)) & 0xFFFF; + + nsid->nsid_usepool = usepool; + if (nsid->nsid_usepool) { + nsid->nsid_pool = isc_mem_get(mctx, 0x10000 * sizeof(isc_uint16_t)); + if (nsid->nsid_pool == NULL) + return (ISC_R_NOMEMORY); + for (i = 0; ; i++) { + nsid->nsid_pool[i] = nsid->nsid_state; + nsid->nsid_state = + (((u_long) nsid->nsid_a1 * nsid->nsid_state) + + nsid->nsid_c1) & 0xFFFF; + if (i == 0xFFFF) + break; + } + } else { + nsid->nsid_vtable = isc_mem_get(mctx, NSID_SHUFFLE_TABLE_SIZE * + (sizeof(isc_uint16_t)) ); + if (nsid->nsid_vtable == NULL) + return (ISC_R_NOMEMORY); + + for (i = 0; i < NSID_SHUFFLE_TABLE_SIZE; i++) { + nsid->nsid_vtable[i] = nsid->nsid_state; + nsid->nsid_state = + (((isc_uint32_t) nsid->nsid_a1 * nsid->nsid_state) + + nsid->nsid_c1) & 0xFFFF; + } + nsid->nsid_state2 = nsid->nsid_state; + } + return (ISC_R_SUCCESS); +} + +static void +nsid_destroy(isc_mem_t *mctx, dns_nsid_t *nsid) { + if (nsid->nsid_usepool) + isc_mem_put(mctx, nsid->nsid_pool, + 0x10000 * sizeof(isc_uint16_t)); + else + isc_mem_put(mctx, nsid->nsid_vtable, + NSID_SHUFFLE_TABLE_SIZE * (sizeof(isc_uint16_t)) ); + memset(nsid, 0, sizeof(*nsid)); +} + +void +dns_dispatch_hash(void *data, size_t len) { + nsid_hash(data, len); +} diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 91f7a99fe983c..65f95212d70ee 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -16,7 +16,7 @@ */ /* - * $Id: dnssec.c,v 1.69.2.5.2.9 2006/01/04 23:50:20 marka Exp $ + * $Id: dnssec.c,v 1.69.2.5.2.13 2007/09/14 05:21:56 marka Exp $ */ @@ -405,16 +405,11 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, */ dns_fixedname_init(&fnewname); labels = dns_name_countlabels(name) - 1; - if (labels - sig.labels > 0) { - dns_name_split(name, sig.labels + 1, NULL, - dns_fixedname_name(&fnewname)); - RUNTIME_CHECK(dns_name_downcase(dns_fixedname_name(&fnewname), - dns_fixedname_name(&fnewname), - NULL) - == ISC_R_SUCCESS); - } - else - dns_name_downcase(name, dns_fixedname_name(&fnewname), NULL); + RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname), + NULL) == ISC_R_SUCCESS); + if (labels - sig.labels > 0) + dns_name_split(dns_fixedname_name(&fnewname), sig.labels + 1, + NULL, dns_fixedname_name(&fnewname)); dns_name_toregion(dns_fixedname_name(&fnewname), &r); @@ -530,6 +525,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, dst_key_t *pubkey = NULL; unsigned int count = 0; + REQUIRE(nkeys != NULL); + REQUIRE(keys != NULL); + *nkeys = 0; dns_rdataset_init(&rdataset); RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0, @@ -539,7 +537,8 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, pubkey = NULL; dns_rdataset_current(&rdataset, &rdata); RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey)); - if (!is_zone_key(pubkey)) + if (!is_zone_key(pubkey) || + (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0) goto next; keys[count] = NULL; result = dst_key_fromfile(dst_key_name(pubkey), @@ -548,17 +547,23 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE, directory, mctx, &keys[count]); - if (result == ISC_R_FILENOTFOUND) + if (result == ISC_R_FILENOTFOUND) { + keys[count] = pubkey; + pubkey = NULL; + count++; goto next; + } if (result != ISC_R_SUCCESS) goto failure; if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) { + /* We should never get here. */ dst_key_free(&keys[count]); goto next; } count++; next: - dst_key_free(&pubkey); + if (pubkey != NULL) + dst_key_free(&pubkey); dns_rdata_reset(&rdata); result = dns_rdataset_next(&rdataset); } @@ -574,6 +579,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, dns_rdataset_disassociate(&rdataset); if (pubkey != NULL) dst_key_free(&pubkey); + if (result != ISC_R_SUCCESS) + while (count > 0) + dst_key_free(&keys[--count]); *nkeys = count; return (result); } diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c index d34aeca9b516a..49f198bcadef2 100644 --- a/lib/dns/dst_parse.c +++ b/lib/dns/dst_parse.c @@ -1,9 +1,9 @@ /* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004, 2008 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2002 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -18,7 +18,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_parse.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $ + * $Id: dst_parse.c,v 1.1.4.3 2008/01/22 23:26:40 tbox Exp $ */ #include @@ -196,6 +196,7 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, REQUIRE(priv != NULL); priv->nelements = 0; + memset(priv->elements, 0, sizeof(priv->elements)); #define NEXTTOKEN(lex, opt, token) \ do { \ @@ -287,7 +288,6 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, goto fail; } - memset(&priv->elements[n], 0, sizeof(dst_private_element_t)); tag = find_value(DST_AS_STR(token), alg); if (tag < 0 || TAG_ALG(tag) != alg) { ret = DST_R_INVALIDPRIVATEKEY; diff --git a/lib/dns/gen-unix.h b/lib/dns/gen-unix.h index bd007c4541f31..cdecafb6ab28d 100644 --- a/lib/dns/gen-unix.h +++ b/lib/dns/gen-unix.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: gen-unix.h,v 1.12.12.5 2005/06/09 23:54:29 marka Exp $ */ +/* $Id: gen-unix.h,v 1.12.12.8 2007/08/28 07:19:13 tbox Exp $ */ /* * This file is responsible for defining two operations that are not diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h index ce4c8b6a8679a..225988e3de0f0 100644 --- a/lib/dns/include/dns/acl.h +++ b/lib/dns/include/dns/acl.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: acl.h,v 1.20.52.5 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: acl.h,v 1.20.52.8 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_ACL_H #define DNS_ACL_H 1 diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h index 4b775c9c14cb7..4ee87a2ef087e 100644 --- a/lib/dns/include/dns/cache.h +++ b/lib/dns/include/dns/cache.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: cache.h,v 1.17.12.5 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: cache.h,v 1.17.12.8 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_CACHE_H #define DNS_CACHE_H 1 diff --git a/lib/dns/include/dns/callbacks.h b/lib/dns/include/dns/callbacks.h index 9c2710a57ceb4..63d675d21f3cb 100644 --- a/lib/dns/include/dns/callbacks.h +++ b/lib/dns/include/dns/callbacks.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: callbacks.h,v 1.15.2.2.8.1 2004/03/06 08:13:51 marka Exp $ */ +/* $Id: callbacks.h,v 1.15.2.2.8.4 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_CALLBACKS_H #define DNS_CALLBACKS_H 1 diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h index 042a4ea51a96b..1b14a5b868a0e 100644 --- a/lib/dns/include/dns/compress.h +++ b/lib/dns/include/dns/compress.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: compress.h,v 1.29.2.2.8.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: compress.h,v 1.29.2.2.8.6 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_COMPRESS_H #define DNS_COMPRESS_H 1 diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h index 8e088823ac2ee..37841342b26d9 100644 --- a/lib/dns/include/dns/db.h +++ b/lib/dns/include/dns/db.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: db.h,v 1.67.12.8 2004/05/14 05:06:41 marka Exp $ */ +/* $Id: db.h,v 1.67.12.11 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_DB_H #define DNS_DB_H 1 @@ -852,7 +852,7 @@ dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp); * * 'source' is a valid node. * - * 'targetp' points to a NULL dns_node_t *. + * 'targetp' points to a NULL dns_dbnode_t *. * * Ensures: * diff --git a/lib/dns/include/dns/diff.h b/lib/dns/include/dns/diff.h index 604f702c118b0..d49496062ecdb 100644 --- a/lib/dns/include/dns/diff.h +++ b/lib/dns/include/dns/diff.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: diff.h,v 1.4.12.3 2004/03/08 09:04:35 marka Exp $ */ +/* $Id: diff.h,v 1.4.12.6 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_DIFF_H #define DNS_DIFF_H 1 diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h index 201a65a60ed43..29dd7f806385a 100644 --- a/lib/dns/include/dns/dispatch.h +++ b/lib/dns/include/dns/dispatch.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dispatch.h,v 1.45.2.2.4.2 2004/03/06 08:13:55 marka Exp $ */ +/* $Id: dispatch.h,v 1.45.2.2.4.5 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_DISPATCH_H #define DNS_DISPATCH_H 1 @@ -437,6 +437,13 @@ dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event); * event != NULL */ +void +dns_dispatch_hash(void *data, size_t len); +/*%< + * Feed 'data' to the dispatch query id generator where 'len' is the size + * of 'data'. + */ + ISC_LANG_ENDDECLS #endif /* DNS_DISPATCH_H */ diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h index 5f86178a84f69..abdf18a44846c 100644 --- a/lib/dns/include/dns/dnssec.h +++ b/lib/dns/include/dns/dnssec.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec.h,v 1.21.12.5 2004/03/08 09:04:35 marka Exp $ */ +/* $Id: dnssec.h,v 1.21.12.8 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_DNSSEC_H #define DNS_DNSSEC_H 1 diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h index 1e66139efb1eb..029f4dbaa664d 100644 --- a/lib/dns/include/dns/events.h +++ b/lib/dns/include/dns/events.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: events.h,v 1.37.2.1.4.4 2004/03/08 09:04:36 marka Exp $ */ +/* $Id: events.h,v 1.37.2.1.4.7 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_EVENTS_H #define DNS_EVENTS_H 1 diff --git a/lib/dns/include/dns/journal.h b/lib/dns/include/dns/journal.h index fdf609404ed4b..b15199eac9713 100644 --- a/lib/dns/include/dns/journal.h +++ b/lib/dns/include/dns/journal.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journal.h,v 1.23.12.3 2004/03/08 09:04:36 marka Exp $ */ +/* $Id: journal.h,v 1.23.12.6 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_JOURNAL_H #define DNS_JOURNAL_H 1 diff --git a/lib/dns/include/dns/lib.h b/lib/dns/include/dns/lib.h index e53dd2b7e0419..92522a0910c90 100644 --- a/lib/dns/include/dns/lib.h +++ b/lib/dns/include/dns/lib.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:36 marka Exp $ */ +/* $Id: lib.h,v 1.6.12.6 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_LIB_H #define DNS_LIB_H 1 diff --git a/lib/dns/include/dns/master.h b/lib/dns/include/dns/master.h index 0b861c6710066..be097d4b7cc50 100644 --- a/lib/dns/include/dns/master.h +++ b/lib/dns/include/dns/master.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: master.h,v 1.31.2.3.2.7 2004/03/08 09:04:36 marka Exp $ */ +/* $Id: master.h,v 1.31.2.3.2.10 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_MASTER_H #define DNS_MASTER_H 1 diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h index 888c588f3b628..e4e6d6fe7a78c 100644 --- a/lib/dns/include/dns/masterdump.h +++ b/lib/dns/include/dns/masterdump.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: masterdump.h,v 1.22.12.10 2005/09/06 02:12:41 marka Exp $ */ +/* $Id: masterdump.h,v 1.22.12.13 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_MASTERDUMP_H #define DNS_MASTERDUMP_H 1 diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h index 6bf6003718990..fc4f21060662f 100644 --- a/lib/dns/include/dns/ncache.h +++ b/lib/dns/include/dns/ncache.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ncache.h,v 1.12.12.5 2004/03/08 09:04:37 marka Exp $ */ +/* $Id: ncache.h,v 1.12.12.8 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_NCACHE_H #define DNS_NCACHE_H 1 diff --git a/lib/dns/include/dns/opcode.h b/lib/dns/include/dns/opcode.h index 4d656b8250eea..85ad6fb8563fb 100644 --- a/lib/dns/include/dns/opcode.h +++ b/lib/dns/include/dns/opcode.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2002, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: opcode.h,v 1.1.200.3 2004/03/08 09:04:37 marka Exp $ */ +/* $Id: opcode.h,v 1.1.200.6 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_OPCODE_H #define DNS_OPCODE_H 1 diff --git a/lib/dns/include/dns/order.h b/lib/dns/include/dns/order.h index e28e3ca6ed43e..fd75e9f1848be 100644 --- a/lib/dns/include/dns/order.h +++ b/lib/dns/include/dns/order.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2002, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: order.h,v 1.2.202.3 2004/03/08 09:04:37 marka Exp $ */ +/* $Id: order.h,v 1.2.202.6 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_ORDER_H #define DNS_ORDER_H 1 diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h index 6f99a7dfb069e..1191751985a2f 100644 --- a/lib/dns/include/dns/rbt.h +++ b/lib/dns/include/dns/rbt.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbt.h,v 1.55.12.6 2004/10/11 05:55:51 marka Exp $ */ +/* $Id: rbt.h,v 1.55.12.9 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_RBT_H #define DNS_RBT_H 1 diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h index a0912db320e6b..0dae8b7e7858c 100644 --- a/lib/dns/include/dns/rdataslab.h +++ b/lib/dns/include/dns/rdataslab.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataslab.h,v 1.20.2.2.2.4 2004/03/08 09:04:39 marka Exp $ */ +/* $Id: rdataslab.h,v 1.20.2.2.2.7 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_RDATASLAB_H #define DNS_RDATASLAB_H 1 diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h index b3e7bcd7c2227..ce238c691474a 100644 --- a/lib/dns/include/dns/request.h +++ b/lib/dns/include/dns/request.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: request.h,v 1.17.12.5 2004/03/08 09:04:39 marka Exp $ */ +/* $Id: request.h,v 1.17.12.8 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_REQUEST_H #define DNS_REQUEST_H 1 diff --git a/lib/dns/include/dns/sdb.h b/lib/dns/include/dns/sdb.h index 5fdeace147b9b..af44f5a48fabb 100644 --- a/lib/dns/include/dns/sdb.h +++ b/lib/dns/include/dns/sdb.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdb.h,v 1.12.12.3 2004/03/08 09:04:39 marka Exp $ */ +/* $Id: sdb.h,v 1.12.12.6 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_SDB_H #define DNS_SDB_H 1 diff --git a/lib/dns/include/dns/time.h b/lib/dns/include/dns/time.h index 0b82443a68a23..bb0ca605d7722 100644 --- a/lib/dns/include/dns/time.h +++ b/lib/dns/include/dns/time.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: time.h,v 1.9.12.3 2004/03/08 09:04:39 marka Exp $ */ +/* $Id: time.h,v 1.9.12.6 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_TIME_H #define DNS_TIME_H 1 diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h index 7b5b4585b643a..140b040ce7b79 100644 --- a/lib/dns/include/dns/tsig.h +++ b/lib/dns/include/dns/tsig.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tsig.h,v 1.40.2.2.8.3 2004/03/08 09:04:39 marka Exp $ */ +/* $Id: tsig.h,v 1.40.2.2.8.6 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_TSIG_H #define DNS_TSIG_H 1 diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h index a0d6acb68c0d9..bf7a7ab13b594 100644 --- a/lib/dns/include/dns/validator.h +++ b/lib/dns/include/dns/validator.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.h,v 1.18.12.11.6.1 2007/01/11 04:51:39 marka Exp $ */ +/* $Id: validator.h,v 1.18.12.15 2007/09/19 03:41:33 marka Exp $ */ #ifndef DNS_VALIDATOR_H #define DNS_VALIDATOR_H 1 @@ -81,11 +81,24 @@ typedef struct dns_validatorevent { ISC_EVENT_COMMON(struct dns_validatorevent); dns_validator_t * validator; isc_result_t result; + /* + * Name and type of the response to be validated. + */ dns_name_t * name; dns_rdatatype_t type; + /* + * Rdata and RRSIG (if any) for positive responses. + */ dns_rdataset_t * rdataset; dns_rdataset_t * sigrdataset; + /* + * The full response. Required for negative responses. + * Also required for positive wildcard responses. + */ dns_message_t * message; + /* + * Proofs to be cached. + */ dns_name_t * proofs[3]; } dns_validatorevent_t; diff --git a/lib/dns/include/dns/version.h b/lib/dns/include/dns/version.h index 28c83be195681..99e7a740d6e1d 100644 --- a/lib/dns/include/dns/version.h +++ b/lib/dns/include/dns/version.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.h,v 1.2.224.3 2004/03/08 09:04:40 marka Exp $ */ +/* $Id: version.h,v 1.2.224.6 2007/08/28 07:19:14 tbox Exp $ */ #include diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h index fb435905cd463..dd5b20461be40 100644 --- a/lib/dns/include/dns/zt.h +++ b/lib/dns/include/dns/zt.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zt.h,v 1.27.2.2.8.1 2004/03/06 08:14:01 marka Exp $ */ +/* $Id: zt.h,v 1.27.2.2.8.4 2007/08/28 07:19:14 tbox Exp $ */ #ifndef DNS_ZT_H #define DNS_ZT_H 1 diff --git a/lib/dns/journal.c b/lib/dns/journal.c index 536416d931a14..b7e81f7ccec79 100644 --- a/lib/dns/journal.c +++ b/lib/dns/journal.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,18 +15,20 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journal.c,v 1.77.2.1.10.13 2005/11/03 23:08:41 marka Exp $ */ +/* $Id: journal.c,v 1.77.2.1.10.22 2007/09/07 05:25:37 marka Exp $ */ #include #include #include +#include #include #include #include #include #include +#include #include #include @@ -674,7 +676,23 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write, isc_result_t dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write, dns_journal_t **journalp) { - return (journal_open(mctx, filename, write, write, journalp)); + isc_result_t result; + int namelen; + char backup[1024]; + size_t n; + + result = journal_open(mctx, filename, write, write, journalp); + if (result == ISC_R_NOTFOUND) { + namelen = strlen(filename); + if (namelen > 4 && strcmp(filename + namelen - 4, ".jnl") == 0) + namelen -= 4; + + n = snprintf(backup, sizeof(backup), "%.*s.jbk", namelen, filename); + if (sizeof(backup) <= n) + return (ISC_R_NOSPACE); + result = journal_open(mctx, backup, write, write, journalp); + } + return (result); } /* @@ -1616,6 +1634,8 @@ read_one_rr(dns_journal_t *j) { /* * Parse the rdata. */ + if (isc_buffer_remaininglength(&j->it.source) != rdlen) + FAIL(DNS_R_FORMERR); isc_buffer_setactive(&j->it.source, rdlen); dns_rdata_reset(&j->it.rdata); CHECK(dns_rdata_fromwire(&j->it.rdata, rdclass, @@ -1931,15 +1951,38 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial, journal_pos_t best_guess; journal_pos_t current_pos; dns_journal_t *j = NULL; + dns_journal_t *new = NULL; journal_rawheader_t rawheader; unsigned int copy_length; - unsigned int len; + int namelen; char *buf = NULL; unsigned int size = 0; isc_result_t result; unsigned int indexend; + char newname[1024]; + char backup[1024]; + isc_boolean_t is_backup = ISC_FALSE; + size_t n; + + namelen = strlen(filename); + if (namelen > 4 && strcmp(filename + namelen - 4, ".jnl") == 0) + namelen -= 4; - CHECK(journal_open(mctx, filename, ISC_TRUE, ISC_FALSE, &j)); + n = snprintf(newname, sizeof(newname), "%.*s.jnw", namelen, filename); + if (sizeof(newname) <= n) + return (ISC_R_NOSPACE); + + n = snprintf(backup, sizeof(backup), "%.*s.jbk", namelen, filename); + if (sizeof(newname) <= n) + return (ISC_R_NOSPACE); + + result = journal_open(mctx, filename, ISC_FALSE, ISC_FALSE, &j); + if (result == ISC_R_NOTFOUND) { + is_backup = ISC_TRUE; + result = journal_open(mctx, backup, ISC_FALSE, ISC_FALSE, &j); + } + if (result != ISC_R_SUCCESS) + return (result); if (JOURNAL_EMPTY(&j->header)) { dns_journal_destroy(&j); @@ -1967,6 +2010,8 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial, dns_journal_destroy(&j); return (ISC_R_SUCCESS); } + + CHECK(journal_open(mctx, newname, ISC_TRUE, ISC_TRUE, &new)); /* * Remove overhead so space test below can succeed. @@ -2007,47 +2052,12 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial, CHECK(journal_next(j, &best_guess)); /* - * Enough space to proceed? + * We should now be roughly half target_size provided + * we did not reach 'serial'. If not we will just copy + * all uncommitted deltas regardless of the size. */ - if ((isc_uint32_t) (j->header.end.offset - best_guess.offset) > - (isc_uint32_t) (best_guess.offset - indexend)) { - dns_journal_destroy(&j); - return (ISC_R_NOSPACE); - } - copy_length = j->header.end.offset - best_guess.offset; - /* - * Invalidate entire index, will be rebuilt at end. - */ - for (i = 0; i < j->header.index_size; i++) { - if (POS_VALID(j->index[i])) - POS_INVALIDATE(j->index[i]); - } - - /* - * Convert the index into on-disk format and write - * it to disk. - */ - CHECK(index_to_disk(j)); - CHECK(journal_fsync(j)); - - /* - * Update the journal header. - */ - if (copy_length == 0) { - j->header.begin.serial = 0; - j->header.end.serial = 0; - j->header.begin.offset = 0; - j->header.end.offset = 0; - } else { - j->header.begin = best_guess; - } - journal_header_encode(&j->header, &rawheader); - CHECK(journal_seek(j, 0)); - CHECK(journal_write(j, &rawheader, sizeof(rawheader))); - CHECK(journal_fsync(j)); - if (copy_length != 0) { /* * Copy best_guess to end into space just freed. @@ -2061,56 +2071,90 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial, goto failure; } + CHECK(journal_seek(j, best_guess.offset)); + CHECK(journal_seek(new, indexend)); for (i = 0; i < copy_length; i += size) { - len = (copy_length - i) > size ? size : + unsigned int len = (copy_length - i) > size ? size : (copy_length - i); - CHECK(journal_seek(j, best_guess.offset + i)); CHECK(journal_read(j, buf, len)); - CHECK(journal_seek(j, indexend + i)); - CHECK(journal_write(j, buf, len)); + CHECK(journal_write(new, buf, len)); } - CHECK(journal_fsync(j)); + CHECK(journal_fsync(new)); /* * Compute new header. */ - j->header.begin.offset = indexend; - j->header.end.offset = indexend + copy_length; + new->header.begin.serial = best_guess.serial; + new->header.begin.offset = indexend; + new->header.end.serial = j->header.end.serial; + new->header.end.offset = indexend + copy_length; + /* * Update the journal header. */ - journal_header_encode(&j->header, &rawheader); - CHECK(journal_seek(j, 0)); - CHECK(journal_write(j, &rawheader, sizeof(rawheader))); - CHECK(journal_fsync(j)); + journal_header_encode(&new->header, &rawheader); + CHECK(journal_seek(new, 0)); + CHECK(journal_write(new, &rawheader, sizeof(rawheader))); + CHECK(journal_fsync(new)); /* * Build new index. */ - current_pos = j->header.begin; - while (current_pos.serial != j->header.end.serial) { - index_add(j, ¤t_pos); - CHECK(journal_next(j, ¤t_pos)); + current_pos = new->header.begin; + while (current_pos.serial != new->header.end.serial) { + index_add(new, ¤t_pos); + CHECK(journal_next(new, ¤t_pos)); } /* * Write index. */ - CHECK(index_to_disk(j)); - CHECK(journal_fsync(j)); + CHECK(index_to_disk(new)); + CHECK(journal_fsync(new)); - indexend = j->header.end.offset; + indexend = new->header.end.offset; } + dns_journal_destroy(&new); + + /* + * With a UFS file system this should just succeed and be atomic. + * Any IXFR outs will just continue and the old journal will be + * removed on final close. + * + * With MSDOS / NTFS we need to do a two stage rename triggered + * bu EEXISTS. Hopefully all IXFR's that were active at the last + * rename are now complete. + */ + if (rename(newname, filename) == -1) { + if (errno == EACCES && !is_backup) { + result = isc_file_remove(backup); + if (result != ISC_R_SUCCESS && + result != ISC_R_FILENOTFOUND) + goto failure; + if (rename(filename, backup) == -1) + goto maperrno; + if (rename(newname, filename) == -1) + goto maperrno; + (void)isc_file_remove(backup); + } else { + maperrno: + result = ISC_R_FAILURE; + goto failure; + } + } + dns_journal_destroy(&j); - (void)isc_file_truncate(filename, (isc_offset_t)indexend); result = ISC_R_SUCCESS; failure: + (void)isc_file_remove(newname); if (buf != NULL) isc_mem_put(mctx, buf, size); if (j != NULL) dns_journal_destroy(&j); + if (new != NULL) + dns_journal_destroy(&new); return (result); } diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c index 7f3e3cff2bc60..fccc238685142 100644 --- a/lib/dns/keytable.c +++ b/lib/dns/keytable.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: keytable.c,v 1.26.12.5 2006/01/06 00:01:42 marka Exp $ */ +/* $Id: keytable.c,v 1.26.12.8 2007/08/28 07:19:13 tbox Exp $ */ #include diff --git a/lib/dns/lib.c b/lib/dns/lib.c index 44490675a8e5a..fa675c4b33b3a 100644 --- a/lib/dns/lib.c +++ b/lib/dns/lib.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lib.c,v 1.9.12.3 2004/03/08 09:04:30 marka Exp $ */ +/* $Id: lib.c,v 1.9.12.6 2007/08/28 07:19:13 tbox Exp $ */ #include diff --git a/lib/dns/lookup.c b/lib/dns/lookup.c index 1cf572145dbb5..19985b3987278 100644 --- a/lib/dns/lookup.c +++ b/lib/dns/lookup.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lookup.c,v 1.9.12.7 2006/01/04 23:50:20 marka Exp $ */ +/* $Id: lookup.c,v 1.9.12.10 2007/08/28 07:19:13 tbox Exp $ */ #include @@ -179,7 +179,7 @@ static void lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) { isc_result_t result; isc_boolean_t want_restart; - isc_boolean_t send_event = ISC_FALSE; + isc_boolean_t send_event; dns_name_t *name, *fname, *prefix; dns_fixedname_t foundname, fixed; dns_rdata_t rdata = DNS_RDATA_INIT; @@ -199,6 +199,7 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) { do { lookup->restarts++; want_restart = ISC_FALSE; + send_event = ISC_TRUE; if (event == NULL && !lookup->canceled) { dns_fixedname_init(&foundname); @@ -206,6 +207,15 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) { INSIST(!dns_rdataset_isassociated(&lookup->rdataset)); INSIST(!dns_rdataset_isassociated (&lookup->sigrdataset)); + /* + * If we have restarted then clear the old node. */ + if (lookup->event->node != NULL) { + INSIST(lookup->event->db != NULL); + dns_db_detachnode(lookup->event->db, + &lookup->event->node); + } + if (lookup->event->db != NULL) + dns_db_detach(&lookup->event->db); result = view_find(lookup, fname); if (result == ISC_R_NOTFOUND) { /* @@ -220,8 +230,8 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) { if (lookup->event->db != NULL) dns_db_detach(&lookup->event->db); result = start_fetch(lookup); - if (result != ISC_R_SUCCESS) - send_event = ISC_TRUE; + if (result == ISC_R_SUCCESS) + send_event = ISC_FALSE; goto done; } } else if (event != NULL) { @@ -242,7 +252,6 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) { switch (result) { case ISC_R_SUCCESS: result = build_event(lookup); - send_event = ISC_TRUE; if (event == NULL) break; if (event->db != NULL) @@ -267,8 +276,10 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) { break; result = dns_name_copy(&cname.cname, name, NULL); dns_rdata_freestruct(&cname); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { want_restart = ISC_TRUE; + send_event = ISC_FALSE; + } break; case DNS_R_DNAME: namereln = dns_name_fullcompare(name, fname, &order, @@ -294,8 +305,10 @@ lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) { result = dns_name_concatenate(prefix, &dname.dname, name, NULL); dns_rdata_freestruct(&dname); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { want_restart = ISC_TRUE; + send_event = ISC_FALSE; + } break; default: send_event = ISC_TRUE; @@ -366,7 +379,6 @@ levent_destroy(isc_event_t *event) { isc_mem_put(mctx, event, event->ev_size); } - isc_result_t dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type, dns_view_t *view, unsigned int options, isc_task_t *task, diff --git a/lib/dns/master.c b/lib/dns/master.c index 7a2dab3adef29..be1c5fad5ab54 100644 --- a/lib/dns/master.c +++ b/lib/dns/master.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: master.c,v 1.122.2.8.2.14 2004/05/05 01:32:16 marka Exp $ */ +/* $Id: master.c,v 1.122.2.8.2.25 2008/01/24 13:06:47 marka Exp $ */ #include @@ -246,7 +246,8 @@ loadctx_destroy(dns_loadctx_t *lctx); #define MANYERRS(lctx, result) \ ((result != ISC_R_SUCCESS) && \ - ((lctx)->options & DNS_MASTER_MANYERRORS) != 0) + (result != ISC_R_IOERROR) && \ + ((lctx)->options & DNS_MASTER_MANYERRORS) != 0) #define SETRESULT(lctx, r) \ do { \ @@ -497,7 +498,7 @@ loadctx_create(isc_mem_t *mctx, unsigned int options, dns_name_t *top, lctx->inc = NULL; result = incctx_create(mctx, origin, &lctx->inc); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) goto cleanup_ctx; if (lex != NULL) { @@ -836,7 +837,7 @@ check_ns(dns_loadctx_t *lctx, isc_token_t *token, const char *source, callback = lctx->callbacks->error; else callback = lctx->callbacks->warn; - + if (token->type == isc_tokentype_string) { struct in_addr addr; struct in6_addr addr6; @@ -1117,6 +1118,7 @@ load(dns_loadctx_t *lctx) { isc_mem_free(mctx, gtype); if (rhs != NULL) isc_mem_free(mctx, rhs); + range = lhs = gtype = rhs = NULL; /* RANGE */ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE); range = isc_mem_strdup(mctx, @@ -1137,7 +1139,7 @@ load(dns_loadctx_t *lctx) { /* CLASS? */ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE); if (dns_rdataclass_fromtext(&rdclass, - &token.value.as_textregion) + &token.value.as_textregion) == ISC_R_SUCCESS) { GETTOKEN(lctx->lex, 0, &token, ISC_FALSE); @@ -1321,7 +1323,7 @@ load(dns_loadctx_t *lctx) { target_save = target; ictx->glue = new_name; ictx->glue_in_use = new_in_use; - ictx->in_use[ictx->glue_in_use] = + ictx->in_use[ictx->glue_in_use] = ISC_TRUE; } else { result = commit(callbacks, lctx, @@ -1367,7 +1369,7 @@ load(dns_loadctx_t *lctx) { } else { UNEXPECTED_ERROR(__FILE__, __LINE__, "%s:%lu: isc_lex_gettoken() returned " - "unexpeced token type (%d)", + "unexpected token type (%d)", source, line, token.type); result = ISC_R_UNEXPECTED; if (MANYERRS(lctx, result)) { @@ -1581,7 +1583,7 @@ load(dns_loadctx_t *lctx) { dns_name_format(name, namebuf, sizeof(namebuf)); result = DNS_R_BADOWNERNAME; desc = dns_result_totext(result); - if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0) { + if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0) { (*callbacks->error)(callbacks, "%s:%lu: %s: %s", source, line, @@ -1631,9 +1633,9 @@ load(dns_loadctx_t *lctx) { dns_name_format(ictx->current, namebuf, sizeof(namebuf)); (*callbacks->error)(callbacks, - "%s:%lu: SOA " - "record not at top of zone (%s)", - source, line, namebuf); + "%s:%lu: SOA " + "record not at top of zone (%s)", + source, line, namebuf); result = DNS_R_NOTZONETOP; if (MANYERRS(lctx, result)) { SETRESULT(lctx, result); @@ -1693,7 +1695,9 @@ load(dns_loadctx_t *lctx) { if (type == dns_rdatatype_rrsig && lctx->warn_sigexpired) { dns_rdata_rrsig_t sig; - (void)dns_rdata_tostruct(&rdata[rdcount], &sig, NULL); + result = dns_rdata_tostruct(&rdata[rdcount], &sig, + NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); if (isc_serial_lt(sig.timeexpire, now)) { (*callbacks->warn)(callbacks, "%s:%lu: " @@ -1705,7 +1709,7 @@ load(dns_loadctx_t *lctx) { if ((type == dns_rdatatype_sig || type == dns_rdatatype_nxt) && lctx->warn_tcr && (lctx->options & DNS_MASTER_ZONE) != 0 && - (lctx->options & DNS_MASTER_SLAVE) == 0) { + (lctx->options & DNS_MASTER_SLAVE) == 0) { (*callbacks->warn)(callbacks, "%s:%lu: old style DNSSEC " " zone detected", source, line); lctx->warn_tcr = ISC_FALSE; @@ -1763,7 +1767,7 @@ load(dns_loadctx_t *lctx) { ISC_LIST_INITANDPREPEND(glue_list, this, link); else ISC_LIST_INITANDPREPEND(current_list, this, - link); + link); } else if (this->ttl != lctx->ttl) { (*callbacks->warn)(callbacks, "%s:%lu: " @@ -1773,7 +1777,7 @@ load(dns_loadctx_t *lctx) { } ISC_LIST_APPEND(this->rdata, &rdata[rdcount], link); - if (ictx->glue != NULL) + if (ictx->glue != NULL) ictx->glue_line = line; else ictx->current_line = line; @@ -1914,8 +1918,7 @@ dns_master_loadfile(const char *master_file, dns_name_t *top, INSIST(result != DNS_R_CONTINUE); cleanup: - if (lctx != NULL) - dns_loadctx_detach(&lctx); + dns_loadctx_detach(&lctx); return (result); } @@ -1928,7 +1931,7 @@ dns_master_loadfileinc(const char *master_file, dns_name_t *top, { dns_loadctx_t *lctx = NULL; isc_result_t result; - + REQUIRE(task != NULL); REQUIRE(done != NULL); @@ -1948,8 +1951,7 @@ dns_master_loadfileinc(const char *master_file, dns_name_t *top, } cleanup: - if (lctx != NULL) - dns_loadctx_detach(&lctx); + dns_loadctx_detach(&lctx); return (result); } @@ -2040,8 +2042,7 @@ dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top, INSIST(result != DNS_R_CONTINUE); cleanup: - if (lctx != NULL) - dns_loadctx_detach(&lctx); + dns_loadctx_detach(&lctx); return (result); } @@ -2076,8 +2077,7 @@ dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top, } cleanup: - if (lctx != NULL) - dns_loadctx_detach(&lctx); + dns_loadctx_detach(&lctx); return (result); } diff --git a/lib/dns/message.c b/lib/dns/message.c index 33875433f6aa0..e16bb385af1f1 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: message.c,v 1.194.2.10.2.24 2006/02/28 06:32:54 marka Exp $ */ +/* $Id: message.c,v 1.194.2.10.2.28 2007/08/28 07:19:13 tbox Exp $ */ /*** *** Imports @@ -1306,6 +1306,11 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, rdata->type = rdtype; rdata->flags = DNS_RDATA_UPDATE; result = ISC_R_SUCCESS; + } else if (rdclass == dns_rdataclass_none && + msg->opcode == dns_opcode_update && + sectionid == DNS_SECTION_UPDATE) { + result = getrdata(source, msg, dctx, msg->rdclass, + rdtype, rdatalen, rdata); } else result = getrdata(source, msg, dctx, rdclass, rdtype, rdatalen, rdata); @@ -2993,8 +2998,7 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section, ADD_STRING(target, ";; "); if (msg->opcode != dns_opcode_update) { ADD_STRING(target, sectiontext[section]); - } - else { + } else { ADD_STRING(target, updsectiontext[section]); } ADD_STRING(target, " SECTION:\n"); @@ -3116,7 +3120,12 @@ dns_message_totext(dns_message_t *msg, const dns_master_style_t *style, ADD_STRING(target, ";; ->>HEADER<<- opcode: "); ADD_STRING(target, opcodetext[msg->opcode]); ADD_STRING(target, ", status: "); - ADD_STRING(target, rcodetext[msg->rcode]); + if (msg->rcode < (sizeof(rcodetext)/sizeof(rcodetext[0]))) { + ADD_STRING(target, rcodetext[msg->rcode]); + } else { + snprintf(buf, sizeof(buf), "%4u", msg->rcode); + ADD_STRING(target, buf); + } ADD_STRING(target, ", id: "); snprintf(buf, sizeof(buf), "%6u", msg->id); ADD_STRING(target, buf); diff --git a/lib/dns/name.c b/lib/dns/name.c index 1a257de8e1338..b391ee3a92ac1 100644 --- a/lib/dns/name.c +++ b/lib/dns/name.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: name.c,v 1.127.2.7.2.16 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: name.c,v 1.127.2.7.2.17 2006/12/07 07:02:45 marka Exp $ */ #include @@ -1573,7 +1573,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source, { unsigned char *cdata, *ndata; unsigned int cused; /* Bytes of compressed name data used */ - unsigned int hops, nused, labels, n, nmax; + unsigned int nused, labels, n, nmax; unsigned int current, new_current, biggest_pointer; isc_boolean_t done; fw_state state = fw_start; @@ -1581,10 +1581,12 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source, unsigned char *offsets; dns_offsets_t odata; isc_boolean_t downcase; + isc_boolean_t seen_pointer; /* * Copy the possibly-compressed name at source into target, - * decompressing it. + * decompressing it. Loop prevention is performed by checking + * the new pointer against biggest_pointer. */ REQUIRE(VALID_NAME(name)); @@ -1618,11 +1620,11 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source, * Set up. */ labels = 0; - hops = 0; done = ISC_FALSE; ndata = isc_buffer_used(target); nused = 0; + seen_pointer = ISC_FALSE; /* * Find the maximum number of uncompressed target name @@ -1648,7 +1650,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source, while (current < source->active && !done) { c = *cdata++; current++; - if (hops == 0) + if (!seen_pointer) cused++; switch (state) { @@ -1704,11 +1706,8 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source, return (DNS_R_BADPOINTER); biggest_pointer = new_current; current = new_current; - cdata = (unsigned char *)source->base + - current; - hops++; - if (hops > DNS_POINTER_MAXHOPS) - return (DNS_R_TOOMANYHOPS); + cdata = (unsigned char *)source->base + current; + seen_pointer = ISC_TRUE; state = fw_start; break; default: @@ -1744,7 +1743,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source, * big enough buffer. */ return (ISC_R_NOSPACE); - } isc_result_t diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index 525905c188283..329d83ace4ca2 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -1,9 +1,9 @@ /* - * Portions Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -18,7 +18,7 @@ /* * Principal Author: Brian Wellington - * $Id: openssl_link.c,v 1.1.4.3 2006/05/23 23:51:03 marka Exp $ + * $Id: openssl_link.c,v 1.1.4.6 2007/08/28 07:19:13 tbox Exp $ */ #ifdef OPENSSL @@ -171,6 +171,7 @@ dst__openssl_init() { mem_free(rm); #endif cleanup_mutexinit: + CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); cleanup_mutexalloc: mem_free(locks); @@ -186,12 +187,13 @@ dst__openssl_destroy() { e = NULL; } #endif + if (rm != NULL) + mem_free(rm); if (locks != NULL) { + CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); mem_free(locks); } - if (rm != NULL) - mem_free(rm); } isc_result_t diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index 74ba39af3612d..1138855db57a9 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -1,9 +1,9 @@ /* - * Portions Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2002 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -18,7 +18,7 @@ /* * Principal Author: Brian Wellington - * $Id: openssldh_link.c,v 1.1.4.3 2006/03/02 00:37:20 marka Exp $ + * $Id: openssldh_link.c,v 1.1.4.7 2007/08/28 07:19:13 tbox Exp $ */ #ifdef OPENSSL @@ -138,81 +138,11 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { return (ISC_TRUE); } -#ifndef HAVE_DH_GENERATE_PARAMETERS -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -static DH * -DH_generate_parameters(int prime_len, int generator, - void (*callback)(int,int,void *), void *cb_arg) -{ - BN_GENCB cb; - DH *dh = NULL; - - dh = DH_new(); - if (dh != NULL) { - BN_GENCB_set_old(&cb, callback, cb_arg); - - if (DH_generate_parameters_ex(dh, prime_len, generator, &cb)) - return (dh); - DH_free(dh); - } - return (NULL); -} -#endif - static isc_result_t openssldh_generate(dst_key_t *key, int generator) { +#if OPENSSL_VERSION_NUMBER > 0x00908000L + BN_GENCB cb; +#endif DH *dh = NULL; if (generator == 0) { @@ -235,9 +165,24 @@ openssldh_generate(dst_key_t *key, int generator) { generator = 2; } - if (generator != 0) + if (generator != 0) { +#if OPENSSL_VERSION_NUMBER > 0x00908000L + dh = DH_new(); + if (dh == NULL) + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + + BN_GENCB_set_old(&cb, NULL, NULL); + + if (!DH_generate_parameters_ex(dh, key->key_size, generator, + &cb)) { + DH_free(dh); + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +#else dh = DH_generate_parameters(key->key_size, generator, NULL, NULL); +#endif + } if (dh == NULL) return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c index 267bfe8d13988..df731e45a47df 100644 --- a/lib/dns/openssldsa_link.c +++ b/lib/dns/openssldsa_link.c @@ -1,9 +1,9 @@ /* - * Portions Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2002 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -16,7 +16,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: openssldsa_link.c,v 1.1.4.3 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: openssldsa_link.c,v 1.1.4.7 2007/08/28 07:19:13 tbox Exp $ */ #ifdef OPENSSL @@ -169,85 +169,11 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) { return (ISC_TRUE); } -#ifndef HAVE_DSA_GENERATE_PARAMETERS -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -static DSA * -DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, - int *counter_ret, unsigned long *h_ret, - void (*callback)(int, int, void *), - void *cb_arg) -{ - BN_GENCB cb; - DSA *dsa; - - dsa = DSA_new(); - if (dsa != NULL) { - - BN_GENCB_set_old(&cb, callback, cb_arg); - - if (DSA_generate_parameters_ex(dsa, bits, seed_in, seed_len, - counter_ret, h_ret, &cb)) - return (dsa); - DSA_free(dsa); - } - return (NULL); -} -#endif - static isc_result_t openssldsa_generate(dst_key_t *key, int unused) { +#if OPENSSL_VERSION_NUMBER > 0x00908000L + BN_GENCB cb; +#endif DSA *dsa; unsigned char rand_array[ISC_SHA1_DIGESTLENGTH]; isc_result_t result; @@ -259,12 +185,27 @@ openssldsa_generate(dst_key_t *key, int unused) { if (result != ISC_R_SUCCESS) return (result); +#if OPENSSL_VERSION_NUMBER > 0x00908000L + dsa = DSA_new(); + if (dsa == NULL) + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + + BN_GENCB_set_old(&cb, NULL, NULL); + + if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array, + ISC_SHA1_DIGESTLENGTH, NULL, NULL, + &cb)) + { + DSA_free(dsa); + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +#else dsa = DSA_generate_parameters(key->key_size, rand_array, ISC_SHA1_DIGESTLENGTH, NULL, NULL, NULL, NULL); - if (dsa == NULL) return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +#endif if (DSA_generate_key(dsa) == 0) { DSA_free(dsa); diff --git a/lib/dns/order.c b/lib/dns/order.c index f09afedf6d612..1d3950ecbc064 100644 --- a/lib/dns/order.c +++ b/lib/dns/order.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2002, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: order.c,v 1.4.202.4 2004/03/08 09:04:30 marka Exp $ */ +/* $Id: order.c,v 1.4.202.7 2007/08/28 07:19:13 tbox Exp $ */ #include diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c index ecff783724b2c..46c317d262bce 100644 --- a/lib/dns/rbt.c +++ b/lib/dns/rbt.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbt.c,v 1.115.2.2.2.13 2005/06/18 01:03:24 marka Exp $ */ +/* $Id: rbt.c,v 1.115.2.2.2.17 2008/04/03 00:17:07 each Exp $ */ /* Principal Authors: DCL */ @@ -201,7 +201,7 @@ static inline void rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp); static void -dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order, +dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order, dns_rbtnode_t **rootp); static void @@ -225,7 +225,7 @@ dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *), isc_result_t result; #endif dns_rbt_t *rbt; - + REQUIRE(mctx != NULL); REQUIRE(rbtp != NULL && *rbtp == NULL); @@ -574,7 +574,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) { rbt->nodecount++; dns_name_getlabelsequence(name, nlabels - hlabels, - hlabels, new_name); + hlabels, new_name); hash_node(rbt, new_current, new_name); if (common_labels == @@ -770,7 +770,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname, dns_name_init(&hash_name, NULL); hashagain: - /* + /* * Hash includes tail. */ dns_name_getlabelsequence(name, @@ -830,7 +830,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname, */ current = NULL; continue; - + nohash: #endif /* DNS_RBT_USEHASH */ /* @@ -1372,7 +1372,7 @@ dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name) { result = dns_name_concatenate(name, ¤t, name, NULL); if (result != ISC_R_SUCCESS) break; - + node = find_up(node); } while (! dns_name_isabsolute(name)); @@ -1639,7 +1639,7 @@ rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp) { * true red/black tree on a single level. */ static void -dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order, +dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order, dns_rbtnode_t **rootp) { dns_rbtnode_t *child, *root, *parent, *grandparent; @@ -2062,8 +2062,8 @@ dns_rbt_deletetreeflat(dns_rbt_t *rbt, unsigned int quantum, /* * Note: we don't call unhash_node() here as we are destroying - * the complete rbt tree. - */ + * the complete rbt tree. + */ #if DNS_RBT_USEMAGIC node->magic = 0; #endif @@ -2188,6 +2188,7 @@ dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx) { chain->end = NULL; chain->level_count = 0; chain->level_matches = 0; + memset(chain->levels, 0, sizeof(chain->levels)); chain->magic = CHAIN_MAGIC; } diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 8930d355fd0ab..92159604e1035 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.168.2.11.2.26 2006/03/02 23:18:20 marka Exp $ */ +/* $Id: rbtdb.c,v 1.168.2.11.2.35 2008/01/24 23:45:27 tbox Exp $ */ /* * Principal Author: Bob Halley @@ -131,7 +131,7 @@ typedef struct rdatasetheader { * Otherwise, it points up to the header whose down pointer points * at this header. */ - + struct rdatasetheader *down; /* * Points to the header for the next older version of @@ -267,7 +267,7 @@ static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata); static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target); static unsigned int rdataset_count(dns_rdataset_t *rdataset); static isc_result_t rdataset_getnoqname(dns_rdataset_t *rdataset, - dns_name_t *name, + dns_name_t *name, dns_rdataset_t *nsec, dns_rdataset_t *nsecsig); @@ -352,6 +352,19 @@ typedef struct rbtdb_dbiterator { static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event); +/*% + * 'init_count' is used to initialize 'newheader->count' which inturn + * is used to determine where in the cycle rrset-order cyclic starts. + * We don't lock this as we don't care about simultanious updates. + * + * Note: + * Both init_count and header->count can be ISC_UINT32_MAX. + * The count on the returned rdataset however can't be as + * that indicates that the database does not implement cyclic + * processing. + */ +static unsigned int init_count; + /* * Locking * @@ -425,7 +438,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) { if (event == NULL) event = isc_event_allocate(rbtdb->common.mctx, NULL, - DNS_EVENT_FREESTORAGE, + DNS_EVENT_FREESTORAGE, free_rbtdb_callback, rbtdb, sizeof(isc_event_t)); @@ -645,7 +658,7 @@ free_noqname(isc_mem_t *mctx, struct noqname **noqname) { if ((*noqname)->nsec != NULL) isc_mem_put(mctx, (*noqname)->nsec, dns_rdataslab_size((*noqname)->nsec, 0)); - if ((*noqname)->nsec != NULL) + if ((*noqname)->nsecsig != NULL) isc_mem_put(mctx, (*noqname)->nsecsig, dns_rdataslab_size((*noqname)->nsecsig, 0)); isc_mem_put(mctx, *noqname, sizeof(**noqname)); @@ -658,7 +671,7 @@ free_rdataset(isc_mem_t *mctx, rdatasetheader_t *rdataset) { if (rdataset->noqname != NULL) free_noqname(mctx, &rdataset->noqname); - + if ((rdataset->attributes & RDATASET_ATTR_NONEXISTENT) != 0) size = sizeof(*rdataset); else @@ -930,7 +943,7 @@ no_references(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, isc_rwlocktype_write); RUNTIME_CHECK(result == ISC_R_SUCCESS || result == ISC_R_LOCKBUSY); - + write_locked = ISC_TF(result == ISC_R_SUCCESS); } else write_locked = ISC_TRUE; @@ -1062,6 +1075,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { rbtdb_serial_t serial, least_serial; dns_rbtnode_t *rbtnode; isc_mutex_t *lock; + isc_boolean_t writer; REQUIRE(VALID_RBTDB(rbtdb)); version = (rbtdb_version_t *)*versionp; @@ -1074,6 +1088,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { INSIST(!version->writer || !(commit && version->references > 1)); version->references--; serial = version->serial; + writer = version->writer; if (version->references == 0) { if (version->writer) { if (commit) { @@ -1180,7 +1195,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { /* * Update the zone's secure status. */ - if (version->writer && commit && !IS_CACHE(rbtdb)) + if (writer && commit && !IS_CACHE(rbtdb)) rbtdb->secure = iszonesecure(db, rbtdb->origin_node); if (cleanup_version != NULL) { @@ -1395,7 +1410,7 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { if (header != NULL) { if (header->type == dns_rdatatype_dname) dname_header = header; - else if (header->type == + else if (header->type == RBTDB_RDATATYPE_SIGDNAME) sigdname_header = header; else if (node != onode || @@ -1513,8 +1528,8 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, raw = (unsigned char *)header + sizeof(*header); rdataset->private3 = raw; rdataset->count = header->count++; - if (header->count == ISC_UINT32_MAX) - header->count = 0; + if (rdataset->count == ISC_UINT32_MAX) + rdataset->count = 0; /* * Reset iterator state. @@ -2426,7 +2441,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, result = DNS_R_BADDB; goto node_exit; } - + UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock)); result = find_closest_nsec(&search, nodep, foundname, rdataset, sigrdataset, @@ -2822,7 +2837,7 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, matchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_nsec, 0); sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec); - + do { node = NULL; dns_fixedname_init(&fname); @@ -2847,7 +2862,7 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, * This rdataset is stale. If no one else is * using the node, we can clean it up right * now, otherwise we mark it as stale, and the - * node as dirty, so it will get cleaned up + * node as dirty, so it will get cleaned up * later. */ if (header->ttl > search->now - RBTDB_VIRTUAL) @@ -2869,7 +2884,8 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, } continue; } - if (NONEXISTENT(header) || NXDOMAIN(header)) { + if (NONEXISTENT(header) || + RBTDB_RDATATYPE_BASE(header->type) == 0) { header_prev = header; continue; } @@ -2895,7 +2911,7 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep, result = DNS_R_COVERINGNSEC; } else if (!empty_node) { result = ISC_R_NOTFOUND; - }else + } else result = dns_rbtnodechain_prev(&search->chain, NULL, NULL); unlock_node: @@ -3973,7 +3989,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, for (topheader = rbtnode->data; topheader != NULL; topheader = topheader->next) { - if (topheader->type == + if (topheader->type == RBTDB_RDATATYPE_NCACHEANY) break; } @@ -4066,7 +4082,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, INSIST(rbtversion->serial >= header->serial); merged = NULL; result = ISC_R_SUCCESS; - + if ((options & DNS_DBADD_EXACT) != 0) flags |= DNS_RDATASLAB_EXACT; if ((options & DNS_DBADD_EXACTTTL) != 0 && @@ -4112,9 +4128,9 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, header->trust >= newheader->trust && dns_rdataslab_equalx((unsigned char *)header, (unsigned char *)newheader, - (unsigned int)(sizeof(*newheader)), + (unsigned int)(sizeof(*newheader)), rbtdb->common.rdclass, - (dns_rdatatype_t)header->type)) { + (dns_rdatatype_t)header->type)) { /* * Honour the new ttl if it is less than the * older one. @@ -4139,7 +4155,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, header->trust >= newheader->trust && dns_rdataslab_equal((unsigned char *)header, (unsigned char *)newheader, - (unsigned int)(sizeof(*newheader)))) { + (unsigned int)(sizeof(*newheader)))) { /* * Honour the new ttl if it is less than the * older one. @@ -4341,7 +4357,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, rdataset->covers); newheader->attributes = 0; newheader->noqname = NULL; - newheader->count = 0; + newheader->count = init_count++; newheader->trust = rdataset->trust; if (rbtversion != NULL) { newheader->serial = rbtversion->serial; @@ -4422,7 +4438,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, newheader->serial = rbtversion->serial; newheader->trust = 0; newheader->noqname = NULL; - newheader->count = 0; + newheader->count = init_count++; LOCK(&rbtdb->node_locks[rbtnode->locknum].lock); @@ -4523,7 +4539,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, if ((options & DNS_DBSUB_EXACT) != 0) result = DNS_R_NOTEXACT; else - result = DNS_R_UNCHANGED; + result = DNS_R_UNCHANGED; } if (result == ISC_R_SUCCESS && newrdataset != NULL) @@ -4655,7 +4671,7 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) { newheader->trust = rdataset->trust; newheader->serial = 1; newheader->noqname = NULL; - newheader->count = 0; + newheader->count = init_count++; result = add(rbtdb, node, rbtdb->current_version, newheader, DNS_DBADD_MERGE, ISC_TRUE, NULL, 0); @@ -4935,6 +4951,12 @@ dns_rbtdb_create rbtdb->node_lock_count = DEFAULT_NODE_LOCK_COUNT; rbtdb->node_locks = isc_mem_get(mctx, rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t)); + if (rbtdb->node_locks == NULL) { + isc_rwlock_destroy(&rbtdb->tree_lock); + DESTROYLOCK(&rbtdb->lock); + isc_mem_put(mctx, rbtdb, sizeof(*rbtdb)); + return (ISC_R_NOMEMORY); + } rbtdb->active = rbtdb->node_lock_count; for (i = 0; i < (int)(rbtdb->node_lock_count); i++) { result = isc_mutex_init(&rbtdb->node_locks[i].lock); @@ -5301,7 +5323,7 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) { if (rdtype == 0) { covers = RBTDB_RDATATYPE_EXT(header->type); negtype = RBTDB_RDATATYPE_VALUE(covers, 0); - } else + } else negtype = RBTDB_RDATATYPE_VALUE(0, rdtype); for (header = header->next; header != NULL; header = top_next) { top_next = header->next; diff --git a/lib/dns/rdata/generic/dlv_32769.c b/lib/dns/rdata/generic/dlv_32769.c index b28435c8bd546..69634608640cc 100644 --- a/lib/dns/rdata/generic/dlv_32769.c +++ b/lib/dns/rdata/generic/dlv_32769.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dlv_32769.c,v 1.2.4.2 2006/02/19 06:50:46 marka Exp $ */ +/* $Id: dlv_32769.c,v 1.2.4.5 2007/08/28 07:19:14 tbox Exp $ */ /* draft-ietf-dnsext-delegation-signer-05.txt */ @@ -23,9 +23,16 @@ #define RRTYPE_DLV_ATTRIBUTES 0 +#include + +#include + + static inline isc_result_t fromtext_dlv(ARGS_FROMTEXT) { isc_token_t token; + unsigned char c; + int length; REQUIRE(type == 32769); @@ -61,11 +68,15 @@ fromtext_dlv(ARGS_FROMTEXT) { if (token.value.as_ulong > 0xffU) RETTOK(ISC_R_RANGE); RETERR(uint8_tobuffer(token.value.as_ulong, target)); - type = (isc_uint16_t) token.value.as_ulong; + c = (unsigned char) token.value.as_ulong; /* * Digest. */ + if (c == DNS_DSDIGEST_SHA1) + length = ISC_SHA1_DIGESTLENGTH; + else + length = -1; return (isc_hex_tobuffer(lexer, target, -1)); } @@ -130,9 +141,23 @@ fromwire_dlv(ARGS_FROMWIRE) { UNUSED(options); isc_buffer_activeregion(source, &sr); - if (sr.length < 4) + + /* + * Check digest lengths if we know them. + */ + if (sr.length < 4 || + (sr.base[3] == DNS_DSDIGEST_SHA1 && + sr.length < 4 + ISC_SHA1_DIGESTLENGTH)) return (ISC_R_UNEXPECTEDEND); + /* + * Only copy digest lengths if we know them. + * If there is extra data dns_rdata_fromwire() will + * detect that. + */ + if (sr.base[3] == DNS_DSDIGEST_SHA1) + sr.length = 4 + ISC_SHA1_DIGESTLENGTH; + isc_buffer_forward(source, sr.length); return (mem_tobuffer(target, sr.base, sr.length)); } @@ -174,6 +199,11 @@ fromstruct_dlv(ARGS_FROMSTRUCT) { REQUIRE(source != NULL); REQUIRE(dlv->common.rdtype == type); REQUIRE(dlv->common.rdclass == rdclass); + switch (dlv->digest_type) { + case DNS_DSDIGEST_SHA1: + REQUIRE(dlv->length == ISC_SHA1_DIGESTLENGTH); + break; + } UNUSED(type); UNUSED(rdclass); diff --git a/lib/dns/rdata/generic/ds_43.c b/lib/dns/rdata/generic/ds_43.c index 0206b6f06c226..879cf5bd0e7b4 100644 --- a/lib/dns/rdata/generic/ds_43.c +++ b/lib/dns/rdata/generic/ds_43.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2002 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ds_43.c,v 1.6.2.4 2005/09/06 07:29:31 marka Exp $ */ +/* $Id: ds_43.c,v 1.6.2.7 2007/08/28 07:19:14 tbox Exp $ */ /* draft-ietf-dnsext-delegation-signer-05.txt */ @@ -25,10 +25,15 @@ #define RRTYPE_DS_ATTRIBUTES \ (DNS_RDATATYPEATTR_DNSSEC|DNS_RDATATYPEATTR_ATPARENT) +#include + +#include + static inline isc_result_t fromtext_ds(ARGS_FROMTEXT) { isc_token_t token; unsigned char c; + int length; REQUIRE(type == 43); @@ -63,12 +68,16 @@ fromtext_ds(ARGS_FROMTEXT) { if (token.value.as_ulong > 0xffU) RETTOK(ISC_R_RANGE); RETERR(uint8_tobuffer(token.value.as_ulong, target)); - type = (isc_uint16_t) token.value.as_ulong; + c = (unsigned char) token.value.as_ulong; /* * Digest. */ - return (isc_hex_tobuffer(lexer, target, -1)); + if (c == DNS_DSDIGEST_SHA1) + length = ISC_SHA1_DIGESTLENGTH; + else + length = -1; + return (isc_hex_tobuffer(lexer, target, length)); } static inline isc_result_t @@ -132,9 +141,23 @@ fromwire_ds(ARGS_FROMWIRE) { UNUSED(options); isc_buffer_activeregion(source, &sr); - if (sr.length < 4) + + /* + * Check digest lengths if we know them. + */ + if (sr.length < 4 || + (sr.base[3] == DNS_DSDIGEST_SHA1 && + sr.length < 4 + ISC_SHA1_DIGESTLENGTH)) return (ISC_R_UNEXPECTEDEND); + /* + * Only copy digest lengths if we know them. + * If there is extra data dns_rdata_fromwire() will + * detect that. + */ + if (sr.base[3] == DNS_DSDIGEST_SHA1) + sr.length = 4 + ISC_SHA1_DIGESTLENGTH; + isc_buffer_forward(source, sr.length); return (mem_tobuffer(target, sr.base, sr.length)); } @@ -176,6 +199,11 @@ fromstruct_ds(ARGS_FROMSTRUCT) { REQUIRE(source != NULL); REQUIRE(ds->common.rdtype == type); REQUIRE(ds->common.rdclass == rdclass); + switch (ds->digest_type) { + case DNS_DSDIGEST_SHA1: + REQUIRE(ds->length == ISC_SHA1_DIGESTLENGTH); + break; + } UNUSED(type); UNUSED(rdclass); diff --git a/lib/dns/rdata/generic/gpos_27.c b/lib/dns/rdata/generic/gpos_27.c index 1768f171f0648..11b694a5965e3 100644 --- a/lib/dns/rdata/generic/gpos_27.c +++ b/lib/dns/rdata/generic/gpos_27.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: gpos_27.c,v 1.32.12.5 2004/03/08 09:04:40 marka Exp $ */ +/* $Id: gpos_27.c,v 1.32.12.8 2007/08/28 07:19:14 tbox Exp $ */ /* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */ diff --git a/lib/dns/rdata/generic/hinfo_13.c b/lib/dns/rdata/generic/hinfo_13.c index e432ce57ec0ea..e5c3e7821465d 100644 --- a/lib/dns/rdata/generic/hinfo_13.c +++ b/lib/dns/rdata/generic/hinfo_13.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: hinfo_13.c,v 1.37.12.5 2004/03/08 09:04:40 marka Exp $ */ +/* $Id: hinfo_13.c,v 1.37.12.8 2007/08/28 07:19:14 tbox Exp $ */ /* * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley. diff --git a/lib/dns/rdata/generic/isdn_20.c b/lib/dns/rdata/generic/isdn_20.c index cc141578dde65..6e0f4ed204663 100644 --- a/lib/dns/rdata/generic/isdn_20.c +++ b/lib/dns/rdata/generic/isdn_20.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: isdn_20.c,v 1.30.12.4 2004/03/08 09:04:41 marka Exp $ */ +/* $Id: isdn_20.c,v 1.30.12.7 2007/08/28 07:19:14 tbox Exp $ */ /* Reviewed: Wed Mar 15 16:53:11 PST 2000 by bwelling */ diff --git a/lib/dns/rdata/generic/minfo_14.c b/lib/dns/rdata/generic/minfo_14.c index a3c4a9c558ac4..5713879ddcea9 100644 --- a/lib/dns/rdata/generic/minfo_14.c +++ b/lib/dns/rdata/generic/minfo_14.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: minfo_14.c,v 1.40.12.4 2004/03/08 09:04:41 marka Exp $ */ +/* $Id: minfo_14.c,v 1.40.12.7 2007/08/28 07:19:14 tbox Exp $ */ /* reviewed: Wed Mar 15 17:45:32 PST 2000 by brister */ diff --git a/lib/dns/rdata/generic/null_10.c b/lib/dns/rdata/generic/null_10.c index 492044d9c76a5..f205124b827ea 100644 --- a/lib/dns/rdata/generic/null_10.c +++ b/lib/dns/rdata/generic/null_10.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: null_10.c,v 1.35.2.1.10.4 2004/03/08 09:04:41 marka Exp $ */ +/* $Id: null_10.c,v 1.35.2.1.10.7 2007/08/28 07:19:15 tbox Exp $ */ /* Reviewed: Thu Mar 16 13:57:50 PST 2000 by explorer */ diff --git a/lib/dns/rdata/generic/nxt_30.h b/lib/dns/rdata/generic/nxt_30.h index 540135f72c912..3eceb45eaf4a6 100644 --- a/lib/dns/rdata/generic/nxt_30.h +++ b/lib/dns/rdata/generic/nxt_30.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -18,7 +18,7 @@ #ifndef GENERIC_NXT_30_H #define GENERIC_NXT_30_H 1 -/* $Id: nxt_30.h,v 1.18.12.3 2004/03/08 09:04:41 marka Exp $ */ +/* $Id: nxt_30.h,v 1.18.12.6 2007/08/28 07:19:15 tbox Exp $ */ /* RFC 2535 */ diff --git a/lib/dns/rdata/generic/opt_41.c b/lib/dns/rdata/generic/opt_41.c index ac74a28529e0f..6f379fc9585bb 100644 --- a/lib/dns/rdata/generic/opt_41.c +++ b/lib/dns/rdata/generic/opt_41.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: opt_41.c,v 1.25.12.4 2004/03/08 09:04:41 marka Exp $ */ +/* $Id: opt_41.c,v 1.25.12.7 2007/08/28 07:19:15 tbox Exp $ */ /* Reviewed: Thu Mar 16 14:06:44 PST 2000 by gson */ diff --git a/lib/dns/rdata/generic/proforma.c b/lib/dns/rdata/generic/proforma.c index 21c65775e67a9..06bf4678934d2 100644 --- a/lib/dns/rdata/generic/proforma.c +++ b/lib/dns/rdata/generic/proforma.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: proforma.c,v 1.30.12.4 2004/03/08 09:04:41 marka Exp $ */ +/* $Id: proforma.c,v 1.30.12.7 2007/08/28 07:19:15 tbox Exp $ */ #ifndef RDATA_GENERIC_#_#_C #define RDATA_GENERIC_#_#_C diff --git a/lib/dns/rdata/generic/rp_17.c b/lib/dns/rdata/generic/rp_17.c index 27e02ee22b2be..82c45a601cf9a 100644 --- a/lib/dns/rdata/generic/rp_17.c +++ b/lib/dns/rdata/generic/rp_17.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rp_17.c,v 1.35.12.4 2004/03/08 09:04:42 marka Exp $ */ +/* $Id: rp_17.c,v 1.35.12.7 2007/08/28 07:19:15 tbox Exp $ */ /* RFC 1183 */ diff --git a/lib/dns/rdata/generic/soa_6.c b/lib/dns/rdata/generic/soa_6.c index 7eeb36e2f5505..6236b662208a5 100644 --- a/lib/dns/rdata/generic/soa_6.c +++ b/lib/dns/rdata/generic/soa_6.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: soa_6.c,v 1.53.12.6 2004/03/08 09:04:42 marka Exp $ */ +/* $Id: soa_6.c,v 1.53.12.9 2007/08/28 07:19:15 tbox Exp $ */ /* Reviewed: Thu Mar 16 15:18:32 PST 2000 by explorer */ diff --git a/lib/dns/rdata/generic/txt_16.c b/lib/dns/rdata/generic/txt_16.c index 631d7af55b9bc..625fa2be8e7c0 100644 --- a/lib/dns/rdata/generic/txt_16.c +++ b/lib/dns/rdata/generic/txt_16.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: txt_16.c,v 1.37.12.4 2004/03/08 09:04:42 marka Exp $ */ +/* $Id: txt_16.c,v 1.37.12.7 2007/08/28 07:19:15 tbox Exp $ */ /* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */ diff --git a/lib/dns/rdata/generic/unspec_103.c b/lib/dns/rdata/generic/unspec_103.c index 157e9a1cc06e5..1c2833a902c89 100644 --- a/lib/dns/rdata/generic/unspec_103.c +++ b/lib/dns/rdata/generic/unspec_103.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: unspec_103.c,v 1.28.2.1.10.4 2004/03/08 09:04:43 marka Exp $ */ +/* $Id: unspec_103.c,v 1.28.2.1.10.7 2007/08/28 07:19:15 tbox Exp $ */ #ifndef RDATA_GENERIC_UNSPEC_103_C #define RDATA_GENERIC_UNSPEC_103_C diff --git a/lib/dns/rdata/generic/x25_19.c b/lib/dns/rdata/generic/x25_19.c index 2f123ad76d697..77f1b3860a3cf 100644 --- a/lib/dns/rdata/generic/x25_19.c +++ b/lib/dns/rdata/generic/x25_19.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: x25_19.c,v 1.31.12.4 2004/03/08 09:04:43 marka Exp $ */ +/* $Id: x25_19.c,v 1.31.12.7 2007/08/28 07:19:15 tbox Exp $ */ /* Reviewed: Thu Mar 16 16:15:57 PST 2000 by bwelling */ diff --git a/lib/dns/rdata/hs_4/a_1.c b/lib/dns/rdata/hs_4/a_1.c index 07d6adcd4270b..b59f812e00c86 100644 --- a/lib/dns/rdata/hs_4/a_1.c +++ b/lib/dns/rdata/hs_4/a_1.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: a_1.c,v 1.25.12.4 2004/03/08 09:04:43 marka Exp $ */ +/* $Id: a_1.c,v 1.25.12.7 2007/08/28 07:19:15 tbox Exp $ */ /* reviewed: Thu Mar 16 15:58:36 PST 2000 by brister */ diff --git a/lib/dns/rdata/in_1/a_1.c b/lib/dns/rdata/in_1/a_1.c index 30165c9045ff7..5338bcf7d31d9 100644 --- a/lib/dns/rdata/in_1/a_1.c +++ b/lib/dns/rdata/in_1/a_1.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: a_1.c,v 1.46.12.5 2004/03/08 09:04:43 marka Exp $ */ +/* $Id: a_1.c,v 1.46.12.8 2007/08/28 07:19:15 tbox Exp $ */ /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */ diff --git a/lib/dns/rdata/in_1/aaaa_28.c b/lib/dns/rdata/in_1/aaaa_28.c index 489fe01535458..bee01b4a76665 100644 --- a/lib/dns/rdata/in_1/aaaa_28.c +++ b/lib/dns/rdata/in_1/aaaa_28.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: aaaa_28.c,v 1.36.12.5 2004/03/08 09:04:44 marka Exp $ */ +/* $Id: aaaa_28.c,v 1.36.12.8 2007/08/28 07:19:15 tbox Exp $ */ /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */ diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c index ac3956983d9f4..6562d5fa942f4 100644 --- a/lib/dns/rdata/in_1/apl_42.c +++ b/lib/dns/rdata/in_1/apl_42.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2002 Internet Software Consortium. + * Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2002, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: apl_42.c,v 1.4.200.8 2004/03/16 12:38:15 marka Exp $ */ +/* $Id: apl_42.c,v 1.4.200.13 2008/01/22 23:26:40 tbox Exp $ */ /* RFC 3123 */ @@ -49,7 +49,7 @@ fromtext_in_apl(ARGS_FROMTEXT) { isc_tokentype_string, ISC_TRUE)); if (token.type != isc_tokentype_string) break; - + cp = DNS_AS_STR(token); neg = ISC_TF(*cp == '!'); if (neg) @@ -259,7 +259,7 @@ fromstruct_in_apl(ARGS_FROMSTRUCT) { REQUIRE(apl->common.rdtype == type); REQUIRE(apl->common.rdclass == rdclass); REQUIRE(apl->apl != NULL || apl->apl_len == 0); - + isc_buffer_init(&b, apl->apl, apl->apl_len); isc_buffer_add(&b, apl->apl_len); isc_buffer_setactive(&b, apl->apl_len); @@ -306,37 +306,88 @@ freestruct_in_apl(ARGS_FREESTRUCT) { isc_result_t dns_rdata_apl_first(dns_rdata_in_apl_t *apl) { + isc_uint32_t length; + + REQUIRE(apl != NULL); REQUIRE(apl->common.rdtype == 42); REQUIRE(apl->common.rdclass == 1); REQUIRE(apl->apl != NULL || apl->apl_len == 0); + /* + * If no APL return ISC_R_NOMORE. + */ + if (apl->apl == NULL) + return (ISC_R_NOMORE); + + /* + * Sanity check data. + */ + INSIST(apl->apl_len > 3U); + length = apl->apl[apl->offset + 3] & 0x7f; + INSIST(length <= apl->apl_len); + apl->offset = 0; - return ((apl->apl_len != 0) ? ISC_R_SUCCESS : ISC_R_NOMORE); + return (ISC_R_SUCCESS); } isc_result_t dns_rdata_apl_next(dns_rdata_in_apl_t *apl) { + isc_uint32_t length; + + REQUIRE(apl != NULL); REQUIRE(apl->common.rdtype == 42); REQUIRE(apl->common.rdclass == 1); REQUIRE(apl->apl != NULL || apl->apl_len == 0); - if (apl->offset + 3 < apl->apl_len) + /* + * No APL or have already reached the end return ISC_R_NOMORE. + */ + if (apl->apl == NULL || apl->offset == apl->apl_len) return (ISC_R_NOMORE); + + /* + * Sanity check data. + */ + INSIST(apl->offset < apl->apl_len); + INSIST(apl->apl_len > 3U); + INSIST(apl->offset <= apl->apl_len - 4U); + length = apl->apl[apl->offset + 3] & 0x7f; + /* + * 16 to 32 bits promotion as 'length' is 32 bits so there is + * no overflow problems. + */ + INSIST(length + apl->offset <= apl->apl_len); + apl->offset += apl->apl[apl->offset + 3] & 0x7f; return ((apl->offset >= apl->apl_len) ? ISC_R_SUCCESS : ISC_R_NOMORE); } isc_result_t dns_rdata_apl_current(dns_rdata_in_apl_t *apl, dns_rdata_apl_ent_t *ent) { + isc_uint32_t length; + REQUIRE(apl != NULL); REQUIRE(apl->common.rdtype == 42); REQUIRE(apl->common.rdclass == 1); REQUIRE(ent != NULL); REQUIRE(apl->apl != NULL || apl->apl_len == 0); + REQUIRE(apl->offset <= apl->apl_len); - if (apl->offset >= apl->apl_len) + if (apl->offset == apl->apl_len) return (ISC_R_NOMORE); + /* + * Sanity check data. + */ + INSIST(apl->apl_len > 3U); + INSIST(apl->offset <= apl->apl_len - 4U); + length = apl->apl[apl->offset + 3] & 0x7f; + /* + * 16 to 32 bits promotion as 'length' is 32 bits so there is + * no overflow problems. + */ + INSIST(length + apl->offset <= apl->apl_len); + ent->family = (apl->apl[apl->offset] << 8) + apl->apl[apl->offset + 1]; ent->prefix = apl->apl[apl->offset + 2]; ent->length = apl->apl[apl->offset + 3] & 0x7f; diff --git a/lib/dns/rdata/in_1/apl_42.h b/lib/dns/rdata/in_1/apl_42.h index 83309a60e0ef0..ce89a3e83e449 100644 --- a/lib/dns/rdata/in_1/apl_42.h +++ b/lib/dns/rdata/in_1/apl_42.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2002, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -18,7 +18,7 @@ #ifndef IN_1_APL_42_H #define IN_1_APL_42_H 1 -/* $Id: apl_42.h,v 1.1.202.3 2004/03/08 09:04:44 marka Exp $ */ +/* $Id: apl_42.h,v 1.1.202.6 2007/08/28 07:19:15 tbox Exp $ */ typedef struct dns_rdata_apl_ent { isc_boolean_t negative; diff --git a/lib/dns/rdata/in_1/nsap_22.c b/lib/dns/rdata/in_1/nsap_22.c index 594b97fb63186..a8174461db7d1 100644 --- a/lib/dns/rdata/in_1/nsap_22.c +++ b/lib/dns/rdata/in_1/nsap_22.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsap_22.c,v 1.33.12.5 2004/03/08 09:04:44 marka Exp $ */ +/* $Id: nsap_22.c,v 1.33.12.8 2007/08/28 07:19:15 tbox Exp $ */ /* Reviewed: Fri Mar 17 10:41:07 PST 2000 by gson */ diff --git a/lib/dns/rdata/in_1/wks_11.c b/lib/dns/rdata/in_1/wks_11.c index c27868602de6b..d346d99f9c8ad 100644 --- a/lib/dns/rdata/in_1/wks_11.c +++ b/lib/dns/rdata/in_1/wks_11.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: wks_11.c,v 1.44.12.8 2004/09/16 01:00:58 marka Exp $ */ +/* $Id: wks_11.c,v 1.44.12.11 2007/08/28 07:19:15 tbox Exp $ */ /* Reviewed: Fri Mar 17 15:01:49 PST 2000 by explorer */ diff --git a/lib/dns/request.c b/lib/dns/request.c index c325fd4c28006..69841e5e710ce 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: request.c,v 1.64.2.1.10.9 2006/08/21 00:50:48 marka Exp $ */ +/* $Id: request.c,v 1.64.2.1.10.12 2007/08/28 07:19:13 tbox Exp $ */ #include diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index a56fecfd3ce1c..16d22e08b332e 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.218.2.18.4.64.4.2 2007/01/11 05:05:10 marka Exp $ */ +/* $Id: resolver.c,v 1.218.2.18.4.77 2008/01/17 23:45:27 tbox Exp $ */ #include @@ -187,6 +187,7 @@ struct fetchctx { isc_sockaddrlist_t forwarders; dns_fwdpolicy_t fwdpolicy; isc_sockaddrlist_t bad; + dns_validator_t *validator; ISC_LIST(dns_validator_t) validators; dns_db_t * cache; dns_adb_t * adb; @@ -207,7 +208,7 @@ struct fetchctx { unsigned int restarts; /* - * The number of timeouts that have occurred since we + * The number of timeouts that have occurred since we * last successfully received a response packet. This * is used for EDNS0 black hole detection. */ @@ -215,7 +216,7 @@ struct fetchctx { /* * Look aside state for DS lookups. */ - dns_name_t nsname; + dns_name_t nsname; dns_fetch_t * nsfetch; dns_rdataset_t nsrrset; @@ -245,7 +246,7 @@ struct fetchctx { #define ADDRWAIT(f) (((f)->attributes & FCTX_ATTR_ADDRWAIT) != \ 0) #define SHUTTINGDOWN(f) (((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \ - != 0) + != 0) #define WANTCACHE(f) (((f)->attributes & FCTX_ATTR_WANTCACHE) != 0) #define WANTNCACHE(f) (((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0) #define NEEDEDNS0(f) (((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0) @@ -289,8 +290,8 @@ struct dns_resolver { unsigned int magic; isc_mem_t * mctx; isc_mutex_t lock; - isc_mutex_t nlock; - isc_mutex_t primelock; + isc_mutex_t nlock; + isc_mutex_t primelock; dns_rdataclass_t rdclass; isc_socketmgr_t * socketmgr; isc_timermgr_t * timermgr; @@ -342,6 +343,8 @@ struct dns_resolver { #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) +#define dns_db_transfernode(a,b,c) do { (*c) = (*b); (*b) = NULL; } while (0) + static void destroy(dns_resolver_t *res); static void empty_bucket(dns_resolver_t *res); static isc_result_t resquery_send(resquery_t *query); @@ -355,7 +358,7 @@ static isc_result_t ncache_adderesult(dns_message_t *message, isc_stdtime_t now, dns_ttl_t maxttl, dns_rdataset_t *ardataset, isc_result_t *eresultp); -static void validated(isc_task_t *task, isc_event_t *event); +static void validated(isc_task_t *task, isc_event_t *event); static void maybe_destroy(fetchctx_t *fctx); static isc_result_t @@ -382,9 +385,13 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name, sigrdataset, fctx->rmessage, valoptions, task, validated, valarg, &validator); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { + if ((valoptions & DNS_VALIDATOR_DEFER) == 0) { + INSIST(fctx->validator == NULL); + fctx->validator = validator; + } ISC_LIST_APPEND(fctx->validators, validator, link); - else + } else isc_mem_put(fctx->res->mctx, valarg, sizeof(*valarg)); return (result); } @@ -779,6 +786,15 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) { fctx->type == dns_rdatatype_rrsig || fctx->type == dns_rdatatype_sig); + /* + * Negative results must be indicated in event->result. + */ + if (dns_rdataset_isassociated(event->rdataset) && + event->rdataset->type == dns_rdatatype_none) { + INSIST(event->result == DNS_R_NCACHENXDOMAIN || + event->result == DNS_R_NCACHENXRRSET); + } + isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event)); } } @@ -844,7 +860,7 @@ resquery_senddone(isc_task_t *task, isc_event_t *event) { isc_socket_detach(&query->tcpsocket); resquery_destroy(&query); } - } else + } else switch (sevent->result) { case ISC_R_SUCCESS: break; @@ -1501,7 +1517,7 @@ resquery_connected(isc_task_t *task, isc_event_t *event) { } isc_event_free(&event); - + if (retry) { /* * Behave as if the idle timer has expired. For TCP @@ -1661,7 +1677,7 @@ mark_bad(fetchctx_t *fctx) { } static void -add_bad(fetchctx_t *fctx, isc_sockaddr_t *address, isc_result_t reason) { +add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason) { char namebuf[DNS_NAME_FORMATSIZE]; char addrbuf[ISC_SOCKADDR_FORMATSIZE]; char classbuf[64]; @@ -1670,6 +1686,7 @@ add_bad(fetchctx_t *fctx, isc_sockaddr_t *address, isc_result_t reason) { isc_buffer_t b; isc_sockaddr_t *sa; const char *sep1, *sep2; + isc_sockaddr_t *address = &addrinfo->sockaddr; if (bad_server(fctx, address)) { /* @@ -1689,6 +1706,11 @@ add_bad(fetchctx_t *fctx, isc_sockaddr_t *address, isc_result_t reason) { if (reason == DNS_R_LAME) /* already logged */ return; + if (reason == DNS_R_UNEXPECTEDRCODE && + fctx->rmessage->opcode == dns_rcode_servfail && + ISFORWARDER(addrinfo)) + return; + if (reason == DNS_R_UNEXPECTEDRCODE) { isc_buffer_init(&b, code, sizeof(code) - 1); dns_rcode_totext(fctx->rmessage->rcode, &b); @@ -2154,7 +2176,7 @@ possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr) isc_netaddr_fromsockaddr(&ipaddr, sa); blackhole = dns_dispatchmgr_getblackhole(res->dispatchmgr); (void) dns_peerlist_peerbyaddr(res->view->peers, &ipaddr, &peer); - + if (blackhole != NULL) { int match; @@ -2559,7 +2581,7 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) { dns_validator_cancel(validator); validator = ISC_LIST_NEXT(validator, link); } - + if (fctx->nsfetch != NULL) dns_resolver_cancelfetch(fctx->nsfetch); @@ -2781,6 +2803,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, fctx->fwdpolicy = dns_fwdpolicy_none; ISC_LIST_INIT(fctx->bad); ISC_LIST_INIT(fctx->validators); + fctx->validator = NULL; fctx->find = NULL; fctx->altfind = NULL; fctx->pending = 0; @@ -2981,7 +3004,7 @@ is_lame(fetchctx_t *fctx) { if (rdataset->type != dns_rdatatype_ns) continue; namereln = dns_name_fullcompare(name, &fctx->domain, - &order, &labels); + &order, &labels); if (namereln == dns_namereln_equal && (message->flags & DNS_MESSAGEFLAG_AA) != 0) return (ISC_FALSE); @@ -2998,9 +3021,9 @@ is_lame(fetchctx_t *fctx) { static inline void log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) { char namebuf[DNS_NAME_FORMATSIZE]; - char domainbuf[DNS_NAME_FORMATSIZE]; + char domainbuf[DNS_NAME_FORMATSIZE]; char addrbuf[ISC_SOCKADDR_FORMATSIZE]; - + dns_name_format(&fctx->name, namebuf, sizeof(namebuf)); dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf)); @@ -3110,7 +3133,7 @@ maybe_destroy(fetchctx_t *fctx) { unsigned int bucketnum; isc_boolean_t bucket_empty = ISC_FALSE; dns_resolver_t *res = fctx->res; - dns_validator_t *validator; + dns_validator_t *validator, *next_validator; REQUIRE(SHUTTINGDOWN(fctx)); @@ -3118,16 +3141,22 @@ maybe_destroy(fetchctx_t *fctx) { return; for (validator = ISC_LIST_HEAD(fctx->validators); - validator != NULL; - validator = ISC_LIST_HEAD(fctx->validators)) { - ISC_LIST_UNLINK(fctx->validators, validator, link); + validator != NULL; validator = next_validator) { + next_validator = ISC_LIST_NEXT(validator, link); dns_validator_cancel(validator); + /* + * If this is a active validator wait for the cancel + * to complete before calling dns_validator_destroy(). + */ + if (validator == fctx->validator) + continue; + ISC_LIST_UNLINK(fctx->validators, validator, link); dns_validator_destroy(&validator); } bucketnum = fctx->bucketnum; LOCK(&res->buckets[bucketnum].lock); - if (fctx->references == 0) + if (fctx->references == 0 && ISC_LIST_EMPTY(fctx->validators)) bucket_empty = fctx_destroy(fctx); UNLOCK(&res->buckets[bucketnum].lock); @@ -3174,6 +3203,7 @@ validated(isc_task_t *task, isc_event_t *event) { FCTXTRACE("received validation completion event"); ISC_LIST_UNLINK(fctx->validators, vevent->validator, link); + fctx->validator = NULL; /* * Destroy the validator early so that we can @@ -3255,12 +3285,14 @@ validated(isc_task_t *task, isc_event_t *event) { if (result == ISC_R_SUCCESS) dns_db_detachnode(fctx->cache, &node); result = vevent->result; - add_bad(fctx, &addrinfo->sockaddr, result); + add_bad(fctx, addrinfo, result); isc_event_free(&event); UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); - if (!ISC_LIST_EMPTY(fctx->validators)) - dns_validator_send(ISC_LIST_HEAD(fctx->validators)); - else if (sentresponse) + INSIST(fctx->validator == NULL); + fctx->validator = ISC_LIST_HEAD(fctx->validators); + if (fctx->validator != NULL) { + dns_validator_send(fctx->validator); + } else if (sentresponse) fctx_done(fctx, result); /* Locks bucket. */ else fctx_try(fctx); /* Locks bucket. */ @@ -3327,7 +3359,12 @@ validated(isc_task_t *task, isc_event_t *event) { if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) goto noanswer_response; - if (vevent->sigrdataset != NULL) { + if (ardataset != NULL && ardataset->type == 0) { + if (NXDOMAIN(ardataset)) + eresult = DNS_R_NCACHENXDOMAIN; + else + eresult = DNS_R_NCACHENXRRSET; + } else if (vevent->sigrdataset != NULL) { result = dns_db_addrdataset(fctx->cache, node, NULL, now, vevent->sigrdataset, 0, asigrdataset); @@ -3341,6 +3378,7 @@ validated(isc_task_t *task, isc_event_t *event) { * If we only deferred the destroy because we wanted to cache * the data, destroy now. */ + dns_db_detachnode(fctx->cache, &node); UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); if (SHUTTINGDOWN(fctx)) maybe_destroy(fctx); /* Locks bucket. */ @@ -3357,6 +3395,7 @@ validated(isc_task_t *task, isc_event_t *event) { * more rdatasets that still need to * be validated. */ + dns_db_detachnode(fctx->cache, &node); UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); dns_validator_send(ISC_LIST_HEAD(fctx->validators)); goto cleanup_event; @@ -3422,8 +3461,7 @@ validated(isc_task_t *task, isc_event_t *event) { dns_fixedname_name(&hevent->foundname), NULL) == ISC_R_SUCCESS); dns_db_attach(fctx->cache, &hevent->db); - hevent->node = node; - node = NULL; + dns_db_transfernode(fctx->cache, &node, &hevent->node); clone_results(fctx); } @@ -3436,12 +3474,14 @@ validated(isc_task_t *task, isc_event_t *event) { fctx_done(fctx, result); /* Locks bucket. */ cleanup_event: + INSIST(node == NULL); isc_event_free(&event); } static inline isc_result_t cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, - isc_stdtime_t now) { + isc_stdtime_t now) +{ dns_rdataset_t *rdataset, *sigrdataset; dns_rdataset_t *addedrdataset, *ardataset, *asigrdataset; dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL; @@ -3547,14 +3587,16 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, sizeof(typebuf)); dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf)); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, - "check-names %s %s/%s/%s", + "check-names %s %s/%s/%s", fail ? "failure" : "warning", namebuf, typebuf, classbuf); if (fail) { - if (ANSWER(rdataset)) + if (ANSWER(rdataset)) { + dns_db_detachnode(fctx->cache, &node); return (DNS_R_BADNAME); + } continue; } } @@ -3619,8 +3661,29 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, result = dns_db_addrdataset(fctx->cache, node, NULL, now, rdataset, 0, addedrdataset); - if (result == DNS_R_UNCHANGED) + if (result == DNS_R_UNCHANGED) { result = ISC_R_SUCCESS; + if (!need_validation && + ardataset != NULL && + ardataset->type == 0) { + /* + * The answer in the cache is better + * than the answer we found, and is + * a negative cache entry, so we + * must set eresult appropriately. + */ + if (NXDOMAIN(ardataset)) + eresult = DNS_R_NCACHENXDOMAIN; + else + eresult = DNS_R_NCACHENXRRSET; + /* + * We have a negative response from + * the cache so don't attempt to + * add the RRSIG rrset. + */ + continue; + } + } if (result != ISC_R_SUCCESS) break; if (sigrdataset != NULL) { @@ -3737,12 +3800,10 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, * a negative cache entry, so we * must set eresult appropriately. */ - if (NXDOMAIN(ardataset)) - eresult = - DNS_R_NCACHENXDOMAIN; - else - eresult = - DNS_R_NCACHENXRRSET; + if (NXDOMAIN(ardataset)) + eresult = DNS_R_NCACHENXDOMAIN; + else + eresult = DNS_R_NCACHENXRRSET; } result = ISC_R_SUCCESS; } else if (result != ISC_R_SUCCESS) @@ -3753,15 +3814,22 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, if (valrdataset != NULL) result = valcreate(fctx, addrinfo, name, fctx->type, valrdataset, valsigrdataset, valoptions, - task); + task); if (result == ISC_R_SUCCESS && have_answer) { fctx->attributes |= FCTX_ATTR_HAVEANSWER; if (event != NULL) { + /* + * Negative results must be indicated in event->result. + */ + if (dns_rdataset_isassociated(event->rdataset) && + event->rdataset->type == dns_rdatatype_none) { + INSIST(eresult == DNS_R_NCACHENXDOMAIN || + eresult == DNS_R_NCACHENXRRSET); + } event->result = eresult; dns_db_attach(fctx->cache, adbp); - *anodep = node; - node = NULL; + dns_db_transfernode(fctx->cache, &node, anodep); clone_results(fctx); } } @@ -3999,8 +4067,7 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, if (event != NULL) { event->result = eresult; dns_db_attach(fctx->cache, adbp); - *anodep = node; - node = NULL; + dns_db_transfernode(fctx->cache, &node, anodep); clone_results(fctx); } } @@ -4107,7 +4174,7 @@ chase_additional(fetchctx_t *fctx) { again: rescan = ISC_FALSE; - + for (result = dns_message_firstname(fctx->rmessage, section); result == ISC_R_SUCCESS; result = dns_message_nextname(fctx->rmessage, section)) { @@ -4187,7 +4254,7 @@ dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname, return (DNS_R_FORMERR); } dns_fixedname_init(&prefix); - dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); + dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); dns_fixedname_init(fixeddname); result = dns_name_concatenate(dns_fixedname_name(&prefix), &dname.dname, @@ -4211,7 +4278,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname, dns_message_t *message; dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name; dns_rdataset_t *rdataset, *ns_rdataset; - isc_boolean_t done, aa, negative_response; + isc_boolean_t aa, negative_response; dns_rdatatype_t type; dns_section_t section = bind8_ns_resp ? DNS_SECTION_ANSWER : DNS_SECTION_AUTHORITY; @@ -4270,13 +4337,12 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname, /* * Process the authority section. */ - done = ISC_FALSE; ns_name = NULL; ns_rdataset = NULL; soa_name = NULL; ds_name = NULL; result = dns_message_firstname(message, section); - while (!done && result == ISC_R_SUCCESS) { + while (result == ISC_R_SUCCESS) { name = NULL; dns_message_currentname(message, section, &name); if (dns_name_issubdomain(name, &fctx->domain)) { @@ -4338,15 +4404,29 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname, dns_trust_additional; } } - /* - * A negative response has a SOA record (Type 2) - * and a optional NS RRset (Type 1) or it has neither - * a SOA or a NS RRset (Type 3, handled above) or - * rcode is NXDOMAIN (handled above) in which case - * the NS RRset is allowed (Type 4). - */ - if (soa_name != NULL) - negative_response = ISC_TRUE; + } + result = dns_message_nextname(message, section); + if (result == ISC_R_NOMORE) + break; + else if (result != ISC_R_SUCCESS) + return (result); + } + + /* + * A negative response has a SOA record (Type 2) + * and a optional NS RRset (Type 1) or it has neither + * a SOA or a NS RRset (Type 3, handled above) or + * rcode is NXDOMAIN (handled above) in which case + * the NS RRset is allowed (Type 4). + */ + if (soa_name != NULL) + negative_response = ISC_TRUE; + + result = dns_message_firstname(message, section); + while (result == ISC_R_SUCCESS) { + name = NULL; + dns_message_currentname(message, section, &name); + if (dns_name_issubdomain(name, &fctx->domain)) { for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { @@ -5041,7 +5121,7 @@ checknamessection(dns_message_t *message, dns_section_t section) { dns_name_t *name; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t *rdataset; - + for (result = dns_message_firstname(message, section); result == ISC_R_SUCCESS; result = dns_message_nextname(message, section)) @@ -5060,7 +5140,7 @@ checknamessection(dns_message_t *message, dns_section_t section) { ISC_FALSE) || !dns_rdata_checknames(&rdata, name, NULL)) { - rdataset->attributes |= + rdataset->attributes |= DNS_RDATASETATTR_CHECKNAMES; } dns_rdata_reset(&rdata); @@ -5599,7 +5679,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { * Add this server to the list of bad servers for * this fctx. */ - add_bad(fctx, &addrinfo->sockaddr, broken_server); + add_bad(fctx, addrinfo, broken_server); } if (get_nameservers) { @@ -5679,7 +5759,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { fctx_done(fctx, result); } else if (result == DNS_R_CHASEDSSERVERS) { unsigned int n; - add_bad(fctx, &addrinfo->sockaddr, result); + add_bad(fctx, addrinfo, result); fctx_cancelqueries(fctx, ISC_TRUE); fctx_cleanupfinds(fctx); fctx_cleanupforwaddrs(fctx); @@ -6534,7 +6614,7 @@ free_algorithm(void *node, void *arg) { isc_mem_put(mctx, algorithms, *algorithms); } - + void dns_resolver_reset_algorithms(dns_resolver_t *resolver) { @@ -6578,7 +6658,7 @@ dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name, mask = 1 << (alg%8); result = dns_rbt_addnode(resolver->algorithms, name, &node); - + if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) { algorithms = node->data; if (algorithms == NULL || len > *algorithms) { @@ -6594,7 +6674,7 @@ dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name, *new = len; node->data = new; if (algorithms != NULL) - isc_mem_put(resolver->mctx, algorithms, + isc_mem_put(resolver->mctx, algorithms, *algorithms); } else algorithms[len-1] |= mask; @@ -6655,12 +6735,12 @@ dns_resolver_resetmustbesecure(dns_resolver_t *resolver) { RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write); #endif } - + static isc_boolean_t yes = ISC_TRUE, no = ISC_FALSE; isc_result_t dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name, - isc_boolean_t value) + isc_boolean_t value) { isc_result_t result; @@ -6675,7 +6755,7 @@ dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name, if (result != ISC_R_SUCCESS) goto cleanup; } - result = dns_rbt_addname(resolver->mustbesecure, name, + result = dns_rbt_addname(resolver->mustbesecure, name, value ? &yes : &no); cleanup: #if USE_MBSLOCK diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c index 9e9c9409039f2..e361452f87810 100644 --- a/lib/dns/rootns.c +++ b/lib/dns/rootns.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rootns.c,v 1.20.2.3.2.5 2004/03/08 09:04:32 marka Exp $ */ +/* $Id: rootns.c,v 1.20.2.3.2.11 2008/02/05 23:45:38 tbox Exp $ */ #include @@ -40,8 +40,6 @@ static char root_ns[] = ";\n" "; Internet Root Nameservers\n" ";\n" -"; Thu Sep 23 17:57:37 PDT 1999\n" -";\n" "$TTL 518400\n" ". 518400 IN NS A.ROOT-SERVERS.NET.\n" ". 518400 IN NS B.ROOT-SERVERS.NET.\n" @@ -57,25 +55,31 @@ static char root_ns[] = ". 518400 IN NS L.ROOT-SERVERS.NET.\n" ". 518400 IN NS M.ROOT-SERVERS.NET.\n" "A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4\n" +"A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:BA3E::2:30\n" "B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201\n" "C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12\n" "D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90\n" "E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10\n" "F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241\n" +"F.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2F::F\n" "G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4\n" "H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53\n" +"H.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:1::803F:235\n" "I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17\n" "J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30\n" +"J.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:C27::2:30\n" "K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129\n" -"L.ROOT-SERVERS.NET. 3600000 IN A 198.32.64.12\n" -"M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33\n"; +"K.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:7FD::1\n" +"L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42\n" +"M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33\n" +"M.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:DC3::35\n"; static isc_result_t in_rootns(dns_rdataset_t *rootns, dns_name_t *name) { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_ns_t ns; - + if (!dns_rdataset_isassociated(rootns)) return (ISC_R_NOTFOUND); @@ -94,7 +98,7 @@ in_rootns(dns_rdataset_t *rootns, dns_name_t *name) { return (result); } -static isc_result_t +static isc_result_t check_node(dns_rdataset_t *rootns, dns_name_t *name, dns_rdatasetiter_t *rdsiter) { isc_result_t result; @@ -222,7 +226,7 @@ dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, * Default to using the Internet root servers. */ result = dns_master_loadbuffer(&source, &db->origin, - &db->origin, db->rdclass, + &db->origin, db->rdclass, DNS_MASTER_HINT, &callbacks, db->mctx); } else diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c index ef22418629ff8..7f1670843fbd8 100644 --- a/lib/dns/sdb.c +++ b/lib/dns/sdb.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdb.c,v 1.35.12.8 2004/07/22 04:01:58 marka Exp $ */ +/* $Id: sdb.c,v 1.35.12.16 2008/01/17 23:45:28 tbox Exp $ */ #include @@ -119,6 +119,10 @@ typedef struct sdb_rdatasetiter { /* This is a reasonable value */ #define SDB_DEFAULT_TTL (60 * 60 * 24) +#ifdef __COVERITY__ +#define MAYBE_LOCK(sdb) LOCK(&sdb->implementation->driverlock) +#define MAYBE_UNLOCK(sdb) UNLOCK(&sdb->implementation->driverlock) +#else #define MAYBE_LOCK(sdb) \ do { \ unsigned int flags = sdb->implementation->flags; \ @@ -132,6 +136,7 @@ typedef struct sdb_rdatasetiter { if ((flags & DNS_SDBFLAG_THREADSAFE) == 0) \ UNLOCK(&sdb->implementation->driverlock); \ } while (0) +#endif static int dummy; @@ -306,7 +311,7 @@ dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval, dns_ttl_t ttl ISC_LIST_INIT(rdatalist->rdata); ISC_LINK_INIT(rdatalist, link); ISC_LIST_APPEND(lookup->lists, rdatalist, link); - } else + } else if (rdatalist->ttl != ttl) return (DNS_R_BADTTL); @@ -333,7 +338,7 @@ dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval, dns_ttl_t ttl isc_mem_put(mctx, rdata, sizeof(dns_rdata_t)); return (result); } - + isc_result_t dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl, @@ -376,7 +381,7 @@ dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl, datalen = strlen(data); size = initial_size(datalen); - for (;;) { + do { isc_buffer_init(&b, data, datalen); isc_buffer_add(&b, datalen); result = isc_lex_openbuffer(lex, &b); @@ -625,7 +630,7 @@ newversion(dns_db_t *db, dns_dbversion_t **versionp) { } static void -attachversion(dns_db_t *db, dns_dbversion_t *source, +attachversion(dns_db_t *db, dns_dbversion_t *source, dns_dbversion_t **targetp) { REQUIRE(source != NULL && source == (void *) &dummy); @@ -782,7 +787,7 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create, return (result); } } - + *nodep = node; return (ISC_R_SUCCESS); } @@ -930,7 +935,8 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, xresult = dns_name_copy(xname, foundname, NULL); if (xresult != ISC_R_SUCCESS) { - destroynode(node); + if (node != NULL) + destroynode(node); if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); return (DNS_R_BADDB); @@ -1109,7 +1115,7 @@ allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, sdb_rdatasetiter_t *iterator; REQUIRE(version == NULL || version == &dummy); - + UNUSED(version); UNUSED(now); diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c index ca793d2b94232..00a6bbcd1fc00 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -16,7 +16,7 @@ */ /* - * $Id: tkey.c,v 1.71.2.1.10.9 2006/01/04 23:50:20 marka Exp $ + * $Id: tkey.c,v 1.71.2.1.10.11 2008/01/02 23:45:33 tbox Exp $ */ #include @@ -379,7 +379,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, isc_buffer_base(&secret), isc_buffer_usedlength(&secret), ISC_TRUE, signer, tkeyin->inception, - tkeyin->expire, msg->mctx, ring, NULL)); + tkeyin->expire, ring->mctx, ring, NULL)); /* This key is good for a long time */ tkeyout->inception = tkeyin->inception; @@ -440,7 +440,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, result = dns_tsigkey_createfromkey(name, &tkeyin->algorithm, dstkey, ISC_TRUE, signer, tkeyin->inception, tkeyin->expire, - msg->mctx, ring, NULL); + ring->mctx, ring, NULL); #if 1 if (result != ISC_R_SUCCESS) goto failure; @@ -1106,7 +1106,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg, result = dns_tsigkey_create(tkeyname, &rtkey.algorithm, r.base, r.length, ISC_TRUE, NULL, rtkey.inception, rtkey.expire, - rmsg->mctx, ring, outkey); + ring->mctx, ring, outkey); isc_buffer_free(&shared); dns_rdata_freestruct(&rtkey); dst_key_free(&theirkey); @@ -1176,7 +1176,7 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg, RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME, dstkey, ISC_TRUE, NULL, rtkey.inception, rtkey.expire, - rmsg->mctx, ring, outkey)); + ring->mctx, ring, outkey)); dns_rdata_freestruct(&rtkey); return (result); diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 9bdde06eb1518..657945d1384a2 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -16,7 +16,7 @@ */ /* - * $Id: tsig.c,v 1.112.2.3.8.10 2006/05/02 04:21:42 marka Exp $ + * $Id: tsig.c,v 1.112.2.3.8.17 2008/01/24 13:06:47 marka Exp $ */ #include @@ -137,6 +137,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, REQUIRE(name != NULL); REQUIRE(algorithm != NULL); REQUIRE(mctx != NULL); + REQUIRE(key != NULL || ring != NULL); tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t)); if (tkey == NULL) @@ -219,7 +220,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, tkey->generated = generated; tkey->inception = inception; tkey->expire = expire; - tkey->mctx = mctx; + tkey->mctx = NULL; + isc_mem_attach(mctx, &tkey->mctx); tkey->magic = TSIG_MAGIC; @@ -314,7 +316,7 @@ tsigkey_free(dns_tsigkey_t *key) { isc_mem_put(key->mctx, key->creator, sizeof(dns_name_t)); } isc_refcount_destroy(&key->refs); - isc_mem_put(key->mctx, key, sizeof(dns_tsigkey_t)); + isc_mem_putanddetach(&key->mctx, key, sizeof(dns_tsigkey_t)); } void @@ -1187,6 +1189,7 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) { result = isc_rwlock_init(&ring->lock, 0, 0); if (result != ISC_R_SUCCESS) { + isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t)); UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_rwlock_init() failed: %s", isc_result_totext(result)); @@ -1201,7 +1204,8 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) { return (result); } - ring->mctx = mctx; + ring->mctx = NULL; + isc_mem_attach(mctx, &ring->mctx); *ringp = ring; return (ISC_R_SUCCESS); @@ -1219,5 +1223,5 @@ dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp) { dns_rbt_destroy(&ring->keys); isc_rwlock_destroy(&ring->lock); - isc_mem_put(ring->mctx, ring, sizeof(dns_tsig_keyring_t)); + isc_mem_putanddetach(&ring->mctx, ring, sizeof(dns_tsig_keyring_t)); } diff --git a/lib/dns/ttl.c b/lib/dns/ttl.c index 1dad0fbad6fa7..27c70c7284b3c 100644 --- a/lib/dns/ttl.c +++ b/lib/dns/ttl.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ttl.c,v 1.21.12.5 2004/03/08 09:04:32 marka Exp $ */ +/* $Id: ttl.c,v 1.21.12.8 2007/08/28 07:19:14 tbox Exp $ */ #include diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 571ad791e7b6c..a32892f3b7d62 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.91.2.5.8.27.6.1 2007/01/11 04:51:39 marka Exp $ */ +/* $Id: validator.c,v 1.91.2.5.8.40 2008/02/19 17:10:55 each Exp $ */ #include @@ -52,7 +52,7 @@ * dlv_validator_start -> validator_start -> validate -> proveunsecure * * validator_start -> validate -> nsecvalidate (secure wildcard answer) - * + * * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV: * validator_start -> startfinddlvsep -> dlv_validator_start -> * validator_start -> validate -> proveunsecure @@ -86,6 +86,7 @@ #define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC) #define VALATTR_SHUTDOWN 0x0001 /*%< Shutting down. */ +#define VALATTR_CANCELED 0x0002 /*%< Cancelled. */ #define VALATTR_TRIEDVERIFY 0x0004 /*%< We have found a key and * have attempted a verify. */ #define VALATTR_INSECURITY 0x0010 /*%< Attempting proveunsecure. */ @@ -112,6 +113,7 @@ #define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0) #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0) +#define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0) static void destroy(dns_validator_t *val); @@ -130,7 +132,8 @@ static isc_result_t nsecvalidate(dns_validator_t *val, isc_boolean_t resume); static isc_result_t -proveunsecure(dns_validator_t *val, isc_boolean_t resume); +proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, + isc_boolean_t resume); static void validator_logv(dns_validator_t *val, isc_logcategory_t *category, @@ -313,7 +316,9 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) { validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator"); LOCK(&val->lock); - if (eresult == ISC_R_SUCCESS) { + if (CANCELED(val)) { + validator_done(val, ISC_R_CANCELED); + } else if (eresult == ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "keyset with trust %d", rdataset->trust); /* @@ -377,7 +382,9 @@ dsfetched(isc_task_t *task, isc_event_t *event) { validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched"); LOCK(&val->lock); - if (eresult == ISC_R_SUCCESS) { + if (CANCELED(val)) { + validator_done(val, ISC_R_CANCELED); + } else if (eresult == ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "dsset with trust %d", rdataset->trust); val->dsset = &val->frdataset; @@ -385,12 +392,14 @@ dsfetched(isc_task_t *task, isc_event_t *event) { if (result != DNS_R_WAIT) validator_done(val, result); } else if (eresult == DNS_R_NXRRSET || - eresult == DNS_R_NCACHENXRRSET) + eresult == DNS_R_NCACHENXRRSET || + eresult == DNS_R_SERVFAIL) /* RFC 1034 parent? */ { validator_log(val, ISC_LOG_DEBUG(3), - "falling back to insecurity proof"); + "falling back to insecurity proof (%s)", + dns_result_totext(eresult)); val->attributes |= VALATTR_INSECURITY; - result = proveunsecure(val, ISC_FALSE); + result = proveunsecure(val, ISC_FALSE, ISC_FALSE); if (result != DNS_R_WAIT) validator_done(val, result); } else { @@ -448,7 +457,9 @@ dsfetched2(isc_task_t *task, isc_event_t *event) { validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s", dns_result_totext(eresult)); LOCK(&val->lock); - if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) { + if (CANCELED(val)) { + validator_done(val, ISC_R_CANCELED); + } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) { /* * There is no DS. If this is a delegation, we're done. */ @@ -467,7 +478,7 @@ dsfetched2(isc_task_t *task, isc_event_t *event) { validator_done(val, result); } } else { - result = proveunsecure(val, ISC_TRUE); + result = proveunsecure(val, ISC_FALSE, ISC_TRUE); if (result != DNS_R_WAIT) validator_done(val, result); } @@ -476,11 +487,12 @@ dsfetched2(isc_task_t *task, isc_event_t *event) { eresult == DNS_R_NCACHENXDOMAIN) { /* - * There is a DS which may or may not be a zone cut. + * There is a DS which may or may not be a zone cut. * In either case we are still in a secure zone resume * validation. */ - result = proveunsecure(val, ISC_TRUE); + result = proveunsecure(val, ISC_TF(eresult == ISC_R_SUCCESS), + ISC_TRUE); if (result != DNS_R_WAIT) validator_done(val, result); } else { @@ -523,7 +535,9 @@ keyvalidated(isc_task_t *task, isc_event_t *event) { validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated"); LOCK(&val->lock); - if (eresult == ISC_R_SUCCESS) { + if (CANCELED(val)) { + validator_done(val, ISC_R_CANCELED); + } else if (eresult == ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "keyset with trust %d", val->frdataset.trust); /* @@ -573,11 +587,13 @@ dsvalidated(isc_task_t *task, isc_event_t *event) { validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated"); LOCK(&val->lock); - if (eresult == ISC_R_SUCCESS) { + if (CANCELED(val)) { + validator_done(val, ISC_R_CANCELED); + } else if (eresult == ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "dsset with trust %d", val->frdataset.trust); if ((val->attributes & VALATTR_INSECURITY) != 0) - result = proveunsecure(val, ISC_TRUE); + result = proveunsecure(val, ISC_TRUE, ISC_TRUE); else result = validatezonekey(val); if (result != DNS_R_WAIT) @@ -613,6 +629,8 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname, unsigned int olabels, nlabels, labels; dns_rdata_nsec_t nsec; isc_boolean_t atparent; + isc_boolean_t ns; + isc_boolean_t soa; REQUIRE(exists != NULL); REQUIRE(data != NULL); @@ -644,9 +662,9 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname, * The names are the same. */ atparent = dns_rdatatype_atparent(val->event->type); - if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) && - !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) - { + ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns); + soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa); + if (ns && !soa) { if (!atparent) { /* * This NSEC record is from somewhere higher in @@ -657,7 +675,7 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname, "ignoring parent nsec"); return (ISC_R_IGNORE); } - } else if (atparent) { + } else if (atparent && ns && soa) { /* * This NSEC record is from the child. * It can not be legitimately used here. @@ -666,12 +684,20 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname, "ignoring child nsec"); return (ISC_R_IGNORE); } - *exists = ISC_TRUE; - *data = dns_nsec_typepresent(&rdata, val->event->type); - validator_log(val, ISC_LOG_DEBUG(3), - "nsec proves name exists (owner) data=%d", - *data); - return (ISC_R_SUCCESS); + if (val->event->type == dns_rdatatype_cname || + val->event->type == dns_rdatatype_nxt || + val->event->type == dns_rdatatype_nsec || + val->event->type == dns_rdatatype_key || + !dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) { + *exists = ISC_TRUE; + *data = dns_nsec_typepresent(&rdata, val->event->type); + validator_log(val, ISC_LOG_DEBUG(3), + "nsec proves name exists (owner) data=%d", + *data); + return (ISC_R_SUCCESS); + } + validator_log(val, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists"); + return (ISC_R_IGNORE); } if (relation == dns_namereln_subdomain && @@ -731,6 +757,7 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname, result = dns_name_concatenate(dns_wildcardname, &common, wild, NULL); if (result != ISC_R_SUCCESS) { + dns_rdata_freestruct(&nsec); validator_log(val, ISC_LOG_DEBUG(3), "failure generating wildcard name"); return (result); @@ -771,7 +798,9 @@ authvalidated(isc_task_t *task, isc_event_t *event) { validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated"); LOCK(&val->lock); - if (result != ISC_R_SUCCESS) { + if (CANCELED(val)) { + validator_done(val, ISC_R_CANCELED); + } else if (result != ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), "authvalidated: got %s", isc_result_totext(result)); @@ -784,7 +813,8 @@ authvalidated(isc_task_t *task, isc_event_t *event) { } } else { dns_name_t **proofs = val->event->proofs; - + dns_name_t *wild = dns_fixedname_name(&val->wild); + if (rdataset->trust == dns_trust_secure) val->seensig = ISC_TRUE; @@ -792,13 +822,12 @@ authvalidated(isc_task_t *task, isc_event_t *event) { rdataset->trust == dns_trust_secure && ((val->attributes & VALATTR_NEEDNODATA) != 0 || (val->attributes & VALATTR_NEEDNOQNAME) != 0) && - (val->attributes & VALATTR_FOUNDNODATA) == 0 && + (val->attributes & VALATTR_FOUNDNODATA) == 0 && (val->attributes & VALATTR_FOUNDNOQNAME) == 0 && nsecnoexistnodata(val, val->event->name, devent->name, - rdataset, &exists, &data, - dns_fixedname_name(&val->wild)) + rdataset, &exists, &data, wild) == ISC_R_SUCCESS) - { + { if (exists && !data) { val->attributes |= VALATTR_FOUNDNODATA; if (NEEDNODATA(val)) @@ -906,7 +935,7 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { /* End of zone chain. */ if (!dns_name_issubdomain(name, &nsec.next)) { /* - * XXXMPA We could look for a parent NSEC + * XXXMPA We could look for a parent NSEC * at nsec.next and if found retest with * this NSEC. */ @@ -943,10 +972,10 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { dns_rdata_freestruct(&nsec); result = DNS_R_NCACHENXDOMAIN; } else if (result != ISC_R_SUCCESS && - result != DNS_R_NCACHENXDOMAIN && - result != DNS_R_NCACHENXRRSET && - result != DNS_R_NXRRSET && - result != ISC_R_NOTFOUND) { + result != DNS_R_NCACHENXDOMAIN && + result != DNS_R_NCACHENXRRSET && + result != DNS_R_NXRRSET && + result != ISC_R_NOTFOUND) { goto notfound; } return (result); @@ -1252,7 +1281,8 @@ isselfsigned(dns_validator_t *val) { { dns_rdata_reset(&rdata); dns_rdataset_current(rdataset, &rdata); - (void)dns_rdata_tostruct(&rdata, &key, NULL); + result = dns_rdata_tostruct(&rdata, &key, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); keytag = compute_keytag(&rdata, &key); for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS; @@ -1260,7 +1290,8 @@ isselfsigned(dns_validator_t *val) { { dns_rdata_reset(&sigrdata); dns_rdataset_current(sigrdataset, &sigrdata); - (void)dns_rdata_tostruct(&sigrdata, &sig, NULL); + result = dns_rdata_tostruct(&sigrdata, &sig, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); if (sig.algorithm == key.algorithm && sig.keyid == keytag) @@ -1501,7 +1532,8 @@ dlv_validatezonekey(dns_validator_t *val) { { dns_rdata_reset(&dlvrdata); dns_rdataset_current(&val->dlv, &dlvrdata); - (void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL); + result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); if (dlv.digest_type != DNS_DSDIGEST_SHA1 || !dns_resolver_algorithm_supported(val->view->resolver, @@ -1520,7 +1552,8 @@ dlv_validatezonekey(dns_validator_t *val) { { dns_rdata_reset(&keyrdata); dns_rdataset_current(&trdataset, &keyrdata); - (void)dns_rdata_tostruct(&keyrdata, &key, NULL); + result = dns_rdata_tostruct(&keyrdata, &key, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); keytag = compute_keytag(&keyrdata, &key); if (dlv.key_tag != keytag || dlv.algorithm != key.algorithm) @@ -1555,7 +1588,8 @@ dlv_validatezonekey(dns_validator_t *val) { dns_rdata_reset(&sigrdata); dns_rdataset_current(val->event->sigrdataset, &sigrdata); - (void)dns_rdata_tostruct(&sigrdata, &sig, NULL); + result = dns_rdata_tostruct(&sigrdata, &sig, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); if (dlv.key_tag != sig.keyid && dlv.algorithm != sig.algorithm) continue; @@ -1651,7 +1685,8 @@ validatezonekey(dns_validator_t *val) { dns_rdata_reset(&sigrdata); dns_rdataset_current(val->event->sigrdataset, &sigrdata); - (void)dns_rdata_tostruct(&sigrdata, &sig, NULL); + result = dns_rdata_tostruct(&sigrdata, &sig, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); result = dns_keytable_findkeynode(val->keytable, val->event->name, sig.algorithm, @@ -1705,7 +1740,7 @@ validatezonekey(dns_validator_t *val) { * the RRset is invalid. */ dns_name_format(val->event->name, namebuf, - sizeof(namebuf)); + sizeof(namebuf)); validator_log(val, ISC_LOG_DEBUG(2), "unable to find a DNSKEY which verifies " "the DNSKEY RRset and also matches one " @@ -1802,7 +1837,8 @@ validatezonekey(dns_validator_t *val) { { dns_rdata_reset(&dsrdata); dns_rdataset_current(val->dsset, &dsrdata); - (void)dns_rdata_tostruct(&dsrdata, &ds, NULL); + result = dns_rdata_tostruct(&dsrdata, &ds, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); if (ds.digest_type != DNS_DSDIGEST_SHA1) continue; @@ -1825,7 +1861,8 @@ validatezonekey(dns_validator_t *val) { { dns_rdata_reset(&keyrdata); dns_rdataset_current(&trdataset, &keyrdata); - (void)dns_rdata_tostruct(&keyrdata, &key, NULL); + result = dns_rdata_tostruct(&keyrdata, &key, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); keytag = compute_keytag(&keyrdata, &key); if (ds.key_tag != keytag || ds.algorithm != key.algorithm) @@ -1844,7 +1881,7 @@ validatezonekey(dns_validator_t *val) { "no DNSKEY matching DS"); continue; } - + for (result = dns_rdataset_first(val->event->sigrdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(val->event->sigrdataset)) @@ -1852,7 +1889,8 @@ validatezonekey(dns_validator_t *val) { dns_rdata_reset(&sigrdata); dns_rdataset_current(val->event->sigrdataset, &sigrdata); - (void)dns_rdata_tostruct(&sigrdata, &sig, NULL); + result = dns_rdata_tostruct(&sigrdata, &sig, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); if (ds.key_tag != sig.keyid || ds.algorithm != sig.algorithm) continue; @@ -1923,7 +1961,7 @@ start_positive_validation(dns_validator_t *val) { * exclusive we stop when one is found. * * Returns - * \li ISC_R_SUCCESS + * \li ISC_R_SUCCESS */ static isc_result_t checkwildcard(dns_validator_t *val) { @@ -2044,12 +2082,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) { if (rdataset->type == dns_rdatatype_rrsig) continue; - if (rdataset->type == dns_rdatatype_soa) { - val->soaset = rdataset; - val->soaname = name; - } else if (rdataset->type == dns_rdatatype_nsec) - val->nsecset = rdataset; - for (sigrdataset = ISC_LIST_HEAD(name->list); sigrdataset != NULL; sigrdataset = ISC_LIST_NEXT(sigrdataset, @@ -2151,7 +2183,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) { "nonexistence proof(s) not found"); val->attributes |= VALATTR_AUTHNONPENDING; val->attributes |= VALATTR_INSECURITY; - return (proveunsecure(val, ISC_FALSE)); + return (proveunsecure(val, ISC_FALSE, ISC_FALSE)); } static isc_boolean_t @@ -2164,7 +2196,8 @@ check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) { result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { dns_rdataset_current(rdataset, &dsrdata); - (void)dns_rdata_tostruct(&dsrdata, &ds, NULL); + result = dns_rdata_tostruct(&dsrdata, &ds, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); if (ds.digest_type == DNS_DSDIGEST_SHA1 && dns_resolver_algorithm_supported(val->view->resolver, @@ -2179,7 +2212,7 @@ check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) { /*% * Callback from fetching a DLV record. - * + * * Resumes the DLV lookup process. */ static void @@ -2253,7 +2286,7 @@ dlvfetched(isc_task_t *task, isc_event_t *event) { /*% * Start the DLV lookup proccess. - * + * * Returns * \li ISC_R_SUCCESS * \li DNS_R_WAIT @@ -2329,6 +2362,10 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) { dns_fixedname_init(&val->dlvsep); dlvsep = dns_fixedname_name(&val->dlvsep); dns_name_copy(val->event->name, dlvsep, NULL); + /* + * If this is a response to a DS query, we need to look in + * the parent zone for the trust anchor. + */ if (val->event->type == dns_rdatatype_ds) { labels = dns_name_countlabels(dlvsep); if (labels == 0) @@ -2419,7 +2456,8 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) { * \li DNS_R_NOTINSECURE */ static isc_result_t -proveunsecure(dns_validator_t *val, isc_boolean_t resume) { +proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume) +{ isc_result_t result; dns_fixedname_t fixedsecroot; dns_name_t *secroot; @@ -2431,10 +2469,17 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { if (val->havedlvsep) dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL); else { + dns_name_copy(val->event->name, secroot, NULL); + /* + * If this is a response to a DS query, we need to look in + * the parent zone for the trust anchor. + */ + if (val->event->type == dns_rdatatype_ds && + dns_name_countlabels(secroot) > 1U) + dns_name_split(secroot, 1, NULL, secroot); result = dns_keytable_finddeepestmatch(val->keytable, - val->event->name, - secroot); - + secroot, secroot); + if (result == ISC_R_NOTFOUND) { validator_log(val, ISC_LOG_DEBUG(3), "not beneath secure root"); @@ -2460,12 +2505,19 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { val->labels = dns_name_countlabels(secroot) + 1; } else { validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure"); - if (val->frdataset.trust >= dns_trust_secure && + /* + * If we have a DS rdataset and it is secure then check if + * the DS rdataset has a supported algorithm combination. + * If not this is a insecure delegation as far as this + * resolver is concerned. Fall back to DLV if available. + */ + if (have_ds && val->frdataset.trust >= dns_trust_secure && !check_ds(val, dns_fixedname_name(&val->fname), &val->frdataset)) { dns_name_format(dns_fixedname_name(&val->fname), namebuf, sizeof(namebuf)); - if (val->mustbesecure) { + if ((val->view->dlv == NULL || DLVTRIED(val)) && + val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure at '%s'", namebuf); @@ -2506,11 +2558,21 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) { namebuf); result = view_find(val, tname, dns_rdatatype_ds); + if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) { /* * There is no DS. If this is a delegation, * we maybe done. */ + if (val->frdataset.trust == dns_trust_pending) { + result = create_fetch(val, tname, + dns_rdatatype_ds, + dsfetched2, + "proveunsecure"); + if (result != ISC_R_SUCCESS) + goto out; + return (DNS_R_WAIT); + } if (val->frdataset.trust < dns_trust_secure) { /* * This shouldn't happen, since the negative @@ -2699,7 +2761,7 @@ validator_start(isc_task_t *task, isc_event_t *event) { validator_log(val, ISC_LOG_DEBUG(3), "falling back to insecurity proof"); val->attributes |= VALATTR_INSECURITY; - result = proveunsecure(val, ISC_FALSE); + result = proveunsecure(val, ISC_FALSE, ISC_FALSE); if (result == DNS_R_NOTINSECURE) result = saved_result; } @@ -2713,7 +2775,7 @@ validator_start(isc_task_t *task, isc_event_t *event) { "attempting insecurity proof"); val->attributes |= VALATTR_INSECURITY; - result = proveunsecure(val, ISC_FALSE); + result = proveunsecure(val, ISC_FALSE, ISC_FALSE); } else if (val->event->rdataset == NULL && val->event->sigrdataset == NULL) { @@ -2759,7 +2821,6 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, dns_validatorevent_t *event; REQUIRE(name != NULL); - REQUIRE(type != 0); REQUIRE(rdataset != NULL || (rdataset == NULL && sigrdataset == NULL && message != NULL)); REQUIRE(validatorp != NULL && *validatorp == NULL); @@ -2812,9 +2873,6 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, val->keyset = NULL; val->dsset = NULL; dns_rdataset_init(&val->dlv); - val->soaset = NULL; - val->nsecset = NULL; - val->soaname = NULL; val->seensig = ISC_FALSE; val->havedlvsep = ISC_FALSE; val->depth = 0; @@ -2878,6 +2936,7 @@ dns_validator_cancel(dns_validator_t *validator) { isc_event_free((isc_event_t **)&validator->event); isc_task_detach(&task); } + validator->attributes |= VALATTR_CANCELED; } UNLOCK(&validator->lock); } diff --git a/lib/dns/version.c b/lib/dns/version.c index 6b043ab5a8724..527f8609b1c6b 100644 --- a/lib/dns/version.c +++ b/lib/dns/version.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.c,v 1.9.12.3 2004/03/08 09:04:33 marka Exp $ */ +/* $Id: version.c,v 1.9.12.6 2007/08/28 07:19:14 tbox Exp $ */ #include diff --git a/lib/dns/view.c b/lib/dns/view.c index ac7af61639de0..90b7e938b3cb7 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.c,v 1.103.2.5.2.14 2004/03/10 02:55:58 marka Exp $ */ +/* $Id: view.c,v 1.103.2.5.2.17 2007/08/28 07:19:14 tbox Exp $ */ #include @@ -679,6 +679,7 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, REQUIRE(view->frozen); REQUIRE(type != dns_rdatatype_rrsig); REQUIRE(rdataset != NULL); /* XXXBEW - remove this */ + REQUIRE(nodep == NULL || *nodep == NULL); /* * Initialize. diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index fdeed14bd6e67..432569a4e40df 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrin.c,v 1.124.2.4.2.16 2006/07/19 01:04:24 marka Exp $ */ +/* $Id: xfrin.c,v 1.124.2.4.2.21 2007/10/31 01:59:03 marka Exp $ */ #include @@ -717,6 +717,11 @@ xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) { result = DNS_R_BADIXFR; } xfrin_cancelio(xfr); + /* + * Close the journal. + */ + if (xfr->ixfr.journal != NULL) + dns_journal_destroy(&xfr->ixfr.journal); if (xfr->done != NULL) { (xfr->done)(xfr->zone, result); xfr->done = NULL; @@ -1038,6 +1043,7 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) { xfr->checkid = ISC_TRUE; xfr->id++; + xfr->nmsg = 0; msg->id = xfr->id; CHECK(render(msg, xfr->mctx, &xfr->qbuffer)); @@ -1298,6 +1304,11 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) { xfr->state = XFRST_INITIALSOA; CHECK(xfrin_send_request(xfr)); } else if (xfr->state == XFRST_END) { + /* + * Close the journal. + */ + if (xfr->ixfr.journal != NULL) + dns_journal_destroy(&xfr->ixfr.journal); /* * Inform the caller we succeeded. */ diff --git a/lib/dns/zone.c b/lib/dns/zone.c index d2a47b072b2fd..605e336d121ce 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.333.2.23.2.65 2006/07/19 01:04:24 marka Exp $ */ +/* $Id: zone.c,v 1.333.2.23.2.73 2007/12/02 22:31:33 marka Exp $ */ #include @@ -220,6 +220,11 @@ struct dns_zone { * Optional per-zone statistics counters (NULL if not present). */ isc_uint64_t *counters; + + /*% + * Serial number for deferred journal compaction. + */ + isc_uint32_t compact_serial; }; #define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0)) @@ -265,6 +270,7 @@ struct dns_zone { #define DNS_ZONEFLG_NOEDNS 0x00400000U #define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U #define DNS_ZONEFLG_SOABEFOREAXFR 0x01000000U +#define DNS_ZONEFLG_NEEDCOMPACT 0x02000000U #define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0) @@ -997,6 +1003,7 @@ zone_load(dns_zone_t *zone, unsigned int flags) { result = isc_file_getmodtime(zone->masterfile, &filetime); if (result == ISC_R_SUCCESS && + DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) && isc_time_compare(&filetime, &zone->loadtime) <= 0) { dns_zone_log(zone, ISC_LOG_DEBUG(1), "skipping load: master file older " @@ -1255,6 +1262,75 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) { return (result); } +/* + * OpenSSL verification of RSA keys with exponent 3 is known to be + * broken prior OpenSSL 0.9.8c/0.9.7k. Look for such keys and warn + * if they are in use. + */ +static void +zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { + dns_dbnode_t *node = NULL; + dns_dbversion_t *version = NULL; + dns_rdata_dnskey_t dnskey; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_t rdataset; + isc_result_t result; + isc_boolean_t logit, foundrsa = ISC_FALSE, foundmd5 = ISC_FALSE; + const char *algorithm; + + result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node); + if (result != ISC_R_SUCCESS) + goto cleanup; + + dns_db_currentversion(db, &version); + dns_rdataset_init(&rdataset); + result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, + dns_rdatatype_none, 0, &rdataset, NULL); + if (result != ISC_R_SUCCESS) + goto cleanup; + + for (result = dns_rdataset_first(&rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) + { + dns_rdataset_current(&rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &dnskey, NULL); + INSIST(result == ISC_R_SUCCESS); + + if ((dnskey.algorithm == DST_ALG_RSASHA1 || + dnskey.algorithm == DST_ALG_RSAMD5) && + dnskey.datalen > 1 && dnskey.data[0] == 1 && + dnskey.data[1] == 3) + { + if (dnskey.algorithm == DST_ALG_RSASHA1) { + logit = !foundrsa; + foundrsa = ISC_TRUE; + algorithm = "RSASHA1"; + } else { + logit = !foundmd5; + foundmd5 = ISC_TRUE; + algorithm = "RSAMD5"; + } + if (logit) + dns_zone_log(zone, ISC_LOG_WARNING, + "weak %s (%u) key found " + "(exponent=3)", algorithm, + dnskey.algorithm); + if (foundrsa && foundmd5) + break; + } + dns_rdata_reset(&rdata); + } + dns_rdataset_disassociate(&rdataset); + + cleanup: + if (node != NULL) + dns_db_detachnode(db, &node); + if (version != NULL) + dns_db_closeversion(db, &version, ISC_FALSE); + +} + static isc_result_t zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, isc_result_t result) @@ -1441,6 +1517,12 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, } + /* + * Check for weak DNSKEY's. + */ + if (zone->type == dns_zone_master) + zone_check_dnskeys(zone, db); + #if 0 /* destroy notification example. */ { @@ -1979,6 +2061,37 @@ dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters, return (result); } +static isc_boolean_t +same_masters(const isc_sockaddr_t *old, const isc_sockaddr_t *new, + isc_uint32_t count) +{ + unsigned int i; + + for (i = 0; i < count; i++) + if (!isc_sockaddr_equal(&old[i], &new[i])) + return (ISC_FALSE); + return (ISC_TRUE); +} + +static isc_boolean_t +same_keynames(dns_name_t **old, dns_name_t **new, isc_uint32_t count) { + unsigned int i; + + if (old == NULL && new == NULL) + return (ISC_TRUE); + if (old == NULL || new == NULL) + return (ISC_FALSE); + + for (i = 0; i < count; i++) { + if (old[i] == NULL && new[i] == NULL) + continue; + if (old[i] == NULL || new[i] == NULL || + !dns_name_equal(old[i], new[i])) + return (ISC_FALSE); + } + return (ISC_TRUE); +} + isc_result_t dns_zone_setmasterswithkeys(dns_zone_t *zone, const isc_sockaddr_t *masters, @@ -1998,6 +2111,19 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone, } LOCK_ZONE(zone); + /* + * The refresh code assumes that 'masters' wouldn't change under it. + * If it will change then kill off any current refresh in progress + * and update the masters info. If it won't change then we can just + * unlock and exit. + */ + if (count != zone->masterscnt || + !same_masters(zone->masters, masters, count) || + !same_keynames(zone->masterkeynames, keynames, count)) { + if (zone->request != NULL) + dns_request_cancel(zone->request); + } else + goto unlock; if (zone->masters != NULL) { isc_mem_put(zone->mctx, zone->masters, zone->masterscnt * sizeof(*new)); @@ -2424,6 +2550,9 @@ dump_done(void *arg, isc_result_t result) { dns_db_t *db; dns_dbversion_t *version; isc_boolean_t again = ISC_FALSE; + isc_boolean_t compact = ISC_FALSE; + isc_uint32_t serial; + isc_result_t tresult; REQUIRE(DNS_ZONE_VALID(zone)); @@ -2431,8 +2560,6 @@ dump_done(void *arg, isc_result_t result) { if (result == ISC_R_SUCCESS && zone->journal != NULL && zone->journalsize != -1) { - isc_uint32_t serial; - isc_result_t tresult; /* * We don't own these, zone->dctx must stay valid. @@ -2441,7 +2568,11 @@ dump_done(void *arg, isc_result_t result) { version = dns_dumpctx_version(zone->dctx); tresult = dns_db_getsoaserial(db, version, &serial); - if (tresult == ISC_R_SUCCESS) { + /* + * Note: we are task locked here so we can test + * zone->xfr safely. + */ + if (tresult == ISC_R_SUCCESS && zone->xfr == NULL) { tresult = dns_journal_compact(zone->mctx, zone->journal, serial, @@ -2460,11 +2591,16 @@ dump_done(void *arg, isc_result_t result) { dns_result_totext(tresult)); break; } + } else if (tresult == ISC_R_SUCCESS) { + compact = ISC_TRUE; + zone->compact_serial = serial; } } LOCK_ZONE(zone); DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING); + if (compact) + DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT); if (result != ISC_R_SUCCESS && result != ISC_R_CANCELED) { /* * Try again in a short while. @@ -2880,7 +3016,7 @@ notify_send_toaddr(isc_task_t *task, isc_event_t *event) { */ if (isc_sockaddr_pf(¬ify->dst) == PF_INET6 && IN6_IS_ADDR_V4MAPPED(¬ify->dst.type.sin6.sin6_addr)) { - isc_sockaddr_format(¬ify->dst, addrbuf, sizeof(addrbuf)); + isc_sockaddr_format(¬ify->dst, addrbuf, sizeof(addrbuf)); notify_log(notify->zone, ISC_LOG_DEBUG(3), "notify: ignoring IPv6 mapped IPV4 address: %s", addrbuf); @@ -4068,7 +4204,7 @@ soa_query(isc_task_t *task, isc_event_t *event) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(keyname, namebuf, sizeof(namebuf)); dns_zone_log(zone, ISC_LOG_ERROR, - "unable to find key: %s", namebuf); + "unable to find key: %s", namebuf); } } if (key == NULL) @@ -4284,7 +4420,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(keyname, namebuf, sizeof(namebuf)); dns_zone_log(zone, ISC_LOG_ERROR, - "unable to find key: %s", namebuf); + "unable to find key: %s", namebuf); } } if (key == NULL) @@ -4367,7 +4503,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) { if (message != NULL) dns_message_destroy(&message); unlock: - if (key != NULL) + if (key != NULL) dns_tsigkey_detach(&key); UNLOCK_ZONE(zone); return; @@ -4600,7 +4736,6 @@ notify_createmessage(dns_zone_t *zone, unsigned int flags, REQUIRE(DNS_ZONE_VALID(zone)); REQUIRE(messagep != NULL && *messagep == NULL); - message = NULL; result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER, &message); if (result != ISC_R_SUCCESS) @@ -4720,8 +4855,7 @@ notify_createmessage(dns_zone_t *zone, unsigned int flags, dns_message_puttempname(message, &tempname); if (temprdataset != NULL) dns_message_puttemprdataset(message, &temprdataset); - if (message != NULL) - dns_message_destroy(&message); + dns_message_destroy(&message); return (result); } @@ -5708,6 +5842,30 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) { if (zone->tsigkey != NULL) dns_tsigkey_detach(&zone->tsigkey); + /* + * Handle any deferred journal compaction. + */ + if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDCOMPACT)) { + result = dns_journal_compact(zone->mctx, zone->journal, + zone->compact_serial, + zone->journalsize); + switch (result) { + case ISC_R_SUCCESS: + case ISC_R_NOSPACE: + case ISC_R_NOTFOUND: + dns_zone_log(zone, ISC_LOG_DEBUG(3), + "dns_journal_compact: %s", + dns_result_totext(result)); + break; + default: + dns_zone_log(zone, ISC_LOG_ERROR, + "dns_journal_compact failed: %s", + dns_result_totext(result)); + break; + } + DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT); + } + /* * This transfer finishing freed up a transfer quota slot. * Let any other zones waiting for quota have it. @@ -6775,7 +6933,7 @@ zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) { if (result != ISC_R_SUCCESS) goto cleanup; - dns_zone_log(zone, ISC_LOG_INFO, "saved '%s' as '%s'", + dns_zone_log(zone, ISC_LOG_WARNING, "saved '%s' as '%s'", path, buf); cleanup: diff --git a/lib/dns/zt.c b/lib/dns/zt.c index 7aa6a9f4c96ef..a72eb6acaad08 100644 --- a/lib/dns/zt.c +++ b/lib/dns/zt.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zt.c,v 1.33.12.6 2004/03/08 21:06:28 marka Exp $ */ +/* $Id: zt.c,v 1.33.12.9 2007/08/28 07:19:14 tbox Exp $ */ #include diff --git a/lib/isc/api b/lib/isc/api index b4d017358ad1e..f94ca40025eca 100644 --- a/lib/isc/api +++ b/lib/isc/api @@ -1,3 +1,3 @@ LIBINTERFACE = 12 -LIBREVISION = 1 +LIBREVISION = 3 LIBAGE = 1 diff --git a/lib/isc/buffer.c b/lib/isc/buffer.c index 30ce529e500af..0cf6fc2c4bedc 100644 --- a/lib/isc/buffer.c +++ b/lib/isc/buffer.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: buffer.c,v 1.36.12.2 2004/03/08 09:04:48 marka Exp $ */ +/* $Id: buffer.c,v 1.36.12.5 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/event.c b/lib/isc/event.c index f767870ee8053..adcf78fb26cf2 100644 --- a/lib/isc/event.c +++ b/lib/isc/event.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: event.c,v 1.15.12.3 2004/03/08 09:04:48 marka Exp $ */ +/* $Id: event.c,v 1.15.12.6 2007/08/28 07:19:15 tbox Exp $ */ /* * Principal Author: Bob Halley diff --git a/lib/isc/heap.c b/lib/isc/heap.c index fd67d7bd78975..05129ce17f614 100644 --- a/lib/isc/heap.c +++ b/lib/isc/heap.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1997-2001 Internet Software Consortium. + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1997-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: heap.c,v 1.28.12.4 2006/04/17 18:27:20 explorer Exp $ */ +/* $Id: heap.c,v 1.28.12.7 2007/08/28 07:19:15 tbox Exp $ */ /*! \file * Heap implementation of priority queues adapted from the following: diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c index 5166a98cf6ee8..8f96f3a5f6de1 100644 --- a/lib/isc/hmacmd5.c +++ b/lib/isc/hmacmd5.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: hmacmd5.c,v 1.5.12.5 2006/02/26 23:49:48 marka Exp $ */ +/* $Id: hmacmd5.c,v 1.5.12.8 2007/08/28 07:19:15 tbox Exp $ */ /* * This code implements the HMAC-MD5 keyed hash algorithm diff --git a/lib/isc/include/isc/buffer.h b/lib/isc/include/isc/buffer.h index 02b82bcbacc5d..4c156469f17f5 100644 --- a/lib/isc/include/isc/buffer.h +++ b/lib/isc/include/isc/buffer.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: buffer.h,v 1.39.12.2 2004/03/08 09:04:51 marka Exp $ */ +/* $Id: buffer.h,v 1.39.12.5 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_BUFFER_H #define ISC_BUFFER_H 1 diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h index 7200a127e62f2..67ba5091b77c5 100644 --- a/lib/isc/include/isc/entropy.h +++ b/lib/isc/include/isc/entropy.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: entropy.h,v 1.23.2.1.10.1 2004/03/06 08:14:40 marka Exp $ */ +/* $Id: entropy.h,v 1.23.2.1.10.4 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_ENTROPY_H #define ISC_ENTROPY_H 1 diff --git a/lib/isc/include/isc/event.h b/lib/isc/include/isc/event.h index 58ef2c32849f0..705a401c4af9f 100644 --- a/lib/isc/include/isc/event.h +++ b/lib/isc/include/isc/event.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: event.h,v 1.24.2.2.8.2 2004/04/15 02:10:41 marka Exp $ */ +/* $Id: event.h,v 1.24.2.2.8.5 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_EVENT_H #define ISC_EVENT_H 1 diff --git a/lib/isc/include/isc/file.h b/lib/isc/include/isc/file.h index 6de6c8a82f20b..a0be041d972d4 100644 --- a/lib/isc/include/isc/file.h +++ b/lib/isc/include/isc/file.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: file.h,v 1.24.12.3 2004/03/08 09:04:51 marka Exp $ */ +/* $Id: file.h,v 1.24.12.6 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_FILE_H #define ISC_FILE_H 1 diff --git a/lib/isc/include/isc/ipv6.h b/lib/isc/include/isc/ipv6.h index 8b4b0eb31f6a1..353c2014a401b 100644 --- a/lib/isc/include/isc/ipv6.h +++ b/lib/isc/include/isc/ipv6.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ipv6.h,v 1.17.12.4 2004/03/09 05:21:09 marka Exp $ */ +/* $Id: ipv6.h,v 1.17.12.7 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_IPV6_H #define ISC_IPV6_H 1 diff --git a/lib/isc/include/isc/lex.h b/lib/isc/include/isc/lex.h index 29bdb2fed7caa..60e342b21d720 100644 --- a/lib/isc/include/isc/lex.h +++ b/lib/isc/include/isc/lex.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lex.h,v 1.26.2.2.8.3 2004/03/08 09:04:51 marka Exp $ */ +/* $Id: lex.h,v 1.26.2.2.8.6 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_LEX_H #define ISC_LEX_H 1 diff --git a/lib/isc/include/isc/lib.h b/lib/isc/include/isc/lib.h index 1ad449311fb20..cd15de43fbf0f 100644 --- a/lib/isc/include/isc/lib.h +++ b/lib/isc/include/isc/lib.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:51 marka Exp $ */ +/* $Id: lib.h,v 1.6.12.6 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_LIB_H #define ISC_LIB_H 1 diff --git a/lib/isc/include/isc/list.h b/lib/isc/include/isc/list.h index 5fe82e3fe51de..4c304a80c8b8c 100644 --- a/lib/isc/include/isc/list.h +++ b/lib/isc/include/isc/list.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1997-2002 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1997-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: list.h,v 1.18.2.2.8.3 2006/06/06 00:11:40 marka Exp $ */ +/* $Id: list.h,v 1.18.2.2.8.6 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_LIST_H #define ISC_LIST_H 1 diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h index 97aeba0c2425a..f244df625088d 100644 --- a/lib/isc/include/isc/log.h +++ b/lib/isc/include/isc/log.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.h,v 1.39.2.4.2.7 2004/04/10 04:31:40 marka Exp $ */ +/* $Id: log.h,v 1.39.2.4.2.10 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_LOG_H #define ISC_LOG_H 1 diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h index 64559240808e4..bb94f5236b571 100644 --- a/lib/isc/include/isc/mem.h +++ b/lib/isc/include/isc/mem.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1997-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1997-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mem.h,v 1.54.12.4 2004/10/11 05:55:51 marka Exp $ */ +/* $Id: mem.h,v 1.54.12.7 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_MEM_H #define ISC_MEM_H 1 diff --git a/lib/isc/include/isc/netaddr.h b/lib/isc/include/isc/netaddr.h index ad3328c47cdf8..38435300694e4 100644 --- a/lib/isc/include/isc/netaddr.h +++ b/lib/isc/include/isc/netaddr.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: netaddr.h,v 1.18.12.9 2005/07/29 00:13:10 marka Exp $ */ +/* $Id: netaddr.h,v 1.18.12.12 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_NETADDR_H #define ISC_NETADDR_H 1 diff --git a/lib/isc/include/isc/netscope.h b/lib/isc/include/isc/netscope.h index 7cc0f182d7424..6aa0e12b5b74d 100644 --- a/lib/isc/include/isc/netscope.h +++ b/lib/isc/include/isc/netscope.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2002, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: netscope.h,v 1.4.142.5 2004/03/08 09:04:52 marka Exp $ */ +/* $Id: netscope.h,v 1.4.142.8 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_NETSCOPE_H #define ISC_NETSCOPE_H 1 diff --git a/lib/isc/include/isc/parseint.h b/lib/isc/include/isc/parseint.h index c877131c94fe1..ab1ff24ce4eb6 100644 --- a/lib/isc/include/isc/parseint.h +++ b/lib/isc/include/isc/parseint.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001, 2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: parseint.h,v 1.2.202.4 2004/03/08 09:04:52 marka Exp $ */ +/* $Id: parseint.h,v 1.2.202.7 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_PARSEINT_H #define ISC_PARSEINT_H 1 diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in index 7a803d7dfb987..9c4edabb5facc 100644 --- a/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: platform.h.in,v 1.24.2.1.10.11 2004/03/08 09:04:52 marka Exp $ */ +/* $Id: platform.h.in,v 1.24.2.1.10.13 2007/09/13 23:45:58 tbox Exp $ */ #ifndef ISC_PLATFORM_H #define ISC_PLATFORM_H 1 @@ -24,6 +24,11 @@ ***** Platform-dependent defines. *****/ +/* + * Define if the platform has . + */ +@ISC_PLATFORM_HAVESTRINGSH@ + /*** *** Network. ***/ diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h index 4044118747b35..c78993c2bfd45 100644 --- a/lib/isc/include/isc/quota.h +++ b/lib/isc/include/isc/quota.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: quota.h,v 1.8.12.6 2005/08/11 15:00:08 marka Exp $ */ +/* $Id: quota.h,v 1.8.12.9 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_QUOTA_H #define ISC_QUOTA_H 1 diff --git a/lib/isc/include/isc/ratelimiter.h b/lib/isc/include/isc/ratelimiter.h index 2acab34b5ad9b..42614546d3cdf 100644 --- a/lib/isc/include/isc/ratelimiter.h +++ b/lib/isc/include/isc/ratelimiter.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ratelimiter.h,v 1.13.14.3 2004/03/08 09:04:53 marka Exp $ */ +/* $Id: ratelimiter.h,v 1.13.14.6 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_RATELIMITER_H #define ISC_RATELIMITER_H 1 diff --git a/lib/isc/include/isc/region.h b/lib/isc/include/isc/region.h index 5622394aaf437..738f68fae671a 100644 --- a/lib/isc/include/isc/region.h +++ b/lib/isc/include/isc/region.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: region.h,v 1.16.12.3 2004/03/08 09:04:53 marka Exp $ */ +/* $Id: region.h,v 1.16.12.6 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_REGION_H #define ISC_REGION_H 1 diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h index 93f7cefbd658b..e45d88d40b93f 100644 --- a/lib/isc/include/isc/result.h +++ b/lib/isc/include/isc/result.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2001, 2003 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.h,v 1.57.2.2.8.5 2004/05/15 03:46:13 jinmei Exp $ */ +/* $Id: result.h,v 1.57.2.2.8.8 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_RESULT_H #define ISC_RESULT_H 1 diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h index 9dcadb213caff..324a61a19e460 100644 --- a/lib/isc/include/isc/socket.h +++ b/lib/isc/include/isc/socket.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.h,v 1.54.12.4 2004/03/08 09:04:53 marka Exp $ */ +/* $Id: socket.h,v 1.54.12.7 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_SOCKET_H #define ISC_SOCKET_H 1 diff --git a/lib/isc/include/isc/string.h b/lib/isc/include/isc/string.h index 4fbfe1909cb90..3e9146b530fb9 100644 --- a/lib/isc/include/isc/string.h +++ b/lib/isc/include/isc/string.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,17 +15,21 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: string.h,v 1.9.164.3 2004/03/06 08:14:49 marka Exp $ */ +/* $Id: string.h,v 1.9.164.5 2007/09/13 23:45:58 tbox Exp $ */ #ifndef ISC_STRING_H #define ISC_STRING_H 1 -#include - #include #include #include +#include + +#ifdef ISC_PLATFORM_HAVESTRINGSH +#include +#endif + ISC_LANG_BEGINDECLS isc_uint64_t diff --git a/lib/isc/include/isc/timer.h b/lib/isc/include/isc/timer.h index 439c943dad531..3e8d3d593524f 100644 --- a/lib/isc/include/isc/timer.h +++ b/lib/isc/include/isc/timer.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: timer.h,v 1.28.12.6 2005/10/27 00:27:30 marka Exp $ */ +/* $Id: timer.h,v 1.28.12.9 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_TIMER_H #define ISC_TIMER_H 1 diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h index c2798d6df0c79..f7614cfaff73c 100644 --- a/lib/isc/include/isc/util.h +++ b/lib/isc/include/isc/util.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: util.h,v 1.21.12.5 2004/03/08 09:04:53 marka Exp $ */ +/* $Id: util.h,v 1.21.12.8 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_UTIL_H #define ISC_UTIL_H 1 diff --git a/lib/isc/include/isc/version.h b/lib/isc/include/isc/version.h index 3da836c3e8ddb..3e5270d541a92 100644 --- a/lib/isc/include/isc/version.h +++ b/lib/isc/include/isc/version.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.h,v 1.2.220.3 2004/03/08 09:04:54 marka Exp $ */ +/* $Id: version.h,v 1.2.220.6 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/inet_aton.c b/lib/isc/inet_aton.c index 530b0103bab09..f82c9e8355a9e 100644 --- a/lib/isc/inet_aton.c +++ b/lib/isc/inet_aton.c @@ -1,8 +1,8 @@ /* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 1996-2001 Internet Software Consortium. + * Portions Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 1996-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -70,7 +70,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; -static char rcsid[] = "$Id: inet_aton.c,v 1.15.12.3 2004/03/08 09:04:49 marka Exp $"; +static char rcsid[] = "$Id: inet_aton.c,v 1.15.12.6 2007/08/28 07:19:15 tbox Exp $"; #endif /* LIBC_SCCS and not lint */ #include diff --git a/lib/isc/inet_ntop.c b/lib/isc/inet_ntop.c index 6dadd736e9535..4877eef93d580 100644 --- a/lib/isc/inet_ntop.c +++ b/lib/isc/inet_ntop.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1996-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1996-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -17,7 +17,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static char rcsid[] = - "$Id: inet_ntop.c,v 1.12.12.4 2004/08/28 06:25:21 marka Exp $"; + "$Id: inet_ntop.c,v 1.12.12.7 2007/08/28 07:19:15 tbox Exp $"; #endif /* LIBC_SCCS and not lint */ #include diff --git a/lib/isc/lfsr.c b/lib/isc/lfsr.c index 6d5b7ff82385f..4a30154c15f11 100644 --- a/lib/isc/lfsr.c +++ b/lib/isc/lfsr.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lfsr.c,v 1.11.2.2.2.6 2005/10/14 01:38:50 marka Exp $ */ +/* $Id: lfsr.c,v 1.11.2.2.2.9 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/lib.c b/lib/isc/lib.c index fa30abf13a19f..be7d16e5ebec2 100644 --- a/lib/isc/lib.c +++ b/lib/isc/lib.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lib.c,v 1.8.12.3 2004/03/08 09:04:49 marka Exp $ */ +/* $Id: lib.c,v 1.8.12.6 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/mem.c b/lib/isc/mem.c index f5069fb7dc176..8bfe967295c9b 100644 --- a/lib/isc/mem.c +++ b/lib/isc/mem.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1997-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mem.c,v 1.98.2.7.2.7 2005/03/17 03:58:32 marka Exp $ */ +/* $Id: mem.c,v 1.98.2.7.2.12 2007/11/26 23:45:51 tbox Exp $ */ #include @@ -191,7 +191,7 @@ struct isc_mempool { if ((isc_mem_debugging & (ISC_MEM_DEBUGTRACE | \ ISC_MEM_DEBUGRECORD)) != 0 && \ b != NULL) \ - add_trace_entry(a, b, c, d, e); \ + add_trace_entry(a, b, c, d, e); \ } while (0) #define DELETE_TRACE(a, b, c, d, e) delete_trace_entry(a, b, c, d, e) @@ -313,7 +313,7 @@ delete_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size, static inline size_t rmsize(size_t size) { /* - * round down to ALIGNMENT_SIZE + * round down to ALIGNMENT_SIZE */ return (size & (~(ALIGNMENT_SIZE - 1))); } @@ -859,7 +859,7 @@ destroy(isc_mem_t *ctx) { dl != NULL; dl = ISC_LIST_HEAD(ctx->debuglist[i])) { ISC_LIST_UNLINK(ctx->debuglist[i], - dl, link); + dl, link); free(dl); } } @@ -884,7 +884,8 @@ destroy(isc_mem_t *ctx) { for (i = 0; i < ctx->basic_table_count; i++) (ctx->memfree)(ctx->arg, ctx->basic_table[i]); (ctx->memfree)(ctx->arg, ctx->freelists); - (ctx->memfree)(ctx->arg, ctx->basic_table); + if (ctx->basic_table != NULL) + (ctx->memfree)(ctx->arg, ctx->basic_table); #endif /* ISC_MEM_USE_INTERNAL_MALLOC */ ondest = ctx->ondestroy; @@ -1105,7 +1106,7 @@ print_active(isc_mem_t *mctx, FILE *out) { "memory allocations:\n")); found = ISC_FALSE; format = isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM, - ISC_MSG_PTRFILELINE, + ISC_MSG_PTRFILELINE, "\tptr %p size %u file %s line %u\n"); for (i = 0; i <= mctx->max_size; i++) { dl = ISC_LIST_HEAD(mctx->debuglist[i]); @@ -1354,19 +1355,30 @@ isc_mem_inuse(isc_mem_t *ctx) { void isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg, - size_t hiwater, size_t lowater) + size_t hiwater, size_t lowater) { + isc_boolean_t callwater = ISC_FALSE; + isc_mem_water_t oldwater; + void *oldwater_arg; + REQUIRE(VALID_CONTEXT(ctx)); REQUIRE(hiwater >= lowater); LOCK(&ctx->lock); + oldwater = ctx->water; + oldwater_arg = ctx->water_arg; if (water == NULL) { + callwater = ctx->hi_called; ctx->water = NULL; ctx->water_arg = NULL; ctx->hi_water = 0; ctx->lo_water = 0; ctx->hi_called = ISC_FALSE; } else { + if (ctx->hi_called && + (ctx->water != water || ctx->water_arg != water_arg || + ctx->inuse < lowater || lowater == 0U)) + callwater = ISC_TRUE; ctx->water = water; ctx->water_arg = water_arg; ctx->hi_water = hiwater; @@ -1374,6 +1386,9 @@ isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg, ctx->hi_called = ISC_FALSE; } UNLOCK(&ctx->lock); + + if (callwater && oldwater != NULL) + (oldwater)(oldwater_arg, ISC_MEM_LOWATER); } /* diff --git a/lib/isc/mutexblock.c b/lib/isc/mutexblock.c index dc7c23d8689ee..dd8c725371108 100644 --- a/lib/isc/mutexblock.c +++ b/lib/isc/mutexblock.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mutexblock.c,v 1.14.12.3 2004/03/08 09:04:49 marka Exp $ */ +/* $Id: mutexblock.c,v 1.14.12.6 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c index 712ad2c1341b3..f40f9c464bb49 100644 --- a/lib/isc/netaddr.c +++ b/lib/isc/netaddr.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: netaddr.c,v 1.18.12.9 2004/05/15 03:46:12 jinmei Exp $ */ +/* $Id: netaddr.c,v 1.18.12.12 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/netscope.c b/lib/isc/netscope.c index 8df448399c5d1..262377ab1b41d 100644 --- a/lib/isc/netscope.c +++ b/lib/isc/netscope.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2002 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2002, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -17,7 +17,7 @@ #if defined(LIBC_SCCS) && !defined(lint) static char rcsid[] = - "$Id: netscope.c,v 1.5.142.9 2006/08/25 05:25:50 marka Exp $"; + "$Id: netscope.c,v 1.5.142.12 2007/08/28 07:19:15 tbox Exp $"; #endif /* LIBC_SCCS and not lint */ #include diff --git a/lib/isc/nls/msgcat.c b/lib/isc/nls/msgcat.c index 906e26e9070eb..9b86e7e0c6a6d 100644 --- a/lib/isc/nls/msgcat.c +++ b/lib/isc/nls/msgcat.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: msgcat.c,v 1.10.12.6 2005/06/09 23:54:31 marka Exp $ */ +/* $Id: msgcat.c,v 1.10.12.9 2007/08/28 07:19:15 tbox Exp $ */ /* * Principal Author: Bob Halley diff --git a/lib/isc/nothreads/condition.c b/lib/isc/nothreads/condition.c index 395d52f7d307d..13a785b77c830 100644 --- a/lib/isc/nothreads/condition.c +++ b/lib/isc/nothreads/condition.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: condition.c,v 1.4.12.5 2006/08/25 05:25:50 marka Exp $ */ +/* $Id: condition.c,v 1.4.12.8 2007/08/28 07:19:16 tbox Exp $ */ #include diff --git a/lib/isc/nothreads/mutex.c b/lib/isc/nothreads/mutex.c index a707947fe9b7f..00d8e7a346f1b 100644 --- a/lib/isc/nothreads/mutex.c +++ b/lib/isc/nothreads/mutex.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mutex.c,v 1.4.12.5 2006/08/25 05:25:50 marka Exp $ */ +/* $Id: mutex.c,v 1.4.12.8 2007/08/28 07:19:16 tbox Exp $ */ #include diff --git a/lib/isc/pthreads/condition.c b/lib/isc/pthreads/condition.c index 489980c1f5a92..8539a8004484b 100644 --- a/lib/isc/pthreads/condition.c +++ b/lib/isc/pthreads/condition.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: condition.c,v 1.30.2.1.10.1 2004/03/06 08:14:53 marka Exp $ */ +/* $Id: condition.c,v 1.30.2.1.10.4 2007/08/28 07:19:16 tbox Exp $ */ #include diff --git a/lib/isc/pthreads/include/isc/mutex.h b/lib/isc/pthreads/include/isc/mutex.h index f6e526d8b2fa1..d180c55ab94e1 100644 --- a/lib/isc/pthreads/include/isc/mutex.h +++ b/lib/isc/pthreads/include/isc/mutex.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mutex.h,v 1.23.26.3 2004/03/08 09:04:55 marka Exp $ */ +/* $Id: mutex.h,v 1.23.26.6 2007/08/28 07:19:17 tbox Exp $ */ #ifndef ISC_MUTEX_H #define ISC_MUTEX_H 1 diff --git a/lib/isc/pthreads/mutex.c b/lib/isc/pthreads/mutex.c index 71db6696610d3..17cca53fc6a72 100644 --- a/lib/isc/pthreads/mutex.c +++ b/lib/isc/pthreads/mutex.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: mutex.c,v 1.6.26.5 2005/03/17 03:58:32 marka Exp $ */ +/* $Id: mutex.c,v 1.6.26.8 2007/08/28 07:19:17 tbox Exp $ */ #include diff --git a/lib/isc/quota.c b/lib/isc/quota.c index 273a1b2ac6ddb..b9cb3db9c63d6 100644 --- a/lib/isc/quota.c +++ b/lib/isc/quota.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: quota.c,v 1.11.12.5 2005/07/29 00:13:09 marka Exp $ */ +/* $Id: quota.c,v 1.11.12.8 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/ratelimiter.c b/lib/isc/ratelimiter.c index 211363ccf0f1f..28976d018f70f 100644 --- a/lib/isc/ratelimiter.c +++ b/lib/isc/ratelimiter.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ratelimiter.c,v 1.18.14.4 2004/03/08 09:04:50 marka Exp $ */ +/* $Id: ratelimiter.c,v 1.18.14.7 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/region.c b/lib/isc/region.c index 92f4f027f3d63..02386ad4bbd37 100644 --- a/lib/isc/region.c +++ b/lib/isc/region.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2002, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: region.c,v 1.2.202.3 2004/03/08 09:04:50 marka Exp $ */ +/* $Id: region.c,v 1.2.202.6 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/result.c b/lib/isc/result.c index fd4e5c6cb98a1..37a487e71fb0b 100644 --- a/lib/isc/result.c +++ b/lib/isc/result.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2001, 2003 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.c,v 1.56.2.2.8.9 2005/06/09 23:54:30 marka Exp $ */ +/* $Id: result.c,v 1.56.2.2.8.12 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/symtab.c b/lib/isc/symtab.c index 8b2b8c46bc33f..6102b18de0847 100644 --- a/lib/isc/symtab.c +++ b/lib/isc/symtab.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1996-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1996-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: symtab.c,v 1.24.12.3 2004/03/08 09:04:50 marka Exp $ */ +/* $Id: symtab.c,v 1.24.12.6 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/taskpool.c b/lib/isc/taskpool.c index a3931a9fb90c8..6e2401de3b10e 100644 --- a/lib/isc/taskpool.c +++ b/lib/isc/taskpool.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: taskpool.c,v 1.10.12.5 2006/01/04 23:50:21 marka Exp $ */ +/* $Id: taskpool.c,v 1.10.12.8 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isc/timer.c b/lib/isc/timer.c index 6a6acf6bb081b..d002b11722ce6 100644 --- a/lib/isc/timer.c +++ b/lib/isc/timer.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2002 Internet Software Consortium. + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: timer.c,v 1.64.12.13 2006/01/04 23:50:21 marka Exp $ */ +/* $Id: timer.c,v 1.64.12.17 2007/10/24 01:08:01 marka Exp $ */ #include @@ -582,6 +582,7 @@ dispatch(isc_timermgr_t *manager, isc_time_t *now) { isc_eventtype_t type = 0; isc_timer_t *timer; isc_result_t result; + isc_boolean_t idle; /* * The caller must be holding the manager lock. @@ -613,23 +614,33 @@ dispatch(isc_timermgr_t *manager, isc_time_t *now) { type = ISC_TIMEREVENT_LIFE; post_event = ISC_TRUE; need_schedule = ISC_FALSE; - } else if (!isc_time_isepoch(&timer->idle) && - isc_time_compare(now, - &timer->idle) >= 0) { - type = ISC_TIMEREVENT_IDLE; - post_event = ISC_TRUE; - need_schedule = ISC_FALSE; } else { - /* - * Idle timer has been touched; reschedule. - */ - XTRACEID(isc_msgcat_get(isc_msgcat, - ISC_MSGSET_TIMER, - ISC_MSG_IDLERESCHED, - "idle reschedule"), - timer); - post_event = ISC_FALSE; - need_schedule = ISC_TRUE; + idle = ISC_FALSE; + + LOCK(&timer->lock); + if (!isc_time_isepoch(&timer->idle) && + isc_time_compare(now, + &timer->idle) >= 0) { + idle = ISC_TRUE; + } + UNLOCK(&timer->lock); + if (idle) { + type = ISC_TIMEREVENT_IDLE; + post_event = ISC_TRUE; + need_schedule = ISC_FALSE; + } else { + /* + * Idle timer has been touched; + * reschedule. + */ + XTRACEID(isc_msgcat_get(isc_msgcat, + ISC_MSGSET_TIMER, + ISC_MSG_IDLERESCHED, + "idle reschedule"), + timer); + post_event = ISC_FALSE; + need_schedule = ISC_TRUE; + } } if (post_event) { diff --git a/lib/isc/timer_p.h b/lib/isc/timer_p.h index ad7a5d042b22a..22f7ae3881c05 100644 --- a/lib/isc/timer_p.h +++ b/lib/isc/timer_p.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: timer_p.h,v 1.4.12.3 2004/03/08 09:04:50 marka Exp $ */ +/* $Id: timer_p.h,v 1.4.12.6 2007/08/28 07:19:15 tbox Exp $ */ #ifndef ISC_TIMER_P_H #define ISC_TIMER_P_H diff --git a/lib/isc/unix/Makefile.in b/lib/isc/unix/Makefile.in index 49845d420d5b4..725ba68441daf 100644 --- a/lib/isc/unix/Makefile.in +++ b/lib/isc/unix/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 1998-2001 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1998-2001, 2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.35.2.1.10.2 2004/06/22 02:48:36 marka Exp $ +# $Id: Makefile.in,v 1.35.2.1.10.5 2007/08/28 07:19:17 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c index 811d67be1ff6f..8e1f0fafd306b 100644 --- a/lib/isc/unix/app.c +++ b/lib/isc/unix/app.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: app.c,v 1.43.2.3.8.5 2004/03/08 02:08:05 marka Exp $ */ +/* $Id: app.c,v 1.43.2.3.8.8 2008/01/17 23:45:28 tbox Exp $ */ #include @@ -57,11 +57,11 @@ static isc_boolean_t running = ISC_FALSE; /* * We assume that 'want_shutdown' can be read and written atomically. */ -static isc_boolean_t want_shutdown = ISC_FALSE; +static volatile isc_boolean_t want_shutdown = ISC_FALSE; /* * We assume that 'want_reload' can be read and written atomically. */ -static isc_boolean_t want_reload = ISC_FALSE; +static volatile isc_boolean_t want_reload = ISC_FALSE; static isc_boolean_t blocked = ISC_FALSE; #ifdef ISC_PLATFORM_USETHREADS @@ -85,13 +85,13 @@ static pthread_t main_thread; #ifndef HAVE_SIGWAIT static void exit_action(int arg) { - UNUSED(arg); + UNUSED(arg); want_shutdown = ISC_TRUE; } static void reload_action(int arg) { - UNUSED(arg); + UNUSED(arg); want_reload = ISC_TRUE; } #endif @@ -337,7 +337,7 @@ evloop() { * We call isc__timermgr_dispatch() only when * necessary, in order to reduce overhead. If the * select() call indicates a timeout, we need the - * dispatch. Even if not, if we set the 0-timeout + * dispatch. Even if not, if we set the 0-timeout * for the select() call, we need to check the timer * events. In the 'readytasks' case, there may be no * timeout event actually, but there is no other way @@ -421,7 +421,7 @@ isc__nothread_signal_hack(isc_condition_t *cp) { signalled = ISC_TRUE; return (ISC_R_SUCCESS); } - + #endif /* ISC_PLATFORM_USETHREADS */ isc_result_t @@ -674,7 +674,7 @@ isc_app_unblock(void) { REQUIRE(blockedthread == pthread_self()); RUNTIME_CHECK(sigemptyset(&sset) == 0 && - sigaddset(&sset, SIGINT) == 0 && + sigaddset(&sset, SIGINT) == 0 && sigaddset(&sset, SIGTERM) == 0); RUNTIME_CHECK(pthread_sigmask(SIG_BLOCK, &sset, NULL) == 0); #endif /* ISC_PLATFORM_USETHREADS */ diff --git a/lib/isc/unix/dir.c b/lib/isc/unix/dir.c index 85a121739b4c7..29afb0f264b0a 100644 --- a/lib/isc/unix/dir.c +++ b/lib/isc/unix/dir.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dir.c,v 1.18.2.1.2.3 2004/03/08 09:04:55 marka Exp $ */ +/* $Id: dir.c,v 1.18.2.1.2.6 2007/08/28 07:19:17 tbox Exp $ */ /* Principal Authors: DCL */ diff --git a/lib/isc/unix/entropy.c b/lib/isc/unix/entropy.c index d52849aa35b84..f30a4725dcdcb 100644 --- a/lib/isc/unix/entropy.c +++ b/lib/isc/unix/entropy.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: entropy.c,v 1.60.2.3.8.14 2006/03/02 23:29:17 marka Exp $ */ +/* $Id: entropy.c,v 1.60.2.3.8.15 2006/12/07 04:52:50 marka Exp $ */ /* * This is the system depenedent part of the ISC entropy API. @@ -486,8 +486,6 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) { LOCK(&ent->lock); - source = NULL; - if (stat(fname, &_stat) < 0) { ret = isc__errno2result(errno); goto errout; @@ -589,9 +587,6 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) { (void)close(fd); errout: - if (source != NULL) - isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t)); - UNLOCK(&ent->lock); return (ret); diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c index 66a4e916d79c4..d25dcb288f50b 100644 --- a/lib/isc/unix/errno2result.c +++ b/lib/isc/unix/errno2result.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: errno2result.c,v 1.8.2.4.8.1 2004/03/06 08:14:59 marka Exp $ */ +/* $Id: errno2result.c,v 1.8.2.4.8.4 2007/08/28 07:19:17 tbox Exp $ */ #include diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c index 7ed6272efb73a..8e4e87c6077c1 100644 --- a/lib/isc/unix/file.c +++ b/lib/isc/unix/file.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -48,7 +48,7 @@ * SUCH DAMAGE. */ -/* $Id: file.c,v 1.38.12.8 2004/03/16 05:50:25 marka Exp $ */ +/* $Id: file.c,v 1.38.12.11 2007/08/28 07:19:17 tbox Exp $ */ #include diff --git a/lib/isc/unix/ifiter_getifaddrs.c b/lib/isc/unix/ifiter_getifaddrs.c index ad6e1e0b04099..ac4edc8922c30 100644 --- a/lib/isc/unix/ifiter_getifaddrs.c +++ b/lib/isc/unix/ifiter_getifaddrs.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ifiter_getifaddrs.c,v 1.2.68.3 2004/03/06 08:14:59 marka Exp $ */ +/* $Id: ifiter_getifaddrs.c,v 1.2.68.6 2007/08/28 07:19:17 tbox Exp $ */ /* * Obtain the list of network interfaces using the getifaddrs(3) library. @@ -106,7 +106,9 @@ internal_current(isc_interfaceiter_t *iter) { INSIST(ifa != NULL); INSIST(ifa->ifa_name != NULL); - INSIST(ifa->ifa_addr != NULL); + + if (ifa->ifa_addr == NULL) + return (ISC_R_IGNORE); family = ifa->ifa_addr->sa_family; if (family != AF_INET && family != AF_INET6) diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c index 68a13651bc86a..ce8baf7e99ebf 100644 --- a/lib/isc/unix/ifiter_ioctl.c +++ b/lib/isc/unix/ifiter_ioctl.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ifiter_ioctl.c,v 1.19.2.5.2.19 2006/02/03 23:51:37 marka Exp $ */ +/* $Id: ifiter_ioctl.c,v 1.19.2.5.2.21 2007/08/31 23:45:57 tbox Exp $ */ /* * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl. @@ -904,7 +904,8 @@ internal_next4(isc_interfaceiter_t *iter) { struct ifreq *ifrp; #endif - REQUIRE (iter->pos < (unsigned int) iter->ifc.ifc_len); + REQUIRE(iter->ifc.ifc_len == 0 || + iter->pos < (unsigned int) iter->ifc.ifc_len); #ifdef __linux if (linux_if_inet6_next(iter) == ISC_R_SUCCESS) @@ -912,6 +913,10 @@ internal_next4(isc_interfaceiter_t *iter) { if (!iter->first) return (ISC_R_SUCCESS); #endif + + if (iter->ifc.ifc_len == 0) + return (ISC_R_NOMORE); + #ifdef ISC_PLATFORM_HAVESALEN ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos); diff --git a/lib/isc/unix/include/isc/dir.h b/lib/isc/unix/include/isc/dir.h index 53b51df087b1c..e9e965963bac6 100644 --- a/lib/isc/unix/include/isc/dir.h +++ b/lib/isc/unix/include/isc/dir.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dir.h,v 1.15.12.3 2004/03/08 09:04:57 marka Exp $ */ +/* $Id: dir.h,v 1.15.12.6 2007/08/28 07:19:17 tbox Exp $ */ /* Principal Authors: DCL */ diff --git a/lib/isc/unix/include/isc/strerror.h b/lib/isc/unix/include/isc/strerror.h index f51fbdc2d04cf..7577b1ccb2e66 100644 --- a/lib/isc/unix/include/isc/strerror.h +++ b/lib/isc/unix/include/isc/strerror.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: strerror.h,v 1.2.12.3 2004/03/08 09:04:57 marka Exp $ */ +/* $Id: strerror.h,v 1.2.12.6 2007/08/28 07:19:17 tbox Exp $ */ #ifndef ISC_STRERROR_H #define ISC_STRERROR_H diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h index 6021c13d9295b..c592862c6e019 100644 --- a/lib/isc/unix/include/isc/time.h +++ b/lib/isc/unix/include/isc/time.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: time.h,v 1.25.2.1.10.4 2004/03/08 09:04:58 marka Exp $ */ +/* $Id: time.h,v 1.25.2.1.10.7 2007/08/28 07:19:17 tbox Exp $ */ #ifndef ISC_TIME_H #define ISC_TIME_H 1 diff --git a/lib/isc/unix/keyboard.c b/lib/isc/unix/keyboard.c index 146338aebe75e..5828ef0461d71 100644 --- a/lib/isc/unix/keyboard.c +++ b/lib/isc/unix/keyboard.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: keyboard.c,v 1.9.12.3 2004/03/08 09:04:56 marka Exp $ */ +/* $Id: keyboard.c,v 1.9.12.6 2007/08/28 07:19:17 tbox Exp $ */ #include diff --git a/lib/isc/unix/net.c b/lib/isc/unix/net.c index e0aeccbbbf4d8..42cadec7d7617 100644 --- a/lib/isc/unix/net.c +++ b/lib/isc/unix/net.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: net.c,v 1.22.2.2.10.9 2005/03/17 03:58:33 marka Exp $ */ +/* $Id: net.c,v 1.22.2.2.10.11 2007/09/13 23:45:58 tbox Exp $ */ #include @@ -30,17 +30,26 @@ #include #include -#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRANY) +#if defined(ISC_PLATFORM_HAVEIPV6) +# if defined(ISC_PLATFORM_NEEDIN6ADDRANY) const struct in6_addr isc_net_in6addrany = IN6ADDR_ANY_INIT; -#endif +# endif -#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK) +# if defined(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK) const struct in6_addr isc_net_in6addrloop = IN6ADDR_LOOPBACK_INIT; -#endif +# endif -static isc_once_t once = ISC_ONCE_INIT; +# if defined(WANT_IPV6) static isc_once_t once_ipv6only = ISC_ONCE_INIT; +# endif + +# if defined(ISC_PLATFORM_HAVEIN6PKTINFO) static isc_once_t once_ipv6pktinfo = ISC_ONCE_INIT; +# endif +#endif /* ISC_PLATFORM_HAVEIPV6 */ + +static isc_once_t once = ISC_ONCE_INIT; + static isc_result_t ipv4_result = ISC_R_NOTFOUND; static isc_result_t ipv6_result = ISC_R_NOTFOUND; static isc_result_t ipv6only_result = ISC_R_NOTFOUND; @@ -235,7 +244,7 @@ initialize_ipv6only(void) { RUNTIME_CHECK(isc_once_do(&once_ipv6only, try_ipv6only) == ISC_R_SUCCESS); } -#endif /* IPV6_V6ONLY */ +#endif /* WANT_IPV6 */ #ifdef ISC_PLATFORM_HAVEIN6PKTINFO static void @@ -291,7 +300,7 @@ initialize_ipv6pktinfo(void) { try_ipv6pktinfo) == ISC_R_SUCCESS); } #endif /* ISC_PLATFORM_HAVEIN6PKTINFO */ -#endif /* WANT_IPV6 */ +#endif /* ISC_PLATFORM_HAVEIPV6 */ isc_result_t isc_net_probe_ipv6only(void) { diff --git a/lib/isc/unix/os.c b/lib/isc/unix/os.c index 4d34d8ce6f47e..fb37acdca61df 100644 --- a/lib/isc/unix/os.c +++ b/lib/isc/unix/os.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.11.12.6 2005/10/14 02:13:07 marka Exp $ */ +/* $Id: os.c,v 1.11.12.9 2007/08/28 07:19:17 tbox Exp $ */ #include diff --git a/lib/isc/unix/resource.c b/lib/isc/unix/resource.c index b6faf32a5e4d3..bfec43d32d454 100644 --- a/lib/isc/unix/resource.c +++ b/lib/isc/unix/resource.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resource.c,v 1.11.206.1 2004/03/06 08:15:01 marka Exp $ */ +/* $Id: resource.c,v 1.11.206.3 2008/01/26 23:45:31 tbox Exp $ */ #include @@ -40,13 +40,13 @@ resource2rlim(isc_resource_t resource, int *rlim_resource) { break; case isc_resource_cputime: *rlim_resource = RLIMIT_CPU; - break; + break; case isc_resource_datasize: *rlim_resource = RLIMIT_DATA; - break; + break; case isc_resource_filesize: *rlim_resource = RLIMIT_FSIZE; - break; + break; case isc_resource_lockedmemory: #ifdef RLIMIT_MEMLOCK *rlim_resource = RLIMIT_MEMLOCK; @@ -79,7 +79,7 @@ resource2rlim(isc_resource_t resource, int *rlim_resource) { *rlim_resource = RLIMIT_STACK; break; default: - /* + /* * This test is not very robust if isc_resource_t * changes, but generates a clear assertion message. */ @@ -132,58 +132,27 @@ isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value) { rlim_value = value; } - /* - * The BIND 8 documentation reports: - * - * Note: on some operating systems the server cannot set an - * unlimited value and cannot determine the maximum number of - * open files the kernel can support. On such systems, choosing - * unlimited will cause the server to use the larger of the - * rlim_max for RLIMIT_NOFILE and the value returned by - * sysconf(_SC_OPEN_MAX). If the actual kernel limit is larger - * than this value, use limit files to specify the limit - * explicitly. - * - * The CHANGES for 8.1.2-T3A also mention: - * - * 352. [bug] Because of problems with setting an infinite - * rlim_max for RLIMIT_NOFILE on some systems, previous versions - * of the server implemented "limit files unlimited" by setting - * the limit to the value returned by sysconf(_SC_OPEN_MAX). The - * server will now use RLIM_INFINITY on systems which allow it. - * - * At some point the BIND 8 server stopped using SC_OPEN_MAX for this - * purpose at all, but it isn't clear to me when or why, as my access - * to the CVS archive is limited at the time of this writing. What - * BIND 8 *does* do is to set RLIMIT_NOFILE to either RLIMIT_INFINITY - * on a half dozen operating systems or to FD_SETSIZE on the rest, - * the latter of which is probably fewer than the real limit. (Note - * that libisc's socket module will have problems with any fd over - * FD_SETSIZE. This should be fixed in the socket module, not a - * limitation here. BIND 8's eventlib also has a problem, making - * its RLIMIT_INFINITY setting useless, because it closes and ignores - * any fd over FD_SETSIZE.) - * - * More troubling is the reference to some operating systems not being - * able to set an unlimited value for the number of open files. I'd - * hate to put in code that is really only there to support archaic - * systems that the rest of libisc won't work on anyway. So what this - * extremely verbose comment is here to say is the following: - * - * I'm aware there might be an issue with not limiting the value - * for RLIMIT_NOFILE on some systems, but since I don't know yet - * what those systems are and what the best workaround is (use - * sysconf()? rlim_max from getrlimit()? FD_SETSIZE?) so nothing - * is currently being done to clamp the value for open files. - */ - rl.rlim_cur = rl.rlim_max = rlim_value; unixresult = setrlimit(unixresource, &rl); if (unixresult == 0) return (ISC_R_SUCCESS); - else - return (isc__errno2result(errno)); + +#if defined(OPEN_MAX) && defined(__APPLE__) + /* + * The Darwin kernel doesn't accept RLIM_INFINITY for rlim_cur; the + * maximum possible value is OPEN_MAX. BIND8 used to use + * sysconf(_SC_OPEN_MAX) for such a case, but this value is much + * smaller than OPEN_MAX and is not really effective. + */ + if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) { + rl.rlim_cur = OPEN_MAX; + unixresult = setrlimit(unixresource, &rl); + if (unixresult == 0) + return (ISC_R_SUCCESS); + } +#endif + return (isc__errno2result(errno)); } isc_result_t diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index f95e3c8f75d41..7322abc2518e3 100644 --- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.207.2.19.2.26 2006/05/19 02:53:36 marka Exp $ */ +/* $Id: socket.c,v 1.207.2.19.2.35 2008/01/27 02:06:07 marka Exp $ */ #include @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include @@ -57,6 +58,10 @@ #include "socket_p.h" #endif /* ISC_PLATFORM_USETHREADS */ +#if defined(SO_BSDCOMPAT) && defined(__linux__) +#include +#endif + /* * Some systems define the socket length argument as an int, some as size_t, * some as socklen_t. This is here so it can be easily changed if needed. @@ -400,7 +405,7 @@ select_readmsg(isc_socketmgr_t *mgr, int *fd, int *msg) { "read() failed " "during watcher poke: %s"), strbuf); - + return; } INSIST(cc == sizeof(buf)); @@ -505,7 +510,7 @@ cmsg_space(ISC_SOCKADDR_LEN_T len) { return ((char *)cmsgp - (char *)msg.msg_control); else return (0); -#endif +#endif } #endif /* USE_CMSG */ @@ -579,7 +584,7 @@ process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) { "interface received on ifindex %u", dev->pktinfo.ipi6_ifindex); if (IN6_IS_ADDR_MULTICAST(&pktinfop->ipi6_addr)) - dev->attributes |= ISC_SOCKEVENTATTR_MULTICAST; + dev->attributes |= ISC_SOCKEVENTATTR_MULTICAST; goto next; } #endif @@ -951,7 +956,7 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) { isc__strerror(recv_errno, strbuf, sizeof(strbuf)); socket_log(sock, NULL, IOEVENT, isc_msgcat, ISC_MSGSET_SOCKET, - ISC_MSG_DOIORECV, + ISC_MSG_DOIORECV, "doio_recv: recvmsg(%d) %d bytes, err %d/%s", sock->fd, cc, recv_errno, strbuf); } @@ -999,7 +1004,7 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) { if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) { socket_log(sock, &dev->address, IOEVENT, isc_msgcat, ISC_MSGSET_SOCKET, - ISC_MSG_ZEROPORT, + ISC_MSG_ZEROPORT, "dropping source port zero packet"); } return (DOIO_SOFT); @@ -1368,7 +1373,45 @@ free_socket(isc_socket_t **socketp) { *socketp = NULL; } +#ifdef SO_BSDCOMPAT /* + * This really should not be necessary to do. Having to workout + * which kernel version we are on at run time so that we don't cause + * the kernel to issue a warning about us using a deprecated socket option. + * Such warnings should *never* be on by default in production kernels. + * + * We can't do this a build time because executables are moved between + * machines and hence kernels. + * + * We can't just not set SO_BSDCOMAT because some kernels require it. + */ + +static isc_once_t bsdcompat_once = ISC_ONCE_INIT; +isc_boolean_t bsdcompat = ISC_TRUE; + +static void +clear_bsdcompat(void) { +#ifdef __linux__ + struct utsname buf; + char *endp; + long int major; + long int minor; + + uname(&buf); /* Can only fail if buf is bad in Linux. */ + + /* Paranoia in parsing can be increased, but we trust uname(). */ + major = strtol(buf.release, &endp, 10); + if (*endp == '.') { + minor = strtol(endp+1, &endp, 10); + if ((major > 2) || ((major == 2) && (minor >= 4))) { + bsdcompat = ISC_FALSE; + } + } +#endif /* __linux __ */ +} +#endif + +/*% * Create a new 'type' socket managed by 'manager'. Events * will be posted to 'task' and when dispatched 'action' will be * called with 'arg' as the arg value. The new socket is returned @@ -1385,6 +1428,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, #endif char strbuf[ISC_STRERRORSIZE]; const char *err = "socket"; + int tries = 0; REQUIRE(VALID_MANAGER(manager)); REQUIRE(socketp != NULL && *socketp == NULL); @@ -1394,6 +1438,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, return (ret); sock->pf = pf; + again: switch (type) { case isc_sockettype_udp: sock->fd = socket(pf, SOCK_DGRAM, IPPROTO_UDP); @@ -1402,6 +1447,8 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP); break; } + if (sock->fd == -1 && errno == EINTR && tries++ < 42) + goto again; #ifdef F_DUPFD /* @@ -1428,7 +1475,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, free_socket(&sock); return (ISC_R_NORESOURCES); } - + if (sock->fd < 0) { free_socket(&sock); @@ -1468,8 +1515,10 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, } #ifdef SO_BSDCOMPAT - if (setsockopt(sock->fd, SOL_SOCKET, SO_BSDCOMPAT, - (void *)&on, sizeof(on)) < 0) { + RUNTIME_CHECK(isc_once_do(&bsdcompat_once, + clear_bsdcompat) == ISC_R_SUCCESS); + if (bsdcompat && setsockopt(sock->fd, SOL_SOCKET, SO_BSDCOMPAT, + (void *)&on, sizeof(on)) < 0) { isc__strerror(errno, strbuf, sizeof(strbuf)); UNEXPECTED_ERROR(__FILE__, __LINE__, "setsockopt(%d, SO_BSDCOMPAT) %s: %s", @@ -1481,6 +1530,20 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, } #endif +#ifdef SO_NOSIGPIPE + if (setsockopt(sock->fd, SOL_SOCKET, SO_NOSIGPIPE, + (void *)&on, sizeof(on)) < 0) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + UNEXPECTED_ERROR(__FILE__, __LINE__, + "setsockopt(%d, SO_NOSIGPIPE) %s: %s", + sock->fd, + isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, + ISC_MSG_FAILED, "failed"), + strbuf); + /* Press on... */ + } +#endif + #if defined(USE_CMSG) if (type == isc_sockettype_udp) { @@ -1491,7 +1554,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, isc__strerror(errno, strbuf, sizeof(strbuf)); UNEXPECTED_ERROR(__FILE__, __LINE__, "setsockopt(%d, SO_TIMESTAMP) %s: %s", - sock->fd, + sock->fd, isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, ISC_MSG_FAILED, @@ -1513,7 +1576,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, } #ifdef ISC_PLATFORM_HAVEIN6PKTINFO #ifdef IPV6_RECVPKTINFO - /* 2292bis */ + /* RFC 3542 */ if ((pf == AF_INET6) && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO, (void *)&on, sizeof(on)) < 0)) { @@ -1528,7 +1591,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, strbuf); } #else - /* 2292 */ + /* RFC 2292 */ if ((pf == AF_INET6) && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_PKTINFO, (void *)&on, sizeof(on)) < 0)) { @@ -1544,7 +1607,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, } #endif /* IPV6_RECVPKTINFO */ #endif /* ISC_PLATFORM_HAVEIN6PKTINFO */ -#ifdef IPV6_USE_MIN_MTU /*2292bis, not too common yet*/ +#ifdef IPV6_USE_MIN_MTU /* RFC 3542, not too common yet*/ /* use minimum MTU */ if (pf == AF_INET6) { (void)setsockopt(sock->fd, IPPROTO_IPV6, @@ -1851,7 +1914,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) { */ addrlen = sizeof(dev->newsocket->address.type); - memset(&dev->newsocket->address.type.sa, 0, addrlen); + memset(&dev->newsocket->address.type, 0, addrlen); fd = accept(sock->fd, &dev->newsocket->address.type.sa, (void *)&addrlen); @@ -1919,7 +1982,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) { UNEXPECTED_ERROR(__FILE__, __LINE__, "internal_accept(): " "accept() returned peer address " - "family %u (expected %u)", + "family %u (expected %u)", dev->newsocket->address. type.sa.sa_family, sock->pf); @@ -1992,7 +2055,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) { dev->newsocket->references--; free_socket(&dev->newsocket); } - + /* * Fill in the done event details and send it off. */ diff --git a/lib/isc/unix/stdtime.c b/lib/isc/unix/stdtime.c index b8d818dcfd7a9..3833b27d7c016 100644 --- a/lib/isc/unix/stdtime.c +++ b/lib/isc/unix/stdtime.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1999-2001 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: stdtime.c,v 1.11.2.1.10.5 2005/06/09 23:54:31 marka Exp $ */ +/* $Id: stdtime.c,v 1.11.2.1.10.8 2007/08/28 07:19:17 tbox Exp $ */ #include diff --git a/lib/isc/unix/strerror.c b/lib/isc/unix/strerror.c index 863867e15953f..5d7d7c5f1ab98 100644 --- a/lib/isc/unix/strerror.c +++ b/lib/isc/unix/strerror.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: strerror.c,v 1.1.2.1.10.3 2004/03/08 09:04:57 marka Exp $ */ +/* $Id: strerror.c,v 1.1.2.1.10.6 2007/08/28 07:19:17 tbox Exp $ */ #include diff --git a/lib/isc/unix/syslog.c b/lib/isc/unix/syslog.c index e53154452254a..8e898c3a12f39 100644 --- a/lib/isc/unix/syslog.c +++ b/lib/isc/unix/syslog.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,15 +15,15 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: syslog.c,v 1.1.12.3 2004/03/08 09:04:57 marka Exp $ */ +/* $Id: syslog.c,v 1.1.12.7 2007/09/13 05:18:08 each Exp $ */ #include #include -#include #include #include +#include #include #include diff --git a/lib/isc/version.c b/lib/isc/version.c index d0f270d4a47d8..286b25551b9a6 100644 --- a/lib/isc/version.c +++ b/lib/isc/version.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.c,v 1.9.12.3 2004/03/08 09:04:51 marka Exp $ */ +/* $Id: version.c,v 1.9.12.6 2007/08/28 07:19:15 tbox Exp $ */ #include diff --git a/lib/isccc/api b/lib/isccc/api index 8c77091b90c5e..bc239a7d77535 100644 --- a/lib/isccc/api +++ b/lib/isccc/api @@ -1,3 +1,3 @@ LIBINTERFACE = 2 -LIBREVISION = 2 +LIBREVISION = 3 LIBAGE = 2 diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c index ccf8c686aee53..8786e4814fe9c 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 2001-2003 Internet Software Consortium. * Portions Copyright (C) 2001 Nominum, Inc. * @@ -16,7 +16,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: cc.c,v 1.4.2.3.2.5 2004/08/28 06:25:23 marka Exp $ */ +/* $Id: cc.c,v 1.4.2.3.2.7 2006/12/07 23:57:57 marka Exp $ */ #include @@ -466,12 +466,21 @@ createmessage(isc_uint32_t version, const char *from, const char *to, result = ISC_R_NOMEMORY; _ctrl = isccc_alist_create(); + if (_ctrl == NULL) + goto bad; + if (isccc_alist_define(alist, "_ctrl", _ctrl) == NULL) { + isccc_sexpr_free(&_ctrl); + goto bad; + } + _data = isccc_alist_create(); - if (_ctrl == NULL || _data == NULL) + if (_data == NULL) goto bad; - if (isccc_alist_define(alist, "_ctrl", _ctrl) == NULL || - isccc_alist_define(alist, "_data", _data) == NULL) + if (isccc_alist_define(alist, "_data", _data) == NULL) { + isccc_sexpr_free(&_data); goto bad; + } + if (isccc_cc_defineuint32(_ctrl, "_ser", serial) == NULL || isccc_cc_defineuint32(_ctrl, "_tim", now) == NULL || (want_expires && diff --git a/lib/isccc/include/isccc/Makefile.in b/lib/isccc/include/isccc/Makefile.in index b86e50cf39e2c..910002d744f06 100644 --- a/lib/isccc/include/isccc/Makefile.in +++ b/lib/isccc/include/isccc/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001, 2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.3.12.3 2004/03/08 09:05:05 marka Exp $ +# $Id: Makefile.in,v 1.3.12.6 2007/08/28 07:19:17 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/isccc/include/isccc/lib.h b/lib/isccc/include/isccc/lib.h index a57357d280052..d695343fa23f0 100644 --- a/lib/isccc/include/isccc/lib.h +++ b/lib/isccc/include/isccc/lib.h @@ -1,9 +1,9 @@ /* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 2001 Internet Software Consortium. + * Portions Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2001, 2003 Internet Software Consortium. * Portions Copyright (C) 2001 Nominum, Inc. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -16,7 +16,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lib.h,v 1.2.12.3 2004/03/08 09:05:05 marka Exp $ */ +/* $Id: lib.h,v 1.2.12.6 2007/08/28 07:19:17 tbox Exp $ */ #ifndef ISCCC_LIB_H #define ISCCC_LIB_H 1 diff --git a/lib/isccc/include/isccc/version.h b/lib/isccc/include/isccc/version.h index 36a909c514941..9be1c53cffa9d 100644 --- a/lib/isccc/include/isccc/version.h +++ b/lib/isccc/include/isccc/version.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.h,v 1.2.222.3 2004/03/08 09:05:05 marka Exp $ */ +/* $Id: version.h,v 1.2.222.6 2007/08/28 07:19:17 tbox Exp $ */ #include diff --git a/lib/isccc/lib.c b/lib/isccc/lib.c index d37e28c768f0e..29ad400d58372 100644 --- a/lib/isccc/lib.c +++ b/lib/isccc/lib.c @@ -1,9 +1,9 @@ /* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 2001 Internet Software Consortium. + * Portions Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2001, 2003 Internet Software Consortium. * Portions Copyright (C) 2001 Nominum, Inc. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -16,7 +16,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lib.c,v 1.2.12.3 2004/03/08 09:05:04 marka Exp $ */ +/* $Id: lib.c,v 1.2.12.6 2007/08/28 07:19:17 tbox Exp $ */ #include diff --git a/lib/isccc/sexpr.c b/lib/isccc/sexpr.c index a372a7d2aa71c..53fc152236efa 100644 --- a/lib/isccc/sexpr.c +++ b/lib/isccc/sexpr.c @@ -1,9 +1,9 @@ /* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 2001 Internet Software Consortium. + * Portions Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2001, 2003 Internet Software Consortium. * Portions Copyright (C) 2001 Nominum, Inc. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -16,7 +16,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sexpr.c,v 1.2.12.3 2004/03/08 09:05:04 marka Exp $ */ +/* $Id: sexpr.c,v 1.2.12.6 2007/08/28 07:19:17 tbox Exp $ */ #include diff --git a/lib/isccc/symtab.c b/lib/isccc/symtab.c index 6aca4850f4da8..d0bacc34a72f1 100644 --- a/lib/isccc/symtab.c +++ b/lib/isccc/symtab.c @@ -1,9 +1,9 @@ /* - * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Portions Copyright (C) 2001 Internet Software Consortium. + * Portions Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2001, 2003 Internet Software Consortium. * Portions Copyright (C) 2001 Nominum, Inc. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -16,16 +16,16 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: symtab.c,v 1.3.12.3 2004/03/08 09:05:04 marka Exp $ */ +/* $Id: symtab.c,v 1.3.12.7 2007/09/13 05:18:08 each Exp $ */ #include #include #include -#include #include #include +#include #include #include diff --git a/lib/isccc/version.c b/lib/isccc/version.c index 08cda2f33dada..99fcf17feeb68 100644 --- a/lib/isccc/version.c +++ b/lib/isccc/version.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:04 marka Exp $ */ +/* $Id: version.c,v 1.1.12.6 2007/08/28 07:19:17 tbox Exp $ */ #include diff --git a/lib/isccfg/api b/lib/isccfg/api index 59ed93b011048..d174ce2fc4b19 100644 --- a/lib/isccfg/api +++ b/lib/isccfg/api @@ -1,3 +1,3 @@ LIBINTERFACE = 1 -LIBREVISION = 6 +LIBREVISION = 8 LIBAGE = 0 diff --git a/lib/isccfg/include/isccfg/Makefile.in b/lib/isccfg/include/isccfg/Makefile.in index dc8b1b1ea6f77..a95217f3c90d4 100644 --- a/lib/isccfg/include/isccfg/Makefile.in +++ b/lib/isccfg/include/isccfg/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2001, 2002 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2001-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.4.12.3 2004/03/08 09:05:07 marka Exp $ +# $Id: Makefile.in,v 1.4.12.6 2007/08/28 07:19:18 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h index c4867199b9793..39ca84bcc6fd9 100644 --- a/lib/isccfg/include/isccfg/cfg.h +++ b/lib/isccfg/include/isccfg/cfg.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: cfg.h,v 1.30.12.6 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: cfg.h,v 1.30.12.9 2007/08/28 07:19:18 tbox Exp $ */ #ifndef ISCCFG_CFG_H #define ISCCFG_CFG_H 1 diff --git a/lib/isccfg/include/isccfg/log.h b/lib/isccfg/include/isccfg/log.h index b3d2da7d72b44..793a590f3bb55 100644 --- a/lib/isccfg/include/isccfg/log.h +++ b/lib/isccfg/include/isccfg/log.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.h,v 1.3.2.1.10.3 2004/03/08 09:05:07 marka Exp $ */ +/* $Id: log.h,v 1.3.2.1.10.6 2007/08/28 07:19:18 tbox Exp $ */ #ifndef ISCCFG_LOG_H #define ISCCFG_LOG_H 1 diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h index 4d5bd0b2701ba..a3de4b45c09de 100644 --- a/lib/isccfg/include/isccfg/namedconf.h +++ b/lib/isccfg/include/isccfg/namedconf.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2002, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.h,v 1.2.202.3 2004/03/08 09:05:07 marka Exp $ */ +/* $Id: namedconf.h,v 1.2.202.6 2007/08/28 07:19:18 tbox Exp $ */ #ifndef ISCCFG_NAMEDCONF_H #define ISCCFG_NAMEDCONF_H 1 diff --git a/lib/isccfg/include/isccfg/version.h b/lib/isccfg/include/isccfg/version.h index d02a814b018f8..dfb3215740629 100644 --- a/lib/isccfg/include/isccfg/version.h +++ b/lib/isccfg/include/isccfg/version.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.h,v 1.2.222.3 2004/03/08 09:05:08 marka Exp $ */ +/* $Id: version.h,v 1.2.222.6 2007/08/28 07:19:18 tbox Exp $ */ #include diff --git a/lib/isccfg/log.c b/lib/isccfg/log.c index b16b4d3b3a9b7..61a40fa26433e 100644 --- a/lib/isccfg/log.c +++ b/lib/isccfg/log.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: log.c,v 1.2.2.1.10.3 2004/03/08 09:05:06 marka Exp $ */ +/* $Id: log.c,v 1.2.2.1.10.6 2007/08/28 07:19:18 tbox Exp $ */ #include diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index d54bbe23c474e..1943af3dbebfd 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006, 2008 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2002, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.c,v 1.21.44.34 2006/03/02 00:37:20 marka Exp $ */ +/* $Id: namedconf.c,v 1.21.44.36 2008/01/24 23:45:28 tbox Exp $ */ #include @@ -34,7 +34,7 @@ /* Check a return value. */ #define CHECK(op) \ - do { result = (op); \ + do { result = (op); \ if (result != ISC_R_SUCCESS) goto cleanup; \ } while (0) @@ -216,7 +216,7 @@ static cfg_type_t cfg_type_pubkey = { * Note that the old parser allows quotes around the RR type names. */ static cfg_type_t cfg_type_rrtypelist = { - "rrtypelist", cfg_parse_spacelist, cfg_print_spacelist, cfg_doc_terminal, + "rrtypelist", cfg_parse_spacelist, cfg_print_spacelist, cfg_doc_terminal, &cfg_rep_list, &cfg_type_astring }; @@ -238,7 +238,7 @@ static cfg_type_t cfg_type_matchtype = { */ static cfg_tuplefielddef_t grant_fields[] = { { "mode", &cfg_type_mode, 0 }, - { "identity", &cfg_type_astring, 0 }, /* domain name */ + { "identity", &cfg_type_astring, 0 }, /* domain name */ { "matchtype", &cfg_type_matchtype, 0 }, { "name", &cfg_type_astring, 0 }, /* domain name */ { "types", &cfg_type_rrtypelist, 0 }, @@ -332,7 +332,7 @@ static cfg_tuplefielddef_t rrsetorderingelement_fields[] = { { "class", &cfg_type_optional_wild_class, 0 }, { "type", &cfg_type_optional_wild_type, 0 }, { "name", &cfg_type_optional_wild_name, 0 }, - { "order", &cfg_type_ustring, 0 }, /* must be literal "order" */ + { "order", &cfg_type_ustring, 0 }, /* must be literal "order" */ { "ordering", &cfg_type_ustring, 0 }, { NULL, NULL, 0 } }; @@ -516,7 +516,7 @@ static cfg_type_t cfg_type_serverid = { static isc_result_t parse_port(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { isc_result_t result; - + UNUSED(type); CHECK(cfg_parse_uint32(pctx, NULL, ret)); @@ -650,9 +650,9 @@ static cfg_type_t cfg_type_disablealgorithm = { }; static cfg_tuplefielddef_t mustbesecure_fields[] = { - { "name", &cfg_type_astring, 0 }, - { "value", &cfg_type_boolean, 0 }, - { NULL, NULL, 0 } + { "name", &cfg_type_astring, 0 }, + { "value", &cfg_type_boolean, 0 }, + { NULL, NULL, 0 } }; static cfg_type_t cfg_type_mustbesecure = { @@ -1066,7 +1066,7 @@ static isc_result_t parse_maybe_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, isc_boolean_t optional, cfg_obj_t **ret) { - isc_result_t result; + isc_result_t result; cfg_obj_t *obj = NULL; const keyword_type_t *kw = type->of; @@ -1095,7 +1095,7 @@ static isc_result_t parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype, const cfg_type_t *othertype, cfg_obj_t **ret) { - isc_result_t result; + isc_result_t result; CHECK(cfg_peektoken(pctx, 0)); if (pctx->token.type == isc_tokentype_string && cfg_is_enum(TOKEN_STRING(pctx), enumtype->of)) { @@ -1170,7 +1170,7 @@ parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { } static cfg_type_t cfg_type_notifytype = { "notifytype", parse_notify_type, cfg_print_ustring, doc_enum_or_other, - &cfg_rep_string, notify_enums, + &cfg_rep_string, notify_enums, }; static keyword_type_t key_kw = { "key", &cfg_type_astring }; @@ -1274,7 +1274,6 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) { port = 0; - CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj)); for (;;) { CHECK(cfg_peektoken(pctx, 0)); if (pctx->token.type == isc_tokentype_string) { @@ -1282,7 +1281,7 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) { "address") == 0) { /* read "address" */ - CHECK(cfg_gettoken(pctx, 0)); + CHECK(cfg_gettoken(pctx, 0)); CHECK(cfg_parse_rawaddr(pctx, flags | CFG_ADDR_WILDOK, &netaddr)); @@ -1290,7 +1289,7 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) { } else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0) { /* read "port" */ - CHECK(cfg_gettoken(pctx, 0)); + CHECK(cfg_gettoken(pctx, 0)); CHECK(cfg_parse_rawport(pctx, CFG_ADDR_WILDOK, &port)); @@ -1309,6 +1308,7 @@ parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) { return (ISC_R_UNEXPECTEDTOKEN); } + CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj)); isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port); *ret = obj; return (ISC_R_SUCCESS); @@ -1356,7 +1356,7 @@ static cfg_type_t cfg_type_querysource = { static isc_result_t parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { - isc_result_t result; + isc_result_t result; UNUSED(type); CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING)); @@ -1580,9 +1580,9 @@ static isc_result_t parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { isc_result_t result; cfg_obj_t *obj = NULL; - const cfg_tuplefielddef_t *fields = type->of; + const cfg_tuplefielddef_t *fields = type->of; - CHECK(cfg_create_tuple(pctx, type, &obj)); + CHECK(cfg_create_tuple(pctx, type, &obj)); /* Parse the mandatory "file" field */ CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0])); @@ -1591,7 +1591,7 @@ parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { for (;;) { CHECK(cfg_peektoken(pctx, 0)); if (pctx->token.type == isc_tokentype_string) { - CHECK(cfg_gettoken(pctx, 0)); + CHECK(cfg_gettoken(pctx, 0)); if (strcasecmp(TOKEN_STRING(pctx), "versions") == 0 && obj->value.tuple[1] == NULL) { @@ -1620,7 +1620,7 @@ parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { return (ISC_R_SUCCESS); cleanup: - CLEANUP_OBJ(obj); + CLEANUP_OBJ(obj); return (result); } @@ -1799,7 +1799,7 @@ static isc_result_t parse_sockaddrnameport(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { - isc_result_t result; + isc_result_t result; cfg_obj_t *obj = NULL; UNUSED(type); @@ -1810,9 +1810,9 @@ parse_sockaddrnameport(cfg_parser_t *pctx, const cfg_type_t *type, CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr, ret)); else { const cfg_tuplefielddef_t *fields = - cfg_type_nameport.of; + cfg_type_nameport.of; CHECK(cfg_create_tuple(pctx, &cfg_type_nameport, - &obj)); + &obj)); CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0])); CHECK(cfg_parse_obj(pctx, fields[1].type, @@ -1826,7 +1826,7 @@ parse_sockaddrnameport(cfg_parser_t *pctx, const cfg_type_t *type, return (ISC_R_UNEXPECTEDTOKEN); } cleanup: - CLEANUP_OBJ(obj); + CLEANUP_OBJ(obj); return (result); } @@ -1881,7 +1881,7 @@ static isc_result_t parse_masterselement(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { - isc_result_t result; + isc_result_t result; cfg_obj_t *obj = NULL; UNUSED(type); @@ -1898,7 +1898,7 @@ parse_masterselement(cfg_parser_t *pctx, const cfg_type_t *type, return (ISC_R_UNEXPECTEDTOKEN); } cleanup: - CLEANUP_OBJ(obj); + CLEANUP_OBJ(obj); return (result); } diff --git a/lib/isccfg/version.c b/lib/isccfg/version.c index fe001d7434bf0..20b1ca325fc40 100644 --- a/lib/isccfg/version.c +++ b/lib/isccfg/version.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 1998-2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1998-2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:06 marka Exp $ */ +/* $Id: version.c,v 1.1.12.6 2007/08/28 07:19:18 tbox Exp $ */ #include diff --git a/lib/lwres/Makefile.in b/lib/lwres/Makefile.in index 024b988492a7c..603978841a1be 100644 --- a/lib/lwres/Makefile.in +++ b/lib/lwres/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2000, 2001 Internet Software Consortium. +# Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000, 2001, 2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.25.12.8 2005/06/09 23:54:32 marka Exp $ +# $Id: Makefile.in,v 1.25.12.11 2007/08/28 07:19:18 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/lwres/api b/lib/lwres/api index 63704dd62ad3b..03003a281a8d7 100644 --- a/lib/lwres/api +++ b/lib/lwres/api @@ -1,3 +1,3 @@ -LIBINTERFACE = 10 -LIBREVISION = 5 -LIBAGE = 1 +LIBINTERFACE = 11 +LIBREVISION = 0 +LIBAGE = 2 diff --git a/lib/lwres/context.c b/lib/lwres/context.c index b606b9d21a1f0..213b43748de60 100644 --- a/lib/lwres/context.c +++ b/lib/lwres/context.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: context.c,v 1.41.2.1.2.4 2004/09/17 05:50:31 marka Exp $ */ +/* $Id: context.c,v 1.41.2.1.2.8 2007/08/28 07:19:18 tbox Exp $ */ #include @@ -128,6 +128,9 @@ lwres_context_destroy(lwres_context_t **contextp) { *contextp = NULL; if (ctx->sock != -1) { +#ifdef WIN32 + DestroySockets(); +#endif (void)close(ctx->sock); ctx->sock = -1; } @@ -231,19 +234,34 @@ context_connect(lwres_context_t *ctx) { } else return (LWRES_R_IOERROR); +#ifdef WIN32 + InitSockets(); +#endif s = socket(domain, SOCK_DGRAM, IPPROTO_UDP); - if (s < 0) + if (s < 0) { +#ifdef WIN32 + DestroySockets(); +#endif return (LWRES_R_IOERROR); + } ret = connect(s, sa, salen); if (ret != 0) { +#ifdef WIN32 + DestroySockets(); +#endif (void)close(s); return (LWRES_R_IOERROR); } MAKE_NONBLOCKING(s, ret); - if (ret < 0) + if (ret < 0) { +#ifdef WIN32 + DestroySockets(); +#endif + (void)close(s); return (LWRES_R_IOERROR); + } ctx->sock = s; diff --git a/lib/lwres/gai_strerror.c b/lib/lwres/gai_strerror.c index 06b7fbe1efd19..d962e109f5109 100644 --- a/lib/lwres/gai_strerror.c +++ b/lib/lwres/gai_strerror.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: gai_strerror.c,v 1.14.2.1.10.3 2006/08/25 05:25:50 marka Exp $ */ +/* $Id: gai_strerror.c,v 1.14.2.1.10.6 2007/08/28 07:19:18 tbox Exp $ */ #include diff --git a/lib/lwres/getaddrinfo.c b/lib/lwres/getaddrinfo.c index 9ad10dfd7eb39..438be6d52ec92 100644 --- a/lib/lwres/getaddrinfo.c +++ b/lib/lwres/getaddrinfo.c @@ -1,11 +1,11 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * This code is derived from software contributed to ISC by * Berkeley Software Design, Inc. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -18,13 +18,14 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: getaddrinfo.c,v 1.41.206.6 2006/11/13 11:57:41 marka Exp $ */ +/* $Id: getaddrinfo.c,v 1.41.206.8 2007/09/13 23:45:58 tbox Exp $ */ #include -#include #include +#include + #include #include #include diff --git a/lib/lwres/getipnode.c b/lib/lwres/getipnode.c index 9b1a07bdda7b5..62fe572013529 100644 --- a/lib/lwres/getipnode.c +++ b/lib/lwres/getipnode.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: getipnode.c,v 1.30.2.4.2.6 2005/04/29 00:03:32 marka Exp $ */ +/* $Id: getipnode.c,v 1.30.2.4.2.10 2007/08/28 07:19:18 tbox Exp $ */ #include @@ -566,13 +566,20 @@ scan_interfaces(int *have_v4, int *have_v6) { int s, n; size_t cpsize; +#ifdef WIN32 + InitSockets(); +#endif #if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \ !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF) /* * Try to scan the interfaces using IPv6 ioctls(). */ - if (!scan_interfaces6(have_v4, have_v6)) + if (!scan_interfaces6(have_v4, have_v6)) { +#ifdef WIN32 + DestroySockets(); +#endif return (0); + } #endif /* @@ -697,13 +704,20 @@ scan_interfaces(int *have_v4, int *have_v6) { } if (buf != NULL) free(buf); +#ifdef WIN32 + DestroySockets(); +#endif close(s); return (0); + err_ret: if (buf != NULL) free(buf); if (s != -1) close(s); +#ifdef WIN32 + DestroySockets(); +#endif return (-1); #endif } diff --git a/lib/lwres/include/lwres/Makefile.in b/lib/lwres/include/lwres/Makefile.in index 48c28f6207d02..3c558d8a7ccfa 100644 --- a/lib/lwres/include/lwres/Makefile.in +++ b/lib/lwres/include/lwres/Makefile.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 2000, 2001 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000, 2001, 2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.19.12.3 2004/03/08 09:05:11 marka Exp $ +# $Id: Makefile.in,v 1.19.12.6 2007/08/28 07:19:18 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ diff --git a/lib/lwres/include/lwres/lwres.h b/lib/lwres/include/lwres/lwres.h index 7260b00f11ce8..67b12355b8fc3 100644 --- a/lib/lwres/include/lwres/lwres.h +++ b/lib/lwres/include/lwres/lwres.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwres.h,v 1.49.12.3 2004/03/08 09:05:11 marka Exp $ */ +/* $Id: lwres.h,v 1.49.12.6 2007/08/28 07:19:18 tbox Exp $ */ #ifndef LWRES_LWRES_H #define LWRES_LWRES_H 1 diff --git a/lib/lwres/include/lwres/platform.h.in b/lib/lwres/include/lwres/platform.h.in index e995aa46c0e57..da64174ce03ed 100644 --- a/lib/lwres/include/lwres/platform.h.in +++ b/lib/lwres/include/lwres/platform.h.in @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: platform.h.in,v 1.12.2.1.10.5 2005/06/08 02:08:32 marka Exp $ */ +/* $Id: platform.h.in,v 1.12.2.1.10.8 2007/08/28 07:19:18 tbox Exp $ */ #ifndef LWRES_PLATFORM_H #define LWRES_PLATFORM_H 1 diff --git a/lib/lwres/include/lwres/version.h b/lib/lwres/include/lwres/version.h index 1b291ceeae9e9..5c7d58202e0f3 100644 --- a/lib/lwres/include/lwres/version.h +++ b/lib/lwres/include/lwres/version.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.h,v 1.2.224.3 2004/03/08 09:05:11 marka Exp $ */ +/* $Id: version.h,v 1.2.224.6 2007/08/28 07:19:18 tbox Exp $ */ #include diff --git a/lib/lwres/lwres_gabn.c b/lib/lwres/lwres_gabn.c index 9df87ce6706c6..771144d1fdcaa 100644 --- a/lib/lwres/lwres_gabn.c +++ b/lib/lwres/lwres_gabn.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwres_gabn.c,v 1.27.12.3 2004/03/08 09:05:10 marka Exp $ */ +/* $Id: lwres_gabn.c,v 1.27.12.6 2007/08/28 07:19:18 tbox Exp $ */ #include diff --git a/lib/lwres/lwres_gnba.c b/lib/lwres/lwres_gnba.c index a11c0665792d5..aba563e6c3572 100644 --- a/lib/lwres/lwres_gnba.c +++ b/lib/lwres/lwres_gnba.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwres_gnba.c,v 1.20.2.2.8.4 2004/03/08 09:05:11 marka Exp $ */ +/* $Id: lwres_gnba.c,v 1.20.2.2.8.8 2007/09/24 17:26:10 each Exp $ */ #include @@ -44,7 +44,6 @@ lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req, REQUIRE(req != NULL); REQUIRE(req->addr.family != 0); REQUIRE(req->addr.length != 0); - REQUIRE(req->addr.address != NULL); REQUIRE(pkt != NULL); REQUIRE(b != NULL); diff --git a/lib/lwres/lwres_grbn.c b/lib/lwres/lwres_grbn.c index f8147fc622e8d..1797c27450234 100644 --- a/lib/lwres/lwres_grbn.c +++ b/lib/lwres/lwres_grbn.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: lwres_grbn.c,v 1.4.12.3 2004/03/08 09:05:11 marka Exp $ */ +/* $Id: lwres_grbn.c,v 1.4.12.6 2007/08/28 07:19:18 tbox Exp $ */ #include diff --git a/lib/lwres/man/lwres.3 b/lib/lwres/man/lwres.3 index 886f1f1b1a8c7..eff528a4b0601 100644 --- a/lib/lwres/man/lwres.3 +++ b/lib/lwres/man/lwres.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres.3,v 1.15.206.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres.3,v 1.15.206.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -159,4 +159,7 @@ bit should be set. \fBresolver\fR(5), \fBlwresd\fR(8). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres.docbook b/lib/lwres/man/lwres.docbook index 83258a9dd743c..c6bceca92e88c 100644 --- a/lib/lwres/man/lwres.docbook +++ b/lib/lwres/man/lwres.docbook @@ -1,11 +1,11 @@ -]> - + @@ -35,6 +35,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html index 02af1f7d98c86..1c5ce3e45cb1d 100644 --- a/lib/lwres/man/lwres.html +++ b/lib/lwres/man/lwres.html @@ -1,5 +1,5 @@ - + lwres - +

-
+

Name

lwres — introduction to the lightweight resolver library

@@ -32,7 +32,7 @@ 
#include <lwres/lwres.h>
-

DESCRIPTION

+

DESCRIPTION

The BIND 9 lightweight resolver library is a simple, name service independent stub resolver library. It provides hostname-to-address @@ -47,7 +47,7 @@ UDP-based protocol.

-

OVERVIEW

+

OVERVIEW

The lwresd library implements multiple name service APIs. The standard @@ -101,7 +101,7 @@ and servers is outlined in the following sections.

-

CLIENT-SIDE LOW-LEVEL API CALL FLOW

+

CLIENT-SIDE LOW-LEVEL API CALL FLOW

When a client program wishes to make an lwres request using the native low-level API, it typically performs the following @@ -147,7 +147,7 @@ packet specific information contained in the body.

-

SERVER-SIDE LOW-LEVEL API CALL FLOW

+

SERVER-SIDE LOW-LEVEL API CALL FLOW

When implementing the server side of the lightweight resolver protocol using the lwres library, a sequence of actions like the @@ -188,7 +188,7 @@ set.

-

SEE ALSO

+

SEE ALSO

lwres_gethostent(3), diff --git a/lib/lwres/man/lwres_buffer.3 b/lib/lwres/man/lwres_buffer.3 index 62312379c1b4d..865dfdcadd1d4 100644 --- a/lib/lwres/man/lwres_buffer.3 +++ b/lib/lwres/man/lwres_buffer.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_buffer.3,v 1.12.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_buffer.3,v 1.12.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_buffer .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -93,7 +93,7 @@ The is an (optional) subregion of the remaining region. It extends from the current offset to an offset in the remaining region. Initially, the active region is empty. If the current offset advances beyond the chosen offset, the active region will also be empty. .PP .sp -.RS 3n +.RS 4 .nf /\-\-\-\-\-\-\-\-\-\-\-\-entire length\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\\\\ /\-\-\-\-\- used region \-\-\-\-\-\\\\/\-\- available \-\-\\\\ @@ -217,4 +217,7 @@ bytes of memory from to \fIbase\fR. .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_buffer.docbook b/lib/lwres/man/lwres_buffer.docbook index c70aee508e772..ebb138ca88011 100644 --- a/lib/lwres/man/lwres_buffer.docbook +++ b/lib/lwres/man/lwres_buffer.docbook @@ -1,11 +1,11 @@ -]> - + @@ -35,6 +35,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html index 9443fbda1e4cb..e34bd616828e0 100644 --- a/lib/lwres/man/lwres_buffer.html +++ b/lib/lwres/man/lwres_buffer.html @@ -1,5 +1,5 @@ - + lwres_buffer - +

-
+

Name

lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem — lightweight resolver buffer management

@@ -49,31 +49,18 @@ void
- - - - -
   ,
   );
- - +
- - - - - - -
void lwres_buffer_invalidate(   );
   -);
+ - - - - - @@ -105,47 +87,26 @@ void - - - - -
@@ -85,11 +72,6 @@ void
   ,
   );
   ,
   );
- - +
- - - - - - -
void lwres_buffer_clear(   );
   -);
- - +
+ - - - - - - -
void lwres_buffer_first(   );
   -);
+ - - - - - @@ -177,31 +133,18 @@ void - - - - -
@@ -157,11 +118,6 @@ void
   ,
   );
   ,
   );
- - +
- - - - - - -
lwres_uint8_t lwres_buffer_getuint8(   );
   -);
+ - - - - -
@@ -213,31 +156,18 @@ void
   ,
   );
- - +
- - - - - - -
lwres_uint16_t lwres_buffer_getuint16(   );
   -);
+ - - - - -
@@ -249,31 +179,18 @@ void
   ,
   );
- - +
- - - - - - -
lwres_uint32_t lwres_buffer_getuint32(   );
   -);
+ - - - - - @@ -310,11 +222,6 @@ void - - - - - @@ -335,11 +242,6 @@ void - - - - - @@ -347,7 +249,7 @@ void
-

DESCRIPTION

+

DESCRIPTION

These functions provide bounds checked access to a region of memory where data is being read or written. diff --git a/lib/lwres/man/lwres_config.3 b/lib/lwres/man/lwres_config.3 index 0a239235144bb..570c028a3aeba 100644 --- a/lib/lwres/man/lwres_config.3 +++ b/lib/lwres/man/lwres_config.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_config.3,v 1.12.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_config.3,v 1.12.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_config .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -100,4 +100,7 @@ unless an error occurred when converting the network addresses to a numeric host .PP \fI/etc/resolv.conf\fR .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_config.docbook b/lib/lwres/man/lwres_config.docbook index 03426beb32747..9e055982cce25 100644 --- a/lib/lwres/man/lwres_config.docbook +++ b/lib/lwres/man/lwres_config.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html index 339a48784333c..1596fa4adaa3d 100644 --- a/lib/lwres/man/lwres_config.html +++ b/lib/lwres/man/lwres_config.html @@ -1,5 +1,5 @@ - + lwres_config - +

-
+

Name

lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get — lightweight resolver configuration

@@ -31,38 +31,22 @@

Synopsis

#include <lwres/lwres.h>
-
@@ -285,11 +202,6 @@ void
   ,
   );
   ,
   );
   ,
   );
- +
- - - - - - -
void lwres_conf_init(   );
   -);
- - +
+ - - - - - - -
void lwres_conf_clear(   );
   -);
+ - - - - - @@ -94,35 +73,22 @@ lwres_result_t - - - - -
@@ -74,11 +58,6 @@ lwres_result_t
   ,
   );
   ,
   );
- - +
- - - - - - -
lwres_conf_t * lwres_conf_get(   );
   -);
+
-

DESCRIPTION

+

DESCRIPTION

lwres_conf_init() creates an empty @@ -159,7 +125,7 @@ to the

-

RETURN VALUES

+

RETURN VALUES

lwres_conf_parse() returns @@ -184,14 +150,14 @@ If this happens, the function returns

-

SEE ALSO

+

SEE ALSO

stdio(3), resolver(5).

-

FILES

+

FILES

/etc/resolv.conf

diff --git a/lib/lwres/man/lwres_context.3 b/lib/lwres/man/lwres_context.3 index ba68e408cce90..a7dbf8df695e1 100644 --- a/lib/lwres/man/lwres_context.3 +++ b/lib/lwres/man/lwres_context.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_context.3,v 1.13.2.2.2.7 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_context.3,v 1.13.2.2.2.9 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_context .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -163,4 +163,7 @@ times out waiting for a response. \fBmalloc\fR(3), \fBfree\fR(3 ). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001, 2003 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_context.docbook b/lib/lwres/man/lwres_context.docbook index 48d43362e1eeb..a8a47fb0ea311 100644 --- a/lib/lwres/man/lwres_context.docbook +++ b/lib/lwres/man/lwres_context.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html index 6f7fbecec2b47..54870957f8830 100644 --- a/lib/lwres/man/lwres_context.html +++ b/lib/lwres/man/lwres_context.html @@ -1,5 +1,5 @@ - + lwres_context - +
-
+

Name

lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv — lightweight resolver context management

@@ -52,31 +52,18 @@ lwres_result_t     -, - - -  -  ); - - +
- - - - - - -
lwres_result_t lwres_context_destroy(   );
   -);
+ - - - - -
@@ -88,31 +75,18 @@ void
   ,
   );
- - +
- - - - - - -
lwres_uint32_t lwres_context_nextserial(   );
   -);
+ - - - - - @@ -149,11 +118,6 @@ void - - - - - @@ -189,11 +153,6 @@ void * - - - - - @@ -201,7 +160,7 @@ void *
-

DESCRIPTION

+

DESCRIPTION

lwres_context_create() creates a @@ -331,7 +290,7 @@ returned in

-

RETURN VALUES

+

RETURN VALUES

lwres_context_create() returns @@ -362,7 +321,7 @@ times out waiting for a response.

-

SEE ALSO

+

SEE ALSO

lwres_conf_init(3), diff --git a/lib/lwres/man/lwres_gabn.3 b/lib/lwres/man/lwres_gabn.3 index 593ebc5cb3cc7..c4c2c8b8c5a63 100644 --- a/lib/lwres/man/lwres_gabn.3 +++ b/lib/lwres/man/lwres_gabn.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gabn.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_gabn.3,v 1.13.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_gabn .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -60,7 +60,7 @@ There are four main functions for the getaddrbyname opcode. One render function These structures are defined in \fI\fR. They are shown below. .sp -.RS 3n +.RS 4 .nf #define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U typedef struct lwres_addr lwres_addr_t; @@ -171,4 +171,7 @@ indicate that the packet is not a response to an earlier query. .PP \fBlwres_packet\fR(3 ) .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_gabn.docbook b/lib/lwres/man/lwres_gabn.docbook index 6e90ea3905b36..2eeb979cdb7a2 100644 --- a/lib/lwres/man/lwres_gabn.docbook +++ b/lib/lwres/man/lwres_gabn.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html index fce25c5170323..06f743c83beed 100644 --- a/lib/lwres/man/lwres_gabn.html +++ b/lib/lwres/man/lwres_gabn.html @@ -1,5 +1,5 @@ - + lwres_gabn - +

-
+

Name

lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free — lightweight resolver getaddrbyname message handling

@@ -52,11 +52,6 @@ lwres_result_t
- - - - - @@ -82,11 +77,6 @@ lwres_result_t - - - - - @@ -112,11 +102,6 @@ lwres_result_t - - - - - @@ -142,11 +127,6 @@ lwres_result_t - - - - - @@ -162,11 +142,6 @@ void - - - - - @@ -182,11 +157,6 @@ void - - - - - @@ -194,7 +164,7 @@ void
-

DESCRIPTION

+

DESCRIPTION

These are low-level routines for creating and parsing lightweight resolver name-to-address lookup request and @@ -309,7 +279,7 @@ structures is also discarded.

-

RETURN VALUES

+

RETURN VALUES

The getaddrbyname opcode functions lwres_gabnrequest_render(), @@ -347,7 +317,7 @@ indicate that the packet is not a response to an earlier query.

-

SEE ALSO

+

SEE ALSO

lwres_packet(3 ) diff --git a/lib/lwres/man/lwres_gai_strerror.3 b/lib/lwres/man/lwres_gai_strerror.3 index e6efcd09a81d2..999f7d8323929 100644 --- a/lib/lwres/man/lwres_gai_strerror.3 +++ b/lib/lwres/man/lwres_gai_strerror.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gai_strerror.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_gai_strerror.3,v 1.13.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_gai_strerror .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -43,43 +43,65 @@ gai_strerror \- print suitable error string returns an error message corresponding to an error code returned by \fBgetaddrinfo()\fR. The following error codes and their meaning are defined in \fIinclude/lwres/netdb.h\fR. -.TP 3n +.PP \fBEAI_ADDRFAMILY\fR +.RS 4 address family for hostname not supported -.TP 3n +.RE +.PP \fBEAI_AGAIN\fR +.RS 4 temporary failure in name resolution -.TP 3n +.RE +.PP \fBEAI_BADFLAGS\fR +.RS 4 invalid value for \fBai_flags\fR -.TP 3n +.RE +.PP \fBEAI_FAIL\fR +.RS 4 non\-recoverable failure in name resolution -.TP 3n +.RE +.PP \fBEAI_FAMILY\fR +.RS 4 \fBai_family\fR not supported -.TP 3n +.RE +.PP \fBEAI_MEMORY\fR +.RS 4 memory allocation failure -.TP 3n +.RE +.PP \fBEAI_NODATA\fR +.RS 4 no address associated with hostname -.TP 3n +.RE +.PP \fBEAI_NONAME\fR +.RS 4 hostname or servname not provided, or not known -.TP 3n +.RE +.PP \fBEAI_SERVICE\fR +.RS 4 servname not supported for \fBai_socktype\fR -.TP 3n +.RE +.PP \fBEAI_SOCKTYPE\fR +.RS 4 \fBai_socktype\fR not supported -.TP 3n +.RE +.PP \fBEAI_SYSTEM\fR +.RS 4 system error returned in errno +.RE The message invalid error code is returned if @@ -101,4 +123,7 @@ used by \fBgetaddrinfo\fR(3), \fBRFC2133\fR(). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_gai_strerror.docbook b/lib/lwres/man/lwres_gai_strerror.docbook index f34836d2a2c4e..e9fb95bf0e09f 100644 --- a/lib/lwres/man/lwres_gai_strerror.docbook +++ b/lib/lwres/man/lwres_gai_strerror.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html index 4b244e3c8c036..cf40e28e20995 100644 --- a/lib/lwres/man/lwres_gai_strerror.html +++ b/lib/lwres/man/lwres_gai_strerror.html @@ -1,5 +1,5 @@ - + lwres_gai_strerror - +

-
+

Name

gai_strerror — print suitable error string

@@ -31,13 +31,18 @@

Synopsis

#include <lwres/netdb.h>
-

+

@@ -129,11 +103,6 @@ void
   ,
   );
   ,
   );
   ,
   );
   ,
   );
   ,
   );
   ,
   );
   ,
   );
   ,
   );
   ,
   );
+ + + +
char * -gai_strerror(int ecode);

+gai_strerror(		  +);
-

DESCRIPTION

+

DESCRIPTION

lwres_gai_strerror() returns an error message corresponding to an error code returned by @@ -109,7 +114,7 @@ used by

-

SEE ALSO

+

SEE ALSO

strerror(3), diff --git a/lib/lwres/man/lwres_getaddrinfo.3 b/lib/lwres/man/lwres_getaddrinfo.3 index fe52cd52cf2da..35600b380268a 100644 --- a/lib/lwres/man/lwres_getaddrinfo.3 +++ b/lib/lwres/man/lwres_getaddrinfo.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getaddrinfo.3,v 1.16.2.1.8.7 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_getaddrinfo.3,v 1.16.2.1.8.9 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_getaddrinfo .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -43,7 +43,7 @@ lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and se If the operating system does not provide a \fBstruct addrinfo\fR, the following structure is used: .sp -.RS 3n +.RS 4 .nf struct addrinfo { int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ @@ -82,14 +82,17 @@ is either a decimal port number or a service name as listed in is an optional pointer to a \fBstruct addrinfo\fR. This structure can be used to provide hints concerning the type of socket that the caller supports or wishes to use. The caller can supply the following structure elements in \fI*hints\fR: -.TP 3n +.PP \fBai_family\fR +.RS 4 The protocol family that should be used. When \fBai_family\fR is set to \fBPF_UNSPEC\fR, it means the caller will accept any protocol family supported by the operating system. -.TP 3n +.RE +.PP \fBai_socktype\fR +.RS 4 denotes the type of socket \(em \fBSOCK_STREAM\fR, \fBSOCK_DGRAM\fR @@ -98,13 +101,17 @@ or \(em that is wanted. When \fBai_socktype\fR is zero the caller will accept any socket type. -.TP 3n +.RE +.PP \fBai_protocol\fR +.RS 4 indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP. If \fBai_protocol\fR is zero the caller will accept any protocol. -.TP 3n +.RE +.PP \fBai_flags\fR +.RS 4 Flag bits. If the \fBAI_CANONNAME\fR bit is set, a successful call to @@ -150,6 +157,7 @@ is set to it indicates that \fIhostname\fR should be treated as a numeric string defining an IPv4 or IPv6 address and no name resolution should be attempted. +.RE .PP All other elements of the \fBstruct addrinfo\fR @@ -232,4 +240,7 @@ returns \fBsendmsg\fR(2), \fBsocket\fR(2). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001, 2003 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_getaddrinfo.docbook b/lib/lwres/man/lwres_getaddrinfo.docbook index 190721923b112..44185a0344666 100644 --- a/lib/lwres/man/lwres_getaddrinfo.docbook +++ b/lib/lwres/man/lwres_getaddrinfo.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html index 375c319c9c69a..e5ffc48cb1e63 100644 --- a/lib/lwres/man/lwres_getaddrinfo.html +++ b/lib/lwres/man/lwres_getaddrinfo.html @@ -1,5 +1,5 @@ - + lwres_getaddrinfo - +

-
+

Name

lwres_getaddrinfo, lwres_freeaddrinfo — socket address structure to host and service name

@@ -52,31 +52,18 @@ int     -, - - -  -  ); - - +
- - - - - - -
void lwres_freeaddrinfo(   );
   -);
+

If the operating system does not provide a @@ -100,7 +87,7 @@ struct addrinfo {

-

DESCRIPTION

+

DESCRIPTION

lwres_getaddrinfo() is used to get a list of IP addresses and port numbers for host @@ -297,7 +284,7 @@ created by a call to

-

RETURN VALUES

+

RETURN VALUES

lwres_getaddrinfo() returns zero on success or one of the error codes listed in @@ -317,7 +304,7 @@ returns

-

SEE ALSO

+

SEE ALSO

lwres(3), diff --git a/lib/lwres/man/lwres_gethostent.3 b/lib/lwres/man/lwres_gethostent.3 index 6fe933d753bae..64fb16725ccce 100644 --- a/lib/lwres/man/lwres_gethostent.3 +++ b/lib/lwres/man/lwres_gethostent.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gethostent.3,v 1.16.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_gethostent.3,v 1.16.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_gethostent .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -66,7 +66,7 @@ functions provided by most operating systems. They use a which is usually defined in \fI\fR. .sp -.RS 3n +.RS 4 .nf struct hostent { char *h_name; /* official name of host */ @@ -81,26 +81,36 @@ struct hostent { .sp .PP The members of this structure are: -.TP 3n +.PP \fBh_name\fR +.RS 4 The official (canonical) name of the host. -.TP 3n +.RE +.PP \fBh_aliases\fR +.RS 4 A NULL\-terminated array of alternate names (nicknames) for the host. -.TP 3n +.RE +.PP \fBh_addrtype\fR +.RS 4 The type of address being returned \(em \fBPF_INET\fR or \fBPF_INET6\fR. -.TP 3n +.RE +.PP \fBh_length\fR +.RS 4 The length of the address in bytes. -.TP 3n +.RE +.PP \fBh_addr_list\fR +.RS 4 A \fBNULL\fR terminated array of network addresses for the host. Host addresses are returned in network byte order. +.RE .PP For backward compatibility with very old software, \fBh_addr\fR @@ -222,18 +232,26 @@ return NULL to indicate an error. In this case the global variable \fBlwres_h_errno\fR will contain one of the following error codes defined in \fI\fR: -.TP 3n +.PP \fBHOST_NOT_FOUND\fR +.RS 4 The host or address was not found. -.TP 3n +.RE +.PP \fBTRY_AGAIN\fR +.RS 4 A recoverable error occurred, e.g., a timeout. Retrying the lookup may succeed. -.TP 3n +.RE +.PP \fBNO_RECOVERY\fR +.RS 4 A non\-recoverable error occurred. -.TP 3n +.RE +.PP \fBNO_DATA\fR +.RS 4 The name exists, but has no address information associated with it (or vice versa in the case of a reverse lookup). The code NO_ADDRESS is accepted as a synonym for NO_DATA for backwards compatibility. +.RE .PP \fBlwres_hstrerror\fR(3 ) translates these error codes to suitable error messages. @@ -292,4 +310,7 @@ The resolver daemon does not currently support any non\-DNS name services such a or \fBNIS\fR, consequently the above functions don't, either. .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_gethostent.docbook b/lib/lwres/man/lwres_gethostent.docbook index 9f92d3b3134c3..e8220bd44cf39 100644 --- a/lib/lwres/man/lwres_gethostent.docbook +++ b/lib/lwres/man/lwres_gethostent.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html index fefc67b886310..5082a6a9b85b7 100644 --- a/lib/lwres/man/lwres_gethostent.html +++ b/lib/lwres/man/lwres_gethostent.html @@ -1,5 +1,5 @@ - + lwres_gethostent - +

-
+

Name

lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r — lightweight resolver get network host entry

@@ -31,22 +31,14 @@

Synopsis

#include <lwres/netdb.h>
- - +
- - - - - - -
struct hostent * lwres_gethostbyname(   );
   -);
+ - - - - - @@ -83,24 +70,34 @@ struct hostent * - - - - -
@@ -58,11 +50,6 @@ struct hostent *
   ,
   );
   ,
   );
-

+ + + + +
struct hostent * -lwres_gethostent(void);

-

+lwres_gethostent(

  +);
+ + + + +
void -lwres_sethostent(int stayopen);

-

+lwres_sethostent(

  +);
+ + + + +
void -lwres_endhostent(void);

+lwres_endhostent(		  +);
- - - - - @@ -172,11 +164,6 @@ struct hostent * - - - - - @@ -202,25 +189,30 @@ struct hostent * - - - - -
@@ -127,11 +124,6 @@ struct hostent *
   ,
   );
   ,
   );
   ,
   );
-

+ + + + +
void -lwres_sethostent_r(int stayopen);

-

+lwres_sethostent_r(

  +);
+ + + + +
void -lwres_endhostent_r(void);

+lwres_endhostent_r(		  +);

-

DESCRIPTION

+

DESCRIPTION

These functions provide hostname-to-address and address-to-hostname lookups by means of the lightweight resolver. @@ -357,7 +349,7 @@ calls to lwres_gethostbyaddr_r() return

-

RETURN VALUES

+

RETURN VALUES

The functions lwres_gethostbyname(), @@ -424,7 +416,7 @@ hostent. If buf was too small, b

-

SEE ALSO

+

SEE ALSO

gethostent(3), @@ -435,7 +427,7 @@ hostent. If buf was too small, b

-

BUGS

+

BUGS

lwres_gethostbyname(), lwres_gethostbyname2(), diff --git a/lib/lwres/man/lwres_getipnode.3 b/lib/lwres/man/lwres_getipnode.3 index f7ab62b581b2d..72768eca5b3b3 100644 --- a/lib/lwres/man/lwres_getipnode.3 +++ b/lib/lwres/man/lwres_getipnode.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getipnode.3,v 1.13.2.2.4.7 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_getipnode.3,v 1.13.2.2.4.9 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_getipnode .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -50,7 +50,7 @@ They use a which is defined in \fInamedb.h\fR: .sp -.RS 3n +.RS 4 .nf struct hostent { char *h_name; /* official name of host */ @@ -65,26 +65,36 @@ struct hostent { .sp .PP The members of this structure are: -.TP 3n +.PP \fBh_name\fR +.RS 4 The official (canonical) name of the host. -.TP 3n +.RE +.PP \fBh_aliases\fR +.RS 4 A NULL\-terminated array of alternate names (nicknames) for the host. -.TP 3n +.RE +.PP \fBh_addrtype\fR +.RS 4 The type of address being returned \- usually \fBPF_INET\fR or \fBPF_INET6\fR. -.TP 3n +.RE +.PP \fBh_length\fR +.RS 4 The length of the address in bytes. -.TP 3n +.RE +.PP \fBh_addr_list\fR +.RS 4 A \fBNULL\fR terminated array of network addresses for the host. Host addresses are returned in network byte order. +.RE .PP \fBlwres_getipnodebyname()\fR looks up addresses of protocol family @@ -93,26 +103,34 @@ for the hostname \fIname\fR. The \fIflags\fR parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned. The flag bits are: -.TP 3n +.PP \fBAI_V4MAPPED\fR +.RS 4 This is used with an \fIaf\fR of AF_INET6, and causes IPv4 addresses to be returned as IPv4\-mapped IPv6 addresses. -.TP 3n +.RE +.PP \fBAI_ALL\fR +.RS 4 This is used with an \fIaf\fR of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses. -.TP 3n +.RE +.PP \fBAI_ADDRCONFIG\fR +.RS 4 Only return an IPv6 or IPv4 address if here is an active network interface of that type. This is not currently implemented in the BIND 9 lightweight resolver, and the flag is ignored. -.TP 3n +.RE +.PP \fBAI_DEFAULT\fR +.RS 4 This default sets the \fBAI_V4MAPPED\fR and \fBAI_ADDRCONFIG\fR flag bits. +.RE .PP \fBlwres_getipnodebyaddr()\fR performs a reverse lookup of address @@ -150,18 +168,26 @@ to an appropriate error code and the function returns a \fBNULL\fR pointer. The error codes and their meanings are defined in \fI\fR: -.TP 3n +.PP \fBHOST_NOT_FOUND\fR +.RS 4 No such host is known. -.TP 3n +.RE +.PP \fBNO_ADDRESS\fR +.RS 4 The server recognised the request and the name but no address is available. Another type of request to the name server for the domain might return an answer. -.TP 3n +.RE +.PP \fBTRY_AGAIN\fR +.RS 4 A temporary and possibly transient error occurred, such as a failure of a server to respond. The request may succeed if retried. -.TP 3n +.RE +.PP \fBNO_RECOVERY\fR +.RS 4 An unexpected failure occurred, and retrying the request is pointless. +.RE .PP \fBlwres_hstrerror\fR(3 ) translates these error codes to suitable error messages. @@ -174,4 +200,7 @@ translates these error codes to suitable error messages. \fBlwres_getnameinfo\fR(3), \fBlwres_hstrerror\fR(3). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001, 2003 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_getipnode.docbook b/lib/lwres/man/lwres_getipnode.docbook index 94de72c0fe703..eae7d506fd9df 100644 --- a/lib/lwres/man/lwres_getipnode.docbook +++ b/lib/lwres/man/lwres_getipnode.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html index 779da90673832..b6a98744fc2a1 100644 --- a/lib/lwres/man/lwres_getipnode.html +++ b/lib/lwres/man/lwres_getipnode.html @@ -1,5 +1,5 @@ - + lwres_getipnode - +

-
+

Name

lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent — lightweight resolver nodename / address translation API

@@ -52,11 +52,6 @@ struct hostent *     -, - - -  -  ); @@ -82,35 +77,22 @@ struct hostent *     -, - - -  -  ); - - +
- - - - - - -
void lwres_freehostent(   );
   -);
+
-

DESCRIPTION

+

DESCRIPTION

These functions perform thread safe, protocol independent nodename-to-address and address-to-nodename @@ -251,7 +233,7 @@ structure itself.

-

RETURN VALUES

+

RETURN VALUES

If an error occurs, lwres_getipnodebyname() @@ -297,7 +279,7 @@ translates these error codes to suitable error messages.

-

SEE ALSO

+

SEE ALSO

RFC2553, diff --git a/lib/lwres/man/lwres_getnameinfo.3 b/lib/lwres/man/lwres_getnameinfo.3 index a9af04be5447d..4f0ec827c7c21 100644 --- a/lib/lwres/man/lwres_getnameinfo.3 +++ b/lib/lwres/man/lwres_getnameinfo.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getnameinfo.3,v 1.15.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_getnameinfo.3,v 1.15.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_getnameinfo .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -68,21 +68,31 @@ bytes long. The maximum length of the service name is The \fIflags\fR argument sets the following bits: -.TP 3n +.PP \fBNI_NOFQDN\fR +.RS 4 A fully qualified domain name is not required for local hosts. The local part of the fully qualified domain name is returned instead. -.TP 3n +.RE +.PP \fBNI_NUMERICHOST\fR +.RS 4 Return the address in numeric form, as if calling inet_ntop(), instead of a host name. -.TP 3n +.RE +.PP \fBNI_NAMEREQD\fR +.RS 4 A name is required. If the hostname cannot be found in the DNS and this flag is set, a non\-zero error code is returned. If the hostname is not found and the flag is not set, the address is returned in numeric form. -.TP 3n +.RE +.PP \fBNI_NUMERICSERV\fR +.RS 4 The service name is returned as a digit string representing the port number. -.TP 3n +.RE +.PP \fBNI_DGRAM\fR +.RS 4 Specifies that the service being looked up is a datagram service, and causes getservbyport() to be called with a second argument of "udp" instead of its default of "tcp". This is required for the few ports (512\-514) that have different services for UDP and TCP. +.RE .SH "RETURN VALUES" .PP \fBlwres_getnameinfo()\fR @@ -101,4 +111,7 @@ RFC2133 fails to define what the nonzero return values of \fBgetnameinfo\fR(3) are. .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_getnameinfo.docbook b/lib/lwres/man/lwres_getnameinfo.docbook index b6e10ac3ab050..be77ee577edc6 100644 --- a/lib/lwres/man/lwres_getnameinfo.docbook +++ b/lib/lwres/man/lwres_getnameinfo.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html index 311173012576a..25a1453033009 100644 --- a/lib/lwres/man/lwres_getnameinfo.html +++ b/lib/lwres/man/lwres_getnameinfo.html @@ -1,5 +1,5 @@ - + lwres_getnameinfo - +

-
+

Name

lwres_getnameinfo — lightweight resolver socket address structure to hostname and service name

@@ -67,11 +67,6 @@ int     -, - - -  -  ); @@ -79,7 +74,7 @@ int
-

DESCRIPTION

+

DESCRIPTION

This function is equivalent to the getnameinfo(3) function defined in RFC2133. lwres_getnameinfo() returns the hostname for the struct sockaddr sa which is @@ -130,14 +125,14 @@ TCP.

-

RETURN VALUES

+

RETURN VALUES

lwres_getnameinfo() returns 0 on success or a non-zero error code if an error occurs.

-

SEE ALSO

+

SEE ALSO

RFC2133, getservbyport(3), @@ -148,7 +143,7 @@ returns 0 on success or a non-zero error code if an error occurs.

-

BUGS

+

BUGS

RFC2133 fails to define what the nonzero return values of getnameinfo(3) diff --git a/lib/lwres/man/lwres_getrrsetbyname.3 b/lib/lwres/man/lwres_getrrsetbyname.3 index 1aeca283cd75a..b0f8938f598e7 100644 --- a/lib/lwres/man/lwres_getrrsetbyname.3 +++ b/lib/lwres/man/lwres_getrrsetbyname.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_getrrsetbyname.3,v 1.11.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_getrrsetbyname.3,v 1.11.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_getrrsetbyname .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Oct 18, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -42,7 +42,7 @@ lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records .PP The following structures are used: .sp -.RS 3n +.RS 4 .nf struct rdatainfo { unsigned int rdi_length; /* length of data */ @@ -120,24 +120,39 @@ created by a call to .PP \fBlwres_getrrsetbyname()\fR returns zero on success, and one of the following error codes if an error occurred: -.TP 3n +.PP \fBERRSET_NONAME\fR +.RS 4 the name does not exist -.TP 3n +.RE +.PP \fBERRSET_NODATA\fR +.RS 4 the name exists, but does not have data of the desired type -.TP 3n +.RE +.PP \fBERRSET_NOMEMORY\fR +.RS 4 memory could not be allocated -.TP 3n +.RE +.PP \fBERRSET_INVAL\fR +.RS 4 a parameter is invalid -.TP 3n +.RE +.PP \fBERRSET_FAIL\fR +.RS 4 other failure -.TP 3n +.RE +.PP +.RS 4 +.RE .SH "SEE ALSO" .PP \fBlwres\fR(3). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_getrrsetbyname.docbook b/lib/lwres/man/lwres_getrrsetbyname.docbook index 53c33bef7b34e..a1494653cbb6a 100644 --- a/lib/lwres/man/lwres_getrrsetbyname.docbook +++ b/lib/lwres/man/lwres_getrrsetbyname.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html index 6cbed6fafe15b..a6edf231ed13f 100644 --- a/lib/lwres/man/lwres_getrrsetbyname.html +++ b/lib/lwres/man/lwres_getrrsetbyname.html @@ -1,5 +1,5 @@ - + lwres_getrrsetbyname - +

-
+

Name

lwres_getrrsetbyname, lwres_freerrset — retrieve DNS records

@@ -57,31 +57,18 @@ int     -, - - -  -  ); - - +
- - - - - - -
void lwres_freerrset(   );
   -);
+

The following structures are used: @@ -108,7 +95,7 @@ struct rrsetinfo {

-

DESCRIPTION

+

DESCRIPTION

lwres_getrrsetbyname() gets a set of resource records associated with a @@ -185,7 +172,7 @@ created by a call to

-

RETURN VALUES

+

RETURN VALUES

lwres_getrrsetbyname() returns zero on success, and one of the following error @@ -221,7 +208,7 @@ other failure

-

SEE ALSO

+

SEE ALSO

lwres(3).

diff --git a/lib/lwres/man/lwres_gnba.3 b/lib/lwres/man/lwres_gnba.3 index dc546d2ab2ec5..e890e84708276 100644 --- a/lib/lwres/man/lwres_gnba.3 +++ b/lib/lwres/man/lwres_gnba.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_gnba.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_gnba.3,v 1.13.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_gnba .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -60,7 +60,7 @@ to the canonical format. This is complemented by a parse function which converts These structures are defined in \fIlwres/lwres.h\fR. They are shown below. .sp -.RS 3n +.RS 4 .nf #define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U typedef struct { @@ -165,4 +165,7 @@ indicate that the packet is not a response to an earlier query. .PP \fBlwres_packet\fR(3). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_gnba.docbook b/lib/lwres/man/lwres_gnba.docbook index 753148642efe8..14b51ba3a3be4 100644 --- a/lib/lwres/man/lwres_gnba.docbook +++ b/lib/lwres/man/lwres_gnba.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html index 4d07580fd0e59..8a9a7f47cd212 100644 --- a/lib/lwres/man/lwres_gnba.html +++ b/lib/lwres/man/lwres_gnba.html @@ -1,5 +1,5 @@ - + lwres_gnba - +
-
+

Name

lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free — lightweight resolver getnamebyaddress message handling

@@ -39,31 +39,25 @@ lwres_result_t lwres_gnbarequest_render ( -  +lwres_context_t *  ctx,   -  - -ctx, - - -  -  +lwres_gnbarequest_t *  req,   -  +lwres_lwpacket_t *  pkt,   -  +lwres_buffer_t *  b); @@ -90,11 +84,6 @@ lwres_result_t     -, - - -  -  ); @@ -120,11 +109,6 @@ lwres_result_t     -, - - -  -  ); @@ -150,11 +134,6 @@ lwres_result_t     -, - - -  -  ); @@ -171,11 +150,6 @@ void     -, - - -  -  ); @@ -191,11 +165,6 @@ void     -, - - -  -  ); @@ -203,7 +172,7 @@ void
-

DESCRIPTION

+

DESCRIPTION

These are low-level routines for creating and parsing lightweight resolver address-to-name lookup request and @@ -308,7 +277,7 @@ structures is also discarded.

-

RETURN VALUES

+

RETURN VALUES

The getnamebyaddr opcode functions lwres_gnbarequest_render(), @@ -346,7 +315,7 @@ indicate that the packet is not a response to an earlier query.

-

SEE ALSO

+

SEE ALSO

lwres_packet(3).

diff --git a/lib/lwres/man/lwres_hstrerror.3 b/lib/lwres/man/lwres_hstrerror.3 index d6fc8f5feb7f5..329390d1598dc 100644 --- a/lib/lwres/man/lwres_hstrerror.3 +++ b/lib/lwres/man/lwres_hstrerror.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_hstrerror.3,v 1.13.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_hstrerror.3,v 1.13.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_hstrerror .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -54,21 +54,31 @@ for the error code stored in the global variable \fBlwres_hstrerror()\fR returns an appropriate string for the error code gievn by \fIerr\fR. The values of the error codes and messages are as follows: -.TP 3n +.PP \fBNETDB_SUCCESS\fR +.RS 4 Resolver Error 0 (no error) -.TP 3n +.RE +.PP \fBHOST_NOT_FOUND\fR +.RS 4 Unknown host -.TP 3n +.RE +.PP \fBTRY_AGAIN\fR +.RS 4 Host name lookup failure -.TP 3n +.RE +.PP \fBNO_RECOVERY\fR +.RS 4 Unknown server error -.TP 3n +.RE +.PP \fBNO_DATA\fR +.RS 4 No address associated with name +.RE .SH "RETURN VALUES" .PP The string @@ -83,4 +93,7 @@ is not a valid error code. \fBherror\fR(3), \fBlwres_hstrerror\fR(3). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_hstrerror.docbook b/lib/lwres/man/lwres_hstrerror.docbook index a36c072ef394a..2ecf315dee318 100644 --- a/lib/lwres/man/lwres_hstrerror.docbook +++ b/lib/lwres/man/lwres_hstrerror.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html index d2f1e4aa706be..087bf0d844d8e 100644 --- a/lib/lwres/man/lwres_hstrerror.html +++ b/lib/lwres/man/lwres_hstrerror.html @@ -1,5 +1,5 @@ - + lwres_hstrerror - +
-
+

Name

lwres_herror, lwres_hstrerror — lightweight resolver error message generation

@@ -31,16 +31,26 @@

Synopsis

#include <lwres/netdb.h>
-

+ + + + +
void -lwres_herror(const char *s);

-

+lwres_herror(

  +);
+ + + + +
const char * -lwres_hstrerror(int err);

+lwres_hstrerror(		  +);

-

DESCRIPTION

+

DESCRIPTION

lwres_herror() prints the string s on stderr followed by the string @@ -79,7 +89,7 @@ the error codes and messages are as follows:

-

RETURN VALUES

+

RETURN VALUES

The string Unknown resolver error is returned by lwres_hstrerror() @@ -89,7 +99,7 @@ is not a valid error code.

-

SEE ALSO

+

SEE ALSO

herror(3), diff --git a/lib/lwres/man/lwres_inetntop.3 b/lib/lwres/man/lwres_inetntop.3 index 6395e60099a74..3b4fbd0c9ee94 100644 --- a/lib/lwres/man/lwres_inetntop.3 +++ b/lib/lwres/man/lwres_inetntop.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_inetntop.3,v 1.12.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_inetntop.3,v 1.12.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_inetntop .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -71,4 +71,7 @@ is not supported. \fBinet_ntop\fR(3), \fBerrno\fR(3). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_inetntop.docbook b/lib/lwres/man/lwres_inetntop.docbook index 651ef04d91bd4..abb288f5b1cde 100644 --- a/lib/lwres/man/lwres_inetntop.docbook +++ b/lib/lwres/man/lwres_inetntop.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html index ca5c0bd693afc..95601de11bd9a 100644 --- a/lib/lwres/man/lwres_inetntop.html +++ b/lib/lwres/man/lwres_inetntop.html @@ -1,5 +1,5 @@ - + lwres_inetntop - +

-
+

Name

lwres_net_ntop — lightweight resolver IP address presentation

@@ -52,11 +52,6 @@ const char *     -, - - -  -  ); @@ -64,7 +59,7 @@ const char *
-

DESCRIPTION

+

DESCRIPTION

lwres_net_ntop() converts an IP address of protocol family af — IPv4 or IPv6 — @@ -80,7 +75,7 @@ ASCII representation of the address.

-

RETURN VALUES

+

RETURN VALUES

If successful, the function returns dst: a pointer to a string containing the presentation format of the @@ -92,7 +87,7 @@ supported.

-

SEE ALSO

+

SEE ALSO

RFC1884, inet_ntop(3), diff --git a/lib/lwres/man/lwres_noop.3 b/lib/lwres/man/lwres_noop.3 index e32c2f8020f1b..a57938b72421c 100644 --- a/lib/lwres/man/lwres_noop.3 +++ b/lib/lwres/man/lwres_noop.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_noop.3,v 1.14.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_noop.3,v 1.14.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_noop .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -64,7 +64,7 @@ to the canonical format. This is complemented by a parse function which converts These structures are defined in \fIlwres/lwres.h\fR. They are shown below. .sp -.RS 3n +.RS 4 .nf #define LWRES_OPCODE_NOOP 0x00000000U typedef struct { @@ -164,4 +164,7 @@ indicate that the packet is not a response to an earlier query. .PP \fBlwres_packet\fR(3 ) .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_noop.docbook b/lib/lwres/man/lwres_noop.docbook index fcb3c5933ab74..c77c60eb8a8fb 100644 --- a/lib/lwres/man/lwres_noop.docbook +++ b/lib/lwres/man/lwres_noop.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html index 145bcac0844eb..7e8a2f2984572 100644 --- a/lib/lwres/man/lwres_noop.html +++ b/lib/lwres/man/lwres_noop.html @@ -1,5 +1,5 @@ - + lwres_noop - +

-
+

Name

lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free — lightweight resolver no-op message handling

@@ -53,11 +53,6 @@ lwres_result_t     -, - - -  -  ); @@ -83,11 +78,6 @@ lwres_result_t     -, - - -  -  ); @@ -113,11 +103,6 @@ lwres_result_t     -, - - -  -  ); @@ -143,11 +128,6 @@ lwres_result_t     -, - - -  -  ); @@ -163,11 +143,6 @@ void     -, - - -  -  ); @@ -183,11 +158,6 @@ void     -, - - -  -  ); @@ -195,7 +165,7 @@ void
-

DESCRIPTION

+

DESCRIPTION

These are low-level routines for creating and parsing lightweight resolver no-op request and response messages. @@ -276,7 +246,7 @@ structures referenced via structp.

-

RETURN VALUES

+

RETURN VALUES

The no-op opcode functions lwres_nooprequest_render(), @@ -315,7 +285,7 @@ indicate that the packet is not a response to an earlier query.

-

SEE ALSO

+

SEE ALSO

lwres_packet(3 ) diff --git a/lib/lwres/man/lwres_packet.3 b/lib/lwres/man/lwres_packet.3 index 35a8f10ca88d1..ffd17a2a4a102 100644 --- a/lib/lwres/man/lwres_packet.3 +++ b/lib/lwres/man/lwres_packet.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_packet.3,v 1.15.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_packet.3,v 1.15.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_packet .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -46,7 +46,7 @@ These functions rely on a which is defined in \fIlwres/lwpacket.h\fR. .sp -.RS 3n +.RS 4 .nf typedef struct lwres_lwpacket lwres_lwpacket_t; struct lwres_lwpacket { @@ -65,45 +65,69 @@ struct lwres_lwpacket { .sp .PP The elements of this structure are: -.TP 3n +.PP \fBlength\fR +.RS 4 the overall packet length, including the entire packet header. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls. -.TP 3n +.RE +.PP \fBversion\fR +.RS 4 the header format. There is currently only one format, \fBLWRES_LWPACKETVERSION_0\fR. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls. -.TP 3n +.RE +.PP \fBpktflags\fR +.RS 4 library\-defined flags for this packet: for instance whether the packet is a request or a reply. Flag values can be set, but not defined by the caller. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls. -.TP 3n +.RE +.PP \fBserial\fR +.RS 4 is set by the requestor and is returned in all replies. If two or more packets from the same source have the same serial number and are from the same source, they are assumed to be duplicates and the latter ones may be dropped. This field must be set by the application. -.TP 3n +.RE +.PP \fBopcode\fR +.RS 4 indicates the operation. Opcodes between 0x00000000 and 0x03ffffff are reserved for use by the lightweight resolver library. Opcodes between 0x04000000 and 0xffffffff are application defined. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls. -.TP 3n +.RE +.PP \fBresult\fR +.RS 4 is only valid for replies. Results between 0x04000000 and 0xffffffff are application defined. Results between 0x00000000 and 0x03ffffff are reserved for library use. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls. -.TP 3n +.RE +.PP \fBrecvlength\fR +.RS 4 is the maximum buffer size that the receiver can handle on requests and the size of the buffer needed to satisfy a request when the buffer is too large for replies. This field is supplied by the application. -.TP 3n +.RE +.PP \fBauthtype\fR +.RS 4 defines the packet level authentication that is used. Authorisation types between 0x1000 and 0xffff are application defined and types between 0x0000 and 0x0fff are reserved for library use. Currently these are not used and must be zero. -.TP 3n +.RE +.PP \fBauthlen\fR +.RS 4 gives the length of the authentication data. Since packet authentication is currently not used, this must be zero. +.RE .PP The following opcodes are currently defined: -.TP 3n +.PP \fBNOOP\fR +.RS 4 Success is always returned and the packet contents are echoed. The lwres_noop_*() functions should be used for this type. -.TP 3n +.RE +.PP \fBGETADDRSBYNAME\fR +.RS 4 returns all known addresses for a given name. The lwres_gabn_*() functions should be used for this type. -.TP 3n +.RE +.PP \fBGETNAMEBYADDR\fR +.RS 4 return the hostname for the given address. The lwres_gnba_*() functions should be used for this type. +.RE .PP \fBlwres_lwpacket_renderheader()\fR transfers the contents of lightweight resolver packet structure @@ -134,4 +158,7 @@ and lightweight resolver packet both functions return \fBLWRES_R_UNEXPECTEDEND\fR. .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_packet.docbook b/lib/lwres/man/lwres_packet.docbook index 226f9942c9aee..06ab1ec336eb8 100644 --- a/lib/lwres/man/lwres_packet.docbook +++ b/lib/lwres/man/lwres_packet.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html index 32bb81ee94bef..dae42a8afd132 100644 --- a/lib/lwres/man/lwres_packet.html +++ b/lib/lwres/man/lwres_packet.html @@ -1,5 +1,5 @@ - + lwres_packet - +

-
+

Name

lwres_lwpacket_renderheader, lwres_lwpacket_parseheader — lightweight resolver packet handling functions

@@ -42,11 +42,6 @@ lwres_result_t     -, - - -  -  ); @@ -62,11 +57,6 @@ lwres_result_t     -, - - -  -  ); @@ -74,7 +64,7 @@ lwres_result_t
-

DESCRIPTION

+

DESCRIPTION

These functions rely on a struct lwres_lwpacket @@ -212,7 +202,7 @@ buffer *b to resolver packet

-

RETURN VALUES

+

RETURN VALUES

Successful calls to lwres_lwpacket_renderheader() and lwres_lwpacket_parseheader() return diff --git a/lib/lwres/man/lwres_resutil.3 b/lib/lwres/man/lwres_resutil.3 index 907706c424e45..a8eccfc7e3d7d 100644 --- a/lib/lwres/man/lwres_resutil.3 +++ b/lib/lwres/man/lwres_resutil.3 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -13,13 +13,13 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: lwres_resutil.3,v 1.14.2.1.8.6 2006/06/29 13:02:31 marka Exp $ +.\" $Id: lwres_resutil.3,v 1.14.2.1.8.8 2007/01/30 00:11:48 marka Exp $ .\" .hy 0 .ad l .\" Title: lwres_resutil .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Generator: DocBook XSL Stylesheets v1.71.1 .\" Date: Jun 30, 2000 .\" Manual: BIND9 .\" Source: BIND9 @@ -74,7 +74,7 @@ use the \fBlwres_gnbaresponse_t\fR structure defined below: .sp -.RS 3n +.RS 4 .nf typedef struct { lwres_uint32_t flags; @@ -164,4 +164,7 @@ if the buffers used for sending queries and receiving replies are too small. \fBlwres_buffer\fR(3), \fBlwres_gabn\fR(3). .SH "COPYRIGHT" -Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") +.br +Copyright \(co 2000, 2001 Internet Software Consortium. +.br diff --git a/lib/lwres/man/lwres_resutil.docbook b/lib/lwres/man/lwres_resutil.docbook index 7ab2146b40b75..a8f24852f7c41 100644 --- a/lib/lwres/man/lwres_resutil.docbook +++ b/lib/lwres/man/lwres_resutil.docbook @@ -1,11 +1,11 @@ -]> - + @@ -36,6 +36,7 @@ 2004 2005 + 2007 Internet Systems Consortium, Inc. ("ISC") diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html index a9bc1eea103d1..c3317b60a9082 100644 --- a/lib/lwres/man/lwres_resutil.html +++ b/lib/lwres/man/lwres_resutil.html @@ -1,5 +1,5 @@ - + lwres_resutil - +

-
+

Name

lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr — lightweight resolver utility functions

@@ -47,11 +47,6 @@ lwres_result_t     -, - - -  -  ); @@ -67,11 +62,6 @@ lwres_result_t     -, - - -  -  ); @@ -97,11 +87,6 @@ lwres_result_t     -, - - -  -  ); @@ -132,11 +117,6 @@ lwres_result_t     -, - - -  -  ); @@ -144,7 +124,7 @@ lwres_result_t
-

DESCRIPTION

+

DESCRIPTION

lwres_string_parse() retrieves a DNS-encoded string starting the current pointer of lightweight resolver buffer @@ -220,7 +200,7 @@ is made available through *structp.

-

RETURN VALUES

+

RETURN VALUES

Successful calls to lwres_string_parse() @@ -264,7 +244,7 @@ small.

-

SEE ALSO

+

SEE ALSO

lwres_buffer(3), diff --git a/lib/lwres/unix/include/lwres/net.h b/lib/lwres/unix/include/lwres/net.h index b214de6b1ea4e..0018813fe46c5 100644 --- a/lib/lwres/unix/include/lwres/net.h +++ b/lib/lwres/unix/include/lwres/net.h @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000-2002 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: net.h,v 1.3.12.3 2004/03/08 09:05:12 marka Exp $ */ +/* $Id: net.h,v 1.3.12.6 2007/08/28 07:19:18 tbox Exp $ */ #ifndef LWRES_NET_H #define LWRES_NET_H 1 diff --git a/lib/lwres/version.c b/lib/lwres/version.c index ac3e6c8089e1b..83a990920f639 100644 --- a/lib/lwres/version.c +++ b/lib/lwres/version.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001 Internet Software Consortium. + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: version.c,v 1.6.12.3 2004/03/08 09:05:11 marka Exp $ */ +/* $Id: version.c,v 1.6.12.6 2007/08/28 07:19:18 tbox Exp $ */ #include diff --git a/make/includes.in b/make/includes.in index 2e5b89b3581aa..47f162101d20e 100644 --- a/make/includes.in +++ b/make/includes.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") -# Copyright (C) 1999-2001 Internet Software Consortium. +# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1999-2001, 2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: includes.in,v 1.15.12.4 2004/12/09 04:07:30 marka Exp $ +# $Id: includes.in,v 1.15.12.7 2007/08/28 07:19:18 tbox Exp $ # Search for machine-generated header files in the build tree, # and for normal headers in the source tree (${top_srcdir}). diff --git a/make/rules.in b/make/rules.in index 39e82ce427313..0dbecc251cceb 100644 --- a/make/rules.in +++ b/make/rules.in @@ -1,7 +1,7 @@ -# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2003 Internet Software Consortium. # -# Permission to use, copy, modify, and distribute this software for any +# Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: rules.in,v 1.40.2.5.4.10 2006/01/06 00:01:42 marka Exp $ +# $Id: rules.in,v 1.40.2.5.4.15 2008/02/18 23:45:31 tbox Exp $ ### ### Common Makefile rules for BIND 9. @@ -104,7 +104,7 @@ STD_CWARNINGS = @STD_CWARNINGS@ BUILD_CC = @BUILD_CC@ BUILD_CFLAGS = @BUILD_CFLAGS@ BUILD_CPPFLAGS = @BUILD_CPPFLAGS@ -BUILD_LDFAGS = @BUILD_LDFAGS@ +BUILD_LDFLAGS = @BUILD_LDFLAGS@ BUILD_LIBS = @BUILD_LIBS@ .SUFFIXES: @@ -190,7 +190,7 @@ INSTALL_DATA = @INSTALL_DATA@ ### not to exist when not generating documentation. ### -XSLTPROC = @XSLTPROC@ --novalid +XSLTPROC = @XSLTPROC@ --novalid --xinclude --nonet PERL = @PERL@ LATEX = @LATEX@ PDFLATEX = @PDFLATEX@ diff --git a/version b/version index 49710d4957d54..4327c9e433c68 100644 --- a/version +++ b/version @@ -1,10 +1,10 @@ -# $Id: version,v 1.26.2.17.2.26.4.1 2007/01/11 05:06:25 marka Exp $ +# $Id: version,v 1.26.2.17.2.31 2008/04/03 00:22:17 each Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # MAJORVER=9 MINORVER=3 -PATCHVER=4 +PATCHVER=5 RELEASETYPE= RELEASEVER= -- cgit v1.2.3